saving uncommitted changes in /etc prior to dnf run

.etckeeper

@@ -28,6 +28,7 @@ mkdir -p './falco/rules.d'
 mkdir -p './firewalld/helpers'
 mkdir -p './firewalld/icmptypes'
 mkdir -p './firewalld/ipsets'
+mkdir -p './firewalld/policies'
 mkdir -p './firewalld/services'
 mkdir -p './glvnd/egl_vendor.d'
 mkdir -p './gnupg'
@@ -37,6 +38,7 @@ mkdir -p './incron.d'
 mkdir -p './java/security/security.d'
 mkdir -p './jvm'
 mkdir -p './jvm-commmon'
+mkdir -p './keyutils'
 mkdir -p './letsencrypt/renewal-hooks/deploy'
 mkdir -p './letsencrypt/renewal-hooks/post'
 mkdir -p './letsencrypt/renewal-hooks/pre'
@@ -78,7 +80,6 @@ mkdir -p './polkit-1/localauthority/50-local.d'
 mkdir -p './polkit-1/localauthority/90-mandatory.d'
 mkdir -p './pyzor'
 mkdir -p './qemu-ga/fsfreeze-hook.d'
-mkdir -p './rhsm/ca'
 mkdir -p './rhsm/facts'
 mkdir -p './rhsm/pluginconf.d'
 mkdir -p './rspamd/override.d'
@@ -132,7 +133,8 @@ maybe chmod 0644 'NetworkManager/NetworkManager.conf'
 maybe chmod 0755 'NetworkManager/conf.d'
 maybe chmod 0755 'NetworkManager/dispatcher.d'
 maybe chmod 0755 'NetworkManager/dispatcher.d/11-dhclient'
-maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony'
+maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony-dhcp'
+maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony-onoffline'
 maybe chmod 0755 'NetworkManager/dispatcher.d/20-squid'
 maybe chmod 0755 'NetworkManager/dispatcher.d/no-wait.d'
 maybe chmod 0755 'NetworkManager/dispatcher.d/pre-down.d'
@@ -859,6 +861,7 @@ maybe chmod 0750 'firewalld/helpers'
 maybe chmod 0750 'firewalld/icmptypes'
 maybe chmod 0750 'firewalld/ipsets'
 maybe chmod 0644 'firewalld/lockdown-whitelist.xml'
+maybe chmod 0750 'firewalld/policies'
 maybe chmod 0750 'firewalld/services'
 maybe chmod 0750 'firewalld/zones'
 maybe chmod 0644 'firewalld/zones/public.xml'
@@ -937,6 +940,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -981,23 +985,23 @@ maybe chmod 0644 'issue.net'
 maybe chmod 0644 'issue.rpmnew'
 maybe chmod 0755 'java'
 maybe chmod 0755 'java/java-1.8.0-openjdk'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/calendars.properties'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/logging.properties'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/blacklisted.certs'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.policy'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/java.security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.cfg'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/nss.fips.cfg'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/calendars.properties'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/logging.properties'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/blacklisted.certs'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.policy'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.cfg'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/nss.fips.cfg'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/limited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/policy/unlimited/local_policy.jar'
 maybe chmod 0755 'java/security'
 maybe chmod 0755 'java/security/security.d'
 maybe chmod 0755 'jvm'
@@ -1011,6 +1015,7 @@ maybe chmod 0755 'kernel/postinst.d'
 maybe chmod 0755 'kernel/postinst.d/dkms'
 maybe chmod 0755 'kernel/prerm.d'
 maybe chmod 0755 'kernel/prerm.d/dkms'
+maybe chmod 0755 'keyutils'
 maybe chmod 0644 'krb5.conf'
 maybe chmod 0755 'krb5.conf.d'
 maybe chmod 0644 'krb5.conf.d/kcm_default_ccache'
@@ -1020,6 +1025,7 @@ maybe chmod 0644 'ld.so.conf.d/bind-export-x86_64.conf'
 maybe chmod 0644 'ld.so.conf.d/dyninst-x86_64.conf'
 maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf'
 maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-305.25.1.el8_4.x86_64.conf'
+maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf'
 maybe chmod 0755 'letsencrypt'
 maybe chown 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
 maybe chgrp 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
@@ -4395,6 +4401,7 @@ maybe chmod 0644 'profile.d/csh.local'
 maybe chmod 0644 'profile.d/gawk.csh'
 maybe chmod 0644 'profile.d/gawk.sh'
 maybe chmod 0640 'profile.d/grc.sh'
+maybe chmod 0644 'profile.d/iproute2.sh'
 maybe chmod 0644 'profile.d/lang.csh'
 maybe chmod 0644 'profile.d/lang.sh'
 maybe chmod 0644 'profile.d/less.csh'
@@ -4528,6 +4535,8 @@ maybe chmod 0644 'resolv.conf'
 maybe chmod 0644 'resolv.conf.save'
 maybe chmod 0755 'rhsm'
 maybe chmod 0755 'rhsm/ca'
+maybe chmod 0644 'rhsm/ca/redhat-entitlement-authority.pem'
+maybe chmod 0644 'rhsm/ca/redhat-uep.pem'
 maybe chmod 0755 'rhsm/facts'
 maybe chmod 0644 'rhsm/logging.conf'
 maybe chmod 0755 'rhsm/pluginconf.d'

.updated

@@ -1,4 +1,4 @@
 # This file was created by systemd-update-done. Its only 
 # purpose is to hold a timestamp of the time this directory
 # was updated. See man:systemd-update-done.service(8).
-TIMESTAMP_NSEC=1614695289186707635
+TIMESTAMP_NSEC=1637331558928868970

