committing changes in /etc made by "-bash"

Package changes:

.etckeeper

@@ -28,7 +28,6 @@ mkdir -p './cups'
 mkdir -p './dbus-1/session.d'
 mkdir -p './dconf/db/local.d/locks'
 mkdir -p './dconf/db/site.d/locks'
-mkdir -p './debuginfod'
 mkdir -p './dkms/framework.conf.d'
 mkdir -p './dnf/aliases.d'
 mkdir -p './dnf/modules.defaults.d'
@@ -96,7 +95,6 @@ mkdir -p './polkit-1/localauthority/50-local.d'
 mkdir -p './polkit-1/localauthority/90-mandatory.d'
 mkdir -p './pyzor'
 mkdir -p './qemu-ga/fsfreeze-hook.d'
-mkdir -p './rhsm/ca'
 mkdir -p './rhsm/facts'
 mkdir -p './rhsm/pluginconf.d'
 mkdir -p './rspamd/override.d'
@@ -453,7 +451,6 @@ maybe chmod 0644 'dbus-1/system.conf'
 maybe chmod 0755 'dbus-1/system.d'
 maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.Facts.conf'
 maybe chmod 0644 'dbus-1/system.d/com.redhat.RHSM1.conf'
-maybe chmod 0644 'dbus-1/system.d/com.redhat.tuned.conf'
 maybe chmod 0644 'dbus-1/system.d/nm-dispatcher.conf'
 maybe chmod 0644 'dbus-1/system.d/nm-ifcfg-rh.conf'
 maybe chmod 0644 'dbus-1/system.d/oddjob-mkhomedir.conf'
@@ -476,6 +473,7 @@ maybe chmod 0755 'dconf/db/site.d/locks'
 maybe chmod 0755 'dconf/profile'
 maybe chmod 0644 'dconf/profile/user'
 maybe chmod 0755 'debuginfod'
+maybe chmod 0644 'debuginfod/elfutils.urls'
 maybe chmod 0755 'default'
 maybe chmod 0640 'default/color'
 maybe chmod 0644 'default/grub'
@@ -920,6 +918,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -3468,6 +3467,7 @@ maybe chmod 0644 'libibverbs.d/efa.driver'
 maybe chmod 0644 'libibverbs.d/hfi1verbs.driver'
 maybe chmod 0644 'libibverbs.d/hns.driver'
 maybe chmod 0644 'libibverbs.d/irdma.driver'
+maybe chmod 0644 'libibverbs.d/mana.driver'
 maybe chmod 0644 'libibverbs.d/mlx4.driver'
 maybe chmod 0644 'libibverbs.d/mlx5.driver'
 maybe chmod 0644 'libibverbs.d/qedr.driver'
@@ -5648,6 +5648,8 @@ maybe chmod 0644 'profile.d/colorxzgrep.sh'
 maybe chmod 0644 'profile.d/colorzgrep.csh'
 maybe chmod 0644 'profile.d/colorzgrep.sh'
 maybe chmod 0644 'profile.d/csh.local'
+maybe chmod 0644 'profile.d/debuginfod.csh'
+maybe chmod 0644 'profile.d/debuginfod.sh'
 maybe chmod 0644 'profile.d/gawk.csh'
 maybe chmod 0644 'profile.d/gawk.sh'
 maybe chmod 0640 'profile.d/grc.sh'
@@ -5712,6 +5714,8 @@ maybe chmod 0644 'resolv.conf'
 maybe chmod 0644 'resolv.conf.save'
 maybe chmod 0755 'rhsm'
 maybe chmod 0755 'rhsm/ca'
+maybe chmod 0644 'rhsm/ca/redhat-entitlement-authority.pem'
+maybe chmod 0644 'rhsm/ca/redhat-uep.pem'
 maybe chmod 0755 'rhsm/facts'
 maybe chmod 0644 'rhsm/logging.conf'
 maybe chmod 0755 'rhsm/pluginconf.d'
@@ -5823,6 +5827,7 @@ maybe chmod 0644 'rspamd/worker-fuzzy.inc'
 maybe chmod 0644 'rspamd/worker-normal.inc'
 maybe chmod 0644 'rspamd/worker-proxy.inc'
 maybe chmod 0644 'rsyslog.conf'
+maybe chmod 0644 'rsyslog.conf.rpmnew'
 maybe chmod 0755 'rsyslog.d'
 maybe chmod 0640 'rsyslog.d/00-backup.conf'
 maybe chmod 0640 'rsyslog.d/docker.conf'

