diff --git a/.etckeeper b/.etckeeper
index d47f2b0..3710939 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -18,7 +18,6 @@ mkdir -p './cron.weekly'
mkdir -p './crypto-policies/policies/modules'
mkdir -p './cxs/newusers'
mkdir -p './dbus-1/session.d'
-mkdir -p './debuginfod'
mkdir -p './dkms/framework.conf.d'
mkdir -p './dnf/aliases.d'
mkdir -p './dnf/modules.defaults.d'
@@ -249,6 +248,7 @@ maybe chmod 0644 'bash_completion.d/python-argcomplete.sh'
maybe chmod 0644 'bash_completion.d/redefine_filedir'
maybe chmod 0644 'bash_completion.d/scl'
maybe chmod 0644 'bashrc'
+maybe chmod 0644 'bashrc.rpmnew'
maybe chmod 0644 'bindresvport.blacklist'
maybe chmod 0755 'binfmt.d'
maybe chmod 0644 'cczerc'
@@ -486,6 +486,7 @@ maybe chmod 0755 'dconf/db/distro.d/locks'
maybe chmod 0644 'dconf/db/local'
maybe chmod 0644 'dconf/db/site'
maybe chmod 0755 'debuginfod'
+maybe chmod 0644 'debuginfod/elfutils.urls'
maybe chmod 0755 'default'
maybe chmod 0644 'default/grub'
maybe chmod 0600 'default/useradd'
@@ -522,6 +523,7 @@ maybe chmod 0640 'dnf/modules.d/postgresql.module'
maybe chmod 0644 'dnf/modules.d/python27.module'
maybe chmod 0644 'dnf/modules.d/python36.module'
maybe chmod 0640 'dnf/modules.d/python38.module'
+maybe chmod 0640 'dnf/modules.d/python39.module'
maybe chmod 0644 'dnf/modules.d/redis.module'
maybe chmod 0644 'dnf/modules.d/ruby.module'
maybe chmod 0644 'dnf/modules.d/rust-toolset.module'
@@ -547,6 +549,7 @@ maybe chmod 0755 'dnf/vars'
maybe chmod 0644 'dnf/vars/contentdir'
maybe chmod 0644 'dnf/vars/infra'
maybe chmod 0644 'dnf/vars/infra.rpmsave'
+maybe chmod 0644 'dnf/vars/stream'
maybe chmod 0755 'docker'
maybe chmod 0640 'docker/daemon.json'
maybe chmod 0600 'docker/key.json'
@@ -957,6 +960,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
maybe chmod 0644 'httpd/conf.d/php.conf'
maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
maybe chmod 0644 'httpd/conf.d/userdir.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -4901,6 +4905,8 @@ maybe chmod 0644 'profile.d/colorxzgrep.sh'
maybe chmod 0644 'profile.d/colorzgrep.csh'
maybe chmod 0644 'profile.d/colorzgrep.sh'
maybe chmod 0644 'profile.d/csh.local'
+maybe chmod 0644 'profile.d/debuginfod.csh'
+maybe chmod 0644 'profile.d/debuginfod.sh'
maybe chmod 0644 'profile.d/gawk.csh'
maybe chmod 0644 'profile.d/gawk.sh'
maybe chmod 0640 'profile.d/grc.sh'
@@ -5515,6 +5521,7 @@ maybe chmod 0755 'systemd'
maybe chmod 0644 'systemd/coredump.conf'
maybe chmod 0644 'systemd/journald.conf'
maybe chmod 0644 'systemd/logind.conf'
+maybe chmod 0644 'systemd/logind.conf.rpmnew'
maybe chmod 0644 'systemd/resolved.conf'
maybe chmod 0755 'systemd/system'
maybe chmod 0644 'systemd/system.conf'
@@ -5654,6 +5661,8 @@ maybe chmod 0644 'yum.repos.d/almalinux-plus.repo'
maybe chmod 0644 'yum.repos.d/almalinux-powertools.repo'
maybe chmod 0644 'yum.repos.d/almalinux-resilientstorage.repo'
maybe chmod 0644 'yum.repos.d/almalinux-rt.repo'
+maybe chmod 0644 'yum.repos.d/almalinux-sap.repo'
+maybe chmod 0644 'yum.repos.d/almalinux-saphana.repo'
maybe chmod 0644 'yum.repos.d/almalinux.repo'
maybe chmod 0640 'yum.repos.d/atomic.repo'
maybe chmod 0640 'yum.repos.d/bestcrypt.repo'
diff --git a/aliases.db b/aliases.db
index d29131a..ac5eedf 100644
Binary files a/aliases.db and b/aliases.db differ
diff --git a/almalinux-release b/almalinux-release
index d8fe7c5..435b57e 100644
--- a/almalinux-release
+++ b/almalinux-release
@@ -1 +1 @@
-AlmaLinux release 8.6 (Sky Tiger)
+AlmaLinux release 8.7 (Stone Smilodon)
diff --git a/almalinux-release-upstream b/almalinux-release-upstream
index f1555e8..dc7a1a6 100644
--- a/almalinux-release-upstream
+++ b/almalinux-release-upstream
@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.6 (Source)
+Derived from Red Hat Enterprise Linux 8.7 (Source)
diff --git a/bashrc.rpmnew b/bashrc.rpmnew
new file mode 100644
index 0000000..d462ac7
--- /dev/null
+++ b/bashrc.rpmnew
@@ -0,0 +1,96 @@
+# /etc/bashrc
+
+# System wide functions and aliases
+# Environment stuff goes in /etc/profile
+
+# It's NOT a good idea to change this file unless you know what you
+# are doing. It's much better to create a custom.sh shell script in
+# /etc/profile.d/ to make custom changes to your environment, as this
+# will prevent the need for merging in future updates.