NetworkManager/dispatcher.d/20-chrony-dhcp

@@ -0,0 +1,58 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher script for chronyd to update
+# its NTP sources passed from DHCP options. Note that this script is
+# specific to NetworkManager-dispatcher due to use of the
+# DHCP4_NTP_SERVERS environment variable.
+
+export LC_ALL=C
+
+interface=$1
+action=$2
+
+helper=/usr/libexec/chrony-helper
+default_server_options=iburst
+server_dir=/run/chrony-helper
+
+dhcp_server_tmpfile=$server_dir/tmp-nm-dhcp.$interface
+dhcp_server_file=$server_dir/nm-dhcp.$interface
+# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
+nm_dhcp_servers=$DHCP4_NTP_SERVERS
+
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
+    . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
+
+add_servers_from_dhcp() {
+    rm -f "$dhcp_server_file"
+
+    # Remove servers saved by the dhclient script before it detected NM.
+    rm -f "/var/lib/dhclient/chrony.servers.$interface"
+
+    # Don't add NTP servers if PEERNTP=no specified; return early.
+    [ "$PEERNTP" = "no" ] && return
+
+    # Create the directory with correct SELinux context.
+    $helper create-helper-directory > /dev/null 2>&1
+
+    for server in $nm_dhcp_servers; do
+        echo "$server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_tmpfile"
+    done
+    [ -e "$dhcp_server_tmpfile" ] && mv "$dhcp_server_tmpfile" "$dhcp_server_file"
+
+    $helper update-daemon > /dev/null 2>&1 || :
+}
+
+clear_servers_from_dhcp() {
+    if [ -f "$dhcp_server_file" ]; then
+        rm -f "$dhcp_server_file"
+        $helper update-daemon > /dev/null 2>&1 || :
+    fi
+}
+
+if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
+    add_servers_from_dhcp
+elif [ "$action" = "down" ]; then
+    clear_servers_from_dhcp
+fi
+
+exit 0

NetworkManager/dispatcher.d/20-chrony-onoffline

@@ -5,11 +5,13 @@
 
 export LC_ALL=C
 
+chronyc=/usr/bin/chronyc
+
 # For NetworkManager consider only up/down events
 [ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
 
 # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
 
-chronyc onoffline > /dev/null 2>&1
+$chronyc onoffline > /dev/null 2>&1
 
 exit 0

alternatives/alt-java

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/alt-java
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/alt-java

alternatives/alt-java.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/java

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/java
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/java

alternatives/java.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/jjs

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/jjs
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/jjs

alternatives/jjs.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/jre

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre

alternatives/jre_1.8.0

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre

alternatives/jre_1.8.0_openjdk

@@ -1 +1 @@
-/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64
+/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64

alternatives/jre_openjdk

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre

alternatives/keytool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/keytool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/keytool

alternatives/keytool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/orbd

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/orbd
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/orbd

alternatives/orbd.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/pack200

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/pack200
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/pack200

alternatives/pack200.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/policytool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/policytool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/policytool

alternatives/policytool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/rmid

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/rmid
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/rmid

alternatives/rmid.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/rmiregistry

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/rmiregistry
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/rmiregistry

alternatives/rmiregistry.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/servertool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/servertool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/servertool

alternatives/servertool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/tnameserv

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/tnameserv
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/tnameserv

alternatives/tnameserv.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

alternatives/unpack200

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64/jre/bin/unpack200
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/bin/unpack200

alternatives/unpack200.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64.1.gz
+/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64.1.gz

bindresvport.blacklist

@@ -8,6 +8,11 @@
 631     # cups
 636     # ldaps
 664     # Secure ASF, used by IPMI on some cards
+749     # Kerberos V kadmin
+774     # rpasswd
+873     # rsyncd
 921     # lwresd
+992     # SSL-enabled telnet
 993     # imaps
+994     # irc
 995     # pops

centos-release

@@ -1 +1 @@
-CentOS Linux release 8.4.2105
+CentOS Linux release 8.5.2111

centos-release-upstream

@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.4
+Derived from Red Hat Enterprise Linux 8.5

crypto-policies/back-ends/nss.config

@@ -1,7 +1,7 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
 
 
 name=p11-kit-proxy

crypto-policies/state/CURRENT.pol

@@ -1,22 +1,30 @@
-# Current runtime policy dump
-# DEFAULT
-arbitrary_dh_groups = 1
+# Policy DEFAULT dump
+#
+# Do not parse the contents of this file with automated tools,
+# it is provided for review convenience only.
+#
+# Baseline values for all scopes:
 cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
 group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
 hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
-ike_protocol = IKEv2
 key_exchange = ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
+protocol =
+sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1
+arbitrary_dh_groups = 1
 min_dh_size = 2048
 min_dsa_size = 2048
-min_dtls_version = DTLS1.2
 min_rsa_size = 2048
-min_tls_version = TLS1.2
-protocol = TLS1.3 TLS1.2 DTLS1.2
 sha1_in_certs = 1
-sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512 ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1
 ssh_certs = 1
-ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
 ssh_etm = 1
-ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
-tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+# Scope-specific properties derived for select backends:
+cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
+cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
+protocol@libreswan = IKEv2
+cipher@nss = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@nss = TLS1.3 TLS1.2 DTLS1.2
+cipher@openssl = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
+protocol@openssl = TLS1.3 TLS1.2 DTLS1.2