almalinux-release

@@ -1 +1 @@
-AlmaLinux release 8.8 (Sapphire Caracal)
+AlmaLinux release 8.9 (Midnight Oncilla)

almalinux-release-upstream

@@ -1 +1 @@
-Derived from Red Hat Enterprise Linux 8.8 (Source)
+Derived from Red Hat Enterprise Linux 8.9 (Source)

ansible/hosts

@@ -28,6 +28,10 @@
 
 ## www[001:006].example.com
 
+# You can also use ranges for multiple hosts: 
+
+## db-[99:101]-node.example.com
+
 # Ex 3: A collection of database servers in the 'dbservers' group:
 
 ## [dbservers]
@@ -37,8 +41,14 @@
 ## 10.25.1.56
 ## 10.25.1.57
 
-# Here's another example of host ranges, this time there are no
-# leading 0s:
 
-## db-[99:101]-node.example.com
+# Ex4: Multiple hosts arranged into groups such as 'Debian' and 'openSUSE':
+
+## [Debian]
+## alpha.example.org
+## beta.example.org
+
+## [openSUSE]
+## green.example.com
+## blue.example.com
 

crypto-policies/state/CURRENT.pol

@@ -23,6 +23,7 @@ cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GC
 protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
 cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
 protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
+mac@krb5 = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
 protocol@libreswan = IKEv2
 cipher@nss = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
 protocol@nss = TLS1.3 TLS1.2 DTLS1.2

dbus-1/system.d/com.redhat.tuned.conf

@@ -1,16 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-
-<busconfig>
-	<policy context="default">
-		<allow receive_sender="com.redhat.tuned" />
-		<allow send_destination="com.redhat.tuned" send_interface="org.freedesktop.DBus.Introspectable" />
-		<allow send_destination="com.redhat.tuned" send_interface="com.redhat.tuned.control" />
-	</policy>
-
-	<policy user="root">
-		<allow own="com.redhat.tuned" />
-		<allow send_destination="com.redhat.tuned" />
-	</policy>
-</busconfig>

debuginfod/elfutils.urls

@@ -0,0 +1 @@
+https://debuginfod.centos.org/

httpd/conf.d/ssl.conf

@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   The OpenSSL system profile is used by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+

libibverbs.d/mana.driver

@@ -0,0 +1 @@
+driver mana

lvm/lvm.conf

@@ -650,11 +650,6 @@ allocation {
 	# This configuration option has an automatic default value.
 	# vdo_block_map_period = 16380
 
-	# Configuration option allocation/vdo_check_point_frequency.
-	# The default check point frequency for VDO volume.
-	# This configuration option has an automatic default value.
-	# vdo_check_point_frequency = 0
-
 	# Configuration option allocation/vdo_use_sparse_index.
 	# Enables sparse indexing for VDO volume.
 	# This configuration option has an automatic default value.
@@ -1318,10 +1313,10 @@ global {
 	# Configuration option global/vdo_disabled_features.
 	# Features to not use in the vdo driver.
 	# This can be helpful for testing, or to avoid using a feature that is
-	# causing problems. Features include: online_rename
+	# causing problems. Features include: online_rename, version4
 	#
 	# Example
-	# vdo_disabled_features = [ "online_rename" ]
+	# vdo_disabled_features = [ "online_rename", "version4" ]
 	#
 	# This configuration option does not have a default value defined.
 

lvm/profile/vdo-small.profile

@@ -8,7 +8,6 @@ allocation {
 	vdo_minimum_io_size=4096
 	vdo_block_map_cache_size_mb=128
 	vdo_block_map_period=16380
-	vdo_check_point_frequency=0
 	vdo_use_sparse_index=0
 	vdo_index_memory_size_mb=256
 	vdo_slab_size_mb=2048

nftables/nat.nft

@@ -18,13 +18,21 @@ table ip nftables_svc {
 		elements = { 192.168.122.0/24 }
 	}
 
+	# force port randomization for non-locally originated connections using
+	# suspicious port values to prevent port-shadow attacks, i.e.
+	# accidental matching of new inbound connections vs. existing ones
+	chain do_masquerade {
+		meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+		masquerade
+	}
+
 	# base-chain to manipulate conntrack in postrouting,
 	# will see packets for new or related traffic only
 	chain POSTROUTING {
 		type nat hook postrouting priority srcnat + 20
 		policy accept
 
