committing changes in /etc made by "-bash"

Package changes:

.etckeeper

@@ -18,7 +18,6 @@ mkdir -p './cron.weekly'
 mkdir -p './crypto-policies/policies/modules'
 mkdir -p './cxs/newusers'
 mkdir -p './dbus-1/session.d'
-mkdir -p './debuginfod'
 mkdir -p './dkms/framework.conf.d'
 mkdir -p './dnf/aliases.d'
 mkdir -p './dnf/modules.defaults.d'
@@ -249,6 +248,7 @@ maybe chmod 0644 'bash_completion.d/python-argcomplete.sh'
 maybe chmod 0644 'bash_completion.d/redefine_filedir'
 maybe chmod 0644 'bash_completion.d/scl'
 maybe chmod 0644 'bashrc'
+maybe chmod 0644 'bashrc.rpmnew'
 maybe chmod 0644 'bindresvport.blacklist'
 maybe chmod 0755 'binfmt.d'
 maybe chmod 0644 'cczerc'
@@ -486,6 +486,7 @@ maybe chmod 0755 'dconf/db/distro.d/locks'
 maybe chmod 0644 'dconf/db/local'
 maybe chmod 0644 'dconf/db/site'
 maybe chmod 0755 'debuginfod'
+maybe chmod 0644 'debuginfod/elfutils.urls'
 maybe chmod 0755 'default'
 maybe chmod 0644 'default/grub'
 maybe chmod 0600 'default/useradd'
@@ -522,6 +523,7 @@ maybe chmod 0640 'dnf/modules.d/postgresql.module'
 maybe chmod 0644 'dnf/modules.d/python27.module'
 maybe chmod 0644 'dnf/modules.d/python36.module'
 maybe chmod 0640 'dnf/modules.d/python38.module'
+maybe chmod 0640 'dnf/modules.d/python39.module'
 maybe chmod 0644 'dnf/modules.d/redis.module'
 maybe chmod 0644 'dnf/modules.d/ruby.module'
 maybe chmod 0644 'dnf/modules.d/rust-toolset.module'
@@ -547,6 +549,7 @@ maybe chmod 0755 'dnf/vars'
 maybe chmod 0644 'dnf/vars/contentdir'
 maybe chmod 0644 'dnf/vars/infra'
 maybe chmod 0644 'dnf/vars/infra.rpmsave'
+maybe chmod 0644 'dnf/vars/stream'
 maybe chmod 0755 'docker'
 maybe chmod 0640 'docker/daemon.json'
 maybe chmod 0600 'docker/key.json'
@@ -957,6 +960,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -4901,6 +4905,8 @@ maybe chmod 0644 'profile.d/colorxzgrep.sh'
 maybe chmod 0644 'profile.d/colorzgrep.csh'
 maybe chmod 0644 'profile.d/colorzgrep.sh'
 maybe chmod 0644 'profile.d/csh.local'
+maybe chmod 0644 'profile.d/debuginfod.csh'
+maybe chmod 0644 'profile.d/debuginfod.sh'
 maybe chmod 0644 'profile.d/gawk.csh'
 maybe chmod 0644 'profile.d/gawk.sh'
 maybe chmod 0640 'profile.d/grc.sh'
@@ -5515,6 +5521,7 @@ maybe chmod 0755 'systemd'
 maybe chmod 0644 'systemd/coredump.conf'
 maybe chmod 0644 'systemd/journald.conf'
 maybe chmod 0644 'systemd/logind.conf'
+maybe chmod 0644 'systemd/logind.conf.rpmnew'
 maybe chmod 0644 'systemd/resolved.conf'
 maybe chmod 0755 'systemd/system'
 maybe chmod 0644 'systemd/system.conf'
@@ -5654,6 +5661,8 @@ maybe chmod 0644 'yum.repos.d/almalinux-plus.repo'
 maybe chmod 0644 'yum.repos.d/almalinux-powertools.repo'
 maybe chmod 0644 'yum.repos.d/almalinux-resilientstorage.repo'
 maybe chmod 0644 'yum.repos.d/almalinux-rt.repo'
+maybe chmod 0644 'yum.repos.d/almalinux-sap.repo'
+maybe chmod 0644 'yum.repos.d/almalinux-saphana.repo'
 maybe chmod 0644 'yum.repos.d/almalinux.repo'
 maybe chmod 0640 'yum.repos.d/atomic.repo'
 maybe chmod 0640 'yum.repos.d/bestcrypt.repo'

almalinux-release

@@ -1 +1 @@
-AlmaLinux release 8.6 (Sky Tiger)
+AlmaLinux release 8.7 (Stone Smilodon)

almalinux-release-upstream

@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.6 (Source)
+Derived from Red Hat Enterprise Linux 8.7 (Source)

bashrc.rpmnew

@@ -0,0 +1,96 @@
+# /etc/bashrc
+
+# System wide functions and aliases
+# Environment stuff goes in /etc/profile
+
+# It's NOT a good idea to change this file unless you know what you
+# are doing. It's much better to create a custom.sh shell script in
+# /etc/profile.d/ to make custom changes to your environment, as this
+# will prevent the need for merging in future updates.
+
+# Prevent doublesourcing
+if [ -z "$BASHRCSOURCED" ]; then
+  BASHRCSOURCED="Y"
+
+  # are we an interactive shell?
+  if [ "$PS1" ]; then
+    if [ -z "$PROMPT_COMMAND" ]; then
+      case $TERM in
+      xterm*|vte*)
+        if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+        else
+            PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+        fi
+        ;;
+      screen*)
+        if [ -e /etc/sysconfig/bash-prompt-screen ]; then
+            PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
+        else
+            PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
+        fi
+        ;;
+      *)
+        [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+        ;;
+      esac
+    fi
+    # Turn on parallel history
+    shopt -s histappend
+    history -a
+    # Turn on checkwinsize
+    shopt -s checkwinsize
+    [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
+    # You might want to have e.g. tty in prompt (e.g. more virtual machines)
+    # and console windows
+    # If you want to do so, just add e.g.
+    # if [ "$PS1" ]; then
+    #   PS1="[\u@\h:\l \W]\\$ "
+    # fi
+    # to your custom modification shell script in /etc/profile.d/ directory
+  fi
+
+  if ! shopt -q login_shell ; then # We're not a login shell
+    # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
+    pathmunge () {
+        case ":${PATH}:" in
+            *:"$1":*)
+                ;;
+            *)
+                if [ "$2" = "after" ] ; then
+                    PATH=$PATH:$1
+                else
+                    PATH=$1:$PATH
+                fi
+        esac
+    }
+
+    # By default, we want umask to get set. This sets it for non-login shell.
+    # Current threshold for system reserved uid/gids is 200
+    # You could check uidgid reservation validity in
+    # /usr/share/doc/setup-*/uidgid file
+    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
+       umask 002
+    else
+       umask 022
+    fi
+
+    SHELL=/bin/bash
+    # Only display echos from profile.d scripts if we are no login shell
+    # and interactive - otherwise just process them to set envvars
+    for i in /etc/profile.d/*.sh; do
+        if [ -r "$i" ]; then
+            if [ "$PS1" ]; then
+                . "$i"
+            else
+                . "$i" >/dev/null
+            fi
+        fi
+    done
+
+    unset i
+    unset -f pathmunge
+  fi
+
+fi
+# vim:ts=4:sw=4

chrony.conf.rpmnew

@@ -1,6 +1,6 @@
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
-pool 2.cloudlinux.pool.ntp.org iburst
+pool 2.almalinux.pool.ntp.org iburst
 