dhcp/dhclient.d/chrony.sh

@@ -3,6 +3,9 @@
 SERVERFILE=$SAVEDIR/chrony.servers.$interface
 
 chrony_config() {
+	# Disable modifications if called from a NM dispatcher script
+	[ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
 	rm -f "$SERVERFILE"
 	if [ "$PEERNTP" != "no" ]; then
 		for server in $new_ntp_servers; do
@@ -13,6 +16,8 @@ chrony_config() {
 }
 
 chrony_restore() {
+	[ -n "$NM_DISPATCHER_ACTION" ] && return 0
+
 	if [ -f "$SERVERFILE" ]; then
 		rm -f "$SERVERFILE"
 		/usr/libexec/chrony-helper update-daemon || :

firewalld/firewalld.conf

@@ -23,6 +23,8 @@ Lockdown=no
 # packet would be sent via the same interface that the packet arrived on, the 
 # packet will match and be accepted, otherwise dropped.
 # The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
 # Default: yes
 IPv6_rpfilter=yes
 

httpd/conf.d/ssl.conf

@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   The OpenSSL system profile is used by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+

httpd/conf.d/welcome.conf.rpmnew

@@ -16,4 +16,4 @@
 </Directory>
 
 Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png
+Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png

krb5.conf.d/kcm_default_ccache

@@ -3,7 +3,7 @@
 # On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
 #
 # To enable the KCM credential cache enable the KCM socket and the service:
-#   systemctl enable sssd-secrets.socket sssd-kcm.socket
+#   systemctl enable sssd-kcm.socket
 #   systemctl start sssd-kcm.socket
 #
 # To disable the KCM credential cache, comment out the following lines.

ld.so.conf.d/kernel-4.18.0-348.2.1.el8_5.x86_64.conf

@@ -0,0 +1 @@
+    # Placeholder file, no vDSO hwcap entries used in this kernel.

modprobe.d/tuned.conf

@@ -1,11 +1,11 @@
-# This file specifies additional parameters to kernel modules added by Tuned.
-# Its content is set by the Tuned modules plugin.
+# This file specifies additional parameters to kernel modules added by TuneD.
+# Its content is set by the TuneD modules plugin.
 #
 # Please do not edit this file. Content of this file can be overwritten by
-# switch of Tuned profile.
+# switch of TuneD profile.
 #
-# If you need to add kernel module parameter which should be handled by Tuned,
-# create Tuned profile containing the following:
+# If you need to add kernel module parameter which should be handled by TuneD,
+# create TuneD profile containing the following:
 #
 # [modules]
 # MODULE_NAME = MODULE_PARAMETERS
@@ -16,7 +16,7 @@
 #
 # and reboot or reload the module
 #
-# Tuned tries to automatically reload the module if specified the following
+# TuneD tries to automatically reload the module if specified the following
 # way:
 #
 # [modules]

nfs.conf

@@ -22,6 +22,8 @@ use-gss-proxy=1
 # cred-cache-directory=
 # preferred-realm=
 # set-home=1
+# upcall-timeout=30
+# cancel-timed-out-upcalls=0
 #
 [lockd]
 # port=0

pam.d/cockpit

@@ -1,7 +1,4 @@
 #%PAM-1.0
-# this MUST be first in the "auth" stack as it sets PAM_USER
-# user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code
--auth      [success=done new_authtok_reqd=done user_unknown=die default=ignore]   pam_cockpit_cert.so
 auth       required     pam_sepermit.so
 auth       substack     password-auth
 auth       include      postlogin

pki/tls/openssl.cnf

@@ -364,5 +364,5 @@ tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
-ess_cert_id_alg		= sha1	# algorithm to compute certificate
+ess_cert_id_alg		= sha256	# algorithm to compute certificate
 				# identifier (optional, default: sha1)

profile.d/iproute2.sh

@@ -0,0 +1,5 @@
+# tc initialization script (sh)
+
+if [ -z "$TC_LIB_DIR" ]; then
+    export TC_LIB_DIR=/usr/lib64/tc
+fi

profile.d/which2.sh

@@ -1,7 +1,19 @@
-# Initialization script for bash and sh
+# shellcheck shell=sh
+# Initialization script for bash, sh, mksh and ksh
 
-if [ "$0" = "ksh" ] || [ "$0" = "-ksh" ] ; then
-  alias which='(alias; typeset -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
-else
-  alias which='(alias; declare -f) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot'
+which_declare="declare -f"
+which_opt="-f"
+which_shell="$(cat /proc/$$/comm)"
+
+if [ "$which_shell" = "ksh" ] || [ "$which_shell" = "mksh" ] || [ "$which_shell" = "zsh" ] ; then
+  which_declare="typeset -f"
+  which_opt=""
 fi
+ 
+which ()
+{
+(alias; eval ${which_declare}) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot "$@"
+}
+
+export which_declare
+export ${which_opt} which

rhsm/ca/redhat-entitlement-authority.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAIMA0GCSqGSIb3DQEBDAUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTgwOTEyMTgxMzIxWhcNMzAw
+MzE1MTgxMzIxWjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAGKk
+q5Ab0AC7SOCYq9up5z0twbe+gI72cm854+VhcxafnLP2/4nH6nQauKLKEFLI8+fV
+RAwYxm1f5nuEiaTvjPE0umYdgMlpEJQeGdW/+/DotDaOon1G6bSMEKFvaKcBHKqa
+kBxQ29trwMG2WN8qZ7/H3XzBvLZ+JrYr01vDSV0P4tcBFOytbMZeJr4xmfxiqWxp
+VUM9eGf6z+ngXyth8lohxGd9MMXwsaPdvM+wptp3AQpq5wFPWyfJqCd6uBxu09k1
+ns3Y/sya2GHqDK4bUW6gCHO13gkYviTCIBLAlX7PDeK5nYVcq8HvTLU9+H9BFGix
+YGDdHphz7i5qO/gLLLcfKhENP6jtbe8i6nwqeDzj+DMy38iMWNYFVWn1OrBaQMtf
+wlVfyRJij9SfyiUAVFld1RoPAN/haf1VmF/0dGrOigibYijqnHvDJffMUND/sbk8
+df6O6VYjvLLlwry4W4dHiLLA7NAHGtkUv2g1+oH1lQIfRG+PvZhWz4pGT1AlzfwD
+aXUfX2X+Bo9tYr9BGy5Li1pLGLvfw+an7cBAbBaw8+HhAHt+Vm4F03KX/bHlge0a
+fMYK6FoA/xQSaZ6IPm4HfPSMvhboguVG+/AZQN4/UxjDleoEz8b0CWYafcJRRZch
+BdxBjTy7JLf3j0HCbenZQF83wwtrSmiTOTK1tLsm
+-----END CERTIFICATE-----

