Chapter 33. Security

When firewalld starts, net.netfilter.nf_conntrack_max is no longer reset to default if its configuration exists

Previously, firewalld reset the nf_conntrack settings to their default values when it was started or restarted. As a consequence, the net.netfilter.nf_conntrack_max setting was restored to its default value. With this update, each time firewalld starts, it reloads the nf_conntrack sysctls as they are configured in /etc/sysctl.conf and /etc/sysctl.d. As a result, net.netfilter.nf_conntrack_max keeps the user-configured value. (BZ#1462977)
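A quick way to confirm that the persisted value survives a firewalld restart is to compare the running sysctl with what the configuration files specify. The following POSIX shell script is an added example and is not part of the release notes or of firewalld: it reads the last assignment of a key across the given files (later files override earlier ones, which is how sysctl applies a file list) and reports whether the running value matches, drifted, or was never configured. The file names and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the release notes: confirm that the running
# net.netfilter.nf_conntrack_max still matches the value persisted in the
# sysctl configuration, for instance after a firewalld restart.

# Print the last value assigned to KEY across the given files, read in the
# order given (a later file overrides an earlier one). Comment lines and
# surrounding whitespace are ignored; nothing is printed if KEY is absent.
configured_sysctl() {
    key="$1"; shift
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) found = v
        }
        END { if (found != "") print found }
    ' "$@"
}

# Compare a running value against the configured one.
# Exit status: 0 = matches, 1 = drifted (e.g. reset to the kernel default),
# 2 = no value configured in the given files.
check_conntrack_max() {
    running="$1"; shift
    want=$(configured_sysctl net.netfilter.nf_conntrack_max "$@")
    [ -n "$want" ] || return 2
    [ "$running" = "$want" ]
}

# On a real host (the file list is an assumption, adjust to the local layout):
#   check_conntrack_max "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" \
#       /etc/sysctl.d/*.conf /etc/sysctl.conf && echo "nf_conntrack_max persisted"
```

Run the live check once before and once after `systemctl restart firewalld`; an exit status of 1 after the restart is the symptom described above, an exit status of 2 means the value was never persisted and a reset to the kernel default is expected behaviour.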
Tomcat can now be started using tomcat-jsvc with SELinux in enforcing mode

In Red Hat Enterprise Linux 7.4, the tomcat_t unconfined domain was not correctly defined in the SELinux policy. Consequently, the Tomcat server could not be started by the tomcat-jsvc service with SELinux in enforcing mode. This update allows the tomcat_t domain to use the dac_override, setuid, and kill capability rules. As a result, Tomcat is now able to start through tomcat-jsvc with SELinux in enforcing mode. (BZ#1470735)
SELinux now allows vdsm to communicate with lldpad

Prior to this update, SELinux in enforcing mode denied the vdsm daemon access to lldpad information. Consequently, vdsm was not able to work correctly. With this update, a rule allowing the virtd_t domain to send data to the lldpad_t domain through a dgram socket has been added to the selinux-policy packages. As a result, vdsm labeled as virtd_t can now communicate with lldpad labeled as lldpad_t when SELinux is in enforcing mode. (BZ#1472722)
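Both the tomcat_t capability rules and the virtd_t to lldpad_t dgram rule fix problems that surface as AVC denial records in the audit log. The following POSIX shell script is an added example, not from the release notes or from the selinux-policy project: it summarizes AVC denials by source type, target type, object class and permission, so an administrator can confirm before the update that the denials on a host match the ones described here, and after the update that they are gone. The audit lines are constructed for the example; the socket path, PIDs and comm values are assumptions and not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the release notes: summarize SELinux AVC
# denials from audit log lines by source type, target type, object class
# and permission set.

# Read audit records on stdin; print one line per distinct denial:
#   <count> <source_type> <target_type> <tclass> <permissions>
avc_denial_summary() {
    awk '
        # Extract the type field (third component) of an SELinux context.
        function type_of(field,    n, parts) {
            sub(/^[st]context=/, "", field)
            n = split(field, parts, ":")
            return (n >= 3) ? parts[3] : field
        }
        /avc:[[:space:]]+denied/ {
            # Requested permissions are listed between the first pair of braces.
            perms = ""
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", perms)
                gsub(/[[:space:]]+/, ",", perms)
            }
            s = "?"; t = "?"; c = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = type_of($i)
                else if ($i ~ /^tcontext=/) t = type_of($i)
                else if ($i ~ /^tclass=/) c = substr($i, 8)
            }
            count[s " " t " " c " " perms]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# Constructed sample records in audit.log format (not captured from a host).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1500000001.000:101): avc:  denied  { sendto } for  pid=2101 comm="vdsm" path="/var/run/lldpad/lldpad.sock" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1500000002.000:102): avc:  denied  { sendto } for  pid=2101 comm="vdsm" path="/var/run/lldpad/lldpad.sock" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1500000003.000:103): avc:  denied  { dac_override } for  pid=2200 comm="jsvc" capability=1 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1500000003.000:103): arch=c000003e syscall=2 success=no exit=-13 comm="jsvc"
EOF
}

# Stand-alone run on the constructed sample:
#   sample_audit_lines | avc_denial_summary
# On a real host, feed /var/log/audit/audit.log or the output of
# `ausearch -m avc --raw` on stdin instead.
```

The summary keys on the SELinux type rather than the full context, which is the granularity at which allow rules such as the virtd_t to lldpad_t dgram rule are written; a line like `2 virtd_t lldpad_t unix_dgram_socket sendto` is exactly the denial the added policy rule removes, while a `tomcat_t tomcat_t capability dac_override` line corresponds to the missing capability rule described for tomcat_t.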
OpenSSH servers without Privilege Separation no longer crash

Prior to this update, a pointer was dereferenced before its validity was checked. Consequently, OpenSSH servers with the Privilege Separation option turned off crashed during session cleanup. With this update, pointers are checked properly, and OpenSSH servers running without Privilege Separation no longer crash due to the described bug.
The clevis luks bind command no longer fails with the DISA STIG-compliant password policy

Previously, passwords generated as part of the clevis luks bind command were not compliant with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) password policy set in the pwquality.conf file. Consequently, clevis luks bind failed on DISA STIG-compliant systems in certain cases. With this update, passwords are generated using a utility designed to generate random passwords that pass the password policy, and clevis luks bind now succeeds in the described scenario. (BZ#1500975)
WinSCP 5.10 now works properly with OpenSSH

Previously, OpenSSH incorrectly recognized WinSCP version 5.10 as the older version 5.1. As a consequence, the compatibility bits for WinSCP version 5.1 were enabled for WinSCP 5.10, and the newer version did not work properly with OpenSSH. With this update, the version selectors have been fixed, and WinSCP 5.10 now works properly with OpenSSH servers. (BZ#1496808)
SFTP no longer allows creating zero-length files in read-only mode

Prior to this update, the process_open function in the OpenSSH SFTP server did not properly prevent write operations in read-only mode. Consequently, attackers were allowed to create zero-length files. With this update, the function has been fixed, and the SFTP server no longer allows any file creation in read-only mode. (BZ#1517226)