 # Record the rate at which the system clock gains/losses time.
 driftfile /var/lib/chrony/drift

csh.login

@@ -23,6 +23,7 @@ else
 			breaksw
 		endsw
 	end
+	unset p
 endif
 
 setenv HOSTNAME `/usr/bin/hostname`

debuginfod/elfutils.urls

@@ -0,0 +1 @@
+https://debuginfod.centos.org/

dkms/framework.conf

@@ -28,7 +28,10 @@
 # Location of the sign-file kernel binary (default: depends on distribution):
 # sign_file="/path/to/sign-file"
 
-# Location of the key and certificate used for Secure boot (default: /var/lib/dkms):
+# Location of the key and certificate files used for Secure boot.
+# mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
+# long as the sign_file program supports it.
+# (default: /var/lib/dkms):
 # mok_signing_key=/var/lib/dkms/mok.key
 # mok_certificate=/var/lib/dkms/mok.pub
 

dnf/modules.d/python39.module

@@ -0,0 +1,5 @@
+[python39]
+name=python39
+stream=3.9
+profiles=
+state=enabled

dnf/vars/stream

@@ -0,0 +1 @@
+8-stream

group

@@ -43,7 +43,6 @@ cockpit-ws:x:991:
 cockpit-wsinstance:x:990:
 sshd:x:74:
 chrony:x:989:
-rngd:x:988:
 slocate:x:21:
 named:x:25:
 redis:x:987:

group-

@@ -50,7 +50,7 @@ redis:x:987:
 memcached:x:986:
 nginx:x:985:madalin,smiti
 apache:x:48:
-docker:x:984:
+docker:x:984:sftp
 cgred:x:983:
 dovecot:x:97:
 dovenull:x:982:

gshadow

@@ -43,7 +43,6 @@ cockpit-ws:!::
 cockpit-wsinstance:!::
 sshd:!::
 chrony:!::
-rngd:!::
 slocate:!::
 named:!::
 redis:!::

gshadow-

@@ -50,7 +50,7 @@ redis:!::
 memcached:!::
 nginx:!::madalin,smiti
 apache:!::
-docker:!::
+docker:!::sftp
 cgred:!::
 dovecot:!::
 dovenull:!::

httpd/conf.d/ssl.conf

@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   The OpenSSL system profile is used by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+

nfs.conf

@@ -5,6 +5,10 @@
 [general]
 # pipefs-directory=/var/lib/nfs/rpc_pipefs
 #
+[nfsrahead]
+# nfs=15000
+# nfs4=16000
+#
 [exportfs]
 # debug=0
 #

pam.d/systemd-user

@@ -2,6 +2,7 @@
 #
 # Used by systemd --user instances.
 
+account  sufficient pam_unix.so no_pass_expiry
 account  include system-auth
 
 session  required pam_selinux.so close

passwd

@@ -25,7 +25,6 @@ cockpit-ws:x:994:991:User for cockpit web service:/nonexisting:/sbin/nologin
 cockpit-wsinstance:x:993:990:User for cockpit-ws instances:/nonexisting:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 chrony:x:992:989::/var/lib/chrony:/sbin/nologin
-rngd:x:991:988:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin
 named:x:25:25:Named:/var/named:/bin/false
 redis:x:990:987:Redis Database Server:/var/lib/redis:/sbin/nologin
 memcached:x:989:986:Memcached daemon:/run/memcached:/sbin/nologin

passwd-

@@ -76,3 +76,4 @@ bogdan:x:1019:1020::/home/bogdan:/bin/bash
 squid:x:23:23::/var/spool/squid:/sbin/nologin
 laser:x:1020:1021::/home/laser:/bin/bash
 pydio:x:1021:1022::/home/pydio:/bin/bash
+sftp:x:1023:1023::/home/sftp:/bin/bash

profile.d/debuginfod.csh

@@ -0,0 +1,16 @@
+# $HOME/.login* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if (! $?DEBUGINFOD_URLS) then
+    set prefix="/usr"
+    set DEBUGINFOD_URLS=`sh -c 'cat "$0"/*.urls 2>/dev/null; :' "/etc/debuginfod" | tr '\n' ' '`
+    if ( "$DEBUGINFOD_URLS" != "" ) then
+        setenv DEBUGINFOD_URLS "$DEBUGINFOD_URLS"
+    else
+        unset DEBUGINFOD_URLS
+    endif
+    unset prefix
+endif

profile.d/debuginfod.sh

@@ -0,0 +1,12 @@
+# $HOME/.profile* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if [ -z "$DEBUGINFOD_URLS" ]; then
+    prefix="/usr"
+    DEBUGINFOD_URLS=$(cat "/etc/debuginfod"/*.urls 2>/dev/null | tr '\n' ' ')
+    [ -n "$DEBUGINFOD_URLS" ] && export DEBUGINFOD_URLS || unset DEBUGINFOD_URLS
+    unset prefix
+fi

profile.d/which2.sh

@@ -20,7 +20,7 @@ bash|sh)
     ;;
 esac
 
-which () {
+function which {
     (alias; eval ${which_declare}) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot $@
 }
 

rspamd/composites.conf

@@ -53,7 +53,17 @@ composites {
     expression = "R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA";
     score = 1.0;
     policy = "remove_weight";
-    description = "Authenticating message via SPF/DKIM/DMARC/ARC not possible";
+    description = "Authenticating message via SPF/DKIM/DMARC/ARC not available";
+  }
+  AUTH_NA_OR_FAIL {
+    expression = "!(R_DKIM_NA & R_SPF_NA & DMARC_NA & ARC_NA) & (R_DKIM_NA | R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL) & (R_SPF_NA | R_SPF_DNSFAIL) & DMARC_NA & (ARC_NA | ARC_DNSFAIL)";
+    score = 1.0;
+    policy = "remove_weight";
+    description = "No authenticating method SPF/DKIM/DMARC/ARC was successful";
+  }
+  BOUNCE_NO_AUTH {
+    expression = "(AUTH_NA | AUTH_NA_OR_FAIL) & (BOUNCE | SUBJ_BOUNCE_WORDS)";
+    score = 1.0;
   }
   DKIM_MIXED {
     expression = "-R_DKIM_ALLOW & (R_DKIM_TEMPFAIL | R_DKIM_PERMFAIL | R_DKIM_REJECT)"
@@ -154,6 +164,13 @@ composites {
     score = 7.0;
     group = "scams";
   }
+  
+  FREEMAIL_AFF {
+	  expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & R_UNDISC_RCPT & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+	  score = 4.0;
+	  policy = "leave";
+	  description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
+  }
 