rhsm/ca/redhat-uep.pem

@@ -0,0 +1,119 @@
+-----BEGIN CERTIFICATE-----
+MIIG/TCCBOWgAwIBAgIBNzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMu
+MRgwFgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50
+aXRsZW1lbnQgT3BlcmF0aW9ucyBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNh
+LXN1cHBvcnRAcmVkaGF0LmNvbTAeFw0xMDEwMDQxMzI3NDhaFw0zMDA5MjkxMzI3
+NDhaMIGuMQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAU
+BgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEu
+MCwGA1UEAwwlUmVkIEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEk
+MCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA2QurMeAVnCHVsuZNQzciWMdpd4LAVk2eGugN
+0cxmBpzoVI8lIsJOmJkpOAuFOQMX9CBr8RuQyg4r1/OH/rfhm6FgGIw8TGKZoWC/
+1B9teZqTiM85k6/1GRNxdk6dUK77HVO0PMIKtNBHRxIsXcRzJ1q+u5WPBes9pEVG
+nbidTNUkknrSIdynTJcqAI/I0VAsqLqX87XJSzXKvRilE+p/fLHmVTAffl1Cn/Dy
+KULxna7ooyrKKnfqeQ5dK8aMr1ASQ1wphWohLjegly9V0amEi+HHWnOL8toxJy8v
+WUTUzzAvZ4ZTtTV26xGetZZWEaNyv7YCv2AexjcBQ2x+ejrFJrVNo9jizHS06HK8
+UgHVDKhmVcAe2/5yrJCjKDLwg1FJfjKwhzhLYdNVCejpy8CHQndwO0EX1hHv/AfP
+RTAmr5qPhHFD+uuIrYrSLUpgMLmWa9dinJcGeKlA1KJvG5emGMM3k64Xr7dJToXo
+5loGyZ6lvKPIKLmfeXMRW/4+BqyzwbO1i4aIHAZcSPDFGKWwuvF0iVUYUUVxw0nv
+qPZA4roq5+j/YSz0q5XGVgiIt34htlvunLp/ICGYJBR6zEHcB9aZGJdDcJvoYZjw
+7Gphw6lFF6Ta4imoyhGECWKjd1ips3opcN+DlU0yCUrcIXVIXAnkTwu5ocOgAkxr
+f/6FjqcCAwEAAaOCAR8wggEbMB0GA1UdDgQWBBSW/bscQED/QIStsh8LJsHDam/W
+fDCB5QYDVR0jBIHdMIHagBTESXhWRZ0eLGFgw2ZLWAU3LwMie6GBtqSBszCBsDEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdS
+YWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0
+IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBDQTEkMCIGCSqG
+SIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkAkYrPyoUAAAAwEgYDVR0T
+AQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOCAgEArWBznYWKpY4LqAzhOSop
+t30D2/UlCSr50l33uUCNYD4D4nTr/pyX3AR6P3JcOCz0t22pVCg8D3DZc5VlzY7y
+P5RD3KbLxFNJTloclMG0n6aIN7baA4b8zwkduMQvKZnA/YNR5xE7V7J2WJHCEBBB
+Z+ZFwGpGsoZpPZP4hHLVke3xHm6A5F5SzP1Ug0T9W80VLK4jtgyGs8l1R7rXiOIt
+Nik8317KGq7DU8TI2Rw/9Gc8FKNfUYcVD7uC/MMQXJTRvkADmNLtZM63nhzpg1Hr
+hA6U5YcDCBKsPA43/wsPOONYtrAlToD5hJhU+1Rhmwcw3qvWBO3NkdilqGFOTc2K
+50PQrqoRTCZFS41nv2WqZFfbvSq4dZRJl8xpB4LAHSspsMrbr9WZHX5fbggf6ixw
+S9KDqQbM7asP0FEKBFXJV1rE8P/oSK6yVWQyigTsNcdGR4AUzDsTO9udcwoM2Ed4
+XdakVkF+dXm9ZBwv5UBf5ITSyMXL3qlusIOblJVGUQizumoq0LiSnjwbkxh2XHhd
+XD/B/qax7FnaNg+TfujR/kk3kF1OpqWx/wC/qPR+zho1+35Al31gZOfNIn/sReoM
+tcci9LFHGvijIy4VUDQK8HmGjIxJPrIIe1nB5BkiGyjwn00D5q+BwYVst1C68Rwx
+iRZpyzOZmeineJvhrJZ4Tvs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAIMA0GCSqGSIb3DQEBDAUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTgwOTEyMTgxMzIxWhcNMzAw
+MzE1MTgxMzIxWjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAGKk
+q5Ab0AC7SOCYq9up5z0twbe+gI72cm854+VhcxafnLP2/4nH6nQauKLKEFLI8+fV
+RAwYxm1f5nuEiaTvjPE0umYdgMlpEJQeGdW/+/DotDaOon1G6bSMEKFvaKcBHKqa
+kBxQ29trwMG2WN8qZ7/H3XzBvLZ+JrYr01vDSV0P4tcBFOytbMZeJr4xmfxiqWxp
