3.7 Security

The following security features, bug fixes, and enhancements are included in this update.

  • Network Security Services (NSS) package updates.  This update introduces several NSS changes, including numerous bug fixes, security enhancements, and improvements over the previous NSS version.

    Notably, the NSS code and Certificate Authority (CA) list now meet the recommendations that are published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI).

  • SCAP Security Guide enhancement to include Universal Base Image containers and images.  The security policies in the SCAP Security Guide have been enhanced to include Universal Base Image (UBI) containers and UBI images, including ubi-minimal images. This enhancement enables configuration compliance scanning of UBI containers and images by using the atomic scan command. UBI containers and images can now be scanned against any profile that is shipped in the SCAP Security Guide, with only those rules that are relevant to the secure configuration of UBI being evaluated. Any rules that are inapplicable to UBI images and containers are automatically skipped.

  • scap-security-guide packages updated to version 0.1.43.  The scap-security-guide packages have been updated to version 0.1.43 in this update. This version of the scap-security-guide packages provides several bug fixes and enhancements over the previous version.

  • shadow-utils packages updated to version 4.6.  The shadow-utils packages have been updated to version 4.6 in this update. This version of the shadow-utils packages provides several bug fixes and enhancements over the previous version, including the new newuidmap and newgidmap commands for manipulating namespace mapping for UID and GID.

  • tangd_port_t SELinux type added.  Oracle Linux 7 Update 7 includes the tangd_port_t SELinux type. This SELinux type enables the tangd service to run as confined while in SELinux enforcing mode, which simplifies the configuration of a Tang server to enable listening on a user-defined port, while preserving the security level that SELinux provides when in enforcing mode.
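
The following script is an added example, not part of the original release notes, that shows one way to move a Tang server to a user-defined port while tangd stays confined in enforcing mode. The port value 7500 and the drop-in file name port.conf are assumptions chosen for illustration; run the script as root with the port as its argument.

```bash
#!/bin/bash
# Added example: label a user-defined TCP port as tangd_port_t and point
# tangd.socket at it. Port 7500 and the file name port.conf are sample values.

# Return 0 only for a decimal TCP port in the range 1-65535 (no leading zeros).
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Print the systemd drop-in for tangd.socket. The empty ListenStream= line
# clears the packaged listener so that only the new port stays open.
tang_socket_dropin() {
    valid_port "$1" || return 1
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$1"
}

# Apply the change. Requires root, policycoreutils-python and the tang package.
configure_tang_port() {
    local port=$1 dir=/etc/systemd/system/tangd.socket.d
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }

    # Add the port to tangd_port_t; if a record already exists, modify it.
    semanage port -a -t tangd_port_t -p tcp "$port" 2>/dev/null ||
        semanage port -m -t tangd_port_t -p tcp "$port" || return 1

    mkdir -p "$dir" || return 1
    tang_socket_dropin "$port" > "$dir/port.conf" || return 1
    systemctl daemon-reload
    systemctl restart tangd.socket || return 1

    # Checks: the port carries the tangd label and SELinux is still enforcing.
    semanage port -l | grep -w tangd_port_t
    [ "$(getenforce)" = "Enforcing" ] ||
        echo "warning: SELinux is not in enforcing mode" >&2
}

# Only act when a port is given, for example: ./tang-port.sh 7500
if [ "$#" -gt 0 ]; then
    configure_tang_port "$1"
fi
```

If a host firewall is active, the chosen port must also be opened there before clients can reach the Tang server.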