-		iifname @masq_interfaces oifname != @masq_interfaces masquerade
-		ip saddr @masq_ips masquerade
+		iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+		ip saddr @masq_ips jump do_masquerade
 	}
 }

pam.d/smartcard-auth

@@ -1,19 +1,4 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authselect is run.
-auth        required      pam_env.so
-auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-auth        required      pam_deny.so
-
-account     required      pam_unix.so
-account     sufficient    pam_localuser.so
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     required      pam_permit.so
-
-password    optional      pam_pkcs11.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
--session     optional      pam_systemd.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
+auth sufficient pam_sss.so allow_missing_name

profile.d/debuginfod.csh

@@ -0,0 +1,16 @@
+# $HOME/.login* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if (! $?DEBUGINFOD_URLS) then
+    set prefix="/usr"
+    set DEBUGINFOD_URLS=`sh -c 'cat /dev/null "$0"/*.urls 2>/dev/null; :' "/etc/debuginfod" | tr '\n' ' '`
+    if ( "$DEBUGINFOD_URLS" != "" ) then
+        setenv DEBUGINFOD_URLS "$DEBUGINFOD_URLS"
+    else
+        unset DEBUGINFOD_URLS
+    endif
+    unset prefix
+endif

profile.d/debuginfod.sh

@@ -0,0 +1,12 @@
+# $HOME/.profile* or similar files may first set $DEBUGINFOD_URLS.
+# If $DEBUGINFOD_URLS is not set there, we set it from system *.url files.
+# $HOME/.*rc or similar files may then amend $DEBUGINFOD_URLS.
+# See also [man debuginfod-client-config] for other environment variables
+# such as $DEBUGINFOD_MAXSIZE, $DEBUGINFOD_MAXTIME, $DEBUGINFOD_PROGRESS.
+
+if [ -z "$DEBUGINFOD_URLS" ]; then
+    prefix="/usr"
+    DEBUGINFOD_URLS=$(cat /dev/null "/etc/debuginfod"/*.urls 2>/dev/null | tr '\n' ' ')
+    [ -n "$DEBUGINFOD_URLS" ] && export DEBUGINFOD_URLS || unset DEBUGINFOD_URLS
+    unset prefix
+fi

rhsm/ca/redhat-entitlement-authority.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAIMA0GCSqGSIb3DQEBDAUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTgwOTEyMTgxMzIxWhcNMzAw
+MzE1MTgxMzIxWjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEMBQADggIBAGKk
+q5Ab0AC7SOCYq9up5z0twbe+gI72cm854+VhcxafnLP2/4nH6nQauKLKEFLI8+fV
+RAwYxm1f5nuEiaTvjPE0umYdgMlpEJQeGdW/+/DotDaOon1G6bSMEKFvaKcBHKqa
+kBxQ29trwMG2WN8qZ7/H3XzBvLZ+JrYr01vDSV0P4tcBFOytbMZeJr4xmfxiqWxp
+VUM9eGf6z+ngXyth8lohxGd9MMXwsaPdvM+wptp3AQpq5wFPWyfJqCd6uBxu09k1
+ns3Y/sya2GHqDK4bUW6gCHO13gkYviTCIBLAlX7PDeK5nYVcq8HvTLU9+H9BFGix
+YGDdHphz7i5qO/gLLLcfKhENP6jtbe8i6nwqeDzj+DMy38iMWNYFVWn1OrBaQMtf
+wlVfyRJij9SfyiUAVFld1RoPAN/haf1VmF/0dGrOigibYijqnHvDJffMUND/sbk8
+df6O6VYjvLLlwry4W4dHiLLA7NAHGtkUv2g1+oH1lQIfRG+PvZhWz4pGT1AlzfwD
+aXUfX2X+Bo9tYr9BGy5Li1pLGLvfw+an7cBAbBaw8+HhAHt+Vm4F03KX/bHlge0a
+fMYK6FoA/xQSaZ6IPm4HfPSMvhboguVG+/AZQN4/UxjDleoEz8b0CWYafcJRRZch
+BdxBjTy7JLf3j0HCbenZQF83wwtrSmiTOTK1tLsm
+-----END CERTIFICATE-----