+VUM9eGf6z+ngXyth8lohxGd9MMXwsaPdvM+wptp3AQpq5wFPWyfJqCd6uBxu09k1
+ns3Y/sya2GHqDK4bUW6gCHO13gkYviTCIBLAlX7PDeK5nYVcq8HvTLU9+H9BFGix
+YGDdHphz7i5qO/gLLLcfKhENP6jtbe8i6nwqeDzj+DMy38iMWNYFVWn1OrBaQMtf
+wlVfyRJij9SfyiUAVFld1RoPAN/haf1VmF/0dGrOigibYijqnHvDJffMUND/sbk8
+df6O6VYjvLLlwry4W4dHiLLA7NAHGtkUv2g1+oH1lQIfRG+PvZhWz4pGT1AlzfwD
+aXUfX2X+Bo9tYr9BGy5Li1pLGLvfw+an7cBAbBaw8+HhAHt+Vm4F03KX/bHlge0a
+fMYK6FoA/xQSaZ6IPm4HfPSMvhboguVG+/AZQN4/UxjDleoEz8b0CWYafcJRRZch
+BdxBjTy7JLf3j0HCbenZQF83wwtrSmiTOTK1tLsm
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIHZDCCBUygAwIBAgIJAOb+QiglyeZeMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE3MTkwMDQ0WhcNMzAw
+MzEyMTkwMDQ0WjCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgw
+FgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1h
+c3RlciBDQTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2Z+mW7OYcBcGxWS+RSKG2GJ2
+csMXiGGfEp36vKVsIvypmNS60SkicKENMYREalbdSjrgfXxPJygZWsVWJ5lHPfBV
+o3WkFrFHTIXd/R6LxnaHD1m8Cx3GwEeuSlE/ASjc1ePtMnsHH7xqZ9wdl85b1C8O
+scgO7fwuM192kvv/veI/BogIqUQugtG6szXpV8dp4ml029LXFoNIy2lfFoa2wKYw
+MiUHwtYgAz7TDY63e8qGhd5PoqTv9XKQogo2ze9sF9y/npZjliNy5qf6bFE+24oW
+E8pGsp3zqz8h5mvw4v+tfIx5uj7dwjDteFrrWD1tcT7UmNrBDWXjKMG81zchq3h4
+etgF0iwMHEuYuixiJWNzKrLNVQbDmcLGNOvyJfq60tM8AUAd72OUQzivBegnWMit
+CLcT5viCT1AIkYXt7l5zc/duQWLeAAR2FmpZFylSukknzzeiZpPclRziYTboDYHq
+revM97eER1xsfoSYp4mJkBHfdlqMnf3CWPcNgru8NbEPeUGMI6+C0YvknPlqDDtU
+ojfl4qNdf6nWL+YNXpR1YGKgWGWgTU6uaG8Sc6qGfAoLHh6oGwbuz102j84OgjAJ
+DGv/S86svmZWSqZ5UoJOIEqFYrONcOSgztZ5tU+gP4fwRIkTRbTEWSgudVREOXhs
+bfN1YGP7HYvS0OiBKZUCAwEAAaOCAX0wggF5MB0GA1UdDgQWBBSIS6ZFxEbsj9bP
+pvYazyY8kMx/FzCB5QYDVR0jBIHdMIHagBSIS6ZFxEbsj9bPpvYazyY8kMx/F6GB
+tqSBszCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
+DgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQL
+DA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBD
+QTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkA5v5CKCXJ
+5l4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEG
+MCAGA1UdEQQZMBeBFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTAgBgNVHRIEGTAXgRVj
+YS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEFBQADggIBAJ1hEdNBDTRr
+6kI6W6stoogSUwjuiWPDY8DptwGhdpyIfbCoxvBR7F52DlwyXOpCunogfKMRklnE
+gH1Wt66RYkgNuJcenKHAhR5xgSLoPCOVF9rDjMunyyBuxjIbctM21R7BswVpsEIE
+OpV5nlJ6wkHsrn0/E+Zk5UJdCzM+Fp4hqHtEn/c97nvRspQcpWeDg6oUvaJSZTGM
+8yFpzR90X8ZO4rOgpoERukvYutUfJUzZuDyS3LLc6ysamemH93rZXr52zc4B+C9G
+Em8zemDgIPaH42ce3C3TdVysiq/yk+ir7pxW8toeavFv75l1UojFSjND+Q2AlNQn
+pYkmRznbD5TZ3yDuPFQG2xYKnMPACepGgKZPyErtOIljQKCdgcvb9EqNdZaJFz1+
+/iWKYBL077Y0CKwb+HGIDeYdzrYxbEd95YuVU0aStnf2Yii2tLcpQtK9cC2+DXjL
+Yf3kQs4xzH4ZejhG9wzv8PGXOS8wHYnfVNA3+fclDEQ1mEBKWHHmenGI6QKZUP8f
+g0SQ3PNRnSZu8R+rhABOEuVFIBRlaYijg2Pxe0NgL9FlHsNyRfo6EUrB2QFRKACW
+3Mo6pZyDjQt7O8J7l9B9IIURoJ1niwygf7VSJTMl2w3fFleNJlZTGgdXw0V+5g+9
+Kg6Ay0rrsi4nw1JHue2GvdjdfVOaWSWC
+-----END CERTIFICATE-----

