diff --git a/.etckeeper b/.etckeeper
index bfb189a..5ad58e4 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -28,6 +28,7 @@ mkdir -p './falco/rules.d'
mkdir -p './firewalld/helpers'
mkdir -p './firewalld/icmptypes'
mkdir -p './firewalld/ipsets'
+mkdir -p './firewalld/policies'
mkdir -p './firewalld/services'
mkdir -p './glvnd/egl_vendor.d'
mkdir -p './gnupg'
@@ -37,6 +38,7 @@ mkdir -p './incron.d'
mkdir -p './java/security/security.d'
mkdir -p './jvm'
mkdir -p './jvm-commmon'
+mkdir -p './keyutils'
mkdir -p './letsencrypt/renewal-hooks/deploy'
mkdir -p './letsencrypt/renewal-hooks/post'
mkdir -p './letsencrypt/renewal-hooks/pre'
@@ -78,7 +80,6 @@ mkdir -p './polkit-1/localauthority/50-local.d'
mkdir -p './polkit-1/localauthority/90-mandatory.d'
mkdir -p './pyzor'
mkdir -p './qemu-ga/fsfreeze-hook.d'
-mkdir -p './rhsm/ca'
mkdir -p './rhsm/facts'
mkdir -p './rhsm/pluginconf.d'
mkdir -p './rspamd/override.d'
@@ -132,7 +133,8 @@ maybe chmod 0644 'NetworkManager/NetworkManager.conf'
maybe chmod 0755 'NetworkManager/conf.d'
maybe chmod 0755 'NetworkManager/dispatcher.d'
maybe chmod 0755 'NetworkManager/dispatcher.d/11-dhclient'
-maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony'
+maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony-dhcp'
+maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony-onoffline'
maybe chmod 0755 'NetworkManager/dispatcher.d/20-squid'
maybe chmod 0755 'NetworkManager/dispatcher.d/no-wait.d'
maybe chmod 0755 'NetworkManager/dispatcher.d/pre-down.d'
@@ -859,6 +861,7 @@ maybe chmod 0750 'firewalld/helpers'
maybe chmod 0750 'firewalld/icmptypes'
maybe chmod 0750 'firewalld/ipsets'
maybe chmod 0644 'firewalld/lockdown-whitelist.xml'
+maybe chmod 0750 'firewalld/policies'
maybe chmod 0750 'firewalld/services'
maybe chmod 0750 'firewalld/zones'
maybe chmod 0644 'firewalld/zones/public.xml'
@@ -937,6 +940,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
maybe chmod 0644 'httpd/conf.d/php.conf'
maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
maybe chmod 0644 'httpd/conf.d/userdir.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -981,23 +985,23 @@ maybe chmod 0644 'issue.net'
maybe chmod 0644 'issue.rpmnew'
maybe chmod 0755 'java'
maybe chmod 0755 'java/java-1.8.0-openjdk'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/calendars.properties'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/logging.properties'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/blacklisted.certs'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.policy'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.cfg'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.fips.cfg'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/calendars.properties'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/logging.properties'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/blacklisted.certs'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.policy'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.cfg'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.fips.cfg'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/local_policy.jar'
maybe chmod 0755 'java/security'
maybe chmod 0755 'java/security/security.d'
maybe chmod 0755 'jvm'
@@ -1011,6 +1015,7 @@ maybe chmod 0755 'kernel/postinst.d'
maybe chmod 0755 'kernel/postinst.d/dkms'
maybe chmod 0755 'kernel/prerm.d'
maybe chmod 0755 'kernel/prerm.d/dkms'
+maybe chmod 0755 'keyutils'
maybe chmod 0644 'krb5.conf'
maybe chmod 0755 'krb5.conf.d'
maybe chmod 0644 'krb5.conf.d/kcm_default_ccache'
@@ -1020,6 +1025,7 @@ maybe chmod 0644 'ld.so.conf.d/bind-export-x86_64.conf'
maybe chmod 0644 'ld.so.conf.d/dyninst-x86_64.conf'
maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf'
maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-305.25.1.el8_4.x86_64.conf'
+maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf'
maybe chmod 0755 'letsencrypt'
maybe chown 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
maybe chgrp 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
@@ -4395,6 +4401,7 @@ maybe chmod 0644 'profile.d/csh.local'
maybe chmod 0644 'profile.d/gawk.csh'
maybe chmod 0644 'profile.d/gawk.sh'
maybe chmod 0640 'profile.d/grc.sh'
+maybe chmod 0644 'profile.d/iproute2.sh'
maybe chmod 0644 'profile.d/lang.csh'
maybe chmod 0644 'profile.d/lang.sh'
maybe chmod 0644 'profile.d/less.csh'
@@ -4528,6 +4535,8 @@ maybe chmod 0644 'resolv.conf'
maybe chmod 0644 'resolv.conf.save'
maybe chmod 0755 'rhsm'
maybe chmod 0755 'rhsm/ca'
+maybe chmod 0644 'rhsm/ca/redhat-entitlement-authority.pem'
+maybe chmod 0644 'rhsm/ca/redhat-uep.pem'
maybe chmod 0755 'rhsm/facts'
maybe chmod 0644 'rhsm/logging.conf'
maybe chmod 0755 'rhsm/pluginconf.d'
diff --git a/.updated b/.updated
index 7e3b92c..78c5073 100644
--- a/.updated
+++ b/.updated
@@ -1,4 +1,4 @@
# This file was created by systemd-update-done. Its only
# purpose is to hold a timestamp of the time this directory
# was updated. See man:systemd-update-done.service(8).
-TIMESTAMP_NSEC=1614695289186707635
+TIMESTAMP_NSEC=1637331558928868970
diff --git a/NetworkManager/dispatcher.d/20-chrony-dhcp b/NetworkManager/dispatcher.d/20-chrony-dhcp
new file mode 100755
index 0000000..41cc3e1
--- /dev/null
+++ b/NetworkManager/dispatcher.d/20-chrony-dhcp
@@ -0,0 +1,58 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher script for chronyd to update
+# its NTP sources passed from DHCP options. Note that this script is
+# specific to NetworkManager-dispatcher due to use of the
+# DHCP4_NTP_SERVERS environment variable.
+
+export LC_ALL=C
+
+interface=$1
+action=$2
+
+helper=/usr/libexec/chrony-helper
+default_server_options=iburst
+server_dir=/run/chrony-helper
+
+dhcp_server_tmpfile=$server_dir/tmp-nm-dhcp.$interface
+dhcp_server_file=$server_dir/nm-dhcp.$interface
+# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
+nm_dhcp_servers=$DHCP4_NTP_SERVERS
+
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
+
+add_servers_from_dhcp() {
+ rm -f "$dhcp_server_file"
+
+ # Remove servers saved by the dhclient script before it detected NM.
+ rm -f "/var/lib/dhclient/chrony.servers.$interface"
+
+ # Don't add NTP servers if PEERNTP=no specified; return early.
+ [ "$PEERNTP" = "no" ] && return
+
+ # Create the directory with correct SELinux context.
+ $helper create-helper-directory > /dev/null 2>&1
+
+ for server in $nm_dhcp_servers; do
+ echo "$server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_tmpfile"
+ done
+ [ -e "$dhcp_server_tmpfile" ] && mv "$dhcp_server_tmpfile" "$dhcp_server_file"
+
+ $helper update-daemon > /dev/null 2>&1 || :
+}
+
+clear_servers_from_dhcp() {
+ if [ -f "$dhcp_server_file" ]; then
+ rm -f "$dhcp_server_file"
+ $helper update-daemon > /dev/null 2>&1 || :
+ fi
+}
+
+if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
+ add_servers_from_dhcp
+elif [ "$action" = "down" ]; then
+ clear_servers_from_dhcp
+fi
+
+exit 0
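Review bot: In add_servers_from_dhcp the loop appends to `$dhcp_server_tmpfile` with `>>`, but nothing removes that file beforehand. A temp file left by an interrupted earlier run would have its old entries merged into the new list, or be moved into place unchanged by the `[ -e ... ] && mv` line when the new lease carries no NTP servers. Adding `rm -f "$dhcp_server_tmpfile"` next to the existing `rm -f "$dhcp_server_file"` closes that. Separately, the addresses in DHCP4_NTP_SERVERS are written out without any check and come from whichever DHCP server answered on the link, so the `PEERNTP` test is the only control in this script over who picks the time sources. A comment there such as `# Set PEERNTP=no on untrusted networks: DHCP-supplied NTP servers are accepted as-is.` would make that explicit.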
diff --git a/NetworkManager/dispatcher.d/20-chrony b/NetworkManager/dispatcher.d/20-chrony-onoffline
similarity index 86%
rename from NetworkManager/dispatcher.d/20-chrony
rename to NetworkManager/dispatcher.d/20-chrony-onoffline
index 0b0c3e7..34cfa0d 100755
--- a/NetworkManager/dispatcher.d/20-chrony
+++ b/NetworkManager/dispatcher.d/20-chrony-onoffline
@@ -5,11 +5,13 @@
export LC_ALL=C
+chronyc=/usr/bin/chronyc
+
# For NetworkManager consider only up/down events
[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
-chronyc onoffline > /dev/null 2>&1
+$chronyc onoffline > /dev/null 2>&1
exit 0
diff --git a/alternatives/alt-java b/alternatives/alt-java
index 6c61514..08c2a2f 120000
--- a/alternatives/alt-java
+++ b/alternatives/alt-java
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/alt-java
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/alt-java
\ No newline at end of file
diff --git a/alternatives/alt-java.1.gz b/alternatives/alt-java.1.gz
index cc45b1d..25ee7d9 120000
--- a/alternatives/alt-java.1.gz
+++ b/alternatives/alt-java.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/java b/alternatives/java
index cad4e86..e937699 120000
--- a/alternatives/java
+++ b/alternatives/java
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/java
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/java
\ No newline at end of file
diff --git a/alternatives/java.1.gz b/alternatives/java.1.gz
index a971392..8759baf 120000
--- a/alternatives/java.1.gz
+++ b/alternatives/java.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/jjs b/alternatives/jjs
index b328d3d..8e38c1b 120000
--- a/alternatives/jjs
+++ b/alternatives/jjs
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/jjs
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/jjs
\ No newline at end of file
diff --git a/alternatives/jjs.1.gz b/alternatives/jjs.1.gz
index 6445e5b..03dae84 120000
--- a/alternatives/jjs.1.gz
+++ b/alternatives/jjs.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/jre b/alternatives/jre
index b8939cb..765261a 120000
--- a/alternatives/jre
+++ b/alternatives/jre
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/jre_1.8.0 b/alternatives/jre_1.8.0
index b8939cb..765261a 120000
--- a/alternatives/jre_1.8.0
+++ b/alternatives/jre_1.8.0
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/jre_1.8.0_openjdk b/alternatives/jre_1.8.0_openjdk
index fc3e42d..5a9fc72 120000
--- a/alternatives/jre_1.8.0_openjdk
+++ b/alternatives/jre_1.8.0_openjdk
@@ -1 +1 @@
-/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64
\ No newline at end of file
+/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64
\ No newline at end of file
diff --git a/alternatives/jre_openjdk b/alternatives/jre_openjdk
index b8939cb..765261a 120000
--- a/alternatives/jre_openjdk
+++ b/alternatives/jre_openjdk
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/keytool b/alternatives/keytool
index 0a9578c..dff8672 120000
--- a/alternatives/keytool
+++ b/alternatives/keytool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/keytool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/keytool
\ No newline at end of file
diff --git a/alternatives/keytool.1.gz b/alternatives/keytool.1.gz
index 3ce83dd..1b000ca 120000
--- a/alternatives/keytool.1.gz
+++ b/alternatives/keytool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/orbd b/alternatives/orbd
index c291659..b26a842 120000
--- a/alternatives/orbd
+++ b/alternatives/orbd
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/orbd
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/orbd
\ No newline at end of file
diff --git a/alternatives/orbd.1.gz b/alternatives/orbd.1.gz
index 3adb375..7fc0254 120000
--- a/alternatives/orbd.1.gz
+++ b/alternatives/orbd.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/pack200 b/alternatives/pack200
index b444214..aa04a1c 120000
--- a/alternatives/pack200
+++ b/alternatives/pack200
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/pack200
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/pack200
\ No newline at end of file
diff --git a/alternatives/pack200.1.gz b/alternatives/pack200.1.gz
index 0e9bf8a..e772dc1 120000
--- a/alternatives/pack200.1.gz
+++ b/alternatives/pack200.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/policytool b/alternatives/policytool
index cdc8ad0..2df507e 120000
--- a/alternatives/policytool
+++ b/alternatives/policytool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/policytool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/policytool
\ No newline at end of file
diff --git a/alternatives/policytool.1.gz b/alternatives/policytool.1.gz
index 653bc15..8762cf0 120000
--- a/alternatives/policytool.1.gz
+++ b/alternatives/policytool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/rmid b/alternatives/rmid
index a6ac45e..28bf5b2 120000
--- a/alternatives/rmid
+++ b/alternatives/rmid
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/rmid
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/rmid
\ No newline at end of file
diff --git a/alternatives/rmid.1.gz b/alternatives/rmid.1.gz
index 092af89..c78d388 120000
--- a/alternatives/rmid.1.gz
+++ b/alternatives/rmid.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/rmiregistry b/alternatives/rmiregistry
index 0a22fad..fff17ac 120000
--- a/alternatives/rmiregistry
+++ b/alternatives/rmiregistry
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/rmiregistry
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/rmiregistry
\ No newline at end of file
diff --git a/alternatives/rmiregistry.1.gz b/alternatives/rmiregistry.1.gz
index 373e791..a9f145c 120000
--- a/alternatives/rmiregistry.1.gz
+++ b/alternatives/rmiregistry.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/servertool b/alternatives/servertool
index bda9a16..6bf3af7 120000
--- a/alternatives/servertool
+++ b/alternatives/servertool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/servertool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/servertool
\ No newline at end of file
diff --git a/alternatives/servertool.1.gz b/alternatives/servertool.1.gz
index c339c65..21e6951 120000
--- a/alternatives/servertool.1.gz
+++ b/alternatives/servertool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/tnameserv b/alternatives/tnameserv
index 1c0658a..324f09c 120000
--- a/alternatives/tnameserv
+++ b/alternatives/tnameserv
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/tnameserv
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/tnameserv
\ No newline at end of file
diff --git a/alternatives/tnameserv.1.gz b/alternatives/tnameserv.1.gz
index 95b3adf..c1e8b20 120000
--- a/alternatives/tnameserv.1.gz
+++ b/alternatives/tnameserv.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/unpack200 b/alternatives/unpack200
index 570babf..7997d2a 120000
--- a/alternatives/unpack200
+++ b/alternatives/unpack200
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/unpack200
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/unpack200
\ No newline at end of file
diff --git a/alternatives/unpack200.1.gz b/alternatives/unpack200.1.gz
index bc69720..5a4c101 120000
--- a/alternatives/unpack200.1.gz
+++ b/alternatives/unpack200.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz
\ No newline at end of file
diff --git a/bindresvport.blacklist b/bindresvport.blacklist
index 8904277..67ff771 100644
--- a/bindresvport.blacklist
+++ b/bindresvport.blacklist
@@ -8,6 +8,11 @@
631 # cups
636 # ldaps
664 # Secure ASF, used by IPMI on some cards
+749 # Kerberos V kadmin
+774 # rpasswd
+873 # rsyncd
921 # lwresd
+992 # SSL-enabled telnet
993 # imaps
+994 # irc
995 # pops
diff --git a/centos-release b/centos-release
index 354bfc4..6e4cd8b 100644
--- a/centos-release
+++ b/centos-release
@@ -1 +1 @@
-CentOS Linux release 8.4.2105
+CentOS Linux release 8.5.2111
diff --git a/centos-release-upstream b/centos-release-upstream
index 5d7b282..80cdbe5 100644
--- a/centos-release-upstream
+++ b/centos-release-upstream
@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.4
+Derived from Red Hat Enterprise Linux 8.5
diff --git a/crypto-policies/back-ends/nss.config b/crypto-policies/back-ends/nss.config
index a35edba..d771c5d 100644
--- a/crypto-policies/back-ends/nss.config
+++ b/crypto-policies/back-ends/nss.config
@@ -1,7 +1,7 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
name=p11-kit-proxy
diff --git a/crypto-policies/state/CURRENT.pol b/crypto-policies/state/CURRENT.pol
index b2618d6..84e1d05 100644
--- a/crypto-policies/state/CURRENT.pol
+++ b/crypto-policies/state/CURRENT.pol
@@ -1,22 +1,30 @@
-# Current runtime policy dump
-# DEFAULT
-arbitrary_dh_groups = 1
+# Policy DEFAULT dump
+#
+# Do not parse the contents of this file with automated tools,
+# it is provided for review convenience only.
+#
+# Baseline values for all scopes:
cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
-ike_protocol = IKEv2
key_exchange = ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
+protocol =
+sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1
+arbitrary_dh_groups = 1
min_dh_size = 2048
min_dsa_size = 2048
-min_dtls_version = DTLS1.2
min_rsa_size = 2048
-min_tls_version = TLS1.2
-protocol = TLS1.3 TLS1.2 DTLS1.2
sha1_in_certs = 1
-sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1
ssh_certs = 1
-ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
ssh_etm = 1
-ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
-tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+# Scope-specific properties derived for select backends:
+cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
+cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
+protocol@libreswan = IKEv2
+cipher@nss = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@nss = TLS1.3 TLS1.2 DTLS1.2
+cipher@openssl = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@openssl = TLS1.3 TLS1.2 DTLS1.2
diff --git a/dhcp/dhclient.d/chrony.sh b/dhcp/dhclient.d/chrony.sh
index be17e2a..d5398e8 100755
--- a/dhcp/dhclient.d/chrony.sh
+++ b/dhcp/dhclient.d/chrony.sh
@@ -3,6 +3,9 @@
SERVERFILE=$SAVEDIR/chrony.servers.$interface
chrony_config() {
+ # Disable modifications if called from a NM dispatcher script
+ [ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
rm -f "$SERVERFILE"
if [ "$PEERNTP" != "no" ]; then
for server in $new_ntp_servers; do
@@ -13,6 +16,8 @@ chrony_config() {
}
chrony_restore() {
+ [ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
if [ -f "$SERVERFILE" ]; then
rm -f "$SERVERFILE"
/usr/libexec/chrony-helper update-daemon || :
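Review bot: The guard added at the top of chrony_restore has no comment, while the identical guard in chrony_config in the previous hunk does. Repeat it here, `# Disable modifications if called from a NM dispatcher script`, so the early return is not mistaken for an error path. Both guards return 0 silently, so a line in the file header noting that NetworkManager-managed interfaces are handled by the dispatcher script instead would help whoever debugs a missing chrony.servers file. chrony_restore continues past the end of this hunk.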
diff --git a/firewalld/firewalld.conf b/firewalld/firewalld.conf
index f791b23..a0556c0 100644
--- a/firewalld/firewalld.conf
+++ b/firewalld/firewalld.conf
@@ -23,6 +23,8 @@ Lockdown=no
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
# Default: yes
IPv6_rpfilter=yes
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
diff --git a/httpd/conf.d/welcome.conf.rpmnew b/httpd/conf.d/welcome.conf.rpmnew
index 5158e8b..37b7394 100644
--- a/httpd/conf.d/welcome.conf.rpmnew
+++ b/httpd/conf.d/welcome.conf.rpmnew
@@ -16,4 +16,4 @@
Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png
\ No newline at end of file
+Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png
\ No newline at end of file
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/calendars.properties b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/calendars.properties
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/calendars.properties
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/calendars.properties
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/logging.properties b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/logging.properties
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/logging.properties
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/logging.properties
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/blacklisted.certs b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/blacklisted.certs
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/blacklisted.certs
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/blacklisted.certs
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/cacerts b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/cacerts
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/cacerts
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/cacerts
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.policy b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.policy
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.policy
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.policy
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.security b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.security
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.cfg b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.cfg
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.cfg
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.cfg
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.fips.cfg b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.fips.cfg
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.fips.cfg
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.fips.cfg
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/US_export_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/US_export_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/local_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/local_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/US_export_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/US_export_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/local_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/local_policy.jar
diff --git a/krb5.conf.d/kcm_default_ccache b/krb5.conf.d/kcm_default_ccache
index 4cd5b48..996e865 100644
--- a/krb5.conf.d/kcm_default_ccache
+++ b/krb5.conf.d/kcm_default_ccache
@@ -3,7 +3,7 @@
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
#
# To enable the KCM credential cache enable the KCM socket and the service:
-# systemctl enable sssd-secrets.socket sssd-kcm.socket
+# systemctl enable sssd-kcm.socket
# systemctl start sssd-kcm.socket
#
# To disable the KCM credential cache, comment out the following lines.
diff --git a/ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf b/ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf
new file mode 100644
index 0000000..e4b9dd6
--- /dev/null
+++ b/ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf
@@ -0,0 +1 @@
+ # Placeholder file, no vDSO hwcap entries used in this kernel.
diff --git a/modprobe.d/tuned.conf b/modprobe.d/tuned.conf
index 7865529..3acc67f 100644
--- a/modprobe.d/tuned.conf
+++ b/modprobe.d/tuned.conf
@@ -1,11 +1,11 @@
-# This file specifies additional parameters to kernel modules added by Tuned.
-# Its content is set by the Tuned modules plugin.
+# This file specifies additional parameters to kernel modules added by TuneD.
+# Its content is set by the TuneD modules plugin.
#
# Please do not edit this file. Content of this file can be overwritten by
-# switch of Tuned profile.
+# switch of TuneD profile.
#
-# If you need to add kernel module parameter which should be handled by Tuned,
-# create Tuned profile containing the following:
+# If you need to add kernel module parameter which should be handled by TuneD,
+# create TuneD profile containing the following:
#
# [modules]
# MODULE_NAME = MODULE_PARAMETERS
@@ -16,7 +16,7 @@
#
# and reboot or reload the module
#
-# Tuned tries to automatically reload the module if specified the following
+# TuneD tries to automatically reload the module if specified the following
# way:
#
# [modules]
diff --git a/nfs.conf b/nfs.conf
index ebc57d3..05247ff 100644
--- a/nfs.conf
+++ b/nfs.conf
@@ -22,6 +22,8 @@ use-gss-proxy=1
# cred-cache-directory=
# preferred-realm=
# set-home=1
+# upcall-timeout=30
+# cancel-timed-out-upcalls=0
#
[lockd]
# port=0
diff --git a/pam.d/cockpit b/pam.d/cockpit
index 208880f..9776e4b 100644
--- a/pam.d/cockpit
+++ b/pam.d/cockpit
@@ -1,7 +1,4 @@
#%PAM-1.0
-# this MUST be first in the "auth" stack as it sets PAM_USER
-# user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code
--auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
diff --git a/pki/tls/openssl.cnf b/pki/tls/openssl.cnf
index 5faa1ec..b6c1501 100644
--- a/pki/tls/openssl.cnf
+++ b/pki/tls/openssl.cnf
@@ -364,5 +364,5 @@ tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
+ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)
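Review bot: The line now sets `ess_cert_id_alg = sha256`, but the continuation comment below it still ends in `default: sha1` and does not mention the compatibility effect of the new value. With a digest other than SHA-1, OpenSSL's TSA code emits the signing-certificate attribute as ESSCertIDv2 (RFC 5816), so verifiers that only understand the older ESSCertID form may reject the timestamp responses. This only matters if the host issues timestamps with `openssl ts`. I would add a line such as `# sha256 => ESSCertIDv2 (RFC 5816); verifiers must support it` above the setting. The enclosing section header is outside this hunk.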
diff --git a/profile.d/iproute2.sh b/profile.d/iproute2.sh
new file mode 100644
index 0000000..f13e1f0
--- /dev/null
+++ b/profile.d/iproute2.sh
@@ -0,0 +1,5 @@
+# tc initialization script (sh)
+
+if [ -z "$TC_LIB_DIR" ]; then
+ export TC_LIB_DIR=/usr/lib64/tc
+fi
diff --git a/profile.d/which2.sh b/profile.d/which2.sh
index 25dd0de..6ef7979 100644
--- a/profile.d/which2.sh
+++ b/profile.d/which2.sh
@@ -1,7 +1,19 @@
-# Initialization script for bash and sh
+# shellcheck shell=sh
+# Initialization script for bash, sh, mksh and ksh
-if [ "$0" = "ksh" ] || [ "$0" = "-ksh" ] ; then
- alias which='(alias; typeset -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
-else
- alias which='(alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
+which_declare="declare -f"
+which_opt="-f"
+which_shell="$(cat /proc/$$/comm)"
+
+if [ "$which_shell" = "ksh" ] || [ "$which_shell" = "mksh" ] || [ "$which_shell" = "zsh" ] ; then
+ which_declare="typeset -f"
+ which_opt=""
fi
+
+which ()
+{
+(alias; eval ${which_declare}) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
+}
+
+export which_declare
+export ${which_opt} which
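Review bot: The new `which` function runs `eval ${which_declare}`, and the last two added lines export that variable and (under bash, where `which_opt` is `-f`) the function itself, so every child shell that inherits the function evaluates whatever `which_declare` holds in its environment at call time. Only two fixed commands are ever intended, so the function can compare the value and call `declare -f` or `typeset -f` directly, as in the fence below. Separately, `cat /proc/$$/comm` assumes /proc is mounted and readable at login. The header comment lists bash, sh, mksh and ksh while the test also matches zsh, and a plain POSIX sh would still reach `export -f which`, which is a bash extension; both are worth confirming on the shells used on this host.

```shell
which ()
{
    # Only two fixed listings are possible; nothing inherited from the
    # environment is evaluated.
    if [ "$which_declare" = "typeset -f" ]; then
        (alias; typeset -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
    else
        (alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
    fi
}
# … unchanged: export which_declare / export ${which_opt} which …
```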
diff --git a/rhsm/ca/redhat-entitlement-authority.pem b/rhsm/ca/redhat-entitlement-authority.pem
new file mode 100644
index 0000000..e1b9919
--- /dev/null
+++ b/rhsm/ca/redhat-entitlement-authority.pem
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAIMA0GCSqGSIb3DQEBDAUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTgwOTEyMTgxMzIxWhcNMzAw
+MzE1MTgxMzIxWjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAGKk
+q5Ab0AC7SOCYq9up5z0twbe+gI72cm854+VhcxafnLP2/4nH6nQauKLKEFLI8+fV
+RAwYxm1f5nuEiaTvjPE0umYdgMlpEJQeGdW/+/DotDaOon1G6bSMEKFvaKcBHKqa
+kBxQ29trwMG2WN8qZ7/H3XzBvLZ+JrYr01vDSV0P4tcBFOytbMZeJr4xmfxiqWxp
+VUM9eGf6z+ngXyth8lohxGd9MMXwsaPdvM+wptp3AQpq5wFPWyfJqCd6uBxu09k1
+ns3Y/sya2GHqDK4bUW6gCHO13gkYviTCIBLAlX7PDeK5nYVcq8HvTLU9+H9BFGix
+YGDdHphz7i5qO/gLLLcfKhENP6jtbe8i6nwqeDzj+DMy38iMWNYFVWn1OrBaQMtf
+wlVfyRJij9SfyiUAVFld1RoPAN/haf1VmF/0dGrOigibYijqnHvDJffMUND/sbk8
+df6O6VYjvLLlwry4W4dHiLLA7NAHGtkUv2g1+oH1lQIfRG+PvZhWz4pGT1AlzfwD
+aXUfX2X+Bo9tYr9BGy5Li1pLGLvfw+an7cBAbBaw8+HhAHt+Vm4F03KX/bHlge0a
+fMYK6FoA/xQSaZ6IPm4HfPSMvhboguVG+/AZQN4/UxjDleoEz8b0CWYafcJRRZch
+BdxBjTy7JLf3j0HCbenZQF83wwtrSmiTOTK1tLsm
+-----END CERTIFICATE-----
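Review bot: This hunk and the next one (rhsm/ca/redhat-uep.pem) add CA certificates under rhsm/ca, and nothing in the diff records where they came from; files in that directory are presumably used as trust anchors by subscription-manager. Before accepting the commit, confirm that both files are owned by an installed package and unmodified (`rpm -qf` on the path, then `rpm -V` on the owning package). Recording each certificate's subject, expiry and SHA-256 fingerprint (`openssl x509 -noout -subject -enddate -fingerprint -sha256`) in the commit message would make later changes to these anchors easy to spot. redhat-uep.pem holds three certificate blocks and `openssl x509` reads only the first one in a file, so each block has to be checked separately.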
diff --git a/rhsm/ca/redhat-uep.pem b/rhsm/ca/redhat-uep.pem
new file mode 100644
index 0000000..dec41a9
--- /dev/null
+++ b/rhsm/ca/redhat-uep.pem
@@ -0,0 +1,119 @@
+-----BEGIN CERTIFICATE-----
+MIIG/TCCBOWgAwIBAgIBNzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMu
+MRgwFgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50
+aXRsZW1lbnQgT3BlcmF0aW9ucyBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNh
+LXN1cHBvcnRAcmVkaGF0LmNvbTAeFw0xMDEwMDQxMzI3NDhaFw0zMDA5MjkxMzI3
+NDhaMIGuMQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAU
+BgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEu
+MCwGA1UEAwwlUmVkIEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEk
+MCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA2QurMeAVnCHVsuZNQzciWMdpd4LAVk2eGugN
+0cxmBpzoVI8lIsJOmJkpOAuFOQMX9CBr8RuQyg4r1/OH/rfhm6FgGIw8TGKZoWC/
+1B9teZqTiM85k6/1GRNxdk6dUK77HVO0PMIKtNBHRxIsXcRzJ1q+u5WPBes9pEVG
+nbidTNUkknrSIdynTJcqAI/I0VAsqLqX87XJSzXKvRilE+p/fLHmVTAffl1Cn/Dy
+KULxna7ooyrKKnfqeQ5dK8aMr1ASQ1wphWohLjegly9V0amEi+HHWnOL8toxJy8v
+WUTUzzAvZ4ZTtTV26xGetZZWEaNyv7YCv2AexjcBQ2x+ejrFJrVNo9jizHS06HK8
+UgHVDKhmVcAe2/5yrJCjKDLwg1FJfjKwhzhLYdNVCejpy8CHQndwO0EX1hHv/AfP
+RTAmr5qPhHFD+uuIrYrSLUpgMLmWa9dinJcGeKlA1KJvG5emGMM3k64Xr7dJToXo
+5loGyZ6lvKPIKLmfeXMRW/4+BqyzwbO1i4aIHAZcSPDFGKWwuvF0iVUYUUVxw0nv
+qPZA4roq5+j/YSz0q5XGVgiIt34htlvunLp/ICGYJBR6zEHcB9aZGJdDcJvoYZjw
+7Gphw6lFF6Ta4imoyhGECWKjd1ips3opcN+DlU0yCUrcIXVIXAnkTwu5ocOgAkxr
+f/6FjqcCAwEAAaOCAR8wggEbMB0GA1UdDgQWBBSW/bscQED/QIStsh8LJsHDam/W
+fDCB5QYDVR0jBIHdMIHagBTESXhWRZ0eLGFgw2ZLWAU3LwMie6GBtqSBszCBsDEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdS
+YWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0
+IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBDQTEkMCIGCSqG
+SIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkAkYrPyoUAAAAwEgYDVR0T
+AQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOCAgEArWBznYWKpY4LqAzhOSop
+t30D2/UlCSr50l33uUCNYD4D4nTr/pyX3AR6P3JcOCz0t22pVCg8D3DZc5VlzY7y
+P5RD3KbLxFNJTloclMG0n6aIN7baA4b8zwkduMQvKZnA/YNR5xE7V7J2WJHCEBBB
+Z+ZFwGpGsoZpPZP4hHLVke3xHm6A5F5SzP1Ug0T9W80VLK4jtgyGs8l1R7rXiOIt
+Nik8317KGq7DU8TI2Rw/9Gc8FKNfUYcVD7uC/MMQXJTRvkADmNLtZM63nhzpg1Hr
+hA6U5YcDCBKsPA43/wsPOONYtrAlToD5hJhU+1Rhmwcw3qvWBO3NkdilqGFOTc2K
+50PQrqoRTCZFS41nv2WqZFfbvSq4dZRJl8xpB4LAHSspsMrbr9WZHX5fbggf6ixw
+S9KDqQbM7asP0FEKBFXJV1rE8P/oSK6yVWQyigTsNcdGR4AUzDsTO9udcwoM2Ed4
+XdakVkF+dXm9ZBwv5UBf5ITSyMXL3qlusIOblJVGUQizumoq0LiSnjwbkxh2XHhd
+XD/B/qax7FnaNg+TfujR/kk3kF1OpqWx/wC/qPR+zho1+35Al31gZOfNIn/sReoM
+tcci9LFHGvijIy4VUDQK8HmGjIxJPrIIe1nB5BkiGyjwn00D5q+BwYVst1C68Rwx
+iRZpyzOZmeineJvhrJZ4Tvs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAIMA0GCSqGSIb3DQEBDAUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTgwOTEyMTgxMzIxWhcNMzAw
+MzE1MTgxMzIxWjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAGKk
+q5Ab0AC7SOCYq9up5z0twbe+gI72cm854+VhcxafnLP2/4nH6nQauKLKEFLI8+fV
+RAwYxm1f5nuEiaTvjPE0umYdgMlpEJQeGdW/+/DotDaOon1G6bSMEKFvaKcBHKqa
+kBxQ29trwMG2WN8qZ7/H3XzBvLZ+JrYr01vDSV0P4tcBFOytbMZeJr4xmfxiqWxp
+VUM9eGf6z+ngXyth8lohxGd9MMXwsaPdvM+wptp3AQpq5wFPWyfJqCd6uBxu09k1
+ns3Y/sya2GHqDK4bUW6gCHO13gkYviTCIBLAlX7PDeK5nYVcq8HvTLU9+H9BFGix
+YGDdHphz7i5qO/gLLLcfKhENP6jtbe8i6nwqeDzj+DMy38iMWNYFVWn1OrBaQMtf
+wlVfyRJij9SfyiUAVFld1RoPAN/haf1VmF/0dGrOigibYijqnHvDJffMUND/sbk8
+df6O6VYjvLLlwry4W4dHiLLA7NAHGtkUv2g1+oH1lQIfRG+PvZhWz4pGT1AlzfwD
+aXUfX2X+Bo9tYr9BGy5Li1pLGLvfw+an7cBAbBaw8+HhAHt+Vm4F03KX/bHlge0a
+fMYK6FoA/xQSaZ6IPm4HfPSMvhboguVG+/AZQN4/UxjDleoEz8b0CWYafcJRRZch
+BdxBjTy7JLf3j0HCbenZQF83wwtrSmiTOTK1tLsm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIHZDCCBUygAwIBAgIJAOb+QiglyeZeMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE3MTkwMDQ0WhcNMzAw
+MzEyMTkwMDQ0WjCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgw
+FgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1h
+c3RlciBDQTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2Z+mW7OYcBcGxWS+RSKG2GJ2
+csMXiGGfEp36vKVsIvypmNS60SkicKENMYREalbdSjrgfXxPJygZWsVWJ5lHPfBV
+o3WkFrFHTIXd/R6LxnaHD1m8Cx3GwEeuSlE/ASjc1ePtMnsHH7xqZ9wdl85b1C8O
+scgO7fwuM192kvv/veI/BogIqUQugtG6szXpV8dp4ml029LXFoNIy2lfFoa2wKYw
+MiUHwtYgAz7TDY63e8qGhd5PoqTv9XKQogo2ze9sF9y/npZjliNy5qf6bFE+24oW
+E8pGsp3zqz8h5mvw4v+tfIx5uj7dwjDteFrrWD1tcT7UmNrBDWXjKMG81zchq3h4
+etgF0iwMHEuYuixiJWNzKrLNVQbDmcLGNOvyJfq60tM8AUAd72OUQzivBegnWMit
+CLcT5viCT1AIkYXt7l5zc/duQWLeAAR2FmpZFylSukknzzeiZpPclRziYTboDYHq
+revM97eER1xsfoSYp4mJkBHfdlqMnf3CWPcNgru8NbEPeUGMI6+C0YvknPlqDDtU
+ojfl4qNdf6nWL+YNXpR1YGKgWGWgTU6uaG8Sc6qGfAoLHh6oGwbuz102j84OgjAJ
+DGv/S86svmZWSqZ5UoJOIEqFYrONcOSgztZ5tU+gP4fwRIkTRbTEWSgudVREOXhs
+bfN1YGP7HYvS0OiBKZUCAwEAAaOCAX0wggF5MB0GA1UdDgQWBBSIS6ZFxEbsj9bP
+pvYazyY8kMx/FzCB5QYDVR0jBIHdMIHagBSIS6ZFxEbsj9bPpvYazyY8kMx/F6GB
+tqSBszCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
+DgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQL
+DA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBD
+QTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkA5v5CKCXJ
+5l4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEG
+MCAGA1UdEQQZMBeBFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTAgBgNVHRIEGTAXgRVj
+YS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEFBQADggIBAJ1hEdNBDTRr
+6kI6W6stoogSUwjuiWPDY8DptwGhdpyIfbCoxvBR7F52DlwyXOpCunogfKMRklnE
+gH1Wt66RYkgNuJcenKHAhR5xgSLoPCOVF9rDjMunyyBuxjIbctM21R7BswVpsEIE
+OpV5nlJ6wkHsrn0/E+Zk5UJdCzM+Fp4hqHtEn/c97nvRspQcpWeDg6oUvaJSZTGM
+8yFpzR90X8ZO4rOgpoERukvYutUfJUzZuDyS3LLc6ysamemH93rZXr52zc4B+C9G
+Em8zemDgIPaH42ce3C3TdVysiq/yk+ir7pxW8toeavFv75l1UojFSjND+Q2AlNQn
+pYkmRznbD5TZ3yDuPFQG2xYKnMPACepGgKZPyErtOIljQKCdgcvb9EqNdZaJFz1+
+/iWKYBL077Y0CKwb+HGIDeYdzrYxbEd95YuVU0aStnf2Yii2tLcpQtK9cC2+DXjL
+Yf3kQs4xzH4ZejhG9wzv8PGXOS8wHYnfVNA3+fclDEQ1mEBKWHHmenGI6QKZUP8f
+g0SQ3PNRnSZu8R+rhABOEuVFIBRlaYijg2Pxe0NgL9FlHsNyRfo6EUrB2QFRKACW
+3Mo6pZyDjQt7O8J7l9B9IIURoJ1niwygf7VSJTMl2w3fFleNJlZTGgdXw0V+5g+9
+Kg6Ay0rrsi4nw1JHue2GvdjdfVOaWSWC
+-----END CERTIFICATE-----
diff --git a/rhsm/syspurpose/valid_fields.json b/rhsm/syspurpose/valid_fields.json
index 305ec4b..1ac7ea0 100644
--- a/rhsm/syspurpose/valid_fields.json
+++ b/rhsm/syspurpose/valid_fields.json
@@ -1,10 +1,12 @@
{
"role": [
- "CentOS Linux Server",
- "CentOS Linux Workstation",
- "CentOS Linux Compute Node"
+ "Red Hat Enterprise Linux Server",
+ "Red Hat Enterprise Linux Workstation",
+ "Red Hat Enterprise Linux Compute Node"
],
"service_level_agreement": [
+ "Premium",
+ "Standard",
"Self-Support"
],
"usage": [
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index 6d72a98..ad725d3 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-75bbafd0a65946991d82c82160b5152cae16b907d520df2318106c7fef205ebe3e25c082c19f579b844fcebcff7f5e2d58204616933091584fd0b2a4caf7c712
+828a1b4dc0ed2742113500ad93be884d2fe2ac1b53b291ff72e6b8a8ef7ea5ab995278fbc172ea4cfd06d41a3a6fa0cf252337677eae720800df14b6be26129b
diff --git a/selinux/targeted/contexts/files/file_contexts b/selinux/targeted/contexts/files/file_contexts
index f5d8866..f05c981 100644
--- a/selinux/targeted/contexts/files/file_contexts
+++ b/selinux/targeted/contexts/files/file_contexts
@@ -1217,6 +1217,7 @@
/var/run/user/[^/]*/keyring.* system_u:object_r:gkeyringd_tmp_t:s0
/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
/var/run/user/[^/]*/\.orc(/.*)? system_u:object_r:gstreamer_home_t:s0
+/var/usrlocal/(.*/)?sbin(/.*)? system_u:object_r:bin_t:s0
/usr/lib/gimp/.*/plug-ins(/.*)? system_u:object_r:bin_t:s0
/var/run/user/[^/]*/dconf(/.*)? system_u:object_r:config_home_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
@@ -1265,6 +1266,7 @@
/dev/usb/mdc800.* -c system_u:object_r:scanner_device_t:s0
/dev/xen/blktap.* -c system_u:object_r:xen_device_t:s0
/dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t:s0
+/dev/shm/slapd-.* system_u:object_r:dirsrv_tmpfs_t:s0
/sys/fs/cgroup/.* <>
/sys/fs/pstore/.* <>
/var/cache/mod_.* system_u:object_r:httpd_cache_t:s0
@@ -2411,6 +2413,7 @@
/usr/share/nginx/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t:s0
/var/cache/PackageKit(/.*)? system_u:object_r:rpm_var_cache_t:s0
+/var/cache/cloud-what(/.*)? system_u:object_r:cloud_what_var_cache_t:s0
/var/cache/fontconfig(/.*)? system_u:object_r:fonts_cache_t:s0
/var/cache/krb5rcache(/.*)? system_u:object_r:krb5_host_rcache_t:s0
/var/cache/mod_gnutls(/.*)? system_u:object_r:httpd_cache_t:s0
@@ -2454,6 +2457,7 @@
/var/spool/uucppublic(/.*)? system_u:object_r:uucpd_spool_t:s0
/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t:s0
/var/www/miq/vmdb/log(/.*)? system_u:object_r:httpd_log_t:s0
+/usr/bin/emc/scaleio/(.*)\.ko -- system_u:object_r:modules_object_t:s0
/usr/bin/mozilla-bin-[0-9].* -- system_u:object_r:mozilla_exec_t:s0
/usr/lib/googleearth/.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t:s0
@@ -2635,6 +2639,7 @@
/var/run/NetworkManager(/.*)? system_u:object_r:NetworkManager_var_run_t:s0
/var/run/corosync-qnetd(/.*)? system_u:object_r:cluster_var_run_t:s0
/var/run/docker/plugins(/.*)? system_u:object_r:container_plugin_var_run_t:s0
+/var/run/libvirt/common(/.*)? system_u:object_r:virt_common_var_run_t:s0
/var/run/openvpn-server(/.*)? system_u:object_r:openvpn_var_run_t:s0
/var/run/samba/winbindd(/.*)? system_u:object_r:winbind_var_run_t:s0
/var/run/setroubleshoot(/.*)? system_u:object_r:setroubleshoot_var_run_t:s0
@@ -2914,6 +2919,7 @@
/usr/share/munin/plugins/nut.* -- system_u:object_r:services_munin_plugin_exec_t:s0
/var/log/cluster/aisexec\.log.* -- system_u:object_r:cluster_var_log_t:s0
/var/run/mysqld/mysqlmanager.* -- system_u:object_r:mysqlmanagerd_var_run_t:s0
+dev/shm/var\.lib\.opencryptoki.* system_u:object_r:pkcs_slotd_tmpfs_t:s0
/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t:s0
/usr/share/ajaxterm/ajaxterm.py.* -- system_u:object_r:bin_t:s0
/opt/real/RealPlayer/plugins(/.*)? -- system_u:object_r:textrel_shlib_t:s0
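Review bot: The added entry `dev/shm/var\.lib\.opencryptoki.*` has no leading `/`, unlike the other paths in these hunks (compare `/dev/shm/slapd-.*` added earlier in the same file). The pattern therefore presumably never matches an absolute path, and a relabel would not assign `pkcs_slotd_tmpfs_t` from this rule. The intended line is likely `/dev/shm/var\.lib\.opencryptoki.* system_u:object_r:pkcs_slotd_tmpfs_t:s0`. file_contexts is normally regenerated from the installed policy modules, so the fix belongs in the policy source rather than in this file; running `matchpathcon` on a sample path under /dev/shm would confirm what label currently applies.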
@@ -3251,6 +3257,7 @@
/usr/share/w3c-markup-validator/cgi-bin(/.*)? system_u:object_r:w3c_validator_script_exec_t:s0
/usr/share/wordpress/wp-content/upgrade(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/wordpress/wp-content/uploads(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
+/var/lib/private/systemd/journal-upload(/.*)? system_u:object_r:systemd_journal_upload_var_lib_t:s0
/usr/lib/systemd/system/nm-cloud-setup\.(service|timer) -- system_u:object_r:NetworkManager_unit_file_t:s0
/usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/systemd/system/corosync-qdevice.* -- system_u:object_r:cluster_unit_file_t:s0
@@ -3379,6 +3386,7 @@
/dev/pkey -c system_u:object_r:crypt_device_t:s0
/dev/port -c system_u:object_r:memory_device_t:s0
/dev/ptmx -c system_u:object_r:ptmx_t:s0
+/dev/trng -c system_u:object_r:random_device_t:s0
/dev/uhid -c system_u:object_r:uhid_device_t:s0
/dev/vhci -c system_u:object_r:vhost_device_t:s0
/dev/vmci -c system_u:object_r:vmci_device_t:s0
@@ -4198,6 +4206,7 @@
/sbin/unix_update -- system_u:object_r:updpwd_exec_t:s0
/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t:s0
/sbin/vgcfgbackup -- system_u:object_r:lvm_exec_t:s0
+/usr/bin/Xwayland -- system_u:object_r:xserver_exec_t:s0
/usr/bin/atlantik -- system_u:object_r:games_exec_t:s0
/usr/bin/cdrecord -- system_u:object_r:cdrecord_exec_t:s0
/usr/bin/clamscan -- system_u:object_r:antivirus_exec_t:s0
@@ -4365,6 +4374,7 @@
/etc/udev/devices -d system_u:object_r:device_t:s0
/sys/firmware/efi -d system_u:object_r:efivarfs_t:s0
/sys/kernel/debug -d system_u:object_r:debugfs_t:s0
+/var/tmp/tmp-inst -d system_u:object_r:tmp_t:s0
/dev/input/uinput -c system_u:object_r:event_device_t:s0
/dev/loop-control -c system_u:object_r:loop_control_device_t:s0
/dev/vmbus/hv_kvp -c system_u:object_r:hypervkvp_device_t:s0
@@ -5527,6 +5537,7 @@
/usr/libexec/postfix/lmtp -- system_u:object_r:postfix_smtp_exec_t:s0
/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
+/usr/libexec/rhsm-service -- system_u:object_r:rhsmcertd_exec_t:s0
/usr/libexec/ricci-modlog -- system_u:object_r:ricci_modlog_exec_t:s0
/usr/libexec/ricci-modrpm -- system_u:object_r:ricci_modrpm_exec_t:s0
/usr/libexec/rtkit-daemon -- system_u:object_r:rtkit_daemon_exec_t:s0
@@ -5714,6 +5725,7 @@
/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/libdivxdecore\.so\.0 -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/libdivxencore\.so\.0 -- system_u:object_r:textrel_shlib_t:s0
+/usr/lib/pcs/pcs_snmp_agent -- system_u:object_r:cluster_exec_t:s0
/usr/lib/rtkit/rtkit-daemon -- system_u:object_r:rtkit_daemon_exec_t:s0
/usr/lib/squid/cachemgr\.cgi -- system_u:object_r:squid_script_exec_t:s0
/usr/libexec/abrt-hook-ccpp -- system_u:object_r:abrt_dump_oops_exec_t:s0
@@ -5834,6 +5846,7 @@
/var/lib/misc/dnsmasq\.leases -- system_u:object_r:dnsmasq_lease_t:s0
/var/lib/tftpboot/pxelinux\.0 -- system_u:object_r:cobbler_var_lib_t:s0
/var/run/aeolus/dbomatic\.pid -- system_u:object_r:mongod_var_run_t:s0
+/var/run/initiatorname\.iscsi -- system_u:object_r:iscsi_var_run_t:s0
/var/run/milter-greylist\.pid -- system_u:object_r:greylist_milter_data_t:s0
/var/run/nm-dns-dnsmasq\.conf -- system_u:object_r:NetworkManager_var_run_t:s0
/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
@@ -6000,10 +6013,12 @@
/usr/lib/systemd/systemd-rfkill -- system_u:object_r:systemd_rfkill_exec_t:s0
/usr/lib/systemd/systemd-sysctl -- system_u:object_r:systemd_sysctl_exec_t:s0
/usr/libexec/cyrus-imapd/master -- system_u:object_r:cyrus_exec_t:s0
+/usr/libexec/gdm-runtime-config -- system_u:object_r:xdm_exec_t:s0
/usr/libexec/git-core/git-shell -- system_u:object_r:shell_exec_t:s0
/usr/libexec/mimedefang-wrapper -- system_u:object_r:spamd_exec_t:s0
/usr/libexec/mongodb-scl-helper -- system_u:object_r:mongod_exec_t:s0
/usr/libexec/openafs/fileserver -- system_u:object_r:afs_fsserver_exec_t:s0
+/usr/libexec/rhsm-facts-service -- system_u:object_r:rhsmcertd_exec_t:s0
/usr/libexec/rssh_chroot_helper -- system_u:object_r:rssh_chroot_helper_exec_t:s0
/usr/libexec/sssd/selinux_child -- system_u:object_r:sssd_selinux_manager_exec_t:s0
/usr/libexec/telepathy-sofiasip -- system_u:object_r:telepathy_sofiasip_exec_t:s0
@@ -6249,6 +6264,7 @@
/usr/lib/systemd/system/rpcbind\.service -- system_u:object_r:rpcbind_unit_file_t:s0
/usr/lib/systemd/system/sanlock\.service -- system_u:object_r:sanlock_unit_file_t:s0
/usr/lib/systemd/systemd-fence_sanlockd -- system_u:object_r:fenced_exec_t:s0
+/usr/lib/systemd/systemd-journal-upload -- system_u:object_r:systemd_journal_upload_exec_t:s0
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- system_u:object_r:bin_t:s0
/usr/libexec/cockpit-wsinstance-factory -- system_u:object_r:cockpit_ws_exec_t:s0
/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
diff --git a/selinux/targeted/contexts/files/file_contexts.bin b/selinux/targeted/contexts/files/file_contexts.bin
index f8a1e65..463ce83 100644
Binary files a/selinux/targeted/contexts/files/file_contexts.bin and b/selinux/targeted/contexts/files/file_contexts.bin differ
diff --git a/selinux/targeted/contexts/files/file_contexts.subs_dist b/selinux/targeted/contexts/files/file_contexts.subs_dist
index f64b231..0f127d9 100644
--- a/selinux/targeted/contexts/files/file_contexts.subs_dist
+++ b/selinux/targeted/contexts/files/file_contexts.subs_dist
@@ -17,3 +17,4 @@
/var/roothome /root
/sbin /usr/sbin
/sysroot/tmp /tmp
+/var/usrlocal /usr/local
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index 244ade3..c981620 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ
diff --git a/squid/cachemgr.conf b/squid/cachemgr.conf
index 530c45e..5bdbecc 100644
--- a/squid/cachemgr.conf
+++ b/squid/cachemgr.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
diff --git a/squid/cachemgr.conf.default b/squid/cachemgr.conf.default
index 530c45e..5bdbecc 100644
--- a/squid/cachemgr.conf.default
+++ b/squid/cachemgr.conf.default
@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
diff --git a/squid/errorpage.css b/squid/errorpage.css
index 6ed4362..38ba434 100644
--- a/squid/errorpage.css
+++ b/squid/errorpage.css
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
diff --git a/squid/errorpage.css.default b/squid/errorpage.css.default
index 6ed4362..38ba434 100644
--- a/squid/errorpage.css.default
+++ b/squid/errorpage.css.default
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
diff --git a/squid/mime.conf b/squid/mime.conf
index 75e0d2f..e1fc509 100644
--- a/squid/mime.conf
+++ b/squid/mime.conf
@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
diff --git a/squid/mime.conf.default b/squid/mime.conf.default
index 75e0d2f..e1fc509 100644
--- a/squid/mime.conf.default
+++ b/squid/mime.conf.default
@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
diff --git a/systemd/system.conf b/systemd/system.conf
index 8e5358f..2e8538b 100644
--- a/systemd/system.conf
+++ b/systemd/system.conf
@@ -52,7 +52,7 @@
#DefaultLimitFSIZE=
#DefaultLimitDATA=
#DefaultLimitSTACK=
-#DefaultLimitCORE=
+DefaultLimitCORE=0:infinity
#DefaultLimitRSS=
#DefaultLimitNOFILE=
#DefaultLimitAS=
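Review bot: `DefaultLimitCORE=0:infinity` in systemd/system.conf sets only the soft core limit to 0 and leaves the hard limit unlimited, so any service or process started under this default can raise its own soft limit and write core files again. If the aim is to keep process memory (keys, credentials, session data) out of core dumps, `DefaultLimitCORE=0` sets both limits, and individual units that need dumps can opt in with `LimitCORE=`. If the soft:hard form is intended (it may simply be the packaged default arriving with an update), a comment above the line such as `# soft 0: no cores by default; hard infinity: a unit may opt in` would record that. It is also worth checking where the dumps that are still produced are written and who can read them.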
diff --git a/systemd/system/multi-user.target.wants/memcached.service b/systemd/system/multi-user.target.wants/memcached.service
deleted file mode 120000
index 51c7ecf..0000000
--- a/systemd/system/multi-user.target.wants/memcached.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/memcached.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/redis.service b/systemd/system/multi-user.target.wants/redis.service
deleted file mode 120000
index 4ff86f2..0000000
--- a/systemd/system/multi-user.target.wants/redis.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/redis.service
\ No newline at end of file
diff --git a/tuned/bootcmdline b/tuned/bootcmdline
index 943641d..f951d50 100644
--- a/tuned/bootcmdline
+++ b/tuned/bootcmdline
@@ -1,12 +1,12 @@
# This file specifies additional parameters to kernel boot command line and
-# initrd overlay images. Its content is set by the Tuned bootloader plugin
+# initrd overlay images. Its content is set by the TuneD bootloader plugin
# and sourced by the grub2-mkconfig (/etc/grub.d/00_tuned script).
#
# Please do not edit this file. Content of this file can be overwritten by
-# switch of Tuned profile.
+# switch of TuneD profile.
#
# If you need to add parameters to the kernel boot command line, create
-# Tuned profile containing the following:
+# TuneD profile containing the following:
#
# [bootloader]
# cmdline = YOUR_ADDITIONAL_KERNEL_PARAMETERS
@@ -22,7 +22,7 @@
#
# YOUR_ADDITIONAL_KERNEL_PARAMETERS will stay preserved.
#
-# Similarly if you need to add initrd overlay image, create Tuned profile
+# Similarly if you need to add initrd overlay image, create TuneD profile
# containing the following:
#
# [bootloader]
diff --git a/tuned/tuned-main.conf b/tuned/tuned-main.conf
index 1afd16b..7dfa6a5 100644
--- a/tuned/tuned-main.conf
+++ b/tuned/tuned-main.conf
@@ -24,7 +24,7 @@ recommend_command = 1
# Whether to reapply sysctl from /run/sysctl.d/, /etc/sysctl.d/ and
# /etc/sysctl.conf. If enabled, these sysctls will be re-appliead
-# after Tuned sysctls are applied, i.e. Tuned sysctls will not
+# after TuneD sysctls are applied, i.e. TuneD sysctls will not
# override user-provided system sysctls.
reapply_sysctl = 1
diff --git a/udev/hwdb.bin b/udev/hwdb.bin
index 13c707a..b4c2140 100644
Binary files a/udev/hwdb.bin and b/udev/hwdb.bin differ
diff --git a/vmware-tools/tools.conf.example b/vmware-tools/tools.conf.example
index 0e6dfff..fe08ebe 100644
--- a/vmware-tools/tools.conf.example
+++ b/vmware-tools/tools.conf.example
@@ -351,3 +351,31 @@
# User-defined poll interval in seconds. Set to 0 to disable polling.
#poll-interval=60
+
+[gueststoreupgrade]
+
+# The guestStoreUpgrade plugin is only available for Windows.
+
+# The policy value is one of the settings listed below.
+# off = no VMware Tools upgrade from GuestStore. Feature is
+# disabled.
+# manual = (Default) VMware Tools upgrade from GuestStore is
+# manually started.
+# powercycle = VMware Tools upgrade from GuestStore on system
+# power on.
+
+#policy=manual
+
+# Time interval for periodically checking available VMware Tools package
+# version in the GuestStore.
+# User-defined poll interval in seconds. Set to 0 to disable polling.
+# Minimum valid value is 900 seconds (15 minutes)
+# Default value is 3600 seconds (60 minutes)
+#poll-interval=3600
+
+# VMware Tools package version metadata key to specify a VMware Tools
+# package version in the GuestStore.
+# User-defined key for VMware Tools package version.
+# Default value is "vmtools" which points to the latest version of
+# VMware Tools package in the GuestStore.
+#vmtools-version-key=vmtools