+
+# Prevent doublesourcing
+if [ -z "$BASHRCSOURCED" ]; then
+ BASHRCSOURCED="Y"
+
+ # are we an interactive shell?
+ if [ "$PS1" ]; then
+ if [ -z "$PROMPT_COMMAND" ]; then
+ case $TERM in
+ xterm*|vte*)
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+ fi
+ ;;
+ screen*)
+ if [ -e /etc/sysconfig/bash-prompt-screen ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
+ else
+ PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+ fi
+ ;;
+ *)
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+ ;;
+ esac
+ fi
+ # Turn on parallel history
+ shopt -s histappend
+ history -a
+ # Turn on checkwinsize
+ shopt -s checkwinsize
+ [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
+ # You might want to have e.g. tty in prompt (e.g. more virtual machines)
+ # and console windows
+ # If you want to do so, just add e.g.
+ # if [ "$PS1" ]; then
+ # PS1="[\u@\h:\l \W]\\$ "
+ # fi
+ # to your custom modification shell script in /etc/profile.d/ directory
+ fi
+
+ if ! shopt -q login_shell ; then # We're not a login shell
+ # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
+ pathmunge () {
+ case ":${PATH}:" in
+ *:"$1":*)
+ ;;
+ *)
+ if [ "$2" = "after" ] ; then
+ PATH=$PATH:$1
+ else
+ PATH=$1:$PATH
+ fi
+ esac
+ }
+
+ # By default, we want umask to get set. This sets it for non-login shell.
+ # Current threshold for system reserved uid/gids is 200
+ # You could check uidgid reservation validity in
+ # /usr/share/doc/setup-*/uidgid file
+ if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
+ umask 002
+ else
+ umask 022
+ fi
+
+ SHELL=/bin/bash
+ # Only display echos from profile.d scripts if we are no login shell
+ # and interactive - otherwise just process them to set envvars
+ for i in /etc/profile.d/*.sh; do
+ if [ -r "$i" ]; then
+ if [ "$PS1" ]; then
+ . "$i"
+ else
+ . "$i" >/dev/null
+ fi
+ fi
+ done
+
+ unset i
+ unset -f pathmunge
+ fi
+
+fi
+# vim:ts=4:sw=4
diff --git a/chrony.conf.rpmnew b/chrony.conf.rpmnew
index 7425d9a..9d0f700 100644
--- a/chrony.conf.rpmnew
+++ b/chrony.conf.rpmnew
@@ -1,6 +1,6 @@
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-pool 2.cloudlinux.pool.ntp.org iburst
+pool 2.almalinux.pool.ntp.org iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
diff --git a/csh.login b/csh.login
index e4b1990..18c5136 100644
--- a/csh.login
+++ b/csh.login
@@ -23,6 +23,7 @@ else
breaksw
endsw
end
+ unset p
endif
setenv HOSTNAME `/usr/bin/hostname`
diff --git a/debuginfod/elfutils.urls b/debuginfod/elfutils.urls
new file mode 100644
index 0000000..1f54c3c
--- /dev/null
+++ b/debuginfod/elfutils.urls
@@ -0,0 +1 @@
+https://debuginfod.centos.org/
diff --git a/dkms/framework.conf b/dkms/framework.conf
index 24725e8..127622d 100644
--- a/dkms/framework.conf
+++ b/dkms/framework.conf
@@ -28,7 +28,10 @@
# Location of the sign-file kernel binary (default: depends on distribution):
# sign_file="/path/to/sign-file"
-# Location of the key and certificate used for Secure boot (default: /var/lib/dkms):
+# Location of the key and certificate files used for Secure boot.
+# mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
+# long as the sign_file program supports it.
