Security
The following features, enhancements, and changes related to security are introduced in Oracle Linux 10.2.
SELinux Enhancements Prevent fapolicyd Service Interruption
The fapolicyd-selinux package now includes an SELinux module that helps protect the fapolicyd service from unauthorized interference. The module blocks attempts to stop the service by sending a SIGSTOP signal or to trace it by using the ptrace() function. These protections prevent the system from hanging and eliminate the need for a manual reboot when these actions are attempted.
New libreswan-minimal Subpackage Reduces Container Image Size
A new libreswan-minimal subpackage is now available for containerized environments. Unlike the full libreswan package, the minimal subpackage does not depend on systemd or other optional external tools, making it better suited for lightweight deployments. Applications that do not require systemd can use libreswan-minimal to build smaller container images, which can improve startup times and reduce resource consumption.
SELinux Policy Now Confines the redfish-finder Service
The redfish-finder service now runs in a dedicated SELinux domain instead of the unconfined_service_t domain. This change helps systems meet the CIS Server Level 2 benchmark requirement to restrict unconfined daemons while allowing the service to operate correctly in SELinux enforcing mode.
SELinux Policy Now Confines the systemd-oomd Service
The systemd-oomd service now runs in a dedicated SELinux domain instead of the unconfined_service_t domain. This change helps systems meet the CIS Server Level 2 benchmark requirement to restrict unconfined daemons while allowing the service to operate correctly in SELinux enforcing mode.
OpenSSH Adds Support for Hybrid ML-KEM NIST Key Exchange
OpenSSH now supports the mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 hybrid key exchange algorithms. These algorithms combine the ML-KEM post-quantum key encapsulation mechanism with NIST-standardized elliptic curves, enabling you to strengthen SSH connections against cryptographic threats.
OpenSSH Supports Hybrid ML-KEM Key Exchange in FIPS Mode
OpenSSH now supports hybrid ML-KEM key exchange with NIST-standardized elliptic curves when the system operates in FIPS mode. This enhancement enables SSH connections to use a combination of classical cryptography and post-quantum key exchange while maintaining compliance with FIPS requirements.
libssh Adds Support for Hybrid ML-KEM Key Exchange
The libssh library now supports hybrid post-quantum key exchange methods that combine the ML-KEM key encapsulation mechanism with traditional elliptic-curve key exchange. These methods help protect SSH connections against quantum computing threats while maintaining compatibility with existing cryptographic standards.
-
mlkem768nistp256-sha256 -
mlkem768x25519-sha256 -
mlkem1024nistp384-sha384
The mlkem768x25519-sha256 method is the default key exchange algorithm for SSH connections unless you configure a different method.
System-Wide Cryptographic Policies Now Enable ML-KEM for libssh
The system-wide crypto-policies package now enables the mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 hybrid post-quantum key exchange algorithms for libssh in all predefined cryptographic policies.
This change aligns libssh with OpenSSH support for ML-KEM, providing quantum-resistant key exchange for SSH connections without requiring additional configuration.
System-Wide Cryptographic Policies Now Enable Hybrid ML-KEM Key Exchange for OpenSSH in FIPS Mode
The system-wide crypto-policies package now enables the mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 hybrid key exchange algorithms for OpenSSH when the FIPS cryptographic policy is active.
This change automatically enables quantum-resistant SSH key exchange on FIPS-enabled systems when the remote host also supports one of these algorithms.
System-Wide Cryptographic Policies Now Prioritize mlkem768x25519-sha256 for libssh
The system-wide crypto-policies package now enables the mlkem768x25519-sha256 hybrid post-quantum key exchange algorithm for libssh in all predefined cryptographic policies and gives it the highest negotiation priority.
This change allows libssh to use the preferred hybrid key exchange algorithm by default when the remote host also supports it, strengthening SSH connections with post-quantum cryptography.
New p11-kit-client Subpackage Simplifies Client Deployments
The p11-kit package now includes a dedicated p11-kit-client subpackage that contains the p11-kit-client.so module. This change lets you install only the client components your environment requires, reducing unnecessary packages on host systems and in container images.
restorecon Adds -c Option to Report Relabeled Files
The restorecon command now supports the -c option, which reports how many files were relabeled during a relabeling operation. The command returns a successful exit status only when it relabels one or more files, making it easier to verify that SELinux labeling issues have been remediated successfully.
Additional SELinux Services Now Run in Enforcing Mode
The following SELinux domains now run in enforcing mode:
-
anaconda_generator_t -
ktlshd_t -
switcheroo_control_t -
systemd_pcrextend_t -
systemd_user_runtimedir_t -
tuned_ppd_t
These domains previously operated in permissive mode while the corresponding SELinux policies were refined. With the policies now complete, SELinux actively enforces access controls for these services, helping prevent unauthorized access.
SELinux Policy Updated for the New OpenSSH Architecture
The SELinux policy now supports the new OpenSSH multi-binary architecture by defining the security contexts and transitions required processes including the sshd, sshd-session, and sshd-auth processes.
This update ensures that SELinux correctly confines each OpenSSH component while preserving normal authentication and session management. Combined with the new OpenSSH architecture, these changes improve process isolation, reduce the attack surface, and help protect sensitive resources such as host keys and authentication sockets.
setfiles Adds Option to Reduces Memory Usage
The setfiles utility now supports the -A option, which disables tracking of conflicts between hard-linked inodes during relabeling operations. On large file systems, this option can significantly reduce memory usage, making it easier to run setfiles on systems with limited memory.
capnproto Now Available in the CodeReady Builder Repository
The capnproto package is added to the CodeReady Builder (CRB) repository. capnproto is a high-performance data interchange and remote procedure call (RPC) library used by packages such as rust-sequoia-sq and rust-sequoia-podman.
Providing capnproto as a standalone package lets you install, update, and maintain the library independently of the applications that depend on it, simplifying the delivery of security updates and bug fixes.
New clevis-pin-trustee Package Enables Remote Attestation for LUKS Volumes
The new clevis-pin-trustee package adds a Trustee pin to the Clevis framework, enabling LUKS-encrypted volumes to be unlocked automatically based on remote attestation through the Trustee Key Broker Service (KBS). The package also includes support for automatically unlocking encrypted root volumes during system boot.
You can use the Trustee pin to bind LUKS-encrypted volumes to one or more Trustee servers. It can also be combined with other Clevis pins, such as tang and tpm2, to support multi-factor or policy-based unlocking.
SCAP Security Guide updated to 0.1.80
SCAP Security Guide packages are updated to the upstream version 0.1.80 and provide following features:
- Oracle Linux 9
stigandstig_guiprofiles are aligned with DISA STIG for Oracle Linux 9 V1R4 - Removed
configure_ssh_crypto_policyfrom Oracle Linux 9 profiles - Rule
audit_rules_privileged_commandsadds architecture filters in audit rules
Additional details about enhancements and bug fixes are available in the v0.1.80 project release notes https://github.com/ComplianceAsCode/content/releases#release-v0.1.80.