   .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
   .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"

selinux/targeted/.policy.sha512

@@ -1 +1 @@
-9fe72523a1a52ad8db6852cfa216b14f18e3ea0c50d5059245a744898c086c55c645bd656aff473a20bf5827b92135b0b07c0d41915e237d3564371bec868156
+57a40f0b00b666b2b42c16c54b8626e0c7729e48adf14e7451f99fe7b2a9faa8b6dfb4bfee4b09eb157013cc85229b19a2a8a107d102d1743103eb7cd7f83aef

selinux/targeted/contexts/files/file_contexts

@@ -2129,6 +2129,7 @@
 /var/log/turboprint.*	system_u:object_r:cupsd_log_t:s0
 /var/run/certmaster.*	system_u:object_r:certmaster_var_run_t:s0
 /var/run/certmonger.*	system_u:object_r:certmonger_var_run_t:s0
+/var/run/irqbalance.*	system_u:object_r:irqbalance_var_run_t:s0
 /var/run/keepalived.*	system_u:object_r:keepalived_var_run_t:s0
 /opt/google/chrome/.*\.so	--	system_u:object_r:textrel_shlib_t:s0
 /usr/share/sectool/.*\.py	--	system_u:object_r:bin_t:s0
@@ -2783,7 +2784,6 @@
 /var/spool/postfix/bounce(/.*)?	system_u:object_r:postfix_spool_bounce_t:s0
 /var/spool/postfix/public(/.*)?	system_u:object_r:postfix_public_t:s0
 /var/spool/retrace-server(/.*)?	system_u:object_r:abrt_retrace_spool_t:s0
-/var/tmp/insights-archive(/.*)?	system_u:object_r:insights_client_tmp_t:s0
 /var/www/cgi-bin/keystone(/.*)?	system_u:object_r:keystone_cgi_script_exec_t:s0
 /var/spool/postfix/lib/ld.*\.so.*	--	system_u:object_r:ld_so_t:s0
 /usr/share/selinux-policy[^/]*/html(/.*)?	system_u:object_r:httpd_sys_content_t:s0
@@ -3250,6 +3250,7 @@
 /usr/lib/systemd/system/openstack-nova-*	--	system_u:object_r:nova_unit_file_t:s0
 /usr/lib/systemd/system-generators/lvm2.*	--	system_u:object_r:lvm_exec_t:s0
 /usr/lib/systemd/system/dnssec-triggerd.*	--	system_u:object_r:dnssec_trigger_unit_file_t:s0
+/usr/lib/systemd/system/insights-client.*	--	system_u:object_r:insights_client_unit_file_t:s0
 /usr/lib/systemd/system/openstack-swift.*	--	system_u:object_r:swift_unit_file_t:s0
 /usr/lib/systemd/system/rabbitmq-server.*	--	system_u:object_r:rabbitmq_unit_file_t:s0
 /etc/boinc-client/global_prefs_override.xml	--	system_u:object_r:boinc_var_lib_t:s0
@@ -5313,7 +5314,6 @@
 /var/qmail/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0
 /var/qmail/bin/splogger	--	system_u:object_r:qmail_splogger_exec_t:s0
 /var/run/consolekit\.pid	--	system_u:object_r:consolekit_var_run_t:s0
-/var/run/irqbalance\.pid	--	system_u:object_r:irqbalance_var_run_t:s0
 /var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t:s0
 /var/run/rpc\.statd\.lock	--	system_u:object_r:rpcd_lock_t:s0
 /var/run/samba/nmbd\.pid	--	system_u:object_r:nmbd_var_run_t:s0
@@ -5501,6 +5501,7 @@
 /opt/likewise/sbin/lwregd	--	system_u:object_r:lwregd_exec_t:s0
 /sbin/pam_timestamp_check	--	system_u:object_r:pam_timestamp_exec_t:s0
 /sys/kernel/uevent_helper	--	system_u:object_r:usermodehelper_t:s0
+/tmp/insights-client\.ppid	--	system_u:object_r:insights_client_tmp_t:s0
 /usr/afs/bin/dafileserver	--	system_u:object_r:afs_fsserver_exec_t:s0
 /usr/bin/cinder-scheduler	--	system_u:object_r:cinder_scheduler_exec_t:s0
 /usr/bin/cpufreq-selector	--	system_u:object_r:cpufreqselector_exec_t:s0
@@ -5835,6 +5836,7 @@
 /usr/libexec/pcp/lib/pmproxy	--	system_u:object_r:pcp_pmproxy_initrc_exec_t:s0
 /usr/libexec/postfix/cleanup	--	system_u:object_r:postfix_cleanup_exec_t:s0
 /usr/libexec/postfix/virtual	--	system_u:object_r:postfix_virtual_exec_t:s0
+/usr/libexec/samba/rpcd_lsad	--	system_u:object_r:winbind_rpcd_exec_t:s0
 /usr/libexec/telepathy-rakia	--	system_u:object_r:telepathy_sofiasip_exec_t:s0
 /usr/libexec/telepathy-salut	--	system_u:object_r:telepathy_salut_exec_t:s0
 /usr/libexec/udisks2/udisksd	--	system_u:object_r:devicekit_disk_exec_t:s0
@@ -5930,6 +5932,7 @@
 /var/run/samba/namelist\.debug	--	system_u:object_r:nmbd_var_run_t:s0
 /var/run/samba/share_info\.tdb	--	system_u:object_r:smbd_var_run_t:s0
 /var/run/samba/unexpected\.tdb	--	system_u:object_r:nmbd_var_run_t:s0
+/var/tmp/insights-client\.ppid	--	system_u:object_r:insights_client_tmp_t:s0
 /var/www/apcupsd/multimon\.cgi	--	system_u:object_r:apcupsd_cgi_script_exec_t:s0
 /var/www/apcupsd/upsimage\.cgi	--	system_u:object_r:apcupsd_cgi_script_exec_t:s0
 /var/www/apcupsd/upsstats\.cgi	--	system_u:object_r:apcupsd_cgi_script_exec_t:s0
@@ -6078,6 +6081,7 @@
 /usr/libexec/openssh/sftp-server	--	system_u:object_r:bin_t:s0
 /usr/libexec/openssh/ssh-keysign	--	system_u:object_r:ssh_keysign_exec_t:s0
 /usr/libexec/openssh/sshd-keygen	--	system_u:object_r:sshd_keygen_exec_t:s0
+/usr/libexec/samba/samba-dcerpcd	--	system_u:object_r:winbind_rpcd_exec_t:s0
 /usr/libexec/squid/cache_swap\.sh	--	system_u:object_r:squid_exec_t:s0
 /usr/libexec/telepathy-butterfly	--	system_u:object_r:telepathy_msn_exec_t:s0
 /usr/sbin/abrt-install-ccpp-hook	--	system_u:object_r:abrt_exec_t:s0
@@ -6153,6 +6157,7 @@
 /var/lib/likewise-open/rpc/socket	-s	system_u:object_r:eventlogd_var_socket_t:s0
 /var/run/\.heim_org\.h5l\.kcm-socket	-s	system_u:object_r:sssd_var_run_t:s0
 /etc/Pegasus/pegasus_current\.conf	system_u:object_r:pegasus_data_t:s0
+/etc/insights-client/\.unregistered	--	system_u:object_r:insights_client_etc_rw_t:s0
 /etc/named\.caching-nameserver\.conf	--	system_u:object_r:named_conf_t:s0
 /etc/pki/tls/certs/make-dummy-cert	--	system_u:object_r:bin_t:s0
 /etc/sysconfig/update_spamassassin	--	system_u:object_r:mscan_etc_t:s0
@@ -6276,6 +6281,7 @@
 /usr/lib/systemd/system/cgdcbxd\.service	--	system_u:object_r:cgdcbxd_unit_file_t:s0
 /usr/lib/systemd/system/ipmievd\.service	--	system_u:object_r:ipmievd_unit_file_t:s0
 /usr/lib/systemd/system/rpcbind\.service	--	system_u:object_r:rpcbind_unit_file_t:s0
+/usr/lib/systemd/system/sa-update\.timer	--	system_u:object_r:spamd_update_unit_file_t:s0
 /usr/lib/systemd/system/sanlock\.service	--	system_u:object_r:sanlock_unit_file_t:s0
 /usr/lib/systemd/systemd-fence_sanlockd	--	system_u:object_r:fenced_exec_t:s0
 /usr/lib/systemd/systemd-journal-upload	--	system_u:object_r:systemd_journal_upload_exec_t:s0
@@ -6307,6 +6313,7 @@
 /etc/sysconfig/network-scripts/ifup-ipsec	--	system_u:object_r:initrc_exec_t:s0
 /usr/bin/systemd-gnome-ask-password-agent	--	system_u:object_r:systemd_passwd_agent_exec_t:s0
 /usr/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:dbusd_exec_t:s0
+/usr/lib/systemd/system/sa-update\.service	--	system_u:object_r:spamd_update_unit_file_t:s0
 /usr/lib/systemd/systemd-user-runtime-dir	--	system_u:object_r:systemd_logind_exec_t:s0
 /usr/lib/vlc/codec/librealaudio_plugin\.so	--	system_u:object_r:textrel_shlib_t:s0
 /usr/lib/vlc/codec/librealvideo_plugin\.so	--	system_u:object_r:textrel_shlib_t:s0
@@ -6332,11 +6339,13 @@
 /usr/libexec/microcode_ctl/reload_microcode	--	system_u:object_r:cpucontrol_exec_t:s0
 /usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt	--	system_u:object_r:pegasus_openlmi_system_exec_t:s0
 /usr/libexec/polkit-1/polkit-agent-helper-1	--	system_u:object_r:policykit_auth_exec_t:s0
+/usr/libexec/rhc/rhc-package-manager-worker	--	system_u:object_r:rpm_exec_t:s0
 /usr/libexec/selinux/semanage_migrate_store	--	system_u:object_r:semanage_exec_t:s0
 /usr/share/system-config-netboot/pxeboot\.py	--	system_u:object_r:bin_t:s0
 /usr/lib/systemd/system/boinc-client\.service	--	system_u:object_r:boinc_unit_file_t:s0
 /usr/lib/systemd/system/dirsrv-admin\.service	--	system_u:object_r:dirsrvadmin_unit_file_t:s0
 /usr/lib/systemd/system/sanlk-resetd\.service	--	system_u:object_r:sanlk_resetd_unit_file_t:s0
+/usr/lib/systemd/system/spamassassin\.service	--	system_u:object_r:spamd_unit_file_t:s0
 /usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t:s0
 /etc/dnssec-trigger/dnssec_trigger_server\.key	--	system_u:object_r:dnssec_t:s0
 /usr/libexec/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:dbusd_exec_t:s0