rhsm/ca/redhat-uep.pem

@@ -0,0 +1,119 @@
+-----BEGIN CERTIFICATE-----
+MIIG/jCCBOagAwIBAgICAtYwDQYJKoZIhvcNAQELBQAwgbExCzAJBgNVBAYTAlVT
+MRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEWMBQGA1UECgwNUmVkIEhhdCwgSW5j
+LjEYMBYGA1UECwwPUmVkIEhhdCBOZXR3b3JrMTEwLwYDVQQDDChSZWQgSGF0IEVu
+dGl0bGVtZW50IE9wZXJhdGlvbnMgQXV0aG9yaXR5MSQwIgYJKoZIhvcNAQkBFhVj
+YS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMjIwMTIxMTcyNDU1WhcNMzAwNDI0MTcy
+NDU1WjCBrjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRYw
+FAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsx
+LjAsBgNVBAMMJVJlZCBIYXQgRW50aXRsZW1lbnQgUHJvZHVjdCBBdXRob3JpdHkx
+JDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBANkLqzHgFZwh1bLmTUM3IljHaXeCwFZNnhro
+DdHMZgac6FSPJSLCTpiZKTgLhTkDF/Qga/EbkMoOK9fzh/634ZuhYBiMPEximaFg
+v9QfbXmak4jPOZOv9RkTcXZOnVCu+x1TtDzCCrTQR0cSLF3EcydavruVjwXrPaRF
+Rp24nUzVJJJ60iHcp0yXKgCPyNFQLKi6l/O1yUs1yr0YpRPqf3yx5lUwH35dQp/w
+8ilC8Z2u6KMqyip36nkOXSvGjK9QEkNcKYVqIS43oJcvVdGphIvhx1pzi/LaMScv
+L1lE1M8wL2eGU7U1dusRnrWWVhGjcr+2Ar9gHsY3AUNsfno6xSa1TaPY4sx0tOhy
+vFIB1QyoZlXAHtv+cqyQoygy8INRSX4ysIc4S2HTVQno6cvAh0J3cDtBF9YR7/wH
+z0UwJq+aj4RxQ/rriK2K0i1KYDC5lmvXYpyXBnipQNSibxuXphjDN5OuF6+3SU6F
+6OZaBsmepbyjyCi5n3lzEVv+Pgass8GztYuGiBwGXEjwxRilsLrxdIlVGFFFccNJ
+76j2QOK6Kufo/2Es9KuVxlYIiLd+IbZb7py6fyAhmCQUesxB3AfWmRiXQ3Cb6GGY
+8OxqYcOpRRek2uIpqMoRhAlio3dYqbN6KXDfg5VNMglK3CF1SFwJ5E8LuaHDoAJM
+a3/+hY6nAgMBAAGjggEfMIIBGzAdBgNVHQ4EFgQUlv27HEBA/0CErbIfCybBw2pv
+1nwwgeUGA1UdIwSB3TCB2oAUxEl4VkWdHixhYMNmS1gFNy8DInuhgbakgbMwgbAx
+CzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwH
+UmFsZWlnaDEWMBQGA1UECgwNUmVkIEhhdCwgSW5jLjEYMBYGA1UECwwPUmVkIEhh
+dCBOZXR3b3JrMR4wHAYDVQQDDBVFbnRpdGxlbWVudCBNYXN0ZXIgQ0ExJDAiBgkq
+hkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbYIJAJGKz8qFAAAAMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggIBAAHXJaMuS/lKEdlmewTU
+0pKjTBpFfRSxQP1xO7stDfTDggeDSyzDx/iibX/hfw6x/Y2AyU2MtqSAiiTyYuB4
+kmK0QhqSnOzwANSpy1zn5SvB9LxO3H0v2KV6J9uJjL3v+h2zxHRo5O0X0ZxfKQS6
+5dd52S8aEvSVnxoLyr4JLxF9nEW0Dp1cu9P2qPdRWLQSLJEsbsv454KsyGsOfT3o
+YYgD8+oddMR042s5yNegBj4TohMgaeNREr7kjZzJZ+z7kgCupSSq0SG2KfihwaC1
+hju/dUq9me9JkW7hztxUrZVvrZR+hnlpD+taSDuR9JO9xLrDDfxRa377IyYjlkQW
+hdjquuo4jKWp13Vjf9/z+kuui3YFupqvbnSGoV8f2sME0Yh5DFppKLaVzTxljH3K
+YUqyfdVToqsApcWqmSLUwXDhjTzgehqIcQfyK/Klx5+wm4jsKBUeSalS684ML8iT
+8+LNjw8eMBX5sM9ZuiU4tpqFoXiwrYwk05RPLI6Rr5kunRIfRvSnQJ07pMTfSmtx
