diff --git a/.etckeeper b/.etckeeper
index 2a4ff90..47426c1 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -298,7 +298,7 @@ maybe chmod 0644 'cron.d/csf-cron'
maybe chmod 0600 'cron.d/csf_update'
maybe chmod 0644 'cron.d/lfd-cron'
maybe chmod 0644 'cron.d/maldet_pub'
-maybe chmod 0700 'cron.daily'
+maybe chmod 0755 'cron.daily'
maybe chmod 0750 'cron.daily/aide'
maybe chmod 0700 'cron.daily/csget'
maybe chmod 0755 'cron.daily/etckeeper'
@@ -306,12 +306,12 @@ maybe chmod 0755 'cron.daily/logrotate'
maybe chmod 0755 'cron.daily/maldet'
maybe chmod 0755 'cron.daily/rkhunter'
maybe chmod 0600 'cron.deny'
-maybe chmod 0700 'cron.hourly'
+maybe chmod 0755 'cron.hourly'
maybe chmod 0755 'cron.hourly/0anacron'
-maybe chmod 0700 'cron.monthly'
+maybe chmod 0755 'cron.monthly'
maybe chmod 0755 'cron.monthly/psacct'
-maybe chmod 0700 'cron.weekly'
-maybe chmod 0600 'crontab'
+maybe chmod 0755 'cron.weekly'
+maybe chmod 0644 'crontab'
maybe chmod 0755 'crypto-policies'
maybe chmod 0755 'crypto-policies/back-ends'
maybe chmod 0644 'crypto-policies/back-ends/nss.config'
@@ -933,6 +933,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf'
maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
maybe chmod 0644 'httpd/conf.d/php.conf'
maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
maybe chmod 0644 'httpd/conf.d/userdir.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -977,23 +978,23 @@ maybe chmod 0644 'issue.net'
maybe chmod 0644 'issue.rpmnew'
maybe chmod 0755 'java'
maybe chmod 0755 'java/java-1.8.0-openjdk'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/calendars.properties'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/logging.properties'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/blacklisted.certs'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.policy'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.security'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.cfg'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.fips.cfg'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/local_policy.jar'
-maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
-maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/calendars.properties'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/logging.properties'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/blacklisted.certs'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.policy'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.security'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.cfg'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.fips.cfg'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar'
+maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar'
+maybe chmod 0644 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar'
maybe chmod 0755 'java/security'
maybe chmod 0755 'java/security/security.d'
maybe chmod 0755 'jvm'
@@ -1014,9 +1015,9 @@ maybe chmod 0755 'ld.so.conf.d'
maybe chmod 0644 'ld.so.conf.d/bind-export-x86_64.conf'
maybe chmod 0644 'ld.so.conf.d/dyninst-x86_64.conf'
maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-193.6.3.el8_2.x86_64.conf'
-maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.10.1.el8_3.x86_64.conf'
maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.15.1.el8_3.x86_64.conf'
maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-240.22.1.el8_3.x86_64.conf'
+maybe chmod 0444 'ld.so.conf.d/kernel-4.18.0-305.3.1.el8.x86_64.conf'
maybe chmod 0755 'letsencrypt'
maybe chown 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
maybe chgrp 'setroubleshoot' 'letsencrypt/.updated-options-ssl-apache-conf-digest.txt'
@@ -2426,6 +2427,19 @@ maybe chmod 0640 'letsencrypt/renewal/zira.898.ro.conf'
maybe chmod 0644 'letsencrypt/renewal/zira.go.ro.conf'
maybe chmod 0640 'letsencrypt/ssl-dhparams.pem'
maybe chmod 0640 'libaudit.conf'
+maybe chmod 0755 'libibverbs.d'
+maybe chmod 0644 'libibverbs.d/bnxt_re.driver'
+maybe chmod 0644 'libibverbs.d/cxgb4.driver'
+maybe chmod 0644 'libibverbs.d/efa.driver'
+maybe chmod 0644 'libibverbs.d/hfi1verbs.driver'
+maybe chmod 0644 'libibverbs.d/hns.driver'
+maybe chmod 0644 'libibverbs.d/i40iw.driver'
+maybe chmod 0644 'libibverbs.d/mlx4.driver'
+maybe chmod 0644 'libibverbs.d/mlx5.driver'
+maybe chmod 0644 'libibverbs.d/qedr.driver'
+maybe chmod 0644 'libibverbs.d/rxe.driver'
+maybe chmod 0644 'libibverbs.d/siw.driver'
+maybe chmod 0644 'libibverbs.d/vmw_pvrdma.driver'
maybe chmod 0755 'libnl'
maybe chmod 0644 'libnl/classid'
maybe chmod 0644 'libnl/pktloc'
@@ -2454,6 +2468,7 @@ maybe chmod 0644 'logrotate.d/fail2ban'
maybe chmod 0644 'logrotate.d/firewalld'
maybe chmod 0644 'logrotate.d/httpd'
maybe chmod 0644 'logrotate.d/iptraf-ng'
+maybe chmod 0644 'logrotate.d/kvm_stat'
maybe chmod 0644 'logrotate.d/lfd'
maybe chmod 0644 'logrotate.d/mysql'
maybe chgrp 'named' 'logrotate.d/named'
@@ -2631,6 +2646,7 @@ maybe chmod 0644 'mail/spamassassin/v330.pre'
maybe chmod 0644 'mail/spamassassin/v340.pre'
maybe chmod 0644 'mail/spamassassin/v341.pre'
maybe chmod 0644 'mail/spamassassin/v342.pre'
+maybe chmod 0644 'mail/spamassassin/v343.pre'
maybe chmod 0644 'mail/spamassassin/wrongmx.pm'
maybe chmod 0644 'mailcap'
maybe chmod 0644 'man_db.conf'
@@ -3075,11 +3091,13 @@ maybe chmod 0644 'modprobe.d/blacklist-firewire.conf'
maybe chmod 0640 'modprobe.d/cramfs.conf'
maybe chmod 0644 'modprobe.d/firewalld-sysctls.conf'
maybe chmod 0644 'modprobe.d/lockd.conf'
+maybe chmod 0644 'modprobe.d/mlx4.conf'
maybe chmod 0644 'modprobe.d/nodccp.conf'
maybe chmod 0644 'modprobe.d/rds.conf'
maybe chmod 0644 'modprobe.d/sctp.conf'
maybe chmod 0640 'modprobe.d/squashfs.conf'
maybe chmod 0644 'modprobe.d/tipc.conf'
+maybe chmod 0644 'modprobe.d/truescale.conf'
maybe chmod 0644 'modprobe.d/tuned.conf'
maybe chmod 0640 'modprobe.d/udf.conf'
maybe chmod 0640 'modprobe.d/vfat.conf'
@@ -3591,8 +3609,6 @@ maybe chmod 0644 'nginx/conf.d/mail.club3d.ro.conf'
maybe chown 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf'
maybe chgrp 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf'
maybe chmod 0640 'nginx/conf.d/padmin.club3d.ro.conf'
-maybe chown 'nginx' 'nginx/conf.d/php-fpm.conf'
-maybe chgrp 'nginx' 'nginx/conf.d/php-fpm.conf'
maybe chmod 0644 'nginx/conf.d/php-fpm.conf'
maybe chown 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf'
maybe chgrp 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf'
@@ -4028,6 +4044,7 @@ maybe chmod 0640 'postfix/_sql/mysql_virtual_mailbox_maps.cf'
maybe chmod 0644 'postfix/access'
maybe chgrp 'postfix' 'postfix/access.db'
maybe chmod 0640 'postfix/access.db'
+maybe chmod 0644 'postfix/access.rpmnew'
maybe chgrp 'postfix' 'postfix/blacklist'
maybe chmod 0640 'postfix/blacklist'
maybe chgrp 'postfix' 'postfix/blacklist.db'
@@ -4038,6 +4055,7 @@ maybe chgrp 'postfix' 'postfix/body_checks.db'
maybe chmod 0640 'postfix/body_checks.db'
maybe chmod 0640 'postfix/ca-certificates-2019.2.32-76.el7_7.noarch.rpm'
maybe chmod 0644 'postfix/canonical'
+maybe chmod 0644 'postfix/canonical.rpmnew'
maybe chgrp 'postfix' 'postfix/check_client_access'
maybe chmod 0640 'postfix/check_client_access'
maybe chgrp 'postfix' 'postfix/check_client_access.db'
@@ -4069,9 +4087,11 @@ maybe chgrp 'postfix' 'postfix/helo_access.pcre.db'
maybe chmod 0640 'postfix/helo_access.pcre.db'
maybe chmod 0644 'postfix/main.cf'
maybe chmod 0644 'postfix/main.cf.proto'
+maybe chmod 0644 'postfix/main.cf.rpmnew'
maybe chmod 0644 'postfix/master.cf'
maybe chmod 0644 'postfix/master.cf.bkp'
maybe chmod 0644 'postfix/master.cf.proto'
+maybe chmod 0644 'postfix/master.cf.rpmnew'
maybe chgrp 'postfix' 'postfix/mime_header_checks'
maybe chmod 0640 'postfix/mime_header_checks'
maybe chgrp 'postfix' 'postfix/mynetworks'
@@ -4152,9 +4172,11 @@ maybe chmod 0640 'postfix/submission_header_cleanup'
maybe chmod 0644 'postfix/transport'
maybe chgrp 'postfix' 'postfix/transport.db'
maybe chmod 0640 'postfix/transport.db'
+maybe chmod 0644 'postfix/transport.rpmnew'
maybe chmod 0644 'postfix/virtual'
maybe chgrp 'postfix' 'postfix/virtual.db'
maybe chmod 0640 'postfix/virtual.db'
+maybe chmod 0644 'postfix/virtual.rpmnew'
maybe chgrp 'postfix' 'postfix/virtual_regexp'
maybe chmod 0640 'postfix/virtual_regexp'
maybe chmod 0755 'ppp'
@@ -4286,6 +4308,7 @@ maybe chmod 0755 'pyzor'
maybe chmod 0755 'qemu-ga'
maybe chmod 0755 'qemu-ga/fsfreeze-hook'
maybe chmod 0755 'qemu-ga/fsfreeze-hook.d'
+maybe chmod 0755 'qemu-kvm'
maybe chmod 0755 'rc.d'
maybe chmod 0755 'rc.d/init.d'
maybe chmod 0644 'rc.d/init.d/README'
@@ -4303,6 +4326,14 @@ maybe chmod 0755 'rc.d/rc3.d'
maybe chmod 0755 'rc.d/rc4.d'
maybe chmod 0755 'rc.d/rc5.d'
maybe chmod 0755 'rc.d/rc6.d'
+maybe chmod 0755 'rdma'
+maybe chmod 0644 'rdma/mlx4.conf'
+maybe chmod 0755 'rdma/modules'
+maybe chmod 0644 'rdma/modules/infiniband.conf'
+maybe chmod 0644 'rdma/modules/iwarp.conf'
+maybe chmod 0644 'rdma/modules/opa.conf'
+maybe chmod 0644 'rdma/modules/rdma.conf'
+maybe chmod 0644 'rdma/modules/roce.conf'
maybe chmod 0644 'rearj.cfg'
maybe chmod 0755 'redhat-lsb'
maybe chmod 0755 'redhat-lsb/lsb_killproc'
@@ -4684,9 +4715,6 @@ maybe chmod 0644 'sysconfig/anaconda'
maybe chmod 0644 'sysconfig/arpwatch'
maybe chmod 0644 'sysconfig/atd'
maybe chmod 0644 'sysconfig/authconfig'
-maybe chmod 0755 'sysconfig/cbq'
-maybe chmod 0644 'sysconfig/cbq/avpkt'
-maybe chmod 0644 'sysconfig/cbq/cbq-0000.example'
maybe chmod 0644 'sysconfig/certbot'
maybe chmod 0644 'sysconfig/chronyd'
maybe chmod 0755 'sysconfig/console'
@@ -4811,9 +4839,8 @@ maybe chmod 0755 'systemd/system/vmtoolsd.service.requires'
maybe chmod 0755 'systemd/user'
maybe chmod 0644 'systemd/user.conf'
maybe chmod 0755 'systemd/user/sockets.target.wants'
-maybe chown 'tss' 'tcsd.conf'
maybe chgrp 'tss' 'tcsd.conf'
-maybe chmod 0600 'tcsd.conf'
+maybe chmod 0640 'tcsd.conf'
maybe chmod 0755 'terminfo'
maybe chmod 0755 'tmpfiles.d'
maybe chmod 0644 'tmpfiles.d/clamav.conf'
@@ -4830,11 +4857,15 @@ maybe chmod 0755 'udev'
maybe chmod 0444 'udev/hwdb.bin'
maybe chmod 0755 'udev/hwdb.d'
maybe chmod 0755 'udev/rules.d'
+maybe chmod 0644 'udev/rules.d/70-persistent-ipoib.rules'
maybe chmod 0644 'udev/rules.d/70-snap.snapd.rules'
maybe chmod 0644 'udev/rules.d/75-cd-aliases-generator.rules'
maybe chmod 0644 'udev/rules.d/75-persistent-net-generator.rules'
maybe chmod 0644 'udev/rules.d/90-bcrypt-device-permissions.rules'
maybe chmod 0644 'udev/udev.conf'
+maybe chmod 0755 'unbound'
+maybe chmod 0644 'unbound/icannbundle.pem'