shadow

@@ -25,7 +25,6 @@ cockpit-ws:!!:18424::::::
 cockpit-wsinstance:!!:18424::::::
 sshd:!!:18424::::::
 chrony:!!:18424::::::
-rngd:!!:18424::::::
 named:!!:18526::::::
 redis:!!:18526::::::
 memcached:!!:18526::::::

shadow-

@@ -35,7 +35,7 @@ dovecot:!!:18526::::::
 dovenull:!!:18526::::::
 postfix:!!:18526::::::
 mysql:!!:18526::::::
-madalin:$6$EiMxEtxQguelfC4J$gD2fVn5XDfgJG.50Stc9/tZtL2VxJNBmAklHZj2k9nIzQRuU.rzEwf5ktDUy/4f/..R5AUvE3Q2IWnniZ7xIZ0:18764:0:99999:7:::
+madalin:$6$o5gdTOT7LTSGwvLw$RWG5G9gx7lGmA7yqkTYueqZcm.5C5tUmngV01pmiqWpfFkH9uUoJMx1p3lZUP8R.h43NYIiH7IePvP1sHd4aN/:19296:0:99999:7:::
 sslh:!!:18527::::::
 vampi:$6$tRIULiDksEzmp1/r$0wXDJUfPNaUIio90.hQrQy10943EpXazN7GdVxo1ZFh3hWfHaw.X3uWl6UVTBZgWfgmk3719HzfnoYNwHhpfb.:18639:0:99999:7:::
 _rspamd:!!:18527::::::
@@ -76,3 +76,4 @@ bogdan:mCxaxi7Ck2FlI:18822:0:99999:7:30::
 squid:!!:18921::::::
 laser:$6$3IDnJkLhNhDa5MUg$ysajgR6P3uElTVSBuLJbix4lHHNheJ.JBIrGFRvUPsY2/265PmO3vjgWTculxKkywvas0vcVrX3Q4QQZ/qufR.:18954:0:99999:7:30::
 pydio:!!:19102:0:99999:7:30::
+sftp:!!:19193:0:99999:7:30::

ssh/sshd_config.rpmnew

@@ -96,7 +96,7 @@ GSSAPICleanupCredentials no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
 # problems.
 UsePAM yes
 

sysconfig/rngd

@@ -1,3 +1,3 @@
 # Optional arguments passed to rngd. See rngd(8) and
 # https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
-RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist"
+RNGD_ARGS="--fill-watermark=0 -x pkcs11 -x nist -D daemon:daemon"

systemd/logind.conf.rpmnew

@@ -0,0 +1,38 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+#HandlePowerKey=poweroff
+#HandleSuspendKey=suspend
+#HandleHibernateKey=hibernate
+#HandleLidSwitch=suspend
+#HandleLidSwitchExternalPower=suspend
+#HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=no
+#InhibitorsMax=8192
+#SessionsMax=8192
+#StopIdleSessionSec=infinity

systemd/system.conf

@@ -37,6 +37,7 @@
 #DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
 #DefaultTimeoutStopSec=90s
+#DefaultDeviceTimeoutSec=90s
 #DefaultRestartSec=100ms
 #DefaultStartLimitIntervalSec=10s
 #DefaultStartLimitBurst=5