rhsm/syspurpose/valid_fields.json

@@ -1,10 +1,12 @@
 {
     "role": [
-      "CentOS Linux Server",
-      "CentOS Linux Workstation",
-      "CentOS Linux Compute Node"
+      "Red Hat Enterprise Linux Server",
+      "Red Hat Enterprise Linux Workstation",
+      "Red Hat Enterprise Linux Compute Node"
     ],
     "service_level_agreement": [
+      "Premium",
+      "Standard",
       "Self-Support"
     ],
     "usage": [

selinux/targeted/.policy.sha512

@@ -1 +1 @@
-75bbafd0a65946991d82c82160b5152cae16b907d520df2318106c7fef205ebe3e25c082c19f579b844fcebcff7f5e2d58204616933091584fd0b2a4caf7c712
+828a1b4dc0ed2742113500ad93be884d2fe2ac1b53b291ff72e6b8a8ef7ea5ab995278fbc172ea4cfd06d41a3a6fa0cf252337677eae720800df14b6be26129b

selinux/targeted/contexts/files/file_contexts

@@ -1217,6 +1217,7 @@
 /var/run/user/[^/]*/keyring.*	system_u:object_r:gkeyringd_tmp_t:s0
 /var/usrlocal/(.*/)?bin(/.*)?	system_u:object_r:bin_t:s0
 /var/run/user/[^/]*/\.orc(/.*)?	system_u:object_r:gstreamer_home_t:s0
+/var/usrlocal/(.*/)?sbin(/.*)?	system_u:object_r:bin_t:s0
 /usr/lib/gimp/.*/plug-ins(/.*)?	system_u:object_r:bin_t:s0
 /var/run/user/[^/]*/dconf(/.*)?	system_u:object_r:config_home_t:s0
 /var/www/html/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
@@ -1265,6 +1266,7 @@
 /dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t:s0
 /dev/xen/blktap.*	-c	system_u:object_r:xen_device_t:s0
 /dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t:s0
+/dev/shm/slapd-.*	system_u:object_r:dirsrv_tmpfs_t:s0
 /sys/fs/cgroup/.*	<<none>>
 /sys/fs/pstore/.*	<<none>>
 /var/cache/mod_.*	system_u:object_r:httpd_cache_t:s0
@@ -2411,6 +2413,7 @@
 /usr/share/nginx/html(/.*)?	system_u:object_r:httpd_sys_content_t:s0
 /var/axfrdns/log/main(/.*)?	system_u:object_r:var_log_t:s0
 /var/cache/PackageKit(/.*)?	system_u:object_r:rpm_var_cache_t:s0
+/var/cache/cloud-what(/.*)?	system_u:object_r:cloud_what_var_cache_t:s0
 /var/cache/fontconfig(/.*)?	system_u:object_r:fonts_cache_t:s0
 /var/cache/krb5rcache(/.*)?	system_u:object_r:krb5_host_rcache_t:s0
 /var/cache/mod_gnutls(/.*)?	system_u:object_r:httpd_cache_t:s0
@@ -2454,6 +2457,7 @@
 /var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t:s0
 /var/tinydns/log/main(/.*)?	system_u:object_r:var_log_t:s0
 /var/www/miq/vmdb/log(/.*)?	system_u:object_r:httpd_log_t:s0
+/usr/bin/emc/scaleio/(.*)\.ko	--	system_u:object_r:modules_object_t:s0
 /usr/bin/mozilla-bin-[0-9].*	--	system_u:object_r:mozilla_exec_t:s0
 /usr/lib/googleearth/.*\.so.*	--	system_u:object_r:textrel_shlib_t:s0
 /usr/libexec/postfix/(n)?qmgr	--	system_u:object_r:postfix_qmgr_exec_t:s0
@@ -2635,6 +2639,7 @@
 /var/run/NetworkManager(/.*)?	system_u:object_r:NetworkManager_var_run_t:s0
 /var/run/corosync-qnetd(/.*)?	system_u:object_r:cluster_var_run_t:s0
 /var/run/docker/plugins(/.*)?	system_u:object_r:container_plugin_var_run_t:s0
+/var/run/libvirt/common(/.*)?	system_u:object_r:virt_common_var_run_t:s0
 /var/run/openvpn-server(/.*)?	system_u:object_r:openvpn_var_run_t:s0
 /var/run/samba/winbindd(/.*)?	system_u:object_r:winbind_var_run_t:s0
 /var/run/setroubleshoot(/.*)?	system_u:object_r:setroubleshoot_var_run_t:s0
@@ -2914,6 +2919,7 @@
 /usr/share/munin/plugins/nut.*	--	system_u:object_r:services_munin_plugin_exec_t:s0
 /var/log/cluster/aisexec\.log.*	--	system_u:object_r:cluster_var_log_t:s0
 /var/run/mysqld/mysqlmanager.*	--	system_u:object_r:mysqlmanagerd_var_run_t:s0
+dev/shm/var\.lib\.opencryptoki.*	system_u:object_r:pkcs_slotd_tmpfs_t:s0
 /usr/lib/pgsql/test/regress/.*\.sh	--	system_u:object_r:bin_t:s0
 /usr/share/ajaxterm/ajaxterm.py.*	--	system_u:object_r:bin_t:s0
 /opt/real/RealPlayer/plugins(/.*)?	--	system_u:object_r:textrel_shlib_t:s0
@@ -3251,6 +3257,7 @@
 /usr/share/w3c-markup-validator/cgi-bin(/.*)?	system_u:object_r:w3c_validator_script_exec_t:s0
 /usr/share/wordpress/wp-content/upgrade(/.*)?	system_u:object_r:httpd_sys_rw_content_t:s0
 /usr/share/wordpress/wp-content/uploads(/.*)?	system_u:object_r:httpd_sys_rw_content_t:s0
+/var/lib/private/systemd/journal-upload(/.*)?	system_u:object_r:systemd_journal_upload_var_lib_t:s0
 /usr/lib/systemd/system/nm-cloud-setup\.(service|timer)	--	system_u:object_r:NetworkManager_unit_file_t:s0
 /usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*	--	system_u:object_r:textrel_shlib_t:s0