+maybe chmod 0644 'unbound/root.key'
maybe chmod 0644 'updatedb.conf'
maybe chmod 0644 'vconsole.conf'
maybe chmod 0644 'vimrc'
diff --git a/alternatives/alt-java b/alternatives/alt-java
index c21c515..8624c57 120000
--- a/alternatives/alt-java
+++ b/alternatives/alt-java
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/alt-java
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/alt-java
\ No newline at end of file
diff --git a/alternatives/alt-java.1.gz b/alternatives/alt-java.1.gz
index 700bf0d..944e028 120000
--- a/alternatives/alt-java.1.gz
+++ b/alternatives/alt-java.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/java b/alternatives/java
index 2b69120..48d8cee 120000
--- a/alternatives/java
+++ b/alternatives/java
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/java
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/java
\ No newline at end of file
diff --git a/alternatives/java.1.gz b/alternatives/java.1.gz
index 129ff22..57ad7b1 120000
--- a/alternatives/java.1.gz
+++ b/alternatives/java.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/jjs b/alternatives/jjs
index c9db1ea..4a1a80d 120000
--- a/alternatives/jjs
+++ b/alternatives/jjs
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/jjs
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/jjs
\ No newline at end of file
diff --git a/alternatives/jjs.1.gz b/alternatives/jjs.1.gz
index 2c228e5..27391f5 120000
--- a/alternatives/jjs.1.gz
+++ b/alternatives/jjs.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/jre b/alternatives/jre
index 66e10e4..647791d 120000
--- a/alternatives/jre
+++ b/alternatives/jre
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/jre_1.8.0 b/alternatives/jre_1.8.0
index 66e10e4..647791d 120000
--- a/alternatives/jre_1.8.0
+++ b/alternatives/jre_1.8.0
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/jre_1.8.0_openjdk b/alternatives/jre_1.8.0_openjdk
index 1bb90b6..1f0719c 120000
--- a/alternatives/jre_1.8.0_openjdk
+++ b/alternatives/jre_1.8.0_openjdk
@@ -1 +1 @@
-/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64
\ No newline at end of file
+/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64
\ No newline at end of file
diff --git a/alternatives/jre_openjdk b/alternatives/jre_openjdk
index 66e10e4..647791d 120000
--- a/alternatives/jre_openjdk
+++ b/alternatives/jre_openjdk
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre
\ No newline at end of file
diff --git a/alternatives/keytool b/alternatives/keytool
index 8965e19..4837e6b 120000
--- a/alternatives/keytool
+++ b/alternatives/keytool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/keytool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/keytool
\ No newline at end of file
diff --git a/alternatives/keytool.1.gz b/alternatives/keytool.1.gz
index 21a0cb6..ac68cec 120000
--- a/alternatives/keytool.1.gz
+++ b/alternatives/keytool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/orbd b/alternatives/orbd
index 1f04e84..034f982 120000
--- a/alternatives/orbd
+++ b/alternatives/orbd
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/orbd
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/orbd
\ No newline at end of file
diff --git a/alternatives/orbd.1.gz b/alternatives/orbd.1.gz
index 1ca3eb8..cbf7533 120000
--- a/alternatives/orbd.1.gz
+++ b/alternatives/orbd.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/pack200 b/alternatives/pack200
index ffe71ca..6da1dd7 120000
--- a/alternatives/pack200
+++ b/alternatives/pack200
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/pack200
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/pack200
\ No newline at end of file
diff --git a/alternatives/pack200.1.gz b/alternatives/pack200.1.gz
index f2c34ec..6102b7d 120000
--- a/alternatives/pack200.1.gz
+++ b/alternatives/pack200.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/policytool b/alternatives/policytool
index cccde7b..9274ccf 120000
--- a/alternatives/policytool
+++ b/alternatives/policytool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/policytool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/policytool
\ No newline at end of file
diff --git a/alternatives/policytool.1.gz b/alternatives/policytool.1.gz
index 397c014..02bd410 120000
--- a/alternatives/policytool.1.gz
+++ b/alternatives/policytool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/rmid b/alternatives/rmid
index 8be4a98..ad887ed 120000
--- a/alternatives/rmid
+++ b/alternatives/rmid
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/rmid
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/rmid
\ No newline at end of file
diff --git a/alternatives/rmid.1.gz b/alternatives/rmid.1.gz
index a935cda..aaf6fab 120000
--- a/alternatives/rmid.1.gz
+++ b/alternatives/rmid.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/rmiregistry b/alternatives/rmiregistry
index 2dbe6f5..62607c7 120000
--- a/alternatives/rmiregistry
+++ b/alternatives/rmiregistry
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/rmiregistry
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/rmiregistry
\ No newline at end of file
diff --git a/alternatives/rmiregistry.1.gz b/alternatives/rmiregistry.1.gz
index 3995e45..f6ac2ca 120000
--- a/alternatives/rmiregistry.1.gz
+++ b/alternatives/rmiregistry.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/servertool b/alternatives/servertool
index 056c71a..a4c070b 120000
--- a/alternatives/servertool
+++ b/alternatives/servertool
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/servertool
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/servertool
\ No newline at end of file
diff --git a/alternatives/servertool.1.gz b/alternatives/servertool.1.gz
index 41d9cae..63bb376 120000
--- a/alternatives/servertool.1.gz
+++ b/alternatives/servertool.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/tnameserv b/alternatives/tnameserv
index 9190305..f9db324 120000
--- a/alternatives/tnameserv
+++ b/alternatives/tnameserv
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/tnameserv
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/tnameserv
\ No newline at end of file
diff --git a/alternatives/tnameserv.1.gz b/alternatives/tnameserv.1.gz
index c125c3d..1443410 120000
--- a/alternatives/tnameserv.1.gz
+++ b/alternatives/tnameserv.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/alternatives/unpack200 b/alternatives/unpack200
index 4348fba..70f5ad3 120000
--- a/alternatives/unpack200
+++ b/alternatives/unpack200
@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/jre/bin/unpack200
\ No newline at end of file
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/jre/bin/unpack200
\ No newline at end of file
diff --git a/alternatives/unpack200.1.gz b/alternatives/unpack200.1.gz
index 6dd35e5..71e0f95 120000
--- a/alternatives/unpack200.1.gz
+++ b/alternatives/unpack200.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64.1.gz
\ No newline at end of file
+/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64.1.gz
\ No newline at end of file
diff --git a/centos-release b/centos-release
index a629bbf..354bfc4 100644
--- a/centos-release
+++ b/centos-release
@@ -1 +1 @@
-CentOS Linux release 8.3.2011
+CentOS Linux release 8.4.2105
diff --git a/centos-release-upstream b/centos-release-upstream
index 1e563b4..5d7b282 100644
--- a/centos-release-upstream
+++ b/centos-release-upstream
@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.3
+Derived from Red Hat Enterprise Linux 8.4
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
diff --git a/httpd/conf.d/welcome.conf.rpmnew b/httpd/conf.d/welcome.conf.rpmnew
index 44d6a56..5158e8b 100644
--- a/httpd/conf.d/welcome.conf.rpmnew
+++ b/httpd/conf.d/welcome.conf.rpmnew
@@ -7,24 +7,13 @@
#
Options -Indexes
- ErrorDocument 403 /noindex/index.html
+ ErrorDocument 403 /.noindex.html
- Options MultiViews
- DirectoryIndex index.html
-
- AddLanguage en-US .en-US
- AddLanguage es-ES .es-ES
- AddLanguage zh-CN .zh-CN
- AddLanguage zh-HK .zh-HK
- AddLanguage zh-TW .zh-TW
-
- LanguagePriority en
- ForceLanguagePriority Fallback
-
AllowOverride None
Require all granted
-Alias /noindex /usr/share/httpd/noindex
+Alias /.noindex.html /usr/share/httpd/noindex/index.html
+Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png
\ No newline at end of file
diff --git a/iproute2/rt_protos b/iproute2/rt_protos
index b3a0ec8..7cafddc 100644
--- a/iproute2/rt_protos
+++ b/iproute2/rt_protos
@@ -14,7 +14,8 @@
13 dnrouted
14 xorp
15 ntk
-16 dhcp
+16 dhcp
+18 keepalived
42 babel
186 bgp
187 isis
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/calendars.properties b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/calendars.properties
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/calendars.properties
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/calendars.properties
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/logging.properties b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/logging.properties
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/logging.properties
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/logging.properties
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/blacklisted.certs b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/blacklisted.certs
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/blacklisted.certs
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/blacklisted.certs
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/cacerts b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/cacerts
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/cacerts
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/cacerts
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.policy b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.policy
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.policy
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.policy
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.security b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.security
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/java.security
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/java.security
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.cfg b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.cfg
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.cfg
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.cfg
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.fips.cfg b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.fips.cfg