+Qrz8crKhTY3+HxiZJ/486bOQm+Bz3rf2DyZopY06Q2sm79Y3ax/j3vdYyBEoKzuU
+YjTwYnAoxQWrjgbpvutdTlVTgTrRz2NSEgPyX59LQWa6+zFMbvAt0y8FW76p+e+p
+PQBPkUhYa+TflZocXlPSXau9
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGejCCBGKgAwIBAgIJAJGKz8qFAAAAMA0GCSqGSIb3DQEBCwUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMjIwMTIxMTYyOTA1WhcNMzIw
+MTE5MTYyOTA1WjCBsTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQLDA9SZWQgSGF0IE5l
+dHdvcmsxMTAvBgNVBAMMKFJlZCBIYXQgRW50aXRsZW1lbnQgT3BlcmF0aW9ucyBB
+dXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALsmiohDnNvIpBMZVJR5pbP6
+GrE5B4doUmvTeR4XJ5C66uvFTwuGTVigNXAL+0UWf9r2AwxKEPCy65h7fLbyK4W7
+/xEZPVsamQYDHpyBwlkPkJ3WhHneqQWC8bKkv8Iqu08V+86biCDDAh6uP0SiAz7a
+NGaLEnOe5L9WNfsYyNwrG+2AfiLy/1LUtmmg5dc6Ln7R+uv0PZJ5J2iUbiT6lMz3
+v73zAxuEjiDNurZzxzHSSEYzw0W1eO6zM4F26gcOuH2BHemPMjHi+c1OnheaafDE
+HQJTNgECz5Xe7WGdZwOyn9a8GtMvm0PAhGVyp7RAWxxfoU1B794cBb66IKKjliJQ
+5DKoqyxD9qJbMF8U4Kd1ZIVB0Iy2WEaaqCFMIi3xtlWVUNku5x21ewMmJvwjnWZA
+tUeKQUFwIXqSjuOoZDu80H6NQb+4dnRSjWlx/m7HPk75m0zErshpB2HSKUnrs4wR
+i7GsWDDcqBus7eLMwUZPvDNVcLQu/2Y4DUHNbJbn7+DwEqi5D0heC+dyY8iS45gp
+I/yhVvq/GfKL+dqjaNaE4CorJJA5qJ9f383Ol/aub+aJeBahCBNuVa2daA9Bo3BA
+dnL7KkILPFyCcEhQITnu70Qn9sQlwYcRoYF2LWAm9DtLrBT0Y0w7wQHh8vNhwEQ7
+k5G87WpwzcC8y6ePR0vFAgMBAAGjgZMwgZAwHQYDVR0OBBYEFMRJeFZFnR4sYWDD
+ZktYBTcvAyJ7MB8GA1UdIwQYMBaAFIhLpkXERuyP1s+m9hrPJjyQzH8XMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHREE
+GTAXgRVjYS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQELBQADggIBAJ7G
+6lRBNMUJuXE9LevQ5ppJFQH46LTYDgYKDKKmYgQMtxHxLlsU+2Z/ZXClHYN0fVhK
+JLiZsYPHaGpTtlMXQjIwuRE2tNezaBejJCyqRiPAp7wlbFwHijcqW3j9X1tsVul9
+ry0IEHKe1uK/EtObPpGMGugsUSIRul38X+gDkkkVnIczl8xCxmpRu4XZuGZZsCR2
+O8eZM4pyjucMRskf6oC8FpJbTa+DHJlSLyZanMmNAs3Vg58FlJL+hTOHklPg9QnC
+rSqZRfexbaqN1L9bjg5QQihCrkMRnD1T5as+8YZjDOJh1KLbVi75YFlC9KLcQ9qu
+iQP6knsyjdn5o9lTNF021nOO6rK5nwXPDbRPu/G3un1PjQWSv+KhktJqPOCvLoXN
+/20AqMqEVTcPgEiGYB3U3IVD8+EX7J+1xl8fBYTi9IUZGpjBuPtovPMmmVq4mN2G
+KXu8ehqgn/coNql1TYseNXfgYVnBV1g0VaQ57PpSHNQRyANQ3grjZ1dhpLsptzT2
+bP1PBUvltR8ROTg9syo54tIvhWRO3sIpwftK6IeF5MYcyhyG32GoM6qcgiLFL87j
+DLA87Vtwm02AAx0TBGVlDgsUflMeR3N0Y5PK1tuqGWf+E19/rsnbPgkedGdjb1Bp
+tKXPTiXLrM+P1uEq3eSVmm5vWHwB/QZ4XOQgobPk
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIHZDCCBUygAwIBAgIJAOb+QiglyeZeMA0GCSqGSIb3DQEBBQUAMIGwMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0