+# (default: /var/lib/dkms):
# mok_signing_key=/var/lib/dkms/mok.key
# mok_certificate=/var/lib/dkms/mok.pub
diff --git a/dnf/modules.d/python39.module b/dnf/modules.d/python39.module
new file mode 100644
index 0000000..704a05f
--- /dev/null
+++ b/dnf/modules.d/python39.module
@@ -0,0 +1,5 @@
+[python39]
+name=python39
+stream=3.9
+profiles=
+state=enabled
diff --git a/dnf/vars/stream b/dnf/vars/stream
new file mode 100644
index 0000000..481c83e
--- /dev/null
+++ b/dnf/vars/stream
@@ -0,0 +1 @@
+8-stream
diff --git a/group b/group
index 2e988e9..22094d1 100644
--- a/group
+++ b/group
@@ -43,7 +43,6 @@ cockpit-ws:x:991:
cockpit-wsinstance:x:990:
sshd:x:74:
chrony:x:989:
-rngd:x:988:
slocate:x:21:
named:x:25:
redis:x:987:
diff --git a/group- b/group-
index a3eef53..2e988e9 100644
--- a/group-
+++ b/group-
@@ -50,7 +50,7 @@ redis:x:987:
memcached:x:986:
nginx:x:985:madalin,smiti
apache:x:48:
-docker:x:984:
+docker:x:984:sftp
cgred:x:983:
dovecot:x:97:
dovenull:x:982:
diff --git a/gshadow b/gshadow
index eff699b..8daf797 100644
--- a/gshadow
+++ b/gshadow
@@ -43,7 +43,6 @@ cockpit-ws:!::
cockpit-wsinstance:!::
sshd:!::
chrony:!::
-rngd:!::
slocate:!::
named:!::
redis:!::
diff --git a/gshadow- b/gshadow-
index 318e289..eff699b 100644
--- a/gshadow-
+++ b/gshadow-
@@ -50,7 +50,7 @@ redis:!::
memcached:!::
nginx:!::madalin,smiti
apache:!::
-docker:!::
+docker:!::sftp
cgred:!::
dovecot:!::
dovenull:!::
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
diff --git a/nfs.conf b/nfs.conf
index 86ed7d5..30f9e10 100644
--- a/nfs.conf
+++ b/nfs.conf
@@ -5,6 +5,10 @@
[general]
# pipefs-directory=/var/lib/nfs/rpc_pipefs
#
+[nfsrahead]
+# nfs=15000
+# nfs4=16000
+#
[exportfs]
# debug=0
#
diff --git a/pam.d/systemd-user b/pam.d/systemd-user
index 2725df9..8607d4f 100644
--- a/pam.d/systemd-user
+++ b/pam.d/systemd-user
@@ -2,6 +2,7 @@
#
# Used by systemd --user instances.
+account sufficient pam_unix.so no_pass_expiry
account include system-auth
session required pam_selinux.so close
diff --git a/passwd b/passwd
index dddd067..3dd135a 100644
--- a/passwd
+++ b/passwd
@@ -25,7 +25,6 @@ cockpit-ws:x:994:991:User for cockpit web service:/nonexisting:/sbin/nologin
cockpit-wsinstance:x:993:990:User for cockpit-ws instances:/nonexisting:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:992:989::/var/lib/chrony:/sbin/nologin
-rngd:x:991:988:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
redis:x:990:987:Redis Database Server:/var/lib/redis:/sbin/nologin
memcached:x:989:986:Memcached daemon:/run/memcached:/sbin/nologin
diff --git a/passwd- b/passwd-
index 5d2c175..dddd067 100644
--- a/passwd-
+++ b/passwd-
@@ -76,3 +76,4 @@ bogdan:x:1019:1020::/home/bogdan:/bin/bash
squid:x:23:23::/var/spool/squid:/sbin/nologin
laser:x:1020:1021::/home/laser:/bin/bash
pydio:x:1021:1022::/home/pydio:/bin/bash
+sftp:x:1023:1023::/home/sftp:/bin/bash
diff --git a/profile.d/debuginfod.csh b/profile.d/debuginfod.csh
new file mode 100644
index 0000000..c01f682
--- /dev/null
+++ b/profile.d/debuginfod.csh
@@ -0,0 +1,16 @@
+# $HOME/.login* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if (! $?DEBUGINFOD_URLS) then
+ set prefix="/usr"
+ set DEBUGINFOD_URLS=`sh -c 'cat "$0"/*.urls 2>/dev/null; :' "/etc/debuginfod" | tr '\n' ' '`
+ if ( "$DEBUGINFOD_URLS" != "" ) then
+ setenv DEBUGINFOD_URLS "$DEBUGINFOD_URLS"
+ else
+ unset DEBUGINFOD_URLS
+ endif
+ unset prefix
+endif
diff --git a/profile.d/debuginfod.sh b/profile.d/debuginfod.sh
new file mode 100644
index 0000000..8f94ca4
--- /dev/null
+++ b/profile.d/debuginfod.sh
@@ -0,0 +1,12 @@
+# $HOME/.profile* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if [ -z "$DEBUGINFOD_URLS" ]; then