 /usr/lib/systemd/system/corosync-qdevice.*	--	system_u:object_r:cluster_unit_file_t:s0
@@ -3379,6 +3386,7 @@
 /dev/pkey	-c	system_u:object_r:crypt_device_t:s0
 /dev/port	-c	system_u:object_r:memory_device_t:s0
 /dev/ptmx	-c	system_u:object_r:ptmx_t:s0
+/dev/trng	-c	system_u:object_r:random_device_t:s0
 /dev/uhid	-c	system_u:object_r:uhid_device_t:s0
 /dev/vhci	-c	system_u:object_r:vhost_device_t:s0
 /dev/vmci	-c	system_u:object_r:vmci_device_t:s0
@@ -4198,6 +4206,7 @@
 /sbin/unix_update	--	system_u:object_r:updpwd_exec_t:s0
 /sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t:s0
 /sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t:s0
+/usr/bin/Xwayland	--	system_u:object_r:xserver_exec_t:s0
 /usr/bin/atlantik	--	system_u:object_r:games_exec_t:s0
 /usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t:s0
 /usr/bin/clamscan	--	system_u:object_r:antivirus_exec_t:s0
@@ -4365,6 +4374,7 @@
 /etc/udev/devices	-d	system_u:object_r:device_t:s0
 /sys/firmware/efi	-d	system_u:object_r:efivarfs_t:s0
 /sys/kernel/debug	-d	system_u:object_r:debugfs_t:s0
+/var/tmp/tmp-inst	-d	system_u:object_r:tmp_t:s0
 /dev/input/uinput	-c	system_u:object_r:event_device_t:s0
 /dev/loop-control	-c	system_u:object_r:loop_control_device_t:s0
 /dev/vmbus/hv_kvp	-c	system_u:object_r:hypervkvp_device_t:s0
@@ -5527,6 +5537,7 @@
 /usr/libexec/postfix/lmtp	--	system_u:object_r:postfix_smtp_exec_t:s0
 /usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
 /usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
+/usr/libexec/rhsm-service	--	system_u:object_r:rhsmcertd_exec_t:s0
 /usr/libexec/ricci-modlog	--	system_u:object_r:ricci_modlog_exec_t:s0
 /usr/libexec/ricci-modrpm	--	system_u:object_r:ricci_modrpm_exec_t:s0
 /usr/libexec/rtkit-daemon	--	system_u:object_r:rtkit_daemon_exec_t:s0
@@ -5714,6 +5725,7 @@
 /usr/lib/ladspa/se4_1883\.so	--	system_u:object_r:textrel_shlib_t:s0
 /usr/lib/libdivxdecore\.so\.0	--	system_u:object_r:textrel_shlib_t:s0
 /usr/lib/libdivxencore\.so\.0	--	system_u:object_r:textrel_shlib_t:s0
+/usr/lib/pcs/pcs_snmp_agent	--	system_u:object_r:cluster_exec_t:s0
 /usr/lib/rtkit/rtkit-daemon	--	system_u:object_r:rtkit_daemon_exec_t:s0
 /usr/lib/squid/cachemgr\.cgi	--	system_u:object_r:squid_script_exec_t:s0
 /usr/libexec/abrt-hook-ccpp	--	system_u:object_r:abrt_dump_oops_exec_t:s0
@@ -5834,6 +5846,7 @@
 /var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t:s0
 /var/lib/tftpboot/pxelinux\.0	--	system_u:object_r:cobbler_var_lib_t:s0
 /var/run/aeolus/dbomatic\.pid	--	system_u:object_r:mongod_var_run_t:s0
+/var/run/initiatorname\.iscsi	--	system_u:object_r:iscsi_var_run_t:s0
 /var/run/milter-greylist\.pid	--	system_u:object_r:greylist_milter_data_t:s0
 /var/run/nm-dns-dnsmasq\.conf	--	system_u:object_r:NetworkManager_var_run_t:s0
 /var/run/samba/sessionid\.tdb	--	system_u:object_r:smbd_var_run_t:s0
@@ -6000,10 +6013,12 @@
 /usr/lib/systemd/systemd-rfkill	--	system_u:object_r:systemd_rfkill_exec_t:s0
 /usr/lib/systemd/systemd-sysctl	--	system_u:object_r:systemd_sysctl_exec_t:s0
 /usr/libexec/cyrus-imapd/master	--	system_u:object_r:cyrus_exec_t:s0
+/usr/libexec/gdm-runtime-config	--	system_u:object_r:xdm_exec_t:s0
 /usr/libexec/git-core/git-shell	--	system_u:object_r:shell_exec_t:s0
 /usr/libexec/mimedefang-wrapper	--	system_u:object_r:spamd_exec_t:s0
 /usr/libexec/mongodb-scl-helper	--	system_u:object_r:mongod_exec_t:s0
 /usr/libexec/openafs/fileserver	--	system_u:object_r:afs_fsserver_exec_t:s0
+/usr/libexec/rhsm-facts-service	--	system_u:object_r:rhsmcertd_exec_t:s0
 /usr/libexec/rssh_chroot_helper	--	system_u:object_r:rssh_chroot_helper_exec_t:s0
 /usr/libexec/sssd/selinux_child	--	system_u:object_r:sssd_selinux_manager_exec_t:s0
 /usr/libexec/telepathy-sofiasip	--	system_u:object_r:telepathy_sofiasip_exec_t:s0
@@ -6249,6 +6264,7 @@
 /usr/lib/systemd/system/rpcbind\.service	--	system_u:object_r:rpcbind_unit_file_t:s0
 /usr/lib/systemd/system/sanlock\.service	--	system_u:object_r:sanlock_unit_file_t:s0
 /usr/lib/systemd/systemd-fence_sanlockd	--	system_u:object_r:fenced_exec_t:s0
+/usr/lib/systemd/systemd-journal-upload	--	system_u:object_r:systemd_journal_upload_exec_t:s0
 /usr/lib/xfce4/exo-1/exo-compose-mail-1	--	system_u:object_r:bin_t:s0
 /usr/libexec/cockpit-wsinstance-factory	--	system_u:object_r:cockpit_ws_exec_t:s0
 /usr/share/authconfig/authconfig-gtk\.py	--	system_u:object_r:bin_t:s0