unbound/icannbundle.pem

@@ -1,59 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Dec 23 04:19:12 2009 GMT
-            Not After : Dec 18 04:19:12 2029 GMT
-        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
-                    bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
-                    9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
-                    27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
-                    fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
-                    22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
-                    e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
-                    d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
-                    e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
-                    1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
-                    39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
-                    ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
-                    7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
-                    31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
-                    9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
-                    09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
-                    04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
-                    85:41
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-    Signature Algorithm: sha256WithRSAEncryption
-        0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
-        3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
-        c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
-        b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
-        7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
-        9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
-        90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
-        84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
-        98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
-        5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
-        c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
-        1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
-        90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
-        70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
-        e7:40:61:a4
 -----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
 TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
 j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 11 (0xb)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Nov  8 23:39:47 2016 GMT
-            Not After : Nov  6 23:39:47 2026 GMT
-        Subject: O=ICANN, CN=ICANN EMAIL CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
-                    8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
-                    c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
-                    57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
-                    4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
-                    fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
-                    a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
-                    6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
-                    db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
-                    d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
-                    7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
-                    20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
-                    b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
-                    d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
-                    2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
-                    fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
-                    7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
-                    4d:b1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
-            X509v3 Subject Key Identifier: 
-                7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
-    Signature Algorithm: sha256WithRSAEncryption
-        0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
-        24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
-        95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
-        41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
-        2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
-        57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
-        e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
-        b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
-        d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
-        ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
-        64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
-        0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
-        2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
-        e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
-        be:7e:36:be
------BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
-DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
-IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
-9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
-jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
-LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
-ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
-VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
-QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
-ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
-tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
-SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
-lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
-CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
-DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
-SMNGv75+Nr4=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 10 (0xa)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Nov  8 23:38:16 2016 GMT
-            Not After : Nov  6 23:38:16 2026 GMT
-        Subject: O=ICANN, CN=ICANN SSL CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
-                    7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
-                    73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
-                    e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
-                    81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
-                    17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
-                    dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
-                    9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
-                    f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
-                    d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
-                    f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
-                    3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
-                    94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
-                    3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
-                    e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
-                    09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
-                    20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
-                    e2:c5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
-            X509v3 Subject Key Identifier: 
-                6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
-    Signature Algorithm: sha256WithRSAEncryption
-        47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
-        5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
-        cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
-        85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
-        37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
-        2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
-        fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
-        e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
-        f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
-        c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
-        83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
-        80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
-        85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
-        6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
-        2d:70:f2:08
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
-DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
-IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
-K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
-VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
-nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
-kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
-yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
-kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
-qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
-K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
-tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
-Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
-C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
-jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
-T5ktcPII
------END CERTIFICATE-----

vmware-tools/tools.conf.example

@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2021 VMware, Inc.  All rights reserved.
+# Copyright (c) 2019-2022 VMware, Inc.  All rights reserved.
 
 # "CAUTION: tools.conf is highly syntax sensitive file. Use extreme caution
 # while editing it. If modified, it is automatically re-loaded by
@@ -245,6 +245,44 @@
 # whether to include reserved space in diskInfo space metrics on Linux
 #diskinfo-include-reserved=false
 
+[globalconf]
+
+# The GlobalConf feature provides an ability for the vSphere administrators
+# to distribute a 'VMware Tools Configuration File' (tools.conf) via the
+# GuestStore for multiple VMs at scale.
+
+# Defines the configuration to enable/disable the GlobalConf module.
+# Set to true to enable the module.
+# Set to false to disable the module. Default false.
+#enabled=false
+
+# Defines a custom GlobalConf poll interval (in seconds).
+# Default 3600 seconds. Minimum 1800 seconds.
+#poll-interval=3600
+
+# Defines the global configuration resource in GuestStore.
+# Windows guests
+#resource=/vmware/configurations/vmtools/windows/tools.conf
+#
+# Linux guests
+#resource=/vmware/configurations/vmtools/linux/tools.conf
+
+[componentmgr]
+
+# This plugin manages the known and enabled components add/remove status.
+# The plugin polls at regular interval and triggers action add/remove for
+# all the known and enabled components in the componentMgr plugin.
+
+# Default and minimum polling interval in seconds (0 => polling disabled)
+#poll-interval=180
+
+# Comma separated list of components managed by the plugin. If not specified,
+# default value is all, which means all components are enabled by default.
+# A special value of none means no component, which is equivalent to disabling
+# the plugin completely. Value is parsed left to right and parsing stops at
+# first occurrence of all or none or end of line.
+#included=all
+
 [appinfo]
 
 # This plugin collects info about running applications in guest OS.
@@ -259,6 +297,35 @@
 # version info, otherwise native Win32 API is used.
 #useWMI=false
 
+# Whether to remove the duplicate applications information in the
+# guestinfo variable.
+#remove-duplicates=true
+
+[containerinfo]
+
+# This plugin collects info about running containers in guest OS.
+
+# User-defined poll interval in seconds. Set to 0 to disable the plugin.
+#poll-interval=21600
+
+# Maximum number of containers to be retrieved per namespace.
+#max-containers=256
+
+# Whether to remove the duplicate containers information in the
+# guestinfo variable.
+#remove-duplicates=true
+
+# Unix socket to use to communicate with the docker daemon.
+#docker-unix-socket=/var/run/docker.sock
+
+# The unix socket to connect to communicate with containerd grpc server
+# for retrieving the list of running containers.
+#containerd-unix-socket=/run/containerd/containerd.sock
+
+# List of namespaces to be queried for the running containers.
+# The value for this key is a comman separated list.
+#allowed-namespaces=moby,k8s.io,default
+
 [servicediscovery]
 