+d29yazEeMBwGA1UEAwwVRW50aXRsZW1lbnQgTWFzdGVyIENBMSQwIgYJKoZIhvcN
+AQkBFhVjYS1zdXBwb3J0QHJlZGhhdC5jb20wHhcNMTAwMzE3MTkwMDQ0WhcNMzAw
+MzEyMTkwMDQ0WjCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9s
+aW5hMRAwDgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgw
+FgYDVQQLDA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1h
+c3RlciBDQTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2Z+mW7OYcBcGxWS+RSKG2GJ2
+csMXiGGfEp36vKVsIvypmNS60SkicKENMYREalbdSjrgfXxPJygZWsVWJ5lHPfBV
+o3WkFrFHTIXd/R6LxnaHD1m8Cx3GwEeuSlE/ASjc1ePtMnsHH7xqZ9wdl85b1C8O
+scgO7fwuM192kvv/veI/BogIqUQugtG6szXpV8dp4ml029LXFoNIy2lfFoa2wKYw
+MiUHwtYgAz7TDY63e8qGhd5PoqTv9XKQogo2ze9sF9y/npZjliNy5qf6bFE+24oW
+E8pGsp3zqz8h5mvw4v+tfIx5uj7dwjDteFrrWD1tcT7UmNrBDWXjKMG81zchq3h4
+etgF0iwMHEuYuixiJWNzKrLNVQbDmcLGNOvyJfq60tM8AUAd72OUQzivBegnWMit
+CLcT5viCT1AIkYXt7l5zc/duQWLeAAR2FmpZFylSukknzzeiZpPclRziYTboDYHq
+revM97eER1xsfoSYp4mJkBHfdlqMnf3CWPcNgru8NbEPeUGMI6+C0YvknPlqDDtU
+ojfl4qNdf6nWL+YNXpR1YGKgWGWgTU6uaG8Sc6qGfAoLHh6oGwbuz102j84OgjAJ
+DGv/S86svmZWSqZ5UoJOIEqFYrONcOSgztZ5tU+gP4fwRIkTRbTEWSgudVREOXhs
+bfN1YGP7HYvS0OiBKZUCAwEAAaOCAX0wggF5MB0GA1UdDgQWBBSIS6ZFxEbsj9bP
+pvYazyY8kMx/FzCB5QYDVR0jBIHdMIHagBSIS6ZFxEbsj9bPpvYazyY8kMx/F6GB
+tqSBszCBsDELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw
+DgYDVQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRgwFgYDVQQL
+DA9SZWQgSGF0IE5ldHdvcmsxHjAcBgNVBAMMFUVudGl0bGVtZW50IE1hc3RlciBD
+QTEkMCIGCSqGSIb3DQEJARYVY2Etc3VwcG9ydEByZWRoYXQuY29tggkA5v5CKCXJ
+5l4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEG
+MCAGA1UdEQQZMBeBFWNhLXN1cHBvcnRAcmVkaGF0LmNvbTAgBgNVHRIEGTAXgRVj
+YS1zdXBwb3J0QHJlZGhhdC5jb20wDQYJKoZIhvcNAQEFBQADggIBAJ1hEdNBDTRr
+6kI6W6stoogSUwjuiWPDY8DptwGhdpyIfbCoxvBR7F52DlwyXOpCunogfKMRklnE
+gH1Wt66RYkgNuJcenKHAhR5xgSLoPCOVF9rDjMunyyBuxjIbctM21R7BswVpsEIE
+OpV5nlJ6wkHsrn0/E+Zk5UJdCzM+Fp4hqHtEn/c97nvRspQcpWeDg6oUvaJSZTGM
+8yFpzR90X8ZO4rOgpoERukvYutUfJUzZuDyS3LLc6ysamemH93rZXr52zc4B+C9G
+Em8zemDgIPaH42ce3C3TdVysiq/yk+ir7pxW8toeavFv75l1UojFSjND+Q2AlNQn
+pYkmRznbD5TZ3yDuPFQG2xYKnMPACepGgKZPyErtOIljQKCdgcvb9EqNdZaJFz1+
+/iWKYBL077Y0CKwb+HGIDeYdzrYxbEd95YuVU0aStnf2Yii2tLcpQtK9cC2+DXjL
+Yf3kQs4xzH4ZejhG9wzv8PGXOS8wHYnfVNA3+fclDEQ1mEBKWHHmenGI6QKZUP8f
+g0SQ3PNRnSZu8R+rhABOEuVFIBRlaYijg2Pxe0NgL9FlHsNyRfo6EUrB2QFRKACW
+3Mo6pZyDjQt7O8J7l9B9IIURoJ1niwygf7VSJTMl2w3fFleNJlZTGgdXw0V+5g+9
+Kg6Ay0rrsi4nw1JHue2GvdjdfVOaWSWC
+-----END CERTIFICATE-----