+ prefix="/usr"
+ DEBUGINFOD_URLS=$(cat "/etc/debuginfod"/*.urls 2>/dev/null | tr '\n' ' ')
+ [ -n "$DEBUGINFOD_URLS" ] && export DEBUGINFOD_URLS || unset DEBUGINFOD_URLS
+ unset prefix
+fi
diff --git a/profile.d/which2.sh b/profile.d/which2.sh
index 0f47f9e..bca5347 100644
--- a/profile.d/which2.sh
+++ b/profile.d/which2.sh
@@ -20,7 +20,7 @@ bash|sh)
;;
esac
-which () {
+function which {
(alias; eval ${which_declare}) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot $@
}
diff --git a/rspamd/composites.conf b/rspamd/composites.conf
index cd03d5f..e2096b2 100644
--- a/rspamd/composites.conf
+++ b/rspamd/composites.conf
@@ -53,7 +53,17 @@ composites {
expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
score = 1.0;
policy = "remove_weight";
- description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
+ description = "Authenticating message via SPF/DKIM/DMARC/ARC not available";
+ }
+ AUTH_NA_OR_FAIL {
+ expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";
+ score = 1.0;
+ policy = "remove_weight";
+ description = "No authenticating method SPF/DKIM/DMARC/ARC was successful";
+ }
+ BOUNCE_NO_AUTH {
+ expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)";
+ score = 1.0;
}
DKIM_MIXED {
expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
@@ -154,6 +164,13 @@ composites {
score = 7.0;
group = "scams";
}
+
+ FREEMAIL_AFF {
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+ score = 4.0;
+ policy = "leave";
+ description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index 04d81f2..6ae58a8 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-9fe72523a1a52ad8db6852cfa216b14f18e3ea0c50d5059245a744898c086c55c645bd656aff473a20bf5827b92135b0b07c0d41915e237d3564371bec868156
+57a40f0b00b666b2b42c16c54b8626e0c7729e48adf14e7451f99fe7b2a9faa8b6dfb4bfee4b09eb157013cc85229b19a2a8a107d102d1743103eb7cd7f83aef
diff --git a/selinux/targeted/contexts/files/file_contexts b/selinux/targeted/contexts/files/file_contexts
index 6426122..eef63d7 100644
--- a/selinux/targeted/contexts/files/file_contexts
+++ b/selinux/targeted/contexts/files/file_contexts
@@ -2129,6 +2129,7 @@
/var/log/turboprint.* system_u:object_r:cupsd_log_t:s0
/var/run/certmaster.* system_u:object_r:certmaster_var_run_t:s0
/var/run/certmonger.* system_u:object_r:certmonger_var_run_t:s0
+/var/run/irqbalance.* system_u:object_r:irqbalance_var_run_t:s0
/var/run/keepalived.* system_u:object_r:keepalived_var_run_t:s0
/opt/google/chrome/.*\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/share/sectool/.*\.py -- system_u:object_r:bin_t:s0
@@ -2783,7 +2784,6 @@
/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
/var/spool/retrace-server(/.*)? system_u:object_r:abrt_retrace_spool_t:s0
-/var/tmp/insights-archive(/.*)? system_u:object_r:insights_client_tmp_t:s0
/var/www/cgi-bin/keystone(/.*)? system_u:object_r:keystone_cgi_script_exec_t:s0
/var/spool/postfix/lib/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
@@ -3250,6 +3250,7 @@
/usr/lib/systemd/system/openstack-nova-* -- system_u:object_r:nova_unit_file_t:s0
/usr/lib/systemd/system-generators/lvm2.* -- system_u:object_r:lvm_exec_t:s0
/usr/lib/systemd/system/dnssec-triggerd.* -- system_u:object_r:dnssec_trigger_unit_file_t:s0
+/usr/lib/systemd/system/insights-client.* -- system_u:object_r:insights_client_unit_file_t:s0
/usr/lib/systemd/system/openstack-swift.* -- system_u:object_r:swift_unit_file_t:s0
/usr/lib/systemd/system/rabbitmq-server.* -- system_u:object_r:rabbitmq_unit_file_t:s0
/etc/boinc-client/global_prefs_override.xml -- system_u:object_r:boinc_var_lib_t:s0
@@ -5313,7 +5314,6 @@