 # This plugin provides admins with additional info for better VM management.

vmware-tools/vgauth/schemas/saml-schema-assertion-2.0.xsd

@@ -1,283 +1,283 @@
-<?xml version="1.0" encoding="US-ASCII"?>
+<?xml version="1.0" encoding="US-ASCII"?>
-<schema
+<schema
-    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+    targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns="http://www.w3.org/2001/XMLSchema"
+    xmlns="http://www.w3.org/2001/XMLSchema"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
-    elementFormDefault="unqualified"
+    elementFormDefault="unqualified"
-    attributeFormDefault="unqualified"
+    attributeFormDefault="unqualified"
-    blockDefault="substitution"
+    blockDefault="substitution"
-    version="2.0">
+    version="2.0">
-    <import namespace="http://www.w3.org/2000/09/xmldsig#"
+    <import namespace="http://www.w3.org/2000/09/xmldsig#"
-        schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
+        schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
-    <import namespace="http://www.w3.org/2001/04/xmlenc#"
+    <import namespace="http://www.w3.org/2001/04/xmlenc#"
-        schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
+        schemaLocation="http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
-    <annotation>
+    <annotation>
-        <documentation>
+        <documentation>
-            Document identifier: saml-schema-assertion-2.0
+            Document identifier: saml-schema-assertion-2.0
-            Location: http://docs.oasis-open.org/security/saml/v2.0/
+            Location: http://docs.oasis-open.org/security/saml/v2.0/
-            Revision history:
+            Revision history:
-            V1.0 (November, 2002):
+            V1.0 (November, 2002):
-              Initial Standard Schema.
+              Initial Standard Schema.
-            V1.1 (September, 2003):
+            V1.1 (September, 2003):
-              Updates within the same V1.0 namespace.
+              Updates within the same V1.0 namespace.
-            V2.0 (March, 2005):
+            V2.0 (March, 2005):
-              New assertion schema for SAML V2.0 namespace.
+              New assertion schema for SAML V2.0 namespace.
-        </documentation>
+        </documentation>
-    </annotation>
+    </annotation>
-    <attributeGroup name="IDNameQualifiers">
+    <attributeGroup name="IDNameQualifiers">
-        <attribute name="NameQualifier" type="string" use="optional"/>
+        <attribute name="NameQualifier" type="string" use="optional"/>
-        <attribute name="SPNameQualifier" type="string" use="optional"/>
+        <attribute name="SPNameQualifier" type="string" use="optional"/>
-    </attributeGroup>
+    </attributeGroup>
-    <element name="BaseID" type="saml:BaseIDAbstractType"/>
+    <element name="BaseID" type="saml:BaseIDAbstractType"/>
-    <complexType name="BaseIDAbstractType" abstract="true">
+    <complexType name="BaseIDAbstractType" abstract="true">
-        <attributeGroup ref="saml:IDNameQualifiers"/>
+        <attributeGroup ref="saml:IDNameQualifiers"/>
-    </complexType>
+    </complexType>
-    <element name="NameID" type="saml:NameIDType"/>
+    <element name="NameID" type="saml:NameIDType"/>
-    <complexType name="NameIDType">
+    <complexType name="NameIDType">
-        <simpleContent>
+        <simpleContent>
-            <extension base="string">
+            <extension base="string">
-                <attributeGroup ref="saml:IDNameQualifiers"/>
+                <attributeGroup ref="saml:IDNameQualifiers"/>
-                <attribute name="Format" type="anyURI" use="optional"/>
+                <attribute name="Format" type="anyURI" use="optional"/>
-                <attribute name="SPProvidedID" type="string" use="optional"/>
+                <attribute name="SPProvidedID" type="string" use="optional"/>
-            </extension>
+            </extension>
-        </simpleContent>
+        </simpleContent>
-    </complexType>
+    </complexType>
-    <complexType name="EncryptedElementType">
+    <complexType name="EncryptedElementType">
-        <sequence>
+        <sequence>
-            <element ref="xenc:EncryptedData"/>
+            <element ref="xenc:EncryptedData"/>
-            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
+        </sequence>
-    </complexType>
+    </complexType>
-    <element name="EncryptedID" type="saml:EncryptedElementType"/>
+    <element name="EncryptedID" type="saml:EncryptedElementType"/>
-    <element name="Issuer" type="saml:NameIDType"/>
+    <element name="Issuer" type="saml:NameIDType"/>
-    <element name="AssertionIDRef" type="NCName"/>
+    <element name="AssertionIDRef" type="NCName"/>
-    <element name="AssertionURIRef" type="anyURI"/>
+    <element name="AssertionURIRef" type="anyURI"/>
-    <element name="Assertion" type="saml:AssertionType"/>
+    <element name="Assertion" type="saml:AssertionType"/>
-    <complexType name="AssertionType">
+    <complexType name="AssertionType">
-        <sequence>
+        <sequence>
-            <element ref="saml:Issuer"/>
+            <element ref="saml:Issuer"/>
-            <element ref="ds:Signature" minOccurs="0"/>
+            <element ref="ds:Signature" minOccurs="0"/>
-            <element ref="saml:Subject" minOccurs="0"/>
+            <element ref="saml:Subject" minOccurs="0"/>
-            <element ref="saml:Conditions" minOccurs="0"/>
+            <element ref="saml:Conditions" minOccurs="0"/>
-            <element ref="saml:Advice" minOccurs="0"/>
+            <element ref="saml:Advice" minOccurs="0"/>
-            <choice minOccurs="0" maxOccurs="unbounded">
+            <choice minOccurs="0" maxOccurs="unbounded">
-                <element ref="saml:Statement"/>
+                <element ref="saml:Statement"/>
-                <element ref="saml:AuthnStatement"/>
+                <element ref="saml:AuthnStatement"/>
-                <element ref="saml:AuthzDecisionStatement"/>
+                <element ref="saml:AuthzDecisionStatement"/>
-                <element ref="saml:AttributeStatement"/>
+                <element ref="saml:AttributeStatement"/>
-            </choice>
+            </choice>
-        </sequence>
+        </sequence>
-        <attribute name="Version" type="string" use="required"/>
+        <attribute name="Version" type="string" use="required"/>
-        <attribute name="ID" type="ID" use="required"/>
+        <attribute name="ID" type="ID" use="required"/>
-        <attribute name="IssueInstant" type="dateTime" use="required"/>
+        <attribute name="IssueInstant" type="dateTime" use="required"/>
-    </complexType>
+    </complexType>
-    <element name="Subject" type="saml:SubjectType"/>
+    <element name="Subject" type="saml:SubjectType"/>
-    <complexType name="SubjectType">
+    <complexType name="SubjectType">
-        <choice>
+        <choice>
-            <sequence>
+            <sequence>
-                <choice>
+                <choice>
-                    <element ref="saml:BaseID"/>
+                    <element ref="saml:BaseID"/>
-                    <element ref="saml:NameID"/>
+                    <element ref="saml:NameID"/>
-                    <element ref="saml:EncryptedID"/>
+                    <element ref="saml:EncryptedID"/>
-                </choice>
+                </choice>
-                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+                <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
-            </sequence>
+            </sequence>
-            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+            <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
-        </choice>
+        </choice>
-    </complexType>
+    </complexType>
-    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+    <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
-    <complexType name="SubjectConfirmationType">
+    <complexType name="SubjectConfirmationType">
-        <sequence>
+        <sequence>
-            <choice minOccurs="0">
+            <choice minOccurs="0">
-                <element ref="saml:BaseID"/>
+                <element ref="saml:BaseID"/>
-                <element ref="saml:NameID"/>
+                <element ref="saml:NameID"/>
-                <element ref="saml:EncryptedID"/>
+                <element ref="saml:EncryptedID"/>
-            </choice>
+            </choice>
-            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+            <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
-        </sequence>
+        </sequence>
-        <attribute name="Method" type="anyURI" use="required"/>
+        <attribute name="Method" type="anyURI" use="required"/>
-    </complexType>
+    </complexType>
-    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+    <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
-    <complexType name="SubjectConfirmationDataType" mixed="true">
+    <complexType name="SubjectConfirmationDataType" mixed="true">
-        <complexContent>
+        <complexContent>
-            <restriction base="anyType">
+            <restriction base="anyType">
-                <sequence>
+                <sequence>
-                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+                    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-                </sequence>
+                </sequence>
-                <attribute name="NotBefore" type="dateTime" use="optional"/>
+                <attribute name="NotBefore" type="dateTime" use="optional"/>
-                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-                <attribute name="Recipient" type="anyURI" use="optional"/>
+                <attribute name="Recipient" type="anyURI" use="optional"/>
-                <attribute name="InResponseTo" type="NCName" use="optional"/>
+                <attribute name="InResponseTo" type="NCName" use="optional"/>
-                <attribute name="Address" type="string" use="optional"/>
+                <attribute name="Address" type="string" use="optional"/>
-                <anyAttribute namespace="##other" processContents="lax"/>
+                <anyAttribute namespace="##other" processContents="lax"/>
-            </restriction>
+            </restriction>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <complexType name="KeyInfoConfirmationDataType" mixed="false">
+    <complexType name="KeyInfoConfirmationDataType" mixed="false">
-        <complexContent>
+        <complexContent>
-            <restriction base="saml:SubjectConfirmationDataType">
+            <restriction base="saml:SubjectConfirmationDataType">
-                <sequence>
+                <sequence>
-                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+                    <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
-                </sequence>
+                </sequence>
-            </restriction>
+            </restriction>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <element name="Conditions" type="saml:ConditionsType"/>
+    <element name="Conditions" type="saml:ConditionsType"/>
-    <complexType name="ConditionsType">
+    <complexType name="ConditionsType">
-        <choice minOccurs="0" maxOccurs="unbounded">
+        <choice minOccurs="0" maxOccurs="unbounded">
-            <element ref="saml:Condition"/>
+            <element ref="saml:Condition"/>
-            <element ref="saml:AudienceRestriction"/>
+            <element ref="saml:AudienceRestriction"/>
-            <element ref="saml:OneTimeUse"/>
+            <element ref="saml:OneTimeUse"/>
-            <element ref="saml:ProxyRestriction"/>
+            <element ref="saml:ProxyRestriction"/>
-        </choice>
+        </choice>
-        <attribute name="NotBefore" type="dateTime" use="optional"/>
+        <attribute name="NotBefore" type="dateTime" use="optional"/>
-        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+        <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
-    </complexType>
+    </complexType>
-    <element name="Condition" type="saml:ConditionAbstractType"/>
+    <element name="Condition" type="saml:ConditionAbstractType"/>
