Edition 5
Table 1.1. Red Hat Enterprise Linux 6 International Languages
| Territory | Language | Locale | Fonts | Package Names |
|---|---|---|---|---|
| China | Simplified Chinese | zh_CN.UTF-8 | AR PL (ShanHeiSun and Zenkai) Uni | fonts-chinese, scim-pinyin, scim-tables |
| Japan | Japanese | ja_JP.UTF-8 | Sazanami (Gothic and Mincho) | fonts-japanese, scim-anthy |
| Korea | Hangul | ko_KR.UTF-8 | Baekmuk (Batang, Dotum, Gulim, Headline) | fonts-korean, scim-hangul |
| Taiwan | Traditional Chinese | zh_TW.UTF-8 | AR PL (ShanHeiSun and Zenkai) Uni | fonts-chinese, scim-chewing, scim-tables |
| Brazil | Portuguese | pt_BR.UTF-8 | standard latin fonts | |
| France | French | fr_FR.UTF-8 | standard latin fonts | |
| Germany | German | de_DE.UTF-8 | standard latin fonts | |
| Italy | Italian | it_IT.UTF-8 | standard latin fonts | |
| Russia | Russian | ru_RU.UTF-8 | KOI8-R, fonts-KOI8-R-100dpi, fonts-KOI8-R-75dpi and xorg-x11-fonts-cyrillic | fonts-KOI8-R, fonts-KOI8-R-100dpi, fonts-KOI8-R-75dpi, xorg-x11-fonts-cyrillic |
| Spain | Spanish | es_ES.UTF-8 | standard latin fonts | |
| India | Assamese | as_IN.UTF-8 | Lohit Bengali | fonts-bengali, scim-m17n, m17n-db-assamese |
| | Bengali | bn_IN.UTF-8 | Lohit Bengali | fonts-bengali, scim-m17n, m17n-db-bengali |
| | Gujarati | gu_IN.UTF-8 | Lohit Gujarati | fonts-gujarati, scim-m17n, m17n-db-gujarati |
| | Hindi | hi_IN.UTF-8 | Lohit Hindi | fonts-hindi, scim-m17n, m17n-db-hindi |
| | Kannada | kn_IN.UTF-8 | Lohit Kannada | fonts-kannada, scim-m17n, m17n-db-kannada |
| | Malayalam | ml_IN.UTF-8 | Lohit Malayalam | fonts-malayalam, scim-m17n, m17n-db-malayalam |
| | Marathi | mr_IN.UTF-8 | Lohit Hindi | fonts-hindi, scim-m17n, m17n-db-marathi |
| | Oriya | or_IN.UTF-8 | Lohit Oriya | fonts-oriya, scim-m17n, m17n-db-oriya |
| | Punjabi | pa_IN.UTF-8 | Lohit Punjabi | fonts-punjabi, scim-m17n, m17n-db-punjabi |
| | Tamil | ta_IN.UTF-8 | Lohit Tamil | fonts-tamil, scim-m17n, m17n-db-tamil |
| | Telugu | te_IN.UTF-8 | Lohit Telugu | fonts-telugu, scim-m17n, m17n-db-telugu |
procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
reserved_blocks
/proc/<pid>/comm and /proc/<pid>/task/<tid>/comm files
efi_no_storage_paranoia
int_pln_enable
nfsd.nfs4_disable_idmapping
pci kernel parameter can be used in Red Hat Enterprise Linux 6.5:
pcie_bus_tune_off—disables PCIe maximum payload size (MPS) tuning and uses the BIOS-configured MPS default values.
pcie_bus_safe—sets every device MPS to the largest value supported by all devices below the root complex.
pcie_bus_perf—sets the device MPS to the largest allowable MPS based on its parent bus.
pcie_bus_peer2peer—sets every device's MPS to 128B, which every device is guaranteed to support.
smbios_26_uuid
tsc_init_debug
usbcore.usbfs_memory_mb
tcp_limit_output_bytes
tcp_limit_output_bytes controls the TCP Small Queue limit per TCP socket.
tcp_challenge_ack_limit
tcp_challenge_ack_limit limits the number of challenge acknowledgements sent per second, as recommended in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks).
accept_ra
accept_ra boolean allows for accepting router discovery messages (also known as router advertisements).
cookie_hmac_alg
cookie_hmac_alg is used to select the keyed-hash message authentication code (HMAC) algorithm used when generating the cookie value sent by a listening SCTP socket to a connecting client in the INIT-ACK chunk. Valid values are:
nf_conntrack_acct
nf_conntrack_acct boolean enables connection tracking flow accounting.
nf_conntrack_buckets
nf_conntrack_buckets determines the size of the hash table. If it is not specified as a parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets, but the hash table will never have fewer than 32 or more than 16384 buckets.
nf_conntrack_checksum
nf_conntrack_events_retry_timeout
merge_across_nodes
merge_across_nodes parameter specifies if pages from different NUMA nodes can be merged. When set to 0, Kernel SamePage Merging (KSM) merges only pages which physically reside in the memory area of the same NUMA node. 1 is the default value and merging across nodes is performed as in earlier releases.
be2iscsi driver has been upgraded to the latest upstream version.
megaraid_sas driver has been upgraded to version 6.600.18.00.
BFA driver has been updated to version 3.2.21.1.
NVMe driver has been added to Red Hat Enterprise Linux 6.
vxlan, driver has been updated.
qlcnic driver as a Technology Preview.
BNA driver has been updated to version 3.1.2.1.
ixgbevf driver has been updated to the latest upstream version.
igbvf driver has been updated to the latest upstream version.
bnx2x driver has been updated to version 1.78.17-0.
be2net driver has been updated to version 4.6.x.
qlcnic driver has been updated to add support for QLogic 83XX CNA adapter.
e1000e driver has been updated to the latest upstream version.
tg3 driver has been updated to include various bug fixes and new features, including hardware PTP support.
sfc driver has been upgraded to upstream version 3.2 and includes hardware accelerated receive flow steering (RFS).
igb driver has been updated to version 4.1.2 to include software time stamping support.
qlge driver has been updated to version 1.00.00.32.
hpilo driver has been upgraded to the latest upstream version.
O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
Btrfs is still experimental
keepalived daemon implements a set of health checkers to load-balanced server pools according to their state. The keepalived daemon also implements the Virtual Router Redundancy Protocol (VRRP), allowing router or director failover to achieve high availability.
mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
virtio-win component, BZ#1001981
qemu-kvm component
fence-agents component
fence_scsi fencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations:
fence_scsi on an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.
matahari component
distribution component
fence-virt component
openscap component
dracut component
biosdevname=0 installation parameter to avoid biosdevname naming in this case.
dracut component
biosdevname=1 by default, the installation completes successfully, but the system will not be able to mount the rootfs partition after reboot. This is because of a bug in Dracut where the boot network interface is not brought up if biosdevname naming is used. In order to install and reboot the system successfully in this case, use the biosdevname=0 installation parameter to avoid biosdevname naming.
anaconda component
ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025
Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
/boot volume on an encrypted volume.
anaconda component
sdc instead of sda).
kernel component
em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
anaconda component, BZ#623261
clearpart --initlabel kickstart command. Adding the --all switch—as in clearpart --initlabel --all—ensures disks are cleared correctly.
anaconda component
yaboot component, BZ#613929
anaconda component
system-config-kickstart component
subscription-manager component
389-ds-base component, BZ#878111
dirsrv-<instance> log files in the /var/log/ directory due to incorrect permissions on the directory.
cpuspeed component, BZ#626893
/proc/cpuinfo or /sys/devices/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778
grub component, BZ#695951
BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708
virtio-win component
NetKVM driver through the Windows Device Manager, the old registry values are not removed. As a consequence, for example, non-existent parameters may be available.
qemu-kvm component
kernel component
New-VHD -Path .\MyDisk.vhdx -SizeBytes 5120MB -BlockSizeBytes 1MB -Dynamic
libvirt component
virsh vol-resize command options --allocate and --shrink. Use of the --shrink option will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x4)
--allocate option will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x1)
virsh vol-info command. You can shrink an existing volume by name through the following sequence of steps:
vol-dumpxml .
vol-create with the edited XML file.
vol-download and vol-upload commands to the smaller volume.
vol-delete command to remove the larger volume.
vol-clone command to restore the name from the larger volume.
vol-delete command to remove the temporary volume.
virtio-win component
Search for the best driver in these locations option because the newer and installed driver will be selected as the "best" driver. If you want to force installation of a particular driver version, use the Don't search option and the button to select the folder of the older driver. This method will allow you to install an older driver on a system that already has a driver installed.
kernel component
/var/log/messages file.
libvirt component, BZ#888635
numad component, BZ#872524
grubby component, BZ#893390
sync command before turning the guest off.
kernel component
kernel component, BZ#874406
kernel component
qemu-kvm component, BZ#871265
lahf_lm CPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.
qemu-kvm component, BZ#860929
CPU0: update failed (for patch_level=0x6000624)
virt-p2v component, BZ#816930
virt-p2v component, BZ#808820
virtio-win component, BZ#615928
libvirt component, BZ#622649
service libvirt reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
qemu-kvm component, BZ#720597
qemu-kvm component, BZ#612788
virt-v2v component, BZ#618091
virt-v2v component, BZ#678232
lvm2 component, BZ#1024347
/dev/ directory to be up-to-date with any data written to the logical volume (mainly the symlinks that are based on metadata, like the content of /dev/disk directory). The event is generated each time the device is closed after being open for writing.
device-mapper: remove ioctl on failed: Device or resource busy
OPTIONS+="watch" line in the /lib/udev/rules.d/13-dm-disk.rules file. This will cause the WATCH rule for LVM volumes to be disabled. However, this may cause the /dev/ content to be out-of-sync with actual metadata state stored on the logical volume. If LVM needs to retry the logical volume removal because it is being opened in parallel, most notably by udev as described before, it issues an error message "remove ioctl failed: Device or resource busy". If this is the case, the removal is retried several times before lvconvert fails completely.
device-mapper-persistent-data component, BZ#960284
anaconda component
/boot/efi mount point to the software RAID partition and fails with the "have not created /boot/efi" message in such a scenario.
kernel component, BZ#918647
lvchange --discard ignore <pool> command. Any discards that might be issued to thin volumes will be ignored.
kernel component
parted component
lvm2 component, BZ#852812
dracut component
echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf
mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force
lvm2 component, BZ#903411
--thinpool and --discards options are specified on logical-volume creation. To work around this problem, manually deactivate all thin volumes related to the changed thin pool prior to running the lvchange command.
kernel component
nfs module can cause the system to terminate unexpectedly if the fsx utility was run with NFSv4.1 before.
device-mapper-multipath component
multipathd service is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the multipathd service, keeping failed paths from automatically getting restored. Make sure to start multipathing by
~]# mpathconf --enable
~]# service multipathd start
~]# chkconfig multipathd on
~]# service multipathd start
multipathd will automatically start on boot, and multipath devices will automatically restore failed paths.
lvm2 component, BZ#837603
lvmetad daemon in the lvm.conf file, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the use_lvmetad parameter in lvm.conf is reset to 1 without an intervening lvmetad restart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the lvmetad daemon manually when disabling use_lvmetad in lvm.conf. The daemon can only be restarted after use_lvmetad has been set to 1. To recover from an out-of-sync lvmetad cache, execute the pvscan --cache command or restart lvmetad. To restore metadata to correct versions, use vgcfgrestore with a corresponding file in /etc/lvm/archive.
lvm2 component, BZ#563927
~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
kernel component, BZ#606260
lvm2 component
pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>
kernel component
/sys/class/net/<bridge_name>/bridge/multicast_querier file. Note that if the setting is not available, the problem should not occur.
kernel component
bcma driver causes the brcmsmac driver not to load automatically when the bcma driver scans for devices. This causes the kernel not to load the brcmsmac module automatically on boot. Symptoms can be confirmed by running the lspci -v command for the device and noting the driver to be bcma, not brcmsmac. To load the driver manually, run modprobe brcmsmac on the command line.
389-ds-base component
dirsrv service will stop responding to new incoming client requests. A restart of the dirsrv service is required to restore service.
kernel component, BZ#1003475
]# echo 1 > /sys/class/fc_host/host/issue_lip
]# modprobe -r bfa && modprobe bfa
anaconda component, BZ#984129
asknetwork installation parameter and provide a "dummy" static IP address to the corresponding network interface of the iSCSI function. This prevents Anaconda from entering an infinite loop and allows it to request the iSCSI offload function to perform DHCP acquisition instead.
iscsi-initiator-utils component, BZ#825185
kernel component
igb link is up, the following ethtool fields display incorrect values as follows:
linuxptp component
samba4 component, BZ#878168
ipa trust-add command will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
kernel component
sysfs vport_delete interface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the fcoe service is stopped, in the shutdown sequence.
kernel component
bfa driver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the bfa driver with a Linux FCoE target.
NetworkManager component, BZ#896198
GATEWAY setting in the /etc/sysconfig/network file causes NetworkManager to assign that gateway to all interfaces with static IP addresses, even if their configuration did not specify a gateway or specified a different gateway. Interfaces have the incorrect gateway information and the wrong interface may have the default route. Instead of using GATEWAY in /etc/sysconfig/network to specify which interface receives the default route, set DEFROUTE=no in each ifcfg file that should not have the default route. Any interface connected using configuration from an ifcfg file containing DEFROUTE=no will never receive the default route.
kernel component
Could not set up I/O space
kernel component
fcoe-target service while the Fibre Channel over Ethernet (FCoE) can lead to a kernel crash. Please minimize FCoE traffic before stopping or restarting this service.
fcoe-utils component
ifconfig eth0 down
ifconfig eth0 up
sleep 5
dcbtool sc eth0 dcb on
sleep 5
dcbtool sc eth0 pfc e:1 a:1 w:1
dcbtool sc eth0 app:fcoe e:1 a:1 w:1
service fcoe restart
libibverbs component
ibv_ud_pingpong command was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the max packet size that can be used with UD is 4012 bytes.
bind-dyndb-ldap component
A/AAAA records for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either rndc reload or service named restart.
selinux-policy component
nmbd service from writing into the /var/, which breaks NetBIOS name resolution and leads to SELinux AVC denials.
kernel component
kernel component
/etc/sysconfig/network-scripts/ifcfg-<interface> file:
LINKDELAY=10
NetworkManager component, BZ#758076
samba component
ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
kernel component
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/site/solutions/53031.
kernel component
ipsec daemon, error messages about modules being in use can occur.
openssl component, BZ#1022002
corosync component
lvm2 component, BZ#814779
lvmetad at the moment. If global/use_lvmetad=1 is used together with global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overridden to 0 and lvmetad is not used in this case at all. Also, the following warning message is displayed:
WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.
ipa component, BZ#1024744
ipa component, BZ#1024959
ipa component, BZ#1009102
--sizelimit parameter is used for the CLI permission-find command. The permission is still accessible using the command line when the --sizelimit option is not specified. To work around this problem, run the following command on the server to trigger the DNS permission update process again and fix the list of permission object classes:
]# ipa-ldap-updater --ldapi /usr/share/ipa/updates/40-dns.update
ipa component, BZ#1015481
]$ ipa user-show admin
ipa: ERROR: Unknown option: no_members
ipa component, BZ#1016042
re-initialize command causing the MemberOf task to fail with an error under certain circumstances. When the ipa-replica-manage re-initialize command is run for a Windows Synchronization (WinSync) replication agreement, it succeeds in the re-initialization part, but fails during execution of the MemberOf task which is run after the re-initialization part. The following error is returned:
Update succeeded Can't contact LDAP server
sssd component, BZ#995737
ldap_rootdse_last_usn = attr_name
ldap_entry_usn = attr_name
ipa component, BZ#983237
.ldaprc), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some of the parts of the Active Directory Integration feature, a crash of samba daemon (smbd) can occur or the user will be unable to use the feature. To work around this problem, remove any user default settings related to LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
ipa component, BZ#894388
ipa component, BZ#894378
Add Automount Keys permission which cannot be modified.
ipa component, BZ#817080
ipa-server-install --uninstall command. This will cause a subsequent re-installation to fail with an unexpected error.
sssd component, BZ#892604
sssd component, BZ#891647
enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.
ipa component, BZ#888579
sssd component, BZ#785877
krb5 component
/dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.
ipa component, BZ#887193
guest_u:s0) used when no custom rule matches is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.5 can be assigned this overly constraining SELinux user, in which case a login through a graphical session would always fail. To work around this problem, change the overly constraining default SELinux user in the Identity Management server from guest_u:s0 to a more relaxed value, unconfined_u:s0-s0:c0.c1023:
kinit admin
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
ipa component, BZ#761574
Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
~]# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux
ipa component
upgrade.log file:
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
sssd component
user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory, however only the default format, user@DOMAIN, is supported.
sssd component, BZ#805921
getent group groupname command. This can be caused by an incorrect ldap_schema in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute which contains the name of the users that are members. In an RFC 2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember) which contains the DN of the user or group that is a member of this group. RFC 2307bis allows nested groups to be maintained as well.
ldap_schema = rfc2307bis in the sssd.conf file,
/var/lib/sss/db/cache_DOMAINNAME.ldb file,
ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.
O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.
ipa passwd command. When reset, user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
netgroup-find option to search for external hosts.
filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063
ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, and defaults to False if it is not explicitly specified.
sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
ipa-server-install without the --ip-address option and pass the IP address interactively.
/etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
sssd component
libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute.
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
/var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file
/var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314
memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
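A check for the malformed group entries described in the two sssd notes above, as an added example that is not part of the original notes or of SSSD: it scans an LDIF export of the directory for memberUID values that pack more than one name into a single value. The sample LDIF, the function names and the choice of comma and whitespace as separators are assumptions made for this illustration.

```python
import base64
import re

# Constructed sample LDIF (not from the original page): one well-formed group,
# one group with two users packed into a single memberUid value, and one
# base64-encoded value that is folded across two lines.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 5000
memberUid: alice
memberUid: bob

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
gidNumber: 5001
memberUid: user1,user2
memberUid: carol

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
gidNumber: 5002
memberUid:: dXNlcjMs
 IHVzZXI0
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*):(:?)[ ]*(.*)$")
SEPARATORS = re.compile(r"[,\s]+")  # assumption: names are split by comma or whitespace


def unfold(ldif_text):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attr(line):
    """Return (name, value) for 'name: value' or 'name:: <base64>', else None."""
    match = ATTR_LINE.match(line)
    if match is None:
        return None
    name, is_base64, value = match.groups()
    if is_base64:
        value = base64.b64decode(value).decode("utf-8", "replace")
    return name, value


def find_packed_member_uids(ldif_text):
    """Return (dn, raw_value, names) for every memberUid value that is not one bare name."""
    findings = []
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        parsed = parse_attr(line)
        if parsed is None:
            continue
        name, value = parsed
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "memberuid":
            names = [part for part in SEPARATORS.split(value) if part]
            # Flag empty values, several names, or stray separators around one name.
            if len(names) != 1 or names[0] != value:
                findings.append((dn, value, names))
    return findings


if __name__ == "__main__":
    for dn, value, names in find_packed_member_uids(SAMPLE_LDIF):
        print(f"{dn}: memberUid {value!r} should be {len(names)} separate values: {names}")
```

Entries it reports should be corrected in the directory, each name as its own memberUID value, before the SSSD cache is rebuilt.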
6ComputeNode subscription.
sssd component, BZ#741264
[domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
kernel component
kernel component
kernel component
sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component
bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component
UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
trace-cmd component
trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
report, does not work on IBM System z systems. This is due to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
libfprint component
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
mpt2sas driver is "Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
kernel component
grubby component
kexec-tools component
kernel component
?mem_max are not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of ?mem_max to be equal across all Red Hat Enterprise Linux systems in the network.
kabi-whitelists component
radix_tree_gang_lookup_slot symbol. Consult Symantec should you require a workaround for this issue.
kernel component
kernel component
iscsi_firmware parameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
kernel component
vmalloc=256MB
kernel component
open(2) system call), then the device is closed (via the close(2) system call), and the /dev/disk/by-id link for the device may be removed. When the problem on the device that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel component
mpt2sas driver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.
kernel component, BZ#745713
nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 parameter in it.
kernel component
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
disable_mtrr_trim kernel command line option.
kernel component
perf record command becomes unresponsive when specifying a tracepoint event and a hardware event at the same time.
kernel component
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel component
select() call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
kernel component
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
bfa driver.
kernel component
scsi devices. It is usually triggered when a large amount of I/O operations are pending on the controller in the first kernel before performing a kdump.
kernel component, BZ#679262
/proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component
nomce kernel boot option, which disables machine check error reporting, or the mce=ignore_ce kernel boot option, which disables correctable machine check error reporting.
kernel component
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
pci=bfsort parameter to the kernel command line, and check again.
kernel component
netxen_nic is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component
vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component
vmcore through the network using the Intel 82575EB ethernet device in a 32-bit environment causes the networking driver to not function properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component

```sh
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/

case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
```
kernel component
nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
nmi-watchdog, use the following command
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
BUG: NMI Watchdog detected LOCKUP and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
vmcore via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
kernel component, BZ#587909
kernel component
nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter nmi_watchdog=1 is not supported.
kernel component
pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
gnome-panel component, BZ#1017631
xorg-x11-drv-intel component, BZ#889574
xorg-x11-drv-synaptics component, BZ#873721
firefox component
about:config into the URL bar and press the Enter key.
true for the boolean value and then press the button.
wacomcpl component, BZ#769466
acroread component
kernel component, BZ#681257
fprintd component
evolution component
anaconda component
xorg-x11-server component, BZ#623169
ssh-keygen component
“-4w:+4w” (valid from four weeks ago to four weeks from now)
perl-WWW-curl component
freerdp component, BZ#988277
--plugin rdpsnd option with the xfreerdp command without specifying which plug-in should be used; the pulseaudio plug-in will be used automatically in this case.
coolkey component, BZ#906537
libreport component
Wrong settings detected for Red Hat Customer Support [..]
Login=<rhn-user> and Password=<rhn-password> credentials in the /etc/libreport/plugins/rhtsupport.conf will be used in the same way they are used by report-rhtsupport.
vlock component
libreoffice component
gnome-power-manager component
rsyslog component
SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restart
release-notes component
release-notes component
Bug Fixes
Enhancements
Bug Fixes
boot.iso and it was not possible to install packages included in it. With this update, anaconda has been modified to include devices with ISO 9660 formatting, and to configure any device as a source repository if this device contains the /repodata/repomd.xml file. As a result, anaconda now recognizes ISO on USB as expected.
loader command created the /etc/sysconfig/network file by renaming a new temporary file, which did not trigger the NetworkManager's inotify mechanism. Consequently, a hostname set by the network --hostname kickstart option could be overridden by NetworkManager with a hostname obtained through DHCP or DNS. With this update, loader has been modified to write new values directly into /etc/sysconfig/network. As a result, NetworkManager now accepts the hostname value specified in this file.
list-harddrives command has been modified not to list the /dev/srX devices in its output.
clearpart --drives and part --ondisk commands, a backtrace was returned. Consequently, installation did not finish successfully. With this update, only one set of disks is used with these commands. The user must specify multiple disks with a single clearpart command; otherwise, only the last clearpart --drives argument is used.
No free space error message was incorrectly shown instead of the appropriate No free slots dialog. With this update, the correct error message is displayed in case of incorrectly specified partitioning.
.discinfo file. Consequently, the stage2 parameter was loaded twice, increasing the boot time. With this update, anaconda has been modified to skip the check for .discinfo in rescue mode. As a result, stage2 is only loaded once, as expected.
reboot command was present in the kickstart configuration. Consequently, a manual reboot was required. This update adds support for kickstart upgrades on System z, thus fixing this bug.
XFS filesystems. This bug has been fixed, and the official limit of 100TB is now used as accepted.
autopart command did not function correctly with already defined prepboot partitions. Consequently, when using a kickstart file that contained the part command defining a prepboot partition followed by autopart, anaconda terminated unexpectedly with a segmentation fault. With this update, autopart has been modified to work correctly in the aforementioned configuration. As a result, the installation continues as expected.
/etc/zipl.conf configuration file using a set of default kernel parameters regardless of whether a fresh install or upgrade was performed. Consequently, kernel parameters added to /etc/zipl.conf by users were lost when upgrading IBM System z systems with anaconda. This update adds support for boot loader upgrades for systems with System z architecture. As a result, kernel parameters added by users to /etc/zipl.conf are preserved in the aforementioned scenario.
/etc/multipath/bindings file had an incorrect SELinux context after installation. This bug has been fixed, and /etc/multipath/bindings is now installed with the correct SELinux context.
kickstart file did not contain correct network commands for VLAN interfaces. Consequently, these commands were not reusable during the installation. This bug has been fixed, and the generated kickstart now contains reusable network commands.
tboot package is installed. AMD IOMMU is enabled when trusted boot is in use and AMD IOMMU specifications are present and enabled in the BIOS. To revert these settings, users may remove the "amd_iommu=on" kernel parameter if stability issues are encountered.
stage2 file were not activated. This behavior has been changed and bond devices can now be activated also in later stages of installation.
--hibernation option was used in the kickstart file. With this update, anaconda has been modified to accept the --hibernation option, and swap size is no longer limited to 10% of disk space when this option is specified.
/etc/ssh/sshd_config.anaconda configuration file, the sshd daemon did not start during installation on IBM System z architectures in FIPS mode. Consequently, the installation was not successful. This bug has been fixed, and sshd now runs as expected during installation in FIPS mode.
Enhancements
--driveorder option in the kickstart boot loader. It is now possible to specify disks that use the /dev/disk/by-*/ folders as arguments for --driveorder.
--ipv6gateway option to the kickstart network command, which allows specifying a default IPv6 gateway. Now, both IPv4 and IPv6 default gateways can be specified in the network kickstart command using --gateway or --ipv6gateway respectively.
hostname is specified in the kickstart configuration of a network device that uses the DHCP protocol, this hostname is passed to the dhclient utility.
automount daemon. The daemon automatically mounts file systems when in use and unmounts them when they are not busy.
Bug Fixes
Client x.x.x.x is violating the NFSv4 specification by sending a UDP/IP datagram to the NFSv4 server.
--random-multimount-selection option. Consequently, this setting was not used when mounting local file systems even when it was given. This bug has been fixed and --random-multimount-selection now works as expected.
SELinux context= option and returned a syntax error when the option was used. The master map parser has been updated to recognize SELinux context= that can now be used without complications.
libldap library was not initialized in a thread-safe manner. Consequently, when running automount, the ber_memalloc_x() function could have terminated unexpectedly with a segmentation fault. With this update, the initialization of libldap has been modified to be thread-safe and ber_memalloc_x() no longer crashes in the aforementioned scenario. (BZ#996749)
automount daemon was checking host availability and one of the network interfaces was marked "DOWN", automount terminated with a segmentation fault. With this update, a check for this case has been added and the segmentation fault no longer occurs.
automount daemon received a shutdown signal, executing the autofs reload command caused automount to stop running when multiple maps were being removed from the auto.master map. A patch has been added to fix this bug and automount no longer terminates in the described case.
automount daemon became unresponsive. The code that handled the expire thread creation has been modified to prevent the aforementioned problem.
Enhancements
TIMEOUT configuration option has been enhanced in the autofs man page. The description now explains the internal default configuration more clearly.
<key, value> format in addition to the existing informational format.
Enhancements
bond=<bondname>[:<bondslaves>:[:<options>]]
libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
ip and rtmon), which are designed to use the advanced networking capabilities of the Linux kernel.
Bug Fixes
ip monitor neigh command, the cache experienced the layer 2 network miss. Consequently, the ip monitor neigh command could not decode the miss event generated by the kernel. To fix this bug, code for neighbor cache events for entry deletion and entry miss has been back-ported from upstream, and ip monitor neigh now recognizes the cache miss event and formats it properly with a miss keyword on the output.
iproute. Users can now set up IPv6 token-only networking, optionally receiving network prefixes later.
ip utility recognizes and supports the 'vxlan' devices.
rto_min (the minimum TCP Retransmission TimeOut to use when communicating with a certain destination) was set, the ip route show command did not return correct values. A patch has been provided to fix this bug and ip route show now handles rto_min as expected.
lnstat utility wrongly referred to a non-existent directory, iproute-doc, instead of the iproute-<package version> directory. The incorrect documentation could confuse the user. To fix this bug, the file-system path has been corrected.
lnstat utility's interval option behavior and its documentation. Consequently, lnstat exited after a number of seconds instead of refreshing the view, making the interval option useless. The interval option behavior has been changed to refresh the data every N seconds, thus fixing the bug.
ip utility was mishandling netlink communication, which could cause hangs under certain circumstances. Consequently, listing network devices with the ip link show command hung in a SELinux restricted mode. With this update, the ip utility checks for the result of the rtnl_send() function before waiting for a reply, avoiding an indefinite hang. As a result, it is now possible to list network devices in a SELinux restricted environment.
tc utility documentation lacked description of the batch option. To fix this bug, the tc manual pages have been updated including the description of the batch option.
Enhancements
sysfs system did not provide the ability to inspect the non-configuration IP multicast Internet Group Management Protocol (IGMP) snooping data. Without this functionality, users could not fully analyze their multicast traffic. With this update, users are able to list detected multicast router ports, groups with active subscribers and the associated interfaces.
tc utility is instrumented from a pipe, there is no way to recognize when a subcommand has been completed. A new OK option has been added to the tc utility. Now, tc in the batch mode accepts commands on standard input (the tc -OK -force -batch command) and returns OK on a new line on standard output for each successfully completed tc subcommand.
Bug Fixes
kernel: blk: request botched
echo "1048576 1048576 4194304" >/proc/sys/net/ipv4/tcp_wmem
ERST: Could not register with persistent store
Bug Fixes
guestfs_download API or the guestfish download command is not allowed. However, libguestfs did not return an error in such a case and lost protocol synchronization instead. With this update, libguestfs now tests if the download source is a directory and returns an error message if it is.
boot.ini file to find the systemroot path. As a result, Windows guests are detected properly even if they use non-standard systemroot paths.
virt-resize fails on Windows guests that are in an inconsistent state. This update adds the description of this problem to the guestfs(3) man page.
iface parameter was used when adding a drive, libguestfs entered an infinite loop. With this update, libguestfs has been fixed to process iface parameters correctly, thus preventing the hang.
guestfs_filesystem_available(g,"xfs") function could be evaluated as true even if certain XFS functions were not available. This problem has been documented in the guestfs(3) man page.
hivex-commit command with a relative path parameter wrote to a location inaccessible to users. This command has been modified to require an absolute path or a NULL path that overwrites the original. An error message is now displayed if a relative path is passed to hivex-commit.
guestfs_cap_get_file() function that is responsible for retrieving the file capabilities has been modified to return an empty string in the described case.
guestfish command with both --remote and --add options can have unexpected results. This behavior has been documented in the guestfish(1) man page.
guestfish --remote command, the following message was displayed:
libguestfs: error: waitpid (qemu): No child processes
guestfs_sh or sh command before mounting a disk caused the guestfish utility to terminate with a segmentation fault. With this update, guestfish has been modified to verify if a file system is mounted before executing these commands, and if not, an error message is displayed. As a result, guestfish no longer crashes in the aforementioned scenario.
Bug Fixes
root [date] - failed cgroup allow path rw /dev/kqemu
With this update, libvirt no longer attempts the nonsensical cgroup actions, leaving only valid attempts in the libvirtd and audit logs.
libvirtError: XML error: missing security model when using multiple labels
With this update, if the seclabel entry already exists, a new one is no longer created, and the migration works as expected in the described scenario.
error dumping (eth3) (3) interface: Invalid argument
With this update, libvirt retries the NLM_F_REQUEST message formatted appropriately for all versions of the kernel. Now, a single libvirt binary successfully assigns SR-IOV network devices to a guest using PCI passthrough on a host running any version of Red Hat Enterprise Linux 6 kernel.
internal error Expecting VMX entry 'virtualHW.version' to be 4, 7 or 8 but found 9
This update adds VirtualHW version 9 into the list of supported versions and the aforementioned error message is no longer displayed in this scenario.
Bug Fixes
Unable to contact any of the nodes in this cluster.
No nodes from this cluster could be contacted. The status of this cluster is unknown
Enhancements
luci service will be restarted automatically.
Bug Fixes
Failed to acquire lock on /var/run/lvmetad.pid. Already running?
Internal error: Unreleased memory pool(s) found.
WARNING: The running dmeventd instance is too old
Failed to restart dmeventd daemon. Please, try manual restart
stdin: fdopen failed: Invalid argument
Enhancements
Change clustered property of all volumes groups? [y/n]
Bug Fixes
Error: could not generate the authentication key from the supplied pass phrase
As a result, the aforementioned utilities and daemons no longer crash in FIPS mode.
Enhancements
Bug Fixes
Bug Fixes
NetworkManager did not explicitly request static routes from DHCP (Dynamic Host Configuration Protocol) servers, and thus some servers would not deliver those routes. With this update, NetworkManager now requests static routes from DHCP servers when available.
Enable Wireless box in NetworkManager as the field was unresponsive. Moreover, the Enable Wireless connection option was unavailable in NetworkManager after hardware was disabled and enabled again. With this update, users can turn on the wireless connection from the GUI after their hardware is reenabled.
NetworkManager applet in some Virtual Machine (VM) configurations, left-clicking on the icon could cause the applet to terminate unexpectedly. This bug has been fixed and the applet no longer crashes in these configurations.
NetworkManager connection editor (nm-connection-editor) were not set to connect automatically, and thus had to be manually started. With this update, these connections automatically start when created by default.
GATEWAY setting in the /etc/sysconfig/network file caused NetworkManager to assign that GATEWAY to all interfaces with static IP addresses. This scenario took place even if no GATEWAY or a different one was specified for these addresses. To fix this bug, if GATEWAY is given in /etc/sysconfig/network, only configurations with a matching gateway address will be given the default route. Alternatively, the DEFROUTE=yes/no option may be used in individual configuration files to allow or deny the default route on a per-configuration basis.
vpnc program via NetworkManager with token out of synchronization, the server prompted for a next token. However, NetworkManager misinterpreted this response and reported a failed connection. With this update, a new prompt for next token code has been added to the NetworkManager-vpnc utility, thus fixing the bug.
NetworkManager attempted to replace the IPv6 default route which the kernel had added. Consequently, the kernel returned the following failure message:
'ICMPv6 RA: ndisc_router_discovery() failed to add default route.'
To fix this bug, NetworkManager no longer replaces an IPv6 default route added by the kernel.
nm-connection-editor. This was confusing for the user. The dialog checkbox information has been replaced with a more informative text, thus fixing the bug.
NetworkManager was not allowed to manage bridge, bond, or VLAN interfaces due to the missing M_BOND_BRIDGE_VLAN_ENABLED option in the /etc/sysconfig/network file, the NetworkManager connection editor (nm-connection-editor) still allowed the user to create these types of network connections. The editor now warns the user when unusable connections have been created, thus fixing the bug.
NetworkManager GUI applet (nm-applet) did not show bridge, bond, or VLAN interfaces in the menu. With this update, the nm-applet has been enhanced to show all available bond, bridge, and VLAN interfaces that are configured but not yet created.
NetworkManager now supports a much larger set of bond interface options.
NetworkManager was unable to set the mode of a bond master interface. A patch has been provided to fix this bug and the mode setting now changes according to nm-editor alterations.
NetworkManager connection editor (nm-connection-editor) did not allow setting the cloned MAC address for VLAN interfaces. A patch has been provided to fix this bug and nm-connection-editor now works as expected.
nm-online did not describe the correct usage of nm-online parameters, such as the -t option. The manual page has been updated to describe the usage of its parameters correctly.
NetworkManager wrote and saved only connection types compatible with standard ifcfg network configuration files. This bug has been fixed and other connection types, such as Bluetooth and WWAN, can now be saved as keyfiles in the /etc/NetworkManager/system-connections/ directory.
NetworkManager did not ensure a clean bridge state. With this update, NetworkManager resets bridge options and removes all bridge ports, which ensures clean bridge state on start-up with bridging support enabled.
NetworkManager GUI applet saves the value of the checkbox when connecting to WPA Enterprise networks.
NetworkManager connection editor (nm-connection-editor) disallows setting the BSSID for ad-Hoc WiFi connections, since this value is automatically chosen by the kernel.
Enhancements
NetworkManager has been enhanced to support the creation and management of Point-to-point Protocol over Ethernet (PPPoE) based connections. NetworkManager now waits a short period of time before reconnecting a PPPoE connection to ensure the peer is ready.
GATEWAY_PING_TIMEOUT configuration option has been added. This new option ensures that NetworkManager waits for a successful ping of the gateway before indicating network connectivity.
NetworkManager now reads ifcfg alias files and assigns the addresses in them to their master interface, using the alias name as the address label.
nm-connection-editor and nm-applet utilities have been created.
Bug Fixes
Stopping RPC idmapd: [ OK ]
Starting RPC idmapd: [ OK ]
Bug Fixes
Upgrade to an upstream version
Bug Fixes
SSL PKCS#11 bypass feature failed with a fatal error message. This behavior could break the semantics of certain calls, thus breaking the Application Binary Interface (ABI) compatibility. With this update, the nss package has been modified to preserve the upstream behavior. As a result, an attempt to enable SSL PKCS#11 bypass no longer fails.
httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the described scenario.
certutil -H command, which is a list of options and arguments used by the certutil utility, did not describe the -F option. This information has been added and the option is now properly described in the output of certutil -H.
pkcs11n.h header was missing certain constants to support the Transport Layer Security (TLS) 1.2 protocol. The constants have been added to the nss-util package and NSS now supports TLS 1.2 as expected.
pkcs11.txt file so that only the owner of the file could read it and write to it. This behavior overwrote other permissions specified by the user. Consequently, users were prevented from adding security modules to their own configuration using the system-wide security databases. This update provides a patch to fix this bug. As a result, NSS preserves the existing permissions for pkcs11.txt and users are now able to modify the NSS security module database.
softoken cryptographic module did not ensure whether the freebl library had been properly initialized before running its self test. Consequently, certain clients, such as the Lightweight Directory Access Protocol (LDAP) client, could initialize and finalize NSS. In such a case, freebl was cleaned up and unloaded. When the library was loaded again, an attempt to run the test terminated unexpectedly causing client failures such as Transport Layer Security (TLS) connection errors. This bug has been fixed and softoken now correctly initializes freebl before running self tests. As a result, the failures no longer occur in the described scenario.
Bug Fixes
It is recommended that your private key files are NOT accessible by others.
It is required that your private key files are NOT accessible by others.
Bug Fixes
digest algorithm not supported
This bug has been fixed and Openswan now recognizes these certificates and sets up a connection correctly.
Bug Fixes
PamConfig object class. Consequently, new features for PAM (Pluggable Authentication Module), such as configuration of multiple instances and pamFilter attribute, could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the PamConfig object class as expected. As a result, the new features now function properly.
modify_update_last_modified_attr() function. The size of these leaks averaged between 60-80 bytes per modify call, which could cause problems in environments with frequent modify operations. With this update, memory leaks no longer occur in the modify_update_last_modified_attr() function.
Directory Server (DS) was not able to replace multi-valued attributes for new values that differed from the old ones only in the letter case. Consequently, a code 20 error message was displayed:
Type or value exists
DS has been modified to correctly process modification requests, and the letter case of attribute values can now be changed without complications.
DNA (Distributed Numeric Assignment) plug-in logged messages with the DB_LOCK_DEADLOCK error code when attempting to create an entry with a uidNumber attribute. This bug has been fixed and DNA now handles this case properly and errors are no longer logged in the aforementioned scenario.
Posix Winsync plug-in was unnecessarily calling the internal modify() function. This internal modify() call failed and logged the following message:
slapi_modify_internal_set_pb: NULL parameter
Posix Winsync has been fixed and no longer calls modify(). As a result, the aforementioned message is no longer logged.
/etc/dirsrv/slapd-dstet-mkubik/dse.ldif file was written with 0 bytes after a server termination or when the system was powered off. Consequently, after the system restart, the DS or IdM system sometimes did not start, leading to production server outages. The server mechanism by which dse.ldif is written has been modified, and server outages no longer occur in the described case.
ns-slapd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed and removal of tombstone entries no longer causes ns-slapd to crash.
schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under a heavy load could have caused the ns-slapd process to terminate unexpectedly with a segmentation fault. With this update, schema-reload has been modified to be thread-safe, and schema-reload.pl can be now executed along with other LDAP operations without complications.
DNA (Distributed Numeric Assignment) plug-in, a deadlock occurred when DNA operation was executed along with other plug-ins. This update moves the release timing of the problematic lock, and DNA no longer causes the deadlock in the aforementioned scenario.
modrdn operation to terminate unexpectedly with a segmentation fault. This update modifies the declaration of the local variable so it does not get out of scope. As a result, modrdn operations no longer crash.
cleanallruv task with the replica-force-cleaning option enabled did not remove all configuration attributes. Consequently, the task was initiated each time the server was restarted. With this update, the cleanallruv search mechanism has been modified, and cleanallruv no longer restarts when the server is restarted.
Acl plug-in, when using the getEffectiveRights request on a non-existing entry, a NULL pointer dereference could have occurred. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, Acl has been modified to check for NULL entry pointers. As a result, the server no longer crashes and an appropriate error message is now displayed when using getEffectiveRights request on a non-existing entry.
sasl_io buffer, SASL connections could have been refused by the server. With this update, the buffer size has been increased to 65,536 bytes. Moreover, users can increase this value with the nsslapd-sasl-max-buffer-size setting. As a result, SASL connections are now accepted without complications.
Directory Server could have encountered a race condition in the connection handling code. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, code that updates the connection objects has been moved into the connection mutex object. As a result, Directory Server does not crash under high loads.
Directory Server received a large number of asynchronous search requests, some of the requests terminated with error 53:
LDAP_UNWILLING_TO_PERFORM
Directory Server safely handles intensive asynchronous search requests.
str2entry_dupcheck() function was called instead of the more appropriate str2entry_fast() function. This behavior has been changed and str2entry_fast() is now called in the described scenario.
Directory Server. Consequently, an LDAP protocol error was returned. With this update, Directory Server has been modified to handle sequences of zero length correctly, thus preventing the error.
Directory Server processed only the LDAP request. With this update, Directory Server has been modified to process all listener requests at the same time.
Directory Server (DS) encountered an error while it processed a startTLS request, the server attempted to write a response back to the client. Consequently, DS became unresponsive. With this update, DS has been modified to correctly process startTLS requests even in case of network errors. As a result, DS no longer hangs in the aforementioned scenario.
backlog parameter of the listen() function was set to "128". Consequently, if the server processed a large amount of simultaneous connection requests, the server could have dropped connection requests due to exceeded backlog size. With this update, a nsslapd-listen-backlog-size attribute has been added to allow the backlog size to be changed.
Directory Server did not function properly. If logging functionality was set to "critical" and logging was disabled, the rotated logs were deleted. If the attribute nsslapd-errorlog-level was explicitly set to any value, even zero, the disk monitoring feature did not stop the Directory Server as expected. This update corrects the settings of the disk monitoring feature and the server shuts down when the critical threshold is reached.
connections attribute that stores the number of currently connected clients was incorrectly incremented twice, both by the disconnect_server_nomutex() and connection_reset() function. Consequently, the attribute contained incorrect values. This bug has been fixed and connections now store the correct number of connected clients.
Directory Server (DS) used both the replication and the DNA plug-in, and the client sent a sequence of ADD or DELETE requests for the same entry, DS returned the following message:
modify_switch_entries failed
password attribute is not preserved after the Directory Server (DS) restart. Previously, an attempt to delete the password after restarting DS caused DS to terminate unexpectedly. With this update, DS has been modified to check if the password attribute exists, and if not, to skip the deletion. As a result, DS no longer crashes in the described case.
account policy plug-in to configure policies for individual users based on the createTimestamp attribute, the createTimestamp was overwritten after the consequent binding. Consequently, account policy failed to lock the user. With this update, createTimestamp is no longer modified after successful binding and account policy now locks users as expected.
Directory Server (DS) to terminate unexpectedly. With this update, DS has been modified to correctly process tombstones with modrdn, thus preventing the crash.
nsslapd-db-deadlock-policy configuration parameter has been introduced. The default value of this parameter is set to 9, which terminates the last locker in case of a deadlock. After changing this value to 6, the locker with the fewest write locks is terminated, which is advised for users who encounter frequent deadlocks.
Bug Fixes
sqlite3.Cursor.lastrowid object did not accept an insert statement specified in the Turkish locale. Consequently, when installing Red Hat Enterprise Linux 6 with the graphical installer, selecting "Turkish" as the install language led to an installation failure. With this update, sqlite3.Cursor.lastrowid has been fixed and installation no longer fails under the Turkish locale.
SysLogHandler class inserted a UTF-8 byte order mark (BOM) into log messages. Consequently, these messages were evaluated as having the emergency priority level and were logged to all user consoles. With this update, SysLogHandler no longer appends a BOM to log messages, and messages are now assigned correct priority levels.
random.py script failed to import the random module when the /dev/urandom file did not exist on the system. This led subsequent programs, such as Yum, to terminate unexpectedly. This bug has been fixed, and random.py now works as expected even without /dev/urandom.
WatchedFileHandler class was sensitive to a race condition, which led to occasional errors. Consequently, rotating to a new log file failed. WatchedFileHandler has been fixed and the log rotation now works as expected.
SocketServer module did not handle the system call interruption properly. This caused certain HTTP servers to terminate unexpectedly. With this update, SocketServer has been modified to handle the interruption and servers no longer crash in the aforementioned scenario.
timeout=None argument to the subprocess.Popen() function caused the upstream version of the Eventlet library to terminate unexpectedly. This bug has been fixed and Eventlet no longer fails in the described case.
SSLSocket class failed to pass the automatic do_handshake() function, the connection remained open. This problem affected only Python 2 versions. The underlying source code has been fixed and the failed incoming connection is now closed properly.
libexpat.so libraries were available, Python failed to choose the correct one. This update adds an explicit RPATH to the _elementtree.so, thus fixing this bug.
urlparse module did not parse the query and fragment parts of URLs properly for arbitrary XML schemes. With this update, urlparse has been fixed and correct parsing is now assured in this scenario.
Enhancement
collections.OrderedDict data structure to the collections package. collections.OrderedDict is used in application code to ensure that the in-memory python dictionaries are emitted in the same order when converted to a string by the json.dumps routines.
Bug Fixes
qemu-kvm utility was reporting incorrect memory size on QMP (QEMU Machine Protocol) event when using Virtio Balloon Driver with more than 4 GB of memory. A patch has been provided to fix this bug, and qemu-kvm now reports the correct amount of current RAM.
qemu-kvm utility did not enable the IOeventFD feature, which caused the IOeventFD support for virtio-blk devices to be silently disabled. This update enables the IOeventFD feature, and the IOeventFD support for virtio-blk devices works as expected.
Enhancements
qemu-img rebase command has been implemented. Now, no data loss will occur when running the qemu-img rebase command.
Hyper-V virtual hard disk), image formats, as created by Microsoft Hyper-V.
GlusterFS in QEMU allows native access to GlusterFS volumes using the libgfapi library instead of through a locally mounted FUSE file system. This native approach offers considerable performance improvements.
QEMU guest agent running on the guest. These scripts can notify applications which would flush their data to the disk during a freeze or thaw operation, thus allowing consistent snapshots to be taken.
BZ#817066
Table 8.1. Upgraded packages
| Package name | Upstream version |
|---|---|
| libibverbs | 1.1.7 |
| libmlx4 | 1.0.5 |
| librdmacm | 1.0.17 |
| mstflint | 3.0 |
| perftest | 2.0 |
| qperf | 0.4.9 |
| rdma | 3.10 |
Bug Fixes
exportfs utility was used to relocate an exported share, the size of the /var/lib/nfs/rmtab file was doubled. This bug has been fixed and the /var/lib/nfs/rmtab file size is no longer doubled in the aforementioned scenario.
fs-lib.sh agent did not recognize the trailing slash ("/") character when searching for devices in the /proc/mounts file. Consequently, NFSv4 mounts were not monitored. With this update, fs-lib.sh has been modified to track the slash characters. As a result, NFSv4 mounts are managed and monitored as expected.
oracledb.sh script, when there were multiple ORACLE instances running in the same home directory, the script produced unnecessary delays. The bug has been fixed, and oracledb.sh now works without delays when multiple ORACLE instances are present in the home directory.
postgres agent needs to receive the SIGINT signal. Previously, this signal was not sent and postgres performed a hard shutdown instead of a graceful exit. This behavior has been modified, and SIGINT is now sent to postgres on shutdown to attempt a graceful exit, and after a period of time, the SIGQUIT signal is sent if the agent is still active. As a result, postgres performs graceful shutdown during the stop action.
ip.sh agent did not configure IPv6 addresses that contained upper-case letters. Consequently, a resource with such an address failed. With this update, ip.sh has been modified to be case insensitive for IPv6 addresses. As a result, IPv6 addresses with upper case letters are now configured properly by ip.sh.
fs-lib.sh script, such as ip.sh, ignored the self_fence option when the force_unmount option was enabled. Consequently, the configured self_fence option was not enabled. This bug has been fixed and self_fence is accepted regardless of force_unmount.
mount utility has been changed from previous error to more appropriate debug level.
/var/lib/nfs/statd/sm/ directory, the rpc.statd daemon was unable to start. This problem only appeared if the cluster included NFS mounts. This update modifies how files are copied to the /var/lib/nfs/statd/sm/ directory, so that the SELinux context is inherited from the target directory. As a result, rpc.statd can now be started without complications.
autofs maps are used for network storage, agents for cluster file systems ("fs") such as netfs.sh, fs.sh, or clusterfs.sh require the use_findmnt option set to 'false'. Previously, when use_findmnt was set incorrectly, and autofs maps became unavailable, the rgmanager services with "fs" resources consequently became unresponsive until the network was restored. The underlying source code has been modified and rgmanager services no longer hang in the aforementioned scenario.
lvm.sh agent was unable to accurately detect a tag represented by a cluster node. Consequently, the active logical volume on a cluster node failed when another node rejoined the cluster. With this update, lvm.sh properly detects whether tags represent a cluster node. As a result, when nodes rejoin the cluster, the volume group no longer fails on other nodes.
tomcat-6 service were used as cluster resources, the TOMCAT_USER setting in custom /conf/tomcat6.conf configuration files was ignored. Consequently, each instance always started with TOMCAT_USER set to root. This bug has been fixed, and TOMCAT_USER is now applied properly in the described case.
tomcat.conf configuration file for a tomcat-6 resource was stored on a shared storage resource that became unavailable, the subsequent stop operation on tomcat-6 failed. This bug has been fixed, and tomcat-6 can now be successfully stopped when tomcat.conf is not readable.
fs.sh or clusterfs.sh, required usage of the /tmp directory during status monitoring. If this directory became full after mounting the file system, the monitor action failed even though the file system was correctly mounted. The /tmp directory is no longer used during file system monitors, thus fixing this bug.
lvchange --deltag command at the same time and corrupt the LVM headers. With this update, LVM headers do not become corrupt even when rgmanager starts on two nodes at the same time.
Enhancements
oracledb, orainstance, and oralistener resource agents.
update-source option to the named.sa agent. With this option enabled, it is possible to set the notify-source, transfer-source, and query-source to the service cluster IP.
/usr/share/cluster/orainstance.sh script has been moved from the /tmp/ directory to /var/tmp/.
TNS_ADMIN variable has been added to the oracledb.sh cluster script. This variable is a standard Oracle feature to set a specific path to the listener configuration file.
Bug Fixes
ziomon utility did not follow symbolic links to find multipath devices in the /dev/mapper/ directory. Consequently, the multipath devices could not be found. The bug has been fixed with this update so that ziomon now follows the symbolic links and the multipath devices can be found as expected.
dbginfo.sh utility collects various data from the system for debugging purposes. Previously, certain runtime data were missing from the dbginfo.sh output and the underlying source code was not coherent. As a consequence, incomplete information was provided and the utility performance was decreased. In addition, in certain cases, dbginfo.sh failed to detect if the debugfs file system had been mounted. The code has been unified and calls to additional utilities and commands have been added to improve collecting data. Also, dbginfo.sh now collects data from additional configuration and log files.
ziorep_config configuration report is supposed to ignore Small Computer System Interface (SCSI) disks that are not part of the multipath devices when creating the multipath mapper report. Previously, ziorep_config failed to correctly ignore SCSI disks, which were not a part of a multipath device. Now, when no multipath device is found for a SCSI disk, such a disk is skipped in the output.
sysfs_getUnitsFromPort() function only searched the Small Computer System Interface (SCSI) device directory for devices using the scsi_generic:sg* layout. This layout is deprecated and available only if the CONFIG_SYSFS_DEPRECATED[_V2] option is set in the kernel configuration. Consequently, the function did not work properly. With this update, the function has been modified to search for devices using also the scsi_generic/sg* layout so that it now works as expected.
dbginfo.sh source code, the collection of the sysfs tree took a long time and logs were not written serialized, but were mixed up. Also, some information was missing from the generated file, because the utility did not collect information from all necessary configuration files. With this update, the underlying source code has been improved to fix these problems and dbginfo.sh now works as expected.
dbginfo.sh utility collects various data from the system for debugging purposes. Previously, the collected information from the system did not provide enough data about cryptographic adapters. The dbginfo.sh has been modified to collect information providing further information about the adapters.
sysfs file system could potentially block the dbginfo.sh utility. Consequently, the utility became unresponsive in such a case. This bug has been fixed so that the trace pipes no longer block dbginfo.sh. As a result, the utility no longer hangs in the described scenario.
zgetdump utility did not allocate enough memory for the CPU ELF notes. Consequently, on systems with many CPUs, the following error was returned:
zgetdump: Internal Error: hdr_size=28512 alloc_size=26624
With this update, the utility has been modified to allocate enough memory for the ELF notes and the error is no longer returned.
--force option for the Direct Access Storage Device (DASD) multi-volume dump had been specified and the dump partition was modified afterwards, the dump failed with an error. With this update, the correct even address is loaded and the option works as expected.
Enhancements
makedumpfile command. This feature allows users to provide a problem analysis without shutting down the system.
safe offline option to ensure that all outstanding write requests are completed before setting the device offline.
Bug Fixes
Winbind service (winbindd) was under a heavy load to authenticate a large amount of Active Directory (AD) users, it was possible that it used 100% of the CPU and stopped the user authentication. This update provides a patch to improve the connection handling significantly, and winbindd no longer stops the user authentication in the described scenario.
net ads keytab add command always converted characters in the service principal name (SPN) into uppercase characters. Consequently, several Kerberos services were not able to find their tickets. With this update, SPN is no longer converted into uppercase characters and Samba works as expected.
smbd daemon to terminate with a segmentation fault. Consequently, the client was disconnected. With this update, the underlying source code has been adapted to verify that the pointer is valid before attempting to dereference it. As a result, smbd no longer crashes in this situation.
smbstatus command, the locked files were missing from the command output. The underlying source code has been modified to fix this bug and non-root users are now able to display the locked files as expected.
winbind daemon was not informed when its child process had successfully connected to a domain controller. As a consequence, the Network Data Representation (NDR) cache entries never expired and therefore the entries could not be updated. With this update, the winbind child process notifies the main winbind process when it connects to a domain controller. As a result, the cache is now updated as expected.
Enhancement
smbd daemon expected the old printing databases of Samba 3.5 to be in the UTF-8 format. However, the databases could be also in a different format, for example in Latin-1. Consequently, smbd could not migrate the database in this case. This update enhances the net utility, which is used for administration of Samba and remote CIFS servers, to be able to encode the database correctly and convert it to UTF-8. As a result, smbd can now migrate the databases as expected.
Bug Fixes
AWStats utility was configured to purge httpd log files, AVC messages were generated due to missing SELinux policy rules for this setup. To fix this bug, the awstats_purge_apache_log_files Boolean was added. When enabled, the Boolean allows AWStats to purge the log files. Thus, the AVC messages are no longer returned.
httpd daemon did not have permissions for searching the /var/lib/cobbler/webui_sessions/ directory. Consequently, the user was not able to log into the Cobbler Web User Interface (UI). With this update, the SELinux policy has been updated and the user is now able to use the Cobbler Web UI as expected.
postfix service occurred:
postfix service was unable to connect to the MySQL database.
sysadm_u SELinux user was not able to execute the postqueue -p command correctly.
postfix daemon was not able to list the content of the /tmp/ directory.
postfix-master binary was not able to execute the postfix-policyd-spf-perl Postfix server.
postfix now works as expected in the described scenarios.
/usr/local/bin/x11vnc file was missing. Consequently, SELinux in enforcing mode blocked the GNOME Display Manager (GDM) and the X.Org implementation of the X Window System from executing the x11vnc server utility. The xserver_exec_t security context for the file has been added to the SELinux policy and GDM and X.Org now work correctly in the described scenario.
sysstat utility was unable to write a device label when generating data for the sar command. With this update, the SELinux policy has been updated to allow sysstat to work correctly.
/bin/yum-builddep file was missing. Consequently, SELinux in enforcing mode returned an error after installation of the sendmail package using the yum-builddep command. The security context has been updated to rpm_exec_t and the installation using yum-builddep now proceeds as expected.
df_inode plug-in of the Munin utility caused AVC messages to be returned. The policy rules have been updated and the plug-in now works as expected.
tgtd daemon occurred due to insufficient SELinux policy rules:
tgtd daemon was not able to connect to the TCP port 3205 when it was running on a server together with the iSNSd daemon. Consequently, tgtd failed to discover the Internet Storage Name Service (iSNS) target.
tgtd daemon failed to access the /dev/infiniband/uverbs0 device due to missing SELinux labeling for the device.
SYS_RAWIO, SYS_ADMIN and IPC_LOCK capabilities were missing.
tgtd daemon failed to access the /dev/sg0 device.
tgtd now works as expected in the described scenarios.
udev rule restarted the ktune services for each new device. This could lead to many restarts in a short period of time. The multiple restarts could trigger a race condition in the kernel, which cannot be currently fixed. The tuned daemon code has been modified not to trigger more than one restart per 10 seconds, thus preventing the race condition from occurring.
cgrulesengd daemon attempted to use the inotifyfs scripts for monitoring file-system changes, SELinux denied the daemon access to the scripts due to the insufficient SELinux policy. This update adds a new SELinux policy rule to fix this bug and cgrulesengd can now use inotifyfs as expected.
system-config-kdump utility occurred due to insufficient SELinux policy rules:
kexec feature running in the kdumpgui_t SELinux domain was not able to access the kcore file.
system-config-kdump was unable to write to the /boot/efi/EFI/redhat/grub.cfg file.
system-config-kdump failed to write the zipl information.
system-config-kdump now works as expected.
sudo utility due to missing SELinux policy rules. Consequently, when users used NRPE and their own Nagios plug-ins for monitoring servers, an attempt to call the status action of the init.d script for the supplied service, to determine the health of the service, failed. The appropriate SELinux policy rules have been updated so that NRPE can now use the sudo utility as expected.
/var/lock/subsys/dirsrv-admin file, an attempt to restart the Administration server using the console or the command line failed. As a consequence, AVC denial messages were returned. This update adds the proper default security context for the file and denial messages are now no longer returned.
/sbin/ip6tables file was missing. Consequently, SELinux in enforcing mode caused failures in the Shorewall utility. With this update, the security context has been updated to iptables_exec_t. As a result, Shorewall works as expected.
abrt_t SELinux domain was not allowed to make a transition to the prelink_t SELinux domain. As a consequence, the RPM verification of a package, which provided binary of a package that had terminated unexpectedly, failed during the Automatic Bug Reporting Tool (ABRT) processing. The SELinux policy has been modified to fix this bug so that the RPM verification no longer fails in the described scenario.
snmptthandler utility from performing any operations in the /var/spool/snmptt/ directory due to the incorrect security context of the directory. With this update, the context has been updated to snmpd_var_lib_t so that the utility now works as expected.
/var/spool/nagios/checkresults/ directory. This update fixes the relevant SELinux policy rules and Nagios is no longer prevented from storing the file in this directory.
/var/log/audit/audit.log file. This was because SELinux did not allow the yppus utility to connect to the Transmission Control Protocol (TCP) 111 port. With this update, the appropriate SELinux policy rules have been modified and the AVC message is no longer logged in the described scenario.
postfix agent did not work correctly. As a consequence, the postdrop utility, which was labeled with the httpd_t SELinux label, was unable to access the /var/spool/postfix/maildrop/ directory. With this update, the httpd_can_sendmail Boolean has been updated to allow postdrop to access the directory.
sanlock-helper utility was not allowed to send a SIGKILL signal to any process, which was registered to the sanlock daemon. The relevant SELinux policy rules have been modified with this update and sanlock-helper is now able to send the SIGKILL signal to the registered processes.
pegasus_t and the mount_t SELinux domains did not work correctly. Consequently, when the OpenPegasus Web-Based Enterprise Management (WBEM) services tried to retrieve information about a file system using the wbemcli utility, the access to the mount was denied by SELinux. With this update, the SELinux policy has been modified and OpenPegasus is now able to access the mount in the described scenario.
sandbox SELinux domains were not able to use inherited user terminals due to missing SELinux policy rules. With this update, the respective rules have been updated to allow sandbox domains to use these terminals.
s2s service was used in the mixed Red Hat Network Satellite and Red Hat Network Satellite Proxy environment, the following AVC message was returned in the audit.log file:
type=AVC msg=audit(1364300742.715:101611): avc: denied { name_connect } for pid=2278 comm="s2s" dest=5269 scontext=system_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
The appropriate SELinux rules have been added to fix this bug and the AVC message is no longer returned in such a case.
opasswd and the opasswd.old files were labeled with the etc_t SELinux context. However, these files included sensitive information and were supposed to be labeled with the shadow_t context. With this update, the SELinux policy has been modified and the files are now correctly labeled with shadow_t as expected.
/dev/ptp*) were incorrectly labeled with the device_t SELinux label instead of clock_device_t. This update provides a patch to fix this bug and the clock devices are now correctly labeled.
svnserve daemon from using the TCP port 3690. The appropriate SELinux policy rules have been updated and svnserve can now use the port as expected.
aide_t and the prelink_t SELinux domains was not possible. As a consequence, when SELinux was running in enforcing mode, the aide --check command executed inside a cron job did not work correctly. The respective SELinux rules have been updated to fix this bug and the command now works as expected.
mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected. In addition, the mysqld_safe SELinux policy has been modified to allow the SYS_NICE capability.
netns support, SELinux denied various operations, which caused Quantum to terminate unexpectedly. Moreover, due to a “dontaudit” rule for the operations, AVC messages were not returned unless SELinux was running in permissive mode. The appropriate SELinux policy has been fixed so that SELinux no longer denies the operations and Quantum failures no longer occur in the described scenario.
ftp_homdedir Boolean allowed certain rules that were not supposed to be allowed by the Boolean. The relevant SELinux policy has been modified and the Boolean now allows only the rules that it is supposed to.
Munin Common Gateway Interface (CGI) scripts was labeled incorrectly, and therefore ran in an incorrect SELinux domain. The file context for the scripts has been updated to httpd_munin_script_exec_t and the scripts now run in the correct SELinux domain.
/var/log/syslog-ng file was incorrectly labeled with the syslog_var_run_t SELinux security context. Consequently, when SELinux was running in enforcing mode, the logwatch utility was unable to access the file. With this update, the security context for the syslog-ng file has been modified to var_log_t and logwatch can now access the file as expected.
hald_t SELinux domain. As a result, the AVC denial messages are now no longer returned in the described scenario.
/etc/yaboot.conf file was incorrectly labeled with the etc_t SELinux security context. With this update, the security context has been changed to the bootloader_etc_t.
SETUID and SETGID capabilities were missing in the SELinux policy. As a consequence, when SELinux was in enforcing mode, the rsyslog utility was unable to drop privileges with the $PrivDropToUser and $PrivDropToGroup options. With this update, the missing capabilities have been added to the SELinux policy and rsyslog can now drop privileges as expected.
chronyd daemon from using the SYS_NICE capability. The capability is required by the sched_setscheduler() function. With this update, the SELinux policy rules have been modified to allow the daemon to use SYS_NICE.
dovecot_t SELinux domain to the oddjob_mkhomedir_t SELinux domain was not allowed. Consequently, an attempt to create a user home directory alongside with the Dovecot server and the pam_oddjob_mkhomedir module enabled failed and AVC messages were returned. The SELinux policy has been modified so that the transition is now allowed.
lldpad service from communicating with the fcoemon service. As a consequence, the user was not able to create a virtual machine in Virtual Machine Manager (virt-manager) and the following AVC message was returned:
type=AVC msg=audit(1376046443.294:69876): avc: denied { sendto } for pid=2755 comm="lldpad" path=003030303232 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket
The appropriate SELinux policy has been fixed and users are now able to create virtual machines as expected.
/var/run/vdsm/storage/ VDSM's daemon directory. As a consequence, an attempt to run such a virtual machine terminated unexpectedly with an error. With this update, the svirt_t SELinux domain has been updated to read symbolic links in the /var/run/ directory. As a result, the virtual machines no longer fail in the described scenario.
/sys/devices/system/cpu/ directory. Consequently, such domains could not get information from the directory. With this update, the relevant SELinux policy rules have been updated to allow the domains access to the /sys/devices/system/cpu/ directory.
xinetd daemon failed to execute a shell script and the following error message was returned:
xinetd[2771]: execv( /usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill.sh ) failed: Permission denied (errno = 13)
The appropriate SELinux rules have been updated to allow xinetd to execute shell scripts.
libvirt library failed with an error. With this update, the SELinux policy has been modified and QEMU processes now start as expected.
beaker jobs failed during automatic wireless testing and an AVC denied message was returned. Consequently, users were unable to use the wireless connection. The appropriate SELinux policy rules have been updated to fix this bug so that users can now use the wireless connection in the described scenario.
yppasswdd daemon on a server, the rpc.yppasswdd binary was not allowed to read the /var/run/utmp file and list the content of the /boot/ directory. The relevant SELinux policy has been updated and the daemon can now access the utmp file and the /boot/ directory as expected.
/var/run/utmp file. This update fixes the relevant SELinux policy to allow CVS to read the file as expected.
Enhancements
ftpd_use_fusefs, has been added to the SELinux policy. When enabled, this Boolean allows the GlusterFS mounts to be used for the File Transfer Protocol (FTP) data directory.
pand, haproxy, watchdog, lldpad, and openhpid daemons ran in the initrc_t SELinux domain. With this enhancement, SELinux support has been added for the daemons and they now use their own separate SELinux domains.
pacemaker resource manager did not have its own SELinux policy defined and used the initrc_t domain. With this update, all cluster administrative services including pacemaker have been merged into the cluster_t SELinux domain. In addition to this merge, all other Red Hat Cluster services have been updated to use the cluster_t domain.
git_shell_t SELinux type has been removed from the SELinux policy. With this enhancement, the updated SELinux policy for the Git control system is provided.
/var/lib/openvpn/ directory. In addition, the SELinux policy has been updated to allow OpenVPN to manage its own log files.
amavis_t, clamd_t, clamscan_t, freshclam_t SELinux domains have been merged to the antivirus_t SELinux domain.
mongod_port_t SELinux port type.
usr/lib(64)?/nagios/plugins/ directory have been updated to the nagios_unconfined_plugin_exec_t context.
tftp_use_nfs Boolean allows the Trivial File Transfer Protocol (TFTP) to read from NFS volumes for public file transfer services. The tftp_use_cifs Boolean allows TFTP to read from CIFS volumes.
qemu-ga) has been updated according to new qemu-ga features and functionality.
xattr list of supported file systems. With this enhancement, the SELinux policy has been updated accordingly.
openvpn_run_unconfined Boolean has been added to the SELinux policy. When enabled, the Boolean allows OpenVPN to execute unconfined scripts.
openstack-selinux policies has been changed from “quantum” to “neutron”.
httpd_port_t SELinux label.
Enhancements
GIMP Toolkit (GTK+) widget for SPICE (Simple Protocol for Independent Computing Environments) clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol.
Upgrade to an upstream version
Bug Fixes
polkit utility is built against newer GTK+ and GLib versions, thus it has a runtime dependency on these versions. Previously, upgrading spice-gtk without upgrading GTK+ and GLib at the same time caused applications using polkit to terminate unexpectedly on startup. With this update, the RPM dependencies have been adjusted so that spice-gtk RPMs require new enough versions of GTK+ and GLib. As a result, spice-gtk cannot be installed unless the GTK+ and GLib versions it requires are installed as well.
spice-gtk connected to the server plain port by default and succeeded only if the server provided the port. However, this prevented spice-gtk from connecting to a secure port by default. With this update, spice-gtk can connect to a secure port instead of always trying plain ports first.
spice-gtk client terminated unexpectedly. To fix this bug, cache palettes of unrendered bitmaps have been applied and the client no longer crashes in the aforementioned scenario.
spice-gtk was connecting to an unreachable host, a connection timeout error took about 2 minutes to occur. With this update, spice-gtk waits for 10 seconds only before reporting an unreachable host error.
spice-gtk did not correctly handle an indication that software Smartcard support had already been initialized. Consequently, software Smartcard support stopped working after migration or restarting a guest. As a workaround, do not disable software Smartcard support at spice-gtk connection time if libcacard reports that software Smartcard support is already initialized. With this workaround, software Smartcard support keeps working across guest reboots or migrations.
Enhancements
SPICE clients. The SPICE client now establishes the connection to the remote server through the proxy server specified by the SPICE_PROXY=host:port environment variable, or by the controller.
SPICE guest agent has support for this feature.
Bug Fixes
client_migrate_info() function was called with the cert-host-subject option specified and then was called without the option, on the third call, the option was freed for the second time. This was because the pointer was not set to NULL after it was first freed during the second call. This behavior caused the SPICE server to terminate unexpectedly with a segmentation fault. The underlying source code has been modified and the pointer is set to NULL when the cert-host-subject option is not specified. As a result, the pointer is freed only once and SPICE no longer crashes in the described scenario.
getaddrinfo() function failed with a segmentation fault. Consequently, Quick Emulator (QEMU) terminated unexpectedly. The underlying source code has been modified and QEMU no longer crashes when executing getaddrinfo().
MSG_MIGRATE message. This is not allowed and the client thus forwarded a wrong message instead of a MSG_MIGRATE_DATA message to the destination host. The destination host then aborted the migration. This update modifies the SPICE server code to ensure that only the MSG_MIGRATE_DATA message can be sent after sending MSG_MIGRATE, and the migration process now finishes successfully.
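The double free described in the client_migrate_info() fix above, reproduced as a stand-alone C example that is added here and is not SPICE source code. The struct mig_state type, the helper names and the CN= values are assumptions; a guard counts the second free() instead of performing it, so the program runs safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the server's migration state (not SPICE's struct). */
struct mig_state {
    char *cert_subject;  /* owned copy of the cert-host-subject option */
    int live;            /* 1 while cert_subject points at unfreed memory */
    int double_frees;    /* releases attempted on already-freed memory */
};
/* free() with a guard, so the demo counts the double free instead of crashing. */
static void release(struct mig_state *s) {
    if (!s->cert_subject) return;
    if (!s->live) { s->double_frees++; return; }  /* real code would free() again */
    free(s->cert_subject);
    s->live = 0;
}
static void store(struct mig_state *s, const char *subject) {
    s->cert_subject = malloc(strlen(subject) + 1);
    if (!s->cert_subject) abort();
    strcpy(s->cert_subject, subject);
    s->live = 1;
}
/* Before: the field keeps its stale address when the option is omitted. */
static void set_subject_buggy(struct mig_state *s, const char *subject) {
    release(s);
    if (subject) store(s, subject);
}
/* After: the field is reset to NULL whenever the option is not specified. */
static void set_subject_fixed(struct mig_state *s, const char *subject) {
    release(s);
    s->cert_subject = NULL;
    if (subject) store(s, subject);
}
/* Replays the three calls from the note; returns the number of double frees. */
static int replay(void (*set)(struct mig_state *, const char *)) {
    struct mig_state s = {0};
    set(&s, "CN=dst-host-1");  /* call 1: option given (constructed value) */
    set(&s, NULL);             /* call 2: option omitted, memory freed */
    set(&s, "CN=dst-host-2");  /* call 3: releases the field again */
    if (s.live) free(s.cert_subject);
    return s.double_frees;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", replay(set_subject_buggy), replay(set_subject_fixed));
    return 0;
}
```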
Enhancements
disable-agent-file-transfer option has been provided. As a result, users can now filter out the file transfer messages.
Note
Authentication token manipulation error
This message appeared to be a system error, which could confuse users. With this update, SSSD sends an additional error message that specifies the problem:
Old password not accepted
Unable to create response: Invalid argument
With this update, the sss_package_grow() function code has been fixed to properly compute the response packet length, and SSSD no longer fails in the aforementioned scenario.
Bug Fixes
Unable to connect to the graphic server
libvirtd.log file. With this update, libvirt events and callbacks are unregistered when closing the guest terminal, and I/O errors are no longer logged in the aforementioned scenario.
automatically resize option was disabled in remote-viewer and the screen resolution on the guest machine was changed, this change was not accepted and the resolution reverted back to the previous state. With this update, remote-viewer has been modified to keep monitor configuration synchronized with the guest, even when automatic resize is disabled.
Alt+S key combination or other menu accelerators, the guest kept the Alt state enabled. Consequently, certain guest functionality did not work correctly. With this update, the guest Alt keys are properly released when the keyboard grab is taken in the client user interface, thus fixing this bug.
Enhancements
--title STRING option to remote-viewer, which makes it possible to override the default window title with user-defined text.
--hotkeys option that enables hotkey configuration from the command line.
Enhancements
Bug Fixes
Guest moved used index from 0 to 256
virtio_ioport_write: unexpected address 0x13 value 0x0
Enhancements
ovs-vsctl set port <PORT_NAME> other-config:priority-tags=true
| Revision History | |
|---|---|
| Revision 1-0.16 | Fri Dec 13 2013 |
| Revision 1-0.15 | Thu Nov 21 2013 |
| Revision 1-0.0 | Thu Oct 03 2013 |