/var/qmail/bin/sendmail -- system_u:object_r:sendmail_exec_t:s0
/var/qmail/bin/splogger -- system_u:object_r:qmail_splogger_exec_t:s0
/var/run/consolekit\.pid -- system_u:object_r:consolekit_var_run_t:s0
-/var/run/irqbalance\.pid -- system_u:object_r:irqbalance_var_run_t:s0
/var/run/powersaved\.pid -- system_u:object_r:apmd_var_run_t:s0
/var/run/rpc\.statd\.lock -- system_u:object_r:rpcd_lock_t:s0
/var/run/samba/nmbd\.pid -- system_u:object_r:nmbd_var_run_t:s0
@@ -5501,6 +5501,7 @@
/opt/likewise/sbin/lwregd -- system_u:object_r:lwregd_exec_t:s0
/sbin/pam_timestamp_check -- system_u:object_r:pam_timestamp_exec_t:s0
/sys/kernel/uevent_helper -- system_u:object_r:usermodehelper_t:s0
+/tmp/insights-client\.ppid -- system_u:object_r:insights_client_tmp_t:s0
/usr/afs/bin/dafileserver -- system_u:object_r:afs_fsserver_exec_t:s0
/usr/bin/cinder-scheduler -- system_u:object_r:cinder_scheduler_exec_t:s0
/usr/bin/cpufreq-selector -- system_u:object_r:cpufreqselector_exec_t:s0
@@ -5835,6 +5836,7 @@
/usr/libexec/pcp/lib/pmproxy -- system_u:object_r:pcp_pmproxy_initrc_exec_t:s0
/usr/libexec/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t:s0
/usr/libexec/postfix/virtual -- system_u:object_r:postfix_virtual_exec_t:s0
+/usr/libexec/samba/rpcd_lsad -- system_u:object_r:winbind_rpcd_exec_t:s0
/usr/libexec/telepathy-rakia -- system_u:object_r:telepathy_sofiasip_exec_t:s0
/usr/libexec/telepathy-salut -- system_u:object_r:telepathy_salut_exec_t:s0
/usr/libexec/udisks2/udisksd -- system_u:object_r:devicekit_disk_exec_t:s0
@@ -5930,6 +5932,7 @@
/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
/var/run/samba/share_info\.tdb -- system_u:object_r:smbd_var_run_t:s0
/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
+/var/tmp/insights-client\.ppid -- system_u:object_r:insights_client_tmp_t:s0
/var/www/apcupsd/multimon\.cgi -- system_u:object_r:apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsimage\.cgi -- system_u:object_r:apcupsd_cgi_script_exec_t:s0
/var/www/apcupsd/upsstats\.cgi -- system_u:object_r:apcupsd_cgi_script_exec_t:s0
@@ -6078,6 +6081,7 @@
/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
/usr/libexec/openssh/sshd-keygen -- system_u:object_r:sshd_keygen_exec_t:s0
+/usr/libexec/samba/samba-dcerpcd -- system_u:object_r:winbind_rpcd_exec_t:s0
/usr/libexec/squid/cache_swap\.sh -- system_u:object_r:squid_exec_t:s0
/usr/libexec/telepathy-butterfly -- system_u:object_r:telepathy_msn_exec_t:s0
/usr/sbin/abrt-install-ccpp-hook -- system_u:object_r:abrt_exec_t:s0
@@ -6153,6 +6157,7 @@
/var/lib/likewise-open/rpc/socket -s system_u:object_r:eventlogd_var_socket_t:s0
/var/run/\.heim_org\.h5l\.kcm-socket -s system_u:object_r:sssd_var_run_t:s0
/etc/Pegasus/pegasus_current\.conf system_u:object_r:pegasus_data_t:s0
+/etc/insights-client/\.unregistered -- system_u:object_r:insights_client_etc_rw_t:s0
/etc/named\.caching-nameserver\.conf -- system_u:object_r:named_conf_t:s0
/etc/pki/tls/certs/make-dummy-cert -- system_u:object_r:bin_t:s0
/etc/sysconfig/update_spamassassin -- system_u:object_r:mscan_etc_t:s0
@@ -6276,6 +6281,7 @@
/usr/lib/systemd/system/cgdcbxd\.service -- system_u:object_r:cgdcbxd_unit_file_t:s0
/usr/lib/systemd/system/ipmievd\.service -- system_u:object_r:ipmievd_unit_file_t:s0
/usr/lib/systemd/system/rpcbind\.service -- system_u:object_r:rpcbind_unit_file_t:s0
+/usr/lib/systemd/system/sa-update\.timer -- system_u:object_r:spamd_update_unit_file_t:s0
/usr/lib/systemd/system/sanlock\.service -- system_u:object_r:sanlock_unit_file_t:s0
/usr/lib/systemd/systemd-fence_sanlockd -- system_u:object_r:fenced_exec_t:s0
/usr/lib/systemd/systemd-journal-upload -- system_u:object_r:systemd_journal_upload_exec_t:s0