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/nss.fips.cfg
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/nss.fips.cfg
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/US_export_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/US_export_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/US_export_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/local_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/limited/local_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/limited/local_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/US_export_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/US_export_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/US_export_policy.jar
diff --git a/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/local_policy.jar b/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar
similarity index 100%
rename from java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-0.el8_3.x86_64/lib/security/policy/unlimited/local_policy.jar
rename to java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.292.b10-1.el8_4.x86_64/lib/security/policy/unlimited/local_policy.jar
diff --git a/ld.so.conf.d/kernel-4.18.0-240.10.1.el8_3.x86_64.conf b/ld.so.conf.d/kernel-4.18.0-305.3.1.el8.x86_64.conf
similarity index 100%
rename from ld.so.conf.d/kernel-4.18.0-240.10.1.el8_3.x86_64.conf
rename to ld.so.conf.d/kernel-4.18.0-305.3.1.el8.x86_64.conf
diff --git a/libibverbs.d/bnxt_re.driver b/libibverbs.d/bnxt_re.driver
new file mode 100644
index 0000000..d0573c8
--- /dev/null
+++ b/libibverbs.d/bnxt_re.driver
@@ -0,0 +1 @@
+driver bnxt_re
diff --git a/libibverbs.d/cxgb4.driver b/libibverbs.d/cxgb4.driver
new file mode 100644
index 0000000..e041cb2
--- /dev/null
+++ b/libibverbs.d/cxgb4.driver
@@ -0,0 +1 @@
+driver cxgb4
diff --git a/libibverbs.d/efa.driver b/libibverbs.d/efa.driver
new file mode 100644
index 0000000..d8570cb
--- /dev/null
+++ b/libibverbs.d/efa.driver
@@ -0,0 +1 @@
+driver efa
diff --git a/libibverbs.d/hfi1verbs.driver b/libibverbs.d/hfi1verbs.driver
new file mode 100644
index 0000000..3ceb7ee
--- /dev/null
+++ b/libibverbs.d/hfi1verbs.driver
@@ -0,0 +1 @@
+driver hfi1verbs
diff --git a/libibverbs.d/hns.driver b/libibverbs.d/hns.driver
new file mode 100644
index 0000000..bba7737
--- /dev/null
+++ b/libibverbs.d/hns.driver
@@ -0,0 +1 @@
+driver hns
diff --git a/libibverbs.d/i40iw.driver b/libibverbs.d/i40iw.driver
new file mode 100644
index 0000000..7dab2f0
--- /dev/null
+++ b/libibverbs.d/i40iw.driver
@@ -0,0 +1 @@
+driver i40iw
diff --git a/libibverbs.d/mlx4.driver b/libibverbs.d/mlx4.driver
new file mode 100644
index 0000000..4d29fa8
--- /dev/null
+++ b/libibverbs.d/mlx4.driver
@@ -0,0 +1 @@
+driver mlx4
diff --git a/libibverbs.d/mlx5.driver b/libibverbs.d/mlx5.driver
new file mode 100644
index 0000000..5190aa5
--- /dev/null
+++ b/libibverbs.d/mlx5.driver
@@ -0,0 +1 @@
+driver mlx5
diff --git a/libibverbs.d/qedr.driver b/libibverbs.d/qedr.driver
new file mode 100644
index 0000000..cd112f8
--- /dev/null
+++ b/libibverbs.d/qedr.driver
@@ -0,0 +1 @@
+driver qedr
diff --git a/libibverbs.d/rxe.driver b/libibverbs.d/rxe.driver
new file mode 100644
index 0000000..ed63053
--- /dev/null
+++ b/libibverbs.d/rxe.driver
@@ -0,0 +1 @@
+driver rxe
diff --git a/libibverbs.d/siw.driver b/libibverbs.d/siw.driver
new file mode 100644
index 0000000..d83a372
--- /dev/null
+++ b/libibverbs.d/siw.driver
@@ -0,0 +1 @@
+driver siw
diff --git a/libibverbs.d/vmw_pvrdma.driver b/libibverbs.d/vmw_pvrdma.driver
new file mode 100644
index 0000000..076999c
--- /dev/null
+++ b/libibverbs.d/vmw_pvrdma.driver
@@ -0,0 +1 @@
+driver vmw_pvrdma
diff --git a/logrotate.d/dnf b/logrotate.d/dnf
index 1f2c114..0ce2629 100644
--- a/logrotate.d/dnf
+++ b/logrotate.d/dnf
@@ -1,15 +1,7 @@
-/var/log/dnf.librepo.log {
- missingok
- notifempty
- rotate 4
- weekly
- create 0600 root root
-}
-
/var/log/hawkey.log {
missingok
notifempty
rotate 4
weekly
- create 0600 root root
+ create
}
diff --git a/logrotate.d/kvm_stat b/logrotate.d/kvm_stat
new file mode 100644
index 0000000..105e15e
--- /dev/null
+++ b/logrotate.d/kvm_stat
@@ -0,0 +1,11 @@
+/var/log/kvm_stat.csv {
+ size 10M
+ missingok
+ compress
+ maxage 30
+ rotate 5
+ nodateext
+ postrotate
+ /usr/bin/systemctl try-restart kvm_stat.service
+ endscript
+}
diff --git a/mail/spamassassin/init.pre.rpmnew b/mail/spamassassin/init.pre.rpmnew
index 6313a03..0539b29 100644
--- a/mail/spamassassin/init.pre.rpmnew
+++ b/mail/spamassassin/init.pre.rpmnew
@@ -19,10 +19,6 @@
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
-# Hashcash - perform hashcash verification.
-#
-loadplugin Mail::SpamAssassin::Plugin::Hashcash
-
# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF
diff --git a/mail/spamassassin/v342.pre b/mail/spamassassin/v342.pre
index 9b425fd..c4758e9 100644
--- a/mail/spamassassin/v342.pre
+++ b/mail/spamassassin/v342.pre
@@ -3,7 +3,7 @@
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
-# This file was installed during the installation of SpamAssassin 3.4.1,
+# This file was installed during the installation of SpamAssassin 3.4.2,
# and contains plugin loading commands for the new plugins added in that
# release. It will not be overwritten during future SpamAssassin installs,
# so you can modify it to enable some disabled-by-default plugins below,
@@ -16,10 +16,9 @@
# added to new files, named according to the release they're added in.
###########################################################################
-# HashBL - Use EBL email blocklist
+# HashBL - Query hashed/unhashed strings, emails, uris etc from DNS lists
# loadplugin Mail::SpamAssassin::Plugin::HashBL
-
# FromNameSpoof - help stop spam that tries to spoof other domains using
# the from name
# loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
@@ -28,5 +27,3 @@
# OpenPhish or PhishTank feeds.
# loadplugin Mail::SpamAssassin::Plugin::Phishing
-# allow URI rules to look at DKIM headers if they exist
-parse_dkim_uris 1
diff --git a/mail/spamassassin/v343.pre b/mail/spamassassin/v343.pre
new file mode 100644
index 0000000..b33fe6d
--- /dev/null
+++ b/mail/spamassassin/v343.pre
@@ -0,0 +1,25 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# This file was installed during the installation of SpamAssassin 4.0.0,
+# and contains plugin loading commands for the new plugins added in that
+# release. It will not be overwritten during future SpamAssassin installs,
+# so you can modify it to enable some disabled-by-default plugins below,
+# if you so wish.
+#
+# There are now multiple files read to enable plugins in the
+# /etc/mail/spamassassin directory; previously only one, "init.pre" was
+# read. Now both "init.pre", "v310.pre", and any other files ending in
+# ".pre" will be read. As future releases are made, new plugins will be
+# added to new files, named according to the release they're added in.
+###########################################################################
+
+# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
+#
+# It tries to discern between safe and malicious code but due to the threat
+# macros present to security, many places block these type of documents outright.
+#
+# For this plugin to work, Archive::Zip and IO::String modules are required.
+# loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
diff --git a/modprobe.d/mlx4.conf b/modprobe.d/mlx4.conf
new file mode 100644
index 0000000..c8b4cce
--- /dev/null
+++ b/modprobe.d/mlx4.conf
@@ -0,0 +1,21 @@
+# This file is intended for users to select the various module options
+# they need for the mlx4 driver. On upgrade of the rdma package,
+# any user made changes to this file are preserved. Any changes made
+# to the libmlx4.conf file in this directory are overwritten on
+# pacakge upgrade.
+#
+# Some sample options and what they would do
+# Enable debugging output, device managed flow control, and disable SRIOV
+#options mlx4_core debug_level=1 log_num_mgm_entry_size=-1 probe_vf=0 num_vfs=0
+#
+# Enable debugging output and create SRIOV devices, but don't attach any of
+# the child devices to the host, only the parent device
+#options mlx4_core debug_level=1 probe_vf=0 num_vfs=7
+#
+# Enable debugging output, SRIOV, and attach one of the SRIOV child devices
+# in addition to the parent device to the host
+#options mlx4_core debug_level=1 probe_vf=1 num_vfs=7
+#
+# Enable per priority flow control for send and receive, setting both priority
+# 1 and 2 as no drop priorities
+#options mlx4_en pfctx=3 pfcrx=3
diff --git a/modprobe.d/truescale.conf b/modprobe.d/truescale.conf
new file mode 100644
index 0000000..eced349
--- /dev/null
+++ b/modprobe.d/truescale.conf
@@ -0,0 +1 @@
+install ib_qib modprobe -i ib_qib $CMDLINE_OPTS && /usr/libexec/truescale-serdes.cmds start
diff --git a/postfix/access.rpmnew b/postfix/access.rpmnew
new file mode 100644
index 0000000..257339b
--- /dev/null
+++ b/postfix/access.rpmnew
@@ -0,0 +1,484 @@
+# ACCESS(5) ACCESS(5)
+#
+# NAME
+# access - Postfix SMTP server access table
+#
+# SYNOPSIS
+# postmap /etc/postfix/access
+#
+# postmap -q "string" /etc/postfix/access
+#
+# postmap -q - /etc/postfix/access as the lookup key for such addresses. The value is
+# specified with the smtpd_null_access_lookup_key parameter
+# in the Postfix main.cf file.
+#
+# EMAIL ADDRESS EXTENSION
+# When a mail address localpart contains the optional recip-
+# ient delimiter (e.g., user+foo@domain), the lookup order
+# becomes: user+foo@domain, user@domain, domain, user+foo@,
+# and user@.
+#
+# HOST NAME/ADDRESS PATTERNS
+# With lookups from indexed files such as DB or DBM, or from
+# networked tables such as NIS, LDAP or SQL, the following
+# lookup patterns are examined in the order as listed:
+#
+# domain.tld
+# Matches domain.tld.
+#
+# The pattern domain.tld also matches subdomains, but
+# only when the string smtpd_access_maps is listed in
+# the Postfix parent_domain_matches_subdomains con-
+# figuration setting.
+#
+# .domain.tld
+# Matches subdomains of domain.tld, but only when the
+# string smtpd_access_maps is not listed in the Post-
+# fix parent_domain_matches_subdomains configuration
+# setting.
+#
+# net.work.addr.ess
+#
+# net.work.addr
+#
+# net.work
+#
+# net Matches a remote IPv4 host address or network
+# address range. Specify one to four decimal octets
+# separated by ".". Do not specify "[]" , "/", lead-
+# ing zeros, or hexadecimal forms.