-    <complexType name="ConditionAbstractType" abstract="true"/>
+    <complexType name="ConditionAbstractType" abstract="true"/>
-    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+    <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
-    <complexType name="AudienceRestrictionType">
+    <complexType name="AudienceRestrictionType">
-        <complexContent>
+        <complexContent>
-            <extension base="saml:ConditionAbstractType">
+            <extension base="saml:ConditionAbstractType">
-                <sequence>
+                <sequence>
-                    <element ref="saml:Audience" maxOccurs="unbounded"/>
+                    <element ref="saml:Audience" maxOccurs="unbounded"/>
-                </sequence>
+                </sequence>
-            </extension>
+            </extension>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <element name="Audience" type="anyURI"/>
+    <element name="Audience" type="anyURI"/>
-    <element name="OneTimeUse" type="saml:OneTimeUseType" />
+    <element name="OneTimeUse" type="saml:OneTimeUseType" />
-    <complexType name="OneTimeUseType">
+    <complexType name="OneTimeUseType">
-        <complexContent>
+        <complexContent>
-            <extension base="saml:ConditionAbstractType"/>
+            <extension base="saml:ConditionAbstractType"/>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+    <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
-    <complexType name="ProxyRestrictionType">
+    <complexType name="ProxyRestrictionType">
-    <complexContent>
+    <complexContent>
-        <extension base="saml:ConditionAbstractType">
+        <extension base="saml:ConditionAbstractType">
-            <sequence>
+            <sequence>
-                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+                <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
-            </sequence>
+            </sequence>
-            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+            <attribute name="Count" type="nonNegativeInteger" use="optional"/>
-        </extension>
+        </extension>
-	</complexContent>
+	</complexContent>
-    </complexType>
+    </complexType>
-    <element name="Advice" type="saml:AdviceType"/>
+    <element name="Advice" type="saml:AdviceType"/>
-    <complexType name="AdviceType">
+    <complexType name="AdviceType">
-        <choice minOccurs="0" maxOccurs="unbounded">
+        <choice minOccurs="0" maxOccurs="unbounded">
-            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionIDRef"/>
-            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:AssertionURIRef"/>
-            <element ref="saml:Assertion"/>
+            <element ref="saml:Assertion"/>
-            <element ref="saml:EncryptedAssertion"/>
+            <element ref="saml:EncryptedAssertion"/>
-            <any namespace="##other" processContents="lax"/>
+            <any namespace="##other" processContents="lax"/>
-        </choice>
+        </choice>
-    </complexType>
+    </complexType>
-    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+    <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
-    <element name="Statement" type="saml:StatementAbstractType"/>
+    <element name="Statement" type="saml:StatementAbstractType"/>
-    <complexType name="StatementAbstractType" abstract="true"/>
+    <complexType name="StatementAbstractType" abstract="true"/>
-    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+    <element name="AuthnStatement" type="saml:AuthnStatementType"/>
-    <complexType name="AuthnStatementType">
+    <complexType name="AuthnStatementType">
-        <complexContent>
+        <complexContent>
-            <extension base="saml:StatementAbstractType">
+            <extension base="saml:StatementAbstractType">
-                <sequence>
+                <sequence>
-                    <element ref="saml:SubjectLocality" minOccurs="0"/>
+                    <element ref="saml:SubjectLocality" minOccurs="0"/>
-                    <element ref="saml:AuthnContext"/>
+                    <element ref="saml:AuthnContext"/>
-                </sequence>
+                </sequence>
-                <attribute name="AuthnInstant" type="dateTime" use="required"/>
+                <attribute name="AuthnInstant" type="dateTime" use="required"/>
-                <attribute name="SessionIndex" type="string" use="optional"/>
+                <attribute name="SessionIndex" type="string" use="optional"/>
-                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+                <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
-            </extension>
+            </extension>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+    <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
-    <complexType name="SubjectLocalityType">
+    <complexType name="SubjectLocalityType">
-        <attribute name="Address" type="string" use="optional"/>
+        <attribute name="Address" type="string" use="optional"/>
-        <attribute name="DNSName" type="string" use="optional"/>
+        <attribute name="DNSName" type="string" use="optional"/>
-    </complexType>
+    </complexType>
-    <element name="AuthnContext" type="saml:AuthnContextType"/>
+    <element name="AuthnContext" type="saml:AuthnContextType"/>
-    <complexType name="AuthnContextType">
+    <complexType name="AuthnContextType">
-        <sequence>
+        <sequence>
-            <choice>
+            <choice>
-                <sequence>
+                <sequence>
-                    <element ref="saml:AuthnContextClassRef"/>
+                    <element ref="saml:AuthnContextClassRef"/>
-                    <choice minOccurs="0">
+                    <choice minOccurs="0">
-                        <element ref="saml:AuthnContextDecl"/>
+                        <element ref="saml:AuthnContextDecl"/>
-                        <element ref="saml:AuthnContextDeclRef"/>
+                        <element ref="saml:AuthnContextDeclRef"/>
-                    </choice>
+                    </choice>
-                </sequence>
+                </sequence>
-                <choice>
+                <choice>
-                    <element ref="saml:AuthnContextDecl"/>
+                    <element ref="saml:AuthnContextDecl"/>
-                    <element ref="saml:AuthnContextDeclRef"/>
+                    <element ref="saml:AuthnContextDeclRef"/>
-                </choice>
+                </choice>
-            </choice>
+            </choice>
-            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
+        </sequence>
-    </complexType>
+    </complexType>
-    <element name="AuthnContextClassRef" type="anyURI"/>
+    <element name="AuthnContextClassRef" type="anyURI"/>
-    <element name="AuthnContextDeclRef" type="anyURI"/>
+    <element name="AuthnContextDeclRef" type="anyURI"/>
-    <element name="AuthnContextDecl" type="anyType"/>
+    <element name="AuthnContextDecl" type="anyType"/>
-    <element name="AuthenticatingAuthority" type="anyURI"/>
+    <element name="AuthenticatingAuthority" type="anyURI"/>
-    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+    <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
-    <complexType name="AuthzDecisionStatementType">
+    <complexType name="AuthzDecisionStatementType">
-        <complexContent>
+        <complexContent>
-            <extension base="saml:StatementAbstractType">
+            <extension base="saml:StatementAbstractType">
-                <sequence>
+                <sequence>
-                    <element ref="saml:Action" maxOccurs="unbounded"/>
+                    <element ref="saml:Action" maxOccurs="unbounded"/>
-                    <element ref="saml:Evidence" minOccurs="0"/>
+                    <element ref="saml:Evidence" minOccurs="0"/>
-                </sequence>
+                </sequence>
-                <attribute name="Resource" type="anyURI" use="required"/>
+                <attribute name="Resource" type="anyURI" use="required"/>
-                <attribute name="Decision" type="saml:DecisionType" use="required"/>
+                <attribute name="Decision" type="saml:DecisionType" use="required"/>
-            </extension>
+            </extension>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <simpleType name="DecisionType">
+    <simpleType name="DecisionType">
-        <restriction base="string">
+        <restriction base="string">
-            <enumeration value="Permit"/>
+            <enumeration value="Permit"/>
-            <enumeration value="Deny"/>
+            <enumeration value="Deny"/>
-            <enumeration value="Indeterminate"/>
+            <enumeration value="Indeterminate"/>
-        </restriction>
+        </restriction>
-    </simpleType>
+    </simpleType>
-    <element name="Action" type="saml:ActionType"/>
+    <element name="Action" type="saml:ActionType"/>
-    <complexType name="ActionType">
+    <complexType name="ActionType">
-        <simpleContent>
+        <simpleContent>
-            <extension base="string">
+            <extension base="string">
-                <attribute name="Namespace" type="anyURI" use="required"/>
+                <attribute name="Namespace" type="anyURI" use="required"/>
-            </extension>
+            </extension>
-        </simpleContent>
+        </simpleContent>
-    </complexType>
+    </complexType>
-    <element name="Evidence" type="saml:EvidenceType"/>
+    <element name="Evidence" type="saml:EvidenceType"/>
-    <complexType name="EvidenceType">
+    <complexType name="EvidenceType">
-        <choice maxOccurs="unbounded">
+        <choice maxOccurs="unbounded">
-            <element ref="saml:AssertionIDRef"/>
+            <element ref="saml:AssertionIDRef"/>
-            <element ref="saml:AssertionURIRef"/>
+            <element ref="saml:AssertionURIRef"/>
-            <element ref="saml:Assertion"/>
+            <element ref="saml:Assertion"/>
-            <element ref="saml:EncryptedAssertion"/>
+            <element ref="saml:EncryptedAssertion"/>
-        </choice>
+        </choice>
-    </complexType>
+    </complexType>
-    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
-    <complexType name="AttributeStatementType">
+    <complexType name="AttributeStatementType">
-        <complexContent>
+        <complexContent>
-            <extension base="saml:StatementAbstractType">
+            <extension base="saml:StatementAbstractType">
-                <choice maxOccurs="unbounded">
+                <choice maxOccurs="unbounded">
-                    <element ref="saml:Attribute"/>
+                    <element ref="saml:Attribute"/>
-                    <element ref="saml:EncryptedAttribute"/>
+                    <element ref="saml:EncryptedAttribute"/>
-                </choice>
+                </choice>
-            </extension>
+            </extension>
-        </complexContent>
+        </complexContent>
-    </complexType>
+    </complexType>
-    <element name="Attribute" type="saml:AttributeType"/>
+    <element name="Attribute" type="saml:AttributeType"/>
-    <complexType name="AttributeType">
+    <complexType name="AttributeType">
-        <sequence>
+        <sequence>
-            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
-        </sequence>
+        </sequence>
-        <attribute name="Name" type="string" use="required"/>
+        <attribute name="Name" type="string" use="required"/>
-        <attribute name="NameFormat" type="anyURI" use="optional"/>
+        <attribute name="NameFormat" type="anyURI" use="optional"/>
-        <attribute name="FriendlyName" type="string" use="optional"/>
+        <attribute name="FriendlyName" type="string" use="optional"/>
-        <anyAttribute namespace="##other" processContents="lax"/>
+        <anyAttribute namespace="##other" processContents="lax"/>
-    </complexType>
+    </complexType>
-    <element name="AttributeValue" type="anyType" nillable="true"/>
+    <element name="AttributeValue" type="anyType" nillable="true"/>
-    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
-</schema>
+</schema>