@@ -6307,6 +6313,7 @@
/etc/sysconfig/network-scripts/ifup-ipsec -- system_u:object_r:initrc_exec_t:s0
/usr/bin/systemd-gnome-ask-password-agent -- system_u:object_r:systemd_passwd_agent_exec_t:s0
/usr/lib/dbus-1/dbus-daemon-launch-helper -- system_u:object_r:dbusd_exec_t:s0
+/usr/lib/systemd/system/sa-update\.service -- system_u:object_r:spamd_update_unit_file_t:s0
/usr/lib/systemd/systemd-user-runtime-dir -- system_u:object_r:systemd_logind_exec_t:s0
/usr/lib/vlc/codec/librealaudio_plugin\.so -- system_u:object_r:textrel_shlib_t:s0
/usr/lib/vlc/codec/librealvideo_plugin\.so -- system_u:object_r:textrel_shlib_t:s0
@@ -6332,11 +6339,13 @@
/usr/libexec/microcode_ctl/reload_microcode -- system_u:object_r:cpucontrol_exec_t:s0
/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- system_u:object_r:pegasus_openlmi_system_exec_t:s0
/usr/libexec/polkit-1/polkit-agent-helper-1 -- system_u:object_r:policykit_auth_exec_t:s0
+/usr/libexec/rhc/rhc-package-manager-worker -- system_u:object_r:rpm_exec_t:s0
/usr/libexec/selinux/semanage_migrate_store -- system_u:object_r:semanage_exec_t:s0
/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
/usr/lib/systemd/system/boinc-client\.service -- system_u:object_r:boinc_unit_file_t:s0
/usr/lib/systemd/system/dirsrv-admin\.service -- system_u:object_r:dirsrvadmin_unit_file_t:s0
/usr/lib/systemd/system/sanlk-resetd\.service -- system_u:object_r:sanlk_resetd_unit_file_t:s0
+/usr/lib/systemd/system/spamassassin\.service -- system_u:object_r:spamd_unit_file_t:s0
/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
/etc/dnssec-trigger/dnssec_trigger_server\.key -- system_u:object_r:dnssec_t:s0
/usr/libexec/dbus-1/dbus-daemon-launch-helper -- system_u:object_r:dbusd_exec_t:s0
diff --git a/selinux/targeted/contexts/files/file_contexts.bin b/selinux/targeted/contexts/files/file_contexts.bin
index 3eb192d..171aac2 100644
Binary files a/selinux/targeted/contexts/files/file_contexts.bin and b/selinux/targeted/contexts/files/file_contexts.bin differ
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index c4eb532..cd6d025 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ
diff --git a/shadow b/shadow
index 9d934b2..5df9f03 100644
--- a/shadow
+++ b/shadow
@@ -25,7 +25,6 @@ cockpit-ws:!!:18424::::::
cockpit-wsinstance:!!:18424::::::
sshd:!!:18424::::::
chrony:!!:18424::::::
-rngd:!!:18424::::::
named:!!:18526::::::
redis:!!:18526::::::
memcached:!!:18526::::::
diff --git a/shadow- b/shadow-
index e5f8e82..9d934b2 100644
--- a/shadow-
+++ b/shadow-
@@ -35,7 +35,7 @@ dovecot:!!:18526::::::
dovenull:!!:18526::::::
postfix:!!:18526::::::
mysql:!!:18526::::::
-madalin:$6$EiMxEtxQguelfC4J$gD2fVn5XDfgJG.50Stc9/tZtL2VxJNBmAklHZj2k9nIzQRuU.rzEwf5ktDUy/4f/..R5AUvE3Q2IWnniZ7xIZ0:18764:0:99999:7:::
+madalin:$6$o5gdTOT7LTSGwvLw$RWG5G9gx7lGmA7yqkTYueqZcm.5C5tUmngV01pmiqWpfFkH9uUoJMx1p3lZUP8R.h43NYIiH7IePvP1sHd4aN/:19296:0:99999:7:::
sslh:!!:18527::::::
vampi:$6$tRIULiDksEzmp1/r$0wXDJUfPNaUIio90.hQrQy10943EpXazN7GdVxo1ZFh3hWfHaw.X3uWl6UVTBZgWfgmk3719HzfnoYNwHhpfb.:18639:0:99999:7:::
_rspamd:!!:18527::::::
@@ -76,3 +76,4 @@ bogdan:mCxaxi7Ck2FlI:18822:0:99999:7:30::
squid:!!:18921::::::
laser:$6$3IDnJkLhNhDa5MUg$ysajgR6P3uElTVSBuLJbix4lHHNheJ.JBIrGFRvUPsY2/265PmO3vjgWTculxKkywvas0vcVrX3Q4QQZ/qufR.:18954:0:99999:7:30::
pydio:!!:19102:0:99999:7:30::
+sftp:!!:19193:0:99999:7:30::
diff --git a/ssh/sshd_config.rpmnew b/ssh/sshd_config.rpmnew
index 80fbf3d..4aad59d 100644
--- a/ssh/sshd_config.rpmnew
+++ b/ssh/sshd_config.rpmnew
@@ -96,7 +96,7 @@ GSSAPICleanupCredentials no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