+#
+# Network ranges are matched by repeatedly truncating
+# the last ".octet" from a remote IPv4 host address
+# string, until a match is found in the access table,
+# or until further truncation is not possible.
+#
+# NOTE: use the cidr lookup table type to specify
+# network/netmask patterns. See cidr_table(5) for
+# details.
+#
+# net:work:addr:ess
+#
+# net:work:addr
+#
+# net:work
+#
+# net Matches a remote IPv6 host address or network
+# address range. Specify three to eight hexadecimal
+# octet pairs separated by ":", using the compressed
+# form "::" for a sequence of zero-valued octet
+# pairs. Do not specify "[]", "/", leading zeros, or
+# non-compressed forms.
+#
+# A network range is matched by repeatedly truncating
+# the last ":octetpair" from the compressed-form
+# remote IPv6 host address string, until a match is
+# found in the access table, or until further trunca-
+# tion is not possible.
+#
+# NOTE: use the cidr lookup table type to specify
+# network/netmask patterns. See cidr_table(5) for
+# details.
+#
+# IPv6 support is available in Postfix 2.2 and later.
+#
+# ACCEPT ACTIONS
+# OK Accept the address etc. that matches the pattern.
+#
+# all-numerical
+# An all-numerical result is treated as OK. This for-
+# mat is generated by address-based relay authoriza-
+# tion schemes such as pop-before-smtp.
+#
+# For other accept actions, see "OTHER ACTIONS" below.
+#
+# REJECT ACTIONS
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When no code is specified
+# at the beginning of the text below, Postfix inserts a
+# default enhanced status code of "5.7.1" in the case of
+# reject actions, and "4.7.1" in the case of defer actions.
+# See "ENHANCED STATUS CODES" below.
+#
+# 4NN text
+#
+# 5NN text
+# Reject the address etc. that matches the pattern,
+# and respond with the numerical three-digit code and
+# text. 4NN means "try again later", while 5NN means
+# "do not try again".
+#
+# The following responses have special meaning for
+# the Postfix SMTP server:
+#
+# 421 text (Postfix 2.3 and later)
+#
+# 521 text (Postfix 2.6 and later)
+# After responding with the numerical
+# three-digit code and text, disconnect imme-
+# diately from the SMTP client. This frees up
+# SMTP server resources so that they can be
+# made available to another SMTP client.
+#
+# Note: The "521" response should be used only
+# with botnets and other malware where inter-
+# operability is of no concern. The "send 521
+# and disconnect" behavior is NOT defined in
+# the SMTP standard.
+#
+# REJECT optional text...
+# Reject the address etc. that matches the pattern.
+# Reply with "$access_map_reject_code optional
+# text..." when the optional text is specified, oth-
+# erwise reply with a generic error response message.
+#
+# DEFER optional text...
+# Reject the address etc. that matches the pattern.
+# Reply with "$access_map_defer_code optional
+# text..." when the optional text is specified, oth-
+# erwise reply with a generic error response message.
+#
+# This feature is available in Postfix 2.6 and later.
+#
+# DEFER_IF_REJECT optional text...
+# Defer the request if some later restriction would
+# result in a REJECT action. Reply with
+# "$access_map_defer_code 4.7.1 optional text..."
+# when the optional text is specified, otherwise
+# reply with a generic error response message.
+#
+# Prior to Postfix 2.6, the SMTP reply code is 450.
+#
+# This feature is available in Postfix 2.1 and later.
+#
+# DEFER_IF_PERMIT optional text...
+# Defer the request if some later restriction would
+# result in a an explicit or implicit PERMIT action.
+# Reply with "$access_map_defer_code 4.7.1 optional
+# text..." when the optional text is specified, oth-
+# erwise reply with a generic error response message.
+#
+# Prior to Postfix 2.6, the SMTP reply code is 450.
+#
+# This feature is available in Postfix 2.1 and later.
+#
+# For other reject actions, see "OTHER ACTIONS" below.
+#
+# OTHER ACTIONS
+# restriction...
+# Apply the named UCE restriction(s) (permit, reject,
+# reject_unauth_destination, and so on).
+#
+# BCC user@domain
+# Send one copy of the message to the specified
+# recipient.
+#
+# If multiple BCC actions are specified within the
+# same SMTP MAIL transaction, with Postfix 3.0 only
+# the last action will be used.
+#
+# This feature is available in Postfix 3.0 and later.
+#
+# DISCARD optional text...
+# Claim successful delivery and silently discard the
+# message. Log the optional text if specified, oth-
+# erwise log a generic message.
+#
+# Note: this action currently affects all recipients
+# of the message. To discard only one recipient
+# without discarding the entire message, use the
+# transport(5) table to direct mail to the discard(8)
+# service.
+#
+# This feature is available in Postfix 2.0 and later.
+#
+# DUNNO Pretend that the lookup key was not found. This
+# prevents Postfix from trying substrings of the
+# lookup key (such as a subdomain name, or a network
+# address subnetwork).
+#
+# This feature is available in Postfix 2.0 and later.
+#
+# FILTER transport:destination
+# After the message is queued, send the entire mes-
+# sage through the specified external content filter.
+# The transport name specifies the first field of a
+# mail delivery agent definition in master.cf; the
+# syntax of the next-hop destination is described in
+# the manual page of the corresponding delivery
+# agent. More information about external content
+# filters is in the Postfix FILTER_README file.
+#
+# Note 1: do not use $number regular expression sub-
+# stitutions for transport or destination unless you
+# know that the information has a trusted origin.
+#
+# Note 2: this action overrides the main.cf con-
+# tent_filter setting, and affects all recipients of
+# the message. In the case that multiple FILTER
+# actions fire, only the last one is executed.
+#
+# Note 3: the purpose of the FILTER command is to
+# override message routing. To override the recipi-
+# ent's transport but not the next-hop destination,
+# specify an empty filter destination (Postfix 2.7
+# and later), or specify a transport:destination that
+# delivers through a different Postfix instance
+# (Postfix 2.6 and earlier). Other options are using
+# the recipient-dependent transport_maps or the sen-
+# der-dependent sender_dependent_default_transport-
+# _maps features.
+#
+# This feature is available in Postfix 2.0 and later.
+#
+# HOLD optional text...
+# Place the message on the hold queue, where it will
+# sit until someone either deletes it or releases it
+# for delivery. Log the optional text if specified,
+# otherwise log a generic message.
+#
+# Mail that is placed on hold can be examined with
+# the postcat(1) command, and can be destroyed or
+# released with the postsuper(1) command.
+#
+# Note: use "postsuper -r" to release mail that was
+# kept on hold for a significant fraction of $maxi-
+# mal_queue_lifetime or $bounce_queue_lifetime, or
+# longer. Use "postsuper -H" only for mail that will
+# not expire within a few delivery attempts.
+#
+# Note: this action currently affects all recipients
+# of the message.
+#
+# This feature is available in Postfix 2.0 and later.
+#
+# PREPEND headername: headervalue
+# Prepend the specified message header to the mes-
+# sage. When more than one PREPEND action executes,
+# the first prepended header appears before the sec-
+# ond etc. prepended header.
+#
+# Note: this action must execute before the message
+# content is received; it cannot execute in the con-
+# text of smtpd_end_of_data_restrictions.
+#
+# This feature is available in Postfix 2.1 and later.
+#
+# REDIRECT user@domain
+# After the message is queued, send the message to
+# the specified address instead of the intended
+# recipient(s). When multiple REDIRECT actions fire,
+# only the last one takes effect.
+#
+# Note: this action overrides the FILTER action, and
+# currently overrides all recipients of the message.
+#
+# This feature is available in Postfix 2.1 and later.
+#
+# INFO optional text...
+# Log an informational record with the optional text,
+# together with client information and if available,
+# with helo, sender, recipient and protocol informa-
+# tion.
+#
+# This feature is available in Postfix 3.0 and later.
+#
+# WARN optional text...
+# Log a warning with the optional text, together with
+# client information and if available, with helo,
+# sender, recipient and protocol information.
+#
+# This feature is available in Postfix 2.1 and later.
+#
+# ENHANCED STATUS CODES
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When an enhanced status
+# code is specified in an access table, it is subject to
+# modification. The following transformations are needed
+# when the same access table is used for client, helo,
+# sender, or recipient access restrictions; they happen
+# regardless of whether Postfix replies to a MAIL FROM, RCPT
+# TO or other SMTP command.
+#
+# o When a sender address matches a REJECT action, the
+# Postfix SMTP server will transform a recipient DSN
+# status (e.g., 4.1.1-4.1.6) into the corresponding
+# sender DSN status, and vice versa.
+#
+# o When non-address information matches a REJECT
+# action (such as the HELO command argument or the
+# client hostname/address), the Postfix SMTP server
+# will transform a sender or recipient DSN status
+# into a generic non-address DSN status (e.g.,
+# 4.0.0).
+#
+# REGULAR EXPRESSION TABLES
+# This section describes how the table lookups change when
+# the table is given in the form of regular expressions. For
+# a description of regular expression lookup table syntax,
+# see regexp_table(5) or pcre_table(5).
+#
+# Each pattern is a regular expression that is applied to
+# the entire string being looked up. Depending on the appli-
+# cation, that string is an entire client hostname, an
+# entire client IP address, or an entire mail address. Thus,
+# no parent domain or parent network search is done,
+# user@domain mail addresses are not broken up into their
+# user@ and domain constituent parts, nor is user+foo broken
+# up into user and foo.
+#
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
+# string.
+#
+# Actions are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from
+# the pattern can be interpolated as $1, $2 and so on.
+#
+# TCP-BASED TABLES
+# This section describes how the table lookups change when
+# lookups are directed to a TCP-based server. For a descrip-
+# tion of the TCP client/server lookup protocol, see tcp_ta-
+# ble(5). This feature is not available up to and including
+# Postfix version 2.4.
+#
+# Each lookup operation uses the entire query string once.
+# Depending on the application, that string is an entire
+# client hostname, an entire client IP address, or an entire
+# mail address. Thus, no parent domain or parent network
+# search is done, user@domain mail addresses are not broken
+# up into their user@ and domain constituent parts, nor is
+# user+foo broken up into user and foo.
+#
+# Actions are the same as with indexed file lookups.
+#
+# EXAMPLE
+# The following example uses an indexed file, so that the
+# order of table entries does not matter. The example per-
+# mits access by the client at address 1.2.3.4 but rejects
+# all other clients in 1.2.3.0/24. Instead of hash lookup
+# tables, some systems use dbm. Use the command "postconf
+# -m" to find out what lookup tables Postfix supports on
+# your system.
+#
+# /etc/postfix/main.cf:
+# smtpd_client_restrictions =
+# check_client_access hash:/etc/postfix/access
+#
+# /etc/postfix/access:
+# 1.2.3 REJECT
+# 1.2.3.4 OK
+#
+# Execute the command "postmap /etc/postfix/access" after
+# editing the file.
+#
+# BUGS
+# The table format does not understand quoting conventions.
+#
+# SEE ALSO
+# postmap(1), Postfix lookup table manager
+# smtpd(8), SMTP server
+# postconf(5), configuration parameters
+# transport(5), transport:nexthop syntax
+#
+# README FILES
+# Use "postconf readme_directory" or "postconf html_direc-
+# tory" to locate this information.