rhsm/rhsm.conf

@@ -108,3 +108,4 @@ default_log_level = INFO
 # rhsm = DEBUG
 # rhsm.connection = DEBUG
 # rhsm-app = DEBUG
+# rhsmcertd = DEBUG

rspamd/composites.conf

@@ -163,7 +163,7 @@ composites {
     group = "scams";
   }
   FREEMAIL_AFF {
-    expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM)";
+    expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
     score = 4.0;
     policy = "leave";
     description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
@@ -181,6 +181,12 @@ composites {
     description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking";
     group = "compromised_hosts";
   }
+  SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE {
+    expression = "(REDIRECTOR_URL | HAS_ANON_DOMAIN | HAS_IPFS_GATEWAY_URL) & (-g+:fuzzy | -g+:statistics | -g+:surbl | -g+:rbl)";
+    score = 1.0;
+    policy = "leave";
+    description = "Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL";
+  }
 
   .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
   .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"

rsyslog.conf.rpmnew

@@ -0,0 +1,80 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
+       SysSock.Use="off") # Turn off message reception via local log socket; 
+			  # local messages are retrieved through imjournal now.
+module(load="imjournal" 	    # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
+       StateFile="imjournal.state") # File to store the position in the journal
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+
+
+# Log cron stuff
+cron.*                                                  /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+
+
+# ### sample forwarding rule ###
+#action(type="omfwd"  
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#queue.filename="fwdRule1"       # unique name prefix for spool files
+#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
+#queue.saveonshutdown="on"       # save messages to disk on shutdown
+#queue.type="LinkedList"         # run asynchronously
+#action.resumeRetryCount="-1"    # infinite retries if host is down
+# Remote Logging (we use TCP for reliable delivery)
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+#Target="remote_host" Port="XXX" Protocol="tcp")

selinux/targeted/.policy.sha512

@@ -1 +1 @@
-9371168ea4ca64ad6610f35f6ad045755662c50b03f2a034c0705449e59bdd39ba6b52bd0cb7ebf705b7ea311ba43d91f55544775215fa5ef1d1b04d9e21fff2
+da21fddcacbf8f3ec089e14164092f9fc387952f306da7cb453df6b823b94227ab2d5d5605d49e25350050f62133f9c09fd30eef16a837456b0b59b8c4f6873b

