Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7.7 that have a significant impact on users.
6.1. Authentication and Interoperability
Directory Server flushes the entry cache after a back end transaction plug-in failed
Previously, if a back end transaction plug-in failed, Directory Server rolled-back the operation, but did not revert the changes in the entry cache. As a consequence, the entry cache contained incorrect entries. With this update, Directory Server flushes the entry cache after a back end transaction plug-in failed. As a result, clients retrieve the correct data when querying the database in the mentioned situation.
The ds-replcheck utility no longer incorrectly reports non-matching tombstone entries on replicas
Previously, if an administrator ran the ds-replcheck utility on different Directory Server replicas with tombstones present, ds-replcheck reported that one of the replicas was missing the tombstone entries. It is expected that tombstone entries do not match on each replica. With this update, ds-replcheck no longer searches for tombstone entries. As a result, the utility does not report missing tombstone entries as a problem.
Directory Server no longer crashes when shutting down the service while a cleanAllRUV task is running
Previously, stopping the Directory Server service while a cleanAllRUV task was running freed resources the task was using. As a consequence, the service terminated unexpectedly. With this update, Directory Server increments a reference counter that enables the task to complete before the service shutdown process proceeds. As a result, the server no longer crashes in the mentioned scenario.
Directory Server now correctly rejects the current password if passwordInHistory is set to 0
Previously, administrators could not set the passwordInHistory attribute in Directory Server to 0. As a consequence, users could reset their password to the same password as they currently use. With this update, administrators can set passwordInHistory to 0 and, as a result, the server checks a new password against the current password and rejects it if they match.
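The policy change above is easy to get wrong in any password-history implementation: a history size of 0 must mean "compare only against the current password", not "skip the check". The following is an added example, not code from Directory Server or from these release notes; it is a simplified model in which the hashes, the fixed demonstration salt and the sample passwords are all constructed for the example, and it shows the buggy interpretation beside the corrected one.

```python
"""Password-history check with passwordInHistory = 0.

Added example (not code from Directory Server or the release notes): a
simplified model of the policy the note describes. The 'before' version
treats a history size of 0 as "no check at all", which is the reported bug;
the 'after' version always compares the new password with the current one and
additionally with the last `history_size` previous passwords.
"""
import hashlib
import hmac

# Constructed, fixed salt so the example is deterministic; a real directory
# stores a per-entry salt alongside each hash.
DEMO_SALT = b"demo-salt-not-for-production"


def pw_hash(password):
    """PBKDF2-HMAC-SHA256 of the password under the demo salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DEMO_SALT, 10_000)


def same_password(candidate, stored_hash):
    """Constant-time comparison of the candidate's hash with a stored hash."""
    return hmac.compare_digest(pw_hash(candidate), stored_hash)


def reuse_rejected_before(new_password, current_hash, previous_hashes, history_size):
    """Buggy behaviour the note describes: history_size == 0 disables the check."""
    if history_size == 0:
        return False
    compared = [current_hash] + previous_hashes[:history_size]
    return any(same_password(new_password, h) for h in compared)


def reuse_rejected_after(new_password, current_hash, previous_hashes, history_size):
    """Fixed behaviour: the current password is always compared; history_size
    only controls how many previous passwords are compared on top of it."""
    compared = [current_hash] + previous_hashes[:history_size]
    return any(same_password(new_password, h) for h in compared)


# Constructed sample state for one user: current password plus two older ones,
# most recent first.
CURRENT = pw_hash("Winter2019!")
PREVIOUS = [pw_hash("Autumn2019!"), pw_hash("Summer2019!")]

if __name__ == "__main__":
    for size in (0, 1, 2):
        print("history %d: reuse of current rejected before=%s after=%s" % (
            size,
            reuse_rejected_before("Winter2019!", CURRENT, PREVIOUS, size),
            reuse_rejected_after("Winter2019!", CURRENT, PREVIOUS, size)))
```

The fixed variant keeps the current password in the comparison set unconditionally, so the history size only widens the window of older passwords that are also refused.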
Directory Server no longer truncates nsSSL3Ciphers values longer than 1023 characters
Previously, Directory Server used a fixed buffer size to store the preferred TLS ciphers set in the nsSSL3Ciphers parameter in the cn=encryption,cn=config entry. As a consequence, if the value was longer than 1024 characters, the server truncated the value and used only ciphers specified in the first 1023 characters. With this fix, Directory Server no longer uses a fixed buffer size to store the value. As a result, the setting works as expected.
(BZ#1716267)
Directory Server no longer uses the CoS attribute with a higher priority than the real attribute
Previously, Directory Server used the operational-default Class of Service (CoS) attribute with a higher priority than the real attribute. As a consequence, the server overwrote the attribute set in a local password policy with the CoS policy defined in a subtree. This update fixes the problem. As a result, CoS-defined password policies work as expected.
Directory Server now updates the pwdLastSet field of a user on password changes
Previously, if password synchronization was enabled and a user changed a password in Directory Server, the server did not set the pwdLastSet attribute. As a consequence, Active Directory (AD) still forced the user to update the password. Directory Server now updates pwdLastSet in the mentioned scenario. As a result, AD does not force the user to change the password again.
(BZ#1597202)
Searches with scope one no longer return incomplete results in Directory Server
Previously, when a user performed a search with a scope set to one, the search operation did not return all expected entries. With this update, Directory Server correctly creates the entry candidates list for one level searches. As a result, the server returns the expected entries.
Directory Server no longer ignores IPv6 addresses in an ACI if both IPv6 and IPv4 addresses are used
Administrators can specify both IPv4 and IPv6 addresses in Access Control Instructions (ACI) to allow or deny access. Previously, if an ACI contained both IPv4 and IPv6 addresses, Directory Server ignored the IPv6 address. As a consequence, the ACI did not work as expected. This update fixes the parsing of the ip keyword in ACIs. As a result, IP-based ACIs work as expected in the mentioned scenario.
Replicating modrdn operations to read-only Directory Server now succeeds
The conflict entry management in Directory Server requires adding tracking entries for modrdn operations. Previously, adding these entries failed on read-only consumers and, as a consequence, modrdn operations could not be replicated to such instances. This update fixes the problem. As a result, replicating modrdn operations to read-only consumers succeeds.
The time after which Directory Server deletes tasks has been changed
Previously, Directory Server deleted task entries 2 minutes after a task finished. As a consequence, applications that were monitoring the task could miss the task result. This update changes the time after which the server deletes tasks. By default, all completed tasks are now deleted after 1 hour, except import and export tasks, which are deleted 24 hours after completion.
Directory Server did not return the shadowWarning attribute if passwordWarning was set lower than 86400
Previously, Directory Server did not return the shadowWarning attribute in searches if the passwordWarning attribute in the cn=config entry was set to a value lower than 86400 seconds (1 day). This update fixes the problem. As a result, the server returns the value of the shadowWarning attribute in the mentioned scenario.
krb5 memory caches are now thread-safe
Previously, the memory caches of the Kerberos V5 login program (krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.
krb5 configurations prohibited by FIPS 140-2 can now work again
Previously, the Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (krb5) system increased compliance with FIPS 140-2. As a consequence, certain previously permitted configurations that were prohibited by FIPS 140-2 stopped working. With this update, the changes have been reverted, because krb5 is only required to work in FIPS mode, not to be FIPS-compliant. As a result, configurations prohibited by FIPS 140-2 can now work again.
Note that Red Hat Enterprise Linux 8 does not support these configurations at the moment.
Certificate System starts even if the value in the numSubordinates attribute exceeds the number of profile entries
The LDAP numSubordinates operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeded the number of profile entries, the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario, and Certificate System logs the unexpected condition. As a result, the Certificate System start completes even when numSubordinates in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.
TLS_RSA_* ciphers are now disabled by default in Certificate System
Previously, by default, TLS_RSA_* ciphers were enabled in Certificate System. However, in environments with certain hardware security modules (HSM) in Federal Information Processing Standard (FIPS) mode, these ciphers are not supported. As a consequence, the SSL handshake failed and the connection was not established. This update disables TLS_RSA_* ciphers by default. As a result, connections work with those HSMs in FIPS mode.
The Certificate System REST API no longer stores clear text passwords in log files
Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.
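The fix above is a general pattern: credentials must be masked before a request is serialized into a log line, including when they are nested or carried as name/value attribute pairs. The following is an added example, not code from Certificate System; the marker list, the attribute layout and the sample request are constructed for the example, and the replacement string "(sensitive)" is the one the note mentions.

```python
"""Redact password-like values before they reach a log file.

Added example, not code from Certificate System: it applies the approach the
note describes (replace the value of password attributes with "(sensitive)")
to a constructed request body, recursing into nested objects and into
name/value attribute lists so a credential never survives in the log line.
"""
import copy
import json

REDACTED = "(sensitive)"
# Substrings that mark an attribute as a credential (constructed list).
SENSITIVE_MARKERS = ("password", "passwd", "pin", "secret", "token")


def is_sensitive(name):
    """True if the attribute name looks like a credential."""
    lowered = str(name).lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def redact(value):
    """Return a deep copy of value with every sensitive field replaced."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            out[key] = REDACTED if is_sensitive(key) else redact(item)
        # name/value attribute objects such as {"name": "pin", "value": "1234"}
        if is_sensitive(out.get("name", "")) and "value" in out:
            out["value"] = REDACTED
        return out
    if isinstance(value, list):
        return [redact(item) for item in value]
    return copy.deepcopy(value)


def audit_line(operation, request_body):
    """Single log line with the redacted request serialized as JSON."""
    return "%s %s" % (operation, json.dumps(redact(request_body), sort_keys=True))


# Constructed sample request resembling a credential submission.
SAMPLE_REQUEST = {
    "uid": "caadmin",
    "password": "Secret123",
    "attributes": [
        {"name": "pin", "value": "1234"},
        {"name": "email", "value": "admin@example.com"},
    ],
    "extra": {"userPassword": "hunter2", "note": "keep"},
}

if __name__ == "__main__":
    print(audit_line("login", SAMPLE_REQUEST))
```

Redaction works on a copy so the request object handed to the application is unchanged; only the logging path sees the masked version.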
Client authentication can now be disabled in Certificate System
A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the bypassClientAuth configuration parameter to the /var/lib/pki/pki-instance_name/ca/conf/CS.cfg file. As a result, administrators can now set this parameter to true to disable client authentication if it is not supported by certain applications.
Certificate System CA installations succeed when using a PKCS #12 file
Previously, the default value of the pki_ca_signing_cert_path parameter was set to a predefined path. Due to a recent change in the way the pkispawn utility validates the parameter when an administrator used a PKCS #12 file to install a certificate authority (CA), the installation failed with an Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert error. This update fixes the problem by removing the default value of pki_ca_signing_cert_path. As a result, the CA installation succeeds in the mentioned scenario.
The pki utility correctly asks for a password
Previously, if the user did not provide a password using command-line options, the pki utility did not prompt for a password. As a consequence, pki incorrectly reported Error: Missing user password and the operation failed. The pki utility has been fixed to prompt for a password under the described circumstances.
(BZ#1479559)
Certificate System automatically shuts down if signed audit logs cannot be stored due to a full file system
Previously, if audit signing was enabled and the file system on which Certificate System stored the signed audit logs was full, Certificate System continued operating but did not log further operations. To prevent missing signed audit logs, Certificate System now shuts down automatically in the mentioned scenario.
SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups
The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC set by default. Consequently, when SSSD requests the POSIX attributes during SSSD lookups, SSSD incorrectly considers the attributes to be removed from the server, because they are not present in the GC, and removes them from the SSSD cache as well. With this update, initgroup lookups now switch between LDAP and GC connection as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.
(BZ#1194345)
Changing the shell with ypchsh no longer results in an overwritten password when NIS uses passwd.adjunct
Previously, when the NIS server was set up to support the passwd.adjunct map and the user changed the shell on a NIS client by using the ypchsh command, the yppasswdd daemon overwrote the user’s password hash inside passwd.adjunct with the ##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in with the new shell after running ypchsh.
(BZ#1624295)
6.2. Compiler and Tools
The SystemTap Dyninst backend works without the dyninst-devel package
The stap --dyninst command uses the SystemTap Dyninst backend. Previously, this backend did not work when the dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly, and users had to manually install dyninst-devel and run the ldconfig tool as a workaround. This bug has been fixed and the SystemTap Dyninst backend now works without the dyninst-devel package.
(BZ#1498558)
GDB breakpoint default source file works for symbolic links
Previously, the GDB debugger could not locate the symbol table information for the default source file if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.
The DNS stub resolver in glibc no longer rejects valid host names, such as hostname-.example.com
The DNS stub resolver in glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as res_hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.
iconv no longer hangs when converting from certain IBM character sets
Previously, the glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM939 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the iconv tool with the -c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurrence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.
(BZ#1427734)
iconv can convert between the IBM273 and ISO-8859-1 character sets
Previously, the glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character MACRON; instead it used the corresponding byte to represent the OVERLINE Unicode character, which has the same visual representation as a MACRON. As a consequence, using the iconv tool provided by glibc to convert IBM273 text containing an OVERLINE character to ISO-8859-1, or ISO-8859-1 text containing a MACRON character to IBM273, resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its OVERLINE representation with MACRON. As a result, both character sets now use the MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.
getifaddrs calls can no longer unexpectedly terminate applications
Previously, the network interface list produced by the getifaddrs function in the glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using getifaddrs could terminate unexpectedly in such a situation. This has been fixed, and getifaddrs now ensures the list is consistent with the kernel state. As a result, the unexpected termination mentioned above cannot happen.
(BZ#1472832)
Makefiles containing explicit targets before implicit targets work again
Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After an update to version 3.82, the make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets could not be used. With this update, make can correctly parse situations where an explicit target is listed before an implicit target. As a result, certain legacy Makefiles can now be used again without modification. However, implicit targets before explicit targets still result in an error.
Note that mixing explicit and implicit targets in Makefiles is deprecated and should not be added to new Makefiles.
PCP now reports all process details on large systems
Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details in some cases on very large systems. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.
strip no longer crashes with certain executable files
Previously, the strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate strip. The assumptions about structure have been changed such that this problem can no longer happen and strip works correctly.
(BZ#1644632)
Optimized CPU consumption by libdb
A previous update to the libdb database caused excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.
passwd --stdin no longer limits the password length to 79 characters
When changing a password using the passwd command with the --stdin option, the length of the password was limited to 79 characters. Consequently, when you entered a password longer than 79 characters via standard input, only the first 79 characters were accepted, and no warning was shown. With this update, passwd has been fixed to align the accepted size of the password with the size defined by the Pluggable Authentication Module (PAM). As a result, the passwd --stdin command now accepts passwords longer than 79 characters, but not longer than PAM_MAX_RESP_SIZE - 1 characters. If that limit is exceeded, passwd reports an error to the standard error output and exits with exit code 1.
(BZ#1276570)
fixfiles no longer incorrectly fails
Previously, the fixfiles script failed if the /etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the /etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for the existence of /etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.
6.3. Desktop
System no longer boots to a blank screen when Xinerama is enabled
When the Xinerama extension was enabled in /etc/X11/xorg.conf on a system using the nvidia or nouveau driver, the RANDR X extension got disabled. Consequently, the login screen failed to start upon boot because the RANDR X extension was disabled. This bug has been fixed and the login screen now starts properly even with Xinerama enabled.
Soft lock-ups fixed during boot in the kernel with i915
On a rare occasion when a GM45 system had an improper firmware configuration, an incorrect DisplayPort hot-plug signal could cause the i915 driver to be overloaded on boot. Consequently, certain GM45 systems experienced very slow boot times while the video driver attempted to work around the problem. In some cases, the kernel also reported soft lock-ups. This bug has been fixed and the lock-ups no longer occur in the described scenario.
(BZ#1608704)
X.org server no longer crashes during fast user switching
Previously, the X.Org X11 qxl video driver did not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update, qxl has been fixed, and the X.org server no longer crashes during fast user switching.
6.4. File Systems
Non-root users can now access SMB shares mounted using the multiuser option
In Red Hat Enterprise Linux (RHEL) 7.5, a fix was added to handle NT LAN Manager (NTLM) authentication when no domain was specified. This change affected how the cifs.ko kernel module selected the domain name when using NTLM. As a consequence, when a server message block (SMB) share was mounted with the multiuser option, an incorrect domain name was selected and non-root users failed to access the mounted SMB share. This update reverts the fix. As a result, shares mounted with multiuser can now be accessed by non-root users in RHEL 7.7.
(BZ#1710421)
Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system
Previously, the setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on an NFS-mounted file system, setquota failed to perform the operation. This update corrects the conversion of the used disk size to an RPC protocol format, and the described problem no longer occurs.
6.5. Installation and Booting
NVDIMM commands are added to the Kickstart script file anaconda-ks.cfg after installation
The installer creates a Kickstart script equivalent to the configuration used for system installation. This script is stored in the /root/anaconda-ks.cfg file. Previously, when the graphical user interface was used to install RHEL, the nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the Kickstart file now contains the nvdimm commands as expected.
(BZ#1620109)
The graphical installation program no longer permits an invalid passphrase
Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.
(BZ#1489713)
Using the version or inst.version kernel boot parameters no longer stops the installation program
Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.
With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.
(BZ#1637112)
The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes
Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of 512 and 4096.
(BZ#1614049)
Cancelling a job initiated from cockpit-composer no longer fails
Previously, the image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from the cockpit-composer GUI using composer-cli compose cancel resulted in a hung compose API server, causing newly queued job builds to not start and to remain in the waiting state. To fix the problem, a feature to cancel the image build process was implemented. As a result, cancelling a job initiated from cockpit-composer no longer fails.
The rpm command now supports the --setcaps and --restore options
This update introduces the --setcaps and --restore options for the rpm command.
The --setcaps option sets the capabilities of files in the specified package. The syntax is as follows:
rpm --setcaps _PACKAGE_NAME_
The --restore option restores the owner, group, permissions, and capabilities of files in the specified package. The syntax is as follows:
rpm --restore _PACKAGE_NAME_
GRUB 2 regexp command is no longer missing
Previously, the module providing the regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using regexp failed with the error: can’t find command `regexp` message. With this update, the module providing regexp is included in the GRUB2 EFI binary and works correctly in the described situation.
(BZ#1630678)
6.6. Kernel
Netfilter now supports zero-length CIDR values in certain IP set types
Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in the hash:net,port,net and hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.
(BZ#1680426)
AVC denials for NFS mounted directories mounted on the server side
NFS crossmnt mounts automatically create internal mounts when a process accesses a subdirectory that is used as a mount point on the server. Consequently, SELinux checks whether the process accessing an NFS mounted directory has a mount permission, which may cause Access Vector Cache (AVC) denials. In this update, SELinux permission checking is skipped for internal mounts of this type. As a result, mount permission is not needed when accessing an NFS directory that is mounted on the server side.
(BZ#1077929)
The intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled
Previously, with the Intel Skylake-X systems, it was impossible to load the intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the acpi_cpufreq driver. This update fixes the problem and intel_pstate now loads correctly in the described scenario.
In the event that the user wants to use acpi_cpufreq (not recommended), the solution is to append the intel_pstate=disable parameter to the kernel command line.
(BZ#1698453)
Data corruption no longer occurs on RAID 10 reshape on top of VDO
Previously, RAID 10 reshape (with both LVM and mdadm) on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.
(BZ#1528466)
write-behind in RAID1 no longer triggers a kernel panic
Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the write-behind function could not be used. This update fixes the problem and write-behind can now be used without triggering a kernel panic in the described scenario.
(BZ#1632575)
The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types
Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.
(BZ#1607252)
The kdump kernel is now able to boot after a CPU hot add or hot remove operation
When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with kdump enabled, the kdump crash kernel failed to boot if triggered by the kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result, the kdump kernel manages to boot in the described scenario.
(BZ#1549355)
6.7. Networking
dnsmasq no longer uses ports lower than 1024 as a source port
Previously, the Domain Name System forwarder (dnsmasq) used all ports below 1024 as source ports for queries. However, Berkeley Internet Name Domain (BIND) drops DNS queries incoming from some of the low ports. Consequently, the target port 464 was ignored by BIND. With this update, dnsmasq no longer uses a custom random port generator but lets the operating system assign random ports instead. As a result, dnsmasq no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.
Dnsmasq with enabled cache no longer returns cached responses without DNSSEC records
Previously, the dnsmasq service with caching enabled returned cached responses without DNSSEC records, even if the query had the DNSSEC OK bit set. As a consequence, the returned replies could not pass DNSSEC validation by clients behind dnsmasq, so those clients were unable to use DNSSEC validation. With this update, dnsmasq always forwards requests with the DNSSEC OK bit set and does not use cached values, unless DNSSEC validation is enabled locally. As a result, clients behind dnsmasq can successfully validate all responses.
(BZ#1638703)
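The decision dnsmasq now makes depends on one bit in the query: the DNSSEC OK (DO) flag, which EDNS(0) (RFC 6891) carries as the top bit of the 16-bit flags field in the OPT pseudo-record's TTL position. The following is an added example, not dnsmasq's code; it builds constructed queries with and without the DO bit, locates the OPT record by walking the message sections, and applies the rule the note describes (a DO query bypasses the cache unless the forwarder validates locally).

```python
"""Detect the DNSSEC OK (DO) bit in a DNS query and decide whether a cache may answer.

Added example, not dnsmasq's code: it builds a query with an EDNS(0) OPT record
(RFC 6891, where the DO bit is the top bit of the OPT record's 16-bit flags
field, carried in the TTL position) and applies the rule the note describes:
a query with DO set must bypass the cache and be forwarded, unless the
forwarder validates DNSSEC locally.
"""
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type
DO_FLAG = 0x8000     # DNSSEC OK bit in the OPT flags field
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Wire-format (uncompressed) domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, edns=True, dnssec_ok=False, txid=0x1234):
    """Constructed query: header, one question, optional OPT record."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        flags = DO_FLAG if dnssec_ok else 0
        # OPT: root name, type 41, UDP payload size 4096, ext-rcode, version, flags, rdlen 0
        msg += b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, flags, 0)
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def dnssec_ok_requested(msg):
    """True if the message carries an OPT record with the DO bit set."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount):         # skip any answer/authority RRs
        off = skip_name(msg, off)
        rdlen = struct.unpack_from("!H", msg, off + 8)[0]
        off += 10 + rdlen
    for _ in range(arcount):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)         # low 16 bits of "TTL" are the flags
        off += 10 + rdlen
    return False


def serve_from_cache(msg, local_validation=False):
    """Cache decision from the note: DO queries are forwarded unless validated locally."""
    if dnssec_ok_requested(msg) and not local_validation:
        return False
    return True


if __name__ == "__main__":
    for do in (False, True):
        q = build_query("example.com", dnssec_ok=do)
        print("DO=%s -> cache may answer: %s" % (do, serve_from_cache(q)))
```

A forwarder that validates locally can keep serving DO queries from its cache because it re-attaches the validated RRSIG data itself; one that does not validate has no such data in cache and must forward.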
The ipset service can now load sets that depend on other sets
The ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially, ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the ipset service first creates all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.
Error logging in the ipset service has been improved
Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.
The ipset service now ignores invalid configuration entries during startup
The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects invalid configuration entries during the restore operation and ignores them, so the remaining sets are still restored.
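The two ipset service fixes above (creating every set before adding entries, and skipping invalid entries instead of aborting the restore) can be applied to a saved dump before it is handed to `ipset restore`. The following is an added example, not the ipset service's own code: it parses a constructed dump written in the syntax that `ipset save` prints, emits all `create` lines first, then only the `add` lines that are well-formed and refer to a defined set, and reports what it dropped. The validation rules (IPv4 members for hash:ip and hash:net, set names for list:set) are simplified assumptions for the example.

```python
"""Reorder and sanitise an ipset dump before restoring it.

Added example (not part of the RHEL release notes or the ipset project):
it mimics two behaviours the notes describe for the ipset service, using a
constructed dump in 'ipset save' syntax:
  1. create every set first, then add entries, so a list:set that refers to
     another set no longer depends on file order;
  2. drop entries that are malformed or that reference an undefined set,
     instead of letting one bad line abort the whole restore.
"""
import re

# Constructed sample, written in the syntax 'ipset save' prints. The list:set
# 'allsets' refers to 'mgmt' before 'mgmt' is created, and two lines are bad.
SAMPLE_DUMP = """\
add allsets mgmt
create allsets list:set size 8
add mgmt 192.0.2.10
create mgmt hash:ip family inet hashsize 1024 maxelem 65536
add mgmt not-an-address
add ghost 198.51.100.7
create blocked hash:net family inet hashsize 1024 maxelem 65536
add blocked 203.0.113.0/24
add allsets blocked
"""

# Simplified IPv4 address / prefix check (assumption for the example).
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def parse_dump(text):
    """Return (creates, adds, problems) from an 'ipset save' style dump."""
    creates, adds, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "create" and len(fields) >= 3:
            creates[fields[1]] = line          # set name -> full create line
        elif fields[0] == "add" and len(fields) == 3:
            adds.append((lineno, fields[1], fields[2], line))
        else:
            problems.append((lineno, "unparseable line: " + line))
    return creates, adds, problems


def entry_is_valid(set_type, member, creates):
    """Validate one 'add' member against the type of its target set."""
    if set_type == "list:set":
        return member in creates          # member must itself be a defined set
    if set_type in ("hash:ip", "hash:net"):
        return bool(IPV4_RE.match(member))
    return True                            # other types: not checked here


def sanitise(text):
    """Emit creates first, then only the valid adds; also return the problems."""
    creates, adds, problems = parse_dump(text)
    output = list(creates.values())
    for lineno, set_name, member, line in adds:
        if set_name not in creates:
            problems.append((lineno, "add to undefined set " + set_name))
            continue
        set_type = creates[set_name].split()[2]
        if not entry_is_valid(set_type, member, creates):
            problems.append((lineno, "invalid entry for %s: %s" % (set_name, member)))
            continue
        output.append(line)
    return "\n".join(output) + "\n", problems


if __name__ == "__main__":
    restored, issues = sanitise(SAMPLE_DUMP)
    print(restored, end="")                # this text is what 'ipset restore' would read
    for lineno, msg in issues:
        print("warning: line %d: %s" % (lineno, msg))
```

Reporting each dropped line with its line number mirrors the improved logging described for the service: an operator can see which hand-edited entry was skipped instead of finding that unrelated sets are missing.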
firewalld rebased to version 0.6.3
The firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:
- The firewalld service now only modifies ifcfg files for permanent configuration changes.
- Untranslated strings in the firewall-config utility, which prevented rich rules from being modified in the UI, have been fixed.
- The set-log-denied parameter now works correctly when used in combination with the icmp-block-inversion parameter.
- The firewall-cmd utility now correctly checks the return value of the ipset command.
- IP forwarding is no longer enabled when using port forwarding and the toaddr parameter is not specified.
- The shell auto-complete feature no longer constantly asks for authentication.
6.8. Security
An SELinux policy reload no longer causes false ENOMEM errors
Reloading the SELinux policy previously caused the kernel's internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.
NSS now processes X.509 certificates for use with IPsec correctly
Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had a non-empty Extended Key Usage (EKU) extension that did not contain the serverAuth and clientAuth purposes, the Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.
NSS no longer accepts RSA PKCS#1 v1.5 signatures made with an RSA-PSS key
RSA-PSS keys can be used only for creating RSA-PSS signatures; a PKCS#1 v1.5 signature made with such a key violates the standard. Previously, the Network Security Services (NSS) libraries did not check the type of the RSA public key used by a server when validating signatures made with the corresponding private key. Consequently, NSS accepted RSA PKCS#1 v1.5 signatures as valid even if they were made with an RSA-PSS key.
The bug has been fixed, and the NSS libraries now properly check the type of RSA public keys used by a server when validating signatures made with the corresponding private key. As a result, such signatures are no longer accepted by NSS.
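The check the fix adds, as an added example that is not NSS code: the type of an RSA key is the algorithm OID in the SubjectPublicKeyInfo (rsaEncryption, 1.2.840.113549.1.1.1, versus id-RSASSA-PSS, 1.2.840.113549.1.1.10), and a PKCS#1 v1.5 signature must be refused when the key is of the second kind. The minimal DER encoder and parser, the function names and the two SPKI blobs (built here with placeholder key material, since only the algorithm identifier matters for the decision) are this example's own.

```python
"""Refuse PKCS#1 v1.5 signatures from an id-RSASSA-PSS key.

Added example, not NSS code. Parses just enough DER to read the algorithm
OID out of a SubjectPublicKeyInfo and applies the key-type rule:
  rsaEncryption keys may make PKCS#1 v1.5 or PSS signatures,
  id-RSASSA-PSS keys may make PSS signatures only.
"""

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"      # id-RSASSA-PSS


def der_tlv(tag, body):
    """Encode one DER tag-length-value (definite length, body < 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def spki_algorithm_oid(spki):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    AlgorithmIdentifier  ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }"""
    tag, start, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, start, _ = read_tlv(spki, start)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, start, end = read_tlv(spki, start)        # algorithm OID
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(spki[start:end])


def signature_scheme_allowed(spki, scheme):
    """scheme is 'pkcs1v15' or 'pss'. The key type, not the signature's own
    algorithm field, decides whether a PKCS#1 v1.5 signature may be accepted."""
    oid = spki_algorithm_oid(spki)
    if oid == OID_RSA_ENCRYPTION:
        return scheme in ("pkcs1v15", "pss")
    if oid == OID_RSASSA_PSS:
        return scheme == "pss"
    return False  # not an RSA key of either kind


def make_spki(oid, params):
    """Constructed SPKI with a placeholder BIT STRING instead of a real RSA key."""
    placeholder_key = der_tlv(0x03, b"\x00" + der_tlv(0x30, b"\x02\x01\x03"))
    alg = der_tlv(0x30, encode_oid(oid) + params)
    return der_tlv(0x30, alg + placeholder_key)


SPKI_RSA = make_spki(OID_RSA_ENCRYPTION, b"\x05\x00")  # rsaEncryption carries NULL parameters
SPKI_PSS = make_spki(OID_RSASSA_PSS, b"")               # RSASSA-PSS-params omitted (constructed)

if __name__ == "__main__":
    for name, spki in (("rsaEncryption", SPKI_RSA), ("id-RSASSA-PSS", SPKI_PSS)):
        print(name, "pkcs1v15 allowed:", signature_scheme_allowed(spki, "pkcs1v15"))
```

Against a real certificate, the SPKI is the DER of the certificate's subjectPublicKeyInfo field; the decision is the same, and it is the key's OID that must be consulted, not the signature algorithm the peer claims to have used.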
Accessing authorized keys no longer fails when switching users
Previously, the group information cache in OpenSSH was not cleared when the user used for retrieving authorized keys was changed by the AuthorizedKeysCommand* configuration options. Consequently, an attempt to access authorized keys failed for the new user because of incorrect group information. This bug has been fixed, and authorized keys can now be successfully accessed when the user is changed.
scap-security-guide now correctly skips rules that are not applicable to containers and container images
SCAP Security Guide content can now be used to scan containers and container images. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result not applicable is reported when scanning containers and container images.
Ansible playbooks from the SCAP Security Guide no longer fail due to common errors
Ansible tasks included in the SCAP Security Guide content were previously unable to handle certain common cases, such as missing configuration files, non-existent files, or uninstalled packages. As a consequence, when using an Ansible playbook from the SCAP Security Guide or generated by the oscap command, the ansible-playbook command terminated on any such error. With this update, the Ansible tasks have been updated to handle these common cases, and Ansible playbooks from the SCAP Security Guide can be executed successfully even if common errors are encountered during the playbook execution.
SCAP Security Guide now correctly checks the dconf configuration
Prior to this update, OVAL (Open Vulnerability and Assessment Language) checks used in the SCAP Security Guide project did not check the dconf binary database directly but only the respective key files. This could lead to false positives or false negatives in scanning results. With this update, SCAP Security Guide adds one more check component, which ensures that the dconf binary database is up to date with regard to those key files. As a result, the complex check now checks the dconf configuration correctly.
SELinux now allows gssd_t processes to access kernel keyrings of other processes
Previously, an allow rule for the gssd_t type was missing from the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing the kernel keyrings of other processes, which could block, for example, sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access the keyrings of other processes.
SELinux no longer blocks snapperd from managing all non-security directories
Prior to this update, an allow rule for the snapper daemon (snapperd) was missing from the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.
sudo I/O logging function now works also for SELinux-confined users
Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.
(BZ#1564470)
sudo configured using LDAP now handles sudoRunAsGroup correctly
Previously, the sudo tool configured using LDAP did not correctly handle the case where the sudoRunAsGroup attribute was defined but the sudoRunAsUser attribute was not. As a consequence, the root user was used as the target user. With this update, the handling of sudoRunAsGroup has been fixed to match the behavior documented in the sudoers.ldap(5) man page, and sudo now works properly in the described scenario.
6.9. Servers and Services
chronyd no longer fails to synchronize with NTP servers after reboot
Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence, chronyd was prevented from synchronizing the system clock. With this update, the chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result, chronyd now synchronizes with NTP servers as expected under the described circumstances.
(BZ#1600882)
CUPS no longer denies access if SSSD running on the same server is configured with ignore_group_members = true
When the System Security Services Daemon (SSSD) uses the ignore_group_members = true setting in the /etc/sssd/sssd.conf file, the getgrnam() function returns the group structure without the members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only getgrnam() to verify whether a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS additionally uses the getgrouplist() function, which returns a user's group memberships even if SSSD is configured with ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.
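The membership check in the order CUPS now performs it, as an added example that is not CUPS code: Python's grp, pwd and os modules call the same NSS functions (getgrnam(), getpwnam(), getgrouplist()), so the difference between the two answers is visible on any host. It runs against the local user database; the function names are this example's own, and the primary group of root is used as the sample membership because gr_mem typically does not list it either, for the same reason it misses SSSD groups under ignore_group_members = true.

```python
"""Group membership that does not depend on getgrnam() listing members.

Added example, not CUPS code. member_via_getgrnam() is the old CUPS check;
member_via_getgrouplist() is the fallback the fix adds; user_in_group()
combines them in that order.
"""
import grp
import os
import pwd


def member_via_getgrnam(user, group):
    """Old check: is `user` named in the group's member list (gr_mem)?
    Empty for SSSD groups when ignore_group_members = true, and never
    lists users whose *primary* group this is."""
    try:
        return user in grp.getgrnam(group).gr_mem
    except KeyError:          # unknown group
        return False


def member_via_getgrouplist(user, group):
    """Added check: does the user's full group list contain the group's gid?
    getgrouplist() is answered from the user side of NSS (for SSSD, the
    user's own membership data), so it works when gr_mem is empty, and it
    always includes the primary gid passed in."""
    try:
        pw = pwd.getpwnam(user)
        gid = grp.getgrnam(group).gr_gid
    except KeyError:          # unknown user or group
        return False
    return gid in os.getgrouplist(pw.pw_name, pw.pw_gid)


def user_in_group(user, group):
    """Combined check in the order CUPS now uses: cheap gr_mem lookup first,
    then the authoritative getgrouplist() answer."""
    return member_via_getgrnam(user, group) or member_via_getgrouplist(user, group)


def primary_group(user):
    """Name of the user's primary group (the membership gr_mem usually omits)."""
    return grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name


if __name__ == "__main__":
    g = primary_group("root")
    print("root in %s via gr_mem:        %s" % (g, member_via_getgrnam("root", g)))
    print("root in %s via getgrouplist:  %s" % (g, member_via_getgrouplist("root", g)))
    print("root in %s combined:          %s" % (g, user_in_group("root", g)))
```

On a host where SSSD serves the group with ignore_group_members = true, the first line prints False and the other two print True, which is exactly the gap the CUPS fix closes; any access-control code that still relies on gr_mem alone has the same bug.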
Running dbus-daemon no longer fails to activate a system service
With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, the locations of several D-Bus tools changed. The dbus-send executable was moved from the /bin directory to the /usr/bin directory, and the dbus-daemon-launch-helper executable was moved from the libdir directory to the libexecdir directory. Consequently, if a scriptlet in a package called the dbus-send command to send a message to D-Bus and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symbolic links between the old and new locations of dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.
Teaming in the rescue system works correctly again
Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR affecting complex network configurations. However, in the case of teaming, that update introduced another problem: if the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a workaround was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.
Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10
Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Platform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.
Handling of ksm and ksmtuned in Tuned has been fixed
Previously, Tuned sometimes failed to apply the cpu-partitioning profile if the ksm and ksmtuned services were enabled. With this update, handling of the ksm and ksmtuned services has been fixed. As a result, Tuned now applies the cpu-partitioning profile reliably.
(BZ#1622239)
Error messages in /var/log/tuned/tuned.log referring to non-existent sysctl settings no longer occur when a Tuned profile is loaded
Previously, the Tuned daemon treated non-existent sysctl settings as an error. For example, net.bridge.bridge-nf-call-ip6tables, net.bridge.bridge-nf-call-iptables, or net.bridge.bridge-nf-call-arptables, which are unavailable on some systems, could trigger an error in the /var/log/tuned/tuned.log file:
Failed to set sysctl parameter 'net.bridge.bridge-nf-call-ip6tables' to '0', the parameter does not exist
With this update, Tuned has been fixed, and the error messages no longer occur in /var/log/tuned/tuned.log under the described circumstances.
6.10. Storage
LVM no longer causes data corruption in the first 128kB of allocatable space of a physical volume
Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:
- A physical volume (PV) was created with a non-default alignment. The default is 1MB.
- An LVM command was modifying metadata at the tail end of the metadata region of the PV.
- A user or a file system was modifying the same bytes (racing).
No cases of the data corruption have been reported.
With this update, the problem has been fixed, and LVM can no longer cause data corruption under these conditions.
System boot is no longer delayed by ndctl
Previously, a udev rule installed by the ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases, systemd displayed a message similar to the following:
INFO: task systemd-udevd:1554 blocked for more than 120 seconds. ... nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm] ...
With this update, ndctl no longer installs the udev rule. As a result, ndctl does not delay the system boot.
(BZ#1635441)