+# SMTPD_ACCESS_README, built-in SMTP server access control
+# DATABASE_README, Postfix lookup table overview
+#
+# LICENSE
+# The Secure Mailer license must be distributed with this
+# software.
+#
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#
+# ACCESS(5)
diff --git a/postfix/canonical.rpmnew b/postfix/canonical.rpmnew
new file mode 100644
index 0000000..9881f4e
--- /dev/null
+++ b/postfix/canonical.rpmnew
@@ -0,0 +1,307 @@
+# CANONICAL(5) CANONICAL(5)
+#
+# NAME
+# canonical - Postfix canonical table format
+#
+# SYNOPSIS
+# postmap /etc/postfix/canonical
+#
+# postmap -q "string" /etc/postfix/canonical
+#
+# postmap -q - /etc/postfix/canonical Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+#
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible. Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi". This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception: delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients. By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+#
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+#
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+#
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter. The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+# >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# " where uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+# -dmS $process_name gdb $daemon_directory/$process_name
+# $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+#
+sendmail_path = /usr/sbin/sendmail.postfix
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases.postfix
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+#
+mailq_path = /usr/bin/mailq.postfix
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /usr/share/doc/postfix/samples
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix/README_FILES
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64/postfix
diff --git a/postfix/master.cf b/postfix/master.cf
index ebe92f5..2b7fc64 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -154,3 +154,5 @@ amavisfeed unix - - n - 2 lmtp
-o local_recipient_maps=
-o relay_recipient_maps=
+#smtpd pass - - n - - smtpd
+postlog unix-dgram n - n - 1 postlogd
diff --git a/postfix/master.cf.proto b/postfix/master.cf.proto
index 1b7e44f..0af43e1 100644
--- a/postfix/master.cf.proto
+++ b/postfix/master.cf.proto
@@ -64,6 +64,7 @@ virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
@@ -78,7 +79,7 @@ scache unix - - n - 1 scache
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
-# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
@@ -97,7 +98,7 @@ scache unix - - n - 1 scache
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
-# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
@@ -128,5 +129,5 @@ scache unix - - n - 1 scache
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
-# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
diff --git a/postfix/master.cf.rpmnew b/postfix/master.cf.rpmnew
new file mode 100644
index 0000000..0af43e1
--- /dev/null
+++ b/postfix/master.cf.rpmnew
@@ -0,0 +1,133 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+#submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop unix - n n - - pipe
+# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#
+#mailman unix - n n - - pipe
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# ${nexthop} ${user}
diff --git a/postfix/postfix-files b/postfix/postfix-files
index 6add5fd..1eda0a3 100644
--- a/postfix/postfix-files
+++ b/postfix/postfix-files
@@ -100,6 +100,7 @@ $daemon_directory/postfix-script:f:root:-:755
$daemon_directory/postfix-tls-script:f:root:-:755
$daemon_directory/postfix-wrapper:f:root:-:755
$daemon_directory/postmulti-script:f:root:-:755
+$daemon_directory/postlogd:f:root:-:755
$daemon_directory/postscreen:f:root:-:755
$daemon_directory/proxymap:f:root:-:755
$daemon_directory/qmgr:f:root:-:755
@@ -175,7 +176,6 @@ $manpage_directory/man5/cidr_table.5.gz:f:root:-:644
$manpage_directory/man5/generics.5.gz:f:root:-:644:o
$manpage_directory/man5/generic.5.gz:f:root:-:644
$manpage_directory/man5/header_checks.5.gz:f:root:-:644
-$manpage_directory/man5/lmdb_table.5.gz:f:root:-:644
$manpage_directory/man5/master.5.gz:f:root:-:644
$manpage_directory/man5/memcache_table.5.gz:f:root:-:644
$manpage_directory/man5/socketmap_table.5.gz:f:root:-:644
@@ -202,6 +202,7 @@ $manpage_directory/man8/nqmgr.8.gz:f:root:-:644:o
$manpage_directory/man8/oqmgr.8.gz:f:root:-:644:
$manpage_directory/man8/pickup.8.gz:f:root:-:644
$manpage_directory/man8/pipe.8.gz:f:root:-:644
+$manpage_directory/man8/postlogd.8.gz:f:root:-:644
$manpage_directory/man8/postscreen.8.gz:f:root:-:644
$manpage_directory/man8/proxymap.8.gz:f:root:-:644
$manpage_directory/man8/qmgr.8.gz:f:root:-:644
@@ -270,7 +271,6 @@ $readme_directory/HOSTING_README:f:root:-:644:o
$readme_directory/INSTALL:f:root:-:644
$readme_directory/IPV6_README:f:root:-:644
$readme_directory/LINUX_README:f:root:-:644
-$readme_directory/LMDB_README:f:root:-:644
$readme_directory/LOCAL_RECIPIENT_README:f:root:-:644
$readme_directory/MACOSX_README:f:root:-:644:o
$readme_directory/MAILDROP_README:f:root:-:644
@@ -403,6 +403,7 @@ $html_directory/postlock.1.html:f:root:-:644
$html_directory/postlog.1.html:f:root:-:644
$html_directory/postmap.1.html:f:root:-:644
$html_directory/postmulti.1.html:f:root:-:644
+$html_directory/postlogd.8.html:f:root:-:644
$html_directory/postqueue.1.html:f:root:-:644
$html_directory/postscreen.8.html:f:root:-:644
$html_directory/postsuper.1.html:f:root:-:644
diff --git a/postfix/transport.rpmnew b/postfix/transport.rpmnew
new file mode 100644
index 0000000..d1b3268
--- /dev/null
+++ b/postfix/transport.rpmnew
@@ -0,0 +1,317 @@
+# TRANSPORT(5) TRANSPORT(5)
+#
+# NAME
+# transport - Postfix transport table format
+#
+# SYNOPSIS
+# postmap /etc/postfix/transport
+#
+# postmap -q "string" /etc/postfix/transport
+#
+# postmap -q - /etc/postfix/transport = 3.5):
+#
+# example.com smtp:bar.example, foo.example
+#
+# This tries to deliver to bar.example before trying to
+# deliver to foo.example.
+#
+# The error mailer can be used to bounce mail:
+#
+# .example.com error:mail for *.example.com is not deliverable
+#
+# This causes all mail for user@anything.example.com to be
+# bounced.
+#
+# REGULAR EXPRESSION TABLES
+# This section describes how the table lookups change when
+# the table is given in the form of regular expressions. For
+# a description of regular expression lookup table syntax,
+# see regexp_table(5) or pcre_table(5).
+#
+# Each pattern is a regular expression that is applied to
+# the entire address being looked up. Thus,
+# some.domain.hierarchy is not looked up via its parent
+# domains, nor is user+foo@domain looked up as user@domain.
+#
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
+# string.
+#
+# The trivial-rewrite(8) server disallows regular expression
+# substitution of $1 etc. in regular expression lookup
+# tables, because that could open a security hole (Postfix
+# version 2.3 and later).
+#
+# TCP-BASED TABLES
+# This section describes how the table lookups change when
+# lookups are directed to a TCP-based server. For a descrip-
+# tion of the TCP client/server lookup protocol, see tcp_ta-
+# ble(5). This feature is not available up to and including
+# Postfix version 2.4.
+#
+# Each lookup operation uses the entire recipient address
+# once. Thus, some.domain.hierarchy is not looked up via
+# its parent domains, nor is user+foo@domain looked up as
+# user@domain.
+#
+# Results are the same as with indexed file lookups.
+#
+# CONFIGURATION PARAMETERS
+# The following main.cf parameters are especially relevant.
+# The text below provides only a parameter summary. See
+# postconf(5) for more details including examples.
+#
+# empty_address_recipient (MAILER-DAEMON)
+# The recipient of mail addressed to the null
+# address.
+#
+# parent_domain_matches_subdomains (see 'postconf -d' out-
+# put)
+# A list of Postfix features where the pattern "exam-
+# ple.com" also matches subdomains of example.com,
+# instead of requiring an explicit ".example.com"
+# pattern.
+#
+# transport_maps (empty)
+# Optional lookup tables with mappings from recipient
+# address to (message delivery transport, next-hop
+# destination).
+#
+# SEE ALSO
+# trivial-rewrite(8), rewrite and resolve addresses
+# master(5), master.cf file format
+# postconf(5), configuration parameters
+# postmap(1), Postfix lookup table manager
+#
+# README FILES
+# Use "postconf readme_directory" or "postconf html_direc-
+# tory" to locate this information.
+# ADDRESS_REWRITING_README, address rewriting guide
+# DATABASE_README, Postfix lookup table overview
+# FILTER_README, external content filter
+#
+# LICENSE
+# The Secure Mailer license must be distributed with this
+# software.
+#
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#
+# Wietse Venema
+# Google, Inc.
+# 111 8th Avenue
+# New York, NY 10011, USA
+#
+# TRANSPORT(5)
diff --git a/postfix/virtual.rpmnew b/postfix/virtual.rpmnew
new file mode 100644
index 0000000..da9cd65
--- /dev/null
+++ b/postfix/virtual.rpmnew
@@ -0,0 +1,324 @@
+# VIRTUAL(5) VIRTUAL(5)
+#
+# NAME
+# virtual - Postfix virtual alias table format
+#
+# SYNOPSIS
+# postmap /etc/postfix/virtual
+#
+# postmap -q "string" /etc/postfix/virtual
+#
+# postmap -q - /etc/postfix/virtual [port2_type]
+#
+# @port1 and @port2:
+# One of auto, ib, or eth. No checking is performed to make sure that
+# combinations are valid. Invalid inputs will result in the driver
+# not setting the port to the type requested. port1 is required at
+# all times, port2 is required for dual port cards.
+#
+# Example:
+# 0000:0b:00.0 eth eth
+#
+# You can find the right pci device to use for any given card by loading
+# the mlx4_core module, then going to /sys/bus/pci/drivers/mlx4_core and
+# seeing what possible PCI devices are listed there. The possible values
+# for ports are: ib, eth, and auto. However, not all cards support all
+# types, so if you get messages from the kernel that your selected port
+# type isn't supported, there's nothing this script can do about it. Also,
+# some cards don't support using different types on the two ports (aka,
+# both ports must be either eth or ib). Again, we can't set what the kernel
+# or hardware won't support.
+#
diff --git a/rdma/modules/infiniband.conf b/rdma/modules/infiniband.conf
new file mode 100644
index 0000000..99526e1
--- /dev/null
+++ b/rdma/modules/infiniband.conf
@@ -0,0 +1,12 @@
+# These modules are loaded by the system if any InfiniBand device is installed
+# InfiniBand over IP netdevice
+ib_ipoib
+
+# Access to fabric management SMPs and GMPs from userspace.
+ib_umad
+
+# SCSI Remote Protocol target support
+# ib_srpt
+
+# ib_ucm provides the obsolete /dev/infiniband/ucm0
+# ib_ucm
diff --git a/rdma/modules/iwarp.conf b/rdma/modules/iwarp.conf
new file mode 100644
index 0000000..0cb831d
--- /dev/null
+++ b/rdma/modules/iwarp.conf
@@ -0,0 +1 @@
+# These modules are loaded by the system if any iWarp device is installed
diff --git a/rdma/modules/opa.conf b/rdma/modules/opa.conf
new file mode 100644
index 0000000..b9bc9f1
--- /dev/null
+++ b/rdma/modules/opa.conf
@@ -0,0 +1,10 @@
+# These modules are loaded by the system if any OmniPath Architecture device
+# is installed
+# Infiniband over IP netdevice
+ib_ipoib
+
+# Access to fabric management SMPs and GMPs from userspace.
