Chapter 62. Security
certutil
does not return the NSS database password requirements in FIPS mode
When creating a new Network Security Services (NSS) database with the
certutil
tool, the user has nowhere to find out what the database password requirements are when running in FIPS mode. The prompt message does not provide password requirements, and certutil
returns only a generic error message:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
(BZ#1401809)
systemd-importd
runs as init_t
The
systemd-importd
service is using the NoNewPrivileges
security flag in the systemd
unit file. This blocks the SELinux domain transition from the init_t
to systemd_importd_t
domain. (BZ#1365944)
The SCAP password length requirement is ignored in the kickstart installation
The interactive kickstart installation does not enforce the password length check defined by the SCAP rule and accepts shorter root passwords. To work around this problem, use the
--strict
option with the pwpolicy root
command in the kickstart file. (BZ#1372791)
rhnsd.pid
is writable by group and others
In Red Hat Enterprise Linux 7.4, the default permissions of the
/var/run/rhnsd.pid
file are set to -rw-rw-rw-.
. This setting is not secure. To work around this problem, change the permissions of this file to be writable only by the owner:
# chmod go-w /var/run/rhnsd.pid
(BZ#1480306)