selinux/targeted/contexts/files/file_contexts

@@ -802,7 +802,6 @@
 /usr/bin/ocid.*	--	system_u:object_r:container_runtime_exec_t:s0
 /usr/bin/ping.*	--	system_u:object_r:ping_exec_t:s0
 /usr/bin/wine.*	--	system_u:object_r:wine_exec_t:s0
-/usr/sbin/rip.*	--	system_u:object_r:zebra_exec_t:s0
 /var/lock/LCK..	--	system_u:object_r:apcupsd_lock_t:s0
 /var/log/Xorg.*	--	system_u:object_r:xserver_log_t:s0
 /var/log/btmp.*	--	system_u:object_r:faillog_t:s0
@@ -2444,6 +2443,7 @@
 /var/run/avahi-daemon(/.*)?	system_u:object_r:avahi_var_run_t:s0
 /var/run/dlm_controld(/.*)?	system_u:object_r:dlm_controld_var_run_t:s0
 /var/run/libvirt/qemu(/.*)?	system_u:object_r:qemu_var_run_t:s0
+/var/run/opencryptoki(/.*)?	system_u:object_r:pkcs_slotd_var_run_t:s0
 /var/run/pcscd\.events(/.*)?	system_u:object_r:pcscd_var_run_t:s0
 /var/run/sanlk-resetd(/.*)?	system_u:object_r:sanlock_var_run_t:s0
 /var/run/spamassassin(/.*)?	system_u:object_r:spamd_var_run_t:s0
@@ -3664,6 +3664,7 @@
 /usr/sbin/pvs	--	system_u:object_r:lvm_exec_t:s0
 /usr/sbin/sbd	--	system_u:object_r:sbd_exec_t:s0
 /usr/sbin/sln	--	system_u:object_r:ldconfig_exec_t:s0
+/usr/sbin/sos	--	system_u:object_r:sosreport_exec_t:s0
 /usr/sbin/tlp	--	system_u:object_r:tlp_exec_t:s0
 /usr/sbin/tor	--	system_u:object_r:tor_exec_t:s0
 /usr/sbin/vgs	--	system_u:object_r:lvm_exec_t:s0
@@ -3805,6 +3806,7 @@
 /usr/sbin/pptp	--	system_u:object_r:pptp_exec_t:s0
 /usr/sbin/psad	--	system_u:object_r:psad_exec_t:s0
 /usr/sbin/pump	--	system_u:object_r:dhcpc_exec_t:s0
+/usr/sbin/ripd	--	system_u:object_r:zebra_exec_t:s0
 /usr/sbin/rngd	--	system_u:object_r:rngd_exec_t:s0
 /usr/sbin/runc	--	system_u:object_r:container_runtime_exec_t:s0
 /usr/sbin/sdpd	--	system_u:object_r:bluetooth_exec_t:s0
@@ -4138,6 +4140,7 @@
 /usr/sbin/qdiskd	--	system_u:object_r:qdiskd_exec_t:s0
 /usr/sbin/racoon	--	system_u:object_r:racoon_exec_t:s0
 /usr/sbin/reposd	--	system_u:object_r:sblim_reposd_exec_t:s0
+/usr/sbin/ripngd	--	system_u:object_r:zebra_exec_t:s0
 /usr/sbin/rklogd	--	system_u:object_r:klogd_exec_t:s0
 /usr/sbin/setkey	--	system_u:object_r:setkey_exec_t:s0
 /usr/sbin/sfdisk	--	system_u:object_r:fsadm_exec_t:s0
@@ -6276,6 +6279,7 @@
 /usr/lib/nspluginwrapper/plugin-config	--	system_u:object_r:mozilla_plugin_config_exec_t:s0
 /usr/lib/pgsql/test/regress/pg_regress	--	system_u:object_r:postgresql_exec_t:s0
 /usr/lib/systemd/systemd-socket-proxyd	--	system_u:object_r:systemd_socket_proxyd_exec_t:s0
+/usr/libexec/openssh/ssh-pkcs11-helper	--	system_u:object_r:ssh_agent_exec_t:s0
 /usr/share/cluster/fence_scsi_check\.pl	--	system_u:object_r:fenced_exec_t:s0
 /usr/share/gnucash/finance-quote-check	--	system_u:object_r:bin_t:s0
 /usr/share/munin/plugins/http_loadtime	--	system_u:object_r:services_munin_plugin_exec_t:s0
@@ -6337,6 +6341,7 @@
 /etc/rc\.d/init\.d/openstack-glance-registry	--	system_u:object_r:glance_registry_initrc_exec_t:s0
 /etc/rc\.d/init\.d/openstack-glance-scrubber	--	system_u:object_r:glance_scrubber_initrc_exec_t:s0
 /usr/lib/policykit/polkit-read-auth-helper	--	system_u:object_r:policykit_auth_exec_t:s0
+/usr/lib/systemd/system/mimedefang\.service	--	system_u:object_r:antivirus_unit_file_t:s0
 /usr/lib/xfce4/session/balou-install-theme	--	system_u:object_r:bin_t:s0
 /usr/lib/xorg/modules/drivers/nvidia_drv\.o	--	system_u:object_r:textrel_shlib_t:s0
 /usr/share/PackageKit/pk-upgrade-distro\.sh	--	system_u:object_r:bin_t:s0

tuned/tuned-main.conf

@@ -75,3 +75,10 @@ log_file_max_size = 1MB
 # Size of connections backlog for listen function on socket
 # Higher value allows to process requests from more clients
 # connections_backlog = 1024
+
+# TuneD daemon rollback strategy. Supported values: auto|not_on_exit
+# - auto: rollbacks are always performed on a profile switch or 
+#   graceful TuneD process exit
+# - not_on_exit: rollbacks are always performed on a profile
+#   switch, but not on any kind of TuneD process exit
+# rollback = auto