# problems.
UsePAM yes
diff --git a/sysconfig/rngd b/sysconfig/rngd
index f0da1d9..dbb6f7a 100644
--- a/sysconfig/rngd
+++ b/sysconfig/rngd
@@ -1,3 +1,3 @@
# Optional arguments passed to rngd. See rngd(8) and
# https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
-RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist"
+RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon"
diff --git a/systemd/logind.conf.rpmnew b/systemd/logind.conf.rpmnew
new file mode 100644
index 0000000..ed65ee5
--- /dev/null
+++ b/systemd/logind.conf.rpmnew
@@ -0,0 +1,38 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+#HandlePowerKey=poweroff
+#HandleSuspendKey=suspend
+#HandleHibernateKey=hibernate
+#HandleLidSwitch=suspend
+#HandleLidSwitchExternalPower=suspend
+#HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=no
+#InhibitorsMax=8192
+#SessionsMax=8192
+#StopIdleSessionSec=infinity
diff --git a/systemd/system.conf b/systemd/system.conf
index 2e8538b..f3a716f 100644
--- a/systemd/system.conf
+++ b/systemd/system.conf
@@ -37,6 +37,7 @@
#DefaultStandardError=inherit
#DefaultTimeoutStartSec=90s
#DefaultTimeoutStopSec=90s
+#DefaultDeviceTimeoutSec=90s
#DefaultRestartSec=100ms
#DefaultStartLimitIntervalSec=10s
#DefaultStartLimitBurst=5
diff --git a/unbound/icannbundle.pem b/unbound/icannbundle.pem
index d76ce0b..ceeef5b 100644
--- a/unbound/icannbundle.pem
+++ b/unbound/icannbundle.pem
@@ -1,59 +1,3 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
- Validity
- Not Before: Dec 23 04:19:12 2009 GMT
- Not After : Dec 18 04:19:12 2029 GMT
- Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
- bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
- 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
- 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
- fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
- 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
- e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
- d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
- e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
- 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
- 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
- ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
- 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
- 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
- 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
- 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
- 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
- 85:41
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
- X509v3 Subject Key Identifier:
- BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
- Signature Algorithm: sha256WithRSAEncryption
- 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
- 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
- c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
- b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
- 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
- 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
- 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
- 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
- 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
- 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
- c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
- 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
- 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
- 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
- e7:40:61:a4
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
-----END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 11 (0xb)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
- Validity
- Not Before: Nov 8 23:39:47 2016 GMT
- Not After : Nov 6 23:39:47 2026 GMT
- Subject: O=ICANN, CN=ICANN EMAIL CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
- 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
- c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
- 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
- 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
- fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
- a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
- 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
- db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
- d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
- 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
- 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
- b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
- d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
- 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
- fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
- 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
- 4d:b1
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
- keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
- X509v3 Subject Key Identifier:
- 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
- Signature Algorithm: sha256WithRSAEncryption
- 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
- 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
- 95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
- 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
- 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
- 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
- e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
- b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
- d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
- ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
- 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
- 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
- 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
- e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
- be:7e:36:be
------BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
-DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
-IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
-9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
-jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
-LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
-ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
-VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
-QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
-ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
-tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
-SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
-lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
-CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
-DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
-SMNGv75+Nr4=
------END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 10 (0xa)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
- Validity
- Not Before: Nov 8 23:38:16 2016 GMT
- Not After : Nov 6 23:38:16 2026 GMT
- Subject: O=ICANN, CN=ICANN SSL CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
- 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
- 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
- e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
- 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
- 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
- dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
- 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
- f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
- d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
- f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
- 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
- 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
- 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
- e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
- 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
- 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
- e2:c5
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
- keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
- X509v3 Subject Key Identifier:
- 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
- Signature Algorithm: sha256WithRSAEncryption
- 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
- 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
- cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
- 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
- 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
- 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
- fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
- e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
- f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
- c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
- 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
- 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
- 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
- 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
- 2d:70:f2:08
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
-DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
-IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
-K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
-VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
-nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
-kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
-yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
-kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
-qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
-K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
-tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
-Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
-C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
-jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
-T5ktcPII
------END CERTIFICATE-----
diff --git a/vmware-tools/tools.conf.example b/vmware-tools/tools.conf.example
index 1682c3c..bfcf952 100644
--- a/vmware-tools/tools.conf.example
+++ b/vmware-tools/tools.conf.example
@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2021 VMware, Inc. All rights reserved.
+# Copyright (c) 2019-2022 VMware, Inc. All rights reserved.
# "CAUTION: tools.conf is highly syntax sensitive file. Use extreme caution
# while editing it. If modified, it is automatically re-loaded by
@@ -245,6 +245,44 @@
# whether to include reserved space in diskInfo space metrics on Linux
#diskinfo-include-reserved=false
+[globalconf]
+
+# The GlobalConf feature provides an ability for the vSphere administrators
+# to distribute a 'VMware Tools Configuration File' (tools.conf) via the
+# GuestStore for multiple VMs at scale.
+
+# Defines the configuration to enable/disable the GlobalConf module.
+# Set to true to enable the module.
+# Set to false to disable the module. Default false.
+#enabled=false
+
+# Defines a custom GlobalConf poll interval (in seconds).
+# Default 3600 seconds. Minimum 1800 seconds.
+#poll-interval=3600
+
+# Defines the global configuration resource in GuestStore.
+# Windows guests
+#resource=/vmware/configurations/vmtools/windows/tools.conf
+#
+# Linux guests
+#resource=/vmware/configurations/vmtools/linux/tools.conf
+
+[componentmgr]
+
+# This plugin manages the known and enabled components add/remove status.
+# The plugin polls at regular interval and triggers action add/remove for
+# all the known and enabled components in the componentMgr plugin.
+
+# Default and minimum polling interval in seconds (0 => polling disabled)
+#poll-interval=180
+
+# Comma separated list of components managed by the plugin. If not specified,
+# default value is all, which means all components are enabled by default.
+# A special value of none means no component, which is equivalent to disabling
+# the plugin completely. Value is parsed left to right and parsing stops at
+# first occurrence of all or none or end of line.
