3.7 Security

The following security features, bug fixes, and enhancements are included in this update:

  • Libreswan updated to version 3.23.  This version of the Libreswan software includes bug fixes and improvements from the previous version.

  • nss version updated to 3.34.  This version of the nss package includes bug fixes and improvements from the last version.

  • SCAP workbench updated to version 1.1.6.  This version of the SCAP workbench (scap-workbench) utility includes bug fixes and improvements from the previous version.

  • SELinux supports NNP policy for systemd services.  In this update, the selinux-policy packages contain a policy for systemd services that use the No New Privileges (NNP) security feature. Also introduced is the nnp_nosuid_transition policy capability that enables SELinux domain transitions under NNP or nosuid if nnp_nosuid_transition is allowed between the old and new contexts.

    For example, the following rule describes how this capability is allowed for a service:

    allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

    In addition, the distribution policy now contains the m4 macro interface. This interface can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function.

  • SSLv3 disabled in mod_ssl.  To improve security for SSL/TLS connections, support for SSLv3 in the default configuration for the httpd mod_ssl module has been disabled. This change also restricts the use of certain cryptographic cipher suites.

    Note

    Only fresh installations of the mod_ssl package are affected. Users can change their existing SSL configuration manually, as required.

  • Using OpenSCAP to generate remediation scripts for use with Ansible.  The OpenSCAP scanner can be used to generate remediation scripts in Ansible playbook format. This capability assists with the integration of configuration compliance into an existing Ansible workflow. After generating an Ansible playbook, you can then customize it with the desired values.
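
For the mod_ssl item above: because only fresh installations receive the new default, an SSL configuration carried over from an earlier install has to be checked by hand. The following Python sketch is an added example, not part of these release notes or of httpd; it evaluates each SSLProtocol directive and reports whether SSLv3 is still enabled. The function names and the sample configuration are constructed, and it assumes that "all" includes SSLv3 and that an unprefixed protocol name replaces the protocols listed before it.

```python
import re

# Assumption: "all" is treated as including SSLv3, the conservative reading
# for builds whose OpenSSL still supports it.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL | {"SSLv2"}}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right: '+X' adds, '-X' removes, bare 'X' replaces."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name != "all" and name not in CANON:
            raise ValueError(f"unknown protocol token: {token!r}")
        group = set(ALL) if name == "all" else {CANON[name]}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled


def audit(config_text):
    """Return (line_number, directive, sslv3_enabled) for each active SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out directives do not match
        if match:
            protocols = effective_protocols(match.group(1))
            findings.append((lineno, line.strip(), "SSLv3" in protocols))
    return findings


# Constructed sample resembling an ssl.conf carried over from an older install.
SAMPLE = """\
# SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, text, weak in audit(SAMPLE):
        print(f"line {lineno}: {'SSLv3 ENABLED' if weak else 'ok'}: {text}")
```

To check a real host, pass the contents of the mod_ssl configuration file and of any virtual host files that set SSLProtocol to audit().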