+ib_umad
+
+# Omnipath Ethernet Virtual NIC netdevice
+opa_vnic
diff --git a/rdma/modules/rdma.conf b/rdma/modules/rdma.conf
new file mode 100644
index 0000000..4e2901b
--- /dev/null
+++ b/rdma/modules/rdma.conf
@@ -0,0 +1,24 @@
+# These modules are loaded by the system if any RDMA devices is installed
+# iSCSI over RDMA client support
+ib_iser
+
+# iSCSI over RDMA target support
+ib_isert
+
+# SCSI RDMA Protocol target driver
+ib_srpt
+
+# User access to RDMA verbs (supports libibverbs)
+ib_uverbs
+
+# User access to RDMA connection management (supports librdmacm)
+rdma_ucm
+
+# RDS over RDMA support
+# rds_rdma
+
+# NFS over RDMA client support
+xprtrdma
+
+# NFS over RDMA server support
+svcrdma
diff --git a/rdma/modules/roce.conf b/rdma/modules/roce.conf
new file mode 100644
index 0000000..8e4927c
--- /dev/null
+++ b/rdma/modules/roce.conf
@@ -0,0 +1,2 @@
+# These modules are loaded by the system if any RDMA over Converged Ethernet
+# device is installed
diff --git a/rhsm/rhsm.conf b/rhsm/rhsm.conf
index 061f20a..9cf9613 100644
--- a/rhsm/rhsm.conf
+++ b/rhsm/rhsm.conf
@@ -94,6 +94,12 @@ autoAttachInterval = 1440
splay = 1
# If set to 1, rhsmcertd will not execute.
disable = 0
+# Set to 1, when rhsmcerd will try to do automatic registration.
+# Setting this option make sense only on machines running on public
+# clouds. Currently only AWS, Azure and GCP are supported
+auto_registration = 0
+# Interval to run auto-registration (in minutes):
+auto_registration_interval = 60
[logging]
default_log_level = INFO
diff --git a/security/pwquality.conf b/security/pwquality.conf
index 550036d..63eb315 100644
--- a/security/pwquality.conf
+++ b/security/pwquality.conf
@@ -54,6 +54,10 @@
# The check is enabled if the value is not 0.
# usercheck = 1
#
+# Length of substrings from the username to check for in the password
+# The check is enabled if the value is greater than 0 and usercheck is enabled.
+# usersubstr = 0
+#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
@@ -61,3 +65,15 @@
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
+#
+# Prompt user at most N times before returning with error. The default is 1.
+# retry = 3
+#
+# Enforces pwquality checks on the root user password.
+# Enabled if the option is present.
+# enforce_for_root
+#
+# Skip testing the password quality for users that are not present in the
+# /etc/passwd file.
+# Enabled if the option is present.
+# local_users_only
diff --git a/selinux/semanage.conf b/selinux/semanage.conf
index 9045021..8d30db4 100644
--- a/selinux/semanage.conf
+++ b/selinux/semanage.conf
@@ -42,14 +42,16 @@ module-store = direct
expand-check=0
# usepasswd check tells semanage to scan all pass word records for home directories
-# and setup the labeling correctly. If this is turned off, SELinux will label /home
-# correctly only. You will need to use semanage fcontext command.
+# and setup the labeling correctly. If this is turned off, SELinux will label only /home
+# and home directories of users with SELinux login mappings defined, see
+# semanage login -l for the list of such users.
+# If you want to use a different home directory, you will need to use semanage fcontext command.
# For example, if you had home dirs in /althome directory you would have to execute
# semanage fcontext -a -e /home /althome
usepasswd=False
bzip-small=true
bzip-blocksize=5
-ignoredirs=/root
+ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
[sefcontext_compile]
path = /usr/sbin/sefcontext_compile
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index fdaf026..1cd8e2e 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-a22e33fcbb09d3c1722d49f584d554e7c9a887c3b1da8dc15f90e9d72884fd73191d410f6d4dbf9f0c7c99e8362393b218002ba9644eecb0d1e509bbc9132d04
+a3901cc0dc86321934577ebddea6d769230a49a9899939b0c78d693b1b1dd8bbf53fba876ba3c8c08bf7fe910a1a8d760bcf812026b8edac95389f7e9a13b4bb
diff --git a/selinux/targeted/contexts/files/file_contexts b/selinux/targeted/contexts/files/file_contexts
index 3cece99..74786cc 100644
--- a/selinux/targeted/contexts/files/file_contexts
+++ b/selinux/targeted/contexts/files/file_contexts
@@ -530,6 +530,7 @@
/dev/usbmon.+ -c system_u:object_r:usbmon_device_t:s0
/dev/mmcblk.* -b system_u:object_r:removable_device_t:s0
/dev/mspblk.* -b system_u:object_r:removable_device_t:s0
+/etc/httpd/.* -l system_u:object_r:etc_t:s0
/initrd\.img.* -l system_u:object_r:boot_t:s0
/etc/bacula.* system_u:object_r:bacula_etc_t:s0
/etc/drupal.* system_u:object_r:httpd_sys_rw_content_t:s0
@@ -1532,6 +1533,7 @@
/boot/System\.map(-.*)? -- system_u:object_r:system_map_t:s0
/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t:s0
/var/cache/swift(/.*)? -- system_u:object_r:swift_var_cache_t:s0
+/dev/vhost-vdpa-[0-9]+ -c system_u:object_r:vhost_device_t:s0
/etc/MailScanner(/.*)? system_u:object_r:mscan_etc_t:s0
/etc/WebCalendar(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/etc/dirsrv/dsgw(/.*)? system_u:object_r:dirsrvadmin_config_t:s0
@@ -2068,6 +2070,7 @@
/opt/google-earth/.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/usr/google-earth/.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/var/run/nm-xl2tpd.conf.* -- system_u:object_r:NetworkManager_var_run_t:s0
+/var/run/pcsd-ruby.socket -s system_u:object_r:cluster_var_run_t:s0
/etc/resolv-secure.conf.* system_u:object_r:net_conf_t:s0
/var/cache/tomcat6?(/.*)? system_u:object_r:tomcat_cache_t:s0
/var/lib/syslog-ng.persist -- system_u:object_r:syslogd_var_lib_t:s0
@@ -2213,6 +2216,7 @@
/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t:s0
/var/run/samba/nmbd(/.*)? system_u:object_r:nmbd_var_run_t:s0
/var/run/stickshift(/.*)? system_u:object_r:openshift_var_run_t:s0
+/var/run/strongswan(/.*)? system_u:object_r:ipsec_var_run_t:s0
/var/run/timemaster(/.*)? system_u:object_r:timemaster_var_run_t:s0
/var/spool/asterisk(/.*)? system_u:object_r:asterisk_spool_t:s0
/var/spool/cups-pdf(/.*)? system_u:object_r:print_spool_t:s0
@@ -2746,6 +2750,7 @@
/var/spool/cron/crontabs/.* -- <>
/etc/rc\.d/init\.d/dhcrelay(6)? -- system_u:object_r:dhcpd_initrc_exec_t:s0
/usr/share/awstats/tools/.+\.pl -- system_u:object_r:awstats_exec_t:s0
+/var/run/systemd/machines.lock -- system_u:object_r:systemd_machined_var_run_t:s0
/etc/security/namespace\.d(/.*)? -- system_u:object_r:namespace_init_exec_t:s0
/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t:s0
/etc/pki/pki-tomcat/alias(/.*)? system_u:object_r:pki_tomcat_cert_t:s0
@@ -4023,7 +4028,6 @@
/var/run/\.zebra -s system_u:object_r:zebra_var_run_t:s0
/var/run/\.zserv -s system_u:object_r:zebra_var_run_t:s0
/var/run/zarafa -s system_u:object_r:zarafa_server_var_run_t:s0
-/etc/httpd/logs system_u:object_r:httpd_log_t:s0
/bin/dbus-daemon -- system_u:object_r:dbusd_exec_t:s0
/etc/fetchmailrc -- system_u:object_r:fetchmail_etc_t:s0
/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t:s0
@@ -4560,7 +4564,6 @@
/dev/device-mapper -c system_u:object_r:fixed_disk_device_t:s0
/dev/xen/hypercall -c system_u:object_r:xen_device_t:s0
/var/run/gpsd\.sock -s system_u:object_r:gpsd_var_run_t:s0
-/etc/httpd/modules system_u:object_r:httpd_modules_t:s0
/usr/bin/pkidaemon system_u:object_r:pki_tomcat_exec_t:s0
/\.ismount-test-file -- system_u:object_r:sosreport_tmp_t:s0
/bin/systemd-notify -- system_u:object_r:systemd_notify_exec_t:s0
@@ -4710,6 +4713,7 @@
/var/log/lost\+found -d system_u:object_r:lost_found_t:s0
/var/tmp/lost\+found -d system_u:object_r:lost_found_t:s0
/var/tmp/vi\.recover -d system_u:object_r:tmp_t:s0
+/dev/isst_interface -c system_u:object_r:cpu_device_t:s0
/dev/mapper/control -c system_u:object_r:lvm_control_t:s0
/var/run/charon\.ctl -s system_u:object_r:ipsec_var_run_t:s0
/var/run/dcc/dccifd -s system_u:object_r:dccifd_var_run_t:s0
@@ -5404,6 +5408,7 @@
/usr/sbin/audisp-prelude -- system_u:object_r:prelude_audisp_exec_t:s0
/usr/sbin/avahi-dnsconfd -- system_u:object_r:avahi_exec_t:s0
/usr/sbin/cgconfigparser -- system_u:object_r:cgconfig_exec_t:s0
+/usr/sbin/charon-systemd -- system_u:object_r:ipsec_exec_t:s0
/usr/sbin/condor_starter -- system_u:object_r:condor_startd_exec_t:s0