+#included=all
+
[appinfo]
# This plugin collects info about running applications in guest OS.
@@ -259,6 +297,35 @@
# version info, otherwise native Win32 API is used.
#useWMI=false
+# Whether to remove the duplicate applications information in the
+# guestinfo variable.
+#remove-duplicates=true
+
+[containerinfo]
+
+# This plugin collects info about running containers in guest OS.
+
+# User-defined poll interval in seconds. Set to 0 to disable the plugin.
+#poll-interval=21600
+
+# Maximum number of containers to be retrieved per namespace.
+#max-containers=256
+
+# Whether to remove the duplicate containers information in the
+# guestinfo variable.
+#remove-duplicates=true
+
+# Unix socket to use to communicate with the docker daemon.
+#docker-unix-socket=/var/run/docker.sock
+
+# The unix socket to connect to communicate with containerd grpc server
+# for retrieving the list of running containers.
+#containerd-unix-socket=/run/containerd/containerd.sock
+
+# List of namespaces to be queried for the running containers.
+# The value for this key is a comman separated list.
+#allowed-namespaces=moby,k8s.io,default
+
[servicediscovery]
# This plugin provides admins with additional info for better VM management.
diff --git a/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd b/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd
index 6aa3b27..9bbfa26 100644
--- a/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd
+++ b/vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd
@@ -1,283 +1,283 @@
-
-
-
-
-
-
- Document identifier: saml-schema-assertion-2.0
- Location: http://docs.oasis-open.org/security/saml/v2.0/
- Revision history:
- V1.0 (November, 2002):
- Initial Standard Schema.
- V1.1 (September, 2003):
- Updates within the same V1.0 namespace.
- V2.0 (March, 2005):
- New assertion schema for SAML V2.0 namespace.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+ Document identifier: saml-schema-assertion-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New assertion schema for SAML V2.0 namespace.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/yum.repos.d/almalinux-sap.repo b/yum.repos.d/almalinux-sap.repo
new file mode 100644
index 0000000..ba71bff
--- /dev/null
+++ b/yum.repos.d/almalinux-sap.repo
@@ -0,0 +1,28 @@
+# almalinux-sap.repo
+
+[sap]
+name=AlmaLinux $releasever - SAP
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap
+# baseurl=https://repo.almalinux.org/almalinux/$releasever/SAP/$basearch/os/
+enabled=0
+gpgcheck=1
+countme=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Sources
+[sap-source]
+name=AlmaLinux $releasever - SAP Sources
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap-source
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAP/Source/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Debuginfo
+[sap-debuginfo]
+name=AlmaLinux $releasever - SAP Debuginfo
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap-debuginfo
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAP/debug/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
diff --git a/yum.repos.d/almalinux-saphana.repo b/yum.repos.d/almalinux-saphana.repo
new file mode 100644
index 0000000..f1616ad
--- /dev/null
+++ b/yum.repos.d/almalinux-saphana.repo
@@ -0,0 +1,28 @@
+# almalinux-saphana.repo
+
+[saphana]
+name=AlmaLinux $releasever - SAP HANA
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana
+# baseurl=https://repo.almalinux.org/almalinux/$releasever/SAPHANA/$basearch/os/
+enabled=0
+gpgcheck=1
+countme=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Sources
+[saphana-source]
+name=AlmaLinux $releasever - SAP HANA Sources
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana-source
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAPHANA/Source/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Debuginfo
+[saphana-debuginfo]
+name=AlmaLinux $releasever - SAP HANA Debuginfo
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana-debuginfo
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAPHANA/debug/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
diff --git a/yum.repos.d/epel-modular.repo b/yum.repos.d/epel-modular.repo
index 98f41c6..6824726 100644
--- a/yum.repos.d/epel-modular.repo
+++ b/yum.repos.d/epel-modular.repo
@@ -1,16 +1,18 @@
[epel-modular]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Modular/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-modular-8&arch=$basearch&infra=$infra&content=$contentdir
-enabled=1
+enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
[epel-modular-debuginfo]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Debug
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Debug - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Modular/$basearch/debug
@@ -20,7 +22,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1
[epel-modular-source]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Source
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Source - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place it's address here.
#baseurl=https://download.example/pub/epel/8/Modular/source/tree/
diff --git a/yum.repos.d/epel-testing-modular.repo b/yum.repos.d/epel-testing-modular.repo
index cb0f517..8316709 100644
--- a/yum.repos.d/epel-testing-modular.repo
+++ b/yum.repos.d/epel-testing-modular.repo
@@ -1,5 +1,6 @@
[epel-testing-modular]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/testing/8/Modular/$basearch
@@ -10,7 +11,8 @@ countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
[epel-testing-modular-debuginfo]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Debug
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Debug - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/testing/8/Modular/$basearch/debug
@@ -20,7 +22,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
gpgcheck=1
[epel-testing-modular-source]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Source
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Source - DEPRECATED
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place it's address here.
#baseurl=https://download.example/pub/epel/testing/8/Modular/source/tree/