diff --git a/.etckeeper b/.etckeeper
index b8f58e4..18c7d7f 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -28,7 +28,6 @@ mkdir -p './cups'
mkdir -p './dbus-1/session.d'
mkdir -p './dconf/db/local.d/locks'
mkdir -p './dconf/db/site.d/locks'
-mkdir -p './debuginfod'
mkdir -p './dkms/framework.conf.d'
mkdir -p './dnf/aliases.d'
mkdir -p './dnf/modules.defaults.d'
@@ -96,7 +95,6 @@ mkdir -p './polkit-1/localauthority/50-local.d'
mkdir -p './polkit-1/localauthority/90-mandatory.d'
mkdir -p './pyzor'
mkdir -p './qemu-ga/fsfreeze-hook.d'
-mkdir -p './rhsm/ca'
mkdir -p './rhsm/facts'
mkdir -p './rhsm/pluginconf.d'
mkdir -p './rspamd/override.d'
@@ -453,7 +451,6 @@ maybe chmod 0644 'dbus-1/system.conf'
maybe chmod 0755 'dbus-1/system.d'
maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.Facts.conf'
maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.conf'
-maybe chmod 0644 'dbus-1/system.d/com.redhat.tuned.conf'
maybe chmod 0644 'dbus-1/system.d/nm-dispatcher.conf'
maybe chmod 0644 'dbus-1/system.d/nm-ifcfg-rh.conf'
maybe chmod 0644 'dbus-1/system.d/oddjob-mkhomedir.conf'
@@ -476,6 +473,7 @@ maybe chmod 0755 'dconf/db/site.d/locks'
maybe chmod 0755 'dconf/profile'
maybe chmod 0644 'dconf/profile/user'
maybe chmod 0755 'debuginfod'
+maybe chmod 0644 'debuginfod/elfutils.urls'
maybe chmod 0755 'default'
maybe chmod 0640 'default/color'
maybe chmod 0644 'default/grub'
@@ -920,6 +918,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf'
maybe chmod 0644 'httpd/conf.d/php.conf'
maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
maybe chmod 0644 'httpd/conf.d/userdir.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -3468,6 +3467,7 @@ maybe chmod 0644 'libibverbs.d/efa.driver'
maybe chmod 0644 'libibverbs.d/hfi1verbs.driver'
maybe chmod 0644 'libibverbs.d/hns.driver'
maybe chmod 0644 'libibverbs.d/irdma.driver'
+maybe chmod 0644 'libibverbs.d/mana.driver'
maybe chmod 0644 'libibverbs.d/mlx4.driver'
maybe chmod 0644 'libibverbs.d/mlx5.driver'
maybe chmod 0644 'libibverbs.d/qedr.driver'
@@ -5648,6 +5648,8 @@ maybe chmod 0644 'profile.d/colorxzgrep.sh'
maybe chmod 0644 'profile.d/colorzgrep.csh'
maybe chmod 0644 'profile.d/colorzgrep.sh'
maybe chmod 0644 'profile.d/csh.local'
+maybe chmod 0644 'profile.d/debuginfod.csh'
+maybe chmod 0644 'profile.d/debuginfod.sh'
maybe chmod 0644 'profile.d/gawk.csh'
maybe chmod 0644 'profile.d/gawk.sh'
maybe chmod 0640 'profile.d/grc.sh'
@@ -5712,6 +5714,8 @@ maybe chmod 0644 'resolv.conf'
maybe chmod 0644 'resolv.conf.save'
maybe chmod 0755 'rhsm'
maybe chmod 0755 'rhsm/ca'
+maybe chmod 0644 'rhsm/ca/redhat-entitlement-authority.pem'
+maybe chmod 0644 'rhsm/ca/redhat-uep.pem'
maybe chmod 0755 'rhsm/facts'
maybe chmod 0644 'rhsm/logging.conf'
maybe chmod 0755 'rhsm/pluginconf.d'
@@ -5823,6 +5827,7 @@ maybe chmod 0644 'rspamd/worker-fuzzy.inc'
maybe chmod 0644 'rspamd/worker-normal.inc'
maybe chmod 0644 'rspamd/worker-proxy.inc'
maybe chmod 0644 'rsyslog.conf'
+maybe chmod 0644 'rsyslog.conf.rpmnew'
maybe chmod 0755 'rsyslog.d'
maybe chmod 0640 'rsyslog.d/00-backup.conf'
maybe chmod 0640 'rsyslog.d/docker.conf'
diff --git a/almalinux-release b/almalinux-release
index 1e5acad..2d71103 100644
--- a/almalinux-release
+++ b/almalinux-release
@@ -1 +1 @@
-AlmaLinux release 8.8 (Sapphire Caracal)
+AlmaLinux release 8.9 (Midnight Oncilla)
diff --git a/almalinux-release-upstream b/almalinux-release-upstream
index 3c51791..c053c08 100644
--- a/almalinux-release-upstream
+++ b/almalinux-release-upstream
@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.8 (Source)
+Derived from Red Hat Enterprise Linux 8.9 (Source)
diff --git a/ansible/hosts b/ansible/hosts
index e84a30c..23d85a5 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -28,6 +28,10 @@
## www[001:006].example.com
+# You can also use ranges for multiple hosts:
+
+## db-[99:101]-node.example.com
+
# Ex 3: A collection of database servers in the 'dbservers' group:
## [dbservers]
@@ -37,8 +41,14 @@
## 10.25.1.56
## 10.25.1.57
-# Here's another example of host ranges, this time there are no
-# leading 0s:
-## db-[99:101]-node.example.com
+# Ex4: Multiple hosts arranged into groups such as 'Debian' and 'openSUSE':
+
+## [Debian]
+## alpha.example.org
+## beta.example.org
+
+## [openSUSE]
+## green.example.com
+## blue.example.com
diff --git a/crypto-policies/state/CURRENT.pol b/crypto-policies/state/CURRENT.pol
index 84e1d05..5e1eaf0 100644
--- a/crypto-policies/state/CURRENT.pol
+++ b/crypto-policies/state/CURRENT.pol
@@ -23,6 +23,7 @@ cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GC
protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
+mac@krb5 = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
protocol@libreswan = IKEv2
cipher@nss = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
protocol@nss = TLS1.3 TLS1.2 DTLS1.2
diff --git a/dbus-1/system.d/com.redhat.tuned.conf b/dbus-1/system.d/com.redhat.tuned.conf
deleted file mode 100644
index c3b4277..0000000
--- a/dbus-1/system.d/com.redhat.tuned.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/debuginfod/elfutils.urls b/debuginfod/elfutils.urls
new file mode 100644
index 0000000..1f54c3c
--- /dev/null
+++ b/debuginfod/elfutils.urls
@@ -0,0 +1 @@
+https://debuginfod.centos.org/
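Review bot: Dropping this URL into `/etc/debuginfod` switches on automatic remote debuginfo fetching for every debuginfod-aware tool on the host (gdb, the elfutils utilities, and anything else that honours `DEBUGINFOD_URLS`), so debugging a binary now sends its build-ID to debuginfod.centos.org and pulls and runs with whatever that server returns; on a production server that outbound call and that trust are usually unwanted. If it is not intended here, do not just delete the file (a package update will recreate it) — leave an empty `elfutils.urls` with `# intentionally empty: no remote debuginfod` and confirm no other `*.urls` files exist in the directory, since the profile.d snippets concatenate all of them. If it is intended, the transport is HTTPS, and the `DEBUGINFOD_MAXSIZE`/`DEBUGINFOD_MAXTIME` knobs mentioned in `profile.d/debuginfod.sh` are the place to bound what a client will download.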
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
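Review bot: HTTPS on port 443 is (re-)enabled here with the package's self-signed `localhost.crt`/`localhost.key` (`Listen 443 https`, `SSLEngine on`, `SSLCertificateFile`/`SSLCertificateKeyFile`), while `ssl.conf_disabled` still sits in the same directory according to the `.etckeeper` hunk — which looks like an admin had disabled mod_ssl by renaming and the mod_ssl upgrade restored the missing default. Renaming does not survive upgrades; if TLS is meant to be configured elsewhere, keep a file at this path so RPM leaves it alone, e.g. replace the contents with `# intentionally empty: TLS vhosts are configured in <site>.conf` and remove the stray `ssl.conf_disabled`. If HTTPS here is intended, replace the snake-oil key/cert with a real one and run `apachectl configtest` to catch a second `Listen 443` from another conf.d file. The `VirtualHost`/`Files`/`Directory` container tags also appear to be missing around the blank lines before `#DocumentRoot` and around the two `SSLOptions +StdEnvVars` lines; that may be a rendering artefact, but verify the on-disk file still has them, since without the vhost wrapper `SSLEngine on` applies to the main server.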
diff --git a/libibverbs.d/mana.driver b/libibverbs.d/mana.driver
new file mode 100644
index 0000000..6e0584b
--- /dev/null
+++ b/libibverbs.d/mana.driver
@@ -0,0 +1 @@
+driver mana
diff --git a/lvm/lvm.conf b/lvm/lvm.conf
index 08268a0..2e760c4 100644
--- a/lvm/lvm.conf
+++ b/lvm/lvm.conf
@@ -650,11 +650,6 @@ allocation {
# This configuration option has an automatic default value.
# vdo_block_map_period = 16380
- # Configuration option allocation/vdo_check_point_frequency.
- # The default check point frequency for VDO volume.
- # This configuration option has an automatic default value.
- # vdo_check_point_frequency = 0
-
# Configuration option allocation/vdo_use_sparse_index.
# Enables sparse indexing for VDO volume.
# This configuration option has an automatic default value.
@@ -1318,10 +1313,10 @@ global {
# Configuration option global/vdo_disabled_features.
# Features to not use in the vdo driver.
# This can be helpful for testing, or to avoid using a feature that is
- # causing problems. Features include: online_rename
+ # causing problems. Features include: online_rename, version4
#
# Example
- # vdo_disabled_features = [ "online_rename" ]
+ # vdo_disabled_features = [ "online_rename", "version4" ]
#
# This configuration option does not have a default value defined.
diff --git a/lvm/profile/vdo-small.profile b/lvm/profile/vdo-small.profile
index 2044fc2..97b5b37 100644
--- a/lvm/profile/vdo-small.profile
+++ b/lvm/profile/vdo-small.profile
@@ -8,7 +8,6 @@ allocation {
vdo_minimum_io_size=4096
vdo_block_map_cache_size_mb=128
vdo_block_map_period=16380
- vdo_check_point_frequency=0
vdo_use_sparse_index=0
vdo_index_memory_size_mb=256
vdo_slab_size_mb=2048
diff --git a/nftables/nat.nft b/nftables/nat.nft
index 7079893..905179c 100644
--- a/nftables/nat.nft
+++ b/nftables/nat.nft
@@ -18,13 +18,21 @@ table ip nftables_svc {
elements = { 192.168.122.0/24 }
}
+ # force port randomization for non-locally originated connections using
+ # suspicious port values to prevent port-shadow attacks, i.e.
+ # accidental matching of new inbound connections vs. existing ones
+ chain do_masquerade {
+ meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+ masquerade
+ }
+
# base-chain to manipulate conntrack in postrouting,
# will see packets for new or related traffic only
chain POSTROUTING {
type nat hook postrouting priority srcnat + 20
policy accept
- iifname @masq_interfaces oifname != @masq_interfaces masquerade
- ip saddr @masq_ips masquerade
+ iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+ ip saddr @masq_ips jump do_masquerade
}
}
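Review bot: Port randomisation in `do_masquerade` only fires for the heuristic `th sport < 16384 th dport >= 32768`; every other forwarded connection falls through to the plain `masquerade`, which leaves the kernel's default (port-preserving where possible) selection and thus still lets a peer influence the externally visible port. If the intent is to defeat port-shadow/port-prediction regardless of the ports the client chose, an unconditional `meta iif > 0 masquerade random` for all non-locally-originated traffic is simpler and not noticeably more expensive (`fully-random` if hash-based selection is not considered sufficient). Also worth stating in the comment: `th sport`/`th dport` only match protocols that carry transport ports, so ICMP and other port-less protocols always take the second rule. This is the packaged sample, so none of it is active unless `nftables.conf` includes `nat.nft`.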
diff --git a/pam.d/smartcard-auth b/pam.d/smartcard-auth
index 9572770..e8a6745 100644
--- a/pam.d/smartcard-auth
+++ b/pam.d/smartcard-auth
@@ -1,19 +1,4 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
-auth required pam_env.so
-auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-auth required pam_deny.so
-
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-password optional pam_pkcs11.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
+auth sufficient pam_sss.so allow_missing_name
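Review bot: The file is now a single `auth sufficient pam_sss.so allow_missing_name` with no `account`, `password` or `session` lines and no closing `pam_deny.so`, so any service file that does `account include smartcard-auth` or `session include smartcard-auth` now gets nothing from it, and an `auth substack smartcard-auth` caller must provide its own final deny. Check every file that references it (`grep -l smartcard-auth /etc/pam.d/*`) and make sure each pulls account/session handling from `password-auth`/`system-auth` rather than from here. The move from `pam_pkcs11` to `pam_sss` also hands certificate mapping to sssd, so `pam_cert_auth = True` in the `[pam]` section of `sssd.conf`, plus whatever certificate-to-user mapping the deployment uses, must be in place or card logins will simply fail. As the header says this is authselect-managed, any adjustment belongs in `authselect select … with-smartcard` (or a custom profile), not in a hand edit.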
diff --git a/profile.d/debuginfod.csh b/profile.d/debuginfod.csh
new file mode 100644
index 0000000..c676597
--- /dev/null
+++ b/profile.d/debuginfod.csh
@@ -0,0 +1,16 @@
+# $HOME/.login* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if (! $?DEBUGINFOD_URLS) then
+ set prefix="/usr"
+ set DEBUGINFOD_URLS=`sh -c 'cat /dev/null "$0"/*.urls 2>/dev/null; :' "/etc/debuginfod" | tr '\n' ' '`
+ if ( "$DEBUGINFOD_URLS" != "" ) then
+ setenv DEBUGINFOD_URLS "$DEBUGINFOD_URLS"
+ else
+ unset DEBUGINFOD_URLS
+ endif
+ unset prefix
+endif
diff --git a/profile.d/debuginfod.sh b/profile.d/debuginfod.sh
new file mode 100644
index 0000000..7c93b50
--- /dev/null
+++ b/profile.d/debuginfod.sh
@@ -0,0 +1,12 @@
+# $HOME/.profile* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if [ -z "$DEBUGINFOD_URLS" ]; then
+ prefix="/usr"
+ DEBUGINFOD_URLS=$(cat /dev/null "/etc/debuginfod"/*.urls 2>/dev/null | tr '\n' ' ')
+ [ -n "$DEBUGINFOD_URLS" ] && export DEBUGINFOD_URLS || unset DEBUGINFOD_URLS
+ unset prefix
+fi
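Review bot: The guard `[ -z "$DEBUGINFOD_URLS" ]` tests for empty rather than unset, so an opt-out that exports an empty `DEBUGINFOD_URLS` before this snippet runs (e.g. `DEBUGINFOD_URLS=` via pam_env or an earlier profile.d file) is silently overridden with the CentOS server, whereas the csh twin uses `$?DEBUGINFOD_URLS` and respects it; the header comment ("If $DEBUGINFOD_URLS is not set there") describes the csh behaviour, not this one. `if [ -z "${DEBUGINFOD_URLS+set}" ]; then` makes the two files agree and matches the comment. `prefix="/usr"` is assigned and unset but never read (a leftover of template substitution) and can go, and the `[ -n … ] && export … || unset …` chain would run `unset` if `export` ever failed — harmless here, but an `if … else … fi` says what is meant.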
diff --git a/rhsm/ca/redhat-entitlement-authority.pem b/rhsm/ca/redhat-entitlement-authority.pem
new file mode 100644
index 0000000..e1b9919
--- /dev/null
+++ b/rhsm/ca/redhat-entitlement-authority.pem
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rhsm/ca/redhat-uep.pem b/rhsm/ca/redhat-uep.pem
new file mode 100644
index 0000000..71b0a72
--- /dev/null
+++ b/rhsm/ca/redhat-uep.pem
@@ -0,0 +1,119 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/rhsm/rhsm.conf b/rhsm/rhsm.conf
index 78e917e..1035ccc 100644
--- a/rhsm/rhsm.conf
+++ b/rhsm/rhsm.conf
@@ -108,3 +108,4 @@ default_log_level = INFO
# rhsm = DEBUG
# rhsm.connection = DEBUG
# rhsm-app = DEBUG
+# rhsmcertd = DEBUG
diff --git a/rspamd/composites.conf b/rspamd/composites.conf
index fe89808..e38d64e 100644
--- a/rspamd/composites.conf
+++ b/rspamd/composites.conf
@@ -163,7 +163,7 @@ composites {
group = "scams";
}
FREEMAIL_AFF {
- expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
score = 4.0;
policy = "leave";
description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
@@ -181,6 +181,12 @@ composites {
description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
group = "compromised_hosts";
}
+ SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
+ expression = "(REDIRECTOR_URL | HAS_ANON_DOMAIN | HAS_IPFS_GATEWAY_URL) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";
+ score = 1.0;
+ policy = "leave";
+ description = "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL";
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
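Review bot: `SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE` omits the `group` key that the neighbouring composites carry (`group = "scams"`, `group = "compromised_hosts"`), so it presumably shows up ungrouped in metrics and cannot be tuned through the group-level settings the others use; adding a `group = "…";` line consistent with the site's URL-reputation scoring keeps it in step. Since this is the packaged `composites.conf`, any such tweak belongs in `local.d/composites.conf`, which the `.include(… duplicate=merge)` line merges in, so that the next upgrade does not drop it.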
diff --git a/rsyslog.conf.rpmnew b/rsyslog.conf.rpmnew
new file mode 100644
index 0000000..f5db1cc
--- /dev/null
+++ b/rsyslog.conf.rpmnew
@@ -0,0 +1,80 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
+ SysSock.Use="off") # Turn off message reception via local log socket;
+ # local messages are retrieved through imjournal now.
+module(load="imjournal" # provides access to the systemd journal
+ UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
+ StateFile="imjournal.state") # File to store the position in the journal
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* -/var/log/maillog
+
+
+# Log cron stuff
+cron.* /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+
+# ### sample forwarding rule ###
+#action(type="omfwd"
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#queue.filename="fwdRule1" # unique name prefix for spool files
+#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
+#queue.saveonshutdown="on" # save messages to disk on shutdown
+#queue.type="LinkedList" # run asynchronously
+#action.resumeRetryCount="-1" # infinite retries if host is down
+# Remote Logging (we use TCP for reliable delivery)
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+#Target="remote_host" Port="XXX" Protocol="tcp")
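Review bot: An `.rpmnew` file is never read by rsyslog, so this new packaged default changes nothing until it is merged into `rsyslog.conf`; leaving it in place means the live configuration and the vendor one diverge indefinitely and etckeeper keeps tracking both. Diff it against the live file (`diff -u /etc/rsyslog.conf /etc/rsyslog.conf.rpmnew`), port over what is wanted — the rules here are the stock ones, with `authpriv.*` still isolated in `/var/log/secure` — validate with `rsyslogd -N1`, and delete the `.rpmnew`. If this host is supposed to ship logs to a collector, note that the commented `omfwd` sample uses plain `Protocol="tcp"`, which sends logs in clear; a TLS stream driver should be configured on that action rather than copying the sample as-is.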
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index 654e0bd..f27916f 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-9371168ea4ca64ad6610f35f6ad045755662c50b03f2a034c0705449e59bdd39ba6b52bd0cb7ebf705b7ea311ba43d91f55544775215fa5ef1d1b04d9e21fff2
+da21fddcacbf8f3ec089e14164092f9fc387952f306da7cb453df6b823b94227ab2d5d5605d49e25350050f62133f9c09fd30eef16a837456b0b59b8c4f6873b
diff --git a/selinux/targeted/contexts/files/file_contexts b/selinux/targeted/contexts/files/file_contexts
index fb8cb47..ac8d2ba 100644
--- a/selinux/targeted/contexts/files/file_contexts
+++ b/selinux/targeted/contexts/files/file_contexts
@@ -802,7 +802,6 @@
/usr/bin/ocid.* -- system_u:object_r:container_runtime_exec_t:s0
/usr/bin/ping.* -- system_u:object_r:ping_exec_t:s0
/usr/bin/wine.* -- system_u:object_r:wine_exec_t:s0
-/usr/sbin/rip.* -- system_u:object_r:zebra_exec_t:s0
/var/lock/LCK.. -- system_u:object_r:apcupsd_lock_t:s0
/var/log/Xorg.* -- system_u:object_r:xserver_log_t:s0
/var/log/btmp.* -- system_u:object_r:faillog_t:s0
@@ -2444,6 +2443,7 @@
/var/run/avahi-daemon(/.*)? system_u:object_r:avahi_var_run_t:s0
/var/run/dlm_controld(/.*)? system_u:object_r:dlm_controld_var_run_t:s0
/var/run/libvirt/qemu(/.*)? system_u:object_r:qemu_var_run_t:s0
+/var/run/opencryptoki(/.*)? system_u:object_r:pkcs_slotd_var_run_t:s0
/var/run/pcscd\.events(/.*)? system_u:object_r:pcscd_var_run_t:s0
/var/run/sanlk-resetd(/.*)? system_u:object_r:sanlock_var_run_t:s0
/var/run/spamassassin(/.*)? system_u:object_r:spamd_var_run_t:s0
@@ -3664,6 +3664,7 @@
/usr/sbin/pvs -- system_u:object_r:lvm_exec_t:s0
/usr/sbin/sbd -- system_u:object_r:sbd_exec_t:s0
/usr/sbin/sln -- system_u:object_r:ldconfig_exec_t:s0
+/usr/sbin/sos -- system_u:object_r:sosreport_exec_t:s0
/usr/sbin/tlp -- system_u:object_r:tlp_exec_t:s0
/usr/sbin/tor -- system_u:object_r:tor_exec_t:s0
/usr/sbin/vgs -- system_u:object_r:lvm_exec_t:s0
@@ -3805,6 +3806,7 @@
/usr/sbin/pptp -- system_u:object_r:pptp_exec_t:s0
/usr/sbin/psad -- system_u:object_r:psad_exec_t:s0
/usr/sbin/pump -- system_u:object_r:dhcpc_exec_t:s0
+/usr/sbin/ripd -- system_u:object_r:zebra_exec_t:s0
/usr/sbin/rngd -- system_u:object_r:rngd_exec_t:s0
/usr/sbin/runc -- system_u:object_r:container_runtime_exec_t:s0
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t:s0
@@ -4138,6 +4140,7 @@
/usr/sbin/qdiskd -- system_u:object_r:qdiskd_exec_t:s0
/usr/sbin/racoon -- system_u:object_r:racoon_exec_t:s0
/usr/sbin/reposd -- system_u:object_r:sblim_reposd_exec_t:s0
+/usr/sbin/ripngd -- system_u:object_r:zebra_exec_t:s0
/usr/sbin/rklogd -- system_u:object_r:klogd_exec_t:s0
/usr/sbin/setkey -- system_u:object_r:setkey_exec_t:s0
/usr/sbin/sfdisk -- system_u:object_r:fsadm_exec_t:s0
@@ -6276,6 +6279,7 @@
/usr/lib/nspluginwrapper/plugin-config -- system_u:object_r:mozilla_plugin_config_exec_t:s0
/usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t:s0
/usr/lib/systemd/systemd-socket-proxyd -- system_u:object_r:systemd_socket_proxyd_exec_t:s0
+/usr/libexec/openssh/ssh-pkcs11-helper -- system_u:object_r:ssh_agent_exec_t:s0
/usr/share/cluster/fence_scsi_check\.pl -- system_u:object_r:fenced_exec_t:s0
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
/usr/share/munin/plugins/http_loadtime -- system_u:object_r:services_munin_plugin_exec_t:s0
@@ -6337,6 +6341,7 @@
/etc/rc\.d/init\.d/openstack-glance-registry -- system_u:object_r:glance_registry_initrc_exec_t:s0
/etc/rc\.d/init\.d/openstack-glance-scrubber -- system_u:object_r:glance_scrubber_initrc_exec_t:s0
/usr/lib/policykit/polkit-read-auth-helper -- system_u:object_r:policykit_auth_exec_t:s0
+/usr/lib/systemd/system/mimedefang\.service -- system_u:object_r:antivirus_unit_file_t:s0
/usr/lib/xfce4/session/balou-install-theme -- system_u:object_r:bin_t:s0
/usr/lib/xorg/modules/drivers/nvidia_drv\.o -- system_u:object_r:textrel_shlib_t:s0
/usr/share/PackageKit/pk-upgrade-distro\.sh -- system_u:object_r:bin_t:s0
diff --git a/selinux/targeted/contexts/files/file_contexts.bin b/selinux/targeted/contexts/files/file_contexts.bin
index 160be78..511e8d2 100644
Binary files a/selinux/targeted/contexts/files/file_contexts.bin and b/selinux/targeted/contexts/files/file_contexts.bin differ
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index cdc209b..933a11a 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ
diff --git a/tuned/tuned-main.conf b/tuned/tuned-main.conf
index 54a0b3e..c58474f 100644
--- a/tuned/tuned-main.conf
+++ b/tuned/tuned-main.conf
@@ -75,3 +75,10 @@ log_file_max_size = 1MB
# Size of connections backlog for listen function on socket
# Higher value allows to process requests from more clients
# connections_backlog = 1024
+
+# TuneD daemon rollback strategy. Supported values: auto|not_on_exit
+# - auto: rollbacks are always performed on a profile switch or
+# graceful TuneD process exit
+# - not_on_exit: rollbacks are always performed on a profile
+# switch, but not on any kind of TuneD process exit
+# rollback = auto