/usr/sbin/condor_vm-gahp -- system_u:object_r:virtd_exec_t:s0
/usr/sbin/dmsetup\.static -- system_u:object_r:lvm_exec_t:s0
@@ -5525,6 +5530,8 @@
/usr/libexec/news/nntpget -- system_u:object_r:innd_exec_t:s0
/usr/libexec/pcp/bin/pmcd -- system_u:object_r:pcp_pmcd_exec_t:s0
/usr/libexec/pcp/bin/pmie -- system_u:object_r:pcp_pmie_exec_t:s0
+/usr/libexec/pcp/lib/pmcd -- system_u:object_r:pcp_pmcd_initrc_exec_t:s0
+/usr/libexec/pcp/lib/pmie -- system_u:object_r:pcp_pmie_initrc_exec_t:s0
/usr/libexec/postfix/lmtp -- system_u:object_r:postfix_smtp_exec_t:s0
/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t:s0
/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t:s0
@@ -5816,6 +5823,7 @@
/usr/libexec/ntpdate-wrapper -- system_u:object_r:ntpdate_exec_t:s0
/usr/libexec/openipmi-helper -- system_u:object_r:ipmievd_helper_exec_t:s0
/usr/libexec/pcp/bin/pmproxy -- system_u:object_r:pcp_pmproxy_exec_t:s0
+/usr/libexec/pcp/lib/pmproxy -- system_u:object_r:pcp_pmproxy_initrc_exec_t:s0
/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
/usr/libexec/postfix/virtual -- system_u:object_r:postfix_virtual_exec_t:s0
/usr/libexec/telepathy-rakia -- system_u:object_r:telepathy_sofiasip_exec_t:s0
@@ -5870,6 +5878,7 @@
/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/mediawiki/math/texvc -- system_u:object_r:mediawiki_script_exec_t:s0
/usr/lib/systemd/systemd-fsck -- system_u:object_r:fsadm_exec_t:s0
+/usr/lib/systemd/systemd-pull -- system_u:object_r:systemd_importd_exec_t:s0
/usr/lib/udisks/udisks-daemon -- system_u:object_r:devicekit_disk_exec_t:s0
/usr/lib/vmware/bin/vmware-ui -- system_u:object_r:vmware_exec_t:s0
/usr/lib/vte/gnome-pty-helper -- system_u:object_r:bin_t:s0
@@ -5886,6 +5895,7 @@
/usr/libexec/openafs/salvager -- system_u:object_r:afs_fsserver_exec_t:s0
/usr/libexec/openafs/vlserver -- system_u:object_r:afs_vlserver_exec_t:s0
/usr/libexec/pcp/bin/pmlogger -- system_u:object_r:pcp_pmlogger_exec_t:s0
+/usr/libexec/pcp/lib/pmlogger -- system_u:object_r:pcp_pmlogger_initrc_exec_t:s0
/usr/libexec/ricci-modservice -- system_u:object_r:ricci_modservice_exec_t:s0
/usr/libexec/ricci-modstorage -- system_u:object_r:ricci_modstorage_exec_t:s0
/usr/libexec/sssd/sssd_autofs -- system_u:object_r:sssd_exec_t:s0
@@ -5971,6 +5981,7 @@
/var/run/pluto/ipsec_setup\.pid -- system_u:object_r:ipsec_mgmt_var_run_t:s0
/var/run/portmap\.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
+/var/spool/mail/\.fetchmail\.pid -- system_u:object_r:fetchmail_uidl_cache_t:s0
/var/www/apcupsd/upsfstats\.cgi -- system_u:object_r:apcupsd_cgi_script_exec_t:s0
/var/named/chroot_sdb/dev/null -c system_u:object_r:null_device_t:s0
/var/named/chroot_sdb/dev/zero -c system_u:object_r:zero_device_t:s0
@@ -6016,7 +6027,6 @@
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
/usr/share/vdsm/supervdsmServer -- system_u:object_r:virtd_exec_t:s0
/var/lib/likewise/krb5ccr_lsass -- system_u:object_r:lsassd_var_lib_t:s0
-/var/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t:s0
/var/named/chroot/etc/localtime -- system_u:object_r:locale_t:s0
/var/run/console-kit-daemon\.pid -- system_u:object_r:consolekit_var_run_t:s0
/var/www/nut-cgi-bin/upsset\.cgi -- system_u:object_r:nutups_cgi_script_exec_t:s0
@@ -6220,6 +6230,7 @@
/var/lib/likewise-open/db/registry\.db -- system_u:object_r:lwregd_var_lib_t:s0
/var/lib/likewise-open/run/rpcdep\.dat -- system_u:object_r:dcerpcd_var_lib_t:s0
/var/lib/likewise/db/lsass-adcache\.db -- system_u:object_r:lsassd_var_lib_t:s0
+/var/spool/mail/\.fetchmail-UIDL-cache -- system_u:object_r:fetchmail_uidl_cache_t:s0
/usr/Zend/lib/ZendExtensionManager\.so system_u:object_r:textrel_shlib_t:s0
/etc/rc\.d/init\.d/mountall-bootclean\.sh -- system_u:object_r:tmpreaper_exec_t:s0
/etc/rc\.d/init\.d/mountnfs-bootclean\.sh -- system_u:object_r:tmpreaper_exec_t:s0
diff --git a/selinux/targeted/contexts/files/file_contexts.bin b/selinux/targeted/contexts/files/file_contexts.bin
index dda59ec..2b61544 100644
Binary files a/selinux/targeted/contexts/files/file_contexts.bin and b/selinux/targeted/contexts/files/file_contexts.bin differ
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index b3cfeb5..69af88c 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ
diff --git a/sysconfig/cbq/avpkt b/sysconfig/cbq/avpkt
deleted file mode 100644
index c362b94..0000000
--- a/sysconfig/cbq/avpkt
+++ /dev/null
@@ -1 +0,0 @@
-AVPKT=3000
diff --git a/sysconfig/cbq/cbq-0000.example b/sysconfig/cbq/cbq-0000.example
deleted file mode 100644
index 5503374..0000000
--- a/sysconfig/cbq/cbq-0000.example
+++ /dev/null
@@ -1,5 +0,0 @@
-DEVICE=eth0,10Mbit,1Mbit
-RATE=128Kbit
-WEIGHT=10Kbit
-PRIO=5
-RULE=192.168.1.0/24
diff --git a/sysconfig/network-scripts/ifup b/sysconfig/network-scripts/ifup
index 8d56580..6ee260a 100755
--- a/sysconfig/network-scripts/ifup
+++ b/sysconfig/network-scripts/ifup
@@ -122,7 +122,7 @@ if [ "${VLAN}" = "yes" ] && [ "$ISALIAS" = "no" ] && [ -n "$DEVICE" ]; then
}
# Link on Physical device needs to be up but no ip required
- check_device_down ${PHYSDEV} && { ip -o link set dev ${PHYSDEV} up; }
+ check_device_down ${PHYSDEV} && set_link_up ${PHYSDEV}
if [ ! -f /proc/net/vlan/${DEVICE} ]; then
if [ "${REORDER_HDR}" = "no" -o "${REORDER_HDR}" = "0" ]; then
diff --git a/sysconfig/network-scripts/ifup-aliases b/sysconfig/network-scripts/ifup-aliases
index 8a943c1..5ee04d2 100755
--- a/sysconfig/network-scripts/ifup-aliases
+++ b/sysconfig/network-scripts/ifup-aliases
@@ -280,8 +280,9 @@ function new_interface ()
# update ARP cache of neighboring computers:
if ! is_false "${ARPUPDATE}" && [ "${REALDEVICE}" != "lo" ]; then
- /sbin/arping -q -A -c 1 -I ${parent_device} ${IPADDR}
- ( sleep 2; /sbin/arping -q -U -c 1 -I ${parent_device} ${IPADDR} ) > /dev/null 2>&1 < /dev/null &
+ /sbin/arping -q -A -c 1 -w ${ARPING_UPDATE_WAIT:-3} -I ${parent_device} ${IPADDR}
+ ( sleep 2;
+ /sbin/arping -q -U -c 1 -w ${ARPING_UPDATE_WAIT:-3} -I ${parent_device} ${IPADDR} ) > /dev/null 2>&1 < /dev/null &
fi
! is_false "$IPV6INIT" && \
diff --git a/sysconfig/network-scripts/ifup-eth b/sysconfig/network-scripts/ifup-eth
index cd898f6..592bfb8 100755
--- a/sysconfig/network-scripts/ifup-eth
+++ b/sysconfig/network-scripts/ifup-eth
@@ -76,7 +76,7 @@ if [ "${TYPE}" = "Bridge" ]; then
# set LINKDELAY (used as timeout when calling check_link_down())
# to at least (${DELAY} * 2) + 7 if STP is enabled. This is the
# minimum time required for /sys/class/net/$REALDEVICE/carrier to
- # become 1 after "ip link set dev $DEVICE up" is called.
+ # become 1 after "set_link_up $DEVICE" is called.
if is_true "${STP}"; then
if [ -n "${DELAY}" ]; then
forward_delay="${DELAY}"
@@ -164,7 +164,7 @@ fi
# so it can actually get an IP.
if [ "$ISALIAS" = no ] && is_bonding_device ${DEVICE} ; then
install_bonding_driver ${DEVICE}
- /sbin/ip link set dev ${DEVICE} up
+ set_link_up ${DEVICE}
for device in $(LANG=C grep -l "^[[:space:]]*MASTER=['\"]\?${DEVICE}['\"]\?\([[:space:]#]\|$\)" /etc/sysconfig/network-scripts/ifcfg-*) ; do
is_ignored_file "$device" && continue
/sbin/ifup ${device##*/} || net_log "Unable to start slave device ${device##*/} for master ${DEVICE}." warning
@@ -188,7 +188,7 @@ if [ -n "${BRIDGE}" ]; then
ip link add ${BRIDGE} type bridge 2>/dev/null
fi
/sbin/ip addr flush dev ${DEVICE} 2>/dev/null
- /sbin/ip link set dev ${DEVICE} up
+ set_link_up ${DEVICE}
ethtool_set
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
ip link set dev ${DEVICE} master ${BRIDGE}
@@ -243,7 +243,7 @@ if [ -n "${DYNCONFIG}" ] && [ -x /sbin/dhclient ]; then
else
if [ -z "${IPADDR}" -a -z "${IPADDR0}" -a -z "${IPADDR1}" -a -z "${IPADDR2}" ]; then
# enable device without IP, useful for e.g. PPPoE
- ip link set dev ${REALDEVICE} up
+ set_link_up ${REALDEVICE}
ethtool_set
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
else
@@ -253,7 +253,7 @@ else
[ -n "${ARP}" ] && \
ip link set dev ${REALDEVICE} $(toggle_value arp $ARP)
- if ! ip link set dev ${REALDEVICE} up ; then
+ if ! set_link_up ${REALDEVICE} ; then
net_log $"Failed to bring up ${DEVICE}."