yum.repos.d/almalinux-sap.repo

@@ -0,0 +1,28 @@
+# almalinux-sap.repo
+
+[sap]
+name=AlmaLinux $releasever - SAP
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap
+# baseurl=https://repo.almalinux.org/almalinux/$releasever/SAP/$basearch/os/
+enabled=0
+gpgcheck=1
+countme=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Sources
+[sap-source]
+name=AlmaLinux $releasever - SAP Sources
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap-source
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAP/Source/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Debuginfo
+[sap-debuginfo]
+name=AlmaLinux $releasever - SAP Debuginfo
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/sap-debuginfo
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAP/debug/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

yum.repos.d/almalinux-saphana.repo

@@ -0,0 +1,28 @@
+# almalinux-saphana.repo
+
+[saphana]
+name=AlmaLinux $releasever - SAP HANA
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana
+# baseurl=https://repo.almalinux.org/almalinux/$releasever/SAPHANA/$basearch/os/
+enabled=0
+gpgcheck=1
+countme=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Sources
+[saphana-source]
+name=AlmaLinux $releasever - SAP HANA Sources
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana-source
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAPHANA/Source/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
+
+## Debuginfo
+[saphana-debuginfo]
+name=AlmaLinux $releasever - SAP HANA Debuginfo
+mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/saphana-debuginfo
+# baseurl=https://repo.almalinux.org/vault/$releasever/SAPHANA/debug/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

yum.repos.d/epel-modular.repo

@@ -1,16 +1,18 @@
 [epel-modular]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place its address here.
 #baseurl=https://download.example/pub/epel/8/Modular/$basearch
 metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-modular-8&arch=$basearch&infra=$infra&content=$contentdir
-enabled=1
+enabled=0
 gpgcheck=1
 countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 
 [epel-modular-debuginfo]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Debug
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Debug - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place its address here.
 #baseurl=https://download.example/pub/epel/8/Modular/$basearch/debug
@@ -20,7 +22,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 
 [epel-modular-source]
-name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Source
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - $basearch - Source - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place it's address here.
 #baseurl=https://download.example/pub/epel/8/Modular/source/tree/

yum.repos.d/epel-testing-modular.repo

@@ -1,5 +1,6 @@
 [epel-testing-modular]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place its address here.
 #baseurl=https://download.example/pub/epel/testing/8/Modular/$basearch
@@ -10,7 +11,8 @@ countme=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 
 [epel-testing-modular-debuginfo]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Debug
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Debug - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place its address here.
 #baseurl=https://download.example/pub/epel/testing/8/Modular/$basearch/debug
@@ -20,7 +22,8 @@ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 
 [epel-testing-modular-source]
-name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Source
+# This repo has been DEPRECATED, see https://pagure.io/epel/issue/198 for more details.
+name=Extra Packages for Enterprise Linux Modular 8 - Testing - $basearch - Source - DEPRECATED
 # It is much more secure to use the metalink, but if you wish to use a local mirror
 # place it's address here.
 #baseurl=https://download.example/pub/epel/testing/8/Modular/source/tree/