selinux/targeted/contexts/files/file_contexts.subs_dist

@@ -17,3 +17,4 @@
 /var/roothome        /root
 /sbin                /usr/sbin
 /sysroot/tmp         /tmp
+/var/usrlocal        /usr/local

squid/cachemgr.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 ##
 ## Squid software is distributed under GPLv2+ license and includes
 ## contributions from numerous individuals and organizations.

squid/cachemgr.conf.default

@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 ##
 ## Squid software is distributed under GPLv2+ license and includes
 ## contributions from numerous individuals and organizations.

squid/errorpage.css

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.

squid/errorpage.css.default

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.

squid/mime.conf

@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 ##
 ## Squid software is distributed under GPLv2+ license and includes
 ## contributions from numerous individuals and organizations.

squid/mime.conf.default

@@ -1,4 +1,4 @@
-## Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 ##
 ## Squid software is distributed under GPLv2+ license and includes
 ## contributions from numerous individuals and organizations.

systemd/system.conf

@@ -52,7 +52,7 @@
 #DefaultLimitFSIZE=
 #DefaultLimitDATA=
 #DefaultLimitSTACK=
-#DefaultLimitCORE=
+DefaultLimitCORE=0:infinity
 #DefaultLimitRSS=
 #DefaultLimitNOFILE=
 #DefaultLimitAS=

systemd/system/multi-user.target.wants/memcached.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/memcached.service

systemd/system/multi-user.target.wants/redis.service

@@ -1 +0,0 @@
-/usr/lib/systemd/system/redis.service

tuned/bootcmdline

@@ -1,12 +1,12 @@
 # This file specifies additional parameters to kernel boot command line and
-# initrd overlay images. Its content is set by the Tuned  bootloader plugin
+# initrd overlay images. Its content is set by the TuneD  bootloader plugin
 # and sourced by the grub2-mkconfig (/etc/grub.d/00_tuned script).
 #
 # Please do not edit this file. Content of this file can be overwritten by
-# switch of Tuned profile.
+# switch of TuneD profile.
 #
 # If you need to add parameters to the kernel boot command line, create
-# Tuned profile containing the following:
+# TuneD profile containing the following:
 #
 # [bootloader]
 # cmdline = YOUR_ADDITIONAL_KERNEL_PARAMETERS
@@ -22,7 +22,7 @@
 #
 # YOUR_ADDITIONAL_KERNEL_PARAMETERS will stay preserved.
 #
-# Similarly if you need to add initrd overlay image, create Tuned profile
+# Similarly if you need to add initrd overlay image, create TuneD profile
 # containing the following:
 #
 # [bootloader]

tuned/tuned-main.conf

@@ -24,7 +24,7 @@ recommend_command = 1
 
 # Whether to reapply sysctl from /run/sysctl.d/, /etc/sysctl.d/ and
 # /etc/sysctl.conf.  If enabled, these sysctls will be re-appliead
-# after Tuned sysctls are applied, i.e. Tuned sysctls will not
+# after TuneD sysctls are applied, i.e. TuneD sysctls will not
 # override user-provided system sysctls.
 reapply_sysctl = 1
 

vmware-tools/tools.conf.example

@@ -351,3 +351,31 @@
 
 # User-defined poll interval in seconds. Set to 0 to disable polling.
 #poll-interval=60
+
+[gueststoreupgrade]
+
+# The guestStoreUpgrade plugin is only available for Windows.
+
+# The policy value is one of the settings listed below.
+# off         = no VMware Tools upgrade from GuestStore. Feature is
+#               disabled.
+# manual      = (Default) VMware Tools upgrade from GuestStore is
+#               manually started.
+# powercycle  = VMware Tools upgrade from GuestStore on system
+#               power on.
+
+#policy=manual
+
+# Time interval for periodically checking available VMware Tools package
+# version in the GuestStore.
+# User-defined poll interval in seconds. Set to 0 to disable polling.
+# Minimum valid value is 900 seconds (15 minutes)
+# Default value is 3600 seconds (60 minutes)
+#poll-interval=3600
+
+# VMware Tools package version metadata key to specify a VMware Tools
+# package version in the GuestStore.
+# User-defined key for VMware Tools package version.
+# Default value is "vmtools" which points to the latest version of
+# VMware Tools package in the GuestStore.
+#vmtools-version-key=vmtools