exit 1
fi
@@ -302,9 +302,9 @@ else
# update ARP cache of neighboring computers
if ! is_false "${arpupdate[$idx]}" && [ "${REALDEVICE}" != "lo" ]; then
- /sbin/arping -q -A -c 1 -I ${REALDEVICE} ${ipaddr[$idx]}
+ /sbin/arping -q -A -c 1 -w ${ARPING_UPDATE_WAIT:-3} -I ${REALDEVICE} ${ipaddr[$idx]}
( sleep 2;
- /sbin/arping -q -U -c 1 -I ${REALDEVICE} ${ipaddr[$idx]} ) > /dev/null 2>&1 < /dev/null &
+ /sbin/arping -q -U -c 1 -w ${ARPING_UPDATE_WAIT:-3} -I ${REALDEVICE} ${ipaddr[$idx]} ) > /dev/null 2>&1 < /dev/null &
fi
# set lifetime of address to forever
diff --git a/sysconfig/network-scripts/ifup-ippp b/sysconfig/network-scripts/ifup-ippp
index e1f08a7..47ffc87 100755
--- a/sysconfig/network-scripts/ifup-ippp
+++ b/sysconfig/network-scripts/ifup-ippp
@@ -342,7 +342,7 @@ function addprovider()
# activate ISDN device
/usr/bin/logger -p daemon.info -t ifup-ippp "ip addr add $IPADDR peer $GATEWAY${pfx:/$pfx} dev $DEVICE"
ip addr add $IPADDR peer $GATEWAY${pfx:/$pfx} dev $DEVICE
- ip link set dev $DEVICE up
+ set_link_up $DEVICE
if [ "$ENCAP" = "syncppp" ]; then
# start ipppd daemon
diff --git a/sysconfig/network-scripts/ifup-plip b/sysconfig/network-scripts/ifup-plip
index 2cea68b..3524b26 100755
--- a/sysconfig/network-scripts/ifup-plip
+++ b/sysconfig/network-scripts/ifup-plip
@@ -12,7 +12,7 @@ fi
[ -z "$PREFIX" ] && eval $(/bin/ipcalc --prefix ${IPADDR} ${NETMASK})
ip addr add ${IPADDR} peer ${REMIP}/${PREFIX} dev ${DEVICE}
-ip link set up dev ${DEVICE}
+set_link_up ${DEVICE}
ip route add ${NETWORK} dev ${DEVICE}
. /etc/sysconfig/network
diff --git a/sysconfig/network-scripts/ifup-plusb b/sysconfig/network-scripts/ifup-plusb
index 1b29afe..2b2c2c5 100755
--- a/sysconfig/network-scripts/ifup-plusb
+++ b/sysconfig/network-scripts/ifup-plusb
@@ -29,7 +29,7 @@ if [ ${BROADCAST} != "" ] ; then
else
ip addr add ${IPADDR} peer ${REMIP}/${PREFIX} dev ${DEVICE}
fi
-ip link set up dev ${DEVICE}
+set_link_up ${DEVICE}
. /etc/sysconfig/network
diff --git a/sysconfig/network-scripts/ifup-tunnel b/sysconfig/network-scripts/ifup-tunnel
index ea85df5..f20048a 100755
--- a/sysconfig/network-scripts/ifup-tunnel
+++ b/sysconfig/network-scripts/ifup-tunnel
@@ -91,7 +91,7 @@ fi
/sbin/ip addr add "$MY_INNER_IPADDR" dev "$DEVICE" \
${PEER_INNER_IPADDR:+peer "$PEER_INNER_IPADDR"}
-/sbin/ip link set dev "$DEVICE" up
+set_link_up "${DEVICE}"
# IPv6 initialisation?
/etc/sysconfig/network-scripts/ifup-ipv6 ${CONFIG}
diff --git a/sysconfig/network-scripts/network-functions b/sysconfig/network-scripts/network-functions
index 614ad2c..e318151 100644
--- a/sysconfig/network-scripts/network-functions
+++ b/sysconfig/network-scripts/network-functions
@@ -453,11 +453,19 @@ check_device_down ()
fi
}
+set_link_up ()
+{
+ if [ "$LINKSTATUS" != down ]; then
+ ip link set dev $1 up >/dev/null 2>&1
+ fi
+}
+
check_link_down ()
{
if ! LC_ALL=C ip link show dev $1 2>/dev/null| grep -q ",UP" ; then
- ip link set dev $1 up >/dev/null 2>&1
+ set_link_up $1
fi
+
timeout=0
delay=10
[ -n "$LINKDELAY" ] && delay=$(($LINKDELAY * 2))
diff --git a/sysconfig/network-scripts/network-functions-ipv6 b/sysconfig/network-scripts/network-functions-ipv6
index 2f7b19b..9a87a13 100644
--- a/sysconfig/network-scripts/network-functions-ipv6
+++ b/sysconfig/network-scripts/network-functions-ipv6
@@ -10,6 +10,8 @@
#
#
+# Source network-functions due to need of set_link_up()
+. ./network-functions
##### Test for IPv6 capabilities
# $1: (optional) testflag: currently supported: "testonly" (do not load a module)
@@ -108,7 +110,7 @@ ipv6_enable_autotunnel() {
true
else
# bring up basic tunnel device
- /sbin/ip link set sit0 up
+ set_link_up sit0
if ! ipv6_test_device_status sit0; then
net_log $"Tunnel device 'sit0' enabling didn't work" err $fn
@@ -159,7 +161,7 @@ ipv6_add_addr_on_device() {
net_log $"Device '$device' doesn't exist" err $fn
return 3
else
- /sbin/ip link set $device up
+ set_link_up $device
if ! ipv6_test_device_status $device; then
net_log $"Device '$device' enabling didn't work" err $fn
@@ -604,7 +606,7 @@ ipv6_add_tunnel_device() {
return 3
fi
- /sbin/ip link set $device up
+ set_link_up $device
if ! ipv6_test_device_status $device; then
net_log $"Tunnel device '$device' bringing up didn't work" err $fn
diff --git a/udev/hwdb.bin b/udev/hwdb.bin
index 459aa6a..e41b666 100644
Binary files a/udev/hwdb.bin and b/udev/hwdb.bin differ
diff --git a/udev/rules.d/70-persistent-ipoib.rules b/udev/rules.d/70-persistent-ipoib.rules
new file mode 100644
index 0000000..f8d700a
--- /dev/null
+++ b/udev/rules.d/70-persistent-ipoib.rules
@@ -0,0 +1,12 @@
+# This is a sample udev rules file that demonstrates how to get udev to
+# set the name of IPoIB interfaces to whatever you wish. There is a
+# 16 character limit on network device names.
+#
+# Important items to note: ATTR{type}=="32" is IPoIB interfaces, and the
+# ATTR{address} match must start with ?* and only reference the last 8
+# bytes of the address or else the address might not match the variable QPN
+# portion.
+#
+# Modern udev is case sensitive and all addresses need to be in lower case.
+#
+# ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{type}=="32", ATTR{address}=="?*00:02:c9:03:00:31:78:f2", NAME="mlx4_ib3"
diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem
new file mode 100644
index 0000000..d76ce0b
--- /dev/null
+++ b/unbound/icannbundle.pem
@@ -0,0 +1,237 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+ Validity
+ Not Before: Dec 23 04:19:12 2009 GMT
+ Not After : Dec 18 04:19:12 2029 GMT
+ Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
+ bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
+ 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
+ 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
+ fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
+ 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
+ e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
+ d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
+ e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
+ 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
+ 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
+ ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
+ 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
+ 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
+ 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
+ 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
+ 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
+ 85:41
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
+ 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
+ c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
+ b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
+ 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
+ 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
+ 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
+ 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
+ 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
+ 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
+ c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
+ 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
+ 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
+ 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
+ e7:40:61:a4
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
+DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
+IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
+MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
+cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
+G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
+ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
+paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
+MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
+iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
+Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
+DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
+6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
+2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
+15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
+0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
+j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 11 (0xb)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+ Validity
+ Not Before: Nov 8 23:39:47 2016 GMT
+ Not After : Nov 6 23:39:47 2026 GMT
+ Subject: O=ICANN, CN=ICANN EMAIL CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
+ 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
+ c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
+ 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
+ 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
+ fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
+ a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
+ 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
+ db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
+ d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
+ 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
+ 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
+ b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
+ d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
+ 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
+ fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
+ 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
+ 4d:b1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+
+ X509v3 Subject Key Identifier:
+ 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
+ Signature Algorithm: sha256WithRSAEncryption
+ 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
+ 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
+ 95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
+ 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
+ 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
+ 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
+ e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
+ b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
+ d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
+ ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
+ 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
+ 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
+ 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
+ e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
+ be:7e:36:be
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
+DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
+IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
+9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
+jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
+LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
+ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
+VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
+QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
+ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
+tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
+SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
+lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
+CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
+DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
+SMNGv75+Nr4=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 10 (0xa)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+ Validity
+ Not Before: Nov 8 23:38:16 2016 GMT
+ Not After : Nov 6 23:38:16 2026 GMT
+ Subject: O=ICANN, CN=ICANN SSL CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
+ 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
+ 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
+ e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
+ 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
+ 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
+ dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
+ 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
+ f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
+ d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
+ f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
+ 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
+ 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
+ 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
+ e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
+ 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
+ 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
+ e2:c5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+
+ X509v3 Subject Key Identifier:
+ 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
+ Signature Algorithm: sha256WithRSAEncryption
+ 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
+ 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
+ cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
+ 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
+ 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
+ 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
+ fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
+ e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
+ f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
+ c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
+ 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
+ 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
+ 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
+ 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
+ 2d:70:f2:08
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
+DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
+IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
+K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
+VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
+nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
+kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
+yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
+kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
+qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
+K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
+tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
+Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
+C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
+jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
+T5ktcPII
+-----END CERTIFICATE-----
diff --git a/unbound/root.key b/unbound/root.key
new file mode 100644
index 0000000..a0b1bef
--- /dev/null
+++ b/unbound/root.key
@@ -0,0 +1,5 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+};
diff --git a/vmware-tools/tools.conf.example b/vmware-tools/tools.conf.example
index a697e11..0e6dfff 100644
--- a/vmware-tools/tools.conf.example
+++ b/vmware-tools/tools.conf.example
@@ -217,6 +217,26 @@
# whether to include reserved space in diskInfo space metrics on Linux
#diskinfo-include-reserved=false
+[appinfo]
+
+# This plugin collects info about running applications in guest OS.
+
+# Set to true to disable the appinfo plugin.
+#disabled=false
+
+# User-defined poll interval in seconds. Set to 0 to disable the plugin.
+#poll-interval=21600
+
+# For Windows guest, set to true to use WMI for getting the application
+# version info, otherwise native Win32 API is used.
+#useWMI=false
+
+[servicediscovery]
+
+# This plugin provides admins with additional info for better VM management.
+
+# Set to true to disable the servicediscovery plugin.
+#disabled=false
[unity]
#
@@ -263,13 +283,22 @@
#execScripts=true
#scriptArg=
-# Linux only
+# Linux:
# The value of excludedFileSystems is a comma-separated list of glob-style
# patterns specifying the file systems to be excluded from quiesced snapshots.
# The patterns may use '*' (wildcard) to represent any string of characters
# and '?" (joker) to represent any single character. Note that the characters
# represented by these patters, '*' and '?" may include any characters,
# including '/'
+#
+# Windows:
+# The value of excludedFileSystems is a comma-separated list of mount points
+# specifying the volumes to be excluded from quiesced snapshots.
+# Each mount point must be a full path separated and ended with "\\".
+# to exclude volumes with drive letter E and mount point F:\mount\, set below
+# excludedFileSystems= E:\\,F:\\mount\\
+# This option only applies when app quiescing doesn't take effect.
+
#excludedFileSystems=
# Whether to execute scripts on quiescing.
@@ -315,3 +344,10 @@
# to disable guest customization
#enable-customization=false
+
+[cbhelper]
+
+# The carbonblack helper plugin is only available for Windows.
+
+# User-defined poll interval in seconds. Set to 0 to disable polling.
+#poll-interval=60
diff --git a/vmware-tools/vgauth.conf b/vmware-tools/vgauth.conf
index 2fbbc4e..c10de51 100644
--- a/vmware-tools/vgauth.conf
+++ b/vmware-tools/vgauth.conf
@@ -1,3 +1,5 @@
[service]
samlSchemaDir = /etc/vmware-tools/vgauth/schemas
+[localization]
+msgCatalog = /usr/share/open-vm-tools