diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 8ac0b1fe83..72e6bf40a5 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -9,6 +9,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a - [ ] The toolchain has been rebuilt successfully (or no changes were made to it) - [ ] The toolchain/worker package manifests are up-to-date - [ ] Any updated packages successfully build (or no packages were changed) +- [ ] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files - [ ] All package sources are available - [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`) - [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/data/licenses.json`, `./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`) @@ -33,8 +34,9 @@ What does the PR accomplish, why was it needed? ###### Does this affect the toolchain? -**YES** -NO + + +**YES/NO** ###### Associated issues @@ -45,5 +47,5 @@ NO - https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXX ###### Test Methodology - + - Pipeline build id: xxxx diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml index bb9fe506b0..c39e5d9d75 100644 --- a/.github/workflows/check-entangled-specs.yml +++ b/.github/workflows/check-entangled-specs.yml @@ -5,16 +5,13 @@ name: Spec Entanglement Mismatch Check on: push: - paths: - - "**.spec" branches: [main, dev, 1.0*] pull_request: - paths: - - "**.spec" branches: [main, dev, 1.0*] jobs: check: + name: Spec Entanglement Mismatch Check runs-on: ubuntu-latest steps: diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml index 654461de16..197a50e428 100644 
--- a/.github/workflows/check-license-map.yml +++ b/.github/workflows/check-license-map.yml @@ -10,6 +10,7 @@ on: jobs: check: + name: Spec License Map Check runs-on: ubuntu-latest steps: diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml index aef876e548..d168caf79b 100644 --- a/.github/workflows/check-package-cgmanifest.yml +++ b/.github/workflows/check-package-cgmanifest.yml @@ -9,7 +9,7 @@ on: jobs: build: - name: Validate Manifests + name: Check Package CGManifests runs-on: ubuntu-18.04 steps: diff --git a/.github/workflows/check_entangled_specs.py b/.github/workflows/check_entangled_specs.py index 43fbbfc755..76de5a965c 100644 --- a/.github/workflows/check_entangled_specs.py +++ b/.github/workflows/check_entangled_specs.py @@ -28,6 +28,10 @@ version_matching_groups = [ "SPECS/hyperv-daemons/hyperv-daemons.spec", "SPECS/kernel/kernel.spec", "SPECS/kernel-hyperv/kernel-hyperv.spec" + ]), + frozenset([ + "SPECS/azure-iotedge/azure-iotedge.spec", + "SPECS/libiothsm-std/libiothsm-std.spec" ]) ] diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml index afe9a23330..97ecef5cbb 100644 --- a/.github/workflows/go-test-coverage.yml +++ b/.github/workflows/go-test-coverage.yml @@ -1,4 +1,4 @@ -name: Go +name: Go Test Coverage on: push: @@ -9,7 +9,7 @@ on: jobs: build: - name: Build + name: Go Test Coverage runs-on: ubuntu-18.04 steps: diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml index 939efc9d26..5043ad57aa 100644 --- a/.github/workflows/lint-specs.yml +++ b/.github/workflows/lint-specs.yml @@ -12,6 +12,7 @@ on: jobs: spec-lint: + name: Spec Linting runs-on: ubuntu-latest steps: diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh index 78579e71d0..29a8090502 100755 --- a/.github/workflows/validate-cg-manifest.sh +++ b/.github/workflows/validate-cg-manifest.sh 
@@ -31,6 +31,11 @@ ignore_list=" \ python-sphinxcontrib-websupport \ python-yamlloader \ python-zope-interface \ + python-nocasedict \ + python-pywbem \ + python-repoze-lru \ + python-sphinxcontrib-websupport \ + python-yamlloader \ qt5-rpm-macros \ runc \ grub2-efi-binary-signed-aarch64 \ @@ -49,15 +54,14 @@ for spec in "$@" do echo Checking "$spec" - # Get the source0 for the package, it apears to always occur last in the list of sources - source0=$(rpmspec --srpm --define "with_check 0" --qf "[%{SOURCE}\n]" -q $spec 2>/dev/null | tail -1) - if [[ -z $source0 ]] + # Ensure spec can be parsed + name=$(rpmspec --srpm --define "with_check 0" --qf "%{NAME}" -q $spec 2>/dev/null ) + if [[ -z $name ]] then - echo " No source file listed for $name:$version, skipping" + echo " Not able to parse $spec, skipping" continue fi - name=$(rpmspec --srpm --define "with_check 0" --qf "%{NAME}" -q $spec 2>/dev/null ) # Some specs don't make sense to add, ignore them if echo $ignore_list | grep -w "$name" > /dev/null then @@ -67,6 +71,14 @@ do version=$(rpmspec --srpm --define "with_check 0" --qf "%{VERSION}" -q $spec 2>/dev/null ) + # Get the source0 for the package, it apears to always occur last in the list of sources + source0=$(rpmspec --srpm --define "with_check 0" --qf "[%{SOURCE}\n]" -q $spec 2>/dev/null | tail -1) + if [[ -z $source0 ]] + then + echo " No source file listed for $name:$version, skipping" + continue + fi + # Some source files have been renamed, look for a comment and also try that (while manually substituting the name/version) source0alt=$(grep "^#[[:blank:]]*Source0:" $spec | awk '{print $NF}' | sed "s/%\?%{name}/$name/g" | sed "s/%\?%{version}/$version/g" ) # Some packages define a %url as well diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 18072ff300..8a7a5dc5b0 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec 
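Review bot: `python-sphinxcontrib-websupport` and `python-yamlloader` are added to `ignore_list` a second time in the `@@ -31,6 +31,11 @@` hunk; both already sit in the context lines directly above the new entries. Names in this list appear to be skipped by the manifest check further down, so the list should stay minimal and auditable. Keep only `python-nocasedict \`, `python-pywbem \` and `python-repoze-lru \`. A comment such as `# exempt from cgmanifest validation: <reason>` beside each new name would record why it is excluded. The list starts and ends outside the hunk.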
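Review bot: The new parse guard in the `@@ -49,15 +54,14 @@` hunk fails open, because a spec that `rpmspec` cannot parse prints "Not able to parse $spec, skipping" and hits `continue`. As far as the hunk shows, the run can then still pass with that package never compared against the cgmanifest. The `2>/dev/null` also discards the reason for the failure. I would treat it as an error, for example `echo "  Not able to parse $spec" >&2` followed by the script's failure path instead of `continue`. The moved "No source file listed" branch in the `@@ -67,6 +71,14 @@` hunk skips in the same way. Both new `rpmspec` calls also pass `-q $spec` unquoted although the loop echoes `"$spec"`, so `-q "$spec"` would keep paths with spaces or glob characters intact. The loop body continues outside both hunks.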
@@ -1,4 +1,5 @@ %global debug_package %{nil} +%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh %ifarch x86_64 %global buildarch x86_64 %endif @@ -8,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.10.28.1 -Release: 6%{?dist} +Version: 5.10.52.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -66,7 +67,10 @@ URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel # 4. Build this spec Source0: kernel-%{version}-%{release}.%{buildarch}.rpm Source1: vmlinuz-%{uname_r} +Source2: sha512hmac-openssl.sh BuildRequires: cpio +BuildRequires: openssl +BuildRequires: sed %description This package contains the Linux kernel package with kernel signed with the production key @@ -86,7 +90,6 @@ The kernel package contains the signed Linux kernel. %build # This spec's whole purpose is to inject the signed kernel binary -# Do not do anything extra. rpm2cpio %{SOURCE0} | cpio -idmv cp %{SOURCE1} ./boot/vmlinuz-%{uname_r} @@ -94,6 +97,10 @@ cp %{SOURCE1} ./boot/vmlinuz-%{uname_r} # Don't use * wildcard. It does not copy over hidden files in the root folder... cp -rp ./. %{buildroot}/ +# Recalculate sha512hmac for FIPS +%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac +cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac + %triggerin -n kernel -- initramfs mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r} 
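Review bot: The HMAC step added in the `@@ -94,6 +97,10 @@` hunk is a pipeline, so its exit status is that of `sed`. If `sha512hmac-openssl.sh` or `openssl` fails, the build still succeeds and packages a `.vmlinuz-%{uname_r}.hmac` with no valid digest, which is then copied to `/lib/modules/%{uname_r}/.vmlinuz.hmac` as well. A broken file would presumably only surface when a FIPS-mode boot checks the kernel. I would verify the result before the `cp`, e.g. `grep -Eq '^[0-9a-f]{128} ' %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac`. I would also extend the comment to `# Recalculate sha512hmac for FIPS: the digest must cover the signed vmlinuz copied from SOURCE1 above`. The section this step belongs to starts outside the hunk.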
@@ -139,12 +146,54 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog -* Tue May 25 2021 Thomas Crain - 5.10.28.1-6 -- Bump release number to match kernel-headers release +* Tue Jul 20 2021 Rachel Menge - 5.10.52.1-1 +- Update source to 5.10.52.1 -* Fri May 14 2021 Thomas Crain - 5.10.28.1-5 +* Mon Jul 19 2021 Chris Co - 5.10.47.1-2 - Bump release number to match kernel release +* Tue Jul 06 2021 Rachel Menge - 5.10.47.1-1 +- Update source to 5.10.47.1 + +* Wed Jun 30 2021 Chris Co - 5.10.42.1-4 +- Bump release number to match kernel release + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 5.10.42.1-3 +- Bump release number to match kernel release + +* Wed Jun 16 2021 Chris Co - 5.10.42.1-2 +- Bump release number to match kernel release + +* Tue Jun 08 2021 Rachel Menge - 5.10.42.1-1 +- Update source to 5.10.42.1 + +* Thu Jun 03 2021 Rachel Menge - 5.10.37.1-2 +- Bump release number to match kernel release + +* Fri May 28 2021 Rachel Menge - 5.10.37.1-1 +- Update source to 5.10.37.1 + +* Thu May 27 2021 Chris Co - 5.10.32.1-7 +- Bump release number to match kernel release + +* Wed May 26 2021 Chris Co - 5.10.32.1-6 +- Bump release number to match kernel release + +* Tue May 25 2021 Daniel Mihai - 5.10.32.1-5 +- Bump release number to match kernel release + +* Thu May 20 2021 Nicolas Ontiveros - 5.10.32.1-4 +- Recalculate sha512hmac on signed kernel binary + +* Tue May 17 2021 Andrew Phelps - 5.10.32.1-3 +- Update to kernel release 5.10.32.1-3 + +* Thu May 13 2021 Rachel Menge - 5.10.32.1-2 +- Bump release number to match kernel release + +* Mon May 03 2021 Rachel Menge - 5.10.32.1-1 +- Update source to 5.10.32.1 + * Thu Apr 22 2021 Chris Co - 5.10.28.1-4 - Bump release number to match kernel release diff --git a/SPECS-SIGNED/kernel-signed/sha512hmac-openssl.sh b/SPECS-SIGNED/kernel-signed/sha512hmac-openssl.sh new file mode 100644 index 0000000000..af67fa7b8f --- /dev/null +++ b/SPECS-SIGNED/kernel-signed/sha512hmac-openssl.sh 
@@ -0,0 +1,6 @@ +#!/bin/bash + +# Mocks sha512hmac using the openssl tool. +# Only for use during RPM build. + +openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1" \ No newline at end of file diff --git a/SPECS/CUnit/CUnit.spec b/SPECS/CUnit/CUnit.spec index 971930e696..c91099c009 100644 --- a/SPECS/CUnit/CUnit.spec +++ b/SPECS/CUnit/CUnit.spec @@ -4,7 +4,7 @@ Name: CUnit Version: 2.1.3 Release: 23%{?dist} Summary: Unit testing framework for C -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner License: LGPLv2+ URL: http://cunit.sourceforge.net/ @@ -53,12 +53,12 @@ done %postun -p /sbin/ldconfig %files +%license %{_defaultdocdir}/%{name}/COPYING %{_datadir}/%{name}/ %{_libdir}/libcunit.so.* %dir %{_docdir}/%{name} %{_docdir}/%{name}/AUTHORS %{_docdir}/%{name}/ChangeLog -%{_docdir}/%{name}/COPYING %{_docdir}/%{name}/NEWS %{_docdir}/%{name}/README %{_docdir}/%{name}/TODO @@ -74,6 +74,7 @@ done %changelog * Fri Aug 21 2020 Thomas Crain - 2.1.3-23 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Mon Jul 27 2020 Fedora Release Engineering - 2.1.3-22 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/Cython/Cython.spec b/SPECS/Cython/Cython.spec index e3193ef350..c402f17509 100644 --- a/SPECS/Cython/Cython.spec +++ b/SPECS/Cython/Cython.spec 
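Review bot: The new script has no error handling. When `openssl` fails (missing or unreadable file), `cut` receives nothing and the final `echo` still prints a line with an empty digest and exits 0, so the spec that calls it cannot detect the failure. The `cut -f 2 -d ' '` step also picks the wrong field when the path contains a space. The header comment should state that the HMAC key is a fixed, publicly known constant, so the value is an integrity self-check rather than evidence of origin. Authenticity presumably rests on the kernel signature. A version that stops on error and validates the digest before printing it is below.

```shell
set -euo pipefail

out=$(openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1")
digest=${out##* }   # text after the last space, so paths containing spaces still work
[[ $digest =~ ^[0-9a-f]{128}$ ]] || { echo "no SHA-512 HMAC produced for $1" >&2; exit 1; }
echo "$digest $1"
```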
@@ -25,15 +25,18 @@ Cython is an optimising static compiler for both the Python programming language %description %{_description} %package -n python3-%{name} -Summary: %{summary} +Summary: C extensions for Python 3 %{?python_provide:%python_provide python3-%{name}} Provides: %{name} = %{version}-%{release} Provides: %{name}%{?_isa} = %{version}-%{release} -Obsoletes: %{name} < %{version}-%{release} +BuildRequires: python3 +BuildRequires: python3-devel +BuildRequires: python3-libs +BuildRequires: python3-xml +Requires: python3 -%description -n python3-%{name} %{_description} - -Python 3 version. +%description -n python3-%{name} +Cython is an optimising static compiler for both the Python programming language and the extended Cython programming language (based on Pyrex). It makes writing C extensions for Python as easy as Python itself. %prep %setup -n %{upname}-%{version} diff --git a/SPECS/Cython/cython_testfix_with_outer_raising.patch b/SPECS/Cython/cython_testfix_with_outer_raising.patch new file mode 100644 index 0000000000..568414e83a --- /dev/null +++ b/SPECS/Cython/cython_testfix_with_outer_raising.patch 
@@ -0,0 +1,50 @@ +diff -ruN a/tests/run/generators_py35.py b/tests/run/generators_py35.py +--- a/tests/run/generators_py35.py 1969-12-31 16:00:00.000000000 -0800 ++++ b/tests/run/generators_py35.py 2021-04-30 00:40:03.333141340 -0700 +@@ -0,0 +1,24 @@ ++# mode: run ++# tag: generators, pure3.5 ++ ++from __future__ import generator_stop ++ ++# "generator_stop" was only added in Py3.5. ++ ++ ++def with_outer_raising(*args): ++ """ ++ >>> x = with_outer_raising(1, 2, 3) ++ >>> try: ++ ... list(x()) ++ ... except RuntimeError: ++ ... print("OK!") ++ ... else: ++ ... print("NOT RAISED!") ++ OK! ++ """ ++ def generator(): ++ for i in args: ++ yield i ++ raise StopIteration ++ return generator +\ No newline at end of file +diff -ruN a/tests/run/generators_py.py b/tests/run/generators_py.py +--- a/tests/run/generators_py.py 2021-04-30 00:38:33.905610251 -0700 ++++ b/tests/run/generators_py.py 2021-04-30 00:40:43.292935879 -0700 +@@ -81,17 +81,6 @@ + yield i + return generator + +-def with_outer_raising(*args): +- """ +- >>> x = with_outer_raising(1, 2, 3) +- >>> list(x()) +- [1, 2, 3] +- """ +- def generator(): +- for i in args: +- yield i +- raise StopIteration +- return generator + + def test_close(): + """ diff --git a/SPECS/GSL/GSL.spec b/SPECS/GSL/GSL.spec index 9bf7e7800a..a85cf54ff1 100644 --- a/SPECS/GSL/GSL.spec +++ b/SPECS/GSL/GSL.spec @@ -50,7 +50,7 @@ rm -rf $RPM_BUILD_ROOT %{_includedir}/gsl/* %changelog -* Sat May 09 00:21:38 PST 2020 Nick Samson - 2.0.0-3 +* Sat May 09 2020 Nick Samson - 2.0.0-3 - Added %%license line automatically * Thu Apr 09 2020 Joe Schmitt 2.0.0-2 diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index 2c5ae1a877..fca8043c5e 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md 
@@ -2,12 +2,12 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Origin | License | Specs | | --- | --- | --- | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | at
atf
attr
augeas
autoconf213
babeltrace2
bmake
brotli
busybox
byacc
calamares
catch
chrony
conda
conntrack-tools
cpprest
cryptsetup
CUnit
Cython
dbus-python
desktop-file-utils
dnf
docbook5-schemas
dos2unix
dpdk
dwz
ebtables
extra-cmake-modules
fdupes
firewalld
fmt
fribidi
gcovr
glusterfs
gnu-efi
hardening-check
heimdal
hwdata
hyperv-daemons
ipmitool
ipv6calc
iscsi-initiator-utils
isns-utils
javapackages-tools
jemalloc
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kyua
leveldb
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libkcapi
liblognorm
libpciaccess
libpwquality
libstoragemgmt
libvirt
libxcrypt
mokutil
mozjs60
nftables
open-vm-tools
openssl
p11-kit
patchelf
perl-JSON
picosat
pkgconf
prometheus
pugixml
pycairo
python-async-generator
python-conda-package-handling
python-cpuinfo
python-cytoolz
python-fields
python-filelock
python-frozendict
python-google-auth
python-jwt
python-kubernetes
python-mock
python-nose
python-process-tests
python-pycosat
python-pytest-benchmark
python-pytest-cov
python-pytest-forked
python-pytest-mock
python-pytest-xdist
python-pywbem
python-responses
python-ruamel-yaml
python-ruamel-yaml-clib
python-sphinx-theme-py3doc-enhanced
python-toolz
python-tqdm
python3-pytest-asyncio
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
rdma-core
sanlock
sgml-common
squashfs-tools
uclibc-ng
uuid
vitess
websocketpp
words
xmlstarlet
xorg-x11-util-macros
yajl
yaml-cpp
yasm
zipper | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
aspnetcore-runtime-3.1
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
bazel
blobfuse
bmon
bond
bpftrace
ccache
clamav
cloud-hypervisor
cloud-init-vmware-guestinfo
coredns-1.6.7
coredns-1.7.0
distroless-packages
dtc
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
go-md2man
grpc
GSL
helm
installkernel
ivykis
jsonbuilder
kubernetes-1.18.14
kubernetes-1.18.17
kubernetes-1.19.7
kubernetes-1.19.9
kubernetes-1.20.2
kubernetes-1.20.5
libacvp
libconfini
libconfuse
libiothsm-std
libmaxminddb
libuv
libxml++
lsb-release
lttng-consume
lutok
mailcap
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
moby-buildx
moby-cli
moby-containerd
moby-engine
moby-runc
msgpack
ncompress
nlohmann-json
nmap
nmi
ntopng
oath-toolkit
omi
pcaudiolib
pcre2
perl-Archive-Zip
perl-Compress-Bzip2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates-base
python-cachetools
python-cherrypy
python-execnet
python-logutils
python-nocasedict
python-pecan
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-yamlloader
qemu-kvm
R
rocksdb
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
verity-read-only-root
vnstat
zstd | +| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | archivemount
at
atf
attr
augeas
autoconf213
babeltrace2
bmake
brotli
busybox
byacc
calamares
catch
checkpolicy
chrony
collectd
colm
conda
conntrack-tools
cpprest
cryptsetup
CUnit
Cython
dbus-python
desktop-file-utils
dnf
docbook5-schemas
dos2unix
dpdk
dwz
ebtables
extra-cmake-modules
fdupes
firewalld
fmt
fribidi
fuse-zip
gcovr
glusterfs
gnu-efi
hardening-check
heimdal
hwdata
hyperscan
hyperv-daemons
ipmitool
ipv6calc
iscsi-initiator-utils
isns-utils
javapackages-tools
jemalloc
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
kyua
leveldb
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libkcapi
liblognorm
libpciaccess
libpwquality
libsemanage
libstoragemgmt
libvirt
libxcrypt
libzip
mailcap
mcstrans
mokutil
mozjs60
nftables
oath-toolkit
open-vm-tools
openssl
p11-kit
p7zip
patchelf
perl-App-cpanminus
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-File-pushd
perl-JSON
perl-local-lib
perl-Module-CPANfile
perl-Parse-PMFile
perl-Pod-Parser
perl-String-ShellQuote
picosat
pkgconf
policycoreutils
prometheus
pugixml
pycairo
pyelftools
python-async-generator
python-conda-package-handling
python-cpuinfo
python-cytoolz
python-fields
python-filelock
python-frozendict
python-google-auth
python-jwt
python-kubernetes
python-mock
python-nose
python-pexpect
python-process-tests
python-ptyprocess
python-pycosat
python-pytest-benchmark
python-pytest-cov
python-pytest-forked
python-pytest-mock
python-pytest-xdist
python-pywbem
python-responses
python-ruamel-yaml
python-ruamel-yaml-clib
python-sphinx-theme-py3doc-enhanced
python-toolz
python-tqdm
python3-pytest-asyncio
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
ragel
rdma-core
re2
sanlock
secilc
selinux-policy
setools
sgml-common
sos
squashfs-tools
uclibc-ng
uuid
vitess
websocketpp
words
xmlstarlet
xorg-x11-util-macros
yajl
yaml-cpp
yasm
zipper | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
bazel
blobfuse
bmon
bond
bpftrace
ccache
clamav
cloud-hypervisor
cloud-init-vmware-guestinfo
coredns-1.6.7
coredns-1.7.0
distroless-packages
dtc
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
go-md2man
grpc
GSL
helm
installkernel
ivykis
jsonbuilder
kubernetes-1.18.14
kubernetes-1.18.17
kubernetes-1.19.7
kubernetes-1.19.9
kubernetes-1.20.2
kubernetes-1.20.5
libacvp
libconfini
libconfuse
libiothsm-std
libmaxminddb
libuv
libxml++
lsb-release
lttng-consume
lutok
mailcap
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
moby-buildx
moby-cli
moby-containerd
moby-engine
moby-runc
msgpack
ncompress
nlohmann-json
nmap
nmi
node-problem-detector
ntopng
oath-toolkit
omi
pcaudiolib
pcre2
perl-Archive-Zip
perl-Compress-Bzip2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates-base
python-cachetools
python-cherrypy
python-execnet
python-logutils
python-nocasedict
python-pecan
python-remoto
python-repoze-lru
python-routes
python-rsa
python-sphinxcontrib-websupport
python-yamlloader
qemu-kvm
R
rocksdb
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
verity-read-only-root
vnstat
zstd | | OpenSUSE | ???? | ant
ant-contrib
bazel-workspaces
boringssl
envoy
golang-packaging
jna
kured | -| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd-3.4.13
etcd-3.4.3
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang-1.15
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed
kexec-tools
keyutils
kmod
krb5
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs-8.11.4
nodejs-9.11.2
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
OpenIPMI
openjdk8
openjdk8_aarch64
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemd-bootstrap
systemtap
tar
tboot
tcl
tcp_wrappers
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | +| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd-3.4.13
etcd-3.4.3
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang-1.15
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed
kexec-tools
keyutils
kmod
krb5
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
OpenIPMI
openjdk8
openjdk8_aarch64
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemd-bootstrap
systemtap
tar
tboot
tcl
tcp_wrappers
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | | OpenMamba | [Openmamba GPLv2 License](https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt) | bash-completion | -| Nvidia | [ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0) | nvidia-container-runtime | +| Nvidia | [ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container
nvidia-container-runtime
nvidia-container-toolkit
nvidia-docker2 | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | -| Ceph Source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | ceph | +| Ceph Source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index 192b67618d..6e8b4948a8 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -10,6 +10,7 @@ "origin": "Fedora", "license": "[Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files)", "specs": [ + "archivemount", "at", "atf", "attr", @@ -22,8 +23,11 @@ "byacc", "calamares", "catch", + "checkpolicy", "chrony", - "conda", + "collectd", + "colm", + "conda", "conntrack-tools", "cpprest", "cryptsetup", @@ -42,6 +46,7 @@ "firewalld", "fmt", "fribidi", + "fuse-zip", "gcovr", "glusterfs", "gnu-efi", @@ -49,6 +54,7 @@ "heimdal", "hwdata", "hyperv-daemons", + "hyperscan", "ipmitool", "ipv6calc", "iscsi-initiator-utils", @@ -76,22 +82,39 @@ "liblognorm", "libpciaccess", "libpwquality", + "libsemanage", "libstoragemgmt", "libvirt", "libxcrypt", + "libzip", + "mailcap", + "mcstrans", "mokutil", "mozjs60", "nftables", + "oath-toolkit", "open-vm-tools", "openssl", + "p7zip", "p11-kit", "patchelf", "perl-JSON", + "perl-App-cpanminus", + "perl-CPAN-DistnameInfo", + "perl-CPAN-Meta-Check", + "perl-File-pushd", + "perl-local-lib", + "perl-Module-CPANfile", + "perl-Parse-PMFile", + "perl-Pod-Parser", + "perl-String-ShellQuote", "picosat", "pkgconf", + "policycoreutils", "prometheus", "pugixml", "pycairo", + "pyelftools", "python-async-generator", "python-conda-package-handling", "python-cpuinfo", 
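Review bot: `oath-toolkit` is added to the Fedora `specs` list in the `@@ -76,22 +82,39 @@` hunk while the Microsoft list still carries it as a context line in the later `@@ -208,6 +238,7 @@` hunk, so one package now maps to two origins and two licence declarations. `mailcap` looks to be in the same position: it is added to Fedora here and still appears in the Microsoft row on the new side of LICENSES-MAP.md. Each spec should be listed under exactly one origin, so the stale Microsoft entries should be removed if Fedora is the correct source. The new entries are also not in sorted order (`hyperscan` after `hyperv-daemons`, `p7zip` before `p11-kit`, `perl-JSON` before `perl-App-cpanminus`), which makes duplicates like these harder to spot in review.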
@@ -104,7 +127,9 @@ "python-kubernetes", "python-mock", "python-nose", + "python-pexpect", "python-process-tests", + "python-ptyprocess", "python-pycosat", "python-pytest-benchmark", "python-pytest-cov", @@ -124,9 +149,15 @@ "qt5-qtsvg", "qt5-qttools", "qt5-rpm-macros", + "ragel", "rdma-core", - "sanlock", + "re2", + "sanlock", + "secilc", + "selinux-policy", + "setools", "sgml-common", + "sos", "squashfs-tools", "uclibc-ng", "uuid", @@ -146,7 +177,6 @@ "license": "[Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md)", "specs": [ "application-gateway-kubernetes-ingress", - "aspnetcore-runtime-3.1", "auoms", "azure-iot-sdk-c", "azure-iotedge", @@ -208,6 +238,7 @@ "nlohmann-json", "nmap", "nmi", + "node-problem-detector", "ntopng", "oath-toolkit", "omi", @@ -335,8 +366,6 @@ "docbook-dtd-xml", "docbook-style-xsl", "dosfstools", - "dotnet-runtime-3.1", - "dotnet-sdk-3.1", "dracut", "dstat", "e2fsprogs", @@ -541,8 +570,7 @@ "nghttp2", "nginx", "ninja-build", - "nodejs-8.11.4", - "nodejs-9.11.2", + "nodejs", "npth", "nspr", "nss", @@ -791,7 +819,10 @@ "origin": "Nvidia", "license": "[ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0)", "specs": [ - "nvidia-container-runtime" + "libnvidia-container", + "nvidia-container-runtime", + "nvidia-container-toolkit", + "nvidia-docker2" ] }, { @@ -803,7 +834,7 @@ }, { "origin": "Ceph Source", - "license": "[LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt)", + "license": "[LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1)", "specs": [ "ceph" ] diff --git a/SPECS/OpenIPMI/OpenIPMI.spec b/SPECS/OpenIPMI/OpenIPMI.spec index b688dafabd..b46a9243e2 100644 --- a/SPECS/OpenIPMI/OpenIPMI.spec +++ b/SPECS/OpenIPMI/OpenIPMI.spec 
@@ -187,24 +187,24 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip * Tue Mar 02 2021 Henry Li - 2.0.25-6 - Provides python3-openipmi from OpenIPMI-python -* Sat May 09 00:21:40 PST 2020 Nick Samson - 2.0.25-5 +* Sat May 09 2020 Nick Samson - 2.0.25-5 - Added %%license line automatically -* Fri Apr 17 2020 Nicolas Ontiveros 2.0.25-4 -- Rename openipmi to OpenIPMI. -- Remove sha1 macro. +* Fri Apr 17 2020 Nicolas Ontiveros 2.0.25-4 +- Rename openipmi to OpenIPMI. +- Remove sha1 macro. -* Tue Sep 03 2019 Mateusz Malisz 2.0.25-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.0.25-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 08 2019 Alexey Makhalov 2.0.25-2 -- Added BuildRequires python2-devel +* Tue Jan 08 2019 Alexey Makhalov 2.0.25-2 +- Added BuildRequires python2-devel -* Mon Sep 10 2018 Him Kalyan Bordoloi 2.0.25-1 -- Upgrade to 2.0.25 +* Mon Sep 10 2018 Him Kalyan Bordoloi 2.0.25-1 +- Upgrade to 2.0.25 -* Fri Sep 15 2017 Xiaolin Li 2.0.24-2 -- openipmi-devel requires ncurses-devel +* Fri Sep 15 2017 Xiaolin Li 2.0.24-2 +- openipmi-devel requires ncurses-devel -* Mon Sep 11 2017 Xiaolin Li 2.0.24-1 -- Initial build. First version +* Mon Sep 11 2017 Xiaolin Li 2.0.24-1 +- Initial build. First version diff --git a/SPECS/PyPAM/PyPAM.spec b/SPECS/PyPAM/PyPAM.spec index 6ee91fb1b0..1d972c89bd 100644 --- a/SPECS/PyPAM/PyPAM.spec +++ b/SPECS/PyPAM/PyPAM.spec @@ -85,7 +85,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:39 PST 2020 Nick Samson - 0.5.0-8 +* Sat May 09 2020 Nick Samson - 0.5.0-8 - Added %%license line automatically * Tue Apr 28 2020 Emre Girgin 0.5.0-7 diff --git a/SPECS/PyYAML/PyYAML.spec b/SPECS/PyYAML/PyYAML.spec index 1c14ff2d47..205aa51a77 100644 --- a/SPECS/PyYAML/PyYAML.spec +++ b/SPECS/PyYAML/PyYAML.spec 
@@ -108,21 +108,21 @@ rm -rf $RPM_BUILD_ROOT * Sat May 09 2020 Nick Samson - 3.13-5 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 3.13-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Apr 16 2019 Tapas Kundu 3.13-3 -- Added lib3 changes for CVE-2017-18342 -- change default loader for yaml.add_constructor -- Add custom constructors to multiple loaders -* Thu Mar 28 2019 Ankit Jain 3.13-2 -- Fix for CVE-2017-18342 -* Thu Sep 20 2018 Tapas Kundu 3.13-1 -- Updated to release 3.13 -* Tue May 16 2017 Kumar Kaushik 3.12-2 -- Adding python3 support. -* Tue Apr 18 2017 Dheeraj Shetty 3.12-1 -- Updated version to 3.12 -* Tue May 24 2016 Priyesh Padmavilasom 3.11-2 -- GA - Bump release of all rpms -* Wed Mar 04 2015 Mahmoud Bassiouny -- Initial packaging for Photon +* Tue Sep 03 2019 Mateusz Malisz 3.13-4 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Apr 16 2019 Tapas Kundu 3.13-3 +- Added lib3 changes for CVE-2017-18342 +- change default loader for yaml.add_constructor +- Add custom constructors to multiple loaders +* Thu Mar 28 2019 Ankit Jain 3.13-2 +- Fix for CVE-2017-18342 +* Thu Sep 20 2018 Tapas Kundu 3.13-1 +- Updated to release 3.13 +* Tue May 16 2017 Kumar Kaushik 3.12-2 +- Adding python3 support. +* Tue Apr 18 2017 Dheeraj Shetty 3.12-1 +- Updated version to 3.12 +* Tue May 24 2016 Priyesh Padmavilasom 3.11-2 +- GA - Bump release of all rpms +* Wed Mar 04 2015 Mahmoud Bassiouny +- Initial packaging for Photon diff --git a/SPECS/WALinuxAgent/WALinuxAgent.signatures.json b/SPECS/WALinuxAgent/WALinuxAgent.signatures.json index f041d63e95..ea3afc6542 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.signatures.json +++ b/SPECS/WALinuxAgent/WALinuxAgent.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "WALinuxAgent-2.2.52.tar.gz": "46f692edaa93f094eef6c0dc8d95f3ece5a7176e98ac6f3bce741da74946cd28" + "WALinuxAgent-2.2.54.2.tar.gz": "2c047d262ca55718268a0921c7bd04b6c1ab1032bd885e3e0949107f493e7b7c" } } \ No newline at end of file diff --git a/SPECS/WALinuxAgent/WALinuxAgent.spec b/SPECS/WALinuxAgent/WALinuxAgent.spec index 5b6e0573b8..36f1fe66c7 100644 --- a/SPECS/WALinuxAgent/WALinuxAgent.spec +++ b/SPECS/WALinuxAgent/WALinuxAgent.spec @@ -1,30 +1,29 @@ Summary: The Windows Azure Linux Agent Name: WALinuxAgent -Version: 2.2.52 -Release: 3%{?dist} +Version: 2.2.54.2 +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: System/Daemons URL: https://github.com/Azure/WALinuxAgent -#Source0: https://github.com/Azure/WALinuxAgent/archive/v%{version}.tar.gz -Source0: https://github.com/Azure/WALinuxAgent/archive/%{name}-%{version}.tar.gz -Patch0: add-distro.patch -BuildRequires: python-distro -BuildRequires: python-setuptools -BuildRequires: python-xml -BuildRequires: python2 -BuildRequires: python2-libs +#Source0: https://github.com/Azure/WALinuxAgent/archive/refs/tags/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +BuildRequires: python3-distro +BuildRequires: python3-setuptools +BuildRequires: python3-xml +BuildRequires: python3 +BuildRequires: python3-libs BuildRequires: systemd Requires: /bin/grep Requires: /bin/sed Requires: iptables Requires: openssh Requires: openssl -Requires: python-pyasn1 -Requires: python-xml -Requires: python2 -Requires: python2-libs +Requires: python3-pyasn1 +Requires: python3-xml +Requires: python3 +Requires: python3-libs Requires: sudo Requires: systemd Requires: util-linux 
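Review bot: With `Patch0: add-distro.patch` dropped, the Mariner `waagent.conf` and `waagent.service` that the patch used to add now have to come from the upstream 2.2.54.2 tarball, and nothing in the spec records that the shipped defaults were compared. The removed config set, among others, `Provisioning.UseCloudInit=y`, `Provisioning.DeleteRootPassword=y` and `AutoUpdate.Enabled=y`, so a silent difference in the upstream Mariner config would change how the VM is provisioned and updated. Please confirm the upstream defaults match, or record the accepted differences in a comment above `Source0`, e.g. `# Mariner config and unit now come from upstream; defaults reviewed against the former add-distro.patch`.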
@@ -36,23 +35,26 @@ VMs in the Windows Azure cloud. This package should be installed on Linux disk images that are built to run in the Windows Azure environment. %prep -%setup -q -%patch0 -p1 +%setup -q -n %{name}-%{version} %pre -p /bin/sh %build -python2 setup.py build -b py2 +python3 setup.py build -b py3 %install -python2 -tt setup.py build -b py2 install --prefix=%{_prefix} --lnx-distro='mariner' --root=%{buildroot} --force +python3 -tt setup.py build -b py3 install --prefix=%{_prefix} --lnx-distro='mariner' --root=%{buildroot} --force mkdir -p %{buildroot}/%{_localstatedir}/log mkdir -p -m 0700 %{buildroot}/%{_sharedstatedir}/waagent mkdir -p %{buildroot}/%{_localstatedir}/log touch %{buildroot}/%{_localstatedir}/log/waagent.log +# python refers to python2 version on CBL-Mariner hence update to use python3 +sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent +sed -i 's,#!/usr/bin/env python,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent2.0 +sed -i 's,/usr/bin/python ,/usr/bin/python3 ,' %{buildroot}%{_libdir}/systemd/system/waagent.service %check -python2 setup.py check && python2 setup.py test +python3 setup.py check && python3 setup.py test %post %systemd_post waagent.service 
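Review bot: The two shebang `sed` expressions added to `%install` are unanchored, so a script whose first line is already `#!/usr/bin/env python3` would become `#!/usr/bin/python33`, and a file that does not contain the expected text is left unchanged without failing the build. Match the whole first line instead, `sed -i '1s,^#!/usr/bin/env python$,#!/usr/bin/python3,' %{buildroot}%{_bindir}/waagent` (likewise for `waagent2.0`). Follow the edits with positive checks such as `grep -q '^#!/usr/bin/python3$' %{buildroot}%{_bindir}/waagent` and `grep -q '/usr/bin/python3 ' %{buildroot}%{_libdir}/systemd/system/waagent.service`, so the package cannot ship an agent or unit that still resolves to the python2 interpreter. A negated `! grep` would not work here, because the shell's errexit mode ignores the status of a negated command.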
@@ -67,17 +69,23 @@ python2 setup.py check && python2 setup.py test %{_libdir}/systemd/system/* %defattr(0644,root,root,0755) %license LICENSE.txt -%doc Changelog -%attr(0755,root,root) %{_sbindir}/waagent -%attr(0755,root,root) %{_sbindir}/waagent2.0 +%attr(0755,root,root) %{_bindir}/waagent +%attr(0755,root,root) %{_bindir}/waagent2.0 %config %{_sysconfdir}/waagent.conf %ghost %{_localstatedir}/log/waagent.log %dir %attr(0700, root, root) %{_sharedstatedir}/waagent -%{_libdir}/python2.7/site-packages/* +%{python3_sitelib}/* %changelog +* Tue Aug 17 2021 Thomas Crain - 2.2.54.2-2 +- Fix incorrect %%{_lib} macro usage + +* Mon May 24 2021 Suresh Babu Chalamalasetty - 2.2.54.2-1 +- Upgrade to version 2.2.54.2 which has Mariner distro support. + * Mon Apr 26 2021 Thomas Crain - 2.2.52-3 - Replace incorrect %%{_lib} usage with %%{_libdir} +- %{_lib}/python3.7/site-packages/* * Mon Jan 25 2021 Henry Beberman 2.2.52-2 - Remove log symlink and use /var/log/waagent.log directly diff --git a/SPECS/WALinuxAgent/add-distro.patch b/SPECS/WALinuxAgent/add-distro.patch deleted file mode 100644 index bdd6bde9fc..0000000000 --- a/SPECS/WALinuxAgent/add-distro.patch +++ /dev/null 
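Review bot: The line `- %{_lib}/python3.7/site-packages/*` added under the 2.2.52-3 changelog entry looks like a leftover from editing `%files` rather than a changelog item. Unlike the neighbouring entries it leaves the macro unescaped, so rpm will expand `%{_lib}` when it parses `%changelog`. Drop the line, or if it is meant as history write it as `- %%{_lib}/python3.7/site-packages/*`. This hunk also moves the agent from `%{_sbindir}` to `%{_bindir}`, while the `%install` edits only rewrite the interpreter in `waagent.service`. If the upstream unit still names `/usr/sbin/waagent` (not visible here), the service would not start, so that path is worth checking.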
@@ -1,242 +0,0 @@ ---- a/azurelinuxagent/common/osutil/factory.py 2020-09-29 11:31:13.000000000 -0700 -+++ b/azurelinuxagent/common/osutil/factory.py 2020-12-08 14:54:58.878191794 -0800 -@@ -24,6 +24,7 @@ - from .arch import ArchUtil - from .bigip import BigIpOSUtil - from .clearlinux import ClearLinuxUtil -+from .mariner import MarinerOSUtil - from .coreos import CoreOSUtil - from .debian import DebianOSBaseUtil, DebianOSModernUtil - from .default import DefaultOSUtil -@@ -57,6 +58,9 @@ - - if "Clear Linux" in distro_full_name: - return ClearLinuxUtil() -+ -+ if distro_name == "mariner": -+ return MarinerOSUtil() - - if distro_name == "ubuntu": - if Version(distro_version) in [Version("12.04"), Version("12.10")]: ---- a/azurelinuxagent/common/osutil/mariner.py 2020-12-08 22:14:27.843117432 -0800 -+++ b/azurelinuxagent/common/osutil/mariner.py 2020-12-08 22:52:05.926318033 -0800 -@@ -0,0 +1,89 @@ -+# -+# Copyright 2017 Microsoft Corporation -+# -+# Licensed under the Apache License, Version 2.0 (the "License"); -+# you may not use this file except in compliance with the License. -+# You may obtain a copy of the License at -+# -+# http://www.apache.org/licenses/LICENSE-2.0 -+# -+# Unless required by applicable law or agreed to in writing, software -+# distributed under the License is distributed on an "AS IS" BASIS, -+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+# See the License for the specific language governing permissions and -+# limitations under the License. 
-+# -+# Requires Python 2.4 and Openssl 1.0 -+# -+ -+import os -+import re -+import pwd -+import shutil -+import socket -+import array -+import struct -+import fcntl -+import time -+import base64 -+import azurelinuxagent.common.conf as conf -+import azurelinuxagent.common.logger as logger -+import azurelinuxagent.common.utils.fileutil as fileutil -+import azurelinuxagent.common.utils.shellutil as shellutil -+import azurelinuxagent.common.utils.textutil as textutil -+from azurelinuxagent.common.osutil.default import DefaultOSUtil -+ -+class MarinerOSUtil(DefaultOSUtil): -+ def __init__(self): -+ super(MarinerOSUtil, self).__init__() -+ self.agent_conf_file_path = '/etc/waagent.conf' -+ self.jit_enabled = True -+ -+ def is_dhcp_enabled(self): -+ return True -+ -+ def start_network(self) : -+ return shellutil.run("systemctl start systemd-networkd", chk_err=False) -+ -+ def restart_if(self, iface): -+ shellutil.run("systemctl restart systemd-networkd") -+ -+ def restart_ssh_service(self): -+ shellutil.run("systemctl restart sshd") -+ -+ def stop_dhcp_service(self): -+ return shellutil.run("systemctl stop systemd-networkd", chk_err=False) -+ -+ def start_dhcp_service(self): -+ return shellutil.run("systemctl start systemd-networkd", chk_err=False) -+ -+ def start_agent_service(self): -+ return shellutil.run("systemctl start waagent", chk_err=False) -+ -+ def stop_agent_service(self): -+ return shellutil.run("systemctl stop waagent", chk_err=False) -+ -+ def get_dhcp_pid(self): -+ ret= shellutil.run_get_output("pidof systemd-networkd") -+ return ret[1] if ret[0] == 0 else None -+ -+ def conf_sshd(self, disable_password): -+ pass -+ -+ def del_root_password(self): -+ try: -+ passwd_file_path = conf.get_passwd_file_path() -+ try: -+ passwd_content = fileutil.read_file(passwd_file_path) -+ if not passwd_content: -+ raise FileNotFoundError -+ except FileNotFoundError: -+ new_passwd = ["root:*LOCK*:14600::::::"] -+ else: -+ passwd = passwd_content.split('\n') -+ new_passwd = 
[x for x in passwd if not x.startswith("root:")] -+ new_passwd.insert(0, "root:*LOCK*:14600::::::") -+ fileutil.write_file(passwd_file_path, "\n".join(new_passwd)) -+ except IOError as e: -+ raise OSUtilError("Failed to delete root password:{0}".format(e)) -+ pass -\ No newline at end of file ---- a/azurelinuxagent/common/version.py 2020-09-29 11:31:13.000000000 -0700 -+++ b/azurelinuxagent/common/version.py 2020-12-08 14:58:51.840248635 -0800 -@@ -100,6 +100,9 @@ - - if os.path.exists("/etc/euleros-release"): - osinfo[0] = "euleros" -+ -+ if os.path.exists("/etc/mariner-release"): -+ osinfo[0] = "mariner" - - # The platform.py lib has issue with detecting BIG-IP linux distribution. - # Merge the following patch provided by F5. ---- a/config/mariner/waagent.conf 2020-12-08 22:15:55.038466254 -0800 -+++ b/config/mariner/waagent.conf 2020-12-08 15:06:48.272503589 -0800 -@@ -0,0 +1,80 @@ -+# Microsoft Azure Linux Agent Configuration -+# -+ -+# Specified program is invoked with the argument "Ready" when we report ready status -+# to the endpoint server. -+Role.StateConsumer=None -+ -+# Specified program is invoked with XML file argument specifying role -+# configuration. -+Role.ConfigurationConsumer=None -+ -+# Specified program is invoked with XML file argument specifying role topology. -+Role.TopologyConsumer=None -+ -+# Enable instance creation -+Provisioning.Enabled=n -+ -+# Rely on cloud-init to provision -+Provisioning.UseCloudInit=y -+ -+# Password authentication for root account will be unavailable. -+Provisioning.DeleteRootPassword=y -+ -+# Generate fresh host key pair. -+Provisioning.RegenerateSshHostKeyPair=y -+ -+# Supported values are "rsa", "dsa" and "ecdsa". -+Provisioning.SshHostKeyPairType=rsa -+ -+# Monitor host name changes and publish changes via DHCP requests. -+Provisioning.MonitorHostName=y -+ -+# Decode CustomData from Base64. -+Provisioning.DecodeCustomData=y -+ -+# Execute CustomData after provisioning. 
-+Provisioning.ExecuteCustomData=n -+ -+# Allow reset password of sys user -+Provisioning.AllowResetSysUser=n -+ -+# Format if unformatted. If 'n', resource disk will not be mounted. -+ResourceDisk.Format=n -+ -+# File system on the resource disk -+# Typically ext3 or ext4. FreeBSD images should use 'ufs2' here. -+ResourceDisk.Filesystem=ext4 -+ -+# Mount point for the resource disk -+ResourceDisk.MountPoint=/mnt/resource -+ -+# Create and use swapfile on resource disk. -+ResourceDisk.EnableSwap=n -+ -+# Size of the swapfile. -+ResourceDisk.SwapSizeMB=0 -+ -+# Enable verbose logging (y|n) -+Logs.Verbose=n -+ -+# Is FIPS enabled -+OS.EnableFIPS=n -+ -+# Root device timeout in seconds. -+OS.RootDeviceScsiTimeout=300 -+ -+# If "None", the system default version is used. -+OS.OpensslPath=None -+ -+# Set the path to SSH keys and configuration files -+OS.SshDir=/etc/ssh -+ -+# Enable or disable self-update, default is enabled -+AutoUpdate.Enabled=y -+AutoUpdate.GAFamily=Prod -+ -+# Determine if the overprovisioning feature is enabled. If yes, hold extension -+# handling until inVMArtifactsProfile.OnHold is false. 
-+# Default is disabled -+# EnableOverProvisioning=n ---- a/init/mariner/waagent.service 2020-12-08 22:16:40.614123434 -0800 -+++ b/init/mariner/waagent.service 2020-12-08 15:06:44.940529116 -0800 -@@ -0,0 +1,16 @@ -+[Unit] -+Description=Azure Linux Agent -+Wants=systemd-networkd-wait-online.service sshd.service sshd-keygen.service -+After=systemd-networkd-wait-online.service cloud-init.service -+ -+ConditionFileIsExecutable=/usr/sbin/waagent -+ConditionPathExists=/etc/waagent.conf -+ -+[Service] -+Type=simple -+ExecStart=/usr/bin/python -u /usr/sbin/waagent -daemon -+Restart=always -+RestartSec=5 -+ -+[Install] -+WantedBy=multi-user.target ---- a/setup.py 2020-09-29 11:31:13.000000000 -0700 -+++ b/setup.py 2020-12-08 15:04:44.289458366 -0800 -@@ -116,6 +116,12 @@ - src=["config/clearlinux/waagent.conf"]) - set_systemd_files(data_files, dest='/usr/lib/systemd/system', - src=["init/clearlinux/waagent.service"]) -+ elif name == 'mariner': -+ set_bin_files(data_files) -+ set_conf_files(data_files, dest="/etc", -+ src=["config/mariner/waagent.conf"]) -+ set_systemd_files(data_files, dest='/usr/lib/systemd/system', -+ src=["init/mariner/waagent.service"]) - elif name == 'ubuntu': - set_bin_files(data_files) - set_conf_files(data_files, src=["config/ubuntu/waagent.conf"]) diff --git a/SPECS/ansible/ansible.signatures.json b/SPECS/ansible/ansible.signatures.json index 6678f9b3e4..39781562b8 100644 --- a/SPECS/ansible/ansible.signatures.json +++ b/SPECS/ansible/ansible.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "ansible-2.9.12.tar.gz": "7e95ddf719190b068fafc7d7c7877c218054cc5da4f6d9d794faf7bc66dab774" + "ansible-2.9.18.tar.gz": "55fee77729eab2dce854c94a7b6998f0fcb7b9a053bdaa7eb4057f01a0d5d93c" } } \ No newline at end of file diff --git a/SPECS/ansible/ansible.spec b/SPECS/ansible/ansible.spec index 78d2077905..da595b2898 100644 --- a/SPECS/ansible/ansible.spec +++ b/SPECS/ansible/ansible.spec 
@@ -1,7 +1,7 @@ %{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} Summary: Configuration-management, application deployment, cloud provisioning system Name: ansible -Version: 2.9.12 +Version: 2.9.18 Release: 1%{?dist} License: GPLv3+ Vendor: Microsoft Corporation @@ -41,6 +41,9 @@ python2 setup.py test %{python2_sitelib}/* %changelog +* Tue Jun 15 2021 Nicolas Ontiveros - 2.9.18-1 +- Upgrade to version 2.9.18, which resolves CVE-2021-20191 and CVE-2021-20178 + * Wed Dec 30 2020 Nicolas Ontiveros - 2.9.12-1 - Upgrade to version 2.9.12, which resolves CVE-2020-10744 diff --git a/SPECS/apr-util/apr-util.spec b/SPECS/apr-util/apr-util.spec index 93b6172a05..8462dafcf4 100644 --- a/SPECS/apr-util/apr-util.spec +++ b/SPECS/apr-util/apr-util.spec @@ -122,7 +122,7 @@ rm -rf %{buildroot} %{_libdir}/apr-util-%{apuver}/apr_dbd_sqlite* %changelog -* Sat May 09 00:21:10 PST 2020 Nick Samson - 1.6.1-4 +* Sat May 09 2020 Nick Samson - 1.6.1-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.6.1-3 diff --git a/SPECS/archivemount/archivemount.signatures.json b/SPECS/archivemount/archivemount.signatures.json new file mode 100644 index 0000000000..ca7545178c --- /dev/null +++ b/SPECS/archivemount/archivemount.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "archivemount-0.9.1.tar.gz": "c529b981cacb19541b48ddafdafb2ede47a40fcaf16c677c1e2cd198b159c5b3" + } +} diff --git a/SPECS/archivemount/archivemount.spec b/SPECS/archivemount/archivemount.spec new file mode 100644 index 0000000000..e2f6241383 --- /dev/null +++ b/SPECS/archivemount/archivemount.spec 
@@ -0,0 +1,171 @@ +Name: archivemount +Version: 0.9.1 +Release: 4%{?dist} +Summary: FUSE based filesystem for mounting compressed archives +Vendor: Microsoft Corporation +Distribution: Mariner +License: LGPLv2+ +URL: https://www.cybernoia.de/software/archivemount.html +Source0: https://www.cybernoia.de/software/archivemount/%{name}-%{version}.tar.gz + +BuildRequires: gcc +BuildRequires: fuse-devel +BuildRequires: libarchive-devel +BuildRequires: automake +BuildRequires: make +Requires: fuse + +%description +Archivemount is a piece of glue code between libarchive and FUSE. It can be +used to mount a (possibly compressed) archive (as in .tar.gz or .tar.bz2) +and use it like an ordinary filesystem. + +%prep +%autosetup -p1 + +%build +%configure --enable-debug +%make_build + +%install +rm -rf $RPM_BUILD_ROOT +rm -f archivemount.1 +%make_install + +%files +%doc CHANGELOG README +%license COPYING +%{_mandir}/*/* +%{_bindir}/archivemount + +%changelog +* Mon May 17 2021 Suresh Babu Chalamalasetty - 0.9.1-4 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Tue Jan 26 2021 Fedora Release Engineering - 0.9.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Apr 20 2020 Niels de Vos - 0.9.1-1 +- Update to version 0.9.1 + +* Mon Apr 20 2020 Niels de Vos - 0.9.0-1 +- Update to version 0.9.0 (#1825602) + +* Tue Jan 28 2020 Fedora Release Engineering - 0.8.12-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 0.8.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.8.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 0.8.12-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jun 18 2018 Vasiliy N. Glazov - 0.8.12-2 +- Clean spec to match packaging guidelines + +* Sun Apr 1 2018 Niels de Vos - 0.8.12-1 +- Update to version 0.8.12 (#1560985) + +* Tue Mar 27 2018 Niels de Vos - 0.8.11-1 +- Update to version 0.8.11 (#1560985) + +* Fri Mar 16 2018 Niels de Vos - 0.8.10-1 +- Update to version 0.8.10 (#1557308) + +* Tue Mar 6 2018 Niels de Vos - 0.8.9-1 +- Update to version 0.8.9 (#1547963) + +* Wed Feb 07 2018 Fedora Release Engineering - 0.8.7-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 0.8.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.8.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.8.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 03 2016 Fedora Release Engineering - 0.8.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 24 2015 Niels de Vos - 0.8.7-1 +- Update to version 0.8.7 (#1284705) + +* Mon Nov 23 2015 Niels de Vos - 0.8.6-1 +- Update to version 0.8.6 (#1197053) + +* Wed Jun 17 2015 Fedora Release Engineering - 0.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Aug 15 2014 Fedora Release Engineering - 0.8.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.8.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Oct 24 2013 Niels de Vos - 0.8.3-1 +- Update to version 0.8.3 (#1022856) +- Drop upstreamed patches + +* Wed Oct 23 2013 Niels de Vos - 0.8.2-1 +- Update to version 0.8.2 (#1021347) + +* Sun Oct 13 2013 Niels de Vos - 0.8.1-2 +- Do not call fuse_main() to prevent a confusing error message (#1018587) + +* Mon Aug 19 
2013 Niels de Vos - 0.8.1-1 +- Update to version 0.8.1 (#997779) + +* Sat Aug 03 2013 Fedora Release Engineering - 0.6.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 0.6.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jan 17 2013 Tomas Bzatek - 0.6.1-10 +- Rebuilt for new libarchive + +* Wed Jul 18 2012 Fedora Release Engineering - 0.6.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jan 26 2012 Tomas Bzatek - 0.6.1-8 +- Rebuilt for new libarchive + +* Sat Jan 07 2012 Niels de Vos - 0.6.1-7 +- Rebuild for new gcc-4.7 + +* Tue Nov 15 2011 Niels de Vos - 0.6.1-6 +- Rebuild for new libarchive + +* Mon Feb 07 2011 Fedora Release Engineering - 0.6.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 18 2011 Niels de Vos 0.6.1-4 +- fix the -debuginfo package as suggested by Tomas Mraz (BZ#598688 comment #12) + +* Fri Jan 14 2011 Niels de Vos 0.6.1-3 +- fix the -debuginfo package (BZ#598688 comment #10) + +* Mon Jan 10 2011 Niels de Vos 0.6.1-2 +- force running in single threaded mode (much more stable) +- fix some points from BZ #598688 comment #7 + +* Thu Jun 24 2010 Niels de Vos 0.6.1-1 +- upstream fixed licensing in the source to LGPL (v2 or newer) +- new source does not contain autom4te.cache anymore, no need to 'rm -rf' it + +* Tue Jun 15 2010 Niels de Vos 0.6.0-2 +- fix license to GNU Library General Public v2 or newer +- remove packaged autoconf/automake cache files + +* Tue Jun 01 2010 Niels de Vos 0.6.0-1 +- Initial package diff --git a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json deleted file mode 100644 index 7873844508..0000000000 --- a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json +++ /dev/null 
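Review bot: The new spec has no `%check` section, so nothing exercises the built binary before packaging, although the tool parses archive files through libarchive and exposes them as a FUSE filesystem. If the upstream tarball provides a test target, run it from `%check`; if it does not, record that next to `%install` with a comment such as `# No upstream test suite, so no check section`. The `--enable-debug` switch on `%configure` is also undocumented, and what it changes in the shipped binary is not visible here, so a one-line comment stating why it is set would help the next maintainer.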
@@ -1,5 +0,0 @@ -{ - "Signatures": { - "aspnetcore-runtime-3.1.5-linux-x64.tar.gz": "bf202e612374eecf089b08db2085f36e54c09d6e93db0ff4244580ee47b9c61f" - } -} \ No newline at end of file diff --git a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec deleted file mode 100644 index 5f86b8844d..0000000000 --- a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec +++ /dev/null @@ -1,41 +0,0 @@ -%define debug_package %{nil} -Summary: Microsoft aspnetcore runtime -Name: aspnetcore-runtime-3.1 -Version: 3.1.5 -Release: 1%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Development/Tools -URL: https://github.com/dotnet/aspnetcore -Source0: https://download.visualstudio.microsoft.com/download/pr/6827d794-a218-4352-b3b3-a19ec773c975/e3e53bc2f20df220a29c6e09f74d8a00/aspnetcore-runtime-3.1.5-linux-x64.tar.gz -Requires: dotnet-runtime-3.1 -ExclusiveArch: x86_64 - -%description -ASP.NET Core is an open-source and cross-platform framework for building -modern cloud based internet connected applications, such as web apps, -IoT apps and mobile backends - -%prep -%setup -qc -T -a 0 dotnet-runtime-%{version} - -%build - -%install -mkdir -p %{buildroot}%{_libdir}/dotnet/shared -cp -r shared/Microsoft.AspNetCore.App %{buildroot}%{_libdir}/dotnet/shared - -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig - -%files -%license LICENSE.txt ThirdPartyNotices.txt -%defattr(-,root,root,0755) -%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App - -%changelog -* Thu Nov 12 2020 Henry Beberman - 3.1.5-1 -- Add aspnetcore-runtime spec. -- License verified -- Original version for CBL-Mariner \ No newline at end of file diff --git a/SPECS/atftp/atftp.spec b/SPECS/atftp/atftp.spec index b6f4f916c3..66117817ef 100644 --- a/SPECS/atftp/atftp.spec +++ b/SPECS/atftp/atftp.spec 
@@ -131,7 +131,7 @@ fi %changelog -* Sat May 09 00:21:18 PST 2020 Nick Samson - 0.7.2-3 +* Sat May 09 2020 Nick Samson - 0.7.2-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.7.2-2 diff --git a/SPECS/audit/audit.spec b/SPECS/audit/audit.spec index 046bdd77f3..8fa9714547 100644 --- a/SPECS/audit/audit.spec +++ b/SPECS/audit/audit.spec @@ -1,9 +1,7 @@ -%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} -%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} Summary: Kernel Audit Tool Name: audit Version: 3.0 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -49,18 +47,6 @@ Provides: audit-libs-devel = %{version}-%{release} %description devel The libraries and header files needed for audit development. -%package python -Summary: Python bindings for libaudit -License: LGPLv2+ -BuildRequires: python2-devel -BuildRequires: python2-libs -Requires: %{name} = %{version}-%{release} -Requires: python2 - -%description python -The audit-python package contains the python2 bindings for libaudit -and libauparse. - %package -n python3-audit Summary: Python3 bindings for libaudit License: LGPLv2+ @@ -85,7 +71,6 @@ and libauparse. --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --sysconfdir=%{_sysconfdir} \ - --with-python=yes \ --with-python3=yes \ --with-libwrap \ --enable-gssapi-krb5=yes \ 
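Review bot: Removing `--with-python=yes` from the `%configure` call leaves the python2 bindings unspecified rather than disabled. If the audit configure script auto-detects python when the option is absent (worth confirming), the result depends on whether python2 happens to be in the build root. State the intent explicitly by adding `--with-python=no \` next to `--with-python3=yes \`. The first hunk of this file also removes the fallback definition of `%{python3_sitelib}` while `%files -n python3-audit` still uses it, so that macro must now come from the build environment's python3 macros. The `%configure` invocation starts and ends outside this hunk.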
@@ -165,78 +150,77 @@ make %{?_smp_mflags} check %{_mandir}/man3/* %{_datadir}/aclocal/audit.m4 -%files python -%defattr(-,root,root) -%{python2_sitelib}/* - %files -n python3-audit %defattr(-,root,root) %{python3_sitelib}/* %changelog -* Mon Nov 02 2020 Joe Schmitt - 3.0-5 +* Wed Aug 18 2021 Thomas Crian - 3.0-6 +- Remove python2 subpackage + +* Mon Nov 02 2020 Joe Schmitt - 3.0-5 (from dev branch) - Provide audit-libs-devel from the devel subpackage. - Provide audit-libs-python3 from the python3 subpackage. -* Thu May 14 2020 Nicolas Ontiveros 3.0-4 -- Set "RefuseManualStop=no" in "auditd.service". +* Thu May 14 2020 Nicolas Ontiveros 3.0-4 +- Set "RefuseManualStop=no" in "auditd.service". -* Sat May 09 00:21:30 PST 2020 Nick Samson - 3.0-3 -- Added %%license line automatically +* Sat May 09 00:21:30 PST 2020 Nick Samson - 3.0-3 +- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 3.0-2 -- Renaming go to golang +* Thu Apr 30 2020 Emre Girgin 3.0-2 +- Renaming go to golang -* Wed Mar 18 2020 Emre Girgin 3.0-1 -- Updated to version 3.0-alpha8. Subpackage licenses updated. +* Wed Mar 18 2020 Emre Girgin 3.0-1 +- Updated to version 3.0-alpha8. Subpackage licenses updated. -* Tue Sep 03 2019 Mateusz Malisz 2.8.4-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.8.4-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 3 2018 Keerthana K 2.8.4-1 -- Updated to version 2.8.4. +* Mon Sep 3 2018 Keerthana K 2.8.4-1 +- Updated to version 2.8.4. -* Thu Dec 28 2017 Divya Thaluru 2.7.5-4 -- Fixed the log file directory structure +* Thu Dec 28 2017 Divya Thaluru 2.7.5-4 +- Fixed the log file directory structure -* Thu Jun 29 2017 Divya Thaluru 2.7.5-3 -- Disabled audit service by default +* Thu Jun 29 2017 Divya Thaluru 2.7.5-3 +- Disabled audit service by default -* Thu May 18 2017 Xiaolin Li 2.7.5-2 -- Move python2 requires to python subpackage and added python3. 
+* Thu May 18 2017 Xiaolin Li 2.7.5-2 +- Move python2 requires to python subpackage and added python3. -* Fri Apr 14 2017 Alexey Makhalov 2.7.5-1 -- Version update. +* Fri Apr 14 2017 Alexey Makhalov 2.7.5-1 +- Version update. -* Wed Dec 07 2016 Xiaolin Li 2.5-7 -- Moved man3 to devel subpackage. +* Wed Dec 07 2016 Xiaolin Li 2.5-7 +- Moved man3 to devel subpackage. -* Thu Nov 24 2016 Alexey Makhalov 2.5-6 -- Required krb5-devel. +* Thu Nov 24 2016 Alexey Makhalov 2.5-6 +- Required krb5-devel. -* Fri Jul 22 2016 Xiaolin Li 2.5-5 -- Add gawk requirement. +* Fri Jul 22 2016 Xiaolin Li 2.5-5 +- Add gawk requirement. -* Thu May 26 2016 Divya Thaluru 2.5-4 -- Fixed logic to restart the active services after upgrade +* Thu May 26 2016 Divya Thaluru 2.5-4 +- Fixed logic to restart the active services after upgrade -* Tue May 24 2016 Priyesh Padmavilasom 2.5-3 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 2.5-3 +- GA - Bump release of all rpms -* Tue May 3 2016 Divya Thaluru 2.5-2 -- Fixing spec file to handle rpm upgrade scenario correctly +* Tue May 3 2016 Divya Thaluru 2.5-2 +- Fixing spec file to handle rpm upgrade scenario correctly -* Tue Feb 23 2016 Anish Swaminathan 2.5-1 -- Upgrade to 2.5 +* Tue Feb 23 2016 Anish Swaminathan 2.5-1 +- Upgrade to 2.5 -* Fri Jan 29 2016 Anish Swaminathan 2.4.4-4 -- Add directories for auditd service. +* Fri Jan 29 2016 Anish Swaminathan 2.4.4-4 +- Add directories for auditd service. -* Tue Jan 12 2016 Anish Swaminathan 2.4.4-3 -- Change config file attributes. +* Tue Jan 12 2016 Anish Swaminathan 2.4.4-3 +- Change config file attributes. -* Wed Dec 09 2015 Anish Swaminathan 2.4.4-2 -- Add systemd requirement. +* Wed Dec 09 2015 Anish Swaminathan 2.4.4-2 +- Add systemd requirement. -* Fri Aug 28 2015 Divya Thaluru 2.4.4-1 -- Initial version +* Fri Aug 28 2015 Divya Thaluru 2.4.4-1 +- Initial version diff --git a/SPECS/autoconf/autoconf.spec b/SPECS/autoconf/autoconf.spec index 3f3713fb59..aab37aa7b2 100644 
--- a/SPECS/autoconf/autoconf.spec +++ b/SPECS/autoconf/autoconf.spec @@ -51,7 +51,7 @@ make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-37 39-500" * Mon Oct 12 2020 Joe Schmitt 2.69-10 - Use new perl package names. -* Sat May 09 00:21:00 PST 2020 Nick Samson 2.69-9 +* Sat May 09 2020 Nick Samson 2.69-9 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.69-8 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/autogen/autogen.spec b/SPECS/autogen/autogen.spec index 0d4c9080d8..665525f9bd 100644 --- a/SPECS/autogen/autogen.spec +++ b/SPECS/autogen/autogen.spec 
@@ -80,30 +80,31 @@ make %{?_smp_mflags} check %exclude /usr/share/info/ %changelog -* Mon Oct 12 2020 Joe Schmitt 5.18.16-6 -- Add BuildRequires on perl. -* Sat May 09 00:20:48 PST 2020 Nick Samson - 5.18.16-5 +* Mon Oct 12 2020 Joe Schmitt 5.18.16-6 +- Add BuildRequires on perl. + +* Sat May 09 2020 Nick Samson - 5.18.16-5 - Added %%license line automatically -* Thu Feb 27 2020 Henry Beberman 5.18.16-4 -- Add compiler flags for GCC9 compatibility. License verified. -* Thu Feb 27 2020 Henry Beberman 5.18.16-3 -- Exclude /usr/share/info from the RPM -* Tue Sep 03 2019 Mateusz Malisz 5.18.16-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 12 2018 Anish Swaminathan 5.18.16-1 -- Upgrade to 5.18.16 -* Mon May 01 2017 Dheeraj Shetty 5.18.12-2 -- Adding Make Check -* Tue Apr 18 2017 Dheeraj Shetty 5.18.12-1 -- Updated version to 5.18.12 -* Tue May 24 2016 Priyesh Padmavilasom 5.18.7-2 -- GA - Bump release of all rpms -* Wed Feb 24 2016 Kumar Kaushik 5.18.7-1 -- Updated version tp 5.16.7. -* Thu Jan 21 2016 Xiaolin Li 5.18.6-1 -- Updated to version 5.18.6 -* Tue Sep 29 2015 Xiaolin Li 5.18.5-2 -- Create a seperate libopts package. -* Thu Jun 18 2015 Divya Thaluru 5.18.5-1 -- Initial build. First version +* Thu Feb 27 2020 Henry Beberman 5.18.16-4 +- Add compiler flags for GCC9 compatibility. License verified. +* Thu Feb 27 2020 Henry Beberman 5.18.16-3 +- Exclude /usr/share/info from the RPM +* Tue Sep 03 2019 Mateusz Malisz 5.18.16-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Wed Sep 12 2018 Anish Swaminathan 5.18.16-1 +- Upgrade to 5.18.16 +* Mon May 01 2017 Dheeraj Shetty 5.18.12-2 +- Adding Make Check +* Tue Apr 18 2017 Dheeraj Shetty 5.18.12-1 +- Updated version to 5.18.12 +* Tue May 24 2016 Priyesh Padmavilasom 5.18.7-2 +- GA - Bump release of all rpms +* Wed Feb 24 2016 Kumar Kaushik 5.18.7-1 +- Updated version tp 5.16.7. 
+* Thu Jan 21 2016 Xiaolin Li 5.18.6-1 +- Updated to version 5.18.6 +* Tue Sep 29 2015 Xiaolin Li 5.18.5-2 +- Create a seperate libopts package. +* Thu Jun 18 2015 Divya Thaluru 5.18.5-1 +- Initial build. First version diff --git a/SPECS/automake/automake.spec b/SPECS/automake/automake.spec index 5899d1ac66..2f547397c3 100644 --- a/SPECS/automake/automake.spec +++ b/SPECS/automake/automake.spec @@ -43,7 +43,7 @@ make %{?_smp_mflags} check %{_defaultdocdir}/%{name}-%{version}/* %{_mandir}/*/* %changelog -* Sat May 09 00:21:00 PST 2020 Nick Samson - 1.16.1-3 +* Sat May 09 2020 Nick Samson - 1.16.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.16.1-2 diff --git a/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec b/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec index 1633302607..b4f081530a 100644 --- a/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec +++ b/SPECS/azure-iot-sdk-c/azure-iot-sdk-c.spec @@ -97,7 +97,7 @@ rm -rf $RPM_BUILD_ROOT - Removing the Conflict reference to azure-iot-sdk-c-public-preview. * Sun May 31 2020 Henry Beberman 2020.02.04.1-5 - Add -Wno-error to cflags to fix compilation with updated -Werror default. -* Sat May 09 00:20:46 PST 2020 Nick Samson - 2020.02.04.1-4 +* Sat May 09 2020 Nick Samson - 2020.02.04.1-4 - Added %%license line automatically * Mon May 04 2020 Eric Li 2020.02.04.1-3 - Add #Source0: and license verified. diff --git a/SPECS/azure-iotedge/azure-iotedge.signatures.json b/SPECS/azure-iotedge/azure-iotedge.signatures.json index eac5e83c63..d785e09c47 100644 --- a/SPECS/azure-iotedge/azure-iotedge.signatures.json +++ b/SPECS/azure-iotedge/azure-iotedge.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "azure-iotedge-1.1.0-cargo.tar.gz": "94d8d7a8d2834eb4d5ec47f76c37a0a1e7a90979f8fabca556db808a60d7b310", - "azure-iotedge-1.1.0.tar.gz": "c8cd6b70786057a3e599a7649478dcd478726a4125d9e69ddea6314916fe060b" + "azure-iotedge-1.1.2-cargo.tar.gz": "eec1a83f6d30bb88679f6ef73e9ceaf2f3ca3d6cfe7cec02fc94c383997dd8ea", + "azure-iotedge-1.1.2.tar.gz": "23c0efe1f720ed3a27060cab0cae83fecfe73f017063b1bdb94a4bbce34c87b5" } } \ No newline at end of file diff --git a/SPECS/azure-iotedge/azure-iotedge.spec b/SPECS/azure-iotedge/azure-iotedge.spec index 089bb8c797..654ca86954 100644 --- a/SPECS/azure-iotedge/azure-iotedge.spec +++ b/SPECS/azure-iotedge/azure-iotedge.spec @@ -1,7 +1,7 @@ Summary: Azure IoT Edge Security Daemon Name: azure-iotedge -Version: 1.1.0 -Release: 4%{?dist} +Version: 1.1.2 +Release: 1%{?dist} # A buildable azure-iotedge environments needs functioning submodules that do not work from the archive download # To recreate the tar.gz run the following @@ -166,6 +166,9 @@ echo "========================================================================== %doc %{_docdir}/iotedge-%{version}/trademark %changelog +* Fri May 14 2021 Andrew Phelps - 1.1.2-1 +- Update to version 1.1.2 + * Mon Apr 26 2021 Thomas Crain - 1.1.0-4 - Bump release to rebuild with rust 1.47.0-3 (security update) diff --git a/SPECS/babel/babel.spec b/SPECS/babel/babel.spec index 1faf3c3ec8..0523b6a099 100644 --- a/SPECS/babel/babel.spec +++ b/SPECS/babel/babel.spec @@ -95,7 +95,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:26 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 2.6.0-7 diff --git a/SPECS/bind/CVE-2020-8618.patch b/SPECS/bind/CVE-2020-8618.patch deleted file mode 100644 index 5467af0361..0000000000 --- a/SPECS/bind/CVE-2020-8618.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -diff --git a/lib/ns/client.c b/lib/ns/client.c -index 04a8da7d3e..2d568e30c4 100644 ---- a/lib/ns/client.c -+++ b/lib/ns/client.c -@@ -286,45 +286,20 @@ client_senddone(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { - isc_nmhandle_unref(handle); - } - --/*% -- * We only want to fail with ISC_R_NOSPACE when called from -- * ns_client_sendraw() and not when called from ns_client_send(), -- * tcpbuffer is NULL when called from ns_client_sendraw() and -- * length != 0. tcpbuffer != NULL when called from ns_client_send() -- * and length == 0. -- */ -- --static isc_result_t -+static void - client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer, -- isc_buffer_t *tcpbuffer, uint32_t length, - unsigned char **datap) { - unsigned char *data; - uint32_t bufsize; -- isc_result_t result; - - REQUIRE(datap != NULL); -- REQUIRE((tcpbuffer == NULL && length != 0) || -- (tcpbuffer != NULL && length == 0)); - - if (TCP_CLIENT(client)) { - INSIST(client->tcpbuf == NULL); -- if (length + 2 > NS_CLIENT_TCP_BUFFER_SIZE) { -- result = ISC_R_NOSPACE; -- goto done; -- } - client->tcpbuf = isc_mem_get(client->mctx, - NS_CLIENT_TCP_BUFFER_SIZE); - data = client->tcpbuf; -- if (tcpbuffer != NULL) { -- isc_buffer_init(tcpbuffer, data, -- NS_CLIENT_TCP_BUFFER_SIZE); -- isc_buffer_init(buffer, data, -- NS_CLIENT_TCP_BUFFER_SIZE); -- } else { -- isc_buffer_init(buffer, data, -- NS_CLIENT_TCP_BUFFER_SIZE); -- INSIST(length <= 0xffff); -- } -+ isc_buffer_init(buffer, data, NS_CLIENT_TCP_BUFFER_SIZE); - } else { - data = client->sendbuf; - if ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) == 0) { -@@ -342,17 +317,9 @@ client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer, - if (bufsize > NS_CLIENT_SEND_BUFFER_SIZE) { - bufsize = NS_CLIENT_SEND_BUFFER_SIZE; - } -- if (length > bufsize) { -- result = ISC_R_NOSPACE; -- goto done; -- } - isc_buffer_init(buffer, data, bufsize); - } - *datap = data; -- result = ISC_R_SUCCESS; -- --done: -- return (result); 
- } - - static isc_result_t -@@ -384,8 +351,10 @@ ns_client_sendraw(ns_client_t *client, dns_message_t *message) { - goto done; - } - -- result = client_allocsendbuf(client, &buffer, NULL, mr->length, &data); -- if (result != ISC_R_SUCCESS) { -+ client_allocsendbuf(client, &buffer, &data); -+ -+ if (mr->length > isc_buffer_length(&buffer)) { -+ result = ISC_R_NOSPACE; - goto done; - } - -@@ -421,7 +390,6 @@ ns_client_send(ns_client_t *client) { - isc_result_t result; - unsigned char *data; - isc_buffer_t buffer = { .magic = 0 }; -- isc_buffer_t tcpbuffer = { .magic = 0 }; - isc_region_t r; - dns_compress_t cctx; - bool cleanup_cctx = false; -@@ -490,13 +458,7 @@ ns_client_send(ns_client_t *client) { - } - } - -- /* -- * XXXRTH The following doesn't deal with TCP buffer resizing. -- */ -- result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0, &data); -- if (result != ISC_R_SUCCESS) { -- goto done; -- } -+ client_allocsendbuf(client, &buffer, &data); - - result = dns_compress_init(&cctx, -1, client->mctx); - if (result != ISC_R_SUCCESS) { -@@ -618,7 +580,6 @@ renderend: - client->sendcb(&buffer); - } else if (TCP_CLIENT(client)) { - isc_buffer_usedregion(&buffer, &r); -- isc_buffer_add(&tcpbuffer, r.length); - #ifdef HAVE_DNSTAP - if (client->view != NULL) { - dns_dt_send(client->view, dtmsgtype, &client->peeraddr, -@@ -627,11 +588,10 @@ renderend: - } - #endif /* HAVE_DNSTAP */ - -- /* don't count the 2-octet length header */ -- respsize = isc_buffer_usedlength(&tcpbuffer) - 2; -+ respsize = isc_buffer_usedlength(&buffer); - - isc_nmhandle_ref(client->handle); -- result = client_sendpkg(client, &tcpbuffer); -+ result = client_sendpkg(client, &buffer); - if (result != ISC_R_SUCCESS) { - /* We won't get a callback to clean it up */ - isc_nmhandle_unref(client->handle); -diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h -index 61612a32ea..74c435b0c6 100644 ---- a/lib/ns/include/ns/client.h -+++ b/lib/ns/include/ns/client.h -@@ -81,7 +81,7 @@ - 
*** Types - ***/ - --#define NS_CLIENT_TCP_BUFFER_SIZE (65535 + 2) -+#define NS_CLIENT_TCP_BUFFER_SIZE 65535 - #define NS_CLIENT_SEND_BUFFER_SIZE 4096 - - /*! -diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c -index a92783cf1b..717d142ce2 100644 ---- a/lib/ns/xfrout.c -+++ b/lib/ns/xfrout.c -@@ -648,14 +648,13 @@ typedef struct { - dns_db_t *db; - dns_dbversion_t *ver; - isc_quota_t *quota; -- rrstream_t *stream; /* The XFR RR stream */ -- bool question_added; /* QUESTION section sent? */ -- bool end_of_stream; /* EOS has been reached */ -- isc_buffer_t buf; /* Buffer for message owner -- * names and rdatas */ -- isc_buffer_t txlenbuf; /* Transmit length buffer */ -- isc_buffer_t txbuf; /* Transmit message buffer */ -- size_t cbytes; /* Length of current message */ -+ rrstream_t *stream; /* The XFR RR stream */ -+ bool question_added; /* QUESTION section sent? */ -+ bool end_of_stream; /* EOS has been reached */ -+ isc_buffer_t buf; /* Buffer for message owner -+ * names and rdatas */ -+ isc_buffer_t txbuf; /* Transmit message buffer */ -+ size_t cbytes; /* Length of current message */ - void *txmem; - unsigned int txmemlen; - dns_tsigkey_t *tsigkey; /* Key used to create TSIG */ -@@ -1231,12 +1230,11 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id, - - /* - * Allocate another temporary buffer for the compressed -- * response message and its TCP length prefix. -+ * response message. - */ -- len = 2 + 65535; -+ len = NS_CLIENT_TCP_BUFFER_SIZE; - mem = isc_mem_get(mctx, len); -- isc_buffer_init(&xfr->txlenbuf, mem, 2); -- isc_buffer_init(&xfr->txbuf, (char *)mem + 2, len - 2); -+ isc_buffer_init(&xfr->txbuf, (char *)mem, len); - xfr->txmem = mem; - xfr->txmemlen = len; - -@@ -1286,7 +1284,6 @@ sendstream(xfrout_ctx_t *xfr) { - int n_rrs; - - isc_buffer_clear(&xfr->buf); -- isc_buffer_clear(&xfr->txlenbuf); - isc_buffer_clear(&xfr->txbuf); - - is_tcp = ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0); 
diff --git a/SPECS/bind/CVE-2020-8619.patch b/SPECS/bind/CVE-2020-8619.patch
deleted file mode 100644
index a388534355..0000000000
--- a/SPECS/bind/CVE-2020-8619.patch
+++ /dev/null
@@ -1,530 +0,0 @@ -diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c -index d6d0e87a80..6d8f4e0d63 100644 ---- a/lib/dns/rbtdb.c -+++ b/lib/dns/rbtdb.c -@@ -1857,8 +1857,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { - * Caller must be holding the node lock. - */ - static inline void --new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, -+ isc_rwlocktype_t locktype) { -+ if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink)) -+ { -+ ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum], node, -+ deadlink); -+ } - if (isc_refcount_increment0(&node->references) == 0) { - /* this is the first reference to the node */ - isc_refcount_increment0( -@@ -1876,13 +1881,14 @@ is_leaf(dns_rbtnode_t *node) { - } - - static inline void --send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { -+send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, -+ isc_rwlocktype_t locktype) { - isc_event_t *ev; - dns_db_t *db; - - ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE, - prune_tree, node, sizeof(isc_event_t)); -- new_reference(rbtdb, node); -+ new_reference(rbtdb, node, locktype); - db = NULL; - attach((dns_db_t *)rbtdb, &db); - ev->ev_sender = db; -@@ -1918,7 +1924,7 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) { - node->data == NULL); - - if (is_leaf(node) && rbtdb->task != NULL) { -- send_to_prune_tree(rbtdb, node); -+ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); - } else if (node->down == NULL && node->data == NULL) { - /* - * Not a interior node and not needing to be -@@ -1986,7 +1992,7 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, - } - } - -- new_reference(rbtdb, node); -+ new_reference(rbtdb, node, locktype); - - NODE_UNLOCK(nodelock, locktype); - } -@@ -2121,15 +2127,17 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, - * periodic walk-through). 
- */ - if (!pruning && is_leaf(node) && rbtdb->task != NULL) { -- send_to_prune_tree(rbtdb, node); -+ send_to_prune_tree(rbtdb, node, isc_rwlocktype_write); - no_reference = false; - } else { - delete_node(rbtdb, node); - } - } else { - INSIST(node->data == NULL); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -- ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink); -+ if (!ISC_LINK_LINKED(node, deadlink)) { -+ ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, -+ deadlink); -+ } - } - - restore_locks: -@@ -2199,16 +2207,13 @@ prune_tree(isc_task_t *task, isc_event_t *event) { - - /* - * We need to gain a reference to the node before -- * decrementing it in the next iteration. In addition, -- * if the node is in the dead-nodes list, extract it -- * from the list beforehand as we do in -- * reactivate_node(). -+ * decrementing it in the next iteration. - */ - if (ISC_LINK_LINKED(parent, deadlink)) { - ISC_LIST_UNLINK(rbtdb->deadnodes[locknum], - parent, deadlink); - } -- new_reference(rbtdb, parent); -+ new_reference(rbtdb, parent, isc_rwlocktype_write); - } else { - parent = NULL; - } -@@ -2975,7 +2980,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { - * We increment the reference count on node to ensure that - * search->zonecut_rdataset will still be valid later. 
- */ -- new_reference(search->rbtdb, node); -+ new_reference(search->rbtdb, node, isc_rwlocktype_read); - search->zonecut = node; - search->zonecut_rdataset = found; - search->need_cleanup = true; -@@ -3027,7 +3032,8 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { - - static inline void - bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, -- isc_stdtime_t now, dns_rdataset_t *rdataset) { -+ isc_stdtime_t now, isc_rwlocktype_t locktype, -+ dns_rdataset_t *rdataset) { - unsigned char *raw; /* RDATASLAB */ - - /* -@@ -3042,7 +3048,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, - return; - } - -- new_reference(rbtdb, node); -+ new_reference(rbtdb, node, locktype); - - INSIST(rdataset->methods == NULL); /* We must be disassociated. */ - -@@ -3147,12 +3153,12 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep, - NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock), - isc_rwlocktype_read); - bind_rdataset(search->rbtdb, node, search->zonecut_rdataset, -- search->now, rdataset); -+ search->now, isc_rwlocktype_read, rdataset); - if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL) - { - bind_rdataset(search->rbtdb, node, - search->zonecut_sigrdataset, search->now, -- sigrdataset); -+ isc_rwlocktype_read, sigrdataset); - } - NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock), - isc_rwlocktype_read); -@@ -3817,18 +3823,21 @@ again: - foundname, NULL); - if (result == ISC_R_SUCCESS) { - if (nodep != NULL) { -- new_reference(search->rbtdb, -- node); -+ new_reference( -+ search->rbtdb, node, -+ isc_rwlocktype_read); - *nodep = node; - } - bind_rdataset(search->rbtdb, node, - found, search->now, -+ isc_rwlocktype_read, - rdataset); - if (foundsig != NULL) { -- bind_rdataset(search->rbtdb, -- node, foundsig, -- search->now, -- sigrdataset); -+ bind_rdataset( -+ search->rbtdb, node, -+ foundsig, search->now, -+ isc_rwlocktype_read, -+ 
sigrdataset); - } - } - } else if (found == NULL && foundsig == NULL) { -@@ -4107,7 +4116,8 @@ found: - * ensure that search->zonecut_rdataset will - * still be valid later. - */ -- new_reference(search.rbtdb, node); -+ new_reference(search.rbtdb, node, -+ isc_rwlocktype_read); - search.zonecut = node; - search.zonecut_rdataset = header; - search.zonecut_sigrdataset = NULL; -@@ -4285,7 +4295,7 @@ found: - goto node_exit; - } - if (nodep != NULL) { -- new_reference(search.rbtdb, node); -+ new_reference(search.rbtdb, node, isc_rwlocktype_read); - *nodep = node; - } - if ((search.rbtversion->secure == dns_db_secure && -@@ -4293,10 +4303,10 @@ found: - (search.options & DNS_DBFIND_FORCENSEC) != 0) - { - bind_rdataset(search.rbtdb, node, nsecheader, 0, -- rdataset); -+ isc_rwlocktype_read, rdataset); - if (nsecsig != NULL) { - bind_rdataset(search.rbtdb, node, nsecsig, 0, -- sigrdataset); -+ isc_rwlocktype_read, sigrdataset); - } - } - if (wild) { -@@ -4369,7 +4379,7 @@ found: - - if (nodep != NULL) { - if (!at_zonecut) { -- new_reference(search.rbtdb, node); -+ new_reference(search.rbtdb, node, isc_rwlocktype_read); - } else { - search.need_cleanup = false; - } -@@ -4377,10 +4387,11 @@ found: - } - - if (type != dns_rdatatype_any) { -- bind_rdataset(search.rbtdb, node, found, 0, rdataset); -+ bind_rdataset(search.rbtdb, node, found, 0, isc_rwlocktype_read, -+ rdataset); - if (foundsig != NULL) { - bind_rdataset(search.rbtdb, node, foundsig, 0, -- sigrdataset); -+ isc_rwlocktype_read, sigrdataset); - } - } - -@@ -4563,8 +4574,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { - * We increment the reference count on node to ensure that - * search->zonecut_rdataset will still be valid later. 
- */ -- new_reference(search->rbtdb, node); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+ new_reference(search->rbtdb, node, locktype); - search->zonecut = node; - search->zonecut_rdataset = dname_header; - search->zonecut_sigrdataset = sigdname_header; -@@ -4672,14 +4682,15 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, - } - result = DNS_R_DELEGATION; - if (nodep != NULL) { -- new_reference(search->rbtdb, node); -+ new_reference(search->rbtdb, node, locktype); - *nodep = node; - } - bind_rdataset(search->rbtdb, node, found, search->now, -- rdataset); -+ locktype, rdataset); - if (foundsig != NULL) { - bind_rdataset(search->rbtdb, node, foundsig, -- search->now, sigrdataset); -+ search->now, locktype, -+ sigrdataset); - } - if (need_headerupdate(found, search->now) || - (foundsig != NULL && -@@ -4788,13 +4799,13 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, - if (result != ISC_R_SUCCESS) { - goto unlock_node; - } -- bind_rdataset(search->rbtdb, node, found, now, -+ bind_rdataset(search->rbtdb, node, found, now, locktype, - rdataset); - if (foundsig != NULL) { - bind_rdataset(search->rbtdb, node, foundsig, -- now, sigrdataset); -+ now, locktype, sigrdataset); - } -- new_reference(search->rbtdb, node); -+ new_reference(search->rbtdb, node, locktype); - *nodep = node; - result = DNS_R_COVERINGNSEC; - } else if (!empty_node) { -@@ -5019,18 +5030,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, - if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 && - nsecheader != NULL) { - if (nodep != NULL) { -- new_reference(search.rbtdb, node); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+ new_reference(search.rbtdb, node, locktype); - *nodep = node; - } - bind_rdataset(search.rbtdb, node, nsecheader, -- search.now, rdataset); -+ search.now, locktype, rdataset); - if (need_headerupdate(nsecheader, search.now)) { - update = nsecheader; - } - if (nsecsig != NULL) { - bind_rdataset(search.rbtdb, node, 
nsecsig, -- search.now, sigrdataset); -+ search.now, locktype, -+ sigrdataset); - if (need_headerupdate(nsecsig, search.now)) { - updatesig = nsecsig; - } -@@ -5045,18 +5056,18 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, - */ - if (nsheader != NULL) { - if (nodep != NULL) { -- new_reference(search.rbtdb, node); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+ new_reference(search.rbtdb, node, locktype); - *nodep = node; - } - bind_rdataset(search.rbtdb, node, nsheader, search.now, -- rdataset); -+ locktype, rdataset); - if (need_headerupdate(nsheader, search.now)) { - update = nsheader; - } - if (nssig != NULL) { - bind_rdataset(search.rbtdb, node, nssig, -- search.now, sigrdataset); -+ search.now, locktype, -+ sigrdataset); - if (need_headerupdate(nssig, search.now)) { - updatesig = nssig; - } -@@ -5077,8 +5088,7 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, - */ - - if (nodep != NULL) { -- new_reference(search.rbtdb, node); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+ new_reference(search.rbtdb, node, locktype); - *nodep = node; - } - -@@ -5110,13 +5120,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, - if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN || - result == DNS_R_NCACHENXRRSET) - { -- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); -+ bind_rdataset(search.rbtdb, node, found, search.now, locktype, -+ rdataset); - if (need_headerupdate(found, search.now)) { - update = found; - } - if (!NEGATIVE(found) && foundsig != NULL) { - bind_rdataset(search.rbtdb, node, foundsig, search.now, -- sigrdataset); -+ locktype, sigrdataset); - if (need_headerupdate(foundsig, search.now)) { - updatesig = foundsig; - } -@@ -5275,15 +5286,15 @@ cache_findzonecut(dns_db_t *db, const dns_name_t *name, unsigned int options, - } - - if (nodep != NULL) { -- new_reference(search.rbtdb, node); -- INSIST(!ISC_LINK_LINKED(node, deadlink)); -+ 
new_reference(search.rbtdb, node, locktype); - *nodep = node; - } - -- bind_rdataset(search.rbtdb, node, found, search.now, rdataset); -+ bind_rdataset(search.rbtdb, node, found, search.now, locktype, -+ rdataset); - if (foundsig != NULL) { - bind_rdataset(search.rbtdb, node, foundsig, search.now, -- sigrdataset); -+ locktype, sigrdataset); - } - - if (need_headerupdate(found, search.now) || -@@ -5646,10 +5657,11 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - } - } - if (found != NULL) { -- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); -+ bind_rdataset(rbtdb, rbtnode, found, now, isc_rwlocktype_read, -+ rdataset); - if (foundsig != NULL) { - bind_rdataset(rbtdb, rbtnode, foundsig, now, -- sigrdataset); -+ isc_rwlocktype_read, sigrdataset); - } - } - -@@ -5740,9 +5752,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - } - } - if (found != NULL) { -- bind_rdataset(rbtdb, rbtnode, found, now, rdataset); -+ bind_rdataset(rbtdb, rbtnode, found, now, locktype, rdataset); - if (!NEGATIVE(found) && foundsig != NULL) { -- bind_rdataset(rbtdb, rbtnode, foundsig, now, -+ bind_rdataset(rbtdb, rbtnode, foundsig, now, locktype, - sigrdataset); - } - } -@@ -5910,6 +5922,9 @@ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { - return (result); - } - -+/* -+ * node write lock must be held. 
-+ */ - static void - resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, - rdatasetheader_t *header) { -@@ -5921,7 +5936,8 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, - header->heap_index); - header->heap_index = 0; - if (version != NULL) { -- new_reference(rbtdb, header->node); -+ new_reference(rbtdb, header->node, -+ isc_rwlocktype_write); - ISC_LIST_APPEND(version->resigned_list, header, link); - } - } -@@ -5952,6 +5968,9 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion, - RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); - } - -+/* -+ * write lock on rbtnode must be held. -+ */ - static isc_result_t - add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, - rdatasetheader_t *newheader, unsigned int options, bool loading, -@@ -6080,9 +6099,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - if (addedrdataset != NULL) { -- bind_rdataset(rbtdb, rbtnode, -- topheader, now, -- addedrdataset); -+ bind_rdataset( -+ rbtdb, rbtnode, -+ topheader, now, -+ isc_rwlocktype_write, -+ addedrdataset); - } - return (DNS_R_UNCHANGED); - } -@@ -6142,6 +6163,7 @@ find_header: - free_rdataset(rbtdb, rbtdb->common.mctx, newheader); - if (addedrdataset != NULL) { - bind_rdataset(rbtdb, rbtnode, header, now, -+ isc_rwlocktype_write, - addedrdataset); - } - return (DNS_R_UNCHANGED); -@@ -6253,6 +6275,7 @@ find_header: - free_rdataset(rbtdb, rbtdb->common.mctx, newheader); - if (addedrdataset != NULL) { - bind_rdataset(rbtdb, rbtnode, header, now, -+ isc_rwlocktype_write, - addedrdataset); - } - return (ISC_R_SUCCESS); -@@ -6302,6 +6325,7 @@ find_header: - free_rdataset(rbtdb, rbtdb->common.mctx, newheader); - if (addedrdataset != NULL) { - bind_rdataset(rbtdb, rbtnode, header, now, -+ isc_rwlocktype_write, - addedrdataset); - } - return (ISC_R_SUCCESS); -@@ -6499,7 +6523,8 @@ find_header: - } - - if (addedrdataset != NULL) { 
-- bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset); -+ bind_rdataset(rbtdb, rbtnode, newheader, now, -+ isc_rwlocktype_write, addedrdataset); - } - - return (ISC_R_SUCCESS); -@@ -7042,13 +7067,15 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - } - - if (result == ISC_R_SUCCESS && newrdataset != NULL) { -- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset); -+ bind_rdataset(rbtdb, rbtnode, newheader, 0, -+ isc_rwlocktype_write, newrdataset); - } - - if (result == DNS_R_NXRRSET && newrdataset != NULL && - (options & DNS_DBSUB_WANTOLD) != 0) - { -- bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset); -+ bind_rdataset(rbtdb, rbtnode, header, 0, isc_rwlocktype_write, -+ newrdataset); - } - - unlock: -@@ -7935,8 +7962,7 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) { - /* Note that the access to origin_node doesn't require a DB lock */ - onode = (dns_rbtnode_t *)rbtdb->origin_node; - if (onode != NULL) { -- new_reference(rbtdb, onode); -- -+ new_reference(rbtdb, onode, isc_rwlocktype_none); - *nodep = rbtdb->origin_node; - } else { - INSIST(IS_CACHE(rbtdb)); -@@ -8129,7 +8155,8 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *foundname) { - * Found something; pass back the answer and unlock - * the bucket. 
- */ -- bind_rdataset(rbtdb, header->node, header, 0, rdataset); -+ bind_rdataset(rbtdb, header->node, header, 0, -+ isc_rwlocktype_read, rdataset); - - if (foundname != NULL) { - dns_rbt_fullnamefromnode(header->node, foundname); -@@ -9136,7 +9163,7 @@ rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) { - isc_rwlocktype_read); - - bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now, -- rdataset); -+ isc_rwlocktype_read, rdataset); - - NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock, - isc_rwlocktype_read); -@@ -9591,7 +9618,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep, - result = ISC_R_SUCCESS; - } - -- new_reference(rbtdb, node); -+ new_reference(rbtdb, node, isc_rwlocktype_none); - - *nodep = rbtdbiter->node; - -@@ -10504,7 +10531,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, - * We first need to gain a new reference to the node to meet a - * requirement of decrement_reference(). - */ -- new_reference(rbtdb, header->node); -+ new_reference(rbtdb, header->node, isc_rwlocktype_write); - decrement_reference(rbtdb, header->node, 0, - isc_rwlocktype_write, - tree_locked ? isc_rwlocktype_write diff --git a/SPECS/bind/CVE-2020-8620.patch b/SPECS/bind/CVE-2020-8620.patch deleted file mode 100644 index 741756aa08..0000000000 --- a/SPECS/bind/CVE-2020-8620.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h -index cb3da7fc71..a0c3ce1b4b 100644 ---- a/lib/isc/netmgr/netmgr-int.h -+++ b/lib/isc/netmgr/netmgr-int.h -@@ -560,16 +560,6 @@ isc__nm_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event); - * way to use an isc__networker_t from another thread.) - */ - --void --isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf); --/*%< -- * Allocator for recv operations. -- * -- * Note that as currently implemented, this doesn't actually -- * allocate anything, it just assigns the the isc__networker's UDP -- * receive buffer to a socket, and marks it as "in use". -- */ -- - void - isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf); - /*%< -diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c -index 8ac42822c2..6606d076d3 100644 ---- a/lib/isc/netmgr/netmgr.c -+++ b/lib/isc/netmgr/netmgr.c -@@ -976,23 +976,6 @@ isc__nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type, - sock->magic = NMSOCK_MAGIC; - } - --void --isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) { -- isc_nmsocket_t *sock = uv_handle_get_data(handle); -- isc__networker_t *worker = NULL; -- -- REQUIRE(VALID_NMSOCK(sock)); -- REQUIRE(isc__nm_in_netthread()); -- REQUIRE(size <= ISC_NETMGR_RECVBUF_SIZE); -- -- worker = &sock->mgr->workers[sock->tid]; -- INSIST(!worker->recvbuf_inuse); -- -- buf->base = worker->recvbuf; -- worker->recvbuf_inuse = true; -- buf->len = ISC_NETMGR_RECVBUF_SIZE; --} -- - void - isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf) { - isc__networker_t *worker = NULL; -@@ -1005,7 +988,7 @@ isc__nm_free_uvbuf(isc_nmsocket_t *sock, const uv_buf_t *buf) { - worker = &sock->mgr->workers[sock->tid]; - - REQUIRE(worker->recvbuf_inuse); -- if (buf->base > worker->recvbuf && -+ if (sock->type == isc_nm_udpsocket && buf->base > worker->recvbuf && - buf->base <= worker->recvbuf + ISC_NETMGR_RECVBUF_SIZE) - { - /* Can 
happen in case of out-of-order recvmmsg in libuv1.36 */ -diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c -index c572777662..d34461950c 100644 ---- a/lib/isc/netmgr/tcp.c -+++ b/lib/isc/netmgr/tcp.c -@@ -519,6 +519,30 @@ isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) { - return (ISC_R_SUCCESS); - } - -+/*%< -+ * Allocator for TCP read operations. Limited to size 2^16. -+ * -+ * Note this doesn't actually allocate anything, it just assigns the -+ * worker's receive buffer to a socket, and marks it as "in use". -+ */ -+static void -+tcp_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) { -+ isc_nmsocket_t *sock = uv_handle_get_data(handle); -+ isc__networker_t *worker = NULL; -+ -+ REQUIRE(VALID_NMSOCK(sock)); -+ REQUIRE(sock->type == isc_nm_tcpsocket); -+ REQUIRE(isc__nm_in_netthread()); -+ REQUIRE(size <= 65536); -+ -+ worker = &sock->mgr->workers[sock->tid]; -+ INSIST(!worker->recvbuf_inuse); -+ -+ buf->base = worker->recvbuf; -+ buf->len = size; -+ worker->recvbuf_inuse = true; -+} -+ - void - isc__nm_async_tcp_startread(isc__networker_t *worker, isc__netievent_t *ev0) { - isc__netievent_startread_t *ievent = (isc__netievent_startread_t *)ev0; -@@ -536,7 +560,7 @@ isc__nm_async_tcp_startread(isc__networker_t *worker, isc__netievent_t *ev0) { - 0); - } - -- r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb, read_cb); -+ r = uv_read_start(&sock->uv_handle.stream, tcp_alloc_cb, read_cb); - if (r != 0) { - isc__nm_incstats(sock->mgr, sock->statsindex[STATID_RECVFAIL]); - } -diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c -index 6e2d2098cf..c1e69027fb 100644 ---- a/lib/isc/netmgr/udp.c -+++ b/lib/isc/netmgr/udp.c -@@ -132,6 +132,32 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_nmiface_t *iface, isc_nm_recv_cb_t cb, - return (ISC_R_SUCCESS); - } - -+/*%< -+ * Allocator for UDP recv operations. Limited to size 20 * (2^16 + 2), -+ * which allows enough space for recvmmsg() to get multiple messages at -+ * a time. 
-+ * -+ * Note this doesn't actually allocate anything, it just assigns the -+ * worker's receive buffer to a socket, and marks it as "in use". -+ */ -+static void -+udp_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) { -+ isc_nmsocket_t *sock = uv_handle_get_data(handle); -+ isc__networker_t *worker = NULL; -+ -+ REQUIRE(VALID_NMSOCK(sock)); -+ REQUIRE(sock->type == isc_nm_udpsocket); -+ REQUIRE(isc__nm_in_netthread()); -+ REQUIRE(size <= ISC_NETMGR_RECVBUF_SIZE); -+ -+ worker = &sock->mgr->workers[sock->tid]; -+ INSIST(!worker->recvbuf_inuse); -+ -+ buf->base = worker->recvbuf; -+ buf->len = ISC_NETMGR_RECVBUF_SIZE; -+ worker->recvbuf_inuse = true; -+} -+ - /* - * handle 'udplisten' async call - start listening on a socket. - */ -@@ -178,7 +204,7 @@ isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) { - uv_send_buffer_size(&sock->uv_handle.handle, - &(int){ ISC_SEND_BUFFER_SIZE }); - #endif -- uv_udp_recv_start(&sock->uv_handle.udp, isc__nm_alloc_cb, udp_recv_cb); -+ uv_udp_recv_start(&sock->uv_handle.udp, udp_alloc_cb, udp_recv_cb); - } - - static void diff --git a/SPECS/bind/CVE-2020-8621.patch b/SPECS/bind/CVE-2020-8621.patch deleted file mode 100644 index f401fc46fd..0000000000 --- a/SPECS/bind/CVE-2020-8621.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 7d443fd55b..3c0e3013aa 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -4020,6 +4020,15 @@ fctx_nextaddress(fetchctx_t *fctx) { - addrinfo->flags |= FCTX_ADDRINFO_MARK; - fctx->find = NULL; - fctx->forwarding = true; -+ -+ /* -+ * QNAME minimization is disabled when -+ * forwarding, and has to remain disabled if -+ * we switch back to normal recursion; otherwise -+ * forwarding could leave us in an inconsistent -+ * state. -+ */ -+ fctx->minimized = false; - return (addrinfo); - } - } diff --git a/SPECS/bind/CVE-2020-8622.patch b/SPECS/bind/CVE-2020-8622.patch deleted file mode 100644 index 2562bed31d..0000000000 
--- a/SPECS/bind/CVE-2020-8622.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index dd9dd23a12..97425c753b 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1709,6 +1709,16 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
- msg->header_ok = 0;
- msg->question_ok = 0;
-
-+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
-+ isc_buffer_usedregion(&origsource, &msg->saved);
-+ } else {
-+ msg->saved.length = isc_buffer_usedlength(&origsource);
-+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
-+ memmove(msg->saved.base, isc_buffer_base(&origsource),
-+ msg->saved.length);
-+ msg->free_saved = 1;
-+ }
-+
- isc_buffer_remainingregion(source, &r);
- if (r.length < DNS_MESSAGE_HEADERLEN) {
- return (ISC_R_UNEXPECTEDEND);
-@@ -1793,15 +1803,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
- }
-
- truncated:
-- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
-- isc_buffer_usedregion(&origsource, &msg->saved);
-- } else {
-- msg->saved.length = isc_buffer_usedlength(&origsource);
-- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
-- memmove(msg->saved.base, isc_buffer_base(&origsource),
-- msg->saved.length);
-- msg->free_saved = 1;
-- }
-
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) {
- return (DNS_R_RECOVERABLE);
diff --git a/SPECS/bind/CVE-2020-8624.patch b/SPECS/bind/CVE-2020-8624.patch
deleted file mode 100644
index 83687a9842..0000000000
--- a/SPECS/bind/CVE-2020-8624.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
-index 41c1a598db..752c0d2770 100644
---- a/bin/named/zoneconf.c
-+++ b/bin/named/zoneconf.c
-@@ -252,7 +252,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
-
- str = cfg_obj_asstring(matchtype);
- CHECK(dns_ssu_mtypefromstring(str, &mtype));
-- if (mtype == dns_ssumatchtype_subdomain) {
-+ if (mtype == dns_ssumatchtype_subdomain &&
-+ strcasecmp(str, "zonesub") == 0) {
- usezone = true;
- }
-
diff --git a/SPECS/bind/CVE-2020-8625.patch b/SPECS/bind/CVE-2020-8625.patch
deleted file mode 100644
index 7e63939c14..0000000000
--- a/SPECS/bind/CVE-2020-8625.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN bind-9.16.3-original/lib/dns/spnego.c bind-9.16.3/lib/dns/spnego.c
---- bind-9.16.3-original/lib/dns/spnego.c 2021-03-01 08:56:47.639826977 -0800
-+++ bind-9.16.3/lib/dns/spnego.c 2021-03-01 08:58:57.223786168 -0800
-@@ -842,7 +842,7 @@
- return (ASN1_OVERRUN);
- }
-
-- data->components = malloc(len * sizeof(*data->components));
-+ data->components = malloc((len + 1) * sizeof(*data->components));
- if (data->components == NULL) {
- return (ENOMEM);
- }
diff --git a/SPECS/bind/bind-9.10-dist-native-pkcs11.patch b/SPECS/bind/bind-9.10-dist-native-pkcs11.patch
index a04d6ee754..e3b47e5c51 100644
--- a/SPECS/bind/bind-9.10-dist-native-pkcs11.patch
+++ b/SPECS/bind/bind-9.10-dist-native-pkcs11.patch
@@ -1,3 +1,24 @@ +From 8f232dac49cbb143a30a5c807f9085f3ef251f0e Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 21 Jan 2021 10:46:20 +0100 +Subject: [PATCH] Enable custom pkcs11 native build + +Share common parts like libisc, libcc and others. But provide native +pkcs11 libraries as a new copy of libdns and libns. +--- + bin/Makefile.in | 2 +- + bin/confgen/Makefile.in | 2 +- + bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- + bin/named-pkcs11/Makefile.in | 33 ++++++++++++++------------- + configure.ac | 19 ++++++++++++++++ + lib/Makefile.in | 2 +- + lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- + lib/dns-pkcs11/tests/Makefile.in | 8 +++---- + lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- + lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- + make/includes.in | 7 ++++++ + 11 files changed, 101 insertions(+), 71 deletions(-) + diff --git a/bin/Makefile.in b/bin/Makefile.in index 9ad7f62..094775a 100644 --- a/bin/Makefile.in @@ -12,7 +33,7 @@ index 9ad7f62..094775a 100644 TARGETS = diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index ef3e70c..1f5165a 100644 +index c126bf3..1b7512d 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ @@ -25,7 +46,7 @@ index ef3e70c..1f5165a 100644 ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 05fdb55..433d4f4 100644 +index ace0e5a..e0f6a00 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in @@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ 
@@ -40,11 +61,11 @@ index 05fdb55..433d4f4 100644 +CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 CWARNINGS = --DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@ +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ -DNSDEPLIBS = ../../lib/dns/libdns.@A@ +DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @@ -65,14 +86,14 @@ index 05fdb55..433d4f4 100644 - dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ - dnssec-verify@EXEEXT@ +TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ -+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ -+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ -+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ -+ dnssec-verify${EXEEXT} ++ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ ++ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ ++ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ ++ dnssec-verify${EXEEXT} OBJS = dnssectool.@O@ -@@ -64,19 +67,19 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} +@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ @BIND9_MAKE_RULES@ 
@@ -96,26 +117,26 @@ index 05fdb55..433d4f4 100644 export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -@@ -84,7 +87,7 @@ dnssec-signzone.@O@: dnssec-signzone.c +@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ -c ${srcdir}/dnssec-signzone.c -dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} -+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} ++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -@@ -92,19 +95,19 @@ dnssec-verify.@O@: dnssec-verify.c +@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ -c ${srcdir}/dnssec-verify.c -dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} -+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} ++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ ${FINALBUILDCMD} -dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} -+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ dnssec-revoke.@O@ ${OBJS} ${LIBS} 
@@ -129,22 +150,8 @@ index 05fdb55..433d4f4 100644 ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ dnssec-importkey.@O@ ${OBJS} ${LIBS} -@@ -115,14 +118,12 @@ docclean manclean maintainer-clean:: - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} -- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - - install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done - - uninstall:: -- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done - for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done - - clean distclean:: -diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f66bc9a..6d6c1c7 100644 +diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in +index 98125dd..518a75f 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in @@ -37,13 +37,14 @@ DBDRIVER_LIBS = @@ -155,10 +162,10 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6 -DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ -DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ -DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ -+# Skip building on PKCS11 variant -+DLZDRIVER_OBJS = -+DLZDRIVER_SRCS = -+DLZDRIVER_INCLUDES = ++# Skip building on PKCS11 variant ++DLZDRIVER_OBJS = ++DLZDRIVER_SRCS = ++DLZDRIVER_INCLUDES = +DLZDRIVER_LIBS = CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ @@ -167,21 +174,21 @@ 
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6 ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ ${DBDRIVER_INCLUDES} \ -@@ -53,24 +54,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${MAXMINDDB_CFLAGS} \ - ${ZLIB_CFLAGS} +@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LIBXML2_CFLAGS} \ + ${MAXMINDDB_CFLAGS} -CDEFINES = @CONTRIB_DLZ@ +CDEFINES = CWARNINGS = --DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@ +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -NSLIBS = ../../lib/ns/libns.@A@ +NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ @@ -197,7 +204,7 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6 DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -87,7 +88,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ +@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ SUBDIRS = unix @@ -206,7 +213,7 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6 GEOIP2LINKOBJS = geoip.@O@ -@@ -147,7 +148,7 @@ server.@O@: server.c +@@ -151,7 +152,7 @@ server.@O@: server.c -DPRODUCT=\"${PRODUCT}\" \ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c 
@@ -215,30 +222,26 @@ diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.inindex f6 export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -173,15 +174,15 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 +@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} -install:: named@EXEEXT@ installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +install:: named-pkcs11@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 uninstall:: - rm -f ${DESTDIR}${mandir}/man5/named.conf.5 - rm -f ${DESTDIR}${mandir}/man8/named.8 - ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ + ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ @DLZ_DRIVER_RULES@ diff --git a/configure.ac b/configure.ac -index de6a248..e95ef36 100644 +index da99e85..55680ea 100644 --- a/configure.ac +++ b/configure.ac -@@ -1196,12 +1196,14 @@ AC_SUBST(USE_GSSAPI) +@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DNS_GSSAPI_LIBS) DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" @@ -253,7 +256,7 @@ index de6a248..e95ef36 100644 # # was --with-lmdb specified? -@@ -2296,6 +2298,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) +@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) AC_SUBST(BIND9_NS_BUILDINCLUDE) AC_SUBST(BIND9_BIND9_BUILDINCLUDE) AC_SUBST(BIND9_IRS_BUILDINCLUDE) 
@@ -262,7 +265,7 @@ index de6a248..e95ef36 100644 if test "X$srcdir" != "X"; then BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2304,6 +2308,8 @@ if test "X$srcdir" != "X"; then +@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" @@ -271,7 +274,7 @@ index de6a248..e95ef36 100644 else BIND9_ISC_BUILDINCLUDE="" BIND9_ISCCC_BUILDINCLUDE="" -@@ -2312,6 +2318,8 @@ else +@@ -2343,6 +2349,8 @@ else BIND9_NS_BUILDINCLUDE="" BIND9_BIND9_BUILDINCLUDE="" BIND9_IRS_BUILDINCLUDE="" @@ -280,7 +283,7 @@ index de6a248..e95ef36 100644 fi AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2771,8 +2779,11 @@ AC_CONFIG_FILES([ +@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([ bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile @@ -292,7 +295,7 @@ index de6a248..e95ef36 100644 bin/nsupdate/Makefile bin/pkcs11/Makefile bin/plugins/Makefile -@@ -2843,6 +2854,10 @@ AC_CONFIG_FILES([ +@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -303,7 +306,7 @@ index de6a248..e95ef36 100644 lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile -@@ -2875,6 +2890,10 @@ AC_CONFIG_FILES([ +@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([ lib/ns/include/Makefile lib/ns/include/ns/Makefile lib/ns/tests/Makefile @@ -328,28 +331,29 @@ index ffa2d5a..6fbc192 100644 @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 0ef3b5f..80683c2 100644 +index 58bda3c..d6a45df 100644 --- a/lib/dns-pkcs11/Makefile.in 
+++ b/lib/dns-pkcs11/Makefile.in -@@ -26,14 +26,14 @@ VERSION=@BIND9_VERSION@ +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ ${ISC_INCLUDES} \ + ${FSTRM_CFLAGS} \ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ - ${JSON_C_CFLAGS} \ - ${LIBXML2_CFLAGS} \ +@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ + ${LMDB_CFLAGS} \ ${MAXMINDDB_CFLAGS} --CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} -+CDEFINES = @USE_GSSAPI@ ${USE_ISC_SPNEGO} @USE_PKCS11@ +-CDEFINES = @USE_GSSAPI@ ++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ CWARNINGS = -@@ -139,15 +139,15 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -135,15 +135,15 @@ version.@O@: version.c + -DMAPAPI=\"${MAPAPI}\" \ -c ${srcdir}/version.c -libdns.@SA@: ${OBJS} @@ -362,13 +366,13 @@ index 0ef3b5f..80683c2 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ + -release "${VERSION}" \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} include: gen ${MAKE} include/dns/enumtype.h -@@ -178,22 +178,22 @@ gen: gen.c +@@ -174,22 +174,22 @@ gen: gen.c ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_LIBS} ${LFS_LIBS} @@ -397,61 +401,63 @@ index 0ef3b5f..80683c2 100644 rm -f include/dns/rdatastruct.h rm -f dnstap.pb-c.c dnstap.pb-c.h diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index fd8ebb9..9384a4f 100644 +index 3bb5e01..c96fe7d 100644 --- a/lib/dns-pkcs11/tests/Makefile.in 
+++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,14 +15,14 @@ VERSION=@BIND9_VERSION@ +@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ +CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ + ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ + ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ -CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" +CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" - ISCLIBS = ../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ +-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -DNSDEPLIBS = ../libdns.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@ ++DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ +DNSDEPLIBS = ../libdns-pkcs11.@A@ LIBS = @LIBS@ @CMOCKA_LIBS@ diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index 97aaaf6..c7ffc7b 100644 +index bc683ce..7a9d2f2 100644 --- a/lib/ns-pkcs11/Makefile.in 
+++ b/lib/ns-pkcs11/Makefile.in -@@ -20,11 +20,11 @@ VERSION=@BIND9_VERSION@ +@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ + @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ - ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ + ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ + ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ + ${FSTRM_CFLAGS} -CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" +CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" CWARNINGS = -@@ -32,9 +32,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS +@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ --DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@ +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -DNSDEPLIBS = ../../lib/dns/libdns.@A@ +DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ LIBS = @LIBS@ -@@ -66,28 +66,28 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ +@@ -60,28 +60,28 @@ version.@O@: version.c + -DMAJOR=\"${MAJOR}\" \ -c ${srcdir}/version.c -libns.@SA@: ${OBJS} @@ -464,9 +470,9 @@ index 97aaaf6..c7ffc7b 100644 ${LIBTOOL_MODE_LINK} \ - ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + -release "${VERSION}" \ +- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} -timestamp: libns.@A@ +timestamp: libns-pkcs11.@A@ 
@@ -488,27 +494,27 @@ index 97aaaf6..c7ffc7b 100644 - rm -f libns.@A@ timestamp + rm -f libns-pkcs11.@A@ timestamp diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in -index 70c77a4..87955a7 100644 +index 4c3e694..c1b6d99 100644 --- a/lib/ns-pkcs11/tests/Makefile.in +++ b/lib/ns-pkcs11/tests/Makefile.in -@@ -21,17 +21,17 @@ WRAP_NAME = -Wl,-install_name,${top_builddir}/lib/ns/tests/$@ - WRAP_RPATH = -Wl,-rpath,${top_builddir}/lib/ns/tests - WRAP_LIB = -L${top_builddir}/lib/ns/tests -lwrap +@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ + + WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach -CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ +CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ ${OPENSSL_CFLAGS} \ @CMOCKA_CFLAGS@ -CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ ++CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ - ISCLIBS = ../../isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../../dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ +-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -DNSDEPLIBS = ../../dns/libdns.@A@ -NSLIBS = ../libns.@A@ -NSDEPLIBS = ../libns.@A@ -+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_PK11_LIBS@ ++DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ +DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ +NSLIBS = ../libns-pkcs11.@A@ +NSDEPLIBS = ../libns-pkcs11.@A@ @@ -516,7 +522,7 @@ index 70c77a4..87955a7 100644 LIBS = @LIBS@ @CMOCKA_LIBS@ 
diff --git a/make/includes.in b/make/includes.in -index 48cdaf7..7b17738 100644 +index b8317d3..b73b0c4 100644 --- a/make/includes.in +++ b/make/includes.in @@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ @@ -530,3 +536,5 @@ index 48cdaf7..7b17738 100644 +NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ + -I${top_srcdir}/lib/ns-pkcs11/include + +-- +2.26.3 diff --git a/SPECS/bind/bind-9.14-config-pkcs11.patch b/SPECS/bind/bind-9.14-config-pkcs11.patch index bfc6e457c8..b4caf34248 100644 --- a/SPECS/bind/bind-9.14-config-pkcs11.patch +++ b/SPECS/bind/bind-9.14-config-pkcs11.patch @@ -29,9 +29,9 @@ diff --git a/configure.ac b/configure.ac index fde41dc..e5cc3cd 100644 --- a/configure.ac +++ b/configure.ac -@@ -889,10 +889,14 @@ AS_CASE([$enable_native_pkcs11], - AC_SUBST([PKCS11_TEST]) +@@ -935,10 +935,14 @@ AS_CASE([$enable_native_pkcs11], AC_SUBST([PKCS11_TOOLS]) + AC_SUBST([PKCS11_MANS]) +USE_PKCS11='-DUSE_PKCS11=0' +USE_OPENSSL='-DUSE_OPENSSL=0' @@ -64,9 +64,9 @@ index 116e2d2..99bdf5b 100644 #if USE_PKCS11 #include #include -@@ -98,11 +105,10 @@ struct dst_key { +@@ -113,11 +120,10 @@ struct dst_key { void *generic; - gss_ctx_id_t gssctx; + dns_gss_ctx_id_t gssctx; DH *dh; -#if USE_OPENSSL - EVP_PKEY *pkey; @@ -80,4 +80,3 @@ index 116e2d2..99bdf5b 100644 } keydata; /*%< pointer to key in crypto pkg fmt */ -- 2.21.1 - diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json index 2b8259e37e..d85855072e 100644 --- a/SPECS/bind/bind.signatures.json +++ b/SPECS/bind/bind.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "bind-9.16.3.tar.xz": "27ac6513de5f8d0db34b9f241da53baa15a14b2ad21338d0cde0826eaf564f7e", + "bind-9.16.15.tar.xz": "98b6f432d878a7bf8f57eb7b3c28be27278cf6b9989154bfe6c81104b38e7839", "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", "named.conf.sample": "1807f11df688de4eb8cdcc97bd1a8863d81b03b1f24af96f3639de40bc8e538a", diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index f6e39fb01b..f3e8153e83 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -8,8 +8,8 @@ %{!?_export_dir:%global _export_dir /bind9-export/} Summary: Domain Name System software Name: bind -Version: 9.16.3 -Release: 5%{?dist} +Version: 9.16.15 +Release: 1%{?dist} License: ISC Vendor: Microsoft Corporation Distribution: Mariner @@ -33,20 +33,16 @@ Source14: setup-named-softhsm.sh Source15: named-chroot.files # CVE-2019-6470 is fixed by updating the dhcp package to 4.4.1 or greater Patch0: CVE-2019-6470.nopatch -Patch1: CVE-2020-8618.patch -Patch2: CVE-2020-8619.patch -Patch3: CVE-2020-8620.patch -Patch4: CVE-2020-8621.patch -Patch5: CVE-2020-8622.patch # CVE-2020-8623 only impacts package built with "--enable-native-pkcs11" -Patch6: CVE-2020-8623.nopatch -Patch7: CVE-2020-8624.patch -Patch8: CVE-2020-8625.patch +Patch1: CVE-2020-8623.nopatch Patch9: bind-9.14-config-pkcs11.patch Patch10: bind-9.10-dist-native-pkcs11.patch BuildRequires: gcc BuildRequires: json-c-devel BuildRequires: krb5-devel +Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd +Requires(postun):/usr/sbin/userdel /usr/sbin/groupdel +BuildRequires: openssl-devel BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: libuv-devel @@ -201,13 +197,6 @@ Summary: BIND utilities %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch7 -p1 -%patch8 -p1 %patch9 -p1 -b .config-pkcs11 cp -r bin/named{,-pkcs11} 
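Review bot: In the `@@ -33,20 +33,16 @@` hunk the comment kept above `Patch1: CVE-2020-8623.nopatch` still justifies carrying no patch with "only impacts package built with --enable-native-pkcs11", yet this spec applies `bind-9.10-dist-native-pkcs11.patch` and the next hunk's context copies `bin/named{,-pkcs11}`, so a pkcs11 variant appears to be built here. If the issue is considered resolved by the version update, as it is for the CVE-2020-8620/8621/8622/8624 patches this commit drops, the comment should say that instead, e.g. `# CVE-2020-8623: no patch carried; addressed by the upstream version update (confirm against the release notes)`. Separately, the new `Requires(pre)` and `Requires(postun)` lines sit between `BuildRequires` entries and the second has no space after the colon; moving them next to the runtime requirements and writing `Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel` would keep the preamble consistent.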
@@ -426,7 +415,7 @@ fi; %dir /run/named %files libs -%{_libdir}/*so.* +%{_libdir}/*-%{version}*.so %exclude %{_libdir}/libdns-pkcs11* %exclude %{_libdir}/libns-pkcs11* @@ -546,11 +535,16 @@ fi; %{_tmpfilesdir}/named.conf %changelog +* Tue Jul 27 2021 Jon Slobodzian - 9.16.15-1 +- Update version to 9.16.15 to fix CVE-2021-25215 +- Remove unprovided soname version of libraries +- Include versioned library names in libs subpackage + * Fri May 14 2021 Thomas Crain - 9.16.3-5 - Merge the following releases from 1.0 to dev branch - nicolasg@microsoft.com, 9.16.3-3: Fixes CVE-2020-8625 -* Thu May 13 2021 Henry Li - 9.16.3-4 +* Thu May 13 2021 Henry Li - 9.16.3-4 - Fix file path error caused by linting - Remove duplicate %files section for bind-license - Remove named.conf from main package, which is already provided by bind-utils @@ -560,6 +554,9 @@ fi; bind-pkcs11-utils, bind-pkcs11-devel, bind-dnssec-utils, bind-dnssec-doc, bind-python3-bind and bind-chroot packages +* Mon Mar 01 2021 Nicolas Guibourge - 9.16.3-3 +- Fixes CVE-2020-8625 + * Fri Sep 11 2020 Ruying Chen - 9.16.3-2 - Fixes CVE-2020-8618, CVE-2020-8619, CVE-2020-8620, - CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 @@ -567,7 +564,7 @@ fi; * Wed May 27 2020 Daniel McIlvaney - 9.16.3-1 - Update to version 9.16.3, fixes CVE-2018-5743, CVE-2018-5744, CVE-2019-6465, CVE-2019-6467, CVE-2019-6471, CVE-2020-8616, CVE-2020-8617 -* Sat May 09 00:21:20 PST 2020 Nick Samson - 9.13.3-4 +* Sat May 09 2020 Nick Samson - 9.13.3-4 - Added %%license line automatically * Fri May 1 2020 Emre Girgin 9.13.3-3 diff --git a/SPECS/binutils/CVE-2019-12972.patch b/SPECS/binutils/CVE-2019-12972.patch deleted file mode 100644 index fe0993efd2..0000000000 --- a/SPECS/binutils/CVE-2019-12972.patch +++ /dev/null 
@@ -1,12 +0,0 @@ ---- a/bfd/elfcode.h -+++ b/bfd/elfcode.h -@@ -755,7 +755,8 @@ - /* A further sanity check. */ - if (i_ehdrp->e_shnum != 0) - { -- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)) -+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd) -+ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB) - { - /* PR 2257: - We used to just goto got_wrong_format_error here diff --git a/SPECS/binutils/CVE-2019-14250.patch b/SPECS/binutils/CVE-2019-14250.patch deleted file mode 100644 index 4ee873ac81..0000000000 --- a/SPECS/binutils/CVE-2019-14250.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- a/libiberty/simple-object-elf.c -+++ b/libiberty/simple-object-elf.c -@@ -548,6 +548,14 @@ - XDELETE (eor); - return NULL; - } -+ -+ if (!eor->shstrndx) -+ { -+ *errmsg = "invalid ELF shstrndx == 0"; -+ *err = 0; -+ XDELETE (eor); -+ return NULL; -+ } - - return (void *) eor; - } diff --git a/SPECS/binutils/CVE-2019-14444.patch b/SPECS/binutils/CVE-2019-14444.patch deleted file mode 100644 index 4647fb9314..0000000000 --- a/SPECS/binutils/CVE-2019-14444.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/binutils/readelf.c -+++ b/binutils/readelf.c -@@ -13213,7 +13213,7 @@ - } - - rloc = start + rp->r_offset; -- if ((rloc + reloc_size) > end || (rloc < start)) -+ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start)) - { - warn (_("skipping invalid relocation offset 0x%lx in section %s\n"), - (unsigned long) rp->r_offset, diff --git a/SPECS/binutils/CVE-2019-17450.patch b/SPECS/binutils/CVE-2019-17450.patch deleted file mode 100644 index a095662396..0000000000 --- a/SPECS/binutils/CVE-2019-17450.patch +++ /dev/null 
@@ -1,72 +0,0 @@ ---- a/bfd/dwarf2.c -+++ b/bfd/dwarf2.c -@@ -2803,13 +2803,13 @@ - } - - static bfd_boolean --find_abstract_instance (struct comp_unit * unit, -- bfd_byte * orig_info_ptr, -- struct attribute * attr_ptr, -- const char ** pname, -- bfd_boolean * is_linkage, -- char ** filename_ptr, -- int * linenumber_ptr) -+find_abstract_instance (struct comp_unit *unit, -+ struct attribute *attr_ptr, -+ unsigned int recur_count, -+ const char **pname, -+ bfd_boolean *is_linkage, -+ char **filename_ptr, -+ int *linenumber_ptr) - { - bfd *abfd = unit->abfd; - bfd_byte *info_ptr; -@@ -2820,6 +2820,14 @@ - struct attribute attr; - const char *name = NULL; - -+ if (recur_count == 100) -+ { -+ _bfd_error_handler -+ (_("DWARF error: abstract instance recursion detected")); -+ bfd_set_error (bfd_error_bad_value); -+ return FALSE; -+ } -+ - /* DW_FORM_ref_addr can reference an entry in a different CU. It - is an offset from the .debug_info section, not the current CU. */ - if (attr_ptr->form == DW_FORM_ref_addr) -@@ -2939,15 +2947,6 @@ - info_ptr, info_ptr_end); - if (info_ptr == NULL) - break; -- /* It doesn't ever make sense for DW_AT_specification to -- refer to the same DIE. Stop simple recursion. */ -- if (info_ptr == orig_info_ptr) -- { -- _bfd_error_handler -- (_("DWARF error: abstract instance recursion detected")); -- bfd_set_error (bfd_error_bad_value); -- return FALSE; -- } - switch (attr.name) - { - case DW_AT_name: -@@ -2961,7 +2960,7 @@ - } - break; - case DW_AT_specification: -- if (!find_abstract_instance (unit, info_ptr, &attr, -+ if (!find_abstract_instance (unit, &attr, recur_count + 1, - &name, is_linkage, - filename_ptr, linenumber_ptr)) - return FALSE; -@@ -3175,7 +3174,7 @@ - - case DW_AT_abstract_origin: - case DW_AT_specification: -- if (!find_abstract_instance (unit, info_ptr, &attr, -+ if (!find_abstract_instance (unit, &attr, 0, - &func->name, - &func->is_linkage, - &func->file, 
diff --git a/SPECS/binutils/CVE-2019-17451.patch b/SPECS/binutils/CVE-2019-17451.patch deleted file mode 100644 index 1afa4c8d0f..0000000000 --- a/SPECS/binutils/CVE-2019-17451.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/bfd/dwarf2.c -+++ b/bfd/dwarf2.c -@@ -4426,7 +4425,16 @@ - for (total_size = 0; - msec; - msec = find_debug_info (debug_bfd, debug_sections, msec)) -- total_size += msec->size; -+ { -+ /* Catch PR25070 testcase overflowing size calculation here. */ -+ if (total_size + msec->size < total_size -+ || total_size + msec->size < msec->size) -+ { -+ bfd_set_error (bfd_error_no_memory); -+ return FALSE; -+ } -+ total_size += msec->size; -+ } - - stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); - if (stash->info_ptr_memory == NULL) diff --git a/SPECS/binutils/CVE-2019-9071.patch b/SPECS/binutils/CVE-2019-9071.patch deleted file mode 100644 index 7ccf14066f..0000000000 --- a/SPECS/binutils/CVE-2019-9071.patch +++ /dev/null 
@@ -1,110 +0,0 @@ ---- a/libiberty/cp-demangle.c -+++ b/libiberty/cp-demangle.c -@@ -861,7 +861,7 @@ - int - cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len) - { -- if (p == NULL || s == NULL || len == 0) -+ if (p == NULL || s == NULL || len <= 0) - return 0; - p->d_printing = 0; - p->type = DEMANGLE_COMPONENT_NAME; -@@ -4055,7 +4055,7 @@ - are larger than the actual numbers encountered. */ - - static void --d_count_templates_scopes (int *num_templates, int *num_scopes, -+d_count_templates_scopes (struct d_print_info *dpi, - const struct demangle_component *dc) - { - if (dc == NULL) -@@ -4075,13 +4075,13 @@ - break; - - case DEMANGLE_COMPONENT_TEMPLATE: -- (*num_templates)++; -+ dpi->num_copy_templates++; - goto recurse_left_right; - - case DEMANGLE_COMPONENT_REFERENCE: - case DEMANGLE_COMPONENT_RVALUE_REFERENCE: - if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) -- (*num_scopes)++; -+ dpi->num_saved_scopes++; - goto recurse_left_right; - - case DEMANGLE_COMPONENT_QUAL_NAME: -@@ -4146,42 +4146,42 @@ - case DEMANGLE_COMPONENT_TAGGED_NAME: - case DEMANGLE_COMPONENT_CLONE: - recurse_left_right: -- d_count_templates_scopes (num_templates, num_scopes, -- d_left (dc)); -- d_count_templates_scopes (num_templates, num_scopes, -- d_right (dc)); -+ /* PR 89394 - Check for too much recursion. */ -+ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT) -+ /* FIXME: There ought to be a way to report to the -+ user that the recursion limit has been reached. 
*/ -+ return; -+ -+ ++ dpi->recursion; -+ d_count_templates_scopes (dpi, d_left (dc)); -+ d_count_templates_scopes (dpi, d_right (dc)); -+ -- dpi->recursion; - break; - - case DEMANGLE_COMPONENT_CTOR: -- d_count_templates_scopes (num_templates, num_scopes, -- dc->u.s_ctor.name); -+ d_count_templates_scopes (dpi, dc->u.s_ctor.name); - break; - - case DEMANGLE_COMPONENT_DTOR: -- d_count_templates_scopes (num_templates, num_scopes, -- dc->u.s_dtor.name); -+ d_count_templates_scopes (dpi, dc->u.s_dtor.name); - break; - - case DEMANGLE_COMPONENT_EXTENDED_OPERATOR: -- d_count_templates_scopes (num_templates, num_scopes, -- dc->u.s_extended_operator.name); -+ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name); - break; - - case DEMANGLE_COMPONENT_FIXED_TYPE: -- d_count_templates_scopes (num_templates, num_scopes, -- dc->u.s_fixed.length); -+ d_count_templates_scopes (dpi, dc->u.s_fixed.length); - break; - - case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS: - case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS: -- d_count_templates_scopes (num_templates, num_scopes, -- d_left (dc)); -+ d_count_templates_scopes (dpi, d_left (dc)); - break; - - case DEMANGLE_COMPONENT_LAMBDA: - case DEMANGLE_COMPONENT_DEFAULT_ARG: -- d_count_templates_scopes (num_templates, num_scopes, -- dc->u.s_unary_num.sub); -+ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub); - break; - } - } -@@ -4216,8 +4216,12 @@ - dpi->next_copy_template = 0; - dpi->num_copy_templates = 0; - -- d_count_templates_scopes (&dpi->num_copy_templates, -- &dpi->num_saved_scopes, dc); -+ d_count_templates_scopes (dpi, dc); -+ /* If we did not reach the recursion limit, then reset the -+ current recursion value back to 0, so that we can print -+ the templates. */ -+ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT) -+ dpi->recursion = 0; - dpi->num_copy_templates *= dpi->num_saved_scopes; - - dpi->current_template = NULL; 
diff --git a/SPECS/binutils/CVE-2019-9073.patch b/SPECS/binutils/CVE-2019-9073.patch deleted file mode 100644 index 0d44fe81a6..0000000000 --- a/SPECS/binutils/CVE-2019-9073.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/binutils/objdump.c -+++ b/binutils/objdump.c -@@ -3178,7 +3178,9 @@ - static void - dump_bfd_private_header (bfd *abfd) - { -- bfd_print_private_bfd_data (abfd, stdout); -+ if (!bfd_print_private_bfd_data (abfd, stdout)) -+ non_fatal (_("warning: private headers incomplete: %s"), -+ bfd_errmsg (bfd_get_error ())); - } - - static void diff --git a/SPECS/binutils/CVE-2019-9074.patch b/SPECS/binutils/CVE-2019-9074.patch deleted file mode 100644 index 721b72a474..0000000000 --- a/SPECS/binutils/CVE-2019-9074.patch +++ /dev/null @@ -1,33 +0,0 @@ ---- a/bfd/pei-x86_64.c -+++ b/bfd/pei-x86_64.c -@@ -541,7 +541,7 @@ - /* virt_size might be zero for objects. */ - if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0) - { -- stop = (datasize / onaline) * onaline; -+ stop = datasize; - virt_size_is_zero = TRUE; - } - else if (datasize < stop) -@@ -551,8 +551,8 @@ - _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"), - pdata_section->name, (unsigned long) datasize, - (unsigned long) stop); -- /* Be sure not to read passed datasize. */ -- stop = datasize / onaline; -+ /* Be sure not to read past datasize. */ -+ stop = datasize; - } - - /* Display functions table. */ -@@ -724,8 +724,7 @@ - altent += imagebase; - - if (altent >= pdata_vma -- && (altent + PDATA_ROW_SIZE <= pdata_vma -- + pei_section_data (abfd, pdata_section)->virt_size)) -+ && altent - pdata_vma + PDATA_ROW_SIZE <= stop) - { - pex64_get_runtime_function - (abfd, &arf, &pdata[altent - pdata_vma]); - diff --git a/SPECS/binutils/CVE-2019-9075.patch b/SPECS/binutils/CVE-2019-9075.patch deleted file mode 100644 index ac3c68f5a4..0000000000 --- a/SPECS/binutils/CVE-2019-9075.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -Patch for CVE-2019-9075. -Adapted from upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8abac8031ed369a2734b1cdb7df28a39a54b4b49 ---- a/bfd/ChangeLog -+++ b/bfd/ChangeLog -@@ -1,3 +1,13 @@ -+2019-02-20 Alan Modra -+ -+ PR 24236 -+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding -+ sentinel NUL to string buffer nearer to loop where it is used. -+ Don't go past sentinel when scanning strings, and don't write -+ NUL again. -+ * archive.c (do_slurp_coff_armap): Simplify string handling to -+ archive64.c style. -+ - 2019-02-02 Nick Clifton - - 2.32 Release ---- a/bfd/archive.c -+++ b/bfd/archive.c -@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) - int *raw_armap, *rawptr; - struct artdata *ardata = bfd_ardata (abfd); - char *stringbase; -+ char *stringend; - bfd_size_type stringsize; - bfd_size_type parsed_size; - carsym *carsyms; -@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) - } - - /* OK, build the carsyms. */ -- for (i = 0; i < nsymz && stringsize > 0; i++) -+ stringend = stringbase + stringsize; -+ *stringend = 0; -+ for (i = 0; i < nsymz; i++) - { -- bfd_size_type len; -- - rawptr = raw_armap + i; - carsyms->file_offset = swap ((bfd_byte *) rawptr); - carsyms->name = stringbase; -- /* PR 17512: file: 4a1d50c1. 
*/ -- len = strnlen (stringbase, stringsize); -- if (len < stringsize) -- len ++; -- stringbase += len; -- stringsize -= len; -+ stringbase += strlen (stringbase); -+ if (stringbase != stringend) -+ ++stringbase; - carsyms++; - } -- *stringbase = 0; - - ardata->symdef_count = nsymz; - ardata->first_file_filepos = bfd_tell (abfd); ---- a/bfd/archive64.c -+++ b/bfd/archive64.c -@@ -100,8 +100,6 @@ - return FALSE; - carsyms = ardata->symdefs; - stringbase = ((char *) ardata->symdefs) + carsym_size; -- stringbase[stringsize] = 0; -- stringend = stringbase + stringsize; - - raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); - if (raw_armap == NULL) -@@ -115,15 +113,17 @@ - goto release_raw_armap; - } - -+ stringend = stringbase + stringsize; -+ *stringend = 0; - for (i = 0; i < nsymz; i++) - { - carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); - carsyms->name = stringbase; -- if (stringbase < stringend) -- stringbase += strlen (stringbase) + 1; -+ stringbase += strlen (stringbase); -+ if (stringbase != stringend) -+ ++stringbase; - ++carsyms; - } -- *stringbase = '\0'; - - ardata->symdef_count = nsymz; - ardata->first_file_filepos = bfd_tell (abfd); diff --git a/SPECS/binutils/CVE-2019-9077.patch b/SPECS/binutils/CVE-2019-9077.patch deleted file mode 100644 index 3ce8940938..0000000000 --- a/SPECS/binutils/CVE-2019-9077.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Patch for CVE-2019.9077. -Adapted from: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,9 @@ -+2019-02-20 Nick Clifton -+ -+ PR 24243 -+ * readelf.c (process_mips_specific): Check for an options section -+ that is too small to even contain a single option. -+ - 2018-06-24 Nick Clifton - - 2.32 branch created. ---- a/binutils/readelf.c -+++ b/binutils/readelf.c -@@ -16178,6 +16178,12 @@ - error (_("No MIPS_OPTIONS header found\n")); - return FALSE; - } -+ /* PR 24243 */ -+ if (sect->sh_size < sizeof (* eopt)) -+ { -+ error (_("The MIPS options section is too small.\n")); -+ return FALSE; -+ } - - eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1, - sect->sh_size, _("options")); diff --git a/SPECS/binutils/CVE-2020-35493.patch b/SPECS/binutils/CVE-2020-35493.patch deleted file mode 100644 index 89ba10192f..0000000000 --- a/SPECS/binutils/CVE-2020-35493.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f2a3559d54602cecfec6d90f792be4a70ad918ab Mon Sep 17 00:00:00 2001 -From: Nick Clifton -Date: Fri, 3 Jan 2020 16:17:53 +0000 -Subject: [PATCH] Fix potential illegal memory access when parsing a corrupt - PEF format file. - - PR 25307 - (bfd_pef_parse_function_stubs): Correct the test that ensures that - there is enough data remaining in the code buffer before - attempting to read a function stub. ---- - bfd/pef.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/bfd/pef.c b/bfd/pef.c -index 726b8d7493..574d9bcb5d 100644 ---- a/bfd/pef.c -+++ b/bfd/pef.c -@@ -806,7 +806,7 @@ bfd_pef_parse_function_stubs (bfd *abfd, - codepos += 4; - } - -- if ((codepos + 4) > codelen) -+ if ((codepos + 24) > codelen) - break; - - ret = bfd_pef_parse_function_stub (abfd, codebuf + codepos, 24, &sym_index); --- -2.25.1 - 
diff --git a/SPECS/binutils/CVE-2020-35494-helper.patch b/SPECS/binutils/CVE-2020-35494-helper.patch deleted file mode 100644 index 6a7b198139..0000000000 --- a/SPECS/binutils/CVE-2020-35494-helper.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 8c5e259235a4e4546910245b170de1e29a711034 Mon Sep 17 00:00:00 2001 -From: Alan Modra -Date: Sun, 29 Dec 2019 12:56:29 +1030 -Subject: [PATCH] Usage of unitialized heap in tic4x_print_cond - - PR 25319 - * tic4x-dis.c (tic4x_print_cond): Init all of condtable. ---- - opcodes/tic4x-dis.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/opcodes/tic4x-dis.c b/opcodes/tic4x-dis.c -index d9f95c9410..01cfa1e060 100644 ---- a/opcodes/tic4x-dis.c -+++ b/opcodes/tic4x-dis.c -@@ -277,7 +277,7 @@ tic4x_print_cond (struct disassemble_info *info, unsigned int cond) - - if (condtable == NULL) - { -- condtable = xmalloc (sizeof (tic4x_cond_t *) * 32); -+ condtable = xcalloc (sizeof (tic4x_cond_t *), 32); - for (i = 0; i < tic4x_num_conds; i++) - condtable[tic4x_conds[i].cond] = (tic4x_cond_t *)(tic4x_conds + i); - } --- -2.25.1 - diff --git a/SPECS/binutils/CVE-2020-35494.patch b/SPECS/binutils/CVE-2020-35494.patch deleted file mode 100644 index 493f40d26d..0000000000 --- a/SPECS/binutils/CVE-2020-35494.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 2c5b6e1a1c406cbe06e2d6f77861764ebd01b9ce Mon Sep 17 00:00:00 2001 -From: Alan Modra -Date: Mon, 30 Dec 2019 09:19:25 +1030 -Subject: [PATCH] Re: Usage of unitialized heap in tic4x_print_cond - - PR 25319 - * tic4x-dis.c (tic4x_print_cond): Correct order of xcalloc args. ---- - opcodes/tic4x-dis.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletion(-) - -diff --git a/opcodes/tic4x-dis.c b/opcodes/tic4x-dis.c -index 01cfa1e060..e058fdc9f8 100644 ---- a/opcodes/tic4x-dis.c -+++ b/opcodes/tic4x-dis.c -@@ -277,7 +277,7 @@ tic4x_print_cond (struct disassemble_info *info, unsigned int cond) - - if (condtable == NULL) - { -- condtable = xcalloc (sizeof (tic4x_cond_t *), 32); -+ condtable = xcalloc (32, sizeof (tic4x_cond_t *)); - for (i = 0; i < tic4x_num_conds; i++) - condtable[tic4x_conds[i].cond] = (tic4x_cond_t *)(tic4x_conds + i); - } --- -2.25.1 - diff --git a/SPECS/binutils/CVE-2020-35495.patch b/SPECS/binutils/CVE-2020-35495.patch deleted file mode 100644 index e9e1effdee..0000000000 --- a/SPECS/binutils/CVE-2020-35495.patch +++ /dev/null 
@@ -1,203 +0,0 @@ -From 7a0fb7be96e0ce79e1ae429bc1ba913e5244d537 Mon Sep 17 00:00:00 2001 -From: Nick Clifton -Date: Fri, 3 Jan 2020 14:41:02 +0000 -Subject: [PATCH] Fix potential illegal memory access failures in the BFD - library by ensuring that the return value from bfd_malloc() is checked before - it is used. - - PR 25308 - * elf-properties.c (_bfd_elf_convert_gnu_properties): Check the - return value from bfd_malloc. - * elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise. - (bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise. - (elf32_arm_filter_cmse_symbols): Likewise. - (elf32_arm_write_section): Likewise. - * mach-o.c (bfd_mach_o_core_fetch_environment): Likewise. - (bfd_mach_o_follow_dsym): Likewise. - * pef.c (bfd_pef_print_loader_section): Likewise. - (bfd_pef_scan_start_address): Likewise. - (bfd_pef_parse_function_stubs): Likewise. - (bfd_pef_parse_symbols): Likewise. ---- - bfd/elf-properties.c | 2 ++ - bfd/elf32-arm.c | 11 ++++++----- - bfd/mach-o.c | 7 +++++++ - bfd/pef.c | 11 +++++++++++ - 4 files changed, 26 insertions(+), 5 deletions(-) - -diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c -index a42abc44dd..76ddad6037 100644 ---- a/bfd/elf-properties.c -+++ b/bfd/elf-properties.c -@@ -703,6 +703,8 @@ _bfd_elf_convert_gnu_properties (bfd *ibfd, asection *isec, - if (size > bfd_get_section_size (isec)) - { - contents = (bfd_byte *) bfd_malloc (size); -+ if (contents == NULL) -+ return FALSE; - free (*ptr); - *ptr = contents; - } -diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c -index ae8a269426..2bf355a331 100644 ---- a/bfd/elf32-arm.c -+++ b/bfd/elf32-arm.c -@@ -7148,7 +7148,6 @@ find_arm_glue (struct bfd_link_info *link_info, - - tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name) - + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1); -- - BFD_ASSERT (tmp_name); - - sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name); -@@ -7323,7 +7322,6 @@ record_arm_to_thumb_glue (struct bfd_link_info * link_info, - - tmp_name = (char 
*) bfd_malloc ((bfd_size_type) strlen (name) - + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1); -- - BFD_ASSERT (tmp_name); - - sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name); -@@ -7401,7 +7399,6 @@ record_arm_bx_glue (struct bfd_link_info * link_info, int reg) - /* Add symbol for veneer. */ - tmp_name = (char *) - bfd_malloc ((bfd_size_type) strlen (ARM_BX_GLUE_ENTRY_NAME) + 1); -- - BFD_ASSERT (tmp_name); - - sprintf (tmp_name, ARM_BX_GLUE_ENTRY_NAME, reg); -@@ -7493,7 +7490,6 @@ record_vfp11_erratum_veneer (struct bfd_link_info *link_info, - - tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen - (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10); -- - BFD_ASSERT (tmp_name); - - sprintf (tmp_name, VFP11_ERRATUM_VENEER_ENTRY_NAME, -@@ -7613,7 +7609,6 @@ record_stm32l4xx_erratum_veneer (struct bfd_link_info *link_info, - - tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen - (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10); -- - BFD_ASSERT (tmp_name); - - sprintf (tmp_name, STM32L4XX_ERRATUM_VENEER_ENTRY_NAME, -@@ -8644,6 +8639,7 @@ bfd_elf32_arm_vfp11_fix_veneer_locations (bfd *abfd, - - tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen - (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10); -+ BFD_ASSERT (tmp_name); - - for (sec = abfd->sections; sec != NULL; sec = sec->next) - { -@@ -8731,6 +8727,7 @@ bfd_elf32_arm_stm32l4xx_fix_veneer_locations (bfd *abfd, - - tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen - (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10); -+ BFD_ASSERT (tmp_name); - - for (sec = abfd->sections; sec != NULL; sec = sec->next) - { -@@ -18505,6 +18502,8 @@ elf32_arm_filter_cmse_symbols (bfd *abfd ATTRIBUTE_UNUSED, - - maxnamelen = 128; - cmse_name = (char *) bfd_malloc (maxnamelen); -+ BFD_ASSERT (cmse_name); -+ - for (src_count = 0; src_count < symcount; src_count++) - { - struct elf32_arm_link_hash_entry *cmse_hash; -@@ -19700,6 +19699,8 @@ elf32_arm_write_section (bfd *output_bfd, - unsigned int in_index, out_index; - bfd_vma add_to_offsets = 0; - -+ if 
(edited_contents == NULL) -+ return FALSE; - for (in_index = 0, out_index = 0; in_index * 8 < input_size || edit_node;) - { - if (edit_node) -diff --git a/bfd/mach-o.c b/bfd/mach-o.c -index b494a77690..3b6fbb5788 100644 ---- a/bfd/mach-o.c -+++ b/bfd/mach-o.c -@@ -5752,6 +5752,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd, - unsigned char *buf = bfd_malloc (1024); - unsigned long size = 1024; - -+ if (buf == NULL) -+ return -1; - for (;;) - { - bfd_size_type nread = 0; -@@ -5797,6 +5799,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd, - bottom = seg->fileoff + seg->filesize - offset; - top = seg->fileoff + seg->filesize - 4; - *rbuf = bfd_malloc (top - bottom); -+ if (*rbuf == NULL) -+ return -1; - *rlen = top - bottom; - - memcpy (*rbuf, buf + size - *rlen, *rlen); -@@ -5941,6 +5945,9 @@ bfd_mach_o_follow_dsym (bfd *abfd) - dsym_filename = (char *)bfd_malloc (strlen (base_bfd->filename) - + strlen (dsym_subdir) + 1 - + strlen (base_basename) + 1); -+ if (dsym_filename == NULL) -+ return NULL; -+ - sprintf (dsym_filename, "%s%s/%s", - base_bfd->filename, dsym_subdir, base_basename); - -diff --git a/bfd/pef.c b/bfd/pef.c -index d88fed7138..726b8d7493 100644 ---- a/bfd/pef.c -+++ b/bfd/pef.c -@@ -447,6 +447,8 @@ bfd_pef_print_loader_section (bfd *abfd, FILE *file) - - loaderlen = loadersec->size; - loaderbuf = bfd_malloc (loaderlen); -+ if (loaderbuf == NULL) -+ return -1; - - if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0 - || bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen -@@ -478,6 +480,9 @@ bfd_pef_scan_start_address (bfd *abfd) - - loaderlen = loadersec->size; - loaderbuf = bfd_malloc (loaderlen); -+ if (loaderbuf == NULL) -+ goto end; -+ - if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0) - goto error; - if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen) -@@ -753,6 +758,8 @@ bfd_pef_parse_function_stubs (bfd *abfd, - (header.imported_library_count * sizeof (bfd_pef_imported_library)); - imports = bfd_malloc - 
(header.total_imported_symbol_count * sizeof (bfd_pef_imported_symbol)); -+ if (libraries == NULL || imports == NULL) -+ goto error; - - if (loaderlen < (56 + (header.imported_library_count * 24))) - goto error; -@@ -897,6 +904,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym) - { - codelen = codesec->size; - codebuf = bfd_malloc (codelen); -+ if (codebuf == NULL) -+ goto end; - if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0) - goto end; - if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen) -@@ -908,6 +917,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym) - { - loaderlen = loadersec->size; - loaderbuf = bfd_malloc (loaderlen); -+ if (loaderbuf == NULL) -+ goto end; - if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0) - goto end; - if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen) --- -2.25.1 - diff --git a/SPECS/binutils/CVE-2020-35507.nopatch b/SPECS/binutils/CVE-2020-35507.nopatch deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/SPECS/binutils/binutils.signatures.json b/SPECS/binutils/binutils.signatures.json index af06521de0..8328d60773 100644 --- a/SPECS/binutils/binutils.signatures.json +++ b/SPECS/binutils/binutils.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "binutils-2.32.tar.xz": "0ab6c55dd86a92ed561972ba15b9b70a8b9f75557f896446c82e8b36e473ee04" + "binutils-2.36.1.tar.xz": "e81d9edf373f193af428a0f256674aea62a9d74dfe93f65192d4eae030b0f3b0" } } \ No newline at end of file diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec index 4d78289bcd..be6440cead 100644 --- a/SPECS/binutils/binutils.spec +++ b/SPECS/binutils/binutils.spec 
@@ -1,36 +1,13 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils -Version: 2.32 -Release: 5%{?dist} +Version: 2.36.1 +Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/Base URL: https://www.gnu.org/software/binutils Source0: https://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz -Patch0: CVE-2019-9070.nopatch -Patch1: CVE-2019-9075.patch -Patch2: CVE-2019-9077.patch -Patch3: CVE-2019-12972.patch -Patch4: CVE-2019-14250.patch -Patch5: CVE-2019-14444.patch -Patch6: CVE-2019-9071.patch -# Binutils commmunity does not consider this a bug -Patch7: CVE-2019-9072.nopatch -Patch8: CVE-2019-9073.patch -Patch9: CVE-2019-9074.patch -# Binutils community does not consider this a bug -Patch10: CVE-2019-9076.nopatch -Patch11: CVE-2019-17450.patch -Patch12: CVE-2019-17451.patch -Patch13: CVE-2020-35493.patch -Patch14: CVE-2020-35494-helper.patch -Patch15: CVE-2020-35494.patch -Patch16: CVE-2020-35495.patch -# Fix is included in CVE-2020-35495.patch. -Patch17: CVE-2020-35496.nopatch -# Fix is included in CVE-2020-35495.patch. -Patch18: CVE-2020-35507.nopatch %description The Binutils package contains a linker, an assembler, 
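Review bot: `Patch7: CVE-2019-9072.nopatch` and `Patch10: CVE-2019-9076.nopatch` are removed along with their comments that the binutils community does not consider these bugs, and a dispute of that kind is not obviously resolved by moving to 2.36.1. If the `.nopatch` markers are what records that a CVE was triaged (the page does not show how they are consumed), keep those two entries or state in the changelog why they no longer apply. The changelog entry in the following hunk says only `Update to version 2.36.1`. A line such as `- Remove CVE patches included upstream in 2.36.1` followed by the list of dropped CVE ids would let a reviewer check each one against the new sources.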
@@ -124,19 +101,33 @@ make %{?_smp_mflags} check %{_includedir}/dis-asm.h %{_includedir}/bfd_stdint.h %{_includedir}/diagnostics.h +%{_includedir}/ctf-api.h +%{_includedir}/ctf.h %{_libdir}/libbfd.a %{_libdir}/libopcodes.a %{_libdir}/libbfd.so %{_libdir}/libopcodes.so +%{_libdir}/bfd-plugins/libdep.so +%{_libdir}/libctf-nobfd.a +%{_libdir}/libctf-nobfd.so +%{_libdir}/libctf-nobfd.so.0 +%{_libdir}/libctf-nobfd.so.0.* +%{_libdir}/libctf.a +%{_libdir}/libctf.so +%{_libdir}/libctf.so.0 +%{_libdir}/libctf.so.0.* %changelog -* Mon Jan 11 2021 Emre Girgin - 2.32-5 -- Update URL and Source0 to use https. -- Fix CVE-2020-35493. -- Fix CVE-2020-35494. -- Fix CVE-2020-35495. -- Fix CVE-2020-35496. -- Fix CVE-2020-35507. +* Tue May 11 2021 Andrew Phelps 2.36.1-1 +- Update to version 2.36.1 + +* Mon Jan 11 2021 Emre Girgin 2.32-5 +- Update URL and Source0 to use https. +- Fix CVE-2020-35493. +- Fix CVE-2020-35494. +- Fix CVE-2020-35495. +- Fix CVE-2020-35496. +- Fix CVE-2020-35507. * Thu Oct 22 2020 Nicolas Ontiveros 2.32-4 - Use autosetup diff --git a/SPECS/bison/bison.spec b/SPECS/bison/bison.spec index 0c650ceace..887c41ef0b 100644 --- a/SPECS/bison/bison.spec +++ b/SPECS/bison/bison.spec @@ -51,10 +51,11 @@ make %{?_smp_mflags} check * Fri Aug 21 2020 Thomas Crain 3.1-4 - Remove yacc command for compatibility with byacc package - Remove sha hash -* Sat May 09 00:21:04 PST 2020 Nick Samson 3.1-3 +- License verified +* Sat May 09 2020 Nick Samson 3.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.1-2 -- Initial import from Photon (license: dual Apache2/GPL2). +- Initial CBL-Mariner import from Photon (license: Apache2). * Tue Sep 18 2018 Tapas Kundu 3.1-1 - Updated to release 3.1 * Sun Sep 09 2018 Alexey Makhalov 3.0.4-4 diff --git a/SPECS/blktrace/blktrace.spec b/SPECS/blktrace/blktrace.spec index 293963c874..c4b6ca4045 100644 --- a/SPECS/blktrace/blktrace.spec +++ b/SPECS/blktrace/blktrace.spec 
@@ -42,23 +42,23 @@ rm -rf %{buildroot}/* * Mon Jan 11 2021 Ruying Chen - 1.2.0-6 - Provide iowatcher. -* Sat May 09 00:21:09 PST 2020 Nick Samson - 1.2.0-5 +* Sat May 09 2020 Nick Samson - 1.2.0-5 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.2.0-4 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.2.0-4 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Jan 24 2019 Tapas Kundu 1.2.0-3 -- Fix for CVE-2018-10689. +* Thu Jan 24 2019 Tapas Kundu 1.2.0-3 +- Fix for CVE-2018-10689. -* Sun Sep 23 2018 Sujay G 1.2.0-2 -- Bump blktrace version to 1.2.0 +* Sun Sep 23 2018 Sujay G 1.2.0-2 +- Bump blktrace version to 1.2.0 -* Tue May 24 2016 Priyesh Padmavilasom 1.1.0-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.1.0-2 +- GA - Bump release of all rpms -* Thu Jan 21 2016 Xiaolin Li 1.1.0-1 -- Updated to version 1.1.0 +* Thu Jan 21 2016 Xiaolin Li 1.1.0-1 +- Updated to version 1.1.0 -* Mon Nov 30 2015 Harish Udaiya Kumar 1.0.5-1 -- Initial build. First version +* Mon Nov 30 2015 Harish Udaiya Kumar 1.0.5-1 +- Initial build. First version diff --git a/SPECS/blobfuse/blobfuse.spec b/SPECS/blobfuse/blobfuse.spec index 9f4dc25016..dc4917b517 100644 --- a/SPECS/blobfuse/blobfuse.spec +++ b/SPECS/blobfuse/blobfuse.spec @@ -1,7 +1,7 @@ Summary: FUSE adapter - Azure Storage Blobs Name: blobfuse Version: 1.3.6 -Release: 1%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -47,6 +47,10 @@ rm -rf %{buildroot} %{_bindir}/blobfuse %changelog +* Tue Jun 08 2021 Henry Beberman 1.3.6-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.3.6-2 +- Increment release to force republishing using golang 1.15.11. * Tue Feb 02 2021 Henry Beberman 1.3.6-1 - Add blobfuse spec - License verified 
diff --git a/SPECS/bridge-utils/bridge-utils.spec b/SPECS/bridge-utils/bridge-utils.spec index b76b1f41b2..9057394c74 100644 --- a/SPECS/bridge-utils/bridge-utils.spec +++ b/SPECS/bridge-utils/bridge-utils.spec @@ -27,7 +27,7 @@ make DESTDIR=%{buildroot} install %{_mandir}/man8/* %changelog -* Sat May 09 00:20:34 PST 2020 Nick Samson - 1.6-4 +* Sat May 09 2020 Nick Samson - 1.6-4 - Added %%license line automatically * Thu Apr 09 2020 Joe Schmitt 1.6-3 diff --git a/SPECS/btrfs-progs/btrfs-progs.spec b/SPECS/btrfs-progs/btrfs-progs.spec index 705f42cd0b..6112432579 100644 --- a/SPECS/btrfs-progs/btrfs-progs.spec +++ b/SPECS/btrfs-progs/btrfs-progs.spec @@ -75,7 +75,7 @@ rm -rf %{buildroot} %{_libdir}/libbtrfsutil.so %changelog -* Sat May 09 00:21:31 PST 2020 Nick Samson - 4.19-3 +* Sat May 09 2020 Nick Samson - 4.19-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.19-2 diff --git a/SPECS/byacc/byacc.spec b/SPECS/byacc/byacc.spec index 74a2a9cf67..fdb5de8a94 100644 --- a/SPECS/byacc/byacc.spec +++ b/SPECS/byacc/byacc.spec @@ -5,8 +5,8 @@ Name: byacc Version: 1.9.%{byaccdate} Release: 3%{?dist} License: Public Domain -URL: http://invisible-island.net/byacc/byacc.html -Vendor: Microsoft +URL: https://invisible-island.net/byacc/byacc.html +Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://invisible-mirror.net/archives/%{name}/%{name}-%{byaccdate}.tgz Source0: %{name}-%{version}.tar.gz @@ -56,6 +56,7 @@ echo ====================TESTING END===================== %changelog * Fri Aug 21 2020 Thomas Crain - 1.9.20200330-4 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Sat Aug 01 2020 Fedora Release Engineering - 1.9.20200330-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/bzip2/bzip2.spec b/SPECS/bzip2/bzip2.spec index d69c89bdf8..ac41aefcdb 100644 --- a/SPECS/bzip2/bzip2.spec +++ b/SPECS/bzip2/bzip2.spec 
@@ -108,7 +108,7 @@ make %{?_smp_mflags} check - Don't stomp on CFLAGS. * Tue May 26 2020 Emre Girgin 1.0.6-14 - Fix CVE-2019-12900. This was erroneously named CVE-2019-1353 before, which is not even related to bzip2. -* Sat May 09 00:21:38 PST 2020 Nick Samson - 1.0.6-13 +* Sat May 09 2020 Nick Samson - 1.0.6-13 - Added %%license line automatically * Wed Apr 22 2020 Emre Girgin 1.0.6-12 - Fix CVE-2019-1353. diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json index 05d01f8484..f5afc66e4a 100644 --- a/SPECS/ca-certificates/ca-certificates.signatures.json +++ b/SPECS/ca-certificates/ca-certificates.signatures.json @@ -14,7 +14,7 @@ "ca-legacy.8.txt": "4fef2b8fed41d21ae559803b06074ca61a3f46648f174832542e3223d16dabf4", "ca-legacy.conf": "400b96da374503fa6b6350a867347082d0c90e05ba4d02cc6b51b11229199c4d", "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9", - "certdata.microsoft.txt": "80f8c0f75356730bea953a6f0317a70856c98991bced06d86c0eab9cfc8c4b85", + "certdata.microsoft.txt": "37a832a646e56f75cd8a128d40bdb20a23b4e8794692b1b2d9ae243351c4d255", "certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e", "certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0", "nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea", diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec index 9c26ae127d..72aaac65a6 100644 --- a/SPECS/ca-certificates/ca-certificates.spec +++ b/SPECS/ca-certificates/ca-certificates.spec @@ -71,7 +71,7 @@ Name: ca-certificates # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well. Version: 20200720 -Release: 13%{?dist} +Release: 15%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -415,6 +415,12 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %{_bindir}/bundle2pem.sh %changelog +* Wed Jul 07 2021 CBL-Mariner Service Account - 20200720-15 +- Updating Microsoft trusted root CAs. + +* Thu Jun 03 2021 CBL-Mariner Service Account - 20200720-14 +- Updating Microsoft trusted root CAs. + * Fri Mar 12 2021 CBL-Mariner Servicing Account - 20200720-13 - Updating Microsoft trusted root CAs. diff --git a/SPECS/ca-certificates/certdata.microsoft.txt b/SPECS/ca-certificates/certdata.microsoft.txt index 731a3c1029..71e3dec94e 100644 --- a/SPECS/ca-certificates/certdata.microsoft.txt +++ b/SPECS/ca-certificates/certdata.microsoft.txt @@ -72,7 +72,7 @@ CKA_MODIFIABLE CK_BBOOL CK_FALSE CKA_LABEL UTF8 "Microsoft Builtin Roots" # -# Certificate "Edicom_CAEDICOM_ROOT" +# Certificate "CAEDICOM ROOT" # # Issuer: C=ES,O=EDICOM,CN=CAEDICOM Root # Serial Number:00:fb:71:26:58:ad:99:e5 @@ -85,7 +85,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Edicom_CAEDICOM_ROOT" +CKA_LABEL UTF8 "CAEDICOM ROOT" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\066\061\026\060\024\006\003\125\004\003\014\015\103\101\105 @@ -195,7 +195,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Edicom_CAEDICOM_ROOT" +# Trust for "CAEDICOM ROOT" # Issuer: C=ES,O=EDICOM,CN=CAEDICOM Root # Serial Number:00:fb:71:26:58:ad:99:e5 # Subject: C=ES,O=EDICOM,CN=CAEDICOM Root @@ -207,7 +207,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Edicom_CAEDICOM_ROOT" +CKA_LABEL UTF8 "CAEDICOM ROOT" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \125\233\272\173\017\376\200\326\323\202\233\037\320\172\244\323 \042\031\107\220 
@@ -231,7 +231,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certigna_CertignaRootCA" +# Certificate "Certigna Root CA" # # Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR # Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1 @@ -244,7 +244,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certigna_CertignaRootCA" +CKA_LABEL UTF8 "Certigna Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061 @@ -375,7 +375,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certigna_CertignaRootCA" +# Trust for "Certigna Root CA" # Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR # Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1 # Subject: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR @@ -387,7 +387,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certigna_CertignaRootCA" +CKA_LABEL UTF8 "Certigna Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \055\015\122\024\377\236\255\231\044\001\164\040\107\156\154\205 \047\047\365\103 @@ -414,7 +414,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TrustCor_RootCertCA1TrustCor" +# Certificate "TrustCor RootCert CA-1" # # Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:00:da:9b:ec:71:f3:03:b0:19 
@@ -427,7 +427,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_RootCertCA1TrustCor" +CKA_LABEL UTF8 "TrustCor RootCert CA-1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 @@ -533,7 +533,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TrustCor_RootCertCA1TrustCor" +# Trust for "TrustCor RootCert CA-1" # Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:00:da:9b:ec:71:f3:03:b0:19 # Subject: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -545,7 +545,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_RootCertCA1TrustCor" +CKA_LABEL UTF8 "TrustCor RootCert CA-1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \377\275\315\347\202\310\103\136\074\157\046\206\134\312\250\072 \105\133\303\012 @@ -576,7 +576,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TrustCor_RootCertCA2TrustCor" +# Certificate "TrustCor RootCert CA-2" # # Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:25:a1:df:ca:33:cb:59:02 @@ -589,7 +589,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_RootCertCA2TrustCor" +CKA_LABEL UTF8 "TrustCor RootCert CA-2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101 
@@ -727,7 +727,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TrustCor_RootCertCA2TrustCor" +# Trust for "TrustCor RootCert CA-2" # Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:25:a1:df:ca:33:cb:59:02 # Subject: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -739,7 +739,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_RootCertCA2TrustCor" +CKA_LABEL UTF8 "TrustCor RootCert CA-2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \270\276\155\313\126\361\125\271\143\324\022\312\116\006\064\307 \224\262\034\300 @@ -770,7 +770,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TrustCor_ECA1TrustCor" +# Certificate "TrustCor ECA-1" # # Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:00:84:82:2c:5f:1c:62:d0:40 @@ -783,7 +783,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_ECA1TrustCor" +CKA_LABEL UTF8 "TrustCor ECA-1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101 
@@ -886,7 +886,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TrustCor_ECA1TrustCor" +# Trust for "TrustCor ECA-1" # Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA # Serial Number:00:84:82:2c:5f:1c:62:d0:40 # Subject: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -898,7 +898,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustCor_ECA1TrustCor" +CKA_LABEL UTF8 "TrustCor ECA-1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \130\321\337\225\225\147\153\143\300\360\133\034\027\115\213\204 \013\310\170\275 @@ -928,7 +928,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Amazon_AmazonRootCA1" +# Certificate "Amazon Root CA 1" # # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca @@ -941,7 +941,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA1" +CKA_LABEL UTF8 "Amazon Root CA 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -1019,7 +1019,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Amazon_AmazonRootCA1" +# Trust for "Amazon Root CA 1" # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca # Subject: CN=Amazon Root CA 1,O=Amazon,C=US 
@@ -1031,7 +1031,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA1" +CKA_LABEL UTF8 "Amazon Root CA 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \215\247\371\145\354\136\374\067\221\017\034\156\131\375\301\314 \152\156\336\026 @@ -1056,7 +1056,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Amazon_AmazonRootCA2" +# Certificate "Amazon Root CA 2" # # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 @@ -1069,7 +1069,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA2" +CKA_LABEL UTF8 "Amazon Root CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -1179,7 +1179,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Amazon_AmazonRootCA2" +# Trust for "Amazon Root CA 2" # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37 # Subject: CN=Amazon Root CA 2,O=Amazon,C=US @@ -1191,7 +1191,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA2" +CKA_LABEL UTF8 "Amazon Root CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \132\214\357\105\327\246\230\131\166\172\214\213\104\226\265\170 \317\107\113\032 @@ -1216,7 +1216,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Amazon_AmazonRootCA3" +# Certificate "Amazon Root CA 3" # # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a 
@@ -1229,7 +1229,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA3" +CKA_LABEL UTF8 "Amazon Root CA 3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -1282,7 +1282,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Amazon_AmazonRootCA3" +# Trust for "Amazon Root CA 3" # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a # Subject: CN=Amazon Root CA 3,O=Amazon,C=US @@ -1294,7 +1294,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA3" +CKA_LABEL UTF8 "Amazon Root CA 3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \015\104\335\214\074\214\032\032\130\165\144\201\351\017\056\052 \377\263\322\156 @@ -1319,7 +1319,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Amazon_AmazonRootCA4" +# Certificate "Amazon Root CA 4" # # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e @@ -1332,7 +1332,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA4" +CKA_LABEL UTF8 "Amazon Root CA 4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\071\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -1389,7 +1389,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Amazon_AmazonRootCA4" +# Trust for "Amazon Root CA 4" # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e # Subject: CN=Amazon Root CA 4,O=Amazon,C=US @@ -1401,7 +1401,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Amazon_AmazonRootCA4" +CKA_LABEL UTF8 "Amazon Root CA 4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \366\020\204\007\326\370\273\147\230\014\302\342\104\302\353\256 \034\357\143\276 @@ -1426,7 +1426,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Harica_HaricaECCRootCA2015" +# Certificate "Hellenic Academic and Research Institutions ECC RootCA 2015" # # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR # Serial Number: 0 (0x0) @@ -1439,7 +1439,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_HaricaECCRootCA2015" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions ECC RootCA 2015" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\252\061\013\060\011\006\003\125\004\006\023\002\107\122 
@@ -1522,7 +1522,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Harica_HaricaECCRootCA2015" +# Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR # Serial Number: 0 (0x0) # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR @@ -1534,7 +1534,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_HaricaECCRootCA2015" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions ECC RootCA 2015" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \237\361\161\215\222\325\232\363\175\164\227\264\274\157\204\150 \013\272\266\146 @@ -1565,7 +1565,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Harica_HaricaRootCA2015" +# Certificate "Hellenic Academic and Research Institutions RootCA 2015" # # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR # Serial Number: 0 (0x0) @@ -1578,7 +1578,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_HaricaRootCA2015" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions RootCA 2015" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\246\061\013\060\011\006\003\125\004\006\023\002\107\122 
@@ -1713,7 +1713,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Harica_HaricaRootCA2015" +# Trust for "Hellenic Academic and Research Institutions RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR # Serial Number: 0 (0x0) # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR @@ -1725,7 +1725,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_HaricaRootCA2015" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions RootCA 2015" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \001\014\006\225\246\230\031\024\377\277\137\306\260\266\225\352 \051\351\022\246 @@ -1756,7 +1756,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ICA_rca15_rsa" +# Certificate "I.CA Root CA/RSA" # # Issuer: serialNumber=NTRCZ-26439395,CN=I.CA Root CA/RSA,O="Prvn.. certifika..n.. autorita, a.s.",C=CZ # Serial Number: 100000000 (0x5f5e100) @@ -1769,7 +1769,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ICA_rca15_rsa" +CKA_LABEL UTF8 "I.CA Root CA/RSA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\160\061\013\060\011\006\003\125\004\006\023\002\103\132\061 
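Review bot: The new label `CKA_LABEL UTF8 "I.CA Root CA/RSA"` contains a `/`, and the other renamed labels in certdata.microsoft.txt now use spaces where the old ones used underscores. If `certdata2pem.py` (listed in the signatures file but not shown here) derives output file names or lookup keys from the label, it needs to sanitise path separators and whitespace; otherwise this root could be written to an unexpected path or left out of the bundle. Each rename has to land on both the CKO_CERTIFICATE object and its CKO_NSS_TRUST object (for this root the trust object is in the later hunks), and a one-sided rename is easy to miss in a diff of this size. A build-time check that every trust-object label has a certificate object with the same label and serial would catch that.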
@@ -1906,7 +1906,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ICA_rca15_rsa" +# Trust for "I.CA Root CA/RSA" # Issuer: serialNumber=NTRCZ-26439395,CN=I.CA Root CA/RSA,O="Prvn.. certifika..n.. autorita, a.s.",C=CZ # Serial Number: 100000000 (0x5f5e100) # Subject: serialNumber=NTRCZ-26439395,CN=I.CA Root CA/RSA,O="Prvn.. certifika..n.. autorita, a.s.",C=CZ @@ -1918,7 +1918,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ICA_rca15_rsa" +CKA_LABEL UTF8 "I.CA Root CA/RSA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \233\011\131\211\201\124\010\033\366\251\016\233\236\130\244\151 \014\233\241\004 @@ -1946,7 +1946,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Cisco_rxcr2" +# Certificate "RXC-R2" # # Issuer: CN=Cisco RXC-R2,O=Cisco Systems,C=US # Serial Number: 1 (0x1) @@ -1959,7 +1959,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Cisco_rxcr2" +CKA_LABEL UTF8 "RXC-R2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\074\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -2035,7 +2035,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Cisco_rxcr2" +# Trust for "RXC-R2" # Issuer: CN=Cisco RXC-R2,O=Cisco Systems,C=US # Serial Number: 1 (0x1) # Subject: CN=Cisco RXC-R2,O=Cisco Systems,C=US 
@@ -2047,7 +2047,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Cisco_rxcr2" +CKA_LABEL UTF8 "RXC-R2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \054\212\377\316\226\144\060\272\004\300\117\201\335\113\111\307 \033\133\201\240 @@ -2071,7 +2071,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalS_globalsign_root-r6" +# Certificate "GlobalSign Root CA - R6" # # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 # Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51 @@ -2084,7 +2084,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r6" +CKA_LABEL UTF8 "GlobalSign Root CA - R6" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 @@ -2199,7 +2199,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalS_globalsign_root-r6" +# Trust for "GlobalSign Root CA - R6" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 # Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 @@ -2211,7 +2211,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r6" +CKA_LABEL UTF8 "GlobalSign Root CA - R6" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \200\224\144\016\265\247\241\312\021\234\037\335\325\237\201\002 \143\247\373\321 
@@ -2236,7 +2236,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Multicert_MCRootCA" +# Certificate "MULTICERT Root Certification Authority 01" # # Issuer: CN=MULTICERT Root Certification Authority 01,O=MULTICERT - Servi..os de Certifica....o Electr..nica S.A.,C=PT # Serial Number:54:4d:a5:bc:40:35:56:5a @@ -2249,7 +2249,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Multicert_MCRootCA" +CKA_LABEL UTF8 "MULTICERT Root Certification Authority 01" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\205\061\013\060\011\006\003\125\004\006\023\002\120\124 @@ -2379,7 +2379,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Multicert_MCRootCA" +# Trust for "MULTICERT Root Certification Authority 01" # Issuer: CN=MULTICERT Root Certification Authority 01,O=MULTICERT - Servi..os de Certifica....o Electr..nica S.A.,C=PT # Serial Number:54:4d:a5:bc:40:35:56:5a # Subject: CN=MULTICERT Root Certification Authority 01,O=MULTICERT - Servi..os de Certifica....o Electr..nica S.A.,C=PT @@ -2391,7 +2391,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Multicert_MCRootCA" +CKA_LABEL UTF8 "MULTICERT Root Certification Authority 01" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \106\257\172\061\265\231\106\015\106\235\140\101\024\133\023\145 \035\371\027\012 @@ -2420,7 +2420,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GuangDong_GDCA_TrustAUTH_R5_ROOT" +# Certificate "GDCA TrustAUTH R5 ROOT" # # Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN # Serial Number:7d:09:97:fe:f0:47:ea:7a 
@@ -2433,7 +2433,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GuangDong_GDCA_TrustAUTH_R5_ROOT" +CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -2552,7 +2552,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GuangDong_GDCA_TrustAUTH_R5_ROOT" +# Trust for "GDCA TrustAUTH R5 ROOT" # Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN # Serial Number:7d:09:97:fe:f0:47:ea:7a # Subject: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN @@ -2564,7 +2564,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GuangDong_GDCA_TrustAUTH_R5_ROOT" +CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \017\066\070\133\201\032\045\303\233\061\116\203\312\351\064\146 \160\314\164\264 @@ -2591,7 +2591,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "IndiaGov_CCAIndia2015" +# Certificate "CCA India 2015" # # Issuer: CN=CCA India 2015 SPL,O=India PKI,C=IN # Serial Number: 10165 (0x27b5) @@ -2604,7 +2604,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IndiaGov_CCAIndia2015" +CKA_LABEL UTF8 "CCA India 2015" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\076\061\013\060\011\006\003\125\004\006\023\002\111\116\061 
@@ -2679,7 +2679,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "IndiaGov_CCAIndia2015" +# Trust for "CCA India 2015" # Issuer: CN=CCA India 2015 SPL,O=India PKI,C=IN # Serial Number: 10165 (0x27b5) # Subject: CN=CCA India 2015 SPL,O=India PKI,C=IN @@ -2691,7 +2691,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IndiaGov_CCAIndia2015" +CKA_LABEL UTF8 "CCA India 2015" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \073\306\334\340\003\007\275\147\140\101\353\330\131\160\306\057 \217\332\121\011 @@ -2715,7 +2715,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SweedishGov_SwedishGovernmentRootAuthorityv3" +# Certificate "Swedish Government Root Authority v3" # # Issuer: CN=Swedish Government Root Authority v3,O=Swedish Social Insurance Agency,C=SE # Serial Number:32:69:a2:bf:40:6b:8d:b4:47:83:64:3c:8b:0d:c9:43 @@ -2728,7 +2728,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SweedishGov_SwedishGovernmentRootAuthorityv3" +CKA_LABEL UTF8 "Swedish Government Root Authority v3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\146\061\013\060\011\006\003\125\004\006\023\002\123\105\061 @@ -2850,7 +2850,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SweedishGov_SwedishGovernmentRootAuthorityv3" +# Trust for "Swedish Government Root Authority v3" # Issuer: CN=Swedish Government Root Authority v3,O=Swedish Social Insurance Agency,C=SE # Serial Number:32:69:a2:bf:40:6b:8d:b4:47:83:64:3c:8b:0d:c9:43 # Subject: CN=Swedish Government Root Authority v3,O=Swedish Social Insurance Agency,C=SE 
@@ -2862,7 +2862,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SweedishGov_SwedishGovernmentRootAuthorityv3" +CKA_LABEL UTF8 "Swedish Government Root Authority v3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \164\157\210\371\254\026\074\123\000\236\357\222\014\100\147\165 \152\025\161\176 @@ -2890,7 +2890,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NationalDigitalCertificationAgency_TunRootCA2" +# Certificate "Tunisian Root Certificate Authority - TunRootCA2" # # Issuer: O=National Digital Certification Agency,CN=Tunisian Root Certificate Authority - TunRootCA2,C=TN # Serial Number:21:66:15:05:05:27:05:05:bc:8a:b0:1d:af:0a:be:c4 @@ -2903,7 +2903,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NationalDigitalCertificationAgency_TunRootCA2" +CKA_LABEL UTF8 "Tunisian Root Certificate Authority - TunRootCA2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\170\061\013\060\011\006\003\125\004\006\023\002\124\116\061 @@ -3028,7 +3028,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NationalDigitalCertificationAgency_TunRootCA2" +# Trust for "Tunisian Root Certificate Authority - TunRootCA2" # Issuer: O=National Digital Certification Agency,CN=Tunisian Root Certificate Authority - TunRootCA2,C=TN # Serial Number:21:66:15:05:05:27:05:05:bc:8a:b0:1d:af:0a:be:c4 # Subject: O=National Digital Certification Agency,CN=Tunisian Root Certificate Authority - TunRootCA2,C=TN 
@@ -3040,7 +3040,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NationalDigitalCertificationAgency_TunRootCA2" +CKA_LABEL UTF8 "Tunisian Root Certificate Authority - TunRootCA2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \226\070\143\074\220\126\256\210\024\240\145\322\073\334\140\240 \356\160\057\247 @@ -3069,7 +3069,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "grca_grca2" +# Certificate "TW Government Root Certification Authority 2" # # Issuer: O=Government Root Certification Authority,C=TW # Serial Number:00:b6:4b:88:07:e2:23:ee:c8:5c:12:ad:a6:0e:06:a1:f2 @@ -3082,7 +3082,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "grca_grca2" +CKA_LABEL UTF8 "TW Government Root Certification Authority 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\077\061\013\060\011\006\003\125\004\006\023\002\124\127\061 @@ -3194,7 +3194,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "grca_grca2" +# Trust for "TW Government Root Certification Authority 2" # Issuer: O=Government Root Certification Authority,C=TW # Serial Number:00:b6:4b:88:07:e2:23:ee:c8:5c:12:ad:a6:0e:06:a1:f2 # Subject: O=Government Root Certification Authority,C=TW @@ -3206,7 +3206,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "grca_grca2" +CKA_LABEL UTF8 "TW Government Root Certification Authority 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \260\221\252\221\070\107\363\023\327\047\274\357\310\027\237\010 \157\072\214\017 
@@ -3232,7 +3232,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ATrust_atroot05" +# Certificate "A-Trust-Root-05" # # Issuer: CN=A-Trust-Root-05,OU=A-Trust-Root-05,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1035700 (0xfcdb4) @@ -3245,7 +3245,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_atroot05" +CKA_LABEL UTF8 "A-Trust-Root-05" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\213\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -3372,7 +3372,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ATrust_atroot05" +# Trust for "A-Trust-Root-05" # Issuer: CN=A-Trust-Root-05,OU=A-Trust-Root-05,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1035700 (0xfcdb4) # Subject: CN=A-Trust-Root-05,OU=A-Trust-Root-05,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT @@ -3384,7 +3384,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_atroot05" +CKA_LABEL UTF8 "A-Trust-Root-05" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \056\146\311\204\021\201\300\217\261\337\253\324\377\215\134\307 \053\340\217\002 @@ -3413,7 +3413,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ATrust_atqual02a" +# Certificate "A-Trust-Qual-02" # # Issuer: CN=A-Trust-Qual-02,OU=A-Trust-Qual-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1330660 (0x144de4) 
@@ -3426,7 +3426,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_atqual02a" +CKA_LABEL UTF8 "A-Trust-Qual-02" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\213\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -3521,7 +3521,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ATrust_atqual02a" +# Trust for "A-Trust-Qual-02" # Issuer: CN=A-Trust-Qual-02,OU=A-Trust-Qual-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1330660 (0x144de4) # Subject: CN=A-Trust-Qual-02,OU=A-Trust-Qual-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT @@ -3533,7 +3533,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_atqual02a" +CKA_LABEL UTF8 "A-Trust-Qual-02" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \315\170\172\075\134\272\202\007\010\050\110\066\136\232\315\351 \150\063\144\330 @@ -3562,7 +3562,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ThaiNRCA_THNRCA" +# Certificate "Thailand National Root Certification Authority - G1" # # Issuer: CN=Thailand National Root Certification Authority - G1,OU=Thailand National Root Certification Authority,O=Electronic Transactions Development Agency (Public Organization),C=TH # Serial Number: 1364379020 (0x5152c58c) 
@@ -3575,7 +3575,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ThaiNRCA_THNRCA" +CKA_LABEL UTF8 "Thailand National Root Certification Authority - G1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\317\061\013\060\011\006\003\125\004\006\023\002\124\110 @@ -3724,7 +3724,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ThaiNRCA_THNRCA" +# Trust for "Thailand National Root Certification Authority - G1" # Issuer: CN=Thailand National Root Certification Authority - G1,OU=Thailand National Root Certification Authority,O=Electronic Transactions Development Agency (Public Organization),C=TH # Serial Number: 1364379020 (0x5152c58c) # Subject: CN=Thailand National Root Certification Authority - G1,OU=Thailand National Root Certification Authority,O=Electronic Transactions Development Agency (Public Organization),C=TH @@ -3736,7 +3736,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ThaiNRCA_THNRCA" +CKA_LABEL UTF8 "Thailand National Root Certification Authority - G1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \146\362\334\373\077\201\115\336\351\263\040\157\021\336\376\033 \373\337\341\062 @@ -3770,7 +3770,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TWCA_TWCA_GLOBAL_4096_EV" +# Certificate "TWCA Global Root CA" # # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW # Serial Number: 3262 (0xcbe) 
@@ -3783,7 +3783,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TWCA_TWCA_GLOBAL_4096_EV" +CKA_LABEL UTF8 "TWCA Global Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061 @@ -3896,7 +3896,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TWCA_TWCA_GLOBAL_4096_EV" +# Trust for "TWCA Global Root CA" # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW # Serial Number: 3262 (0xcbe) # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW @@ -3908,7 +3908,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TWCA_TWCA_GLOBAL_4096_EV" +CKA_LABEL UTF8 "TWCA Global Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \234\273\110\123\366\244\366\323\122\244\350\062\122\125\140\023 \365\255\257\145 @@ -3934,7 +3934,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "pkioverheid_PKIoverheidEVRootCA" +# Certificate "Staat der Nederlanden EV Root CA" # # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL # Serial Number: 10000013 (0x98968d) @@ -3947,7 +3947,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_PKIoverheidEVRootCA" +CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061 
@@ -4063,7 +4063,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "pkioverheid_PKIoverheidEVRootCA" +# Trust for "Staat der Nederlanden EV Root CA" # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL # Serial Number: 10000013 (0x98968d) # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL @@ -4075,7 +4075,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_PKIoverheidEVRootCA" +CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \166\342\176\301\117\333\202\301\300\246\165\265\005\276\075\051 \264\355\333\273 @@ -4101,7 +4101,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "pkioverheid_PKIoverheid_G3Root" +# Certificate "Government of Netherlands G3" # # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL # Serial Number: 10003001 (0x98a239) @@ -4114,7 +4114,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_PKIoverheid_G3Root" +CKA_LABEL UTF8 "Government of Netherlands G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 @@ -4230,7 +4230,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "pkioverheid_PKIoverheid_G3Root" +# Trust for "Government of Netherlands G3" # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL # Serial Number: 10003001 (0x98a239) # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL 
@@ -4242,7 +4242,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_PKIoverheid_G3Root" +CKA_LABEL UTF8 "Government of Netherlands G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \330\353\153\101\121\222\131\340\363\347\205\000\300\075\266\210 \227\311\356\374 @@ -4268,7 +4268,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "certinomis_AC_Racine_G3" +# Certificate "Certinomis - Root CA" # # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR # Serial Number: 1 (0x1) @@ -4281,7 +4281,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "certinomis_AC_Racine_G3" +CKA_LABEL UTF8 "Certinomis - Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061 @@ -4399,7 +4399,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "certinomis_AC_Racine_G3" +# Trust for "Certinomis - Root CA" # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR # Serial Number: 1 (0x1) # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR @@ -4411,7 +4411,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "certinomis_AC_Racine_G3" +CKA_LABEL UTF8 "Certinomis - Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \235\160\273\001\245\244\240\030\021\056\367\034\001\271\062\305 \064\347\210\250 
@@ -4437,7 +4437,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ANF_ANF_Global_Root_CA_SHA1" +# Certificate "ANF Global Root CA" # # Issuer: CN=ANF Global Root CA,serialNumber=G63287510,E=info@anf.es,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificacion,L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ),ST=Barcelona,C=ES # Serial Number:01:3f:2f:31:53:6f @@ -4450,7 +4450,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANF_ANF_Global_Root_CA_SHA1" +CKA_LABEL UTF8 "ANF Global Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\202\001\012\061\013\060\011\006\003\125\004\006\023\002\105 @@ -4630,7 +4630,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ANF_ANF_Global_Root_CA_SHA1" +# Trust for "ANF Global Root CA" # Issuer: CN=ANF Global Root CA,serialNumber=G63287510,E=info@anf.es,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificacion,L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ),ST=Barcelona,C=ES # Serial Number:01:3f:2f:31:53:6f # Subject: CN=ANF Global Root CA,serialNumber=G63287510,E=info@anf.es,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificacion,L=Barcelona (see current address at http://www.anf.es/es/address-direccion.html ),ST=Barcelona,C=ES @@ -4642,7 +4642,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANF_ANF_Global_Root_CA_SHA1" +CKA_LABEL UTF8 "ANF Global Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \133\265\231\040\321\033\071\024\171\106\072\335\121\000\333\035 \122\364\072\324 
@@ -4679,7 +4679,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovSaudiArabia_NCDCsnrcasha256" +# Certificate "Saudi National Root CA" # # Issuer: OU=Saudi National Root CA,O=National Center for Digital Certification,C=SA # Serial Number: 1236677912 (0x49b63518) @@ -4692,7 +4692,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovSaudiArabia_NCDCsnrcasha256" +CKA_LABEL UTF8 "Saudi National Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\142\061\013\060\011\006\003\125\004\006\023\002\123\101\061 @@ -4799,7 +4799,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovSaudiArabia_NCDCsnrcasha256" +# Trust for "Saudi National Root CA" # Issuer: OU=Saudi National Root CA,O=National Center for Digital Certification,C=SA # Serial Number: 1236677912 (0x49b63518) # Subject: OU=Saudi National Root CA,O=National Center for Digital Certification,C=SA @@ -4811,7 +4811,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovSaudiArabia_NCDCsnrcasha256" +CKA_LABEL UTF8 "Saudi National Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \203\121\120\233\175\370\317\350\173\256\142\256\271\260\072\122 \364\346\054\171 @@ -4838,7 +4838,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSC_SSC_GDL_CA_ROOT_B" +# Certificate "SSC GDL CA Root B" # # Issuer: CN=SSC GDL CA Root B,OU=CA ROOT Services,O=Skaitmeninio sertifikavimo centras,C=LT # Serial Number:3e:8c:4f:bc:e4:29:83:82:4d:84:55:8e:d5:35:80:cf 
@@ -4851,7 +4851,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSC_SSC_GDL_CA_ROOT_B" +CKA_LABEL UTF8 "SSC GDL CA Root B" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\161\061\013\060\011\006\003\125\004\006\023\002\114\124\061 @@ -4976,7 +4976,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSC_SSC_GDL_CA_ROOT_B" +# Trust for "SSC GDL CA Root B" # Issuer: CN=SSC GDL CA Root B,OU=CA ROOT Services,O=Skaitmeninio sertifikavimo centras,C=LT # Serial Number:3e:8c:4f:bc:e4:29:83:82:4d:84:55:8e:d5:35:80:cf # Subject: CN=SSC GDL CA Root B,OU=CA ROOT Services,O=Skaitmeninio sertifikavimo centras,C=LT @@ -4988,7 +4988,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSC_SSC_GDL_CA_ROOT_B" +CKA_LABEL UTF8 "SSC GDL CA Root B" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \310\140\243\030\374\365\267\023\013\020\007\255\177\141\112\100 \377\377\030\137 @@ -5017,7 +5017,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovHungary_NISZ_ROOT" +# Certificate "Fotanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató" # # Issuer: CN=F..tan..s..tv..nykiad.. - Korm..nyzati Hiteles..t..s Szolg..ltat..,O=NISZ Nemzeti Infokommunik..ci..s Szolg..ltat.. Zrt.,L=Budapest,C=HU # Serial Number:74:f8:60:f1:e8:a3:8f:41 @@ -5030,7 +5030,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovHungary_NISZ_ROOT" +CKA_LABEL UTF8 "Fotanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\253\061\013\060\011\006\003\125\004\006\023\002\110\125 
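Review bot: The new label in hunk -5017 (`# Certificate` comment) and hunk -5030 (`CKA_LABEL`) begins `Fotanúsítványkiadó`, but the Issuer/Subject comments beside it print `F..tan..s..`, which suggests a two-byte character directly after the `F`. The first accented letter therefore appears to have been folded to a plain `o` while every other accent was kept. If the label is meant to mirror the subject CN, it would read `CKA_LABEL UTF8 "Főtanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató"`, with the same correction in the trust-object hunks -5169 and -5181. Anything that derives a nickname or file name from CKA_LABEL would otherwise carry a name that matches neither the certificate nor the old ASCII identifier, so the value should be checked against the decoded CKA_SUBJECT bytes.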
@@ -5169,7 +5169,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovHungary_NISZ_ROOT" +# Trust for "Fotanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató" # Issuer: CN=F..tan..s..tv..nykiad.. - Korm..nyzati Hiteles..t..s Szolg..ltat..,O=NISZ Nemzeti Infokommunik..ci..s Szolg..ltat.. Zrt.,L=Budapest,C=HU # Serial Number:74:f8:60:f1:e8:a3:8f:41 # Subject: CN=F..tan..s..tv..nykiad.. - Korm..nyzati Hiteles..t..s Szolg..ltat..,O=NISZ Nemzeti Infokommunik..ci..s Szolg..ltat.. Zrt.,L=Budapest,C=HU @@ -5181,7 +5181,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovHungary_NISZ_ROOT" +CKA_LABEL UTF8 "Fotanúsítványkiadó - Kormányzati Hitelesítés Szolgáltató" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \377\267\340\217\146\341\320\302\130\057\002\105\304\227\002\222 \244\156\210\003 @@ -5212,7 +5212,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TurkTrust_TURKTRUST_h5ROOT" +# Certificate "TÃœRKTRUST Elektronik Sertifika Hizmet Saglayicisi H5" # # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR # Serial Number:00:8e:17:fe:24:20:81 @@ -5225,7 +5225,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TurkTrust_TURKTRUST_h5ROOT" +CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet Saglayicisi H5" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122 
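Review bot: The label added in hunks -5212 and -5225, `TÃœRKTRUST Elektronik Sertifika Hizmet Saglayicisi H5`, looks like UTF-8 that was decoded as Latin-1/Windows-1252 and then re-encoded. `Ãœ` is the usual mojibake for `Ü`, and the last word before `H5` is ASCII-folded where the Subject comment shows multi-byte characters (`Sa..lay..c..s..`). Because the attribute is declared `UTF8`, consumers will store and display the garbled bytes as this root's name, which makes it harder to match the entry against the CA's published name during a trust-store audit. The intended value is probably `CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"`, applied to the comment and label in -5212/-5225 and to the trust object in -5332/-5344. If these labels come from a generator, correcting its input decoding is preferable to hand-editing the entries.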
@@ -5332,7 +5332,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TurkTrust_TURKTRUST_h5ROOT" +# Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet Saglayicisi H5" # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR # Serial Number:00:8e:17:fe:24:20:81 # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR @@ -5344,7 +5344,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TurkTrust_TURKTRUST_h5ROOT" +CKA_LABEL UTF8 "TÃœRKTRUST Elektronik Sertifika Hizmet Saglayicisi H5" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \304\030\366\115\106\321\337\000\075\047\060\023\162\103\251\022 \021\306\165\373 @@ -5376,7 +5376,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SouthAfricanPostOffice_c3rootcert2014b64" +# Certificate "SAPO Class 3 Root CA" # # Issuer: E=pkiadmin@trustcentre.co.za,CN=SAPO Class 3 Root CA,OU=SAPO Trust Centre,O=South African Post Office Limited,L=Somerset West,ST=Western Cape,C=ZA # Serial Number: 2 (0x2) @@ -5389,7 +5389,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SouthAfricanPostOffice_c3rootcert2014b64" +CKA_LABEL UTF8 "SAPO Class 3 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101 
@@ -5535,7 +5535,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SouthAfricanPostOffice_c3rootcert2014b64" +# Trust for "SAPO Class 3 Root CA" # Issuer: E=pkiadmin@trustcentre.co.za,CN=SAPO Class 3 Root CA,OU=SAPO Trust Centre,O=South African Post Office Limited,L=Somerset West,ST=Western Cape,C=ZA # Serial Number: 2 (0x2) # Subject: E=pkiadmin@trustcentre.co.za,CN=SAPO Class 3 Root CA,OU=SAPO Trust Centre,O=South African Post Office Limited,L=Somerset West,ST=Western Cape,C=ZA @@ -5547,7 +5547,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SouthAfricanPostOffice_c3rootcert2014b64" +CKA_LABEL UTF8 "SAPO Class 3 Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \070\335\166\131\307\065\020\013\000\242\067\344\221\267\274\017 \374\322\061\154 @@ -5581,7 +5581,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "IdenTrust_IdenTrust_Commercial_Root_CA_1" +# Certificate "IdenTrust Commercial Root CA 1" # # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 @@ -5594,7 +5594,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IdenTrust_IdenTrust_Commercial_Root_CA_1" +CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -5708,7 +5708,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "IdenTrust_IdenTrust_Commercial_Root_CA_1" +# Trust for "IdenTrust Commercial Root CA 1" # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02 # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US @@ -5720,7 +5720,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IdenTrust_IdenTrust_Commercial_Root_CA_1" +CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \337\161\176\252\112\331\116\311\125\204\231\140\055\110\336\137 \274\360\072\045 @@ -5746,7 +5746,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "IdenTrust_IdenTrust_Public_Sector_Root_CA_1" +# Certificate "IdenTrust Public Sector Root CA 1" # # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 @@ -5759,7 +5759,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IdenTrust_IdenTrust_Public_Sector_Root_CA_1" +CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -5873,7 +5873,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "IdenTrust_IdenTrust_Public_Sector_Root_CA_1" +# Trust for "IdenTrust Public Sector Root CA 1" # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02 # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US @@ -5885,7 +5885,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IdenTrust_IdenTrust_Public_Sector_Root_CA_1" +CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \272\051\101\140\167\230\077\364\363\357\362\061\005\073\056\352 \155\115\105\375 @@ -5911,7 +5911,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Disig_CA_Disig_Root_R2" +# Certificate "CA Disig Root R2" # # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK # Serial Number:00:92:b8:88:db:b0:8a:c1:63 @@ -5924,7 +5924,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Disig_CA_Disig_Root_R2" +CKA_LABEL UTF8 "CA Disig Root R2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061 @@ -6039,7 +6039,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Disig_CA_Disig_Root_R2" +# Trust for "CA Disig Root R2" # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK # Serial Number:00:92:b8:88:db:b0:8a:c1:63 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK 
@@ -6051,7 +6051,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Disig_CA_Disig_Root_R2" +CKA_LABEL UTF8 "CA Disig Root R2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \265\141\353\352\244\336\344\045\113\151\032\230\245\127\107\302 \064\307\331\161 @@ -6077,7 +6077,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCertAssuredIDRootG2" +# Certificate "DigiCert Assured ID Root G2" # # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b @@ -6090,7 +6090,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertAssuredIDRootG2" +CKA_LABEL UTF8 "DigiCert Assured ID Root G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -6179,7 +6179,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCertAssuredIDRootG2" +# Trust for "DigiCert Assured ID Root G2" # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -6191,7 +6191,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertAssuredIDRootG2" +CKA_LABEL UTF8 "DigiCert Assured ID Root G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \241\113\110\331\103\356\012\016\100\220\117\074\340\244\300\221 \223\121\135\077 
@@ -6219,7 +6219,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCertAssuredIDRootG3" +# Certificate "DigiCert Assured ID Root G3" # # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec @@ -6232,7 +6232,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertAssuredIDRootG3" +CKA_LABEL UTF8 "DigiCert Assured ID Root G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -6300,7 +6300,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCertAssuredIDRootG3" +# Trust for "DigiCert Assured ID Root G3" # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -6312,7 +6312,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertAssuredIDRootG3" +CKA_LABEL UTF8 "DigiCert Assured ID Root G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \365\027\242\117\232\110\306\311\370\242\000\046\237\334\017\110 \054\253\060\211 @@ -6340,7 +6340,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCertGlobalRootG2" +# Certificate "DigiCert Global Root G2" # # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 
@@ -6353,7 +6353,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertGlobalRootG2" +CKA_LABEL UTF8 "DigiCert Global Root G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -6442,7 +6442,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCertGlobalRootG2" +# Trust for "DigiCert Global Root G2" # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5 # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -6454,7 +6454,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertGlobalRootG2" +CKA_LABEL UTF8 "DigiCert Global Root G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \337\074\044\371\277\326\146\166\033\046\200\163\376\006\321\314 \215\117\202\244 @@ -6482,7 +6482,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCertGlobalRootG3" +# Certificate "DigiCert Global Root G3" # # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72 @@ -6495,7 +6495,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertGlobalRootG3" +CKA_LABEL UTF8 "DigiCert Global Root G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -6563,7 +6563,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCertGlobalRootG3" +# Trust for "DigiCert Global Root G3" # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72 # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -6575,7 +6575,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertGlobalRootG3" +CKA_LABEL UTF8 "DigiCert Global Root G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \176\004\336\211\152\076\146\155\000\346\207\323\077\372\331\073 \350\075\064\236 @@ -6603,7 +6603,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCertTrustedRootG4" +# Certificate "DigiCert Trusted Root G4" # # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c @@ -6616,7 +6616,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertTrustedRootG4" +CKA_LABEL UTF8 "DigiCert Trusted Root G4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\142\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -6737,7 +6737,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCertTrustedRootG4" +# Trust for "DigiCert Trusted Root G4" # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US 
@@ -6749,7 +6749,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCertTrustedRootG4" +CKA_LABEL UTF8 "DigiCert Trusted Root G4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \335\373\026\315\111\061\311\163\242\003\175\077\310\072\115\175 \167\135\005\344 @@ -6777,7 +6777,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "AGESIC_ACRN" +# Certificate "Autoridad Certificadora Raíz Nacional de Uruguay" # # Issuer: C=UY,O=AGESIC,CN=Autoridad Certificadora Ra..z Nacional de Uruguay # Serial Number:02:ee:00:9b:66:d8:6a:1d:67:fe:da:8a:25:6f:21:5a:75:1b @@ -6790,7 +6790,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AGESIC_ACRN" +CKA_LABEL UTF8 "Autoridad Certificadora Raíz Nacional de Uruguay" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\072\060\070\006\003\125\004\003\014\061\101\165\164 @@ -6926,7 +6926,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "AGESIC_ACRN" +# Trust for "Autoridad Certificadora Raíz Nacional de Uruguay" # Issuer: C=UY,O=AGESIC,CN=Autoridad Certificadora Ra..z Nacional de Uruguay # Serial Number:02:ee:00:9b:66:d8:6a:1d:67:fe:da:8a:25:6f:21:5a:75:1b # Subject: C=UY,O=AGESIC,CN=Autoridad Certificadora Ra..z Nacional de Uruguay @@ -6938,7 +6938,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AGESIC_ACRN" +CKA_LABEL UTF8 "Autoridad Certificadora Raíz Nacional de Uruguay" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \172\034\335\343\322\031\176\161\067\103\075\077\231\300\263\151 \367\006\307\111 
@@ -6965,7 +6965,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "KIRSA_SZAFIRroot_ca" +# Certificate "SZAFIR ROOT CA" # # Issuer: CN=SZAFIR ROOT CA,O=Krajowa Izba Rozliczeniowa S.A.,C=PL # Serial Number:00:e6:09:fe:7a:ea:00:68:8c:e0:24:b4:ed:20:1b:1f:ef:52:b4:44:d1 @@ -6978,7 +6978,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "KIRSA_SZAFIRroot_ca" +CKA_LABEL UTF8 "SZAFIR ROOT CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\013\060\011\006\003\125\004\006\023\002\120\114\061 @@ -7063,7 +7063,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "KIRSA_SZAFIRroot_ca" +# Trust for "SZAFIR ROOT CA" # Issuer: CN=SZAFIR ROOT CA,O=Krajowa Izba Rozliczeniowa S.A.,C=PL # Serial Number:00:e6:09:fe:7a:ea:00:68:8c:e0:24:b4:ed:20:1b:1f:ef:52:b4:44:d1 # Subject: CN=SZAFIR ROOT CA,O=Krajowa Izba Rozliczeniowa S.A.,C=PL @@ -7075,7 +7075,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "KIRSA_SZAFIRroot_ca" +CKA_LABEL UTF8 "SZAFIR ROOT CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \323\356\373\313\274\364\230\147\203\206\046\342\073\265\234\240 \036\060\135\267 
@@ -7102,7 +7102,185 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TMCA_TMCArootca" +# Certificate "Signet Root CA" +# +# Issuer: CN=Signet Root CA,OU=Signet Certification Authority,O=Telekomunikacja Polska S.A.,C=PL +# Serial Number: 1 (0x1) +# Subject: CN=Signet Root CA,OU=Signet Certification Authority,O=Telekomunikacja Polska S.A.,C=PL +# Not Valid Before: Mon May 06 11:38:04 2013 +# Not Valid After : Thu May 06 11:38:04 2038 +# Fingerprint (SHA-256): 72:86:CE:24:9F:E9:E3:2B:D4:75:22:57:C1:7C:D8:F6:99:1A:9C:1E:6F:1A:3C:C7:33:04:ED:02:3E:6A:E4:EB +# Fingerprint (SHA1): B2:BD:90:31:AA:6D:0E:14:F4:C5:7F:D5:48:25:8F:37:B1:FB:39:E4 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Signet Root CA" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\165\061\013\060\011\006\003\125\004\006\023\002\120\114\061 +\044\060\042\006\003\125\004\012\014\033\124\145\154\145\153\157 +\155\165\156\151\153\141\143\152\141\040\120\157\154\163\153\141 +\040\123\056\101\056\061\047\060\045\006\003\125\004\013\014\036 +\123\151\147\156\145\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\027 +\060\025\006\003\125\004\003\014\016\123\151\147\156\145\164\040 +\122\157\157\164\040\103\101 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\165\061\013\060\011\006\003\125\004\006\023\002\120\114\061 +\044\060\042\006\003\125\004\012\014\033\124\145\154\145\153\157 +\155\165\156\151\153\141\143\152\141\040\120\157\154\163\153\141 +\040\123\056\101\056\061\047\060\045\006\003\125\004\013\014\036 +\123\151\147\156\145\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\027 +\060\025\006\003\125\004\003\014\016\123\151\147\156\145\164\040 +\122\157\157\164\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\001 
+END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\310\060\202\003\260\240\003\002\001\002\002\001\001 +\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 +\165\061\013\060\011\006\003\125\004\006\023\002\120\114\061\044 +\060\042\006\003\125\004\012\014\033\124\145\154\145\153\157\155 +\165\156\151\153\141\143\152\141\040\120\157\154\163\153\141\040 +\123\056\101\056\061\047\060\045\006\003\125\004\013\014\036\123 +\151\147\156\145\164\040\103\145\162\164\151\146\151\143\141\164 +\151\157\156\040\101\165\164\150\157\162\151\164\171\061\027\060 +\025\006\003\125\004\003\014\016\123\151\147\156\145\164\040\122 +\157\157\164\040\103\101\060\036\027\015\061\063\060\065\060\066 +\061\061\063\070\060\064\132\027\015\063\070\060\065\060\066\061 +\061\063\070\060\064\132\060\165\061\013\060\011\006\003\125\004 +\006\023\002\120\114\061\044\060\042\006\003\125\004\012\014\033 +\124\145\154\145\153\157\155\165\156\151\153\141\143\152\141\040 +\120\157\154\163\153\141\040\123\056\101\056\061\047\060\045\006 +\003\125\004\013\014\036\123\151\147\156\145\164\040\103\145\162 +\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157 +\162\151\164\171\061\027\060\025\006\003\125\004\003\014\016\123 +\151\147\156\145\164\040\122\157\157\164\040\103\101\060\202\002 +\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000 +\003\202\002\017\000\060\202\002\012\002\202\002\001\000\251\144 +\313\270\061\342\265\017\200\047\006\314\105\136\352\015\137\327 +\167\152\227\150\266\135\240\170\005\104\253\060\260\172\207\357 +\142\356\010\130\125\134\027\372\053\200\016\034\165\247\147\166 +\112\226\303\050\153\170\371\132\337\372\152\171\247\212\124\035 +\052\226\206\361\265\027\325\135\032\126\367\100\020\267\016\341 +\007\334\147\013\231\242\000\010\324\004\042\167\246\103\216\237 +\325\060\252\372\235\201\106\362\075\316\136\302\176\301\174\237 +\063\257\046\332\035\336\140\367\202\247\066\314\365\310\300\002 
+\217\222\317\156\116\377\373\376\141\077\256\277\275\226\147\376 +\320\257\035\326\043\367\060\346\173\210\135\351\365\063\104\312 +\212\273\247\073\131\216\160\027\151\050\027\273\020\126\245\302 +\264\013\015\373\264\167\211\020\104\125\155\211\253\325\115\062 +\271\327\367\151\234\375\265\257\003\262\041\266\054\140\365\137 +\321\302\124\210\057\140\357\234\124\206\265\101\007\063\054\154 +\013\034\022\332\107\231\146\064\256\240\354\155\320\143\227\177 +\304\005\200\223\370\102\054\124\330\376\332\225\030\153\205\362 +\134\371\166\207\066\036\261\200\037\100\340\013\012\223\324\256 +\132\161\127\015\072\357\341\354\173\135\370\020\232\067\174\251 +\026\242\304\216\127\073\020\033\166\255\250\161\100\063\205\003 +\077\155\330\036\075\347\060\123\307\343\352\327\320\060\125\304 +\232\147\102\174\267\100\153\334\251\104\120\362\343\056\105\142 +\161\274\271\156\050\005\071\166\365\131\352\241\003\060\164\340 +\337\262\012\043\025\116\343\130\072\242\117\170\310\210\133\121 +\222\316\072\052\066\017\316\337\263\002\117\056\374\205\252\103 +\326\006\265\170\267\310\273\043\033\105\217\247\065\064\312\252 +\024\067\325\237\173\060\126\217\351\127\012\106\247\001\227\233 +\054\247\115\377\131\075\356\236\063\054\054\363\040\273\130\370 +\163\037\001\320\103\042\303\050\027\266\044\000\022\125\270\133 +\023\274\277\327\331\275\131\373\302\123\151\365\256\122\046\315 +\254\122\267\310\035\123\232\241\004\240\002\103\120\235\022\251 +\300\156\121\301\355\021\116\337\357\304\024\041\272\272\241\016 +\225\203\065\122\320\347\237\122\325\222\371\042\303\207\002\003 +\001\000\001\243\143\060\141\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001 +\001\377\004\004\003\002\001\006\060\037\006\003\125\035\043\004 +\030\060\026\200\024\120\173\011\257\151\055\057\265\340\221\257 +\215\222\023\053\261\062\350\111\320\060\035\006\003\125\035\016 +\004\026\004\024\120\173\011\257\151\055\057\265\340\221\257\215 
+\222\023\053\261\062\350\111\320\060\015\006\011\052\206\110\206 +\367\015\001\001\013\005\000\003\202\002\001\000\020\045\247\000 +\045\075\376\215\106\326\100\307\057\331\132\044\205\110\230\243 +\340\321\100\241\323\243\300\004\225\064\041\166\026\351\326\213 +\052\246\321\066\046\076\303\345\110\216\153\370\006\323\311\155 +\040\213\301\371\170\207\054\355\165\101\050\076\160\371\302\161 +\155\061\014\067\340\025\342\333\136\360\300\256\120\025\354\210 +\121\123\203\311\245\362\317\254\302\346\314\020\307\154\030\167 +\126\130\265\044\232\207\003\141\166\117\036\130\363\333\225\062 +\170\021\053\261\040\023\261\176\322\345\344\173\264\060\145\003 +\213\033\342\350\336\352\022\336\227\152\136\000\105\326\340\133 +\052\220\241\320\053\350\321\166\111\151\026\357\333\202\264\123 +\062\110\045\154\164\360\312\367\316\335\341\111\217\122\325\124 +\025\364\010\257\006\147\123\230\347\254\354\065\212\233\023\364 +\035\375\201\350\033\061\316\363\340\205\222\353\203\132\316\264 +\027\211\260\116\341\141\160\137\350\261\062\316\233\036\012\173 +\031\055\310\150\066\063\244\126\365\272\111\275\057\374\263\012 +\262\153\232\136\076\373\114\030\257\134\360\137\331\261\333\011 +\035\106\122\307\160\333\270\230\051\324\071\152\136\074\142\207 +\172\212\217\166\277\334\247\150\272\213\305\071\306\011\117\157 +\166\102\114\317\000\123\012\264\037\130\306\112\025\375\372\341 +\274\267\174\124\206\117\274\167\171\044\022\115\144\135\264\172 +\333\151\066\164\146\350\175\344\133\051\362\060\375\265\335\336 +\241\041\141\146\140\045\073\110\157\316\253\217\115\242\114\313 +\014\373\301\066\364\120\301\154\054\151\134\112\104\035\304\134 +\047\115\044\367\116\341\077\253\145\003\323\270\221\174\360\205 +\070\326\212\107\104\054\260\016\011\245\262\322\367\352\354\364 +\165\266\153\125\113\301\051\073\246\104\233\302\020\354\172\216 +\114\035\243\242\041\334\145\306\200\036\324\227\117\364\200\123 +\012\272\135\215\073\166\200\047\072\131\133\037\365\126\206\341 
+\350\212\130\267\232\367\102\357\132\250\112\356\124\372\044\236 +\237\270\314\354\242\010\342\254\202\215\322\063\043\302\156\343 +\344\377\231\365\134\147\305\262\166\042\033\155\054\366\006\367 +\216\064\121\042\350\366\031\152\277\120\232\202 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Signet Root CA" +# Issuer: CN=Signet Root CA,OU=Signet Certification Authority,O=Telekomunikacja Polska S.A.,C=PL +# Serial Number: 1 (0x1) +# Subject: CN=Signet Root CA,OU=Signet Certification Authority,O=Telekomunikacja Polska S.A.,C=PL +# Not Valid Before: Mon May 06 11:38:04 2013 +# Not Valid After : Thu May 06 11:38:04 2038 +# Fingerprint (SHA-256): 72:86:CE:24:9F:E9:E3:2B:D4:75:22:57:C1:7C:D8:F6:99:1A:9C:1E:6F:1A:3C:C7:33:04:ED:02:3E:6A:E4:EB +# Fingerprint (SHA1): B2:BD:90:31:AA:6D:0E:14:F4:C5:7F:D5:48:25:8F:37:B1:FB:39:E4 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Signet Root CA" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\262\275\220\061\252\155\016\024\364\305\177\325\110\045\217\067 +\261\373\071\344 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\033\135\236\231\344\051\040\043\023\111\141\364\272\063\172\043 +END +CKA_ISSUER MULTILINE_OCTAL +\060\165\061\013\060\011\006\003\125\004\006\023\002\120\114\061 +\044\060\042\006\003\125\004\012\014\033\124\145\154\145\153\157 +\155\165\156\151\153\141\143\152\141\040\120\157\154\163\153\141 +\040\123\056\101\056\061\047\060\045\006\003\125\004\013\014\036 +\123\151\147\156\145\164\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\027 +\060\025\006\003\125\004\003\014\016\123\151\147\156\145\164\040 +\122\157\157\164\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\001 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR 
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "TM Applied Business Root Certificate" # # Issuer: CN=TM Applied Business Root Certificate,OU=TM Applied Business Certification Authority,O=TM,C=my # Serial Number: 1 (0x1) @@ -7115,7 +7293,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TMCA_TMCArootca" +CKA_LABEL UTF8 "TM Applied Business Root Certificate" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\177\061\013\060\011\006\003\125\004\006\023\002\155\171\061 @@ -7228,7 +7406,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TMCA_TMCArootca" +# Trust for "TM Applied Business Root Certificate" # Issuer: CN=TM Applied Business Root Certificate,OU=TM Applied Business Certification Authority,O=TM,C=my # Serial Number: 1 (0x1) # Subject: CN=TM Applied Business Root Certificate,OU=TM Applied Business Certification Authority,O=TM,C=my @@ -7240,7 +7418,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TMCA_TMCArootca" +CKA_LABEL UTF8 "TM Applied Business Root Certificate" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \231\127\305\077\305\237\270\347\071\367\244\267\247\016\233\216 \145\237\040\214 @@ -7269,7 +7447,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TcTrust_TSYSTEMSGlobalRoot_Class_2" +# Certificate "T-TeleSec GlobalRoot Class 2" # # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE # Serial Number: 1 (0x1) 
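Review bot: The added "Signet Root CA" entry is the only hunk among these label renames that changes trust, and nothing in it records where the certificate was taken from. Its trust object sets `CKT_NSS_TRUSTED_DELEGATOR` for both `CKA_TRUST_SERVER_AUTH` and `CKA_TRUST_EMAIL_PROTECTION`, so it presumably becomes a trust anchor for TLS and S/MIME wherever this bundle is consumed. Because the serial number is just `1` and `CKA_ID` is `"0"`, the SHA-256 fingerprint in the header comment is the only value that can be compared against the CA's published fingerprint and the upstream root list, and that comparison should happen before merge. I would add a provenance line above the entry, for example `# Source: <upstream root list name and version>`, and name the addition in the commit description if it is not already there. If this file is generated from an upstream list, the generator's input version belongs in that comment instead.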
@@ -7282,7 +7460,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TcTrust_TSYSTEMSGlobalRoot_Class_2" +CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105 @@ -7377,7 +7555,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TcTrust_TSYSTEMSGlobalRoot_Class_2" +# Trust for "T-TeleSec GlobalRoot Class 2" # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE # Serial Number: 1 (0x1) # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE @@ -7389,7 +7567,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TcTrust_TSYSTEMSGlobalRoot_Class_2" +CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \131\015\055\175\210\117\100\056\141\176\245\142\062\027\145\317 \027\330\224\351 @@ -7418,7 +7596,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "eTurga_Etugra_Root" +# Certificate "E-Tugra Certification Authority" # # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR # Serial Number:6a:68:3e:9c:51:9b:cb:53 @@ -7431,7 +7609,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "eTurga_Etugra_Root" +CKA_LABEL UTF8 "E-Tugra Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122 
@@ -7572,7 +7750,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "eTurga_Etugra_Root" +# Trust for "E-Tugra Certification Authority" # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR # Serial Number:6a:68:3e:9c:51:9b:cb:53 # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR @@ -7584,7 +7762,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "eTurga_Etugra_Root" +CKA_LABEL UTF8 "E-Tugra Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \121\306\347\010\111\006\156\363\222\324\134\240\015\155\243\142 \217\303\122\071 @@ -7616,7 +7794,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "JapanGov_GOVT_JPNApplicationCA2_Root" +# Certificate "GPKI ApplicationCA2 Root" # # Issuer: CN=ApplicationCA2 Root,OU=GPKI,O=Japanese Government,C=JP # Serial Number:12537282828 @@ -7629,7 +7807,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "JapanGov_GOVT_JPNApplicationCA2_Root" +CKA_LABEL UTF8 "GPKI ApplicationCA2 Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061 
@@ -7721,7 +7899,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "JapanGov_GOVT_JPNApplicationCA2_Root" +# Trust for "GPKI ApplicationCA2 Root" # Issuer: CN=ApplicationCA2 Root,OU=GPKI,O=Japanese Government,C=JP # Serial Number:12537282828 # Subject: CN=ApplicationCA2 Root,OU=GPKI,O=Japanese Government,C=JP @@ -7733,7 +7911,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "JapanGov_GOVT_JPNApplicationCA2_Root" +CKA_LABEL UTF8 "GPKI ApplicationCA2 Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \360\017\303\175\152\034\222\141\373\153\301\302\030\111\214\132 \244\334\121\373 @@ -7759,7 +7937,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ADOCA_ADOCA02" +# Certificate "Australian Defence Organisation (ADO) Certificate Authority 02" # # Issuer: CN=ADOCA02,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU # Serial Number: 1813 (0x715) @@ -7772,7 +7950,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ADOCA_ADOCA02" +CKA_LABEL UTF8 "Australian Defence Organisation (ADO) Certificate Authority 02" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\127\061\013\060\011\006\003\125\004\006\023\002\101\125\061 @@ -7862,7 +8040,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ADOCA_ADOCA02" +# Trust for "Australian Defence Organisation (ADO) Certificate Authority 02" # Issuer: CN=ADOCA02,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU # Serial Number: 1813 (0x715) # Subject: CN=ADOCA02,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU 
@@ -7874,7 +8052,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ADOCA_ADOCA02" +CKA_LABEL UTF8 "Australian Defence Organisation (ADO) Certificate Authority 02" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \204\102\235\237\342\347\072\015\310\252\012\340\251\002\362\164 \231\063\376\002 @@ -7900,7 +8078,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "OATI_oati_ca1" +# Certificate "OATI WebCARES Root CA" # # Issuer: CN=OATI WebCARES Root CA,O=Open Access Technology International Inc,L=Minneapolis,ST=MN,C=US # Serial Number:02:57:62:06:6a:75:60:87:4f:90:04:bf:a1:c8:28:41 @@ -7913,7 +8091,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "OATI_oati_ca1" +CKA_LABEL UTF8 "OATI WebCARES Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -8116,7 +8294,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "OATI_oati_ca1" +# Trust for "OATI WebCARES Root CA" # Issuer: CN=OATI WebCARES Root CA,O=Open Access Technology International Inc,L=Minneapolis,ST=MN,C=US # Serial Number:02:57:62:06:6a:75:60:87:4f:90:04:bf:a1:c8:28:41 # Subject: CN=OATI WebCARES Root CA,O=Open Access Technology International Inc,L=Minneapolis,ST=MN,C=US @@ -8128,7 +8306,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "OATI_oati_ca1" +CKA_LABEL UTF8 "OATI WebCARES Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \113\153\322\323\210\116\106\310\014\342\271\142\274\131\214\331 \325\330\100\023 
@@ -8158,7 +8336,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalS_globalsign_root-r5" +# Certificate "GlobalSign ECC Root CA - R5" # # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c @@ -8171,7 +8349,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r5" +CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 @@ -8235,7 +8413,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalS_globalsign_root-r5" +# Trust for "GlobalSign ECC Root CA - R5" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 @@ -8247,7 +8425,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r5" +CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \037\044\306\060\315\244\030\357\040\151\377\255\117\335\137\106 \072\033\151\252 @@ -8274,7 +8452,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalS_globalsign_root-r4" +# Certificate "Google Trust Services - GlobalSign ECC Root CA - R4" # # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 
@@ -8287,7 +8465,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r4" +CKA_LABEL UTF8 "Google Trust Services - GlobalSign ECC Root CA - R4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157 @@ -8347,7 +8525,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalS_globalsign_root-r4" +# Trust for "Google Trust Services - GlobalSign ECC Root CA - R4" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 @@ -8359,7 +8537,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_globalsign_root-r4" +CKA_LABEL UTF8 "Google Trust Services - GlobalSign ECC Root CA - R4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \151\151\126\056\100\200\364\044\241\347\031\237\024\272\363\356 \130\253\152\273 @@ -8386,7 +8564,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_qvrca1g3" +# Certificate "QuoVadis Root CA 1 G3" # # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93 @@ -8399,7 +8577,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca1g3" +CKA_LABEL UTF8 "QuoVadis Root CA 1 G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\110\061\013\060\011\006\003\125\004\006\023\002\102\115\061 
@@ -8513,7 +8691,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_qvrca1g3" +# Trust for "QuoVadis Root CA 1 G3" # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93 # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM @@ -8525,7 +8703,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca1g3" +CKA_LABEL UTF8 "QuoVadis Root CA 1 G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \033\216\352\127\226\051\032\311\071\352\270\012\201\032\163\163 \300\223\171\147 @@ -8551,7 +8729,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_qvrca2g3" +# Certificate "QuoVadis Root CA 2 G3" # # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28 @@ -8564,7 +8742,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca2g3" +CKA_LABEL UTF8 "QuoVadis Root CA 2 G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\110\061\013\060\011\006\003\125\004\006\023\002\102\115\061 @@ -8678,7 +8856,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_qvrca2g3" +# Trust for "QuoVadis Root CA 2 G3" # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28 # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM 
@@ -8690,7 +8868,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca2g3" +CKA_LABEL UTF8 "QuoVadis Root CA 2 G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \011\074\141\363\213\213\334\175\125\337\165\070\002\005\000\341 \045\365\310\066 @@ -8716,7 +8894,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_qvrca3g3" +# Certificate "QuoVadis Root CA 3 G3" # # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d @@ -8729,7 +8907,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca3g3" +CKA_LABEL UTF8 "QuoVadis Root CA 3 G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\110\061\013\060\011\006\003\125\004\006\023\002\102\115\061 @@ -8843,7 +9021,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_qvrca3g3" +# Trust for "QuoVadis Root CA 3 G3" # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM @@ -8855,7 +9033,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca3g3" +CKA_LABEL UTF8 "QuoVadis Root CA 3 G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \110\022\275\222\074\250\304\071\006\347\060\155\047\226\346\244 \317\042\056\175 
@@ -8881,7 +9059,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Entrust_ENTRUST_ec1" +# Certificate "Entrust Root Certification Authority - EC1" # # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9 @@ -8894,7 +9072,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_ENTRUST_ec1" +CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -8984,7 +9162,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Entrust_ENTRUST_ec1" +# Trust for "Entrust Root Certification Authority - EC1" # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9 # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -8996,7 +9174,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_ENTRUST_ec1" +CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \040\330\006\100\337\233\045\365\022\045\072\021\352\367\131\212 \353\024\265\107 
@@ -9029,7 +9207,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Symantec_SYMC_PCA3_G6" +# Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # # Issuer: CN=Symantec Class 3 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US # Serial Number:65:63:71:85:d3:6f:45:c6:8f:7f:31:f9:09:87:92:82 @@ -9042,7 +9220,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Symantec_SYMC_PCA3_G6" +CKA_LABEL UTF8 "Symantec Class 3 Public Primary Certification Authority - G6" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -9175,7 +9353,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Symantec_SYMC_PCA3_G6" +# Trust for "Symantec Class 3 Public Primary Certification Authority - G6" # Issuer: CN=Symantec Class 3 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US # Serial Number:65:63:71:85:d3:6f:45:c6:8f:7f:31:f9:09:87:92:82 # Subject: CN=Symantec Class 3 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -9187,7 +9365,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Symantec_SYMC_PCA3_G6" +CKA_LABEL UTF8 "Symantec Class 3 Public Primary Certification Authority - G6" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \046\241\154\043\132\044\162\042\233\043\142\200\045\274\200\227 \310\205\044\241 
@@ -9218,7 +9396,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Symantec_SYMC_PCA_3_G4" +# Certificate "Symantec Class 3 Public Primary Certification Authority - G4" # # Issuer: CN=Symantec Class 3 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US # Serial Number:4c:79:b5:9a:28:9c:76:31:64:f5:89:44:d0:91:02:de @@ -9231,7 +9409,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Symantec_SYMC_PCA_3_G4" +CKA_LABEL UTF8 "Symantec Class 3 Public Primary Certification Authority - G4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -9311,7 +9489,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Symantec_SYMC_PCA_3_G4" +# Trust for "Symantec Class 3 Public Primary Certification Authority - G4" # Issuer: CN=Symantec Class 3 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US # Serial Number:4c:79:b5:9a:28:9c:76:31:64:f5:89:44:d0:91:02:de # Subject: CN=Symantec Class 3 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -9323,7 +9501,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Symantec_SYMC_PCA_3_G4" +CKA_LABEL UTF8 "Symantec Class 3 Public Primary Certification Authority - G4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \130\325\055\271\063\001\244\375\051\032\214\226\105\240\217\356 \177\122\222\202 
@@ -9354,7 +9532,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CFCA_CFCA_EV_root" +# Certificate "CFCA EV ROOT" # # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN # Serial Number: 407555286 (0x184accd6) @@ -9367,7 +9545,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CFCA_CFCA_EV_root" +CKA_LABEL UTF8 "CFCA EV ROOT" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -9485,7 +9663,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CFCA_CFCA_EV_root" +# Trust for "CFCA EV ROOT" # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN # Serial Number: 407555286 (0x184accd6) # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN @@ -9497,7 +9675,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CFCA_CFCA_EV_root" +CKA_LABEL UTF8 "CFCA EV ROOT" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \342\270\051\113\125\204\253\153\130\302\220\106\154\254\077\270 \071\217\204\203 @@ -9523,7 +9701,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Harica_Harica_root" +# Certificate "Hellenic Academic and Research Institutions RootCA 2011" # # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR # Serial Number: 0 (0x0) 
@@ -9536,7 +9714,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_Harica_root" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions RootCA 2011" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\225\061\013\060\011\006\003\125\004\006\023\002\107\122 @@ -9640,7 +9818,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Harica_Harica_root" +# Trust for "Hellenic Academic and Research Institutions RootCA 2011" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR # Serial Number: 0 (0x0) # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR @@ -9652,7 +9830,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Harica_Harica_root" +CKA_LABEL UTF8 "Hellenic Academic and Research Institutions RootCA 2011" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \376\105\145\233\171\003\133\230\241\141\265\121\056\254\332\130 \011\110\042\115 @@ -9682,7 +9860,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Athens_Athex_root" +# Certificate "Athex Root CA" # # Issuer: CN=ATHEX Root CA,O=Athens Exchange S.A.,C=GR # Serial Number: 10012 (0x271c) @@ -9695,7 +9873,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Athens_Athex_root" +CKA_LABEL UTF8 "Athex Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\013\060\011\006\003\125\004\006\023\002\107\122\061 
@@ -9773,7 +9951,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Athens_Athex_root" +# Trust for "Athex Root CA" # Issuer: CN=ATHEX Root CA,O=Athens Exchange S.A.,C=GR # Serial Number: 10012 (0x271c) # Subject: CN=ATHEX Root CA,O=Athens Exchange S.A.,C=GR @@ -9785,7 +9963,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Athens_Athex_root" +CKA_LABEL UTF8 "Athex Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \333\053\173\103\115\373\177\301\313\131\046\354\135\225\041\376 \065\017\362\171 @@ -9810,7 +9988,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ACCV_ACCV_root" +# Certificate "ACCVRAIZ1" # # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0 @@ -9823,7 +10001,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCV_ACCV_root" +CKA_LABEL UTF8 "ACCVRAIZ1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103 @@ -9975,7 +10153,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ACCV_ACCV_root" +# Trust for "ACCVRAIZ1" # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0 # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 @@ -9987,7 +10165,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCV_ACCV_root" +CKA_LABEL UTF8 "ACCVRAIZ1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \223\005\172\210\025\306\117\316\210\057\372\221\026\122\050\170 \274\123\144\027 
@@ -10012,7 +10190,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Halcom_Halcom_Root_CA" +# Certificate "Halcom Root CA" # # Issuer: CN=Halcom Root CA,O=Halcom,C=SI # Serial Number: 504275 (0x7b1d3) @@ -10025,7 +10203,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Halcom_Halcom_Root_CA" +CKA_LABEL UTF8 "Halcom Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\067\061\013\060\011\006\003\125\004\006\023\002\123\111\061 @@ -10100,7 +10278,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Halcom_Halcom_Root_CA" +# Trust for "Halcom Root CA" # Issuer: CN=Halcom Root CA,O=Halcom,C=SI # Serial Number: 504275 (0x7b1d3) # Subject: CN=Halcom Root CA,O=Halcom,C=SI @@ -10112,7 +10290,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Halcom_Halcom_Root_CA" +CKA_LABEL UTF8 "Halcom Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \123\133\000\026\162\253\277\173\154\302\124\005\256\115\044\376 \003\077\321\314 @@ -10136,7 +10314,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CFCA_root1" +# Certificate "China Financial CA" # # Issuer: O=CFCA GT CA,C=CN # Serial Number: 429472831 (0x19993c3f) @@ -10149,7 +10327,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CFCA_root1" +CKA_LABEL UTF8 "China Financial CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\042\061\013\060\011\006\003\125\004\006\023\002\103\116\061 
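Review bot: The label chosen in the `@@ -10136,7 +10314,7 @@` hunk, `"China Financial CA"`, names the operating organisation rather than the certificate, unlike most renamed entries in this diff, which copy the subject CN. The same pattern appears in later hunks: `"Digidentity BV"`, `"Inera AB"`, `"Network Solutions"` and `"Sectigo (CCA)"`, the last on a root whose subject is still CN=COMODO Certification Authority. Owner-style labels are not unique per root, so a second root from the same owner would end up with an identical label. Using the subject CN, e.g. `CKA_LABEL UTF8 "SITHS Root CA v1"` for the Inera entry, keeps label and certificate in one-to-one correspondence. If the names are deliberately copied from an upstream list, a header comment saying so, and noting that the hash/issuer/serial fields rather than the label identify an entry, would help anyone auditing the store.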
@@ -10222,7 +10400,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CFCA_root1" +# Trust for "China Financial CA" # Issuer: O=CFCA GT CA,C=CN # Serial Number: 429472831 (0x19993c3f) # Subject: O=CFCA GT CA,C=CN @@ -10234,7 +10412,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CFCA_root1" +CKA_LABEL UTF8 "China Financial CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \352\275\242\100\104\012\273\326\224\223\012\001\320\227\144\306 \302\327\171\146 @@ -10257,7 +10435,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "DigID_root1" +# Certificate "Digidentity BV" # # Issuer: CN=Digidentity L3 Root CA - G2,O=Digidentity B.V.,C=NL # Serial Number: 1 (0x1) @@ -10270,7 +10448,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigID_root1" +CKA_LABEL UTF8 "Digidentity BV" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\116\061\013\060\011\006\003\125\004\006\023\002\116\114\061 @@ -10387,7 +10565,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "DigID_root1" +# Trust for "Digidentity BV" # Issuer: CN=Digidentity L3 Root CA - G2,O=Digidentity B.V.,C=NL # Serial Number: 1 (0x1) # Subject: CN=Digidentity L3 Root CA - G2,O=Digidentity B.V.,C=NL @@ -10399,7 +10577,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigID_root1" +CKA_LABEL UTF8 "Digidentity BV" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \361\070\243\060\244\352\230\153\353\122\013\261\020\065\207\156 \373\235\177\034 
@@ -10424,7 +10602,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Siths_root1" +# Certificate "Inera AB" # # Issuer: CN=SITHS Root CA v1,O=Inera AB,C=SE # Serial Number:00:90:66:61:a8:62:3d:65:44:77:04:3f:71:9a:c3:97:0c @@ -10437,7 +10615,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Siths_root1" +CKA_LABEL UTF8 "Inera AB" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\073\061\013\060\011\006\003\125\004\006\023\002\123\105\061 @@ -10552,7 +10730,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Siths_root1" +# Trust for "Inera AB" # Issuer: CN=SITHS Root CA v1,O=Inera AB,C=SE # Serial Number:00:90:66:61:a8:62:3d:65:44:77:04:3f:71:9a:c3:97:0c # Subject: CN=SITHS Root CA v1,O=Inera AB,C=SE @@ -10564,7 +10742,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Siths_root1" +CKA_LABEL UTF8 "Inera AB" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \130\137\170\165\276\347\103\076\260\171\352\253\175\005\273\017 \172\362\274\314 @@ -10589,7 +10767,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "MOGAHA_root2" +# Certificate "GPKIRootCA1" # # Issuer: CN=GPKIRootCA1,OU=GPKI,O=Government of Korea,C=KR # Serial Number: 1 (0x1) @@ -10602,7 +10780,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MOGAHA_root2" +CKA_LABEL UTF8 "GPKIRootCA1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\013\060\011\006\003\125\004\006\023\002\113\122\061 
@@ -10685,7 +10863,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "MOGAHA_root2" +# Trust for "GPKIRootCA1" # Issuer: CN=GPKIRootCA1,OU=GPKI,O=Government of Korea,C=KR # Serial Number: 1 (0x1) # Subject: CN=GPKIRootCA1,OU=GPKI,O=Government of Korea,C=KR @@ -10697,7 +10875,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MOGAHA_root2" +CKA_LABEL UTF8 "GPKIRootCA1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \166\022\355\236\111\263\145\264\332\323\022\014\001\346\003\164 \215\256\214\360 @@ -10723,7 +10901,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "dtrust_nonevroot" +# Certificate "D-TRUST Root Class 3 CA 2 2009" # # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE # Serial Number: 623603 (0x983f3) @@ -10736,7 +10914,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "dtrust_nonevroot" +CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 2009" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\115\061\013\060\011\006\003\125\004\006\023\002\104\105\061 @@ -10830,7 +11008,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "dtrust_nonevroot" +# Trust for "D-TRUST Root Class 3 CA 2 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE # Serial Number: 623603 (0x983f3) # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE 
@@ -10842,7 +11020,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "dtrust_nonevroot" +CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 2009" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \130\350\253\260\066\025\063\373\200\367\233\033\155\051\323\377 \215\137\000\360 @@ -10867,7 +11045,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "dtrust_evroot" +# Certificate "D-TRUST Root Class 3 CA 2 EV 2009" # # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE # Serial Number: 623604 (0x983f4) @@ -10880,7 +11058,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "dtrust_evroot" +CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 EV 2009" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\013\060\011\006\003\125\004\006\023\002\104\105\061 @@ -10977,7 +11155,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "dtrust_evroot" +# Trust for "D-TRUST Root Class 3 CA 2 EV 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE # Serial Number: 623604 (0x983f4) # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE @@ -10989,7 +11167,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "dtrust_evroot" +CKA_LABEL UTF8 "D-TRUST Root Class 3 CA 2 EV 2009" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \226\311\033\013\225\264\020\230\102\372\320\330\042\171\376\140 \372\271\026\203 
@@ -11015,7 +11193,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Brazil_root1" +# Certificate "?Autoridade Certificadora Raiz Brasileira v2" # # Issuer: CN=Autoridade Certificadora Raiz Brasileira v2,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number: 1 (0x1) @@ -11028,7 +11206,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Brazil_root1" +CKA_LABEL UTF8 "?Autoridade Certificadora Raiz Brasileira v2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\227\061\013\060\011\006\003\125\004\006\023\002\102\122 @@ -11171,7 +11349,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Brazil_root1" +# Trust for "?Autoridade Certificadora Raiz Brasileira v2" # Issuer: CN=Autoridade Certificadora Raiz Brasileira v2,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number: 1 (0x1) # Subject: CN=Autoridade Certificadora Raiz Brasileira v2,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR @@ -11183,7 +11361,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Brazil_root1" +CKA_LABEL UTF8 "?Autoridade Certificadora Raiz Brasileira v2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \251\202\056\154\151\063\306\074\024\214\055\312\244\112\134\361 \252\322\304\056 @@ -11213,7 +11391,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissCom_Root2" +# Certificate "?Swisscom Root CA 2" # # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6 
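Review bot: The new label in this hunk begins with a stray `?` (`"?Autoridade Certificadora Raiz Brasileira v2"`), which looks like a byte-order mark or other invisible character that was transcoded when the name was copied in, not part of the CA's name. It appears in all four label hunks for this root (the `# Certificate` and `# Trust for` comments and both `CKA_LABEL` values) and again in the later hunks for `"?Swisscom Root CA 2"`, `"?IGC/A AC racine Etat francais"` and `"?PersonalID Trustworthy RootCA 2011"`. The lines should read like `CKA_LABEL UTF8 "Autoridade Certificadora Raiz Brasileira v2"`, with the matching comment lines fixed the same way. If any later step derives file names or nicknames from CKA_LABEL (not visible in this diff), check how it handles `?` and the `/` in the IGC/A label; a check in the update procedure that rejects labels with leading punctuation or non-printable characters would catch this on the next refresh.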
@@ -11226,7 +11404,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissCom_Root2" +CKA_LABEL UTF8 "?Swisscom Root CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061 @@ -11351,7 +11529,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissCom_Root2" +# Trust for "?Swisscom Root CA 2" # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6 # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch @@ -11363,7 +11541,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissCom_Root2" +CKA_LABEL UTF8 "?Swisscom Root CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \167\107\117\306\060\344\017\114\107\144\077\204\272\270\306\225 \112\212\101\354 @@ -11391,7 +11569,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovFrance_Root1" +# Certificate "?IGC/A AC racine Etat francais" # # Issuer: CN=IGC/A AC racine Etat francais,OU=0002 130007669,O=ANSSI,C=FR # Serial Number:11:21:85:0c:b3:9c:6a:32:fa:be:67:1b:81:3f:a4:86:15:8f @@ -11404,7 +11582,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovFrance_Root1" +CKA_LABEL UTF8 "?IGC/A AC racine Etat francais" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\136\061\013\060\011\006\003\125\004\006\023\002\106\122\061 
@@ -11526,7 +11704,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovFrance_Root1" +# Trust for "?IGC/A AC racine Etat francais" # Issuer: CN=IGC/A AC racine Etat francais,OU=0002 130007669,O=ANSSI,C=FR # Serial Number:11:21:85:0c:b3:9c:6a:32:fa:be:67:1b:81:3f:a4:86:15:8f # Subject: CN=IGC/A AC racine Etat francais,OU=0002 130007669,O=ANSSI,C=FR @@ -11538,7 +11716,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovFrance_Root1" +CKA_LABEL UTF8 "?IGC/A AC racine Etat francais" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \032\311\057\011\352\211\342\213\022\155\372\305\036\072\367\352 \220\225\243\356 @@ -11565,7 +11743,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "PersonalID_Root1" +# Certificate "?PersonalID Trustworthy RootCA 2011" # # Issuer: CN=PersonalID Trustworthy RootCA 2011,OU=Certificate Services,O=PersonalID Ltd.,C=IL # Serial Number:58:cb:f9:64:96:71:74:95:40:f4:ad:08:ac:64:e4:e3 @@ -11578,7 +11756,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PersonalID_Root1" +CKA_LABEL UTF8 "?PersonalID Trustworthy RootCA 2011" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\163\061\013\060\011\006\003\125\004\006\023\002\111\114\061 
@@ -11711,7 +11889,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "PersonalID_Root1" +# Trust for "?PersonalID Trustworthy RootCA 2011" # Issuer: CN=PersonalID Trustworthy RootCA 2011,OU=Certificate Services,O=PersonalID Ltd.,C=IL # Serial Number:58:cb:f9:64:96:71:74:95:40:f4:ad:08:ac:64:e4:e3 # Subject: CN=PersonalID Trustworthy RootCA 2011,OU=Certificate Services,O=PersonalID Ltd.,C=IL @@ -11723,7 +11901,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PersonalID_Root1" +CKA_LABEL UTF8 "?PersonalID Trustworthy RootCA 2011" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \103\224\316\061\046\377\032\042\114\335\115\356\264\364\354\035 \243\150\357\152 @@ -11752,7 +11930,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Actalis_Root1" +# Certificate "Actalis Authentication Root CA" # # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT # Serial Number:57:0a:11:97:42:c4:e3:cc @@ -11765,7 +11943,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Actalis_Root1" +CKA_LABEL UTF8 "Actalis Authentication Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\153\061\013\060\011\006\003\125\004\006\023\002\111\124\061 @@ -11887,7 +12065,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Actalis_Root1" +# Trust for "Actalis Authentication Root CA" # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT # Serial Number:57:0a:11:97:42:c4:e3:cc # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT 
@@ -11899,7 +12077,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Actalis_Root1" +CKA_LABEL UTF8 "Actalis Authentication Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \363\163\263\207\006\132\050\204\212\362\363\112\316\031\053\335 \307\216\234\254 @@ -11926,7 +12104,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "BuyPass_Root2" +# Certificate "Buypass Class 3 Root CA" # # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO # Serial Number: 2 (0x2) @@ -11939,7 +12117,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BuyPass_Root2" +CKA_LABEL UTF8 "Buypass Class 3 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 @@ -12051,7 +12229,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "BuyPass_Root2" +# Trust for "Buypass Class 3 Root CA" # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO # Serial Number: 2 (0x2) # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO @@ -12063,7 +12241,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BuyPass_Root2" +CKA_LABEL UTF8 "Buypass Class 3 Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \332\372\367\372\146\204\354\006\217\024\120\275\307\302\201\245 \274\251\144\127 @@ -12088,7 +12266,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "BuyPass_Root1" +# Certificate "Buypass Class 2 Root CA" # # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO # Serial Number: 2 (0x2) 
@@ -12101,7 +12279,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BuyPass_Root1" +CKA_LABEL UTF8 "Buypass Class 2 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\116\061\013\060\011\006\003\125\004\006\023\002\116\117\061 @@ -12213,7 +12391,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "BuyPass_Root1" +# Trust for "Buypass Class 2 Root CA" # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO # Serial Number: 2 (0x2) # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO @@ -12225,7 +12403,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BuyPass_Root1" +CKA_LABEL UTF8 "Buypass Class 2 Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \111\012\165\164\336\207\012\107\376\130\356\366\307\153\353\306 \013\022\100\231 @@ -12250,7 +12428,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TcTrust_root1" +# Certificate "T-TeleSec Global Root Class 3" # # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE # Serial Number: 1 (0x1) @@ -12263,7 +12441,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TcTrust_root1" +CKA_LABEL UTF8 "T-TeleSec Global Root Class 3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105 
@@ -12358,7 +12536,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TcTrust_root1" +# Trust for "T-TeleSec Global Root Class 3" # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE # Serial Number: 1 (0x1) # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE @@ -12370,7 +12548,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TcTrust_root1" +CKA_LABEL UTF8 "T-TeleSec Global Root Class 3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \125\246\162\076\313\362\354\315\303\043\164\160\031\235\052\276 \021\343\201\321 @@ -12399,7 +12577,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "BIT_root2" +# Certificate "Swiss Government Root CA II" # # Issuer: CN=Swiss Government Root CA II,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH # Serial Number:0e:9f:17:99:a5:b1:3d:9c:cb:ec:06:eb:a3:f0:0e:69 @@ -12412,7 +12590,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BIT_root2" +CKA_LABEL UTF8 "Swiss Government Root CA II" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\247\061\013\060\011\006\003\125\004\006\023\002\103\110 
@@ -12583,7 +12761,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "BIT_root2" +# Trust for "Swiss Government Root CA II" # Issuer: CN=Swiss Government Root CA II,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH # Serial Number:0e:9f:17:99:a5:b1:3d:9c:cb:ec:06:eb:a3:f0:0e:69 # Subject: CN=Swiss Government Root CA II,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH @@ -12595,7 +12773,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BIT_root2" +CKA_LABEL UTF8 "Swiss Government Root CA II" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \307\367\313\342\002\066\146\371\206\002\135\112\076\061\077\051 \353\014\133\070 @@ -12627,7 +12805,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "BIT_root1" +# Certificate "Swiss Government Root CA I" # # Issuer: CN=Swiss Government Root CA I,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH # Serial Number:00:fd:75:04:8d:7a:60:86:93:69:4c:aa:00:3c:65:d3:3d @@ -12640,7 +12818,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BIT_root1" +CKA_LABEL UTF8 "Swiss Government Root CA I" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\246\061\013\060\011\006\003\125\004\006\023\002\103\110 
@@ -12811,7 +12989,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "BIT_root1" +# Trust for "Swiss Government Root CA I" # Issuer: CN=Swiss Government Root CA I,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH # Serial Number:00:fd:75:04:8d:7a:60:86:93:69:4c:aa:00:3c:65:d3:3d # Subject: CN=Swiss Government Root CA I,OU=Certification Authorities,OU=Services,O=The Federal Authorities of the Swiss Confederation,C=CH @@ -12823,7 +13001,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "BIT_root1" +CKA_LABEL UTF8 "Swiss Government Root CA I" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \241\130\121\207\025\145\206\316\371\304\124\342\052\261\134\130 \164\126\007\264 @@ -12855,7 +13033,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comsign_root1" +# Certificate "ComSign Global Root CA" # # Issuer: C=IL,O=ComSign Ltd.,CN=ComSign Global Root CA # Serial Number:00:8f:61:71:15:ba:79:58:17:8c:7d:11:3a:ac:d6:db:ae @@ -12868,7 +13046,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comsign_root1" +CKA_LABEL UTF8 "ComSign Global Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\037\060\035\006\003\125\004\003\023\026\103\157\155 @@ -12992,7 +13170,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comsign_root1" +# Trust for "ComSign Global Root CA" # Issuer: C=IL,O=ComSign Ltd.,CN=ComSign Global Root CA # Serial Number:00:8f:61:71:15:ba:79:58:17:8c:7d:11:3a:ac:d6:db:ae # Subject: C=IL,O=ComSign Ltd.,CN=ComSign Global Root CA 
@@ -13004,7 +13182,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comsign_root1" +CKA_LABEL UTF8 "ComSign Global Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \256\073\061\277\217\330\221\007\234\361\337\064\313\316\156\160 \323\177\265\260 @@ -13030,7 +13208,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetworkSolutions_root1" +# Certificate "Network Solutions" # # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US # Serial Number:1c:a0:2d:c1:52:3b:6a:6d:8b:5c:1f:95:4a:ed:ac:30 @@ -13043,7 +13221,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutions_root1" +CKA_LABEL UTF8 "Network Solutions" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\142\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -13132,7 +13310,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetworkSolutions_root1" +# Trust for "Network Solutions" # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US # Serial Number:1c:a0:2d:c1:52:3b:6a:6d:8b:5c:1f:95:4a:ed:ac:30 # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US @@ -13144,7 +13322,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutions_root1" +CKA_LABEL UTF8 "Network Solutions" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \161\211\232\147\277\063\257\061\276\375\300\161\370\367\063\261 \203\205\143\062 
@@ -13172,7 +13350,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comodo_root1" +# Certificate "Sectigo (CCA)" # # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:20:a4:c4:7f:dd:df:e1:c7:53:63:07:13:88:77:60:12 @@ -13185,7 +13363,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_root1" +CKA_LABEL UTF8 "Sectigo (CCA)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\201\061\013\060\011\006\003\125\004\006\023\002\107\102 @@ -13282,7 +13460,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comodo_root1" +# Trust for "Sectigo (CCA)" # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:20:a4:c4:7f:dd:df:e1:c7:53:63:07:13:88:77:60:12 # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -13294,7 +13472,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_root1" +CKA_LABEL UTF8 "Sectigo (CCA)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \356\206\223\207\377\375\203\111\253\132\321\103\042\130\207\211 \244\127\260\022 @@ -13324,7 +13502,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovLux_root1" +# Certificate "LuxTrust Global Root CA" # # Issuer: CN=LuxTrust Global Root,O=LuxTrust s.a.,C=LU # Serial Number: 3000 (0xbb8) 
@@ -13337,7 +13515,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovLux_root1" +CKA_LABEL UTF8 "LuxTrust Global Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\013\060\011\006\003\125\004\006\023\002\114\125\061 @@ -13418,7 +13596,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovLux_root1" +# Trust for "LuxTrust Global Root CA" # Issuer: CN=LuxTrust Global Root,O=LuxTrust s.a.,C=LU # Serial Number: 3000 (0xbb8) # Subject: CN=LuxTrust Global Root,O=LuxTrust s.a.,C=LU @@ -13430,7 +13608,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovLux_root1" +CKA_LABEL UTF8 "LuxTrust Global Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \311\074\064\352\220\331\023\014\017\003\000\113\230\275\213\065 \160\221\126\021 @@ -13455,7 +13633,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovSpain_root1" +# Certificate "AC1 RAIZ MTIN" # # Issuer: C=ES,L=MADRID,O=MINISTERIO DE TRABAJO E INMIGRACION,OU=SUBDIRECCION GENERAL DE PROCESO DE DATOS,OU=PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN,serialNumber=S2819001E,CN=AC1 RAIZ MTIN # Serial Number:05:0b:41:5e:82:7b @@ -13468,7 +13646,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovSpain_root1" +CKA_LABEL UTF8 "AC1 RAIZ MTIN" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\342\061\026\060\024\006\003\125\004\003\023\015\101\103 
@@ -13663,7 +13841,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovSpain_root1" +# Trust for "AC1 RAIZ MTIN" # Issuer: C=ES,L=MADRID,O=MINISTERIO DE TRABAJO E INMIGRACION,OU=SUBDIRECCION GENERAL DE PROCESO DE DATOS,OU=PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN,serialNumber=S2819001E,CN=AC1 RAIZ MTIN # Serial Number:05:0b:41:5e:82:7b # Subject: C=ES,L=MADRID,O=MINISTERIO DE TRABAJO E INMIGRACION,OU=SUBDIRECCION GENERAL DE PROCESO DE DATOS,OU=PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN,serialNumber=S2819001E,CN=AC1 RAIZ MTIN @@ -13675,7 +13853,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovSpain_root1" +CKA_LABEL UTF8 "AC1 RAIZ MTIN" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \152\322\073\235\304\216\067\137\205\232\331\312\265\205\062\134 \043\211\100\161 @@ -13710,7 +13888,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "msft_root1" +# Certificate "Microsoft Root Certificate Authority 2011" # # Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:3f:8b:c8:b5:fc:9f:b2:96:43:b5:69:d6:6c:42:e1:44 @@ -13723,7 +13901,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_root1" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority 2011" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -13854,7 +14032,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "msft_root1" +# Trust for "Microsoft Root Certificate Authority 2011" # Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:3f:8b:c8:b5:fc:9f:b2:96:43:b5:69:d6:6c:42:e1:44 # Subject: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US @@ -13866,7 +14044,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_root1" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority 2011" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \217\103\050\212\322\162\363\020\073\157\261\102\204\205\352\060 \024\300\274\376 @@ -13896,7 +14074,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "atos_root1" +# Certificate "Atos TrustedRoot 2011" # # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011 # Serial Number:5c:33:cb:62:2c:5f:b3:32 @@ -13909,7 +14087,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "atos_root1" +CKA_LABEL UTF8 "Atos TrustedRoot 2011" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157 @@ -13989,7 +14167,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "atos_root1" +# Trust for "Atos TrustedRoot 2011" # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011 # Serial Number:5c:33:cb:62:2c:5f:b3:32 # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011 
@@ -14001,7 +14179,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "atos_root1" +CKA_LABEL UTF8 "Atos TrustedRoot 2011" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \053\261\365\076\125\014\035\305\361\324\346\267\152\106\113\125 \006\002\254\041 @@ -14025,7 +14203,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ANCERT_root5" +# Certificate "ANCERT Certificados Notariales V2" # # Issuer: CN=ANCERT Certificados Notariales V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES # Serial Number:09:bd:56:05:2a:13:16:f4:68:4f:74:0e:a9:7d:1c:48 @@ -14038,7 +14216,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANCERT_root5" +CKA_LABEL UTF8 "ANCERT Certificados Notariales V2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\174\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -14185,7 +14363,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ANCERT_root5" +# Trust for "ANCERT Certificados Notariales V2" # Issuer: CN=ANCERT Certificados Notariales V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES # Serial Number:09:bd:56:05:2a:13:16:f4:68:4f:74:0e:a9:7d:1c:48 # Subject: CN=ANCERT Certificados Notariales V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES @@ -14197,7 +14375,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANCERT_root5" +CKA_LABEL UTF8 "ANCERT Certificados Notariales V2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \157\142\336\270\154\205\130\132\344\056\107\215\264\327\155\263 \147\130\132\346 
@@ -14226,7 +14404,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ANCERT_root4" +# Certificate "ANCERT Certificados CGN V2" # # Issuer: CN=ANCERT Certificados CGN V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES # Serial Number:0f:38:8c:70:fe:a6:95:5d:e9:5d:9c:87:af:79:04:99 @@ -14239,7 +14417,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANCERT_root4" +CKA_LABEL UTF8 "ANCERT Certificados CGN V2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\165\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -14385,7 +14563,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ANCERT_root4" +# Trust for "ANCERT Certificados CGN V2" # Issuer: CN=ANCERT Certificados CGN V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES # Serial Number:0f:38:8c:70:fe:a6:95:5d:e9:5d:9c:87:af:79:04:99 # Subject: CN=ANCERT Certificados CGN V2,O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988,C=ES @@ -14397,7 +14575,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANCERT_root4" +CKA_LABEL UTF8 "ANCERT Certificados CGN V2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \176\261\240\102\233\345\364\050\254\053\223\227\035\174\204\110 \245\066\007\014 @@ -14426,7 +14604,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Juur-SK_EECCRCA" +# Certificate "Estonian Certification Centre Root CA" # # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a 
@@ -14439,7 +14617,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Juur-SK_EECCRCA" +CKA_LABEL UTF8 "Estonian Certification Centre Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\165\061\013\060\011\006\003\125\004\006\023\002\105\105\061 @@ -14537,7 +14715,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Juur-SK_EECCRCA" +# Trust for "Estonian Certification Centre Root CA" # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE @@ -14549,7 +14727,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Juur-SK_EECCRCA" +CKA_LABEL UTF8 "Estonian Certification Centre Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \311\250\271\347\125\200\136\130\343\123\167\247\045\353\257\303 \173\047\314\327 @@ -14578,7 +14756,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GSA_fbca256" +# Certificate "U.S Government Common Policy" # # Issuer: CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US # Serial Number: 304 (0x130) @@ -14591,7 +14769,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GSA_fbca256" +CKA_LABEL UTF8 "U.S Government Common Policy" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\131\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -14690,7 +14868,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GSA_fbca256" +# Trust for "U.S Government Common Policy" # Issuer: CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US # Serial Number: 304 (0x130) # Subject: CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US @@ -14702,7 +14880,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GSA_fbca256" +CKA_LABEL UTF8 "U.S Government Common Policy" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \220\137\224\057\331\362\217\147\233\067\201\200\375\117\204\143 \107\366\105\301 @@ -14728,7 +14906,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CNNIC_CNNICEV" +# Certificate "China Internet Network Information Center EV Certificates Root" # # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN # Serial Number: 1218379777 (0x489f0001) @@ -14741,7 +14919,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC_CNNICEV" +CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116 
@@ -14839,7 +15017,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CNNIC_CNNICEV" +# Trust for "China Internet Network Information Center EV Certificates Root" # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN # Serial Number: 1218379777 (0x489f0001) # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN @@ -14851,7 +15029,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC_CNNICEV" +CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \117\231\252\223\373\053\321\067\046\241\231\112\316\177\360\005 \362\223\135\036 @@ -14880,7 +15058,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comodo_USERTrustECC" +# Certificate "Sectigo ECC" # # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 @@ -14893,7 +15071,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_USERTrustECC" +CKA_LABEL UTF8 "Sectigo ECC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -14970,7 +15148,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comodo_USERTrustECC" +# Trust for "Sectigo ECC" # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26 # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US @@ -14982,7 +15160,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_USERTrustECC" +CKA_LABEL UTF8 "Sectigo ECC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \321\313\312\135\262\325\052\177\151\073\147\115\345\360\132\035 \014\225\175\360 @@ -15012,7 +15190,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comodo_USERTrustRSA" +# Certificate "Sectigo" # # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d @@ -15025,7 +15203,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_USERTrustRSA" +CKA_LABEL UTF8 "Sectigo" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -15155,7 +15333,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comodo_USERTrustRSA" +# Trust for "Sectigo" # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US @@ -15167,7 +15345,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_USERTrustRSA" +CKA_LABEL UTF8 "Sectigo" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \053\217\033\127\063\015\273\242\320\172\154\121\367\016\351\015 \332\271\255\216 @@ -15197,7 +15375,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comodo_COMODORSA" +# Certificate "Sectigo (formerly Comodo CA)" # # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d @@ -15210,7 +15388,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_COMODORSA" +CKA_LABEL UTF8 "Sectigo (formerly Comodo CA)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102 
@@ -15339,7 +15517,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comodo_COMODORSA" +# Trust for "Sectigo (formerly Comodo CA)" # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -15351,7 +15529,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_COMODORSA" +CKA_LABEL UTF8 "Sectigo (formerly Comodo CA)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \257\345\322\104\250\321\031\102\060\377\107\237\342\370\227\273 \315\172\214\264 @@ -15381,7 +15559,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "VerizonRoot_vz_sha256" +# Certificate "DigiCert Global Root CA" # # Issuer: CN=Verizon Global Root CA,OU=OmniRoot,O=Verizon Business,C=US # Serial Number: 1 (0x1) @@ -15394,7 +15572,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VerizonRoot_vz_sha256" +CKA_LABEL UTF8 "DigiCert Global Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\134\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -15478,7 +15656,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "VerizonRoot_vz_sha256" +# Trust for "DigiCert Global Root CA" # Issuer: CN=Verizon Global Root CA,OU=OmniRoot,O=Verizon Business,C=US # Serial Number: 1 (0x1) # Subject: CN=Verizon Global Root CA,OU=OmniRoot,O=Verizon Business,C=US 
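Review bot: The new label `"DigiCert Global Root CA"` in the `# Certificate` comment hunk names a different CA than the certificate it is attached to, whose Issuer and Subject lines read `CN=Verizon Global Root CA,OU=OmniRoot,O=Verizon Business,C=US`. Anyone auditing or pruning the trust store by label would take this entry for DigiCert's own root of that name. If the bundle also carries that root, the two labels would collide; that is not visible in these hunks. A label that follows the subject, `CKA_LABEL UTF8 "Verizon Global Root CA"`, keeps the entry identifiable. The same applies to the two `CKA_LABEL` hunks and the `# Trust for` hunk for this certificate.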
@@ -15490,7 +15668,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VerizonRoot_vz_sha256" +CKA_LABEL UTF8 "DigiCert Global Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \221\041\230\356\362\075\312\304\011\071\061\057\356\227\335\126 \013\256\111\261 @@ -15516,7 +15694,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissSign_Silver_Root_G3" +# Certificate "SwissSign Silver Root CA – G3" # # Issuer: CN=SwissSign Silver Root CA - G3,O=SwissSign AG,C=CH # Serial Number:00:aa:88:b0:5a:0b:b1:76:9b @@ -15529,7 +15707,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Silver_Root_G3" +CKA_LABEL UTF8 "SwissSign Silver Root CA – G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\114\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -15644,7 +15822,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissSign_Silver_Root_G3" +# Trust for "SwissSign Silver Root CA – G3" # Issuer: CN=SwissSign Silver Root CA - G3,O=SwissSign AG,C=CH # Serial Number:00:aa:88:b0:5a:0b:b1:76:9b # Subject: CN=SwissSign Silver Root CA - G3,O=SwissSign AG,C=CH @@ -15656,7 +15834,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Silver_Root_G3" +CKA_LABEL UTF8 "SwissSign Silver Root CA – G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \215\010\374\103\300\167\014\250\117\115\314\262\324\032\135\225 \155\170\155\304 
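Review bot: The SwissSign label introduced in these hunks, `"SwissSign Silver Root CA – G3"`, contains a non-ASCII en dash, while the certificate's own Issuer and Subject lines use a plain hyphen (`CN=SwissSign Silver Root CA - G3`). Whether every consumer of this file copes with multi-byte label text is not visible here; tools that derive file names or nicknames from `CKA_LABEL` are the usual place this breaks. Writing `CKA_LABEL UTF8 "SwissSign Silver Root CA - G3"` matches the subject and keeps the label ASCII. The later Go Daddy hunks (`"Go Daddy Root Certificate Authority – G2"`) have the same en dash.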
@@ -15681,7 +15859,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "MicroSec_Micorosec2009" +# Certificate "MicroSec e-Szigno Root CA 2009" # # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU # Serial Number:00:c2:7e:43:04:4e:47:3f:19 @@ -15694,7 +15872,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MicroSec_Micorosec2009" +CKA_LABEL UTF8 "MicroSec e-Szigno Root CA 2009" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\202\061\013\060\011\006\003\125\004\006\023\002\110\125 @@ -15793,7 +15971,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "MicroSec_Micorosec2009" +# Trust for "MicroSec e-Szigno Root CA 2009" # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU # Serial Number:00:c2:7e:43:04:4e:47:3f:19 # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU @@ -15805,7 +15983,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MicroSec_Micorosec2009" +CKA_LABEL UTF8 "MicroSec e-Szigno Root CA 2009" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \211\337\164\376\134\364\017\112\200\371\343\067\175\124\332\221 \341\001\061\216 @@ -15834,7 +16012,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ANFAC_ANF_Server_CA" +# Certificate "ANF AC" # # Issuer: CN=ANF Server CA,serialNumber=G63287510,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificaci..n,L=Barcelona (see current address at https://www.anf.es/address/),ST=Barcelona,C=ES # Serial Number: 78923 (0x1344b) 
@@ -15847,7 +16025,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANFAC_ANF_Server_CA" +CKA_LABEL UTF8 "ANF AC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\331\061\013\060\011\006\003\125\004\006\023\002\105\123 @@ -15998,7 +16176,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ANFAC_ANF_Server_CA" +# Trust for "ANF AC" # Issuer: CN=ANF Server CA,serialNumber=G63287510,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificaci..n,L=Barcelona (see current address at https://www.anf.es/address/),ST=Barcelona,C=ES # Serial Number: 78923 (0x1344b) # Subject: CN=ANF Server CA,serialNumber=G63287510,OU=ANF Clase 1 CA,O=ANF Autoridad de Certificaci..n,L=Barcelona (see current address at https://www.anf.es/address/),ST=Barcelona,C=ES @@ -16010,7 +16188,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ANFAC_ANF_Server_CA" +CKA_LABEL UTF8 "ANF AC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \316\251\211\015\205\330\007\123\246\046\050\154\332\327\214\265 \146\327\014\362 @@ -16044,7 +16222,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SpanishProperty_RAIZ_REGISTRADORES_SAFELAYER" +# Certificate "Colegio de Registradores Mercantiles" # # Issuer: CN=Registradores de Espa..a - CA Ra..z,OU=Certificado Propio,O=Colegio de Registradores de la Propiedad y Mercantiles de Espa..a,C=ES # Serial Number:2d:e4:0a:e1:9b:d1:c2:aa:4c:f4:00:ac:81:35:f9 
@@ -16057,7 +16235,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SpanishProperty_RAIZ_REGISTRADORES_SAFELAYER" +CKA_LABEL UTF8 "Colegio de Registradores Mercantiles" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\244\061\013\060\011\006\003\125\004\006\023\002\105\123 @@ -16210,7 +16388,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SpanishProperty_RAIZ_REGISTRADORES_SAFELAYER" +# Trust for "Colegio de Registradores Mercantiles" # Issuer: CN=Registradores de Espa..a - CA Ra..z,OU=Certificado Propio,O=Colegio de Registradores de la Propiedad y Mercantiles de Espa..a,C=ES # Serial Number:2d:e4:0a:e1:9b:d1:c2:aa:4c:f4:00:ac:81:35:f9 # Subject: CN=Registradores de Espa..a - CA Ra..z,OU=Certificado Propio,O=Colegio de Registradores de la Propiedad y Mercantiles de Espa..a,C=ES @@ -16222,7 +16400,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SpanishProperty_RAIZ_REGISTRADORES_SAFELAYER" +CKA_LABEL UTF8 "Colegio de Registradores Mercantiles" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \041\021\145\312\067\237\273\136\330\001\343\034\103\012\142\252 \301\011\274\264 @@ -16254,7 +16432,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Sonera_teliasonera" +# Certificate "TeliaSonera Root CA v1" # # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 
@@ -16267,7 +16445,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Sonera_teliasonera" +CKA_LABEL UTF8 "TeliaSonera Root CA v1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154 @@ -16376,7 +16554,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Sonera_teliasonera" +# Trust for "TeliaSonera Root CA v1" # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96 # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera @@ -16388,7 +16566,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Sonera_teliasonera" +CKA_LABEL UTF8 "TeliaSonera Root CA v1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \103\023\273\226\361\325\206\233\301\116\152\222\366\317\366\064 \151\207\202\067 @@ -16413,7 +16591,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CzechPost_postsignum_qca2_root" +# Certificate "PostSignum Root QCA 2" # # Issuer: CN=PostSignum Root QCA 2,O="..esk.. po..ta, s.p. [I.. 47114983]",C=CZ # Serial Number: 100 (0x64) @@ -16426,7 +16604,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CzechPost_postsignum_qca2_root" +CKA_LABEL UTF8 "PostSignum Root QCA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\133\061\013\060\011\006\003\125\004\006\023\002\103\132\061 
@@ -16544,7 +16722,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CzechPost_postsignum_qca2_root" +# Trust for "PostSignum Root QCA 2" # Issuer: CN=PostSignum Root QCA 2,O="..esk.. po..ta, s.p. [I.. 47114983]",C=CZ # Serial Number: 100 (0x64) # Subject: CN=PostSignum Root QCA 2,O="..esk.. po..ta, s.p. [I.. 47114983]",C=CZ @@ -16556,7 +16734,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CzechPost_postsignum_qca2_root" +CKA_LABEL UTF8 "PostSignum Root QCA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \240\370\333\077\013\364\027\151\073\050\056\267\112\152\330\155 \371\324\110\243 @@ -16582,7 +16760,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CertPlus_Keynectis" +# Certificate "KEYNECTSIS ROOT CA" # # Issuer: CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR # Serial Number:11:21:bc:27:6c:55:47:af:58:4e:ef:d4:ce:d6:29:b2:a2:85 @@ -16595,7 +16773,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CertPlus_Keynectis" +CKA_LABEL UTF8 "KEYNECTSIS ROOT CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\114\061\013\060\011\006\003\125\004\006\023\002\106\122\061 @@ -16685,7 +16863,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CertPlus_Keynectis" +# Trust for "KEYNECTSIS ROOT CA" # Issuer: CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR # Serial Number:11:21:bc:27:6c:55:47:af:58:4e:ef:d4:ce:d6:29:b2:a2:85 # Subject: CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR 
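Review bot: The new label `"KEYNECTSIS ROOT CA"` is misspelled; the Issuer and Subject lines of the same entry read `CN=KEYNECTIS ROOT CA`. A label that differs from the subject by a transposed letter makes the entry hard to find when searching the trust store by CA name, for example when acting on a distrust notice. The label should read `CKA_LABEL UTF8 "KEYNECTIS ROOT CA"`, with the `# Certificate` and `# Trust for` comments changed to match. The trust-object `CKA_LABEL` hunk that follows carries the same misspelling.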
@@ -16697,7 +16875,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CertPlus_Keynectis" +CKA_LABEL UTF8 "KEYNECTSIS ROOT CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \234\141\134\115\115\205\020\072\123\046\302\115\272\352\344\242 \322\325\314\227 @@ -16723,7 +16901,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GovLithuania_RootCA" +# Certificate "VI Registru Centras RCSC (RootCA)" # # Issuer: CN=VI Registru Centras RCSC (RootCA),OU=Registru Centro Sertifikavimo Centras,O=VI Registru Centras - I.k. 124110246,C=LT # Serial Number:03:a3:a4:57:b5:f0:f3:86:4a:11:63:e8:98:ff:16:9c @@ -16736,7 +16914,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovLithuania_RootCA" +CKA_LABEL UTF8 "VI Registru Centras RCSC (RootCA)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\230\061\013\060\011\006\003\125\004\006\023\002\114\124 @@ -16878,7 +17056,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GovLithuania_RootCA" +# Trust for "VI Registru Centras RCSC (RootCA)" # Issuer: CN=VI Registru Centras RCSC (RootCA),OU=Registru Centro Sertifikavimo Centras,O=VI Registru Centras - I.k. 124110246,C=LT # Serial Number:03:a3:a4:57:b5:f0:f3:86:4a:11:63:e8:98:ff:16:9c # Subject: CN=VI Registru Centras RCSC (RootCA),OU=Registru Centro Sertifikavimo Centras,O=VI Registru Centras - I.k. 124110246,C=LT 
@@ -16890,7 +17068,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GovLithuania_RootCA" +CKA_LABEL UTF8 "VI Registru Centras RCSC (RootCA)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \227\035\064\206\374\036\216\143\025\367\306\362\341\051\147\307 \044\064\042\024 @@ -16921,7 +17099,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoDaddy_sfsroot-g2" +# Certificate "Amazon Services Root Certificate Authority -- G2" # # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) @@ -16934,7 +17112,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_sfsroot-g2" +CKA_LABEL UTF8 "Amazon Services Root Certificate Authority -- G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\230\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -17034,7 +17212,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoDaddy_sfsroot-g2" +# Trust for "Amazon Services Root Certificate Authority -- G2" # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US 
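Review bot: The label `"Amazon Services Root Certificate Authority -- G2"` names a different organisation from the subject shown in the same hunks, `CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc."`. Someone searching the store by label for the Starfield Services root during an audit or a distrust action would miss this entry. Consider keeping the subject's name in the label, e.g. `CKA_LABEL UTF8 "Starfield Services Root Certificate Authority - G2"`, or adding a comment line that records where the new name comes from. The trust-object `CKA_LABEL` hunk for the same root opens the next line.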
@@ -17046,7 +17224,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_sfsroot-g2" +CKA_LABEL UTF8 "Amazon Services Root Certificate Authority -- G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \222\132\217\215\054\155\004\340\146\137\131\152\377\042\330\143 \350\045\157\077 @@ -17076,7 +17254,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoDaddy_gdroot-g2" +# Certificate "Go Daddy Root Certificate Authority – G2" # # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) @@ -17089,7 +17267,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_gdroot-g2" +CKA_LABEL UTF8 "Go Daddy Root Certificate Authority – G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -17184,7 +17362,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoDaddy_gdroot-g2" +# Trust for "Go Daddy Root Certificate Authority – G2" # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -17196,7 +17374,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_gdroot-g2" +CKA_LABEL UTF8 "Go Daddy Root Certificate Authority – G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \107\276\253\311\042\352\350\016\170\170\064\142\247\237\105\302 \124\375\346\213 
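Review bot: The new `Go Daddy Root Certificate Authority – G2` labels on this line, and the `Starfield Root Certificate Authority – G2` labels in the hunks that follow, contain a non-ASCII en dash as displayed here, while the Subject comments and the other renamed labels in this diff use an ASCII hyphen. Tools that match roots by label, or derive file names from it, may treat the two characters differently, so this is worth confirming with the store's consumers. Unless the dash is intended, write `CKA_LABEL UTF8 "Go Daddy Root Certificate Authority - G2"` and `CKA_LABEL UTF8 "Starfield Root Certificate Authority - G2"`, with the same spelling in the `# Certificate` and `# Trust for` comments.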
@@ -17225,7 +17403,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoDaddy_sfroot-g2" +# Certificate "Starfield Root Certificate Authority – G2" # # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) @@ -17238,7 +17416,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_sfroot-g2" +CKA_LABEL UTF8 "Starfield Root Certificate Authority – G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -17337,7 +17515,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoDaddy_sfroot-g2" +# Trust for "Starfield Root Certificate Authority – G2" # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US # Serial Number: 0 (0x0) # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -17349,7 +17527,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoDaddy_sfroot-g2" +CKA_LABEL UTF8 "Starfield Root Certificate Authority – G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \265\034\006\174\356\053\014\075\370\125\253\055\222\364\376\071 \324\347\017\016 @@ -17379,7 +17557,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "globals_GSRootR3" +# Certificate "GlobalSign Root CA - R3" # # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2 
@@ -17392,7 +17570,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "globals_GSRootR3" +CKA_LABEL UTF8 "GlobalSign Root CA - R3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 @@ -17473,7 +17651,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "globals_GSRootR3" +# Trust for "GlobalSign Root CA - R3" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 @@ -17485,7 +17663,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "globals_GSRootR3" +CKA_LABEL UTF8 "GlobalSign Root CA - R3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \326\233\126\021\110\360\034\167\305\105\170\301\011\046\337\133 \205\151\166\255 @@ -17510,7 +17688,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Affirmtrust_PremiumECC" +# Certificate "AffirmTrust Premium ECC" # # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US # Serial Number:74:97:25:8a:c7:3f:7a:54 @@ -17523,7 +17701,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_PremiumECC" +CKA_LABEL UTF8 "AffirmTrust Premium ECC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -17582,7 +17760,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Affirmtrust_PremiumECC" +# Trust for "AffirmTrust Premium ECC" # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US # Serial Number:74:97:25:8a:c7:3f:7a:54 # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US @@ -17594,7 +17772,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_PremiumECC" +CKA_LABEL UTF8 "AffirmTrust Premium ECC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \270\043\153\000\057\035\026\206\123\001\125\154\021\244\067\312 \353\377\303\273 @@ -17619,7 +17797,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Affirmtrust_Premium" +# Certificate "AffirmTrust Premium" # # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US # Serial Number:6d:8c:14:46:b1:a6:0a:ee @@ -17632,7 +17810,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Premium" +CKA_LABEL UTF8 "AffirmTrust Premium" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\101\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -17743,7 +17921,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Affirmtrust_Premium" +# Trust for "AffirmTrust Premium" # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US # Serial Number:6d:8c:14:46:b1:a6:0a:ee # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US 
@@ -17755,7 +17933,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Premium" +CKA_LABEL UTF8 "AffirmTrust Premium" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \330\246\063\054\340\003\157\261\205\366\143\117\175\152\006\145 \046\062\050\047 @@ -17780,7 +17958,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Affirmtrust_Networking" +# Certificate "AffirmTrust Networking" # # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US # Serial Number:7c:4f:04:39:1c:d4:99:2d @@ -17793,7 +17971,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Networking" +CKA_LABEL UTF8 "AffirmTrust Networking" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -17872,7 +18050,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Affirmtrust_Networking" +# Trust for "AffirmTrust Networking" # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US # Serial Number:7c:4f:04:39:1c:d4:99:2d # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US @@ -17884,7 +18062,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Networking" +CKA_LABEL UTF8 "AffirmTrust Networking" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \051\066\041\002\213\040\355\002\365\146\305\062\321\326\355\220 \237\105\000\057 @@ -17909,7 +18087,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Affirmtrust_Commercial" +# Certificate "AffirmTrust Commercial" # # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US # Serial Number:77:77:06:27:26:a9:b1:7c 
@@ -17922,7 +18100,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Commercial" +CKA_LABEL UTF8 "AffirmTrust Commercial" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -18001,7 +18179,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Affirmtrust_Commercial" +# Trust for "AffirmTrust Commercial" # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US # Serial Number:77:77:06:27:26:a9:b1:7c # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US @@ -18013,7 +18191,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Affirmtrust_Commercial" +CKA_LABEL UTF8 "AffirmTrust Commercial" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \371\265\266\062\105\137\234\276\354\127\137\200\334\351\156\054 \307\262\170\267 @@ -18038,7 +18216,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Entrust_new2048ca" +# Certificate "Entrust (2048)" # # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net # Serial Number: 946069240 (0x3863def8) @@ -18051,7 +18229,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_new2048ca" +CKA_LABEL UTF8 "Entrust (2048)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156 
@@ -18158,7 +18336,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Entrust_new2048ca" +# Trust for "Entrust (2048)" # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net # Serial Number: 946069240 (0x3863def8) # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net @@ -18170,7 +18348,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_new2048ca" +CKA_LABEL UTF8 "Entrust (2048)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \120\060\006\011\035\227\324\365\256\071\367\313\347\222\175\175 \145\055\064\061 @@ -18202,7 +18380,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Firma_firma2048" +# Certificate "CAROOT Firmaprofesional" # # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES # Serial Number:53:ec:3b:ee:fb:b2:48:5f @@ -18215,7 +18393,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Firma_firma2048" +CKA_LABEL UTF8 "CAROOT Firmaprofesional" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\121\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -18341,7 +18519,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Firma_firma2048" +# Trust for "CAROOT Firmaprofesional" # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES # Serial Number:53:ec:3b:ee:fb:b2:48:5f # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES 
@@ -18353,7 +18531,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Firma_firma2048" +CKA_LABEL UTF8 "CAROOT Firmaprofesional" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \256\305\373\077\310\341\277\304\345\117\003\007\132\232\350\000 \267\367\266\372 @@ -18379,7 +18557,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SECOM_SCRoot2" +# Certificate "SECOM Trust Systems Co Ltd." # # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number: 0 (0x0) @@ -18392,7 +18570,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOM_SCRoot2" +CKA_LABEL UTF8 "SECOM Trust Systems Co Ltd." CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061 @@ -18476,7 +18654,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SECOM_SCRoot2" +# Trust for "SECOM Trust Systems Co Ltd." # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number: 0 (0x0) # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -18488,7 +18666,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOM_SCRoot2" +CKA_LABEL UTF8 "SECOM Trust Systems Co Ltd." CKA_CERT_SHA1_HASH MULTILINE_OCTAL \137\073\214\362\370\020\263\175\170\264\316\354\031\031\303\163 \064\271\307\164 
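Review bot: `"SECOM Trust Systems Co Ltd."` labels the root by organisation only and drops the `Security Communication RootCA2` name that the Subject comment carries; the later `"Entrust.net"` label for `Entrust Root Certification Authority - G2` does the same. If another root from the same organisation is present in this file (not visible in these hunks), the labels can end up identical or hard to tell apart, which makes it harder to single out one root for review or distrust. A label that keeps the root's own name, e.g. `CKA_LABEL UTF8 "Security Communication RootCA2"`, avoids that.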
@@ -18514,7 +18692,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Brazil_acraizv1" +# Certificate "Autoridade Certificadora da Raiz Brasileira v1 - ICP-Brasil" # # Issuer: CN=Autoridade Certificadora Raiz Brasileira v1,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number: 1 (0x1) @@ -18527,7 +18705,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Brazil_acraizv1" +CKA_LABEL UTF8 "Autoridade Certificadora da Raiz Brasileira v1 - ICP-Brasil" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\227\061\013\060\011\006\003\125\004\006\023\002\102\122 @@ -18636,7 +18814,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Brazil_acraizv1" +# Trust for "Autoridade Certificadora da Raiz Brasileira v1 - ICP-Brasil" # Issuer: CN=Autoridade Certificadora Raiz Brasileira v1,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number: 1 (0x1) # Subject: CN=Autoridade Certificadora Raiz Brasileira v1,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR @@ -18648,7 +18826,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Brazil_acraizv1" +CKA_LABEL UTF8 "Autoridade Certificadora da Raiz Brasileira v1 - ICP-Brasil" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \160\135\053\105\145\307\004\172\124\006\224\247\232\367\253\270 \102\275\301\141 @@ -18678,7 +18856,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ATrust_Qual03a" +# Certificate "A-Trust-Qual-03a" # # Issuer: CN=A-Trust-Qual-03,OU=A-Trust-Qual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 255636 (0x3e694) 
@@ -18691,7 +18869,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_Qual03a" +CKA_LABEL UTF8 "A-Trust-Qual-03a" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\213\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -18786,7 +18964,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ATrust_Qual03a" +# Trust for "A-Trust-Qual-03a" # Issuer: CN=A-Trust-Qual-03,OU=A-Trust-Qual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 255636 (0x3e694) # Subject: CN=A-Trust-Qual-03,OU=A-Trust-Qual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT @@ -18798,7 +18976,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATrust_Qual03a" +CKA_LABEL UTF8 "A-Trust-Qual-03a" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \102\357\335\346\277\363\136\320\272\346\254\335\040\114\120\256 \206\304\364\372 @@ -18827,7 +19005,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "UserTrust_AddTrustRoot" +# Certificate "Sectigo (AddTrust)" # # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE # Serial Number: 1 (0x1) @@ -18840,7 +19018,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UserTrust_AddTrustRoot" +CKA_LABEL UTF8 "Sectigo (AddTrust)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061 
@@ -18940,7 +19118,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "UserTrust_AddTrustRoot" +# Trust for "Sectigo (AddTrust)" # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE # Serial Number: 1 (0x1) # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE @@ -18952,7 +19130,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UserTrust_AddTrustRoot" +CKA_LABEL UTF8 "Sectigo (AddTrust)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133 \150\205\030\150 @@ -18980,7 +19158,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Entrust_Entrust_G2_Root" +# Certificate "Entrust.net" # # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number: 1246989352 (0x4a538c28) @@ -18993,7 +19171,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_Entrust_G2_Root" +CKA_LABEL UTF8 "Entrust.net" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -19104,7 +19282,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Entrust_Entrust_G2_Root" +# Trust for "Entrust.net" # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number: 1246989352 (0x4a538c28) # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -19116,7 +19294,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_Entrust_G2_Root" +CKA_LABEL UTF8 "Entrust.net" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \214\364\047\375\171\014\072\321\146\006\215\350\036\127\357\273 \223\042\162\324 @@ -19149,7 +19327,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "PortugalGov_ECRaizEstado" +# Certificate "ECRaizEstado" # # Issuer: CN=ECRaizEstado,O=SCEE,C=PT # Serial Number:42:ea:5b:0a:51:11:26:7c:d8:27:74:b7:df:7f:71 @@ -19162,7 +19340,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PortugalGov_ECRaizEstado" +CKA_LABEL UTF8 "ECRaizEstado" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\063\061\013\060\011\006\003\125\004\006\023\002\120\124\061 @@ -19275,7 +19453,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "PortugalGov_ECRaizEstado" +# Trust for "ECRaizEstado" # Issuer: CN=ECRaizEstado,O=SCEE,C=PT # Serial Number:42:ea:5b:0a:51:11:26:7c:d8:27:74:b7:df:7f:71 # Subject: CN=ECRaizEstado,O=SCEE,C=PT 
@@ -19287,7 +19465,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PortugalGov_ECRaizEstado" +CKA_LABEL UTF8 "ECRaizEstado" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \071\023\205\076\105\304\071\242\332\161\214\337\266\363\340\063 \340\117\356\161 @@ -19312,7 +19490,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SerbianPost_Root" +# Certificate "Posta CA Root" # # Issuer: CN=Posta CA Root,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ca,DC=posta,DC=rs # Serial Number: 1224507125 (0x48fc7ef5) @@ -19325,7 +19503,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SerbianPost_Root" +CKA_LABEL UTF8 "Posta CA Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\256\061\022\060\020\006\012\011\222\046\211\223\362\054 @@ -19480,7 +19658,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SerbianPost_Root" +# Trust for "Posta CA Root" # Issuer: CN=Posta CA Root,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ca,DC=posta,DC=rs # Serial Number: 1224507125 (0x48fc7ef5) # Subject: CN=Posta CA Root,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ca,DC=posta,DC=rs @@ -19492,7 +19670,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SerbianPost_Root" +CKA_LABEL UTF8 "Posta CA Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \326\277\171\224\364\053\345\372\051\332\013\327\130\173\131\037 \107\244\117\042 
@@ -19524,7 +19702,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "FNMT_fnmtrcm" +# Certificate "AC RAIZ FNMT-RCM" # # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES # Serial Number:00:81:bb:dd:6b:24:1f:da:b4:be:8f:1b:da:08:55:c4 @@ -19537,7 +19715,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "FNMT_fnmtrcm" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\073\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -19651,7 +19829,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "FNMT_fnmtrcm" +# Trust for "AC RAIZ FNMT-RCM" # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES # Serial Number:00:81:bb:dd:6b:24:1f:da:b4:be:8f:1b:da:08:55:c4 # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES @@ -19663,7 +19841,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "FNMT_fnmtrcm" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \270\145\023\013\355\312\070\322\177\151\222\224\040\167\013\355 \206\357\274\020 @@ -19688,7 +19866,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TWCA_TWCA1" +# Certificate "TWCA Root Certification Authority 1" # # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW # Serial Number: 1 (0x1) @@ -19701,7 +19879,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TWCA_TWCA1" +CKA_LABEL UTF8 "TWCA Root Certification Authority 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\137\061\013\060\011\006\003\125\004\006\023\002\124\127\061 
@@ -19787,7 +19965,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TWCA_TWCA1" +# Trust for "TWCA Root Certification Authority 1" # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW # Serial Number: 1 (0x1) # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW @@ -19799,7 +19977,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TWCA_TWCA1" +CKA_LABEL UTF8 "TWCA Root Certification Authority 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \317\236\207\155\323\353\374\102\046\227\243\265\243\172\240\166 \251\006\043\110 @@ -19826,7 +20004,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Verisign_VRSN_C3_PCA_G4" +# Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3 @@ -19839,7 +20017,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Verisign_VRSN_C3_PCA_G4" +CKA_LABEL UTF8 "VeriSign Class 3 Public Primary Certification Authority - G4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -19939,7 +20117,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Verisign_VRSN_C3_PCA_G4" +# Trust for "VeriSign Class 3 Public Primary Certification Authority - G4" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -19951,7 +20129,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Verisign_VRSN_C3_PCA_G4" +CKA_LABEL UTF8 "VeriSign Class 3 Public Primary Certification Authority - G4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \042\325\330\337\217\002\061\321\215\367\235\267\317\212\055\144 \311\077\154\072 @@ -19985,7 +20163,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "thawte_THAWTE_PCA_G2" +# Certificate "thawte Primary Root CA - G2" # # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56 @@ -19998,7 +20176,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_THAWTE_PCA_G2" +CKA_LABEL UTF8 "thawte Primary Root CA - G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\204\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -20074,7 +20252,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "thawte_THAWTE_PCA_G2" +# Trust for "thawte Primary Root CA - G2" # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56 # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US @@ -20086,7 +20264,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_THAWTE_PCA_G2" +CKA_LABEL UTF8 "thawte Primary Root CA - G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \252\333\274\042\043\217\304\001\241\047\273\070\335\364\035\333 \010\236\360\022 @@ -20116,7 +20294,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GeoTrust_GEOTRUST_PCA_G2" +# Certificate "GeoTrust Primary Certification Authority - G2" # # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b @@ -20129,7 +20307,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GEOTRUST_PCA_G2" +CKA_LABEL UTF8 "GeoTrust Primary Certification Authority - G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\230\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -20210,7 +20388,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GeoTrust_GEOTRUST_PCA_G2" +# Trust for "GeoTrust Primary Certification Authority - G2" # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -20222,7 +20400,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GEOTRUST_PCA_G2" +CKA_LABEL UTF8 "GeoTrust Primary Certification Authority - G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \215\027\204\325\067\363\003\175\354\160\376\127\213\121\232\231 \346\020\327\260 @@ -20253,7 +20431,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Verisign_VRSN_UNIVERSAL_ROOT_CA" +# Certificate "VeriSign Universal Root Certification Authority" # # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d @@ -20266,7 +20444,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Verisign_VRSN_UNIVERSAL_ROOT_CA" +CKA_LABEL UTF8 "VeriSign Universal Root Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\275\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -20383,7 +20561,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Verisign_VRSN_UNIVERSAL_ROOT_CA" +# Trust for "VeriSign Universal Root Certification Authority" # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -20395,7 +20573,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Verisign_VRSN_UNIVERSAL_ROOT_CA" +CKA_LABEL UTF8 "VeriSign Universal Root Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \066\171\312\065\146\207\162\060\115\060\245\373\207\073\017\247 \173\267\015\124 @@ -20428,7 +20606,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "thawte_THAWTE_PCA_G3" +# Certificate "thawte Primary Root CA - G3" # # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb @@ -20441,7 +20619,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_THAWTE_PCA_G3" +CKA_LABEL UTF8 "thawte Primary Root CA - G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -20549,7 +20727,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "thawte_THAWTE_PCA_G3" +# Trust for "thawte Primary Root CA - G3" # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US @@ -20561,7 +20739,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_THAWTE_PCA_G3" +CKA_LABEL UTF8 "thawte Primary Root CA - G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \361\213\123\215\033\351\003\266\246\360\126\103\133\027\025\211 \312\363\153\362 @@ -20594,7 +20772,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GeoTrust_GEOTRUST_PCA_G3" +# Certificate "GeoTrust Primary Certification Authority - G3" # # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f @@ -20607,7 +20785,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GEOTRUST_PCA_G3" +CKA_LABEL UTF8 "GeoTrust Primary Certification Authority - G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\230\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -20709,7 +20887,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GeoTrust_GEOTRUST_PCA_G3" +# Trust for "GeoTrust Primary Certification Authority - G3" # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -20721,7 +20899,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GEOTRUST_PCA_G3" +CKA_LABEL UTF8 "GeoTrust Primary Certification Authority - G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \003\236\355\270\013\347\240\074\151\123\211\073\040\322\331\062 \072\114\052\375 @@ -20752,7 +20930,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Edicom_ACEDICOMRoot" +# Certificate "EDICOM" # # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root # Serial Number:61:8d:c7:86:3b:01:82:05 @@ -20765,7 +20943,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Edicom_ACEDICOMRoot" +CKA_LABEL UTF8 "EDICOM" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105 @@ -20883,7 +21061,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Edicom_ACEDICOMRoot" +# Trust for "EDICOM" # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root # Serial Number:61:8d:c7:86:3b:01:82:05 # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root 
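Review bot: Several of the new `CKA_LABEL` values name the organisation rather than the individual root, starting with `"EDICOM"` here for subject `CN=ACEDICOM Root`, and again in later hunks with `"Cisco Systems"` (CN=Cisco Root CA 2048), `"Izenpe.com"` and `"Chunghwa Telecom Co. Ltd."`. The old `Vendor_identifier` labels were certificate-specific, so a second root from the same organisation could now end up with an identical label. Whether anything downstream keys on the label (extracted file names, nicknames, pinning or deny lists written against the old strings) is not visible from these hunks and should be checked before merging. I would either keep a disambiguating part, e.g. `CKA_LABEL UTF8 "EDICOM - ACEDICOM Root"`, or add a file header comment such as `# CKA_LABEL is a friendly name and is not guaranteed unique per root`. The certificate and trust objects continue outside each hunk.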
@@ -20895,7 +21073,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Edicom_ACEDICOMRoot" +CKA_LABEL UTF8 "EDICOM" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \340\264\062\056\262\366\245\150\266\124\123\204\110\030\112\120 \066\207\103\204 @@ -20920,7 +21098,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Camerfirma_ChambersofCommerceRoot" +# Certificate "Chambers of Commerce Root - 2008" # # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU # Serial Number:00:a3:da:42:7e:a4:b1:ae:da @@ -20933,7 +21111,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_ChambersofCommerceRoot" +CKA_LABEL UTF8 "Chambers of Commerce Root - 2008" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\256\061\013\060\011\006\003\125\004\006\023\002\105\125 @@ -21091,7 +21269,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Camerfirma_ChambersofCommerceRoot" +# Trust for "Chambers of Commerce Root - 2008" # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU # Serial Number:00:a3:da:42:7e:a4:b1:ae:da # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU 
@@ -21103,7 +21281,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_ChambersofCommerceRoot" +CKA_LABEL UTF8 "Chambers of Commerce Root - 2008" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \170\152\164\254\166\253\024\177\234\152\060\120\272\236\250\176 \376\232\316\074 @@ -21135,7 +21313,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Camerfirma_ChambersignRoot" +# Certificate "Global Chambersign Root - 2008" # # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce @@ -21148,7 +21326,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_ChambersignRoot" +CKA_LABEL UTF8 "Global Chambersign Root - 2008" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\254\061\013\060\011\006\003\125\004\006\023\002\105\125 @@ -21303,7 +21481,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Camerfirma_ChambersignRoot" +# Trust for "Global Chambersign Root - 2008" # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU 
@@ -21315,7 +21493,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_ChambersignRoot" +CKA_LABEL UTF8 "Global Chambersign Root - 2008" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \112\275\356\354\225\015\065\234\211\256\307\122\241\054\133\051 \366\326\252\014 @@ -21346,7 +21524,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certum_ctnca" +# Certificate "Certum Trusted Network CA" # # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL # Serial Number: 279744 (0x444c0) @@ -21359,7 +21537,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum_ctnca" +CKA_LABEL UTF8 "Certum Trusted Network CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\176\061\013\060\011\006\003\125\004\006\023\002\120\114\061 @@ -21451,7 +21629,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certum_ctnca" +# Trust for "Certum Trusted Network CA" # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL # Serial Number: 279744 (0x444c0) # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -21463,7 +21641,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum_ctnca" +CKA_LABEL UTF8 "Certum Trusted Network CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \007\340\062\340\040\267\054\077\031\057\006\050\242\131\072\031 \247\017\006\236 
@@ -21491,7 +21669,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CNNIC_root" +# Certificate "CNNIC Root" # # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN # Serial Number: 1228079105 (0x49330001) @@ -21504,7 +21682,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC_root" +CKA_LABEL UTF8 "CNNIC Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -21582,7 +21760,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CNNIC_root" +# Trust for "CNNIC Root" # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN # Serial Number: 1228079105 (0x49330001) # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN @@ -21594,7 +21772,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC_root" +CKA_LABEL UTF8 "CNNIC Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \213\257\114\233\035\360\052\222\367\332\022\216\271\033\254\364 \230\140\113\157 @@ -21618,7 +21796,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "pkioverheid_GBORoot2" +# Certificate "Staat der Nederlanden Root CA - G2" # # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL # Serial Number: 10000012 (0x98968c) @@ -21631,7 +21809,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_GBORoot2" +CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 
@@ -21752,7 +21930,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "pkioverheid_GBORoot2" +# Trust for "Staat der Nederlanden Root CA - G2" # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL # Serial Number: 10000012 (0x98968c) # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL @@ -21764,7 +21942,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "pkioverheid_GBORoot2" +CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \131\257\202\171\221\206\307\264\165\007\313\317\003\127\106\353 \004\335\267\026 @@ -21790,7 +21968,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetLock_Gold" +# Certificate "NetLock Arany (Class Gold) Fotanúsítvány" # # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU # Serial Number:49:41:2c:e4:00:10 @@ -21803,7 +21981,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_Gold" +CKA_LABEL UTF8 "NetLock Arany (Class Gold) Fotanúsítvány" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\247\061\013\060\011\006\003\125\004\006\023\002\110\125 
@@ -21907,7 +22085,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetLock_Gold" +# Trust for "NetLock Arany (Class Gold) Fotanúsítvány" # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU # Serial Number:49:41:2c:e4:00:10 # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU @@ -21919,7 +22097,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_Gold" +CKA_LABEL UTF8 "NetLock Arany (Class Gold) Fotanúsítvány" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \006\010\077\131\077\025\241\004\240\151\244\153\251\003\320\006 \267\227\011\221 @@ -21950,7 +22128,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetLock_Platinum" +# Certificate "NetLock Platina (Class Platinum) Fotanúsítvány" # # Issuer: CN=NetLock Platina (Class Platinum) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU # Serial Number:49:41:2d:ec:00:10 @@ -21963,7 +22141,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_Platinum" +CKA_LABEL UTF8 "NetLock Platina (Class Platinum) Fotanúsítvány" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\255\061\013\060\011\006\003\125\004\006\023\002\110\125 
@@ -22100,7 +22278,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetLock_Platinum" +# Trust for "NetLock Platina (Class Platinum) Fotanúsítvány" # Issuer: CN=NetLock Platina (Class Platinum) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU # Serial Number:49:41:2d:ec:00:10 # Subject: CN=NetLock Platina (Class Platinum) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU @@ -22112,7 +22290,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_Platinum" +CKA_LABEL UTF8 "NetLock Platina (Class Platinum) Fotanúsítvány" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \354\223\336\010\074\223\331\063\251\206\263\325\315\342\132\313 \057\356\317\216 @@ -22143,7 +22321,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "certSIGN_root" +# Certificate "certSIGN Root CA" # # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO # Serial Number:20:06:05:16:70:02 @@ -22156,7 +22334,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "certSIGN_root" +CKA_LABEL UTF8 "certSIGN Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\073\061\013\060\011\006\003\125\004\006\023\002\122\117\061 @@ -22232,7 +22410,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "certSIGN_root" +# Trust for "certSIGN Root CA" # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO # Serial Number:20:06:05:16:70:02 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO 
@@ -22244,7 +22422,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "certSIGN_root" +CKA_LABEL UTF8 "certSIGN Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \372\267\356\066\227\046\142\373\055\260\052\366\277\003\375\350 \174\113\057\233 @@ -22268,7 +22446,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Cisco_crca2048" +# Certificate "Cisco Systems" # # Issuer: CN=Cisco Root CA 2048,O=Cisco Systems # Serial Number:5f:f8:7b:28:2b:54:dc:8d:42:a3:15:b5:68:c9:ad:ff @@ -22281,7 +22459,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Cisco_crca2048" +CKA_LABEL UTF8 "Cisco Systems" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\065\061\026\060\024\006\003\125\004\012\023\015\103\151\163 @@ -22359,7 +22537,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Cisco_crca2048" +# Trust for "Cisco Systems" # Issuer: CN=Cisco Root CA 2048,O=Cisco Systems # Serial Number:5f:f8:7b:28:2b:54:dc:8d:42:a3:15:b5:68:c9:ad:ff # Subject: CN=Cisco Root CA 2048,O=Cisco Systems @@ -22371,7 +22549,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Cisco_crca2048" +CKA_LABEL UTF8 "Cisco Systems" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \336\231\014\355\231\340\103\037\140\355\303\223\176\174\325\277 \016\331\345\372 @@ -22396,7 +22574,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SHECA_UCAGlobalRoot4096" +# Certificate "UCA Global Root" # # Issuer: CN=UCA Global Root,O=UniTrust,C=CN # Serial Number: 8 (0x8) 
@@ -22409,7 +22587,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SHECA_UCAGlobalRoot4096" +CKA_LABEL UTF8 "UCA Global Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\072\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -22523,7 +22701,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SHECA_UCAGlobalRoot4096" +# Trust for "UCA Global Root" # Issuer: CN=UCA Global Root,O=UniTrust,C=CN # Serial Number: 8 (0x8) # Subject: CN=UCA Global Root,O=UniTrust,C=CN @@ -22535,7 +22713,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SHECA_UCAGlobalRoot4096" +CKA_LABEL UTF8 "UCA Global Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \013\227\054\236\246\347\314\130\331\073\040\277\161\354\101\056 \162\011\372\277 @@ -22559,7 +22737,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SHECA_UCARoot2048" +# Certificate "UCA Root" # # Issuer: CN=UCA Root,O=UniTrust,C=CN # Serial Number: 9 (0x9) @@ -22572,7 +22750,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SHECA_UCARoot2048" +CKA_LABEL UTF8 "UCA Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\063\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -22653,7 +22831,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SHECA_UCARoot2048" +# Trust for "UCA Root" # Issuer: CN=UCA Root,O=UniTrust,C=CN # Serial Number: 9 (0x9) # Subject: CN=UCA Root,O=UniTrust,C=CN 
@@ -22665,7 +22843,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SHECA_UCARoot2048" +CKA_LABEL UTF8 "UCA Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \202\120\276\325\242\024\103\072\146\067\174\274\020\357\203\366 \151\332\072\147 @@ -22689,7 +22867,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "comodo_COMODOECCCertificationAuthority" +# Certificate "Sectigo (formerly Comodo CA) ECC" # # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a @@ -22702,7 +22880,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "comodo_COMODOECCCertificationAuthority" +CKA_LABEL UTF8 "Sectigo (formerly Comodo CA) ECC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102 @@ -22778,7 +22956,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "comodo_COMODOECCCertificationAuthority" +# Trust for "Sectigo (formerly Comodo CA) ECC" # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 
@@ -22790,7 +22968,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "comodo_COMODOECCCertificationAuthority" +CKA_LABEL UTF8 "Sectigo (formerly Comodo CA) ECC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \237\164\116\237\053\115\272\354\017\061\054\120\266\126\073\216 \055\223\303\021 @@ -22820,7 +22998,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CHT_eCA" +# Certificate "Chunghwa Telecom Co. Ltd." # # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d @@ -22833,7 +23011,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CHT_eCA" +CKA_LABEL UTF8 "Chunghwa Telecom Co. Ltd." CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\136\061\013\060\011\006\003\125\004\006\023\002\124\127\061 @@ -22954,7 +23132,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CHT_eCA" +# Trust for "Chunghwa Telecom Co. Ltd." # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW @@ -22966,7 +23144,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CHT_eCA" +CKA_LABEL UTF8 "Chunghwa Telecom Co. Ltd." CKA_CERT_SHA1_HASH MULTILINE_OCTAL \147\145\015\361\176\216\176\133\202\100\244\364\126\113\317\342 \075\151\306\360 
@@ -22993,7 +23171,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certigna_Certigna" +# Certificate "Certigna" # # Issuer: CN=Certigna,O=Dhimyotis,C=FR # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff @@ -23006,7 +23184,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certigna_Certigna" +CKA_LABEL UTF8 "Certigna" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\064\061\013\060\011\006\003\125\004\006\023\002\106\122\061 @@ -23089,7 +23267,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certigna_Certigna" +# Trust for "Certigna" # Issuer: CN=Certigna,O=Dhimyotis,C=FR # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff # Subject: CN=Certigna,O=Dhimyotis,C=FR @@ -23101,7 +23279,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certigna_Certigna" +CKA_LABEL UTF8 "Certigna" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \261\056\023\143\105\206\244\157\032\262\140\150\067\130\055\304 \254\375\224\227 @@ -23125,7 +23303,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "POSTAR_POSTARCA" +# Certificate "POSTarCA" # # Issuer: OU=POSTArCA,O=POSTA,C=SI # Serial Number: 1044616010 (0x3e43934a) @@ -23138,7 +23316,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "POSTAR_POSTARCA" +CKA_LABEL UTF8 "POSTarCA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\060\061\013\060\011\006\003\125\004\006\023\002\123\111\061 
@@ -23226,7 +23404,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "POSTAR_POSTARCA" +# Trust for "POSTarCA" # Issuer: OU=POSTArCA,O=POSTA,C=SI # Serial Number: 1044616010 (0x3e43934a) # Subject: OU=POSTArCA,O=POSTA,C=SI @@ -23238,7 +23416,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "POSTAR_POSTARCA" +CKA_LABEL UTF8 "POSTarCA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \261\352\303\345\270\044\166\351\325\013\036\306\175\054\301\036 \022\340\264\221 @@ -23262,7 +23440,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "izenpe_sa_ca_raiz2" +# Certificate "Izenpe.com" # # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES # Serial Number:06:e8:46:27:2f:1f:0a:8f:d1:84:5c:e3:69:f6:d5 @@ -23275,7 +23453,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "izenpe_sa_ca_raiz2" +CKA_LABEL UTF8 "Izenpe.com" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\070\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -23396,7 +23574,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "izenpe_sa_ca_raiz2" +# Trust for "Izenpe.com" # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES # Serial Number:06:e8:46:27:2f:1f:0a:8f:d1:84:5c:e3:69:f6:d5 # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES @@ -23408,7 +23586,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "izenpe_sa_ca_raiz2" +CKA_LABEL UTF8 "Izenpe.com" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \060\167\236\223\025\002\056\224\205\152\077\370\274\370\025\260 \202\371\256\375 
@@ -23433,7 +23611,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalS_GSRootR1" +# Certificate "GlobalSign Root CA - R1" # # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94 @@ -23446,7 +23624,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_GSRootR1" +CKA_LABEL UTF8 "GlobalSign Root CA - R1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061 @@ -23530,7 +23708,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalS_GSRootR1" +# Trust for "GlobalSign Root CA - R1" # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE @@ -23542,7 +23720,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalS_GSRootR1" +CKA_LABEL UTF8 "GlobalSign Root CA - R1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \261\274\226\213\324\364\235\142\052\250\232\201\362\025\001\122 \244\035\202\234 @@ -23568,7 +23746,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NLB_ACNLB" +# Certificate "NLB Nova Ljubljanska Banka d.d. Ljubljana" # # Issuer: O=ACNLB,C=SI # Serial Number: 1053001358 (0x3ec3868e) 
@@ -23581,7 +23759,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NLB_ACNLB" +CKA_LABEL UTF8 "NLB Nova Ljubljanska Banka d.d. Ljubljana" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\035\061\013\060\011\006\003\125\004\006\023\002\123\111\061 @@ -23661,7 +23839,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NLB_ACNLB" +# Trust for "NLB Nova Ljubljanska Banka d.d. Ljubljana" # Issuer: O=ACNLB,C=SI # Serial Number: 1053001358 (0x3ec3868e) # Subject: O=ACNLB,C=SI @@ -23673,7 +23851,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NLB_ACNLB" +CKA_LABEL UTF8 "NLB Nova Ljubljanska Banka d.d. Ljubljana" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \004\126\362\075\036\234\103\256\313\015\200\177\034\006\107\125 \032\005\364\126 @@ -23695,7 +23873,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Abogacia_Root1" +# Certificate "Autoridad de Certificacion de la Abogacia" # # Issuer: CN=Autoridad de Certificacion de la Abogacia,O=Consejo General de la Abogacia NIF:Q-2863006I,C=ES # Serial Number:00:90:8b:32:4f:c1:90:1a:ce:b4:c3:38:09:cd:cf:e4 @@ -23708,7 +23886,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Abogacia_Root1" +CKA_LABEL UTF8 "Autoridad de Certificacion de la Abogacia" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\171\061\013\060\011\006\003\125\004\006\023\002\105\123\061 
@@ -23817,7 +23995,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Abogacia_Root1" +# Trust for "Autoridad de Certificacion de la Abogacia" # Issuer: CN=Autoridad de Certificacion de la Abogacia,O=Consejo General de la Abogacia NIF:Q-2863006I,C=ES # Serial Number:00:90:8b:32:4f:c1:90:1a:ce:b4:c3:38:09:cd:cf:e4 # Subject: CN=Autoridad de Certificacion de la Abogacia,O=Consejo General de la Abogacia NIF:Q-2863006I,C=ES @@ -23829,7 +24007,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Abogacia_Root1" +CKA_LABEL UTF8 "Autoridad de Certificacion de la Abogacia" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \177\212\167\203\153\334\155\006\217\213\007\067\374\305\162\124 \023\006\214\244 @@ -23858,7 +24036,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "VRK_Root1" +# Certificate "VRK Gov. Root CA" # # Issuer: CN=VRK Gov. Root CA,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,ST=Finland,C=FI # Serial Number: 100000 (0x186a0) @@ -23871,7 +24049,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VRK_Root1" +CKA_LABEL UTF8 "VRK Gov. Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\243\061\013\060\011\006\003\125\004\006\023\002\106\111 
@@ -23975,7 +24153,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "VRK_Root1" +# Trust for "VRK Gov. Root CA" # Issuer: CN=VRK Gov. Root CA,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,ST=Finland,C=FI # Serial Number: 100000 (0x186a0) # Subject: CN=VRK Gov. Root CA,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,ST=Finland,C=FI @@ -23987,7 +24165,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VRK_Root1" +CKA_LABEL UTF8 "VRK Gov. Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \372\247\331\373\061\267\106\362\000\250\136\145\171\166\023\330 \026\340\143\265 @@ -24018,7 +24196,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Visa_Root2" +# Certificate "Visa Information Delivery Root CA" # # Issuer: CN=Visa Information Delivery Root CA,OU=Visa International Service Association,O=VISA,C=US # Serial Number:5b:57:d7:a8:4c:b0:af:d9:d3:6f:4b:a0:31:b4:d6:e2 @@ -24031,7 +24209,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa_Root2" +CKA_LABEL UTF8 "Visa Information Delivery Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\171\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -24128,7 +24306,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Visa_Root2" +# Trust for "Visa Information Delivery Root CA" # Issuer: CN=Visa Information Delivery Root CA,OU=Visa International Service Association,O=VISA,C=US # Serial Number:5b:57:d7:a8:4c:b0:af:d9:d3:6f:4b:a0:31:b4:d6:e2 # Subject: CN=Visa Information Delivery Root CA,OU=Visa International Service Association,O=VISA,C=US @@ -24140,7 +24318,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Visa_Root2" +CKA_LABEL UTF8 "Visa Information Delivery Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \132\115\016\213\137\334\375\366\116\162\231\243\154\006\015\262 \042\312\170\344 @@ -24169,7 +24347,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ArgeDaten_globaltrust2006" +# Certificate "Austrian Society for Data Protection GLOBALTRUST Certification Service" # # Issuer: E=info@globaltrust.info,CN=GLOBALTRUST,OU=GLOBALTRUST Certification Service,O=ARGE DATEN - Austrian Society for Data Protection,ST=Austria,L=Vienna,C=AT # Serial Number: 0 (0x0) @@ -24182,7 +24360,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ArgeDaten_globaltrust2006" +CKA_LABEL UTF8 "Austrian Society for Data Protection GLOBALTRUST Certification Service" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\324\061\013\060\011\006\003\125\004\006\023\002\101\124 
@@ -24355,7 +24533,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ArgeDaten_globaltrust2006" +# Trust for "Austrian Society for Data Protection GLOBALTRUST Certification Service" # Issuer: E=info@globaltrust.info,CN=GLOBALTRUST,OU=GLOBALTRUST Certification Service,O=ARGE DATEN - Austrian Society for Data Protection,ST=Austria,L=Vienna,C=AT # Serial Number: 0 (0x0) # Subject: E=info@globaltrust.info,CN=GLOBALTRUST,OU=GLOBALTRUST Certification Service,O=ARGE DATEN - Austrian Society for Data Protection,ST=Austria,L=Vienna,C=AT @@ -24367,7 +24545,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ArgeDaten_globaltrust2006" +CKA_LABEL UTF8 "Austrian Society for Data Protection GLOBALTRUST Certification Service" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \064\054\331\323\006\055\244\214\064\151\145\051\177\010\036\274 \056\366\217\334 
@@ -24401,7 +24579,139 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "globals_GSRootR2" +# Certificate "Cybertrust Global Root" +# +# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" +# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48 +# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc" +# Not Valid Before: Fri Dec 15 08:00:00 2006 +# Not Valid After : Wed Dec 15 08:00:00 2021 +# Fingerprint (SHA-256): 96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 +# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Cybertrust Global Root" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\073\061\030\060\026\006\003\125\004\012\023\017\103\171\142 +\145\162\164\162\165\163\164\054\040\111\156\143\061\037\060\035 +\006\003\125\004\003\023\026\103\171\142\145\162\164\162\165\163 +\164\040\107\154\157\142\141\154\040\122\157\157\164 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\073\061\030\060\026\006\003\125\004\012\023\017\103\171\142 +\145\162\164\162\165\163\164\054\040\111\156\143\061\037\060\035 +\006\003\125\004\003\023\026\103\171\142\145\162\164\162\165\163 +\164\040\107\154\157\142\141\154\040\122\157\157\164 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\013\004\000\000\000\000\001\017\205\252\055\110 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\003\241\060\202\002\211\240\003\002\001\002\002\013\004 +\000\000\000\000\001\017\205\252\055\110\060\015\006\011\052\206 +\110\206\367\015\001\001\005\005\000\060\073\061\030\060\026\006 +\003\125\004\012\023\017\103\171\142\145\162\164\162\165\163\164 +\054\040\111\156\143\061\037\060\035\006\003\125\004\003\023\026 +\103\171\142\145\162\164\162\165\163\164\040\107\154\157\142\141 
+\154\040\122\157\157\164\060\036\027\015\060\066\061\062\061\065 +\060\070\060\060\060\060\132\027\015\062\061\061\062\061\065\060 +\070\060\060\060\060\132\060\073\061\030\060\026\006\003\125\004 +\012\023\017\103\171\142\145\162\164\162\165\163\164\054\040\111 +\156\143\061\037\060\035\006\003\125\004\003\023\026\103\171\142 +\145\162\164\162\165\163\164\040\107\154\157\142\141\154\040\122 +\157\157\164\060\202\001\042\060\015\006\011\052\206\110\206\367 +\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002 +\202\001\001\000\370\310\274\275\024\120\146\023\377\360\323\171 +\354\043\362\267\032\307\216\205\361\022\163\246\031\252\020\333 +\234\242\145\164\132\167\076\121\175\126\366\334\043\266\324\355 +\137\130\261\067\115\325\111\016\156\365\152\207\326\322\214\322 +\047\306\342\377\066\237\230\145\240\023\116\306\052\144\233\325 +\220\022\317\024\006\364\073\343\324\050\276\350\016\370\253\116 +\110\224\155\216\225\061\020\134\355\242\055\275\325\072\155\262 +\034\273\140\300\106\113\001\365\111\256\176\106\212\320\164\215 +\241\014\002\316\356\374\347\217\270\153\146\363\177\104\000\277 +\146\045\024\053\335\020\060\035\007\226\077\115\366\153\270\217 +\267\173\014\245\070\353\336\107\333\325\135\071\374\210\247\363 +\327\052\164\361\350\132\242\073\237\120\272\246\214\105\065\302 +\120\145\225\334\143\202\357\335\277\167\115\234\142\311\143\163 +\026\320\051\017\111\251\110\360\263\252\267\154\305\247\060\071 +\100\135\256\304\342\135\046\123\360\316\034\043\010\141\250\224 +\031\272\004\142\100\354\037\070\160\167\022\006\161\247\060\030 +\135\045\047\245\002\003\001\000\001\243\201\245\060\201\242\060 +\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\035\006\003\125\035\016\004\026\004\024\266\010\173\015\172 +\314\254\040\114\206\126\062\136\317\253\156\205\055\160\127\060 +\077\006\003\125\035\037\004\070\060\066\060\064\240\062\240\060 
+\206\056\150\164\164\160\072\057\057\167\167\167\062\056\160\165 +\142\154\151\143\055\164\162\165\163\164\056\143\157\155\057\143 +\162\154\057\143\164\057\143\164\162\157\157\164\056\143\162\154 +\060\037\006\003\125\035\043\004\030\060\026\200\024\266\010\173 +\015\172\314\254\040\114\206\126\062\136\317\253\156\205\055\160 +\127\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000 +\003\202\001\001\000\126\357\012\043\240\124\116\225\227\311\370 +\211\332\105\301\324\243\000\045\364\037\023\253\267\243\205\130 +\151\302\060\255\330\025\212\055\343\311\315\201\132\370\163\043 +\132\247\174\005\363\375\042\073\016\321\006\304\333\066\114\163 +\004\216\345\260\042\344\305\363\056\245\331\043\343\270\116\112 +\040\247\156\002\044\237\042\140\147\173\213\035\162\011\305\061 +\134\351\171\237\200\107\075\255\241\013\007\024\075\107\377\003 +\151\032\014\013\104\347\143\045\247\177\262\311\270\166\204\355 +\043\366\175\007\253\105\176\323\337\263\277\351\212\266\315\250 +\242\147\053\122\325\267\145\360\071\114\143\240\221\171\223\122 +\017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354 +\174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034 +\003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327 +\347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006 +\140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326 +\130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264 +\246\210\070\316\125 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Cybertrust Global Root" +# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" +# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48 +# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc" +# Not Valid Before: Fri Dec 15 08:00:00 2006 +# Not Valid After : Wed Dec 15 08:00:00 2021 +# Fingerprint (SHA-256): 
96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 +# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Cybertrust Global Root" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\137\103\345\261\277\370\170\214\254\034\307\312\112\232\306\042 +\053\314\064\306 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\162\344\112\207\343\151\100\200\167\352\274\343\364\377\360\341 +END +CKA_ISSUER MULTILINE_OCTAL +\060\073\061\030\060\026\006\003\125\004\012\023\017\103\171\142 +\145\162\164\162\165\163\164\054\040\111\156\143\061\037\060\035 +\006\003\125\004\003\023\026\103\171\142\145\162\164\162\165\163 +\164\040\107\154\157\142\141\154\040\122\157\157\164 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\013\004\000\000\000\000\001\017\205\252\055\110 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "Google Trust Services - GlobalSign Root CA-R2" # # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d @@ -24414,7 +24724,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "globals_GSRootR2" +CKA_LABEL UTF8 "Google Trust Services - GlobalSign Root CA-R2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 
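Review bot: The added "Cybertrust Global Root" entry lists `Not Valid After : Wed Dec 15 08:00:00 2021`, yet its trust object grants `CKT_NSS_TRUSTED_DELEGATOR` for both server auth and e-mail and sets both `DISTRUST_AFTER` attributes to `CK_FALSE`. Nothing in the hunk explains why a root with so little validity left, or none depending on when this merges, is being added to the store. If existing chains need it, record that above the block, e.g. `# Kept for legacy chains; expires 2021-12-15, drop at the next refresh`. Otherwise leave the entry out, so the bundle does not gain a trust anchor that must be removed again shortly.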
@@ -24500,7 +24810,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "globals_GSRootR2" +# Trust for "Google Trust Services - GlobalSign Root CA-R2" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 @@ -24512,7 +24822,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "globals_GSRootR2" +CKA_LABEL UTF8 "Google Trust Services - GlobalSign Root CA-R2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \165\340\253\266\023\205\022\047\034\004\370\137\335\336\070\344 \267\044\056\376 @@ -24537,7 +24847,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "frenchgov_DCSSI_rsa" +# Certificate "Secrétariat Général de la Défense Nationale" # # Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR # Serial Number:39:11:45:10:94 @@ -24550,7 +24860,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "frenchgov_DCSSI_rsa" +CKA_LABEL UTF8 "Secrétariat Général de la Défense Nationale" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122 @@ -24649,7 +24959,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "frenchgov_DCSSI_rsa" +# Trust for "Secrétariat Général de la Défense Nationale" # Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR # Serial Number:39:11:45:10:94 # Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR 
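Review bot: The new label `"Secrétariat Général de la Défense Nationale"` puts raw non-ASCII bytes inside a `CKA_LABEL UTF8` value, while every other label in the hunks shown here is plain ASCII. The same string is repeated in the trust object's label in the following hunk. Confirm that whatever parses this file in the build decodes it as UTF-8; a reader that assumes ASCII would fail or mangle the nickname. If the parser accepts the escaped form NSS uses in its own certdata.txt, the safer spelling is `CKA_LABEL UTF8 "Secr\xC3\xA9tariat G\xC3\xA9n\xC3\xA9ral de la D\xC3\xA9fense Nationale"`.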
@@ -24661,7 +24971,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "frenchgov_DCSSI_rsa" +CKA_LABEL UTF8 "Secrétariat Général de la Défense Nationale" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106 \151\033\030\054 @@ -24690,7 +25000,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "wisekey_owrgbca" +# Certificate "OISTE WISeKey Global Root GB CA" # # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 @@ -24703,7 +25013,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "wisekey_owrgbca" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GB CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -24794,7 +25104,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "wisekey_owrgbca" +# Trust for "OISTE WISeKey Global Root GB CA" # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0 # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH @@ -24806,7 +25116,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "wisekey_owrgbca" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GB CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \017\371\100\166\030\323\327\152\113\230\360\250\065\236\014\375 \047\254\314\355 
@@ -24834,7 +25144,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "wisekey_owgrgaca" +# Certificate "OISTE WISeKey Global Root GA CA" # # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a @@ -24847,7 +25157,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "wisekey_owgrgaca" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110 @@ -24946,7 +25256,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "wisekey_owgrgaca" +# Trust for "OISTE WISeKey Global Root GA CA" # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH @@ -24958,7 +25268,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "wisekey_owgrgaca" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \131\042\241\341\132\352\026\065\041\370\230\071\152\106\106\260 \104\033\017\251 @@ -24988,7 +25298,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissSign_Platinum_G2" +# Certificate "SwissSign Platinum G2 Root CA" # # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH # Serial Number:4e:b2:00:67:0c:03:5d:4f 
@@ -25001,7 +25311,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Platinum_G2" +CKA_LABEL UTF8 "SwissSign Platinum G2 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\111\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -25120,7 +25430,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissSign_Platinum_G2" +# Trust for "SwissSign Platinum G2 Root CA" # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH # Serial Number:4e:b2:00:67:0c:03:5d:4f # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH @@ -25132,7 +25442,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Platinum_G2" +CKA_LABEL UTF8 "SwissSign Platinum G2 Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \126\340\372\300\073\217\030\043\125\030\345\323\021\312\350\302 \103\061\253\146 @@ -25157,7 +25467,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissSign_Gold_G2" +# Certificate "SwissSign" # # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0 @@ -25170,7 +25480,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Gold_G2" +CKA_LABEL UTF8 "SwissSign" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\103\110\061 
@@ -25288,7 +25598,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissSign_Gold_G2" +# Trust for "SwissSign" # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0 # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH @@ -25300,7 +25610,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Gold_G2" +CKA_LABEL UTF8 "SwissSign" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \330\305\070\212\267\060\033\033\156\324\172\346\105\045\072\157 \237\032\047\141 @@ -25325,7 +25635,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissSign_Silver_G2" +# Certificate "SwissSign Silver G2 Root CA" # # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH # Serial Number:4f:1b:d4:2f:54:bb:2f:4b @@ -25338,7 +25648,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Silver_G2" +CKA_LABEL UTF8 "SwissSign Silver G2 Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -25457,7 +25767,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissSign_Silver_G2" +# Trust for "SwissSign Silver G2 Root CA" # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH # Serial Number:4f:1b:d4:2f:54:bb:2f:4b # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH 
@@ -25469,7 +25779,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign_Silver_G2" +CKA_LABEL UTF8 "SwissSign Silver G2 Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \233\252\345\237\126\356\041\313\103\132\276\045\223\337\247\360 \100\321\035\313 @@ -25494,7 +25804,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "geotrust_GeoTrust_Primary_Root_CA" +# Certificate "GeoTrust" # # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1 @@ -25507,7 +25817,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "geotrust_GeoTrust_Primary_Root_CA" +CKA_LABEL UTF8 "GeoTrust" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\130\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -25592,7 +25902,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "geotrust_GeoTrust_Primary_Root_CA" +# Trust for "GeoTrust" # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1 # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US @@ -25604,7 +25914,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "geotrust_GeoTrust_Primary_Root_CA" +CKA_LABEL UTF8 "GeoTrust" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \062\074\021\216\033\367\270\266\122\124\342\342\020\015\326\002 \220\067\360\226 
@@ -25631,7 +25941,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "thawte_Thawte_Primary_Root_CA" +# Certificate "thawte" # # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d @@ -25644,7 +25954,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_Thawte_Primary_Root_CA" +CKA_LABEL UTF8 "thawte" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\251\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -25750,7 +26060,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "thawte_Thawte_Primary_Root_CA" +# Trust for "thawte" # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US @@ -25762,7 +26072,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "thawte_Thawte_Primary_Root_CA" +CKA_LABEL UTF8 "thawte" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \221\306\326\356\076\212\310\143\204\345\110\302\231\051\134\165 \154\201\173\201 
@@ -25794,7 +26104,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "verisign_VRSN_C3_PCA_G5_Root_CA" +# Certificate "VeriSign" # # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a @@ -25807,7 +26117,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "verisign_VRSN_C3_PCA_G5_Root_CA" +CKA_LABEL UTF8 "VeriSign" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -25928,7 +26238,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "verisign_VRSN_C3_PCA_G5_Root_CA" +# Trust for "VeriSign" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -25940,7 +26250,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "verisign_VRSN_C3_PCA_G5_Root_CA" +CKA_LABEL UTF8 "VeriSign" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \116\266\325\170\111\233\034\317\137\130\036\255\126\276\075\233 \147\104\245\345 
@@ -25974,7 +26284,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "xramp_Secure_Global_CA_Certificate" +# Certificate "Trustwave" # # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 @@ -25987,7 +26297,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_Secure_Global_CA_Certificate" +CKA_LABEL UTF8 "Trustwave" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -26074,7 +26384,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "xramp_Secure_Global_CA_Certificate" +# Trust for "Trustwave" # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5 # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US @@ -26086,7 +26396,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_Secure_Global_CA_Certificate" +CKA_LABEL UTF8 "Trustwave" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \072\104\163\132\345\201\220\037\044\206\141\106\036\073\234\304 \137\365\072\033 @@ -26112,7 +26422,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "xramp_SecureTrust_CA_Certificate" +# Certificate "Trustwave" # # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 
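Review bot: Two different roots end up with the same `CKA_LABEL` here: `CN=Secure Global CA` and `CN=SecureTrust CA` are both relabelled `"Trustwave"`, and the later hunks do the same for the two DigiCert roots (`"DigiCert"`). `"GeoTrust"`, `"thawte"`, `"VeriSign"`, `"Entrust"` and `"SwissSign"` are likewise vendor-wide names that may collide with entries outside this view. In the hunks shown, the old labels were distinct per certificate. A consumer that keys on the label (nickname lookup, or a certdata-to-PEM step that names files or pairs trust objects by label) could overwrite or mis-pair entries, so confirm the tooling matches on issuer and serial or on the hash instead. If it does not, keep a distinguishing suffix, e.g. `CKA_LABEL UTF8 "Trustwave - Secure Global CA"`.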
@@ -26125,7 +26435,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_SecureTrust_CA_Certificate" +CKA_LABEL UTF8 "Trustwave" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\110\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -26212,7 +26522,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "xramp_SecureTrust_CA_Certificate" +# Trust for "Trustwave" # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0 # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US @@ -26224,7 +26534,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_SecureTrust_CA_Certificate" +CKA_LABEL UTF8 "Trustwave" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \207\202\306\303\004\065\073\317\322\226\222\322\131\076\175\104 \331\064\377\021 @@ -26250,7 +26560,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Entrust_EntrustRootCACert" +# Certificate "Entrust" # # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US # Serial Number: 1164660820 (0x456b5054) @@ -26263,7 +26573,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_EntrustRootCACert" +CKA_LABEL UTF8 "Entrust" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\260\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -26377,7 +26687,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Entrust_EntrustRootCACert" +# Trust for "Entrust" # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US # Serial Number: 1164660820 (0x456b5054) # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US @@ -26389,7 +26699,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust_EntrustRootCACert" +CKA_LABEL UTF8 "Entrust" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \263\036\261\267\100\343\154\204\002\332\334\067\324\115\365\324 \147\111\122\371 @@ -26421,7 +26731,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCert_Assured_ID_Root_CA" +# Certificate "DigiCert" # # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39 @@ -26434,7 +26744,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_Assured_ID_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -26525,7 +26835,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCert_Assured_ID_Root_CA" +# Trust for "DigiCert" # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39 # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -26537,7 +26847,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_Assured_ID_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \005\143\270\143\015\142\327\132\273\310\253\036\113\337\265\250 \231\262\115\103 @@ -26565,7 +26875,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCert_Global_Root_CA" +# Certificate "DigiCert" # # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a @@ -26578,7 +26888,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_Global_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -26669,7 +26979,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCert_Global_Root_CA" +# Trust for "DigiCert" # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US 
@@ -26681,7 +26991,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_Global_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \250\230\135\072\145\345\345\304\262\327\326\155\100\306\335\057 \261\234\124\066 @@ -26709,7 +27019,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "digicert_DigiCert_High_Assurance_EV_Root_CA" +# Certificate "DigiCert" # # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77 @@ -26722,7 +27032,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_High_Assurance_EV_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\154\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -26814,7 +27124,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "digicert_DigiCert_High_Assurance_EV_Root_CA" +# Trust for "DigiCert" # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77 # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -26826,7 +27136,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "digicert_DigiCert_High_Assurance_EV_Root_CA" +CKA_LABEL UTF8 "DigiCert" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \137\267\356\006\063\342\131\333\255\014\114\232\346\323\217\032 \141\307\334\045 
@@ -26854,7 +27164,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_qvrca2" +# Certificate "QuoVadis Root CA 2" # # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM # Serial Number: 1289 (0x509) @@ -26867,7 +27177,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca2" +CKA_LABEL UTF8 "QuoVadis Root CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061 @@ -26985,7 +27295,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_qvrca2" +# Trust for "QuoVadis Root CA 2" # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM # Serial Number: 1289 (0x509) # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM @@ -26997,7 +27307,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca2" +CKA_LABEL UTF8 "QuoVadis Root CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \312\072\373\317\022\100\066\113\104\262\026\040\210\200\110\071 \031\223\174\367 @@ -27022,7 +27332,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_qvrca3" +# Certificate "QuoVadis Root CA 3" # # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM # Serial Number: 1478 (0x5c6) @@ -27035,7 +27345,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca3" +CKA_LABEL UTF8 "QuoVadis Root CA 3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\102\115\061 
@@ -27168,7 +27478,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_qvrca3" +# Trust for "QuoVadis Root CA 3" # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM # Serial Number: 1478 (0x5c6) # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM @@ -27180,7 +27490,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_qvrca3" +CKA_LABEL UTF8 "QuoVadis Root CA 3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \037\111\024\367\330\164\225\035\335\256\002\300\276\375\072\055 \202\165\121\205 @@ -27205,7 +27515,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Spanishgov_ACRAIZ_CERTIFICATE_AND_CRL_SIGNING_SHA1" +# Certificate "DIRECCION GENERAL DE LA POLICIA" # # Issuer: CN=AC RAIZ DNIE,OU=DNIE,O=DIRECCION GENERAL DE LA POLICIA,C=ES # Serial Number:00:d2:85:70:fd:ae:a7:d6:5f:11:84:15:c6:31:b5:cb @@ -27218,7 +27528,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Spanishgov_ACRAIZ_CERTIFICATE_AND_CRL_SIGNING_SHA1" +CKA_LABEL UTF8 "DIRECCION GENERAL DE LA POLICIA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\135\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -27340,7 +27650,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Spanishgov_ACRAIZ_CERTIFICATE_AND_CRL_SIGNING_SHA1" +# Trust for "DIRECCION GENERAL DE LA POLICIA" # Issuer: CN=AC RAIZ DNIE,OU=DNIE,O=DIRECCION GENERAL DE LA POLICIA,C=ES # Serial Number:00:d2:85:70:fd:ae:a7:d6:5f:11:84:15:c6:31:b5:cb # Subject: CN=AC RAIZ DNIE,OU=DNIE,O=DIRECCION GENERAL DE LA POLICIA,C=ES 
@@ -27352,7 +27662,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Spanishgov_ACRAIZ_CERTIFICATE_AND_CRL_SIGNING_SHA1" +CKA_LABEL UTF8 "DIRECCION GENERAL DE LA POLICIA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \263\217\354\354\013\024\212\246\206\303\320\017\001\354\310\204 \216\200\205\353 @@ -27379,7 +27689,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "catcert_EC-ACC_csrs" +# Certificate "Agencia Catalana de Certificacio (NIF Q-0801176-I)" # # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01 @@ -27392,7 +27702,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "catcert_EC-ACC_csrs" +CKA_LABEL UTF8 "Agencia Catalana de Certificacio (NIF Q-0801176-I)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\363\061\013\060\011\006\003\125\004\006\023\002\105\123 @@ -27527,7 +27837,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "catcert_EC-ACC_csrs" +# Trust for "Agencia Catalana de Certificacio (NIF Q-0801176-I)" # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01 # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES 
@@ -27539,7 +27849,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "catcert_EC-ACC_csrs" +CKA_LABEL UTF8 "Agencia Catalana de Certificacio (NIF Q-0801176-I)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \050\220\072\143\133\122\200\372\346\167\114\013\155\247\326\272 \246\112\362\350 @@ -27576,7 +27886,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Atrust_nQual03new" +# Certificate "A-Trust-nQual-03" # # Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1357049 (0x14b4f9) @@ -27589,7 +27899,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Atrust_nQual03new" +CKA_LABEL UTF8 "A-Trust-nQual-03" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\215\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -27685,7 +27995,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Atrust_nQual03new" +# Trust for "A-Trust-nQual-03" # Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1357049 (0x14b4f9) # Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT @@ -27697,7 +28007,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Atrust_nQual03new" +CKA_LABEL UTF8 "A-Trust-nQual-03" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \114\256\343\211\061\321\232\347\073\061\252\165\312\063\326\041 \051\017\247\136 
@@ -27726,7 +28036,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "DigSigT_X3" +# Certificate "DST Root CA X3" # # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b @@ -27739,7 +28049,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigSigT_X3" +CKA_LABEL UTF8 "DST Root CA X3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\077\061\044\060\042\006\003\125\004\012\023\033\104\151\147 @@ -27819,7 +28129,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "DigSigT_X3" +# Trust for "DST Root CA X3" # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. @@ -27831,7 +28141,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigSigT_X3" +CKA_LABEL UTF8 "DST Root CA X3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \332\311\002\117\124\330\366\337\224\223\137\261\163\046\070\312 \152\327\174\023 @@ -27857,7 +28167,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "kisa_Wire" +# Certificate "KISA RootCA 1" # # Issuer: CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR # Serial Number: 4 (0x4) @@ -27870,7 +28180,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "kisa_Wire" +CKA_LABEL UTF8 "KISA RootCA 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\144\061\013\060\011\006\003\125\004\006\023\002\113\122\061 
@@ -27956,7 +28266,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "kisa_Wire" +# Trust for "KISA RootCA 1" # Issuer: CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR # Serial Number: 4 (0x4) # Subject: CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR @@ -27968,7 +28278,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "kisa_Wire" +CKA_LABEL UTF8 "KISA RootCA 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \002\162\150\051\076\137\135\027\252\244\263\303\346\066\036\037 \222\127\136\252 @@ -27995,7 +28305,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "godaddy_GD-Class2-root" +# Certificate "Go Daddy Class 2 Certification Authority" # # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US # Serial Number: 0 (0x0) @@ -28008,7 +28318,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "godaddy_GD-Class2-root" +CKA_LABEL UTF8 "Go Daddy Class 2 Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -28103,7 +28413,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "godaddy_GD-Class2-root" +# Trust for "Go Daddy Class 2 Certification Authority" # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US # Serial Number: 0 (0x0) # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US 
@@ -28115,7 +28425,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "godaddy_GD-Class2-root" +CKA_LABEL UTF8 "Go Daddy Class 2 Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \047\226\272\346\077\030\001\342\167\046\033\240\327\167\160\002 \217\040\356\344 @@ -28142,7 +28452,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "godaddy_SF-Class2-root" +# Certificate "Starfield Class 2 Certification Authority" # # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US # Serial Number: 0 (0x0) @@ -28155,7 +28465,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "godaddy_SF-Class2-root" +CKA_LABEL UTF8 "Starfield Class 2 Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -28251,7 +28561,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "godaddy_SF-Class2-root" +# Trust for "Starfield Class 2 Certification Authority" # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US # Serial Number: 0 (0x0) # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US @@ -28263,7 +28573,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "godaddy_SF-Class2-root" +CKA_LABEL UTF8 "Starfield Class 2 Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \255\176\034\050\260\144\357\217\140\003\100\040\024\303\320\343 \067\016\265\212 
@@ -28290,7 +28600,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "visa_RootCA" +# Certificate "Visa eCommerce Root" # # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 @@ -28303,7 +28613,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "visa_RootCA" +CKA_LABEL UTF8 "Visa eCommerce Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -28393,7 +28703,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "visa_RootCA" +# Trust for "Visa eCommerce Root" # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US @@ -28405,7 +28715,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "visa_RootCA" +CKA_LABEL UTF8 "Visa eCommerce Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062 \275\340\005\142 @@ -28433,7 +28743,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "xramp_XGCA" +# Certificate "Trustwave" # # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad 
@@ -28446,7 +28756,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_XGCA" +CKA_LABEL UTF8 "Trustwave" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -28549,7 +28859,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "xramp_XGCA" +# Trust for "Trustwave" # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US @@ -28561,7 +28871,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "xramp_XGCA" +CKA_LABEL UTF8 "Trustwave" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \270\001\206\321\353\234\206\245\101\004\317\060\124\363\114\122 \267\345\130\306 @@ -28591,7 +28901,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "secom_secom" +# Certificate "SECOM Trust Systems CO LTD" # # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP # Serial Number: 0 (0x0) @@ -28604,7 +28914,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "secom_secom" +CKA_LABEL UTF8 "SECOM Trust Systems CO LTD" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061 
@@ -28686,7 +28996,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "secom_secom" +# Trust for "SECOM Trust Systems CO LTD" # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP # Serial Number: 0 (0x0) # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP @@ -28698,7 +29008,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "secom_secom" +CKA_LABEL UTF8 "SECOM Trust Systems CO LTD" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \066\261\053\111\371\201\236\327\114\236\274\070\017\306\126\217 \135\254\262\367 @@ -28724,7 +29034,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "grca_grca" +# Certificate "TW Government Root Certification Authority" # # Issuer: O=Government Root Certification Authority,C=TW # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 @@ -28737,7 +29047,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "grca_grca" +CKA_LABEL UTF8 "TW Government Root Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\077\061\013\060\011\006\003\125\004\006\023\002\124\127\061 @@ -28852,7 +29162,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "grca_grca" +# Trust for "TW Government Root Certification Authority" # Issuer: O=Government Root Certification Authority,C=TW # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 # Subject: O=Government Root Certification Authority,C=TW 
@@ -28864,7 +29174,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "grca_grca" +CKA_LABEL UTF8 "TW Government Root Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \364\213\021\277\336\253\276\224\124\040\161\346\101\336\153\276 \210\053\100\271 @@ -28890,7 +29200,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "HongKongPost_RootCA1" +# Certificate "Hongkong Post Root CA 1" # # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK # Serial Number: 1000 (0x3e8) @@ -28903,7 +29213,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "HongKongPost_RootCA1" +CKA_LABEL UTF8 "Hongkong Post Root CA 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\110\113\061 @@ -28981,7 +29291,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "HongKongPost_RootCA1" +# Trust for "Hongkong Post Root CA 1" # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK # Serial Number: 1000 (0x3e8) # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK @@ -28993,7 +29303,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "HongKongPost_RootCA1" +CKA_LABEL UTF8 "Hongkong Post Root CA 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \326\332\250\040\215\011\322\025\115\044\265\057\313\064\156\262 \130\262\212\130 @@ -29018,7 +29328,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Trustis_FPSRootCA" +# Certificate "Trustis FPS Root CA" # # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 
@@ -29031,7 +29341,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustis_FPSRootCA" +CKA_LABEL UTF8 "Trustis FPS Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\107\102\061 @@ -29113,7 +29423,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Trustis_FPSRootCA" +# Trust for "Trustis FPS Root CA" # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB @@ -29125,7 +29435,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustis_FPSRootCA" +CKA_LABEL UTF8 "Trustis FPS Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \073\300\070\013\063\303\366\246\014\206\025\042\223\331\337\365 \113\201\300\004 @@ -29151,7 +29461,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Camerfirma_CommerceRoot" +# Certificate "Chambers of Commerce Root" # # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU # Serial Number: 0 (0x0) @@ -29164,7 +29474,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_CommerceRoot" +CKA_LABEL UTF8 "Chambers of Commerce Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061 
@@ -29275,7 +29585,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Camerfirma_CommerceRoot" +# Trust for "Chambers of Commerce Root" # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU # Serial Number: 0 (0x0) # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU @@ -29287,7 +29597,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_CommerceRoot" +CKA_LABEL UTF8 "Chambers of Commerce Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \156\072\125\244\031\014\031\134\223\204\074\300\333\162\056\061 \060\141\360\261 @@ -29316,7 +29626,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Camerfirma_GlobalRoot" +# Certificate "Chambersign Global Root" # # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU # Serial Number: 0 (0x0) @@ -29329,7 +29639,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_GlobalRoot" +CKA_LABEL UTF8 "Chambersign Global Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061 @@ -29438,7 +29748,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Camerfirma_GlobalRoot" +# Trust for "Chambersign Global Root" # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU # Serial Number: 0 (0x0) # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU 
@@ -29450,7 +29760,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Camerfirma_GlobalRoot" +CKA_LABEL UTF8 "Chambersign Global Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \063\233\153\024\120\044\233\125\172\001\207\162\204\331\340\057 \303\322\330\351 @@ -29478,7 +29788,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Comodo_AAA" +# Certificate "Sectigo (AAA)" # # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number: 1 (0x1) @@ -29491,7 +29801,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_AAA" +CKA_LABEL UTF8 "Sectigo (AAA)" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061 @@ -29591,7 +29901,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Comodo_AAA" +# Trust for "Sectigo (AAA)" # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB # Serial Number: 1 (0x1) # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -29603,7 +29913,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo_AAA" +CKA_LABEL UTF8 "Sectigo (AAA)" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \321\353\043\244\155\027\326\217\331\045\144\302\361\361\140\027 \144\330\343\111 @@ -29631,7 +29941,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GeoTrust_GlobalCA" +# Certificate "GeoTrust Global CA" # # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US # Serial Number: 144470 (0x23456) 
@@ -29644,7 +29954,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GlobalCA" +CKA_LABEL UTF8 "GeoTrust Global CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -29724,7 +30034,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GeoTrust_GlobalCA" +# Trust for "GeoTrust Global CA" # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US # Serial Number: 144470 (0x23456) # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US @@ -29736,7 +30046,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_GlobalCA" +CKA_LABEL UTF8 "GeoTrust Global CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371 \226\052\202\022 @@ -29761,7 +30071,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GeoTrust_UniversalCA" +# Certificate "GeoTrust Universal CA" # # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US # Serial Number: 1 (0x1) @@ -29774,7 +30084,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_UniversalCA" +CKA_LABEL UTF8 "GeoTrust Universal CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -29887,7 +30197,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GeoTrust_UniversalCA" +# Trust for "GeoTrust Universal CA" # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US # Serial Number: 1 (0x1) # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US @@ -29899,7 +30209,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_UniversalCA" +CKA_LABEL UTF8 "GeoTrust Universal CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \346\041\363\065\103\171\005\232\113\150\060\235\212\057\164\042 \025\207\354\171 @@ -29924,7 +30234,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GeoTrust_UniversalCA2" +# Certificate "GeoTrust Universal CA 2" # # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US # Serial Number: 1 (0x1) @@ -29937,7 +30247,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_UniversalCA2" +CKA_LABEL UTF8 "GeoTrust Universal CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -30050,7 +30360,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GeoTrust_UniversalCA2" +# Trust for "GeoTrust Universal CA 2" # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US # Serial Number: 1 (0x1) # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US 
@@ -30062,7 +30372,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust_UniversalCA2" +CKA_LABEL UTF8 "GeoTrust Universal CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \067\232\031\173\101\205\105\065\014\246\003\151\363\074\056\257 \107\117\040\171 @@ -30087,7 +30397,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "QuoVadis_RootCA" +# Certificate "QuoVadis Root Certification Authority" # # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM # Serial Number: 985026699 (0x3ab6508b) @@ -30100,7 +30410,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_RootCA" +CKA_LABEL UTF8 "QuoVadis Root Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061 @@ -30228,7 +30538,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "QuoVadis_RootCA" +# Trust for "QuoVadis Root Certification Authority" # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM # Serial Number: 985026699 (0x3ab6508b) # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM @@ -30240,7 +30550,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "QuoVadis_RootCA" +CKA_LABEL UTF8 "QuoVadis Root Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \336\077\100\275\120\223\323\233\154\140\366\332\274\007\142\001 \000\211\166\311 
@@ -30269,7 +30579,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Sonera_Class2CA" +# Certificate "Sonera Class2 CA" # # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI # Serial Number: 29 (0x1d) @@ -30282,7 +30592,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Sonera_Class2CA" +CKA_LABEL UTF8 "Sonera Class2 CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061 @@ -30357,7 +30667,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Sonera_Class2CA" +# Trust for "Sonera Class2 CA" # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI # Serial Number: 29 (0x1d) # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI @@ -30369,7 +30679,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Sonera_Class2CA" +CKA_LABEL UTF8 "Sonera Class2 CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \067\367\155\346\007\174\220\305\261\076\223\032\267\101\020\264 \362\344\232\047 @@ -30393,7 +30703,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certum_root" +# Certificate "Certum" # # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL # Serial Number: 65568 (0x10020) @@ -30406,7 +30716,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum_root" +CKA_LABEL UTF8 "Certum" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061 
@@ -30479,7 +30789,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certum_root" +# Trust for "Certum" # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL # Serial Number: 65568 (0x10020) # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL @@ -30491,7 +30801,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum_root" +CKA_LABEL UTF8 "Certum" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102 \121\261\201\030 @@ -30515,7 +30825,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "baltimore_cybertrust" +# Certificate "DigiCert Baltimore Root" # # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE # Serial Number: 33554617 (0x20000b9) @@ -30528,7 +30838,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "baltimore_cybertrust" +CKA_LABEL UTF8 "DigiCert Baltimore Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061 @@ -30612,7 +30922,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "baltimore_cybertrust" +# Trust for "DigiCert Baltimore Root" # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE # Serial Number: 33554617 (0x20000b9) # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE 
@@ -30624,7 +30934,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "baltimore_cybertrust" +CKA_LABEL UTF8 "DigiCert Baltimore Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050 \122\312\344\164 @@ -30650,7 +30960,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "verisign_c3pcag3v2" +# Certificate "VeriSign" # # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 @@ -30663,7 +30973,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "verisign_c3pcag3v2" +CKA_LABEL UTF8 "VeriSign" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -30772,7 +31082,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "verisign_c3pcag3v2" +# Trust for "VeriSign" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US 
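Review bot: The new label `"VeriSign"` for the Class 3 G3 root (and likewise `"Certum"` for `CN=Certum CA` earlier in this diff) is shorter than the subject CN and no longer unique by construction, whereas most other renames in this patch use the full CN and several of the old labels ended in the first bytes of the SHA-1 fingerprint. If whatever consumes this file keys on CKA_LABEL, for instance to pair a CKO_CERTIFICATE object with its CKO_NSS_TRUST object or to name extracted files, two roots sharing a label could be conflated and one could inherit the other's trust flags; that consumer is not visible in this diff, so this needs confirming. I would use the CN here, `CKA_LABEL UTF8 "VeriSign Class 3 Public Primary Certification Authority - G3"`, in both the certificate and the trust object, and have the generator fail on duplicate labels.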
@@ -30784,7 +31094,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "verisign_c3pcag3v2" +CKA_LABEL UTF8 "VeriSign" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166 \140\233\134\306 @@ -30818,7 +31128,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "msft_msroot01" +# Certificate "Microsoft Root Certificate Authority" # # Issuer: CN=Microsoft Root Certificate Authority,DC=microsoft,DC=com # Serial Number:79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65 @@ -30831,7 +31141,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_msroot01" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\137\061\023\060\021\006\012\011\222\046\211\223\362\054\144 @@ -30952,7 +31262,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "msft_msroot01" +# Trust for "Microsoft Root Certificate Authority" # Issuer: CN=Microsoft Root Certificate Authority,DC=microsoft,DC=com # Serial Number:79:ad:16:a1:4a:a0:a5:ad:4c:73:58:f4:07:13:2e:65 # Subject: CN=Microsoft Root Certificate Authority,DC=microsoft,DC=com @@ -30964,7 +31274,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_msroot01" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \315\324\356\256\140\000\254\177\100\303\200\054\027\036\060\024 \200\060\300\162 
@@ -30992,7 +31302,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "msft_msroot10" +# Certificate "Microsoft Root Certificate Authority 2010" # # Issuer: CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:28:cc:3a:25:bf:ba:44:ac:44:9a:9b:58:6b:43:39:aa @@ -31005,7 +31315,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_msroot10" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority 2010" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -31136,7 +31446,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "msft_msroot10" +# Trust for "Microsoft Root Certificate Authority 2010" # Issuer: CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:28:cc:3a:25:bf:ba:44:ac:44:9a:9b:58:6b:43:39:aa # Subject: CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US @@ -31148,7 +31458,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "msft_msroot10" +CKA_LABEL UTF8 "Microsoft Root Certificate Authority 2010" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \073\036\375\072\146\352\050\261\146\227\071\107\003\247\054\243 \100\240\133\325 @@ -31178,7 +31488,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CertPlus_class2" +# Certificate "CertPlus Class 2 Primary CA" # # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 
@@ -31191,7 +31501,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CertPlus_class2" +CKA_LABEL UTF8 "CertPlus Class 2 Primary CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\075\061\013\060\011\006\003\125\004\006\023\002\106\122\061 @@ -31274,7 +31584,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CertPlus_class2" +# Trust for "CertPlus Class 2 Primary CA" # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23 # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR @@ -31286,7 +31596,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CertPlus_class2" +CKA_LABEL UTF8 "CertPlus Class 2 Primary CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \164\040\164\101\162\234\335\222\354\171\061\330\043\020\215\302 \201\222\342\273 @@ -31311,7 +31621,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "DeutscheT_DTroot2" +# Certificate "Deutsche Telekom Root CA 2" # # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE # Serial Number: 38 (0x26) @@ -31324,7 +31634,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DeutscheT_DTroot2" +CKA_LABEL UTF8 "Deutsche Telekom Root CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\161\061\013\060\011\006\003\125\004\006\023\002\104\105\061 
@@ -31415,7 +31725,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "DeutscheT_DTroot2" +# Trust for "Deutsche Telekom Root CA 2" # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE # Serial Number: 38 (0x26) # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE @@ -31427,7 +31737,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DeutscheT_DTroot2" +CKA_LABEL UTF8 "Deutsche Telekom Root CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \205\244\010\300\234\031\076\135\121\130\175\315\326\023\060\375 \214\336\067\277 @@ -31455,7 +31765,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetLock_classa" +# Certificate "NetLock Kozjegyzoi (Class A) Tanusitvanykiado" # # Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU # Serial Number: 259 (0x103) @@ -31468,7 +31778,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_classa" +CKA_LABEL UTF8 "NetLock Kozjegyzoi (Class A) Tanusitvanykiado" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125 
@@ -31613,7 +31923,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetLock_classa" +# Trust for "NetLock Kozjegyzoi (Class A) Tanusitvanykiado" # Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU # Serial Number: 259 (0x103) # Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU @@ -31625,7 +31935,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetLock_classa" +CKA_LABEL UTF8 "NetLock Kozjegyzoi (Class A) Tanusitvanykiado" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \254\355\137\145\123\375\045\316\001\137\037\172\110\073\152\164 \237\141\170\306 @@ -31657,7 +31967,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SZAFIR_SZAFIRROOTCA2E252" +# Certificate "SZAFIR ROOT CA2" # # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 @@ -31670,7 +31980,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SZAFIR_SZAFIRROOTCA2E252" +CKA_LABEL UTF8 "SZAFIR ROOT CA2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\121\061\013\060\011\006\003\125\004\006\023\002\120\114\061 
@@ -31755,7 +32065,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SZAFIR_SZAFIRROOTCA2E252" +# Trust for "SZAFIR ROOT CA2" # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL @@ -31767,7 +32077,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SZAFIR_SZAFIRROOTCA2E252" +CKA_LABEL UTF8 "SZAFIR ROOT CA2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \342\122\372\225\077\355\333\044\140\275\156\050\363\234\314\317 \136\263\077\336 @@ -31794,7 +32104,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CHUNGWA_ePKIRootCertificationAuthorityG2D99B" +# Certificate "ePKI Root Certification Authority - G2" # # Issuer: CN=ePKI Root Certification Authority - G2,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:00:d6:96:2e:c1:0a:15:93:12:af:8f:63:bc:d4:44:c9:5b @@ -31807,7 +32117,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CHUNGWA_ePKIRootCertificationAuthorityG2D99B" +CKA_LABEL UTF8 "ePKI Root Certification Authority - G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\143\061\013\060\011\006\003\125\004\006\023\002\124\127\061 
@@ -31928,7 +32238,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CHUNGWA_ePKIRootCertificationAuthorityG2D99B" +# Trust for "ePKI Root Certification Authority - G2" # Issuer: CN=ePKI Root Certification Authority - G2,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:00:d6:96:2e:c1:0a:15:93:12:af:8f:63:bc:d4:44:c9:5b # Subject: CN=ePKI Root Certification Authority - G2,O="Chunghwa Telecom Co., Ltd.",C=TW @@ -31940,7 +32250,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CHUNGWA_ePKIRootCertificationAuthorityG2D99B" +CKA_LABEL UTF8 "ePKI Root Certification Authority - G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \331\233\020\102\230\131\107\143\360\271\251\047\267\222\151\313 \107\335\025\213 @@ -31968,7 +32278,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TUBITAK_KamuSMSSLKokSertifikasiSurum13143" +# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" # # Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR # Serial Number: 1 (0x1) @@ -31981,7 +32291,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TUBITAK_KamuSMSSLKokSertifikasiSurum13143" +CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122 
@@ -32096,7 +32406,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TUBITAK_KamuSMSSLKokSertifikasiSurum13143" +# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" # Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR # Serial Number: 1 (0x1) # Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR @@ -32108,7 +32418,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TUBITAK_KamuSMSSLKokSertifikasiSurum13143" +CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350 \221\335\356\312 @@ -32142,7 +32452,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSLCorporation_SSLcomEVRootCertificationAuthorityECC4CDD" +# Certificate "SSL.com EV Root Certification Authority ECC" # # Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:2c:29:9c:5b:16:ed:05:95 @@ -32155,7 +32465,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityECC4CDD" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -32231,7 +32541,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSLCorporation_SSLcomEVRootCertificationAuthorityECC4CDD" +# Trust for "SSL.com EV Root Certification Authority ECC" # Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:2c:29:9c:5b:16:ed:05:95 # Subject: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -32243,7 +32553,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityECC4CDD" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \114\335\121\243\321\365\040\062\024\260\306\305\062\043\003\221 \307\106\102\155 @@ -32272,7 +32582,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSLCorporation_SSLcomEVRootCertificationAuthorityRSA1CB7" +# Certificate "SSL.com EV Root Certification Authority RSA" # # Issuer: CN=SSL.com EV Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:1d:6c:11:eb:6f:da:39:9d @@ -32285,7 +32595,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityRSA1CB7" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -32414,7 +32724,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSLCorporation_SSLcomEVRootCertificationAuthorityRSA1CB7" +# Trust for "SSL.com EV Root Certification Authority RSA" # Issuer: CN=SSL.com EV Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:1d:6c:11:eb:6f:da:39:9d # Subject: CN=SSL.com EV Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -32426,7 +32736,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityRSA1CB7" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \034\267\355\341\166\274\337\357\014\206\157\106\373\371\200\351 \001\345\316\065 @@ -32455,7 +32765,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSLCorporation_SSLcomRootCertificationAuthorityECCC319" +# Certificate "SSL.com Root Certification Authority ECC" # # Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:75:e6:df:cb:c1:68:5b:a8 @@ -32468,7 +32778,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomRootCertificationAuthorityECCC319" +CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -32542,7 +32852,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSLCorporation_SSLcomRootCertificationAuthorityECCC319" +# Trust for "SSL.com Root Certification Authority ECC" # Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:75:e6:df:cb:c1:68:5b:a8 # Subject: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -32554,7 +32864,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomRootCertificationAuthorityECCC319" +CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \303\031\174\071\044\346\124\257\033\304\253\040\225\172\342\303 \016\023\002\152 @@ -32582,7 +32892,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSLCorporation_SSLcomRootCertificationAuthorityRSAB7AB" +# Certificate "SSL.com Root Certification Authority RSA" # # Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:7b:2c:9b:d3:16:80:32:99 @@ -32595,7 +32905,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomRootCertificationAuthorityRSAB7AB" +CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -32722,7 +33032,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSLCorporation_SSLcomRootCertificationAuthorityRSAB7AB" +# Trust for "SSL.com Root Certification Authority RSA" # Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:7b:2c:9b:d3:16:80:32:99 # Subject: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -32734,7 +33044,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomRootCertificationAuthorityRSAB7AB" +CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \267\253\063\010\321\352\104\167\272\024\200\022\132\157\275\251 \066\111\014\273 @@ -32762,7 +33072,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CERTUM_CertumTrustedNetworkCA2D3DD" +# Certificate "Certum Trusted Network CA 2" # # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9 @@ -32775,7 +33085,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CERTUM_CertumTrustedNetworkCA2D3DD" +CKA_LABEL UTF8 "Certum Trusted Network CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\200\061\013\060\011\006\003\125\004\006\023\002\120\114 
@@ -32904,7 +33214,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CERTUM_CertumTrustedNetworkCA2D3DD" +# Trust for "Certum Trusted Network CA 2" # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9 # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -32916,7 +33226,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CERTUM_CertumTrustedNetworkCA2D3DD" +CKA_LABEL UTF8 "Certum Trusted Network CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \323\335\110\076\053\277\114\005\350\257\020\365\372\166\046\317 \323\334\060\222 @@ -32946,7 +33256,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "LuxTrustSA_LuxTrustGlobalRoot21E0E" +# Certificate "LuxTrust Global Root 2" # # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 @@ -32959,7 +33269,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "LuxTrustSA_LuxTrustGlobalRoot21E0E" +CKA_LABEL UTF8 "LuxTrust Global Root 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\106\061\013\060\011\006\003\125\004\006\023\002\114\125\061 
@@ -33079,7 +33389,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "LuxTrustSA_LuxTrustGlobalRoot21E0E" +# Trust for "LuxTrust Global Root 2" # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1 # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU @@ -33091,7 +33401,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "LuxTrustSA_LuxTrustGlobalRoot21E0E" +CKA_LABEL UTF8 "LuxTrust Global Root 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \036\016\126\031\012\321\213\045\230\262\004\104\377\146\212\004 \027\231\137\077 @@ -33117,7 +33427,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CONSEJOGENERALDELAABOGACIA_ACAROOTD496" +# Certificate "ACA ROOT" # # Issuer: CN=ACA ROOT,O=CONSEJO GENERAL DE LA ABOGACIA,serialNumber=Q2863006I,C=ES # Serial Number:47:43:91:24:3f:ce:c3:0d:57:48:28:6b:ee:80:5d:ab @@ -33130,7 +33440,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CONSEJOGENERALDELAABOGACIA_ACAROOTD496" +CKA_LABEL UTF8 "ACA ROOT" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\135\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -33252,7 +33562,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CONSEJOGENERALDELAABOGACIA_ACAROOTD496" +# Trust for "ACA ROOT" # Issuer: CN=ACA ROOT,O=CONSEJO GENERAL DE LA ABOGACIA,serialNumber=Q2863006I,C=ES # Serial Number:47:43:91:24:3f:ce:c3:0d:57:48:28:6b:ee:80:5d:ab # Subject: CN=ACA ROOT,O=CONSEJO GENERAL DE LA ABOGACIA,serialNumber=Q2863006I,C=ES 
@@ -33264,7 +33574,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CONSEJOGENERALDELAABOGACIA_ACAROOTD496" +CKA_LABEL UTF8 "ACA ROOT" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \324\226\131\053\060\127\007\070\154\305\363\315\262\131\256\146 \327\146\037\312 @@ -33291,7 +33601,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "UniTrust_UCAGlobalG2Root28F9" +# Certificate "UCA Global G2 Root" # # Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN # Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef @@ -33304,7 +33614,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UniTrust_UCAGlobalG2Root28F9" +CKA_LABEL UTF8 "UCA Global G2 Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -33414,7 +33724,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "UniTrust_UCAGlobalG2Root28F9" +# Trust for "UCA Global G2 Root" # Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN # Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef # Subject: CN=UCA Global G2 Root,O=UniTrust,C=CN @@ -33426,7 +33736,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UniTrust_UCAGlobalG2Root28F9" +CKA_LABEL UTF8 "UCA Global G2 Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \050\371\170\026\031\172\377\030\045\030\252\104\376\301\240\316 \134\266\114\212 
@@ -33451,7 +33761,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "UniTrust_UCAExtendedValidationRootA3A1" +# Certificate "UCA Extended Validation Root" # # Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN # Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60 @@ -33464,7 +33774,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UniTrust_UCAExtendedValidationRootA3A1" +CKA_LABEL UTF8 "UCA Extended Validation Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061 @@ -33577,7 +33887,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "UniTrust_UCAExtendedValidationRootA3A1" +# Trust for "UCA Extended Validation Root" # Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN # Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60 # Subject: CN=UCA Extended Validation Root,O=UniTrust,C=CN @@ -33589,7 +33899,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UniTrust_UCAExtendedValidationRootA3A1" +CKA_LABEL UTF8 "UCA Extended Validation Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \243\241\260\157\044\141\043\112\343\066\245\302\067\374\246\377 \335\360\327\072 @@ -33615,7 +33925,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SECOMTrustSystemsCO_SecurityCommunicationECCRootCA1B80E" +# Certificate "Security Communication ECC RootCA1" # # Issuer: CN=Security Communication ECC RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number:00:d6:5d:9b:b3:78:81:2e:eb 
@@ -33628,7 +33938,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOMTrustSystemsCO_SecurityCommunicationECCRootCA1B80E" +CKA_LABEL UTF8 "Security Communication ECC RootCA1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\141\061\013\060\011\006\003\125\004\006\023\002\112\120\061 @@ -33694,7 +34004,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SECOMTrustSystemsCO_SecurityCommunicationECCRootCA1B80E" +# Trust for "Security Communication ECC RootCA1" # Issuer: CN=Security Communication ECC RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number:00:d6:5d:9b:b3:78:81:2e:eb # Subject: CN=Security Communication ECC RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -33706,7 +34016,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOMTrustSystemsCO_SecurityCommunicationECCRootCA1B80E" +CKA_LABEL UTF8 "Security Communication ECC RootCA1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \270\016\046\251\277\322\262\073\300\357\106\311\272\307\273\366 \035\015\101\101 @@ -33733,7 +34043,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SECOMTrustSystemsCO_SecurityCommunicationRootCA3C303" +# Certificate "Security Communication RootCA3" # # Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number:00:e1:7c:37:40:fd:1b:fe:67 
@@ -33746,7 +34056,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOMTrustSystemsCO_SecurityCommunicationRootCA3C303" +CKA_LABEL UTF8 "Security Communication RootCA3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061 @@ -33863,7 +34173,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SECOMTrustSystemsCO_SecurityCommunicationRootCA3C303" +# Trust for "Security Communication RootCA3" # Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP # Serial Number:00:e1:7c:37:40:fd:1b:fe:67 # Subject: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -33875,7 +34185,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SECOMTrustSystemsCO_SecurityCommunicationRootCA3C303" +CKA_LABEL UTF8 "Security Communication RootCA3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \303\003\310\042\164\222\345\141\242\234\137\171\221\053\036\104 \023\221\060\072 @@ -33901,7 +34211,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ACCAMERFIRMASA_CHAMBERSOFCOMMERCEROOT20162DE1" +# Certificate "CHAMBERS OF COMMERCE ROOT - 2016" # # Issuer: CN=CHAMBERS OF COMMERCE ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=CHAMBERS OF COMMERCE ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES # Serial Number:34:9a:2d:a1:82:06:b2:b3 
@@ -33914,7 +34224,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCAMERFIRMASA_CHAMBERSOFCOMMERCEROOT20162DE1" +CKA_LABEL UTF8 "CHAMBERS OF COMMERCE ROOT - 2016" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\202\001\014\061\013\060\011\006\003\125\004\006\023\002\105 @@ -34075,7 +34385,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ACCAMERFIRMASA_CHAMBERSOFCOMMERCEROOT20162DE1" +# Trust for "CHAMBERS OF COMMERCE ROOT - 2016" # Issuer: CN=CHAMBERS OF COMMERCE ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=CHAMBERS OF COMMERCE ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES # Serial Number:34:9a:2d:a1:82:06:b2:b3 # Subject: CN=CHAMBERS OF COMMERCE ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=CHAMBERS OF COMMERCE ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES @@ -34087,7 +34397,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCAMERFIRMASA_CHAMBERSOFCOMMERCEROOT20162DE1" +CKA_LABEL UTF8 "CHAMBERS OF COMMERCE ROOT - 2016" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \055\341\152\126\167\272\312\071\341\326\214\060\334\261\112\276 \042\246\027\233 
@@ -34124,7 +34434,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ACCAMERFIRMASA_GLOBALCHAMBERSIGNROOT20161139" +# Certificate "GLOBAL CHAMBERSIGN ROOT - 2016" # # Issuer: CN=GLOBAL CHAMBERSIGN ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=GLOBAL CHAMBERSIGN ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES # Serial Number:2d:d2:2e:50:30:a6:5e:13 @@ -34137,7 +34447,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCAMERFIRMASA_GLOBALCHAMBERSIGNROOT20161139" +CKA_LABEL UTF8 "GLOBAL CHAMBERSIGN ROOT - 2016" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\202\001\010\061\013\060\011\006\003\125\004\006\023\002\105 @@ -34297,7 +34607,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ACCAMERFIRMASA_GLOBALCHAMBERSIGNROOT20161139" +# Trust for "GLOBAL CHAMBERSIGN ROOT - 2016" # Issuer: CN=GLOBAL CHAMBERSIGN ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=GLOBAL CHAMBERSIGN ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES # Serial Number:2d:d2:2e:50:30:a6:5e:13 # Subject: CN=GLOBAL CHAMBERSIGN ROOT - 2016,O=AC CAMERFIRMA S.A.,OID.2.5.4.97=VATES-A82743287,serialNumber=A82743287,OU=GLOBAL CHAMBERSIGN ROOT - 2016,OU=see current address at www.camerfirma.com/address,L=MADRID,ST=MADRID,C=ES 
@@ -34309,7 +34619,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ACCAMERFIRMASA_GLOBALCHAMBERSIGNROOT20161139" +CKA_LABEL UTF8 "GLOBAL CHAMBERSIGN ROOT - 2016" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \021\071\244\236\204\204\252\362\331\015\230\136\304\164\032\145 \335\135\224\342 @@ -34346,7 +34656,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetworkSolutionsLLC_NetworkSolutionsRSACertificateAuthority8E92" +# Certificate "Network Solutions RSA Certificate Authority" # # Issuer: CN=Network Solutions RSA Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US # Serial Number:4c:03:4b:ac:67:18:4c:7f:af:44:08:4d:82:96:c7:b2 @@ -34359,7 +34669,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutionsLLC_NetworkSolutionsRSACertificateAuthority8E92" +CKA_LABEL UTF8 "Network Solutions RSA Certificate Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\212\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -34489,7 +34799,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetworkSolutionsLLC_NetworkSolutionsRSACertificateAuthority8E92" +# Trust for "Network Solutions RSA Certificate Authority" # Issuer: CN=Network Solutions RSA Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US # Serial Number:4c:03:4b:ac:67:18:4c:7f:af:44:08:4d:82:96:c7:b2 # Subject: CN=Network Solutions RSA Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US 
@@ -34501,7 +34811,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutionsLLC_NetworkSolutionsRSACertificateAuthority8E92" +CKA_LABEL UTF8 "Network Solutions RSA Certificate Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \216\222\214\017\302\173\267\253\243\116\153\300\312\022\120\313 \127\266\017\204 @@ -34531,7 +34841,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetworkSolutionsLLC_NetworkSolutionsECCCertificateAuthority80F9" +# Certificate "Network Solutions ECC Certificate Authority" # # Issuer: CN=Network Solutions ECC Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US # Serial Number:79:38:4b:b4:19:1a:8d:74:22:cc:ff:85:32:f2:e4:ba @@ -34544,7 +34854,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutionsLLC_NetworkSolutionsECCCertificateAuthority80F9" +CKA_LABEL UTF8 "Network Solutions ECC Certificate Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\212\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -34621,7 +34931,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetworkSolutionsLLC_NetworkSolutionsECCCertificateAuthority80F9" +# Trust for "Network Solutions ECC Certificate Authority" # Issuer: CN=Network Solutions ECC Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US # Serial Number:79:38:4b:b4:19:1a:8d:74:22:cc:ff:85:32:f2:e4:ba # Subject: CN=Network Solutions ECC Certificate Authority,O=Network Solutions L.L.C.,L=Jacksonville,ST=FL,C=US 
@@ -34633,7 +34943,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetworkSolutionsLLC_NetworkSolutionsECCCertificateAuthority80F9" +CKA_LABEL UTF8 "Network Solutions ECC Certificate Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \200\371\133\164\034\070\071\224\225\303\117\040\302\076\163\066 \061\115\074\153 @@ -34663,7 +34973,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GOV_AustralianDefencePublicRootCAA9CA" +# Certificate "Australian Defence Public Root CA" # # Issuer: CN=Australian Defence Public Root CA,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU # Serial Number:29:eb:92:33:46:4f:32:41:ff:83:19:00:a9:ad:c4:d9:f8:e3:e2:7f @@ -34676,7 +34986,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GOV_AustralianDefencePublicRootCAA9CA" +CKA_LABEL UTF8 "Australian Defence Public Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\161\061\013\060\011\006\003\125\004\006\023\002\101\125\061 @@ -34776,7 +35086,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GOV_AustralianDefencePublicRootCAA9CA" +# Trust for "Australian Defence Public Root CA" # Issuer: CN=Australian Defence Public Root CA,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU # Serial Number:29:eb:92:33:46:4f:32:41:ff:83:19:00:a9:ad:c4:d9:f8:e3:e2:7f # Subject: CN=Australian Defence Public Root CA,OU=CAs,OU=PKI,OU=DoD,O=GOV,C=AU 
@@ -34788,7 +35098,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GOV_AustralianDefencePublicRootCAA9CA" +CKA_LABEL UTF8 "Australian Defence Public Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \251\312\376\235\375\147\364\024\132\323\227\320\342\363\005\015 \031\215\346\356 @@ -34817,7 +35127,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "RepublikaSlovenija_SITRUSTRoot3A49" +# Certificate "SI-TRUST Root" # # Issuer: CN=SI-TRUST Root,OID.2.5.4.97=VATSI-17659957,O=Republika Slovenija,C=SI # Serial Number:00:90:ae:77:76:00:00:00:00:57:1d:d0:6f @@ -34830,7 +35140,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "RepublikaSlovenija_SITRUSTRoot3A49" +CKA_LABEL UTF8 "SI-TRUST Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\134\061\013\060\011\006\003\125\004\006\023\002\123\111\061 @@ -34931,7 +35241,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "RepublikaSlovenija_SITRUSTRoot3A49" +# Trust for "SI-TRUST Root" # Issuer: CN=SI-TRUST Root,OID.2.5.4.97=VATSI-17659957,O=Republika Slovenija,C=SI # Serial Number:00:90:ae:77:76:00:00:00:00:57:1d:d0:6f # Subject: CN=SI-TRUST Root,OID.2.5.4.97=VATSI-17659957,O=Republika Slovenija,C=SI @@ -34943,7 +35253,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "RepublikaSlovenija_SITRUSTRoot3A49" +CKA_LABEL UTF8 "SI-TRUST Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \072\111\171\264\017\250\101\110\202\000\265\202\373\356\266\072 \253\231\031\256 
@@ -34969,7 +35279,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SwissGovernmentPKI_SwissGovernmentRootCAIIICCEA" +# Certificate "Swiss Government Root CA III" # # Issuer: CN=Swiss Government Root CA III,OU=www.pki.admin.ch,O=Swiss Government PKI,C=CH # Serial Number:00:fb:1f:0b:42:2b:a8:41:3e:57:d1:ee:2a:6e:5a:4f:bb @@ -34982,7 +35292,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissGovernmentPKI_SwissGovernmentRootCAIIICCEA" +CKA_LABEL UTF8 "Swiss Government Root CA III" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\156\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -35115,7 +35425,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SwissGovernmentPKI_SwissGovernmentRootCAIIICCEA" +# Trust for "Swiss Government Root CA III" # Issuer: CN=Swiss Government Root CA III,OU=www.pki.admin.ch,O=Swiss Government PKI,C=CH # Serial Number:00:fb:1f:0b:42:2b:a8:41:3e:57:d1:ee:2a:6e:5a:4f:bb # Subject: CN=Swiss Government Root CA III,OU=www.pki.admin.ch,O=Swiss Government PKI,C=CH @@ -35127,7 +35437,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissGovernmentPKI_SwissGovernmentRootCAIIICCEA" +CKA_LABEL UTF8 "Swiss Government Root CA III" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \314\352\343\044\105\315\102\030\335\030\216\255\316\263\023\074 \177\263\100\255 @@ -35155,7 +35465,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "LGPKI_ApplicationCAG4Root21DA" +# Certificate "Application CA G4 Root" # # Issuer: CN=Application CA G4 Root,O=LGPKI,C=JP # Serial Number:31:a5:f3:ca:90:ea:23:ac:d2:9e:bd 
@@ -35168,7 +35478,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "LGPKI_ApplicationCAG4Root21DA" +CKA_LABEL UTF8 "Application CA G4 Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\076\061\013\060\011\006\003\125\004\006\023\002\112\120\061 @@ -35247,7 +35557,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "LGPKI_ApplicationCAG4Root21DA" +# Trust for "Application CA G4 Root" # Issuer: CN=Application CA G4 Root,O=LGPKI,C=JP # Serial Number:31:a5:f3:ca:90:ea:23:ac:d2:9e:bd # Subject: CN=Application CA G4 Root,O=LGPKI,C=JP @@ -35259,7 +35569,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "LGPKI_ApplicationCAG4Root21DA" +CKA_LABEL UTF8 "Application CA G4 Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \041\332\316\114\054\064\346\144\150\356\006\061\115\260\125\240 \250\235\114\035 @@ -35283,7 +35593,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "DigicertSdnBhd_PosDigicertClass2RootCAG2313B" +# Certificate "PosDigicert Class 2 Root CA G2" # # Issuer: CN=PosDigicert Class 2 Root CA G2,O=Digicert Sdn. Bhd.,C=MY # Serial Number: 9969756 (0x98205c) @@ -35296,7 +35606,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigicertSdnBhd_PosDigicertClass2RootCAG2313B" +CKA_LABEL UTF8 "PosDigicert Class 2 Root CA G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\123\061\013\060\011\006\003\125\004\006\023\002\115\131\061 
@@ -35414,7 +35724,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "DigicertSdnBhd_PosDigicertClass2RootCAG2313B" +# Trust for "PosDigicert Class 2 Root CA G2" # Issuer: CN=PosDigicert Class 2 Root CA G2,O=Digicert Sdn. Bhd.,C=MY # Serial Number: 9969756 (0x98205c) # Subject: CN=PosDigicert Class 2 Root CA G2,O=Digicert Sdn. Bhd.,C=MY @@ -35426,7 +35736,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigicertSdnBhd_PosDigicertClass2RootCAG2313B" +CKA_LABEL UTF8 "PosDigicert Class 2 Root CA G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \061\073\215\016\176\056\115\040\256\206\150\377\345\235\265\031 \074\277\172\062 @@ -35452,7 +35762,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NetrustPteLtd_NetrustRootCA20AB5" +# Certificate "Netrust Root CA 2" # # Issuer: CN=Netrust Root CA 2,OU=Netrust Certificate Authority,O=Netrust Pte Ltd,C=SG # Serial Number: 1472720116 (0x57c7ecf4) @@ -35465,7 +35775,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetrustPteLtd_NetrustRootCA20AB5" +CKA_LABEL UTF8 "Netrust Root CA 2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\153\061\013\060\011\006\003\125\004\006\023\002\123\107\061 @@ -35590,7 +35900,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NetrustPteLtd_NetrustRootCA20AB5" +# Trust for "Netrust Root CA 2" # Issuer: CN=Netrust Root CA 2,OU=Netrust Certificate Authority,O=Netrust Pte Ltd,C=SG # Serial Number: 1472720116 (0x57c7ecf4) # Subject: CN=Netrust Root CA 2,OU=Netrust Certificate Authority,O=Netrust Pte Ltd,C=SG 
@@ -35602,7 +35912,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NetrustPteLtd_NetrustRootCA20AB5" +CKA_LABEL UTF8 "Netrust Root CA 2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \012\265\303\315\164\110\270\155\161\036\167\245\111\203\213\207 \316\122\137\177 @@ -35629,7 +35939,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "FNMTRCM_ACRAIZFNMTRCMEC50" +# Certificate "AC RAIZ FNMT-RCM" # # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 @@ -35642,7 +35952,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "FNMTRCM_ACRAIZFNMTRCMEC50" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\073\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -35756,7 +36066,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "FNMTRCM_ACRAIZFNMTRCMEC50" +# Trust for "AC RAIZ FNMT-RCM" # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07 # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES @@ -35768,7 +36078,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "FNMTRCM_ACRAIZFNMTRCMEC50" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \354\120\065\007\262\025\304\225\142\031\342\250\232\133\102\231 \054\114\054\040 
@@ -35793,7 +36103,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "SSLCorporation_SSLcomEVRootCertificationAuthorityRSAR2743A" +# Certificate "SSL.com EV Root Certification Authority RSA R2" # # Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:56:b6:29:cd:34:bc:78:f6 @@ -35806,7 +36116,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityRSAR2743A" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -35935,7 +36245,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "SSLCorporation_SSLcomEVRootCertificationAuthorityRSAR2743A" +# Trust for "SSL.com EV Root Certification Authority RSA R2" # Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US # Serial Number:56:b6:29:cd:34:bc:78:f6 # Subject: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -35947,7 +36257,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SSLCorporation_SSLcomEVRootCertificationAuthorityRSAR2743A" +CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \164\072\360\122\233\320\062\240\364\112\203\315\324\272\251\173 \174\056\304\232 
@@ -35976,7 +36286,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoogleTrustServicesLLC_GTSRootR1E1C9" +# Certificate "GTS Root R1" # # Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1 @@ -35989,7 +36299,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR1E1C9" +CKA_LABEL UTF8 "GTS Root R1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -36102,7 +36412,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoogleTrustServicesLLC_GTSRootR1E1C9" +# Trust for "GTS Root R1" # Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1 # Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US @@ -36114,7 +36424,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR1E1C9" +CKA_LABEL UTF8 "GTS Root R1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \341\311\120\346\357\042\370\114\126\105\162\213\222\040\140\327 \325\247\243\350 @@ -36140,7 +36450,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoogleTrustServicesLLC_GTSRootR2D273" +# Certificate "GTS Root R2" # # Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f 
@@ -36153,7 +36463,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR2D273" +CKA_LABEL UTF8 "GTS Root R2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -36266,7 +36576,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoogleTrustServicesLLC_GTSRootR2D273" +# Trust for "GTS Root R2" # Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f # Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US @@ -36278,7 +36588,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR2D273" +CKA_LABEL UTF8 "GTS Root R2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \322\163\226\052\052\136\071\237\163\077\341\307\036\144\077\003 \070\064\374\115 @@ -36304,7 +36614,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoogleTrustServicesLLC_GTSRootR330D4" +# Certificate "GTS Root R3" # # Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d @@ -36317,7 +36627,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR330D4" +CKA_LABEL UTF8 "GTS Root R3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -36377,7 +36687,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoogleTrustServicesLLC_GTSRootR330D4" +# Trust for "GTS Root R3" # Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d # Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US @@ -36389,7 +36699,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR330D4" +CKA_LABEL UTF8 "GTS Root R3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \060\324\044\157\007\377\333\221\211\212\013\351\111\146\021\353 \214\136\106\345 @@ -36415,7 +36725,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GoogleTrustServicesLLC_GTSRootR42A1D" +# Certificate "GTS Root R4" # # Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99 @@ -36428,7 +36738,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR42A1D" +CKA_LABEL UTF8 "GTS Root R4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -36488,7 +36798,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GoogleTrustServicesLLC_GTSRootR42A1D" +# Trust for "GTS Root R4" # Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US # Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99 # Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US 
@@ -36500,7 +36810,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GoogleTrustServicesLLC_GTSRootR42A1D" +CKA_LABEL UTF8 "GTS Root R4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \052\035\140\047\331\112\261\012\034\115\221\134\315\063\240\313 \076\055\124\313 @@ -36526,7 +36836,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Halcomdd_HalcomRootCertificateAuthority23D7" +# Certificate "Halcom Root Certificate Authority" # # Issuer: CN=Halcom Root Certificate Authority,OID.2.5.4.97=VATSI-43353126,O=Halcom d.d.,C=SI # Serial Number: 843675 (0xcdf9b) @@ -36539,7 +36849,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Halcomdd_HalcomRootCertificateAuthority23D7" +CKA_LABEL UTF8 "Halcom Root Certificate Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\150\061\013\060\011\006\003\125\004\006\023\002\123\111\061 @@ -36626,7 +36936,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Halcomdd_HalcomRootCertificateAuthority23D7" +# Trust for "Halcom Root Certificate Authority" # Issuer: CN=Halcom Root Certificate Authority,OID.2.5.4.97=VATSI-43353126,O=Halcom d.d.,C=SI # Serial Number: 843675 (0xcdf9b) # Subject: CN=Halcom Root Certificate Authority,OID.2.5.4.97=VATSI-43353126,O=Halcom d.d.,C=SI @@ -36638,7 +36948,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Halcomdd_HalcomRootCertificateAuthority23D7" +CKA_LABEL UTF8 "Halcom Root Certificate Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \043\327\061\376\334\134\213\271\175\346\334\216\023\264\021\275 \117\044\000\117 
@@ -36665,7 +36975,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ATHENSSTOCKEXCHANGE_ATHEXRootCAG2892A" +# Certificate "ATHEX Root CA G2" # # Issuer: CN=ATHEX Root CA G2,O=ATHENS STOCK EXCHANGE,C=GR # Serial Number: 16079 (0x3ecf) @@ -36678,7 +36988,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATHENSSTOCKEXCHANGE_ATHEXRootCAG2892A" +CKA_LABEL UTF8 "ATHEX Root CA G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\110\061\013\060\011\006\003\125\004\006\023\002\107\122\061 @@ -36789,7 +37099,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ATHENSSTOCKEXCHANGE_ATHEXRootCAG2892A" +# Trust for "ATHEX Root CA G2" # Issuer: CN=ATHEX Root CA G2,O=ATHENS STOCK EXCHANGE,C=GR # Serial Number: 16079 (0x3ecf) # Subject: CN=ATHEX Root CA G2,O=ATHENS STOCK EXCHANGE,C=GR @@ -36801,7 +37111,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ATHENSSTOCKEXCHANGE_ATHEXRootCAG2892A" +CKA_LABEL UTF8 "ATHEX Root CA G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \211\052\033\324\310\260\370\252\232\145\355\114\271\323\277\110 \100\263\113\301 @@ -36826,7 +37136,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "WISeKey_OISTEWISeKeyGlobalRootGCCAE011" +# Certificate "OISTE WISeKey Global Root GC CA" # # Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH # Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea 
@@ -36839,7 +37149,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WISeKey_OISTEWISeKeyGlobalRootGCCAE011" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061 @@ -36909,7 +37219,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "WISeKey_OISTEWISeKeyGlobalRootGCCAE011" +# Trust for "OISTE WISeKey Global Root GC CA" # Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH # Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea # Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH @@ -36921,7 +37231,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "WISeKey_OISTEWISeKeyGlobalRootGCCAE011" +CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \340\021\204\136\064\336\276\210\201\271\234\366\026\046\321\226 \037\303\271\061 @@ -36949,7 +37259,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "CERTSIGNSA_certSIGNROOTCAG226F9" +# Certificate "certSIGN ROOT CA G2" # # Issuer: OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO # Serial Number:11:00:34:b6:4e:c6:36:2d:36 @@ -36962,7 +37272,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CERTSIGNSA_certSIGNROOTCAG226F9" +CKA_LABEL UTF8 "certSIGN ROOT CA G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\101\061\013\060\011\006\003\125\004\006\023\002\122\117\061 
@@ -37073,7 +37383,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "CERTSIGNSA_certSIGNROOTCAG226F9" +# Trust for "certSIGN ROOT CA G2" # Issuer: OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO # Serial Number:11:00:34:b6:4e:c6:36:2d:36 # Subject: OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO @@ -37085,7 +37395,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CERTSIGNSA_certSIGNROOTCAG226F9" +CKA_LABEL UTF8 "certSIGN ROOT CA G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \046\371\223\264\355\075\050\047\260\271\113\247\351\025\035\243 \215\222\345\062 @@ -37110,7 +37420,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "DigiCert_Hotspot20TrustRootCA_03" +# Certificate "Hotspot 2.0 Trust Root CA - 03" # # Issuer: CN=Hotspot 2.0 Trust Root CA - 03,O=WFA Hotspot 2.0,C=US # Serial Number:0c:b3:0f:70:f2:86:a4:33:e0:b9:09:89:de:01:ed:b7 @@ -37123,7 +37433,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigiCert_Hotspot20TrustRootCA_03" +CKA_LABEL UTF8 "Hotspot 2.0 Trust Root CA - 03" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\120\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -37239,7 +37549,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "DigiCert_Hotspot20TrustRootCA_03" +# Trust for "Hotspot 2.0 Trust Root CA - 03" # Issuer: CN=Hotspot 2.0 Trust Root CA - 03,O=WFA Hotspot 2.0,C=US # Serial Number:0c:b3:0f:70:f2:86:a4:33:e0:b9:09:89:de:01:ed:b7 # Subject: CN=Hotspot 2.0 Trust Root CA - 03,O=WFA Hotspot 2.0,C=US 
@@ -37251,7 +37561,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DigiCert_Hotspot20TrustRootCA_03" +CKA_LABEL UTF8 "Hotspot 2.0 Trust Root CA - 03" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \121\120\037\277\316\151\030\235\140\234\372\361\100\305\166\165 \135\314\037\337 @@ -37278,7 +37588,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "JapanGov_LGPKI_G3ROOT" +# Certificate "Application CA G3 Root" # # Issuer: CN=Application CA G3 Root,O=LGPKI,C=JP # Serial Number: 49 (0x31) @@ -37291,7 +37601,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "JapanGov_LGPKI_G3ROOT" +CKA_LABEL UTF8 "Application CA G3 Root" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\076\061\013\060\011\006\003\125\004\006\023\002\112\120\061 @@ -37369,7 +37679,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "JapanGov_LGPKI_G3ROOT" +# Trust for "Application CA G3 Root" # Issuer: CN=Application CA G3 Root,O=LGPKI,C=JP # Serial Number: 49 (0x31) # Subject: CN=Application CA G3 Root,O=LGPKI,C=JP @@ -37381,7 +37691,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "JapanGov_LGPKI_G3ROOT" +CKA_LABEL UTF8 "Application CA G3 Root" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \157\070\204\126\216\231\310\306\254\016\135\336\055\262\002\335 \000\056\066\143 @@ -37405,7 +37715,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GLOBALTRUST 2015465B26" +# Certificate "GLOBALTRUST 2015" # # Issuer: CN=GLOBALTRUST 2015,OU=GLOBALTRUST Certification Service,O=e-commerce monitoring GmbH,L=Wien,ST=Wien,C=AT # Serial Number: 0 (0x0) 
@@ -37418,7 +37728,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GLOBALTRUST 2015465B26" +CKA_LABEL UTF8 "GLOBALTRUST 2015" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\227\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -37551,7 +37861,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GLOBALTRUST 2015465B26" +# Trust for "GLOBALTRUST 2015" # Issuer: CN=GLOBALTRUST 2015,OU=GLOBALTRUST Certification Service,O=e-commerce monitoring GmbH,L=Wien,ST=Wien,C=AT # Serial Number: 0 (0x0) # Subject: CN=GLOBALTRUST 2015,OU=GLOBALTRUST Certification Service,O=e-commerce monitoring GmbH,L=Wien,ST=Wien,C=AT @@ -37563,7 +37873,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GLOBALTRUST 2015465B26" +CKA_LABEL UTF8 "GLOBALTRUST 2015" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \106\133\046\276\276\161\006\335\205\104\301\023\235\237\242\127 \000\301\327\275 @@ -37593,7 +37903,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Microsoft ECC Product Root Certificate Authority 2018(06F1AA)" +# Certificate "Microsoft ECC Product Root Certificate Authority 2018" # # Issuer: CN=Microsoft ECC Product Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:14:98:26:66:dc:7c:cd:8f:40:53:67:7b:b9:99:ec:85 
@@ -37606,7 +37916,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC Product Root Certificate Authority 2018(06F1AA)" +CKA_LABEL UTF8 "Microsoft ECC Product Root Certificate Authority 2018" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123 @@ -37694,7 +38004,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Microsoft ECC Product Root Certificate Authority 2018(06F1AA)" +# Trust for "Microsoft ECC Product Root Certificate Authority 2018" # Issuer: CN=Microsoft ECC Product Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:14:98:26:66:dc:7c:cd:8f:40:53:67:7b:b9:99:ec:85 # Subject: CN=Microsoft ECC Product Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US @@ -37706,7 +38016,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC Product Root Certificate Authority 2018(06F1AA)" +CKA_LABEL UTF8 "Microsoft ECC Product Root Certificate Authority 2018" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \006\361\252\063\013\222\173\165\072\100\346\214\337\042\343\113 \313\357\063\122 @@ -37737,7 +38047,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ISRG Root X1(CABD2A)" +# Certificate "ISRG Root X1" # # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 
@@ -37750,7 +38060,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ISRG Root X1(CABD2A)" +CKA_LABEL UTF8 "ISRG Root X1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -37866,7 +38176,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "ISRG Root X1(CABD2A)" +# Trust for "ISRG Root X1" # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US @@ -37878,7 +38188,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ISRG Root X1(CABD2A)" +CKA_LABEL UTF8 "ISRG Root X1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \312\275\052\171\241\007\152\061\362\035\045\066\065\313\003\235 \103\051\245\350 @@ -37905,7 +38215,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Entrust Root Certification Authority - G4(14884E)" +# Certificate "Entrust Root Certification Authority - G4" # # Issuer: CN=Entrust Root Certification Authority - G4,OU="(c) 2015 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number:00:d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 @@ -37918,7 +38228,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust Root Certification Authority - G4(14884E)" +CKA_LABEL UTF8 "Entrust Root Certification Authority - G4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -38062,7 +38372,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Entrust Root Certification Authority - G4(14884E)" +# Trust for "Entrust Root Certification Authority - G4" # Issuer: CN=Entrust Root Certification Authority - G4,OU="(c) 2015 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US # Serial Number:00:d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58 # Subject: CN=Entrust Root Certification Authority - G4,OU="(c) 2015 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -38074,7 +38384,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Entrust Root Certification Authority - G4(14884E)" +CKA_LABEL UTF8 "Entrust Root Certification Authority - G4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \024\210\116\206\046\067\260\046\257\131\142\134\100\167\354\065 \051\272\226\001 @@ -38108,7 +38418,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "emSign Root CA - G1(8AC7AD)" +# Certificate "emSign Root CA - G1" # # Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN # Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8 @@ -38121,7 +38431,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign Root CA - G1(8AC7AD)" +CKA_LABEL UTF8 "emSign Root CA - G1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061 
@@ -38209,7 +38519,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "emSign Root CA - G1(8AC7AD)" +# Trust for "emSign Root CA - G1" # Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN # Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8 # Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN @@ -38221,7 +38531,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign Root CA - G1(8AC7AD)" +CKA_LABEL UTF8 "emSign Root CA - G1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \212\307\255\217\163\254\116\301\265\165\115\245\100\364\374\317 \174\265\216\214 @@ -38248,7 +38558,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "emSign ECC Root CA - G3(3043FA)" +# Certificate "emSign ECC Root CA - G3" # # Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN # Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84 @@ -38261,7 +38571,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign ECC Root CA - G3(3043FA)" +CKA_LABEL UTF8 "emSign ECC Root CA - G3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061 @@ -38329,7 +38639,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "emSign ECC Root CA - G3(3043FA)" +# Trust for "emSign ECC Root CA - G3" # Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN # Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84 # Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN 
@@ -38341,7 +38651,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign ECC Root CA - G3(3043FA)" +CKA_LABEL UTF8 "emSign ECC Root CA - G3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \060\103\372\117\362\127\334\240\303\200\356\056\130\352\170\262 \077\346\273\301 @@ -38368,7 +38678,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "emSign Root CA - C1(E72EF1)" +# Certificate "emSign Root CA - C1" # # Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US # Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2 @@ -38381,7 +38691,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign Root CA - C1(E72EF1)" +CKA_LABEL UTF8 "emSign Root CA - C1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -38465,7 +38775,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "emSign Root CA - C1(E72EF1)" +# Trust for "emSign Root CA - C1" # Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US # Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2 # Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US @@ -38477,7 +38787,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign Root CA - C1(E72EF1)" +CKA_LABEL UTF8 "emSign Root CA - C1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \347\056\361\337\374\262\011\050\317\135\324\325\147\067\261\121 \313\206\117\001 
@@ -38503,7 +38813,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "emSign ECC Root CA - C3(B6AF43)" +# Certificate "emSign ECC Root CA - C3" # # Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US # Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8 @@ -38516,7 +38826,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign ECC Root CA - C3(B6AF43)" +CKA_LABEL UTF8 "emSign ECC Root CA - C3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061 @@ -38579,7 +38889,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "emSign ECC Root CA - C3(B6AF43)" +# Trust for "emSign ECC Root CA - C3" # Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US # Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8 # Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US @@ -38591,7 +38901,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "emSign ECC Root CA - C3(B6AF43)" +CKA_LABEL UTF8 "emSign ECC Root CA - C3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \266\257\103\302\233\201\123\175\366\357\153\303\037\037\140\025 \014\356\110\146 @@ -38617,7 +38927,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Fina Root CA(6202BF)" +# Certificate "Fina Root CA" # # Issuer: CN=Fina Root CA,O=Financijska agencija,C=HR # Serial Number:00:98:33:c9:a8:00:00:00:00:56:54:bc:6e 
@@ -38630,7 +38940,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Fina Root CA(6202BF)" +CKA_LABEL UTF8 "Fina Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\103\061\013\060\011\006\003\125\004\006\023\002\110\122\061 @@ -38744,7 +39054,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Fina Root CA(6202BF)" +# Trust for "Fina Root CA" # Issuer: CN=Fina Root CA,O=Financijska agencija,C=HR # Serial Number:00:98:33:c9:a8:00:00:00:00:56:54:bc:6e # Subject: CN=Fina Root CA,O=Financijska agencija,C=HR @@ -38756,7 +39066,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Fina Root CA(6202BF)" +CKA_LABEL UTF8 "Fina Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \142\002\277\026\232\362\177\246\176\320\316\306\153\170\053\203 \042\141\046\351 @@ -38781,7 +39091,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Hongkong Post Root CA 3(58A2D0)" +# Certificate "Hongkong Post Root CA 3" # # Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK # Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4 @@ -38794,7 +39104,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Hongkong Post Root CA 3(58A2D0)" +CKA_LABEL UTF8 "Hongkong Post Root CA 3" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061 
@@ -38921,7 +39231,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Hongkong Post Root CA 3(58A2D0)" +# Trust for "Hongkong Post Root CA 3" # Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK # Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4 # Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK @@ -38933,7 +39243,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Hongkong Post Root CA 3(58A2D0)" +CKA_LABEL UTF8 "Hongkong Post Root CA 3" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \130\242\320\354\040\122\201\133\301\363\370\144\002\044\116\302 \216\002\113\002 @@ -38962,7 +39272,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Microsoft ECC TS Root Certificate Authority 2018(31F9FC)" +# Certificate "Microsoft ECC TS Root Certificate Authority 2018" # # Issuer: CN=Microsoft ECC TS Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:15:38:75:e1:64:7e:d1:b0:47:b4:ef:af:41:12:82:45 @@ -38975,7 +39285,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC TS Root Certificate Authority 2018(31F9FC)" +CKA_LABEL UTF8 "Microsoft ECC TS Root Certificate Authority 2018" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -39062,7 +39372,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Microsoft ECC TS Root Certificate Authority 2018(31F9FC)" +# Trust for "Microsoft ECC TS Root Certificate Authority 2018" # Issuer: CN=Microsoft ECC TS Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US # Serial Number:15:38:75:e1:64:7e:d1:b0:47:b4:ef:af:41:12:82:45 # Subject: CN=Microsoft ECC TS Root Certificate Authority 2018,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US @@ -39074,7 +39384,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC TS Root Certificate Authority 2018(31F9FC)" +CKA_LABEL UTF8 "Microsoft ECC TS Root Certificate Authority 2018" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \061\371\374\213\243\200\131\206\267\041\352\162\225\306\133\072 \104\123\102\164 @@ -39105,7 +39415,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "PostSignum Root QCA 4(AA40D2)" +# Certificate "PostSignum Root QCA 4" # # Issuer: CN=PostSignum Root QCA 4,O="..esk.. po..ta, s.p.",OID.2.5.4.97=NTRCZ-47114983,C=CZ # Serial Number: 4000 (0xfa0) @@ -39118,7 +39428,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PostSignum Root QCA 4(AA40D2)" +CKA_LABEL UTF8 "PostSignum Root QCA 4" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\103\132\061 
@@ -39264,7 +39574,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "PostSignum Root QCA 4(AA40D2)" +# Trust for "PostSignum Root QCA 4" # Issuer: CN=PostSignum Root QCA 4,O="..esk.. po..ta, s.p.",OID.2.5.4.97=NTRCZ-47114983,C=CZ # Serial Number: 4000 (0xfa0) # Subject: CN=PostSignum Root QCA 4,O="..esk.. po..ta, s.p.",OID.2.5.4.97=NTRCZ-47114983,C=CZ @@ -39276,7 +39586,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "PostSignum Root QCA 4(AA40D2)" +CKA_LABEL UTF8 "PostSignum Root QCA 4" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \252\100\322\127\233\250\044\044\315\047\161\233\035\153\037\065 \161\163\200\231 @@ -39303,7 +39613,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "NAVER Global Root Certification Authority(8F6BF2)" +# Certificate "NAVER Global Root Certification Authority" # # Issuer: CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR # Serial Number:01:94:30:1e:a2:0b:dd:f5:c5:33:2a:b1:43:44:71:f8:d6:50:4d:0d @@ -39316,7 +39626,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NAVER Global Root Certification Authority(8F6BF2)" +CKA_LABEL UTF8 "NAVER Global Root Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\151\061\013\060\011\006\003\125\004\006\023\002\113\122\061 
@@ -39438,7 +39748,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "NAVER Global Root Certification Authority(8F6BF2)" +# Trust for "NAVER Global Root Certification Authority" # Issuer: CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR # Serial Number:01:94:30:1e:a2:0b:dd:f5:c5:33:2a:b1:43:44:71:f8:d6:50:4d:0d # Subject: CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR @@ -39450,7 +39760,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "NAVER Global Root Certification Authority(8F6BF2)" +CKA_LABEL UTF8 "NAVER Global Root Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \217\153\362\251\047\112\332\024\240\304\364\216\141\047\371\300 \036\170\135\321 @@ -39478,7 +39788,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "RCSC RootCA(FDE7C6)" +# Certificate "RCSC RootCA" # # Issuer: CN=RCSC RootCA,O=VI Registru centras- i.k. 124110246,OU=RCSC,C=LT # Serial Number:4f:00:1b:a1:24:bd:cb:88:48:be:bd:3f:2b:62:c7:c5 @@ -39491,7 +39801,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "RCSC RootCA(FDE7C6)" +CKA_LABEL UTF8 "RCSC RootCA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\140\061\013\060\011\006\003\125\004\006\023\002\114\124\061 
@@ -39613,7 +39923,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "RCSC RootCA(FDE7C6)" +# Trust for "RCSC RootCA" # Issuer: CN=RCSC RootCA,O=VI Registru centras- i.k. 124110246,OU=RCSC,C=LT # Serial Number:4f:00:1b:a1:24:bd:cb:88:48:be:bd:3f:2b:62:c7:c5 # Subject: CN=RCSC RootCA,O=VI Registru centras- i.k. 124110246,OU=RCSC,C=LT @@ -39625,7 +39935,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "RCSC RootCA(FDE7C6)" +CKA_LABEL UTF8 "RCSC RootCA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \375\347\306\375\263\053\270\346\071\071\204\015\152\340\122\303 \330\267\073\207 @@ -39653,7 +39963,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "VRK Gov. Root CA - G2(F435F8)" +# Certificate "VRK Gov. Root CA - G2" # # Issuer: CN=VRK Gov. Root CA - G2,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,C=FI # Serial Number: 200000 (0x30d40) @@ -39666,7 +39976,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VRK Gov. Root CA - G2(F435F8)" +CKA_LABEL UTF8 "VRK Gov. Root CA - G2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\226\061\013\060\011\006\003\125\004\006\023\002\106\111 
@@ -39800,7 +40110,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "VRK Gov. Root CA - G2(F435F8)" +# Trust for "VRK Gov. Root CA - G2" # Issuer: CN=VRK Gov. Root CA - G2,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,C=FI # Serial Number: 200000 (0x30d40) # Subject: CN=VRK Gov. Root CA - G2,OU=Varmennepalvelut,OU=Certification Authority Services,O=Vaestorekisterikeskus CA,C=FI @@ -39812,7 +40122,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VRK Gov. Root CA - G2(F435F8)" +CKA_LABEL UTF8 "VRK Gov. Root CA - G2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \364\065\370\137\001\010\332\150\116\173\375\121\174\220\306\047 \273\232\154\365 @@ -39842,7 +40152,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Trustwave Global Certification Authority(2F8F36)" +# Certificate "Trustwave Global Certification Authority" # # Issuer: CN=Trustwave Global Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:05:f7:0e:86:da:49:f3:46:35:2e:ba:b2 @@ -39855,7 +40165,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global Certification Authority(2F8F36)" +CKA_LABEL UTF8 "Trustwave Global Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -39983,7 +40293,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Trustwave Global Certification Authority(2F8F36)" +# Trust for "Trustwave Global Certification Authority" # Issuer: CN=Trustwave Global Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:05:f7:0e:86:da:49:f3:46:35:2e:ba:b2 # Subject: CN=Trustwave Global Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US @@ -39995,7 +40305,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global Certification Authority(2F8F36)" +CKA_LABEL UTF8 "Trustwave Global Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \057\217\066\117\341\130\227\104\041\131\207\245\052\232\320\151 \225\046\177\265 @@ -40024,7 +40334,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Trustwave Global ECC P256 Certification Authority(B49082)" +# Certificate "Trustwave Global ECC P256 Certification Authority" # # Issuer: CN=Trustwave Global ECC P256 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:0d:6a:5f:08:3f:28:5c:3e:51:95:df:5d @@ -40037,7 +40347,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global ECC P256 Certification Authority(B49082)" +CKA_LABEL UTF8 "Trustwave Global ECC P256 Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\221\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -40112,7 +40422,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Trustwave Global ECC P256 Certification Authority(B49082)" +# Trust for "Trustwave Global ECC P256 Certification Authority" # Issuer: CN=Trustwave Global ECC P256 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:0d:6a:5f:08:3f:28:5c:3e:51:95:df:5d # Subject: CN=Trustwave Global ECC P256 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US @@ -40124,7 +40434,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global ECC P256 Certification Authority(B49082)" +CKA_LABEL UTF8 "Trustwave Global ECC P256 Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \264\220\202\335\105\014\276\213\133\261\146\323\342\244\010\046 \315\355\102\317 @@ -40154,7 +40464,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Trustwave Global ECC P384 Certification Authority(E7F3A3)" +# Certificate "Trustwave Global ECC P384 Certification Authority" # # Issuer: CN=Trustwave Global ECC P384 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:08:bd:85:97:6c:99:27:a4:80:68:47:3b @@ -40167,7 +40477,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global ECC P384 Certification Authority(E7F3A3)" +CKA_LABEL UTF8 "Trustwave Global ECC P384 Certification Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\221\061\013\060\011\006\003\125\004\006\023\002\125\123 
@@ -40246,7 +40556,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Trustwave Global ECC P384 Certification Authority(E7F3A3)" +# Trust for "Trustwave Global ECC P384 Certification Authority" # Issuer: CN=Trustwave Global ECC P384 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US # Serial Number:08:bd:85:97:6c:99:27:a4:80:68:47:3b # Subject: CN=Trustwave Global ECC P384 Certification Authority,O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US @@ -40258,7 +40568,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Trustwave Global ECC P384 Certification Authority(E7F3A3)" +CKA_LABEL UTF8 "Trustwave Global ECC P384 Certification Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \347\363\243\310\317\157\303\004\056\155\016\147\062\305\236\150 \225\015\136\322 @@ -40288,7 +40598,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Digidentity Services Root CA(7B3FB2)" +# Certificate "Digidentity Services Root CA" # # Issuer: C=NL,O=Digidentity B.V.,CN=Digidentity Services Root CA # Serial Number:12:81:b9:18:f3:79:3a:42:93:ce:91:58:61:e4:ed:5c @@ -40301,7 +40611,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Digidentity Services Root CA(7B3FB2)" +CKA_LABEL UTF8 "Digidentity Services Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\117\061\045\060\043\006\003\125\004\003\014\034\104\151\147 
@@ -40417,7 +40727,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Digidentity Services Root CA(7B3FB2)" +# Trust for "Digidentity Services Root CA" # Issuer: C=NL,O=Digidentity B.V.,CN=Digidentity Services Root CA # Serial Number:12:81:b9:18:f3:79:3a:42:93:ce:91:58:61:e4:ed:5c # Subject: C=NL,O=Digidentity B.V.,CN=Digidentity Services Root CA @@ -40429,7 +40739,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Digidentity Services Root CA(7B3FB2)" +CKA_LABEL UTF8 "Digidentity Services Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \173\077\262\167\356\061\034\036\325\140\312\271\156\117\355\167 \136\152\076\355 @@ -40456,7 +40766,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "HiPKI Root CA - G1(6A92E4)" +# Certificate "HiPKI Root CA - G1" # # Issuer: CN=HiPKI Root CA - G1,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:2d:dd:ac:ce:62:97:94:a1:43:e8:b0:cd:76:6a:5e:60 @@ -40469,7 +40779,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "HiPKI Root CA - G1(6A92E4)" +CKA_LABEL UTF8 "HiPKI Root CA - G1" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\117\061\013\060\011\006\003\125\004\006\023\002\124\127\061 @@ -40585,7 +40895,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "HiPKI Root CA - G1(6A92E4)" +# Trust for "HiPKI Root CA - G1" # Issuer: CN=HiPKI Root CA - G1,O="Chunghwa Telecom Co., Ltd.",C=TW # Serial Number:2d:dd:ac:ce:62:97:94:a1:43:e8:b0:cd:76:6a:5e:60 # Subject: CN=HiPKI Root CA - G1,O="Chunghwa Telecom Co., Ltd.",C=TW 
@@ -40597,7 +40907,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "HiPKI Root CA - G1(6A92E4)" +CKA_LABEL UTF8 "HiPKI Root CA - G1" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \152\222\344\250\356\033\354\226\105\067\343\051\127\111\315\226 \343\345\322\140 @@ -40624,7 +40934,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TrustFactory SSL Root Certificate Authority(D11478)" +# Certificate "TrustFactory SSL Root Certificate Authority" # # Issuer: CN=TrustFactory SSL Root Certificate Authority,OU=TrustFactory PKI Operations,O=TrustFactory(Pty)Ltd,L=Johannesburg,ST=Gauteng,C=ZA # Serial Number:68:5d:cc:26:39:e0:23:66:e4:4a:9d:64:d3:8e:04:35 @@ -40637,7 +40947,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustFactory SSL Root Certificate Authority(D11478)" +CKA_LABEL UTF8 "TrustFactory SSL Root Certificate Authority" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\261\061\013\060\011\006\003\125\004\006\023\002\132\101 @@ -40780,7 +41090,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TrustFactory SSL Root Certificate Authority(D11478)" +# Trust for "TrustFactory SSL Root Certificate Authority" # Issuer: CN=TrustFactory SSL Root Certificate Authority,OU=TrustFactory PKI Operations,O=TrustFactory(Pty)Ltd,L=Johannesburg,ST=Gauteng,C=ZA # Serial Number:68:5d:cc:26:39:e0:23:66:e4:4a:9d:64:d3:8e:04:35 # Subject: CN=TrustFactory SSL Root Certificate Authority,OU=TrustFactory PKI Operations,O=TrustFactory(Pty)Ltd,L=Johannesburg,ST=Gauteng,C=ZA 
@@ -40792,7 +41102,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TrustFactory SSL Root Certificate Authority(D11478)" +CKA_LABEL UTF8 "TrustFactory SSL Root Certificate Authority" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \321\024\170\350\345\373\142\124\005\223\322\054\121\127\015\001 \116\254\166\330 @@ -40825,7 +41135,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "A-Trust-Root-07(1B1815)" +# Certificate "A-Trust-Root-07" # # Issuer: CN=A-Trust-Root-07,OU=A-Trust-Root-07,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1408559753 (0x53f4ea89) @@ -40838,7 +41148,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "A-Trust-Root-07(1B1815)" +CKA_LABEL UTF8 "A-Trust-Root-07" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\213\061\013\060\011\006\003\125\004\006\023\002\101\124 @@ -40965,7 +41275,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "A-Trust-Root-07(1B1815)" +# Trust for "A-Trust-Root-07" # Issuer: CN=A-Trust-Root-07,OU=A-Trust-Root-07,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT # Serial Number: 1408559753 (0x53f4ea89) # Subject: CN=A-Trust-Root-07,OU=A-Trust-Root-07,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT @@ -40977,7 +41287,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "A-Trust-Root-07(1B1815)" +CKA_LABEL UTF8 "A-Trust-Root-07" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \033\030\025\257\222\135\024\016\374\132\371\241\252\125\356\273 \117\373\305\141 
@@ -41006,7 +41316,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS(62FFD9)" +# Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # # Issuer: CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OID.2.5.4.97=VATES-Q2826004J,OU=Ceres,O=FNMT-RCM,C=ES # Serial Number:62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95 @@ -41019,7 +41329,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AC RAIZ FNMT-RCM SERVIDORES SEGUROS(62FFD9)" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\170\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -41092,7 +41402,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "AC RAIZ FNMT-RCM SERVIDORES SEGUROS(62FFD9)" +# Trust for "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Issuer: CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OID.2.5.4.97=VATES-Q2826004J,OU=Ceres,O=FNMT-RCM,C=ES # Serial Number:62:f6:32:6c:e5:c4:e3:68:5c:1b:62:dd:9c:2e:9d:95 # Subject: CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OID.2.5.4.97=VATES-Q2826004J,OU=Ceres,O=FNMT-RCM,C=ES @@ -41104,7 +41414,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AC RAIZ FNMT-RCM SERVIDORES SEGUROS(62FFD9)" +CKA_LABEL UTF8 "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \142\377\331\236\300\145\015\003\316\165\223\322\355\077\055\062 \311\343\345\112 @@ -41133,7 +41443,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Izenpe.com(2F783D)" +# Certificate "Izenpe.com" # # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d 
@@ -41146,7 +41456,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Izenpe.com(2F783D)" +CKA_LABEL UTF8 "Izenpe.com" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\070\061\013\060\011\006\003\125\004\006\023\002\105\123\061 @@ -41267,7 +41577,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Izenpe.com(2F783D)" +# Trust for "Izenpe.com" # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES @@ -41279,7 +41589,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Izenpe.com(2F783D)" +CKA_LABEL UTF8 "Izenpe.com" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \057\170\075\045\122\030\247\112\145\071\161\265\054\242\234\105 \025\157\351\031 @@ -41304,7 +41614,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Microsoft ECC Root Certificate Authority 2017(999A64)" +# Certificate "Microsoft ECC Root Certificate Authority 2017" # # Issuer: CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft Corporation,C=US # Serial Number:66:f2:3d:af:87:de:8b:b1:4a:ea:0c:57:31:01:c2:ec @@ -41317,7 +41627,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC Root Certificate Authority 2017(999A64)" +CKA_LABEL UTF8 "Microsoft ECC Root Certificate Authority 2017" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -41386,7 +41696,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Microsoft ECC Root Certificate Authority 2017(999A64)" +# Trust for "Microsoft ECC Root Certificate Authority 2017" # Issuer: CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft Corporation,C=US # Serial Number:66:f2:3d:af:87:de:8b:b1:4a:ea:0c:57:31:01:c2:ec # Subject: CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft Corporation,C=US @@ -41398,7 +41708,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft ECC Root Certificate Authority 2017(999A64)" +CKA_LABEL UTF8 "Microsoft ECC Root Certificate Authority 2017" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \231\232\144\303\177\364\175\237\253\225\361\107\151\211\024\140 \356\304\303\305 @@ -41426,7 +41736,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Microsoft RSA Root Certificate Authority 2017(73A5E6)" +# Certificate "Microsoft RSA Root Certificate Authority 2017" # # Issuer: CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US # Serial Number:1e:d3:97:09:5f:d8:b4:b3:47:70:1e:aa:be:7f:45:b3 @@ -41439,7 +41749,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft RSA Root Certificate Authority 2017(73A5E6)" +CKA_LABEL UTF8 "Microsoft RSA Root Certificate Authority 2017" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\145\061\013\060\011\006\003\125\004\006\023\002\125\123\061 
@@ -41561,7 +41871,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Microsoft RSA Root Certificate Authority 2017(73A5E6)" +# Trust for "Microsoft RSA Root Certificate Authority 2017" # Issuer: CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US # Serial Number:1e:d3:97:09:5f:d8:b4:b3:47:70:1e:aa:be:7f:45:b3 # Subject: CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US @@ -41573,7 +41883,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Microsoft RSA Root Certificate Authority 2017(73A5E6)" +CKA_LABEL UTF8 "Microsoft RSA Root Certificate Authority 2017" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \163\245\346\112\073\377\203\026\377\016\334\314\141\212\220\156 \116\256\115\164 @@ -41601,7 +41911,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "TunTrust Root CA(CFE970)" +# Certificate "TunTrust Root CA" # # Issuer: CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN # Serial Number:13:02:d5:e2:40:4c:92:46:86:16:67:5d:b4:bb:bb:b2:6b:3e:fc:13 @@ -41614,7 +41924,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TunTrust Root CA(CFE970)" +CKA_LABEL UTF8 "TunTrust Root CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\141\061\013\060\011\006\003\125\004\006\023\002\124\116\061 
@@ -41737,7 +42047,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "TunTrust Root CA(CFE970)" +# Trust for "TunTrust Root CA" # Issuer: CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN # Serial Number:13:02:d5:e2:40:4c:92:46:86:16:67:5d:b4:bb:bb:b2:6b:3e:fc:13 # Subject: CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN @@ -41749,7 +42059,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "TunTrust Root CA(CFE970)" +CKA_LABEL UTF8 "TunTrust Root CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \317\351\160\204\017\340\163\017\235\366\014\177\054\113\356\040 \106\064\234\273 @@ -41777,7 +42087,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certum EC-384 CA(F33E78)" +# Certificate "Certum EC-384 CA" # # Issuer: CN=Certum EC-384 CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL # Serial Number:78:8f:27:5c:81:12:52:20:a5:04:d0:2d:dd:ba:73:f4 @@ -41790,7 +42100,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum EC-384 CA(F33E78)" +CKA_LABEL UTF8 "Certum EC-384 CA" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\164\061\013\060\011\006\003\125\004\006\023\002\120\114\061 
@@ -41862,7 +42172,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certum EC-384 CA(F33E78)" +# Trust for "Certum EC-384 CA" # Issuer: CN=Certum EC-384 CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL # Serial Number:78:8f:27:5c:81:12:52:20:a5:04:d0:2d:dd:ba:73:f4 # Subject: CN=Certum EC-384 CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL @@ -41874,7 +42184,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum EC-384 CA(F33E78)" +CKA_LABEL UTF8 "Certum EC-384 CA" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \363\076\170\074\254\337\364\242\314\254\147\125\151\126\327\345 \026\074\341\355 @@ -41903,7 +42213,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Certum Trusted Root CA(C88344)" +# Certificate "Certum Trusted Root CA " # # Issuer: CN=Certum Trusted Root CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL # Serial Number:1e:bf:59:50:b8:c9:80:37:4c:06:f7:eb:55:4f:b5:ed @@ -41916,7 +42226,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum Trusted Root CA(C88344)" +CKA_LABEL UTF8 "Certum Trusted Root CA " CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\172\061\013\060\011\006\003\125\004\006\023\002\120\114\061 
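Review bot: The new label `"Certum Trusted Root CA "` carries a trailing space inside the quotes, first in the `# Certificate` comment of the `@@ -41903,7 +42213,7 @@` hunk and again in the `CKA_LABEL` line of the next hunk and in the `# Trust for` and `CKA_LABEL` lines of the two hunks after that. The subject shown in the `# Issuer:`/`# Subject:` comments is `CN=Certum Trusted Root CA` with no trailing space, and every other renamed label in this change ends at the closing quote. Anything that keys on the label string (alias or file-name generation, label lookups) would presumably see a different name than intended, so I would write `CKA_LABEL UTF8 "Certum Trusted Root CA"` and the matching comment lines without the space. If the space comes from the tool that produces this file, trimming belongs there rather than in a hand edit.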
@@ -42042,7 +42352,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Certum Trusted Root CA(C88344)" +# Trust for "Certum Trusted Root CA " # Issuer: CN=Certum Trusted Root CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL # Serial Number:1e:bf:59:50:b8:c9:80:37:4c:06:f7:eb:55:4f:b5:ed # Subject: CN=Certum Trusted Root CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL @@ -42054,7 +42364,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Certum Trusted Root CA(C88344)" +CKA_LABEL UTF8 "Certum Trusted Root CA " CKA_CERT_SHA1_HASH MULTILINE_OCTAL \310\203\104\300\030\256\237\314\361\207\267\217\042\321\305\327 \105\204\272\345 @@ -42083,7 +42393,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Autoridade Certificadora Raiz Brasileira v10(6C155E)" +# Certificate "Autoridade Certificadora Raiz Brasileira v10" # # Issuer: CN=Autoridade Certificadora Raiz Brasileira v10,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number:00:d2:d5:8b:44:bf:81:93:42 @@ -42096,7 +42406,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Autoridade Certificadora Raiz Brasileira v10(6C155E)" +CKA_LABEL UTF8 "Autoridade Certificadora Raiz Brasileira v10" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\201\230\061\013\060\011\006\003\125\004\006\023\002\102\122 
@@ -42239,7 +42549,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Autoridade Certificadora Raiz Brasileira v10(6C155E)" +# Trust for "Autoridade Certificadora Raiz Brasileira v10" # Issuer: CN=Autoridade Certificadora Raiz Brasileira v10,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR # Serial Number:00:d2:d5:8b:44:bf:81:93:42 # Subject: CN=Autoridade Certificadora Raiz Brasileira v10,OU=Instituto Nacional de Tecnologia da Informacao - ITI,O=ICP-Brasil,C=BR @@ -42251,7 +42561,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Autoridade Certificadora Raiz Brasileira v10(6C155E)" +CKA_LABEL UTF8 "Autoridade Certificadora Raiz Brasileira v10" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \154\025\136\327\047\032\220\112\015\300\100\360\310\127\377\123 \277\155\262\220 @@ -42281,7 +42591,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalSign Root E46(39B46C)" +# Certificate "GlobalSign Root E46" # # Issuer: CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE # Serial Number:11:d2:bb:ba:33:6e:d4:bc:e6:24:68:c5:0d:84:1d:98:e8:43 @@ -42294,7 +42604,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root E46(39B46C)" +CKA_LABEL UTF8 "GlobalSign Root E46" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\106\061\013\060\011\006\003\125\004\006\023\002\102\105\061 
@@ -42354,7 +42664,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalSign Root E46(39B46C)" +# Trust for "GlobalSign Root E46" # Issuer: CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE # Serial Number:11:d2:bb:ba:33:6e:d4:bc:e6:24:68:c5:0d:84:1d:98:e8:43 # Subject: CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE @@ -42366,7 +42676,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root E46(39B46C)" +CKA_LABEL UTF8 "GlobalSign Root E46" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \071\264\154\325\376\200\006\353\342\057\112\273\010\063\240\257 \333\271\335\204 @@ -42392,7 +42702,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GlobalSign Root R46(53A2B0)" +# Certificate "GlobalSign Root R46" # # Issuer: CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE # Serial Number:11:d2:bb:b9:d7:23:18:9e:40:5f:0a:9d:2d:d0:df:25:67:d1 @@ -42405,7 +42715,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root R46(53A2B0)" +CKA_LABEL UTF8 "GlobalSign Root R46" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\106\061\013\060\011\006\003\125\004\006\023\002\102\105\061 @@ -42518,7 +42828,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GlobalSign Root R46(53A2B0)" +# Trust for "GlobalSign Root R46" # Issuer: CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE # Serial Number:11:d2:bb:b9:d7:23:18:9e:40:5f:0a:9d:2d:d0:df:25:67:d1 # Subject: CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE 
@@ -42530,7 +42840,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root R46(53A2B0)" +CKA_LABEL UTF8 "GlobalSign Root R46" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \123\242\260\113\312\153\326\105\346\071\212\216\304\015\322\277 \167\303\242\220 @@ -42556,7 +42866,7 @@ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "GLOBALTRUST 2020(D067C1)" +# Certificate "GLOBALTRUST 2020" # # Issuer: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT # Serial Number:5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5 @@ -42569,7 +42879,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GLOBALTRUST 2020(D067C1)" +CKA_LABEL UTF8 "GLOBALTRUST 2020" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\115\061\013\060\011\006\003\125\004\006\023\002\101\124\061 @@ -42684,7 +42994,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "GLOBALTRUST 2020(D067C1)" +# Trust for "GLOBALTRUST 2020" # Issuer: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT # Serial Number:5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5 # Subject: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT @@ -42696,7 +43006,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GLOBALTRUST 2020(D067C1)" +CKA_LABEL UTF8 "GLOBALTRUST 2020" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \320\147\301\023\121\001\014\252\320\307\152\145\067\061\026\046 \117\123\161\242 
@@ -42715,13 +43025,13 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\132\113\275\132\373\117\212\133\372\145\345 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "Telia Root CA v2(B999CD)" +# Certificate "Telia Root CA v2" # # Issuer: CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI # Serial Number:01:67:5f:27:d6:fe:7a:e3:e4:ac:be:09:5b:05:9e @@ -42734,7 +43044,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Telia Root CA v2(B999CD)" +CKA_LABEL UTF8 "Telia Root CA v2" CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_SUBJECT MULTILINE_OCTAL \060\104\061\013\060\011\006\003\125\004\006\023\002\106\111\061 @@ -42849,7 +43159,7 @@ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for "Telia Root CA v2(B999CD)" +# Trust for "Telia Root CA v2" # Issuer: CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI # Serial Number:01:67:5f:27:d6:fe:7a:e3:e4:ac:be:09:5b:05:9e # Subject: CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI @@ -42861,7 +43171,7 @@ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Telia Root CA v2(B999CD)" +CKA_LABEL UTF8 "Telia Root CA v2" CKA_CERT_SHA1_HASH MULTILINE_OCTAL \271\231\315\321\163\120\212\304\107\005\010\234\214\210\373\276 \240\053\100\315 
@@ -42885,3 +43195,1091 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "DigiCert TLS RSA4096 Root G5" +# +# Issuer: CN=DigiCert TLS RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:08:f9:b4:78:a8:fa:7e:da:6a:33:37:89:de:7c:cf:8a +# Subject: CN=DigiCert TLS RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75 +# Fingerprint (SHA1): A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert TLS RSA4096 Root G5" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\045\060\043\006\003\125\004 +\003\023\034\104\151\147\151\103\145\162\164\040\124\114\123\040 +\122\123\101\064\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\045\060\043\006\003\125\004 +\003\023\034\104\151\147\151\103\145\162\164\040\124\114\123\040 +\122\123\101\064\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\010\371\264\170\250\372\176\332\152\063\067\211\336\174 +\317\212 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\146\060\202\003\116\240\003\002\001\002\002\020\010 +\371\264\170\250\372\176\332\152\063\067\211\336\174\317\212\060 
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\115 +\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060 +\025\006\003\125\004\012\023\016\104\151\147\151\103\145\162\164 +\054\040\111\156\143\056\061\045\060\043\006\003\125\004\003\023 +\034\104\151\147\151\103\145\162\164\040\124\114\123\040\122\123 +\101\064\060\071\066\040\122\157\157\164\040\107\065\060\036\027 +\015\062\061\060\061\061\065\060\060\060\060\060\060\132\027\015 +\064\066\060\061\061\064\062\063\065\071\065\071\132\060\115\061 +\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025 +\006\003\125\004\012\023\016\104\151\147\151\103\145\162\164\054 +\040\111\156\143\056\061\045\060\043\006\003\125\004\003\023\034 +\104\151\147\151\103\145\162\164\040\124\114\123\040\122\123\101 +\064\060\071\066\040\122\157\157\164\040\107\065\060\202\002\042 +\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 +\202\002\017\000\060\202\002\012\002\202\002\001\000\263\320\364 +\311\171\021\235\375\374\146\201\347\314\325\344\274\354\201\076 +\152\065\216\056\267\347\336\257\371\007\115\317\060\235\352\011 +\013\231\275\154\127\332\030\112\270\170\254\072\071\250\246\110 +\254\056\162\345\275\353\361\032\315\347\244\003\251\077\021\264 +\330\057\211\026\373\224\001\075\273\057\370\023\005\241\170\034 +\216\050\340\105\340\203\364\131\033\225\263\256\176\003\105\345 +\276\302\102\376\356\362\074\266\205\023\230\062\235\026\250\051 +\302\013\034\070\334\237\061\167\134\277\047\243\374\047\254\267 +\053\275\164\233\027\055\362\201\332\135\260\341\043\027\076\210 +\112\022\043\320\352\317\235\336\003\027\261\102\112\240\026\114 +\244\155\223\351\077\072\356\072\174\235\130\235\364\116\217\374 +\073\043\310\155\270\342\005\332\314\353\354\303\061\364\327\247 +\051\124\200\317\104\133\114\157\060\236\363\314\335\037\224\103 +\235\115\177\160\160\015\324\072\321\067\360\154\235\233\300\024 +\223\130\357\315\101\070\165\274\023\003\225\174\177\343\134\351 
+\325\015\325\342\174\020\142\252\153\360\075\166\363\077\243\350 +\260\301\375\357\252\127\115\254\206\247\030\264\051\301\054\016 +\277\144\276\051\214\330\002\055\315\134\057\362\177\357\025\364 +\014\025\254\012\260\361\323\015\117\152\115\167\227\001\240\361 +\146\267\267\316\357\316\354\354\245\165\312\254\343\341\143\367 +\270\241\004\310\274\173\077\135\055\026\042\126\355\110\111\376 +\247\057\171\060\045\233\272\153\055\077\235\073\304\027\347\035 +\056\373\362\317\246\374\343\024\054\226\230\041\214\264\221\351 +\031\140\203\362\060\053\006\163\120\325\230\073\006\351\307\212 +\014\140\214\050\370\122\233\156\341\366\115\273\006\044\233\327 +\053\046\077\375\052\057\161\365\326\044\276\177\061\236\017\155 +\350\217\117\115\243\077\377\065\352\337\111\136\101\217\206\371 +\361\167\171\113\033\264\243\136\057\373\106\002\320\146\023\136 +\136\205\117\316\330\160\210\173\316\001\265\226\227\327\315\175 +\375\202\370\302\044\301\312\001\071\117\215\242\301\024\100\037 +\234\146\325\014\011\106\326\362\320\321\110\166\126\072\103\313 +\266\012\021\071\272\214\023\154\006\265\236\317\353\002\003\001 +\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004 +\024\121\063\034\355\066\100\257\027\323\045\315\151\150\362\257 +\116\043\076\263\101\060\016\006\003\125\035\017\001\001\377\004 +\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377\004 +\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015 +\001\001\014\005\000\003\202\002\001\000\140\246\257\133\137\127 +\332\211\333\113\120\251\304\043\065\041\377\320\141\060\204\221 +\267\077\020\317\045\216\311\277\106\064\331\301\041\046\034\160 +\031\162\036\243\311\207\376\251\103\144\226\072\310\123\004\012 +\266\101\273\304\107\000\331\237\030\030\073\262\016\363\064\352 +\044\367\335\257\040\140\256\222\050\137\066\347\135\344\336\307 +\074\333\120\071\255\273\075\050\115\226\174\166\306\133\364\301 +\333\024\245\253\031\142\007\030\100\137\227\221\334\234\307\253 
+\265\121\015\346\151\123\125\314\071\175\332\305\021\125\162\305 +\073\213\211\370\064\055\244\027\345\027\346\231\175\060\210\041 +\067\315\060\027\075\270\362\274\250\165\240\103\334\076\211\113 +\220\256\155\003\340\034\243\240\226\011\273\175\243\267\052\020 +\104\113\106\007\064\143\355\061\271\004\356\243\233\232\256\346 +\061\170\364\352\044\141\073\253\130\144\377\273\207\047\142\045 +\201\337\334\241\057\366\355\247\377\172\217\121\056\060\370\244 +\001\322\205\071\137\001\231\226\157\132\133\160\031\106\376\206 +\140\076\255\200\020\011\335\071\045\057\130\177\273\322\164\360 +\367\106\037\106\071\112\330\123\320\363\056\073\161\245\324\157 +\374\363\147\344\007\217\335\046\031\341\215\133\372\243\223\021 +\233\351\310\072\303\125\150\232\222\341\122\166\070\350\341\272 +\275\373\117\325\357\263\347\110\203\061\360\202\041\343\266\276 +\247\253\157\357\237\337\114\317\001\270\142\152\043\075\347\011 +\115\200\033\173\060\244\303\335\007\177\064\276\244\046\262\366 +\101\350\011\035\343\040\230\252\067\117\377\367\361\342\051\160 +\061\107\077\164\320\024\026\372\041\212\002\325\212\011\224\167 +\056\362\131\050\213\174\120\222\012\146\170\070\203\165\304\265 +\132\250\021\306\345\301\235\146\125\317\123\304\257\327\165\205 +\251\102\023\126\354\041\167\201\223\132\014\352\226\331\111\312 +\241\010\362\227\073\155\233\004\030\044\104\216\174\001\362\334 +\045\330\136\206\232\261\071\333\365\221\062\152\321\246\160\212 +\242\367\336\244\105\205\046\250\036\214\135\051\133\310\113\330 +\232\152\003\136\160\362\205\117\154\113\150\057\312\124\366\214 +\332\062\376\303\153\203\077\070\306\176 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "DigiCert TLS RSA4096 Root G5" +# Issuer: CN=DigiCert TLS RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:08:f9:b4:78:a8:fa:7e:da:6a:33:37:89:de:7c:cf:8a +# Subject: CN=DigiCert TLS RSA4096 Root 
G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): 37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75 +# Fingerprint (SHA1): A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert TLS RSA4096 Root G5" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\247\210\111\334\135\174\165\214\214\336\071\230\126\263\252\320 +\262\245\161\065 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\254\376\367\064\226\251\362\263\264\022\113\344\047\101\157\341 +END +CKA_ISSUER MULTILINE_OCTAL +\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\045\060\043\006\003\125\004 +\003\023\034\104\151\147\151\103\145\162\164\040\124\114\123\040 +\122\123\101\064\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\010\371\264\170\250\372\176\332\152\063\067\211\336\174 +\317\212 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "DigiCert TLS ECC P384 Root G5" +# +# Issuer: CN=DigiCert TLS ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:09:e0:93:65:ac:f7:d9:c8:b9:3e:1c:0b:04:2a:2e:f3 +# Subject: CN=DigiCert TLS ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): 01:8E:13:F0:77:25:32:CF:80:9B:D1:B1:72:81:86:72:83:FC:48:C6:E1:3B:E9:C6:98:12:85:4A:49:0C:1B:05 +# Fingerprint (SHA1): 17:F3:DE:5E:9F:0F:19:E9:8E:F6:1F:32:26:6E:20:C4:07:AE:30:EE 
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert TLS ECC P384 Root G5" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004 +\003\023\035\104\151\147\151\103\145\162\164\040\124\114\123\040 +\105\103\103\040\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004 +\003\023\035\104\151\147\151\103\145\162\164\040\124\114\123\040 +\105\103\103\040\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\011\340\223\145\254\367\331\310\271\076\034\013\004\052 +\056\363 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\031\060\202\001\237\240\003\002\001\002\002\020\011 +\340\223\145\254\367\331\310\271\076\034\013\004\052\056\363\060 +\012\006\010\052\206\110\316\075\004\003\003\060\116\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003 +\125\004\012\023\016\104\151\147\151\103\145\162\164\054\040\111 +\156\143\056\061\046\060\044\006\003\125\004\003\023\035\104\151 +\147\151\103\145\162\164\040\124\114\123\040\105\103\103\040\120 +\063\070\064\040\122\157\157\164\040\107\065\060\036\027\015\062 +\061\060\061\061\065\060\060\060\060\060\060\132\027\015\064\066 +\060\061\061\064\062\063\065\071\065\071\132\060\116\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003 +\125\004\012\023\016\104\151\147\151\103\145\162\164\054\040\111 +\156\143\056\061\046\060\044\006\003\125\004\003\023\035\104\151 
+\147\151\103\145\162\164\040\124\114\123\040\105\103\103\040\120 +\063\070\064\040\122\157\157\164\040\107\065\060\166\060\020\006 +\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003 +\142\000\004\301\104\241\317\021\227\120\232\336\043\202\065\007 +\315\320\313\030\235\322\361\177\167\065\117\073\335\224\162\122 +\355\302\073\370\354\372\173\153\130\040\354\231\256\311\374\150 +\263\165\271\333\011\354\310\023\365\116\306\012\035\146\060\114 +\273\037\107\012\074\141\020\102\051\174\245\010\016\340\042\351 +\323\065\150\316\233\143\237\204\265\231\115\130\240\216\365\124 +\347\225\311\243\102\060\100\060\035\006\003\125\035\016\004\026 +\004\024\301\121\105\120\131\253\076\347\054\132\372\040\042\022 +\007\200\210\174\021\152\060\016\006\003\125\035\017\001\001\377 +\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\012\006\010\052\206\110\316\075 +\004\003\003\003\150\000\060\145\002\061\000\211\152\215\107\347 +\354\374\156\125\003\331\147\154\046\116\203\306\375\311\373\053 +\023\274\267\172\214\264\145\322\151\151\143\023\143\073\046\120 +\056\001\241\171\006\221\235\110\277\302\276\002\060\107\303\025 +\173\261\240\221\231\111\223\250\074\174\350\106\006\213\054\362 +\061\000\224\235\142\310\211\275\031\204\024\351\245\373\001\270 +\015\166\103\214\056\123\313\174\337\014\027\226\120 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "DigiCert TLS ECC P384 Root G5" +# Issuer: CN=DigiCert TLS ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:09:e0:93:65:ac:f7:d9:c8:b9:3e:1c:0b:04:2a:2e:f3 +# Subject: CN=DigiCert TLS ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): 01:8E:13:F0:77:25:32:CF:80:9B:D1:B1:72:81:86:72:83:FC:48:C6:E1:3B:E9:C6:98:12:85:4A:49:0C:1B:05 +# Fingerprint 
(SHA1): 17:F3:DE:5E:9F:0F:19:E9:8E:F6:1F:32:26:6E:20:C4:07:AE:30:EE +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert TLS ECC P384 Root G5" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\027\363\336\136\237\017\031\351\216\366\037\062\046\156\040\304 +\007\256\060\356 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\323\161\004\152\103\034\333\246\131\341\250\243\252\305\161\355 +END +CKA_ISSUER MULTILINE_OCTAL +\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\046\060\044\006\003\125\004 +\003\023\035\104\151\147\151\103\145\162\164\040\124\114\123\040 +\105\103\103\040\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\011\340\223\145\254\367\331\310\271\076\034\013\004\052 +\056\363 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "DigiCert RSA4096 Root G5" +# +# Issuer: CN=DigiCert RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:08:bf:a2:6f:9a:3f:33:65:a2:ac:f0:a6:38:c4:01:70 +# Subject: CN=DigiCert RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): E4:6A:39:22:04:A8:DC:A3:42:A7:1C:1C:A9:A6:0C:91:85:B9:A9:30:37:01:20:C3:B9:C7:E3:85:6F:0D:8F:3B +# Fingerprint (SHA1): 87:B8:E6:D3:8F:1A:39:CD:97:F0:4A:9E:17:4B:3C:9E:E7:EE:11:15 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert RSA4096 Root G5" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL 
+\060\111\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\041\060\037\006\003\125\004 +\003\023\030\104\151\147\151\103\145\162\164\040\122\123\101\064 +\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\111\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\041\060\037\006\003\125\004 +\003\023\030\104\151\147\151\103\145\162\164\040\122\123\101\064 +\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\010\277\242\157\232\077\063\145\242\254\360\246\070\304 +\001\160 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\136\060\202\003\106\240\003\002\001\002\002\020\010 +\277\242\157\232\077\063\145\242\254\360\246\070\304\001\160\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\111 +\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060 +\025\006\003\125\004\012\023\016\104\151\147\151\103\145\162\164 +\054\040\111\156\143\056\061\041\060\037\006\003\125\004\003\023 +\030\104\151\147\151\103\145\162\164\040\122\123\101\064\060\071 +\066\040\122\157\157\164\040\107\065\060\036\027\015\062\061\060 +\061\061\065\060\060\060\060\060\060\132\027\015\064\066\060\061 +\061\064\062\063\065\071\065\071\132\060\111\061\013\060\011\006 +\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004 +\012\023\016\104\151\147\151\103\145\162\164\054\040\111\156\143 +\056\061\041\060\037\006\003\125\004\003\023\030\104\151\147\151 +\103\145\162\164\040\122\123\101\064\060\071\066\040\122\157\157 +\164\040\107\065\060\202\002\042\060\015\006\011\052\206\110\206 +\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012 +\002\202\002\001\000\252\276\015\262\006\175\046\371\107\352\344 
+\033\347\102\151\270\231\302\271\356\044\261\106\220\313\131\044 +\122\124\065\246\044\302\137\221\031\310\266\102\326\363\107\145 +\225\144\347\205\145\147\251\256\174\000\117\340\170\003\120\255 +\363\177\216\270\021\347\201\142\261\213\337\362\111\046\011\336 +\017\026\274\332\050\233\241\310\227\057\223\220\332\040\052\343 +\204\324\377\251\236\260\055\277\264\000\336\233\037\310\240\143 +\123\150\205\157\115\205\306\252\143\371\215\262\065\166\142\164 +\003\334\223\230\150\005\236\315\220\145\335\322\172\061\253\044 +\055\155\100\056\220\077\143\154\054\353\372\036\200\124\215\171 +\002\220\024\263\265\117\116\365\210\004\103\200\303\110\263\046 +\057\254\121\225\062\125\045\057\101\226\260\126\241\010\073\334 +\230\037\162\205\054\167\312\230\314\070\373\216\162\311\155\354 +\005\354\355\115\267\074\133\024\120\205\335\227\373\131\367\220 +\022\364\023\277\203\115\200\262\025\145\021\227\140\345\326\134 +\346\004\265\120\346\161\063\266\040\223\251\150\000\070\316\111 +\333\264\134\073\162\327\105\134\124\277\315\074\001\043\036\174 +\326\370\151\054\245\000\012\154\062\110\264\336\160\055\072\023 +\027\301\177\144\313\363\060\355\241\075\226\147\361\224\265\140 +\154\133\151\150\365\202\063\011\242\266\331\363\205\262\156\240 +\224\360\302\304\175\241\054\312\163\365\256\340\122\234\242\146 +\346\003\316\352\337\355\030\324\271\143\213\367\350\377\373\263 +\133\217\103\305\257\267\164\224\120\065\145\256\326\057\361\205 +\217\123\241\160\364\215\062\135\274\226\303\036\302\004\004\234 +\004\017\263\135\176\211\040\312\136\047\015\211\112\022\043\264 +\366\304\335\330\037\370\150\263\066\370\036\274\306\367\204\266 +\350\212\116\210\060\070\300\046\330\160\012\011\072\064\016\153 +\202\022\226\034\057\346\236\255\330\161\065\201\261\214\006\156 +\364\156\146\377\113\112\256\275\360\376\327\134\137\123\273\062 +\074\315\142\321\024\240\051\037\020\336\251\162\117\261\255\144 +\345\203\052\217\213\352\204\225\356\230\045\230\232\263\161\074 
+\301\247\120\362\254\102\142\061\302\241\220\306\356\342\267\212 +\250\265\266\033\073\002\003\001\000\001\243\102\060\100\060\035 +\006\003\125\035\016\004\026\004\024\142\155\267\221\117\304\352 +\243\142\140\217\240\320\276\265\217\006\174\150\000\060\016\006 +\003\125\035\017\001\001\377\004\004\003\002\001\206\060\017\006 +\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015 +\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202\002 +\001\000\141\350\373\047\155\326\342\270\263\011\257\252\360\261 +\202\114\376\075\027\211\115\055\025\235\373\356\320\273\204\354 +\204\165\333\103\023\336\214\237\307\051\357\207\164\313\023\160 +\201\126\000\164\374\256\364\331\072\336\042\010\121\245\240\134 +\202\146\266\173\114\251\332\217\253\254\034\101\226\146\326\235 +\336\126\346\277\116\261\262\136\137\300\303\156\324\302\204\220 +\365\175\261\272\026\321\051\212\310\235\351\317\320\307\031\073 +\077\317\356\367\341\063\256\102\310\230\300\010\236\363\132\363 +\337\324\053\073\216\250\050\126\031\307\116\167\074\045\124\334 +\270\110\110\321\371\047\152\076\354\023\257\262\005\211\375\125 +\137\363\175\216\015\234\011\135\054\212\176\205\316\370\341\277 +\021\075\062\214\132\327\176\075\364\063\130\317\242\005\230\243 +\263\373\316\211\277\375\302\026\335\156\334\210\111\015\013\240 +\003\377\347\105\351\004\301\351\375\252\235\165\370\270\037\207 +\203\331\353\071\323\132\247\313\230\254\023\211\000\374\157\225 +\116\341\175\021\106\155\366\070\106\243\023\240\054\001\365\142 +\317\277\034\120\221\047\164\135\267\354\107\174\320\321\165\313 +\173\356\321\115\043\012\303\140\245\167\055\200\332\147\017\216 +\153\166\007\360\246\017\352\204\256\036\171\277\010\212\332\011 +\363\364\356\265\066\363\324\172\103\272\224\065\341\372\301\073 +\033\226\231\244\127\143\353\265\250\202\367\255\370\167\327\166 +\206\363\166\123\126\133\374\046\102\204\316\237\203\221\221\257 +\364\276\160\025\200\245\330\350\151\261\330\221\124\270\031\262 
+\142\371\242\372\125\355\004\277\271\104\206\344\317\361\233\000 +\277\021\017\276\265\164\044\121\377\167\064\143\354\110\043\016 +\350\021\353\167\155\332\312\202\221\276\244\204\223\114\332\241 +\376\314\006\204\350\041\350\124\272\346\323\035\143\075\302\132 +\374\346\311\203\236\162\144\251\206\131\000\214\302\367\023\203 +\266\320\244\061\306\254\221\216\173\244\042\126\023\306\165\307 +\043\274\213\133\374\106\075\376\135\122\051\257\257\350\311\303 +\166\113\350\253\107\002\362\232\015\323\054\210\200\007\206\300 +\143\017\002\114\216\004\123\166\271\130\102\157\174\051\160\135 +\277\047 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "DigiCert RSA4096 Root G5" +# Issuer: CN=DigiCert RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:08:bf:a2:6f:9a:3f:33:65:a2:ac:f0:a6:38:c4:01:70 +# Subject: CN=DigiCert RSA4096 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): E4:6A:39:22:04:A8:DC:A3:42:A7:1C:1C:A9:A6:0C:91:85:B9:A9:30:37:01:20:C3:B9:C7:E3:85:6F:0D:8F:3B +# Fingerprint (SHA1): 87:B8:E6:D3:8F:1A:39:CD:97:F0:4A:9E:17:4B:3C:9E:E7:EE:11:15 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert RSA4096 Root G5" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\207\270\346\323\217\032\071\315\227\360\112\236\027\113\074\236 +\347\356\021\025 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\046\030\234\156\140\042\171\266\215\017\145\114\231\027\126\022 +END +CKA_ISSUER MULTILINE_OCTAL +\060\111\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\041\060\037\006\003\125\004 +\003\023\030\104\151\147\151\103\145\162\164\040\122\123\101\064 
+\060\071\066\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\010\277\242\157\232\077\063\145\242\254\360\246\070\304 +\001\160 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "DigiCert ECC P384 Root G5" +# +# Issuer: CN=DigiCert ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:0d:f3:d9:37:65:a3:79:c5:95:66:ea:92:e2:24:4f:34 +# Subject: CN=DigiCert ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): C1:46:8C:F2:25:4E:60:04:B2:46:96:AB:A2:09:D1:A3:0B:A6:E2:DF:F6:8A:9A:4E:32:C6:AB:41:4F:90:C8:D9 +# Fingerprint (SHA1): D1:EE:B1:E8:C0:90:20:BA:B8:5D:3D:E2:7F:78:EE:33:A0:6C:AE:DB +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert ECC P384 Root G5" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\042\060\040\006\003\125\004 +\003\023\031\104\151\147\151\103\145\162\164\040\105\103\103\040 +\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\042\060\040\006\003\125\004 +\003\023\031\104\151\147\151\103\145\162\164\040\105\103\103\040 +\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\015\363\331\067\145\243\171\305\225\146\352\222\342\044 +\117\064 +END 
+CKA_VALUE MULTILINE_OCTAL +\060\202\002\021\060\202\001\227\240\003\002\001\002\002\020\015 +\363\331\067\145\243\171\305\225\146\352\222\342\044\117\064\060 +\012\006\010\052\206\110\316\075\004\003\003\060\112\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003 +\125\004\012\023\016\104\151\147\151\103\145\162\164\054\040\111 +\156\143\056\061\042\060\040\006\003\125\004\003\023\031\104\151 +\147\151\103\145\162\164\040\105\103\103\040\120\063\070\064\040 +\122\157\157\164\040\107\065\060\036\027\015\062\061\060\061\061 +\065\060\060\060\060\060\060\132\027\015\064\066\060\061\061\064 +\062\063\065\071\065\071\132\060\112\061\013\060\011\006\003\125 +\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012\023 +\016\104\151\147\151\103\145\162\164\054\040\111\156\143\056\061 +\042\060\040\006\003\125\004\003\023\031\104\151\147\151\103\145 +\162\164\040\105\103\103\040\120\063\070\064\040\122\157\157\164 +\040\107\065\060\166\060\020\006\007\052\206\110\316\075\002\001 +\006\005\053\201\004\000\042\003\142\000\004\374\131\037\316\231 +\154\177\233\016\266\051\143\157\306\205\363\012\323\326\233\256 +\127\025\114\016\355\135\343\011\176\155\052\243\206\252\272\170 +\240\247\161\275\104\372\010\300\112\006\326\157\335\054\112\070 +\164\345\320\275\377\172\377\345\071\116\275\275\027\036\037\103 +\255\325\274\047\330\113\277\166\214\060\062\244\373\371\123\345 +\330\252\070\123\135\250\240\067\240\147\012\243\102\060\100\060 +\035\006\003\125\035\016\004\026\004\024\222\226\367\346\272\325 +\021\272\371\042\056\173\176\132\331\360\045\345\005\033\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\012\006\010\052\206\110\316\075\004\003\003\003\150\000\060\145 +\002\061\000\375\300\115\361\244\247\333\247\014\046\021\364\111 +\275\007\070\143\053\104\142\006\171\010\307\303\324\317\233\076 
+\253\072\047\252\220\307\375\131\242\270\062\122\333\312\216\027 +\013\012\220\002\060\135\032\354\121\211\324\144\334\371\345\036 +\070\275\133\056\343\345\104\344\073\030\172\327\360\225\100\217 +\362\353\317\364\371\320\145\242\101\362\260\346\174\301\066\054 +\217\136\071\335\067 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "DigiCert ECC P384 Root G5" +# Issuer: CN=DigiCert ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Serial Number:0d:f3:d9:37:65:a3:79:c5:95:66:ea:92:e2:24:4f:34 +# Subject: CN=DigiCert ECC P384 Root G5,O="DigiCert, Inc.",C=US +# Not Valid Before: Fri Jan 15 00:00:00 2021 +# Not Valid After : Sun Jan 14 23:59:59 2046 +# Fingerprint (SHA-256): C1:46:8C:F2:25:4E:60:04:B2:46:96:AB:A2:09:D1:A3:0B:A6:E2:DF:F6:8A:9A:4E:32:C6:AB:41:4F:90:C8:D9 +# Fingerprint (SHA1): D1:EE:B1:E8:C0:90:20:BA:B8:5D:3D:E2:7F:78:EE:33:A0:6C:AE:DB +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "DigiCert ECC P384 Root G5" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\321\356\261\350\300\220\040\272\270\135\075\342\177\170\356\063 +\240\154\256\333 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\021\177\205\256\107\037\121\141\156\006\224\036\152\103\010\013 +END +CKA_ISSUER MULTILINE_OCTAL +\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\027\060\025\006\003\125\004\012\023\016\104\151\147\151\103\145 +\162\164\054\040\111\156\143\056\061\042\060\040\006\003\125\004 +\003\023\031\104\151\147\151\103\145\162\164\040\105\103\103\040 +\120\063\070\064\040\122\157\157\164\040\107\065 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\015\363\331\067\145\243\171\305\225\146\352\222\342\044 +\117\064 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST 
CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "ISRG Root X2" +# +# Issuer: CN=ISRG Root X2,O=Internet Security Research Group,C=US +# Serial Number:41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52 +# Subject: CN=ISRG Root X2,O=Internet Security Research Group,C=US +# Not Valid Before: Fri Sep 04 00:00:00 2020 +# Not Valid After : Mon Sep 17 16:00:00 2040 +# Fingerprint (SHA-256): 69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70 +# Fingerprint (SHA1): BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "ISRG Root X2" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\051\060\047\006\003\125\004\012\023\040\111\156\164\145\162\156 +\145\164\040\123\145\143\165\162\151\164\171\040\122\145\163\145 +\141\162\143\150\040\107\162\157\165\160\061\025\060\023\006\003 +\125\004\003\023\014\111\123\122\107\040\122\157\157\164\040\130 +\062 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\051\060\047\006\003\125\004\012\023\040\111\156\164\145\162\156 +\145\164\040\123\145\143\165\162\151\164\171\040\122\145\163\145 +\141\162\143\150\040\107\162\157\165\160\061\025\060\023\006\003 +\125\004\003\023\014\111\123\122\107\040\122\157\157\164\040\130 +\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\101\322\235\321\162\352\356\247\200\301\054\154\351\057 +\207\122 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\033\060\202\001\241\240\003\002\001\002\002\020\101 +\322\235\321\162\352\356\247\200\301\054\154\351\057\207\122\060 +\012\006\010\052\206\110\316\075\004\003\003\060\117\061\013\060 +\011\006\003\125\004\006\023\002\125\123\061\051\060\047\006\003 
+\125\004\012\023\040\111\156\164\145\162\156\145\164\040\123\145 +\143\165\162\151\164\171\040\122\145\163\145\141\162\143\150\040 +\107\162\157\165\160\061\025\060\023\006\003\125\004\003\023\014 +\111\123\122\107\040\122\157\157\164\040\130\062\060\036\027\015 +\062\060\060\071\060\064\060\060\060\060\060\060\132\027\015\064 +\060\060\071\061\067\061\066\060\060\060\060\132\060\117\061\013 +\060\011\006\003\125\004\006\023\002\125\123\061\051\060\047\006 +\003\125\004\012\023\040\111\156\164\145\162\156\145\164\040\123 +\145\143\165\162\151\164\171\040\122\145\163\145\141\162\143\150 +\040\107\162\157\165\160\061\025\060\023\006\003\125\004\003\023 +\014\111\123\122\107\040\122\157\157\164\040\130\062\060\166\060 +\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000 +\042\003\142\000\004\315\233\325\237\200\203\012\354\011\112\363 +\026\112\076\134\317\167\254\336\147\005\015\035\007\266\334\026 +\373\132\213\024\333\342\161\140\304\272\105\225\021\211\216\352 +\006\337\367\052\026\034\244\271\305\305\062\340\003\340\036\202 +\030\070\213\327\105\330\012\152\156\346\000\167\373\002\121\175 +\042\330\012\156\232\133\167\337\360\372\101\354\071\334\165\312 +\150\007\014\037\352\243\102\060\100\060\016\006\003\125\035\017 +\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023 +\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035 +\016\004\026\004\024\174\102\226\256\336\113\110\073\372\222\370 +\236\214\317\155\213\251\162\067\225\060\012\006\010\052\206\110 +\316\075\004\003\003\003\150\000\060\145\002\060\173\171\116\106 +\120\204\302\104\207\106\033\105\160\377\130\231\336\364\375\244 +\322\125\246\040\055\164\326\064\274\101\243\120\137\001\047\126 +\264\276\047\165\006\257\022\056\165\230\215\374\002\061\000\213 +\365\167\154\324\310\145\252\340\013\054\356\024\235\047\067\244 +\371\123\245\121\344\051\203\327\370\220\061\133\102\237\012\365 +\376\256\000\150\347\214\111\017\266\157\133\133\025\362\347 +END 
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "ISRG Root X2" +# Issuer: CN=ISRG Root X2,O=Internet Security Research Group,C=US +# Serial Number:41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52 +# Subject: CN=ISRG Root X2,O=Internet Security Research Group,C=US +# Not Valid Before: Fri Sep 04 00:00:00 2020 +# Not Valid After : Mon Sep 17 16:00:00 2040 +# Fingerprint (SHA-256): 69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70 +# Fingerprint (SHA1): BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "ISRG Root X2" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\275\261\271\074\325\227\215\105\306\046\024\125\370\333\225\307 +\132\321\123\257 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\323\236\304\036\043\074\246\337\317\243\176\155\340\024\346\345 +END +CKA_ISSUER MULTILINE_OCTAL +\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061 +\051\060\047\006\003\125\004\012\023\040\111\156\164\145\162\156 +\145\164\040\123\145\143\165\162\151\164\171\040\122\145\163\145 +\141\162\143\150\040\107\162\157\165\160\061\025\060\023\006\003 +\125\004\003\023\014\111\123\122\107\040\122\157\157\164\040\130 +\062 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\101\322\235\321\162\352\356\247\200\301\054\154\351\057 +\207\122 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "e-Szigno Root CA 2017" +# +# Issuer: CN=e-Szigno Root CA 2017,OID.2.5.4.97=VATHU-23584497,O=Microsec Ltd.,L=Budapest,C=HU +# Serial Number:01:54:48:ef:21:fd:97:59:0d:f5:04:0a +# Subject: CN=e-Szigno 
Root CA 2017,OID.2.5.4.97=VATHU-23584497,O=Microsec Ltd.,L=Budapest,C=HU +# Not Valid Before: Tue Aug 22 12:07:06 2017 +# Not Valid After : Fri Aug 22 12:07:06 2042 +# Fingerprint (SHA-256): BE:B0:0B:30:83:9B:9B:C3:2C:32:E4:44:79:05:95:06:41:F2:64:21:B1:5E:D0:89:19:8B:51:8A:E2:EA:1B:99 +# Fingerprint (SHA1): 89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "e-Szigno Root CA 2017" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\161\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +\021\060\017\006\003\125\004\007\014\010\102\165\144\141\160\145 +\163\164\061\026\060\024\006\003\125\004\012\014\015\115\151\143 +\162\157\163\145\143\040\114\164\144\056\061\027\060\025\006\003 +\125\004\141\014\016\126\101\124\110\125\055\062\063\065\070\064 +\064\071\067\061\036\060\034\006\003\125\004\003\014\025\145\055 +\123\172\151\147\156\157\040\122\157\157\164\040\103\101\040\062 +\060\061\067 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\161\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +\021\060\017\006\003\125\004\007\014\010\102\165\144\141\160\145 +\163\164\061\026\060\024\006\003\125\004\012\014\015\115\151\143 +\162\157\163\145\143\040\114\164\144\056\061\027\060\025\006\003 +\125\004\141\014\016\126\101\124\110\125\055\062\063\065\070\064 +\064\071\067\061\036\060\034\006\003\125\004\003\014\025\145\055 +\123\172\151\147\156\157\040\122\157\157\164\040\103\101\040\062 +\060\061\067 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\014\001\124\110\357\041\375\227\131\015\365\004\012 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\100\060\202\001\345\240\003\002\001\002\002\014\001 +\124\110\357\041\375\227\131\015\365\004\012\060\012\006\010\052 +\206\110\316\075\004\003\002\060\161\061\013\060\011\006\003\125 
+\004\006\023\002\110\125\061\021\060\017\006\003\125\004\007\014 +\010\102\165\144\141\160\145\163\164\061\026\060\024\006\003\125 +\004\012\014\015\115\151\143\162\157\163\145\143\040\114\164\144 +\056\061\027\060\025\006\003\125\004\141\014\016\126\101\124\110 +\125\055\062\063\065\070\064\064\071\067\061\036\060\034\006\003 +\125\004\003\014\025\145\055\123\172\151\147\156\157\040\122\157 +\157\164\040\103\101\040\062\060\061\067\060\036\027\015\061\067 +\060\070\062\062\061\062\060\067\060\066\132\027\015\064\062\060 +\070\062\062\061\062\060\067\060\066\132\060\161\061\013\060\011 +\006\003\125\004\006\023\002\110\125\061\021\060\017\006\003\125 +\004\007\014\010\102\165\144\141\160\145\163\164\061\026\060\024 +\006\003\125\004\012\014\015\115\151\143\162\157\163\145\143\040 +\114\164\144\056\061\027\060\025\006\003\125\004\141\014\016\126 +\101\124\110\125\055\062\063\065\070\064\064\071\067\061\036\060 +\034\006\003\125\004\003\014\025\145\055\123\172\151\147\156\157 +\040\122\157\157\164\040\103\101\040\062\060\061\067\060\131\060 +\023\006\007\052\206\110\316\075\002\001\006\010\052\206\110\316 +\075\003\001\007\003\102\000\004\226\334\075\212\330\260\173\157 +\306\047\276\104\220\261\263\126\025\173\216\103\044\175\032\204 +\131\356\143\150\262\306\136\207\320\025\110\036\250\220\255\275 +\123\242\332\336\072\220\246\140\137\150\062\265\206\101\337\207 +\133\054\173\305\376\174\172\332\243\143\060\141\060\017\006\003 +\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006 +\003\125\035\017\001\001\377\004\004\003\002\001\006\060\035\006 +\003\125\035\016\004\026\004\024\207\021\025\010\321\252\301\170 +\014\261\257\316\306\311\220\357\277\060\004\300\060\037\006\003 +\125\035\043\004\030\060\026\200\024\207\021\025\010\321\252\301 +\170\014\261\257\316\306\311\220\357\277\060\004\300\060\012\006 +\010\052\206\110\316\075\004\003\002\003\111\000\060\106\002\041 +\000\265\127\335\327\212\125\013\066\341\206\104\372\324\331\150 
+\215\270\334\043\212\212\015\324\057\175\352\163\354\277\115\154 +\250\002\041\000\313\245\264\022\372\347\265\350\317\176\223\374 +\363\065\217\157\116\132\174\264\274\116\262\374\162\252\133\131 +\371\347\334\061 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "e-Szigno Root CA 2017" +# Issuer: CN=e-Szigno Root CA 2017,OID.2.5.4.97=VATHU-23584497,O=Microsec Ltd.,L=Budapest,C=HU +# Serial Number:01:54:48:ef:21:fd:97:59:0d:f5:04:0a +# Subject: CN=e-Szigno Root CA 2017,OID.2.5.4.97=VATHU-23584497,O=Microsec Ltd.,L=Budapest,C=HU +# Not Valid Before: Tue Aug 22 12:07:06 2017 +# Not Valid After : Fri Aug 22 12:07:06 2042 +# Fingerprint (SHA-256): BE:B0:0B:30:83:9B:9B:C3:2C:32:E4:44:79:05:95:06:41:F2:64:21:B1:5E:D0:89:19:8B:51:8A:E2:EA:1B:99 +# Fingerprint (SHA1): 89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "e-Szigno Root CA 2017" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\211\324\203\003\117\236\232\110\200\137\162\067\324\251\246\357 +\313\174\037\321 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\336\037\366\236\204\256\247\264\041\316\036\130\175\321\204\230 +END +CKA_ISSUER MULTILINE_OCTAL +\060\161\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +\021\060\017\006\003\125\004\007\014\010\102\165\144\141\160\145 +\163\164\061\026\060\024\006\003\125\004\012\014\015\115\151\143 +\162\157\163\145\143\040\114\164\144\056\061\027\060\025\006\003 +\125\004\141\014\016\126\101\124\110\125\055\062\063\065\070\064 +\064\071\067\061\036\060\034\006\003\125\004\003\014\025\145\055 +\123\172\151\147\156\157\040\122\157\157\164\040\103\101\040\062 +\060\061\067 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\014\001\124\110\357\041\375\227\131\015\365\004\012 +END +CKA_TRUST_SERVER_AUTH CK_TRUST 
CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "HARICA TLS ECC Root CA 2021" +# +# Issuer: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Serial Number:67:74:9d:8d:77:d8:3b:6a:db:22:f4:ff:59:e2:bf:ce +# Subject: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Not Valid Before: Fri Feb 19 11:01:10 2021 +# Not Valid After : Mon Feb 13 11:01:09 2045 +# Fingerprint (SHA-256): 3F:99:CC:47:4A:CF:CE:4D:FE:D5:87:94:66:5E:47:8D:15:47:73:9F:2E:78:0F:1B:B4:CA:9B:13:30:97:D4:01 +# Fingerprint (SHA1): BC:B0:C1:9D:E9:98:92:70:19:38:57:E9:8D:A7:B4:5D:6E:EE:01:48 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "HARICA TLS ECC Root CA 2021" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 +\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 +\003\014\033\110\101\122\111\103\101\040\124\114\123\040\105\103 +\103\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 +\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 +\003\014\033\110\101\122\111\103\101\040\124\114\123\040\105\103 
+\103\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\147\164\235\215\167\330\073\152\333\042\364\377\131\342 +\277\316 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\124\060\202\001\333\240\003\002\001\002\002\020\147 +\164\235\215\167\330\073\152\333\042\364\377\131\342\277\316\060 +\012\006\010\052\206\110\316\075\004\003\003\060\154\061\013\060 +\011\006\003\125\004\006\023\002\107\122\061\067\060\065\006\003 +\125\004\012\014\056\110\145\154\154\145\156\151\143\040\101\143 +\141\144\145\155\151\143\040\141\156\144\040\122\145\163\145\141 +\162\143\150\040\111\156\163\164\151\164\165\164\151\157\156\163 +\040\103\101\061\044\060\042\006\003\125\004\003\014\033\110\101 +\122\111\103\101\040\124\114\123\040\105\103\103\040\122\157\157 +\164\040\103\101\040\062\060\062\061\060\036\027\015\062\061\060 +\062\061\071\061\061\060\061\061\060\132\027\015\064\065\060\062 +\061\063\061\061\060\061\060\071\132\060\154\061\013\060\011\006 +\003\125\004\006\023\002\107\122\061\067\060\065\006\003\125\004 +\012\014\056\110\145\154\154\145\156\151\143\040\101\143\141\144 +\145\155\151\143\040\141\156\144\040\122\145\163\145\141\162\143 +\150\040\111\156\163\164\151\164\165\164\151\157\156\163\040\103 +\101\061\044\060\042\006\003\125\004\003\014\033\110\101\122\111 +\103\101\040\124\114\123\040\105\103\103\040\122\157\157\164\040 +\103\101\040\062\060\062\061\060\166\060\020\006\007\052\206\110 +\316\075\002\001\006\005\053\201\004\000\042\003\142\000\004\070 +\010\376\261\240\226\322\172\254\257\111\072\320\300\340\303\073 +\050\252\361\162\155\145\000\107\210\204\374\232\046\153\252\113 +\272\154\004\012\210\136\027\362\125\207\374\060\260\064\342\064 +\130\127\032\204\123\351\060\331\251\362\226\164\303\121\037\130 +\111\061\314\230\116\140\021\207\165\323\162\224\220\117\233\020 +\045\052\250\170\055\276\220\101\130\220\025\162\247\241\267\243 +\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060 
+\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\311 +\033\123\201\022\376\004\325\026\321\252\274\232\157\267\240\225 +\031\156\312\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\206\060\012\006\010\052\206\110\316\075\004\003\003\003 +\147\000\060\144\002\060\021\336\256\370\334\116\210\260\251\360 +\042\255\302\121\100\357\140\161\055\356\217\002\304\135\003\160 +\111\244\222\352\305\024\210\160\246\323\015\260\252\312\054\100 +\234\373\351\202\156\232\002\060\053\107\232\007\306\321\302\201 +\174\312\013\226\030\101\033\243\364\060\011\236\265\043\050\015 +\237\024\266\074\123\242\114\006\151\175\372\154\221\306\052\111 +\105\346\354\267\023\341\072\154 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "HARICA TLS ECC Root CA 2021" +# Issuer: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Serial Number:67:74:9d:8d:77:d8:3b:6a:db:22:f4:ff:59:e2:bf:ce +# Subject: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Not Valid Before: Fri Feb 19 11:01:10 2021 +# Not Valid After : Mon Feb 13 11:01:09 2045 +# Fingerprint (SHA-256): 3F:99:CC:47:4A:CF:CE:4D:FE:D5:87:94:66:5E:47:8D:15:47:73:9F:2E:78:0F:1B:B4:CA:9B:13:30:97:D4:01 +# Fingerprint (SHA1): BC:B0:C1:9D:E9:98:92:70:19:38:57:E9:8D:A7:B4:5D:6E:EE:01:48 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "HARICA TLS ECC Root CA 2021" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\274\260\301\235\351\230\222\160\031\070\127\351\215\247\264\135 +\156\356\001\110 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\256\367\114\345\146\065\321\267\233\214\042\223\164\323\113\260 +END +CKA_ISSUER MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 
+\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 +\003\014\033\110\101\122\111\103\101\040\124\114\123\040\105\103 +\103\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\147\164\235\215\167\330\073\152\333\042\364\377\131\342 +\277\316 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + +# +# Certificate "HARICA TLS RSA Root CA 2021" +# +# Issuer: CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Serial Number:39:ca:93:1c:ef:43:f3:c6:8e:93:c7:f4:64:89:38:7e +# Subject: CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Not Valid Before: Fri Feb 19 10:55:38 2021 +# Not Valid After : Mon Feb 13 10:55:37 2045 +# Fingerprint (SHA-256): D9:5D:0E:8E:DA:79:52:5B:F9:BE:B1:1B:14:D2:10:0D:32:94:98:5F:0C:62:D9:FA:BD:9C:D9:99:EC:CB:7B:1D +# Fingerprint (SHA1): 02:2D:05:82:FA:88:CE:14:0C:06:79:DE:7F:14:10:E9:45:D7:A5:6D +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "HARICA TLS RSA Root CA 2021" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 +\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 
+\003\014\033\110\101\122\111\103\101\040\124\114\123\040\122\123 +\101\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 +\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 +\003\014\033\110\101\122\111\103\101\040\124\114\123\040\122\123 +\101\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\071\312\223\034\357\103\363\306\216\223\307\364\144\211 +\070\176 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\244\060\202\003\214\240\003\002\001\002\002\020\071 +\312\223\034\357\103\363\306\216\223\307\364\144\211\070\176\060 +\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\154 +\061\013\060\011\006\003\125\004\006\023\002\107\122\061\067\060 +\065\006\003\125\004\012\014\056\110\145\154\154\145\156\151\143 +\040\101\143\141\144\145\155\151\143\040\141\156\144\040\122\145 +\163\145\141\162\143\150\040\111\156\163\164\151\164\165\164\151 +\157\156\163\040\103\101\061\044\060\042\006\003\125\004\003\014 +\033\110\101\122\111\103\101\040\124\114\123\040\122\123\101\040 +\122\157\157\164\040\103\101\040\062\060\062\061\060\036\027\015 +\062\061\060\062\061\071\061\060\065\065\063\070\132\027\015\064 +\065\060\062\061\063\061\060\065\065\063\067\132\060\154\061\013 +\060\011\006\003\125\004\006\023\002\107\122\061\067\060\065\006 +\003\125\004\012\014\056\110\145\154\154\145\156\151\143\040\101 +\143\141\144\145\155\151\143\040\141\156\144\040\122\145\163\145 +\141\162\143\150\040\111\156\163\164\151\164\165\164\151\157\156 +\163\040\103\101\061\044\060\042\006\003\125\004\003\014\033\110 +\101\122\111\103\101\040\124\114\123\040\122\123\101\040\122\157 
+\157\164\040\103\101\040\062\060\062\061\060\202\002\042\060\015 +\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 +\017\000\060\202\002\012\002\202\002\001\000\213\302\347\257\145 +\233\005\147\226\311\015\044\271\320\016\144\374\316\342\044\030 +\054\204\177\167\121\313\004\021\066\270\136\355\151\161\247\236 +\344\045\011\227\147\301\107\302\317\221\026\066\142\075\070\004 +\341\121\202\377\254\322\264\151\335\056\354\021\243\105\356\153 +\153\073\114\277\214\215\244\036\235\021\271\351\070\371\172\016 +\014\230\342\043\035\321\116\143\324\347\270\101\104\373\153\257 +\153\332\037\323\305\221\210\133\244\211\222\321\201\346\214\071 +\130\240\326\151\103\251\255\230\122\130\156\333\012\373\153\317 +\150\372\343\244\136\072\105\163\230\007\352\137\002\162\336\014 +\245\263\237\256\251\035\267\035\263\374\212\131\347\156\162\145 +\255\365\060\224\043\007\363\202\026\113\065\230\234\123\273\057 +\312\344\132\331\307\215\035\374\230\231\373\054\244\202\153\360 +\052\037\216\013\137\161\134\134\256\102\173\051\211\201\313\003 +\243\231\312\210\236\013\100\011\101\063\333\346\130\172\375\256 +\231\160\300\132\017\326\023\206\161\057\166\151\374\220\335\333 +\055\156\321\362\233\365\032\153\236\157\025\214\172\360\113\050 +\240\042\070\200\044\154\066\244\073\362\060\221\363\170\023\317 +\301\077\065\253\361\035\021\043\265\103\042\236\001\222\267\030 +\002\345\021\321\202\333\025\000\314\141\067\301\052\174\232\341 +\320\272\263\120\106\356\202\254\235\061\370\373\043\342\003\000 +\110\160\243\011\046\171\025\123\140\363\070\134\255\070\352\201 +\000\143\024\271\063\136\335\013\333\240\105\007\032\063\011\370 +\115\264\247\002\246\151\364\302\131\005\210\145\205\126\256\113 +\313\340\336\074\175\055\032\310\351\373\037\243\141\112\326\052 +\023\255\167\114\032\030\233\221\017\130\330\006\124\305\227\370 +\252\077\040\212\246\205\246\167\366\246\374\034\342\356\156\224 +\063\052\203\120\204\012\345\117\206\370\120\105\170\000\201\353 
+\133\150\343\046\215\314\173\134\121\364\024\054\100\276\032\140 +\035\172\162\141\035\037\143\055\210\252\316\242\105\220\010\374 +\153\276\263\120\052\132\375\250\110\030\106\326\220\100\222\220 +\012\204\136\150\061\370\353\355\015\323\035\306\175\231\030\125 +\126\047\145\056\215\105\305\044\354\316\343\002\003\001\000\001 +\243\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005 +\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024 +\012\110\043\246\140\244\222\012\063\352\223\133\305\127\352\045 +\115\275\022\356\060\016\006\003\125\035\017\001\001\377\004\004 +\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001 +\013\005\000\003\202\002\001\000\076\220\110\252\156\142\025\045 +\146\173\014\325\214\213\211\235\327\355\116\007\357\234\320\024 +\137\136\120\275\150\226\220\244\024\021\252\150\155\011\065\071 +\100\011\332\364\011\054\064\245\173\131\204\111\051\227\164\310 +\007\036\107\155\362\316\034\120\046\343\236\075\100\123\077\367 +\177\226\166\020\305\106\245\320\040\113\120\364\065\073\030\364 +\125\152\101\033\107\006\150\074\273\011\010\142\331\137\125\102 +\252\254\123\205\254\225\126\066\126\253\344\005\214\305\250\332 +\037\243\151\275\123\017\304\377\334\312\343\176\362\114\210\206 +\107\106\032\363\000\365\200\221\242\334\103\102\224\233\040\360 +\321\315\262\353\054\123\302\123\170\112\117\004\224\101\232\217 +\047\062\301\345\111\031\277\361\362\302\213\250\012\071\061\050 +\264\175\142\066\054\115\354\037\063\266\176\167\155\176\120\360 +\237\016\327\021\217\317\030\305\343\047\376\046\357\005\235\317 +\317\067\305\320\173\332\073\260\026\204\014\072\223\326\276\027 +\333\017\076\016\031\170\011\307\251\002\162\042\113\367\067\166 +\272\165\304\205\003\132\143\325\261\165\005\302\271\275\224\255 +\214\025\231\247\223\175\366\305\363\252\164\317\004\205\224\230 +\000\364\342\371\312\044\145\277\340\142\257\310\305\372\262\311 +\236\126\110\332\171\375\226\166\025\276\243\216\126\304\263\064 
+\374\276\107\364\301\264\250\374\325\060\210\150\356\313\256\311 +\143\304\166\276\254\070\030\341\136\134\317\256\072\042\121\353 +\321\213\263\363\053\063\007\124\207\372\264\262\023\173\272\123 +\004\142\001\235\361\300\117\356\341\072\324\213\040\020\372\002 +\127\346\357\301\013\267\220\106\234\031\051\214\334\157\240\112 +\151\151\224\267\044\145\240\377\254\077\316\001\373\041\056\375 +\150\370\233\362\245\317\061\070\134\025\252\346\227\000\301\337 +\132\245\247\071\252\351\204\177\074\121\250\072\331\224\133\214 +\277\117\010\161\345\333\250\134\324\322\246\376\000\243\306\026 +\307\017\350\200\316\034\050\144\164\031\010\323\102\343\316\000 +\135\177\261\334\023\260\341\005\313\321\040\252\206\164\236\071 +\347\221\375\377\133\326\367\255\246\057\003\013\155\343\127\124 +\353\166\123\030\215\021\230\272 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "HARICA TLS RSA Root CA 2021" +# Issuer: CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Serial Number:39:ca:93:1c:ef:43:f3:c6:8e:93:c7:f4:64:89:38:7e +# Subject: CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR +# Not Valid Before: Fri Feb 19 10:55:38 2021 +# Not Valid After : Mon Feb 13 10:55:37 2045 +# Fingerprint (SHA-256): D9:5D:0E:8E:DA:79:52:5B:F9:BE:B1:1B:14:D2:10:0D:32:94:98:5F:0C:62:D9:FA:BD:9C:D9:99:EC:CB:7B:1D +# Fingerprint (SHA1): 02:2D:05:82:FA:88:CE:14:0C:06:79:DE:7F:14:10:E9:45:D7:A5:6D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "HARICA TLS RSA Root CA 2021" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\002\055\005\202\372\210\316\024\014\006\171\336\177\024\020\351 +\105\327\245\155 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\145\107\233\130\206\335\054\360\374\242\204\037\036\226\304\221 +END +CKA_ISSUER 
MULTILINE_OCTAL +\060\154\061\013\060\011\006\003\125\004\006\023\002\107\122\061 +\067\060\065\006\003\125\004\012\014\056\110\145\154\154\145\156 +\151\143\040\101\143\141\144\145\155\151\143\040\141\156\144\040 +\122\145\163\145\141\162\143\150\040\111\156\163\164\151\164\165 +\164\151\157\156\163\040\103\101\061\044\060\042\006\003\125\004 +\003\014\033\110\101\122\111\103\101\040\124\114\123\040\122\123 +\101\040\122\157\157\164\040\103\101\040\062\060\062\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\071\312\223\034\357\103\363\306\216\223\307\364\144\211 +\070\176 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/SPECS/cdrkit/cdrkit.spec b/SPECS/cdrkit/cdrkit.spec index 61c67babc8..9cda62c833 100644 --- a/SPECS/cdrkit/cdrkit.spec +++ b/SPECS/cdrkit/cdrkit.spec @@ -49,7 +49,7 @@ ln -s genisoimage %{buildroot}%{_prefix}/bin/mkisofs - Add an explicit provides for `genisoimage` * Sun May 31 2020 Henry Beberman - 1.1.11-8 - Add patch to fix format-security errors. -* Sat May 09 00:20:47 PST 2020 Nick Samson - 1.1.11-7 +* Sat May 09 2020 Nick Samson - 1.1.11-7 - Added %%license line automatically * Mon Apr 27 2020 Pawel Winogrodzki 1.1.11-6 - Fixed the 'Source0' tags. diff --git a/SPECS/ceph/ceph.signatures.json b/SPECS/ceph/ceph.signatures.json index d9eab82642..b9a73e6549 100644 --- a/SPECS/ceph/ceph.signatures.json +++ b/SPECS/ceph/ceph.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "ceph-15.2.4.tar.gz": "5d51297d5f0358f6fc386ecf3d6e3093a044ef4714ed6c0f0d13af90c96dc54b" + "ceph-16.2.0.tar.gz": "dfeee542536607220dc2ca49f47c41127c8562dea234a886625e0f7ee1524904" } } \ No newline at end of file diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec index a75088749c..154d0772f2 100644 --- a/SPECS/ceph/ceph.spec +++ b/SPECS/ceph/ceph.spec 
@@ -1,14 +1,17 @@ +#disable debuginfo because ceph-debuginfo rpm is too large +%define debug_package %{nil} +%global _python_bytecompile_extra 1 + Summary: User space components of the Ceph file system Name: ceph -Version: 15.2.4 -Release: 2%{?dist} -License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT +Version: 16.2.0 +Release: 3%{?dist} +License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0 URL: https://ceph.io/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz -%global _python_bytecompile_extra 1 # # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file @@ -70,14 +73,17 @@ Requires(post): binutils Requires: systemd BuildRequires: cryptsetup +BuildRequires: cryptsetup-devel BuildRequires: expat-devel BuildRequires: fuse-devel BuildRequires: gcc BuildRequires: gdbm BuildRequires: gperf +BuildRequires: icu-devel BuildRequires: keyutils-devel BuildRequires: leveldb-devel > 1.2 BuildRequires: libaio-devel +BuildRequires: lua-devel BuildRequires: util-linux-libs BuildRequires: libcap-ng-devel BuildRequires: curl-devel @@ -943,7 +949,6 @@ install -m 0644 -D udev/50-rbd.rules %{buildroot}%{_udevrulesdir}/50-rbd.rules # sudoers.d install -m 0600 -D sudoers.d/ceph-osd-smartctl %{buildroot}%{_sysconfdir}/sudoers.d/ceph-osd-smartctl -install -m 0600 -D sudoers.d/cephadm %{buildroot}%{_sysconfdir}/sudoers.d/cephadm #set up placeholder directories mkdir -p %{buildroot}%{_sysconfdir}/ceph @@ -1054,7 +1059,6 @@ exit 0 %files -n cephadm %{_sbindir}/cephadm %{_mandir}/man8/cephadm.8* -%{_sysconfdir}/sudoers.d/cephadm %attr(0700,cephadm,cephadm) %dir %{_sharedstatedir}/cephadm %attr(0700,cephadm,cephadm) %dir %{_sharedstatedir}/cephadm/.ssh %attr(0600,cephadm,cephadm) %{_sharedstatedir}/cephadm/.ssh/authorized_keys 
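Review bot: The new `%define debug_package %{nil}` at the top of the spec switches off the debuginfo subpackage for the whole ceph build, and the only rationale recorded is the one-line comment about RPM size. With no matching debuginfo package, core dumps and stack traces from the ceph daemons cannot be symbolized from distro packages, which makes crash triage on this release harder. I would state that trade-off in the comment and use the same macro form as the line below it: `%global debug_package %{nil}`.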
@@ -1071,6 +1075,8 @@ exit 0 %{_bindir}/ceph-syn %{_bindir}/cephfs-data-scan %{_bindir}/cephfs-journal-tool +%{_bindir}/cephfs-mirror +%{_bindir}/cephfs-top %{_bindir}/cephfs-table-tool %{_bindir}/rados %{_bindir}/radosgw-admin @@ -1079,6 +1085,8 @@ exit 0 %{_bindir}/rbd-replay-many %{_bindir}/rbdmap %{_sbindir}/mount.ceph +%{_unitdir}/cephfs-mirror@.service +%{_unitdir}/cephfs-mirror.target %if %{with lttng} %{_bindir}/rbd-replay-prep %endif @@ -1101,6 +1109,9 @@ exit 0 %{_mandir}/man8/rbd-replay-many.8* %{_mandir}/man8/rbd-replay-prep.8* %{_mandir}/man8/rgw-orphan-list.8* +%{_mandir}/man8/cephfs-mirror.8* +%{_mandir}/man8/cephfs-top.8* +%{python3_sitelib}/cephfs_top-*.egg-info %dir %{_datadir}/ceph/ %{_datadir}/ceph/known_hosts_drop.ceph.com %{_datadir}/ceph/id_rsa_drop.ceph.com @@ -1116,6 +1127,8 @@ exit 0 %{_udevrulesdir}/50-rbd.rules %attr(3770,ceph,ceph) %dir %{_localstatedir}/log/ceph/ %attr(750,ceph,ceph) %dir %{_localstatedir}/lib/ceph/ +%exclude %{_includedir}/libcephsqlite.h +%exclude %{_libdir}/libcephsqlite.so %pre common CEPH_GROUP_ID=167 @@ -1235,6 +1248,8 @@ fi %{_datadir}/ceph/mgr/insights %{_datadir}/ceph/mgr/iostat %{_datadir}/ceph/mgr/localpool +%{_datadir}/ceph/mgr/mds_autoscaler +%{_datadir}/ceph/mgr/mirroring %{_datadir}/ceph/mgr/orchestrator %{_datadir}/ceph/mgr/osd_perf_query %{_datadir}/ceph/mgr/osd_support @@ -1244,6 +1259,8 @@ fi %{_datadir}/ceph/mgr/rbd_support %{_datadir}/ceph/mgr/restful %{_datadir}/ceph/mgr/selftest +%{_datadir}/ceph/mgr/snap_schedule +%{_datadir}/ceph/mgr/stats %{_datadir}/ceph/mgr/status %{_datadir}/ceph/mgr/telegraf %{_datadir}/ceph/mgr/telemetry @@ -1324,6 +1341,7 @@ fi %files fuse %{_bindir}/ceph-fuse %{_mandir}/man8/ceph-fuse.8* +%{_mandir}/man8/mount.fuse.ceph.8* %{_sbindir}/mount.fuse.ceph %{_unitdir}/ceph-fuse@.service %{_unitdir}/ceph-fuse.target 
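Review bot: The unit files added in the `@@ -1079,6 +1085,8 @@` hunk, `%{_unitdir}/cephfs-mirror@.service` and `%{_unitdir}/cephfs-mirror.target`, arrive without any scriptlet change in the visible hunks. The scriptlets of the package that owns this %files list are outside the hunk (a later hunk shows `%pre common` following it, so it is presumably the common package). If they do not cover the new units, an upgrade or removal leaves running cephfs-mirror instances untouched, still executing the old binary after a security update. I would either add `cephfs-mirror.target` to that package's existing post/preun/postun handling, or move `cephfs-mirror` and its units into their own subpackage with its own scriptlets.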
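Review bot: The two `%exclude` lines added in the `@@ -1116,6 +1127,8 @@` hunk (`%{_includedir}/libcephsqlite.h` and `%{_libdir}/libcephsqlite.so`) have no comment explaining why the files are built but not shipped, and no visible hunk accounts for a versioned `libcephsqlite.so.*`. `%exclude` only drops the paths from this package's list; the files are still installed into the buildroot. I would add a comment above them such as `# libcephsqlite is not shipped: <reason>`, or remove the files in %install instead. It is also worth confirming that the versioned library is either packaged or removed as well.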
@@ -1402,6 +1420,8 @@ fi %{_bindir}/radosgw-es %{_bindir}/radosgw-object-expirer %{_bindir}/rgw-orphan-list +%{_bindir}/rgw-gap-list +%{_bindir}/rgw-gap-list-comparator %{_libdir}/libradosgw.so* %{_mandir}/man8/radosgw.8* %dir %{_localstatedir}/lib/ceph/radosgw @@ -1436,6 +1456,7 @@ fi %files osd %{_bindir}/ceph-clsinfo %{_bindir}/ceph-bluestore-tool +%{_bindir}/ceph-erasure-code-tool %{_bindir}/ceph-objectstore-tool %{_bindir}/ceph-osdomap-tool %{_bindir}/ceph-osd @@ -1556,6 +1577,7 @@ fi %if %{with lttng} %{_libdir}/librbd_tp.so.* %endif +%{_libdir}/ceph/librbd/libceph_*.so* %post -n librbd1 -p /sbin/ldconfig @@ -1573,7 +1595,6 @@ fi %files -n librgw2 %{_libdir}/librgw.so.* -%{_libdir}/librgw_admin_user.so.* %if %{with lttng} %{_libdir}/librgw_op_tp.so.* %{_libdir}/librgw_rados_tp.so.* @@ -1586,10 +1607,8 @@ fi %files -n librgw-devel %dir %{_includedir}/rados %{_includedir}/rados/librgw.h -%{_includedir}/rados/librgw_admin_user.h %{_includedir}/rados/rgw_file.h %{_libdir}/librgw.so -%{_libdir}/librgw_admin_user.so %if %{with lttng} %{_libdir}/librgw_op_tp.so %{_libdir}/librgw_rados_tp.so @@ -1616,6 +1635,7 @@ fi %{_includedir}/cephfs/libcephfs.h %{_includedir}/cephfs/ceph_ll_client.h %{_libdir}/libcephfs.so +%{_includedir}/cephfs/metrics/Types.h %files -n python%{python3_pkgversion}-cephfs %{python3_sitearch}/cephfs.cpython*.so 
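Review bot: In the `@@ -1616,6 +1635,7 @@` hunk, `%{_includedir}/cephfs/metrics/Types.h` is added without a `%dir` entry for the new `metrics` directory, so nothing in the visible list owns that directory. An unowned directory is left behind when the package is removed and is not tracked by package verification. I would add `%dir %{_includedir}/cephfs/metrics` and put both lines next to the other `cephfs/` headers rather than after `libcephfs.so`. The start of this %files list is outside the hunk, so check that the directory is not already covered there.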
@@ -1784,8 +1804,18 @@ exit 0 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml %changelog +* Wed Aug 18 2021 Thomas Crain - 16.2.0-3 +- Enable python byte compilation for directories outside of %%python3_site{lib,arch} + +* Thu Jun 17 2021 Neha Agarwal 16.2.0-2 +- Disable debuginfo because ceph-debuginfo rpm is too large + +* Fri May 21 2021 Neha Agarwal 16.2.0-1 +- Update package version to fix CVE-2020-25660, CVE-2020-25678 and CVE-2020-27781 + * Fri Feb 05 2021 Joe Schmitt - 15.2.4-2 - Include python bytecompiled files in the resulting package. -* Fri Aug 21 2020 Thomas Crain 15.2.4-1 -- Initial CBL-Mariner import from Ceph source (license: LGPLv2.1) \ No newline at end of file +* Fri Aug 21 2020 Thomas Crain 15.2.4-1 +- Initial CBL-Mariner import from Ceph source (license: LGPLv2.1) +- License verified diff --git a/SPECS/check/check.spec b/SPECS/check/check.spec index 3f4c5697da..67cd12036d 100644 --- a/SPECS/check/check.spec +++ b/SPECS/check/check.spec 
@@ -46,22 +46,30 @@ make %{?_smp_mflags} check /usr/share/aclocal/* %changelog -* Mon Sep 28 2020 Ruying Chen 0.12.0-5 -- Provide check-devel -* Sat May 09 2020 Nick Samson 0.12.0-4 -- Added %%license line automatically -* Thu Apr 23 2020 Pawel Winogrodzki 0.12.0-3 -- License verified. -- Updated 'Url' and 'Source0' tags. -* Tue Sep 03 2019 Mateusz Malisz 0.12.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 19 2018 Ajay Kaher 0.12.0-1 -- Upgraded to version 0.12.0 -* Tue May 24 2016 Priyesh Padmavilasom 0.10.0-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Xiaolin Li 0.10.0-1 -- Updated to version 0.10.0 -* Wed May 20 2015 Touseef Liaqat 0.9.14-2 -- Updated group. -* Tue Nov 25 2014 Divya Thaluru 0.9.14-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 0.12.0-5 +- Provide check-devel + +* Sat May 09 2020 Nick Samson 0.12.0-4 +- Added %%license line automatically + +* Thu Apr 23 2020 Pawel Winogrodzki 0.12.0-3 +- License verified. +- Updated 'Url' and 'Source0' tags. + +* Tue Sep 03 2019 Mateusz Malisz 0.12.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Wed Sep 19 2018 Ajay Kaher 0.12.0-1 +- Upgraded to version 0.12.0 + +* Tue May 24 2016 Priyesh Padmavilasom 0.10.0-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Xiaolin Li 0.10.0-1 +- Updated to version 0.10.0 + +* Wed May 20 2015 Touseef Liaqat 0.9.14-2 +- Updated group. + +* Tue Nov 25 2014 Divya Thaluru 0.9.14-1 +- Initial build. First version diff --git a/SPECS/checkpolicy/checkpolicy.signatures.json b/SPECS/checkpolicy/checkpolicy.signatures.json new file mode 100644 index 0000000000..ffede63296 --- /dev/null +++ b/SPECS/checkpolicy/checkpolicy.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "checkpolicy-3.2.tar.gz": "9b1c81fa86fe3867842164448d90c8e7ea94b2987497809c65d4caa87a5c5bc8" + } +} diff --git a/SPECS/checkpolicy/checkpolicy.spec b/SPECS/checkpolicy/checkpolicy.spec new file mode 100644 index 0000000000..352955eb0e 
--- /dev/null
+++ b/SPECS/checkpolicy/checkpolicy.spec
@@ -0,0 +1,939 @@ +%define libselinuxver 3.2-1 +%define libsepolver 3.2-1 +Summary: SELinux policy compiler +Name: checkpolicy +Version: 3.2 +Release: 1%{?dist} +License: GPLv2 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/SELinuxProject/selinux/wiki +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz +BuildRequires: bison +BuildRequires: flex +BuildRequires: flex-devel +BuildRequires: gcc +BuildRequires: libselinux-devel >= %{libselinuxver} +BuildRequires: libsepol-devel >= %{libsepolver} + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +This package contains checkpolicy, the SELinux policy compiler. +Only required for building policies. 
+ +%prep +%autosetup -p1 + +%build +%make_build clean +%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition" + +pushd test +%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition" +popd + +%install +mkdir -p %{buildroot}%{_bindir} +%make_install LIBDIR="%{_libdir}" +install test/dismod %{buildroot}%{_bindir}/sedismod +install test/dispol %{buildroot}%{_bindir}/sedispol + +%files +%license COPYING +%{_bindir}/checkpolicy +%{_bindir}/checkmodule +%{_bindir}/sedismod +%{_bindir}/sedispol +%{_mandir}/man8/checkpolicy.8.gz +%{_mandir}/man8/checkmodule.8.gz +%{_mandir}/ru/man8/checkpolicy.8.gz +%{_mandir}/ru/man8/checkmodule.8.gz + +%changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Update source URL to new format +- Lint spec +- License verified + +* Wed Aug 19 2020 Daniel Burgener - 2.9-3 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Wed Jul 24 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Thu Jan 31 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-3 +- Check the result value of hashtable_search +- Destroy the class datum if it fails to initialize + +* Thu Jul 12 2018 Fedora Release Engineering - 2.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri May 25 2018 Petr Lautrbach - 2.8-1 +- SELinux userspace 2.8 release + +* Tue May 15 2018 Petr Lautrbach - 2.8-0.rc3.1 +- SELinux userspace 2.8-rc3 release candidate 
+ +* Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 +- SELinux userspace 2.8-rc1 release candidate + +* Wed Mar 21 2018 Petr Lautrbach - 2.7-7 +- Add support for the SCTP portcon keyword + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-6 +- build: follow standard semantics for DESTDIR and PREFIX + +* Thu Feb 22 2018 Florian Weimer - 2.7-5 +- Use LDFLAGS from redhat-rpm-config + +* Wed Feb 07 2018 Fedora Release Engineering - 2.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-3 +- Rebuild with libsepol-2.7-3 and libselinux-2.7-6 + +* Fri Oct 20 2017 Petr Lautrbach - 2.7-2 +- Rebuilt with libsepol-2.7-2 + +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 + +* Wed Aug 02 2017 Fedora Release Engineering - 2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Feb 15 2017 Petr Lautrbach - 2.6-1 +- Update to upstream release 2016-10-14 + +* Fri Feb 10 2017 Fedora Release Engineering - 2.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Oct 03 2016 Petr Lautrbach 2.5-8 +- Add types associated to a role in the current scope when parsing + +* Mon Aug 01 2016 Petr Lautrbach 2.5-7 +- Extend checkpolicy pathname matching +- Rebuilt with libsepol-2.5-9 + +* Mon Jun 27 2016 Petr Lautrbach - 2.5-6 +- Fix typos in sedispol + +* Thu Jun 23 2016 Petr Lautrbach - 2.5-5 +- Set flex as default lexer +- Fix checkmodule output message + +* Wed May 11 2016 Petr Lautrbach - 2.5-4 +- Rebuilt with libsepol-2.5-6 + +* Fri Apr 29 2016 Petr Lautrbach - 2.5-3 +- Build policy on systems not supporting DCCP protocol +- Fail if module name different than output base filename + +* Fri Apr 08 2016 Petr Lautrbach - 2.5-2 +- Add support for portcon dccp protocol + +* Tue Feb 23 2016 Petr Lautrbach 2.5-1 +- Update to 
upstream release 2016-02-23 + +* Sun Feb 21 2016 Petr Lautrbach 2.5-0.1.rc1 +- Update to upstream rc1 release 2016-01-07 + +* Wed Feb 03 2016 Fedora Release Engineering - 2.4-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jul 21 2015 Petr Lautrbach 2.4-1.1 +- Update to 2.4 release + +* Sat Aug 16 2014 Fedora Release Engineering - 2.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 11 2014 Tom Callaway - 2.3-3 +- fix license handling + +* Sat Jun 07 2014 Fedora Release Engineering - 2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue May 6 2014 Dan Walsh - 2.3-1 +- Update to upstream + * Add Android support for building dispol. + * Report source file and line information for neverallow failures. + * Prevent incompatible option combinations for checkmodule. + * Drop -lselinux from LDLIBS for test programs; not used. + * Add debug feature to display constraints/validatetrans from Richard Haines. + +* Thu Oct 31 2013 Dan Walsh - 2.2-1 +- Update to upstream + * Fix hyphen usage in man pages from Laurent Bigonville. + * handle-unknown / -U required argument fix from Laurent Bigonville. + * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville. + * Support space and : in filenames from Dan Walsh. + +* Sat Aug 03 2013 Fedora Release Engineering - 2.1.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 16 2013 Dan Walsh - 2.1.12-4 +- Fix a segmentation fault if the --handle-unknown option was set without +arguments. +- Thanks to Alexandre Rebert and his team at Carnegie Mellon University +for detecting this crash. 
+ +* Tue Mar 19 2013 Dan Walsh - 2.1.12-3 +- ":" should be allowed for file trans names + +* Tue Mar 12 2013 Dan Walsh - 2.1.12-2 +- Space should be allowed for file trans names + +* Thu Feb 7 2013 Dan Walsh - 2.1.12-1 +- Update to upstream + * Fix errors found by coverity + * implement default type policy syntax + * Free allocated memory when clean up / exit. + +* Sat Jan 5 2013 Dan Walsh - 2.1.11-3 +- Update to latest patches from eparis/Upstream +- checkpolicy: libsepol: implement default type policy syntax +- +- We currently have a mechanism in which the default user, role, and range +- can be picked up from the source or the target object. This implements +- the same thing for types. The kernel will override this with type +- transition rules and similar. This is just the default if nothing +- specific is given. + +* Wed Sep 19 2012 Dan Walsh - 2.1.11-2 +- Rebuild with fixed libsepol + +* Thu Sep 13 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + * fd leak reading policy + * check return code on ebitmap_set_bit + +* Mon Jul 30 2012 Dan Walsh - 2.1.10-4 +- Rebuild to grab latest libsepol + +* Tue Jul 24 2012 Dan Walsh - 2.1.10-3 +- Rebuild to grab latest libsepol + +* Wed Jul 18 2012 Fedora Release Engineering - 2.1.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 4 2012 Dan Walsh - 2.1.10-1 +- Update to upstream + * sepolgen: We need to support files that have a + in them + * Android/MacOS X build support + +* Mon Apr 23 2012 Dan Walsh - 2.1.9-4 +- Rebuild to get latest libsepol which fixes the file_name transition problems + +* Tue Apr 17 2012 Dan Walsh - 2.1.9-3 +- Recompile with libsepol that has support for ptrace_child + +* Tue Apr 3 2012 Dan Walsh - 2.1.9-2 +- Allow checkpolicy to use + in a file name + +* Thu Mar 29 2012 Dan Walsh - 2.1.9-1 +- Update to upstream + * implement new default labeling behaviors for usr, role, range + * Fix dead links to www.nsa.gov/selinux + +* Mon Jan 16 2012 Dan Walsh - 2.1.8-3 +- 
Fix man page to link to www.nsa.giv/research/selinux + +* Thu Jan 12 2012 Fedora Release Engineering - 2.1.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Dec 21 2011 Dan Walsh - 2.1.8-1 +-Update to upstream + * add ignoredirs config for genhomedircon + * Fallback_user_level can be NULL if you are not using MLS + +* Wed Dec 21 2011 Dan Walsh - 2.1.7-3 +- default_rules should be optional + +* Thu Dec 15 2011 Dan Walsh - 2.1.7-2 +- Rebuild with latest libsepol + +* Tue Dec 6 2011 Dan Walsh - 2.1.7-1 +- Upgrade to upstream + * dis* fixed signed vs unsigned errors + * dismod: fix unused parameter errors + * test: Makefile: include -W and -Werror + * allow ~ in filename transition rules +- Allow policy to specify the source of target for generating the default user,role +- or mls label for a new target. + +* Mon Nov 14 2011 Dan Walsh - 2.1.6-2 +- Allow ~ in a filename + +* Fri Nov 4 2011 Dan Walsh - 2.1.6-1 +- Upgrade to upstream + * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" + * drop libsepol dynamic link in checkpolicy + +* Tue Sep 20 2011 Dan Walsh - 2.1.5-2 +- Fix checkpolicy to ignore '"' in filename trans rules + +* Mon Sep 19 2011 Dan Walsh - 2.1.5-1 +-Update to upstream + * Separate tunable from boolean during compile. 
+ +* Tue Aug 30 2011 Dan Walsh - 2.1.4-0 +-Update to upstream + * checkpolicy: fix spacing in output message + +* Thu Aug 18 2011 Dan Walsh - 2.1.3-0 + * add missing ; to attribute_role_def + *Redo filename/filesystem syntax to support filename trans + +* Wed Aug 3 2011 Dan Walsh - 2.1.2-0 +-Update to upstream + * .gitignore changes + * dispol output of role trans + * man page update: build a module with an older policy version + +* Thu Jul 28 2011 Dan Walsh - 2.1.1-0 +-Update to upstream + * Minor updates to filename trans rule output in dis{mod,pol} + +* Thu Jul 28 2011 Dan Walsh - 2.1.0-1 +-Update to upstream + +* Mon May 23 2011 Dan Walsh - 2.0.26-1 +-Update to upstream + * Wrap file names in filename transitions with quotes by Steve Lawrence. + * Allow filesystem names to start with a digit by James Carter. + * Add support for using the last path compnent in type transitions by Eric + +* Thu Apr 21 2011 Dan Walsh - 2.0.24-2 + +* Fixes for new role_transition class field by Eric Paris. + +* Fri Apr 15 2011 Dan Walsh - 2.0.24-2 +- Add "-" as a file type + +* Tue Apr 12 2011 Dan Walsh - 2.0.24-1 +-Update to upstream + * Add new class field in role_transition by Harry Ciao. + +* Mon Apr 11 2011 Dan Walsh - 2.0.23-5 +- Fix type_transition to allow all files + +* Tue Mar 29 2011 Dan Walsh - 2.0.23-4 +- Patches from Eric Paris +We just use random numbers to make menu selections. Use #defines and +names that make some sense instead. +This patch adds support for using the last path component as part of the +information in making labeling decisions for new objects. A example +rule looks like so: +type_transition unconfined_t etc_t:file system_conf_t eric; +This rule says if unconfined_t creates a file in a directory labeled +etc_t and the last path component is "eric" (no globbing, no matching +magic, just exact strcmp) it should be labeled system_conf_t. 
+The kernel and policy representation does not have support for such +rules in conditionals, and thus policy explicitly notes that fact if +such a rule is added to a conditional. + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.23-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Dan Walsh - 2.0.23-2 +- Add James Carters Patch + *This patch is needed because some filesystem names (such as 9p) start + with a digit. + +* Tue Dec 21 2010 Dan Walsh - 2.0.23-1 +- Latest update from NSA + * Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock + +* Wed Dec 8 2010 Dan Walsh - 2.0.22-2 +- Rebuild to make sure it will build in Fedora + +* Wed Jun 16 2010 Dan Walsh - 2.0.22-1 +- Latest update from NSA + * Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence +- Allow policy version to be one number + +* Mon May 3 2010 Dan Walsh - 2.0.21-2 +- Fix checkmodule man page and usage statements + +* Sun Nov 1 2009 Dan Walsh - 2.0.21-1 +- Latest update from NSA + * Add support for building Xen policies from Paul Nuzzi. + * Add long options to checkpolicy and checkmodule by Guido + Trentalancia + +* Fri Jul 24 2009 Fedora Release Engineering - 2.0.19-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Feb 23 2009 Fedora Release Engineering - 2.0.19-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Feb 18 2009 Dan Walsh - 2.0.19-1 +- Latest update from NSA + * Fix alias field in module format, caused by boundary format change + from Caleb Case. + +* Fri Jan 30 2009 Dan Walsh - 2.0.18-1 +- Latest update from NSA + * Properly escape regex symbols in the lexer from Stephen Smalley. + * Add bounds support from KaiGai Kohei. 
+ +* Tue Oct 28 2008 Dan Walsh - 2.0.16-4 + +* Mon Jul 7 2008 Dan Walsh - 2.0.16-3 +- Rebuild with new libsepol + +* Wed May 28 2008 Tom "spot" Callaway 2.0.16-2 +- fix license tag + +* Wed May 28 2008 Dan Walsh - 2.0.16-1 +- Latest update from NSA + * Update checkpolicy for user and role mapping support from Joshua Brindle. + +* Fri May 2 2008 Dan Walsh - 2.0.15-1 +- Latest update from NSA + * Fix for policy module versions that look like IPv4 addresses from Jim Carter. + Resolves bug 444451. + +* Fri May 2 2008 Dan Walsh - 2.0.14-2 +- Allow modules with 4 sections or more + +* Thu Mar 27 2008 Dan Walsh - 2.0.14-1 +- Latest update from NSA + * Add permissive domain support from Eric Paris. + +* Thu Mar 13 2008 Dan Walsh - 2.0.13-1 +- Latest update from NSA + * Split out non-grammar parts of policy_parse.yacc into + policy_define.c and policy_define.h from Todd C. Miller. + * Initialize struct policy_file before using it, from Todd C. Miller. + * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller. + +* Thu Feb 28 2008 Dan Walsh - 2.0.10-1 +- Latest update from NSA + * Use yyerror2() where appropriate from Todd C. Miller. +- Build against latest libsepol + +* Fri Feb 22 2008 Dan Walsh - 2.0.9-2 +- Start shipping sedismod and sedispol + +* Mon Feb 4 2008 Dan Walsh - 2.0.9-1 +- Latest update from NSA + * Update dispol for libsepol avtab changes from Stephen Smalley. + +* Fri Jan 25 2008 Dan Walsh - 2.0.8-1 +- Latest update from NSA + * Deprecate role dominance in parser. + +* Mon Jan 21 2008 Dan Walsh - 2.0.7-2 +- Update to use libsepol-static library + +* Fri Jan 11 2008 Dan Walsh - 2.0.7-1 +- Latest update from NSA + * Added support for policy capabilities from Todd Miller. + +* Thu Nov 15 2007 Dan Walsh - 2.0.6-1 +- Latest update from NSA + * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source". 
+ * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter. + +* Tue Sep 18 2007 Dan Walsh - 2.0.4-1 + * Merged handle unknown policydb flag support from Eric Paris. + Adds new command line options -U {allow, reject, deny} for selecting + the flag when a base module or kernel policy is built. + +* Tue Aug 28 2007 Fedora Release Engineering - 2.0.3-3 +- Rebuild for selinux ppc32 issue. + +* Mon Jun 18 2007 Dan Walsh - 2.0.3-2 +- Rebuild with the latest libsepol + +* Sun Jun 17 2007 Dan Walsh - 2.0.3-1 +- Latest update from NSA + * Merged fix for segfault on duplicate require of sensitivity from Caleb Case. + * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh. + +* Thu Apr 12 2007 Dan Walsh - 2.0.2-1 +- Latest update from NSA + * Merged checkmodule man page fix from Dan Walsh. + +* Fri Mar 30 2007 Dan Walsh - 2.0.1-3 +- Rebuild with new libsepol + +* Wed Mar 28 2007 Dan Walsh - 2.0.1-2 +- Rebuild with new libsepol + +* Mon Nov 20 2006 Dan Walsh - 2.0.1-1 +- Latest update from NSA + * Merged patch to allow dots in class identifiers from Caleb Case. + +* Tue Nov 14 2006 Dan Walsh - 2.0.0-1 +- Latest update from NSA + * Merged patch to use new libsepol error codes by Karl MacMillan. + * Updated version for stable branch. + +* Tue Nov 14 2006 Dan Walsh - 1.33.1-2 +- Rebuild for new libraries + +* Tue Nov 14 2006 Dan Walsh - 1.33.1-1 +- Latest update from NSA + * Collapse user identifiers and identifiers together. + +* Tue Oct 17 2006 Dan Walsh - 1.32-1 +- Latest update from NSA + * Updated version for release. + +* Thu Sep 28 2006 Dan Walsh - 1.30.12-1 +- Latest update from NSA + * Merged user and range_transition support for modules from + Darrel Goeddel + +* Wed Sep 6 2006 Dan Walsh - 1.30.11-1 +- Latest update from NSA + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + * Merged symtab datum patch from Karl MacMillan. 
+ +* Wed Jul 12 2006 Jesse Keating - 1.30.9-1.1 +- rebuild + +* Tue Jul 4 2006 Dan Walsh - 1.30.8-1 +- Latest upgrade from NSA + * Lindent. + * Merged patch to remove TE rule conflict checking from the parser + from Joshua Brindle. This can only be done properly by the + expander. + * Merged patch to make checkpolicy/checkmodule handling of + duplicate/conflicting TE rules the same as the expander + from Joshua Brindle. + * Merged optionals in base take 2 patch set from Joshua Brindle. + +* Tue May 23 2006 Dan Walsh - 1.30.5-1 +- Latest upgrade from NSA + * Merged compiler cleanup patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. + +* Wed Apr 5 2006 Dan Walsh - 1.30.4-1 +- Latest upgrade from NSA + * Changed require_class to reject permissions that have not been + declared if building a base module. + +* Tue Mar 28 2006 Dan Walsh - 1.30.3-1 +- Latest upgrade from NSA + * Fixed checkmodule to call link_modules prior to expand_module + to handle optionals. + * Fixed require_class to avoid shadowing permissions already defined + in an inherited common definition. + +* Mon Mar 27 2006 Dan Walsh - 1.30.1-2 +- Rebuild with new libsepol + +* Thu Mar 23 2006 Dan Walsh - 1.30.1-1 +- Latest upgrade from NSA + * Moved processing of role and user require statements to 2nd pass. + +* Fri Mar 17 2006 Dan Walsh - 1.30-1 +- Latest upgrade from NSA + * Updated version for release. + * Fixed bug in role dominance (define_role_dom). + +* Fri Feb 17 2006 Dan Walsh - 1.29.4-1 +- Latest upgrade from NSA + * Added a check for failure to declare each sensitivity in + a level definition. + * Changed to clone level data for aliased sensitivities to + avoid double free upon sens_destroy. Bug reported by Kevin + Carr of Tresys Technology. + +* Mon Feb 13 2006 Dan Walsh - 1.29.2-1 +- Latest upgrade from NSA + * Merged optionals in base patch from Joshua Brindle. 
+ +* Mon Feb 13 2006 Dan Walsh - 1.29.1-1.2 +- Need to build againi + +* Fri Feb 10 2006 Jesse Keating - 1.29.1-1.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Dan Walsh 1.29.1-1 +- Latest upgrade from NSA + * Merged sepol_av_to_string patch from Joshua Brindle. + +* Tue Feb 07 2006 Jesse Keating - 1.28-5.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Jan 13 2006 Dan Walsh 1.28-5 +- Rebuild to get latest libsepol + +* Fri Jan 13 2006 Dan Walsh 1.28-5 +- Rebuild to get latest libsepol + +* Thu Jan 5 2006 Dan Walsh 1.28-4 +- Rebuild to get latest libsepol + +* Wed Jan 4 2006 Dan Walsh 1.28-3 +- Rebuild to get latest libsepol + +* Fri Dec 16 2005 Dan Walsh 1.28-2 +- Rebuild to get latest libsepol + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Dec 9 2005 Dan Walsh 1.28-1 +- Latest upgrade from NSA + +* Sun Dec 4 2005 Dan Walsh 1.27.20-1 +- Latest upgrade from NSA + * Merged checkmodule man page from Dan Walsh, and edited it. + +* Thu Dec 1 2005 Dan Walsh 1.27.19-1 +- Latest upgrade from NSA + * Added error checking of all ebitmap_set_bit calls for out of + memory conditions. + * Merged removal of compatibility handling of netlink classes + (requirement that policies with newer versions include the + netlink class definitions, remapping of fine-grained netlink + classes in newer source policies to single netlink class when + generating older policies) from George Coker. + +* Tue Nov 8 2005 Dan Walsh 1.27.17-7 +- Rebuild to get latest libsepol + +* Tue Oct 25 2005 Dan Walsh 1.27.17-1 +- Latest upgrade from NSA + * Merged dismod fix from Joshua Brindle. + +* Thu Oct 20 2005 Dan Walsh 1.27.16-1 +- Latest upgrade from NSA + * Removed obsolete cond_check_type_rules() function and call and + cond_optimize_lists() call from checkpolicy.c; these are handled + during parsing and expansion now. + * Updated calls to expand_module for interface change. 
+ * Changed checkmodule to verify that expand_module succeeds + when building base modules. + * Merged module compiler fixes from Joshua Brindle. + * Removed direct calls to hierarchy_check_constraints() and + check_assertions() from checkpolicy since they are now called + internally by expand_module(). + +* Tue Oct 18 2005 Dan Walsh 1.27.11-1 +- Latest upgrade from NSA + * Updated for changes to sepol policydb_index_others interface. + +* Tue Oct 18 2005 Dan Walsh 1.27.10-1 +- Latest upgrade from NSA + * Updated for changes to sepol expand_module and link_modules interfaces. + +* Sat Oct 15 2005 Dan Walsh 1.27.9-2 +- Rebuild to get latest libsepol + +* Fri Oct 14 2005 Dan Walsh 1.27.9-1 +- Latest upgrade from NSA + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +* Wed Oct 12 2005 Karsten Hopp 1.27.8-2 +- add buildrequirement for libselinux-devel for dispol + +* Mon Oct 10 2005 Dan Walsh 1.27.8-1 +- Latest upgrade from NSA + * Updated for changes to libsepol. + +* Fri Oct 7 2005 Dan Walsh 1.27.7-2 +- Rebuild to get latest libsepol + +* Thu Oct 6 2005 Dan Walsh 1.27.7-1 +- Latest upgrade from NSA + * Merged several bug fixes from Joshua Brindle (Tresys). + +* Tue Oct 4 2005 Dan Walsh 1.27.6-1 +- Latest upgrade from NSA + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +* Mon Oct 3 2005 Dan Walsh 1.27.5-2 +- Rebuild to get latest libsepol + +* Wed Sep 28 2005 Dan Walsh 1.27.5-1 +- Latest upgrade from NSA + * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys). + +* Tue Sep 27 2005 Dan Walsh 1.27.4-1 +- Latest upgrade from NSA + * Merged bugfix for dup role transition error messages from + Karl MacMillan (Tresys). + +* Fri Sep 23 2005 Dan Walsh 1.27.3-1 +- Latest upgrade from NSA + * Merged policyver/modulever patches from Joshua Brindle (Tresys). 
+ +* Wed Sep 21 2005 Dan Walsh 1.27.2-2 +- Rebuild to get latest libsepol + +* Wed Sep 21 2005 Dan Walsh 1.27.2-1 +- Latest upgrade from NSA + * Fixed parse_categories handling of undefined category. + +* Tue Sep 20 2005 Dan Walsh 1.27.1-2 +- Rebuild to get latest libsepol + +* Sat Sep 17 2005 Dan Walsh 1.27.1-1 +- Latest upgrade from NSA + * Merged bug fix for role dominance handling from Darrel Goeddel (TCS). + +* Wed Sep 14 2005 Dan Walsh 1.26-2 +- Rebuild to get latest libsepol + +* Mon Sep 12 2005 Dan Walsh 1.26-1 +- Latest upgrade from NSA + * Updated version for release. +- Rebuild to get latest libsepol + +* Thu Sep 1 2005 Dan Walsh 1.25.12-3 +- Rebuild to get latest libsepol + +* Mon Aug 29 2005 Dan Walsh 1.25.12-2 +- Rebuild to get latest libsepol + +* Mon Aug 22 2005 Dan Walsh 1.25.12-1 +- Update to NSA Release + * Fixed handling of validatetrans constraint expressions. + Bug reported by Dan Walsh for checkpolicy -M. + +* Mon Aug 22 2005 Dan Walsh 1.25.11-2 +- Fix mls crash + +* Fri Aug 19 2005 Dan Walsh 1.25.11-1 +- Update to NSA Release + * Merged use-after-free fix from Serge Hallyn (IBM). + Bug found by Coverity. + +* Sun Aug 14 2005 Dan Walsh 1.25.10-1 +- Update to NSA Release + * Fixed further memory leaks found by valgrind. + * Changed checkpolicy to destroy the policydbs prior to exit + to allow leak detection. + * Fixed several memory leaks found by valgrind. + +* Sun Aug 14 2005 Dan Walsh 1.25.8-3 +- Rebuild to get latest libsepol changes + +* Sat Aug 13 2005 Dan Walsh 1.25.8-2 +- Rebuild to get latest libsepol changes + +* Thu Aug 11 2005 Dan Walsh 1.25.8-1 +- Update to NSA Release + * Updated checkpolicy and dispol for the new avtab format. + Converted users of ebitmaps to new inline operators. + Note: The binary policy format version has been incremented to + version 20 as a result of these changes. To build a policy + for a kernel that does not yet include these changes, use + the -c 19 option to checkpolicy. 
+ * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys). + * Merged patch to fix dismod compilation from Joshua Brindle (Tresys). + +* Wed Aug 10 2005 Dan Walsh 1.25.5-1 +- Update to NSA Release + * Fixed call to hierarchy checking code to pass the right policydb. + * Merged patch to update dismod for the relocation of the + module read/write code from libsemanage to libsepol, and + to enable build of test subdirectory from Jason Tang (Tresys). + +* Thu Jul 28 2005 Dan Walsh 1.25.3-1 +- Update to NSA Release + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +* Thu Jul 7 2005 Dan Walsh 1.25.2-1 +- Update to NSA Release + * Merged loadable module support from Tresys Technology. + * Merged patch to prohibit the use of * and ~ in type sets + (other than in neverallow statements) and in role sets + from Joshua Brindle (Tresys). + * Updated version for release. + +* Fri May 20 2005 Dan Walsh 1.23-4-1 +- Update to NSA Release + * Merged cleanup patch from Dan Walsh. + +* Thu May 19 2005 Dan Walsh 1.23-3-1 +- Update to NSA Release + * Added sepol_ prefix to Flask types to avoid namespace + collision with libselinux. + +* Sat May 7 2005 Dan Walsh 1.23-2-1 +- Update to NSA Release + * Merged identifier fix from Joshua Brindle (Tresys). + +* Thu Apr 14 2005 Dan Walsh 1.23,1-1 + * Merged hierarchical type/role patch from Tresys Technology. + * Merged MLS fixes from Darrel Goeddel of TCS. + +* Thu Mar 10 2005 Dan Walsh 1.22-1 +- Update to NSA Release + +* Tue Mar 1 2005 Dan Walsh 1.21.4-2 +- Rebuild for FC4 + +* Thu Feb 17 2005 Dan Walsh 1.21.4-1 + * Merged define_user() cleanup patch from Darrel Goeddel (TCS). + * Moved genpolusers utility to libsepol. + * Merged range_transition support from Darrel Goeddel (TCS). + +* Thu Feb 10 2005 Dan Walsh 1.21.2-1 +- Latest from NSA + * Changed relabel Makefile target to use restorecon. 
+ +* Mon Feb 7 2005 Dan Walsh 1.21.1-1 +- Latest from NSA + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +* Fri Jan 7 2005 Dan Walsh 1.20.1-1 +- Update for version increase at NSA + +* Mon Dec 20 2004 Dan Walsh 1.19.2-1 +- Latest from NSA + * Merged typeattribute statement patch from Darrel Goeddel of TCS. + * Changed genpolusers to handle multiple user config files. + * Merged nodecon ordering patch from Chad Hanson of TCS. + +* Thu Nov 11 2004 Dan Walsh 1.19.1-1 +- Latest from NSA + * Merged nodecon ordering patch from Chad Hanson of TCS. + +* Thu Nov 4 2004 Dan Walsh 1.18.1-1 +- Latest from NSA + * MLS build fix. + +* Sat Sep 4 2004 Dan Walsh 1.17.5-1 +- Latest from NSA + * Fixed Makefile dependencies (Chris PeBenito). + +* Sat Sep 4 2004 Dan Walsh 1.17.4-1 +- Latest from NSA + * Fixed Makefile dependencies (Chris PeBenito). + +* Sat Sep 4 2004 Dan Walsh 1.17.3-1 +- Latest from NSA + * Merged fix for role dominance ordering issue from Chad Hanson of TCS. + +* Mon Aug 30 2004 Dan Walsh 1.17.2-1 +- Latest from NSA + +* Thu Aug 26 2004 Dan Walsh 1.16.3-1 +- Fix NSA package to not include y.tab files. 
+ +* Tue Aug 24 2004 Dan Walsh 1.16.2-1 +- Latest from NSA +- Allow port ranges to overlap + +* Sun Aug 22 2004 Dan Walsh 1.16.1-1 +- Latest from NSA + +* Mon Aug 16 2004 Dan Walsh 1.15.6-1 +- Latest from NSA + +* Fri Aug 13 2004 Dan Walsh 1.15.5-1 +- Latest from NSA + +* Wed Aug 11 2004 Dan Walsh 1.15.4-1 +- Latest from NSA + +* Sat Aug 7 2004 Dan Walsh 1.15.3-1 +- Latest from NSA + +* Wed Aug 4 2004 Dan Walsh 1.15.2-1 +- Latest from NSA + +* Sat Jul 31 2004 Dan Walsh 1.15.1-1 +- Latest from NSA + +* Tue Jul 27 2004 Dan Walsh 1.14.2-1 +- Latest from NSA + +* Wed Jun 30 2004 Dan Walsh 1.14.1-1 +- Latest from NSA + +* Fri Jun 18 2004 Dan Walsh 1.12.2-1 +- Latest from NSA + +* Thu Jun 17 2004 Dan Walsh 1.12.1-1 +- Update to latest from NSA + +* Wed Jun 16 2004 Dan Walsh 1.12-1 +- Update to latest from NSA + +* Wed Jun 16 2004 Dan Walsh 1.10-5 +- Add nlclass patch + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Fri Jun 4 2004 Dan Walsh 1.10-3 +- Add BuildRequires flex + +* Thu Apr 8 2004 Dan Walsh 1.10-2 +- Add BuildRequires byacc + +* Thu Apr 8 2004 Dan Walsh 1.10-1 +- Upgrade to the latest from NSA + +* Mon Mar 15 2004 Dan Walsh 1.8-1 +- Upgrade to the latest from NSA + +* Tue Feb 24 2004 Dan Walsh 1.6-1 +- Upgrade to the latest from NSA + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 20 2004 Dan Walsh 1.4-6 +- Add typealias patch + +* Tue Jan 20 2004 Dan Walsh 1.4-5 +- Update excludetypes with negset-final patch + +* Wed Jan 14 2004 Dan Walsh 1.4-4 +- Add excludetypes patch + +* Wed Jan 14 2004 Dan Walsh 1.4-3 +- Add Colin Walter's lineno patch + +* Wed Jan 7 2004 Dan Walsh 1.4-2 +- Remove check for roles transition + +* Sat Dec 6 2003 Dan Walsh 1.4-1 +- upgrade to 1.4 + +* Wed Oct 1 2003 Dan Walsh 1.2-1 +- upgrade to 1.2 + +* Thu Aug 28 2003 Dan Walsh 1.1-2 +- upgrade to 1.1 + +* Mon Jun 2 2003 Dan Walsh 1.0-1 +- Initial version diff --git a/SPECS/chrony/chrony.spec b/SPECS/chrony/chrony.spec index ce0a4ad152..453e4b1bfe 100644 
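Review bot: The two `%make_build` lines in `%build` pass `CFLAGS` on the make command line but nothing for `LDFLAGS`, so the link step for checkpolicy, checkmodule and the `test/` tools (installed as sedismod and sedispol) only gets the distribution's hardening link flags if the build environment happens to export them, which this spec does not show. The imported changelog entry for 2.7-5 ("Use LDFLAGS from redhat-rpm-config") suggests the upstream Makefile honours the variable. I would pass it explicitly on both invocations, e.g. `%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition" LDFLAGS="%{build_ldflags}"`. The built binaries can then be checked for RELRO, BIND_NOW and PIE.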
--- a/SPECS/chrony/chrony.spec +++ b/SPECS/chrony/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server Vendor: Microsoft Corporation Distribution: Mariner @@ -91,6 +91,8 @@ cat >> chrony.conf << EOF # Setting larger 'maxdistance' to tolerate time.windows.com delay maxdistance 16.0 +# Disable listening on UDP port (leaving only Unix socket interface). +cmdport 0 EOF touch -r examples/chrony.conf.example2 examples/chrony-wait.service chrony.conf @@ -201,6 +203,9 @@ systemctl start chronyd.service %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 23 2021 Mateusz Malisz - 3.5.1-5 +- Make chronyd not listen on UDP port by default. + * Tue Apr 13 2021 Rachel Menge - 3.5.1-4 - Bump release to rebuild with new nettle (3.7.2) diff --git a/SPECS/chrpath/chrpath.spec b/SPECS/chrpath/chrpath.spec index 3e58c471c6..c0c4ccb099 100644 --- a/SPECS/chrpath/chrpath.spec +++ b/SPECS/chrpath/chrpath.spec @@ -35,7 +35,7 @@ rm -rf %{buildroot}/usr/doc %{_mandir}/man1/chrpath.1* %changelog -* Sat May 09 00:20:45 PST 2020 Nick Samson - 0.16-4 +* Sat May 09 2020 Nick Samson - 0.16-4 - Added %%license line automatically * Tue Apr 07 2020 Paul Monson 0.16-3 diff --git a/SPECS/cifs-utils/CVE-2021-20208.patch b/SPECS/cifs-utils/CVE-2021-20208.patch new file mode 100644 index 0000000000..ca28b230eb --- /dev/null +++ b/SPECS/cifs-utils/CVE-2021-20208.patch 
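Review bot: The comment added above `cmdport 0` says "Disable listening on UDP port", which reads as if chronyd stops listening on UDP altogether. The directive only closes the UDP command (chronyc) port; the NTP server port is governed by separate directives. I would word it as `# Disable the UDP command port; chronyc remains usable through the local Unix socket. NTP ports are not affected.` so that nobody relies on this line for more isolation than it gives. The 3.5.1-5 changelog entry in the last hunk of this file has the same ambiguity. The heredoc these lines extend (`cat >> chrony.conf << EOF`) begins outside the hunk, so any other listening directives it writes are not visible here.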
@@ -0,0 +1,263 @@ +From cb8b6a8b8ea983844584d8ada4d9aa4c88c997fb Mon Sep 17 00:00:00 2001 +From: Alastair Houghton +Date: Tue, 29 Dec 2020 14:02:39 +0000 +Subject: [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user + namespaces + +In certain scenarios (e.g. kerberos multimount), when a process does +syscalls, the kernel sometimes has to query information or trigger +some actions in userspace. To do so it calls the cifs.upcall binary +with information on the process that triggered the syscall in the +first place. + +ls(pid=10) ====> open("foo") ====> kernel + + that user doesn't have an SMB + session, lets create one using his + kerberos credential cache + + call cifs.upcall and ask for krb info + for whoever owns pid=10 + | + cifs.upcall --pid 10 <=================+ + + ...gather info... + return binary blob used + when establishing SMB session + ===================> kernel + open SMB session, handle + open() syscall +ls <=================================== return open() result to ls + +On a system using containers, the kernel is still calling the host +cifs.upcall and using the host configuration (for network, pid, etc). + +This patch changes the behaviour of cifs.upcall so that it uses the +calling process namespaces (ls in the example) when doing its +job. + +Note that the kernel still calls the binary in the host, but the +binary will place itself the contexts of the calling process +namespaces. + +This code makes use of (but shouldn't require) the following kernel +config options and syscall flags: + +approx. 
year | +introduced | config/flags +---------------+---------------- +2008 | CONFIG_NAMESPACES=y +2007 | CONFIG_UTS_NS=y +2020 | CONFIG_TIME_NS=y +2006 | CONFIG_IPC_NS=y +2007 | CONFIG_USER_NS +2008 | CONFIG_PID_NS=y +2007 | CONFIG_NET_NS=y +2007 | CONFIG_CGROUPS +2016 | CLONE_NEWCGROUP setns() flag + +Signed-off-by: Aurelien Aptel +Signed-off-by: Alastair Houghton +--- + cifs.upcall.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 172 insertions(+) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 89563fd..9718d00 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + + #include "data_blob.h" + #include "spnego.h" +@@ -227,6 +228,164 @@ err_cache: + return credtime; + } + ++static struct namespace_file { ++ int nstype; ++ const char *name; ++ int fd; ++} namespace_files[] = { ++ ++#ifdef CLONE_NEWCGROUP ++ { CLONE_NEWCGROUP, "cgroup", -1 }, ++#endif ++ ++#ifdef CLONE_NEWIPC ++ { CLONE_NEWIPC, "ipc", -1 }, ++#endif ++ ++#ifdef CLONE_NEWUTS ++ { CLONE_NEWUTS, "uts", -1 }, ++#endif ++ ++#ifdef CLONE_NEWNET ++ { CLONE_NEWNET, "net", -1 }, ++#endif ++ ++#ifdef CLONE_NEWPID ++ { CLONE_NEWPID, "pid", -1 }, ++#endif ++ ++#ifdef CLONE_NEWTIME ++ { CLONE_NEWTIME, "time", -1 }, ++#endif ++ ++#ifdef CLONE_NEWNS ++ { CLONE_NEWNS, "mnt", -1 }, ++#endif ++ ++#ifdef CLONE_NEWUSER ++ { CLONE_NEWUSER, "user", -1 }, ++#endif ++}; ++ ++#define NS_PATH_FMT "/proc/%d/ns/%s" ++#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1) ++ ++/** ++ * in_same_user_ns - return true if two processes are in the same user ++ * namespace. ++ * @pid_a: the pid of the first process ++ * @pid_b: the pid of the second process ++ * ++ * Works by comparing the inode numbers for /proc//user. 
++ */ ++static int ++in_same_user_ns(pid_t pid_a, pid_t pid_b) ++{ ++ char path[NS_PATH_MAXLEN]; ++ ino_t a_ino, b_ino; ++ struct stat st; ++ ++ snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user"); ++ if (stat(path, &st) != 0) ++ return 0; ++ a_ino = st.st_ino; ++ ++ snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user"); ++ if (stat(path, &st) != 0) ++ return 0; ++ b_ino = st.st_ino; ++ ++ return a_ino == b_ino; ++} ++ ++/** ++ * switch_to_process_ns - change the namespace to the one for the specified ++ * process. ++ * @pid: initiating pid value from the upcall string ++ * ++ * Uses setns() to switch process namespace. ++ * This ensures that we have the same access and configuration as the ++ * process that triggered the lookup. ++ */ ++static int ++switch_to_process_ns(pid_t pid) ++{ ++ int count = sizeof(namespace_files) / sizeof(struct namespace_file); ++ int n, err = 0; ++ int rc = 0; ++ ++ /* First, open all the namespace fds. We do this first because ++ the namespace changes might prohibit us from opening them. */ ++ for (n = 0; n < count; ++n) { ++ char nspath[NS_PATH_MAXLEN]; ++ int ret, fd; ++ ++#ifdef CLONE_NEWUSER ++ if (namespace_files[n].nstype == CLONE_NEWUSER ++ && in_same_user_ns(getpid(), pid)) { ++ /* Switching to the same user namespace is forbidden, ++ because switching to a user namespace grants all ++ capabilities in that namespace regardless of uid. 
*/ ++ namespace_files[n].fd = -1; ++ continue; ++ } ++#endif ++ ++ ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT, ++ pid, namespace_files[n].name); ++ if (ret >= NS_PATH_MAXLEN) { ++ syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__); ++ err = ENAMETOOLONG; ++ rc = -1; ++ goto out; ++ } ++ ++ fd = open(nspath, O_RDONLY); ++ if (fd < 0 && errno != ENOENT) { ++ /* ++ * don't stop on non-existing ns ++ * but stop for other errors ++ */ ++ err = errno; ++ rc = -1; ++ goto out; ++ } ++ ++ namespace_files[n].fd = fd; ++ } ++ ++ /* Next, call setns for each of them */ ++ for (n = 0; n < count; ++n) { ++ /* skip non-existing ns */ ++ if (namespace_files[n].fd < 0) ++ continue; ++ ++ rc = setns(namespace_files[n].fd, namespace_files[n].nstype); ++ ++ if (rc < 0) { ++ syslog(LOG_DEBUG, "%s: setns() failed for %s\n", ++ __func__, namespace_files[n].name); ++ err = errno; ++ goto out; ++ } ++ } ++ ++out: ++ /* Finally, close all the fds */ ++ for (n = 0; n < count; ++n) { ++ if (namespace_files[n].fd != -1) { ++ close(namespace_files[n].fd); ++ namespace_files[n].fd = -1; ++ } ++ } ++ ++ if (rc != 0) { ++ errno = err; ++ } ++ ++ return rc; ++} ++ + #define ENV_PATH_FMT "/proc/%d/environ" + #define ENV_PATH_MAXLEN (6 + 10 + 8 + 1) + +@@ -1052,6 +1211,19 @@ int main(const int argc, char *const argv[]) + env_cachename = + get_cachename_from_process_env(env_probe ? arg.pid : 0); + ++ /* ++ * Change to the process's namespace. This means that things will work ++ * acceptably in containers, because we'll be looking at the correct ++ * filesystem and have the correct network configuration. ++ */ ++ rc = switch_to_process_ns(arg.pid); ++ if (rc == -1) { ++ syslog(LOG_ERR, "unable to switch to process namespace: %s", ++ strerror(errno)); ++ rc = 1; ++ goto out; ++ } ++ + rc = setuid(uid); + if (rc == -1) { + syslog(LOG_ERR, "setuid: %s", strerror(errno)); +-- +2.17.1 
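Review bot: In `switch_to_process_ns()` the setns() failure branch calls `syslog()` before `err = errno;`, so the value that main() later prints with `strerror(errno)` may be whatever syslog() left behind rather than the setns() error; save it first, i.e. `err = errno;` followed by the `syslog(LOG_DEBUG, ...)` call. The open loop also treats ENOENT as "namespace not present" and continues. If every `/proc/<pid>/ns/*` entry is missing, for example because the initiating process has already exited, the function returns 0 without switching anything and the upcall carries on in the host namespaces. Since the purpose of the patch is to stop using host context, it seems safer to return an error when no namespace file could be opened, or at least to log that case above LOG_DEBUG; whether later steps in main() would fail anyway is outside this hunk. This is an upstream backport, so any change should be raised upstream rather than edited only in this copy.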
diff --git a/SPECS/cifs-utils/cifs-utils.spec b/SPECS/cifs-utils/cifs-utils.spec index b9711a8373..32ebca02c1 100755 --- a/SPECS/cifs-utils/cifs-utils.spec +++ b/SPECS/cifs-utils/cifs-utils.spec @@ -1,18 +1,16 @@ -Summary: cifs client utils -Name: cifs-utils -Version: 6.8 -Release: 4%{?dist} -License: GPLv3 -URL: http://wiki.samba.org/index.php/LinuxCIFS_utils -Group: Applications/Nfs-utils-client -Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2 - -Patch0: CVE-2020-14342.patch -Patch1: CVE-2020-14342-fix.patch - - +Summary: cifs client utils +Name: cifs-utils +Version: 6.8 +Release: 5%{?dist} +License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/Nfs-utils-client +URL: https://wiki.samba.org/index.php/LinuxCIFS_utils +Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2 +Patch0: CVE-2020-14342.patch +Patch1: CVE-2020-14342-fix.patch +Patch2: CVE-2021-20208.patch BuildRequires: libcap-ng-devel BuildRequires: libtalloc-devel Requires: libcap-ng @@ -20,11 +18,10 @@ Requires: libcap-ng %description Cifs-utils, a package of utilities for doing and managing mounts of the Linux CIFS filesystem. - %package devel -Summary: The libraries and header files needed for Cifs-Utils development. -Group: Development/Libraries -Requires: cifs-utils = %{version}-%{release} +Summary: The libraries and header files needed for Cifs-Utils development. +Group: Development/Libraries +Requires: cifs-utils = %{version}-%{release} %description devel Provides header files needed for Cifs-Utils development. 
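Review bot: `Patch2: CVE-2021-20208.patch` is declared in the first hunk of cifs-utils.spec, but none of the three hunks touches `%prep`. If that section applies patches with explicit `%patch0`/`%patch1` lines rather than `%autosetup`, the new patch is shipped in the source package but never applied, and release 5 would be recorded as fixed while the built binary is unchanged. `%prep` lies outside the visible hunks, so please confirm it uses `%autosetup -p1` or add `%patch2 -p1` there. The new changelog entry in the last hunk also has a typo, "Adding a patch fo CVE-2021-20208".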
@@ -52,17 +49,28 @@ make %{?_smp_mflags} check %{_includedir}/cifsidmap.h %changelog -* Wed Sep 30 2020 Henry Beberman 6.8-4 -- Add patch for CVE-2020-14342 -* Sat May 09 2020 Nick Samson 6.8-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 6.8-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 07 2017 Ajay Kaher 6.8-1 -- Upgraded to version 6.8 -* Thu Apr 06 2017 Anish Swaminathan 6.7-1 -- Upgraded to version 6.7 -* Tue May 24 2016 Priyesh Padmavilasom 6.4-2 -- GA - Bump release of all rpms -* Mon Jan 25 2016 Divya Thaluru 6.4-1 -- Initial build. First version +* Mon May 03 2021 Pawel Winogrodzki - 6.8-5 +- Adding a patch fo CVE-2021-20208. +- Updated "URL" tag to use HTTPS. +- License verified. + +* Wed Sep 30 2020 Henry Beberman - 6.8-4 +- Add patch for CVE-2020-14342 + +* Sat May 09 2020 Nick Samson - 6.8-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz - 6.8-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 07 2017 Ajay Kaher - 6.8-1 +- Upgraded to version 6.8 + +* Thu Apr 06 2017 Anish Swaminathan - 6.7-1 +- Upgraded to version 6.7 + +* Tue May 24 2016 Priyesh Padmavilasom - 6.4-2 +- GA - Bump release of all rpms + +* Mon Jan 25 2016 Divya Thaluru - 6.4-1 +- Initial build. First version diff --git a/SPECS/clang/clang.spec b/SPECS/clang/clang.spec index 733d03f521..3768ae493f 100644 --- a/SPECS/clang/clang.spec +++ b/SPECS/clang/clang.spec 
@@ -86,26 +86,26 @@ rm -rf %{buildroot}/* * Tue Apr 27 2021 Henry Li - 8.0.1-4 - Enable eh/rtti, which are required by lldb. -* Fri Jun 12 2020 Henry Beberman 8.0.1-3 -- Temporarily disable generation of debug symbols. +* Fri Jun 12 2020 Henry Beberman 8.0.1-3 +- Temporarily disable generation of debug symbols. -* Sat May 09 00:21:24 PST 2020 Nick Samson - 8.0.1-2 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 8.0.1-2 +- Added %%license line automatically -* Tue Mar 17 2020 Henry Beberman 8.0.1-1 -- Update to 8.0.1. Fix Source0 URL. License verified. +* Tue Mar 17 2020 Henry Beberman 8.0.1-1 +- Update to 8.0.1. Fix Source0 URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 6.0.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 6.0.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Aug 09 2018 Srivatsa S. Bhat 6.0.1-1 -- Update to version 6.0.1 to get it to build with gcc 7.3 +* Thu Aug 09 2018 Srivatsa S. Bhat 6.0.1-1 +- Update to version 6.0.1 to get it to build with gcc 7.3 -* Wed Jun 28 2017 Chang Lee 4.0.0-2 -- Updated %check +* Wed Jun 28 2017 Chang Lee 4.0.0-2 +- Updated %check -* Fri Apr 7 2017 Alexey Makhalov 4.0.0-1 -- Version update +* Fri Apr 7 2017 Alexey Makhalov 4.0.0-1 +- Version update -* Wed Jan 11 2017 Xiaolin Li 3.9.1-1 -- Initial build. +* Wed Jan 11 2017 Xiaolin Li 3.9.1-1 +- Initial build. diff --git a/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec b/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec index 1c65b1e6c0..80a5998d7e 100644 --- a/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec +++ b/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec 
@@ -1,14 +1,13 @@ Summary: Shell script to auto detect free size on disk and grow partition. Name: cloud-utils-growpart Version: 0.32 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment URL: https://launchpad.net/cloud-utils Source0: https://launchpad.net/cloud-utils/trunk/%{version}/+download/cloud-utils-%{version}.tar.gz -Patch0: growpart-remove-flock-disk-locking.patch Requires: gawk Requires: gptfdisk Requires: util-linux @@ -21,7 +20,6 @@ This is generally used by cloud-init for disk space manangement on cloud images. %prep %setup -q -n cloud-utils-%{version} -%patch0 -p1 %build @@ -37,6 +35,9 @@ cp man/growpart.* $RPM_BUILD_ROOT/%{_mandir}/man1/ %doc %{_mandir}/man1/growpart.* %changelog +* Thu Jun 03 2021 Chris Co - 0.32-3 +- Remove patch now that unexpected timeout was root caused and fixed + * Tue Apr 27 2021 Chris Co - 0.32-2 - Add patch to handle unexpected timeout diff --git a/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch b/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch deleted file mode 100644 index 9f5a2129ba..0000000000 --- a/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 1baf9aed12e35e7c032499081ea1c9887e65626a Mon Sep 17 00:00:00 2001 -From: Chris Co -Date: Wed, 28 Apr 2021 05:58:02 +0000 -Subject: [PATCH] growpart: remove flock disk locking - -Regression identified when using flock disk locking with 5.10 kernel and -systemd-239. During unlock_disk_and_settle(), udevadm settle will not -complete and eventually timeout after 2 minutes. When looking at the -systemd-udevd logs, the daemon crashes and produces the following stack -trace: - - Stack trace of thread 1531: - #0 0x00007fd73d9be405 recvmsg (libpthread.so.0) - #1 0x00007fd73dab33b8 udev_monitor_receive_device (libsystemd-shared-239.so) - #2 0x0000600347316201 on_uevent (systemd-udevd) - #3 0x0000600347316667 on_inotify (systemd-udevd) - #4 0x00007fd73dbad6d7 source_dispatch (libsystemd-shared-239.so) - #5 0x00007fd73dbaf4e5 sd_event_dispatch (libsystemd-shared-239.so) - #6 0x00007fd73dbaf678 sd_event_run (libsystemd-shared-239.so) - #7 0x00007fd73dbaf89f sd_event_loop (libsystemd-shared-239.so) - #8 0x00006003473132df run (systemd-udevd) - #9 0x00007fd73d80e133 __libc_start_main (libc.so.6) - #10 0x0000600347313efe _start (systemd-udevd) - -The failing behavior appears to be directly linked to the "exec FD" -actions. A quick way to replicate this issue in the repro environment: - exec 9<>$disk - exec 9>&- - udevadm settle - -This patch comments out the initial lock_disk() call, which makes -unlock_disk_and_settle() return early because ${FLOCK_DISK_FD} is not -set to a valid FD, avoiding the file descriptor actions that lead to -the failing behavior. - -Note that this change does re-introduce the possibility of udev race -conditions during the disk operations, effectively reverting this -behavior to pre-0.32 behavior. 
- -Signed-off-by: Chris Co ---- - bin/growpart | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/bin/growpart b/bin/growpart -index 994b258..90fa016 100755 ---- a/bin/growpart -+++ b/bin/growpart -@@ -954,7 +954,7 @@ get_resizer "$format" "$resizer" || - fail "failed to get a resizer for format '$format'" - resizer=$_RET - --lock_disk $DISK -+#lock_disk $DISK - debug 1 "resizing $PART on $DISK using $resizer" - "$resizer" - ret=$? --- -2.17.1 - diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index bac96a6946..3b9daf8fac 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec @@ -88,7 +88,7 @@ make %{?_smp_mflags} test * Fri Jun 12 2020 Henry Beberman 3.12.1-7 - Temporarily disable generation of debug symbols. -* Sat May 09 00:20:40 PST 2020 Nick Samson - 3.12.1-6 +* Sat May 09 2020 Nick Samson - 3.12.1-6 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.12.1-5 diff --git a/SPECS/cni/cni.spec b/SPECS/cni/cni.spec index 5a4f9eab90..de8a8d1f70 100644 --- a/SPECS/cni/cni.spec +++ b/SPECS/cni/cni.spec @@ -1,7 +1,7 @@ Summary: Container Network Interface (CNI) plugins Name: cni Version: 0.7.5 -Release: 5%{?dist} +Release: 7%{?dist} License: ASL 2.0 # cni moved to https://github.com/containernetworking/cni/issues/667#issuecomment-491693752 URL: https://github.com/containernetworking/plugins @@ -39,6 +39,10 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{_default_cni_plugins_dir}/* %changelog +* Tue Jun 08 2021 Henry Beberman 0.7.5-7 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 0.7.5-6 +- Increment release to force republishing using golang 1.15.11. * Thu Dec 10 2020 Andrew Phelps 0.7.5-5 - Increment release to force republishing using golang 1.15. * Sat May 09 2020 Nick Samson 0.7.5-4 diff --git a/SPECS/collectd/apache.conf b/SPECS/collectd/apache.conf new file mode 100644 index 0000000000..a1a4848944 --- /dev/null 
+++ b/SPECS/collectd/apache.conf
@@ -0,0 +1,7 @@
+LoadPlugin apache
+#
+# URL "http://localhost/status?auto"
+# User "www-user"
+# Password "secret"
+# CACert "/etc/ssl/ca.crt"
+#
diff --git a/SPECS/collectd/collectd-gcc11.patch b/SPECS/collectd/collectd-gcc11.patch
new file mode 100644
index 0000000000..0769aac246
--- /dev/null
+++ b/SPECS/collectd/collectd-gcc11.patch
@@ -0,0 +1,26 @@
+diff --git a/configure b/configure
+index 5bc55f8..3bc1ea2 100755
+--- a/configure
++++ b/configure
+@@ -103142,7 +103142,7 @@ main ()
+ {
+
+ netsnmp_variable_list *key = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);;
+- int val;
++ int val = 0;
+ u_char type = ASN_INTEGER;
+ snmp_set_var_value(key, &val, sizeof(val));
+ snmp_set_var_typed_value(key, type, &val, sizeof(val));
+diff --git a/configure.ac b/configure.ac
+index 2a3152c..5288fcd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3872,7 +3872,7 @@ if test "x$with_libnetsnmp" = "xyes"; then
+ ]],
+ [[
+ netsnmp_variable_list *key = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);;
+- int val;
++ int val = 0;
+ u_char type = ASN_INTEGER;
+ snmp_set_var_value(key, &val, sizeof(val));
+ snmp_set_var_typed_value(key, type, &val, sizeof(val));
diff --git a/SPECS/collectd/collectd-httpd.conf b/SPECS/collectd/collectd-httpd.conf
new file mode 100644
index 0000000000..5f842476a4
--- /dev/null
+++ b/SPECS/collectd/collectd-httpd.conf
@@ -0,0 +1,30 @@
+# Configuration for collectd.
+
+Alias /collectd/ /usr/share/collectd/collection3/
+
+
+ Require local
+ # Require all granted
+ DirectoryIndex bin/index.cgi
+ DirectoryIndexRedirect on
+
+
+
+ Require all denied
+
+
+
+ Require all denied
+
+
+
+ Require local
+ # Require all granted
+
+
+
+ Options ExecCGI
+ AddHandler cgi-script .cgi
+ Require local
+ # Require all granted
+
diff --git a/SPECS/collectd/collectd-include-collectd.d.patch b/SPECS/collectd/collectd-include-collectd.d.patch
new file mode 100644
index 0000000000..04a3d8594e
--- /dev/null
+++ b/SPECS/collectd/collectd-include-collectd.d.patch
@@ -0,0 +1,30 @@
+From ab946c74080ef9608a324f9fca85ae6c6d1eef69 Mon Sep 17 00:00:00 2001
+From: Ruben Kerkhof
+Date: Sat, 30 Jan 2016 17:18:05 +0100
+Subject: [PATCH] Disable rrdtool, include /etc/collectd.d
+
+---
+ src/collectd.conf.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/collectd.conf.in b/src/collectd.conf.in
+index 07d66cd7595e..b91350ca16f4 100644
+--- a/src/collectd.conf.in
++++ b/src/collectd.conf.in
+@@ -168,7 +168,7 @@
+ #@BUILD_PLUGIN_REDIS_TRUE@LoadPlugin redis
+ #@BUILD_PLUGIN_ROUTEROS_TRUE@LoadPlugin routeros
+ #@BUILD_PLUGIN_RRDCACHED_TRUE@LoadPlugin rrdcached
+-@LOAD_PLUGIN_RRDTOOL@LoadPlugin rrdtool
++#@LOAD_PLUGIN_RRDTOOL@LoadPlugin rrdtool
+ #@BUILD_PLUGIN_SENSORS_TRUE@LoadPlugin sensors
+ #@BUILD_PLUGIN_SERIAL_TRUE@LoadPlugin serial
+ #@BUILD_PLUGIN_SIGROK_TRUE@LoadPlugin sigrok
+@@ -1497,3 +1497,4 @@
+ #
+ #
+ #
++Include "/etc/collectd.d"
+--
+2.5.0
+
diff --git a/SPECS/collectd/collectd.service b/SPECS/collectd/collectd.service
new file mode 100644
index 0000000000..28ab7cde5a
--- /dev/null
+++ b/SPECS/collectd/collectd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Collectd statistics daemon
+Documentation=man:collectd(1) man:collectd.conf(5)
+After=local-fs.target network-online.target
+Requires=local-fs.target network-online.target
+
+[Service]
+ExecStart=/usr/sbin/collectd
+Restart=on-failure
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/collectd/collectd.signatures.json b/SPECS/collectd/collectd.signatures.json
new file mode 100644
index 0000000000..eef2b6c2b1
--- /dev/null
+++ b/SPECS/collectd/collectd.signatures.json
@@ -0,0 +1,15 @@
+{
+ "Signatures": {
+ "collectd-5.12.0.tar.bz2": "5bae043042c19c31f77eb8464e56a01a5454e0b39fa07cf7ad0f1bfc9c3a09d6",
+ "collectd-httpd.conf": "1167c286b7329331f648182d2639024aa9accd183306c0edb47a8a25ce85dec4",
+ "collectd.service": "8a2e52f27c31ff99e973132046acabe9d69406c985da0171c9178e7d35deaa4f",
+ "apache.conf": "725464f17b42367e902c6c87d465d295a4f1677925596f1a4e5424e8808eeffb",
+ "email.conf": "5612c78046e21e929dc571c49334dd36f1d02718fc5921c13ce0cacb90924d5f",
+ "mysql.conf": "246271021223c6a3e2071dde288808fa20488293f78644ac226e9dee4378e0b4",
+ "nginx.conf": "553189b9c9fbeda231a8c372d0e5e1e7c8fd82b05b9d5c49f7913af11327b429",
+ "sensors.conf": "0dd219e933d2fb275140e99a32c01ddb9e2fefae3500a0e120386748aa980022",
+ "snmp.conf": "e07805b4395ee048838d03be49d352da00d2d06616f157eaa17644f868e5c64e",
+ "rrdtool.conf": "f958c6910c382d75d200f1b6f0bb8ed881113eb457c77df141e72ec574fb4e23",
+ "onewire.conf": "9f8bc954f158b1e6f682665bb0a0e38c4b164aca6abd6e030f89f928b5caec2e"
+ }
+}
diff --git a/SPECS/collectd/collectd.spec b/SPECS/collectd/collectd.spec
new file mode 100644
index 0000000000..210cd03c8a
--- /dev/null
+++ b/SPECS/collectd/collectd.spec
@@ -0,0 +1,1595 @@ +%global __provides_exclude_from ^%{_libdir}/collectd/.*\\.so$ +Summary: Statistics collection daemon for filling RRD files +Name: collectd +Version: 5.12.0 +Release: 6%{?dist} +License: GPLv2 AND MIT +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://collectd.org/ +Source: https://github.com/collectd/collectd/releases/download/%{name}-%{version}/%{name}-%{version}.tar.bz2 +Source1: collectd-httpd.conf +Source2: collectd.service +Source91: apache.conf +Source92: email.conf +Source93: mysql.conf +Source94: nginx.conf +Source95: sensors.conf +Source96: snmp.conf +Source97: rrdtool.conf +Source98: onewire.conf +Patch0: %{name}-include-collectd.d.patch +Patch1: %{name}-gcc11.patch +BuildRequires: libgcrypt-devel +BuildRequires: perl +BuildRequires: perl(ExtUtils::Embed) +BuildRequires: perl(ExtUtils::MakeMaker) +Requires(post): systemd +Requires(postun): systemd +Requires(preun): systemd +%undefine _strict_symbol_defs_build + +%description +collectd is a daemon which collects system performance statistics periodically +and provides mechanisms to store the values in a variety of ways, +for example in RRD files. + +%package apache +Summary: Apache plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description apache +This plugin collects data provided by Apache's 'mod_status'. + +%package ascent +Summary: Ascent plugin for collectd +BuildRequires: curl-devel +BuildRequires: libxml2-devel +Requires: %{name} = %{version}-%{release} + +%description ascent +This plugin collects data about an Ascent server, +a free server for the "World of Warcraft" game. + +%package bind +Summary: Bind plugin for collectd +BuildRequires: curl-devel +BuildRequires: libxml2-devel +Requires: %{name} = %{version}-%{release} + +%description bind +This plugin retrieves statistics from the BIND dns server. 
+ +%package ceph +Summary: Ceph plugin for collectd +BuildRequires: yajl-devel +Requires: %{name} = %{version}-%{release} + +%description ceph +This plugin collects data from Ceph. + +%package chrony +Summary: Chrony plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description chrony +Chrony plugin for collectd + +%package -n collectd-utils +Summary: Collectd utilities +Requires: %{name} = %{version}-%{release} +Requires: libcollectdclient = %{version}-%{release} + +%description -n collectd-utils +Collectd utilities + +%package curl +Summary: Curl plugin for collectd +BuildRequires: curl-devel +Requires: %{name} = %{version}-%{release} + +%description curl +This plugin reads webpages with curl + +%package curl_json +Summary: Curl JSON plugin for collectd +BuildRequires: curl-devel +BuildRequires: yajl-devel +Requires: %{name} = %{version}-%{release} + +%description curl_json +This plugin retrieves JSON data via curl. + +%package curl_xml +Summary: Curl XML plugin for collectd +BuildRequires: curl-devel +BuildRequires: libxml2-devel +Requires: %{name} = %{version}-%{release} + +%description curl_xml +This plugin retrieves XML data via curl. + +%package disk +Summary: Disk plugin for collectd +BuildRequires: systemd-devel +Requires: %{name} = %{version}-%{release} + +%description disk +This plugin collects statistics of harddisk and, where supported, partitions. + +%package dns +Summary: DNS traffic analysis plugin for collectd +BuildRequires: libpcap-devel +Requires: %{name} = %{version}-%{release} + +%description dns +This plugin collects DNS traffic data. + +%package drbd +Summary: DRBD plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description drbd +This plugin collects data from DRBD. + +%package email +Summary: Email plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description email +This plugin collects data provided by spamassassin. 
+ +%package hugepages +Summary: Hugepages plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description hugepages +This plugin collects statistics about hugepage usage. + +%package infiniband +Summary: Collect metrics about infiniband ports + +%description infiniband +Collect metrics about infiniband ports + +%package iptables +Summary: Iptables plugin for collectd +BuildRequires: iptables-devel +Requires: collectd = %{version}-%{release} + +%description iptables +This plugin collects data from iptables counters. + +%package ipvs +Summary: IPVS plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description ipvs +This plugin collects data from IPVS. + +%package -n libcollectdclient +Summary: Collectd client library + +%description -n libcollectdclient +Collectd client library. + +%package -n libcollectdclient-devel +Summary: Development files for libcollectdclient +Requires: libcollectdclient = %{version}-%{release} + +%description -n libcollectdclient-devel +Development files for libcollectdclient. + +%package log_logstash +Summary: Logstash plugin for collectd +BuildRequires: yajl-devel +Requires: %{name} = %{version}-%{release} + +%description log_logstash +This plugin formats messages as JSON events for Logstash + +%package lua +Summary: Lua plugin for collectd +BuildRequires: lua-devel +Requires: %{name} = %{version}-%{release} + +%description lua +The Lua plugin embeds a Lua interpreter into collectd and exposes the +application programming interface (API) to Lua scripts. + +%package mcelog +Summary: Mcelog plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description mcelog +This plugin monitors machine check exceptions reported by mcelog and generates +appropriate notifications when machine check exceptions are detected. 
+ +%package mdevents +Summary: Get events from RAID arrays in syslog + +%description mdevents +This plugin, named mdevents, is responsible for gathering the events +from RAID arrays that were written to syslog by mdadm utility (which +is a user-space software for managing the RAIDs). Then, based on +configuration provided by user, plugin will decide whether to send the +collectd notification or not. + +Mdevents needs the syslog and mdadm to be present on a platform that +collectd is launched. + +%package netlink +Summary: Netlink plugin for collectd +BuildRequires: iproute +BuildRequires: libmnl-devel +Requires: %{name} = %{version}-%{release} + +%description netlink +This plugin uses a netlink socket to query the Linux kernel +about statistics of various interface and routing aspects. + +%package nginx +Summary: Nginx plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description nginx +This plugin collects data provided by Nginx. + +%package openldap +Summary: OpenLDAP plugin for collectd +BuildRequires: openldap +Requires: %{name} = %{version}-%{release} + +%description openldap +This plugin for collectd reads monitoring information +from OpenLDAP's cn=Monitor subtree. + +%package ovs_events +Summary: Open vSwitch events plugin for collectd +BuildRequires: yajl-devel +Requires: %{name} = %{version}-%{release} + +%description ovs_events +This plugin monitors the link status of Open vSwitch (OVS) connected +interfaces, dispatches the values to collectd and sends notifications +whenever a link state change occurs in the OVS database. + +%package ovs_stats +Summary: Open vSwitch stats plugin for collectd +BuildRequires: yajl-devel +Requires: %{name} = %{version}-%{release} + +%description ovs_stats +This plugin collects statictics of OVS connected bridges and interfaces. 
+ +%package -n perl-Collectd +Summary: Perl bindings for collectd +Requires: %{name} = %{version}-%{release} +Requires: perl + +%description -n perl-Collectd +This package contains the Perl bindings and plugin for collectd. + +%package pinba +Summary: Pinba plugin for collectd +BuildRequires: protobuf-c-devel +Requires: %{name} = %{version}-%{release} + +%description pinba +This plugin receives profiling information from Pinba, +an extension for the PHP interpreter. + +%package postgresql +Summary: PostgreSQL plugin for collectd +BuildRequires: postgresql-devel +Requires: %{name} = %{version}-%{release} + +%description postgresql +PostgreSQL querying plugin. This plugins provides data of issued commands, +called handlers and database traffic. + +%package python +Summary: Python plugin for collectd +BuildRequires: python3-devel +Requires: %{name} = %{version}-%{release} + +%description python +The Python plugin embeds a Python interpreter into Collectd and exposes the +application programming interface (API) to Python-scripts. + +%package rrdcached +Summary: RRDCacheD plugin for collectd +BuildRequires: rrdtool-devel +Requires: %{name} = %{version}-%{release} + +%description rrdcached +This plugin uses the RRDtool accelerator daemon, rrdcached(1), +to store values to RRD files in an efficient manner. + +%package rrdtool +Summary: RRDTool plugin for collectd +BuildRequires: rrdtool-devel +Requires: %{name} = %{version}-%{release} + +%description rrdtool +This plugin for collectd provides rrdtool support. + +%ifnarch ppc sparc sparc64 +%package sensors +Summary: Libsensors module for collectd +BuildRequires: lm-sensors-devel +Requires: %{name} = %{version}-%{release} + +%description sensors +This plugin for collectd provides querying of sensors supported by +lm_sensors. 
+%endif + + +%package smart +Summary: SMART plugin for collectd +BuildRequires: libatasmart-devel +Requires: %{name} = %{version}-%{release} + +%description smart +This plugin for collectd collects SMART statistics, +notably load cycle count, temperature and bad sectors. + +%package snmp +Summary: SNMP module for collectd +BuildRequires: net-snmp-devel +Requires: %{name} = %{version}-%{release} + +%description snmp +This plugin for collectd provides querying of net-snmp. + +%package snmp_agent +Summary: SNMP AgentX plugin for collectd +BuildRequires: net-snmp-devel +Requires: %{name} = %{version}-%{release} + +%description snmp_agent +This plugin is an AgentX subagent that receives and handles queries +from a SNMP master agent and returns the data collected by read plugins. + +%package synproxy +Summary: Synproxy plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description synproxy +This plugin provides statistics for Linux SYNPROXY available since 3.12 + +%ifnarch ppc sparc sparc64 +%package virt +Summary: Libvirt plugin for collectd +BuildRequires: libvirt-devel +BuildRequires: libxml2-devel +Requires: %{name} = %{version}-%{release} + +%description virt +This plugin collects information from virtualized guests. +%endif + + +%package web +Summary: Contrib web interface to viewing rrd files +Requires: %{name} = %{version}-%{release} +Requires: collectd-rrdtool = %{version}-%{release} +Requires: httpd +Requires: perl + +%description web +This package will allow for a simple web interface to view rrd files created by +collectd. + +%package write_http +Summary: HTTP output plugin for collectd +BuildRequires: curl-devel +Requires: %{name} = %{version}-%{release} + +%description write_http +This plugin can send data to Redis. 
+ +%package write_kafka +Summary: Kafka output plugin for collectd +BuildRequires: librdkafka-devel +Requires: %{name} = %{version}-%{release} + +%description write_kafka +This sends values to Kafka, a distributed messaging system. + +%package write_sensu +Summary: Sensu output plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description write_sensu +This plugin can send data to Sensu. + +%package write_syslog +Summary: syslog output plugin for collectd +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +Provides: %{name}-write-syslog = %{version}-%{release} + +%description write_syslog +This plugin can send data to syslog. + +%package write_tsdb +Summary: OpenTSDB output plugin for collectd +Requires: %{name} = %{version}-%{release} + +%description write_tsdb +This plugin can send data to OpenTSDB. + +%prep +%autosetup -v -p1 + +# recompile generated files +touch src/pinba.proto + + +%build +%configure \ + --disable-dependency-tracking \ + --enable-all-plugins \ + --disable-static \ + --disable-amqp \ + --disable-amqp1 \ + --disable-apple_sensors \ + --disable-aquaero \ + --disable-barometer \ + --disable-buddyinfo \ + --disable-capabilities \ + --disable-check_uptime \ + --disable-connectivity \ + --disable-dbi \ + --disable-dcpmm \ + --disable-dpdk_telemetry \ + --disable-dpdkevents \ + --disable-dpdkstat \ + --disable-gmond \ + --disable-gps \ + --disable-gpu_nvidia \ + --disable-grpc \ + --disable-intel_pmu \ + --disable-intel_rdt \ + --disable-ipmi \ + --disable-ipstats \ + --disable-java \ + --disable-logparser \ + --disable-lpar \ + --disable-lvm \ + --disable-memcachec \ + --disable-mic \ + --disable-modbus \ + --disable-mqtt \ + --disable-mysql \ + --disable-netapp \ + --disable-netstat_udp \ + --disable-notify_desktop \ + --disable-notify_email \ + --disable-nut \ + --disable-oracle \ + --disable-onewire \ +%ifarch s390 s390x + --disable-pcie_errors \ +%endif + --disable-pf \ + --disable-ping \ + 
--disable-procevent \ + --disable-redis \ + --disable-redfish \ + --disable-routeros \ +%ifarch ppc sparc sparc64 + --disable-sensors \ +%endif + --disable-sigrok \ + --disable-slurm \ + --disable-sysevent \ + --disable-tape \ + --disable-tokyotyrant \ + --disable-turbostat \ + --disable-ubi \ + --disable-varnish \ + --disable-write_influxdb_udp \ + --disable-write_mongodb \ + --disable-write_prometheus \ + --disable-write_redis \ + --disable-write_riemann \ + --disable-xencpu \ + --disable-xmms \ + --disable-zone \ + --with-java=%{java_home}/ \ + --with-python=%{_bindir}/python3 \ + --with-perl-bindings=INSTALLDIRS=vendor \ + --disable-werror \ + AR_FLAGS="-cr" + +make %{?_smp_mflags} + + +%install +rm -rf contrib/SpamAssassin +make install DESTDIR=%{buildroot} + +install -Dp -m0644 src/collectd.conf %{buildroot}%{_sysconfdir}/collectd.conf +install -Dp -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/collectd.service +install -d -m0755 %{buildroot}%{_localstatedir}/lib/collectd/rrd +install -d -m0755 %{buildroot}%{_datadir}/collectd/collection3/ +install -d -m0755 %{buildroot}%{_sysconfdir}/httpd/conf.d/ + +find contrib/ -type f -exec chmod a-x {} \; + +# Remove Perl hidden .packlist files. +find %{buildroot} -name .packlist -delete +# Remove Perl temporary file perllocal.pod +find %{buildroot} -name perllocal.pod -delete + +# copy web interface +cp -ad contrib/collection3/* %{buildroot}%{_datadir}/collectd/collection3/ +cp -pv %{buildroot}%{_datadir}/collectd/collection3/etc/collection.conf %{buildroot}%{_sysconfdir}/collection.conf +ln -rsf %{_sysconfdir}/collection.conf %{buildroot}%{_datadir}/collectd/collection3/etc/collection.conf +cp -pv %{SOURCE1} %{buildroot}%{_sysconfdir}/httpd/conf.d/collectd.conf +chmod +x %{buildroot}%{_datadir}/collectd/collection3/bin/*.cgi + +# Move the Perl examples to a separate directory. 
+mkdir perl-examples +find contrib -name '*.p[lm]' -exec mv {} perl-examples/ \; + +# Move config contribs +mkdir -p %{buildroot}%{_sysconfdir}/collectd.d/ +cp %{SOURCE91} %{buildroot}%{_sysconfdir}/collectd.d/apache.conf +cp %{SOURCE92} %{buildroot}%{_sysconfdir}/collectd.d/email.conf +cp %{SOURCE93} %{buildroot}%{_sysconfdir}/collectd.d/mysql.conf +cp %{SOURCE94} %{buildroot}%{_sysconfdir}/collectd.d/nginx.conf +cp %{SOURCE95} %{buildroot}%{_sysconfdir}/collectd.d/sensors.conf +cp %{SOURCE96} %{buildroot}%{_sysconfdir}/collectd.d/snmp.conf +cp %{SOURCE97} %{buildroot}%{_sysconfdir}/collectd.d/rrdtool.conf +cp %{SOURCE98} %{buildroot}%{_sysconfdir}/collectd.d/onewire.conf + +# configs for subpackaged plugins +%ifnarch s390 s390x +for p in dns ipmi libvirt nut perl ping postgresql +%else +for p in dns ipmi libvirt perl ping postgresql +%endif +do +cat > %{buildroot}%{_sysconfdir}/collectd.d/$p.conf < - 5.12.0-6 +- Update Requires to perl package + +* Thu Jun 03 2021 Suresh Babu Chalamalasetty - 5.12.0-5 +- Initial CBL-Mariner import from Fedora 35 (license: MIT) +- License verified + +* Fri May 21 2021 Jitka Plesnikova - 5.12.0-4 +- Perl 5.34 rebuild + +* Tue Mar 02 2021 Zbigniew JÄ™drzejewski-Szmek - 5.12.0-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 08 2021 Pavel Raiskup - 5.12.0-2 +- rebuild for libpq ABI fix rhbz#1908268 + +* Tue Jan 26 2021 Matthias Runge - 5.12.0-1 +- rebase to 5.12 + +* Tue Jan 26 2021 Fedora Release Engineering - 5.11.0-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 13 08:56:31 CET 2021 Adrian Reber - 5.11.0-12 +- Rebuilt for protobuf 3.14 + +* Wed Sep 23 2020 Adrian Reber - 5.11.0-11 +- Rebuilt for protobuf 3.13 + +* Wed Sep 02 2020 Kevin Fenzi - 5.11.0-10 +- Rebuild for new net-snmp. 
+ +* Sat Aug 01 2020 Fedora Release Engineering - 5.11.0-9 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Jeff Law - 5.11.0-8 +- Fix uninitialized variable in configure test which caused + unexpected results for HAVE_NETSNMP_OLD_API + +* Mon Jul 27 2020 Fedora Release Engineering - 5.11.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jul 10 2020 Jiri Vanek - 5.11.0-6 +- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11 + +* Tue Jun 23 2020 Jitka Plesnikova - 5.11.0-5 +- Perl 5.32 rebuild + +* Sat Jun 20 2020 Adrian Reber - 5.11.0-4 +- Rebuilt for protobuf 3.12 + +* Thu Jun 18 2020 Björn Esser - 5.11.0-3 +- Rebuild (gpsd) + +* Tue May 26 2020 Miro HronÄok - 5.11.0-2 +- Rebuilt for Python 3.9 + +* Thu Mar 19 2020 Ruben Kerkhof - 5.11.0-1 +- Upstream released new version +- Disable mqtt plugin for now due to broken deps + +* Tue Jan 28 2020 Fedora Release Engineering - 5.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Oct 17 2019 Matthias Runge - 5.9.2-1 +- rebase to 5.9.2 +- move write_syslog to own subpackage + +* Mon Aug 19 2019 Miro HronÄok - 5.9.0-4 +- Rebuilt for Python 3.8 + +* Thu Aug 15 2019 Ruben Kerkhof - 5.9.0-3 +- Remove lvm2 plugin, liblvm2 is gone from the distro + +* Wed Jul 24 2019 Fedora Release Engineering - 5.9.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 05 2019 Kevin Fenzi - 5.9.0-1 +- Update to 5.9.0. 
+ +* Wed Jul 03 2019 Björn Esser - 5.8.1-7 +- Rebuild (gpsd) + +* Tue Jun 25 2019 Björn Esser - 5.8.1-6 +- Rebuilt (iptables) + +* Fri May 31 2019 Jitka Plesnikova - 5.8.1-5 +- Perl 5.30 rebuild + +* Tue Feb 12 2019 Ruben Kerkhof - 5.8.1-4 +- Fix test failure + +* Thu Jan 31 2019 Fedora Release Engineering - 5.8.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 5.8.1-2 +- Rebuilt for libcrypt.so.2 (#1666033) +- Add upstream patch to remove upper limit of SENSORS_API_VERSION + +* Wed Oct 24 2018 Ruben Kerkhof - 5.8.1-1 +- Upstream released new version + +* Thu Jul 12 2018 Fedora Release Engineering - 5.8.0-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 03 2018 Petr Pisar - 5.8.0-15 +- Perl 5.28 rebuild + +* Mon Jul 02 2018 Miro HronÄok - 5.8.0-14 +- Rebuilt for Python 3.7 + +* Fri Jun 29 2018 Jitka Plesnikova - 5.8.0-13 +- Perl 5.28 rebuild + +* Thu Jun 28 2018 Ruben Kerkhof - 5.8.0-12 +- Remove unneeded ldconfig scriptlets + +* Tue Jun 19 2018 Miro HronÄok - 5.8.0-11 +- Rebuilt for Python 3.7 + +* Thu Apr 05 2018 Ruben Kerkhof - 5.8.0-10 +- Depend on perl-interpreter since the build scripts call /usr/bin/perl + +* Wed Apr 04 2018 Ruben Kerkhof - 5.8.0-9 +- Fix segfault in Ceph plugin (#1531596) + +* Sun Feb 18 2018 Kevin Fenzi - 5.8.0-8 +- Rebuild for new libowcapi. + +* Wed Feb 07 2018 Fedora Release Engineering - 5.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 23 2018 Ruben Kerkhof - 5.8.0-6 +- Disable strict symbol checks in the link editor. + Collectd uses plugins so undefined symbols are expected. + +* Tue Jan 23 2018 Ruben Kerkhof - 5.8.0-5 +- Disable broken gmond plugin. Ganglia needs to depend on libtirpc-devel. + +* Sat Jan 20 2018 Björn Esser - 5.8.0-4 +- Rebuilt for switch to libxcrypt + +* Wed Dec 20 2017 Kevin Fenzi - 5.8.0-3 +- Rebuild for new libxen. 
+ +* Tue Nov 21 2017 Ruben Kerkhof - 5.8.0-2 +- Enable write_mongodb plugin (#1388826) +- Remove dependency on libltdl + +* Sat Nov 18 2017 Ruben Kerkhof - 5.8.0-1 +- Upstream released new version +- Fixes CVE-2017-16820 (double free in snmp plugin) + +* Mon Oct 02 2017 Ruben Kerkhof - 5.7.2-15 +- Use mariadb-connector-c-devel instead of mysql-devel (31493616) + +* Mon Oct 02 2017 Ruben Kerkhof - 5.7.2-14 +- Enable ping plugin again (#1478736) + +* Wed Sep 27 2017 Kevin Fenzi - 5.7.2-13 +- Rebuild for new libgps + +* Wed Aug 02 2017 Fedora Release Engineering - 5.7.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Sun Jul 30 2017 Florian Weimer - 5.7.2-11 +- Rebuild with binutils fix for ppc64le (#1475636) + +* Wed Jul 26 2017 Fedora Release Engineering - 5.7.2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 24 2017 Kevin Fenzi - 5.7.2-9 +- Rebuild for new libxenctrl + +* Fri Jul 14 2017 Ruben Kerkhof - 5.7.2-8 +- Own /usr/share/collectd (#1471070) +- Own /usr/include/collectd + +* Thu Jul 13 2017 Ruben Kerkhof - 5.7.2-7 +- Re-enable java plugin on ppc64le + +* Fri Jul 07 2017 Ruben Kerkhof - 5.7.2-6 +- Disable java plugin on ppc64le for now, javac segfaults. + +* Mon Jul 03 2017 Ruben Kerkhof - 5.7.2-5 +- Rebuild for owfs + +* Thu Jun 15 2017 Ruben Kerkhof - 5.7.2-4 +- Disable ping plugin for now until liboping is fixed (#1427893) + +* Wed Jun 07 2017 Jitka Plesnikova - 5.7.2-3 +- Perl 5.26 re-rebuild of bootstrapped packages + +* Wed Jun 07 2017 Ruben Kerkhof - 5.7.2-2 +- Disable turbostat plugin. 
Upstream issue #2311 + +* Wed Jun 07 2017 Ruben Kerkhof - 5.7.2-1 +- Upstream released new version + +* Sun Jun 04 2017 Jitka Plesnikova - 5.7.1-5 +- Perl 5.26 rebuild + +* Fri Apr 14 2017 Ruben Kerkhof - 5.7.1-4 +- Enable write_kafka plugin (#1388826) + +* Fri Apr 14 2017 Ruben Kerkhof - 5.7.1-3 +- Fix CVE-2017-7401 + +* Fri Feb 10 2017 Fedora Release Engineering - 5.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Jan 23 2017 Ruben Kerkhof - 5.7.1-1 +- Upstream released new version +- Re-enable parallel make, this was fixed upstream + +* Mon Dec 19 2016 Miro HronÄok - 5.7.0-2 +- Rebuild for Python 3.6 + +* Mon Dec 12 2016 Ruben Kerkhof - 5.7.0-1 +- Upstream released new version +- Enable new hugepages and write_prometheus plugins + +* Sat Oct 22 2016 Ruben Kerkhof - 5.6.1-2 +- Rebuild for owfs + +* Mon Oct 10 2016 Ruben Kerkhof - 5.6.1-1 +- Upstream released new version + +* Sat Sep 17 2016 Dan Horák - 5.6.0-2 +- fix arch checks for xencpu subpackage + +* Thu Sep 15 2016 Ruben Kerkhof - 5.6.0-1 +- Upstream released new version: https://collectd.org/news.shtml#news99 +- Enable new plugins: chrony, cpusleep, gps, lua, mqtt, xencpu + +* Thu Aug 11 2016 Ruben Kerkhof - 5.5.2-2 +- Add patch to fix build with glibc 2.24 +- Switch to Python 3 +- Move python plugin to subpackage + +* Tue Jul 26 2016 Ruben Kerkhof - 5.5.2-1 +- Upstream released new version (https://collectd.org/news.shtml#news98) +- Contains fix for CVE-2016-6254 +- Drop a few patches applied upstream + +* Mon Jun 13 2016 Ruben Kerkhof - 5.5.1-13 +- Rebuild against new glibc + (see https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VUOTESHSWFRCYPXIVG6BSMAUITS7QCK2/). + +* Thu Jun 09 2016 Ruben Kerkhof - 5.5.1-12 +- Suppress spammy debug messages of exec plugin (#1343863) + Upstream commit 53de2cf4 + +* Thu Jun 09 2016 Ruben Kerkhof - 5.5.1-11 +- Enable iptables plugin again now that kernel-headers are fixed. 
+ (https://bugzilla.redhat.com/1300256) + +* Thu Jun 09 2016 Ruben Kerkhof - 5.5.1-10 +- Fix build with librrd + rrdtool 1.6 is now thread-safe, but we failed to detect this. + upstream commit 70cb50e + +* Tue May 17 2016 Jitka Plesnikova - 5.5.1-9 +- Perl 5.24 rebuild + +* Sat Apr 30 2016 Kevin Fenzi - 5.5.1-8 +- Rebuild for librrd + +* Fri Apr 15 2016 Ruben Kerkhof - 5.5.1-7 +- Rebase modbus patch + +* Fri Apr 15 2016 Ruben Kerkhof - 5.5.1-6 +- Use Type=notify in systemd unit now that collectd supports it +- Uncomment accidentally commented Requires for collectd-utils + +* Sat Feb 27 2016 Ruben Kerkhof - 5.5.1-5 +- Enable zfs_arc plugin now that it supports ZoL. +- Move disk plugin to subpackage. +- Move log_logstash plugin to subpackage. +- Move write_http plugin to subpackage. +- Move utils to subpackage. +- Finally create subpackage for libcollectdclient. +- Modbus: avoid enabling libmodbus's debug flag by default + +* Sat Feb 27 2016 Ruben Kerkhof - 5.5.1-4 +- Disable deprecation warnings in vserver plugin for now. + The upcoming glibc 2.24 deprecates readdir_r. + Reported upstream in #1566 + +* Fri Feb 26 2016 Ruben Kerkhof - 5.5.1-3 +- Disable -Werror + Fixes build failures due to deprecation warnings turned into errors. 
+ +* Wed Feb 03 2016 Fedora Release Engineering - 5.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Jan 30 2016 Ruben Kerkhof 5.5.1-1 +- Rediff patch +- Use fully versioned dependencies on main package + +* Sat Jan 30 2016 Ruben Kerkhof 5.5.1-0 +- Upstream released new version + +* Sun Dec 06 2015 Ruben Kerkhof 5.5.0-11 +- Fix regression in swap plugin (#1261237) +- Replace my patch for Varnish 4.1 with upstream patches + +* Sat Oct 31 2015 Ruben Kerkhof 5.5.0-10 +- Fix build against Varnish 4.1 (#1275413) + +* Sun Oct 25 2015 Peter Robinson 5.5.0-9 +- Use %%license +- Fix build on PPC64 and PPC64LE +- Minor spec cleanups + +* Tue Sep 08 2015 Ruben Kerkhof 5.5.0-8 +- Rebuild for hiredis soname bump +- Drop hardened_build macro, it's the default now + +* Sat Jul 25 2015 Ruben Kerkhof 5.5.0-7 +- Silence build noise by setting AR_FLAGS: + ar: `u' modifier ignored since `D' is the default (see `U') + +* Sun Jul 05 2015 Ruben Kerkhof 5.5.0-6 +- Disable iptables plugin, libiptc is broken (#1239213) + +* Sun Jul 05 2015 Ruben Kerkhof 5.5.0-5 +- Turbostat plugin doesn't need net-snmp + +* Mon Jun 22 2015 Ruben Kerkhof 5.5.0-4 +- Enable Redis plugin +- Reduce diff with EPEL spec +- Remove unused collection.conf + +* Wed Jun 17 2015 Fedora Release Engineering - 5.5.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 15 2015 Ruben Kerkhof 5.5.0-2 +- Rebuild for new OneWire version + +* Fri Jun 05 2015 Ruben Kerkhof 5.5.0-1 +- Upstream released new version +- New plugins for Ceph, DRBD, SMART, turbostat, Redis and more + +* Fri Jun 05 2015 Jitka Plesnikova - 5.4.2-5 +- Perl 5.22 rebuild + +* Tue Apr 21 2015 Remi Collet 5.4.2-4 +- rebuild for new librabbitmq + +* Sun Apr 12 2015 Ruben Kerkhof 5.4.2-3 +- Rebuilt for new Ganglia version + +* Sun Mar 01 2015 Ruben Kerkhof 5.4.2-2 +- Remove workaround for perl / python module loading + This was fixed by upstream commit f131f0347f58 in 2009 + +* Fri Feb 27 2015 
Ruben Kerkhof 5.4.2-1 +- Upstream released new version +- Drop BuildRequires on owfs-capi, fixed in owfs +- Drop collectd-fix-colors-in-collection.conf.patch, fixed upstream +- Drop collectd-lvm-do-not-segfault-when-there-are-no-vgs.patch, fixed upstream + +* Tue Feb 10 2015 Ruben Kerkhof 5.4.1-15 +- OneWire libraries are in owfs-capi package + +* Tue Feb 10 2015 Ruben Kerkhof 5.4.1-14 +- Rebuilt for new OneWire version + +* Wed Feb 04 2015 Ruben Kerkhof 5.4.1-13 +- Exclude onewire.conf from main collectd package + +* Tue Dec 09 2014 Ruben Kerkhof 5.4.1-12 +- Improve the systemd unit a bit + +* Thu Nov 06 2014 Ruben Kerkhof 5.4.1-11 +- Fix building with varnish 4 + +* Thu Oct 16 2014 Ruben Kerkhof 5.4.1-10 +- Rebuilt for new OneWire version + +* Thu Aug 28 2014 Jitka Plesnikova - 5.4.1-9 +- Perl 5.20 rebuild + +* Sat Aug 16 2014 Fedora Release Engineering - 5.4.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Aug 08 2014 Ruben Kerkhof 5.4.1-7 +- Rebuild for new protobuf-c again + +* Wed Jul 23 2014 Ruben Kerkhof - 5.4.1-6 +- Enable onewire plugin (patch from Tomasz Torcz) +- Rebuild for new protobuf-c (#1126752) + +* Sat Jun 07 2014 Ruben Kerkhof - 5.4.1-5 +- Fix 404 while loading stylesheet in collection3 +- Restore symlink to /etc/collection.conf + +* Sat Jun 07 2014 Fedora Release Engineering - 5.4.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Jun 04 2014 Ruben Kerkhof 5.4.1-3 +- Enable nut plugin again +- Disable varnish plugin (#1099363) +- Don't build libcollectd client with -Werror for now + (https://github.com/collectd/collectd/issues/632) +- LVM plugin: don't segfault when there are no vgs + +* Mon Mar 03 2014 Ruben Kerkhof 5.4.1-2 +- Disable nut plugin (#1071919) + +* Tue Jan 28 2014 Ruben Kerkhof 5.4.1-1 +- Upstream released new version: http://collectd.org/news.shtml#news95 + +* Thu Jan 23 2014 Kevin Fenzi 5.4.0-3 +- Rebuild for new libdbi + +* Sat Dec 14 2013 Ruben Kerkhof 5.4.0-2 
+- Enable memcached plugin (#1036422) +- Stop running autoreconf + +* Sun Sep 15 2013 Ruben Kerkhof 5.4.0-1 +- Update to 5.4.0 + http://mailman.verplant.org/pipermail/collectd/2013-August/005906.html +- Enable new cgroups, statsd and lvm plugins + +* Sat Aug 03 2013 Fedora Release Engineering - 5.3.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Petr Pisar - 5.3.0-4 +- Perl 5.18 rebuild + +* Mon Jun 03 2013 Kevin Fenzi 5.3.0-3 +- Rebuild for new ganglia + +* Mon May 27 2013 Ruben Kerkhof 5.3.0-2 +- BuildRequire static version of iproute (#967214) + +* Sat Apr 27 2013 Ruben Kerkhof 5.3.0-1 +- update to 5.3.0 + http://mailman.verplant.org/pipermail/collectd/2013-April/005749.html +- enable all plugins we can enable +- filter plugins from Provides +- use new systemd macros (#850062) +- modernize specfile + +* Mon Apr 22 2013 Alan Pevec 5.2.2-1 +- update to 5.2.2 + http://mailman.verplant.org/pipermail/collectd/2013-April/005749.html +- build with PIE flags rhbz#954322 + +* Mon Feb 04 2013 Alan Pevec 5.2.1-1 +- update to 5.2.1 + http://mailman.verplant.org/pipermail/collectd/2013-January/005577.html + +* Mon Nov 26 2012 Alan Pevec 5.2.0-1 +- update to 5.2.0 from Steve Traylen rhbz#877721 + +* Wed Nov 21 2012 Alan Pevec 5.1.1-1 +- update to 5.1.1 +- spec cleanups from Ruben Kerkhof +- fix postgresql_default.conf location rhbz#681615 +- fix broken configuration for httpd 2.4 rhbz#871385 + +* Mon Nov 19 2012 Alan Pevec 5.0.5-1 +- new upstream version 5.0.5 + http://mailman.verplant.org/pipermail/collectd/2012-November/005465.html + +* Mon Sep 17 2012 Alan Pevec 5.0.4-1 +- New upstream release, version bump to 5 (#743894) from Andrew Elwell + +* Wed Jul 18 2012 Fedora Release Engineering - 4.10.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 11 2012 Petr Pisar - 4.10.7-2 +- Perl 5.16 rebuild + +* Tue Apr 03 2012 Alan Pevec 4.10.7-1 +- new upstream release 4.10.7 + 
http://mailman.verplant.org/pipermail/collectd/2012-April/005045.html + +* Wed Feb 29 2012 Alan Pevec 4.10.6-1 +- new upstream release 4.10.6 + http://mailman.verplant.org/pipermail/collectd/2012-February/004932.html + +* Thu Jan 12 2012 Fedora Release Engineering - 4.10.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Nov 28 2011 Alan Pevec 4.10.4-1 +- new upstream version 4.10.4 + http://mailman.verplant.org/pipermail/collectd/2011-October/004777.html +- collectd-web config file DataDir value wrong rhbz#719809 +- Python plugin doesn't work rhbz#739593 +- Add systemd service file. (thanks Paul P. Komkoff Jr) rhbz#754460 + +* Fri Jul 29 2011 Kevin Fenzi - 4.10.3-8 +- Rebuild for new snmp again. + +* Thu Jul 21 2011 Petr Sabata - 4.10.3-7 +- Perl mass rebuild + +* Wed Jul 20 2011 Petr Sabata - 4.10.3-6 +- Perl mass rebuild + +* Fri Jul 08 2011 Kevin Fenzi - 4.10.3-5 +- Rebuild for new snmp + +* Thu Jun 16 2011 Marcela MaÅ¡láňová - 4.10.3-4 +- Perl mass rebuild + +* Tue May 03 2011 Dan Horák - 4.10.3-3 +- fix build on s390(x) + +* Tue Apr 19 2011 Alan Pevec 4.10.3-2 +- re-enable nut plugin rhbz#465729 rhbz#691380 + +* Tue Mar 29 2011 Alan Pevec 4.10.3-1 +- new upstream version 4.10.3 + http://collectd.org/news.shtml#news87 +- disable nut 2.6 which fails collectd check: + libupsclient . . . . no (symbol upscli_connect not found) + +* Wed Mar 23 2011 Dan Horák - 4.10.2-4 +- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) + +* Tue Feb 08 2011 Fedora Release Engineering - 4.10.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Jan 07 2011 Dan Horák 4.10.2-2 +- no nut on s390(x) + +* Thu Dec 16 2010 Alan Pevec 4.10.2-1 +- New upstream version 4.10.2 +- http://collectd.org/news.shtml#news86 +- explicitly disable/enable all plugins, fixes FTBFS bz#660936 + +* Thu Nov 04 2010 Alan Pevec 4.10.1-1 +- New upstream version 4.10.1 + http://collectd.org/news.shtml#news85 + +* Sat Oct 30 2010 Richard W.M. 
Jones 4.10.0-3 +- Bump and rebuild for updated libnetsnmp.so. + +* Wed Sep 29 2010 jkeating - 4.10.0-2 +- Rebuilt for gcc bug 634757 + +* Sun Sep 19 2010 Robert Scheck 4.10.0-1 +- New upstream version 4.10.0 (thanks to Mike McGrath) + +* Tue Jun 08 2010 Alan Pevec 4.9.2-1 +- New upstream version 4.9.2 + http://collectd.org/news.shtml#news83 + +* Thu Apr 29 2010 Marcela Maslanova - 4.9.1-3 +- Mass rebuild with perl-5.12.0 + +* Fri Mar 26 2010 Alan Pevec 4.9.1-2 +- enable ping plugin bz#541744 + +* Mon Mar 08 2010 Lubomir Rintel 4.9.1-1 +- New upstream version 4.9.1 + http://collectd.org/news.shtml#news81 + +* Tue Feb 16 2010 Alan Pevec 4.8.3-1 +- New upstream version 4.8.3 + http://collectd.org/news.shtml#news81 +- FTBFS bz#564943 - system libiptc is not usable and owniptc fails to compile: + add a patch from upstream iptables.git to fix owniptc compilation + +* Fri Dec 4 2009 Stepan Kasal - 4.8.1-3 +- rebuild against perl 5.10.1 + +* Fri Nov 27 2009 Alan Pevec 4.8.1-2 +- use Fedora libiptc, owniptc in collectd sources fails to compile + +* Wed Nov 25 2009 Alan Pevec 4.8.1-1 +- update to 4.8.1 (Florian La Roche) bz# 516276 +- disable ping plugin until liboping is packaged bz# 541744 + +* Fri Sep 11 2009 Tom "spot" Callaway 4.6.5-1 +- update to 4.6.5 +- disable ppc/ppc64 due to compile error + +* Wed Sep 02 2009 Alan Pevec 4.6.4-1 +- fix condrestart: on upgrade collectd is not restarted, bz# 516273 +- collectd does not re-connect to libvirtd, bz# 480997 +- fix unpackaged files https://bugzilla.redhat.com/show_bug.cgi?id=516276#c4 +- New upstream version 4.6.4 + http://collectd.org/news.shtml#news69 + +* Fri Aug 21 2009 Tomas Mraz - 4.6.2-5 +- rebuilt with new openssl + +* Thu Aug 6 2009 Richard W.M. Jones - 4.6.2-4 +- Force rebuild to test FTBFS issue. 
+- lib/collectd/types.db seems to have moved to share/collectd/types.db + +* Fri Jul 24 2009 Fedora Release Engineering - 4.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed May 20 2009 Alan Pevec 4.6.2-1 +- New upstream version 4.6.2 + http://collectd.org/news.shtml#news64 + +* Tue Mar 03 2009 Alan Pevec 4.5.3-2 +- patch for strict-aliasing issue in liboping.c + +* Mon Mar 02 2009 Alan Pevec 4.5.3-1 +- New upstream version 4.5.3 +- fixes collectd is built without iptables plugin, bz# 479208 +- list all expected plugins explicitly to avoid such bugs + +* Tue Feb 24 2009 Fedora Release Engineering - 4.5.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 23 2009 Richard W.M. Jones - 4.5.1-3 +- Rebuild against new mysql client. + +* Sun Dec 07 2008 Alan Pevec 4.5.1-2.1 +- fix subpackages, bz# 475093 + +* Sun Nov 30 2008 Alan Pevec 4.5.1-2 +- workaround for https://bugzilla.redhat.com/show_bug.cgi?id=468067 + +* Wed Oct 22 2008 Alan Pevec 4.5.1-1 +- New upstream version 4.5.1, bz# 470943 + http://collectd.org/news.shtml#news59 +- enable Network UPS Tools (nut) plugin, bz# 465729 +- enable postgresql plugin +- spec cleanup, bz# 473641 + +* Fri Aug 01 2008 Alan Pevec 4.4.2-1 +- New upstream version 4.4.2. + +* Thu Jul 03 2008 Lubomir Rintel 4.4.1-4 +- Fix a typo introduced by previous change that prevented building in el5 + +* Thu Jul 03 2008 Lubomir Rintel 4.4.1-3 +- Make this compile with older perl package +- Turn dependencies on packages to dependencies on Perl modules +- Add default attributes for files + +* Thu Jun 12 2008 Alan Pevec 4.4.1-2 +- Split rrdtool into a subpackage (Chris Lalancette) +- cleanup subpackages, split dns plugin, enable ipmi +- include /etc/collectd.d (bz#443942) + +* Mon Jun 09 2008 Alan Pevec 4.4.1-1 +- New upstream version 4.4.1. 
+- plugin changes: reenable iptables, disable ascent + +* Tue May 27 2008 Alan Pevec 4.4.0-2 +- disable iptables/libiptc + +* Mon May 26 2008 Alan Pevec 4.4.0-1 +- New upstream version 4.4.0. + +* Wed Apr 23 2008 Richard W.M. Jones - 4.3.2-9 +- Added {?dist} to release number (thanks Alan Pevec). + +* Wed Apr 23 2008 Richard W.M. Jones - 4.3.2-8 +- Bump release number so we can tag this in Rawhide. + +* Thu Apr 17 2008 Richard W.M. Jones - 4.3.2-6 +- Exclude perl.so from the main package. + +* Thu Apr 17 2008 Richard W.M. Jones - 4.3.2-5 +- Put the perl bindings and plugin into a separate perl-Collectd + package. Note AFAICT from the manpage, the plugin and Collectd::* + perl modules must all be packaged together. + +* Wed Apr 16 2008 Richard W.M. Jones - 4.3.2-4 +- Remove -devel subpackage. +- Add subpackages for apache, email, mysql, nginx, sensors, + snmp (thanks Richard Shade). +- Add subpackages for perl, libvirt. + +* Tue Apr 15 2008 Richard W.M. Jones - 4.3.2-2 +- Install Perl bindings in vendor dir not site dir. + +* Tue Apr 15 2008 Richard W.M. Jones - 4.3.2-1 +- New upstream version 4.3.2. +- Create a -devel subpackage for development stuff, examples, etc. +- Use .bz2 package instead of .gz. +- Remove fix-hostname patch, now upstream. +- Don't mark collectd init script as config. +- Enable MySQL, sensors, email, apache, Perl, unixsock support. +- Don't remove example Perl scripts. +- Package types.db(5) manpage. +- Fix defattr. +- Build in koji to find the full build-requires list. + +* Mon Apr 14 2008 Richard W.M. Jones - 4.2.3.100.g79b0797-2 +- Prepare for Fedora package review: +- Clarify license is GPLv2 (only). +- Setup should be quiet. +- Spelling mistake in original description fixed. +- Don't include NEWS in doc - it's an empty file. +- Convert some other doc files to UTF-8. +- config(noreplace) on init file. 
+
+* Thu Jan 10 2008 Chris Lalancette - 4.2.3.100.g79b0797.1.ovirt
+- Update to git version 79b0797
+- Remove *.pm files so we don't get a bogus dependency
+- Re-enable rrdtool; we will need it on the WUI side anyway
+
+* Mon Oct 29 2007 Dag Wieers - 4.2.0-1 - 5946+/dag
+- Updated to release 4.2.0.
+
+* Mon Oct 29 2007 Dag Wieers - 3.11.5-1
+- Initial package. (using DAR)
diff --git a/SPECS/collectd/email.conf b/SPECS/collectd/email.conf
new file mode 100644
index 0000000000..cc43ff0d59
--- /dev/null
+++ b/SPECS/collectd/email.conf
@@ -0,0 +1,7 @@
+LoadPlugin email
+#
+# SocketFile "/usr/var/run/collectd-email"
+# SocketGroup "collectd"
+# SocketPerms "0770"
+# MaxConns 5
+#
diff --git a/SPECS/collectd/mysql.conf b/SPECS/collectd/mysql.conf
new file mode 100644
index 0000000000..6dc03cc60d
--- /dev/null
+++ b/SPECS/collectd/mysql.conf
@@ -0,0 +1,7 @@
+LoadPlugin mysql
+#
+# Host "database.serv.er"
+# User "db_user"
+# Password "secret"
+# Database "db_name"
+#
diff --git a/SPECS/collectd/nginx.conf b/SPECS/collectd/nginx.conf
new file mode 100644
index 0000000000..ae56014b4c
--- /dev/null
+++ b/SPECS/collectd/nginx.conf
@@ -0,0 +1,7 @@
+LoadPlugin nginx
+#
+# URL "http://localhost/status?auto"
+# User "www-user"
+# Password "secret"
+# CACert "/etc/ssl/ca.crt"
+#
diff --git a/SPECS/collectd/onewire.conf b/SPECS/collectd/onewire.conf
new file mode 100644
index 0000000000..36589a8b97
--- /dev/null
+++ b/SPECS/collectd/onewire.conf
@@ -0,0 +1,6 @@
+LoadPlugin onewire
+#
+# Device "-s localhost:4304"
+# Sensor "F10FCA000800"
+# IgnoreSelected false
+#
diff --git a/SPECS/collectd/rrdtool.conf b/SPECS/collectd/rrdtool.conf
new file mode 100644
index 0000000000..f58406c649
--- /dev/null
+++ b/SPECS/collectd/rrdtool.conf
@@ -0,0 +1,6 @@
+LoadPlugin rrdtool
+
+ DataDir "/var/lib/collectd/rrd"
+ CacheTimeout 120
+ CacheFlush 900
+
diff --git a/SPECS/collectd/sensors.conf b/SPECS/collectd/sensors.conf
new file mode 100644
index 0000000000..8149f1be57
--- /dev/null
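Review bot: The commented `Password "secret"` samples in mysql.conf (and again in nginx.conf) invite an administrator to put real credentials into these drop-in files, yet nothing in either file says how the file should be protected once that is done. Whether collectd.spec installs them with a restrictive mode is not visible in these hunks, so that is worth checking there. A leading comment such as `# Holds credentials once enabled: keep this file readable by root only` would make the expectation explicit. The nginx sample also pairs `User`/`Password` with an `http://` status URL, which is only reasonable for the loopback address it shows.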
+++ b/SPECS/collectd/sensors.conf
@@ -0,0 +1,7 @@
+LoadPlugin sensors
+#
+# Sensor "it8712-isa-0290/temperature-temp1"
+# Sensor "it8712-isa-0290/fanspeed-fan3"
+# Sensor "it8712-isa-0290/voltage-in8"
+# IgnoreSelected false
+#
diff --git a/SPECS/collectd/snmp.conf b/SPECS/collectd/snmp.conf
new file mode 100644
index 0000000000..235a0685ce
--- /dev/null
+++ b/SPECS/collectd/snmp.conf
@@ -0,0 +1,42 @@
+LoadPlugin snmp
+#
+#
+# Type "voltage"
+# Table false
+# Instance "input_line1"
+# Values "SNMPv2-SMI::enterprises.6050.5.4.1.1.2.1"
+#
+#
+# Type "users"
+# Table false
+# Instance ""
+# Values "HOST-RESOURCES-MIB::hrSystemNumUsers.0"
+#
+#
+# Type "if_octets"
+# Table true
+# Instance "IF-MIB::ifDescr"
+# Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
+#
+#
+#
+# Address "192.168.0.2"
+# Version 1
+# Community "community_string"
+# Collect "std_traffic"
+# Inverval 120
+#
+#
+# Address "192.168.0.42"
+# Version 2
+# Community "another_string"
+# Collect "std_traffic" "hr_users"
+#
+#
+# Address "192.168.0.3"
+# Version 1
+# Community "more_communities"
+# Collect "powerplus_voltge_input"
+# Interval 300
+#
+#
diff --git a/SPECS/colm/colm.signatures.json b/SPECS/colm/colm.signatures.json
new file mode 100644
index 0000000000..2b7c9e6c89
--- /dev/null
+++ b/SPECS/colm/colm.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "colm-0.13.0.7.tar.gz": "e43fa328ad7672f485848bf4f40ae498a1925ce5199f2d94e4828e13628ee638"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/colm/colm.spec b/SPECS/colm/colm.spec
new file mode 100644
index 0000000000..5b61fc12a3
--- /dev/null
+++ b/SPECS/colm/colm.spec
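Review bot: In snmp.conf the first host example spells the option `Inverval 120`, while the third host uses `Interval 300`; anyone who uncomments the block as written gets a key the plugin presumably does not recognise, so the line should read `# Interval 120`. `Collect "powerplus_voltge_input"` also looks misspelled, but the data block names are not readable on this page, so that needs checking against the file itself. The samples only show `Version 1`/`Version 2` with `Community` strings, which act as the credential, so a comment such as `# Use a read-only community and keep this file readable by root only` would be a useful addition.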
@@ -0,0 +1,109 @@
+Name: colm
+Version: 0.13.0.7
+Release: 3%{?dist}
+Summary: Programming language designed for the analysis of computer languages
+# aapl/ and some headers from src/ are the LGPLv2+
+License: MIT AND LGPLv2+
+Group: Development/Libraries
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://www.colm.net/open-source/colm/
+Source0: https://www.colm.net/files/%{name}/%{name}-%{version}.tar.gz
+
+BuildRequires: gcc
+BuildRequires: libstdc++
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: make
+BuildRequires: asciidoc
+
+# Unfortunately, upstream doesn't exist and not possible to find version
+Provides: bundled(aapl)
+
+%description
+Colm is a programming language designed for the analysis and transformation
+of computer languages. Colm is influenced primarily by TXL. It is
+in the family of program transformation languages.
+
+%package devel
+Summary: Development libraries and header files for %{name}
+Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
+
+%description devel
+%{summary}.
+ +%prep +%autosetup +# Do not pollute with docs +sed -i -e "/dist_doc_DATA/d" Makefile.am + +%build +autoreconf -vfi +%configure --disable-static +%make_build + +%install +%make_install +find %{buildroot}%{_libdir} -type f -name '*.la' -print -delete +install -p -m 0644 -D %{name}.vim %{buildroot}%{_datadir}/vim/vimfiles/syntax/%{name}.vim + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%license COPYING +%doc ChangeLog README +%{_bindir}/%{name} +%{_libdir}/lib%{name}-%{version}.so +%dir %{_datadir}/vim +%dir %{_datadir}/vim/vimfiles +%dir %{_datadir}/vim/vimfiles/syntax +%{_datadir}/vim/vimfiles/syntax/%{name}.vim + +%files devel +%{_libdir}/lib%{name}.so +%{_includedir}/%{name}/ + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 0.13.0.7-3 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Tue Jan 28 2020 Fedora Release Engineering - 0.13.0.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sun Jul 28 2019 Christian Glombek - 0.13.0.7-1 +- Updated to version 0.13.0.7 + +* Wed Jul 24 2019 Fedora Release Engineering - 0.13.0.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.13.0.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 0.13.0.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jul 06 2018 Christian Glombek - 0.13.0.6-1 +- Updated to version 0.13.0.6 + +* Wed Feb 07 2018 Fedora Release Engineering - 0.13.0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Dec 10 2017 Jason Taylor - 0.13.0.5-1 +- Upstream bugfix release +- Correction to spec license add MIT license +- Added asciidoc BuildRequires and docdir files + +* Wed Aug 02 2017 Fedora Release Engineering - 0.13.0.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 
26 2017 Fedora Release Engineering - 0.13.0.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.13.0.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Dec 01 2016 Igor Gnatenko - 0.13.0.4-1 +- Initial package diff --git a/SPECS/core-packages/core-packages.spec b/SPECS/core-packages/core-packages.spec index a969224367..60194536df 100644 --- a/SPECS/core-packages/core-packages.spec +++ b/SPECS/core-packages/core-packages.spec @@ -1,7 +1,7 @@ Summary: Metapackage with core sets of packages Name: core-packages Version: 0.1 -Release: 22%{?dist} +Release: 23%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -56,6 +56,10 @@ Requires: libtool Requires: lz4 Requires: mariner-release Requires: mariner-repos +%ifarch x86_64 +# Temporarily exclude aarch64 from including the microsoft repo until content is available in the repo +Requires: mariner-repos-microsoft +%endif Requires: mariner-rpm-macros Requires: ncurses-libs Requires: net-tools @@ -90,6 +94,9 @@ Requires: zlib %files container %changelog +* Sat Jul 24 2021 Jon Slobodzian - 0.1-23 +- Include new Microsoft repo for x86_64 architectures (temporarily exclude from aarch64) + * Thu Mar 04 2021 Suresh Babu Chalamalasetty - 0.1-22 - Remove bootloader packages to reduce disk footprint in core images. diff --git a/SPECS/coredns/coredns-1.6.7.spec b/SPECS/coredns/coredns-1.6.7.spec index f263faa851..519d7f882f 100644 --- a/SPECS/coredns/coredns-1.6.7.spec +++ b/SPECS/coredns/coredns-1.6.7.spec @@ -3,7 +3,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.6.7 -Release: 1%{?dist} +Release: 3%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Mariner 
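Review bot: The new colm.spec goes from `%install` and the ldconfig scriptlets straight to `%files` with no `%check` section, so nothing exercises the built compiler before it is packaged. Since the spec already runs `autoreconf -vfi` and `%configure`, an automake `check` target should exist; adding `%check` followed by `make %{?_smp_mflags} check` would cover it, assuming the upstream tarball ships tests that run in the build root. Separately, `Provides: bundled(aapl)` carries no version, which the comment above it explains, but it means a future aapl advisory cannot be matched against this package by version.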
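Review bot: The comment on the new `%ifarch x86_64` block in core-packages.spec says the aarch64 exclusion is temporary but gives nothing to track it by, so the conditional is likely to outlive its reason; a reference such as `# TODO(<tracking-issue-id>): drop the %ifarch once the aarch64 repo has content` would help. Because this `Requires` makes every x86_64 core image pull in an additional package repository by default, it is also worth confirming that mariner-repos-microsoft, which is not visible here, ships its repo definition with signature checking enabled.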
@@ -61,5 +61,9 @@ rm -rf %{buildroot}/* %{_bindir}/%{name} %changelog -* Wed Jan 20 2021 Nicolas Guibourge - 1.6.7-1 +* Tue Jun 08 2021 Henry Beberman 1.6.7-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.6.7-2 +- Increment release to force republishing using golang 1.15.11. +* Wed Jan 20 2021 Nicolas Guibourge 1.6.7-1 - Original version for CBL-Mariner. diff --git a/SPECS/coredns/coredns-1.7.0.spec b/SPECS/coredns/coredns-1.7.0.spec index de7fe7d4ca..7512f8e438 100644 --- a/SPECS/coredns/coredns-1.7.0.spec +++ b/SPECS/coredns/coredns-1.7.0.spec @@ -3,7 +3,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.7.0 -Release: 1%{?dist} +Release: 3%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -61,5 +61,9 @@ rm -rf %{buildroot}/* %{_bindir}/%{name} %changelog -* Wed Jan 20 2021 Nicolas Guibourge - 1.7.0-1 +* Tue Jun 08 2021 Henry Beberman 1.7.0-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.7.0-2 +- Increment release to force republishing using golang 1.15.11. +* Wed Jan 20 2021 Nicolas Guibourge 1.7.0-1 - Original version for CBL-Mariner. diff --git a/SPECS/coreutils/coreutils.spec b/SPECS/coreutils/coreutils.spec index f27bb2ed0b..1909943974 100644 --- a/SPECS/coreutils/coreutils.spec +++ b/SPECS/coreutils/coreutils.spec @@ -1,7 +1,7 @@ Summary: Basic system utilities Name: coreutils Version: 8.30 -Release: 8%{?dist} +Release: 10%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner @@ -22,6 +22,8 @@ Patch4: CVE-2013-0222.nopatch # CVE-2013-0223 is fixed in coreutils-8.30-i18n-1.patch Patch5: CVE-2013-0223.nopatch Requires: gmp +Requires: libselinux +BuildRequires: libselinux-devel Conflicts: toybox Provides: sh-utils 
@@ -93,6 +95,12 @@ LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8 make -k check %defattr(-,root,root) %changelog +* Tue Jun 15 2021 Daniel Burgener 8.30-10 +- Fix issue with undocumented libselinux requirement + +* Tue Feb 16 2021 Daniel Burgener 8.30-9 +- Enable SELinux support + * Fri Jan 22 2021 Andrew Phelps 8.30-8 - Fix check test diff --git a/SPECS/cppunit/cppunit.spec b/SPECS/cppunit/cppunit.spec index 12df4fe028..2c38a68076 100644 --- a/SPECS/cppunit/cppunit.spec +++ b/SPECS/cppunit/cppunit.spec @@ -60,17 +60,17 @@ find %{buildroot} -type f -name "*.la" -delete -print * Mon Feb 08 2021 Henry Li - 1.12.1-6 - Add cppunit as Requires for cppunit-devel -* Thu Jun 11 2020 Henry Beberman - 1.12.1-5 -- Disable link as-needed to fix compilation errors updated ldflags. +* Thu Jun 11 2020 Henry Beberman - 1.12.1-5 +- Disable link as-needed to fix compilation errors updated ldflags. -* Sat May 09 00:21:26 PST 2020 Nick Samson - 1.12.1-4 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 1.12.1-4 +- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.12.1-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.12.1-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Oct 13 2017 Alexey Makhalov 1.12.1-2 -- Use standard configure macros +* Fri Oct 13 2017 Alexey Makhalov 1.12.1-2 +- Use standard configure macros -* Sun Mar 26 2017 Vinay Kulkarni 1.12.1-1 -- Initial version of cppunit for Photon. +* Sun Mar 26 2017 Vinay Kulkarni 1.12.1-1 +- Initial version of cppunit for Photon. diff --git a/SPECS/createrepo_c/createrepo_c.spec b/SPECS/createrepo_c/createrepo_c.spec index f63cab741d..dc5b6211fc 100644 --- a/SPECS/createrepo_c/createrepo_c.spec +++ b/SPECS/createrepo_c/createrepo_c.spec 
@@ -78,7 +78,7 @@ ln -sf %{_bindir}/modifyrepo_c %{buildroot}%{_bindir}/modifyrepo %{_lib64dir}/pkgconfig/%{name}.pc %changelog -* Sat May 09 00:21:36 PST 2020 Nick Samson - 0.11.1-6 +* Sat May 09 2020 Nick Samson - 0.11.1-6 - Added %%license line automatically * Thu Apr 23 2020 Andrew Phelps 0.11.1-5 diff --git a/SPECS/cri-tools/cri-tools.spec b/SPECS/cri-tools/cri-tools.spec index 42ad174de7..c317fb9e21 100644 --- a/SPECS/cri-tools/cri-tools.spec +++ b/SPECS/cri-tools/cri-tools.spec @@ -3,7 +3,7 @@ Summary: CRI tools Name: cri-tools Version: 1.11.1 -Release: 6%{?dist} +Release: 8%{?dist} License: ASL 2.0 URL: https://github.com/kubernetes-sigs/cri-tools #Source0: https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz @@ -61,6 +61,10 @@ cp docs/roadmap.md %{buildroot}/usr/share/doc/cri-tools rm -rf %{buildroot}/* %changelog +* Tue Jun 08 2021 Henry Beberman 1.11.1-8 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.11.1-7 +- Increment release to force republishing using golang 1.15.11. * Thu Dec 10 2020 Andrew Phelps 1.11.1-6 - Increment release to force republishing using golang 1.15. * Sat May 09 2020 Nick Samson 1.11.1-5 diff --git a/SPECS/cronie/cronie.spec b/SPECS/cronie/cronie.spec index 571aa17ccb..fa7b1f69da 100644 --- a/SPECS/cronie/cronie.spec +++ b/SPECS/cronie/cronie.spec @@ -1,7 +1,7 @@ Summary: Cron Daemon Name: cronie Version: 1.5.2 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ and MIT and BSD and ISC URL: https://github.com/cronie-crond/cronie Source0: https://github.com/cronie-crond/cronie/releases/download/cronie-%{version}/cronie-%{version}.tar.gz @@ -31,6 +31,7 @@ sed -i 's/^\s*auth\s*include\s*password-auth$/auth include system-auth/ --sysconfdir=/etc \ --localstatedir=/var\ --with-pam \ + --with-selinux \ --enable-anacron \ --enable-pie \ --enable-relro 
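Review bot: `--with-selinux` is added to the cronie configure call, but none of the cronie.spec hunks shown adds `BuildRequires: libselinux-devel` or `Requires: libselinux`, which the coreutils.spec change in this same diff does add for its SELinux support. If they are not already declared in the part of the spec outside these hunks, configure may fail, or the result may depend on whatever headers the build root happens to contain. The configure invocation starts and ends outside the hunk.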
@@ -120,45 +121,48 @@ make %{?_smp_mflags} check %ghost %attr(0600,root,root) %{_localstatedir}/spool/anacron/cron.weekly %changelog -* Fri Feb 05 2021 Joe Schmitt - 1.5.2-4 +* Fri Feb 05 2021 Joe Schmitt - 1.5.2-5 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Sat May 09 00:21:34 PST 2020 Nick Samson - 1.5.2-3 +* Fri Sep 04 2020 Daniel Burgener - 1.5.2-4 +- Enable SELinux support + +* Sat May 09 2020 Nick Samson - 1.5.2-3 - Added %%license line automatically -* Tue Apr 28 2020 Emre Girgin 1.5.2-2 -- Renaming Linux-PAM to pam -* Wed Mar 18 2020 Nicolas Ontiveros 1.5.2-1 -- Update to 1.5.2. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.5.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Apr 24 2017 Bo Gan 1.5.1-1 -- Update to 1.5.1 -* Wed Dec 07 2016 Xiaolin Li 1.5.0-13 -- BuildRequires Linux-PAM-devel -* Wed Oct 05 2016 ChangLee 1.5.0-12 -- Modified %check -* Mon Aug 29 2016 Divya Thaluru 1.5.0-11 -- Fixed pam configuration for crond -* Thu Aug 4 2016 Divya Thaluru 1.5.0-10 -- Added logic to not replace conf files in upgrade scenario -* Tue May 24 2016 Priyesh Padmavilasom 1.5.0-9 -- GA - Bump release of all rpms -* Tue May 3 2016 Divya Thaluru 1.5.0-8 -- Fixing spec file to handle rpm upgrade scenario correctly -* Thu Mar 24 2016 Xiaolin Li 1.5.0-7 -- Add run-parts command. -* Fri Mar 04 2016 Anish Swaminathan 1.5.0-6 -- Add folders to sysconfdir. -* Mon Feb 08 2016 Anish Swaminathan 1.5.0-5 -- Change default sysconfdir. -* Thu Dec 10 2015 Xiaolin Li 1.5.0-4 -- Add systemd to Requires and BuildRequires. -- Use systemctl to enable/disable service. -* Mon Nov 30 2015 Xiaolin Li 1.5.0-3 -- Symlink cron.service to crond.service. -- And move the /usr/etc/pam.d/crond to /etc/pam.d/crond -* Thu Nov 12 2015 Xiaolin Li 1.5.0-2 -- Add crond to systemd service. -* Wed Jun 17 2015 Divya Thaluru 1.5.0-1 -- Initial build. 
First version +* Tue Apr 28 2020 Emre Girgin 1.5.2-2 +- Renaming Linux-PAM to pam +* Wed Mar 18 2020 Nicolas Ontiveros 1.5.2-1 +- Update to 1.5.2. License verified. +* Tue Sep 03 2019 Mateusz Malisz 1.5.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Mon Apr 24 2017 Bo Gan 1.5.1-1 +- Update to 1.5.1 +* Wed Dec 07 2016 Xiaolin Li 1.5.0-13 +- BuildRequires Linux-PAM-devel +* Wed Oct 05 2016 ChangLee 1.5.0-12 +- Modified %check +* Mon Aug 29 2016 Divya Thaluru 1.5.0-11 +- Fixed pam configuration for crond +* Thu Aug 4 2016 Divya Thaluru 1.5.0-10 +- Added logic to not replace conf files in upgrade scenario +* Tue May 24 2016 Priyesh Padmavilasom 1.5.0-9 +- GA - Bump release of all rpms +* Tue May 3 2016 Divya Thaluru 1.5.0-8 +- Fixing spec file to handle rpm upgrade scenario correctly +* Thu Mar 24 2016 Xiaolin Li 1.5.0-7 +- Add run-parts command. +* Fri Mar 04 2016 Anish Swaminathan 1.5.0-6 +- Add folders to sysconfdir. +* Mon Feb 08 2016 Anish Swaminathan 1.5.0-5 +- Change default sysconfdir. +* Thu Dec 10 2015 Xiaolin Li 1.5.0-4 +- Add systemd to Requires and BuildRequires. +- Use systemctl to enable/disable service. +* Mon Nov 30 2015 Xiaolin Li 1.5.0-3 +- Symlink cron.service to crond.service. +- And move the /usr/etc/pam.d/crond to /etc/pam.d/crond +* Thu Nov 12 2015 Xiaolin Li 1.5.0-2 +- Add crond to systemd service. +* Wed Jun 17 2015 Divya Thaluru 1.5.0-1 +- Initial build. First version diff --git a/SPECS/ctags/ctags.spec b/SPECS/ctags/ctags.spec index 83033a3bb1..bb7cc69610 100644 --- a/SPECS/ctags/ctags.spec +++ b/SPECS/ctags/ctags.spec @@ -46,7 +46,7 @@ rm -rf %{buildroot} %changelog * Sun May 31 2020 Henry Beberman - 5.8-5 - Add patch to fix format-security errors. -* Sat May 09 00:20:47 PST 2020 Nick Samson - 5.8-4 +* Sat May 09 2020 Nick Samson - 5.8-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 5.8-3 - Initial CBL-Mariner import from Photon (license: Apache2). 
diff --git a/SPECS/curl/CVE-2021-22897.patch b/SPECS/curl/CVE-2021-22897.patch new file mode 100644 index 0000000000..0af0088d32 --- /dev/null +++ b/SPECS/curl/CVE-2021-22897.patch 
@@ -0,0 +1,63 @@ +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 23 Apr 2021 10:54:10 +0200 +Subject: [PATCH] schannel: don't use static to store selected ciphers + +CVE-2021-22897 + +Bug: https://curl.se/docs/CVE-2021-22897.html +--- + lib/vtls/schannel.c | 9 +++++---- + lib/vtls/schannel.h | 3 +++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 8c25ac5dd5a5..dba7072273a9 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -328,12 +328,12 @@ get_alg_id_by_name(char *name) + } + + static CURLcode +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, ++ int *algIds) + { + char *startCur = ciphers; + int algCount = 0; +- static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/ +- while(startCur && (0 != *startCur) && (algCount < 45)) { ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) { + long alg = strtol(startCur, 0, 0); + if(!alg) + alg = get_alg_id_by_name(startCur); +@@ -593,7 +593,8 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, + } + + if(SSL_CONN_CONFIG(cipher_list)) { +- result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list)); ++ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list), ++ BACKEND->algIds); + if(CURLE_OK != result) { + failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG"); + return result; +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h +index 2952caa1a5a1..77853aa30f96 100644 +--- a/lib/vtls/schannel.h ++++ b/lib/vtls/schannel.h +@@ -71,6 +71,8 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, + #endif + #endif + ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */ ++ + struct Curl_schannel_cred { + CredHandle cred_handle; + TimeStamp time_stamp; +@@ -102,6 +104,7 @@ struct ssl_backend_data { + 
#ifdef HAS_MANUAL_VERIFY_API + bool use_manual_cred_validation; /* true if manual cred validation is used */ + #endif ++ ALG_ID algIds[NUMOF_CIPHERS]; + }; + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ diff --git a/SPECS/curl/CVE-2021-22898.patch b/SPECS/curl/CVE-2021-22898.patch new file mode 100644 index 0000000000..71e7496415 --- /dev/null +++ b/SPECS/curl/CVE-2021-22898.patch @@ -0,0 +1,32 @@ +From 280f4238182c4f2bc5843ce1fefce3dbc2220033 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index f96a4cb4c..4551435a0 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -919,11 +919,11 @@ static void suboption(struct Curl_easy *data) + + for(v = tn->telnet_vars; v; v = v->next) { + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + msnprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); + len += tmplen; + } +-- +2.31.1 + diff --git a/SPECS/curl/CVE-2021-22901.patch b/SPECS/curl/CVE-2021-22901.patch new file mode 100644 index 0000000000..8572b3869b --- /dev/null +++ b/SPECS/curl/CVE-2021-22901.patch 
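Review bot: In CVE-2021-22897.patch, `set_ssl_ciphers()` gains the parameter `int *algIds`, but the array passed to it is declared `ALG_ID algIds[NUMOF_CIPHERS]` in `struct ssl_backend_data`, so the call hands over a pointer of a different declared element type; the parameter reads better as `ALG_ID *algIds`. Both files the patch touches are the Schannel backend, which is presumably not compiled for this distribution's builds, so it is worth confirming in curl.spec (not visible here) whether this CVE needs an applied patch or only a record that it does not apply. The bodies of `set_ssl_ciphers()` and `schannel_connect_step1()` continue outside the inner hunks.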
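Review bot: In CVE-2021-22898.patch, the `== 2` check stops a partial match from being formatted, but `len += tmplen` still advances by `strlen(v->data) + 1` rather than by what `msnprintf()` actually wrote. When `sscanf()` stops early (the `%127` width limits, or whitespace ending `%127s`), the two lengths can differ, leaving bytes of `temp` between entries that were never written; if `temp` is later sent as-is, which happens outside this hunk, those bytes would go out with it. Advancing by the return value instead, `len += msnprintf((char *)&temp[len], sizeof(temp) - len, "%c%s%c%s", CURL_NEW_ENV_VAR, varname, CURL_NEW_ENV_VALUE, varval);`, closes that gap. `suboption()` begins and ends outside the inner hunk.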
@@ -0,0 +1,308 @@ +From 15156c613dc0e562ac20b5b24a39605ee7ec62d2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Wed, 5 May 2021 13:42:26 +0200 +Subject: [PATCH] openssl: associate/detach the transfer from connection + +Bug: https://curl.se/docs/CVE-2021-22901.html +--- + lib/multi.c | 5 +- + lib/vtls/openssl.c | 146 +++++++++++++++++++++++++++++++++------------ + lib/vtls/vtls.c | 23 ++++++- + lib/vtls/vtls.h | 12 ++++ + 4 files changed, 145 insertions(+), 41 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index be3e41f..68c8404 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -872,8 +872,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) + void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; +- if(conn) ++ if(conn) { + Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); ++ Curl_ssl_detach_conn(data, conn); ++ } + data->conn = NULL; + } + +@@ -890,6 +892,7 @@ void Curl_attach_connnection(struct Curl_easy *data, + data->conn = conn; + Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, + &data->conn_queue); ++ Curl_ssl_associate_conn(data, conn); + } + + static int waitconnect_getsock(struct connectdata *conn, +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 68b9898..45a9eca 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -246,6 +246,10 @@ struct ssl_backend_data { + #endif + }; + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ + /* + * Number of bytes to read from the random number seed file. 
This must be + * a finite value (because some entropy "files" like /dev/urandom have +@@ -2504,6 +2508,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + ctx_option_t ctx_options = 0; ++ void *ssl_sessionid = NULL; + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + bool sni; +@@ -3205,46 +3210,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + } + #endif + +- /* Check if there's a cached ID we can/should use here! */ +- if(SSL_SET_OPTION(primary.sessionid)) { +- void *ssl_sessionid = NULL; +- int data_idx = ossl_get_ssl_data_index(); +- int connectdata_idx = ossl_get_ssl_conn_index(); +- int sockindex_idx = ossl_get_ssl_sockindex_index(); +- int proxy_idx = ossl_get_proxy_index(); +- +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && +- proxy_idx >= 0) { +- /* Store the data needed for the "new session" callback. +- * The sockindex is stored as a pointer to an array element. */ +- SSL_set_ex_data(backend->handle, data_idx, data); +- SSL_set_ex_data(backend->handle, connectdata_idx, conn); +- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +-#ifndef CURL_DISABLE_PROXY +- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: +- NULL); +-#else +- SSL_set_ex_data(backend->handle, proxy_idx, NULL); +-#endif +- +- } ++ ossl_associate_connection(data, conn, sockindex); + +- Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, +- &ssl_sessionid, NULL, sockindex)) { +- /* we got a session id, use it! 
*/ +- if(!SSL_set_session(backend->handle, ssl_sessionid)) { +- Curl_ssl_sessionid_unlock(data); +- failf(data, "SSL: SSL_set_session failed: %s", +- ossl_strerror(ERR_get_error(), error_buffer, +- sizeof(error_buffer))); +- return CURLE_SSL_CONNECT_ERROR; +- } +- /* Informational message */ +- infof(data, "SSL re-using session ID\n"); ++ Curl_ssl_sessionid_lock(data); ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { ++ /* we got a session id, use it! */ ++ if(!SSL_set_session(backend->handle, ssl_sessionid)) { ++ Curl_ssl_sessionid_unlock(data); ++ failf(data, "SSL: SSL_set_session failed: %s", ++ ossl_strerror(ERR_get_error(), error_buffer, ++ sizeof(error_buffer))); ++ return CURLE_SSL_CONNECT_ERROR; + } +- Curl_ssl_sessionid_unlock(data); ++ /* Informational message */ ++ infof(data, "SSL re-using session ID\n"); + } ++ Curl_ssl_sessionid_unlock(data); + + #ifndef CURL_DISABLE_PROXY + if(conn->proxy_ssl[sockindex].use) { +@@ -4470,6 +4452,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, + (void *)backend->ctx : (void *)backend->handle; + } + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex) ++{ ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Store the data needed for the "new session" callback. ++ * The sockindex is stored as a pointer to an array element. 
*/ ++ SSL_set_ex_data(backend->handle, data_idx, data); ++ SSL_set_ex_data(backend->handle, connectdata_idx, conn); ++ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ } ++ } ++} ++ ++/* ++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after ++ * the handshake. If the transfer that sets up the callback gets killed before ++ * this callback arrives, we must make sure to properly clear the data to ++ * avoid UAF problems. A future optimization could be to instead store another ++ * transfer that might still be using the same connection. ++ */ ++ ++static void ossl_disassociate_connection(struct Curl_easy *data, ++ int sockindex) ++{ ++ struct connectdata *conn = data->conn; ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ bool isproxy = FALSE; ++ bool incache; ++ void *old_ssl_sessionid = NULL; ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Invalidate the session cache entry, if any */ ++ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; ++ ++ /* Disable references to data in "new session" callback to avoid ++ * accessing a stale pointer. 
*/ ++ SSL_set_ex_data(backend->handle, data_idx, NULL); ++ SSL_set_ex_data(backend->handle, connectdata_idx, NULL); ++ SSL_set_ex_data(backend->handle, sockindex_idx, NULL); ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++ } ++ ++ Curl_ssl_sessionid_lock(data); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); ++ if(incache) ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); ++ Curl_ssl_sessionid_unlock(data); ++ } ++} ++ + const struct Curl_ssl Curl_ssl_openssl = { + { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ + +@@ -4504,10 +4570,12 @@ const struct Curl_ssl Curl_ssl_openssl = { + ossl_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +- ossl_sha256sum /* sha256sum */ ++ ossl_sha256sum, /* sha256sum */ + #else +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ + #endif ++ ossl_associate_connection, /* associate_connection */ ++ ossl_disassociate_connection /* disassociate_connection */ + }; + + #endif /* USE_OPENSSL */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 2e07df0..22cfb88 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + return CURLE_OK; + } + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->associate_connection) { ++ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); ++ } ++} ++ ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->disassociate_connection) { ++ Curl_ssl->disassociate_connection(data, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); ++ } ++} + + void 
Curl_ssl_close_all(struct Curl_easy *data) + { +@@ -1207,7 +1226,9 @@ static const struct Curl_ssl Curl_ssl_multi = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + const struct Curl_ssl *Curl_ssl = +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 2b43e77..78d1003 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -83,6 +83,11 @@ struct Curl_ssl { + bool (*false_start)(void); + CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, + unsigned char *sha256sum, size_t sha256sumlen); ++ ++ void (*associate_connection)(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ void (*disassociate_connection)(struct Curl_easy *data, int sockindex); + }; + + #ifdef USE_SSL +@@ -277,6 +282,11 @@ bool Curl_ssl_cert_status_request(void); + + bool Curl_ssl_false_start(void); + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++ + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ + + #else /* if not USE_SSL */ +@@ -303,6 +313,8 @@ bool Curl_ssl_false_start(void); + #define Curl_ssl_cert_status_request() FALSE + #define Curl_ssl_false_start() FALSE + #define Curl_ssl_tls13_ciphersuites() FALSE ++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt ++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt + #endif + + #endif /* HEADER_CURL_VTLS_H */ +-- +2.17.1 + diff --git a/SPECS/binutils/CVE-2019-9070.nopatch b/SPECS/curl/CVE-2021-22922.nopatch similarity index 100% rename from SPECS/binutils/CVE-2019-9070.nopatch rename to SPECS/curl/CVE-2021-22922.nopatch 
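Review bot: `ossl_disassociate_connection` evicts the cached TLS session every time a transfer detaches (`if(incache) Curl_ssl_delsessionid(data, old_ssl_sessionid);`), which goes further than the stale-pointer problem its comment describes. Clearing the four `SSL_set_ex_data` slots is what keeps the "new session" callback away from a freed transfer. Deleting the cache entry as well looks like it would stop later transfers from resuming the session, so it is worth checking upstream for a follow-up to this change that should be carried too. Separately, `Curl_ssl_associate_conn` and `Curl_ssl_detach_conn` test `conn->sock[SECONDARYSOCKET]` for truthiness. If an unset socket is a non-zero sentinel, only `conn->bits.sock_accepted` guards the second call, and an explicit comparison such as `conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD` would be clearer.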
diff --git a/SPECS/binutils/CVE-2019-9072.nopatch b/SPECS/curl/CVE-2021-22923.nopatch
similarity index 100%
rename from SPECS/binutils/CVE-2019-9072.nopatch
rename to SPECS/curl/CVE-2021-22923.nopatch
diff --git a/SPECS/curl/CVE-2021-22924.patch b/SPECS/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..7c8ee4b382
--- /dev/null
+++ b/SPECS/curl/CVE-2021-22924.patch
@@ -0,0 +1,278 @@ +From 31619bb3d705d73b7cd9ad3e040b73fe2892f5f4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 19 Jun 2021 00:42:28 +0200 +Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case + sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +Patch updated to cleanly backport 7.76.0. +--- + lib/url.c | 10 ++++++---- + lib/urldata.h | 4 ++-- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 18 +++++++++--------- + lib/vtls/vtls.c | 26 +++++++++++++++++++++----- + 6 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 19fcfb8..662289e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3722,6 +3722,8 @@ static CURLcode create_conn(struct Curl_easy *data, + */ + data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +@@ -3746,8 +3748,11 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert_blob = ++ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = 
data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3756,7 +3761,6 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; +@@ -3770,9 +3774,7 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif +- + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, + &conn->ssl_config)) { +diff --git a/lib/urldata.h b/lib/urldata.h +index fec8756..c0f2f3a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -246,6 +246,7 @@ struct ssl_primary_config { + long version_max; /* max supported version the client wants to use*/ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -253,6 +254,7 @@ struct ssl_primary_config { + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; + struct curl_blob *cert_blob; ++ struct curl_blob *issuercert_blob; + char *curves; /* list of curves to use */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ +@@ -264,8 +266,6 @@ struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* 
result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ +- struct curl_blob *issuercert_blob; + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 3b0d940..bdaee62 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certname); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c 
+index bc6c3ca..4e64804 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(backend->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 45a9eca..9854054 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3868,10 +3868,10 @@ static CURLcode servercert(struct Curl_easy *data, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) { +- if(SSL_SET_OPTION(issuercert_blob)) +- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data, +- (int)SSL_SET_OPTION(issuercert_blob)->len); ++ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { ++ if(SSL_CONN_CONFIG(issuercert_blob)) ++ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, ++ (int)SSL_CONN_CONFIG(issuercert_blob)->len); + else { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { +@@ -3885,10 +3885,10 @@ static CURLcode servercert(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(backend->server_cert); + backend->server_cert = NULL; +@@ -3900,7 +3900,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- 
SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3911,7 +3911,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3920,7 +3920,7 @@ static CURLcode servercert(struct Curl_easy *data, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 22cfb88..f0fb6b2 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, + struct ssl_primary_config *needle) +@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && + blobcmp(data->cert_blob, needle->cert_blob) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ blobcmp(data->issuercert_blob, needle->issuercert_blob) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, 
needle->CAfile) && ++ safecmp(data->issuercert, needle->issuercert) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && +@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->sessionid = source->sessionid; + + CLONE_BLOB(cert_blob); ++ CLONE_BLOB(issuercert_blob); + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); + Curl_safefree(sslc->cert_blob); ++ Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); + } + +-- +2.17.1 + diff --git a/SPECS/curl/CVE-2021-22925.patch b/SPECS/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..f05caaa5a8 --- /dev/null +++ b/SPECS/curl/CVE-2021-22925.patch 
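Review bot: The patch header says "Patch updated to cleanly backport 7.76.0" but does not record which hunks differ from upstream commit 31619bb3d705d73b7cd9ad3e040b73fe2892f5f4, so a later rebase cannot tell local edits from upstream text. A short list under that sentence, for example `Backport changes: <files/hunks adjusted for 7.76.0>`, would make the deviation auditable. In the vtls.c part, the new `safecmp(char *a, char *b)` only reads its arguments and could take `const char *`.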
@@ -0,0 +1,41 @@ +From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVS-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1d3024ec4d3e..a81bb81c3675 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec index 2557d1dfb7..0010197de0 100644 --- a/SPECS/curl/curl.spec +++ b/SPECS/curl/curl.spec 
@@ -1,13 +1,20 @@ Summary: An URL retrieval utility and library Name: curl Version: 7.76.0 -Release: 2%{?dist} +Release: 5%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/NetworkingLibraries URL: https://curl.haxx.se Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz +Patch0: CVE-2021-22898.patch +Patch1: CVE-2021-22901.patch +Patch2: CVE-2021-22897.patch +Patch3: CVE-2021-22922.nopatch +Patch4: CVE-2021-22923.nopatch +Patch5: CVE-2021-22924.patch +Patch6: CVE-2021-22925.patch BuildRequires: krb5-devel BuildRequires: libssh2-devel BuildRequires: openssl-devel @@ -15,11 +22,6 @@ Requires: curl-libs = %{version}-%{release} Requires: krb5 Requires: libssh2 Requires: openssl -%if %{with_check} -BuildRequires: python3 -BuildRequires: shadow-utils -BuildRequires: sudo -%endif %description The cURL package contains an utility and a library used for @@ -49,6 +51,10 @@ This package contains minimal set of shared curl libraries. %autosetup -p1 %build +# CVE-2021-22922 and CVE-2021-22923 are vulnerabilities when curl's metalink +# feature. We do not build with "--with-libmetalink" option and are therefore +# not affected by these CVEs, but I am placing this comment here as a reminder +# to leave metalink disabled. %configure \ CFLAGS="%{optflags}" \ CXXFLAGS="%{optflags}" \ @@ -68,12 +74,6 @@ install -v -d -m755 %{buildroot}/%{_docdir}/%{name}-%{version} find %{buildroot} -type f -name "*.la" -delete -print %{_fixperms} %{buildroot}/* -%check -chmod g+w . -R -useradd test -G root -m - -sudo -u test make %{?_smp_mflags} check - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig 
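Review bot: The not-affected status for CVE-2021-22922 and CVE-2021-22923 rests only on the comment added in %build; nothing in the visible `%configure` arguments enforces it. Passing `--without-libmetalink \` explicitly would keep metalink off even if a libmetalink development package later appears in the build root. The comment's first sentence also reads "are vulnerabilities when curl's metalink feature" and wants "in" in place of "when". The `%configure` argument list continues outside the hunk, so the flag may already be present further down.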
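Review bot: Removing `%check` outright means the CVE backports added to this package are never exercised by curl's test suite at build time. The changelog entry for 7.76.0-3 gives only "circular dependency" as the reason. If the cycle comes from one of the check-only BuildRequires dropped in the earlier hunk (python3, shadow-utils, sudo), naming that package would let the section be restored once the cycle is broken. At minimum, leave a comment where the section was, e.g. `# %%check disabled: circular dependency via <package>; re-enable once resolved`, with the doubled percent sign so rpm does not expand the macro inside the comment.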
@@ -100,7 +100,19 @@ rm -rf %{buildroot}/* %{_libdir}/libcurl.so.* %changelog -* Fri Apr 02 2021 Thomas Crain - 7.76.0-2 +* Wed Jul 21 2021 Chris Co - 7.76.0-5 +- Address CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-22925 + +* Thu Jun 24 2021 Suresh Babu Chalamalasetty - 7.76.0-4 +- CVE-2021-22897 fix + +* Fri May 28 2021 Daniel Burgener - 7.76.0-3 +- Disable check to remove circular dependency + +* Wed May 26 2021 Jon Slobodzian - 7.76.0-2 (from 1.0 branch) +- Patch 7.76.0 to fix CVE-2021-22898 and CVE-2021-22901. + +* Fri Apr 02 2021 Thomas Crain - 7.76.0-2 (from dev branch) - Merge the following releases from dev to 1.0 spec - v-ruyche@microsoft.com, 7.68.0-2: Add explicit provides for libcurl and libcurl-devel @@ -133,7 +145,7 @@ rm -rf %{buildroot}/* * Thu May 14 2020 Nicolas Ontiveros 7.66.0-1 - Upgrade to version 7.66.0, which fixes CVE-2018-16890 and CVE-2019-3822/3833. -* Sat May 09 00:21:39 PST 2020 Nick Samson - 7.61.1-6 +* Sat May 09 2020 Nick Samson - 7.61.1-6 - Added %%license line automatically * Wed May 06 2020 Pawel Winogrodzki 7.61.1-5 diff --git a/SPECS/dbus/dbus.spec b/SPECS/dbus/dbus.spec index 5294e9a7f9..0be458241a 100644 --- a/SPECS/dbus/dbus.spec +++ b/SPECS/dbus/dbus.spec @@ -13,6 +13,7 @@ Patch0: CVE-2019-12749.patch BuildRequires: expat-devel BuildRequires: systemd-devel BuildRequires: xz-devel +BuildRequires: libselinux-devel Requires: expat Requires: systemd Requires: xz @@ -36,7 +37,7 @@ It contains the libraries and header files to create applications %configure \ --docdir=%{_versioneddocdir} \ --enable-libaudit=no \ - --enable-selinux=no \ + --enable-selinux=yes \ --with-console-auth-dir=/run/console make %{?_smp_mflags} 
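Review bot: Switching dbus to `--enable-selinux=yes` changes the behaviour of the built daemon, but no Release bump or changelog entry for it is visible in the dbus.spec hunks shown. If the Release line is indeed unchanged, the rebuilt package cannot be told apart by version from the non-SELinux build, so bump it and add an entry such as `- Enable SELinux support`. The same `%configure` call keeps `--enable-libaudit=no`. As far as I know dbus reports SELinux denials through libaudit when it is available, so it is worth confirming that leaving audit off is intentional.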
@@ -89,9 +90,12 @@ make %{?_smp_mflags} check * Tue Nov 03 2020 Ruying Chen - 1.13.6-5 - Systemd supports merged /usr. Update with corresponding file locations and macros. -* Mon Nov 02 2020 Joe Schmitt - 1.13.6-4 +* Mon Nov 02 2020 Joe Schmitt - 1.13.6-4 (from dev branch) - Provide dbus-libs. +* Thu Oct 22 2020 Thomas Crain - 1.13.6-4 (from 1.0 branch) +- Patch CVE-2019-12749 + * Sat May 09 00:21:00 PST 2020 Nick Samson - 1.13.6-3 - Added %%license line automatically diff --git a/SPECS/dejagnu/dejagnu.spec b/SPECS/dejagnu/dejagnu.spec index ae244a270e..e2e8d6cb87 100644 --- a/SPECS/dejagnu/dejagnu.spec +++ b/SPECS/dejagnu/dejagnu.spec @@ -62,7 +62,7 @@ make DESTDIR=%{buildroot} install %{_includedir}/* %changelog -* Sat May 09 00:21:41 PST 2020 Nick Samson - 1.6.2-2 +* Sat May 09 2020 Nick Samson - 1.6.2-2 - Added %%license line automatically * Mon Apr 13 2020 Emre Girgin 1.6.2-1 diff --git a/SPECS/device-mapper-multipath/device-mapper-multipath.signatures.json b/SPECS/device-mapper-multipath/device-mapper-multipath.signatures.json index 6466064029..4ddac24b00 100644 --- a/SPECS/device-mapper-multipath/device-mapper-multipath.signatures.json +++ b/SPECS/device-mapper-multipath/device-mapper-multipath.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "multipath-tools-0.8.4.tar.gz": "ccd73bf67621161d9e42d1a770c3a7efff6e252433e8b8ed5f64a88cb5e7151d" + "multipath-tools-0.8.6.tar.gz": "ba781d981bd6e8efa5f9f3af6727f85520af6395958e852c1907f59f6124f08e" } } \ No newline at end of file diff --git a/SPECS/device-mapper-multipath/device-mapper-multipath.spec b/SPECS/device-mapper-multipath/device-mapper-multipath.spec index d23d22fa86..348d9c398d 100644 --- a/SPECS/device-mapper-multipath/device-mapper-multipath.spec +++ b/SPECS/device-mapper-multipath/device-mapper-multipath.spec 
@@ -1,31 +1,31 @@ Summary: Provide tools to manage multipath devices Name: device-mapper-multipath -Version: 0.8.4 -Release: 3%{?dist} +Version: 0.8.6 +Release: 1%{?dist} License: GPLv2 +Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner -Group: System Environment/Base URL: http://christophe.varoqui.free.fr/ -#Source0: https://git.opensvc.com/?p=multipath-tools/.git;a=snapshot;h=refs/tags/%{version};sf=tgz" +#Source0: https://github.com/opensvc/multipath-tools/archive/refs/tags/%{version}.tar.gz Source0: multipath-tools-%{version}.tar.gz -Patch0: libdmmp-jsonc.patch -Patch1: libmpathpersist.patch -BuildRequires: device-mapper-devel -BuildRequires: json-c-devel -BuildRequires: libaio-devel -BuildRequires: ncurses-devel -BuildRequires: readline-devel -BuildRequires: systemd-devel BuildRequires: userspace-rcu-devel -Requires: device-mapper -Requires: kpartx = %{version}-%{release} -Requires: libaio -Requires: libselinux -Requires: libsepol -Requires: ncurses -Requires: readline -Requires: userspace-rcu +BuildRequires: libaio-devel +BuildRequires: device-mapper-devel +BuildRequires: readline-devel +BuildRequires: ncurses-devel +BuildRequires: systemd-devel +BuildRequires: json-c-devel + +Requires: userspace-rcu +Requires: libaio +Requires: device-mapper +Requires: libselinux +Requires: libsepol +Requires: readline +Requires: ncurses +Requires: kpartx = %{version}-%{release} + %description Device-mapper-multipath provides tools to manage multipath devices by @@ -46,9 +46,7 @@ Requires: %{name} = %{version}-%{release} It contains the libraries and header files to create applications %prep -%setup -q -n multipath-tools-%{version} -%patch0 -p1 -%patch1 -p1 +%setup -qn multipath-tools-%{version} %build make %{?_smp_mflags} 
@@ -102,42 +100,46 @@ rm -rf %{buildroot} %{_mandir}/man8/kpartx.8.gz %changelog +* Thu Apr 29 2021 Andrew Phelps 0.8.6-1 +- Update to version 0.8.6 for parallel build fix. +- Update Source0 URL. + * Tue Nov 03 2020 Ruying Chen - 0.8.4-3 - Systemd supports merged /usr. Update with corresponding file locations and macros. -* Wed Jun 17 2020 Joe Schmitt 0.8.4-2 -- Update Source0 URL. -- Use release tag instead of commit. +* Wed Jun 17 2020 Joe Schmitt 0.8.4-2 +- Update Source0 URL. +- Use release tag instead of commit. -* Thu Jun 11 2020 Nicolas Ontiveros 0.8.4-1 -- Upgrade to version 0.8.4 +* Thu Jun 11 2020 Nicolas Ontiveros 0.8.4-1 +- Upgrade to version 0.8.4 -* Tue May 26 2020 Pawel Winogrodzki 0.8.0-2 -- Adding the "%%license" macro. +* Tue May 26 2020 Pawel Winogrodzki 0.8.0-2 +- Adding the "%%license" macro. -* Wed Mar 25 2020 Nicolas Ontiveros 0.8.0-1 -- Update version to 0.8.0. License verified. +* Wed Mar 25 2020 Nicolas Ontiveros 0.8.0-1 +- Update version to 0.8.0. License verified. -* Tue Sep 03 2019 Mateusz Malisz 0.7.3-4 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 0.7.3-4 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Dec 06 2018 Srivatsa S. Bhat (VMware) 0.7.3-3 -- Make device-mapper a runtime dependency of kpartx. +* Thu Dec 06 2018 Srivatsa S. Bhat (VMware) 0.7.3-3 +- Make device-mapper a runtime dependency of kpartx. 
-* Wed Sep 26 2018 Anish Swaminathan 0.7.3-2 -- Remove rados dependency +* Wed Sep 26 2018 Anish Swaminathan 0.7.3-2 +- Remove rados dependency -* Wed Oct 04 2017 Dheeraj Shetty 0.7.3-1 -- Update to 0.7.3 +* Wed Oct 04 2017 Dheeraj Shetty 0.7.3-1 +- Update to 0.7.3 -* Tue May 9 2017 Bo Gan 0.7.1-1 -- Update to 0.7.1 +* Tue May 9 2017 Bo Gan 0.7.1-1 +- Update to 0.7.1 -* Fri Nov 18 2016 Anish Swaminathan 0.5.0-3 -- Change systemd dependency +* Fri Nov 18 2016 Anish Swaminathan 0.5.0-3 +- Change systemd dependency -* Tue May 24 2016 Priyesh Padmavilasom 0.5.0-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 0.5.0-2 +- GA - Bump release of all rpms -* Mon Jun 22 2015 Divya Thaluru 0.5.0-1 -- Initial build. First version +* Mon Jun 22 2015 Divya Thaluru 0.5.0-1 +- Initial build. First version diff --git a/SPECS/device-mapper-multipath/libdmmp-jsonc.patch b/SPECS/device-mapper-multipath/libdmmp-jsonc.patch deleted file mode 100644 index 7c03c347bd..0000000000 --- a/SPECS/device-mapper-multipath/libdmmp-jsonc.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= -Date: Mon, 13 Apr 2020 19:22:02 +0200 -Subject: [PATCH] libdmmp: Add support for upcoming json-c 0.14.0. - -TRUE/FALSE are not defined anymore. 1 and 0 are used instead. -This is backwards compatible, as earlier versions of json-c are -using the same integer values in their present definitions. - -Signed-off-by: Benjamin Marzinski ---- - libdmmp/libdmmp_private.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libdmmp/libdmmp_private.h b/libdmmp/libdmmp_private.h -index ac85b63f..4378962b 100644 ---- a/libdmmp/libdmmp_private.h -+++ b/libdmmp/libdmmp_private.h -@@ -82,7 +82,7 @@ static out_type func_name(struct dmmp_context *ctx, const char *var_name) { \ - do { \ - json_type j_type = json_type_null; \ - json_object *j_obj_tmp = NULL; \ -- if (json_object_object_get_ex(j_obj, key, &j_obj_tmp) != TRUE) { \ -+ if (json_object_object_get_ex(j_obj, key, &j_obj_tmp) != 1) { \ - _error(ctx, "Invalid JSON output from multipathd IPC: " \ - "key '%s' not found", key); \ - rc = DMMP_ERR_IPC_ERROR; \ --- -2.17.2 - diff --git a/SPECS/device-mapper-multipath/libmpathpersist.patch b/SPECS/device-mapper-multipath/libmpathpersist.patch deleted file mode 100644 index 8f0a687ae9..0000000000 --- a/SPECS/device-mapper-multipath/libmpathpersist.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Christian Hesse -Date: Wed, 6 May 2020 09:35:47 +0200 -Subject: [PATCH] libmpathpersist: depend on libmultipath - -Without this the build fails with: - -/usr/bin/ld: cannot find -lmultipath - -Signed-off-by: Christian Hesse -Signed-off-by: Benjamin Marzinski ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 1dee3680..ba1d73ba 100644 ---- a/Makefile -+++ b/Makefile -@@ -28,7 +28,7 @@ all: $(BUILDDIRS) - $(BUILDDIRS): - $(MAKE) -C $@ - --multipath multipathd mpathpersist: libmultipath -+libmpathpersist multipath multipathd mpathpersist: libmultipath - mpathpersist: libmpathpersist - - $(BUILDDIRS.clean): --- -2.17.2 diff --git a/SPECS/dhcp/CVE-2021-25217.patch b/SPECS/dhcp/CVE-2021-25217.patch new file mode 100644 index 0000000000..8e02a6f245 --- /dev/null +++ b/SPECS/dhcp/CVE-2021-25217.patch @@ -0,0 +1,30 @@ +diff --git a/common/parse.c b/common/parse.c +index 386a6321..fc7b39c6 100644 +--- a/common/parse.c ++++ b/common/parse.c +@@ -3,7 +3,7 @@ + Common parser code for dhcpd and dhclient. */ + + /* +- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 1995-2003 by Internet Software Consortium + * + * This Source Code Form is subject to the terms of the Mozilla Public +@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max) + skip_to_semi (cfile); + return 0; + } +- convert_num (cfile, &buf [len], val, 16, 8); +- if (len++ > max) { ++ if (len >= max) { + parse_warn (cfile, + "hexadecimal constant too long."); + skip_to_semi (cfile); + return 0; + } ++ convert_num (cfile, &buf [len], val, 16, 8); ++ len++; + token = peek_token (&val, (unsigned *)0, cfile); + if (token == COLON) + token = next_token (&val, diff --git a/SPECS/dhcp/dhcp.spec b/SPECS/dhcp/dhcp.spec index a651d12c1a..d0a03bd435 100644 
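Review bot: The new `SPECS/dhcp/CVE-2021-25217.patch` starts directly at `diff --git a/common/parse.c` with no header saying where the fix comes from, while the two device-mapper-multipath patch files removed in this same commit each carried `From:`/`Subject:` lines. For a security backport, a reviewer needs to be able to compare the carried change against the upstream fix. I would add a short header above the diff, for example `Subject: [PATCH] <upstream subject line>` and `Upstream: <placeholder: upstream commit or advisory URL>`, plus one line stating that the bounds check in `parse_X` now runs before `convert_num` writes to `buf[len]`. The code change itself looks correct as shown: `if (len >= max)` rejects the write before it happens rather than after.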
--- a/SPECS/dhcp/dhcp.spec +++ b/SPECS/dhcp/dhcp.spec @@ -1,31 +1,32 @@ Summary: Dynamic host configuration protocol Name: dhcp Version: 4.4.2 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 -Url: https://www.isc.org/dhcp/ -Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz -Group: System Environment/Base +Url: https://www.isc.org/dhcp/ +Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz +Patch1: CVE-2021-25217.patch +Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner -BuildRequires: systemd +BuildRequires: systemd %description The ISC DHCP package contains both the client and server programs for DHCP. dhclient (the client) is used for connecting to a network which uses DHCP to assign network addresses. dhcpd (the server) is used for assigning network addresses on private networks %package libs -Summary: Libraries for dhcp +Summary: Libraries for dhcp %description libs Libraries for the dhcp. %package devel -Summary: Development Libraries and header files for dhcp -Requires: dhcp-libs +Summary: Development Libraries and header files for dhcp +Requires: dhcp-libs %description devel Headers and libraries for the dhcp. %package server -Summary: Provides the ISC DHCP server -Requires: dhcp-libs +Summary: Provides the ISC DHCP server +Requires: dhcp-libs %description server dhcpd is the name of a program that operates as a daemon on a server to provide Dynamic Host Configuration Protocol (DHCP) service to a network. Clients may solicit an IP address (IP) from a DHCP server when they need one @@ -38,7 +39,10 @@ The ISC DHCP Client, dhclient, provides a means for configuring one or more netw %prep +%autosetup -p1 + %setup -qn %{name}-%{version} + %build CFLAGS="-D_PATH_DHCLIENT_SCRIPT='\"/sbin/dhclient-script\"' \ -D_PATH_DHCPD_CONF='\"/etc/dhcp/dhcpd.conf\"' \ 
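Review bot: In the `%prep` hunk, the existing `%setup -qn %{name}-%{version}` is kept and runs after the added `%autosetup -p1` (the hunk is collapsed in this view, but its `-38,7 +39,10` count leaves room only for the `%autosetup` line and two blank additions). Without `-D`, `%setup` deletes the build directory and unpacks Source0 again, so the tree that reaches `%build` would no longer contain `CVE-2021-25217.patch`. The package could then ship unpatched while the changelog records the CVE as fixed. I would delete the `%setup -qn %{name}-%{version}` line so that `%autosetup -p1` is the only unpack step, then confirm in a build log that `common/parse.c` in the build tree has the `if (len >= max)` check. The spec's `%check` is commented out in the next hunk, so no test run would catch this.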
@@ -116,8 +120,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ #%check #Commented out %check due to missing support of ATF. -%post libs -p /sbin/ldconfig -%postun libs -p /sbin/ldconfig +%post libs -p /sbin/ldconfig +%postun libs -p /sbin/ldconfig %files libs %defattr(-,root,root) 
@@ -167,32 +171,48 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/ %{_mandir}/man8/dhclient.8.gz %changelog -* Tue Jun 08 2021 Muhammad Falak Wani 4.4.2-2 -- Add an explicit provides for dhclient. -* Thu May 28 2020 Nicolas Ontiveros 4.4.2-1 -- Update to version 4.4.2, which fixes CVE-2017-3144 and CVE-2018-5733. -- License verified. -* Sat May 09 00:21:03 PST 2020 Nick Samson 4.3.6-2 -- Added %%license line automatically -* Thu Mar 26 2020 Nicolas Ontiveros 4.3.6-1 -- Update version to 4.3.6. License verified. URL updated. -* Tue Sep 03 2019 Mateusz Malisz 4.3.5-5 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Jul 05 2017 Chang Lee 4.3.5-4 -- Commented out %check due to missing support of ATF. -* Thu Apr 20 2017 Divya Thaluru 4.3.5-3 -- Added default dhcp configuration and lease files -* Wed Dec 7 2016 Divya Thaluru 4.3.5-2 -- Added configuration file for dhcp service -* Mon Nov 14 2016 Harish Udaiya Kumar 4.3.5-1 -- Upgraded to version 4.3.5. -* Wed Oct 05 2016 ChangLee 4.3.3-4 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 4.3.3-3 -- GA - Bump release of all rpms -* Wed Mar 30 2016 Anish Swaminathan 4.3.3-2 -- Add patch for CVE-2016-2774 -* Fri Jan 22 2016 Xiaolin Li 4.3.3-1 -- Updated to version 4.3.3 -* Wed Jul 15 2015 Divya Thaluru 4.3.2-1 -- Initial build. +* Tue Jun 08 2021 Muhammad Falak Wani 4.4.2-3 +- Add an explicit provides for dhclient. + +* Wed May 26 2021 Jon Slobodzian 4.4.2-2 +- Patch to fix CVE-2021-25217. + +* Thu May 28 2020 Nicolas Ontiveros 4.4.2-1 +- Update to version 4.4.2, which fixes CVE-2017-3144 and CVE-2018-5733. +- License verified. + +* Sat May 09 2020 Nick Samson 4.3.6-2 +- Added %%license line automatically + +* Thu Mar 26 2020 Nicolas Ontiveros 4.3.6-1 +- Update version to 4.3.6. License verified. URL updated. + +* Tue Sep 03 2019 Mateusz Malisz 4.3.5-5 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Wed Jul 05 2017 Chang Lee 4.3.5-4 +- Commented out %check due to missing support of ATF. + +* Thu Apr 20 2017 Divya Thaluru 4.3.5-3 +- Added default dhcp configuration and lease files + +* Wed Dec 7 2016 Divya Thaluru 4.3.5-2 +- Added configuration file for dhcp service + +* Mon Nov 14 2016 Harish Udaiya Kumar 4.3.5-1 +- Upgraded to version 4.3.5. + +* Wed Oct 05 2016 ChangLee 4.3.3-4 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom 4.3.3-3 +- GA - Bump release of all rpms + +* Wed Mar 30 2016 Anish Swaminathan 4.3.3-2 +- Add patch for CVE-2016-2774 + +* Fri Jan 22 2016 Xiaolin Li 4.3.3-1 +- Updated to version 4.3.3 + +* Wed Jul 15 2015 Divya Thaluru 4.3.2-1 +- Initial build. diff --git a/SPECS/dialog/dialog.spec b/SPECS/dialog/dialog.spec index abf5a860df..933368b88e 100644 --- a/SPECS/dialog/dialog.spec +++ b/SPECS/dialog/dialog.spec @@ -85,7 +85,7 @@ chmod +x %{buildroot}%{_libdir}/* %{_mandir}/man3/dialog.* %changelog -* Sat May 09 00:20:59 PST 2020 Nick Samson - 1.3-3.20180621 +* Sat May 09 2020 Nick Samson - 1.3-3.20180621 - Added %%license line automatically * Thu Apr 16 2020 Nick Samson 1.3-2 diff --git a/SPECS/diffutils/diffutils.spec b/SPECS/diffutils/diffutils.spec index a377e6c108..0065bea588 100644 --- a/SPECS/diffutils/diffutils.spec +++ b/SPECS/diffutils/diffutils.spec @@ -42,7 +42,7 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog -* Sat May 09 00:20:58 PST 2020 Nick Samson - 3.6-4 +* Sat May 09 2020 Nick Samson - 3.6-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.6-3 diff --git a/SPECS/dkms/dkms.spec b/SPECS/dkms/dkms.spec index 98b2df4b37..10d5210891 100644 --- a/SPECS/dkms/dkms.spec +++ b/SPECS/dkms/dkms.spec 
@@ -66,34 +66,34 @@ echo "disable dkms.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-dk * Tue Nov 03 2020 Ruying Chen - 2.8.1-4 - Systemd supports merged /usr. Update with corresponding file locations and macros. -* Sat May 09 00:21:19 PST 2020 Nick Samson - 2.8.1-3 +* Sat May 09 2020 Nick Samson - 2.8.1-3 - Added %%license line automatically -* Thu Apr 09 2020 Joe Schmitt 2.8.1-2 -- Update Source0 with valid URL. -- Remove sha1 macro. -- Remove commit global. -- Fix changelog styling. -- License verified. +* Thu Apr 09 2020 Joe Schmitt 2.8.1-2 +- Update Source0 with valid URL. +- Remove sha1 macro. +- Remove commit global. +- Fix changelog styling. +- License verified. -* Thu Mar 26 2020 Nicolas Ontiveros 2.8.1-1 -- Update version to 2.8.1. License verified. +* Thu Mar 26 2020 Nicolas Ontiveros 2.8.1-1 +- Update version to 2.8.1. License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.6.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.6.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Ajay Kaher 2.6.1-1 -- Upgraded to version 2.6.1 +* Mon Sep 10 2018 Ajay Kaher 2.6.1-1 +- Upgraded to version 2.6.1 -* Thu May 26 2016 Divya Thaluru 2.2.0.3-4 -- Fixed logic to restart the active services after upgrade +* Thu May 26 2016 Divya Thaluru 2.2.0.3-4 +- Fixed logic to restart the active services after upgrade -* Tue May 24 2016 Priyesh Padmavilasom 2.2.0.3-3 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 2.2.0.3-3 +- GA - Bump release of all rpms -* Tue Aug 25 2015 Alexey Makhalov 2.2.0.3-2 -- Added systemd preset file with 'disable' default value. -- Set BuildArch to noarch. +* Tue Aug 25 2015 Alexey Makhalov 2.2.0.3-2 +- Added systemd preset file with 'disable' default value. +- Set BuildArch to noarch. -* Thu Aug 6 2015 Divya Thaluru 2.2.0.3-1 -- Initial version +* Thu Aug 6 2015 Divya Thaluru 2.2.0.3-1 +- Initial version 
diff --git a/SPECS/dmidecode/dmidecode.spec b/SPECS/dmidecode/dmidecode.spec index 143df14aca..5820962de8 100644 --- a/SPECS/dmidecode/dmidecode.spec +++ b/SPECS/dmidecode/dmidecode.spec @@ -25,7 +25,7 @@ make DESTDIR=%{buildroot} prefix=%{_prefix} install %{_mandir}/man8/* %changelog -* Sat May 09 00:21:29 PST 2020 Nick Samson - 3.2-2 +* Sat May 09 2020 Nick Samson - 3.2-2 - Added %%license line automatically * Thu Mar 19 2020 Nicolas Ontiveros 3.2-1 diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.spec b/SPECS/docbook-style-xsl/docbook-style-xsl.spec index ca793d324f..3a89b3f20b 100644 --- a/SPECS/docbook-style-xsl/docbook-style-xsl.spec +++ b/SPECS/docbook-style-xsl/docbook-style-xsl.spec 
@@ -102,48 +102,38 @@ fi %{_docdir}/* %changelog -* Tue Jan 05 2021 Joe Schmitt - 1.79.1-13 -- Symlink versioned stylesheets to unversioned %%{_datadir}/sgml/docbook/xsl-stylesheets. -- Add runtime requirement on docbook-dtd-xml since the xsl stylesheets reference the DTD schema. +* Sat May 09 2020 Nick Samson - 1.79.1-10 +- Added %%license line automatically -* Tue Dec 01 2020 Joe Schmitt - 1.79.1-12 -- Provide docbook-xsl-stylesheets. +* Tue May 05 2020 Emre Girgin 1.79.1-9 +- Renaming docbook-xsl to docbook-style-xsl -* Mon Sep 28 2020 Ruying Chen 1.79.1-11 -- Provide docbook-xsl +* Tue Sep 03 2019 Mateusz Malisz 1.79.1-8 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Sat May 09 2020 Nick Samson 1.79.1-10 -- Added %%license line automatically +* Fri Jan 18 2019 Tapas Kundu 1.79.1-7 +- Removed saxon jar files while installing -* Tue May 05 2020 Emre Girgin 1.79.1-9 -- Renaming docbook-xsl to docbook-style-xsl +* Tue Dec 04 2018 Ashwin H 1.79.1-6 +- emove windows installers -* Tue Sep 03 2019 Mateusz Malisz 1.79.1-8 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Fri Aug 18 2017 Rongrong Qiu 1.79.1-5 +- Update make check for bug 1635477 -* Fri Jan 18 2019 Tapas Kundu 1.79.1-7 -- Removed saxon jar files while installing +* Tue Apr 25 2017 Priyesh Padmavilasom 1.79.1-4 +- Fix arch -* Tue Dec 04 2018 Ashwin H 1.79.1-6 -- Remove windows installers +* Tue May 24 2016 Priyesh Padmavilasom 1.79.1-3 +- GA - Bump release of all rpms -* Fri Aug 18 2017 Rongrong Qiu 1.79.1-5 -- Update make check for bug 1635477 +* Tue May 3 2016 Divya Thaluru 1.79.1-2 +- Fixing spec file to handle rpm upgrade scenario correctly -* Tue Apr 25 2017 Priyesh Padmavilasom 1.79.1-4 -- Fix arch +* Thu Feb 25 2016 Kumar Kaushik 1.79.1-1 +- Updated version. -* Tue May 24 2016 Priyesh Padmavilasom 1.79.1-3 -- GA - Bump release of all rpms +* Wed May 20 2015 Touseef Liaqat 1.78.1-2 +- Updated group. 
-* Tue May 3 2016 Divya Thaluru 1.79.1-2 -- Fixing spec file to handle rpm upgrade scenario correctly - -* Thu Feb 25 2016 Kumar Kaushik 1.79.1-1 -- Updated version. - -* Wed May 20 2015 Touseef Liaqat 1.78.1-2 -- Updated group. - -* Mon Nov 24 2014 Divya Thaluru 1.78.1-1 -- Initial build. First version +* Mon Nov 24 2014 Divya Thaluru 1.78.1-1 +- Initial build. First version diff --git a/SPECS/docbook5-schemas/LICENSE b/SPECS/docbook5-schemas/LICENSE deleted file mode 100644 index a0d7440a9f..0000000000 --- a/SPECS/docbook5-schemas/LICENSE +++ /dev/null 
@@ -1,63 +0,0 @@ -Copyright © OASIS® 2008. All Rights Reserved. - -All capitalized terms in the following text have the meanings assigned to them -in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The -full Policy may be found at the OASIS website. - -This document and translations of it may be copied and furnished to others, -and derivative works that comment on or otherwise explain it or assist in its -implementation may be prepared, copied, published, and distributed, in whole -or in part, without restriction of any kind, provided that the above copyright -notice and this section are included on all such copies and derivative works. -However, this document itself may not be modified in any way, including by -removing the copyright notice or references to OASIS, except as needed for -the purpose of developing any document or deliverable produced by an OASIS -Technical Committee (in which case the rules applicable to copyrights, as set -forth in the OASIS IPR Policy, must be followed) or as required to translate -it into languages other than English. - -The limited permissions granted above are perpetual and will not be revoked by -OASIS or its successors or assigns. -This document and the information contained herein is provided on an "AS IS" -basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT -NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT -INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY -OR FITNESS FOR A PARTICULAR PURPOSE. 
- -OASIS requests that any OASIS Party or any other party that believes it has -patent claims that would necessarily be infringed by implementations of this -OASIS Committee Specification or OASIS Standard, to notify OASIS TC -Administrator and provide an indication of its willingness to grant patent -licenses to such patent claims in a manner consistent with the IPR Mode of -the OASIS Technical Committee that produced this specification. - -OASIS invites any party to contact the OASIS TC Administrator if it is aware -of a claim of ownership of any patent claims that would necessarily be -infringed by implementations of this specification by a patent holder that -is not willing to provide a license to such patent claims in a manner -consistent with the IPR Mode of the OASIS Technical Committee that produced -this specification. OASIS may include such claims on its website, but -disclaims any obligation to do so. - -OASIS takes no position regarding the validity or scope of any intellectual -property or other rights that might be claimed to pertain to the -implementation or use of the technology described in this document or the -extent to which any license under such rights might or might not be available; -neither does it represent that it has made any effort to identify any such -rights. Information on OASIS' procedures with respect to rights in any -document or deliverable produced by an OASIS Technical Committee can be found -on the OASIS website. Copies of claims of rights made available for -publication and any assurances of licenses to be made available, or the result -of an attempt made to obtain a general license or permission for the use of -such proprietary rights by implementers or users of this OASIS Committee -Specification or OASIS Standard, can be obtained from the OASIS TC -Administrator. 
OASIS makes no representation that any information or list of -intellectual property rights will at any time be complete, or that any claims -in such list are, in fact, Essential Claims. - -The name "OASIS" is a trademark of OASIS, the owner and developer of this -specification, and should be used only to refer to the organization and its -official outputs. OASIS welcomes reference to, and implementation and use of, -specifications, while reserving the right to enforce its marks against -misleading uses. Please see https://www.oasis-open.org/who/trademark.php for -above guidance. \ No newline at end of file diff --git a/SPECS/docbook5-schemas/docbook5-schemas.signatures.json b/SPECS/docbook5-schemas/docbook5-schemas.signatures.json index 30b31973e1..8720c54d81 100644 --- a/SPECS/docbook5-schemas/docbook5-schemas.signatures.json +++ b/SPECS/docbook5-schemas/docbook5-schemas.signatures.json @@ -1,7 +1,6 @@ { "Signatures": { - "LICENSE": "5c66bad84ebcc537a993635ee5daea509830c948eb8c05e9a6d1edb388fda5ed", - "docbook-5.0.zip": "3dcd65e1f5d9c0c891b3be204fa2bb418ce485d32310e1ca052e81d36623208e", - "docbook5-schemas-5.1.zip": "b3f3413654003c1e773360d7fc60ebb8abd0e8c9af8e7d6c4b55f124f34d1e7f" + "docbook5-schemas-5.1.zip": "b3f3413654003c1e773360d7fc60ebb8abd0e8c9af8e7d6c4b55f124f34d1e7f", + "docbook-5.0.zip": "3dcd65e1f5d9c0c891b3be204fa2bb418ce485d32310e1ca052e81d36623208e" } } \ No newline at end of file diff --git a/SPECS/docbook5-schemas/docbook5-schemas.spec b/SPECS/docbook5-schemas/docbook5-schemas.spec index 65cea533fd..19d6ab2b24 100644 --- a/SPECS/docbook5-schemas/docbook5-schemas.spec +++ b/SPECS/docbook5-schemas/docbook5-schemas.spec 
@@ -4,12 +4,11 @@ Version: 5.1 Release: 3%{?dist} License: Freely redistributable without restriction URL: https://docbook.org/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://www.docbook.org/xml/%{version}/docbook-v%{version}-os.zip Source0: %{name}-%{version}.zip Source1: https://www.docbook.org/xml/5.0/docbook-5.0.zip -Source2: LICENSE Provides: docbook5-dtd = %{version}-%{release} Provides: docbook5-rng = %{version}-%{release} @@ -36,7 +35,6 @@ developed by the OASIS consortium. %setup -c -T mkdir 5.0 mkdir 5.1 -mv %{SOURCE2} . #Unzip Docbook 5.0 specification cd 5.0 @@ -237,7 +235,7 @@ do done %install -DOCBOOK5DIR=$RPM_BUILD_ROOT%{_datadir}/xml/docbook5 +DOCBOOK5DIR=%{buildroot}%{_datadir}/xml/docbook5 for v in 5.0 5.1 do mkdir -p ${DOCBOOK5DIR}/schema/rng/$v @@ -249,13 +247,13 @@ mkdir -p ${DOCBOOK5DIR}/schema/dtd/5.0 mkdir -p ${DOCBOOK5DIR}/schema/xsd/5.0 install -m644 5.0/dtd/* ${DOCBOOK5DIR}/schema/dtd/5.0 install -m644 5.0/xsd/* ${DOCBOOK5DIR}/schema/xsd/5.0 -mkdir -p $RPM_BUILD_ROOT%{_bindir} -install -m755 %{version}/tools/db4-entities.pl $RPM_BUILD_ROOT%{_bindir} +mkdir -p %{buildroot}%{_bindir} +install -m755 %{version}/tools/db4-entities.pl %{buildroot}%{_bindir} mkdir -p ${DOCBOOK5DIR}/stylesheet/upgrade install -m644 %{version}/tools/db4-upgrade.xsl ${DOCBOOK5DIR}/stylesheet/upgrade -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/xml -install -m644 docbook-5.xml $RPM_BUILD_ROOT%{_sysconfdir}/xml/docbook-5.xml +mkdir -p %{buildroot}%{_sysconfdir}/xml +install -m644 docbook-5.xml %{buildroot}%{_sysconfdir}/xml/docbook-5.xml %post ROOTCATALOG=%{_sysconfdir}/xml/catalog @@ -315,7 +313,7 @@ if [ "$1" = 0 ]; then fi %files -%license LICENSE +%license 5.1/docbook-v5.1-os.html %doc docs/* README ChangeLog %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/xml/docbook-5.xml %dir %{_datadir}/xml/docbook5/ 
@@ -340,6 +338,7 @@ fi %changelog * Fri Aug 21 2020 Thomas Crain - 5.1-3 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Mon Jul 27 2020 Fedora Release Engineering - 5.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/dosfstools/dosfstools.spec b/SPECS/dosfstools/dosfstools.spec index 185e7fc6ae..555af907dc 100644 --- a/SPECS/dosfstools/dosfstools.spec +++ b/SPECS/dosfstools/dosfstools.spec @@ -28,7 +28,7 @@ rm -rf %{buildroot}/* %{_mandir}/man8/* %{_docdir}/dosfstools/* %changelog -* Sat May 09 00:21:25 PST 2020 Nick Samson - 4.1-4 +* Sat May 09 2020 Nick Samson - 4.1-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.1-3 diff --git a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.signatures.json b/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.signatures.json deleted file mode 100644 index 87126fbb89..0000000000 --- a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "dotnet-runtime-3.1.5-linux-x64.tar.gz": "ae0a4e9a1e875b46d3201cdad2779572de1c12c0aae36688ae3c3978db319ff5" - } -} \ No newline at end of file diff --git a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec b/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec deleted file mode 100644 index aecd4117ae..0000000000 --- a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec +++ /dev/null 
@@ -1,80 +0,0 @@ -Summary: Microsoft .NET Core Runtime -Name: dotnet-runtime-3.1 -Version: 3.1.5 -Release: 2%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Development/Tools -URL: https://github.com/dotnet/core -Source0: https://download.visualstudio.microsoft.com/download/pr/d00eaeea-6d7b-4e73-9d96-c0234ed3b665/0d25d9d1aeaebdeef01d15370d5cd22b/dotnet-runtime-3.1.5-linux-x64.tar.gz -Requires: glibc -Requires: icu -Requires: krb5 -Requires: libgcc -Requires: libstdc++ -Requires: libunwind -Requires: lttng-ust -Requires: openssl -Requires: zlib -ExclusiveArch: x86_64 - -%description -.NET Core is a development platform that you can use to build command-line -applications, microservices and modern websites. - -%prep -%setup -qc -T -a 0 dotnet-runtime-%{version} - -%build - -%install -mkdir -p %{buildroot}%{_libdir}/dotnet - -cp -r * %{buildroot}%{_libdir}/dotnet -mkdir -p %{buildroot}%{_bindir} -ln -sf %{_libdir}/dotnet/dotnet %{buildroot}%{_bindir}/dotnet - -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig - -%files -%license LICENSE.txt ThirdPartyNotices.txt -%defattr(-,root,root,0755) -%exclude %{_libdir}/dotnet/LICENSE.txt -%exclude %{_libdir}/dotnet/ThirdPartyNotices.txt -%exclude %{_libdir}/debug -%{_bindir}/dotnet -%{_libdir}/* - -%changelog -* Thu Nov 12 2020 Henry Beberman - 3.1.5-2 -- Fix scriptlets and move licenses to the correct folder - -* Fri Jun 19 2020 Andrew Phelps 3.1.5-1 -- Update version to 3.1.5. Fix runtime requirements. - -* Sat May 09 2020 Nick Samson 3.1.3-4 -- Added %%license line automatically - -* Tue May 05 2020 Emre Girgin 3.1.3-3 -- Renaming dotnet-runtime to dotnet-runtime-3.1 - -* Mon May 04 2020 Emre Girgin 3.1.3-2 -- Replace BuildArch with ExclusiveArch - -* Mon Mar 30 2020 Andrew Phelps 3.1.3-1 -- Update to dotnet 3.1.3. License verified. - -* Tue Sep 03 2019 Mateusz Malisz 2.2.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). 
- -* Wed Dec 05 2018 Ajay Kaher 2.2.0-1 -- upgraded to version 2.2.0 - -* Thu Sep 27 2018 Ajay Kaher 2.1.4-1 -- upgraded to version 2.1.4 -- add aarch64 support - -* Wed Jan 31 2018 Priyesh Padmavilasom 2.0.5-1 -- Initial build for photon diff --git a/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.signatures.json b/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.signatures.json deleted file mode 100644 index ea751ffbc1..0000000000 --- a/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "dotnet-sdk-3.1.105-linux-x64.tar.gz": "a389763ee658aff89ab725d7c24db3b74aac10b666df7c61265fb80c41c76e79" - } -} \ No newline at end of file diff --git a/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.spec b/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.spec deleted file mode 100644 index eb6383791e..0000000000 --- a/SPECS/dotnet-sdk-3.1/dotnet-sdk-3.1.spec +++ /dev/null 
@@ -1,56 +0,0 @@ -%define debug_package %{nil} -Summary: Microsoft .NET Core SDK -Name: dotnet-sdk-3.1 -Version: 3.1.105 -Release: 1%{?dist} -Vendor: Microsoft Corporation -Distribution: Mariner -License: MIT -Url: https://github.com/dotnet/core -Group: Development/Tools -Source0: https://download.visualstudio.microsoft.com/download/pr/37268c18-226d-436b-b13c-4b77b7f42140/17e8a85360206006a557d634d16713cd/dotnet-sdk-3.1.105-linux-x64.tar.gz -ExclusiveArch: x86_64 - -Requires: dotnet-runtime-3.1 -Requires: icu - -%description -.NET Core is a development platform that you can use to build command-line -applications, microservices and modern websites. - -%prep -%setup -qc dotnet-sdk-%{version} - -%build - -%install -mkdir -p %{buildroot}%{_libdir}/dotnet/sdk -mkdir -p %{buildroot}%{_docdir}/dotnet-sdk-%{version} -cp -r sdk/%{version} %{buildroot}%{_libdir}/dotnet/sdk -cp LICENSE.txt ThirdPartyNotices.txt %{buildroot}%{_docdir}/dotnet-sdk-%{version} - -%files -%license LICENSE.txt - %defattr(-,root,root,0755) - %{_libdir}/* - %{_docdir}/* - -%changelog -* Fri Jun 19 2020 Andrew Phelps 3.1.105-1 -- Update version to 3.1.105 -* Sat May 09 2020 Nick Samson 3.1.102-5 -- Added %%license line automatically -* Tue May 05 2020 Emre Girgin 3.1.102-4 -- Renaming dotnet-runtime to dotnet-runtime-3.1 -* Mon May 04 2020 Emre Girgin 3.1.102-3 -- Renaming dotnet-sdk to dotnet-sdk-3.1 -* Mon May 04 2020 Emre Girgin 3.1.102-2 -- Replace BuildArch with ExclusiveArch -* Mon Mar 30 2020 Andrew Phelps 3.1.102-1 -- Update to dotnet 3.1.102. License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.1.403-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Dec 05 2018 Ajay Kaher 2.1.403-1 -- upgraded to version 2.1.403 -* Wed Jan 31 2018 Priyesh Padmavilasom 2.1.4-1 -- Initial build for photon diff --git a/SPECS/dstat/dstat.spec b/SPECS/dstat/dstat.spec index f3c53f7974..b95f083dc7 100644 --- a/SPECS/dstat/dstat.spec +++ b/SPECS/dstat/dstat.spec 
@@ -31,7 +31,7 @@ Dstat gives you detailed selective information in columns and clearly indicates %{_datadir}/dstat/ %changelog -* Sat May 09 00:21:38 PST 2020 Nick Samson - 0.7.4-2 +* Sat May 09 2020 Nick Samson - 0.7.4-2 - Added %%license line automatically * Mon Apr 27 2020 Pawel Winogrodzki 0.7.4-1 diff --git a/SPECS/e2fsprogs/e2fsprogs.spec b/SPECS/e2fsprogs/e2fsprogs.spec index 3c9b8659a0..47bc340c99 100644 --- a/SPECS/e2fsprogs/e2fsprogs.spec +++ b/SPECS/e2fsprogs/e2fsprogs.spec @@ -134,7 +134,7 @@ make %{?_smp_mflags} check * Fri Jul 31 2020 Leandro Pereira - 1.44.6-3 - Don't stomp on CFLAGS. -* Sat May 09 00:21:25 PST 2020 Nick Samson - 1.44.6-2 +* Sat May 09 2020 Nick Samson - 1.44.6-2 - Added %%license line automatically * Thu Mar 19 2020 Nicolas Ontiveros 1.44.6-1 diff --git a/SPECS/efibootmgr/efibootmgr.spec b/SPECS/efibootmgr/efibootmgr.spec index 67859e34a2..2e4230ba52 100644 --- a/SPECS/efibootmgr/efibootmgr.spec +++ b/SPECS/efibootmgr/efibootmgr.spec @@ -35,7 +35,7 @@ rm -rf %{buildroot}/* %{_sbindir}/* %{_mandir}/man8/* %changelog -* Sat May 09 00:21:06 PST 2020 Nick Samson - 16-2 +* Sat May 09 2020 Nick Samson - 16-2 - Added %%license line automatically * Wed Mar 18 2020 Nicolas Ontiveros 16-1 diff --git a/SPECS/erlang/erlang.spec b/SPECS/erlang/erlang.spec index 5fa47b8854..eb8bb731de 100644 --- a/SPECS/erlang/erlang.spec +++ b/SPECS/erlang/erlang.spec @@ -39,7 +39,7 @@ make install DESTDIR=$RPM_BUILD_ROOT %exclude %{_libdir}/debug %changelog -* Sat May 09 00:20:44 PST 2020 Nick Samson - 22.0.7-2 +* Sat May 09 2020 Nick Samson - 22.0.7-2 - Added %%license line automatically * Thu Mar 19 2020 Henry Beberman 22.0.7-1 diff --git a/SPECS/espeak-ng/espeak-ng.spec b/SPECS/espeak-ng/espeak-ng.spec index a9b6ec6e9a..e0a3cd1c65 100644 --- a/SPECS/espeak-ng/espeak-ng.spec +++ b/SPECS/espeak-ng/espeak-ng.spec 
@@ -47,10 +47,11 @@ find %{buildroot} -type f -name "*.la" -delete -print ln -s libespeak-ng.so %{buildroot}%{_libdir}/libespeak.so rm %{buildroot}%{_libdir}/libespeak.la -# Rename problematic file with space in its name -pushd '%{buildroot}%{_datadir}/espeak-ng-data/voices/!v' -mv 'Mr serious' 'Mr_serious' -popd +# Rename problematic file with space in name +# This file does not work well with our GNU Make build system when placed in the ISO initrd +# GNU Make hacks to allow spaces in filenames are hacky and likely to make things worse +# Sample error: "make[1]: *** No rule to make target 'serious', needed by 'image'. Stop." +mv "%{buildroot}%{_datadir}/espeak-ng-data/voices/!v/Mr serious" "%{buildroot}%{_datadir}/espeak-ng-data/voices/!v/Mr_serious" %check make check @@ -79,8 +80,8 @@ make check %{_libdir}/*.so %changelog -* Wed May 05 2021 Thomas Crain - 1.50-3 -- Rename 'Mr serious' voice file to 'Mr_serious' to avoid spaces in filenames +* Mon May 10 2021 Thomas Crain - 1.50-3 +- Rename "Mr serious" voice to "Mr_serious" * Fri Mar 05 2021 Thomas Crain - 1.50-2 - Add tests-fix-greek-letter-variants.patch to address failing test diff --git a/SPECS/etcd/etcd-3.4.13.spec b/SPECS/etcd/etcd-3.4.13.spec index 86f741ad57..b7968cb01c 100644 --- a/SPECS/etcd/etcd-3.4.13.spec +++ b/SPECS/etcd/etcd-3.4.13.spec @@ -1,7 +1,7 @@ Summary: A highly-available key value store for shared configuration Name: etcd Version: 3.4.13 -Release: 1%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: https://github.com/etcd-io/etcd/ Group: System Environment/Security 
@@ -74,6 +74,10 @@ rm -rf %{buildroot}/* %config(noreplace) %{_sysconfdir}/etcd/etcd-default-conf.yml %changelog +* Tue Jun 08 2021 Henry Beberman 3.4.13-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 3.4.13-2 +- Increment release to force republishing using golang 1.15.11. * Mon Jan 25 2021 Nicolas Guibourge 3.4.13-1 - Update to version 3.4.13. * Thu Dec 10 2020 Andrew Phelps 3.3.25-2 diff --git a/SPECS/etcd/etcd-3.4.3.spec b/SPECS/etcd/etcd-3.4.3.spec index 457fce3f12..e2853cad4b 100644 --- a/SPECS/etcd/etcd-3.4.3.spec +++ b/SPECS/etcd/etcd-3.4.3.spec @@ -1,7 +1,7 @@ Summary: A highly-available key value store for shared configuration Name: etcd Version: 3.4.3 -Release: 1%{?dist} +Release: 3%{?dist} License: ASL 2.0 URL: https://github.com/etcd-io/etcd/ Group: System Environment/Security @@ -74,6 +74,10 @@ rm -rf %{buildroot}/* %config(noreplace) %{_sysconfdir}/etcd/etcd-default-conf.yml %changelog +* Tue Jun 08 2021 Henry Beberman 3.4.3-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 3.4.3-2 +- Increment release to force republishing using golang 1.15.11. * Mon Jan 25 2021 Nicolas Guibourge 3.4.3-1 - Update to version 3.4.3. * Thu Dec 10 2020 Andrew Phelps 3.3.25-2 diff --git a/SPECS/ethtool/ethtool.spec b/SPECS/ethtool/ethtool.spec index 600e54010f..a3cfecbc7b 100644 --- a/SPECS/ethtool/ethtool.spec +++ b/SPECS/ethtool/ethtool.spec @@ -38,7 +38,7 @@ rm -rf %{buildroot}/* %{_mandir} %changelog -* Sat May 09 00:21:41 PST 2020 Nick Samson - 5.0-2 +* Sat May 09 2020 Nick Samson - 5.0-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 5.0-1 diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec index 48585b0484..1e5bf4138c 100644 --- a/SPECS/expat/expat.spec +++ b/SPECS/expat/expat.spec 
@@ -66,7 +66,7 @@ rm -rf %{buildroot}/* %{_libdir}/libexpat.so.* %changelog -* Sat May 09 00:21:10 PST 2020 Nick Samson - 2.2.6-4 +* Sat May 09 2020 Nick Samson - 2.2.6-4 - Added %%license line automatically * Wed Apr 22 2020 Nicolas Ontiveros 2.2.6-3 diff --git a/SPECS/expect/expect.spec b/SPECS/expect/expect.spec index eac8bcfc13..f2c51eaf43 100644 --- a/SPECS/expect/expect.spec +++ b/SPECS/expect/expect.spec @@ -58,7 +58,7 @@ make %{?_smp_mflags} test %changelog * Sun May 31 2020 Henry Beberman - 5.45.4-4 - Add patch to fix format-security errors. -* Sat May 09 00:21:13 PST 2020 Nick Samson - 5.45.4-3 +* Sat May 09 2020 Nick Samson - 5.45.4-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 5.45.4-2 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/fcgi/fcgi.spec b/SPECS/fcgi/fcgi.spec index 5935133e49..d852e5efbb 100644 --- a/SPECS/fcgi/fcgi.spec +++ b/SPECS/fcgi/fcgi.spec @@ -57,7 +57,7 @@ make check %{_includedir}/* %changelog -* Sat May 09 00:21:03 PST 2020 Nick Samson - 2.4.0-7 +* Sat May 09 2020 Nick Samson - 2.4.0-7 - Added %%license line automatically * Mon Apr 27 2020 Pawel Winogrodzki 2.4.0-6 diff --git a/SPECS/findutils/findutils.spec b/SPECS/findutils/findutils.spec index c53fb397c6..0b3878d722 100644 --- a/SPECS/findutils/findutils.spec +++ b/SPECS/findutils/findutils.spec @@ -62,7 +62,7 @@ make %{?_smp_mflags} check %defattr(-,root,root) %changelog -* Sat May 09 00:20:51 PST 2020 Nick Samson - 4.6.0-7 +* Sat May 09 2020 Nick Samson - 4.6.0-7 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.6.0-6 diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec index bf3e4ee884..3f3a5c7e1d 100644 --- a/SPECS/flannel/flannel.spec +++ b/SPECS/flannel/flannel.spec 
@@ -5,7 +5,7 @@ Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes Name: flannel Version: 0.12.0 -Release: 1%{?dist} +Release: 3%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -58,5 +58,9 @@ rm -rf %{gopath_flannel_folder}/* %{_bindir}/flanneld %changelog +* Tue Jun 08 2021 Henry Beberman 0.12.0-3 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 0.12.0-2 +- Increment release to force republishing using golang 1.15.11. * Wed Jan 20 2021 Nicolas Guibourge - 0.12.0-1 - Original version for CBL-Mariner. diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json index 6221a462e6..49bb635c5b 100644 --- a/SPECS/fluent-bit/fluent-bit.signatures.json +++ b/SPECS/fluent-bit/fluent-bit.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "fluent-bit-1.4.1.tar.gz" : "f5e2e10133d2a266e508db9d95e425108a1a7e43ca713bedd0d9005d962b0cff" + "fluent-bit-1.5.2.tar.gz" : "d9dd4fe94116533cd23fc5d2e505408f687c1eb1b4c233b4f9413ff6b87d53f3" } } diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index 3fc69496b4..6b6a44c738 100644 --- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -2,8 +2,8 @@ Name: fluent-bit Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX -Version: 1.4.1 -Release: 2%{?dist} +Version: 1.5.2 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -46,9 +46,12 @@ make install DESTDIR=%{buildroot} %files devel %{_includedir}/* -/usr/lib64/*.so +/usr/lib64/fluent-bit/*.so %changelog +* Mon May 24 2021 Suresh Babu Chalamalasetty 1.5.2-1 +- Update to version 1.5.2 + * Mon Oct 19 2020 Pawel Winogrodzki 1.4.1-2 - License verified. - Fixed source URL. diff --git a/SPECS/fping/fping.spec b/SPECS/fping/fping.spec index 2275347678..d8879fde64 100644 --- a/SPECS/fping/fping.spec 
+++ b/SPECS/fping/fping.spec @@ -39,7 +39,7 @@ rm -rf %{buildroot} %doc %{_mandir}/man8/fping.8* %changelog -* Sat May 09 00:20:36 PST 2020 Nick Samson - 4.2-2 +* Sat May 09 2020 Nick Samson - 4.2-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 4.2-1 diff --git a/SPECS/freefont/freefont.spec b/SPECS/freefont/freefont.spec index ec598201b6..6da65a9e50 100644 --- a/SPECS/freefont/freefont.spec +++ b/SPECS/freefont/freefont.spec @@ -31,7 +31,7 @@ mv *.ttf %{buildroot}%{_fontdir}/ %{_fontdir}/*.ttf %changelog -* Sat May 09 00:20:57 PST 2020 Nick Samson - 20120503-2 +* Sat May 09 2020 Nick Samson - 20120503-2 - Added %%license line automatically * Wed Apr 29 2020 Mateusz Malisz 20120503-1 diff --git a/SPECS/freetype/freetype.spec b/SPECS/freetype/freetype.spec index 06a82a6015..f9f99f1796 100644 --- a/SPECS/freetype/freetype.spec +++ b/SPECS/freetype/freetype.spec 
@@ -60,29 +60,29 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} - Add enable-fretype-config to configuration - Add /usr/bin/freetype-config to freetype-devel -* Sat May 09 00:21:42 PST 2020 Nick Samson - 2.9.1-4 +* Sat May 09 2020 Nick Samson - 2.9.1-4 - Added %%license line automatically -* Fri Apr 17 2020 Nicolas Ontiveros 2.9.1-3 -- Rename freetype2 to freetype. -- Update URL. -- Remove sha1 macro. -- Update Source0. +* Fri Apr 17 2020 Nicolas Ontiveros 2.9.1-3 +- Rename freetype2 to freetype. +- Update URL. +- Remove sha1 macro. +- Update Source0. -* Tue Sep 03 2019 Mateusz Malisz 2.9.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.9.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 12 2018 Sujay G 2.9.1-1 -- version bump to 2.9.1 +* Wed Sep 12 2018 Sujay G 2.9.1-1 +- version bump to 2.9.1 -* Thu Jun 14 2018 Tapas Kundu 2.7.1-4 -- CVE-2018-6942 +* Thu Jun 14 2018 Tapas Kundu 2.7.1-4 +- CVE-2018-6942 -* Mon May 15 2017 Priyesh Padmavilasom 2.7.1-3 -- CVE-2017-8287 +* Mon May 15 2017 Priyesh Padmavilasom 2.7.1-3 +- CVE-2017-8287 -* Fri Apr 28 2017 Dheeraj Shetty 2.7.1-2 -- CVE-2017-7857, CVE-2017-7858 and CVE-2017-7864 +* Fri Apr 28 2017 Dheeraj Shetty 2.7.1-2 +- CVE-2017-7857, CVE-2017-7858 and CVE-2017-7864 -* Fri Nov 11 2016 Dheeraj Shetty 2.7.1-1 -- Initial version +* Fri Nov 11 2016 Dheeraj Shetty 2.7.1-1 +- Initial version diff --git a/SPECS/fuse-zip/fuse-zip.signatures.json b/SPECS/fuse-zip/fuse-zip.signatures.json new file mode 100644 index 0000000000..98a42edc75 --- /dev/null +++ b/SPECS/fuse-zip/fuse-zip.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "fuse-zip-0.7.2.tar.gz": "3dd0be005677442f1fd9769a02dfc0b4fcdd39eb167e5697db2f14f4fee58915" + } +} diff --git a/SPECS/fuse-zip/fuse-zip.spec b/SPECS/fuse-zip/fuse-zip.spec new file mode 100644 index 0000000000..6acfa53876 --- /dev/null +++ b/SPECS/fuse-zip/fuse-zip.spec 
@@ -0,0 +1,210 @@ +Name: fuse-zip +Version: 0.7.2 +Release: 2%{?dist} +Summary: Filesystem to navigate, extract, create and modify ZIP archives +Vendor: Microsoft Corporation +Distribution: Mariner +License: GPLv3+ +URL: https://bitbucket.org/agalanin/fuse-zip/ +Source0: https://bitbucket.org/agalanin/fuse-zip/downloads/%{name}-%{version}.tar.gz + +BuildRequires: libstdc++ +BuildRequires: libstdc++-devel +BuildRequires: libzip-devel +BuildRequires: fuse-devel +BuildRequires: zlib-devel +BuildRequires: bzip2-devel +BuildRequires: make +Requires: fuse + +%description +fuse-zip is a FUSE file system to navigate, extract, create and modify +ZIP archives based in libzip implemented in C++. + +With fuse-zip you really can work with ZIP archives as real directories. +Unlike KIO or Gnome VFS, it can be used in any application without +modifications. + +Unlike other FUSE filesystems, only fuse-zip provides write support +to ZIP archives. Also, fuse-zip is faster that all known implementations +on large archives with many files. 
+ +%prep +%autosetup -p1 + +sed -i '/CXXFLAGS=.*/d' lib/Makefile +sed -i '/CXXFLAGS=.*/d' Makefile +sed -i "s|prefix=/usr/local|prefix=%{_prefix}|" Makefile + +%build +%set_build_flags +%make_build + +%install +%make_install + +%files +%doc README.md changelog +%license LICENSE +%{_bindir}/%{name} +%{_mandir}/man1/%{name}.1.gz +%{_docdir}/fuse-zip + +%changelog +* Mon May 17 2021 Suresh Babu Chalamalasetty - 0.7.2-2 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Mon Feb 22 2021 Vasiliy Glazov - 0.7.2-1 +- Update to 0.7.2 + +* Tue Jan 26 2021 Fedora Release Engineering - 0.7.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Jun 21 2020 Vasiliy Glazov - 0.7.1-1 +- Update to 0.7.1 + +* Tue Jan 28 2020 Fedora Release Engineering - 0.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Sep 25 2019 Vasiliy N. Glazov - 0.7.0-1 +- Update to 0.7.0 + +* Tue Aug 06 2019 Vasiliy N. Glazov - 0.6.2-1 +- Update to 0.6.2 + +* Mon Jul 29 2019 Vasiliy N. Glazov - 0.6.1-1 +- Update to 0.6.1 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Mar 20 2019 Vasiliy N. Glazov - 0.6.0-1 +- Update to 0.6.0 + +* Thu Jan 31 2019 Fedora Release Engineering - 0.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Dec 25 2018 Vasiliy N. Glazov - 0.5.0-1 +- Update to 0.5.0 + +* Fri Jul 13 2018 Fedora Release Engineering - 0.4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 0.4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Feb 05 2018 Vasiliy N. Glazov - 0.4.5-1 +- Update to 0.4.5 + +* Thu Dec 07 2017 Vasiliy N. 
Glazov - 0.4.4-1 +- Update to 0.4.4 + +* Wed Aug 02 2017 Fedora Release Engineering - 0.4.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.4.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 28 2017 Remi Collet - 0.4.2-3 +- rebuild for new libzip + +* Fri Feb 10 2017 Fedora Release Engineering - 0.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Mar 15 2016 Vasiliy N. Glazov - 0.4.2-1 +- Update to 0.4.2 + +* Wed Feb 03 2016 Fedora Release Engineering - 0.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jul 29 2015 Vasiliy N. Glazov - 0.4.1-1 +- Update to 0.4.1 +- Update makefile patch + +* Wed Jun 17 2015 Fedora Release Engineering - 0.4.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed May 06 2015 Remi Collet - 0.4.0-4 +- rebuild for new libzip +- honour fedora build flags and fix FTBFS + +* Sat Aug 16 2014 Fedora Release Engineering - 0.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 05 2014 Vasiliy N. Glazov - 0.4.0-1 +- Update to 0.4.0 +- Drop fuse-zip-libzip010.patch + +* Wed Aug 21 2013 Remi Collet - 0.2.12-9 +- rebuild for new libzip + +* Thu Aug 08 2013 Vasiliy N. 
Glazov - 0.2.12-8 +- Clean spec +- Correct build flags +- Added russian description + +* Sat Aug 03 2013 Fedora Release Engineering - 0.2.12-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 0.2.12-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 0.2.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Feb 04 2012 Remi Collet - 0.2.12-4 +- rebuild for new libzip +- add patch for new callback prototype (fix #787370) + +* Fri Jan 13 2012 Fedora Release Engineering - 0.2.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.2.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue May 04 2010 Rakesh Pandit - 0.2.12-1 +- Updated to 0.2.12 + +* Sat Jan 30 2010 Rakesh Pandit - 0.2.11-1 +- Updated to 0.2.11 + +* Fri Dec 04 2009 Rakesh Pandit - 0.2.8-1 +- Updated to 0.2.8 + +* Thu Sep 17 2009 Peter Lemenkov - 0.2.7-4 +- Rebuilt with new fuse + +* Fri Jul 24 2009 Fedora Release Engineering - 0.2.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Feb 24 2009 Fedora Release Engineering - 0.2.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Dec 29 2008 Rakesh Pandit 0.2.7-1 +- Upgraded to 0.2.7 + +* Mon Dec 29 2008 Rakesh Pandit 0.2.6-6 +- fixed man page spelling mistake + +* Sun Dec 07 2008 Rakesh Pandit 0.2.6-5 +- fixed debug info package + +* Sat Nov 08 2008 Rakesh Pandit 0.2.6-4 +- removed INSTALL file from package - not useful + +* Fri Nov 07 2008 Rakesh Pandit 0.2.6-3 +- fix flag, save timestamp and clean %%install + +* Tue Nov 04 2008 Rakesh Pandit 0.2.6-2 +- Makefile patch by Debarshi Ray , fix debuginfo + +* Tue Nov 04 2008 Rakesh Pandit 0.2.6-1 +- initial package + 
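Review bot: The new SPECS/fuse-zip/fuse-zip.spec has no `%check` section: it goes from `%install` straight to `%files`, so nothing exercises the built binary before it is packaged. The pull-request checklist earlier in this same diff asks for package tests to be added to new SPEC files. If the upstream tarball ships a test target, add `%check` followed by `make check` (target name to be confirmed against the upstream Makefile); if it does not, a one-line comment above `%files` would record that the omission is deliberate. Separately, the two `sed -i '/CXXFLAGS=.*/d'` lines in `%prep` succeed even when they match nothing, so confirm in a build log that the flags from `%set_build_flags` actually reach the compiler.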
diff --git a/SPECS/gcc/gcc.spec b/SPECS/gcc/gcc.spec index 049abf4141..4204fa82bd 100644 --- a/SPECS/gcc/gcc.spec +++ b/SPECS/gcc/gcc.spec @@ -276,7 +276,7 @@ make %{?_smp_mflags} check-gcc * Thu Jun 11 2020 Henry Beberman - 9.1.0-5 - Disable -Werror=format-security to build with hardened cflags -* Sat May 09 00:21:12 PST 2020 Nick Samson - 9.1.0-4 +* Sat May 09 2020 Nick Samson - 9.1.0-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin - 9.1.0-3 diff --git a/SPECS/gdbm/gdbm.spec b/SPECS/gdbm/gdbm.spec index 3c87a4ff8b..ecb8be19d6 100644 --- a/SPECS/gdbm/gdbm.spec +++ b/SPECS/gdbm/gdbm.spec @@ -76,22 +76,29 @@ make %{?_smp_mflags} check %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.18-4 -- Symlink headers for compatibility. -* Sat May 09 00:21:30 PST 2020 Nick Samson - 1.18-3 +* Mon Oct 12 2020 Joe Schmitt 1.18-4 +- Symlink headers for compatibility. + +* Sat May 09 2020 Nick Samson - 1.18-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.18-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 14 2018 Keerthana K 1.18-1 -- Update to version 1.18 -* Fri Jun 23 2017 Xiaolin Li 1.13-3 -- Add devel package. -* Tue May 02 2017 Anish Swaminathan 1.13-2 -- Add lang package. -* Wed Apr 05 2017 Danut Moraru 1.13-1 -- Upgrade gdbm to 1.13 -* Tue May 24 2016 Priyesh Padmavilasom 1.11-2 -- GA - Bump release of all rpms -* Wed Nov 5 2014 Divya Thaluru 1.11-1 -- Initial build. First version +* Tue Sep 03 2019 Mateusz Malisz 1.18-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 14 2018 Keerthana K 1.18-1 +- Update to version 1.18 + +* Fri Jun 23 2017 Xiaolin Li 1.13-3 +- Add devel package. + +* Tue May 02 2017 Anish Swaminathan 1.13-2 +- Add lang package. + +* Wed Apr 05 2017 Danut Moraru 1.13-1 +- Upgrade gdbm to 1.13 + +* Tue May 24 2016 Priyesh Padmavilasom 1.11-2 +- GA - Bump release of all rpms + +* Wed Nov 5 2014 Divya Thaluru 1.11-1 +- Initial build. First version 
diff --git a/SPECS/gettext/gettext.spec b/SPECS/gettext/gettext.spec index 213ddb47d3..ba4b9f541a 100644 --- a/SPECS/gettext/gettext.spec +++ b/SPECS/gettext/gettext.spec 
@@ -56,25 +56,34 @@ make %{?_smp_mflags} check %{_mandir}/* %changelog -* Mon Sep 28 2020 Ruying Chen 0.21-1 -- Update to version 0.21. -- Update URL and Source0 to use https. -- Provide gettext-devel -* Thu Jun 11 2020 Henry Beberman - 0.19.8.1-3 -- Disable -Wno-error=format-security to build with hardened cflags -* Sat May 09 00:21:19 PST 2020 Nick Samson - 0.19.8.1-2 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 19.8.1-1 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 14 2018 Keerthana K 0.19.8.1-1 -- Update to version 0.19.8.1 -* Wed Apr 05 2017 Danut Moraru 0.19.8-1 -- Upgrade to 0.19.8 -* Tue May 24 2016 Priyesh Padmavilasom 0.19.5.1-2 -- GA - Bump release of all rpms -* Tue Jan 12 2016 Xiaolin Li 0.19.5.1-1 -- Updated to version 0.19.5.1 -* Tue Nov 10 2015 Xiaolin Li 0.18.3.2-2 -- Handled locale files with macro find_lang -* Wed Nov 5 2014 Divya Thaluru 0.18.3.2-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 0.21-1 +- Update to version 0.21. +- Update URL and Source0 to use https. +- Provide gettext-devel + +* Thu Jun 11 2020 Henry Beberman - 0.19.8.1-3 +- Disable -Wno-error=format-security to build with hardened cflags + +* Sat May 09 2020 Nick Samson 0.19.8.1-2 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 19.8.1-1 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 14 2018 Keerthana K 0.19.8.1-1 +- Update to version 0.19.8.1 + +* Wed Apr 05 2017 Danut Moraru 0.19.8-1 +- Upgrade to 0.19.8 + +* Tue May 24 2016 Priyesh Padmavilasom 0.19.5.1-2 +- GA - Bump release of all rpms + +* Tue Jan 12 2016 Xiaolin Li 0.19.5.1-1 +- Updated to version 0.19.5.1 + +* Tue Nov 10 2015 Xiaolin Li 0.18.3.2-2 +- Handled locale files with macro find_lang + +* Wed Nov 5 2014 Divya Thaluru 0.18.3.2-1 +- Initial build. First version 
diff --git a/SPECS/glib-networking/glib-networking.spec b/SPECS/glib-networking/glib-networking.spec index 412a4c2705..0dc280a781 100644 --- a/SPECS/glib-networking/glib-networking.spec +++ b/SPECS/glib-networking/glib-networking.spec @@ -76,7 +76,7 @@ ninja test - Bump release to rebuild with new nettle (3.7.2) * Tue Aug 18 2020 Henry Beberman - 2.59.1-6 - Backport patch for CVE-2020-13645 -* Sat May 09 00:20:40 PST 2020 Nick Samson - 2.59.1-5 +* Sat May 09 2020 Nick Samson - 2.59.1-5 - Added %%license line automatically, updated license line * Wed May 06 2020 Pawel Winogrodzki 2.59.1-4 - Removing *Requires for "ca-certificates". diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index 229fa585dc..6493e26e9f 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -7,7 +7,7 @@ Summary: Main C library Name: glibc Version: 2.28 -Release: 17%{?dist} +Release: 18%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -304,6 +304,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %defattr(-,root,root) %changelog +* Thu Jul 29 2021 Jon Slobodzian 2.28-18 +- Dash Rolled for Merge from 1.0 branch + * Fri Apr 02 2021 Thomas Crain - 2.28-17 - Merge the following releases from 1.0 to dev branch - lihl@microsoft.com, 2.28-13: Added patch to resolve CVE-2019-7309, Used autosteup diff --git a/SPECS/glibmm24/glibmm24.spec b/SPECS/glibmm24/glibmm24.spec index ead1511dd0..c48ba0365e 100644 --- a/SPECS/glibmm24/glibmm24.spec +++ b/SPECS/glibmm24/glibmm24.spec @@ -67,7 +67,7 @@ export GIO_EXTRA_MODULES=/usr/lib/gio/modules; make check %{_datadir}/* %changelog -* Sat May 09 00:20:49 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 2.56.0-6 diff --git a/SPECS/gmp/gmp.spec b/SPECS/gmp/gmp.spec index c5c28c9b92..87469a2577 100644 --- a/SPECS/gmp/gmp.spec +++ b/SPECS/gmp/gmp.spec 
@@ -63,7 +63,7 @@ make %{?_smp_mflags} check %{_docdir}/%{name}-%{version}/isa_abi_headache %changelog -* Sat May 09 00:21:12 PST 2020 Nick Samson - 6.1.2-5 +* Sat May 09 2020 Nick Samson - 6.1.2-5 - Added %%license line automatically * Fri Feb 14 2020 Andrew Phelps 6.1.2-4 diff --git a/SPECS/gnome-common/gnome-common.spec b/SPECS/gnome-common/gnome-common.spec index e65865b2d5..0a72ab6381 100644 --- a/SPECS/gnome-common/gnome-common.spec +++ b/SPECS/gnome-common/gnome-common.spec @@ -39,7 +39,7 @@ make %{?_smp_mflags} check %{_datadir}/aclocal/*.m4 %changelog -* Sat May 09 00:21:20 PST 2020 Nick Samson - 3.18.0-6 +* Sat May 09 2020 Nick Samson - 3.18.0-6 - Added %%license line automatically * Mon Apr 27 2020 Pawel Winogrodzki 3.18.0-5 diff --git a/SPECS/gnuplot/gnuplot.spec b/SPECS/gnuplot/gnuplot.spec index 451badc298..05fff46076 100644 --- a/SPECS/gnuplot/gnuplot.spec +++ b/SPECS/gnuplot/gnuplot.spec @@ -36,7 +36,7 @@ make DESTDIR=%{buildroot} install %changelog -* Sat May 09 00:21:32 PST 2020 Nick Samson - 5.2.4-4 +* Sat May 09 2020 Nick Samson - 5.2.4-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 5.2.4-3 diff --git a/SPECS/go-md2man/go-md2man.spec b/SPECS/go-md2man/go-md2man.spec index dff1f5e03f..a83d61f4a0 100644 --- a/SPECS/go-md2man/go-md2man.spec +++ b/SPECS/go-md2man/go-md2man.spec @@ -1,7 +1,7 @@ Summary: Converts markdown into roff (man pages) Name: go-md2man Version: 2.0.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner 
@@ -48,10 +48,12 @@ cp go-md2man-2.0.0/LICENSE.md %{buildroot}%{_docdir}/%{name}-%{version}/LICENSE. %{_bindir}/go-md2man %changelog -* Fri Jun 18 2021 Henry Li - 2.0.0-6 +* Fri Jun 18 2021 Henry Li - 2.0.0-7 - Provides go-go-md2man. - Fix linting errors. +* Tue Jun 08 2021 Henry Beberman 2.0.0-6 +- Increment release to force republishing using golang 1.15.13. * Thu Dec 10 2020 Andrew Phelps 2.0.0-5 - Increment release to force republishing using golang 1.15. diff --git a/SPECS/gobject-introspection/gobject-introspection.spec b/SPECS/gobject-introspection/gobject-introspection.spec index e31eb087f4..47720447fa 100644 --- a/SPECS/gobject-introspection/gobject-introspection.spec +++ b/SPECS/gobject-introspection/gobject-introspection.spec @@ -5,7 +5,7 @@ Name: gobject-introspection Summary: Introspection system for GObject-based libraries %define BaseVersion 1.58 Version: %{BaseVersion}.0 -Release: 8%{?dist} +Release: 10%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and MIT URL: https://github.com/GNOME/gobject-introspection @@ -139,6 +139,10 @@ make %{?_smp_mflags} check %doc %{_mandir}/man1/*.gz %changelog +* Tue Jun 08 2021 Henry Beberman 1.58.0-10 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.58.0-9 +- Increment release to force republishing using golang 1.15.11. * Thu Dec 10 2020 Andrew Phelps 1.58.0-8 - Increment release to force republishing using golang 1.15. * Wed Jul 01 2020 Pawel Winogrodzki 1.58.0-7 diff --git a/SPECS/golang/golang-1.15.signatures.json b/SPECS/golang/golang-1.15.signatures.json index 9abb07948e..dd0c3366eb 100644 --- a/SPECS/golang/golang-1.15.signatures.json +++ b/SPECS/golang/golang-1.15.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "go1.15.7.src.tar.gz": "8631b3aafd8ecb9244ec2ffb8a2a8b4983cf4ad15572b9801f7c5b167c1a2abc", + "go1.15.13.src.tar.gz": "99069e7223479cce4553f84f874b9345f6f4045f27cf5089489b546da619a244", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } \ No newline at end of file diff --git a/SPECS/golang/golang-1.15.spec b/SPECS/golang/golang-1.15.spec index 8451b783f3..22f329fb0a 100644 --- a/SPECS/golang/golang-1.15.spec +++ b/SPECS/golang/golang-1.15.spec @@ -12,8 +12,8 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.15.7 -Release: 2%{?dist} +Version: 1.15.13 +Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -116,9 +116,11 @@ fi %{_bindir}/* %changelog -* Tue Jun 15 2021 Henry Li - 1.15.7-2 -- Provides go from golang -- Apply linting +* Tue Jun 08 2021 Henry Beberman - 1.15.13-1 +- Updated to version 1.15.13 to fix CVE-2021-33194 and CVE-2021-31525 + +* Mon Apr 26 2021 Nicolas Guibourge - 1.15.11-1 +- Updated to version 1.15.11 to fix CVE-2021-27918 * Wed Feb 03 2021 Andrew Phelps - 1.15.7-1 - Updated to version 1.15.7 to fix CVE-2021-3114 diff --git a/SPECS/gperf/gperf.spec b/SPECS/gperf/gperf.spec index 021556e8a2..20498202a0 100644 --- a/SPECS/gperf/gperf.spec +++ b/SPECS/gperf/gperf.spec @@ -43,7 +43,7 @@ make %{?_smp_mflags} check %{_bindir}/* %changelog -* Sat May 09 00:20:56 PST 2020 Nick Samson - 3.1-3 +* Sat May 09 2020 Nick Samson - 3.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.1-2 diff --git a/SPECS/gptfdisk/gptfdisk.spec b/SPECS/gptfdisk/gptfdisk.spec index 32aa4d67b2..13229031c9 100644 --- a/SPECS/gptfdisk/gptfdisk.spec +++ b/SPECS/gptfdisk/gptfdisk.spec 
@@ -40,7 +40,7 @@ rm -rf %{buildroot}/* /sbin/* %{_mandir}/man8/* %changelog -* Sat May 09 00:21:01 PST 2020 Nick Samson - 1.0.4-3 +* Sat May 09 2020 Nick Samson - 1.0.4-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.0.4-2 diff --git a/SPECS/grep/grep-3.1-glibc-2.28-fix.patch b/SPECS/grep/grep-3.1-glibc-2.28-fix.patch new file mode 100644 index 0000000000..4ca9377ce9 --- /dev/null +++ b/SPECS/grep/grep-3.1-glibc-2.28-fix.patch 
@@ -0,0 +1,38 @@ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 66fb461..c6e96e4 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -55,10 +55,6 @@ XFAIL_TESTS = triple-backref + # FIXME-2015: Remove this once the gnulib bug is fixed. + if USE_INCLUDED_REGEX + XFAIL_TESTS += equiv-classes +-else +-# The backslash-alt test fails for glibc, which needs to be fixed. +-# FIXME-2015: Remove this once the glibc bug is fixed. +-XFAIL_TESTS += backref-alt + endif + + TESTS = \ +diff --git a/tests/Makefile.in b/tests/Makefile.in +index 55c72d0..04e64af 100644 +--- a/tests/Makefile.in ++++ b/tests/Makefile.in +@@ -108,9 +108,6 @@ check_PROGRAMS = get-mb-cur-max$(EXEEXT) + # The included matcher needs to be fixed. + # FIXME-2015: Remove this once the gnulib bug is fixed. + @USE_INCLUDED_REGEX_TRUE@am__append_1 = equiv-classes +-# The backslash-alt test fails for glibc, which needs to be fixed. +-# FIXME-2015: Remove this once the glibc bug is fixed. +-@USE_INCLUDED_REGEX_FALSE@am__append_2 = backref-alt + subdir = tests + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/00gnulib.m4 \ +@@ -1408,7 +1405,7 @@ LDADD = ../lib/libgreputils.a $(LIBINTL) ../lib/libgreputils.a + # matcher (i.e., with glibc) and with the included matcher. + # Both matchers need to be fixed. + # FIXME-2015: Remove this once the glibc and gnulib bugs are fixed. +-XFAIL_TESTS = triple-backref $(am__append_1) $(am__append_2) ++XFAIL_TESTS = triple-backref $(am__append_1) + TESTS = \ + backref \ + backref-alt \ diff --git a/SPECS/grep/grep-3.31-help-align.patch b/SPECS/grep/grep-3.31-help-align.patch new file mode 100644 index 0000000000..1954b66ac1 --- /dev/null +++ b/SPECS/grep/grep-3.31-help-align.patch 
@@ -0,0 +1,31 @@ +diff --git a/src/grep.c b/src/grep.c +index a2de03d..fd1b3a9 100644 +--- a/src/grep.c ++++ b/src/grep.c +@@ -1962,17 +1962,20 @@ Output control:\n\ + -D, --devices=ACTION how to handle devices, FIFOs and sockets;\n\ + ACTION is 'read' or 'skip'\n\ + -r, --recursive like --directories=recurse\n\ +- -R, --dereference-recursive likewise, but follow all symlinks\n\ ++ -R, --dereference-recursive\n\ ++ likewise, but follow all symlinks\n\ + ")); + printf (_("\ +- --include=FILE_PATTERN search only files that match FILE_PATTERN\n\ +- --exclude=FILE_PATTERN skip files and directories matching\ ++ --include=FILE_PATTERN\n\ ++ search only files that match FILE_PATTERN\n\ ++ --exclude=FILE_PATTERN\n\ ++ skip files and directories matching\ + FILE_PATTERN\n\ + --exclude-from=FILE skip files matching any file pattern from FILE\n\ +- --exclude-dir=PATTERN directories that match PATTERN will be skipped.\n\ ++ --exclude-dir=PATTERN directories that match PATTERN will be skipped.\n\ + ")); + printf (_("\ +- -L, --files-without-match print only names of FILEs with no selected lines\n\ ++ -L, --files-without-match print only names of FILEs with no selected lines\n\ + -l, --files-with-matches print only names of FILEs with selected lines\n\ + -c, --count print only a count of selected lines per FILE\n\ + -T, --initial-tab make tabs line up (if needed)\n\ + \ No newline at end of file diff --git a/SPECS/grep/grep-3.31-man-fix-gs.patch b/SPECS/grep/grep-3.31-man-fix-gs.patch new file mode 100644 index 0000000000..233270f7e2 --- /dev/null +++ b/SPECS/grep/grep-3.31-man-fix-gs.patch 
@@ -0,0 +1,61 @@ +diff --git a/doc/grep.in.1 b/doc/grep.in.1 +index 40c9586..a4e89eb 100644 +--- a/doc/grep.in.1 ++++ b/doc/grep.in.1 +@@ -335,7 +335,7 @@ Print + .I NUM + lines of trailing context after matching lines. + Places a line containing a group separator +-.RB ( \-\^\- ) ++.RB "(described under " \-\^\-group\-separator ) + between contiguous groups of matches. + With the + .B \-o +@@ -348,7 +348,7 @@ Print + .I NUM + lines of leading context before matching lines. + Places a line containing a group separator +-.RB ( \-\^\- ) ++.RB "(described under " \-\^\-group\-separator ) + between contiguous groups of matches. + With the + .B \-o +@@ -361,13 +361,24 @@ Print + .I NUM + lines of output context. + Places a line containing a group separator +-.RB ( \-\^\- ) ++.RB "(described under " \-\^\-group\-separator ) + between contiguous groups of matches. + With the + .B \-o + or + .B \-\^\-only\-matching + option, this has no effect and a warning is given. ++.TP ++.BI \-\^\-group\-separator= SEP ++Use ++.I SEP ++as a group separator. By default ++.I SEP ++is double hyphen ++.RB ( \-\^\- ). ++.TP ++.B \-\^\-no\-group-separator ++Use empty string as a group separator. + .SS "File and Directory Selection" + .TP + .BR \-a ", " \-\^\-text +diff --git a/src/grep.c b/src/grep.c +index 8d22aec..a2de03d 100644 +--- a/src/grep.c ++++ b/src/grep.c +@@ -1986,6 +1986,8 @@ Context control:\n\ + ")); + printf (_("\ + -NUM same as --context=NUM\n\ ++ --group-separator=SEP use SEP as a group separator\n\ ++ --no-group-separator use empty string as a group separator\n\ + --color[=WHEN],\n\ + --colour[=WHEN] use markers to highlight the matching strings;\n\ + WHEN is 'always', 'never', or 'auto'\n\ diff --git a/SPECS/grep/grep.spec b/SPECS/grep/grep.spec index 9e8a48c301..39c38932ab 100644 --- a/SPECS/grep/grep.spec +++ b/SPECS/grep/grep.spec 
@@ -1,31 +1,44 @@ Summary: Programs for searching through files Name: grep Version: 3.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv3+ -URL: http://www.gnu.org/software/grep -Group: Applications/File Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/File +URL: https://www.gnu.org/software/grep Source0: http://ftp.gnu.org/gnu/grep/%{name}-%{version}.tar.xz +Patch0: grep-3.31-man-fix-gs.patch +Patch1: grep-3.31-help-align.patch +Patch2: grep-3.1-glibc-2.28-fix.patch +BuildRequires: pcre-devel +Requires: pcre Conflicts: toybox + %description The Grep package contains programs for searching through files. %package lang -Summary: Additional language files for grep -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} +Summary: Additional language files for grep +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + %description lang These are the additional language files of grep %prep %setup -q +%patch0 -p1 -b .man-fix-gs +%patch1 -p1 -b .help-align +%patch2 -p1 -b .glibc-2.28-fix +# Skip pcre-jitstack test, which is known to fail when libpcre is built without jit +sed -i 's/require_pcre_/require_pcre_\nskip_ "test known to fail when libpcre is built without jit"/g' tests/pcre-jitstack + %build ./configure \ --prefix=%{_prefix} \ --bindir=/bin \ - --with-included-regex \ + --without-included-regex \ --disable-silent-rules make %{?_smp_mflags} @@ -35,7 +48,7 @@ rm -rf %{buildroot}%{_infodir} %find_lang %{name} %check -make %{?_smp_mflags} check +make %{?_smp_mflags} check %files %defattr(-,root,root) 
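Review bot: In the grep.spec header, `Source0` still points at `http://ftp.gnu.org/gnu/grep/%{name}-%{version}.tar.xz` although this hunk moves `URL` to https, which leaves the tarball location as the only plain-http reference. Assuming grep has a signatures file like the other packages in this diff, the pinned hash should still catch an altered download, but fetching over TLS costs nothing: `Source0: https://ftp.gnu.org/gnu/grep/%{name}-%{version}.tar.xz`. The two added patches are named `grep-3.31-…` while `Version` is 3.1, which reads like a typo. A comment above `Patch0` stating where the patches came from and which release they were cut for would help.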
@@ -47,9 +60,13 @@ make %{?_smp_mflags} check %defattr(-,root,root) %changelog +* Tue Jun 15 2021 Andrew Phelps 3.1-5 +- Support perl regular expressions ("grep -P") +- Fix test issues +- Add Fedora patch files for help text and manpage. * Tue Jan 05 2021 Andrew Phelps 3.1-4 - Fix test issue by configuring "--with-included-regex". Remove sha1. -* Sat May 09 00:20:53 PST 2020 Nick Samson - 3.1-3 +* Sat May 09 2020 Nick Samson 3.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.1-2 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/groff/groff.spec b/SPECS/groff/groff.spec index 1680433828..7111f9db87 100644 --- a/SPECS/groff/groff.spec +++ b/SPECS/groff/groff.spec @@ -23,16 +23,22 @@ Requires: perl-DBIx-Simple Requires: perl-DBD-SQLite Requires: perl-File-HomeDir +AutoReq: no + %description The Groff package contains programs for processing and formatting text. + %prep %setup -q + %build PAGE=letter ./configure \ --prefix=%{_prefix} \ - --with-grofferdir=%{_datadir}/%{name}/%{version}/groffer + --with-grofferdir=%{_datadir}/%{name}/%{version}/groffer \ + --without-x make + %install install -vdm 755 %{_defaultdocdir}/%{name}-1.22/pdf make DESTDIR=%{buildroot} install @@ -46,6 +52,7 @@ done rm -rf %{buildroot}%{_infodir} %post -p /sbin/ldconfig + %postun -p /sbin/ldconfig %files 
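Review bot: `AutoReq: no` in the groff.spec preamble is added without a comment, and it turns off automatic dependency generation for every build of the package, not only the toolchain build named in the changelog entry. The hand-written `Requires:` list becomes the only source of runtime dependencies, so a library or perl module groff starts using later is not picked up and the gap shows only at run time. I would put a comment above it, for example `# Runtime dependencies are listed by hand; automatic generation is off because of toolchain builds`. If the macro environment allows it, the setting could also be limited to toolchain builds. The preamble and `%files` continue outside this hunk.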
@@ -60,18 +67,29 @@ rm -rf %{buildroot}%{_infodir} %changelog * Fri Apr 30 2021 Pawel Winogrodzki 1.22.3-7 - Adding Fedora's symbolic links to provide the same set of file paths. -* Mon Oct 12 2020 Joe Schmitt 1.22.3-6 + +* Mon Oct 12 2020 Joe Schmitt 1.22.3-6 (from dev branch) - Use new perl package names. - Provide groff-base. + +* Mon Oct 05 2020 Daniel Burgener 1.22.3-6 (from 1.0 branch) +- Ensure build without X11 support +- Don't automatically add requirements when built in the toolchain + * Mon Sep 28 2020 Daniel McIlvaney 1.22.3-5 - Nopatch CVE-2000-0803.nopatch + * Sat May 09 2020 Nick Samson 1.22.3-4 - Added %%license line automatically + * Tue Sep 03 2019 Mateusz Malisz 1.22.3-3 - Initial CBL-Mariner import from Photon (license: Apache2). + * Tue May 24 2016 Priyesh Padmavilasom 1.22.3-2 - GA - Bump release of all rpms + * Tue Feb 23 2016 Xiaolin Li 1.22.3-1 - Updated to version 1.22.3 + * Wed Nov 5 2014 Divya Thaluru 1.22.2-1 - Initial build. First version diff --git a/SPECS/grpc/grpc.spec b/SPECS/grpc/grpc.spec index 173953f723..31982abf8b 100644 --- a/SPECS/grpc/grpc.spec +++ b/SPECS/grpc/grpc.spec @@ -1,7 +1,7 @@ Summary: Open source remote procedure call (RPC) framework Name: grpc Version: 1.35.0 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -17,16 +17,18 @@ Source0: %{name}-%{version}.tar.gz # popd # sudo mv grpc grpc-%{version} # sudo tar -cvf grpc-%{version}.tar.gz grpc-%{version}/ -BuildRequires: git BuildRequires: c-ares-devel BuildRequires: cmake BuildRequires: gcc -BuildRequires: zlib-devel +BuildRequires: git BuildRequires: openssl-devel +BuildRequires: protobuf-devel +BuildRequires: zlib-devel -Requires: zlib -Requires: openssl Requires: c-ares +Requires: openssl +Requires: protobuf +Requires: zlib %description gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. It enables client and server applications to communicate transparently, and simplifies the building of connected systems. @@ -34,6 +36,7 @@ gRPC is a modern, open source, high-performance remote procedure call (RPC) fram %package devel Summary: Development files for grpc Requires: %{name} = %{version}-%{release} +Requires: protobuf-devel %description devel The grpc-devel package contains the header files and libraries @@ -53,13 +56,14 @@ The grpc-plugins package contains the grpc plugins. %build mkdir -p cmake/build cd cmake/build -cmake ../.. -DgRPC_INSTALL=ON \ - -DBUILD_SHARED_LIBS=ON \ - -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} \ - -DgRPC_ZLIB_PROVIDER:STRING='package' \ - -DgRPC_SSL_PROVIDER:STRING='package' \ - -DgRPC_CARES_PROVIDER:STRING='package' +cmake ../.. -DgRPC_INSTALL=ON \ + -DBUILD_SHARED_LIBS=ON \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} \ + -DgRPC_CARES_PROVIDER:STRING='package' \ + -DgRPC_PROTOBUF_PROVIDER:STRING='package' \ + -DgRPC_SSL_PROVIDER:STRING='package' \ + -DgRPC_ZLIB_PROVIDER:STRING='package' %make_build %install 
@@ -71,26 +75,22 @@ find %{buildroot} -name '*.cmake' -delete %files %license LICENSE %{_libdir}/*.so.* -%{_lib64dir}/*.so.* %{_datadir}/grpc/roots.pem -%exclude %{_datadir}/pkgconfig/zlib.pc -%exclude %{_bindir}/acountry -%exclude %{_bindir}/ahost -%exclude %{_bindir}/adig -%exclude %{_bindir}/protoc* %files devel %{_includedir}/* %{_libdir}/*.so %{_lib64dir}/*.so %{_libdir}/pkgconfig/*.pc -%{_lib64dir}/pkgconfig/*.pc %files plugins %license LICENSE %{_bindir}/grpc_*_plugin %changelog +* Mon Jun 21 2021 Pawel Winogrodzki - 1.35.0-4 +- Switch to system package for protobuf dependency. + * Wed Apr 28 2021 Nick Samson - 1.35.0-3 - Switch to system package for c-ares dependency. @@ -98,4 +98,4 @@ find %{buildroot} -name '*.cmake' -delete - Switch to system provided packages for zlib and openssl. * Mon Mar 08 2021 Neha Agarwal - 1.35.0-1 -- Original CBL-Mariner version. License Verified. +- Original version for CBL-Mariner. License Verified. diff --git a/SPECS/gtest/gtest.spec b/SPECS/gtest/gtest.spec index 177ea74f21..6eae56df8a 100644 --- a/SPECS/gtest/gtest.spec +++ b/SPECS/gtest/gtest.spec @@ -103,7 +103,7 @@ find %{buildroot} -name '*.la' -delete %{_lib64dir}/libgtest_main.a %changelog -* Sat May 09 00:20:49 PST 2020 Nick Samson - 1.8.1-5 +* Sat May 09 2020 Nick Samson - 1.8.1-5 - Added %%license line automatically * Thu Apr 23 2020 Andrew Phelps 1.8.1-4 diff --git a/SPECS/gtk-doc/gtk-doc.spec b/SPECS/gtk-doc/gtk-doc.spec index 825f0e7909..75b41774b1 100644 --- a/SPECS/gtk-doc/gtk-doc.spec +++ b/SPECS/gtk-doc/gtk-doc.spec @@ -51,7 +51,7 @@ cd tests && make check-TESTS %{_libdir}/cmake/ %changelog -* Sat May 09 00:20:38 PST 2020 Nick Samson - 1.29-6 +* Sat May 09 2020 Nick Samson - 1.29-6 - Added %%license line automatically * Tue May 05 2020 Emre Girgin 1.29-5 diff --git a/SPECS/guile/guile.spec b/SPECS/guile/guile.spec index b2a68ed8fd..6739b8d9eb 100644 --- a/SPECS/guile/guile.spec +++ b/SPECS/guile/guile.spec 
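Review bot: `%files devel` still lists `%{_lib64dir}/*.so`, while this hunk removes `%{_lib64dir}/*.so.*` from the main package and `%{_lib64dir}/pkgconfig/*.pc` from devel. If anything is still installed under `%{_lib64dir}`, the development symlinks would be packaged without the versioned libraries they point to. If nothing is installed there, the remaining glob is dead and may fail the build as a missing file. Either drop `%{_lib64dir}/*.so` too or keep the lib64 entries as a pair. Whether lib64 is still populated after the switch to system protobuf cannot be told from the hunk.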
@@ -84,23 +84,23 @@ make %{?_smp_mflags} check * Sat May 09 2020 Nick Samson - 2.0.14-2 - Added %%license line automatically -* Mon Mar 16 2020 Henry Beberman 2.0.14-1 -- Update to 2.0.14. License verified. +* Mon Mar 16 2020 Henry Beberman 2.0.14-1 +- Update to 2.0.14. License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.0.13-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.0.13-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed May 03 2017 Dheeraj Shetty 2.0.13-2 -- Adding glibc-iconv to Requires section +* Wed May 03 2017 Dheeraj Shetty 2.0.13-2 +- Adding glibc-iconv to Requires section -* Wed Jan 18 2017 Dheeraj Shetty 2.0.13-1 -- Bumped to latest version 2.0.13 to handle CVE-2016-8606 +* Wed Jan 18 2017 Dheeraj Shetty 2.0.13-1 +- Bumped to latest version 2.0.13 to handle CVE-2016-8606 -* Thu Oct 06 2016 ChangLee 2.0.11-3 -- Modified %check +* Thu Oct 06 2016 ChangLee 2.0.11-3 +- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 2.0.11-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 2.0.11-2 +- GA - Bump release of all rpms -* Thu Jun 18 2015 Divya Thaluru 2.0.11-1 -- Initial build. First version +* Thu Jun 18 2015 Divya Thaluru 2.0.11-1 +- Initial build. First version diff --git a/SPECS/haproxy/haproxy.spec b/SPECS/haproxy/haproxy.spec index b55313ae6f..a8d533fce2 100644 --- a/SPECS/haproxy/haproxy.spec +++ b/SPECS/haproxy/haproxy.spec @@ -63,7 +63,7 @@ install -vDm644 examples/transparent_proxy.cfg %{buildroot}/%{_sysconfdir}/hapr * Tue May 19 2020 Nicolas Ontiveros 1.9.6-5 - Fix CVE-2019-14241. - Fix CVE-2020-11100. -* Sat May 09 00:20:35 PST 2020 Nick Samson 1.9.6-4 +* Sat May 09 2020 Nick Samson 1.9.6-4 - Added %%license line automatically * Tue Apr 21 2020 Nicolas Ontiveros 1.9.6-3 - Fix CVE-2019-19330. diff --git a/SPECS/haveged/haveged.spec b/SPECS/haveged/haveged.spec index 7154700c9e..f47f0c626c 100644 --- a/SPECS/haveged/haveged.spec 
+++ b/SPECS/haveged/haveged.spec @@ -106,7 +106,7 @@ rm -rf %{buildroot} %changelog -* Sat May 09 00:21:04 PST 2020 Nick Samson - 1.9.8-2 +* Sat May 09 2020 Nick Samson - 1.9.8-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 1.9.8-1 diff --git a/SPECS/hdparm/hdparm.spec b/SPECS/hdparm/hdparm.spec index 2b28524fd0..31ab304e62 100644 --- a/SPECS/hdparm/hdparm.spec +++ b/SPECS/hdparm/hdparm.spec @@ -32,7 +32,7 @@ make DESTDIR=%{buildroot} binprefix=%{_prefix} install %changelog * Sun May 31 2020 Henry Beberman - 9.56-4 - Update make to explicitly consume cflags and ldflags. -* Sat May 09 00:21:36 PST 2020 Nick Samson - 9.56-3 +* Sat May 09 2020 Nick Samson - 9.56-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 9.56-2 diff --git a/SPECS/http-parser/http-parser.spec b/SPECS/http-parser/http-parser.spec index afe9638f85..4b2ad54015 100644 --- a/SPECS/http-parser/http-parser.spec +++ b/SPECS/http-parser/http-parser.spec @@ -43,7 +43,7 @@ make PREFIX="%{_prefix}" DESTDIR="%{buildroot}" install %changelog * Sun May 31 2020 Henry Beberman - 2.8.1-5 - Update make to explicitly consume cflags -* Sat May 09 00:21:11 PST 2020 Nick Samson - 2.8.1-4 +* Sat May 09 2020 Nick Samson - 2.8.1-4 - Added %%license line automatically * Tue Apr 14 2020 Nick Samson 2.8.1-3 - Updated Source0, License verified. diff --git a/SPECS/httpd/CVE-2020-13950.patch b/SPECS/httpd/CVE-2020-13950.patch new file mode 100644 index 0000000000..5b42da6cd1 --- /dev/null +++ b/SPECS/httpd/CVE-2020-13950.patch 
@@ -0,0 +1,33 @@
+Backport of:
+
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@ static int ap_proxy_http_prefetch(proxy_
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+- conn_rec *origin = p_conn->connection;
+
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -637,7 +636,6 @@ static int ap_proxy_http_prefetch(proxy_
+ "chunked body with Content-Length (C-L ignored)",
+ c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+- origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+
diff --git a/SPECS/httpd/CVE-2020-35452.patch b/SPECS/httpd/CVE-2020-35452.patch
new file mode 100644
index 0000000000..621d8951cd
--- /dev/null
+++ b/SPECS/httpd/CVE-2020-35452.patch
@@ -0,0 +1,51 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES | 3 +++
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index e5c6afc3aa5..5af3c081b93 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,9 @@
+# -*- coding: utf-8 -*-
+# Changes with Apache 2.4.47
+#
+#+ *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+#+ the format can't match anyway. [Yann Ylavic]
+#+
+# *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
+# Transfer-Encoding from the client, spooling the request body when needed
+# to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, d
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+
+- if (strlen(resp->nonce) != NONCE_LEN) {
++ /* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++ if (strlen(resp->nonce) != NONCE_LEN
++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+- "invalid nonce %s received - length is not %d",
++ "invalid nonce '%s' received - length is not %d "
++ "or time encoding is incorrect",
+ resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
diff --git a/SPECS/httpd/CVE-2021-26690.patch b/SPECS/httpd/CVE-2021-26690.patch
new file mode 100644
index 0000000000..84e3d40be2
--- /dev/null
+++ b/SPECS/httpd/CVE-2021-26690.patch
@@ -0,0 +1,25 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -405,8 +405,8 @@ static apr_status_t session_identity_dec
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+- char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++ char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+ }
diff --git a/SPECS/httpd/CVE-2021-26691.patch b/SPECS/httpd/CVE-2021-26691.patch
new file mode 100644
index 0000000000..c8fb62e555
--- /dev/null
+++ b/SPECS/httpd/CVE-2021-26691.patch
@@ -0,0 +1,39 @@
+From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 1 Mar 2021 20:13:54 +0000
+Subject: [PATCH] mod_session: account for the '&' in identity_concat().
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/session_parsing.txt | 2 ++
+ modules/session/mod_session.c | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 changes-entries/session_parsing.txt
+
+#diff --git a/changes-entries/session_parsing.txt b/changes-entries/session_parsing.txt
+#new file mode 100644
+#index 00000000000..a996e821063
+#--- /dev/null
+#+++ b/changes-entries/session_parsing.txt
+#@@ -0,0 +1,2 @@
+#+ *) mod_session: Improve session parsing. [Yann Yalvic]
+#+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -318,7 +318,7 @@ static apr_status_t ap_session_set(reque
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+ int *count = v;
+- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+ return 1;
+ }
+
+@@ -354,7 +354,6 @@ static int identity_concat(void *v, cons
+ */
+ static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
+ {
+-
+ char *buffer = NULL;
+ int length = 0;
+ if (z->expiry) {
diff --git a/SPECS/httpd/CVE-2021-30641.patch b/SPECS/httpd/CVE-2021-30641.patch
new file mode 100644
index 0000000000..798b5705fc
--- /dev/null
+++ b/SPECS/httpd/CVE-2021-30641.patch
@@ -0,0 +1,60 @@
+From eb986059aa5aa0b6c1d52714ea83e3dd758afdd1 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Wed, 21 Apr 2021 01:10:12 +0000
+Subject: [PATCH] Merge r1889036 from trunk:
+
+legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+
+Submitted By: Ruediger Pluem
+Reviewed By: covener, rpluem, ylavic
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1889038 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/request.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+- entry_uri = r->uri;
++
++ /*
++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++ * have not been merged. But for Location walks we always go with merged
++ * slashes no matter what merge_slashes is set to.
++ */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ entry_uri = r->uri;
++ }
++ else {
++ char *uri = apr_pstrdup(r->pool, r->uri);
++ ap_no2slash(uri);
++ entry_uri = uri;
++ }
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- entry_uri + pmatch[i].rm_so,
++ r->uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec
index 8d5626bdaf..41b95061d3 100644
--- a/SPECS/httpd/httpd.spec
+++ b/SPECS/httpd/httpd.spec @@ -13,6 +13,12 @@ Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.b Source1: macros.httpd Patch0: httpd-blfs_layout-1.patch Patch1: httpd-uncomment-ServerName.patch +Patch2: CVE-2020-13950.patch +Patch3: CVE-2020-35452.patch +Patch4: CVE-2021-26690.patch +Patch5: CVE-2021-30641.patch +Patch6: CVE-2021-26691.patch + # CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" at https://httpd.apache.org/docs/2.4/misc/security_tips.html Patch100: CVE-1999-0236.nopatch # CVE-1999-1412 applies only to MacOS X @@ -73,6 +79,11 @@ The httpd-tools of httpd. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 %build %configure \ @@ -208,6 +219,12 @@ fi %exclude %{_mandir}/man1/apxs.1* %changelog +* Thu Jun 24 2021 Suresh Babu Chalamalasetty 2.4.46-5 (from 1.0 branch) +- CVE-2021-26691 fix + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty 2.4.46-4 (from 1.0 branch) +- CVE-2020-13950 CVE-2021-26690 CVE-2021-30641 and CVE-2020-35452 fixes + * Wed Apr 07 2021 Henry Li - 2.4.46-5 - Add macros.httpd to provide necessary httpd macros 
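Review bot: The five CVE patches come in as `Patch2` to `Patch6`, but no hunk in this file touches the `Release:` tag, and the new top changelog entry is `2.4.46-5`, the same release as the existing `Wed Apr 07 2021` entry. If the release stays at 5, patched and unpatched builds carry the same version-release, so installed systems are not offered the update and a scanner keyed on package version cannot tell the two apart. Bump `Release:` to the next number and make the new changelog entries match it. The `Release:` line sits above the first hunk, so this is inferred from the hunk ranges rather than seen directly.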
@@ -215,95 +232,95 @@ fi - Add Provides for httpd-mmn and httpd-filesystem from httpd - Fix files section for httpd-devel and httpd-tools -* Tue Oct 06 2020 Pawel Winogrodzki 2.4.46-3 -- Mark CVE-2007-0086 as nopatch +* Tue Oct 06 2020 Pawel Winogrodzki 2.4.46-3 +- Mark CVE-2007-0086 as nopatch -* Mon Sep 28 2020 Daniel McIlvaney 2.4.46-2 -- Mark CVE-1999-0236 CVE-1999-1412 as nopatch +* Mon Sep 28 2020 Daniel McIlvaney 2.4.46-2 +- Mark CVE-1999-0236 CVE-1999-1412 as nopatch -* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 -- Updated to 2.4.46 to resolve CVE-2020-11984. +* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 +- Updated to 2.4.46 to resolve CVE-2020-11984. -* Tue May 19 2020 Ruying Chen 2.4.43-1 -- Updated to 2.4.43 to resolve the following CVEs -- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 -- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 +* Tue May 19 2020 Ruying Chen 2.4.43-1 +- Updated to 2.4.43 to resolve the following CVEs +- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 +- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 -* Sat May 09 2020 Nick Samson 2.4.39-4 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson 2.4.39-4 +- Added %%license line automatically -* Tue Apr 07 2020 Pawel Winogrodzki 2.4.39-3 -- Updated and verified 'Source0', 'Patch0' and 'URL' tags. -- License verified. -- Removed '%%define sha1' line. +* Tue Apr 07 2020 Pawel Winogrodzki 2.4.39-3 +- Updated and verified 'Source0', 'Patch0' and 'URL' tags. +- License verified. +- Removed '%%define sha1' line. -* Tue Sep 03 2019 Mateusz Malisz 2.4.39-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.4.39-2 +- Initial CBL-Mariner import from Photon (license: Apache2). 
-* Tue Apr 16 2019 Dweep Advani 2.4.39-1 -- Upgrading to 2.4.39 for fixing multiple CVEs -- (1) CVE-2018-17189 (2) CVE-2018-17199 (3) CVE-2019-0190 -- (4) CVE-2019-0211 (5) CVE-2019-0215 (6) CVE-2019-0217 +* Tue Apr 16 2019 Dweep Advani 2.4.39-1 +- Upgrading to 2.4.39 for fixing multiple CVEs +- (1) CVE-2018-17189 (2) CVE-2018-17199 (3) CVE-2019-0190 +- (4) CVE-2019-0211 (5) CVE-2019-0215 (6) CVE-2019-0217 -* Thu Jan 24 2019 Dweep Advani 2.4.34-2 -- Fixed CVE-2018-11763 +* Thu Jan 24 2019 Dweep Advani 2.4.34-2 +- Fixed CVE-2018-11763 -* Wed Aug 29 2018 Tapas Kundu 2.4.34-1 -- Updated to version 2.4.34, fix CVE-2018-1333 +* Wed Aug 29 2018 Tapas Kundu 2.4.34-1 +- Updated to version 2.4.34, fix CVE-2018-1333 -* Mon Oct 02 2017 Xiaolin Li 2.4.28-1 -- Updated to version 2.4.28 +* Mon Oct 02 2017 Xiaolin Li 2.4.28-1 +- Updated to version 2.4.28 -* Mon Sep 18 2017 Alexey Makhalov 2.4.27-3 -- Remove shadow from requires and use explicit tools for post actions +* Mon Sep 18 2017 Alexey Makhalov 2.4.27-3 +- Remove shadow from requires and use explicit tools for post actions -* Mon Aug 07 2017 Anish Swaminathan 2.4.27-2 -- Add shadow to requires for useradd/groupadd +* Mon Aug 07 2017 Anish Swaminathan 2.4.27-2 +- Add shadow to requires for useradd/groupadd -* Mon Jul 24 2017 Anish Swaminathan 2.4.27-1 -- Updated to version 2.4.27 - Fixes CVE-2017-3167 +* Mon Jul 24 2017 Anish Swaminathan 2.4.27-1 +- Updated to version 2.4.27 - Fixes CVE-2017-3167 -* Wed May 31 2017 Harish Udaiya Kumar 2.4.25-3 -- Provide preset file to disable service by default. +* Wed May 31 2017 Harish Udaiya Kumar 2.4.25-3 +- Provide preset file to disable service by default. 
-* Fri Mar 31 2017 Dheeraj Shetty 2.4.25-2 -- Fixing httpd.pid file write issue +* Fri Mar 31 2017 Dheeraj Shetty 2.4.25-2 +- Fixing httpd.pid file write issue -* Fri Mar 31 2017 Dheeraj Shetty 2.4.25-1 -- Updated to version 2.4.25 +* Fri Mar 31 2017 Dheeraj Shetty 2.4.25-1 +- Updated to version 2.4.25 -* Tue Dec 27 2016 Xiaolin Li 2.4.18-8 -- BuildRequires lua, Requires lua. +* Tue Dec 27 2016 Xiaolin Li 2.4.18-8 +- BuildRequires lua, Requires lua. -* Wed Dec 21 2016 Anish Swaminathan 2.4.18-7 -- Change config file properties for httpd.conf +* Wed Dec 21 2016 Anish Swaminathan 2.4.18-7 +- Change config file properties for httpd.conf -* Thu Jul 28 2016 Divya Thaluru 2.4.18-6 -- Removed packaging of debug files +* Thu Jul 28 2016 Divya Thaluru 2.4.18-6 +- Removed packaging of debug files -* Wed Jul 27 2016 Divya Thaluru 2.4.18-5 -- Added patch for CVE-2016-5387 +* Wed Jul 27 2016 Divya Thaluru 2.4.18-5 +- Added patch for CVE-2016-5387 -* Tue May 24 2016 Priyesh Padmavilasom 2.4.18-4 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 2.4.18-4 +- GA - Bump release of all rpms -* Thu May 05 2016 Kumar Kaushik 2.4.18-3 -- Adding upgrade support in pre/post/un script. +* Thu May 05 2016 Kumar Kaushik 2.4.18-3 +- Adding upgrade support in pre/post/un script. -* Mon Mar 21 2016 Mahmoud Bassiouny 2.4.18-2 -- Fixing systemd service +* Mon Mar 21 2016 Mahmoud Bassiouny 2.4.18-2 +- Fixing systemd service -* Fri Jan 22 2016 Xiaolin Li 2.4.18-1 -- Updated to version 2.4.18 +* Fri Jan 22 2016 Xiaolin Li 2.4.18-1 +- Updated to version 2.4.18 -* Mon Nov 23 2015 Sharath George 2.4.12-4 -- Add /etc/mime.types +* Mon Nov 23 2015 Sharath George 2.4.12-4 +- Add /etc/mime.types -* Tue Sep 29 2015 Xiaolin Li 2.4.12-3 -- Move perl script to tools package. +* Tue Sep 29 2015 Xiaolin Li 2.4.12-3 +- Move perl script to tools package. -* Thu Jul 16 2015 Touseef Liaqat 2.4.12-2 -- Added service file. Changed installation paths. 
+* Thu Jul 16 2015 Touseef Liaqat 2.4.12-2 +- Added service file. Changed installation paths. -* Wed May 20 2015 Touseef Liaqat 2.4.12-1 -- Initial build. First version +* Wed May 20 2015 Touseef Liaqat 2.4.12-1 +- Initial build. First version diff --git a/SPECS/hyperscan/hyperscan-fix-missed-symbols.patch b/SPECS/hyperscan/hyperscan-fix-missed-symbols.patch new file mode 100644 index 0000000000..cb165ece3d --- /dev/null +++ b/SPECS/hyperscan/hyperscan-fix-missed-symbols.patch @@ -0,0 +1,30 @@ +Fix missed symbols +ld: ../lib/libhs.so.5.3.0: undefined reference to `avx2_memset' +ld: ../lib/libhs.so.5.3.0: undefined reference to `core2_memcpy' +ld: ../lib/libhs.so.5.3.0: undefined reference to `core2_memset' +ld: ../lib/libhs.so.5.3.0: undefined reference to `core2_memmove' +ld: ../lib/libhs.so.5.3.0: undefined reference to `avx2_memmove' +ld: ../lib/libhs.so.5.3.0: undefined reference to `corei7_memset' +ld: ../lib/libhs.so.5.3.0: undefined reference to `corei7_memcpy' +ld: ../lib/libhs.so.5.3.0: undefined reference to `avx2_memcpy' +ld: ../lib/libhs.so.5.3.0: undefined reference to `corei7_memmove' + +see https://github.com/intel/hyperscan/issues/292 + + +diff --git a/hyperscan/cmake/build_wrapper.sh b/hyperscan/cmake/build_wrapper.sh +index 1962813..5559b78 100755 +--- a/cmake/build_wrapper.sh ++++ b/cmake/build_wrapper.sh +@@ -16,8 +16,10 @@ KEEPSYMS=$(mktemp -p /tmp keep.syms.XXXXX) + # find the libc used by gcc + LIBC_SO=$("$@" --print-file-name=libc.so.6) + cp ${KEEPSYMS_IN} ${KEEPSYMS} ++# see https://github.com/intel/hyperscan/issues/292 + # get all symbols from libc and turn them into patterns +-nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ ]*\).*/^\1$/' >> ${KEEPSYMS} ++nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ @]*\).*/^\1$/' >> ${KEEPSYMS} ++#nm -f p -g -D ${LIBC_SO} | sed -s 's/\([^ ]*\).*/^\1$/' >> ${KEEPSYMS} + # build the object + "$@" + # rename the symbols in the object 
diff --git a/SPECS/hyperscan/hyperscan.signatures.json b/SPECS/hyperscan/hyperscan.signatures.json
new file mode 100644
index 0000000000..85daf2accc
--- /dev/null
+++ b/SPECS/hyperscan/hyperscan.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "hyperscan-5.4.0.tar.gz": "e51aba39af47e3901062852e5004d127fa7763b5dbbc16bcca4265243ffa106f"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/hyperscan/hyperscan.spec b/SPECS/hyperscan/hyperscan.spec
new file mode 100644
index 0000000000..632c77e17e
--- /dev/null
+++ b/SPECS/hyperscan/hyperscan.spec
@@ -0,0 +1,175 @@ +%global __cmake_in_source_build 1 +Name: hyperscan +Version: 5.4.0 +Release: 2%{?dist} +Summary: High-performance regular expression matching library +License: BSD +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://www.hyperscan.io/ +Source0: https://github.com/intel/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: hyperscan-fix-missed-symbols.patch + +BuildRequires: gcc +BuildRequires: libstdc++-devel +BuildRequires: libstdc++ +BuildRequires: boost-devel +BuildRequires: cmake +BuildRequires: pcre-devel +BuildRequires: python3 +BuildRequires: ragel +BuildRequires: sqlite-devel >= 3.0 +BuildRequires: libpcap-devel +Requires: pcre + +#package requires SSE support and fails to build on non x86_64 archs +ExclusiveArch: x86_64 + +%description +Hyperscan is a high-performance multiple regex matching library. It +follows the regular expression syntax of the commonly-used libpcre +library, but is a standalone library with its own C API. + +Hyperscan uses hybrid automata techniques to allow simultaneous +matching of large numbers (up to tens of thousands) of regular +expressions and for the matching of regular expressions across streams +of data. + +Hyperscan is typically used in a DPI library stack. + +%package devel +Summary: Libraries and header files for the hyperscan library +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +Hyperscan is a high-performance multiple regex matching library. It +follows the regular expression syntax of the commonly-used libpcre +library, but is a standalone library with its own C API. + +Hyperscan uses hybrid automata techniques to allow simultaneous +matching of large numbers (up to tens of thousands) of regular +expressions and for the matching of regular expressions across streams +of data. + +Hyperscan is typically used in a DPI library stack. 
+ +This package provides the libraries, include files and other resources +needed for developing Hyperscan applications. + +%prep +%autosetup -p1 + +%build +# LTO seems to be losing the target prefix on ifunc targets leading to +# multiply defined symbols. This seems like a GCC bug +# Disable LTO +%define _lto_cflags %{nil} +%cmake -DBUILD_SHARED_LIBS:BOOL=ON -DBUILD_STATIC_AND_SHARED:BOOL=OFF . +%make_build + +%install +%make_install + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%doc %{_defaultdocdir}/%{name}/examples/README.md +%doc %{_defaultdocdir}/%{name}/examples/*.cc +%doc %{_defaultdocdir}/%{name}/examples/*.c +%license COPYING +%license LICENSE +%{_libdir}/*.so.* + +%files devel +%{_libdir}/*.so +%{_libdir}/pkgconfig/libhs.pc +%{_includedir}/hs/ + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 5.4.0-2 +- Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified + +* Tue Jan 26 2021 Jason Taylor - 5.4.0-1 +- Updated to latest upstream release + +* Mon Aug 10 2020 Jason Taylor - 5.3.0-5 +- Updated to new cmake macros + +* Sat Aug 01 2020 Fedora Release Engineering - 5.3.0-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 5.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 08 2020 Jeff Law - 5.3.0-2 +- Disable LTO + +* Thu May 28 2020 Jason Taylor - 5.3.0-1 +- Latest upstream release + +* Wed Jan 29 2020 Fedora Release Engineering - 5.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Oct 30 2019 Jason Taylor - 5.2.1-1 +- Latest upstream release + +* Thu Jul 25 2019 Fedora Release Engineering - 5.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Apr 10 2019 Jason Taylor - 5.1.1-1 +- Latest upstream version (#1698365) +- Removed patch added for FTBFS (#1675120) + +* Tue Feb 12 2019 Björn Esser - 5.1.0-1 +- Latest 
upstream version (#1671192) +- Add patch to fix build (#1675120) + +* Fri Feb 01 2019 Fedora Release Engineering - 5.0.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 5.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Jason Taylor - 5.0.0-1 +- Latest upstream version + +* Wed Feb 07 2018 Fedora Release Engineering - 4.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Jason Taylor - 4.7.0-1 +- upstream bugfix release + +* Fri Sep 22 2017 Jason Taylor - 4.6.0-1 +- latest upstream release + +* Wed Aug 02 2017 Fedora Release Engineering - 4.5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Jason Taylor - 4.5.2-1 +- upstream bugfix release + +* Wed Jul 26 2017 Fedora Release Engineering - 4.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 16 2017 Jason Taylor - 4.5.1-1 +- upstream bugfix release + +* Fri Jun 09 2017 Jason Taylor - 4.5.0-1 +- Update to latest upstream +- Removed CMakeLists.txt patch, moved into upstream + +* Fri May 12 2017 Jason Taylor - 4.4.1-1 +- Update to latest upstream +- Add CMakeLists.txt path patch +- Spec file updates to meet packaging standards + +* Fri Sep 2 2016 Jason Taylor - 4.3.1-1 +- Updated to latest upstream release. + +* Fri Jul 1 2016 Jason Ish - 4.2.0-1 +- Initial package of Hyperscan. diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index c1f8622a0c..c044083129 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json 
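Review bot: The new hyperscan.spec has no `%check` section, although the pull-request template updated in this same change asks for package tests to be added to new SPEC files. Hyperscan compiles and runs patterns against data that is often untrusted network traffic, and this build also applies a local symbol-filter patch and turns LTO off, so a build that never runs the unit tests can ship a regression unnoticed. Upstream builds a unit-test binary; a `%check` that runs it, for example `bin/unit-hyperscan` (path to be confirmed against the build tree), would cover this.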
@@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d" + "kernel-5.10.52.1.tar.gz": "7fd3e7779e20f6ec6ddaa8c4b78a713a15b13860730e5b7e624ae27b304363b3" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 09b5b3713e..9777aa9259 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,8 +8,8 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.28.1 -Release: 2%{?dist} +Version: 5.10.52.1 +Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -219,6 +219,21 @@ fi %{_sbindir}/lsvmbus %changelog +* Tue Jul 20 2021 Rachel Menge - 5.10.52.1-1 +- Update source to 5.10.52.1 + +* Tue Jul 06 2021 Rachel Menge - 5.10.47.1-1 +- Update source to 5.10.47.1 + +* Tue Jun 08 2021 Rachel Menge - 5.10.42.1-1 +- Update source to 5.10.42.1 + +* Fri May 28 2021 Rachel Menge - 5.10.37.1-1 +- Update source to 5.10.37.1 + +* Mon May 03 2021 Rachel Menge - 5.10.32.1-1 +- Update source to 5.10.32.1 + * Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2 - Update to kernel release 5.10.28.1-2 diff --git a/SPECS/i2c-tools/i2c-tools.spec b/SPECS/i2c-tools/i2c-tools.spec index 5bd5a28583..f2c5710d41 100644 --- a/SPECS/i2c-tools/i2c-tools.spec +++ b/SPECS/i2c-tools/i2c-tools.spec @@ -50,7 +50,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install %{_libdir}/libi2c.so %changelog -* Sat May 09 00:21:01 PST 2020 Nick Samson - 4.1-3 +* Sat May 09 2020 Nick Samson - 4.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.1-2 
diff --git a/SPECS/inotify-tools/inotify-tools.spec b/SPECS/inotify-tools/inotify-tools.spec index 26d3db120b..eebb23db46 100644 --- a/SPECS/inotify-tools/inotify-tools.spec +++ b/SPECS/inotify-tools/inotify-tools.spec @@ -60,7 +60,7 @@ make %{?_smp_mflags} check /%{_libdir}/libinotifytools.la %changelog -* Sat May 09 00:21:22 PST 2020 Nick Samson - 3.14-2 +* Sat May 09 2020 Nick Samson - 3.14-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 3.14-1 diff --git a/SPECS/intltool/intltool.spec b/SPECS/intltool/intltool.spec index b2aea74939..388efda264 100644 --- a/SPECS/intltool/intltool.spec +++ b/SPECS/intltool/intltool.spec @@ -36,7 +36,7 @@ make %{?_smp_mflags} check %{_mandir}/man8/* %changelog -* Sat May 09 00:21:18 PST 2020 Nick Samson - 0.51.0-7 +* Sat May 09 2020 Nick Samson - 0.51.0-7 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 0.51.0-6 diff --git a/SPECS/iotop/iotop.spec b/SPECS/iotop/iotop.spec index e8384658c2..db3b1347c0 100644 --- a/SPECS/iotop/iotop.spec +++ b/SPECS/iotop/iotop.spec @@ -47,7 +47,7 @@ rm -rf %{buildroot}/* %changelog -* Sat May 09 00:21:23 PST 2020 Nick Samson - 0.6-7 +* Sat May 09 2020 Nick Samson - 0.6-7 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.6-6 diff --git a/SPECS/iperf3/iperf3.spec b/SPECS/iperf3/iperf3.spec index f04ac166b7..96610bf7f6 100644 --- a/SPECS/iperf3/iperf3.spec +++ b/SPECS/iperf3/iperf3.spec @@ -68,7 +68,7 @@ make %{?_smp_mflags} check %{_mandir}/man3/libiperf.3.gz %changelog -* Sat May 09 00:21:29 PST 2020 Nick Samson - 3.6-5 +* Sat May 09 2020 Nick Samson - 3.6-5 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 3.6-4 diff --git a/SPECS/iproute/iproute.spec b/SPECS/iproute/iproute.spec index f281f1156e..7f42c00950 100644 --- a/SPECS/iproute/iproute.spec +++ b/SPECS/iproute/iproute.spec 
@@ -69,7 +69,7 @@ cd .. %{_mandir}/man3/* %changelog -* Sat May 09 00:20:46 PST 2020 Nick Samson - 4.18.0-5 +* Sat May 09 2020 Nick Samson - 4.18.0-5 - Added %%license line automatically * Mon Apr 13 2020 Emre Girgin 4.18.0-4 diff --git a/SPECS/ipset/ipset.spec b/SPECS/ipset/ipset.spec index 3d273049e4..7302986307 100644 --- a/SPECS/ipset/ipset.spec +++ b/SPECS/ipset/ipset.spec @@ -75,7 +75,7 @@ rm -rf %{buildroot}/* %{_libdir}/pkgconfig/libipset.pc %changelog -* Sat May 09 00:20:42 PST 2020 Nick Samson - 7.1-2 +* Sat May 09 2020 Nick Samson - 7.1-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 7.1-1 diff --git a/SPECS/iptables/iptables.spec b/SPECS/iptables/iptables.spec index 53c13d4430..0b322b1150 100644 --- a/SPECS/iptables/iptables.spec +++ b/SPECS/iptables/iptables.spec @@ -1,7 +1,7 @@ Summary: Linux kernel packet control tool Name: iptables Version: 1.8.3 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -18,7 +18,7 @@ BuildRequires: libmnl-devel BuildRequires: libnftnl-devel BuildRequires: systemd Requires: systemd - +Requires: iana-etc %description The next part of this chapter deals with firewalls. The principal firewall tool for Linux is Iptables. You will need to install @@ -100,10 +100,13 @@ rm -rf %{buildroot}/* %{_mandir}/man3/* %changelog +* Mon Jun 21 2021 Rachel Menge - 1.8.3-6 +- Add dependency on iana-etc (JOSLOBO 7/26: bumped dash version for merge) + * Fri Apr 02 2021 Thomas Crain - 1.8.3-5 - Merge the following releases from 1.0 to dev branch - rachelmenge@microsoft.com, 1.8.3-4: Add ssh brute force prevention to ip4save and ip6save -- License verified +- License verified * Tue Nov 03 2020 Ruying Chen - 1.8.3-4 - Systemd supports merged /usr. Update with corresponding file locations and macros. 
@@ -111,54 +114,54 @@ rm -rf %{buildroot}/* * Sat May 09 2020 Nick Samson - 1.8.3-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.8.3-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.8.3-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jul 30 2019 Shreyas B. 1.8.3-1 -- Updated to version 1.8.3 +* Tue Jul 30 2019 Shreyas B. 1.8.3-1 +- Updated to version 1.8.3 -* Tue Feb 26 2019 Alexey Makhalov 1.8.0-2 -- Flush ip6tables on service stop +* Tue Feb 26 2019 Alexey Makhalov 1.8.0-2 +- Flush ip6tables on service stop -* Mon Sep 10 2018 Ankit Jain 1.8.0-1 -- Updated to version 1.8.0 +* Mon Sep 10 2018 Ankit Jain 1.8.0-1 +- Updated to version 1.8.0 -* Thu Aug 10 2017 Priyesh Padmavilasom 1.6.1-4 -- fix ip4save script for upgrade issues. +* Thu Aug 10 2017 Priyesh Padmavilasom 1.6.1-4 +- fix ip4save script for upgrade issues. -* Mon Jul 24 2017 Priyesh Padmavilasom 1.6.1-3 -- use iptables-restore to reload rules. +* Mon Jul 24 2017 Priyesh Padmavilasom 1.6.1-3 +- use iptables-restore to reload rules. -* Fri Jun 23 2017 Xiaolin Li 1.6.1-2 -- Add devel package. +* Fri Jun 23 2017 Xiaolin Li 1.6.1-2 +- Add devel package. -* Tue Mar 28 2017 Dheeraj Shetty 1.6.1-1 -- Updated to version 1.6.1 +* Tue Mar 28 2017 Dheeraj Shetty 1.6.1-1 +- Updated to version 1.6.1 -* Wed Jan 18 2017 Alexey Makhalov 1.6.0-6 -- Flush iptables on service stop +* Wed Jan 18 2017 Alexey Makhalov 1.6.0-6 +- Flush iptables on service stop -* Tue Aug 30 2016 Anish Swaminathan 1.6.0-5 -- Change config file properties for iptables script +* Tue Aug 30 2016 Anish Swaminathan 1.6.0-5 +- Change config file properties for iptables script -* Tue May 24 2016 Priyesh Padmavilasom 1.6.0-4 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.6.0-4 +- GA - Bump release of all rpms -* Thu May 05 2016 Kumar Kaushik 1.6.0-3 -- Adding package support in pre/post/un scripts section. 
+* Thu May 05 2016 Kumar Kaushik 1.6.0-3 +- Adding package support in pre/post/un scripts section. -* Thu Apr 21 2016 Divya Thaluru 1.6.0-2 -- Enabled iptable service. Added iptable rule to accept ssh connections by default. +* Thu Apr 21 2016 Divya Thaluru 1.6.0-2 +- Enabled iptable service. Added iptable rule to accept ssh connections by default. -* Fri Jan 15 2016 Xiaolin Li 1.6.0-1 -- Updated to version 1.6.0 +* Fri Jan 15 2016 Xiaolin Li 1.6.0-1 +- Updated to version 1.6.0 -* Thu Dec 10 2015 Xiaolin Li 1.4.21-3 -- Add systemd to Requires and BuildRequires. -- Use systemctl to enable/disable service. +* Thu Dec 10 2015 Xiaolin Li 1.4.21-3 +- Add systemd to Requires and BuildRequires. +- Use systemctl to enable/disable service. -* Wed May 20 2015 Touseef Liaqat 1.4.21-2 -- Updated group. +* Wed May 20 2015 Touseef Liaqat 1.4.21-2 +- Updated group. -* Fri Oct 10 2014 Divya Thaluru 1.4.21-1 -- Initial build. First version +* Fri Oct 10 2014 Divya Thaluru 1.4.21-1 +- Initial build. First version diff --git a/SPECS/ipvsadm/ipvsadm.spec b/SPECS/ipvsadm/ipvsadm.spec index be3b719ea6..2bb6ac731d 100644 --- a/SPECS/ipvsadm/ipvsadm.spec +++ b/SPECS/ipvsadm/ipvsadm.spec @@ -34,7 +34,7 @@ rm -rf %{buildroot}/* %{_mandir}/* %changelog -* Sat May 09 00:20:53 PST 2020 Nick Samson - 1.29-5 +* Sat May 09 2020 Nick Samson - 1.29-5 - Added %%license line automatically * Thu Apr 30 2020 Nicolas Ontiveros 1.29-4 diff --git a/SPECS/ipxe/ipxe.spec b/SPECS/ipxe/ipxe.spec index 8b4ced11ce..0f77e8cc16 100644 --- a/SPECS/ipxe/ipxe.spec +++ b/SPECS/ipxe/ipxe.spec @@ -62,7 +62,7 @@ install -vDm 644 src/bin/*.{rom,mrom} %{buildroot}/usr/share/ipxe/ /usr/share/ipxe/rtl8139.rom %changelog -* Sat May 09 00:21:22 PST 2020 Nick Samson - 1.20.1-3 +* Sat May 09 2020 Nick Samson - 1.20.1-3 - Added %%license line automatically * Mon May 04 2020 Emre Girgin 1.20.1-2 diff --git a/SPECS/irqbalance/irqbalance.spec b/SPECS/irqbalance/irqbalance.spec index 57585ce59b..80098915f2 100644 
--- a/SPECS/irqbalance/irqbalance.spec +++ b/SPECS/irqbalance/irqbalance.spec @@ -59,7 +59,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{_datadir}/* %changelog -* Sat May 09 00:21:03 PST 2020 Nick Samson - 1.6.0-3 +* Sat May 09 2020 Nick Samson - 1.6.0-3 - Added %%license line automatically * Thu Apr 09 2020 Joe Schmitt 1.6.0-2 diff --git a/SPECS/jansson/jansson.spec b/SPECS/jansson/jansson.spec index 2f75d64e25..06a7a4954f 100644 --- a/SPECS/jansson/jansson.spec +++ b/SPECS/jansson/jansson.spec @@ -58,7 +58,7 @@ rm -rf %{buildroot}/* %{_libdir}/pkgconfig/%{name}.pc %changelog -* Sat May 09 00:20:58 PST 2020 Nick Samson - 2.11-3 +* Sat May 09 2020 Nick Samson - 2.11-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.11-2 diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec index 71a90ad534..805d1db2a3 100644 --- a/SPECS/jq/jq.spec +++ b/SPECS/jq/jq.spec @@ -64,7 +64,7 @@ rm -rf %{buildroot}/* %{_includedir}/* %changelog -* Sat May 09 00:21:44 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.5-5 diff --git a/SPECS/kbd/kbd.spec b/SPECS/kbd/kbd.spec index 670c26851c..d58ce699e0 100644 --- a/SPECS/kbd/kbd.spec +++ b/SPECS/kbd/kbd.spec @@ -51,7 +51,7 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog -* Sat May 09 00:20:58 PST 2020 Nick Samson - 2.0.4-5 +* Sat May 09 2020 Nick Samson - 2.0.4-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.0.4-4 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index dd26972790..16a53f4817 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d" + "kernel-5.10.52.1.tar.gz": "7fd3e7779e20f6ec6ddaa8c4b78a713a15b13860730e5b7e624ae27b304363b3" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 7fec02d156..8e83d145e6 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,13 +1,13 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.28.1 -Release: 6%{?dist} +Version: 5.10.52.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/Kernel URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel -#Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/%{version}.tar.gz +#Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/%%{version}.tar.gz Source0: kernel-%{version}.tar.gz # Historical name shipped by other distros Provides: glibc-kernheaders 
@@ -37,12 +37,54 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog -* Tue May 25 2021 Thomas Crain - 5.10.28.1-6 -- Add glibc-kernheaders provides to base package +* Tue Jul 20 2021 Rachel Menge - 5.10.52.1-1 +- Update source to 5.10.52.1 -* Fri May 14 2021 Thomas Crain - 5.10.28.1-5 +* Mon Jul 19 2021 Chris Co - 5.10.47.1-2 - Bump release number to match kernel release +* Tue Jul 06 2021 Rachel Menge - 5.10.47.1-1 +- Update source to 5.10.47.1 + +* Wed Jun 30 2021 Chris Co - 5.10.42.1-4 +- Bump release number to match kernel release + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 5.10.42.1-3 +- Bump release number to match kernel release + +* Wed Jun 16 2021 Chris Co - 5.10.42.1-2 +- Bump release number to match kernel release + +* Tue Jun 08 2021 Rachel Menge - 5.10.42.1-1 +- Update source to 5.10.42.1 + +* Thu Jun 03 2021 Rachel Menge - 5.10.37.1-2 +- Bump release number to match kernel release + +* Fri May 28 2021 Rachel Menge - 5.10.37.1-1 +- Update source to 5.10.37.1 + +* Thu May 27 2021 Chris Co - 5.10.32.1-7 +- Bump release number to match kernel release + +* Wed May 26 2021 Chris Co - 5.10.32.1-6 +- Bump release number to match kernel release + +* Tue May 25 2021 Daniel Mihai - 5.10.32.1-5 +- Bump release number to match kernel release + +* Thu May 20 2021 Nicolas Ontiveros - 5.10.32.1-4 +- Bump release number to match kernel-signed update + +* Tue May 17 2021 Andrew Phelps - 5.10.32.1-3 +- Bump release number to match kernel release + +* Thu May 13 2021 Rachel Menge - 5.10.32.1-2 +- Bump release number to match kernel release + +* Mon May 03 2021 Rachel Menge - 5.10.32.1-1 +- Update source to 5.10.32.1 + * Thu Apr 22 2021 Chris Co - 5.10.28.1-4 - Bump release number to match kernel release diff --git a/SPECS/kernel-hyperv/cbl-mariner-ca-20210127.pem b/SPECS/kernel-hyperv/cbl-mariner-ca-20210127.pem new file mode 100644 index 0000000000..7b90650cf1 --- /dev/null +++ b/SPECS/kernel-hyperv/cbl-mariner-ca-20210127.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBjCCA+6gAwIBAgITMwAABFzCHaG8uk/QhQABAAAEXDANBgkqhkiG9w0BAQsF +ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH +UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD +ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTAxMjgyMTQ0MjVaFw0y +MjAxMjcyMTQ0MjVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv +bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 +aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln +bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlDKbGLQsXa/s9 +8dukx0OKHoZRCp5otKK/Av2PrbLA4obLl8rHW5uaSi8OFOEaQ75t/PR0me55CIb/ +W7XN/CTRzUtOd5F+ZjJA04asn+ztxvdF8VVtBexNswvh3wi88Tf6YkKDRzMdYboh +2X8lB2aZxUCa98AL4lfWDB2OxakrLJY3LMpnBcDQ8QuGYhEt3YRFkT5mrWeSqphj +6Q1zRtXcETX6P/Mv0JthF45QwVDJCVuRXpgKY+Ug7fXkANpuDO79UmovyLeBa7mv +Oqke6kiXjdCqWd6VuIQxg1VpKNL8wn132NjCQdSwimvmeO0F2r0gqQ7fpQECJoBk +OwEfEEYhAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E +FgQUrrgYstPQgjOv9ptpbKdZJ8nqz1kwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT +FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2NDEyOTAf +BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN +hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl +MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG +CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz +L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB +Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBLbLjVDt5GE8uu2ebkmIZBdyEwGQg/ +2y95ja8yfXvFX2p0SFdz1MTxox2ZiIOONF6MbhTadLRTCGifwvHgTwArsjPnl0jk +4YyMCZsJtQOaRtIn8YVRvoGQ8b7oUXx49JtMx1e+Fu0FR3cpBz0VEKrkPiLAzd0x +sRIRfkRDpgZDonOxugsIdceDu/sveqIMv5SlDtq8y7nh+4V2JQpJFs4dU+xTvAHI +9ntSEGLSnvNoj/Z2oTQEoxY4AcfyT81IGVzokDDyArlkp9dgAePoSEH0scJ4bYiF +fP48iMy8Qx136RQNzQQahsFOQDj9RD2weZXWIOCVWkBvaVIkCnk8XIzf +-----END CERTIFICATE----- diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index b5f02fd2cb..92a3529ead 100644 --- a/SPECS/kernel-hyperv/config 
+++ b/SPECS/kernel-hyperv/config @@ -1,11 +1,11 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.28.1 Kernel Configuration +# Linux/x86_64 5.10.52.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=90100 -CONFIG_LD_VERSION=232000000 +CONFIG_LD_VERSION=236010000 CONFIG_CLANG_VERSION=0 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y @@ -46,7 +46,7 @@ CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y # CONFIG_WATCH_QUEUE is not set -# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_USELIB=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y @@ -798,7 +798,9 @@ CONFIG_BLK_MQ_RDMA=y # CONFIG_MQ_IOSCHED_DEADLINE=y CONFIG_MQ_IOSCHED_KYBER=y -# CONFIG_IOSCHED_BFQ is not set +CONFIG_IOSCHED_BFQ=m +CONFIG_BFQ_GROUP_IOSCHED=y +# CONFIG_BFQ_CGROUP_DEBUG is not set # end of IO Schedulers CONFIG_ASN1=y @@ -1633,7 +1635,8 @@ CONFIG_DMA_SHARED_BUFFER=y # CONFIG_MHI_BUS is not set # end of Bus devices -CONFIG_CONNECTOR=m +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y # CONFIG_GNSS is not set # CONFIG_MTD is not set # CONFIG_OF is not set @@ -2597,6 +2600,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_BD99954 is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y @@ -3216,7 +3220,6 @@ CONFIG_INTEL_IDMA64=m # CONFIG_INTEL_IDXD is not set CONFIG_INTEL_IOATDMA=y # CONFIG_PLX_DMA is not set -# CONFIG_XILINX_ZYNQMP_DPDMA is not set # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y @@ -3278,7 +3281,6 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m CONFIG_DXGKRNL=m -# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set 
@@ -3666,7 +3668,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set # CONFIG_PSTORE_RAM is not set -# CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set # CONFIG_UFS_FS is not set # CONFIG_EROFS_FS is not set @@ -4104,10 +4105,12 @@ CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SECONDARY_TRUSTED_KEYRING is not set -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +# CONFIG_SYSTEM_REVOCATION_LIST is not set # end of Certificates for signature checking CONFIG_BINARY_PRINTF=y diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index 62db6fa6d6..83f1de19a8 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json @@ -1,7 +1,8 @@ { "Signatures": { - "config": "409a59c15de0b9a2417df76b89dfe9796449a2e1b45ea0d48ea09013a012c947", - "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d", + "cbl-mariner-ca-20210127.pem": "82363cb44e786353936abc2e2d62d9325cacf2d9e9a8ebaf4221ea30a9e0cd7b", + "config": "8ca79d2ce0e8d2555caabe8a92c56d97578e5b9c7a2843a933b5239df09ff206", + "kernel-5.10.52.1.tar.gz": "7fd3e7779e20f6ec6ddaa8c4b78a713a15b13860730e5b7e624ae27b304363b3", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 9dbacc2e4a..941ba329f5 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec 
@@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.28.1 -Release: 5%{?dist} +Version: 5.10.52.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -14,6 +14,7 @@ URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel Source0: kernel-%{version}.tar.gz Source1: config Source2: sha512hmac-openssl.sh +Source3: cbl-mariner-ca-20210127.pem BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -28,6 +29,7 @@ BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: procps-ng-devel BuildRequires: python3 +BuildRequires: sed BuildRequires: xerces-c-devel Requires: filesystem Requires: kmod @@ -113,6 +115,9 @@ if [ -s config_diff ]; then exit 1 fi +# Add CBL-Mariner cert into kernel's trusted keyring +cp %{SOURCE3} certs/mariner.pem + make VERBOSE=1 KBUILD_BUILD_VERSION="1" KBUILD_BUILD_HOST="CBL-Mariner" ARCH=x86_64 %{?_smp_mflags} make -C tools perf @@ -141,18 +146,6 @@ install -vdm 755 %{buildroot}%{_prefix}/src/linux-headers-%{uname_r} install -vdm 755 %{buildroot}%{_libdir}/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install -# Verify for build-id match -# We observe different IDs sometimes -# TODO: debug it -ID1=`readelf -n vmlinux | grep "Build ID"` -./scripts/extract-vmlinux arch/x86/boot/bzImage > extracted-vmlinux -ID2=`readelf -n extracted-vmlinux | grep "Build ID"` -if [ "$ID1" != "$ID2" ] ; then - echo "Build IDs do not match" - echo $ID1 - echo $ID2 - exit 1 -fi install -vm 600 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} # Restrict the permission on System.map-X file 
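Review bot: The `cp %{SOURCE3} certs/mariner.pem` line added in the `@@ -113,6 +115,9 @@` hunk makes one dated certificate (`cbl-mariner-ca-20210127.pem`) a built-in trust anchor, and nothing in the spec says how it is rotated or revoked. The config change in this commit sets `CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem"` while `CONFIG_SECONDARY_TRUSTED_KEYRING` and `CONFIG_SYSTEM_REVOCATION_LIST` stay unset and `CONFIG_SYSTEM_BLACKLIST_HASH_LIST` is empty, so replacing or distrusting this key appears to need a rebuilt kernel. I would extend the comment above the copy to say so, for example `# Built-in trust anchor, hash pinned in kernel-hyperv.signatures.json; rotating or revoking it requires a new kernel build`. The %build section this line sits in starts and ends outside the hunk.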
@@ -165,7 +158,7 @@ ln -s vmlinux-%{uname_r} %{buildroot}%{_libdir}/debug/lib/modules/%{uname_r}/vml cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block -mariner_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta crashkernel=128M +mariner_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta crashkernel=128M lockdown=integrity mariner_linux=vmlinuz-%{uname_r} mariner_initrd=initrd.img-%{uname_r} EOF 
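Review bot: `lockdown=integrity` is set only through `mariner_cmdline` in the generated `linux-%{uname_r}.cfg`, so it is a boot-time default rather than something the kernel enforces; a boot entry without that argument starts with lockdown off. If lockdown is meant to be a guarantee, the Kconfig option `CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y` fixes it at build time; whether the config already carries it cannot be seen from this hunk. Otherwise a comment above the `cat >` line would help, e.g. `# lockdown=integrity is a default set on the command line, not enforced by the kernel config`. The %install section around the heredoc continues outside the hunk.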
@@ -274,8 +267,54 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog -* Mon Apr 26 2021 Thomas Crain - 5.10.28.1-5 -- Replace incorrect %%{_lib} usage with %%{_libdir} +* Tue Jul 20 2021 Rachel Menge - 5.10.52.1-1 +- Update source to 5.10.52.1 + +* Mon Jul 19 2021 Chris Co - 5.10.47.1-2 +- Enable CONFIG_CONNECTOR and CONFIG_PROC_EVENTS + +* Tue Jul 06 2021 Rachel Menge - 5.10.47.1-1 +- Update source to 5.10.47.1 + +* Wed Jun 30 2021 Chris Co - 5.10.42.1-4 +- Bump release number to match kernel release + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 5.10.42.1-3 +- Enable CONFIG_IOSCHED_BFQ and CONFIG_BFQ_GROUP_IOSCHED configs + +* Wed Jun 16 2021 Chris Co - 5.10.42.1-2 +- Enable CONFIG_CROSS_MEMORY_ATTACH + +* Tue Jun 08 2021 Rachel Menge - 5.10.42.1-1 +- Update source to 5.10.42.1 + +* Thu Jun 03 2021 Rachel Menge - 5.10.37.1-2 +- Bump release number to match kernel release + +* Fri May 28 2021 Rachel Menge - 5.10.37.1-1 +- Update source to 5.10.37.1 + +* Thu May 27 2021 Chris Co - 5.10.32.1-7 +- Set lockdown=integrity by default + +* Wed May 26 2021 Chris Co - 5.10.32.1-6 +- Add Mariner cert into the trusted kernel keyring + +* Tue May 25 2021 Daniel Mihai - 5.10.32.1-5 +- Bump release number to match kernel release + +* Thu May 20 2021 Nicolas Ontiveros - 5.10.32.1-4 +- Bump release number to match kernel-signed update + +* Tue May 17 2021 Andrew Phelps - 5.10.32.1-3 +- Update CONFIG_LD_VERSION for binutils 2.36.1 +- Remove build-id match check + +* Thu May 13 2021 Rachel Menge - 5.10.32.1-2 +- Bump release number to match kernel release + +* Mon May 03 2021 Rachel Menge - 5.10.32.1-1 +- Update source to 5.10.32.1 * Thu Apr 22 2021 Chris Co - 5.10.28.1-4 - Bump release number to match kernel release diff --git a/SPECS/kernel/CVE-2020-25672.nopatch b/SPECS/kernel/CVE-2020-25672.nopatch new file mode 100644 index 0000000000..2b12502b5b --- /dev/null +++ b/SPECS/kernel/CVE-2020-25672.nopatch 
@@ -0,0 +1,3 @@
+CVE-2020-25672 - already patched in 5.10.37.1 stable kernel
+Upstream commit: 7574fcdbdcb335763b6b322f6928dc0fd5730451
+Stable commit: 568ac94df580b1a65837dc299e8758635e7b1423
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-23133.nopatch b/SPECS/kernel/CVE-2021-23133.nopatch
new file mode 100644
index 0000000000..65e9c8e531
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-23133.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-23133 - already patched in 5.10.32.1 stable kernel
+Upstream: b166a20b07382b8bc1dcee2a448715c9c2c81b5b
+Stable: 5a627026be4a17e5b9db23558cd28e62b2cbc66e
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-23134.nopatch b/SPECS/kernel/CVE-2021-23134.nopatch
new file mode 100644
index 0000000000..01e8beacdc
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-23134.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-23134 - already patched in 5.10.37.1 stable kernel
+Upstream: c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6
+Stable: 6b7021ed36dabf29e56842e3408781cd3b82ef6e
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29154.nopatch b/SPECS/kernel/CVE-2021-29154.nopatch
new file mode 100644
index 0000000000..2133e69644
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29154.nopatch
@@ -0,0 +1,6 @@
+CVE-2021-23133 - already patched in 5.10.32.1 stable kernel
+Upstream: 26f55a59dc65ff77cd1c4b37991e26497fc68049
+Stable: faa30969f66e74910e9424214a4a426c2dc249d8
+
+Upstream: e4d4d456436bfb2fe412ee2cd489f7658449b098
+Stable: 3edb8967d91ecbc4c5eee34a65d4124267327574
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29155.nopatch b/SPECS/kernel/CVE-2021-29155.nopatch
new file mode 100644
index 0000000000..cb0c2a4735
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29155.nopatch
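Review bot: The first line of `CVE-2021-29154.nopatch` names `CVE-2021-23133`, which does not match the file name and looks copied from the `CVE-2021-23133.nopatch` record added just above it. The line should read `CVE-2021-29154 - already patched in 5.10.32.1 stable kernel`, assuming 5.10.32.1 is also the right fixed version for this CVE, which the hunk does not show. Anyone auditing CVE status from the file body rather than its name would otherwise read this as a second record for CVE-2021-23133.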
@@ -0,0 +1,24 @@
+CVE-2021-29155 - already patched in 5.10.37.1 stable kernel
+Upstream: 9601148392520e2e134936e76788fc2a6371e7be
+Stable: 4f3ff11204eac0ee23acf64deecb3bad7b0db0c6
+
+Upstream: 6f55b2f2a1178856c19bbce2f71449926e731914
+Stable: 480d875f12424a86fd710e8762ed1e23b7f02572
+
+Upstream: 24c109bb1537c12c02aeed2d51a347b4d6a9b76e
+Stable: 589fd9684dfafee37c60abde4ca3c0af723be3b3
+
+Upstream: b658bbb844e28f1862867f37e8ca11a8e2aa94a3
+Stable: 55565c30790839b40311c270a8b1a437ae9b2769
+
+Upstream: a6aaece00a57fa6f22575364b3903dfbccf5345d
+Stable: 7723d3243857ab20f6450cfbbd765d8594e5e308
+
+Upstream: 073815b756c51ba9d8384d924c5d1c03ca3d1ae4
+Stable: 2982ea926b5cb97ff79fbb27eba72521568811ff
+
+Upstream: f528819334881fd622fdadeddb3f7edaed8b7c9b
+Stable: fbe6603e7cabad8a203a764300531e9ca811317a
+
+Upstream: 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0
+Stable: b642e493a9a0ed56be3b8cfcfb95fe3c7cea0b55
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-30178.nopatch b/SPECS/kernel/CVE-2021-30178.nopatch
new file mode 100644
index 0000000000..3cb9f48da5
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-30178.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-30178 - Introducing commit not in stable tree. No fix necessary at this time.
+Upstream introducing commit - 8f014550dfb114cc7f42a517d20d2cf887a0b771
+Upstream fix commit - 919f4ebc598701670e80e31573a58f1f2d2bf918
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-31829.nopatch b/SPECS/kernel/CVE-2021-31829.nopatch
new file mode 100644
index 0000000000..3828041008
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-31829.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-31829 - already patched in 5.10.37.1 stable kernel
+Upstream: 801c6058d14a82179a7ee17a4b532cac6fad067f
+Stable: 2fa15d61e4cbaaa1d1250e67b251ff96952fa614
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-31916.nopatch b/SPECS/kernel/CVE-2021-31916.nopatch
new file mode 100644
index 0000000000..334bc42089
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-31916.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-31916 - already patched in 5.10.37.1 stable kernel
+Upstream: 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a
+Stable: 921aae17bb0f02181fa05cf5580ebc855fdbd74d
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-32399.nopatch b/SPECS/kernel/CVE-2021-32399.nopatch
new file mode 100644
index 0000000000..9609497390
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-32399.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-32399 - already patched in 5.10.37.1 stable kernel
+Upstream: e2cb6b891ad2b8caa9131e3be70f45243df82a80
+Stable: 2d84ef4e6569a818f912d93d5345c21542807ac7
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-33033.nopatch b/SPECS/kernel/CVE-2021-33033.nopatch
new file mode 100644
index 0000000000..a44e234fb9
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-33033.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-33033 - already patched in 5.10.37.1 stable kernel
+Upstream: 1165affd484889d4986cf3b724318935a0b120d8
+Stable: 38731bbcd9f0bb8228baaed5feb4a1f76530e49c
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-33034.nopatch b/SPECS/kernel/CVE-2021-33034.nopatch
new file mode 100644
index 0000000000..ad4b8ccedc
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-33034.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-33034 - already patched in 5.10.37.1 stable kernel
+Upstream: 5c4c8c9544099bb9043a10a5318130a943e32fc3
+Stable: 1d7bd87a2c8d264ca3e5c9ba6f3eafc23e994028
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-33200.nopatch b/SPECS/kernel/CVE-2021-33200.nopatch
new file mode 100644
index 0000000000..00b7ee7b9c
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-33200.nopatch
@@ -0,0 +1,10 @@
+CVE-2021-33200 - already patched in 5.10.42.1 stable kernel
+
+Upstream: 3d0220f6861d713213b015b582e9f21e5b28d2e0
+Stable: 4e2c7b297431457663a90d4186e666b61d5da86c
+
+Upstream: bb01a1bba579b4b1c5566af24d95f1767859771e
+Stable: c87ef240a8bbbda5913fac1e84209d224c1aaf50
+
+Upstream: a7036191277f9fa68d92f2071ddc38c09b1e5ee5
+Stable: 27acfd11ba179b746f55077edf9750f8f7cb1cb6
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-33624.nopatch b/SPECS/kernel/CVE-2021-33624.nopatch
new file mode 100644
index 0000000000..40deee42f8
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-33624.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-33624 - already patched in 5.10.47.1 stable kernel
+Upstream: 9183671af6dbf60a1219371d4ed73e23f43b49db
+Stable: 5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-33909.nopatch b/SPECS/kernel/CVE-2021-33909.nopatch
new file mode 100644
index 0000000000..1af14969b0
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-33909.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-33909 - already patched in 5.10.52.1 stable kernel
+Upstream: 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b
+Stable: 174c34d9cda1b5818419b8f5a332ced10755e52f
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-34693.nopatch b/SPECS/kernel/CVE-2021-34693.nopatch
new file mode 100644
index 0000000000..3e998868cd
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-34693.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-34693 - already patched in 5.10.47.1 stable kernel
+Upstream: 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc
+Stable: acb755be1f7adb204dcedc4d3b204ef098628623
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-3483.nopatch b/SPECS/kernel/CVE-2021-3483.nopatch
new file mode 100644
index 0000000000..0219c53bf2
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-3483.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-3483 - already patched in 5.10.37.1 stable kernel
+Upstream: 829933ef05a951c8ff140e814656d73e74915faf
+Stable: c04adcc819d3bdd85a5dc2523687707b89724df7
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-3501.nopatch b/SPECS/kernel/CVE-2021-3501.nopatch
new file mode 100644
index 0000000000..e3ccde01a2
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-3501.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-3501 - already patched in 5.10.37.1 stable kernel
+Upstream: 04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a
+Stable: 7f64753835a78c7d2cc2932a5808ef3b7fd4c050
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-35039.nopatch b/SPECS/kernel/CVE-2021-35039.nopatch
new file mode 100644
index 0000000000..6b35edc134
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-35039.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-35039 - already patched in 5.10.52.1 stable kernel
+Upstream: 0c18f29aae7ce3dadd26d8ee3505d07cc982df75
+Stable: 3051f230f19feb02dfe5b36794f8c883b576e184
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-3506.nopatch b/SPECS/kernel/CVE-2021-3506.nopatch
new file mode 100644
index 0000000000..fe5dee9607
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-3506.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-3506 - already patched in 5.10.37.1 stable kernel
+Upstream: b862676e371715456c9dade7990c8004996d0d9e
+Stable: 9aa4602237d535b83c579eb752e8fc1c3e7e7055
\ No newline at end of file
diff --git a/SPECS/kernel/cbl-mariner-ca-20210127.pem b/SPECS/kernel/cbl-mariner-ca-20210127.pem
new file mode 100644
index 0000000000..7b90650cf1
--- /dev/null
+++ b/SPECS/kernel/cbl-mariner-ca-20210127.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBjCCA+6gAwIBAgITMwAABFzCHaG8uk/QhQABAAAEXDANBgkqhkiG9w0BAQsF
+ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
+UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD
+ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTAxMjgyMTQ0MjVaFw0y
+MjAxMjcyMTQ0MjVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
+bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
+aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln
+bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlDKbGLQsXa/s9
+8dukx0OKHoZRCp5otKK/Av2PrbLA4obLl8rHW5uaSi8OFOEaQ75t/PR0me55CIb/
+W7XN/CTRzUtOd5F+ZjJA04asn+ztxvdF8VVtBexNswvh3wi88Tf6YkKDRzMdYboh
+2X8lB2aZxUCa98AL4lfWDB2OxakrLJY3LMpnBcDQ8QuGYhEt3YRFkT5mrWeSqphj
+6Q1zRtXcETX6P/Mv0JthF45QwVDJCVuRXpgKY+Ug7fXkANpuDO79UmovyLeBa7mv
+Oqke6kiXjdCqWd6VuIQxg1VpKNL8wn132NjCQdSwimvmeO0F2r0gqQ7fpQECJoBk
+OwEfEEYhAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E
+FgQUrrgYstPQgjOv9ptpbKdZJ8nqz1kwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT
+FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2NDEyOTAf
+BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN
+hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl
+MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG
+CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz
+L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB
+Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBLbLjVDt5GE8uu2ebkmIZBdyEwGQg/
+2y95ja8yfXvFX2p0SFdz1MTxox2ZiIOONF6MbhTadLRTCGifwvHgTwArsjPnl0jk
+4YyMCZsJtQOaRtIn8YVRvoGQ8b7oUXx49JtMx1e+Fu0FR3cpBz0VEKrkPiLAzd0x
+sRIRfkRDpgZDonOxugsIdceDu/sveqIMv5SlDtq8y7nh+4V2JQpJFs4dU+xTvAHI
+9ntSEGLSnvNoj/Z2oTQEoxY4AcfyT81IGVzokDDyArlkp9dgAePoSEH0scJ4bYiF
+fP48iMy8Qx136RQNzQQahsFOQDj9RD2weZXWIOCVWkBvaVIkCnk8XIzf
+-----END CERTIFICATE-----
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 463985418e..262863be5f 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
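Review bot: The file name and the certificate contents disagree, and nothing in the commit records what trust this certificate grants. The name says CA (`cbl-mariner-ca-20210127.pem`), but the base64 appears to decode to an end-entity code-signing certificate (subject CN `Mariner Secure Boot(Production Signing)`, basicConstraints CA:FALSE) issued by `Microsoft Testing PCA 2010` and valid from 2021-01-28 to 2022-01-27. kernel.spec copies it to `certs/mariner.pem` and both configs set `CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem"`, so it becomes a built-in trust anchor; the testing issuer behind a production-signing subject and the one-year validity should be confirmed as intended, with a rotation plan written down. I would document it next to `Source4` in kernel.spec, for example `# Source4: leaf code-signing cert built into the kernel trusted keyring; notAfter 2022-01-27, replace before then`. Whether the kernel enforces the validity period for built-in keys cannot be told from this diff.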
@@ -1,11 +1,11 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.28.1 Kernel Configuration +# Linux/x86_64 5.10.52.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=90100 -CONFIG_LD_VERSION=232000000 +CONFIG_LD_VERSION=236010000 CONFIG_CLANG_VERSION=0 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y @@ -46,7 +46,7 @@ CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y # CONFIG_WATCH_QUEUE is not set -# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_CROSS_MEMORY_ATTACH=y # CONFIG_USELIB is not set CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y @@ -387,7 +387,7 @@ CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y CONFIG_X86_MCE=y -# CONFIG_X86_MCELOG_LEGACY is not set +CONFIG_X86_MCELOG_LEGACY=y CONFIG_X86_MCE_INTEL=y CONFIG_X86_MCE_AMD=y CONFIG_X86_MCE_THRESHOLD=y @@ -887,7 +887,9 @@ CONFIG_BLK_PM=y # CONFIG_MQ_IOSCHED_DEADLINE=y CONFIG_MQ_IOSCHED_KYBER=y -# CONFIG_IOSCHED_BFQ is not set +CONFIG_IOSCHED_BFQ=m +CONFIG_BFQ_GROUP_IOSCHED=y +# CONFIG_BFQ_CGROUP_DEBUG is not set # end of IO Schedulers CONFIG_PREEMPT_NOTIFIERS=y @@ -1862,7 +1864,8 @@ CONFIG_DMA_SHARED_BUFFER=y # CONFIG_MHI_BUS is not set # end of Bus devices -CONFIG_CONNECTOR=m +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y # CONFIG_GNSS is not set # CONFIG_MTD is not set # CONFIG_OF is not set @@ -2970,9 +2973,11 @@ CONFIG_SERIAL_8250_MID=m # # Non-8250 serial port support # +# CONFIG_SERIAL_KGDB_NMI is not set # CONFIG_SERIAL_UARTLITE is not set CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y +CONFIG_CONSOLE_POLL=y # CONFIG_SERIAL_JSM is not set # CONFIG_SERIAL_LANTIQ is not set # CONFIG_SERIAL_SCCNXP is not set 
@@ -3297,6 +3302,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ25980 is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_RT5033 is not set # CONFIG_CHARGER_RT9455 is not set # CONFIG_CHARGER_BD99954 is not set CONFIG_HWMON=m @@ -5423,7 +5429,6 @@ CONFIG_INTEL_IDMA64=m # CONFIG_INTEL_IDXD is not set CONFIG_INTEL_IOATDMA=y # CONFIG_PLX_DMA is not set -# CONFIG_XILINX_ZYNQMP_DPDMA is not set # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y @@ -5506,7 +5511,6 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m CONFIG_DXGKRNL=m -# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # @@ -6360,7 +6364,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set # CONFIG_PSTORE_RAM is not set -# CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set # CONFIG_UFS_FS is not set # CONFIG_EROFS_FS is not set @@ -6825,10 +6828,12 @@ CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SECONDARY_TRUSTED_KEYRING is not set -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +# CONFIG_SYSTEM_REVOCATION_LIST is not set # end of Certificates for signature checking CONFIG_BINARY_PRINTF=y 
@@ -6991,13 +6996,21 @@ CONFIG_STACK_VALIDATION=y # # Generic Kernel Debugging Instruments # -# CONFIG_MAGIC_SYSRQ is not set +CONFIG_MAGIC_SYSRQ=y +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 +# CONFIG_MAGIC_SYSRQ_SERIAL is not set CONFIG_DEBUG_FS=y CONFIG_DEBUG_FS_ALLOW_ALL=y # CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set # CONFIG_DEBUG_FS_ALLOW_NONE is not set CONFIG_HAVE_ARCH_KGDB=y -# CONFIG_KGDB is not set +CONFIG_KGDB=y +CONFIG_KGDB_HONOUR_BLOCKLIST=y +CONFIG_KGDB_SERIAL_CONSOLE=y +# CONFIG_KGDB_TESTS is not set +# CONFIG_KGDB_LOW_LEVEL_TRAP is not set +# CONFIG_KGDB_KDB is not set +CONFIG_ARCH_HAS_EARLY_DEBUG=y CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_HAVE_ARCH_KCSAN=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index bc10413643..7b01bf611e 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,11 +1,11 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.28.1 Kernel Configuration +# Linux/arm64 5.10.52.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=90100 -CONFIG_LD_VERSION=232000000 +CONFIG_LD_VERSION=236010000 CONFIG_CLANG_VERSION=0 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y @@ -32,7 +32,7 @@ CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y # CONFIG_WATCH_QUEUE is not set -# CONFIG_CROSS_MEMORY_ATTACH is not set +CONFIG_CROSS_MEMORY_ATTACH=y # CONFIG_USELIB is not set CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y @@ -432,6 +432,7 @@ CONFIG_SETEND_EMULATION=y # CONFIG_ARM64_HW_AFDBM=y CONFIG_ARM64_PAN=y +CONFIG_AS_HAS_LSE_ATOMICS=y CONFIG_ARM64_LSE_ATOMICS=y CONFIG_ARM64_USE_LSE_ATOMICS=y CONFIG_ARM64_VHE=y @@ -449,9 +450,11 @@ CONFIG_ARM64_CNP=y # # ARMv8.3 architectural features # +CONFIG_ARM64_PTR_AUTH=y CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y CONFIG_AS_HAS_PAC=y +CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y # end of ARMv8.3 architectural features # 
@@ -469,6 +472,8 @@ CONFIG_ARM64_BTI=y CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y CONFIG_ARM64_E0PD=y CONFIG_ARCH_RANDOM=y +CONFIG_ARM64_AS_HAS_MTE=y +CONFIG_ARM64_MTE=y # end of ARMv8.5 architectural features CONFIG_ARM64_SVE=y @@ -1069,6 +1074,7 @@ CONFIG_IDLE_PAGE_TRACKING=y CONFIG_ARCH_HAS_PTE_DEVMAP=y CONFIG_HMM_MIRROR=y CONFIG_FRAME_VECTOR=y +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y # CONFIG_PERCPU_STATS is not set # CONFIG_GUP_BENCHMARK is not set # CONFIG_READ_ONLY_THP_FOR_FS is not set @@ -4720,6 +4726,7 @@ CONFIG_CHARGER_BQ25890=m # CONFIG_CHARGER_BQ25980 is not set CONFIG_CHARGER_SMB347=m CONFIG_BATTERY_GAUGE_LTC2941=m +# CONFIG_BATTERY_RT5033 is not set CONFIG_CHARGER_RT9455=m CONFIG_CHARGER_UCS1002=m # CONFIG_CHARGER_BD99954 is not set @@ -7558,7 +7565,6 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=y CONFIG_DXGKRNL=y -# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # @@ -8138,7 +8144,6 @@ CONFIG_RESET_BERLIN=y CONFIG_RESET_BRCMSTB=y CONFIG_RESET_BRCMSTB_RESCAL=y CONFIG_RESET_IMX7=y -# CONFIG_RESET_INTEL_GW is not set CONFIG_RESET_MESON=y # CONFIG_RESET_MESON_AUDIO_ARB is not set # CONFIG_RESET_QCOM_AOSS is not set @@ -8504,7 +8509,6 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" # CONFIG_PSTORE_CONSOLE is not set # CONFIG_PSTORE_PMSG is not set # CONFIG_PSTORE_RAM is not set -# CONFIG_PSTORE_BLK is not set # CONFIG_SYSV_FS is not set # CONFIG_UFS_FS is not set # CONFIG_EROFS_FS is not set @@ -8973,10 +8977,12 @@ CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set # CONFIG_SECONDARY_TRUSTED_KEYRING is not set -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +# CONFIG_SYSTEM_REVOCATION_LIST is not set # end of Certificates for signature checking CONFIG_BINARY_PRINTF=y 
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 7da435aaae..b756de24ae 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,8 +1,9 @@ { "Signatures": { - "config": "37dacc87cdac3d733618dea2733d5e4d98caed2bcf9c0cdc30c46691ccd695ef", - "config_aarch64": "cd6fd817674f65a2c12ef6069835762fa0f41d8bff1d05655604dcbd25e03f14", - "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d", + "cbl-mariner-ca-20210127.pem": "82363cb44e786353936abc2e2d62d9325cacf2d9e9a8ebaf4221ea30a9e0cd7b", + "config": "6eb66708f4cd1faf77e4ed9bdd805fcc73e78ed6297009ef3eef0e36895343fb", + "config_aarch64": "a6ccb3944a151a577292022ffeba42afbce8eeb73480e8888967477a10d7c008", + "kernel-5.10.52.1.tar.gz": "7fd3e7779e20f6ec6ddaa8c4b78a713a15b13860730e5b7e624ae27b304363b3", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 7a6870c621..c3522705e0 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.10.28.1 -Release: 6%{?dist} +Version: 5.10.52.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -15,6 +15,7 @@ Source0: kernel-%{version}.tar.gz Source1: config Source2: config_aarch64 Source3: sha512hmac-openssl.sh +Source4: cbl-mariner-ca-20210127.pem # Kernel CVEs are addressed by moving to a newer version of the stable kernel. # Since kernel CVEs are filed against the upstream kernel version and not the # stable kernel version, our automated tooling will still flag the CVE as not 
@@ -158,6 +159,26 @@ Patch1129: CVE-2021-29650.nopatch Patch1130: CVE-2021-30002.nopatch # CVE-2021-29648 - Introducing commit not in stable tree. No fix necessary at this time. Patch1131: CVE-2021-29648.nopatch +Patch1132: CVE-2021-23133.nopatch +Patch1133: CVE-2021-29154.nopatch +# CVE-2021-30178 - Introducing commit not in stable tree. No fix necessary at this time. +Patch1134: CVE-2021-30178.nopatch +Patch1135: CVE-2021-23134.nopatch +Patch1136: CVE-2021-29155.nopatch +Patch1137: CVE-2021-31829.nopatch +Patch1138: CVE-2021-31916.nopatch +Patch1139: CVE-2021-32399.nopatch +Patch1140: CVE-2021-33033.nopatch +Patch1141: CVE-2021-33034.nopatch +Patch1142: CVE-2021-3483.nopatch +Patch1143: CVE-2021-3501.nopatch +Patch1144: CVE-2021-3506.nopatch +Patch1145: CVE-2020-25672.nopatch +Patch1146: CVE-2021-33200.nopatch +Patch1147: CVE-2021-34693.nopatch +Patch1148: CVE-2021-33624.nopatch +Patch1149: CVE-2021-35039.nopatch +Patch1150: CVE-2021-33909.nopatch BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -172,6 +193,7 @@ BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: procps-ng-devel BuildRequires: python3 +BuildRequires: sed BuildRequires: xerces-c-devel Requires: filesystem Requires: kmod @@ -292,6 +314,9 @@ if [ -s config_diff ]; then exit 1 fi +# Add CBL-Mariner cert into kernel's trusted keyring +cp %{SOURCE4} certs/mariner.pem + make VERBOSE=1 KBUILD_BUILD_VERSION="1" KBUILD_BUILD_HOST="CBL-Mariner" ARCH=${arch} %{?_smp_mflags} make -C tools perf 
@@ -321,18 +346,6 @@ install -vdm 755 %{buildroot}%{_libdir}/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install %ifarch x86_64 -# Verify for build-id match -# We observe different IDs sometimes -# TODO: debug it -ID1=`readelf -n vmlinux | grep "Build ID"` -./scripts/extract-vmlinux arch/x86/boot/bzImage > extracted-vmlinux -ID2=`readelf -n extracted-vmlinux | grep "Build ID"` -if [ "$ID1" != "$ID2" ] ; then - echo "Build IDs do not match" - echo $ID1 - echo $ID2 - exit 1 -fi install -vm 600 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} %endif @@ -351,7 +364,7 @@ ln -s vmlinux-%{uname_r} %{buildroot}%{_libdir}/debug/lib/modules/%{uname_r}/vml cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block -mariner_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta crashkernel=128M +mariner_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta crashkernel=128M lockdown=integrity mariner_linux=vmlinuz-%{uname_r} mariner_initrd=initrd.img-%{uname_r} EOF 
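Review bot: In the `@@ -351,7 +364,7 @@` hunk, `lockdown=integrity` is applied only through `mariner_cmdline` in the generated `/boot/linux-%{uname_r}.cfg`, so it holds only while that boot configuration is what the bootloader actually passes. The config hunks visible in this commit do not touch a build-time lockdown default; if integrity mode is meant to be non-optional, `CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y` is the setting that survives an edited command line. Either way the intent deserves a comment above the `cat >` line, for example `# lockdown=integrity is a boot-time default; it is not forced in the kernel config`. The same commit turns on `CONFIG_KGDB=y` and `CONFIG_KGDB_SERIAL_CONSOLE=y` in SPECS/kernel/config, and whether lockdown restricts the kernel debugger on 5.10.52.1 is not visible here; confirm it, since a debugger that can write kernel memory would undercut integrity mode.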
@@ -496,11 +509,61 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog -* Tue May 25 2021 Thomas Crain - 5.10.28.1-6 -- Bump release number to match kernel-headers release +* Tue Jul 20 2021 Rachel Menge - 5.10.52.1-1 +- Update source to 5.10.52.1 +- Address CVE-2021-35039, CVE-2021-33909 -* Fri May 14 2021 Thomas Crain - 5.10.28.1-5 -- Replace incorrect %%{_lib} usage with %%{_libdir} +* Mon Jul 19 2021 Chris Co - 5.10.47.1-2 +- Enable CONFIG_CONNECTOR and CONFIG_PROC_EVENTS + +* Tue Jul 06 2021 Rachel Menge - 5.10.47.1-1 +- Update source to 5.10.47.1 +- Address CVE-2021-34693, CVE-2021-33624 + +* Wed Jun 30 2021 Chris Co - 5.10.42.1-4 +- Enable legacy mcelog config + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 5.10.42.1-3 +- Enable CONFIG_IOSCHED_BFQ and CONFIG_BFQ_GROUP_IOSCHED configs + +* Wed Jun 16 2021 Chris Co - 5.10.42.1-2 +- Enable CONFIG_CROSS_MEMORY_ATTACH + +* Tue Jun 08 2021 Rachel Menge - 5.10.42.1-1 +- Update source to 5.10.42.1 +- Address CVE-2021-33200 + +* Thu Jun 03 2021 Rachel Menge - 5.10.37.1-2 +- Address CVE-2020-25672 + +* Fri May 28 2021 Rachel Menge - 5.10.37.1-1 +- Update source to 5.10.37.1 +- Address CVE-2021-23134, CVE-2021-29155, CVE-2021-31829, CVE-2021-31916, + CVE-2021-32399, CVE-2021-33033, CVE-2021-33034, CVE-2021-3483 + CVE-2021-3501, CVE-2021-3506 + +* Thu May 27 2021 Chris Co - 5.10.32.1-7 +- Set lockdown=integrity by default + +* Wed May 26 2021 Chris Co - 5.10.32.1-6 +- Add Mariner cert into the trusted kernel keyring + +* Tue May 25 2021 Daniel Mihai - 5.10.32.1-5 +- Enable kernel debugger + +* Thu May 20 2021 Nicolas Ontiveros - 5.10.32.1-4 +- Bump release number to match kernel-signed update + +* Tue May 17 2021 Andrew Phelps - 5.10.32.1-3 +- Update CONFIG_LD_VERSION for binutils 2.36.1 +- Remove build-id match check + +* Thu May 13 2021 Rachel Menge - 5.10.32.1-2 +- Add CONFIG_AS_HAS_LSE_ATOMICS=y + +* Mon May 03 2021 Rachel Menge - 5.10.32.1-1 +- Update source to 5.10.32.1 +- Address CVE-2021-23133, 
CVE-2021-29154, CVE-2021-30178 * Thu Apr 22 2021 Chris Co - 5.10.28.1-4 - Disable CONFIG_EFI_DISABLE_PCI_DMA. It can cause boot issues on some hardware. diff --git a/SPECS/kexec-tools/kdumpctl b/SPECS/kexec-tools/kdumpctl index 47330e59ab..f425e485af 100755 --- a/SPECS/kexec-tools/kdumpctl +++ b/SPECS/kexec-tools/kdumpctl @@ -23,7 +23,7 @@ image_time=0 . $dracutbasedir/dracut-functions.sh . /lib/kdump/kdump-lib.sh -standard_kexec_args="-p" +standard_kexec_args="-s -p" # Some default values in case /etc/sysconfig/kdump doesn't include KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug" diff --git a/SPECS/kexec-tools/kexec-tools.signatures.json b/SPECS/kexec-tools/kexec-tools.signatures.json index f26a6317c3..2cc18fa01b 100644 --- a/SPECS/kexec-tools/kexec-tools.signatures.json +++ b/SPECS/kexec-tools/kexec-tools.signatures.json @@ -12,7 +12,7 @@ "dracut-module-setup.sh": "437b0b82c27d7a96d3baf847aaf33f7ca824676193d783619e938417c9d866ec", "dracut-monitor_dd_progress": "2e343a54c032f6af0d5f7b5fb49f2d90057b2a234625fe7ee6c1afb21cb5c435", "early-kdump-howto.txt": "984d51f3d9e7f2f858ef153418190c470bf20ee702c97fe34285c6d05078999c", - "eppic-d84c354.tar.gz": "115592c5feeaa32846442a00dd91196e19a2717009a5dcf661fcc25ee89ae364", + "eppic-e8844d3.tar.gz": "5bf3fce09fc880a96cbc0cbb3eadcae1892d7fd43350a585f150b1cce176b128", "fadump-howto.txt": "b9090c3e0e26b6124a0c8b0c79a7adf10637c9bbc34e0a59529e3f1b66c074f0", "kdump-dep-generator.sh": "f660e26df9c4843340093a294bcd41a68a71cea48314b5d1a3553bba5038bbbc", "kdump-in-cluster-environment.txt": "50784977e2c3a425ae00de4831f9fd4fb4a04574db1a72b9b28f7c0979a52564", 
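Review bot: `standard_kexec_args="-s -p"` in kdumpctl forces the kexec_file_load path for every crash-kernel load, with no comment saying why and no fallback visible in this hunk. It presumably pairs with the `lockdown=integrity` default added to kernel.spec in this commit, under which the older kexec_load syscall is expected to be refused; if so, say so on the line above: `# -s: load via kexec_file_load so the image can be verified; needed with lockdown=integrity`. It is worth confirming that the crash kernel image is signed by a key the running kernel trusts, because a load that is rejected leaves kdump unarmed and that is usually noticed only when a dump is needed. The rest of kdumpctl is outside the hunk.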
@@ -26,7 +26,7 @@ "kdump.sysconfig.aarch64": "a829f3a0f88d983ccec2782b048f12a2eafca71aac4dd42acac2eaea8f7dd8d9", "kdump.sysconfig.i386": "1175bcc11be49841d4b8c3f9612e68bb7b2e0e8f00067ffa782fd9dba04f821d", "kdump.sysconfig.x86_64": "850b3be780165d0721edb8d34b2ba28aafc60b29850ff627daf04190369e359c", - "kdumpctl": "425419fbb9c21d97ec50d61f2a13bb1ca4ed5a395553075322bd41f99180988a", + "kdumpctl": "988d0e666a3ecd3d5e8d6d98fc07d2922764b39782bf4b0f1235ef72bfa7eca9", "kdumpctl.8": "025a39d212eed0584da7c23c1bb50d6ab797a0fa3c686ac6b80391af875dbaec", "kexec-kdump-howto.txt": "e783390a9aa582a2b5e7981cd3277081385340b5873a3f0633c789811876eccb", "kexec-tools-2.0.21.tar.xz": "e113142dee891638ad96e0f72cf9277b244477619470b30c41999d312e8e8702", diff --git a/SPECS/kexec-tools/kexec-tools.spec b/SPECS/kexec-tools/kexec-tools.spec index e1e3b399c4..ccb326458d 100644 --- a/SPECS/kexec-tools/kexec-tools.spec +++ b/SPECS/kexec-tools/kexec-tools.spec @@ -1,15 +1,17 @@ -%global eppic_ver d84c3541035d95077aa8571f5d5c3e07c6ef510b +%global eppic_ver e8844d3793471163ae4a56d8f95897be9e5bd554 # First 7 digits from ^ -%global eppic_shortver d84c354 +%global eppic_shortver e8844d3 %global mkdf_ver 1.6.8 +Summary: The kexec/kdump userspace component Name: kexec-tools Version: 2.0.21 -Release: 1%{?dist} +Release: 3%{?dist} License: GPLv2 -Summary: The kexec/kdump userspace component Vendor: Microsoft Corporation Distribution: Mariner +Group: Development/Tools +URL: https://github.com/horms/kexec-tools Source0: http://kernel.org/pub/linux/utils/kernel/kexec/%{name}-%{version}.tar.xz Source1: kdumpctl 
@@ -322,6 +324,11 @@ done /usr/share/makedumpfile/ %changelog +* Mon Jun 07 2021 Chris Co - 2.0.21-3 +- Always use -s option in kdumpctl to use kexec file load by default +* Tue May 11 2021 Andrew Phelps 2.0.21-2 +- Update eppic version for compatibility with binutils 2.36.1 +- Add Group and URL * Tue Feb 23 2021 Andrew Phelps 2.0.21-1 - Update version to 2.0.21 - Add patches for makedumpfile to support new printk in 5.10 kernel diff --git a/SPECS/kmod/kmod.spec b/SPECS/kmod/kmod.spec index 065c296ebd..5b34ec5d3a 100644 --- a/SPECS/kmod/kmod.spec +++ b/SPECS/kmod/kmod.spec 
@@ -64,29 +64,41 @@ find %{buildroot} -name '*.la' -delete * Fri Feb 05 2021 Joe Schmitt - 25-6 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Mon Sep 28 2020 Ruying Chen 25-5 -- Provide /sbin/modprobe and module-init-tools for base package -* Sat May 09 2020 Nick Samson 25-4 -- Added %%license line automatically -* Tue Jan 21 2020 Andrew Phelps 25-3 -- Fix changelog date -* Tue Sep 03 2019 Mateusz Malisz 25-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 12 2018 Ankit Jain 25-1 -- Updated to version 25 -* Fri Jun 23 2017 Xiaolin Li 24-3 -- Add devel package. -* Tue Jun 06 2017 Chang Lee 24-2 -- Remove %check -* Mon Apr 03 2017 Divya Thaluru 24-1 -- Updated to version 24 -* Tue May 24 2016 Priyesh Padmavilasom 21-4 -- GA - Bump release of all rpms -* Thu Apr 21 2016 Anish Swaminathan 21-3 -- Add patch for return code fix in error path -* Fri Mar 25 2016 Alexey Makhalov 21-2 -- /bin/lsmod -> /sbin/lsmod -* Wed Jan 13 2016 Xiaolin Li 21-1 -- Updated to version 21 -* Wed Nov 5 2014 Divya Thaluru 16-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 25-5 +- Provide /sbin/modprobe and module-init-tools for base package + +* Sat May 09 2020 Nick Samson 25-4 +- Added %%license line automatically + +* Tue Jan 21 2020 Andrew Phelps 25-3 +- Fix changelog date + +* Tue Sep 03 2019 Mateusz Malisz 25-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Wed Sep 12 2018 Ankit Jain 25-1 +- Updated to version 25 + +* Fri Jun 23 2017 Xiaolin Li 24-3 +- Add devel package. 
+ +* Tue Jun 06 2017 Chang Lee 24-2 +- Remove %check + +* Mon Apr 03 2017 Divya Thaluru 24-1 +- Updated to version 24 + +* Tue May 24 2016 Priyesh Padmavilasom 21-4 +- GA - Bump release of all rpms + +* Thu Apr 21 2016 Anish Swaminathan 21-3 +- Add patch for return code fix in error path + +* Fri Mar 25 2016 Alexey Makhalov 21-2 +- /bin/lsmod -> /sbin/lsmod + +* Wed Jan 13 2016 Xiaolin Li 21-1 +- Updated to version 21 + +* Wed Nov 5 2014 Divya Thaluru 16-1 +- Initial build. First version diff --git a/SPECS/krb5/krb5.spec b/SPECS/krb5/krb5.spec index 3c30eb4481..a03ec4d090 100644 --- a/SPECS/krb5/krb5.spec +++ b/SPECS/krb5/krb5.spec 
@@ -138,50 +138,53 @@ rm -rf %{buildroot}/* * Fri Jan 29 2021 Joe Schmitt - 1.17-4 - Add missing requires on e2fsprogs-devel in devel subpackage. +* Mon Oct 19 2020 Andrew Phelps - 1.17-4 (from 1.0 branch) +- Fix check tests by adding iana-etc which supplies required /etc/services file + * Fri Jul 31 2020 Leandro Pereira - 1.17-3 - Don't stomp on CPPFLAGS * Sat May 09 2020 Nick Samson - 1.17-2 - Added %%license line automatically -* Tue Mar 17 2020 Henry Beberman 1.17-1 -- Update to 1.17. Fix Source0 URL. License verified. +* Tue Mar 17 2020 Henry Beberman 1.17-1 +- Update to 1.17. Fix Source0 URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.16.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.16.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 14 2018 Ankit Jain 1.16.1-1 -- Update to version 1.16.1 +* Fri Sep 14 2018 Ankit Jain 1.16.1-1 +- Update to version 1.16.1 -* Wed Dec 13 2017 Xiaolin Li 1.16-1 -- Update to version 1.16 to address CVE-2017-15088 +* Wed Dec 13 2017 Xiaolin Li 1.16-1 +- Update to version 1.16 to address CVE-2017-15088 -* Thu Sep 28 2017 Xiaolin Li 1.15.2-1 -- Update to version 1.15.2 +* Thu Sep 28 2017 Xiaolin Li 1.15.2-1 +- Update to version 1.15.2 -* Mon Jul 10 2017 Alexey Makhalov 1.15.1-2 -- Fix make check: add /etc/hosts entry, disable parallel check +* Mon Jul 10 2017 Alexey Makhalov 1.15.1-2 +- Fix make check: add /etc/hosts entry, disable parallel check -* Mon Apr 03 2017 Divya Thaluru 1.15.1-1 -- Updated to version 1.51.1 +* Mon Apr 03 2017 Divya Thaluru 1.15.1-1 +- Updated to version 1.51.1 -* Wed Nov 23 2016 Alexey Makhalov 1.14-6 -- Added -lang and -devel subpackages +* Wed Nov 23 2016 Alexey Makhalov 1.14-6 +- Added -lang and -devel subpackages -* Wed Nov 16 2016 Alexey Makhalov 1.14-5 -- Use e2fsprogs-libs as runtime deps +* Wed Nov 16 2016 Alexey Makhalov 1.14-5 +- Use e2fsprogs-libs as runtime deps -* Tue May 24 2016 Priyesh Padmavilasom 
1.14-4 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.14-4 +- GA - Bump release of all rpms -* Mon Mar 21 2016 Priyesh Padmavilasom 1.14-3 -- Add patch to never unload gssapi mechanisms +* Mon Mar 21 2016 Priyesh Padmavilasom 1.14-3 +- Add patch to never unload gssapi mechanisms -* Fri Mar 18 2016 Anish Swaminathan 1.14-2 -- Add patch for skipping unnecessary mech calls in gss_inquire_cred +* Fri Mar 18 2016 Anish Swaminathan 1.14-2 +- Add patch for skipping unnecessary mech calls in gss_inquire_cred -* Thu Jan 21 2016 Anish Swaminathan 1.14-1 -- Upgrade version +* Thu Jan 21 2016 Anish Swaminathan 1.14-1 +- Upgrade version -* Tue Oct 07 2014 Divya Thaluru 1.12.2-1 -- Initial build. First version +* Tue Oct 07 2014 Divya Thaluru 1.12.2-1 +- Initial build. First version diff --git a/SPECS/kubernetes/CVE-2020-8563.nopatch b/SPECS/kubernetes/CVE-2020-8563.nopatch deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/SPECS/kubernetes/CVE-2020-8565.nopatch b/SPECS/kubernetes/CVE-2020-8565.nopatch deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/SPECS/kubernetes/Readme.txt b/SPECS/kubernetes/Readme.txt deleted file mode 100644 index 006061f816..0000000000 --- a/SPECS/kubernetes/Readme.txt +++ /dev/null @@ -1,14 +0,0 @@ -Supported k8s versions match versions AKS (Azure Kubernetes Service) currently supports. -Run 'az aks get-versions ...' command to know them. -(see https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions) - -etcd and coredns versions are the ones that k8s requires: --> from cmd/kubeadm/app/constants/constants.go (look for DefaultEtcdVersion and CoreDNSVersion) - -k8s version | etcd version | coredns version -1.17.13 | 3.4.3 | 1.6.5 -1.17.16 | 3.4.3 | 1.6.5 -1.18.10 | 3.4.3 | 1.6.7 -1.18.14 | 3.4.3 | 1.6.7 -1.19.3 | 3.4.13 | 1.7.0 -1.19.6 | 3.4.13 | 1.7.0 \ No newline at end of file 
diff --git a/SPECS/kubernetes/golang-1.15-k8s-1.18-test.patch b/SPECS/kubernetes/golang-1.15-k8s-1.18-test.patch deleted file mode 100644 index 1448eabe43..0000000000 --- a/SPECS/kubernetes/golang-1.15-k8s-1.18-test.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- test.sh 2020-09-24 18:43:24.000000000 -0700 -+++ test-golang-1.15.sh 2021-01-05 10:35:13.514802863 -0800 -@@ -243,6 +243,17 @@ - - verifyPathsToPackagesUnderTest "$@" - -+ # vet tool which is by default invoked by 'go test' command will fail -+ # because of a verification that is specific to golang 1.15 (stringintconv) -+ # => exclude that verification from the vet check list (see golang doc for more) -+ # -+ # this version of kubernetes was initially built against golang 1.13 which vet tool does not -+ # has the problematic check. CBL-Mariner moved to golang 1.15 and consequenlty build this version of kubernetes -+ # against golang 1.15 -+ # -+ go_vet_tests=asmdecl,assign,atomic,bools,buildtag,cgocall,composites,copylocks,errorsas,httpresponse,ifaceassert,loopclosure,lostcancel,nilfunc,printf,shift,stdmethods,structtag,tests,unmarshal,unreachable,unsafeptr,unusedresult -+ goflags+=(-vet $go_vet_tests) -+ - # If we're not collecting coverage, run all requested tests with one 'go test' - # command, which is much faster. - if [[ ! ${KUBE_COVER} =~ ^[yY]$ ]]; then diff --git a/SPECS/kubernetes/kubelet.service b/SPECS/kubernetes/kubelet.service deleted file mode 100755 index 12a9435784..0000000000 --- a/SPECS/kubernetes/kubelet.service +++ /dev/null 
@@ -1,24 +0,0 @@ -[Unit] -Description=Kubernetes Kubelet Server -Documentation=https://kubernetes.io/docs/concepts/overview/components/#kubelet https://kubernetes.io/docs/reference/generated/kubelet/ -After=docker.service -Requires=docker.service - -[Service] -Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf" -Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml" -# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically -EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env -# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use -# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file. -EnvironmentFile=-/etc/sysconfig/kubelet - -ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS - -Restart=always -StartLimitInterval=0 -RestartSec=10 -KillMode=process - -[Install] -WantedBy=multi-user.target diff --git a/SPECS/kubernetes/kubernetes-1.18.14.signatures.json b/SPECS/kubernetes/kubernetes-1.18.14.signatures.json deleted file mode 100644 index 442de6abd6..0000000000 --- a/SPECS/kubernetes/kubernetes-1.18.14.signatures.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "Signatures": { - "golang-1.15-k8s-1.18-test.patch": "043a5ae433066335578701d29544c81669ffaa19fa14d987a82fd8b5a3acdd88", - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.18.14-hotfix.20210428.tar.gz": "ccbba2aa26f2ebf589ccf5d52a88b7347e663d6fc53d1fbbf8b1e0b93d3db5b6" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.18.14.spec b/SPECS/kubernetes/kubernetes-1.18.14.spec deleted file mode 100644 index f2fb822037..0000000000 
--- a/SPECS/kubernetes/kubernetes-1.18.14.spec +++ /dev/null 
@@ -1,338 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.18.14 -Release: 5%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -Source2: golang-1.15-k8s-1.18-test.patch -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -# CVE-2020-8563 Only applies when using VSphere as cloud provider, -# Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch1: CVE-2020-8563.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.13.15 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. 
- -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. - -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check 
-# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform unit tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put 
volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}%{_libdir}/tmpfiles.d -cat << EOF >> %{buildroot}%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Mon May 03 2021 Thomas Crain - 1.18.14-5 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.18.14-4 -- Update to version "1.18.14-hotfix.20210428". 
- -* Mon Mar 29 2021 CBL-Mariner Service Account - 1.18.14-3 -- Update to version "1.18.14-hotfix.20210322". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.18.14-2 -- Update to version "1.18.14-hotfix.20210310". - -* Wed Jan 20 2021 Nicolas Guibourge - 1.18.14-1 -- Move to version 1.18.14 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.18.8-8 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.18.8-7 -- Fix test issue when building against golang 1.15 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.18.8-6 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.18.8-5 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.18.8-4 -- Rename ms-kubernetes-1.81.8 into kubernetes and lint spec - -* Wed Nov 18 2020 George Mileka 1.18.8-3 -- Added license file and macro. - -* Thu Oct 29 2020 Anirudh Gopal 1.18.8-2 -- Update k8s to v1.18.8-hotfix.20200917 release - -* Fri Oct 2 2020 George Mileka 1.18.8-1 -- Moved k8s to 1.18.8. - -* Mon Aug 17 2020 Jiri Appl 1.18.6-4 -- Clean up the spec. - -* Thu Aug 6 2020 George Mileka 1.18.6-3 -- Create /etc/kubernetes/manifests. - -* Wed Jul 30 2020 Jiri Appl 1.18.6-2 -- Removed container images. - -* Fri Jul 24 2020 George Mileka 1.18.6 -- Moved to 1.18.6. - -* Tue Jun 30 2020 George Mileka 1.18.2 -- Adding the 1.16 knd 1.17 ubeproxy and coredns for downgrade scenarios. - -* Fri Jun 05 2020 George Mileka 1.18.2 -- Switched to K8s 1.18.2. - -* Thu Jun 04 2020 Nicolas Guibourge 1.18.0-2 -- Renaming iproute2 to iproute. - -* Fri May 29 2020 George Mileka 1.18.0 -- Switched to ecpacr. - -* Tue Apr 14 2020 George Mileka 1.18.0 -- Original version for CBL-Mariner of K8s 1.18.0. diff --git a/SPECS/kubernetes/kubernetes-1.18.17.signatures.json b/SPECS/kubernetes/kubernetes-1.18.17.signatures.json deleted file mode 100644 index fc4468c8bf..0000000000 --- a/SPECS/kubernetes/kubernetes-1.18.17.signatures.json +++ /dev/null 
@@ -1,7 +0,0 @@
-{
- "Signatures": {
- "golang-1.15-k8s-1.18-test.patch": "043a5ae433066335578701d29544c81669ffaa19fa14d987a82fd8b5a3acdd88",
- "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
- "kubernetes-node-linux-amd64-1.18.17-hotfix.20210428.tar.gz": "fa07d9d5e0c0d45b449bb5e422c9ccd01c4890a48a648673f6a503386985aa0a"
- }
-}
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.18.17.spec b/SPECS/kubernetes/kubernetes-1.18.17.spec
deleted file mode 100644
index 73ff2d15f5..0000000000
--- a/SPECS/kubernetes/kubernetes-1.18.17.spec
+++ /dev/null
@@ -1,341 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.18.17 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.17-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -Source2: golang-1.15-k8s-1.18-test.patch -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -# CVE-2020-8563 Only applies when using VSphere as cloud provider, -# Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch1: CVE-2020-8563.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.13.15 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. 
- -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. - -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check 
-# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform unit tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}/%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put 
volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}/%{_libdir}/tmpfiles.d -cat << EOF >> %{buildroot}/%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Fri Apr 30 2021 Thomas Crain - 1.18.17-3 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.18.17-2 -- Update to version "1.18.17-hotfix.20210428". 
- -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.18.17-1 -- Update to version "1.18.17-hotfix.20210322". - -* Mon Mar 29 2021 CBL-Mariner Service Account - 1.18.14-3 -- Update to version "1.18.14-hotfix.20210322". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.18.14-2 -- Update to version "1.18.14-hotfix.20210310". - -* Wed Jan 20 2021 Nicolas Guibourge - 1.18.14-1 -- Move to version 1.18.14 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.18.8-8 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.18.8-7 -- Fix test issue when building against golang 1.15 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.18.8-6 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.18.8-5 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.18.8-4 -- Rename ms-kubernetes-1.81.8 into kubernetes and lint spec - -* Wed Nov 18 2020 George Mileka 1.18.8-3 -- Added license file and macro. - -* Thu Oct 29 2020 Anirudh Gopal 1.18.8-2 -- Update k8s to v1.18.8-hotfix.20200917 release - -* Fri Oct 2 2020 George Mileka 1.18.8-1 -- Moved k8s to 1.18.8. - -* Mon Aug 17 2020 Jiri Appl 1.18.6-4 -- Clean up the spec. - -* Thu Aug 6 2020 George Mileka 1.18.6-3 -- Create /etc/kubernetes/manifests. - -* Wed Jul 30 2020 Jiri Appl 1.18.6-2 -- Removed container images. - -* Fri Jul 24 2020 George Mileka 1.18.6 -- Moved to 1.18.6. - -* Tue Jun 30 2020 George Mileka 1.18.2 -- Adding the 1.16 knd 1.17 ubeproxy and coredns for downgrade scenarios. - -* Fri Jun 05 2020 George Mileka 1.18.2 -- Switched to K8s 1.18.2. - -* Thu Jun 04 2020 Nicolas Guibourge 1.18.0-2 -- Renaming iproute2 to iproute. - -* Fri May 29 2020 George Mileka 1.18.0 -- Switched to ecpacr. - -* Tue Apr 14 2020 George Mileka 1.18.0 -- Original version for CBL-Mariner of K8s 1.18.0. diff --git a/SPECS/kubernetes/kubernetes-1.19.7.signatures.json b/SPECS/kubernetes/kubernetes-1.19.7.signatures.json deleted file mode 100644 index 29ee44fa79..0000000000 
--- a/SPECS/kubernetes/kubernetes-1.19.7.signatures.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "Signatures": {
- "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
- "kubernetes-node-linux-amd64-1.19.7-hotfix.20210428.tar.gz": "78626dd33b75c33eae4b03802bbc075d86369a881d729d61dccb5a86b4da0f60"
- }
-}
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.19.7.spec b/SPECS/kubernetes/kubernetes-1.19.7.spec
deleted file mode 100644
index 44268047da..0000000000
--- a/SPECS/kubernetes/kubernetes-1.19.7.spec
+++ /dev/null
@@ -1,297 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.19.7 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.15.5 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. - -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. 
- -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check -# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform unit 
tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}/%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}/%{_libdir}/tmpfiles.d -cat << 
EOF >> %{buildroot}/%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Fri Apr 30 2021 Thomas Crain - 1.19.7-3 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.19.7-2 -- Update to version "1.19.7-hotfix.20210428". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 -- Update to version "1.19.7-hotfix.20210310". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 -- Update to version "1.19.6-hotfix.20210310". 
- -* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 -- Move to version 1.19.6 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 -- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/kubernetes/kubernetes-1.19.9.signatures.json b/SPECS/kubernetes/kubernetes-1.19.9.signatures.json deleted file mode 100644 index 9eb87a8313..0000000000 --- a/SPECS/kubernetes/kubernetes-1.19.9.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.19.9-hotfix.20210428.tar.gz": "e41b5aaea5615bf845616115df39a62908cde47145c6a77e449abfe1d8c3f7cf" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.19.9.spec b/SPECS/kubernetes/kubernetes-1.19.9.spec deleted file mode 100644 index 9c1b1e8be9..0000000000 --- a/SPECS/kubernetes/kubernetes-1.19.9.spec +++ /dev/null 
@@ -1,300 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.19.9 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.9-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.15.5 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. - -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. 
- -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check -# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform unit 
tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}/%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}/%{_libdir}/tmpfiles.d -cat << 
EOF >> %{buildroot}/%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Fri Apr 30 2021 Thomas Crain - 1.19.9-3 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.19.9-2 -- Update to version "1.19.9-hotfix.20210428". - -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 -- Update to version "1.19.9-hotfix.20210322". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 -- Update to version "1.19.7-hotfix.20210310". 
- -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 -- Update to version "1.19.6-hotfix.20210310". - -* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 -- Move to version 1.19.6 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 -- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/kubernetes/kubernetes-1.20.2.signatures.json b/SPECS/kubernetes/kubernetes-1.20.2.signatures.json deleted file mode 100644 index e3fc52221e..0000000000 --- a/SPECS/kubernetes/kubernetes-1.20.2.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.20.2-hotfix.20210428.tar.gz": "b07034861e5c1d532b9bdcf6a4564bdc710e1bb42d402923426b8327fc5c79e1" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.20.2.spec b/SPECS/kubernetes/kubernetes-1.20.2.spec deleted file mode 100644 index 3f42881188..0000000000 --- a/SPECS/kubernetes/kubernetes-1.20.2.spec +++ /dev/null 
@@ -1,304 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.20.2 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.2-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.15.5 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. - -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. 
- -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause/linux -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check -# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform 
unit tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}/%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}/%{_libdir}/tmpfiles.d -cat 
<< EOF >> %{buildroot}/%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Fri Apr 30 2021 Thomas Crain - 1.20.2-3 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.20.2-2 -- Update to version "1.20.2-hotfix.20210428". - -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.2-1 -- Update to version "1.20.2-hotfix.20210310". -- Adjust "pause" building steps with the new sources layout. 
- -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 -- Update to version "1.19.9-hotfix.20210322". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 -- Update to version "1.19.7-hotfix.20210310". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 -- Update to version "1.19.6-hotfix.20210310". - -* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 -- Move to version 1.19.6 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 -- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/kubernetes/kubernetes-1.20.5.signatures.json b/SPECS/kubernetes/kubernetes-1.20.5.signatures.json deleted file mode 100644 index 12685f1632..0000000000 --- a/SPECS/kubernetes/kubernetes-1.20.5.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.20.5-hotfix.20210428.tar.gz": "e2e5accaa10b02cea9fa5d31ec1c648f791810bb5c672d1e002bfcad5e58a11a" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.20.5.spec b/SPECS/kubernetes/kubernetes-1.20.5.spec deleted file mode 100644 index 9815bc6ec5..0000000000 --- a/SPECS/kubernetes/kubernetes-1.20.5.spec +++ /dev/null 
@@ -1,307 +0,0 @@ -%global debug_package %{nil} -%ifarch x86_64 -%define archname amd64 -%endif -%ifarch aarch64 -%define archname arm64 -%endif -%define host_components 'kubelet kubectl kubeadm' -%define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' -Summary: Microsoft Kubernetes -Name: kubernetes -Version: 1.20.5 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: Microsoft Kubernetes -URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.5-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz -# Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz -Source1: kubelet.service -# CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch0: CVE-2020-8565.nopatch -BuildRequires: flex-devel -BuildRequires: golang >= 1.15.5 -BuildRequires: rsync -BuildRequires: systemd-devel -BuildRequires: which -Requires: cni -Requires: cri-tools -Requires: ebtables -Requires: ethtool -Requires: iproute -Requires: iptables -Requires: moby-engine -Requires: socat -Requires: util-linux -Requires(postun): %{_sbindir}/groupdel -Requires(postun): %{_sbindir}/userdel -Requires(pre): %{_sbindir}/groupadd -Requires(pre): %{_sbindir}/useradd - -%description -Microsoft Kubernetes %{version}. - -%package client -Summary: Client utilities -Requires: %{name} = %{version} - -%description client -Client utilities for Microsoft Kubernetes %{version}. - -%package kubeadm -Summary: Bootstrap utilities -Requires: %{name} = %{version} -Requires: moby-cli - -%description kubeadm -Bootstrap utilities for Microsoft Kubernetes %{version}. 
- -%package kube-proxy -Summary: Kubernetes proxy -Requires: ebtables-legacy -Requires: ethtool -Requires: iproute -Requires: iptables - -%description kube-proxy -Network proxy for Microsoft Kubernetes %{version}. - -%package kube-apiserver -Summary: Kubernetes API server - -%description kube-apiserver -API server for Microsoft Kubernetes %{version}. - -%package kube-controller-manager -Summary: Kubernetes controller manager - -%description kube-controller-manager -Controller manager for Microsoft Kubernetes %{version}. - -%package kube-scheduler -Summary: Kubernetes scheduler - -%description kube-scheduler -Scheduler for Microsoft Kubernetes %{version}. - -%package pause -Summary: Kubernetes pause - -%description pause -Pause component for Microsoft Kubernetes %{version}. - -%prep -%setup -q -D -T -b 0 -n %{name} - -%build -# expand kubernetes source tarball (which is included source0 tarball) -echo "+++ extract sources from tarball" -mkdir -p %{_builddir}/%{name}/src -cd %{_builddir}/%{name}/src -tar -xof %{_builddir}/%{name}/kubernetes-src.tar.gz - -# build host and container image related components -components_to_build=%{host_components} -for component in ${components_to_build}; do - echo "+++ host - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -components_to_build=%{container_image_components} -for component in ${components_to_build}; do - echo "+++ container image - building ${component}" - make WHAT=cmd/${component} - cp -f _output/local/bin/linux/%{archname}/${component} %{_builddir}/%{name}/node/bin -done - -# build pause -pushd build/pause/linux -gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c -strip %{_builddir}/%{name}/node/bin/pause -popd - -%check -# patch test script so it supports golang 1.15 which is now used to build kubernetes -cd %{_builddir}/%{name}/src/hack/make-rules -patch -p1 test.sh < %{SOURCE2} - -# perform 
unit tests -# Note: -# - components are not unit tested the same way -# - not all components have unit -cd %{_builddir}/%{name}/src -components_to_test=$(ls -1 %{_builddir}/%{name}/node/bin) - -for component in ${components_to_test}; do - if [[ ${component} == "kubelet" || ${component} == "kubectl" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/${component} - elif [[ ${component} == "kube-proxy" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/proxy - elif [[ ${component} == "kube-scheduler" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/scheduler - elif [[ ${component} == "kube-apiserver" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/kubeapiserver - elif [[ ${component} == "kube-controller-manager" ]]; then - echo "+++ unit test pkg ${component}" - make test WHAT=./pkg/controller - else - echo "+++ no unit test available for ${component}" - fi -done - -%install -# install binaries -install -m 755 -d %{buildroot}%{_bindir} -cd %{_builddir} -binaries=%{host_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -binaries=%{container_image_components} -for bin in ${binaries}; do - echo "+++ INSTALLING ${bin}" - install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/${bin} -done - -install -p -m 755 -t %{buildroot}%{_bindir} %{name}/node/bin/pause - -# install service files -install -d -m 0755 %{buildroot}/%{_libdir}/systemd/system -install -p -m 644 -t %{buildroot}%{_libdir}/systemd/system %{SOURCE1} - -# install config files -install -d -m 0755 %{buildroot}%{_sysconfdir}/kubernetes -install -d -m 644 %{buildroot}%{_sysconfdir}/kubernetes/manifests - -# install the place the kubelet defaults to put volumes -install -dm755 %{buildroot}%{_sharedstatedir}/kubelet -install -dm755 %{buildroot}%{_var}/run/kubernetes - -install -d -m 0755 %{buildroot}/%{_libdir}/tmpfiles.d -cat 
<< EOF >> %{buildroot}/%{_libdir}/tmpfiles.d/kubernetes.conf -d %{_var}/run/kubernetes 0755 kube kube - -EOF - -%clean -rm -rf %{buildroot}/* - -%pre -if [ $1 -eq 1 ]; then - # Initial installation. - getent group kube >/dev/null || groupadd -r kube - getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \ - -c "Kubernetes user" kube -fi - -%post -chown -R kube:kube %{_sharedstatedir}/kubelet -chown -R kube:kube %{_var}/run/kubernetes -systemctl daemon-reload - -%post kubeadm -systemctl daemon-reload -systemctl stop kubelet -systemctl enable kubelet - -%postun -if [ $1 -eq 0 ]; then - # Package deletion - userdel kube - groupdel kube - systemctl daemon-reload -fi - -%files -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kubelet -%{_libdir}/tmpfiles.d/kubernetes.conf -%dir %{_sysconfdir}/kubernetes -%dir %{_sysconfdir}/kubernetes/manifests -%dir %{_sharedstatedir}/kubelet -%dir %{_var}/run/kubernetes -%{_libdir}/systemd/system/kubelet.service - -%files client -%defattr(-,root,root) -%{_bindir}/kubectl - -%files kubeadm -%defattr(-,root,root) -%{_bindir}/kubeadm - -%files kube-proxy -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-proxy - -%files kube-apiserver -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-apiserver - -%files kube-controller-manager -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-controller-manager - -%files kube-scheduler -%defattr(-,root,root) -%license LICENSES -%{_bindir}/kube-scheduler - -%files pause -%defattr(-,root,root) -%license LICENSES -%{_bindir}/pause - -%changelog -* Fri Apr 30 2021 Thomas Crain - 1.20.5-3 -- Replace incorrect %%{_lib} usage with %%{_libdir} - -* Thu Apr 29 2021 CBL-Mariner Service Account - 1.20.5-2 -- Update to version "1.20.5-hotfix.20210428". - -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.5-1 -- Update to version "1.20.5-hotfix.20210322". - -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.2-1 -- Update to version "1.20.2-hotfix.20210310". 
-- Adjust "pause" building steps with the new sources layout. - -* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 -- Update to version "1.19.9-hotfix.20210322". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 -- Update to version "1.19.7-hotfix.20210310". - -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 -- Update to version "1.19.6-hotfix.20210310". - -* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 -- Move to version 1.19.6 - -* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 -- Packages for container images - -* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 -- CVE-2020-8563 - -* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 -- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 - -* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 -- Rename spec file - -* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 -- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/lapack/lapack.spec b/SPECS/lapack/lapack.spec index 7ed7546def..41aa09b27f 100644 --- a/SPECS/lapack/lapack.spec +++ b/SPECS/lapack/lapack.spec @@ -68,7 +68,7 @@ mv %{buildroot}/%{_includedir}/*.h %{buildroot}/%{_includedir}/lapacke/. %exclude %{_libdir}/cmake/* %changelog -* Sat May 09 00:20:43 PST 2020 Nick Samson - 3.8.0-3 +* Sat May 09 2020 Nick Samson - 3.8.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.8.0-2 diff --git a/SPECS/less/less.spec b/SPECS/less/less.spec index 1f353f9781..ac82525ad1 100644 --- a/SPECS/less/less.spec +++ b/SPECS/less/less.spec @@ -34,7 +34,7 @@ make DESTDIR=%{buildroot} install %{_mandir}/*/* %changelog -* Sat May 09 00:20:49 PST 2020 Nick Samson - 530-2 +* Sat May 09 2020 Nick Samson - 530-2 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 530-2 diff --git a/SPECS/leveldb/leveldb.spec b/SPECS/leveldb/leveldb.spec index d68c841ac9..47ba4168da 100644 --- a/SPECS/leveldb/leveldb.spec +++ b/SPECS/leveldb/leveldb.spec 
@@ -6,7 +6,7 @@ Version: 1.22 Release: 3%{?dist} License: BSD URL: https://github.com/google/leveldb -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz @@ -69,7 +69,7 @@ mkdir -p %{buildroot}%{_libdir}/pkgconfig cp -a %{name}.pc %{buildroot}%{_libdir}/pkgconfig/ %check -%ctest +ctest -V %{?_smp_mflags} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -91,6 +91,7 @@ cp -a %{name}.pc %{buildroot}%{_libdir}/pkgconfig/ %changelog * Fri Aug 21 2020 Thomas Crain 1.22-3 - Initial CBL-Mariner version imported from Fedora 33 (license: MIT) +- License verified * Tue Jul 28 2020 Fedora Release Engineering - 1.22-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/libassuan/libassuan.spec b/SPECS/libassuan/libassuan.spec index ecd29e0231..320c486481 100644 --- a/SPECS/libassuan/libassuan.spec +++ b/SPECS/libassuan/libassuan.spec 
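Review bot: In the `%check` hunk of SPECS/leveldb/leveldb.spec, the bare `ctest -V %{?_smp_mflags}` runs in whatever directory `%check` starts in, while the `%ctest` macro it replaces normally changes into the CMake build directory first. The `%build` section is outside this hunk, so it is not visible whether the build is in-tree. If it is out-of-tree, ctest finds no `CTestTestfile.cmake`, reports that no tests were found and still exits 0, so the package check would pass without running a single test. I would make that case fail loudly with `ctest -V --no-tests=error %{?_smp_mflags}` (the option needs CMake 3.12 or later) and add a `cd` into the build directory before it if one is used. A short comment such as `# %%ctest macro is not available here; run ctest directly from the build tree` would also explain why the macro was dropped.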
@@ -47,25 +47,35 @@ make %{?_smp_mflags} check %{_datadir}/aclocal/* %changelog -* Mon Sep 28 2020 Joe Schmitt 2.5.1-5 -- Provide pkgconfig(libassuan). -* Mon Sep 28 2020 Ruying Chen 2.5.1-4 -- Provide libassuan-devel -* Sat May 09 2020 Nick Samson 2.5.1-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 2.5.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Keerthana K 2.5.1-1 -- Update to version 2.5.1 -* Mon Apr 03 2017 Divya Thaluru 2.4.3-1 -- Upgrade version to 2.4.3 -* Thu Nov 24 2016 Alexey Makhalov 2.4.2-3 -- BuildRequired libgpg-error-devel. -* Tue May 24 2016 Priyesh Padmavilasom 2.4.2-2 -- GA - Bump release of all rpms -* Fri Jan 15 2016 Xiaolin Li 2.4.2-1 -- Updated to version 2.4.2 -* Wed May 20 2015 Touseef Liaqat 2.2.0-2 -- Updated group. -* Tue Dec 30 2014 Divya Thaluru 2.2.0-1 -- Initial version +* Mon Sep 28 2020 Joe Schmitt 2.5.1-5 +- Provide pkgconfig(libassuan). + +* Mon Sep 28 2020 Ruying Chen 2.5.1-4 +- Provide libassuan-devel + +* Sat May 09 2020 Nick Samson 2.5.1-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 2.5.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Keerthana K 2.5.1-1 +- Update to version 2.5.1 + +* Mon Apr 03 2017 Divya Thaluru 2.4.3-1 +- Upgrade version to 2.4.3 + +* Thu Nov 24 2016 Alexey Makhalov 2.4.2-3 +- BuildRequired libgpg-error-devel. + +* Tue May 24 2016 Priyesh Padmavilasom 2.4.2-2 +- GA - Bump release of all rpms + +* Fri Jan 15 2016 Xiaolin Li 2.4.2-1 +- Updated to version 2.4.2 + +* Wed May 20 2015 Touseef Liaqat 2.2.0-2 +- Updated group. + +* Tue Dec 30 2014 Divya Thaluru 2.2.0-1 +- Initial version diff --git a/SPECS/libatomic_ops/libatomic_ops.spec b/SPECS/libatomic_ops/libatomic_ops.spec index dfff7f78be..eacd9e70f7 100644 --- a/SPECS/libatomic_ops/libatomic_ops.spec +++ b/SPECS/libatomic_ops/libatomic_ops.spec 
@@ -66,7 +66,7 @@ rm -rf %{buildroot}/* %{_libdir}/pkgconfig/atomic_ops.pc %changelog -* Sat May 09 00:21:13 PST 2020 Nick Samson - 7.6.6-3 +* Sat May 09 2020 Nick Samson - 7.6.6-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 7.6.6-2 diff --git a/SPECS/libcap/libcap.spec b/SPECS/libcap/libcap.spec index 59bfc1f2d5..c0ffae3c07 100644 --- a/SPECS/libcap/libcap.spec +++ b/SPECS/libcap/libcap.spec @@ -54,7 +54,7 @@ sed -i "s|pass_capsh --chroot=\$(/bin/pwd) ==||g" quicktest.sh %{_mandir}/man3/* %changelog -* Sat May 09 00:21:44 PST 2020 Nick Samson - 2.26-2 +* Sat May 09 2020 Nick Samson - 2.26-2 - Added %%license line automatically * Mon Mar 16 2020 Andrew Phelps 2.26-1 diff --git a/SPECS/libdb/libdb.spec b/SPECS/libdb/libdb.spec index e93947a64d..7e1e102abb 100644 --- a/SPECS/libdb/libdb.spec +++ b/SPECS/libdb/libdb.spec @@ -101,14 +101,14 @@ rm -rf %{buildroot} * Tue Nov 03 2020 Joe Schmitt - 5.3.28-5 - Create utils subpackage. -* Sat May 09 00:20:43 PST 2020 Nick Samson - 5.3.28-4 +* Sat May 09 2020 Nick Samson - 5.3.28-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 5.3.28-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 5.3.28-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Nov 14 2017 Alexey Makhalov 5.3.28-2 -- Aarch64 support +* Tue Nov 14 2017 Alexey Makhalov 5.3.28-2 +- Aarch64 support -* Thu Oct 27 2016 Priyesh Padmavilasom 5.3.28-1 -- Initial build. First version +* Thu Oct 27 2016 Priyesh Padmavilasom 5.3.28-1 +- Initial build. First version diff --git a/SPECS/libdnet/libdnet.spec b/SPECS/libdnet/libdnet.spec index eb09919542..4e3c5bb13c 100644 --- a/SPECS/libdnet/libdnet.spec +++ b/SPECS/libdnet/libdnet.spec 
@@ -51,7 +51,7 @@ make %{?_smp_mflags} check %{_libdir}/libdnet.a %changelog -* Sat May 09 00:21:38 PST 2020 Nick Samson - 1.12-2 +* Sat May 09 2020 Nick Samson - 1.12-2 - Added %%license line automatically * Tue Mar 17 2020 Henry Beberman 1.12-1 diff --git a/SPECS/libdnf/CVE-2021-3445.patch b/SPECS/libdnf/CVE-2021-3445.patch new file mode 100644 index 0000000000..8e245d8526 --- /dev/null +++ b/SPECS/libdnf/CVE-2021-3445.patch 
@@ -0,0 +1,92 @@ +diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp +index 99e7e6e..fd0fc5d 100644 +--- a/libdnf/dnf-keyring.cpp ++++ b/libdnf/dnf-keyring.cpp +@@ -34,6 +34,8 @@ + #include + #include + #include ++#include ++#include + + #include "dnf-types.h" + #include "dnf-keyring.h" +@@ -210,6 +212,26 @@ dnf_keyring_add_public_keys(rpmKeyring keyring, GError **error) + return TRUE; + } + ++static int ++rpmcliverifysignatures_log_handler_cb(rpmlogRec rec, rpmlogCallbackData data) ++{ ++ GString **string =(GString **) data; ++ ++ /* create string if required */ ++ if (*string == NULL) ++ *string = g_string_new(""); ++ ++ /* if text already exists, join them */ ++ if ((*string)->len > 0) ++ g_string_append(*string, ": "); ++ g_string_append(*string, rpmlogRecMessage(rec)); ++ ++ /* remove the trailing /n which rpm does */ ++ if ((*string)->len > 0) ++ g_string_truncate(*string,(*string)->len - 1); ++ return 0; ++} ++ + /** + * dnf_keyring_check_untrusted_file: + */ +@@ -226,6 +248,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring, + rpmtd td = NULL; + rpmts ts = NULL; + ++ char *path = g_strdup(filename); ++ char *path_array[2] = {path, NULL}; ++ g_autoptr(GString) rpm_error = NULL; ++ + /* open the file for reading */ + fd = Fopen(filename, "r.fdio"); + if (fd == NULL) { +@@ -246,9 +272,27 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring, + goto out; + } + +- /* we don't want to abort on missing keys */ + ts = rpmtsCreate(); +- rpmtsSetVSFlags(ts, _RPMVSF_NOSIGNATURES); ++ ++ if (rpmtsSetKeyring(ts, keyring) < 0) { ++ g_set_error_literal(error, DNF_ERROR, DNF_ERROR_INTERNAL_ERROR, "failed to set keyring"); ++ goto out; ++ } ++ rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE); ++ rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error); ++ ++ // rpm doesn't provide any better API call than rpmcliVerifySignatures (which is for CLI): ++ // - use path_array as input argument ++ // - gather logs via callback because we don't want to 
print anything if check is successful ++ if (rpmcliVerifySignatures(ts, (char * const*) path_array)) { ++ g_set_error(error, ++ DNF_ERROR, ++ DNF_ERROR_GPG_SIGNATURE_INVALID, ++ "%s could not be verified.\n%s", ++ filename, ++ (rpm_error ? rpm_error->str : "UNKNOWN ERROR")); ++ goto out; ++ } + + /* read in the file */ + rc = rpmReadPackageFile(ts, fd, filename, &hdr); +@@ -312,6 +356,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring, + g_debug("%s has been verified as trusted", filename); + ret = TRUE; + out: ++ rpmlogSetCallback(NULL, NULL); ++ ++ if (path != NULL) ++ g_free(path); + if (dig != NULL) + pgpFreeDig(dig); + if (td != NULL) { diff --git a/SPECS/libdnf/libdnf.spec b/SPECS/libdnf/libdnf.spec index 3b620158f9..5359584ab7 100644 --- a/SPECS/libdnf/libdnf.spec +++ b/SPECS/libdnf/libdnf.spec @@ -7,7 +7,7 @@ Name: libdnf Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: Library providing simplified C and Python API to libsolv. License: LGPLv2+ Vendor: Microsoft Corporation @@ -15,6 +15,7 @@ Distribution: Mariner URL: https://github.com/rpm-software-management/libdnf #Source0: %{url}/archive/%{version}.tar.gz Source0: %{name}-%{version}.tar.gz +Patch0: CVE-2021-3445.patch BuildRequires: cmake BuildRequires: gcc @@ -85,7 +86,7 @@ Requires: python3-%{name} = %{version}-%{release} Python 3 bindings for the hawkey library. %prep -%setup -q +%autosetup -p1 %build # Allows cmake to find libsolv. @@ -176,6 +177,9 @@ popd %{python3_sitelib}/hawkey/ %changelog +* Tue Jul 06 2021 Henry Li 0.43.1-2 +- Patch CVE-2021-3445 + * Mon Aug 17 2020 Emre Girgin 0.43.1-1 - Updating to version 0.43.1. diff --git a/SPECS/libev/libev.spec b/SPECS/libev/libev.spec index 7e8d934ed2..86feebe951 100644 --- a/SPECS/libev/libev.spec +++ b/SPECS/libev/libev.spec 
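Review bot: In the added `rpmcliverifysignatures_log_handler_cb`, `g_string_truncate(*string, (*string)->len - 1)` drops the last byte of the accumulated text whether or not it is a newline, so a log record that arrives without a trailing newline loses a real character; guard it with `if ((*string)->len > 0 && (*string)->str[(*string)->len - 1] == '\n')` and spell the comment `\n` rather than `/n`. Separately, `rpmcliVerifySignatures` is handed the path while `rpmReadPackageFile` later reads from the `fd` opened before the check, so the signature check and the header read are two independent opens of the same name; a comment stating that callers must pass a file in a location no other user can modify would make that assumption explicit. `rpmlogSetCallback(NULL, NULL)` at `out:` also runs on the early-exit paths and clears any callback the host application may have installed instead of restoring it. `dnf_keyring_check_untrusted_file` starts and ends outside the hunks shown, and because this is a carried upstream patch these points are best raised upstream as well.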
@@ -66,17 +66,17 @@ make %{?_smp_mflags} -k check * Tue Nov 03 2020 Ruying Chen - 4.24-5 - Split libev-libevent-devel subpackage to resolve event.h conflicts with libevent-devel. -* Sat May 09 00:21:43 PST 2020 Nick Samson - 4.24-4 +* Sat May 09 2020 Nick Samson - 4.24-4 - Added %%license line automatically -* Wed Apr 08 2020 Joe Schmitt 4.24-3 -- Update Source0 with valid URL. -- Remove sha1 macro. -- License verified. -- Fix changelog styling +* Wed Apr 08 2020 Joe Schmitt 4.24-3 +- Update Source0 with valid URL. +- Remove sha1 macro. +- License verified. +- Fix changelog styling -* Tue Sep 03 2019 Mateusz Malisz 4.24-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 4.24-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Apr 03 2017 Harish Udaiya Kumar 4.24-1 -- Initial Version. +* Mon Apr 03 2017 Harish Udaiya Kumar 4.24-1 +- Initial Version. diff --git a/SPECS/libevent/libevent.spec b/SPECS/libevent/libevent.spec index b602fb7f2f..2282734f7a 100644 --- a/SPECS/libevent/libevent.spec +++ b/SPECS/libevent/libevent.spec @@ -59,7 +59,7 @@ make %{?_smp_mflags} -k check %{_libdir}/pkgconfig/libevent_extra.pc %changelog -* Sat May 09 00:21:17 PST 2020 Nick Samson - 2.1.8-3 +* Sat May 09 2020 Nick Samson - 2.1.8-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.1.8-2 diff --git a/SPECS/libfastjson/libfastjson.spec b/SPECS/libfastjson/libfastjson.spec index ea31d0a255..28375f81c0 100644 --- a/SPECS/libfastjson/libfastjson.spec +++ b/SPECS/libfastjson/libfastjson.spec @@ -54,7 +54,7 @@ make check %changelog -* Sat May 09 00:21:44 PST 2020 Nick Samson - 0.99.8-4 +* Sat May 09 2020 Nick Samson - 0.99.8-4 - Added %%license line automatically * Tue Apr 21 2020 Eric Li 0.99.8-3 diff --git a/SPECS/libgcrypt/libgcrypt-CVE-2021-33560-fix.patch b/SPECS/libgcrypt/libgcrypt-CVE-2021-33560-fix.patch new file mode 100644 index 0000000000..0620132e00 --- /dev/null 
+++ b/SPECS/libgcrypt/libgcrypt-CVE-2021-33560-fix.patch 
@@ -0,0 +1,99 @@ +From: NIIBE Yutaka +Date: Fri, 21 May 2021 02:15:07 +0000 (+0900) +Subject: cipher: Fix ElGamal encryption for other implementations. +X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e + +cipher: Fix ElGamal encryption for other implementations. + +* cipher/elgamal.c (gen_k): Remove support of smaller K. +(do_encrypt): Never use smaller K. +(sign): Folllow the change of gen_k. + +-- + +This change basically reverts encryption changes in two commits: + + 74386120dad6b3da62db37f7044267c8ef34689b + 78531373a342aeb847950f404343a05e36022065 + +Use of smaller K for ephemeral key in ElGamal encryption is only good, +when we can guarantee that recipient's key is generated by our +implementation (or compatible). + +For detail, please see: + + Luca De Feo, Bertram Poettering, Alessandro Sorniotti, + "On the (in)security of ElGamal in OpenPGP"; + in the proceedings of CCS'2021. + +CVE-id: CVE-2021-33560 +GnuPG-bug-id: 5328 +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti +Signed-off-by: NIIBE Yutaka +--- + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 9835122f..eead4502 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -66,7 +66,7 @@ static const char *elg_names[] = + + + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); ++static gcry_mpi_t gen_k (gcry_mpi_t p); + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, + gcry_mpi_t **factors); + static int check_secret_key (ELG_secret_key *sk); +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) + + /**************** + * Generate a random secret exponent k from prime p, so that k is +- * relatively prime to p-1. With SMALL_K set, k will be selected for +- * better encryption performance - this must never be used signing! ++ * relatively prime to p-1. 
+ */ + static gcry_mpi_t +-gen_k( gcry_mpi_t p, int small_k ) ++gen_k( gcry_mpi_t p ) + { + gcry_mpi_t k = mpi_alloc_secure( 0 ); + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) + unsigned int nbits, nbytes; + char *rndbuf = NULL; + +- if (small_k) +- { +- /* Using a k much lesser than p is sufficient for encryption and +- * it greatly improves the encryption performance. We use +- * Wiener's table and add a large safety margin. */ +- nbits = wiener_map( orig_nbits ) * 3 / 2; +- if( nbits >= orig_nbits ) +- BUG(); +- } +- else +- nbits = orig_nbits; +- ++ nbits = orig_nbits; + + nbytes = (nbits+7)/8; + if( DBG_CIPHER ) +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + * error code. + */ + +- k = gen_k( pkey->p, 1 ); ++ k = gen_k( pkey->p ); + mpi_powm (a, pkey->g, k, pkey->p); + + /* b = (y^k * input) mod p +@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) + * + */ + mpi_sub_ui(p_1, p_1, 1); +- k = gen_k( skey->p, 0 /* no small K ! */ ); ++ k = gen_k( skey->p ); + mpi_powm( a, skey->g, k, skey->p ); + mpi_mul(t, skey->x, a ); + mpi_subm(t, input, t, p_1 ); diff --git a/SPECS/libgcrypt/libgcrypt.spec b/SPECS/libgcrypt/libgcrypt.spec index 87f30588f6..b95ec169af 100644 --- a/SPECS/libgcrypt/libgcrypt.spec +++ b/SPECS/libgcrypt/libgcrypt.spec @@ -1,13 +1,15 @@ Summary: GNU Crypto Libraries Name: libgcrypt Version: 1.8.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/Libraries URL: https://gnupg.org/related_software/libgcrypt/ Source0: https://gnupg.org/ftp/gcrypt/%{name}/%{name}-%{version}.tar.bz2 +#libgcrypt CVE-2021-33560 fix +Patch0: libgcrypt-CVE-2021-33560-fix.patch BuildRequires: libgpg-error-devel Requires: libgpg-error 
@@ -25,7 +27,7 @@ The package contains libraries and header files for developing applications that use libgcrypt. %prep -%autosetup +%autosetup -p1 %build %configure @@ -57,6 +59,9 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/%{name}.pc %changelog +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 1.8.7-2 +- libgcrypt CVE-2021-33560 fix + * Mon Feb 01 2021 Thomas Crain - 1.8.7-1 - Update to 1.8.7 to fix CVE-2019-13627 - Remove cross-compile patch diff --git a/SPECS/libgpg-error/libgpg-error.spec b/SPECS/libgpg-error/libgpg-error.spec index a75f6e6053..ee76ddb0aa 100644 --- a/SPECS/libgpg-error/libgpg-error.spec +++ b/SPECS/libgpg-error/libgpg-error.spec 
@@ -72,25 +72,35 @@ make %{?_smp_mflags} check %defattr(-,root,root) %changelog -* Mon Sep 28 2020 Joe Schmitt 1.32-5 -- Explicitly add Provides pkgconfig(gpg-error) to devel package. -* Sat May 09 2020 Nick Samson 1.32-4 -- Added %%license line automatically -* Thu Apr 23 2020 Nick Samson 1.32-3 -- Updated Source0, URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.32-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Bo Gan 1.32-1 -- Update to 1.32 -* Tue Apr 04 2017 Harish Udaiya Kumar 1.27-1 -- Upgraded to new version 1.27 -* Wed Nov 23 2016 Alexey Makhalov 1.21-3 -- Added -lang subpackage -* Tue May 24 2016 Priyesh Padmavilasom 1.21-2 -- GA - Bump release of all rpms -* Fri Jan 15 2016 Xiaolin Li 1.21-1 -- Updated to version 1.21 -* Tue Nov 10 2015 Xiaolin Li 1.17-2 -- Handled locale files with macro find_lang -* Tue Dec 30 2014 Priyesh Padmavilasom -- initial specfile. +* Mon Sep 28 2020 Joe Schmitt 1.32-5 +- Explicitly add Provides pkgconfig(gpg-error) to devel package. + +* Sat May 09 2020 Nick Samson 1.32-4 +- Added %%license line automatically + +* Thu Apr 23 2020 Nick Samson 1.32-3 +- Updated Source0, URL. License verified. + +* Tue Sep 03 2019 Mateusz Malisz 1.32-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Sep 10 2018 Bo Gan 1.32-1 +- Update to 1.32 + +* Tue Apr 04 2017 Harish Udaiya Kumar 1.27-1 +- Upgraded to new version 1.27 + +* Wed Nov 23 2016 Alexey Makhalov 1.21-3 +- Added -lang subpackage + +* Tue May 24 2016 Priyesh Padmavilasom 1.21-2 +- GA - Bump release of all rpms + +* Fri Jan 15 2016 Xiaolin Li 1.21-1 +- Updated to version 1.21 + +* Tue Nov 10 2015 Xiaolin Li 1.17-2 +- Handled locale files with macro find_lang + +* Tue Dec 30 2014 Priyesh Padmavilasom +- initial specfile. diff --git a/SPECS/libgssglue/libgssglue.spec b/SPECS/libgssglue/libgssglue.spec index 6186744381..a9e3bfbc8c 100644 --- a/SPECS/libgssglue/libgssglue.spec +++ b/SPECS/libgssglue/libgssglue.spec 
@@ -44,7 +44,7 @@ find %{buildroot}/%{_libdir} -name '*.la' -delete %{_libdir}/pkgconfig/*.pc %changelog -* Sat May 09 00:21:01 PST 2020 Nick Samson - 0.4-5 +* Sat May 09 2020 Nick Samson - 0.4-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.4-4 diff --git a/SPECS/libgsystem/libgsystem.spec b/SPECS/libgsystem/libgsystem.spec index a0b6baad87..61688c406c 100644 --- a/SPECS/libgsystem/libgsystem.spec +++ b/SPECS/libgsystem/libgsystem.spec @@ -87,7 +87,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/gir-*/*.gir %changelog -* Sat May 09 00:20:37 PST 2020 Nick Samson - 2015.2-5 +* Sat May 09 2020 Nick Samson - 2015.2-5 - Added %%license line automatically * Wed Apr 08 2020 Pawel Winogrodzki 2015.2-4 diff --git a/SPECS/libiothsm-std/libiothsm-std.signatures.json b/SPECS/libiothsm-std/libiothsm-std.signatures.json index da981d4ec9..fc33e8ec16 100644 --- a/SPECS/libiothsm-std/libiothsm-std.signatures.json +++ b/SPECS/libiothsm-std/libiothsm-std.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "azure-iotedge-1.1.0.tar.gz": "c8cd6b70786057a3e599a7649478dcd478726a4125d9e69ddea6314916fe060b" + "azure-iotedge-1.1.2.tar.gz": "23c0efe1f720ed3a27060cab0cae83fecfe73f017063b1bdb94a4bbce34c87b5" } } \ No newline at end of file diff --git a/SPECS/libiothsm-std/libiothsm-std.spec b/SPECS/libiothsm-std/libiothsm-std.spec index abb0838630..6ab033251f 100644 --- a/SPECS/libiothsm-std/libiothsm-std.spec +++ b/SPECS/libiothsm-std/libiothsm-std.spec @@ -1,6 +1,6 @@ Summary: Azure IoT standard mode HSM lib Name: libiothsm-std -Version: 1.1.0 +Version: 1.1.2 Release: 1%{?dist} # A buildable azure-iotedge environments needs functioning submodules that do not work from the archive download @@ -51,6 +51,8 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libiothsm.so* %changelog +* Fri May 14 2021 Andrew Phelps 1.1.2-1 +- Update to version 1.1.2 * Tue Feb 23 2021 Andrew Phelps 1.1.0-1 - Update to version 1.1.0 * Wed May 27 2020 Andrew Phelps 1.0.9.1-1 
diff --git a/SPECS/libjpeg-turbo/CVE-2020-17541.patch b/SPECS/libjpeg-turbo/CVE-2020-17541.patch
new file mode 100644
index 0000000000..0df0b2a5af
--- /dev/null
+++ b/SPECS/libjpeg-turbo/CVE-2020-17541.patch
@@ -0,0 +1,45 @@
+From 6bbc0a3c703f5ea2aecc3a6e60e8ba2935febb82 Mon Sep 17 00:00:00 2001
+From: DRC
+Date: Thu, 5 Dec 2019 13:12:28 -0600
+Subject: [PATCH] Huffman enc.: Fix very rare local buffer overrun
+
+... detected by ASan. This is a similar issue to the issue that was
+fixed with 402a715f82313384ef4606660c32d8678c79f197. Apparently it is
+possible to create a malformed JPEG image that exceeds the Huffman
+encoder's 256-byte local buffer when attempting to losslessly tranform
+the image. That makes sense, given that it was necessary to extend the
+Huffman decoder's local buffer to 512 bytes in order to handle all
+pathological cases (refer to 0463f7c9aad060fcd56e98d025ce16185279e2bc.)
+
+Since this issue affected only lossless transformation, a workflow that
+isn't generally exposed to arbitrary data exploits, and since the
+overrun did not overflow the stack (i.e. it did not result in a segfault
+or other user-visible issue, and valgrind didn't even detect it), it did
+not likely pose a security risk.
+
+Fixes #392
+---
+ jchuff.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff -Naur a/jchuff.c b/jchuff.c
+--- a/jchuff.c 2018-07-27 09:47:48.000000000 -0700
++++ b/jchuff.c 2021-06-11 12:13:35.203734046 -0700
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2014-2016, 2018, D. R. Commander.
++ * Copyright (C) 2009-2011, 2014-2016, 2018-2019, D. R. Commander.
+ * Copyright (C) 2015, Matthieu Darbois.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -428,7 +428,7 @@
+ * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
+ * larger than 200 bytes.
+ */
+-#define BUFSIZE (DCTSIZE2 * 4)
++#define BUFSIZE (DCTSIZE2 * 8)
+
+ #define LOAD_BUFFER() { \
+ if (state->free_in_buffer < BUFSIZE) { \
diff --git a/SPECS/libjpeg-turbo/libjpeg-turbo.spec b/SPECS/libjpeg-turbo/libjpeg-turbo.spec index 15d80d118b..1779b2c910 100644 --- a/SPECS/libjpeg-turbo/libjpeg-turbo.spec +++ b/SPECS/libjpeg-turbo/libjpeg-turbo.spec @@ -1,7 +1,7 @@ Summary: fork of the original IJG libjpeg which uses SIMD. Name: libjpeg-turbo Version: 2.0.0 -Release: 8%{?dist} +Release: 9%{?dist} License: IJG Vendor: Microsoft Corporation Distribution: Mariner @@ -10,6 +10,7 @@ URL: https://sourceforge.net/projects/libjpeg-turbo Source0: http://downloads.sourceforge.net/libjpeg-turbo/%{name}-%{version}.tar.gz Patch0: CVE-2018-20330.patch Patch1: CVE-2018-19664.patch +Patch2: CVE-2020-17541.patch BuildRequires: cmake Provides: libjpeg = 6b-47 Provides: turbojpeg = %{version}-%{release} @@ -64,6 +65,9 @@ popd %{_libdir}/pkgconfig/*.pc %changelog +* Fri Jul 26 2021 Henry Beberman - 2.0.0-9 +- Patch CVE-2020-17541 (JOSLOBO: Dash rolled for merge) + * Fri Jul 23 2021 Thomas Crain - 2.0.0-8 - Add provides for turbojpeg, turbojpeg-devel packages, utils subpackage diff --git a/SPECS/libksba/libksba.spec b/SPECS/libksba/libksba.spec index cade65a9de..5646b74e74 100644 --- a/SPECS/libksba/libksba.spec +++ b/SPECS/libksba/libksba.spec 
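Review bot: Nothing in the visible hunks shows `Patch2` being applied: the commit adds `Patch2: CVE-2020-17541.patch` but does not touch `%prep`, unlike the libdnf and libgcrypt specs in this same commit, which move to `%autosetup -p1`. If `%prep` (outside these hunks) applies patches one by one, it needs a matching `%patch2 -p1`; otherwise the package is rebuilt as release 9 with a CVE changelog entry while still compiling the 256-byte `BUFSIZE`. The new changelog header `* Fri Jul 26 2021` also has the wrong weekday, since the entry directly below it is `Fri Jul 23 2021`; it should read `* Mon Jul 26 2021 Henry Beberman - 2.0.0-9`, which avoids rpm's bogus-date warning.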
@@ -46,15 +46,20 @@ make %{?_smp_mflags} -k check %exclude %{_datadir}/info/dir %changelog -* Mon Sep 28 2020 Ruying Chen 1.3.5-4 -- Provide libksba-devel for base package -* Sat May 09 2020 Nick Samson 1.3.5-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.3.5-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Apr 11 2017 Harish Udaiya Kumar 1.3.5-1 -- Udpated to version 1.3.5 -* Thu Nov 24 2016 Alexey Makhalov 1.3.4-2 -- BuildRequired libgpg-error-devel. -* Wed Jul 27 2016 Kumar Kaushik 1.3.4-1 -- Initial Build. +* Mon Sep 28 2020 Ruying Chen 1.3.5-4 +- Provide libksba-devel for base package + +* Sat May 09 2020 Nick Samson 1.3.5-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.3.5-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Apr 11 2017 Harish Udaiya Kumar 1.3.5-1 +- Udpated to version 1.3.5 + +* Thu Nov 24 2016 Alexey Makhalov 1.3.4-2 +- BuildRequired libgpg-error-devel. + +* Wed Jul 27 2016 Kumar Kaushik 1.3.4-1 +- Initial Build. diff --git a/SPECS/libmbim/libmbim.spec b/SPECS/libmbim/libmbim.spec index b5ae9813d1..c6e377856b 100644 --- a/SPECS/libmbim/libmbim.spec +++ b/SPECS/libmbim/libmbim.spec @@ -55,7 +55,7 @@ make %{?_smp_mflags} check %{_datadir}/gtk-doc/* %changelog -* Sat May 09 00:21:05 PST 2020 Nick Samson - 1.18.2-2 +* Sat May 09 2020 Nick Samson - 1.18.2-2 - Added %%license line automatically * Tue Mar 17 2020 Henry Beberman 1.18.2-1 diff --git a/SPECS/libmnl/libmnl.spec b/SPECS/libmnl/libmnl.spec index 901058844b..6b1dba7272 100644 --- a/SPECS/libmnl/libmnl.spec +++ b/SPECS/libmnl/libmnl.spec @@ -55,7 +55,7 @@ rm -rf %{buildroot}/* %{_libdir}/pkgconfig/* %changelog -* Sat May 09 00:20:39 PST 2020 Nick Samson - 1.0.4-5 +* Sat May 09 2020 Nick Samson - 1.0.4-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.0.4-4 diff --git a/SPECS/libmpc/libmpc.spec b/SPECS/libmpc/libmpc.spec index 4875b0f886..a0ffcb513d 100644 
--- a/SPECS/libmpc/libmpc.spec +++ b/SPECS/libmpc/libmpc.spec @@ -45,23 +45,32 @@ make %{?_smp_mflags} check %{_libdir}/*.so.* %changelog -* Mon Sep 28 2020 Ruying Chen 1.1.0-6 -- Provide libmpc-devel -* Sat May 09 2020 Nick Samson 1.1.0-5 -- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 1.1.0-4 -- Renaming mpc to libmpc -* Tue Apr 07 2020 Paul Monson 1.1.0-3 -- Add #Source0. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.1.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Srivatsa S. Bhat 1.1.0-1 -- Update to version 1.1.0 -* Mon Oct 03 2016 ChangLee 1.0.3-3 -- Modified check -* Tue May 24 2016 Priyesh Padmavilasom 1.0.3-2 -- GA - Bump release of all rpms -* Tue Jan 12 2016 Anish Swaminathan 1.0.3-1 -- Update version. -* Wed Nov 5 2014 Divya Thaluru 1.0.2-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 1.1.0-6 +- Provide libmpc-devel + +* Sat May 09 2020 Nick Samson 1.1.0-5 +- Added %%license line automatically + +* Thu Apr 30 2020 Emre Girgin 1.1.0-4 +- Renaming mpc to libmpc + +* Tue Apr 07 2020 Paul Monson 1.1.0-3 +- Add #Source0. License verified. + +* Tue Sep 03 2019 Mateusz Malisz 1.1.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Sep 10 2018 Srivatsa S. Bhat 1.1.0-1 +- Update to version 1.1.0 + +* Mon Oct 03 2016 ChangLee 1.0.3-3 +- Modified check + +* Tue May 24 2016 Priyesh Padmavilasom 1.0.3-2 +- GA - Bump release of all rpms + +* Tue Jan 12 2016 Anish Swaminathan 1.0.3-1 +- Update version. + +* Wed Nov 5 2014 Divya Thaluru 1.0.2-1 +- Initial build. First version diff --git a/SPECS/libmspack/libmspack.spec b/SPECS/libmspack/libmspack.spec index fe7281bcd3..000afce61a 100644 --- a/SPECS/libmspack/libmspack.spec +++ b/SPECS/libmspack/libmspack.spec 
@@ -53,7 +53,7 @@ cd test %{_libdir}/*.so %changelog -* Sat May 09 00:21:33 PST 2020 Nick Samson - 0.7.1alpha-3 +* Sat May 09 2020 Nick Samson - 0.7.1alpha-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.7.1alpha-2 diff --git a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec index aeace18b6e..b3b7fa3ba0 100644 --- a/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec +++ b/SPECS/libnetfilter_conntrack/libnetfilter_conntrack.spec @@ -53,7 +53,7 @@ make %{?_smp_mflags} %{_libdir}/*.la %changelog -* Sat May 09 00:21:18 PST 2020 Nick Samson - 1.0.7-4 +* Sat May 09 2020 Nick Samson - 1.0.7-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.0.7-3 diff --git a/SPECS/libnetfilter_cthelper/libnetfilter_cthelper.spec b/SPECS/libnetfilter_cthelper/libnetfilter_cthelper.spec index fd85a09245..cf91cea439 100644 --- a/SPECS/libnetfilter_cthelper/libnetfilter_cthelper.spec +++ b/SPECS/libnetfilter_cthelper/libnetfilter_cthelper.spec @@ -54,7 +54,7 @@ find %{buildroot} -type f -name '*.la' -exec rm -f {} ';' %{_libdir}/*.so %changelog -* Sat May 09 00:20:44 PST 2020 Nick Samson - 1.0.0-4 +* Sat May 09 2020 Nick Samson - 1.0.0-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.0.0-3 diff --git a/SPECS/libnetfilter_cttimeout/libnetfilter_cttimeout.spec b/SPECS/libnetfilter_cttimeout/libnetfilter_cttimeout.spec index e2950b3fe3..edad82b657 100644 --- a/SPECS/libnetfilter_cttimeout/libnetfilter_cttimeout.spec +++ b/SPECS/libnetfilter_cttimeout/libnetfilter_cttimeout.spec @@ -53,7 +53,7 @@ find %{buildroot} -type f -name '*.la' -exec rm -f {} ';' %{_libdir}/*.so %changelog -* Sat May 09 00:21:31 PST 2020 Nick Samson - 1.0.0-4 +* Sat May 09 2020 Nick Samson - 1.0.0-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.0.0-3 
diff --git a/SPECS/libnetfilter_queue/libnetfilter_queue.spec b/SPECS/libnetfilter_queue/libnetfilter_queue.spec index ae96c13137..bbbc51b976 100644 --- a/SPECS/libnetfilter_queue/libnetfilter_queue.spec +++ b/SPECS/libnetfilter_queue/libnetfilter_queue.spec @@ -54,7 +54,7 @@ make %{?_smp_mflags} %{_libdir}/*.la %changelog -* Sat May 09 00:21:27 PST 2020 Nick Samson - 1.0.3-4 +* Sat May 09 2020 Nick Samson - 1.0.3-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.0.3-3 diff --git a/SPECS/libnfnetlink/libnfnetlink.spec b/SPECS/libnfnetlink/libnfnetlink.spec index 618d632ab3..18424f9d21 100644 --- a/SPECS/libnfnetlink/libnfnetlink.spec +++ b/SPECS/libnfnetlink/libnfnetlink.spec @@ -51,7 +51,7 @@ find %{buildroot} -type f -name '*.la' -exec rm -f {} ';' %{_libdir}/*.so %changelog -* Sat May 09 00:21:29 PST 2020 Nick Samson - 1.0.1-4 +* Sat May 09 2020 Nick Samson - 1.0.1-4 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.0.1-3 diff --git a/SPECS/libnftnl/libnftnl.spec b/SPECS/libnftnl/libnftnl.spec index 261e5ce839..c7cd633bf3 100644 --- a/SPECS/libnftnl/libnftnl.spec +++ b/SPECS/libnftnl/libnftnl.spec @@ -60,11 +60,11 @@ find %{buildroot} -type f -name "*.la" -delete -print - Update to version 1.1.9 - Remove sha1 macro -* Sat May 09 00:21:00 PST 2020 Nick Samson - 1.1.1-3 +* Sat May 09 2020 Nick Samson - 1.1.1-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.1.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.1.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). * Mon Sep 10 2018 Ankit Jain 1.1.1-1 - Initial version diff --git a/SPECS/libnl3/libnl3.spec b/SPECS/libnl3/libnl3.spec index dc85743d41..4fac319f41 100644 --- a/SPECS/libnl3/libnl3.spec +++ b/SPECS/libnl3/libnl3.spec 
@@ -74,23 +74,34 @@ make %{?_smp_mflags} check %changelog * Fri Aug 28 2020 Thomas Crain - 3.4.0-6 - Add pkg-config provides to devel package -* Sat May 09 00:21:15 PST 2020 Nick Samson - 3.4.0-5 +- License verified + +* Sat May 09 2020 Nick Samson - 3.4.0-5 - Added %%license line automatically + * Thu Apr 30 2020 Nicolas Ontiveros - 3.4.0-4 - Rename from libnl to libnl3. + * Tue Apr 14 2020 Nick Samson - 3.4.0-3 - Updated Source0, URL. License verified. + * Tue Sep 03 2019 Mateusz Malisz - 3.4.0-2 -- Initial import from Photon (license: dual Apache2/GPL2). +- Initial CBL-Mariner import from Photon (license: Apache2). + * Wed Sep 19 2018 Bo Gan - 3.4.0-1 - Updated to version 3.4.0 + * Tue Apr 11 2017 Harish Udaiya Kumar - 3.2.29-1 - Updated to version 3.2.29. + * Tue May 24 2016 Priyesh Padmavilasom - 3.2.27-2 - GA - Bump release of all rpms + * Fri Jan 15 2016 Xiaolin Li - 3.2.27-1 - Updated to version 3.2.27 + * Tue Sep 22 2015 Harish Udaiya Kumar - 3.2.25-2 - Updated build-requires after creating devel package for dbus. + * Tue Jun 23 2015 Divya Thaluru - 3.2.25-1 - Initial build. diff --git a/SPECS/libnsl2/libnsl2.spec b/SPECS/libnsl2/libnsl2.spec index 18d35f5f27..997cf607ab 100644 --- a/SPECS/libnsl2/libnsl2.spec +++ b/SPECS/libnsl2/libnsl2.spec @@ -56,7 +56,7 @@ make install DESTDIR=%{buildroot} %{_libdir}/*.la %changelog -* Sat May 09 00:21:34 PST 2020 Nick Samson - 1.2.0-4 +* Sat May 09 2020 Nick Samson - 1.2.0-4 - Added %%license line automatically * Fri Apr 17 2020 Nicolas Ontiveros 1.2.0-3 diff --git a/SPECS/libnvidia-container/common.mk.patch b/SPECS/libnvidia-container/common.mk.patch new file mode 100644 index 0000000000..55570a4bfc --- /dev/null +++ b/SPECS/libnvidia-container/common.mk.patch 
@@ -0,0 +1,12 @@
+diff -urN libnvidia-container-1.3.3-orig/mk/common.mk libnvidia-container-1.3.3/mk/common.mk
+--- libnvidia-container-1.3.3-orig/mk/common.mk 2021-02-05 05:26:41.000000000 -0800
++++ libnvidia-container-1.3.3/mk/common.mk 2021-04-16 23:53:31.110955932 -0700
+@@ -22,7 +22,7 @@
+ UID := $(shell id -u)
+ GID := $(shell id -g)
+ DATE := $(shell date -u --iso-8601=minutes)
+-REVISION := $(shell git rev-parse HEAD)
++REVISION = 0
+ COMPILER := $(realpath $(shell which $(CC)))
+ PLATFORM ?= $(shell uname -m)
+
diff --git a/SPECS/libnvidia-container/libnvidia-container.signatures.json b/SPECS/libnvidia-container/libnvidia-container.signatures.json
new file mode 100644
index 0000000000..c9f052b80d
--- /dev/null
+++ b/SPECS/libnvidia-container/libnvidia-container.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "libnvidia-container-1.3.3.tar.gz": "99ff64baeb3b7c3fa9938bd91637deda8982146f166f52e99fabe956aa04eb53",
+ "nvidia-modprobe-450.57.tar.gz": "396b4102d3075a2dee3024652fae206a1b38ace54b8efb1e2c20757a11ec19f1"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/libnvidia-container/libnvidia-container.spec b/SPECS/libnvidia-container/libnvidia-container.spec
new file mode 100644
index 0000000000..81e9bbb128
--- /dev/null
+++ b/SPECS/libnvidia-container/libnvidia-container.spec
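Review bot: `REVISION = 0` in common.mk.patch replaces the git lookup with a constant, so whatever the build stamps from `REVISION` (presumably the library's reported build revision) no longer identifies the source that was compiled. Pinning it to the commit behind the packaged tarball, `REVISION := <commit of the packaged 1.3.3 source>`, keeps the build independent of git metadata without losing that traceability. The neighbouring assignments all use `:=`, and the replacement line should match them. A one-line description at the top of the patch saying why the lookup is removed (presumably there is no git checkout in the build root) would help whoever rebases it next.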
@@ -0,0 +1,279 @@ +%define modprobe_version 450.57 +%define _major 1 +%define mod_probe_dir deps/src/nvidia-modprobe-%{modprobe_version} +Summary: NVIDIA container runtime library +Name: libnvidia-container +Version: 1.3.3 +Release: 2%{?dist} +License: BSD AND ASL2.0 AND GPLv3+ AND LGPLv3+ AND MIT AND GPLv2 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/NVIDIA/libnvidia-container +#Source0: https://github.com/NVIDIA/%%{name}/archive/v%%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +#Source1: https://github.com/NVIDIA/nvidia-modprobe/archive/%%{modprobe_version}.tar.gz +Source1: nvidia-modprobe-%{modprobe_version}.tar.gz +Patch0: common.mk.patch +Patch1: libtirpc.patch +Patch2: nvidia-modprobe.patch +BuildRequires: libseccomp-devel +BuildRequires: libtirpc-devel +BuildRequires: make +BuildRequires: rpcsvc-proto +BuildRequires: which + +%description +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 + +mkdir -p %{mod_probe_dir} +tar -C %{mod_probe_dir} --strip-components=1 -xzf %{SOURCE1} +%patch2 -p1 -d %{mod_probe_dir} +touch %{mod_probe_dir}/.download_stamp + +%build +%make_build WITH_LIBELF=yes + +%install +DESTDIR=%{buildroot} make install prefix=%{_prefix} \ + exec_prefix=%{_prefix} \ + bindir=%{_bindir} \ + libdir=%{_libdir} \ + includedir=%{_includedir}\ + docdir=%{_licensedir} \ + WITH_LIBELF=yes + +%package -n %{name}%{_major} +Summary: NVIDIA container runtime library + +%description -n %{name}%{_major} +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. 
+ +This package requires the NVIDIA driver (>= 340.29) to be installed separately. + +%package devel +Summary: NVIDIA container runtime library (development files) +Requires: %{name}%{_major}%{?_isa} = %{version}-%{release} + +%description devel +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. + +This package contains the files required to compile programs with the library. + +%package static +Summary: NVIDIA container runtime library (static library) +Requires: %{name}-devel%{?_isa} = %{version}-%{release} + +%description static +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. + +This package requires the NVIDIA driver (>= 340.29) to be installed separately. + +%define debug_package %{nil} + +%package -n %{name}%{_major}-debuginfo +Summary: NVIDIA container runtime library (debugging symbols) +Requires: %{name}%{_major}%{?_isa} = %{version}-%{release} + +%description -n %{name}%{_major}-debuginfo +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. + +This package contains the debugging symbols for the library. + +%package tools +Summary: NVIDIA container runtime library (command-line tools) +Requires: %{name}%{_major}%{?_isa} = %{version}-%{release} + +%description tools +The nvidia-container library provides an interface to configure GNU/Linux +containers leveraging NVIDIA hardware. The implementation relies on several +kernel subsystems and is designed to be agnostic of the container runtime. 
+ +This package contains command-line tools that facilitate using the library. + +%post -n %{name}%{_major} -p /sbin/ldconfig +%postun -n %{name}%{_major} -p /sbin/ldconfig + +%files -n %{name}%{_major} +%license %{_licensedir}/* +%{_libdir}/lib*.so.* + +%files devel +%license %{_licensedir}/* +%{_includedir}/*.h +%{_libdir}/lib*.so +%{_libdir}/pkgconfig/*.pc + +%files static +%license %{_licensedir}/* +%{_libdir}/lib*.a + +%files -n %{name}%{_major}-debuginfo +%license %{_licensedir}/* +%{_libdir}/debug%{_libdir}/lib*.so.* + +%files tools +%license %{_licensedir}/* +%{_bindir}/* + +%changelog +* Fri Apr 23 2021 joseph knierman - 1.3.3-2 +- License verified +- Initial CBL-Mariner import from NVIDIA (license: ASL 2.0). + +* Fri Feb 05 2021 NVIDIA CORPORATION 1.3.3-1 +- Promote 1.3.3-0.1.rc.2 to 1.3.3-1 + +* Wed Feb 03 2021 NVIDIA CORPORATION 1.3.3-0.1.rc.2 +- Remove path_join() with already chrooted directory + +* Wed Feb 03 2021 NVIDIA CORPORATION 1.3.3-0.1.rc.1 +- Pre-create MIG related nvcaps at startup +- Add more logging around device node creation with --load-kmods + +* Mon Jan 25 2021 NVIDIA CORPORATION 1.3.2-1 +- Fix handling of /proc/PID/cgroups entries with colons in paths +- Add pread64 as allowed syscall for ldconfig + +* Mon Dec 07 2020 NVIDIA CORPORATION 1.3.1-1 +- Honor OPT_NO_CGROUPS in nvc_device_mig_caps_mount +- Fix bug in resolving absolute symlinks in find_library_paths() + +* Wed Sep 16 2020 NVIDIA CORPORATION 1.3.0-1 +- Promote 1.3.0-0.1.rc.1 to 1.3.0-1 + +* Fri Aug 21 2020 NVIDIA CORPORATION 1.3.0-0.1.rc.1 +- 2bda067f Add support to "list" command to print /dev based capabilities +- 3c2ad6aa Add logic to conditionally mount /dev based nvidia-capabilities +- 4d432175 Change default "list" command to set mig-config / mig-monitor = NULL +- 3ec7f3ba Fix minor bug that would not unmount paths on failure +- b5c0a394 Update nvidia-modprobe dependency to 450.57 + +* Wed Jul 08 2020 NVIDIA CORPORATION 1.2.0-1 +- Promote 1.2.0-0.1.rc.3 to 1.2.0-1 + +* 
Wed Jul 01 2020 NVIDIA CORPORATION 1.2.0-0.1.rc.3 +- 7deea6b8 WSL2 Support - Remove unnecessary umount and free +- 53739009 WSL2 Support - Fix error path when mounting the driver +- 38198a81 WSL2 Support - Fix error path in dxcore +- 31f5ea35 Changed email for travis.ci to kklues@nvidia.com +- abdd5175 Update license and copyright in packages +- 65827fe7 Update license clause to reflect actual licensing +- 77499d88 Transition Travis CI build to Ubuntu 18.04 + +* Thu Jun 18 2020 NVIDIA CORPORATION 1.2.0-0.1.rc.2 +- 4ea9b59f Update debian based dockerfiles to set distribution in changelog +- a57fcea5 Add 'ngx' as a new capability for a container +- 6f16ccd3 Allow --mig-monitor and --mig-config on machines without MIG capable GPUs + +* Thu Jun 11 2020 NVIDIA CORPORATION 1.2.0-0.1.rc.1 +- 4263e684 Add support for Windows Subsystem for Linux (WSL2) +- e768f8bc Fix ability to build RC packages via TAG=rc. + +* Tue May 19 2020 NVIDIA CORPORATION 1.1.1-1 +- deeb499 Fixup deb packaging files to remove warnings +- 6003504 nvmlSystemGetCudaDriverVersion_v2 to nvmlSystemGetCudaDriverVersion +- 1ee8b60 Update centos8/rhel8 to conditionally set appropriate CFLAGS and LDLIBS +- d746370 Add smoke test to verify functioning build for all OSs on amd64/x86_64 + +* Fri May 15 2020 NVIDIA CORPORATION 1.1.0-1 +- b217c6ad Update build system to support multi-arch builds +- 1ddcdfc1 Add support for MIG (Milti-Instance-GPUs) +- ddae363a Add libnvidia-allocator.so as a compute-lib +- 6ed0f129 Add option to not use pivot_root +- e18e9b7a Allow devices to be identified by PCI bus ID + +* Mon Nov 11 2019 NVIDIA CORPORATION 1.0.7-1 +- 8d90918a Add Raytracing library + +* Fri Sep 013 2019 NVIDIA CORPORATION 1.0.6-1 +- b6aff41 Update error messages for CUDA version requirements + +* Wed Sep 04 2019 NVIDIA CORPORATION 1.0.5-1 +- 688495e Add Opensuse15.1 support + +* Wed Aug 21 2019 NVIDIA CORPORATION 1.0.4-1 +- 61bfaf38 Update DSL to output the first element instead of the last in case of failure 
+- 5ce32c6c Add initial support for Optix +- acc38a22 Fix execveat typo +- b5e491b1 arm64: Add support for AARCH64 architecture + +* Thu Jul 18 2019 NVIDIA CORPORATION 1.0.3-1 +- b9545d7 Add support for Vulkan + +* Tue Feb 05 2019 NVIDIA CORPORATION 1.0.2-1 +- 4045013 Adds support for libnvidia-opticalflow + +* Mon Jan 14 2019 NVIDIA CORPORATION 1.0.1-1 +- deccb28 Allow yet more syscalls in ldconfig + +* Thu Sep 20 2018 NVIDIA CORPORATION 1.0.0-1 +- 35a9f27 Add support for CUDA forward compatibility +- ebed710 Add device brand to the device informations and requirements +- a141a7a Handle 32-bit PCI domains in procfs +- 391c4b6 Preload glibc libraries before switching root +- bcf69c6 Bump libtirpc to 1.1.4 +- 30aec17 Bump nvidia-modprobe-utils to 396.51 +- d05745f Bump the address space limits for ldconfig + +* Mon Jun 11 2018 NVIDIA CORPORATION 1.0.0-0.1.rc.2 +- 7ea554a Rework capabilities to support more unprivileged use-cases +- f06cbbb Fix driver process DEATHSIG teardown +- 931bd4f Allow more syscalls in ldconfig +- a0644ea Fix off-by-one error + +* Thu Apr 26 2018 NVIDIA CORPORATION 1.0.0-0.1.rc.1 +- 4d43665 Bump nvidia-modprobe-utils to 396.18 +- d8338a6 Bump libtirpc to 1.0.3 +- cef6c8f Add execveat to the list of allowed syscalls + +* Mon Mar 05 2018 NVIDIA CORPORATION 1.0.0-0.1.beta.1 +- 6822b13 Bump nvidia-modprobe-utils to 390.25 +- 8245f6c Slightly improve RPC error messages +- 9398d41 Add support for display capability +- 57a0dd5 Increase driver service timeout from 1s to 10s +- e48a0d4 Add device minor to the CLI info command +- 019fdc1 Add support for custom driver root directory +- b78a28c Add ppc64le support +- 41656bf Add --ldcache option to the CLI + +* Wed Jan 10 2018 NVIDIA CORPORATION 1.0.0-0.1.alpha.3 +- d268f8f Improve error message if driver installed in the container +- 3fdac29 Add optional support for libelf from the elfutils project +- 584bca5 Remove top directory bind mounts to prevent EXDEV errors +- c6dc820 Add info command to 
nvidia-container-cli +- 44b74ee Add device model to the device informations +- cbdd58f Strip RPC prefix from error messages +- d4ee216 Rework the CLI list command +- b0c4865 Improve the --userspec CLI option and rename it to --user +- e6fa331 Refactor the CLI and split it into multiple files +- fa9853b Bump nvidia-modprobe-utils to 387.34 +- 7888296 Move the driver capabilities to the container options +- ea2f780 Add support for EGL device isolation +- b5bffa3 Fix driver procfs remount to work with unpatched kernels + +* Mon Oct 30 2017 NVIDIA CORPORATION 1.0.0-0.1.alpha.2 +- b80e4b6 Relax some requirement constraints +- 3cd1bb6 Handle 32-bit PCI domains +- 6c67a19 Add support for device architecture requirement +- 7584e96 Filter NVRM proc filesystem based on visible devices +- 93c46e1 Prevent the driver process from triggering MPS +- fe4925e Reject invalid device identifier "GPU-" +- dabef1c Do not change bind mount attributes on top-level directories + +* Tue Sep 05 2017 NVIDIA CORPORATION 1.0.0-0.1.alpha.1 +- Initial release diff --git a/SPECS/libnvidia-container/libtirpc.patch b/SPECS/libnvidia-container/libtirpc.patch new file mode 100644 index 0000000000..adb4ec1095 --- /dev/null +++ b/SPECS/libnvidia-container/libtirpc.patch @@ -0,0 +1,13 @@ +diff -urN libnvidia-container-1.3.3.orig/Makefile libnvidia-container-1.3.3/Makefile +--- libnvidia-container-1.3.3.orig/Makefile 2021-02-05 05:26:41.000000000 -0800 ++++ libnvidia-container-1.3.3/Makefile 2021-04-18 13:32:26.857212545 -0700 +@@ -133,6 +133,9 @@ + LIB_CPPFLAGS += -isystem $(DEPS_DIR)$(includedir)/tirpc -DWITH_TIRPC + LIB_LDLIBS_STATIC += -l:libtirpc.a + LIB_LDLIBS_SHARED += -lpthread ++else ++CPPFLAGS += -I/usr/include/tirpc ++LIB_LDLIBS_SHARED += -lpthread -ltirpc + endif + ifeq ($(WITH_SECCOMP), yes) + LIB_CPPFLAGS += -DWITH_SECCOMP $(shell pkg-config --cflags libseccomp) 
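Review bot: `WITH_LIBELF=yes` is passed in both `%build` and `%install`, but no libelf development package is listed in `BuildRequires`; if that flag makes the upstream Makefile link against the system libelf (the Makefile is not visible here), the build depends on whatever the build root happens to provide. Declaring the dependency explicitly keeps the set of build inputs for this library reviewable next to the pinned tarball hashes. Separately, the changelog entry `* Fri Sep 013 2019 NVIDIA CORPORATION 1.0.6-1` has a malformed day field, which is at odds with the changelog date clean-ups made elsewhere in this commit; `* Fri Sep 13 2019` is the intended form.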
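Review bot: The added `else` branch hard-codes `-I/usr/include/tirpc` and appends it to the global `CPPFLAGS`, while the branch above it uses `LIB_CPPFLAGS` and the seccomp block directly below resolves its flags through `pkg-config`. Writing it as `LIB_CPPFLAGS += $(shell pkg-config --cflags libtirpc)` and `LIB_LDLIBS_SHARED += -lpthread $(shell pkg-config --libs libtirpc)` would limit the include path to the library objects and follow wherever libtirpc-devel installs its headers. The `ifeq` that this `else` pairs with starts outside the hunk, so the exact condition under which the new branch is taken should be confirmed against the full Makefile.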
diff --git a/SPECS/libnvidia-container/nvidia-modprobe.patch b/SPECS/libnvidia-container/nvidia-modprobe.patch
new file mode 100644
index 0000000000..c66373a239
--- /dev/null
+++ b/SPECS/libnvidia-container/nvidia-modprobe.patch
@@ -0,0 +1,29 @@
+diff -ruN nvidia-modprobe-450.57/modprobe-utils/nvidia-modprobe-utils.c nvidia-modprobe-450.57-patched/modprobe-utils/nvidia-modprobe-utils.c
+--- nvidia-modprobe-450.57/modprobe-utils/nvidia-modprobe-utils.c 2020-07-09 17:06:05.000000000 +0000
++++ nvidia-modprobe-450.57-patched/modprobe-utils/nvidia-modprobe-utils.c 2020-08-18 12:43:03.223871514 +0000
+@@ -840,10 +840,10 @@
+ return mknod_helper(major, minor_num, vgpu_dev_name, NV_PROC_REGISTRY_PATH);
+ }
+
+-static int nvidia_cap_get_device_file_attrs(const char* cap_file_path,
+- int *major,
+- int *minor,
+- char *name)
++int nvidia_cap_get_device_file_attrs(const char* cap_file_path,
++ int *major,
++ int *minor,
++ char *name)
+ {
+ char field[32];
+ FILE *fp;
+diff -ruN nvidia-modprobe-450.57/modprobe-utils/nvidia-modprobe-utils.h nvidia-modprobe-450.57-patched/modprobe-utils/nvidia-modprobe-utils.h
+--- nvidia-modprobe-450.57/modprobe-utils/nvidia-modprobe-utils.h 2020-07-09 17:06:05.000000000 +0000
++++ nvidia-modprobe-450.57-patched/modprobe-utils/nvidia-modprobe-utils.h 2020-08-18 12:43:44.227745050 +0000
+@@ -81,6 +81,7 @@
+ int nvidia_nvswitch_get_file_state(int minor);
+ int nvidia_cap_mknod(const char* cap_file_path, int *minor);
+ int nvidia_cap_get_file_state(const char* cap_file_path);
++int nvidia_cap_get_device_file_attrs(const char* cap_file_path, int *major, int *minor, char *name);
+ int nvidia_get_chardev_major(const char *name);
+
+ #endif /* NV_LINUX */
diff --git a/SPECS/libpcap/libpcap.spec b/SPECS/libpcap/libpcap.spec
index 5d6f90df4f..b3a4893bec 100644
--- a/SPECS/libpcap/libpcap.spec
+++ b/SPECS/libpcap/libpcap.spec
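Review bot: Dropping `static` and adding the prototype to the header makes `nvidia_cap_get_device_file_attrs` callable from other translation units, yet its `char *name` out-parameter has no length argument and the new prototype carries no comment. The function body lies outside the hunk, so how much it writes into `name` cannot be checked here. A comment above the prototype such as `/* name must point to a buffer of at least <SIZE> bytes */`, with the real bound taken from the implementation, would give new callers the contract they need to size the buffer. The patch file also has no header explaining why the symbol is exported.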
@@ -68,7 +68,7 @@ make DESTDIR=%{buildroot} install %{_mandir}/man7/* %changelog -* Sat May 09 00:20:50 PST 2020 Nick Samson - 1.9.1-2 +* Sat May 09 2020 Nick Samson - 1.9.1-2 - Added %%license line automatically * Fri May 01 2020 Pawel Winogrodzki 1.9.1-1 diff --git a/SPECS/libpng/libpng.spec b/SPECS/libpng/libpng.spec index 61925790d8..894eeb42df 100644 --- a/SPECS/libpng/libpng.spec +++ b/SPECS/libpng/libpng.spec 
@@ -68,28 +68,28 @@ make %{?_smp_mflags} -k check * Wed Mar 03 2021 Henry Li - 1.6.37-3 - Provides libpng16 from libpng -* Sat May 09 2020 Nick Samson - 1.6.37-2 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 1.6.37-2 +- Added %%license line automatically -* Fri May 08 2020 Nick Samson 1.6.37-1 -- Updated to 1.6.37 to resolve CVE-2018-14550 and CVE-2019-7317. -- Updated Source0 URL. Removed %%sha line. -- License verified; moniker changed to reflect Fedora standards. +* Fri May 08 2020 Nick Samson 1.6.37-1 +- Updated to 1.6.37 to resolve CVE-2018-14550 and CVE-2019-7317. +- Updated Source0 URL. Removed %%sha line. +- License verified; moniker changed to reflect Fedora standards. -* Tue Sep 03 2019 Mateusz Malisz 1.6.35-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.6.35-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Bo Gan 1.6.35-1 -- Update to 1.6.35 +* Mon Sep 10 2018 Bo Gan 1.6.35-1 +- Update to 1.6.35 -* Tue Apr 11 2017 Harish Udaiya Kumar 1.6.29-1 -- Updated to version 1.6.29 +* Tue Apr 11 2017 Harish Udaiya Kumar 1.6.29-1 +- Updated to version 1.6.29 -* Thu Feb 23 2017 Divya Thaluru 1.6.27-1 -- Updated to version 1.6.27 +* Thu Feb 23 2017 Divya Thaluru 1.6.27-1 +- Updated to version 1.6.27 -* Mon Sep 12 2016 Harish Udaiya Kumar 1.6.23-2 -- Included the libpng16 pkgconfig +* Mon Sep 12 2016 Harish Udaiya Kumar 1.6.23-2 +- Included the libpng16 pkgconfig -* Wed Jul 27 2016 Divya Thaluru 1.6.23-1 -- Initial version +* Wed Jul 27 2016 Divya Thaluru 1.6.23-1 +- Initial version diff --git a/SPECS/libseccomp/libseccomp.spec b/SPECS/libseccomp/libseccomp.spec index e122b8ff63..f2e53b16d7 100644 --- a/SPECS/libseccomp/libseccomp.spec +++ b/SPECS/libseccomp/libseccomp.spec 
@@ -71,7 +71,7 @@ find %{buildroot} -type f -name "*.la" -delete -print - Modernize spec with macros - Remove libtool archive files -* Sat May 09 2020 Nick Samson - 2.4.1-2 +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Mar 17 2020 Henry Beberman - 2.4.1-1 diff --git a/SPECS/libselinux/libselinux.signatures.json b/SPECS/libselinux/libselinux.signatures.json index a5cd27dcfc..58a7d001cd 100644 --- a/SPECS/libselinux/libselinux.signatures.json +++ b/SPECS/libselinux/libselinux.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libselinux-2.9.tar.gz": "1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693" + "libselinux-3.2.tar.gz": "df758ef1d9d4811051dd901ea6b029ae334ffd7c671c128beb16bce1e25ac161" } } \ No newline at end of file diff --git a/SPECS/libselinux/libselinux.spec b/SPECS/libselinux/libselinux.spec index 32e3e10310..6ef1d020b9 100644 --- a/SPECS/libselinux/libselinux.spec +++ b/SPECS/libselinux/libselinux.spec @@ -1,17 +1,16 @@ -%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} Summary: SELinux library and simple utilities Name: libselinux -Version: 2.9 -Release: 6%{?dist} +Version: 3.2 +Release: 1%{?dist} License: Public Domain -Group: System Environment/Libraries -URL: https://github.com/SELinuxProject/selinux/wiki -Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/%{name}-%{version}.tar.gz Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Libraries +URL: https://github.com/SELinuxProject/selinux/wiki +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz BuildRequires: libsepol-devel -BuildRequires: pcre-devel, swig -BuildRequires: python3-devel +BuildRequires: pcre-devel +BuildRequires: swig Requires: pcre-libs Requires: libsepol 
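Review bot: In the libselinux.spec preamble, `BuildRequires: python3-devel` and the fallback definition of `python3_sitelib` are removed, while later hunks of the same spec still build the `pywrap` target and package `%{python3_sitelib}/*`. Unless the build root always supplies the Python headers and macros, the bindings now depend on an undeclared build input. Keeping `BuildRequires: python3-devel` next to `BuildRequires: swig` makes that dependency explicit and keeps the build reproducible outside the current toolchain image.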
@@ -33,7 +32,7 @@ decisions. Required for any applications that use the SELinux API. %package utils Summary: SELinux libselinux utilies Group: Development/Libraries -Requires: libselinux = %{version}-%{release} +Requires: %{name} = %{version}-%{release} %description utils The libselinux-utils package contains the utilities @@ -41,10 +40,9 @@ The libselinux-utils package contains the utilities %package devel Summary: Header files and libraries used to build SELinux Group: Development/Libraries -Requires: libselinux = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Requires: pcre-devel -Requires: libsepol-devel -Provides: pkgconfig(libselinux) +Requires: libsepol-devel >= %{version} %description devel The libselinux-devel package contains the libraries and header files 
@@ -54,44 +52,37 @@ needed for developing SELinux applications. Summary: SELinux python3 bindings for libselinux Group: Development/Libraries Provides: python3-%{name} = %{version}-%{release} -Requires: libselinux = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Requires: python3 -Requires: python3-libs %description python3 The libselinux-python package contains the python3 bindings for developing SELinux applications. %prep -%setup -qn %{name}-%{version} +%autosetup %build sed '/unistd.h/a#include ' -i src/setrans_client.c -make clean -make %{?_smp_mflags} swigify CFLAGS="%{build_cflags} -Wno-error=strict-overflow" -make LIBDIR="%{_libdir}" %{?_smp_mflags} PYTHON=/usr/bin/python3 pywrap +%make_build clean +%make_build swigify CFLAGS="%{build_cflags} -Wno-error=strict-overflow -fno-semantic-interposition" +%make_build LIBDIR="%{_libdir}" PYTHON=%{python3} pywrap %install - make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" PYTHON=/usr/bin/python3 install install-pywrap -mkdir -p %{buildroot}/%{_prefix}/lib/tmpfiles.d -mkdir -p %{buildroot}/var/run/setrans -echo "d /var/run/setrans 0755 root root" > %{buildroot}/%{_prefix}/lib/tmpfiles.d/libselinux.conf +mkdir -p %{buildroot}%{_libdir}/tmpfiles.d +mkdir -p %{buildroot}%{_localstatedir}/run/setrans +echo "d %{_localstatedir}/run/setrans 0755 root root" > %{buildroot}/%{_libdir}/tmpfiles.d/libselinux.conf -%clean -rm -rf %{buildroot} - -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %files %defattr(-,root,root,-) %license LICENSE -%ghost /var/run/setrans +%ghost %{_localstatedir}/run/setrans %{_libdir}/libselinux.so.1 -%{_prefix}/lib/tmpfiles.d/libselinux.conf +%{_libdir}/tmpfiles.d/libselinux.conf %files utils %defattr(-,root,root,-) 
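Review bot: The tmpfiles.d snippet is now written to `%{buildroot}/%{_libdir}/tmpfiles.d/libselinux.conf` and packaged from `%{_libdir}/tmpfiles.d`, but systemd-tmpfiles reads `/usr/lib/tmpfiles.d` whatever the library directory is. If `%{_libdir}` expands to a lib64 path on any target, the `d %{_localstatedir}/run/setrans 0755 root root` entry is ignored and the directory is not created with the intended owner and mode at boot. Keeping `%{_prefix}/lib/tmpfiles.d/libselinux.conf` (or `%{_tmpfilesdir}/libselinux.conf` where the systemd macros are available) in `%install` and `%files` avoids that. The `%install` line also still passes `PYTHON=/usr/bin/python3` while the build line switched to `PYTHON=%{python3}`.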
@@ -104,10 +95,10 @@ rm -rf %{buildroot} %files devel %defattr(-,root,root,-) %{_libdir}/libselinux.so -%{_libdir}/pkgconfig +%{_libdir}/libselinux.a +%{_libdir}/pkgconfig/libselinux.pc %dir %{_includedir}/selinux %{_includedir}/selinux/* -%{_libdir}/libselinux.a %{_mandir}/man3/* %files python3 
@@ -115,38 +106,61 @@ rm -rf %{buildroot} %{python3_sitelib}/* %changelog -* Mon May 19 2021 Nick Samson - 2.9-6 -- Removed python2 module support +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- License verified +- Remove manual pkgconfig provides +- Update source URL to new format +- Lint spec + +* Mon May 19 2021 Nick Samson - 2.9-6 +- Removed python2 module support + * Fri Feb 05 2021 Joe Schmitt - 2.9-5 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Mon Sep 28 2020 Ruying Chen 2.9-4 -- Provide python3-libselinux for -python3 subpackage -* Sat May 09 2020 Nick Samson 2.9-3 -- Added %%license line automatically -* Tue Mar 24 2020 Henry Beberman 2.9-2 -- Add -Wno-error=strict-overflow to resolve build break with gcc9 -* Tue Mar 17 2020 Henry Beberman 2.9-1 -- Update to 2.9. Fix Source0 URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.8-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 08 2019 Alexey Makhalov 2.8-2 -- Added BuildRequires python2-devel -* Fri Aug 10 2018 Srivatsa S. Bhat 2.8-1 -- Update to version 2.8 to get it to build with gcc 7.3 -* Thu Aug 24 2017 Alexey Makhalov 2.6-4 -- Fix compilation issue for glibc-2.26 -* Wed May 31 2017 Xiaolin Li 2.6-3 -- Include pytho3 packages. -* Mon May 22 2017 Harish Udaiya Kumar 2.6-2 -- Include python subpackage. -* Wed May 03 2017 Harish Udaiya Kumar 2.6-1 -- Upgraded to version 2.6 -* Tue May 02 2017 Anish Swaminathan 2.5-3 -- Remove pcre requires and add requires on pcre-libs -* Tue May 24 2016 Priyesh Padmavilasom 2.5-2 -- GA - Bump release of all rpms -* Fri Jan 22 2016 Xiaolin Li 2.5-1 -- Updated to version 2.5 -* Wed Feb 25 2015 Divya Thaluru 2.4-1 -- Initial build. 
First version +* Mon Sep 28 2020 Ruying Chen - 2.9-4 +- Provide python3-libselinux for -python3 subpackage + +* Sat May 09 2020 Nick Samson - 2.9-3 +- Added %%license line automatically + +* Tue Mar 24 2020 Henry Beberman - 2.9-2 +- Add -Wno-error=strict-overflow to resolve build break with gcc9 + +* Tue Mar 17 2020 Henry Beberman - 2.9-1 +- Update to 2.9. Fix Source0 URL. License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 2.8-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Jan 08 2019 Alexey Makhalov - 2.8-2 +- Added BuildRequires python2-devel + +* Fri Aug 10 2018 Srivatsa S. Bhat - 2.8-1 +- Update to version 2.8 to get it to build with gcc 7.3 + +* Thu Aug 24 2017 Alexey Makhalov - 2.6-4 +- Fix compilation issue for glibc-2.26 + +* Wed May 31 2017 Xiaolin Li - 2.6-3 +- Include pytho3 packages. + +* Mon May 22 2017 Harish Udaiya Kumar - 2.6-2 +- Include python subpackage. + +* Wed May 03 2017 Harish Udaiya Kumar - 2.6-1 +- Upgraded to version 2.6 + +* Tue May 02 2017 Anish Swaminathan - 2.5-3 +- Remove pcre requires and add requires on pcre-libs + +* Tue May 24 2016 Priyesh Padmavilasom - 2.5-2 +- GA - Bump release of all rpms + +* Fri Jan 22 2016 Xiaolin Li - 2.5-1 +- Updated to version 2.5 + +* Wed Feb 25 2015 Divya Thaluru - 2.4-1 +- Initial build. First version diff --git a/SPECS/libsemanage/libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch b/SPECS/libsemanage/libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch new file mode 100644 index 0000000000..1e1aef97cb --- /dev/null +++ b/SPECS/libsemanage/libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch 
@@ -0,0 +1,65 @@
+From dc105dcb5e34e256bcbcf547fea590cfcee06933 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 7 Nov 2018 18:17:34 +0100
+Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity
+ scan defects
+
+---
+ libsemanage/src/direct_api.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 9a4e79385b69..393ec9faf92d 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh,
+
+ fp = NULL;
+
+- ret = 0;
++ return 0;
+
+ cleanup:
+ if (fp != NULL) fclose(fp);
+@@ -2185,7 +2185,6 @@ cleanup:
+ semanage_module_info_destroy(sh, modinfo);
+ free(modinfo);
+
+- if (fp != NULL) fclose(fp);
+ return status;
+ }
+
+@@ -2350,16 +2349,6 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
+ free(tmp);
+ tmp = NULL;
+
+- if (fclose(fp) != 0) {
+- ERR(sh,
+- "Unable to close %s module lang ext file.",
+- (*modinfo)->name);
+- status = -1;
+- goto cleanup;
+- }
+-
+- fp = NULL;
+-
+ /* lookup enabled/disabled status */
+ ret = semanage_module_get_path(sh,
+ *modinfo,
+@@ -2403,7 +2392,13 @@ cleanup:
+ free(modinfos);
+ }
+
+- if (fp != NULL) fclose(fp);
++ if (fp != NULL && fclose(fp) != 0) {
++ ERR(sh,
++ "Unable to close %s module lang ext file.",
++ (*modinfo)->name);
++ status = -1;
++ }
++
+ return status;
+ }
+
+--
+2.32.0
diff --git a/SPECS/libsemanage/libsemanage.signatures.json b/SPECS/libsemanage/libsemanage.signatures.json
new file mode 100644
index 0000000000..f37c412358
--- /dev/null
+++ b/SPECS/libsemanage/libsemanage.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "libsemanage-3.2.tar.gz": "d722a55ca4fe2d4e2b30527720db657e6238b28079e69e2e4affeb8e733ee511",
+ "semanage.conf": "68d403bca3d7bd2e90d00cf44622dc0598817197994812e06367df0c239b1204"
+ }
+}
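Review bot: In the last hunk of the embedded patch, the new `fclose` failure branch in the `cleanup:` path of `semanage_direct_get_module_info` passes `(*modinfo)->name` to `ERR`, and it now runs on error paths as well as on success. The start of that cleanup block is outside the hunk; if it can free or reset `*modinfo` before this point when `status` is already negative, the log call would dereference a freed or NULL pointer, which is the class of defect the patch title says it fixes. Guarding the message with a check on `*modinfo`, or logging without the name on the failure path, would remove the doubt. Setting `status = -1` this late also means a caller may receive a failure code after the earlier cleanup logic has already decided what to release, so the ownership of `*modinfo` in that case should be confirmed against the full function.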
diff --git a/SPECS/libsemanage/libsemanage.spec b/SPECS/libsemanage/libsemanage.spec new file mode 100644 index 0000000000..29faed6703 --- /dev/null +++ b/SPECS/libsemanage/libsemanage.spec 
@@ -0,0 +1,1460 @@
+%define libsepolver 3.2-1
+%define libselinuxver 3.2-1
+Summary: SELinux binary policy manipulation library
+Name: libsemanage
+Version: 3.2
+Release: 1%{?dist}
+License: LGPLv2+
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/SELinuxProject/selinux/wiki
+Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: semanage.conf
+Patch0: libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
+BuildRequires: audit-devel
+BuildRequires: bison
+BuildRequires: bzip2
+BuildRequires: flex
+BuildRequires: gcc
+BuildRequires: libselinux-devel >= %{libselinuxver}
+BuildRequires: libsepol-devel >= %{libsepolver}
+BuildRequires: python3
+BuildRequires: python3-devel
+BuildRequires: swig
+Requires: audit-libs
+Requires: bzip2-libs
+Requires: libselinux%{?_isa} >= %{libselinuxver}
+Provides: libsemanage.so.1
+
+%description
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement®, Role-based Access
+Control, and Multi-level Security.
+
+libsemanage provides an API for the manipulation of SELinux binary policies.
+It is used by checkpolicy (the policy compiler) and similar tools, as well
+as by programs like load_policy that need to perform specific transformations
+on binary policies such as customizing policy boolean settings.
+
+%package devel
+Summary: Header files and libraries used to build policy manipulation tools
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Provides: %{name}-static = %{version}-%{release}
+
+%description devel
+The semanage-devel package contains the libraries and header files
+needed for developing applications that manipulate binary policies.
+
+%package python3
+Summary: semanage python 3 bindings for libsemanage
+Provides: python3-%{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libselinux-python3 >= %{libselinuxver}
+
+%description python3
+The libsemanage-python3 package contains the python 3 bindings for developing
+SELinux management applications.
+
+%prep
+%autosetup -p2
+
+%build
+%make_build clean
+%make_build swigify CFLAGS="%{build_cflags} -Wno-error=strict-overflow -fno-semantic-interposition"
+%make_build LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all
+%make_build LIBDIR="%{_libdir}" PYTHON=%{python3} pywrap
+
+%install
+mkdir -p %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_includedir}
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/tmp
+make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" PYTHON=%{_bindir}/python3 install install-pywrap
+
+cp %{SOURCE1} %{buildroot}%{_sysconfdir}/selinux/semanage.conf
+ln -sf %{_libdir}/libsemanage.so.2 %{buildroot}/%{_libdir}/libsemanage.so
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%dir %{_sysconfdir}/selinux
+%config(noreplace) %{_sysconfdir}/selinux/semanage.conf
+%{_libdir}/libsemanage.so.2
+%{_mandir}/man5/*
+%{_mandir}/ru/man5/*
+%dir %{_libexecdir}/selinux
+%dir %{_sharedstatedir}/selinux
+%dir %{_sharedstatedir}/selinux/tmp
+
+%files devel
+%{_libdir}/libsemanage.so
+%{_libdir}/pkgconfig/libsemanage.pc
+%dir %{_includedir}/semanage
+%{_includedir}/semanage/*.h
+%{_libdir}/libsemanage.a
+%{_mandir}/man3/*
+
+%files python3
+%{python3_sitelib}/*.so +%{python3_sitelib}/semanage.py* +%{python3_sitelib}/__pycache__/semanage.cpython*.pyc +%{_libexecdir}/selinux/semanage_migrate_store + +%changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version and rebase patch +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Add static subpackage provides to devel subpackage +- Update source URL to new format +- Lint spec +- License verified + +* Tue Aug 25 2020 Daniel Burgener - 2.9-4 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Tue Aug 13 2019 Petr Lautrbach - 2.9-3 +- Drop python2-libsemanage (#1738466) + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-8 +- Always set errno to 0 before calling getpwent() +- Set selinux policy root around calls to selinux_boolean_sub + +* Mon Dec 10 2018 Petr Lautrbach - 2.8-7 +- genhomedircon - improve handling large groups + +* Tue Nov 13 2018 Petr Lautrbach - 2.8-6 +- Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects + +* Mon Sep 17 2018 Petr Lautrbach - 2.8-5 +- Include user name in ROLE_REMOVE audit events + +* Tue Sep 4 2018 Petr Lautrbach - 2.8-4 +- Reset umask before creating directories (#1186422) + +* Fri Jul 13 2018 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro HronÄok - 2.8-2 +- Rebuilt for Python 3.7 + +* Fri May 25 2018 Petr Lautrbach - 2.8-1 +- SELinux userspace 2.8 release + 
+* Mon May 14 2018 Petr Lautrbach - 2.8-0.rc3.1 +- SELinux userspace 2.8-rc3 release candidate + +* Fri May 4 2018 Petr Lautrbach - 2.8-0.rc2.1 +- SELinux userspace 2.8-rc2 release candidate + +* Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 +- SELinux userspace 2.8-rc1 release candidate + +* Wed Mar 21 2018 Petr Lautrbach - 2.7-12 +- build: Replace PYSITEDIR with PYTHONLIBDIR +- direct_api.c: Fix iterating over array (#1557468) + +* Fri Mar 16 2018 Petr Lautrbach - 2.7-11 +- Revert "remove access() check to make setuid programs work" (#1557468) + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-10 +- properly check return value of iterate function +- Use umask(0077) for fopen() write operations +- Return commit number if save-previous false +- Allow tmp files to be kept if a compile fails +- build: follow standard semantics for DESTDIR and PREFIX +- Improve warning for installing disabled module +- silence clang static analyzer report +- remove access() check to make setuid programs work + +* Fri Feb 09 2018 Igor Gnatenko - 2.7-9 +- Escape macros in %%changelog + +* Wed Feb 07 2018 Fedora Release Engineering - 2.7-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 2.7-7 +- Switch to %%ldconfig_scriptlets + +* Tue Jan 09 2018 Iryna Shcherbina - 2.7-6 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-5 +- free genhomedircon fallback user +- Rebuild with libsepol-2.7-3 and libselinux-2.7-6 + +* Fri Oct 20 2017 Petr Lautrbach - 2.7-4 +- Add support for listing fcontext.homedirs file (#1409813) + +* Sun Aug 20 2017 Zbigniew JÄ™drzejewski-Szmek - 2.7-3 +- Add Provides for the old names without %%_isa + +* Thu Aug 10 2017 Zbigniew JÄ™drzejewski-Szmek - 2.7-2 +- Python 2 binary package renamed to python2-libsemanage + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 +- Python 3 
binary package renamed to python3-libsemanage + +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 +- Use 'sefcontext_compile -r' when it's run during SELinux policy build + +* Thu Aug 03 2017 Fedora Release Engineering - 2.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Apr 28 2017 Petr Lautrbach - 2.6-4 +- Follow upstream and rename _semanage.so to _semanage.cpython-36m-x86_64-linux-gnu.so + +* Tue Apr 18 2017 Petr Lautrbach - 2.6-3 +- Do not list duplicate port entries after setting a boolean (#1439875) + +* Thu Mar 02 2017 Petr Lautrbach - 2.6-2 +- Fix FTBFS - fatal error (#1427903) + +* Mon Feb 20 2017 Petr Lautrbach - 2.6-1.1 +- Update to upstream release 2016-10-14 + +* Fri Feb 10 2017 Fedora Release Engineering - 2.5-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Dec 09 2016 Charalampos Stratakis - 2.5-9 +- Rebuild for Python 3.6 + +* Mon Oct 03 2016 Petr Lautrbach 2.5-8 +- Fixes bug preventing the installation of base modules +- make distclean target work +- Do not always print a module name warning +- Use pp module name instead of filename when installing module +- tests: Do not force using gcc +- genhomedircon: remove hardcoded refpolicy strings +- genhomedircon: add support for %%group syntax +- genhomedircon: generate contexts for logins mapped to the default user +- Validate and compile file contexts before installing +- Swap tcp and udp protocol numbers + +* Mon Aug 01 2016 Petr Lautrbach 2.5-7 +- Rebuilt with libsepol-2.5-9 and libselinux-2.5-11 + +* Tue Jul 19 2016 Fedora Release Engineering - 2.5-6 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jun 23 2016 Petr Lautrbach - 2.5-5 +- Sort object files for deterministic linking order +- Support overriding Makefile RANLIB +- 
Respect CC and PKG_CONFIG environment variable + +* Fri May 06 2016 Petr Lautrbach - 2.5-4 +- Fix multiple spelling errors +- genhomedircon: %%{USERID} and %%{USERNAME} support and code cleanup + +* Mon Mar 21 2016 Petr Lautrbach - 2.5-3 +- Enable expand-check by default (#1319652) + +* Sun Feb 28 2016 Petr Lautrbach 2.5-2 +- Use fully versioned arch-specific requires + +* Tue Feb 23 2016 Petr Lautrbach 2.5-1 +- Update to upstream release 2016-02-23 + +* Sun Feb 21 2016 Petr Lautrbach 2.5-0.1.rc1 +- Update to upstream rc1 release 2016-01-07 + +* Thu Feb 04 2016 Fedora Release Engineering - 2.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Nov 04 2015 Robert Kuska - 2.4-5 +- Rebuilt for Python3.5 rebuild + +* Fri Sep 04 2015 Petr Lautrbach 2.4-4 +- Save homedir_template in the policy store for genhomedircon + https://bugs.gentoo.org/558686 + +* Fri Aug 14 2015 Adam Jackson 2.4-3 +- Pass ldflags into the build so hardening works + +* Thu Jul 30 2015 Petr Lautrbach 2.4-2 +- semanage_migrate_store: use /usr/bin/python3 +- move semanage_migrate_store script to libsemanage-python3 + +* Wed Jun 24 2015 Petr Lautrbach 2.4-0.6 +- Allow to use compressed modules without a compression extension + +* Wed Jun 17 2015 Fedora Release Engineering - 2.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Jun 16 2015 Petr Lautrbach 2.4-0.5 +- add /var/lib/selinux/tmp directory + +* Tue May 12 2015 Petr Lautrbach 2.4-0.4 +- semanage_migrate_store: add -r option for migrating inside chroots + +* Mon Apr 13 2015 Petr Lautrbach 2.4-0.3 +- Update to upstream release 2.4 + +* Sun Aug 17 2014 Fedora Release Engineering - 2.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Miroslav Grepl - 2.3-5 +- Skip policy module re-link when only setting booleans. 
+ * patch from Stephen Smalley + +* Fri Jul 18 2014 Tom Callaway - 2.3-4 +- fix license handling + +* Sat Jun 07 2014 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 28 2014 Kalev Lember - 2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Tue May 6 2014 Dan Walsh - 2.3-1 +- Update to upstream + * Fix memory leak in semanage_genhomedircon from Thomas Hurd. + +* Sun Mar 30 2014 Dan Walsh - 2.2-3 +- libsemanage: fix memory leak in semanage_genhomedircon +- Patch from THomas Hurd + +* Tue Feb 11 2014 Dan Walsh - 2.2-2 +- Move semanage.conf man page from devel package to main package + +* Thu Oct 31 2013 Dan Walsh - 2.2-1 +- Update to upstream + * Avoid duplicate list entries from Dan Walsh. + * Add audit support to libsemanage from Dan Walsh. + * Remove policy.kern and replace with symlink from Dan Walsh. + * Apply a MAX_UID check for genhomedircon from Laurent Bigonville. + * Fix man pages from Laurent Bigonville. + +* Wed Oct 16 2013 Dan Walsh - 2.1.10-14 +- Cleanup handling of missing mls_range to fix problems with useradd -Z +- Fix auditing of login record changes, roles were not working correctly. +Resolves: #952237 + +* Fri Oct 4 2013 Dan Walsh - 2.1.10-13 +- Fix errors found by coverity +Resolves: #952237 + +* Wed Sep 25 2013 Dan Walsh - 2.1.10-12 +- Do not fail on missing SELinux User Record when adding login record + +* Mon Sep 23 2013 Dan Walsh - 2.1.10-11 +- Add msg to audit records + +* Thu Sep 19 2013 Dan Walsh - 2.1.10-10 +- Do not write error message to screen when looking for previous record for auditing. +- Add mls_range from user record if the MLS range is not specified by the seuser add record. +- Error out if seuser or mls range is not specified when adding user records + +* Mon Sep 9 2013 Dan Walsh - 2.1.10-9 +- Create symlink from policy.kern to active kernel. + +* Fri Sep 6 2013 Dan Walsh - 2.1.10-8 +- Unlink policy.kern when done to save space. 
+ +* Fri Jul 26 2013 Dan Walsh - 2.1.10-7 +- Move handling of role audit records into the library +- Patch stops semanage from removing user record while in use + +* Tue Jul 9 2013 Dan Walsh - 2.1.10-6 +- Remove dependance on selinux-policy, /etc/selinux should be owned by libsemanage, and selinux-policy can require it. + +* Fri Jun 28 2013 Dan Walsh - 2.1.10-5 +- Allways build python3 version + +* Mon Apr 22 2013 Dan Walsh - 2.1.10-4 +- + +* Thu Apr 11 2013 Dan Walsh - 2.1.10-3 +- Fix test suite to build + +* Thu Feb 14 2013 Dan Walsh - 2.1.10-2 +- Revert some changes which are causing the wrong policy version file to be created + +* Thu Feb 7 2013 Dan Walsh - 2.1.10-1 +- Update to upstream + * Add sefcontext_compile to compile regex everytime policy is rebuilt + * Cleanup/fix enable/disable/remove module. + * redo genhomedircon minuid + * fixes from coverity + * semanage_store: do not leak memory in semanage_exec_prog + * genhomedircon: remove useless conditional in get_home_dirs + * genhomedircon: double free in get_home_dirs + * fcontext_record: do not leak on error in semanage_fcontext_key_create + * genhomedircon: do not leak on failure in write_gen_home_dir_context + * semanage_store: do not leak fd + * genhomedircon: do not leak shells list + * semanage_store: do not leak on strdup failure + * semanage_store: rewrite for readability + +* Wed Jan 16 2013 Dan Walsh 2.1.9-4 +- Add selinux-policy as a requires to get /etc/selinux owned + +* Sat Jan 5 2013 Dan Walsh 2.1.9-3 +- Update to latest patches from eparis/Upstream +- libsemanage: fixes from coverity +- libsemange: redo genhomedircon minuid + +* Wed Nov 21 2012 Dan Walsh - 2.1.9-2 +- Fix handling of missing semanage permissive -d foo, not failing correctly +- Previous to this fix the first module beginning with foo would get deleted. 
+ +* Thu Sep 13 2012 Dan Walsh - 2.1.9-1 +- Update to upstream + * libsemanage: do not set soname needlessly + * libsemanage: remove PYTHONLIBDIR and ruby equivalent + * do boolean name substitution + * Fix segfault for building standard policies. + +* Fri Aug 03 2012 David Malcolm - 2.1.8-6 +- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 + +* Wed Aug 1 2012 David Malcolm - 2.1.8-5 +- remove rhel logic from with_python3 conditional + +* Thu Jul 19 2012 Fedora Release Engineering - 2.1.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jul 13 2012 Dan Walsh - 2.1.8-3 +- Attempt to allocate memory for selinux_binary_policy_path and free memory +- allocated by asprintf. + +* Thu Jul 12 2012 Dan Walsh - 2.1.8-2 +- Fix asprintf within an asprintf call + +* Wed Jul 4 2012 Dan Walsh - 2.1.8-1 +- Update to upstream + * remove build warning when build swig c files + * additional makefile support for rubywrap + * ignore 80 column limit for readability + * semanage_store: fix snprintf length argument by using asprintf + * Use default semanage.conf as a fallback + * use after free in python bindings + +* Tue May 29 2012 Dan Walsh - 2.1.7-2 +- Apply patch from Sven Vermeulen to fix problem with python3 bindings. + +* Thu Mar 29 2012 Dan Walsh - 2.1.7-1 +- Update to upstream + * Alternate path for semanage.conf + * do not link against libpython, this is considered bad in Debian + * Allow to build for several ruby version + * fallback-user-level + +* Wed Feb 15 2012 Dan Walsh - 2.1.6-3 +- Check in correct patch. 
+ +* Fri Jan 13 2012 Fedora Release Engineering - 2.1.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Jan 6 2012 Dan Walsh - 2.1.6-2 +- Add patch form Xin Ouyang to make library use private semanage.conf + +* Wed Dec 21 2011 Dan Walsh - 2.1.6-1 +-Update to upstream + * add ignoredirs config for genhomedircon + * Fallback_user_level can be NULL if you are not using MLS + +* Thu Dec 15 2011 Dan Walsh - 2.1.5-4 +- Rebuild with latest libsepol + +* Thu Dec 15 2011 Dan Walsh - 2.1.5-3 +- Rebuild with latest libsepol + +* Thu Dec 15 2011 Dan Walsh - 2.1.5-2 +- Add support for ignoredirs param in /etc/selinux/semanage.conf + +* Fri Nov 4 2011 Dan Walsh - 2.1.5-1 +- Upgrade to upstream + * regenerate .pc on VERSION change + * maintain mode even if umask is tighter + * semanage.conf man page + * create man5dir if not exist + +* Wed Oct 19 2011 Dan Walsh - 2.1.4-2 +- Fix handling of umask, so files get created with the correct label. + +* Mon Sep 19 2011 Dan Walsh - 2.1.4-2 +- Add Guido Trentalancia semanage.conf man page + +* Mon Sep 19 2011 Dan Walsh - 2.1.4-1 +-Update to upstream + * Create a new preserve_tunables flag + * tree: default make target to all not + * fix semanage_store_access_check calling arguments + +* Wed Sep 14 2011 Dan Walsh - 2.1.3-2 +- Add support for preserving tunables + +* Tue Aug 30 2011 Dan Walsh - 2.1.3-1 +-Update to upstream + * python wrapper makefile changes + +* Thu Aug 18 2011 Dan Walsh - 2.1.2-1 +-Update to upstream +2.1.2 2011-08-17 + * print error debug info for buggy fc + * introduce semanage_set_root and friends + * throw exceptions in python rather than return + * python3 support. 
+ * patch for MCS/MLS in user files +2.1.1 2011-08-01 + * Remove generated files, expand .gitignore + * Use -Werror and change a few prototypes to support it + +* Thu Jul 28 2011 Dan Walsh - 2.1.0-1 +- Update to upstream + * Release, minor version bump + +* Wed Jun 8 2011 Dan Walsh - 2.0.46-6 +- More fixes for disabled modules + +* Tue Jun 7 2011 Dan Walsh - 2.0.46-5 +- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module +indicating the module is disabled. MODULE.pp.disabled, it will no longer rename the module. This way we can +ship active modules in rpm. + +* Wed Jun 1 2011 Dan Walsh - 2.0.46-4 +- Add semanage_set_selinux_path, to allow semodule to work on alternate selinux pools + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.46-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 30 2010 David Malcolm - 2.0.46-2 +- big reworking of the support-multiple-python-builds patch to deal with +PEP 3149: the latest Python 3.2 onwards uses include paths and library names +that don't fit prior naming patterns, and so we must query python3-config for +this information. To complicate things further, python 2's python-config +doesn't understand all of the options needed ("--extension-suffix"). I've +thus added new Makefile variables as needed, to be supplied by the specfile by +invoking the appropriate config tool (or by hardcoding the old value for +"--extension-suffix" i.e. 
".so") +- rework python3 manifest for PEP 3149, and rebuild for newer python3 + +* Tue Dec 21 2010 Dan Walsh - 2.0.46-1 +- Update to upstream + * Fix compliation under GCC 4.6 by Justin Mattock + +* Wed Aug 25 2010 Thomas Spura - 2.0.45-6 +- rebuild with python3.2 + http://lists.fedoraproject.org/pipermail/devel/2010-August/141368.html + +* Wed Jul 21 2010 David Malcolm - 2.0.45-5 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Tue Apr 27 2010 David Malcolm - 2.0.45-4 +- add python3 subpackage + +* Wed Apr 7 2010 Dan Walsh - 2.0.45-3 +- Fix -devel package to point at the correct shared library + +* Fri Mar 26 2010 Dan Walsh - 2.0.45-2 +- Move shared library to /usr/lib + +* Mon Mar 8 2010 Dan Walsh - 2.0.45-1 +- Update to upstream + * Add enable/disable patch support from Dan Walsh. + * Add usepasswd flag to semanage.conf to disable genhomedircon using + passwd from Dan Walsh. + * regenerate swig wrappers + +* Thu Feb 25 2010 Dan Walsh - 2.0.44-2 +- Allow disable of usepasswd + +* Wed Feb 17 2010 Dan Walsh - 2.0.44-1 +- Update to upstream + * Replace usage of fmemopen() with sepol_policy_file_set_mem() since + glibc < 2.9 does not support binary mode ('b') for fmemopen'd + streams. + +* Thu Jan 28 2010 Dan Walsh - 2.0.43-4 +- Cleanup spec file + +* Mon Jan 18 2010 Dan Walsh - 2.0.43-3 +- Splect libsemanage.a into a static subpackage to keep fedora packaging guidelines happy + +* Wed Dec 16 2009 Dan Walsh - 2.0.43-2 +- Rebuild all c programs with -fPIC + +* Tue Dec 1 2009 Dan Walsh - 2.0.43-1 +- Update to upstream + * Move libsemanage.so to /usr/lib + * Add NAME lines to man pages from Manoj Srivastava + +* Wed Nov 18 2009 Dan Walsh - 2.0.42-1 +- Update to upstream + * Move load_policy from /usr/sbin to /sbin from Dan Walsh. + +* Mon Nov 2 2009 Dan Walsh - 2.0.41-1 +- Update to upstream + * Add pkgconfig file from Eamon Walsh. 
+ * Add semanage_set_check_contexts() function to disable calling + setfiles + +* Mon Sep 28 2009 Dan Walsh - 2.0.39-1 +- Update to upstream + * make swigify + +* Sun Sep 20 2009 Dan Walsh - 2.0.38-2 +- Dont relabel /root with genhomedircon + +* Thu Sep 17 2009 Dan Walsh - 2.0.38-1 +- Update to upstream + * Change semodule upgrade behavior to install even if the module + is not present from Dan Walsh. + * Make genhomedircon trim excess '/' from homedirs from Dan Walsh. + +* Wed Sep 9 2009 Dan Walsh - 2.0.37-1 +- Update to upstream + * Fix persistent dontaudit support to rebuild policy if the + dontaudit state is changed from Chad Sellers. +- Move load_policy to /sbin + +* Fri Aug 28 2009 Dan Walsh - 2.0.36-2 +- Add enable/disable modules + +* Wed Aug 26 2009 Dan Walsh - 2.0.36-1 +- Update to upstream + * Changed bzip-blocksize=0 handling to support existing compressed + modules in the store. + +* Wed Aug 26 2009 Dan Walsh - 2.0.35-2 +- Make sure /root is not used in genhomedircon + +* Wed Aug 5 2009 Dan Walsh - 2.0.35-1 +- Revert hard linking of files between tmp/active/previous. +- Enable configuration of bzip behavior from Stephen Smalley. +- bzip-blocksize=0 to disable compression and decompression support. +- bzip-blocksize=1..9 to set the blocksize for compression. +- bzip-small=true to reduce memory usage for decompression. + +* Sat Jul 25 2009 Fedora Release Engineering - 2.0.33-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Fri Jul 10 2009 Dan Walsh - 2.0.33-2 +- Put check for /root back into genhomedircon + +* Tue Jul 7 2009 Dan Walsh - 2.0.33-1 +- Update to upstream + +* Mon Jun 8 2009 Dan Walsh - 2.0.32-1 +- Update to upstream + * Ruby bindings from David Quigley. 
+ +* Thu Apr 9 2009 Dan Walsh - 2.0.31-5 +- Return error on invalid file + +* Wed Mar 11 2009 Dan Walsh - 2.0.31-4 +- Fix typo + +* Wed Feb 25 2009 Fedora Release Engineering - 2.0.31-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Jan 15 2009 Dan Walsh - 2.0.31-2 +- Fix link to only link on sandbox + +* Mon Jan 12 2009 Dan Walsh - 2.0.31-1 +- Update to upstream + * Policy module compression (bzip) support from Dan Walsh. + * Hard link files between tmp/active/previous from Dan Walsh. + +* Mon Jan 12 2009 Dan Walsh - 2.0.30-3 +- Fix up patch to get it upstreamed + +* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 2.0.30-2 +- Rebuild for Python 2.6 + +* Thu Dec 4 2008 Dan Walsh - 2.0.30-1 +- Add semanage_mls_enabled() interface from Stephen Smalley. + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0.29-2 +- Rebuild for Python 2.6 + +* Mon Sep 15 2008 Dan Walsh - 2.0.28-1 +- Update to upstream + * Add USER to lines to homedir_template context file from Chris PeBenito. + +* Mon Sep 15 2008 Dan Walsh - 2.0.28-2 +- Add compression support + +* Mon Sep 15 2008 Dan Walsh - 2.0.28-1 +- Update to upstream + * allow fcontext and seuser changes without rebuilding the policy from Dan Walsh + +* Wed Sep 10 2008 Dan Walsh - 2.0.27-3 +- Additional fixes for Don't rebuild on fcontext or seuser modifications + +* Tue Sep 2 2008 Dan Walsh - 2.0.27-2 +- Don't rebuild on fcontext or seuser modifications + +* Tue Aug 5 2008 Dan Walsh - 2.0.27-1 +- Update to upstream + * Modify genhomedircon to skip groupname entries. + Ultimately we need to expand them to the list of users to support per-role homedir labeling when using the groupname syntax. + +* Tue Jul 29 2008 Dan Walsh - 2.0.26-1 +- Update to upstream + * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. + Strip any trailing slash before appending /*$. 
+ +* Tue Jun 17 2008 Dan Walsh - 2.0.25-3 +- Another fix for genhomedircon + +* Wed May 28 2008 Tom "spot" Callaway - 2.0.25-2 +- fix license tag + +* Tue Feb 5 2008 Dan Walsh - 2.0.25-1 +- Update to upstream + * Do not call genhomedircon if the policy was not rebuilt from Stephen Smalley. + Fixes semanage boolean -D seg fault (bug 441379). + +* Tue Feb 5 2008 Dan Walsh - 2.0.24-1 +- Update to upstream + * make swigify + +* Tue Feb 5 2008 Dan Walsh - 2.0.23-1 +- Update to upstream + * Use vfork rather than fork for libsemanage helpers to reduce memory overhead as suggested by Todd Miller. + +* Mon Feb 4 2008 Dan Walsh - 2.0.22-1 +- Update to upstream + * Free policydb before fork from Joshua Brindle. + * Drop the base module immediately after expanding to permit memory re-use from Stephen Smalley. + +* Sat Feb 2 2008 Dan Walsh - 2.0.20-1 +- Update to upstream + * Use sepol_set_expand_consume_base to reduce peak memory usage when + using semodule + +* Fri Feb 1 2008 Dan Walsh - 2.0.19-1 +- Update to upstream + * Fix genhomedircon to not override a file context with a homedir context from Todd Miller. + +* Tue Jan 29 2008 Dan Walsh - 2.0.18-1 +- Update to upstream + * Fix spurious out of memory error reports. + * Merged second version of fix for genhomedircon handling from Caleb Case. + +* Tue Jan 22 2008 Dan Walsh - 2.0.16-1 +- Update to upstream + * Merged fix for genhomedircon handling of missing HOME_DIR or HOME_ROOT templates from Caleb Case. + +* Tue Jan 22 2008 Dan Walsh - 2.0.15-2 +- Stop differentiating on user for homedir labeling + +* Thu Dec 6 2007 Dan Walsh - 2.0.15-1 +- Update to upstream + * Fix genhomedircon handling of shells and missing user context template from Dan Walsh. + * Copy the store path in semanage_select_store from Dan Walsh. 
+- Add expand-check=0 to semanage.conf + +* Mon Dec 3 2007 Dan Walsh - 2.0.14-5 +- Fix handling of /etc/shells so genhomedircon will work + +* Thu Nov 29 2007 Dan Walsh - 2.0.14-3 +- Allow semanage_genhomedircon to work with out a USER int homedir.template + +* Sat Nov 10 2007 Dan Walsh - 2.0.14-2 +- Fix semanage_select_store to allocate memory, fixes crash on invalid store + +* Tue Nov 6 2007 Dan Walsh - 2.0.14-1 +- Upgrade to latest from NSA + * Call rmdir() rather than remove() on directory removal so that errno isn't polluted from Stephen Smalley. + * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley. + +* Fri Oct 5 2007 Dan Walsh - 2.0.12-1 +- Upgrade to latest from NSA + * ustr cleanups from James Antill. + * Ensure that /root gets labeled even if using the default context from Dan Walsh. + +* Fri Sep 28 2007 Dan Walsh - 2.0.11-1 +- Upgrade to latest from NSA + * Fix ordering of file_contexts.homedirs from Todd Miller and Dan Walsh. + +* Fri Sep 28 2007 Dan Walsh - 2.0.10-2 +- Fix sort order on generated homedir context + +* Fri Sep 28 2007 Dan Walsh - 2.0.10-1 +- Upgrade to latest from NSA + * Fix error checking on getpw*_r functions from Todd Miller. + * Make genhomedircon skip invalid homedir contexts from Todd Miller. + * Set default user and prefix from seusers from Dan Walsh. + * Add swigify Makefile target from Dan Walsh. + +* Wed Sep 26 2007 Dan Walsh - 2.0.9-1 +- Upgrade to latest from NSA + * Pass CFLAGS to CC even on link command, per Dennis Gilmore. + * Clear errno on non-fatal errors to avoid reporting them upon a + later error that does not set errno. + * Improve reporting of system errors, e.g. full filesystem or read-only filesystem from Stephen Smalley. 
+- Fix segfault in genhomedircon when using bad user names + +* Wed Sep 26 2007 Dan Walsh - 2.0.6-2 +- Fix genhomedircon code to only generate valid context +- Fixes autorelabel problem + +* Thu Sep 13 2007 Dan Walsh - 2.0.6-1 +- Upgrade to latest from NSA + * Change to use getpw* function calls to the _r versions from Todd Miller. + +* Thu Aug 23 2007 Dan Walsh - 2.0.5-1 +- Upgrade to latest from NSA + +* Mon Aug 20 2007 Dan Walsh - 2.0.4-1 +- Upgrade to latest from NSA + * Allow dontaudits to be turned off via semanage interface when + updating policy + +* Sat Aug 11 2007 Dan Walsh - 2.0.3-5 +- Add ability to load a policy without dontaudit rules +- + +* Tue Jun 26 2007 Dan Walsh - 2.0.3-4 +- Rebuild to fix segfault on x86 platforms, swigify on each build + +* Fri Jun 1 2007 Dan Walsh - 2.0.3-3 +- Rebuild for rawhide + +* Thu May 3 2007 Dan Walsh - 2.0.3-2 +- Apply patch to fix dependencies in spec file from Robert Scheck + +* Wed Apr 25 2007 Dan Walsh - 2.0.3-1 +- Upgrade to latest from NSA + * Fix to libsemanage man patches so whatis will work better from Dan Walsh + +* Wed Apr 25 2007 Dan Walsh - 2.0.2-1 +- Upgrade to latest from NSA +- Merged optimizations from Stephen Smalley. +- do not set all booleans upon commit, only those whose values have changed +- only install the sandbox upon commit if something was rebuilt + +* Sat Mar 17 2007 Dan Walsh - 2.0.1-2 +- Add SELinux to Man page Names so man -k will work + +* Mon Mar 12 2007 Dan Walsh - 2.0.1-1 +- Merged dbase_file_flush patch from Dan Walsh. +- This removes any mention of specific tools (e.g. semanage) +- from the comment header of the auto-generated files, +- since there are multiple front-end tools. + +* Tue Feb 20 2007 Dan Walsh - 2.0.0-1 +- Upgrade to latest from NSA + * Merged Makefile test target patch from Caleb Case. + * Merged get_commit_number function rename patch from Caleb Case. + * Merged strnlen -> strlen patch from Todd Miller. 
+ +* Wed Feb 7 2007 Dan Walsh - 1.10.1-1 +- Upgrade to latest from NSA + * Merged python binding fix from Dan Walsh. + * Updated version for stable branch. + +* Fri Dec 22 2006 Dan Walsh - 1.9.2-1 +- Upgrade to latest from NSA + * Merged patch to optionally reduce disk usage by removing + the backup module store and linked policy from Karl MacMillan + * Merged patch to correctly propagate return values in libsemanage + +* Fri Dec 22 2006 Dan Walsh - 1.9.1-3 +- Apply Karl MacMillan patch to get proper error codes. + +* Thu Dec 7 2006 Jeremy Katz - 1.9.1-2 +- rebuild against python 2.5 + +* Tue Nov 28 2006 Dan Walsh - 1.9.1-1 +- Upgrade to latest from NSA + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libsepol. + +* Tue Oct 17 2006 Dan Walsh - 1.8-1 +- Upgrade to latest from NSA + * Updated version for release. + +* Thu Aug 31 2006 Dan Walsh - 1.6.17-1 +- Upgrade to latest from NSA + * Merged patch to skip reload if no active store exists and + the store path doesn't match the active store path from Dan Walsh. + * Merged patch to not destroy sepol handle on error path of + connect from James Athey. + * Merged patch to add genhomedircon path to semanage.conf from + James Athey. + +* Thu Aug 31 2006 Dan Walsh - 1.6.16-3 +- Fix semanage to not load if is not the correct policy type and it is installing + +* Thu Aug 31 2006 Dan Walsh - 1.6.16-2 +- Fix requires lines + +* Wed Aug 23 2006 Dan Walsh - 1.6.16-1 +- Upgrade to latest from NSA + * Make most copy errors fatal, but allow exceptions for + file_contexts.local, seusers, and netfilter_contexts if + the source file does not exist in the store. + +* Sat Aug 12 2006 Dan Walsh - 1.6.15-1 +- Upgrade to latest from NSA + * Merged separate local file contexts patch from Chris PeBenito. + * Merged patch to make most copy errors non-fatal from Dan Walsh. 
+ +* Thu Aug 10 2006 Dan Walsh - 1.6.13-3 +- Change other updates to be non-fatal + +* Wed Aug 9 2006 Dan Walsh - 1.6.13-2 +- Change netfilter stuff to be non-fatal so update can proceed. + +* Thu Aug 3 2006 Dan Walsh - 1.6.13-1 +- Upgrade to latest from NSA + * Merged netfilter contexts support from Chris PeBenito. + +* Mon Jul 17 2006 Dan Walsh - 1.6.12-2 +- Rebuild for new gcc + +* Tue Jul 11 2006 Dan Walsh - 1.6.12-1 +- Upgrade to latest from NSA + * Merged support for read operations on read-only fs from + Caleb Case (Tresys Technology). + +* Tue Jul 4 2006 Dan Walsh - 1.6.11-1 +- Upgrade to latest from NSA + * Lindent. + * Merged setfiles location check patch from Dan Walsh. + +* Fri Jun 16 2006 Dan Walsh - 1.6.9-1 +- Upgrade to latest from NSA + * Merged several fixes from Serge Hallyn: + dbase_file_cache: deref of uninit data on error path. + dbase_policydb_cache: clear fp to avoid double fclose + semanage_fc_sort: destroy temp on error paths + +* Fri Jun 16 2006 Dan Walsh - 1.6.8-2 +- Handle setfiles being in /sbin or /usr/sbin + +* Mon May 15 2006 Dan Walsh - 1.6.8-1 +- Upgrade to latest from NSA + * Updated default location for setfiles to /sbin to + match policycoreutils. This can also be adjusted via + semanage.conf using the syntax: + [setfiles] + path = /path/to/setfiles + args = -q -c $@ $< + [end] + +* Mon May 15 2006 Dan Walsh - 1.6.7-3 +- Spec file cleanup from n0dalus+redhat@gmail.com + +* Mon May 15 2006 Dan Walsh - 1.6.7-2 +- Add /usr/include/semanage to spec file + +* Mon May 8 2006 Dan Walsh - 1.6.7-1 +- Upgrade to latest from NSA + * Merged fix warnings patch from Karl MacMillan. + +* Fri Apr 14 2006 Dan Walsh - 1.6.6-1 +- Upgrade to latest from NSA + * Merged updated file context sorting patch from Christopher + Ashworth, with bug fix for escaped character flag. + * Merged file context sorting code from Christopher Ashworth + (Tresys Technology), based on fc_sort.c code in refpolicy. 
+ * Merged python binding t_output_helper removal patch from Dan Walsh. + * Regenerated swig files. + +* Wed Mar 29 2006 Dan Walsh - 1.6.3-1 +- Fix to work with new version of swig +- Upgrade to latest from NSA + * Merged corrected fix for descriptor leak from Dan Walsh. + +* Wed Mar 29 2006 Dan Walsh - 1.6.2-2 +- Fix leaky descriptor + +* Tue Mar 21 2006 Dan Walsh - 1.6.2-1 +- Upgrade to latest from NSA + * Merged Makefile PYLIBVER definition patch from Dan Walsh. + * Merged man page reorganization from Ivan Gyurdiev. + +* Fri Mar 17 2006 Dan Walsh - 1.6-1 +- Make work on RHEL4 +- Upgrade to latest from NSA + * Merged abort early on merge errors patch from Ivan Gyurdiev. + * Cleaned up error handling in semanage_split_fc based on a patch + by Serge Hallyn (IBM) and suggestions by Ivan Gyurdiev. + * Merged MLS handling fixes from Ivan Gyurdiev. + +* Fri Feb 17 2006 Dan Walsh - 1.5.28-1 +- Upgrade to latest from NSA + * Merged bug fix for fcontext validate handler from Ivan Gyurdiev. + * Merged base_merge_components changes from Ivan Gyurdiev. + +* Thu Feb 16 2006 Dan Walsh - 1.5.26-1 +- Upgrade to latest from NSA + * Merged paths array patch from Ivan Gyurdiev. + * Merged bug fix patch from Ivan Gyurdiev. + * Merged improve bindings patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. + * Merged memory leak fix patch from Ivan Gyurdiev. + * Merged nodecon support patch from Ivan Gyurdiev. + * Merged cleanups patch from Ivan Gyurdiev. + * Merged split swig patch from Ivan Gyurdiev. + +* Mon Feb 13 2006 Dan Walsh - 1.5.23-1 +- Upgrade to latest from NSA + * Merged optionals in base patch from Joshua Brindle. + * Merged treat seusers/users_extra as optional sections patch from + Ivan Gyurdiev. + * Merged parse_optional fixes from Ivan Gyurdiev. 
+ +* Fri Feb 10 2006 Jesse Keating - 1.5.21-2.1 +- bump again for double-long bug on ppc(64) + +* Fri Feb 10 2006 Dan Walsh - 1.5.21-2 +- Fix handling of seusers and users_map file + +* Tue Feb 07 2006 Dan Walsh - 1.5.21-1 +- Upgrade to latest from NSA + * Merged seuser/user_extra support patch from Joshua Brindle. + * Merged remote system dbase patch from Ivan Gyurdiev. + +* Tue Feb 07 2006 Jesse Keating - 1.5.20-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Feb 2 2006 Dan Walsh 1.5.20-1 +- Upgrade to latest from NSA + * Merged clone record on set_con patch from Ivan Gyurdiev. + +* Mon Jan 30 2006 Dan Walsh 1.5.19-1 +- Upgrade to latest from NSA + * Merged fname parameter patch from Ivan Gyurdiev. + * Merged more size_t -> unsigned int fixes from Ivan Gyurdiev. + * Merged seusers.system patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + +* Fri Jan 27 2006 Dan Walsh 1.5.18-1 +- Upgrade to latest from NSA + * Merged seuser -> seuser_local rename patch from Ivan Gyurdiev. + * Merged set_create_store, access_check, and is_connected interfaces + from Joshua Brindle. + +* Fri Jan 13 2006 Dan Walsh 1.5.16-1 +- Upgrade to latest from NSA + * Regenerate python wrappers. + +* Fri Jan 13 2006 Dan Walsh 1.5.15-1 +- Upgrade to latest from NSA + * Merged pywrap Makefile diff from Dan Walsh. + * Merged cache management patch from Ivan Gyurdiev. + * Merged bugfix for dbase_llist_clear from Ivan Gyurdiev. + * Merged remove apply_local function patch from Ivan Gyurdiev. + * Merged only do read locking in direct case patch from Ivan Gyurdiev. + * Merged cache error path memory leak fix from Ivan Gyurdiev. + * Merged auto-generated file header patch from Ivan Gyurdiev. + * Merged pywrap test update from Ivan Gyurdiev. + * Merged hidden defs update from Ivan Gyurdiev. 
+ +* Fri Jan 13 2006 Dan Walsh 1.5.14-2 +- Break out python out of regular Makefile + +* Fri Jan 13 2006 Dan Walsh 1.5.14-1 +- Upgrade to latest from NSA + * Merged disallow port overlap patch from Ivan Gyurdiev. + * Merged join prereq and implementation patches from Ivan Gyurdiev. + * Merged join user extra data part 2 patch from Ivan Gyurdiev. + * Merged bugfix patch from Ivan Gyurdiev. + * Merged remove add_local/set_local patch from Ivan Gyurdiev. + * Merged user extra data part 1 patch from Ivan Gyurdiev. + * Merged size_t -> unsigned int patch from Ivan Gyurdiev. + * Merged calloc check in semanage_store patch from Ivan Gyurdiev, + bug noticed by Steve Grubb. + * Merged cleanups after add/set removal patch from Ivan Gyurdiev. + +* Sat Jan 7 2006 Dan Walsh 1.5.9-1 +- Upgrade to latest from NSA + * Merged const in APIs patch from Ivan Gyurdiev. + * Merged validation of local file contexts patch from Ivan Gyurdiev. + * Merged compare2 function patch from Ivan Gyurdiev. + * Merged hidden def/proto update patch from Ivan Gyurdiev. + +* Fri Jan 6 2006 Dan Walsh 1.5.8-1 +- Upgrade to latest from NSA + * Re-applied string and file optimization patch from Russell Coker, + with bug fix. + * Reverted string and file optimization patch from Russell Coker. + * Clarified error messages from parse_module_headers and + parse_base_headers for base/module mismatches. + +* Fri Jan 6 2006 Dan Walsh 1.5.6-1 +- Upgrade to latest from NSA + * Clarified error messages from parse_module_headers and + parse_base_headers for base/module mismatches. + * Merged string and file optimization patch from Russell Coker. + * Merged swig header reordering patch from Ivan Gyurdiev. + * Merged toggle modify on add patch from Ivan Gyurdiev. + * Merged ports parser bugfix patch from Ivan Gyurdiev. + * Merged fcontext swig patch from Ivan Gyurdiev. + * Merged remove add/modify/delete for active booleans patch from Ivan Gyurdiev. + * Merged man pages for dbase functions patch from Ivan Gyurdiev. 
+ * Merged pywrap tests patch from Ivan Gyurdiev. + +* Thu Jan 5 2006 Dan Walsh 1.5.4-2 +- Patch to fix add + +* Thu Jan 5 2006 Dan Walsh 1.5.4-1 +- Upgrade to latest from NSA + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - separate file rw code from linked list + - annotate objects + - fold together internal headers + - support ordering of records in compare function + - add active dbase backend, active booleans + - return commit numbers for ro database calls + - use modified flags to skip rebuild whenever possible + - enable port interfaces + - update swig interfaces and typemaps + - add an API for file_contexts.local and file_contexts + - flip the traversal order in iterate/list + - reorganize sandbox_expand + - add seusers MLS validation + - improve dbase spec/documentation + - clone record on set/add/modify + +* Tue Dec 27 2005 Dan Walsh 1.5.3-3 +- Add Ivans patch to turn on ports + +* Wed Dec 14 2005 Dan Walsh 1.5.3-2 +- Remove patch since upstream does the right thing + +* Wed Dec 14 2005 Dan Walsh 1.5.3-1 +- Upgrade to latest from NSA + * Merged further header cleanups from Ivan Gyurdiev. + * Merged toggle modified flag in policydb_modify, fix memory leak + in clear_obsolete, polymorphism vs headers fix, and include guards + for internal headers patches from Ivan Gyurdiev. + +* Tue Dec 13 2005 Dan Walsh 1.5.1-2 +- Upgrade to latest from NSA + * Merged toggle modified flag in policydb_modify, fix memory leak + in clear_obsolete, polymorphism vs headers fix, and include guards + for internal headers patches from Ivan Gyurdiev. + +* Mon Dec 12 2005 Dan Walsh 1.5.1-1 +- Upgrade to latest from NSA + * Added file-mode= setting to semanage.conf, default to 0644. + Changed semanage_copy_file and callers to use this mode when + installing policy files to runtime locations. 
+ +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Dec 7 2005 Dan Walsh 1.4-1 +- Fix mode of output seusers file + +* Tue Dec 6 2005 Dan Walsh 1.3.64-1 +- Upgrade to latest from NSA + * Changed semanage_handle_create() to set do_reload based on + is_selinux_enabled(). This prevents improper attempts to + load policy on a non-SELinux system. + +* Mon Dec 5 2005 Dan Walsh 1.3.63-1 +- Upgrade to latest from NSA + * Dropped handle from user_del_role interface. + * Removed defrole interfaces. + +* Tue Nov 29 2005 Dan Walsh 1.3.61-1 +- Upgrade to latest from NSA + * Merged Makefile python definitions patch from Dan Walsh. + * Removed is_selinux_mls_enabled() conditionals in seusers and users + file parsers. + +* Wed Nov 23 2005 Dan Walsh 1.3.59-1 +- Add additional swig objects + * Merged wrap char*** for user_get_roles patch from Joshua Brindle. + * Merged remove defrole from sepol patch from Ivan Gyurdiev. + * Merged swig wrappers for modifying users and seusers from Joshua Brindle. + +* Wed Nov 23 2005 Dan Walsh 1.3.56-2 +- Add additional swig objects + +* Wed Nov 16 2005 Dan Walsh 1.3.56-1 +- Upgrade to latest from NSA + * Fixed free->key_free bug. + * Merged clear obsolete patch from Ivan Gyurdiev. + * Merged modified swigify patch from Dan Walsh + (original patch from Joshua Brindle). + * Merged move genhomedircon call patch from Chad Sellers. + +* Mon Nov 14 2005 Dan Walsh 1.3.53-3 +- Add genhomedircon patch from Joshua Brindle + +* Fri Nov 11 2005 Dan Walsh 1.3.53-2 +- Add swigify patch from Joshua Brindle + +* Fri Nov 11 2005 Dan Walsh 1.3.53-1 +- Upgrade to latest from NSA + * Merged move seuser validation patch from Ivan Gyurdiev. + * Merged hidden declaration fixes from Ivan Gyurdiev, + with minor corrections. + +* Wed Nov 9 2005 Dan Walsh 1.3.52-1 +- Upgrade to latest from NSA + * Merged cleanup patch from Ivan Gyurdiev. 
+ This renames semanage_module_conn to semanage_direct_handle, + and moves sepol handle create/destroy into semanage handle + create/destroy to allow use even when disconnected (for the + record interfaces). + +* Tue Nov 8 2005 Dan Walsh 1.3.51-1 +- Upgrade to latest from NSA + * Clear modules modified flag upon disconnect and commit. + * Added tracking of module modifications and use it to + determine whether expand-time checks should be applied + on commit. + * Reverted semanage_set_reload_bools() interface. + +* Tue Nov 8 2005 Dan Walsh 1.3.48-1 +- Upgrade to latest from NSA + * Disabled calls to port dbase for merge and commit and stubbed + out calls to sepol_port interfaces since they are not exported. + * Merged rename instead of copy patch from Joshua Brindle (Tresys). + * Added hidden_def/hidden_proto for exported symbols used within + libsemanage to eliminate relocations. Wrapped type definitions + in exported headers as needed to avoid conflicts. Added + src/context_internal.h and src/iface_internal.h. + * Added semanage_is_managed() interface to allow detection of whether + the policy is managed via libsemanage. This enables proper handling + in setsebool for non-managed systems. + * Merged semanage_set_reload_bools() interface from Ivan Gyurdiev, + to enable runtime control over preserving active boolean values + versus reloading their saved settings upon commit. + +* Mon Nov 7 2005 Dan Walsh 1.3.43-1 +- Upgrade to latest from NSA + * Merged seuser parser resync, dbase tracking and cleanup, strtol + bug, copyright, and assert space patches from Ivan Gyurdiev. + * Added src/*_internal.h in preparation for other changes. + * Added hidden/hidden_proto/hidden_def to src/debug.[hc] and + src/seusers.[hc]. + +* Thu Nov 3 2005 Dan Walsh 1.3.41-1 +- Upgrade to latest from NSA + * Merged interface parse/print, context_to_string interface change, + move assert_noeof, and order preserving patches from Ivan Gyurdiev. 
+ * Added src/dso.h in preparation for other changes. + * Merged install seusers, handle/error messages, MLS parsing, + and seusers validation patches from Ivan Gyurdiev. + +* Mon Oct 31 2005 Dan Walsh 1.3.39-1 +- Upgrade to latest from NSA + * Merged record interface, dbase flush, common database code, + and record bugfix patches from Ivan Gyurdiev. + +* Fri Oct 28 2005 Dan Walsh 1.3.38-1 +- Upgrade to latest from NSA + * Merged dbase policydb list and count change from Ivan Gyurdiev. + * Merged enable dbase and set relay patches from Ivan Gyurdiev. + +* Thu Oct 27 2005 Dan Walsh 1.3.36-1 +- Update from NSA + * Merged query APIs and dbase_file_set patches from Ivan Gyurdiev. + +* Wed Oct 26 2005 Dan Walsh 1.3.35-1 +- Update from NSA + * Merged sepol handle passing, seusers support, and policydb cache + patches from Ivan Gyurdiev. + +* Tue Oct 25 2005 Dan Walsh 1.3.34-1 +- Update from NSA + * Merged resync to sepol changes and booleans fixes/improvements + patches from Ivan Gyurdiev. + * Merged support for genhomedircon/homedir template, store selection, + explicit policy reload, and semanage.conf relocation from Joshua + Brindle. + +* Mon Oct 24 2005 Dan Walsh 1.3.32-1 +- Update from NSA + * Merged resync to sepol changes and transaction fix patches from + Ivan Gyurdiev. + * Merged reorganize users patch from Ivan Gyurdiev. + * Merged remove unused relay functions patch from Ivan Gyurdiev. + +* Fri Oct 21 2005 Dan Walsh 1.3.30-1 +- Update from NSA + * Fixed policy file leaks in semanage_load_module and + semanage_write_module. + * Merged further database work from Ivan Gyurdiev. + * Fixed bug in semanage_direct_disconnect. + +* Thu Oct 20 2005 Dan Walsh 1.3.28-1 +- Update from NSA + * Merged interface renaming patch from Ivan Gyurdiev. + * Merged policy component patch from Ivan Gyurdiev. + * Renamed 'check=' configuration value to 'expand-check=' for + clarity. 
+ * Changed semanage_commit_sandbox to check for and report errors + on rename(2) calls performed during rollback. + * Added optional check= configuration value to semanage.conf + and updated call to sepol_expand_module to pass its value + to control assertion and hierarchy checking on module expansion. + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +* Tue Oct 18 2005 Dan Walsh 1.3.24-1 +- Update from NSA + * Merged default database from Ivan Gyurdiev. + * Merged removal of connect requirement in policydb backend from + Ivan Gyurdiev. + * Merged commit locking fix and lock rename from Joshua Brindle. + * Merged transaction rollback in lock patch from Joshua Brindle. + * Changed default args for load_policy to be null, as it no longer + takes a pathname argument and we want to preserve booleans. + * Merged move local dbase initialization patch from Ivan Gyurdiev. + * Merged acquire/release read lock in databases patch from Ivan Gyurdiev. + * Merged rename direct -> policydb as appropriate patch from Ivan Gyurdiev. + * Added calls to sepol_policy_file_set_handle interface prior + to invoking sepol operations on policy files. + * Updated call to sepol_policydb_from_image to pass the handle. + +* Tue Oct 18 2005 Dan Walsh 1.3.20-1 +- Update from NSA + * Changed default args for load_policy to be null, as it no longer + takes a pathname argument and we want to preserve booleans. + * Merged move local dbase initialization patch from Ivan Gyurdiev. + * Merged acquire/release read lock in databases patch from Ivan Gyurdiev. + * Merged rename direct -> policydb as appropriate patch from Ivan Gyurdiev. + * Added calls to sepol_policy_file_set_handle interface prior + to invoking sepol operations on policy files. + * Updated call to sepol_policydb_from_image to pass the handle. + +* Tue Oct 18 2005 Dan Walsh 1.3.20-1 +- Update from NSA + * Merged user and port APIs - policy database patch from Ivan + Gyurdiev. 
+ * Converted calls to sepol link_packages and expand_module interfaces + from using buffers to using sepol handles for error reporting, and + changed direct_connect/disconnect to create/destroy sepol handles. + +* Sat Oct 15 2005 Dan Walsh 1.3.18-1 +- Update from NSA + * Merged bugfix patch from Ivan Gyurdiev. + * Merged seuser database patch from Ivan Gyurdiev. + Merged direct user/port databases to the handle from Ivan Gyurdiev. + * Removed obsolete include/semanage/commit_api.h (leftover). + Merged seuser record patch from Ivan Gyurdiev. + * Merged boolean and interface databases from Ivan Gyurdiev. + +* Fri Oct 14 2005 Dan Walsh 1.3.14-1 +- Update from NSA + * Updated to use get interfaces for hidden sepol_module_package type. + * Changed semanage_expand_sandbox and semanage_install_active + to generate/install the latest policy version supported by libsepol + by default (unless overridden by semanage.conf), since libselinux + will now downgrade automatically for load_policy. + * Merged new callback-based error reporting system and ongoing + database work from Ivan Gyurdiev. + +* Wed Oct 12 2005 Dan Walsh 1.3.11-1 +- Update from NSA + * Fixed semanage_install_active() to use the same logic for + selecting a policy version as semanage_expand_sandbox(). Dropped + dead code from semanage_install_sandbox(). + +* Mon Oct 10 2005 Dan Walsh 1.3.10-1 +- Update from NSA + * Updated for changes to libsepol, and to only use types and interfaces + provided by the shared libsepol. + +* Fri Oct 7 2005 Dan Walsh 1.3.9-1 +- Update from NSA + * Merged further database work from Ivan Gyurdiev. + +* Tue Oct 4 2005 Dan Walsh 1.3.8-1 +- Update from NSA + * Merged iterate, redistribute, and dbase split patches from + Ivan Gyurdiev. + +* Mon Oct 3 2005 Dan Walsh 1.3.7-1 +- Update from NSA + * Merged patch series from Ivan Gyurdiev. + (pointer typedef elimination, file renames, dbase work, backend + separation) + * Split interfaces from semanage.[hc] into handle.[hc], modules.[hc]. 
+ * Separated handle create from connect interface. + * Added a constructor for initialization. + * Moved up src/include/*.h to src. + * Created a symbol map file; dropped dso.h and hidden markings. + +* Wed Sep 28 2005 Dan Walsh 1.3.5-1 +- Update from NSA + * Split interfaces from semanage.[hc] into handle.[hc], modules.[hc]. + * Separated handle create from connect interface. + * Added a constructor for initialization. + * Moved up src/include/*.h to src. + * Created a symbol map file; dropped dso.h and hidden markings. + +* Fri Sep 23 2005 Dan Walsh 1.3.4-1 +- Update from NSA + * Merged dbase redesign patch from Ivan Gyurdiev. + +* Wed Sep 21 2005 Dan Walsh 1.3.3-1 +- Update from NSA + * Merged boolean record, stub record handler, and status codes + patches from Ivan Gyurdiev. + +* Tue Sep 20 2005 Dan Walsh 1.3.2-1 +- Update from NSA + * Merged stub iterator functionality from Ivan Gyurdiev. + * Merged interface record patch from Ivan Gyurdiev. + +* Wed Sep 14 2005 Dan Walsh 1.3.1-1 +- Update from NSA + * Merged stub functionality for managing user and port records, + and record table code from Ivan Gyurdiev. + * Updated version for release. + +* Thu Sep 1 2005 Dan Walsh 1.1.6-1 +- Update from NSA + * Merged semod.conf template patch from Dan Walsh (Red Hat), + but restored location to /usr/share/semod/semod.conf. + * Fixed several bugs found by valgrind. + * Fixed bug in prior patch for the semod_build_module_list leak. + * Merged errno fix from Joshua Brindle (Tresys). + * Merged fix for semod_build_modules_list leak on error path + from Serge Hallyn (IBM). Bug found by Coverity. + +* Thu Aug 25 2005 Dan Walsh 1.1.3-1 +- Update from NSA + * Merged errno fix from Joshua Brindle (Tresys). + * Merged fix for semod_build_modules_list leak on error path + from Serge Hallyn (IBM). Bug found by Coverity. + * Merged several fixes from Serge Hallyn (IBM). Bugs found by + Coverity. + * Fixed several other bugs and warnings. 
+ * Merged patch to move module read/write code from libsemanage
+ to libsepol from Jason Tang (Tresys).
+ * Merged relay records patch from Ivan Gyurdiev.
+ * Merged key extract patch from Ivan Gyurdiev.
+- Initial version
+- Created by Stephen Smalley
diff --git a/SPECS/libsemanage/semanage.conf b/SPECS/libsemanage/semanage.conf
new file mode 100644
index 0000000000..90450216cd
--- /dev/null
+++ b/SPECS/libsemanage/semanage.conf
@@ -0,0 +1,57 @@
+# Authors: Jason Tang
+#
+# Copyright (C) 2004-2005 Tresys Technology, LLC
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# Specify how libsemanage will interact with a SELinux policy manager.
+# The four options are:
+#
+# "source" - libsemanage manipulates a source SELinux policy
+# "direct" - libsemanage will write directly to a module store.
+# /foo/bar - Write by way of a policy management server, whose
+# named socket is at /foo/bar. The path must begin
+# with a '/'.
+# foo.com:4242 - Establish a TCP connection to a remote policy
+# management server at foo.com. If there is a colon
+# then the remainder is interpreted as a port number;
+# otherwise default to port 4242.
+module-store = direct
+
+# When generating the final linked and expanded policy, by default
+# semanage will set the policy version to POLICYDB_VERSION_MAX, as
+# given in . Change this setting if a different
+# version is necessary.
+#policy-version = 19
+
+# expand-check check neverallow rules when executing all semanage
+# commands. There might be a penalty in execution time if this
+# option is enabled.
+expand-check=0
+
+# usepasswd check tells semanage to scan all pass word records for home directories
+# and setup the labeling correctly.
If this is turned off, SELinux will label /home +# correctly only. You will need to use semanage fcontext command. +# For example, if you had home dirs in /althome directory you would have to execute +# semanage fcontext -a -e /home /althome +usepasswd=False +bzip-small=true +bzip-blocksize=5 +ignoredirs=/root + +[sefcontext_compile] +path = /usr/sbin/sefcontext_compile +args = -r $@ +[end] diff --git a/SPECS/libsepol/libsepol.signatures.json b/SPECS/libsepol/libsepol.signatures.json index 3cbafed67e..e3252869bb 100644 --- a/SPECS/libsepol/libsepol.signatures.json +++ b/SPECS/libsepol/libsepol.signatures.json @@ -1,6 +1,5 @@ { "Signatures": { - "CUnit-2.1-2-src.tar.bz2": "1f705f30b36fe1dadb5494989d1d663241603f456b468c81f606a1bdbc168bea", - "libsepol-3.1.tar.gz": "ae6778d01443fdd38cd30eeee846494e19f4d407b09872580372f4aa4bf8a3cc" + "libsepol-3.2.tar.gz": "dfc7f662af8000116e56a01de6a0394ed79be1b34b999e551346233c5dd19508" } } \ No newline at end of file diff --git a/SPECS/libsepol/libsepol.spec b/SPECS/libsepol/libsepol.spec index d547c17620..c7055fd334 100644 --- a/SPECS/libsepol/libsepol.spec +++ b/SPECS/libsepol/libsepol.spec @@ -1,14 +1,16 @@ Summary: SELinux binary policy manipulation library Name: libsepol -Version: 3.1 +Version: 3.2 Release: 1%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/Libraries -URL: http://www.selinuxproject.org -Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz -Source1: https://sourceforge.net/projects/cunit/files/CUnit-2.1-2-src.tar.bz2 +URL: https://github.com/SELinuxProject/selinux/wiki +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz +%if %{with_check} +BuildRequires: cunit-devel +%endif %description Security-enhanced Linux is a feature of the Linux® kernel and a number 
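Review bot: `expand-check=0` in the new semanage.conf switches off the neverallow check that the comment directly above it describes, so semanage commands will commit a module without testing it against the policy's neverallow rules. If that is an intentional trade for speed, the comment should say so next to the value, for example `# 0 = neverallow rules are not checked by semanage commands (faster); set to 1 to check them`. The `usepasswd` comment is also hard to parse ("SELinux will label /home correctly only"); since the file ships `usepasswd=False`, a plain statement such as `# When off, only /home is treated as the home-directory root; other roots need an fcontext equivalence rule` would make the consequence clear.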
@@ -26,25 +28,23 @@ It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform specific transformations on binary policies such as customizing policy boolean settings. -%package devel +%package devel Summary: Header files and libraries used to build policy manipulation tools Group: Development/Libraries Requires: %{name} = %{version}-%{release} -Provides: pkgconfig(libsepol) = %{version}-%{release} Provides: %{name}-static = %{version}-%{release} -%description devel +%description devel The libsepol-devel package contains the libraries and header files needed for developing applications that manipulate binary policies. %prep -%setup -q +%autosetup sed -i 's/int rc;/int rc = SEPOL_OK;/' ./cil/src/cil_binary.c -tar xf %{SOURCE1} --no-same-owner %build -make clean -make %{?_smp_mflags} CFLAGS="%{build_cflags}" +%make_build clean +%make_build CFLAGS="%{build_cflags} -fno-semantic-interposition" %install mkdir -p %{buildroot}/%{_lib} @@ -53,7 +53,9 @@ mkdir -p %{buildroot}%{_includedir} mkdir -p %{buildroot}%{_bindir} mkdir -p %{buildroot}%{_mandir}/man3 mkdir -p %{buildroot}%{_mandir}/man8 -make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install + +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" + rm -f %{buildroot}%{_bindir}/genpolbools rm -f %{buildroot}%{_bindir}/genpolusers rm -f %{buildroot}%{_bindir}/chkcon @@ -61,15 +63,7 @@ rm -rf %{buildroot}%{_mandir}/man8 rm -rf %{buildroot}%{_mandir}/ru/man8 %check -pushd CUnit-2.1-2/ -./configure --prefix=%{_prefix} -make -make install -popd - -%clean -rm -rf %{buildroot} - +%make_build test %post /sbin/ldconfig @@ -78,6 +72,10 @@ exit 0 %postun -p /sbin/ldconfig +%files +%defattr(-,root,root) +%{_libdir}/libsepol.so.2 + %files devel %defattr(-,root,root) %license COPYING 
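Review bot: The `sed -i 's/int rc;/int rc = SEPOL_OK;/' ./cil/src/cil_binary.c` line kept under the new `%autosetup` edits upstream source by pattern, and sed exits successfully whether or not `int rc;` still occurs in the 3.2 tarball, so after this version bump the build cannot tell an applied fix from a silent no-op or from a substitution that now lands on a different declaration. Because `%autosetup` applies `Patch` entries on its own, carrying the change as a patch file would make it fail loudly once it stops applying. As a smaller step, put `grep -q 'int rc;' ./cil/src/cil_binary.c` on the line before the sed so that %prep stops when the pattern is gone. The %install section that follows continues past the end of this hunk.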
@@ -91,49 +89,53 @@ exit 0 %{_includedir}/sepol/cil/*.h %{_mandir}/man3/*.3.gz -%files -%defattr(-,root,root) -%{_libdir}/libsepol.so.1 - %changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream and update source URL format +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Remove cunit source, switch to check-time build requirement on cunit +- Bump libsepol sover to 2 +- Lint spec +- License verified + * Tue Feb 23 2021 Henry Li - 3.1-1 - Upgrade libsepol to version 3.1 * Fri Feb 05 2021 Joe Schmitt - 2.9-7 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Mon Sep 28 2020 Ruying Chen 2.9-6 -- Add explicit provide for libsepol-static +* Mon Sep 28 2020 Ruying Chen - 2.9-6 +- Add explicit provide for libsepol-static -* Tue Jun 09 2020 Nicolas Ontiveros 2.9-5 -- Remove unused "systemd-bootstrap" from requires. +* Tue Jun 09 2020 Nicolas Ontiveros - 2.9-5 +- Remove unused "systemd-bootstrap" from requires. -* Fri May 29 2020 Nicolas Ontiveros 2.9-4 -- Use "systemd-bootstrap" to break circular dependencies. +* Fri May 29 2020 Nicolas Ontiveros - 2.9-4 +- Use "systemd-bootstrap" to break circular dependencies. -* Sat May 09 00:21:36 PST 2020 Nick Samson 2.9-3 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 2.9-3 +- Added %%license line automatically -* Tue Mar 24 2020 Henry Beberman 2.9-2 -- Add cflags to make to fix gcc9 compatibility. +* Tue Mar 24 2020 Henry Beberman - 2.9-2 +- Add cflags to make to fix gcc9 compatibility. -* Tue Mar 17 2020 Henry Beberman 2.9-1 -- Update to 2.9. Fix Source0 URL. License verified. +* Tue Mar 17 2020 Henry Beberman - 2.9-1 +- Update to 2.9. Fix Source0 URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.8-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz - 2.8-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Aug 10 2018 Srivatsa S. 
Bhat 2.8-1 -- Update to version 2.8 to get it to build with gcc 7.3 +* Fri Aug 10 2018 Srivatsa S. Bhat - 2.8-1 +- Update to version 2.8 to get it to build with gcc 7.3 -* Tue Apr 04 2017 Kumar Kaushik 2.6-1 -- Updating version to 2.6 +* Tue Apr 04 2017 Kumar Kaushik - 2.6-1 +- Updating version to 2.6 -* Tue May 24 2016 Priyesh Padmavilasom 2.5-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom - 2.5-2 +- GA - Bump release of all rpms -* Fri Jan 22 2016 Xiaolin Li 2.5-1 -- Updated to version 2.5 +* Fri Jan 22 2016 Xiaolin Li - 2.5-1 +- Updated to version 2.5 -* Wed Feb 25 2015 Divya Thaluru 2.4-1 -- Initial build. First version +* Wed Feb 25 2015 Divya Thaluru - 2.4-1 +- Initial build. First version diff --git a/SPECS/libserf/libserf.spec b/SPECS/libserf/libserf.spec index da49d91d88..2637c8d941 100644 --- a/SPECS/libserf/libserf.spec +++ b/SPECS/libserf/libserf.spec @@ -1,7 +1,7 @@ Summary: A high performance C-based HTTP client library built upon the Apache Portable Runtime (APR) library Name: libserf Version: 1.3.9 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 URL: https://serf.apache.org/ Group: System Environment/Libraries @@ -52,6 +52,9 @@ sed -i '/SUITE_ADD_TEST(suite, test_ssltunnel_basic_auth_server_has_keepalive_of sed -i '/SUITE_ADD_TEST(suite, test_ssltunnel_basic_auth_proxy_has_keepalive_off);/d' ./test/test_context.c sed -i '/SUITE_ADD_TEST(suite, test_ssltunnel_basic_auth_proxy_close_conn_on_200resp);/d' ./test/test_context.c sed -i '/SUITE_ADD_TEST(suite, test_ssltunnel_digest_auth);/d' ./test/test_context.c + +# OpenSSL 1.1.1i+ breaks test_ssl_handshake, so disable test_ssl_handshake +sed -i '/SUITE_ADD_TEST(suite, test_ssl_handshake);/d' ./test/test_context.c scons check %files @@ -67,6 +70,9 @@ scons check %changelog +* Tue May 04 2021 Nicolas Ontiveros 1.3.9-6 +- Disable test_ssl_handshake + * Mon Dec 07 2020 Andrew Phelps 1.3.9-5 - Fix check tests. * Sat May 09 2020 Nick Samson 1.3.9-4 
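Review bot: Deleting `test_ssl_handshake` from the suite in libserf.spec leaves %check with no coverage of the TLS handshake path against the OpenSSL that actually ships. The added comment records the trigger (OpenSSL 1.1.1i+) but not whether the failure is a stale test expectation or a real change in how the library reports certificate verification results. I would extend the comment with the upstream reference and the removal condition, e.g. `# TODO: re-enable once <upstream serf issue/patch> is picked up`, and state the confirmed cause there if it is known. Like the other `sed ... /d` lines in this section, the command also succeeds when the pattern no longer matches, so the exclusion can silently stop doing anything after a source update. The %check section starts above this hunk.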
diff --git a/SPECS/libsigc++20/libsigc++20.spec b/SPECS/libsigc++20/libsigc++20.spec index 7c40b6b2ac..7147ef8baf 100644 --- a/SPECS/libsigc++20/libsigc++20.spec +++ b/SPECS/libsigc++20/libsigc++20.spec @@ -45,7 +45,7 @@ make %{?_smp_mflags} check %{_datadir}/* %changelog -* Sat May 09 00:20:34 PST 2020 Nick Samson - 2.10.0-6 +* Sat May 09 2020 Nick Samson - 2.10.0-6 - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 2.10.0-5 diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec index 57080c88e6..b1a1bc93e0 100644 --- a/SPECS/libsoup/libsoup.spec +++ b/SPECS/libsoup/libsoup.spec 
@@ -106,53 +106,53 @@ make check * Tue Jan 05 2021 Ruying Chen - 2.64.0-6 - Enable gobject-introspection support. -* Sat May 09 00:21:16 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically -* Tue Apr 21 2020 Eric Li 2.64.0-4 -- Fix Source0: and delete sha1. Verified license. Fixed URL. Fixed formatting. +* Tue Apr 21 2020 Eric Li 2.64.0-4 +- Fix Source0: and delete sha1. Verified license. Fixed URL. Fixed formatting. -* Tue Sep 03 2019 Mateusz Malisz 2.64.0-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 2.64.0-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Dec 07 2018 Keerthana 2.64.0-2 -- Fix Make check failures. +* Fri Dec 07 2018 Keerthana 2.64.0-2 +- Fix Make check failures. -* Mon Sep 17 2018 Bo Gan 2.64.0-1 -- Update to 2.64.0 +* Mon Sep 17 2018 Bo Gan 2.64.0-1 +- Update to 2.64.0 -* Mon Sep 03 2018 Ankit Jain 2.57.1-4 -- Fix for CVE-2018-12910 +* Mon Sep 03 2018 Ankit Jain 2.57.1-4 +- Fix for CVE-2018-12910 -* Mon Jun 18 2018 Tapas Kundu 2.57.1-3 -- CVE-2017-2885 +* Mon Jun 18 2018 Tapas Kundu 2.57.1-3 +- CVE-2017-2885 -* Fri Aug 11 2017 Chang Lee 2.57.1-2 -- Added krb5-devel to BuildRequires for %check +* Fri Aug 11 2017 Chang Lee 2.57.1-2 +- Added krb5-devel to BuildRequires for %check -* Tue Apr 04 2017 Kumar Kaushik 2.57.1-1 -- Upgrading to version 2.57.1 +* Tue Apr 04 2017 Kumar Kaushik 2.57.1-1 +- Upgrading to version 2.57.1 -* Fri Nov 18 2016 Alexey Makhalov 2.53.90-3 -- Add sqlite-devel build deps +* Fri Nov 18 2016 Alexey Makhalov 2.53.90-3 +- Add sqlite-devel build deps -* Tue May 24 2016 Priyesh Padmavilasom 2.53.90-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 2.53.90-2 +- GA - Bump release of all rpms -* Fri Feb 26 2016 Kumar Kaushik 2.53.90-1 -- Updated version. +* Fri Feb 26 2016 Kumar Kaushik 2.53.90-1 +- Updated version. -* Mon Oct 12 2015 Xiaolin Li 2.50.0-5 -- Moving static lib files to devel package. 
+* Mon Oct 12 2015 Xiaolin Li 2.50.0-5 +- Moving static lib files to devel package. -* Fri Oct 9 2015 Xiaolin Li 2.50.0-4 -- Removing la files from packages. +* Fri Oct 9 2015 Xiaolin Li 2.50.0-4 +- Removing la files from packages. -* Mon Jul 20 2015 Divya Thaluru 2.50.0-3 -- Addinf libxml2 to Requires +* Mon Jul 20 2015 Divya Thaluru 2.50.0-3 +- Addinf libxml2 to Requires -* Mon Jul 13 2015 Alexey Makhalov 2.50.0-2 -- Exclude /usr/lib/debug +* Mon Jul 13 2015 Alexey Makhalov 2.50.0-2 +- Exclude /usr/lib/debug -* Fri Jun 5 2015 Touseef Liaqat 2.50.0-1 -- Initial build. First version +* Fri Jun 5 2015 Touseef Liaqat 2.50.0-1 +- Initial build. First version diff --git a/SPECS/libssh2/libssh2.spec b/SPECS/libssh2/libssh2.spec index 3a276084c9..52818bed6f 100644 --- a/SPECS/libssh2/libssh2.spec +++ b/SPECS/libssh2/libssh2.spec @@ -64,7 +64,7 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';' - Update to version 1.9.0 * Tue May 12 2020 Paul Monson 1.8.0-4 - Remove support for MD5, RIPEMD, BF, RC4, CAST, and DES -* Sat May 09 00:20:35 PST 2020 Nick Samson - 1.8.0-4 +* Sat May 09 2020 Nick Samson - 1.8.0-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.8.0-3 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/libstoragemgmt/libstoragemgmt.spec b/SPECS/libstoragemgmt/libstoragemgmt.spec index 93995d2b07..29e95ff1ba 100644 --- a/SPECS/libstoragemgmt/libstoragemgmt.spec +++ b/SPECS/libstoragemgmt/libstoragemgmt.spec @@ -535,6 +535,7 @@ fi * Fri Aug 21 2020 Thomas Crain 1.8.4-6 - Initial CBL-Mariner version imported from Fedora 33 (license: MIT) +- License verified * Sat Aug 01 2020 Fedora Release Engineering - 1.8.4-5 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/libtar/libtar.spec b/SPECS/libtar/libtar.spec index 893d3eb536..ddbfabc99b 100644 --- a/SPECS/libtar/libtar.spec +++ b/SPECS/libtar/libtar.spec 
@@ -59,7 +59,7 @@ chmod +x %{buildroot}/%{_libdir}/libtar.so.* %{_libdir}/libtar.la %changelog -* Sat May 09 00:21:30 PST 2020 Nick Samson - 1.2.20-8 +* Sat May 09 2020 Nick Samson - 1.2.20-8 - Added %%license line automatically * Thu Apr 23 2020 Nick Samson 1.2.20-7 diff --git a/SPECS/libtasn1/libtasn1.spec b/SPECS/libtasn1/libtasn1.spec index b3f2d91c3f..978ee9117d 100644 --- a/SPECS/libtasn1/libtasn1.spec +++ b/SPECS/libtasn1/libtasn1.spec 
@@ -62,35 +62,46 @@ make %{?_smp_mflags} check - Add an explicit provides for `libtasn1-tools`. - Add version-release to pkgconfig(libtans1) -* Sat May 09 00:20:53 PST 2020 Nick Samson - 4.14-2 +* Sat May 09 2020 Nick Samson - 4.14-2 - Added %%license line automatically -* Wed Apr 22 2020 Nicolas Ontiveros 4.14-1 -- Upgrade to version 4.14. -- Fixed CVE-2018-1000654. -- Remove sha1 macro. -- Update URL. -- Update Source0. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 4.13-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Feb 12 2018 Xiaolin Li 4.13-1 -- Update to version 4.13 fix CVE-2018-6003. -* Tue Oct 10 2017 Priyesh Padmavilasom 4.12-1 -- update to 4.12 and apply patch for CVE-2017-10790 -* Tue Apr 04 2017 Kumar Kaushik 4.10-1 -- Upgrading version to 4.10 -* Wed Dec 07 2016 Xiaolin Li 4.7-4 -- Moved man3 to devel subpackage. -* Wed Nov 30 2016 Dheeraj Shetty 4.7-3 -- Added patch for CVE-2016-4008 -* Tue May 24 2016 Priyesh Padmavilasom 4.7-2 -- GA - Bump release of all rpms -* Fri Jan 15 2016 Xiaolin Li 4.7-1 -- Updated to version 4.7 -* Mon Oct 12 2015 Xiaolin Li 4.5-3 -- Moving static lib files to devel package. -* Fri Oct 9 2015 Xiaolin Li 4.5-2 -- Removing la files from packages. -* Fri Jun 19 2015 Divya Thaluru 4.5-1 -- Initial build. First version +* Wed Apr 22 2020 Nicolas Ontiveros 4.14-1 +- Upgrade to version 4.14. +- Fixed CVE-2018-1000654. +- Remove sha1 macro. +- Update URL. +- Update Source0. +- License verified. + +* Tue Sep 03 2019 Mateusz Malisz 4.13-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Feb 12 2018 Xiaolin Li 4.13-1 +- Update to version 4.13 fix CVE-2018-6003. + +* Tue Oct 10 2017 Priyesh Padmavilasom 4.12-1 +- update to 4.12 and apply patch for CVE-2017-10790 + +* Tue Apr 04 2017 Kumar Kaushik 4.10-1 +- Upgrading version to 4.10 + +* Wed Dec 07 2016 Xiaolin Li 4.7-4 +- Moved man3 to devel subpackage. 
+ +* Wed Nov 30 2016 Dheeraj Shetty 4.7-3 +- Added patch for CVE-2016-4008 + +* Tue May 24 2016 Priyesh Padmavilasom 4.7-2 +- GA - Bump release of all rpms + +* Fri Jan 15 2016 Xiaolin Li 4.7-1 +- Updated to version 4.7 + +* Mon Oct 12 2015 Xiaolin Li 4.5-3 +- Moving static lib files to devel package. + +* Fri Oct 9 2015 Xiaolin Li 4.5-2 +- Removing la files from packages. + +* Fri Jun 19 2015 Divya Thaluru 4.5-1 +- Initial build. First version diff --git a/SPECS/libtirpc/libtirpc.spec b/SPECS/libtirpc/libtirpc.spec index 0e378d07ca..514d48e22b 100644 --- a/SPECS/libtirpc/libtirpc.spec +++ b/SPECS/libtirpc/libtirpc.spec @@ -68,7 +68,7 @@ make install DESTDIR=%{buildroot} %{_libdir}/*.la %changelog -* Sat May 09 00:20:39 PST 2020 Nick Samson - 1.1.4-4 +* Sat May 09 2020 Nick Samson - 1.1.4-4 - Added %%license line automatically * Wed Apr 08 2020 Pawel Winogrodzki 1.1.4-3 diff --git a/SPECS/libtool/libtool.spec b/SPECS/libtool/libtool.spec index 7ef61c05a1..dec6adfc4b 100644 --- a/SPECS/libtool/libtool.spec +++ b/SPECS/libtool/libtool.spec 
@@ -85,17 +85,23 @@ make %{?_smp_mflags} check * Fri Feb 05 2021 Joe Schmitt - 2.4.6-6 - Provide libtool-ltdl-devel%%{?_isa} -* Mon Sep 28 2020 Ruying Chen 2.4.6-6 -- Add explicit provides for libtool-ltdl, libtool-ltdl-devel -* Sat May 09 00:21:36 PST 2020 Nick Samson - 2.4.6-5 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 2.4.6-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Jun 23 2017 Xiaolin Li 2.4.6-3 -- Move header file and source code to libltdl-devel package. -* Tue May 24 2016 Priyesh Padmavilasom 2.4.6-2 -- GA - Bump release of all rpms -* Wed Jan 13 2016 Xiaolin Li 2.4.6-1 -- Updated to version 2.4.6 -* Wed Nov 5 2014 Divya Thaluru 2.4.2-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 2.4.6-6 +- Add explicit provides for libtool-ltdl, libtool-ltdl-devel + +* Sat May 09 2020 Nick Samson - 2.4.6-5 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 2.4.6-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Jun 23 2017 Xiaolin Li 2.4.6-3 +- Move header file and source code to libltdl-devel package. + +* Tue May 24 2016 Priyesh Padmavilasom 2.4.6-2 +- GA - Bump release of all rpms + +* Wed Jan 13 2016 Xiaolin Li 2.4.6-1 +- Updated to version 2.4.6 + +* Wed Nov 5 2014 Divya Thaluru 2.4.2-1 +- Initial build. First version diff --git a/SPECS/libunwind/libunwind.spec b/SPECS/libunwind/libunwind.spec index b0e228c340..94fa247d6c 100644 --- a/SPECS/libunwind/libunwind.spec +++ b/SPECS/libunwind/libunwind.spec @@ -44,7 +44,7 @@ find %{buildroot} -name '*.la' -delete %{_libdir}/pkgconfig/libunwind* %changelog -* Sat May 09 00:21:12 PST 2020 Nick Samson - 1.2-4 +* Sat May 09 2020 Nick Samson - 1.2-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.2-3 diff --git a/SPECS/libvirt/CVE-2020-10701.patch b/SPECS/libvirt/CVE-2020-10701.patch new file mode 100644 index 0000000000..61fe9bdb52 --- /dev/null +++ b/SPECS/libvirt/CVE-2020-10701.patch 
@@ -0,0 +1,32 @@ +From 4cc90c2e62df653e909ad31fd810224bf8bcf913 Mon Sep 17 00:00:00 2001 +From: Jonathon Jongsma +Date: Fri, 20 Mar 2020 09:43:13 -0500 +Subject: [PATCH] api: disallow virDomainAgentSetResponseTimeout() on read-only connections + +This function changes the amount of time that libvirt waits for a +response from the guest agent for all guest agent commands. Since this +is a configuration change, it should not be allowed on read-only +connections. + +Signed-off-by: Jonathon Jongsma +Reviewed-by: Daniel Henrique Barboza +Reviewed-by: Michal Privoznik +--- + src/libvirt-domain.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 65813b6..a12809c 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -12576,6 +12576,8 @@ virDomainAgentSetResponseTimeout(virDomainPtr domain, + virCheckDomainReturn(domain, -1); + conn = domain->conn; + ++ virCheckReadOnlyGoto(conn->flags, error); ++ + if (conn->driver->domainAgentSetResponseTimeout) { + if (conn->driver->domainAgentSetResponseTimeout(domain, timeout, flags) < 0) + goto error; +-- +1.7.1 diff --git a/SPECS/libwebp/libwebp.signatures.json b/SPECS/libwebp/libwebp.signatures.json index 21fe7cd5bb..95cd67d3ae 100644 --- a/SPECS/libwebp/libwebp.signatures.json +++ b/SPECS/libwebp/libwebp.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libwebp-1.0.0.tar.gz": "c5c5ebf979543ac1f3348df8f6245262abd787a147b9632c880d92bfc38dbbeb" + "libwebp-1.0.3.tar.gz": "082d114bcb18a0e2aafc3148d43367c39304f86bf18ba0b2e766447e111a4a91" } -} \ No newline at end of file +} diff --git a/SPECS/libwebp/libwebp.spec b/SPECS/libwebp/libwebp.spec index 4d2e1067cc..9b9dab1322 100644 --- a/SPECS/libwebp/libwebp.spec +++ b/SPECS/libwebp/libwebp.spec 
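Review bot: No change to `SPECS/libvirt/libvirt.spec` accompanies the new `SPECS/libvirt/CVE-2020-10701.patch`; the next file in the diff is `SPECS/libwebp/libwebp.signatures.json`. Unless the spec already lists this file, the `virCheckReadOnlyGoto(conn->flags, error);` check it adds to `virDomainAgentSetResponseTimeout()` is never applied at build time. If the entry is missing, add `PatchN: CVE-2020-10701.patch` (N being the next free patch number in that spec), bump `Release`, and add a `%changelog` line naming CVE-2020-10701 so the fix is both built and traceable.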
@@ -1,54 +1,53 @@ Summary: Library to encode and decode webP format images Name: libwebp -Version: 1.0.0 -Release: 4%{?dist} +Version: 1.0.3 +Release: 1%{?dist} License: BSD -URL: https://webmproject.org/ -Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Libraries +URL: https://webmproject.org/ #Source0: https://github.com/webmproject/%{name}/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz -BuildRequires: libjpeg-turbo-devel -BuildRequires: libtiff-devel -BuildRequires: libpng-devel -Requires: libjpeg-turbo -Requires: libtiff -Requires: libpng +BuildRequires: libjpeg-turbo-devel +BuildRequires: libpng-devel +BuildRequires: libtiff-devel +Requires: libjpeg-turbo +Requires: libpng +Requires: libtiff + %description The libwebp package contains a library and support programs to encode and decode images in WebP format. -%package devel -Summary: Header and development files -Requires: %{name} = %{version}-%{release} -%description devel +%package devel +Summary: Header and development files +Requires: %{name} = %{version}-%{release} +%description devel It contains the libraries and header files to create applications %prep %setup -q + %build ./autogen.sh ./configure \ - --prefix=%{_prefix} \ - --enable-libwebpmux \ - --enable-libwebpdemux \ - --enable-libwebpdecoder \ - --enable-libwebpextras \ - --enable-swap-16bit-csp \ - --disable-static + --prefix=%{_prefix} \ + --enable-libwebpmux \ + --enable-libwebpdemux \ + --enable-libwebpdecoder \ + --enable-libwebpextras \ + --enable-swap-16bit-csp \ + --disable-static make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name '*.la' -delete -print -%post -/sbin/ldconfig - -%postun -/sbin/ldconfig +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig %files %defattr(-,root,root) 
@@ -64,16 +63,23 @@ find %{buildroot} -name '*.la' -delete %{_libdir}/pkgconfig/*.pc %changelog -* Sat May 09 00:21:21 PST 2020 Nick Samson - 1.0.0-4 -- Added %%license line automatically +* Tue May 25 2021 Mateusz Malisz - 1.0.3-1 +- Update to version 1.0.3 + +* Sat May 09 2020 Nick Samson 1.0.0-4 +- Added %%license line automatically * Mon Apr 13 2020 Jon Slobodzian 1.0.0-3 - Verified license. Removed sha1. Fixed Source0 URL comment. Fixed formatting. URL to https. + * Tue Sep 03 2019 Mateusz Malisz 1.0.0-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Wed Sep 12 2018 Keerthana K 1.0.0-1 - Update to version 1.0.0 + * Thu Apr 06 2017 Kumar Kaushik 0.6.0-1 - Upgrading version to 0.6.0 + * Wed Jul 27 2016 Divya Thaluru 0.5.1-1 - Initial version diff --git a/SPECS/libxml2/CVE-2019-20388.patch b/SPECS/libxml2/CVE-2019-20388.patch deleted file mode 100644 index d62751f6bd..0000000000 --- a/SPECS/libxml2/CVE-2019-20388.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 -From: Zhipeng Xie -Date: Tue, 20 Aug 2019 16:33:06 +0800 -Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream - -When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun -alloc a new schema for ctxt->schema and set vctxt->xsiAssemble -to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize -vctxt->xsiAssemble to 0 again which cause the alloced schema -can not be freed anymore. - -Found with libFuzzer. - -Signed-off-by: Zhipeng Xie ---- - xmlschemas.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 301c84499..39d92182f 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { - vctxt->nberrors = 0; - vctxt->depth = -1; - vctxt->skipDepth = -1; -- vctxt->xsiAssemble = 0; - vctxt->hasKeyrefs = 0; - #ifdef ENABLE_IDC_NODE_TABLES_TEST - vctxt->createIDCNodeTables = 1; --- -GitLab 
diff --git a/SPECS/libxml2/CVE-2020-24977.patch b/SPECS/libxml2/CVE-2020-24977.patch deleted file mode 100644 index f8ad63065c..0000000000 --- a/SPECS/libxml2/CVE-2020-24977.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 7 Aug 2020 21:54:27 +0200 -Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' - -Make sure that truncated UTF-8 sequences don't cause an out-of-bounds -array access. - -Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for -the report. - -Fixes #178. ---- - xmllint.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xmllint.c b/xmllint.c -index f6a8e4636..c647486f3 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -528,6 +528,12 @@ static void - xmlHTMLEncodeSend(void) { - char *result; - -+ /* -+ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might -+ * end with a truncated UTF-8 sequence. This is a hack to at least avoid -+ * an out-of-bounds read. -+ */ -+ memset(&buffer[sizeof(buffer)-4], 0, 4); - result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); - if (result) { - xmlGenericError(xmlGenericErrorContext, "%s", result); --- -GitLab diff --git a/SPECS/libxml2/CVE-2020-7595.patch b/SPECS/libxml2/CVE-2020-7595.patch deleted file mode 100644 index b639483f35..0000000000 --- a/SPECS/libxml2/CVE-2020-7595.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 -From: Zhipeng Xie -Date: Thu, 12 Dec 2019 17:30:55 +0800 -Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities - -When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef -return NULL which cause a infinite loop in xmlStringLenDecodeEntities - -Found with libFuzzer. - -Signed-off-by: Zhipeng Xie ---- - parser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index d1c319631..a34bb6cdd 100644 ---- a/parser.c -+++ b/parser.c -@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - else - c = 0; - while ((c != 0) && (c != end) && /* non input consuming loop */ -- (c != end2) && (c != end3)) { -+ (c != end2) && (c != end3) && -+ (ctxt->instate != XML_PARSER_EOF)) { - - if (c == 0) break; - if ((c == '&') && (str[1] == '#')) { --- -GitLab diff --git a/SPECS/libxml2/libxml2.signatures.json b/SPECS/libxml2/libxml2.signatures.json index 6b4f7588d1..042e089dbc 100644 --- a/SPECS/libxml2/libxml2.signatures.json +++ b/SPECS/libxml2/libxml2.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libxml2-2.9.10.tar.gz": "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f" + "libxml2-2.9.12.tar.gz": "c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92" } -} \ No newline at end of file +} diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec index b71b731f52..0c9ffc2894 100644 --- a/SPECS/libxml2/libxml2.spec +++ b/SPECS/libxml2/libxml2.spec 
@@ -1,18 +1,14 @@ Summary: Libxml2 Name: libxml2 -Version: 2.9.10 -Release: 8%{?dist} +Version: 2.9.12 +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: System Environment/General Libraries URL: http://www.xmlsoft.org/ Source0: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz -Patch0: CVE-2019-20388.patch -Patch1: CVE-2020-7595.patch -Patch2: CVE-2020-24977.patch BuildRequires: python3-devel -Provides: pkgconfig(libxml-2.0) = %{version}-%{release} Provides: %{name}-tools = %{version}-%{release} Provides: libxml-tools = %{version}-%{release} @@ -22,7 +18,7 @@ The libxml2 package contains libraries and utilities used for parsing XML files. %package -n python3-libxml2 Summary: Python 3 bindings for libxml2. Group: Development/Libraries -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} Requires: python3 Requires: python3-xml Provides: %{name}-python3 = %{version}-%{release} @@ -32,7 +28,7 @@ Python3 libxml2. %package devel Summary: Libraries and header files for libxml -Requires: %{name} = %{version} +Requires: %{name} = %{version}-%{release} Provides: %{name}-devel%{?_isa} = %{version}-%{release} %description devel @@ -44,30 +40,19 @@ Static libraries and header files for the support library for libxml %build %configure \ --disable-static \ - --with-history -make %{?_smp_mflags} + --with-history \ + --with-python=%{python3} +%make_build %install -[ %{buildroot} != "/"] && rm -rf %{buildroot}/* -make DESTDIR=%{buildroot} install +%make_install find %{buildroot} -type f -name "*.la" -delete -print %{_fixperms} %{buildroot}/* -make clean -%configure \ - --disable-static \ - --with-python=%{_bindir}/python3 -make %{?_smp_mflags} -make install DESTDIR=%{buildroot} - %check -make PYTHON_SUBDIR="" runtests +%make_build PYTHON_SUBDIR="" runtests -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig - -%clean -rm -rf %{buildroot}/* +%ldconfig_scriptlets %files %defattr(-,root,root) 
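Review bot: The `Patch0`–`Patch2` lines removed in hunk `@@ -1,18 +1,14 @@` (CVE-2019-20388, CVE-2020-7595, CVE-2020-24977) are not accounted for in the new `%changelog` entries added in a later hunk, which name only CVE-2021-3517, CVE-2021-3518 and CVE-2021-3537. Presumably 2.9.12 already contains the upstream fixes, but someone auditing the package by patch name cannot tell that from the spec. After confirming this against the upstream release notes, I would add `- Remove patches for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 (fixed upstream)` to the 2.9.12-1 entry. Note also that `Source0` (unchanged context) still points at `ftp://`, so the SHA-256 in `libxml2.signatures.json` is the only integrity check on the tarball and should be verified against an independently obtained copy.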
@@ -92,6 +77,14 @@ rm -rf %{buildroot}/* %{_libdir}/cmake/libxml2/libxml2-config.cmake %changelog +* Tue Aug 17 2021 Thomas Crain - 2.9.12-2 +- Revert re-addition of python2 dependency from bad merge +- Remove recompilation with python support during install step +- Lint spec + +* Thu May 27 2021 Mateusz Malisz - 2.9.12-1 +- Update to version 2.9.12 to fix CVE-2021-3517, CVE-2021-3518 and CVE-2021-3537 + * Fri May 21 2021 Nick Samson - 2.9.10-8 - Added explicit requirement on python xml library - Remove requirement on python2 @@ -102,6 +95,9 @@ rm -rf %{buildroot}/* - v-ruyche@microsoft.com, 2.9.10-3: Patch CVE-2020-24977. - anphel@microsoft.com, 2.9.10-4: Skip python tests which are known to be broken. +* Wed Mar 03 2021 Andrew Phelps - 2.9.10-4 +- Skip python tests which are known to be broken. + * Fri Feb 05 2021 Joe Schmitt - 2.9.10-6 - Provide libxml2-devel%%{?_isa} diff --git a/SPECS/libxslt/libxslt.spec b/SPECS/libxslt/libxslt.spec index 62dcef2b0a..23efc3c1fc 100644 --- a/SPECS/libxslt/libxslt.spec +++ b/SPECS/libxslt/libxslt.spec @@ -89,7 +89,7 @@ rm -rf %{buildroot}/* * Tue May 12 2020 Paul Monson 1.1.32-4 - Add patch for CVE-2019-5815 -* Sat May 09 00:21:44 PST 2020 Nick Samson - 1.1.32-3 +* Sat May 09 2020 Nick Samson - 1.1.32-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.1.32-2 diff --git a/SPECS/libzip/libzip.signatures.json b/SPECS/libzip/libzip.signatures.json new file mode 100644 index 0000000000..420c46fbae --- /dev/null +++ b/SPECS/libzip/libzip.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "libzip-1.7.3.tar.xz": "a60473ffdb7b4260c08bfa19c2ccea0438edac11193c3afbbb1f17fbcf6c6132" + } +} diff --git a/SPECS/libzip/libzip.spec b/SPECS/libzip/libzip.spec new file mode 100644 index 0000000000..443296cc47 --- /dev/null +++ b/SPECS/libzip/libzip.spec 
@@ -0,0 +1,355 @@ +Name: libzip +Version: 1.7.3 +Release: 5%{?dist} +Summary: C library for reading, creating, and modifying zip archives +Vendor: Microsoft Corporation +Distribution: Mariner +License: BSD +URL: https://libzip.org/ +Source0: https://libzip.org/download/libzip-%{version}.tar.xz + +BuildRequires: gcc +BuildRequires: zlib-devel +BuildRequires: bzip2-devel +BuildRequires: openssl-devel +BuildRequires: xz-devel +BuildRequires: cmake >= 3.0.2 +# Needed to run the test suite +# find regress/ -type f | /usr/lib/rpm/perl.req +# find regress/ -type f | /usr/lib/rpm/perl.prov +%if %{with_check} +BuildRequires: perl +BuildRequires: perl(Cwd) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Path) +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(IPC::Open3) +BuildRequires: perl(Storable) +BuildRequires: perl(Symbol) +BuildRequires: perl(UNIVERSAL) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +%endif + +%description +libzip is a C library for reading, creating, and modifying zip archives. Files +can be added from data buffers, files, or compressed data copied directly from +other zip archives. Changes made without closing the archive can be reverted. +The API is documented by man pages. + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. 
+ + +%package tools +Summary: Command line tools from %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +The %{name}-tools package provides command line tools split off %{name}: +- zipcmp +- zipmerge +- ziptool + + +%prep +%autosetup -p1 + +# unwanted in package documentation +rm INSTALL.md + +%build +%cmake \ + -DENABLE_COMMONCRYPTO:BOOL=OFF \ + -DENABLE_GNUTLS:BOOL=OFF \ + -DENABLE_MBEDTLS:BOOL=OFF \ + -DENABLE_OPENSSL:BOOL=ON \ + -DENABLE_WINDOWS_CRYPTO:BOOL=OFF \ + -DENABLE_BZIP2:BOOL=ON \ + -DENABLE_LZMA:BOOL=ON \ + -DBUILD_TOOLS:BOOL=ON \ + -DBUILD_REGRESS:BOOL=ON \ + -DBUILD_EXAMPLES:BOOL=OFF \ + -DBUILD_DOC:BOOL=ON \ + . + +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} INSTALL='install -p' + +%check +make check + + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%license LICENSE +%{_libdir}/libzip.so.5* +%{_docdir}/libzip +%{_libdir}/cmake/libzip + +%files tools +%{_bindir}/zipcmp +%{_bindir}/zipmerge +%{_bindir}/ziptool + +%files devel +%doc AUTHORS THANKS *.md +%{_includedir}/zip.h +%{_includedir}/zipconf*.h +%{_libdir}/libzip.so +%{_libdir}/pkgconfig/libzip.pc + + +%changelog +* Mon May 17 2021 Suresh Babu Chalamalasetty - 1.7.3-5 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Tue Jan 26 2021 Fedora Release Engineering - 1.7.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 1.7.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Rex Dieter - 1.7.3-2 +- use %%cmake_build, %%cmake_install, %ctest + +* Wed Jul 15 2020 Remi Collet - 1.7.3-1 +- update to 1.7.3 +- drop patch merged upstream + +* Mon Jul 13 2020 Remi Collet - 1.7.2-1 +- update to 1.7.2 +- fix installation layout using merged patch from + https://github.com/nih-at/libzip/pull/190 + +* Mon Jun 15 2020 Remi Collet - 1.7.1-1 +- update to 1.7.1 + +* Fri Jun 5 2020 Remi Collet - 
1.7.0-1 +- update to 1.7.0 +- patch zipconf.h to re-add missing LIBZIP_VERSION_* macros + +* Mon Feb 3 2020 Remi Collet - 1.6.1-1 +- update to 1.6.1 + +* Wed Jan 29 2020 Fedora Release Engineering - 1.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 24 2020 Remi Collet - 1.6.0-1 +- update to 1.6.0 +- enable lzma support + +* Thu Jul 25 2019 Fedora Release Engineering - 1.5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Mar 12 2019 Remi Collet - 1.5.2-1 +- update to 1.5.2 +- add all explicit cmake options to ensure openssl is used + even in local build with other lilbraries available + +* Fri Feb 01 2019 Fedora Release Engineering - 1.5.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Apr 11 2018 Remi Collet - 1.5.1-1 +- update to 1.5.1 +- drop dependency on zlib-devel and bzip2-devel no more + referenced in libzip.pc +- drop rpath patch merged upstream + +* Thu Mar 15 2018 Remi Collet - 1.5.0-2 +- add dependency on zlib-devel and bzip2-devel #1556068 + +* Mon Mar 12 2018 Remi Collet - 1.5.0-1 +- update to 1.5.0 +- use openssl for cryptography instead of bundled custom AES implementation + +* Tue Feb 20 2018 Remi Collet - 1.4.0-5 +- missing BR on C compiler +- use ldconfig_scriptlets + +* Wed Feb 07 2018 Fedora Release Engineering - 1.4.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 5 2018 Remi Collet - 1.4.0-3 +- add upstream patch and drop multilib hack + +* Tue Jan 2 2018 Remi Collet - 1.4.0-2 +- re-add multilib hack #1529886 + +* Sat Dec 30 2017 Remi Collet - 1.4.0-1 +- update to 1.4.0 +- switch to cmake +- add upstream patch for lib64 + +* Mon Nov 20 2017 Remi Collet - 1.3.2-1 +- update to 1.3.2 +- drop multilib header hack +- change URL to https://libzip.org/ +- test suite now ok on all arch 
+ +* Wed Sep 06 2017 Pavel Raiskup - 1.3.0-2 +- use multilib-rpm-config for multilib hacks + +* Mon Sep 4 2017 Remi Collet - 1.3.0-1 +- update to 1.3.0 +- add dependency on bzip2 library +- ignore 3 tests failing on 32-bit + +* Thu Aug 03 2017 Fedora Release Engineering - 1.2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 28 2017 Remi Collet - 1.2.0-1 +- update to 1.2.0 +- soname bump to 5 + +* Tue Feb 28 2017 Remi Collet - 1.2.0-0 +- update to 1.2.0 +- soname bump to 5 +- temporarily keep libzip.so.4 + +* Fri Feb 10 2017 Fedora Release Engineering - 1.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat May 28 2016 Remi Collet - 1.1.3-1 +- update to 1.1.3 + +* Sat Feb 20 2016 Remi Collet - 1.1.2-1 +- update to 1.1.2 +- add BR on perl(Getopt::Long) + +* Sat Feb 13 2016 Remi Collet - 1.1.1-1 +- update to 1.1.1 + +* Thu Feb 04 2016 Fedora Release Engineering - 1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 28 2016 Remi Collet - 1.1-1 +- update to 1.1 +- new ziptool command +- add fix for undefined optopt in ziptool.c (upstream) + +* Fri Dec 4 2015 Remi Collet - 1.0.1-3 +- fix libzip-tools summary #1288424 + +* Wed Jun 17 2015 Fedora Release Engineering - 1.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 5 2015 Remi Collet - 1.0.1-1 +- update to 1.0.1 +- soname bump from .2 to .4 +- drop ziptorrent +- create "tools" sub package + +* Mon Mar 23 2015 Rex Dieter 0.11.2-5 +- actually apply patch (using %%autosetup) + +* Mon Mar 23 2015 Rex Dieter 0.11.2-4 +- CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677) + +* Sun Aug 17 2014 Fedora Release Engineering - 0.11.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 
Fedora Release Engineering - 0.11.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Dec 19 2013 Remi Collet - 0.11.2-1 +- update to 0.11.2 +- run test during build + +* Thu Oct 24 2013 Remi Collet - 0.11.1-3 +- replace php patch with upstream one + +* Fri Aug 23 2013 Remi Collet - 0.11.1-2 +- include API-CHANGES and LICENSE in package doc + +* Wed Aug 21 2013 Remi Collet - 0.11.1-1 +- update to 0.11.1 + +* Sat Aug 03 2013 Fedora Release Engineering - 0.10.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 0.10.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Oct 15 2012 Remi Collet - 0.10.1-5 +- fix typo in multiarch (#866171) + +* Wed Sep 05 2012 Rex Dieter 0.10.1-4 +- Warning about conflicting contexts for /usr/lib64/libzip/include/zipconf.h versus /usr/include/zipconf-64.h (#853954) + +* Thu Jul 19 2012 Fedora Release Engineering - 0.10.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 10 2012 Rex Dieter 0.10.1-2 +- spec cleanup, better multilib fix + +* Wed Mar 21 2012 Remi Collet - 0.10.1-1 +- update to 0.10.1 (security fix only) +- fixes for CVE-2012-1162 and CVE-2012-1163 + +* Sun Mar 04 2012 Remi Collet - 0.10-2 +- try to fix ARM issue (#799684) + +* Sat Feb 04 2012 Remi Collet - 0.10-1 +- update to 0.10 +- apply patch with changes from php bundled lib (thanks spot) +- handle multiarch headers (ex from MySQL) + +* Fri Jan 13 2012 Fedora Release Engineering - 0.9.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.9.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 04 2010 Kalev Lember - 0.9.3-2 +- Cleaned up pkgconfig deps which are now automatically handled by RPM. 
+ +* Thu Feb 04 2010 Kalev Lember - 0.9.3-1 +- Updated to libzip 0.9.3 + +* Tue Aug 11 2009 Ville Skyttä - 0.9-4 +- Use bzipped upstream tarball. + +* Sat Jul 25 2009 Fedora Release Engineering - 0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Dec 12 2008 Rex Dieter 0.9-1 +- libzip-0.9 + +* Sat Feb 09 2008 Sebastian Vahl 0.8-5 +- rebuild for new gcc-4.3 + +* Fri Jan 11 2008 Rex Dieter 0.8-4 +- use better workaround for removing rpaths + +* Tue Nov 20 2007 Sebastian Vahl 0.8-3 +- require pkgconfig in devel subpkg +- move api description to devel subpkg +- keep timestamps in %%install +- avoid lib64 rpaths + +* Thu Nov 15 2007 Sebastian Vahl 0.8-2 +- Change License to BSD + +* Thu Nov 15 2007 Sebastian Vahl 0.8-1 +- Initial version for Fedora diff --git a/SPECS/lldb/lldb.spec b/SPECS/lldb/lldb.spec index 1d74a57e39..0285bf7ba4 100644 --- a/SPECS/lldb/lldb.spec +++ b/SPECS/lldb/lldb.spec @@ -105,7 +105,7 @@ rm -rf %{buildroot}/* - Explicitly set python verison. * Fri Jun 12 2020 Henry Beberman 8.0.1-3 - Temporarily disable generation of debug symbols. -* Sat May 09 00:21:04 PST 2020 Nick Samson - 8.0.1-2 +* Sat May 09 2020 Nick Samson - 8.0.1-2 - Added %%license line automatically * Tue Mar 17 2020 Henry Beberman 8.0.1-1 - Update to 8.0.1. Source0 URL fixed. License verified. diff --git a/SPECS/lmdb/lmdb.spec b/SPECS/lmdb/lmdb.spec index a944788f86..d3d009ff8c 100644 --- a/SPECS/lmdb/lmdb.spec +++ b/SPECS/lmdb/lmdb.spec @@ -73,7 +73,7 @@ rm -rf %{buildroot}/* %{_libdir}/*.so %changelog -* Sat May 09 00:20:56 PST 2020 Nick Samson - 0.9.23-2 +* Sat May 09 2020 Nick Samson - 0.9.23-2 - Added %%license line automatically * Tue Mar 17 2020 Henry Beberman 0.9.23-1 diff --git a/SPECS/log4cpp/log4cpp.spec b/SPECS/log4cpp/log4cpp.spec index f92f6041c7..8591469f09 100644 --- a/SPECS/log4cpp/log4cpp.spec 
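Review bot: The imported `%changelog` in the new `libzip.spec` has one unescaped macro in the 1.7.3-2 entry, `- use %%cmake_build, %%cmake_install, %ctest`. rpm expands macros inside `%changelog`, so if `%ctest` is defined in the build environment its body ends up in the changelog text. Write it as `%%ctest`, matching the two escaped names on the same line.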
+++ b/SPECS/log4cpp/log4cpp.spec @@ -60,7 +60,7 @@ make DESTDIR=%{buildroot} install %_prefix/share/aclocal/*.m4 %changelog -* Sat May 09 00:21:30 PST 2020 Nick Samson - 1.1.3-6 +* Sat May 09 2020 Nick Samson - 1.1.3-6 - Added %%license line automatically * Mon May 04 2020 Emre Girgin 1.1.3-5 diff --git a/SPECS/logrotate/logrotate.signatures.json b/SPECS/logrotate/logrotate.signatures.json index 10b1001f9e..d338ac6171 100644 --- a/SPECS/logrotate/logrotate.signatures.json +++ b/SPECS/logrotate/logrotate.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "logrotate-3.16.0.tar.gz": "bc6acfd09925045d48b5ff553c24c567cfd5f59d513c4ac34bfb51fa6b79dc8a" + "logrotate-3.18.1.tar.gz": "5db8d0d9600a260e5b6dc4498aa7c1a6910a51b611611005f652a4f606d0a23b" } } \ No newline at end of file diff --git a/SPECS/logrotate/logrotate.spec b/SPECS/logrotate/logrotate.spec index 2b3564fd4a..281192c6ad 100644 --- a/SPECS/logrotate/logrotate.spec +++ b/SPECS/logrotate/logrotate.spec 
@@ -1,56 +1,74 @@ Summary: Logrotate Name: logrotate -Version: 3.16.0 -Release: 2%{?dist} +Version: 3.18.1 +Release: 1%{?dist} License: GPLv2 -URL: https://github.com/logrotate/logrotate/ -#Source0: %{url}/archive/%{version}.tar.gz -Source0: %{name}-%{version}.tar.gz -Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner - +Group: System Environment/Base +URL: https://github.com/logrotate/logrotate/ +Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz BuildRequires: popt-devel - -Requires: popt +BuildRequires: systemd-devel +Requires: popt +Requires: systemd %description -The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files. Logrotate allows for the automatic rotation compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size. +The logrotate utility is designed to simplify the administration of log +files on a system which generates a lot of log files. Logrotate allows +for the automatic rotation compression, removal and mailing of log files. +Logrotate can be set to handle a log file daily, weekly, monthly or when +the log file gets to a certain size. %prep -%setup -q +%autosetup -p1 %build ./autogen.sh -./configure \ - --prefix=%{_prefix} -# logrotate code has misleading identation and GCC 6.3 does not like it. -make %{?_smp_mflags} CFLAGS="-Wno-error=misleading-indentation -g -O2" +./configure --prefix=%{_prefix} --with-state-file-path=%{_localstatedir}/lib/logrotate/logrotate.status +make %{?_smp_mflags} + +# Disable dateext since it can cause rotation to fail if run twice in a day +sed -i 's/dateext/#dateext/' examples/logrotate.conf + +# Remove hardening options that are not supported by our current systemd version. 
+sed -i -E '/ProtectClock=true|ProtectHostname=true|ProtectKernelLogs=true/d' examples/logrotate.service %install make DESTDIR=%{buildroot} install install -vd %{buildroot}%{_sysconfdir}/logrotate.d -install -vd %{buildroot}%{_sysconfdir}/cron.daily install -vd %{buildroot}%{_localstatedir}/lib/logrotate +install -vd %{buildroot}%{_unitdir} touch %{buildroot}%{_localstatedir}/lib/logrotate/logrotate.status +install -p -m 644 examples/logrotate.conf %{buildroot}%{_sysconfdir}/logrotate.conf +install -p -m 644 examples/logrotate.{service,timer} %{buildroot}%{_unitdir}/ +install -p -m 644 examples/{b,w}tmp %{buildroot}%{_sysconfdir}/logrotate.d/ -%post -p /sbin/ldconfig +%post +%systemd_post logrotate.{service,timer} -%postun -p /sbin/ldconfig +%postun +%systemd_preun logrotate.{service,timer} %files %defattr(-,root,root) %license COPYING %dir %{_sysconfdir}/logrotate.d +%dir %{_localstatedir}/lib/logrotate %{_sbindir}/logrotate +%{_unitdir}/logrotate.{service,timer} +%config(noreplace) %{_sysconfdir}/logrotate.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/{b,w}tmp %{_mandir}/man5/logrotate.conf.5.gz %{_mandir}/man8/logrotate.8.gz -/var/lib/logrotate/logrotate.status +%ghost %verify(not size md5 mtime) %attr(0644, root, root) %{_localstatedir}/lib/logrotate/logrotate.status %changelog -* Sat May 09 00:21:41 PST 2020 Nick Samson - 3.16.0-2 -- Added %%license line automatically - +* Wed Jul 21 2021 Henry Beberman - 3.18.1-1 +- Update to version 3.18.1 +- Add default logrotate systemd service and logrotate.conf +* Sat May 09 2020 Nick Samson - 3.16.0-2 +- Added %%license line automatically * Fri Apr 24 2020 Pawel Winogrodzki 3.16.0-1 - Updated to 3.16.0. - License verified. diff --git a/SPECS/lsb-release/lsb-release.spec b/SPECS/lsb-release/lsb-release.spec index e617b281ce..fbefb941d4 100644 --- a/SPECS/lsb-release/lsb-release.spec +++ b/SPECS/lsb-release/lsb-release.spec 
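Review bot: The new `%postun` scriptlet calls `%systemd_preun logrotate.{service,timer}`, so the stop/disable step would run only after the package's unit files have been removed. Keep that macro under a `%preun` header and have `%postun` call `%systemd_postun logrotate.{service,timer}` instead. In `%build`, the `sed -i -E '/ProtectClock=true|ProtectHostname=true|ProtectKernelLogs=true/d'` line silently strips three sandboxing directives from `examples/logrotate.service`, and nothing marks it as temporary. A comment such as `# TODO: drop this sed once the distro systemd supports these directives` would help get the upstream hardening restored when systemd is upgraded.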
@@ -5,7 +5,7 @@ Version: 1.4 Release: 1%{?dist} License: GPLv2+ URL: https://wiki.linuxfoundation.org/lsb/start -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner BuildArch: noarch Source0: https://downloads.sourceforge.net/lsb/%{name}-%{version}.tar.gz @@ -35,3 +35,4 @@ install -D -m 755 lsb_release %{buildroot}%{_bindir}/lsb_release %changelog * Wed Aug 26 2020 Thomas Crain - 1.4-1 - Original version for Mariner. +- License verified. diff --git a/SPECS/lshw/lshw.spec b/SPECS/lshw/lshw.spec index dbf4881321..c40e3334c5 100644 --- a/SPECS/lshw/lshw.spec +++ b/SPECS/lshw/lshw.spec @@ -42,7 +42,7 @@ make DESTDIR=%{buildroot} install /usr/share/* %changelog -* Sat May 09 00:21:24 PST 2020 Nick Samson - B.02.18-3 +* Sat May 09 2020 Nick Samson - B.02.18-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz B.02.18-2 diff --git a/SPECS/lsof/lsof.spec b/SPECS/lsof/lsof.spec index 8f6e239533..8a07529752 100644 --- a/SPECS/lsof/lsof.spec +++ b/SPECS/lsof/lsof.spec @@ -39,7 +39,7 @@ install -v -m 0644 Lsof.8 %{buildroot}%{_mandir}/man8/lsof.8 %changelog * Wed Jul 01 2020 Henry Beberman - 4.93.2-3 - Fix license to point to 00README which contains the license. Removes false dependency on /bin/ksh -* Sat May 09 00:20:40 PST 2020 Nick Samson - 4.93.2-2 +* Sat May 09 2020 Nick Samson - 4.93.2-2 - Added %%license line automatically * Mon Apr 27 2020 Pawel Winogrodzki 4.93.2-1 - Bumping up the version to 4.93.2. diff --git a/SPECS/lsscsi/lsscsi.spec b/SPECS/lsscsi/lsscsi.spec index 849a2ac3d9..2542352b03 100644 --- a/SPECS/lsscsi/lsscsi.spec +++ b/SPECS/lsscsi/lsscsi.spec @@ -32,7 +32,7 @@ make %{?_smp_mflags} -k check %{_mandir}/* %changelog -* Sat May 09 00:21:07 PST 2020 Nick Samson - 0.30-3 +* Sat May 09 2020 Nick Samson - 0.30-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.30-2 diff --git a/SPECS/ltrace/ltrace.spec b/SPECS/ltrace/ltrace.spec index 1d76e28b1d..bd6f66867d 100644 --- a/SPECS/ltrace/ltrace.spec 
+++ b/SPECS/ltrace/ltrace.spec @@ -52,7 +52,7 @@ rm -rf %{buildroot}/* %{_bindir}/* %{_datadir} %changelog -* Sat May 09 00:21:21 PST 2020 Nick Samson - 0.7.3-6 +* Sat May 09 2020 Nick Samson - 0.7.3-6 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.7.3-5 diff --git a/SPECS/lvm2/lvm2.spec b/SPECS/lvm2/lvm2.spec index 3abcf6e381..831b94dc61 100644 --- a/SPECS/lvm2/lvm2.spec +++ b/SPECS/lvm2/lvm2.spec @@ -310,7 +310,7 @@ echo "disable lvm2-lvmeatd.service" >> %{buildroot}%{_libdir}/systemd/system-pre * Fri May 29 2020 Nicolas Ontiveros 2.03.05-4 - Use systemd-bootstrap to break circular dependencies. -* Sat May 09 00:20:52 PST 2020 Nick Samson 2.03.05-3 +* Sat May 09 2020 Nick Samson 2.03.05-3 - Added %%license line automatically * Wed Apr 08 2020 Nicolas Ontiveros 2.03.05-2 diff --git a/SPECS/lzo/lzo.spec b/SPECS/lzo/lzo.spec index 96ae332780..068d450fde 100644 --- a/SPECS/lzo/lzo.spec +++ b/SPECS/lzo/lzo.spec @@ -93,7 +93,7 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/lzo2.pc %changelog -* Sat May 09 00:21:12 PST 2020 Nick Samson - 2.10-3 +* Sat May 09 2020 Nick Samson - 2.10-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.10-2 diff --git a/SPECS/m4/m4.spec b/SPECS/m4/m4.spec index c09532699a..3f4a9d3421 100644 --- a/SPECS/m4/m4.spec +++ b/SPECS/m4/m4.spec @@ -40,7 +40,7 @@ make %{?_smp_mflags} check %{_mandir}/*/* %changelog -* Sat May 09 00:21:28 PST 2020 Nick Samson - 1.4.18-4 +* Sat May 09 2020 Nick Samson - 1.4.18-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.4.18-3 diff --git a/SPECS/mailcap/mailcap.spec b/SPECS/mailcap/mailcap.spec index 95fd3735fa..506aee5c52 100644 --- a/SPECS/mailcap/mailcap.spec +++ b/SPECS/mailcap/mailcap.spec 
@@ -4,7 +4,7 @@ Version: 2.1.49 Release: 3%{?dist} License: Public Domain and MIT URL: https://pagure.io/mailcap -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pagure.io/releases/%{name}/%{name}-%{version}.tar.xz BuildArch: noarch @@ -44,7 +44,7 @@ MIME type mappings for nginx. %install -rm -rf $RPM_BUILD_ROOT +rm -rf ${buildroot} %make_install sysconfdir=%{_sysconfdir} mandir=%{_mandir} @@ -67,6 +67,7 @@ make check %changelog * Fri Aug 21 2020 Thomas Crain - 2.1.49-3 - Initial CBL-Mariner version imported from Fedora 33 (license: MIT) +- License verified * Tue Jul 28 2020 Fedora Release Engineering - 2.1.49-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/man-db/man-db.spec b/SPECS/man-db/man-db.spec index 0ce110e019..d64969b1f3 100644 --- a/SPECS/man-db/man-db.spec +++ b/SPECS/man-db/man-db.spec 
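Review bot: In the `%install` hunk, `rm -rf ${buildroot}` swaps `$RPM_BUILD_ROOT` for a shell variable that nothing in the visible hunks sets. RPM macros are written `%{buildroot}`, so the shell would presumably see an empty expansion and the cleanup would silently do nothing. Use `rm -rf %{buildroot}`, as the mariner-repos spec in this same diff does, or keep `$RPM_BUILD_ROOT`. An unquoted variable that may be empty is also worth avoiding as the operand of `rm -rf` in a build script.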
@@ -83,43 +83,60 @@ fi %changelog * Wed Jun 09 2021 Muhammad Falak Wani 2.8.4-8 - Add an explict provides for "man-pages-reader" + * Thu May 13 2021 Henry Li 2.8.4-7 - Remove zsoelim man page, which is provided by groff -* Mon Sep 28 2020 Ruying Chen 2.8.4-6 -- Add explicit provide for "man" -* Sat May 09 2020 Nick Samson 2.8.4-5 -- Added %%license line automatically -* Fri Apr 17 2020 Emre Girgin 2.8.4-4 -- Rename shadow to shadow-utils. -* Tue Apr 07 2020 Joe Schmitt 2.8.4-3 -- Update Source0 with valid URL. -- Update URL. -- Remove sha1 macro. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 2.8.4-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Oct 22 2018 Sujay G 2.8.4-1 -- Bump man-db version to 2.8.4 -* Mon Sep 18 2017 Alexey Makhalov 2.7.6-4 -- Remove shadow from requires and use explicit tools for post actions -* Fri Aug 04 2017 Chang Lee 2.7.6-3 -- Setup a testing environment before %check -* Fri Jun 23 2017 Xiaolin Li 2.7.6-2 -- Add gdbm-devel to BuildRequires -* Fri Mar 31 2017 Michelle Wang 2.7.6-1 -- Update package version -* Mon Oct 03 2016 ChangLee 2.7.5-5 -- Modified check -* Tue May 24 2016 Priyesh Padmavilasom 2.7.5-4 -- GA - Bump release of all rpms -* Mon May 16 2016 Xiaolin Li 2.7.5-3 -- Fix user man:man adding. -* Thu May 05 2016 Kumar Kaushik 2.7.5-2 -- Adding support for upgrade in pre/post/un scripts. -* Wed Feb 24 2016 Kumar Kaushik 2.7.5-1 -- Updated to new version. -* Tue Nov 10 2015 Xiaolin Li 2.6.6-2 -- Handled locale files with macro find_lang -* Wed Nov 5 2014 Divya Thaluru 2.6.6-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 2.8.4-6 +- Add explicit provide for "man" + +* Sat May 09 2020 Nick Samson 2.8.4-5 +- Added %%license line automatically + +* Fri Apr 17 2020 Emre Girgin 2.8.4-4 +- Rename shadow to shadow-utils. + +* Tue Apr 07 2020 Joe Schmitt 2.8.4-3 +- Update Source0 with valid URL. +- Update URL. +- Remove sha1 macro. +- License verified. 
+ +* Tue Sep 03 2019 Mateusz Malisz 2.8.4-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Oct 22 2018 Sujay G 2.8.4-1 +- Bump man-db version to 2.8.4 + +* Mon Sep 18 2017 Alexey Makhalov 2.7.6-4 +- Remove shadow from requires and use explicit tools for post actions + +* Fri Aug 04 2017 Chang Lee 2.7.6-3 +- Setup a testing environment before %check + +* Fri Jun 23 2017 Xiaolin Li 2.7.6-2 +- Add gdbm-devel to BuildRequires + +* Fri Mar 31 2017 Michelle Wang 2.7.6-1 +- Update package version + +* Mon Oct 03 2016 ChangLee 2.7.5-5 +- Modified check + +* Tue May 24 2016 Priyesh Padmavilasom 2.7.5-4 +- GA - Bump release of all rpms + +* Mon May 16 2016 Xiaolin Li 2.7.5-3 +- Fix user man:man adding. + +* Thu May 05 2016 Kumar Kaushik 2.7.5-2 +- Adding support for upgrade in pre/post/un scripts. + +* Wed Feb 24 2016 Kumar Kaushik 2.7.5-1 +- Updated to new version. + +* Tue Nov 10 2015 Xiaolin Li 2.6.6-2 +- Handled locale files with macro find_lang + +* Wed Nov 5 2014 Divya Thaluru 2.6.6-1 +- Initial build. First version diff --git a/SPECS/man-pages/man-pages.spec b/SPECS/man-pages/man-pages.spec index e85ec39b22..268586377a 100644 --- a/SPECS/man-pages/man-pages.spec +++ b/SPECS/man-pages/man-pages.spec @@ -37,7 +37,7 @@ rm -vf %{buildroot}%{_mandir}/man5/passwd.5 %{_mandir}/man8/* %changelog -* Sat May 09 00:20:51 PST 2020 Nick Samson - 4.16-4 +* Sat May 09 2020 Nick Samson - 4.16-4 - Added %%license line automatically and updated licenses. * Wed Apr 15 2020 Nick Samson 4.16-3 diff --git a/SPECS/mariner-repos/mariner-microsoft-preview.repo b/SPECS/mariner-repos/mariner-microsoft-preview.repo new file mode 100755 index 0000000000..b799f39992 --- /dev/null +++ b/SPECS/mariner-repos/mariner-microsoft-preview.repo 
@@ -0,0 +1,9 @@
+[mariner-official-microsoft-preview]
+name=CBL-Mariner Official Microsoft Preview $releasever $basearch
+baseurl=https://packages.microsoft.com/cbl-mariner/$releasever/preview/Microsoft/$basearch/rpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
diff --git a/SPECS/mariner-repos/mariner-microsoft.repo b/SPECS/mariner-repos/mariner-microsoft.repo
new file mode 100755
index 0000000000..9e422e05dc
--- /dev/null
+++ b/SPECS/mariner-repos/mariner-microsoft.repo
@@ -0,0 +1,9 @@
+[mariner-official-microsoft]
+name=CBL-Mariner Official Microsoft $releasever $basearch
+baseurl=https://packages.microsoft.com/cbl-mariner/$releasever/prod/Microsoft/$basearch/rpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
diff --git a/SPECS/mariner-repos/mariner-repos.signatures.json b/SPECS/mariner-repos/mariner-repos.signatures.json
index 509e6d4121..51a35f5875 100644
--- a/SPECS/mariner-repos/mariner-repos.signatures.json
+++ b/SPECS/mariner-repos/mariner-repos.signatures.json
@@ -8,6 +8,8 @@
 "mariner-official-update.repo": "d80ed87ba6cf1e535131a9a68499b832dc87fc9add29cbae0f6cc76ebc36fbf3",
 "mariner-preview.repo": "7b5731bce3d0c81647144822a886a01912e325db10f7519e105b5224a25f1568",
 "mariner-ui.repo": "3e434c6418de638ff919f373f666866d0e075b8f26deeec4b96fb47e1d62d9b3",
- "mariner-ui-preview.repo": "77a094a136cab2a927cffe92753e853f44b28607010cf48af7a2781edb7aded0"
+ "mariner-ui-preview.repo": "77a094a136cab2a927cffe92753e853f44b28607010cf48af7a2781edb7aded0",
+ "mariner-microsoft.repo": "135b5d5b925fd351cdd3db9063895dc79eb6d6c49d891d6507a5acd8a0c6effc",
+ "mariner-microsoft-preview.repo": "92e7b972026de175bf744525a8a2e40cff94b1cd5d6489a12d024ec57da02de3"
 }
 }
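Review bot: Both new repo definitions set `skip_if_unavailable=True` together with `enabled=1`, so a client that cannot fetch this repository's metadata would presumably carry on without it rather than fail. For a repository that can deliver fixes, that makes a blocked or broken endpoint easy to miss. If the setting is there to match the other Mariner repo files, say so in the file, for example `# skip_if_unavailable kept for parity with the other mariner-*.repo files`, and regenerate the hash in `mariner-repos.signatures.json` afterwards. Both files are also added with mode 100755 although they are plain configuration; the spec installs them with `install -m 644`, so 100644 in the tree would be consistent.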
diff --git a/SPECS/mariner-repos/mariner-repos.spec b/SPECS/mariner-repos/mariner-repos.spec index 419d51758c..5f201ea5dc 100644 --- a/SPECS/mariner-repos/mariner-repos.spec +++ b/SPECS/mariner-repos/mariner-repos.spec @@ -16,6 +16,8 @@ Source5: mariner-ui.repo Source6: mariner-ui-preview.repo Source7: mariner-extras.repo Source8: mariner-extras-preview.repo +Source9: mariner-microsoft.repo +Source10: mariner-microsoft-preview.repo Requires(post): gpgme Requires(post): rpm @@ -65,6 +67,23 @@ Requires: %{name} = %{version}-%{release} %description extras-preview %{summary} +%package microsoft +Summary: CBL-Mariner Microsoft repository. +Group: System Envrionment/Base +Requires: %{name} = %{version}-%{release} + +%description microsoft +%{summary} + +%package microsoft-preview +Summary: CBL-Mariner Microsoft Preview repository. +Group: System Envrionment/Base +Requires: %{name} = %{version}-%{release} + +%description microsoft-preview +%{summary} + + %install rm -rf %{buildroot} export REPO_DIRECTORY="%{buildroot}%{_sysconfdir}/yum.repos.d" @@ -76,6 +95,8 @@ install -m 644 %{SOURCE5} $REPO_DIRECTORY install -m 644 %{SOURCE6} $REPO_DIRECTORY install -m 644 %{SOURCE7} $REPO_DIRECTORY install -m 644 %{SOURCE8} $REPO_DIRECTORY +install -m 644 %{SOURCE9} $REPO_DIRECTORY +install -m 644 %{SOURCE10} $REPO_DIRECTORY export RPM_GPG_DIRECTORY="%{buildroot}%{_sysconfdir}/pki/rpm-gpg" 
@@ -124,8 +145,20 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90 %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/yum.repos.d/mariner-extras-preview.repo +%files microsoft +%defattr(-,root,root,-) +%config(noreplace) /etc/yum.repos.d/mariner-microsoft.repo + +%files microsoft-preview +%defattr(-,root,root,-) +%config(noreplace) /etc/yum.repos.d/mariner-microsoft-preview.repo + %changelog -* Thu Jul 08 2021 Jon Slobodzian - 2.0-1 + +* Tue Jul 13 2021 Jon Slobodzian - 2.0-1 +- Add microsoft and microsoft-preview repo configuration packages. +- These repos offer Mariner packages produced by partner teams within Microsoft on +- behalf of the Mariner team but are released on an independent cadence from Mariner. - Version update for 2.0. Formatting changes. * Fri Feb 19 2021 Mateusz Malisz - 1.0-13 diff --git a/SPECS/mc/mc.spec b/SPECS/mc/mc.spec index c963199a4e..24fd3fede1 100644 --- a/SPECS/mc/mc.spec +++ b/SPECS/mc/mc.spec @@ -41,7 +41,7 @@ make %{?_smp_mflags} -k check %exclude /usr/src %changelog -* Sat May 09 00:21:37 PST 2020 Nick Samson - 4.8.21-4 +* Sat May 09 2020 Nick Samson - 4.8.21-4 - Added %%license line automatically * Tue Apr 21 2020 Eric Li 4.8.21-3 diff --git a/SPECS/mcstrans/mcstrans.signatures.json b/SPECS/mcstrans/mcstrans.signatures.json new file mode 100644 index 0000000000..f31c85fa01 --- /dev/null +++ b/SPECS/mcstrans/mcstrans.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "mcstrans-3.2.tar.gz": "fafaf7614b7114b95c582643f8b2a6ae1605093fbaf3b571d9b01fc81fb70929", + "secolor.conf.8": "9f86a0b630281205ef5830339fa580f592b34524a3a11da670c01ccbed55f3f8" + } +} diff --git a/SPECS/mcstrans/mcstrans.spec b/SPECS/mcstrans/mcstrans.spec new file mode 100644 index 0000000000..813a1f7fef --- /dev/null +++ b/SPECS/mcstrans/mcstrans.spec 
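Review bot: The two new `%files` sections hard-code `/etc/yum.repos.d/...`, while the entry directly above them uses `%{_sysconfdir}/yum.repos.d/mariner-extras-preview.repo` and `%install` builds the target directory from `%{_sysconfdir}`. Write them as `%config(noreplace) %{_sysconfdir}/yum.repos.d/mariner-microsoft.repo` and `%config(noreplace) %{_sysconfdir}/yum.repos.d/mariner-microsoft-preview.repo` so the packaged path cannot drift from the installed one. The `%package` hunk earlier in this file also spells the group `System Envrionment/Base`; unless that mirrors the existing subpackages on purpose, `System Environment/Base` is the spelling the logrotate spec in this diff uses.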
@@ -0,0 +1,299 @@
+Summary: SELinux Translation Daemon
+Name: mcstrans
+Version: 3.2
+Release: 1%{?dist}
+License: GPLv2+
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/SELinuxProject/selinux/wiki
+Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: secolor.conf.8
+BuildRequires: gcc
+BuildRequires: libcap-devel
+BuildRequires: libselinux-devel >= %{version}
+BuildRequires: libsepol-devel >= %{version}
+BuildRequires: pcre-devel
+BuildRequires: systemd
+Requires: pcre
+Provides: setransd = %{version}-%{release}
+Provides: libsetrans = %{version}-%{release}
+Obsoletes: libsetrans <= %{version}-%{release}
+%{?systemd_requires}
+
+%description
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement®, Role-based Access
+Control, and Multi-level Security.
+
+mcstrans provides an translation daemon to translate SELinux categories
+from internal representations to user defined representation.
+ +%prep +%autosetup -p 1 -n mcstrans-%{version} + +%build +%{set_build_flags} +%make_build LIBDIR="%{_libdir}" CFLAGS="%{build_cflags} -fno-semantic-interposition" + +%install +mkdir -p %{buildroot}/%{_lib} +mkdir -p %{buildroot}%{_libdir} +mkdir -p %{buildroot}%{_datadir}/mcstrans +mkdir -p %{buildroot}%{_sysconfdir}/selinux/mls/setrans.d + +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" SBINDIR="%{_sbindir}" SYSTEMDDIR="/usr/lib/systemd" +rm -f %{buildroot}%{_libdir}/*.a +cp -r share/* %{buildroot}%{_datadir}/mcstrans/ + +# Systemd +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/mcstrans +install -m644 %{SOURCE1} %{buildroot}%{_mandir}/man8/ + +%post +%systemd_post mcstrans.service + +%preun +%systemd_preun mcstrans.service + +%postun +%systemd_postun mcstrans.service + +%files +%license COPYING +%{_mandir}/man8/mcs.8.gz +%{_mandir}/man8/mcstransd.8.gz +%{_mandir}/man5/setrans.conf.5.gz +%{_mandir}/ru/man8/mcs.8.gz +%{_mandir}/ru/man8/mcstransd.8.gz +%{_mandir}/ru/man5/setrans.conf.5.gz +%{_mandir}/man8/secolor.conf.8.gz +%{_sbindir}/mcstransd +%{_unitdir}/mcstrans.service +%dir %{_sysconfdir}/selinux/mls/setrans.d +%dir %{_datadir}/mcstrans + +%defattr(0644,root,root,0755) +%dir %{_datadir}/mcstrans/util +%dir %{_datadir}/mcstrans/examples +%{_datadir}/mcstrans/examples/* + +%defattr(0755,root,root,0755) +%{_datadir}/mcstrans/util/* + +%changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Update source URL to new format +- Lint spec +- License verified + +* Thu Aug 27 2020 Daniel Burgener - 2.9-3 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Mar 19 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 
2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 30 2019 Petr Lautrbach - 2.9-0.rc1.1 +- Update to mcstrans-2.9-rc1 + +* Tue Oct 2 2018 Petr Lautrbach - 2.8-1 +- Update to mcstrans-2.8 + +* Fri Jul 13 2018 Fedora Release Engineering - 0.3.4-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 0.3.4-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 0.3.4-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.3.4-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.3.4-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.3.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 0.3.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 0.3.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.3.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 19 2014 Karsten Hopp |karsten@redhat.com> - 0.3.4-4 +- fix changelog order so that it builds with a recent rpm + +* Wed Oct 16 2013 Dan Walsh - 0.3.4-3 +- Make mcstrans PIE and fully relro +- Resolves: #983268 + +* Tue Oct 15 2013 Dan Walsh - 0.3.4-2 +- Add RELRO support for long running services + +* Thu Sep 12 2013 Dan Walsh - 0.3.4-1 +- Update to latest version/applying patches +- Move binary to /usr/sbin rather then /sbin + +* Sat Aug 03 2013 Fedora Release Engineering - 0.3.3-8 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Mar 26 2013 Dan Walsh - 0.3.3-7 +- Add secolor.conf.5 man page +- Make mcstransd watch for content being written to /run/setrans for files names containing translations. +-- This will allow apps like libvirt to write content nameing randomly selected MCS labels +- Fix memory leak in mcstransd + +* Thu Feb 14 2013 Fedora Release Engineering - 0.3.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 0.3.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Feb 10 2012 Petr Pisar - 0.3.3-4 +- Rebuild against PCRE 8.30 + +* Thu Feb 2 2012 Dan Walsh - 0.3.3-3 +- Fix the systemd service file + +* Wed Feb 1 2012 Dan Walsh - 0.3.3-2 +- Update to upstream +- Write pid file + +* Fri Jan 13 2012 Fedora Release Engineering - 0.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.3.2-1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 5 2011 Ted X Toth - 0.3.2-0 +- Add constraints +- Add setrans.conf man page +- Fix mixed raw and translated range bug +- Moved todo comments to TODO file + +* Fri Oct 16 2009 Dan Walsh 0.3.1-4 +- Add mcstransd man page + +* Thu Sep 17 2009 Miroslav Grepl 0.3.1-3 +- Fix init script + +* Sat Jul 25 2009 Fedora Release Engineering - 0.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 5 2009 Joe Nall 0.3.1-1 +- Rewrite translations to allow individual word/category mapping +- Eamon Walsh's color mapping changes + +* Wed May 28 2008 Tom "spot" Callaway 0.2.11-2 +- fix license tag + +* Wed May 7 2008 Dan Walsh 0.2.11-1 +- More fixes from Jim Meyering + +* Tue May 6 2008 Dan Walsh 0.2.10-1 +- More error checking on failed strdup + +* Tue May 6 2008 Dan Walsh 0.2.9-1 +- Start mcstrans before netlabel + +* Mon Apr 14 2008 Dan Walsh 0.2.8-1 +- Fix error 
handling + +* Tue Feb 12 2008 Dan Walsh 0.2.7-2 +- Rebuild for gcc 4.3 + +* Tue Oct 30 2007 Steve Conklin - 0.2.7-1 +- Folded current patches into tarball + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-3 +- Fixed a compile problem with max_categories + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-2 +- Fixed some init script errors + +* Thu Sep 13 2007 Dan Walsh 0.2.6-1 +- Check for max_categories and error out + +* Thu Mar 1 2007 Dan Walsh 0.2.5-1 +- Fix case where s0="" + +* Mon Feb 26 2007 Dan Walsh 0.2.4-1 +- Translate range if fully specified correctly + +* Mon Feb 12 2007 Dan Walsh 0.2.3-1 +- Additional fix to handle ssh root/sysadm_r/s0:c1,c2 +Resolves: #224637 + +* Mon Feb 5 2007 Dan Walsh 0.2.1-1 +- Rewrite to handle MLS properly +Resolves: #225355 + +* Mon Jan 29 2007 Dan Walsh 0.1.10-2 +- Cleanup memory when complete + +* Mon Dec 4 2006 Dan Walsh 0.1.10-1 +- Fix Memory Leak +Resolves: #218173 + +* Thu Sep 21 2006 Dan Walsh 0.1.9-1 +- Add -pie +- Fix compiler warnings +- Fix Memory Leak +Resolves: #218173 + +* Wed Sep 13 2006 Peter Jones - 0.1.8-3 +- Fix subsys locking in init script + +* Wed Aug 23 2006 Dan Walsh 0.1.8-1 +- Only allow one version to run + +* Wed Jul 12 2006 Jesse Keating - sh: line 0: fg: no job control +- rebuild + +* Mon Jun 19 2006 Dan Walsh 0.1.7-1 +- Apply sgrubb patch to only call getpeercon on translations + +* Tue Jun 6 2006 Dan Walsh 0.1.6-1 +- Exit gracefully when selinux is not enabled + +* Mon May 15 2006 Dan Walsh 0.1.5-1 +- Fix sighup handling + +* Mon May 15 2006 Dan Walsh 0.1.4-1 +- Add patch from sgrubb +- Fix 64 bit size problems +- Increase the open file limit +- Make sure maximum size is not exceeded + +* Fri May 12 2006 Dan Walsh 0.1.3-1 +- Move initscripts to /etc/rc.d/init.d + +* Thu May 11 2006 Dan Walsh 0.1.2-1 +- Drop Privs + +* Mon May 8 2006 Dan Walsh 0.1.1-1 +- Initial Version +- This daemon reuses the code from libsetrans 
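Review bot: In `%build`, `%make_build` overrides `CFLAGS` on the make command line but passes no `LDFLAGS`, so whether `mcstransd` is linked with the distro's hardening flags depends on the upstream Makefile honouring the environment exported by `%{set_build_flags}`. The imported changelog records that PIE and full RELRO were added deliberately for this long-running daemon, so it is worth making this explicit. If the distro macros define it, append `LDFLAGS="%{build_ldflags}"` to the `%make_build` line and confirm the hardening properties of the built binary. In `%install`, `SYSTEMDDIR="/usr/lib/systemd"` is a literal while `%files` lists `%{_unitdir}/mcstrans.service`; `SYSTEMDDIR="%{_prefix}/lib/systemd"` would keep the two tied to the same macros.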
diff --git a/SPECS/mcstrans/secolor.conf.8 b/SPECS/mcstrans/secolor.conf.8 new file mode 100644 index 0000000000..2947aca996 --- /dev/null +++ b/SPECS/mcstrans/secolor.conf.8 
@@ -0,0 +1,180 @@
+.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation"
+.SH "NAME"
+secolor.conf \- The SELinux color configuration file
+.
+.SH "DESCRIPTION"
+The
+.I /etc/selinux/{SELINUXTYPE}/secolor.conf
+configuation file controls the color to be associated to the context components associated to the
+.I raw
+context passed by
+.BR selinux_raw_context_to_color "(3),"
+when context related information is to be displayed in color by an SELinux-aware application.
+.sp
+.BR selinux_raw_context_to_color "(3)"
+obtains this color information from the active policy
+.B secolor.conf
+file as returned by
+.BR selinux_colors_path "(3)."
+.
+.SH "FILE FORMAT"
+The file format is as follows:
+.RS
+.B color
+.I color_name
+.BI "= #"color_mask
+.br
+[...]
+.sp
+.I context_component string
+.B =
+.I fg_color_name bg_color_name
+.br
+[...]
+.sp
+.RE
+
+Where:
+.br
+.B color
+.RS
+The color keyword. Each color entry is on a new line.
+.RE
+.I color_name
+.RS
+A single word name for the color (e.g. red).
+.RE
+.I color_mask
+.RS
+A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
+.RE
+.I context_component
+.RS
+The context component name that must be one of the following:
+.br
+.RS
+user, role, type or range
+.RE
+Each
+.IR context_component " " string " ..."
+entry is on a new line.
+.RE
+.I string
+.RS
+This is the
+.I context_component
+string that will be matched with the
+.I raw
+context component passed by
+.BR selinux_raw_context_to_color "(3)."
+.br
+A wildcard '*' may be used to match any undefined string for the user, role and type
+.I context_component
+entries only.
+.RE
+
+.I fg_color_name
+.RS
+The color_name string that will be used as the foreground color.
+A
+.I color_mask
+may also be used.
+.RE
+.I bg_color_name
+.RS
+The color_name string that will be used as the background color.
+A
+.I color_mask
+may also be used.
+.RE
+.
+.SH "EXAMPLES" +Example 1 entries are: +.RS +color black = #000000 +.br +color green = #008000 +.br +color yellow = #ffff00 +.br +color blue = #0000ff +.br +color white = #ffffff +.br +color red = #ff0000 +.br +color orange = #ffa500 +.br +color tan = #D2B48C +.sp +user * = black white +.br +role * = white black +.br +type * = tan orange +.br +range s0\-s0:c0.c1023 = black green +.br +range s1\-s1:c0.c1023 = white green +.br +range s3\-s3:c0.c1023 = black tan +.br +range s5\-s5:c0.c1023 = white blue +.br +range s7\-s7:c0.c1023 = black red +.br +range s9\-s9:c0.c1023 = black orange +.br +range s15:c0.c1023 = black yellow +.RE + +.sp +Example 2 entries are: +.RS +color black = #000000 +.br +color green = #008000 +.br +color yellow = #ffff00 +.br +color blue = #0000ff +.br +color white = #ffffff +.br +color red = #ff0000 +.br +color orange = #ffa500 +.br +color tan = #d2b48c +.sp +user unconfined_u = #ff0000 green +.br +role unconfined_r = red #ffffff +.br +type unconfined_t = red orange +.br +user user_u = black green +.br +role user_r = white black +.br +type user_t = tan red +.br +user xguest_u = black yellow +.br +role xguest_r = black red +.br +type xguest_t = black green +.br +user sysadm_u = white black +.br +range s0:c0.c1023 = black white +.br +user * = black white +.br +role * = black white +.br +type * = black white +.RE +. +.SH "SEE ALSO" +.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)" diff --git a/SPECS/mlocate/mlocate.spec b/SPECS/mlocate/mlocate.spec index e2c7512501..3b8e048f36 100644 --- a/SPECS/mlocate/mlocate.spec +++ b/SPECS/mlocate/mlocate.spec @@ -48,7 +48,7 @@ mv %{buildroot}/%{_mandir}/man1/locate.1 %{buildroot}/%{_mandir}/man1/%{name}.1 %{_localstatedir}/* %changelog -* Sat May 09 00:20:54 PST 2020 Nick Samson - 0.26-4 +* Sat May 09 2020 Nick Samson - 0.26-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.26-3 
diff --git a/SPECS/moby-buildx/moby-buildx.spec b/SPECS/moby-buildx/moby-buildx.spec index 283d255b91..a49c0f78f7 100644 --- a/SPECS/moby-buildx/moby-buildx.spec +++ b/SPECS/moby-buildx/moby-buildx.spec @@ -1,7 +1,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKit Name: moby-buildx Version: 0.4.1+azure -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Group: Tools/Container @@ -79,6 +79,8 @@ cp %{SOURCE2} %{buildroot}/usr/share/doc/%{name}-%{version}/NOTICE %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Tue Jun 08 2021 Henry Beberman 0.4.1+azure-3 +- Increment release to force republishing using golang 1.15.13. * Thu Dec 10 2020 Andrew Phelps 0.4.1+azure-2 - Increment release to force republishing using golang 1.15. * Thu Jun 11 2020 Andrew Phelps 0.4.1+azure-1 diff --git a/SPECS/moby-cli/moby-cli.spec b/SPECS/moby-cli/moby-cli.spec index 488e9606fe..339f080359 100644 --- a/SPECS/moby-cli/moby-cli.spec +++ b/SPECS/moby-cli/moby-cli.spec @@ -1,7 +1,7 @@ Summary: The open-source application container engine client. Name: moby-cli Version: 19.03.15+azure -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Group: Tools/Container @@ -94,6 +94,9 @@ cp %{SOURCE2} %{buildroot}/usr/share/doc/%{name}-%{version}/LICENSE /usr/share/fish/vendor_completions.d/docker.fish %changelog +* Tue Jun 08 2021 Henry Beberman 19.03.15+azure-2 +- Increment release to force republishing using golang 1.15.13. + * Thu Apr 15 2021 Andrew Phelps 19.03.15+azure-1 - Update to version 19.03.15+azure - Rename 'md2man' to 'go-md2man' in md2man-all.sh diff --git a/SPECS/moby-containerd/CVE-2021-32760.patch b/SPECS/moby-containerd/CVE-2021-32760.patch new file mode 100644 index 0000000000..b98ce1bcf5 --- /dev/null +++ b/SPECS/moby-containerd/CVE-2021-32760.patch 
@@ -0,0 +1,79 @@ +From 45e9ebe3c91b258ad7489baaea3a1f6e0b42ceb4 Mon Sep 17 00:00:00 2001 +From: Derek McGowan +Date: Tue, 6 Jul 2021 12:37:54 -0700 +Subject: [PATCH] [release/1.4] Use chmod path for checking symlink + +Signed-off-by: Derek McGowan +--- + archive/tar_test.go | 35 +++++++++++++++++++++++++++++++++++ + archive/tar_unix.go | 2 +- + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/archive/tar_test.go b/archive/tar_test.go +index 568f5a95f..8ffd3f221 100644 +--- a/archive/tar_test.go ++++ b/archive/tar_test.go +@@ -243,6 +243,11 @@ func TestBreakouts(t *testing.T) { + return nil + } + errFileDiff := errors.New("files differ") ++ td, err := ioutil.TempDir("", "test-breakouts-") ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer os.RemoveAll(td) + + isSymlinkFile := func(f string) func(string) error { + return func(root string) error { +@@ -744,6 +749,36 @@ func TestBreakouts(t *testing.T) { + // resolution ends up just removing etc + validator: fileNotExists("etc/passwd"), + }, ++ { ++ ++ name: "HardlinkSymlinkChmod", ++ w: func() tartest.WriterToTar { ++ p := filepath.Join(td, "perm400") ++ if err := ioutil.WriteFile(p, []byte("..."), 0400); err != nil { ++ t.Fatal(err) ++ } ++ ep := filepath.Join(td, "also-exists-outside-root") ++ if err := ioutil.WriteFile(ep, []byte("..."), 0640); err != nil { ++ t.Fatal(err) ++ } ++ ++ return tartest.TarAll( ++ tc.Symlink(p, ep), ++ tc.Link(ep, "sketchylink"), ++ ) ++ }(), ++ validator: func(string) error { ++ p := filepath.Join(td, "perm400") ++ fi, err := os.Lstat(p) ++ if err != nil { ++ return err ++ } ++ if perm := fi.Mode() & os.ModePerm; perm != 0400 { ++ return errors.Errorf("%s perm changed from 0400 to %04o", p, perm) ++ } ++ return nil ++ }, ++ }, + } + + for _, bo := range breakouts { +diff --git a/archive/tar_unix.go b/archive/tar_unix.go +index 6e89d2fdb..c22e79bf2 100644 +--- a/archive/tar_unix.go ++++ b/archive/tar_unix.go +@@ -113,7 +113,7 @@ func handleTarTypeBlockCharFifo(hdr 
*tar.Header, path string) error { + + func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error { + if hdr.Typeflag == tar.TypeLink { +- if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) { ++ if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) { + if err := os.Chmod(path, hdrInfo.Mode()); err != nil && !os.IsNotExist(err) { + return err + } +-- +2.32.0 diff --git a/SPECS/moby-containerd/generate-sources.sh b/SPECS/moby-containerd/generate-sources.sh index ed26a60dac..d8f8596934 100755 --- a/SPECS/moby-containerd/generate-sources.sh +++ b/SPECS/moby-containerd/generate-sources.sh @@ -5,8 +5,8 @@ # Git clone is a standard practice of producing source files for moby-* packages. CONTAINERD_REPO=https://github.com/containerd/containerd.git -CONTAINERD_COMMIT=814b7956fafc7a0980ea07e950f983d0837e5578 -VERSION=1.3.4+azure +CONTAINERD_COMMIT=05f951a3781f4f2c1911b05e61c160e9c30eaa8e +VERSION=1.4.4+azure mkdir -p /build/containerd-src cd /build/containerd-src @@ -15,7 +15,11 @@ git fetch --tags origin ${CONTAINERD_COMMIT} git checkout ${CONTAINERD_COMMIT} cd /build/ -tar -C /build/containerd-src -czf ./moby-containerd-${VERSION}.tar.gz . +tar --sort=name \ + --mtime="2021-04-26 00:00Z" \ + --owner=0 --group=0 --numeric-owner \ + --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ + -C /build/containerd-src -czf ./moby-containerd-${VERSION}.tar.gz . rm -rf /build/containerd-src echo "sources generated successfully @ /build/moby-containerd-${VERSION}.tar.gz" \ No newline at end of file diff --git a/SPECS/moby-containerd/moby-containerd.signatures.json b/SPECS/moby-containerd/moby-containerd.signatures.json index 73c23d4df4..9282f6fc2d 100644 --- a/SPECS/moby-containerd/moby-containerd.signatures.json +++ b/SPECS/moby-containerd/moby-containerd.signatures.json 
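Review bot: The one-line fix in `handleLChmod` has no comment saying why the check must run on `path`, which makes it easy to regress in a later refactor. I would add `// Lstat the extracted entry itself: os.Chmod follows symlinks, so a hard-link entry that is a symlink on disk must be skipped (CVE-2021-32760).` above the `os.Lstat(path)` line. The check and the `os.Chmod(path, ...)` after it are still two separate path lookups, so the guarantee presumably relies on nothing else writing into the extraction root during unpack; that assumption belongs in the same comment. The function body continues past the end of the patch hunk.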
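Review bot: Nothing visible in this script stops it when `git fetch` or `git checkout ${CONTAINERD_COMMIT}` fails, so the tarball could be built from whatever the clone left checked out while the final `echo` still reports success. Unless the top of the file (outside this hunk) already sets it, add `set -e` after the shebang and verify the tree before archiving with `[ "$(git rev-parse HEAD)" = "${CONTAINERD_COMMIT}" ] || exit 1`. The new `SPECS/moby-runc/generate-sources.sh` added in this commit has the same gap; its whole file is visible and contains no `set -e`.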
@@ -4,6 +4,6 @@ "NOTICE": "2fdaf93393511be4091774d401986e318fc3f335352f8276758832e605f8758e", "containerd.service": "2449216ee019ebfcb5756a5ab701558425c7d444bab05e82d6ddabe3e0b097ef", "containerd.toml": "167fb1035c983638e56f4a20bb8e6bfe1fd280c8ca9ee00a7c7358a5ca3be9f5", - "moby-containerd-1.3.4+azure.tar.gz": "10cc5c901d1e74e457bd0bed606bb03ef39563ebce0d62e14793372055108ae3" + "moby-containerd-1.4.4+azure.tar.gz": "ec4b32f9a66bb9aa26f825c9cd333123732905c96c792a06efdabcae83cd1925" } } \ No newline at end of file diff --git a/SPECS/moby-containerd/moby-containerd.spec b/SPECS/moby-containerd/moby-containerd.spec index a5d57297d8..7405e6a353 100644 --- a/SPECS/moby-containerd/moby-containerd.spec +++ b/SPECS/moby-containerd/moby-containerd.spec @@ -2,7 +2,7 @@ Summary: Industry-standard container runtime Name: moby-containerd -Version: 1.3.4+azure +Version: 1.4.4+azure Release: 2%{?dist} License: ASL 2.0 Group: Tools/Container @@ -17,6 +17,7 @@ Source1: containerd.service Source2: containerd.toml Source3: NOTICE Source4: LICENSE +Patch0: CVE-2021-32760.patch URL: https://www.containerd.io Vendor: Microsoft Corporation Distribution: Mariner @@ -69,6 +70,7 @@ used directly by developers or end-users. %prep %setup -q -n %{name}-%{version} -c +%patch0 -p1 mkdir -p %{OUR_GOPATH}/src/github.com/containerd ln -sfT %{_topdir}/BUILD/%{name}-%{version} %{OUR_GOPATH}/src/github.com/containerd/containerd @@ -133,6 +135,12 @@ fi %{_mandir}/*/* %changelog +* Mon Jul 19 2021 Neha Agarwal 1.4.4+azure-2 +- CVE-2021-32760 fix +* Mon Jul 12 2021 Andrew Phelps 1.4.4+azure-1 +- Update to version 1.4.4+azure +* Tue Jun 08 2021 Henry Beberman 1.3.4+azure-3 +- Increment release to force republishing using golang 1.15.13. * Thu Dec 10 2020 Andrew Phelps 1.3.4+azure-2 - Increment release to force republishing using golang 1.15. * Thu Jun 11 2020 Andrew Phelps 1.3.4+azure-1 diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 2a8f2b359a..225f39bf4a 100644 
--- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -1,7 +1,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 19.03.15+azure -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Group: Tools/Container @@ -149,6 +149,9 @@ fi /usr/share/doc/%{name}-%{version}/* %changelog +* Tue Jun 08 2021 Henry Beberman 19.03.15+azure-2 +- Increment release to force republishing using golang 1.15.13. + * Thu Apr 15 2021 Andrew Phelps 19.03.15+azure-1 - Update to version 19.03.15+azure diff --git a/SPECS/moby-runc/generate-sources.sh b/SPECS/moby-runc/generate-sources.sh new file mode 100755 index 0000000000..9baeb9556b --- /dev/null +++ b/SPECS/moby-runc/generate-sources.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +# This script generates the sources for moby-buildx package. +# Git clone is a standard practice of producing source files for moby-* packages. + +RUNC_REPO=https://github.com/opencontainers/runc.git +RUNC_COMMIT=b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7 +VERSION=v1.0.0-rc95 + +mkdir -p /build/runc-src +cd /build/runc-src +git clone ${RUNC_REPO} +cd runc +git fetch --tags origin ${RUNC_COMMIT} +git checkout ${RUNC_COMMIT} +cd /build/ +tar -C /build/runc-src -czf ./runc-${VERSION}.tar.gz . +rm -rf /build/runc-src + +echo "sources generated successfully @ /build/runc-${VERSION}.tar.gz" diff --git a/SPECS/moby-runc/getgosyssources.sh b/SPECS/moby-runc/getgosyssources.sh index 049e9487e9..f2109c2815 100755 --- a/SPECS/moby-runc/getgosyssources.sh +++ b/SPECS/moby-runc/getgosyssources.sh @@ -5,7 +5,7 @@ # golang sys sources are git cloned to latest commit. GOLANG_SYS=https://github.com/golang/sys.git -GOLANG_SYS_COMMIT=669c56c373c468cbe0f0c12b7939832b26088d33 +GOLANG_SYS_COMMIT=b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d mkdir -p /build/work/sys-master cd /build/work/sys-master 
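Review bot: The new runc script archives with a plain `tar -C /build/runc-src -czf`, while the containerd script changed in this same commit switches to sorted names, a fixed mtime, numeric root ownership and the pax options. Without those flags, re-running the script is unlikely to reproduce the hash recorded for `runc-v1.0.0-rc95.tar.gz` in `moby-runc.signatures.json`, so that hash cannot be checked independently. I would reuse the containerd flag set as below; the `--mtime` value is copied from that script and can be any fixed date. The header comment also names the wrong package and should read `# This script generates the sources for the moby-runc package.`

```shell
git checkout ${RUNC_COMMIT}
cd /build/
tar --sort=name \
    --mtime="2021-04-26 00:00Z" \
    --owner=0 --group=0 --numeric-owner \
    --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
    -C /build/runc-src -czf ./runc-${VERSION}.tar.gz .
# … unchanged: cleanup of /build/runc-src and the success message …
```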
@@ -18,7 +18,7 @@ rm -rf /build/work # golang crypto sources are git cloned to latest commit. GOLANG_CRYPO=https://github.com/golang/crypto.git -GOLANG_CRYPTO_COMMIT=0848c9571904fcbcb24543358ca8b5a7dbfde875 +GOLANG_CRYPTO_COMMIT=c07d793c2f9aacf728fe68cbd7acd73adbd04159 mkdir -p /build/work/crypto-master cd /build/work/crypto-master diff --git a/SPECS/moby-runc/moby-runc.signatures.json b/SPECS/moby-runc/moby-runc.signatures.json index 1e2fe60891..62806738d9 100644 --- a/SPECS/moby-runc/moby-runc.signatures.json +++ b/SPECS/moby-runc/moby-runc.signatures.json @@ -2,11 +2,11 @@ "Signatures": { "LICENSE": "a382e75d3b80971ffb0c863fd8922da48564cfdf8dd30e5c918334a0b6521c05", "NOTICE": "cc96602ba377f696d7b92b09e67a4ae74d81985f6c22501acc41267e8aa5c302", - "golang-crypto-0848c9571904fcbcb24543358ca8b5a7dbfde875.tar.gz": "250b757fddd894b62ba13f6aaef4c955e966912de51cee0eddd2a36522c3abb7", - "golang-sys-669c56c373c468cbe0f0c12b7939832b26088d33.tar.gz": "df0a725a833f571b2f64fbec89e15b137d8656125a868c5aa232bb2905e6b5b7", - "logrus-v1.4.1.tar.gz": "aecd75cfc00edfc8d8bdb013d2cee2a5da686fce31c5cf2ae314ce4642c8e139", - "runc-v1.0.0-rc10.tar.xz": "c823307ce8695af05381c5c25a92daacd6219c674d8bebaa0e1bff801c2b1f24", + "golang-crypto-c07d793c2f9aacf728fe68cbd7acd73adbd04159.tar.gz": "b7e8935189ea46c67eedafe6a97aefbdc2bf71dd9097fb7ee8a2a8ebc7556e7e", + "golang-sys-b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d.tar.gz": "23703a84893a1cb53d3efbb46143451431b95b78d29ef1e02132cd580bb3a445", + "logrus-v1.8.1.tar.gz": "e9492c08ac8f202b438ccfb992bf81b7860739cf8f2266958e0c574c7abfdd74", + "runc-v1.0.0-rc95.tar.gz": "aa99fc1f018e0882491b771a0bb7f6ffeda3668e9936a079a5b305441e8e85d3", "runtime-spec-v1.0.2.tar.gz": "0933a1ba6e418fe020993e80426107da8de3572f3f20b4cd1ef296de6e62bb61", - "urfave-cli-v1.22.4.tar.gz": "83d628fdd261accd4dc0b232bfc8ff06e734ec5137e134a8cee916693a8bb117" + "urfave-cli-v2.3.0.tar.gz": "b17376246f1477157daab86d4a1562d6b004f5be0d15dfc61ebd8bb129384e6b" } } \ No newline at end of file 
diff --git a/SPECS/moby-runc/moby-runc.spec b/SPECS/moby-runc/moby-runc.spec index 8a19fda5ed..95b1097f16 100644 --- a/SPECS/moby-runc/moby-runc.spec +++ b/SPECS/moby-runc/moby-runc.spec @@ -1,22 +1,23 @@ Summary: CLI tool for spawning and running containers per OCI spec. Name: moby-runc -Version: 1.0.0~rc10+azure -Release: 5%{?dist} +Version: 1.0.0~rc95+azure +Release: 2%{?dist} License: ASL 2.0 URL: https://runc.io/ -#Source0: https://github.com/opencontainers/runc/releases/download/v1.0.0-rc10/runc.tar.xz -Source0: runc-v1.0.0-rc10.tar.xz -#Source1: https://github.com/sirupsen/logrus/archive/v1.4.1.tar.gz -Source1: logrus-v1.4.1.tar.gz +# See generate-sources.sh for creating runc source tarball +#Source0: https://github.com/opencontainers/runc/releases/download/v1.0.0-rc95/runc.tar.xz +Source0: runc-v1.0.0-rc95.tar.gz +#Source1: https://github.com/sirupsen/logrus/archive/v1.8.1.tar.gz +Source1: logrus-v1.8.1.tar.gz #Source2: https://github.com/opencontainers/runtime-spec/archive/v1.0.2.tar.gz Source2: runtime-spec-v1.0.2.tar.gz -#Source3: https://github.com/urfave/cli/archive/v1.22.4.tar.gz -Source3: urfave-cli-v1.22.4.tar.gz +#Source3: https://github.com/urfave/cli/archive/v2.3.0.tar.gz +Source3: urfave-cli-v2.3.0.tar.gz # golang sys and crypto sources are git cloned to latest commit. # Please look for ./getgosources.sh for more details. -Source4: https://github.com/golang/sys/archive/golang-sys-669c56c373c468cbe0f0c12b7939832b26088d33.tar.gz -Source5: https://github.com/golang/crypto/archive/golang-crypto-0848c9571904fcbcb24543358ca8b5a7dbfde875.tar.gz +Source4: https://github.com/golang/sys/archive/golang-sys-b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d.tar.gz +Source5: https://github.com/golang/crypto/archive/golang-crypto-c07d793c2f9aacf728fe68cbd7acd73adbd04159.tar.gz Source6: NOTICE Source7: LICENSE 
@@ -60,7 +61,7 @@ runC is a CLI tool for spawning and running containers according to the OCI spec %prep %setup -q -n %{name}-%{version} -c mkdir -p %{OUR_GOPATH}/src/github.com/opencontainers -ln -sfT %{_topdir}/BUILD/%{name}-%{version}/runc-1.0.0-rc10 %{OUR_GOPATH}/src/github.com/opencontainers/runc +ln -svfT %{_topdir}/BUILD/%{name}-%{version}/runc %{OUR_GOPATH}/src/github.com/opencontainers/runc pushd .. @@ -76,8 +77,8 @@ mkdir -p %{OUR_GOPATH}/src/github.com/urfave/ mkdir -p %{OUR_GOPATH}/src/golang.org/x/ ln -sfT %{_topdir}/BUILD/%{name}-%{version}/runtime-spec-1.0.2 %{OUR_GOPATH}/src/github.com/opencontainers/runtime-spec -ln -sfT %{_topdir}/BUILD/%{name}-%{version}/logrus-1.4.1 %{OUR_GOPATH}/src/github.com/sirupsen/logrus -ln -sfT %{_topdir}/BUILD/%{name}-%{version}/cli-1.22.4 %{OUR_GOPATH}/src/github.com/urfave/cli +ln -sfT %{_topdir}/BUILD/%{name}-%{version}/logrus-1.8.1 %{OUR_GOPATH}/src/github.com/sirupsen/logrus +ln -sfT %{_topdir}/BUILD/%{name}-%{version}/cli-2.3.0 %{OUR_GOPATH}/src/github.com/urfave/cli ln -sfT %{_topdir}/BUILD/%{name}-%{version}/sys-master %{OUR_GOPATH}/src/golang.org/x/sys ln -sfT %{_topdir}/BUILD/%{name}-%{version}/crypto-master %{OUR_GOPATH}/src/golang.org/x/crypto @@ -113,6 +114,14 @@ cp %{SOURCE7} %{buildroot}/usr/share/doc/%{name}-%{version}/LICENSE %{_mandir}/*/* %changelog +* Tue Jun 08 2021 Henry Beberman 1.0.0~rc95+azure-2 +- Increment release to force republishing using golang 1.15.13. +* Wed May 19 2021 Andrew Phelps 1.0.0~rc95+azure-1 +- Update to version 1.0.0~rc95+azure to fix CVE-2021-30465 +* Thu May 13 2021 Andrew Phelps 1.0.0~rc94+azure-1 +- Update to version 1.0.0~rc94+azure +* Mon Apr 26 2021 Nicolas Guibourge 1.0.0~rc10+azure-6 +- Increment release to force republishing using golang 1.15.11. * Thu Dec 10 2020 Andrew Phelps 1.0.0~rc10+azure-5 - Increment release to force republishing using golang 1.15. * Wed May 20 2020 Joe Schmitt 1.0.0~rc10+azure-4 
diff --git a/SPECS/mpfr/mpfr.spec b/SPECS/mpfr/mpfr.spec index 2f77f2ad35..08b19ade1e 100644 --- a/SPECS/mpfr/mpfr.spec +++ b/SPECS/mpfr/mpfr.spec @@ -65,7 +65,7 @@ make %{?_smp_mflags} check %{_docdir}/mpfr-%{version}/COPYING %changelog -* Sat May 09 00:20:52 PST 2020 Nick Samson - 4.0.1-3 +* Sat May 09 2020 Nick Samson - 4.0.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.0.1-2 diff --git a/SPECS/nano/nano.spec b/SPECS/nano/nano.spec index 99835bfbf9..90113ec878 100644 --- a/SPECS/nano/nano.spec +++ b/SPECS/nano/nano.spec @@ -53,7 +53,7 @@ make %{?_smp_mflags} check %{_datadir}/doc/%{name}-%{version}/* %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 3.0-3 +* Sat May 09 2020 Nick Samson - 3.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.0-2 diff --git a/SPECS/nasm/nasm.spec b/SPECS/nasm/nasm.spec index 1f82e1b7a1..aef62e8e17 100644 --- a/SPECS/nasm/nasm.spec +++ b/SPECS/nasm/nasm.spec @@ -27,7 +27,7 @@ make %{?_smp_mflags} -k test %{_bindir}/* %{_datadir}/* %changelog -* Sat May 09 00:21:14 PST 2020 Nick Samson - 2.13.03-5 +* Sat May 09 2020 Nick Samson - 2.13.03-5 - Added %%license line automatically * Mon May 04 2020 Emre Girgin 2.13.03-4 diff --git a/SPECS/net-tools/net-tools.spec b/SPECS/net-tools/net-tools.spec index 4be09b3a1d..caefa4ddde 100644 --- a/SPECS/net-tools/net-tools.spec +++ b/SPECS/net-tools/net-tools.spec 
@@ -119,41 +119,41 @@ rm -rf %{buildroot}/* * Sat May 09 2020 Nick Samson - 1.60-14 - Added %%license line automatically -* Mon Apr 13 2020 Eric Li 1.60-13 -- Update Source0: and delete sha1. Verified license. Fixed URL. +* Mon Apr 13 2020 Eric Li 1.60-13 +- Update Source0: and delete sha1. Verified license. Fixed URL. -* Tue Sep 03 2019 Mateusz Malisz 1.60-12 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.60-12 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Oct 02 2017 Alexey Makhalov 1.60-11 -- Added conflicts toybox +* Mon Oct 02 2017 Alexey Makhalov 1.60-11 +- Added conflicts toybox -* Wed Dec 14 2016 Alexey Makhalov 1.60-10 -- Fix compilation issue with linux-4.9 +* Wed Dec 14 2016 Alexey Makhalov 1.60-10 +- Fix compilation issue with linux-4.9 -* Wed Nov 16 2016 Alexey Makhalov 1.60-9 -- Remove iputils deps. +* Wed Nov 16 2016 Alexey Makhalov 1.60-9 +- Remove iputils deps. -* Tue Oct 04 2016 ChangLee 1.60-8 -- Modified %check +* Tue Oct 04 2016 ChangLee 1.60-8 +- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 1.60-7 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.60-7 +- GA - Bump release of all rpms -* Thu Feb 4 2016 Alexey Makhalov 1.60-6 -- Apply all patches from 1.60-26ubuntu1. +* Thu Feb 4 2016 Alexey Makhalov 1.60-6 +- Apply all patches from 1.60-26ubuntu1. -* Fri Jan 22 2016 Alexey Makhalov 1.60-5 -- Added net-tools-1.60-manydevs.patch +* Fri Jan 22 2016 Alexey Makhalov 1.60-5 +- Added net-tools-1.60-manydevs.patch -* Fri Nov 6 2015 Alexey Makhalov 1.60-4 -- Added ipv6 support. Include hostname and dnshostname. +* Fri Nov 6 2015 Alexey Makhalov 1.60-4 +- Added ipv6 support. Include hostname and dnshostname. 
-* Thu Oct 22 2015 Harish Udaiya Kumar 1.60-3 -- Added changes to replace inetutils with net-tools +* Thu Oct 22 2015 Harish Udaiya Kumar 1.60-3 +- Added changes to replace inetutils with net-tools -* Thu Jul 30 2015 Divya Thaluru 1.60-2 -- Disable building with parallel threads +* Thu Jul 30 2015 Divya Thaluru 1.60-2 +- Disable building with parallel threads -* Mon Jul 13 2015 Divya Thaluru 1.60-1 -- Initial build. First version +* Mon Jul 13 2015 Divya Thaluru 1.60-1 +- Initial build. First version diff --git a/SPECS/nettle/nettle.spec b/SPECS/nettle/nettle.spec index 541ddd4f06..46515f7746 100644 --- a/SPECS/nettle/nettle.spec +++ b/SPECS/nettle/nettle.spec @@ -65,7 +65,7 @@ make %{?_smp_mflags} check %changelog * Mon Apr 12 2021 Rachel Menge - 3.7.2-1 - Update to 3.7.2 for CVE-2021-20305 -* Sat May 09 00:20:58 PST 2020 Nick Samson - 3.4.1-2 +* Sat May 09 2020 Nick Samson - 3.4.1-2 - Added %%license line automatically * Mon Mar 16 2020 Henry Beberman 3.4.1-1 - Update to 3.4.1. Licence verified. diff --git a/SPECS/nghttp2/nghttp2.spec b/SPECS/nghttp2/nghttp2.spec index 3530aa6a5f..dbf85b2ad2 100644 --- a/SPECS/nghttp2/nghttp2.spec +++ b/SPECS/nghttp2/nghttp2.spec @@ -70,7 +70,7 @@ rm %{buildroot}/%{_libdir}/*.la - License verified. - Removed %%sha1 macro. -* Sat May 09 00:20:46 PST 2020 Nick Samson - 1.33.0-3 +* Sat May 09 2020 Nick Samson - 1.33.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz - 1.33.0-2 diff --git a/SPECS/nginx/CVE-2019-20372.patch b/SPECS/nginx/CVE-2019-20372.patch deleted file mode 100644 index ed5ad95f08..0000000000 --- a/SPECS/nginx/CVE-2019-20372.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c -index 4ffb2cc..76e6705 100644 ---- a/src/http/ngx_http_special_response.c -+++ b/src/http/ngx_http_special_response.c -@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) - return ngx_http_named_location(r, &uri); - } - -+ r->expect_tested = 1; -+ -+ if (ngx_http_discard_request_body(r) != NGX_OK) { -+ r->keepalive = 0; -+ } -+ - location = ngx_list_push(&r->headers_out.headers); - - if (location == NULL) { diff --git a/SPECS/nginx/nginx.signatures.json b/SPECS/nginx/nginx.signatures.json index 388ce88bc7..55f753dcf8 100644 --- a/SPECS/nginx/nginx.signatures.json +++ b/SPECS/nginx/nginx.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "nginx-1.16.1.tar.gz": "f11c2a6dd1d3515736f0324857957db2de98be862461b5a542a3ac6188dbe32b", + "nginx-1.20.1.tar.gz": "e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49", "nginx-njs-0.2.1.tar.gz": "1e9d6692d47ba1a529139dcc238585ae0e23d1543f25d85fc6516a2f241dbc11", "nginx.service": "73a1321ae35eafc4e02614cde224fc0bf20ceba97f969b3373dd73c15c22a0e1" } diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec index 16ed5c5f8e..04d7290b44 100644 --- a/SPECS/nginx/nginx.spec +++ b/SPECS/nginx/nginx.spec @@ -1,8 +1,8 @@ %define sha1 nginx-njs=fd8c3f2d219f175be958796e3beaa17f3b465126 Summary: High-performance HTTP server and reverse proxy Name: nginx -Version: 1.16.1 -Release: 4%{?dist} +Version: 1.20.1 +Release: 1%{?dist} License: BSD 2-Clause Vendor: Microsoft Corporation Distribution: Mariner @@ -11,8 +11,7 @@ URL: https://nginx.org/ Source0: https://nginx.org/download/%{name}-%{version}.tar.gz Source1: nginx.service Source2: nginx-njs-0.2.1.tar.gz -Patch0: CVE-2019-20372.patch -Patch1: CVE-2009-4487.nopatch +Patch0: CVE-2009-4487.nopatch BuildRequires: openssl-devel BuildRequires: pcre-devel BuildRequires: which 
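Review bot: `CVE-2019-20372.patch` is dropped here, but as far as the three nginx.spec hunks show, no `%changelog` entry records either the move to 1.20.1-1 or the removal of the patch. The only changelog hunk reformats the 1.16.1-2 date line, and its line offset matches the single line removed in this hunk. The patch is presumably dropped because 1.20.1 already contains the upstream fix, and an audit of CVE coverage needs that stated. I would add a top entry with a bullet such as `- Update to version 1.20.1. Remove CVE-2019-20372.patch (fixed upstream).`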
@@ -89,8 +88,8 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_libdir}/systemd/system/nginx.servic * Wed Feb 10 2021 Henry Li - 1.16.1-3 - Add Provides for nginx-filesystem from nginx -* Sat May 09 00:21:09 PST 2020 Nick Samson - 1.16.1-2 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 1.16.1-2 +- Added %%license line automatically * Fri Mar 13 2020 Paul Monson 1.16.1-1 - Update to version 1.16.1. License verified. diff --git a/SPECS/nmap/nmap-unix_crash.patch b/SPECS/nmap/nmap-unix_crash.patch new file mode 100644 index 0000000000..feb8f7a9ca --- /dev/null +++ b/SPECS/nmap/nmap-unix_crash.patch @@ -0,0 +1,32 @@ +From f6b40614e4a8131394792d590965f8af3c635323 Mon Sep 17 00:00:00 2001 +From: nnposter +Date: Fri, 16 Oct 2020 02:54:52 +0000 +Subject: [PATCH] Fix a Unix domain socket crash. Fixes #2154 + +--- + CHANGELOG | 2 ++ + ncat/ncat_main.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ncat/ncat_main.c b/ncat/ncat_main.c +index 8942d83cb9..2792a6ac24 100644 +--- a/ncat/ncat_main.c ++++ b/ncat/ncat_main.c +@@ -846,7 +846,7 @@ int main(int argc, char *argv[]) + targetaddrs->addr.un.sun_family = AF_UNIX; + strncpy(targetaddrs->addr.un.sun_path, argv[optind], sizeof(targetaddrs->addr.un.sun_path)); + targetaddrs->addrlen = SUN_LEN(&targetaddrs->addr.un); +- o.target = argv[optind]; ++ o.sslservername = o.target = argv[optind]; + optind++; + } else + #endif +@@ -865,7 +865,7 @@ int main(int argc, char *argv[]) + targetaddrs->addr.vm.svm_cid = long_cid; + + targetaddrs->addrlen = sizeof(targetaddrs->addr.vm); +- o.target = argv[optind]; ++ o.sslservername = o.target = argv[optind]; + optind++; + } + } else diff --git a/SPECS/nmap/nmap.spec b/SPECS/nmap/nmap.spec index f4b62a1b6e..5331f0a559 100644 --- a/SPECS/nmap/nmap.spec +++ b/SPECS/nmap/nmap.spec 
@@ -1,13 +1,15 @@ Summary: Nmap Network Mapper Name: nmap Version: 7.90 -Release: 2%{?dist} +Release: 3%{?dist} License: Nmap Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/System URL: https://nmap.org/ Source0: https://nmap.org/dist/%{name}-%{version}.tar.bz2 +## https://github.com/nmap/nmap/commit/f6b40614e4a8131394792d590965f8af3c635323.patch +Patch0: nmap-unix_crash.patch BuildRequires: binutils BuildRequires: gcc BuildRequires: kernel-headers @@ -58,8 +60,15 @@ ln -s ncat %{buildroot}%{_bindir}/nc %{_bindir}/nc %changelog +* Tue Aug 10 2021 Jon Slobodzian 7.90-3 +- Bumped version for merge. + +* Mon May 17 2021 Suresh Babu Chalamalasetty 7.90-2 (merge from 1.0 branch) +- nmap-unix_crash.patch fix for crash with unix sockets. + * Mon May 03 2021 Thomas Crain - 7.90-2 -- Remove zenmap/ndiff from configuration +- Remove zenmap/ndiff from configuration + * Tue Feb 02 2021 Henry Beberman - 7.90-1 - Add nmap spec diff --git a/SPECS/node-problem-detector/add_mariner_OSVersion.patch b/SPECS/node-problem-detector/add_mariner_OSVersion.patch new file mode 100644 index 0000000000..19e0889018 --- /dev/null +++ b/SPECS/node-problem-detector/add_mariner_OSVersion.patch @@ -0,0 +1,12 @@ +diff -Naur a/pkg/util/helpers_linux.go b/pkg/util/helpers_linux.go +--- a/pkg/util/helpers_linux.go 2021-05-14 17:05:59.000000000 -0700 ++++ b/pkg/util/helpers_linux.go 2021-06-15 12:26:43.919828110 -0700 +@@ -57,6 +58,8 @@ + return getDebianVersion(osReleaseMap), nil + case "rhel": + return getDebianVersion(osReleaseMap), nil ++ case "mariner": ++ return getDebianVersion(osReleaseMap), nil + default: + return "", fmt.Errorf("Unsupported ID in /etc/os-release: %q", osReleaseMap["ID"]) + } diff --git a/SPECS/node-problem-detector/node-problem-detector.signatures.json b/SPECS/node-problem-detector/node-problem-detector.signatures.json new file mode 100644 index 0000000000..eb85ec4d6c --- /dev/null +++ b/SPECS/node-problem-detector/node-problem-detector.signatures.json 
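Review bot: `Patch0: nmap-unix_crash.patch` is declared here, but neither nmap.spec hunk touches `%prep`, so the patch is only applied if `%prep` (outside the hunks) already uses `%autosetup` or has a `%patch0` line. If it uses plain `%setup -q`, add `%patch0 -p1` after it; otherwise the 7.90-3 build ships without the Unix-socket crash fix that the changelog announces. The second hunk's changelog also carries two different entries labelled 7.90-2, which leaves it unclear which release first included the patch.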
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "node-problem-detector-0.8.8.tar.gz": "29b40175a96b524ecc8bb4bf85e12309b789d9c16b5b242af3f0e20b6c89b6df"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/node-problem-detector/node-problem-detector.spec b/SPECS/node-problem-detector/node-problem-detector.spec
new file mode 100644
index 0000000000..a8a568b1a0
--- /dev/null
+++ b/SPECS/node-problem-detector/node-problem-detector.spec
@@ -0,0 +1,68 @@ +Summary: Kubernetes daemon to detect and report node issues +Name: node-problem-detector +Version: 0.8.8 +Release: 1%{?dist} +License: ASL 2.0 +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment/Daemons +URL: https://github.com/kubernetes/node-problem-detector +Source0: https://github.com/kubernetes/%{name}/archive/refs/tags/%{name}-%{version}.tar.gz +Patch0: remove_windows_build.patch +Patch1: add_mariner_OSVersion.patch +BuildRequires: golang +BuildRequires: systemd-devel +ExclusiveArch: x86_64 + +%description +node-problem-detector aims to make various node problems visible to the +upstream layers in the cluster management stack. It is a daemon that +runs on each node, detects node problems and reports them to apiserver. + +%package config +Summary: Default configs for node-problem-detector +Requires: node-problem-detector + +%description config +Default configuration files for node-problem-detector + +%prep +%autosetup -p1 + +%build +%make_build build-binaries VERSION=%{version} + +%install +mkdir -p %{buildroot}%{_bindir}/ +install -vdm 755 %{buildroot}/%{_bindir} +install -pm 755 output/linux_amd64/bin/node-problem-detector %{buildroot}%{_bindir}/ +install -pm 755 output/linux_amd64/bin/health-checker %{buildroot}%{_bindir}/ +install -pm 755 output/linux_amd64/bin/log-counter %{buildroot}%{_bindir}/ + +install -vdm 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d +cp -R config %{buildroot}%{_sysconfdir}/node-problem-detector.d + +chmod 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d/config/plugin/check_ntp.sh +chmod 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d/config/plugin/network_problem.sh + +%check +make test + +%files +%license LICENSE +%defattr(-,root,root,0755) +%{_bindir}/node-problem-detector +%{_bindir}/health-checker +%{_bindir}/log-counter + +%files config +%license LICENSE +%defattr(-,root,root,0755) +%config(noreplace) %{_sysconfdir}/node-problem-detector.d/* + +%changelog +* 
Tue Jun 15 2021 Henry Beberman - 0.8.8-1 +- Add node-problem-detector spec. +- Add Mariner to OSVersion detection and disable exe builds in makefile. +- License verified +- Original version for CBL-Mariner diff --git a/SPECS/node-problem-detector/remove_windows_build.patch b/SPECS/node-problem-detector/remove_windows_build.patch new file mode 100644 index 0000000000..5c0d003c4b --- /dev/null +++ b/SPECS/node-problem-detector/remove_windows_build.patch @@ -0,0 +1,30 @@ +diff -Naur a/Makefile b/Makefile +--- a/Makefile 2021-05-14 17:05:59.000000000 -0700 ++++ b/Makefile 2021-06-15 12:31:28.612040696 -0700 +@@ -123,25 +123,9 @@ + BINARIES_LINUX_ONLY += bin/log-counter + endif + +-ALL_BINARIES = $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), ./$(binary)) $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), output/linux_amd64/$(binary)) $(foreach binary, $(BINARIES), output/windows_amd64/$(binary).exe) ++ALL_BINARIES = $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), ./$(binary)) $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), output/linux_amd64/$(binary)) + ALL_TARBALLS = $(foreach platform, $(PLATFORMS), $(NPD_NAME_VERSION)-$(platform).tar.gz) + +-output/windows_amd64/bin/%.exe: $(PKG_SOURCES) +- GOOS=windows GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on go build \ +- -mod vendor \ +- -o $@ \ +- -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ +- -tags "$(WINDOWS_BUILD_TAGS)" \ +- ./cmd/$(subst -,,$*) +- touch $@ +- +-output/windows_amd64/test/bin/%.exe: $(PKG_SOURCES) +- GOOS=windows GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on go build \ +- -mod vendor \ +- -o $@ \ +- -tags "$(WINDOWS_BUILD_TAGS)" \ +- ./test/e2e/$(subst -,,$*) +- + output/linux_amd64/bin/%: $(PKG_SOURCES) + GOOS=linux GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on go build \ + -mod vendor \ diff --git a/SPECS/nodejs/nodejs-8.11.4.signatures.json b/SPECS/nodejs/nodejs-8.11.4.signatures.json deleted file mode 100644 index bf5c38cc53..0000000000 
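Review bot: The `config` subpackage declares `Requires: node-problem-detector` with no version, so a config package from one build can be installed alongside binaries from another; pin it with `Requires: %{name} = %{version}-%{release}`. In `%install`, `mkdir -p %{buildroot}%{_bindir}/` is immediately repeated by `install -vdm 755 %{buildroot}/%{_bindir}`, and one of the two can go. The two plugin scripts made executable with `chmod 755` are packaged under `%config(noreplace)` in `%{_sysconfdir}`, which presumably means locally edited scripts survive package updates; a comment saying whether that is intended would help.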
--- a/SPECS/nodejs/nodejs-8.11.4.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
- "node-v8.11.4.tar.xz": "fbce7de6d96b0bcb0db0bf77f0e6ea999b6755e6930568aedaab06847552a609"
- }
-}
\ No newline at end of file
diff --git a/SPECS/nodejs/nodejs-8.11.4.spec b/SPECS/nodejs/nodejs-8.11.4.spec
deleted file mode 100644
index 2357171bc8..0000000000
--- a/SPECS/nodejs/nodejs-8.11.4.spec
+++ /dev/null
@@ -1,103 +0,0 @@ -Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine. -Name: nodejs -Version: 8.11.4 -Release: 7%{?dist} -License: BSD and MIT and Public Domain and naist-2003 -Group: Applications/System -Vendor: Microsoft Corporation -Distribution: Mariner -URL: https://github.com/nodejs/node -Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz -Patch0: patch_tls_nodejs8.patch - -BuildRequires: coreutils >= 8.22, openssl-devel >= 1.0.1 -BuildRequires: python2 -BuildRequires: which -Requires: coreutils >= 8.22 -Requires: openssl >= 1.0.1 -Requires: python2 - -%description -Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world. - -%package devel -Summary: Development files node -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} - -%description devel -The nodejs-devel package contains libraries, header files and documentation -for developing applications that use nodejs. - -%prep -%setup -q -n node-v%{version} -%patch0 -p1 - -%build -sh configure --prefix=%{_prefix} \ - --shared-openssl \ - --shared-zlib - -make %{?_smp_mflags} - -%install - -make install DESTDIR=$RPM_BUILD_ROOT -rm -fr %{buildroot}%{_libdir}/dtrace/ # No systemtap support. -install -m 755 -d %{buildroot}%{_libdir}/node_modules/ -install -m 755 -d %{buildroot}%{_datadir}/%{name} - -# Remove junk files from node_modules/ - we should probably take care of -# this in the installer. 
-for FILE in .gitmodules .gitignore .npmignore .travis.yml \*.py[co]; do - find %{buildroot}%{_libdir}/node_modules/ -name "$FILE" -delete -done - -%check -make cctest - -%post -p /sbin/ldconfig - -%files -%defattr(-,root,root) -%license LICENSE -%{_bindir}/* -%{_libdir}/node_modules/* -%{_mandir}/man*/* -%doc CHANGELOG.md LICENSE README.md - -%files devel -%defattr(-,root,root) -%{_includedir}/* -%{_docdir}/node/lldb_commands.py -%{_docdir}/node/lldbinit -%{_docdir}/node/gdbinit -%{_datadir}/systemtap/tapset/node.stp - -%changelog -* Sat May 09 00:21:43 PST 2020 Nick Samson - 8.11.4-7 -- Added %%license line automatically -* Mon May 04 2020 Paul Monson 8.11.4-6 -- Add patch that enables building openssl without TLS versions less 1.2 -* Wed Apr 08 2020 Pawel Winogrodzki 8.11.4-5 -- License verified. -- Fixed "Source0" tag. -- Removed "%%define sha1". -* Wed Apr 08 2020 Nicolas Ontiveros 8.11.4-4 -- Remove toybox and only use core-utils in requires. -* Tue Sep 03 2019 Mateusz Malisz 8.11.4-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 08 2019 Alexey Makhalov 8.11.4-2 -- Added BuildRequires python2, which -* Tue Sep 11 2018 Keerthana K 8.11.4-1 -- Updated to version 8.11.4 to fix CVE-2018-7161 and CVE-2018-7167. -* Wed Feb 14 2018 Xiaolin Li 8.3.0-1 -- Updated to version 8.3.0 -* Fri Oct 13 2017 Alexey Makhalov 7.7.4-4 -- Remove BuildArch -* Mon Sep 18 2017 Alexey Makhalov 7.7.4-3 -- Requires coreutils or toybox -* Fri Jul 14 2017 Chang Lee 7.7.4-2 -- Updated %check -* Mon Mar 20 2017 Xiaolin Li 7.7.4-1 -- Initial packaging for Photon diff --git a/SPECS/nodejs/nodejs-9.11.2.signatures.json b/SPECS/nodejs/nodejs-9.11.2.signatures.json deleted file mode 100644 index 93040f9169..0000000000 --- a/SPECS/nodejs/nodejs-9.11.2.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "node-v9.11.2.tar.xz": "06484eac7f6b7c87e96983a039422347c0047284bc4d373d90884ae3966dc213" - } -} \ No newline at end of file 
diff --git a/SPECS/nodejs/nodejs.signatures.json b/SPECS/nodejs/nodejs.signatures.json new file mode 100644 index 0000000000..3a0aa1d51d --- /dev/null +++ b/SPECS/nodejs/nodejs.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "node-v14.17.2.tar.xz": "4f5fb2b87e2255da3b200ed73ab076002e4b088df0027ec85e25541a6830583e" + } +} \ No newline at end of file diff --git a/SPECS/nodejs/nodejs-9.11.2.spec b/SPECS/nodejs/nodejs.spec similarity index 86% rename from SPECS/nodejs/nodejs-9.11.2.spec rename to SPECS/nodejs/nodejs.spec index 253cc26409..4fc069572a 100644 --- a/SPECS/nodejs/nodejs-9.11.2.spec +++ b/SPECS/nodejs/nodejs.spec @@ -1,21 +1,21 @@ Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine. Name: nodejs -Version: 9.11.2 -Release: 7%{?dist} +Version: 14.17.2 +Release: 1%{?dist} License: BSD and MIT and Public Domain and naist-2003 Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner URL: https://github.com/nodejs/node Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz -Patch0: patch_tls_nodejs9.patch +Patch0: patch_tls_nodejs14.patch BuildRequires: coreutils >= 8.22, openssl-devel >= 1.0.1 -BuildRequires: python2 +BuildRequires: python3 BuildRequires: which Requires: coreutils >= 8.22 Requires: openssl >= 1.0.1 -Requires: python2 +Requires: python3 %description Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world. @@ -42,7 +42,7 @@ make %{?_smp_mflags} %install -make install DESTDIR=$RPM_BUILD_ROOT +make %{?_smp_mflags} install DESTDIR=$RPM_BUILD_ROOT rm -fr %{buildroot}%{_libdir}/dtrace/ # No systemtap support. install -m 755 -d %{buildroot}%{_libdir}/node_modules/ install -m 755 -d %{buildroot}%{_datadir}/%{name} 
@@ -69,13 +69,15 @@ make cctest %files devel %defattr(-,root,root) %{_includedir}/* -%{_docdir}/node/lldb_commands.py -%{_docdir}/node/lldbinit -%{_docdir}/node/gdbinit +%{_docdir}/* %{_datadir}/systemtap/tapset/node.stp %changelog -* Sat May 09 00:21:42 PST 2020 Nick Samson - 9.11.2-7 +* Mon Jul 19 2021 Neha Agarwal - 14.17.2-1 +- Update to version 14.17.2 to fix CVE-2021-22918 +* Mon Jun 07 2021 Henry Beberman - 14.17.0-1 +- Update to nodejs version 14.17.0 +* Sat May 09 2020 Nick Samson - 9.11.2-7 - Added %%license line automatically * Mon May 04 2020 Paul Monson 9.11.2-6 - Add patch that enables building openssl without TLS versions less 1.2 diff --git a/SPECS/nodejs/patch_tls_nodejs14.patch b/SPECS/nodejs/patch_tls_nodejs14.patch new file mode 100644 index 0000000000..4122d58b19 --- /dev/null +++ b/SPECS/nodejs/patch_tls_nodejs14.patch @@ -0,0 +1,20 @@ +diff -Naur a/src/node_crypto.cc b/src/node_crypto.cc +--- a/src/node_crypto.cc 2021-05-11 11:47:49.000000000 -0700 ++++ b/src/node_crypto.cc 2021-06-07 15:35:30.941141552 -0700 +@@ -604,6 +604,8 @@ + min_version = 0; + max_version = MAX_SUPPORTED_VERSION; + method = TLS_client_method(); ++// TLS1 and TSL1.1 are disabled in openssl ++#if 0 + } else if (sslmethod == "TLSv1_method") { + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; +@@ -626,6 +628,7 @@ + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + method = TLS_client_method(); ++#endif + } else if (sslmethod == "TLSv1_2_method") { + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; diff --git a/SPECS/nodejs/patch_tls_nodejs8.patch b/SPECS/nodejs/patch_tls_nodejs8.patch deleted file mode 100644 index 0bfc2fbe90..0000000000 --- a/SPECS/nodejs/patch_tls_nodejs8.patch +++ /dev/null 
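Review bot: The `#if 0` / `#endif` pair added by patch_tls_nodejs14.patch only removes the version-pinned method names from the `sslmethod` chain. The generic branch kept just above it still sets `min_version = 0` and `max_version = MAX_SUPPORTED_VERSION`, so the TLS 1.2 floor presumably rests on the OpenSSL build alone, not on this patch. The comment should say that and fix its typo, e.g. `// TLS 1.0 and TLS 1.1 are compiled out of the system OpenSSL; drop the method names that pin them`. What a caller gets when it passes one of the removed names depends on the chain's final branch, which is outside the hunk, so it should be confirmed to be an error rather than a silent fallback to the default method. The enclosing function starts and ends outside both hunks of the patch.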
@@ -1,20 +0,0 @@ -diff -ruN a/src/node_crypto.cc b/src/node_crypto.cc ---- a/src/node_crypto.cc 2020-05-04 14:32:49.481205912 -0700 -+++ b/src/node_crypto.cc 2020-05-04 14:40:40.456686371 -0700 -@@ -536,6 +536,8 @@ - method = SSLv23_server_method(); - } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) { - method = SSLv23_client_method(); -+// TLS1 and TSL1.1 are disabled in openssl -+#if 0 - } else if (strcmp(*sslmethod, "TLSv1_method") == 0) { - method = TLSv1_method(); - } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) { -@@ -548,6 +550,7 @@ - method = TLSv1_1_server_method(); - } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) { - method = TLSv1_1_client_method(); -+#endif - } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) { - method = TLSv1_2_method(); - } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) { diff --git a/SPECS/nodejs/patch_tls_nodejs9.patch b/SPECS/nodejs/patch_tls_nodejs9.patch deleted file mode 100644 index 3e90d21b92..0000000000 --- a/SPECS/nodejs/patch_tls_nodejs9.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -ruN a/src/node_crypto.cc b/src/node_crypto.cc ---- a/src/node_crypto.cc 2020-05-04 15:00:25.891257518 -0700 -+++ b/src/node_crypto.cc 2020-05-04 15:29:03.075011348 -0700 -@@ -576,6 +576,8 @@ - method = SSLv23_server_method(); - } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) { - method = SSLv23_client_method(); -+// TLS1 and TSL1.1 are disabled in openssl -+#if 0 - } else if (strcmp(*sslmethod, "TLSv1_method") == 0) { - method = TLSv1_method(); - } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) { -@@ -588,6 +590,7 @@ - method = TLSv1_1_server_method(); - } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) { - method = TLSv1_1_client_method(); -+#endif - } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) { - method = TLSv1_2_method(); - } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) { 
diff --git a/SPECS/npth/npth.spec b/SPECS/npth/npth.spec index 8c2fb6cd0c..dae3b4f0be 100644 --- a/SPECS/npth/npth.spec +++ b/SPECS/npth/npth.spec @@ -58,7 +58,7 @@ make %{?_smp_mflags} -k check %{_datadir}/aclocal/* %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 1.6-3 +* Sat May 09 2020 Nick Samson - 1.6-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.6-2 diff --git a/SPECS/nspr/nspr.spec b/SPECS/nspr/nspr.spec index e8905e3a9e..9f65c9b121 100644 --- a/SPECS/nspr/nspr.spec +++ b/SPECS/nspr/nspr.spec @@ -58,7 +58,7 @@ make DESTDIR=%{buildroot} install %{_datarootdir}/aclocal/* %changelog -* Sat May 09 00:21:34 PST 2020 Nick Samson - 4.21-2 +* Sat May 09 2020 Nick Samson - 4.21-2 - Added %%license line automatically * Tue Mar 17 2020 Andrew Phelps 4.21-1 diff --git a/SPECS/nss-altfiles/nss-altfiles.spec b/SPECS/nss-altfiles/nss-altfiles.spec index a4adfa2a17..47eaf228e6 100644 --- a/SPECS/nss-altfiles/nss-altfiles.spec +++ b/SPECS/nss-altfiles/nss-altfiles.spec @@ -37,7 +37,7 @@ rm -rf %{buildroot}%{_infodir} %{_libdir}/*.so.* %changelog -* Sat May 09 00:21:33 PST 2020 Nick Samson - 2.23.0-4 +* Sat May 09 2020 Nick Samson - 2.23.0-4 - Added %%license line automatically * Tue Apr 07 2020 Paul Monson 2.23.0-3 diff --git a/SPECS/nss/CVE-2020-12403.patch b/SPECS/nss/CVE-2020-12403.patch new file mode 100644 index 0000000000..8a653ce467 --- /dev/null +++ b/SPECS/nss/CVE-2020-12403.patch 
@@ -0,0 +1,116 @@ +Backported from upstream commits by Benjamin Beurdouche +https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38 +https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095 + +Signed-off-by: Henry Beberman +diff -Naur a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc 2019-05-10 14:14:18.000000000 -0700 ++++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc 2021-06-10 12:04:08.183647431 -0700 +@@ -43,9 +43,26 @@ + + SECItem params = {siBuffer, reinterpret_cast(&aead_params), + sizeof(aead_params)}; ++ ++ // Encrypt with bad parameters (TagLen is too long) ++ unsigned int outputLen = 0; ++ aead_params.ulTagLen = 158072; ++ std::vector output(data_len + aead_params.ulTagLen); ++ SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(), ++ &outputLen, output.size(), data, data_len); ++ EXPECT_EQ(SECFailure, rv); ++ EXPECT_EQ(0U, outputLen); ++ ++ // Encrypt with bad parameters (TagLen is too short) ++ aead_params.ulTagLen = 2; ++ std::vector output(data_len + aead_params.ulTagLen); ++ SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(), ++ &outputLen, output.size(), data, data_len); ++ EXPECT_EQ(SECFailure, rv); ++ EXPECT_EQ(0U, outputLen); + + // Encrypt. 
+- unsigned int outputLen = 0; ++ aead_params.ulTagLen = 16; + std::vector output(data_len + aead_params.ulTagLen); + SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(), + &outputLen, output.size(), data, data_len); +diff -Naur a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc +--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc 2019-05-10 14:14:18.000000000 -0700 ++++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc 2021-06-10 12:06:57.079302905 -0700 +@@ -77,4 +77,53 @@ + NSS_ShutdownContext(globalctx); + } + ++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) { ++ PK11SlotInfo* slot; ++ PK11SymKey* key; ++ PK11Context* ctx; ++ ++ NSSInitContext* globalctx = ++ NSS_InitContext("", "", "", "", NULL, ++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | ++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT); ++ ++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR; ++ ++ slot = PK11_GetInternalSlot(); ++ ASSERT_TRUE(slot); ++ ++ // Use arbitrary bytes for the ChaCha20 key and IV ++ uint8_t key_bytes[32]; ++ for (size_t i = 0; i < 32; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem keyItem = {siBuffer, key_bytes, 32}; ++ ++ uint8_t iv_bytes[16]; ++ for (size_t i = 0; i < 16; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem ivItem = {siBuffer, iv_bytes, 16}; ++ ++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem); ++ ++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT, ++ &keyItem, NULL); ++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param); ++ ASSERT_TRUE(key); ++ ASSERT_TRUE(ctx); ++ ++ uint8_t outbuf[128]; ++ // This is supposed to fail for Chacha20. This is because the underlying ++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for ++ // which multi-part is disabled for ChaCha20 in counter mode. 
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure); ++ ++ PK11_FreeSymKey(key); ++ PK11_FreeSlot(slot); ++ SECITEM_FreeItem(param, PR_TRUE); ++ PK11_DestroyContext(ctx, PR_TRUE); ++ NSS_ShutdownContext(globalctx); ++} ++ + } // namespace nss_test +diff -Naur a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c +--- a/nss/lib/freebl/chacha20poly1305.c 2019-05-10 14:14:18.000000000 -0700 ++++ b/nss/lib/freebl/chacha20poly1305.c 2021-06-10 11:54:41.192530256 -0700 +@@ -111,7 +111,7 @@ + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } +- if (tagLen == 0 || tagLen > 16) { ++ if (tagLen != 16) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } +diff -Naur a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c +--- a/nss/lib/softoken/pkcs11c.c 2019-05-10 14:14:18.000000000 -0700 ++++ b/nss/lib/softoken/pkcs11c.c 2021-06-10 11:41:44.429521228 -0700 +@@ -1207,6 +1207,7 @@ + break; + + case CKM_NSS_CHACHA20_CTR: ++ context->multi = PR_FALSE; + if (key_type != CKK_NSS_CHACHA20) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; diff --git a/SPECS/nss/nss.spec b/SPECS/nss/nss.spec index e53f3d3647..0456a6f9d6 100644 --- a/SPECS/nss/nss.spec +++ b/SPECS/nss/nss.spec @@ -12,7 +12,7 @@ Summary: Security client Name: nss Version: 3.44 -Release: 4%{?dist} +Release: 7%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -20,6 +20,7 @@ Group: Applications/System URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Source0: https://archive.mozilla.org/pub/security/nss/releases/NSS_3_44_RTM/src/%{name}-%{version}.tar.gz Patch0: nss-3.44-standalone-1.patch +Patch1: CVE-2020-12403.patch BuildRequires: nspr-devel BuildRequires: sqlite-devel Provides: %{name}-tools = %{version}-%{release} 
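Review bot: In the added `SingleCtxMultipleUnalignedCipherOpsChaCha20` test the second fill loop writes `key_bytes[i] = i;` again, so `iv_bytes` reaches `PK11_ParamFromIV` uninitialised; the loop body should be `iv_bytes[i] = i;`. In the chacha20poly1305 unittest part of the same patch, `std::vector output(...)` and `SECStatus rv = ...` are each declared three times in what the hunk shows as a single scope, which would not compile if that reading is right. The two bad-tag-length cases should assign to the existing `rv` and resize `output` instead of redeclaring them. Neither problem touches the library change itself (`if (tagLen != 16)` and `context->multi = PR_FALSE;`), but these tests are the only check in the patch that the fix holds, so they should build and pass before the backport is relied on.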
@@ -62,9 +63,11 @@ This package contains minimal set of shared nss libraries. %prep %setup -q %patch0 -p1 +%patch1 -p1 %build export NSS_FORCE_FIPS=1 +export NSS_DISABLE_GTESTS=1 cd nss # -j is not supported by nss make VERBOSE=1 BUILD_OPT=1 \ @@ -93,7 +96,7 @@ install -vm 644 Linux*/lib/pkgconfig/nss.pc %{buildroot}%{_libdir}/pkgconfig %check pushd nss/tests export USE_64=1 -HOST=localhost DOMSUF=localdomain BUILD_OPT=1 ./all.sh +HOST=localhost DOMSUF=localdomain BUILD_OPT=1 NSS_CYCLES=standard ./all.sh popd %post -p /sbin/ldconfig 
@@ -122,68 +125,84 @@ popd %{unsupported_tools_directory}/shlibsign %changelog +* Thu Jul 29 2021 Jon Slobodzian 3.44-7 +- Dash Rolled for Merge from 1.0 branch + +* Thu Jun 10 2021 Henry Beberman 3.44-6 +- Patch CVE-2020-12403 + +* Wed Jun 02 2021 Andrew Phelps 3.44-5 +- Set NSS_DISABLE_GTESTS=1 to speed up build +- Run tests much faster by limiting to NSS_CYCLES=standard + * Fri Mar 26 2021 Thomas Crain - 3.44-4 - Merge the following releases from 1.0 to dev branch - anphel@microsoft.com, 3.44-3: Fix check tests - niontive@microsoft.com, 3.44-4: Enable FIPS mode -* Mon Sep 28 2020 Ruying Chen 3.44-3 -- Provide nss-tools, -util, -static, -softokn, -softokn-devel -- Provide nss-pkcs11-devel, -pkcs11-devel-static +* Wed Mar 03 2021 Nicolas Ontiveros 3.44-4 +- Enable FIPS mode -* Sat May 09 2020 Nick Samson 3.44-2 -- Added %%license line automatically +* Tue Jan 26 2021 Andrew Phelps 3.44-3 (from 1.0 branch) +- Fix check tests -* Tue Mar 17 2020 Andrew Phelps 3.44-1 -- Update version to 3.44. License verified. +* Mon Sep 28 2020 Ruying Chen 3.44-3 (from dev branch) +- Provide nss-tools, -util, -static, -softokn, -softokn-devel +- Provide nss-pkcs11-devel, -pkcs11-devel-static -* Tue Sep 03 2019 Mateusz Malisz 3.39-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Sat May 09 2020 Nick Samson 3.44-2 +- Added %%license line automatically -* Mon Sep 10 2018 Him Kalyan Bordoloi 3.39-1 -- Upgrade to 3.39. +* Tue Mar 17 2020 Andrew Phelps 3.44-1 +- Update version to 3.44. License verified. -* Thu Dec 07 2017 Alexey Makhalov 3.31-5 -- Add static libcrmf.a library to devel package +* Tue Sep 03 2019 Mateusz Malisz 3.39-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Nov 14 2017 Alexey Makhalov 3.31-4 -- Aarch64 support +* Mon Sep 10 2018 Him Kalyan Bordoloi 3.39-1 +- Upgrade to 3.39. -* Fri Jul 07 2017 Vinay Kulkarni 3.31-3 -- Fix buildrequires. 
+* Thu Dec 07 2017 Alexey Makhalov 3.31-5 +- Add static libcrmf.a library to devel package -* Thu Jun 29 2017 Xiaolin Li 3.31-2 -- Fix check. +* Tue Nov 14 2017 Alexey Makhalov 3.31-4 +- Aarch64 support -* Tue Jun 20 2017 Xiaolin Li 3.31-1 -- Upgrade to 3.31. +* Fri Jul 07 2017 Vinay Kulkarni 3.31-3 +- Fix buildrequires. -* Sat Apr 15 2017 Priyesh Padmavilasom 3.30.1-1 -- Update to 3.30.1 +* Thu Jun 29 2017 Xiaolin Li 3.31-2 +- Fix check. -* Fri Apr 14 2017 Alexey Makhalov 3.25-4 -- Added libs subpackage to reduce tdnf dependent tree +* Tue Jun 20 2017 Xiaolin Li 3.31-1 +- Upgrade to 3.31. -* Wed Nov 16 2016 Alexey Makhalov 3.25-3 -- Use sqlite-libs as runtime dependency +* Sat Apr 15 2017 Priyesh Padmavilasom 3.30.1-1 +- Update to 3.30.1 -* Mon Oct 04 2016 ChangLee 3.25-2 -- Modified %check +* Fri Apr 14 2017 Alexey Makhalov 3.25-4 +- Added libs subpackage to reduce tdnf dependent tree -* Tue Jul 05 2016 Anish Swaminathan 3.25-1 -- Upgrade to 3.25 +* Wed Nov 16 2016 Alexey Makhalov 3.25-3 +- Use sqlite-libs as runtime dependency -* Tue May 24 2016 Priyesh Padmavilasom 3.21-2 -- GA - Bump release of all rpms +* Mon Oct 04 2016 ChangLee 3.25-2 +- Modified %check -* Thu Jan 21 2016 Xiaolin Li 3.21 -- Updated to version 3.21 +* Tue Jul 05 2016 Anish Swaminathan 3.25-1 +- Upgrade to 3.25 -* Tue Aug 04 2015 Kumar Kaushik 3.19-2 -- Version update. Firefox requirement. +* Tue May 24 2016 Priyesh Padmavilasom 3.21-2 +- GA - Bump release of all rpms -* Fri May 29 2015 Alexey Makhalov 3.19-1 -- Version update. Firefox requirement. +* Thu Jan 21 2016 Xiaolin Li 3.21 +- Updated to version 3.21 -* Wed Nov 5 2014 Divya Thaluru 3.15.4-1 -- Initial build. First version +* Tue Aug 04 2015 Kumar Kaushik 3.19-2 +- Version update. Firefox requirement. + +* Fri May 29 2015 Alexey Makhalov 3.19-1 +- Version update. Firefox requirement. + +* Wed Nov 5 2014 Divya Thaluru 3.15.4-1 +- Initial build. First version 
diff --git a/SPECS/ntp/ntp.spec b/SPECS/ntp/ntp.spec index ec2d5e33a1..3011a02a3d 100644 --- a/SPECS/ntp/ntp.spec +++ b/SPECS/ntp/ntp.spec @@ -177,7 +177,7 @@ rm -rf %{buildroot}/* %{_mandir}/man8/ntpstat.8* %changelog -* Sat May 09 00:21:37 PST 2020 Nick Samson - 4.2.8p13-3 +* Sat May 09 2020 Nick Samson - 4.2.8p13-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.2.8p13-2 diff --git a/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec b/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec index 2a47b782e9..44162e00fc 100644 --- a/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec +++ b/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec @@ -1,7 +1,7 @@ Summary: NVIDIA container runtime Name: nvidia-container-runtime Version: 3.4.2 -Release: 2%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -33,6 +33,12 @@ install -m 755 %{name} %{buildroot}%{_bindir}/%{name} %{_bindir}/%{name} %changelog +* Tue Jun 08 2021 Henry Beberman 3.4.2-4 +- Increment release to force republishing using golang 1.15.13. + +* Mon Apr 26 2021 Nicolas Guibourge 3.4.2-3 +- Increment release to force republishing using golang 1.15.11. + * Wed Apr 21 2021 Joseph Knierman - 3.4.2-2 - License verified - Initial CBL-Mariner import from NVIDIA (license: ASL 2.0). diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit-1.4.2.patch b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit-1.4.2.patch new file mode 100644 index 0000000000..48f3a09cb0 --- /dev/null +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit-1.4.2.patch 
@@ -0,0 +1,12 @@ +diff -ru nvidia-container-toolkit-1.4.2-orig/go.mod nvidia-container-toolkit-1.4.2/go.mod +--- nvidia-container-toolkit-1.4.2-orig/go.mod 2021-02-05 07:47:01.000000000 -0500 ++++ nvidia-container-toolkit-1.4.2/go.mod 2021-04-20 03:38:02.000000000 -0400 +@@ -4,6 +4,5 @@ + + require ( + github.com/BurntSushi/toml v0.3.1 +- github.com/stretchr/testify v1.6.0 + golang.org/x/mod v0.3.0 + ) +Only in nvidia-container-toolkit-1.4.2: nvidia-container-toolkit +Only in nvidia-container-toolkit-1.4.2: vendor diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json new file mode 100644 index 0000000000..5dcc5df426 --- /dev/null +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "nvidia-container-toolkit-1.4.2-vendor.tar.gz": "5463294471c22283c0bad835ed8abd708971579c2b1d7caf461bd00f93efe610", + "nvidia-container-toolkit-1.4.2.tar.gz": "8c3ff8dd96812dcc2c09b203d2749fcba51941e33387aba1bca4da2f87065a0c" + } +} diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec new file mode 100644 index 0000000000..f6e616bd6d --- /dev/null +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec 
@@ -0,0 +1,128 @@ +%global debug_package %{nil} +Summary: NVIDIA container runtime hook +Name: nvidia-container-toolkit +Version: 1.4.2 +Release: 3%{?dist} +License: ALS2.0 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/NVIDIA/nvidia-container-runtime +#Source0: https://github.com/NVIDIA/%%{name}/archive/v%%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +# Below is a manually created tarball, no download link. +# We're using pre-populated Go modules from this tarball, since network is disabled during build time. +# How to re-build this file: +# 1. wget https://github.com/NVIDIA/%%{name}/archive/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz +# 2. tar -xf %%{name}-%%{version}.tar.gz +# 3. cd %%{name}-%%{version} +# 4. go mod vendor +# 5. tar --sort=name \ +# --mtime="2021-04-26 00:00Z" \ +# --owner=0 --group=0 --numeric-owner \ +# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ +# -cf %%{name}-%%{version}-vendor.tar.gz vendor +# +# NOTES: +# - You require GNU tar version 1.28+. +# - The additional options enable generation of a tarball with the same hash every time regardless of the environment. +# See: https://reproducible-builds.org/docs/archives/ +# - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. +Source1: %{name}-%{version}-vendor.tar.gz +Patch0: nvidia-container-toolkit-1.4.2.patch +BuildRequires: golang +Provides: nvidia-container-runtime-hook + +%description +Provides a OCI hook to enable GPU support in containers. 
+ +%prep +%autosetup -p1 +tar -xvf %{SOURCE1} + +%build +go build -ldflags "-s -w " -o "nvidia-container-toolkit" ./pkg + +%install +mkdir -p %{buildroot}%{_bindir} +install -m 755 -t %{buildroot}%{_bindir} nvidia-container-toolkit + +cp config/config.toml.centos config.toml +mkdir -p %{buildroot}%{_sysconfdir}/nvidia-container-runtime +install -m 644 -t %{buildroot}%{_sysconfdir}/nvidia-container-runtime config.toml + +mkdir -p %{buildroot}%{_libexecdir}/oci/hooks.d +install -m 755 -t %{buildroot}%{_libexecdir}/oci/hooks.d oci-nvidia-hook + +mkdir -p %{buildroot}%{_datadir}/containers/oci/hooks.d +install -m 644 -t %{buildroot}%{_datadir}/containers/oci/hooks.d oci-nvidia-hook.json + +%posttrans +ln -sf %{_bindir}/nvidia-container-toolkit %{_bindir}/nvidia-container-runtime-hook + +%postun +rm -f %{_bindir}/nvidia-container-runtime-hook + +%files +%license LICENSE +%{_bindir}/nvidia-container-toolkit +%config %{_sysconfdir}/nvidia-container-runtime/config.toml +%{_libexecdir}/oci/hooks.d/oci-nvidia-hook +%{_datadir}/containers/oci/hooks.d/oci-nvidia-hook.json + +%changelog +* Tue Jun 08 2021 Henry Beberman 1.4.2-3 +- Increment release to force republishing using golang 1.15.13. + +* Mon Apr 26 2021 Joseph Knierman - 1.4.2-2 +- License verified +- Initial CBL-Mariner import from NVIDIA (license: ASL 2.0). 
+ +* Fri Feb 05 2021 NVIDIA CORPORATION 1.4.2-1 +- Add dependence on libnvidia-container-tools >= 1.3.3 + +* Mon Jan 25 2021 NVIDIA CORPORATION 1.4.1-1 +- Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges +- Add dependence on libnvidia-container-tools >= 1.3.2 + +* Fri Dec 11 2020 NVIDIA CORPORATION 1.4.0-1 +- Add 'compute' capability to list of defaults +- Add dependence on libnvidia-container-tools >= 1.3.1 + +* Wed Sep 16 2020 NVIDIA CORPORATION 1.3.0-1 +- Promote 1.3.0-0.1.rc.2 to 1.3.0-1 +- Add dependence on libnvidia-container-tools >= 1.3.0 + +* Mon Aug 10 2020 NVIDIA CORPORATION 1.3.0-0.1.rc.2 +- 2c180947 Add more tests for new semantics with device list from volume mounts +- 7c003857 Refactor accepting device lists from volume mounts as a boolean + +* Fri Jul 24 2020 NVIDIA CORPORATION 1.3.0-0.1.rc.1 +- b50d86c1 Update build system to accept a TAG variable for things like rc.x +- fe65573b Add common CI tests for things like golint, gofmt, unit tests, etc. 
+- da6fbb34 Revert "Add ability to merge envars of the form NVIDIA_VISIBLE_DEVICES_*" +- a7fb3330 Flip build-all targets to run automatically on merge requests +- 8b248b66 Rename github.com/NVIDIA/container-toolkit to nvidia-container-toolkit +- da36874e Add new config options to pull device list from mounted files instead of ENVVAR + +* Wed Jul 22 2020 NVIDIA CORPORATION 1.2.1-1 +- 4e6e0ed4 Add 'ngx' to list of *all* driver capabilities +- 2f4af743 List config.toml as a config file in the RPM SPEC + +* Wed Jul 08 2020 NVIDIA CORPORATION 1.2.0-1 +- 8e0aab46 Fix repo listed in changelog for debian distributions +- 320bb6e4 Update dependence on libnvidia-container to 1.2.0 +- 6cfc8097 Update package license to match source license +- e7dc3cbb Fix debian copyright file +- d3aee3e0 Add the 'ngx' driver capability + +* Wed Jun 03 2020 NVIDIA CORPORATION 1.1.2-1 +- c32237f3 Add support for parsing Linux Capabilities for older OCI specs + +* Tue May 19 2020 NVIDIA CORPORATION 1.1.1-1 +- d202aded Update dependence to libnvidia-container 1.1.1 + +* Fri May 15 2020 NVIDIA CORPORATION 1.1.0-1 +- 4e4de762 Update build system to support multi-arch builds +- fcc1d116 Add support for MIG (Multi-Instance GPUs) +- d4ff0416 Add ability to merge envars of the form NVIDIA_VISIBLE_DEVICES_* +- 60f165ad Add no-pivot option to toolkit diff --git a/SPECS/nvidia-docker2/nvidia-docker2.signatures.json b/SPECS/nvidia-docker2/nvidia-docker2.signatures.json new file mode 100644 index 0000000000..e69d6fa38d --- /dev/null +++ b/SPECS/nvidia-docker2/nvidia-docker2.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "nvidia-docker-2.6.0.tar.gz": "a2f41b91770e45d3f7e6d361be720573a20e88ea33d4f8c7984b6b0cfdc57214" + } +} \ No newline at end of file diff --git a/SPECS/nvidia-docker2/nvidia-docker2.spec b/SPECS/nvidia-docker2/nvidia-docker2.spec new file mode 100644 index 0000000000..b941eb8f77 --- /dev/null +++ b/SPECS/nvidia-docker2/nvidia-docker2.spec 
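Review bot: `go build -ldflags "-s -w " -o "nvidia-container-toolkit" ./pkg` in %build does not state where modules come from, although the spec's own comments say the build depends on the pre-populated `vendor` tarball because the network is disabled. Writing `go build -mod=vendor ...` makes that explicit and fails the build on any drift between go.mod (which Patch0 edits) and the vendored tree, instead of relying on the toolchain default. The `License:` tag reads `ALS2.0` while the changelog entry says `ASL 2.0`; it looks like a typo and should be `License: ASL 2.0` so license tooling sees the right value. `%postun` removes `%{_bindir}/nvidia-container-runtime-hook` on upgrades as well as on erase; `%posttrans` recreates it, but guarding the removal with `if [ $1 -eq 0 ]` keeps the hook path present throughout an upgrade.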
@@ -0,0 +1,56 @@ +%global debug_package %{nil} +Summary: nvidia-docker CLI wrapper +Name: nvidia-docker2 +Version: 2.6.0 +Release: 2%{?dist} +License: ASL2.0 +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Development Tools +URL: https://github.com/NVIDIA/nvidia-docker +#Source0: https://github.com/NVIDIA/nvidia-docker/archive/v%%{version}.tar.gz +Source0: nvidia-docker-%{version}.tar.gz +Requires: nvidia-container-runtime >= 3.4.2 +Conflicts: nvidia-docker < 2.0.0 +BuildArch: noarch + +%description +Replaces nvidia-docker with a new implementation based on nvidia-container-runtime + +%prep +%autosetup -n nvidia-docker-%{version} +cp nvidia-docker daemon.json LICENSE .. + +%install +mkdir -p %{buildroot}%{_bindir} +install -m 755 -t %{buildroot}%{_bindir} nvidia-docker +mkdir -p %{buildroot}%{_sysconfdir}/docker +install -m 644 -t %{buildroot}%{_sysconfdir}/docker daemon.json + +%files +%license LICENSE +%{_bindir}/nvidia-docker +%config %{_sysconfdir}/docker/daemon.json + +%changelog +* Wed May 19 2021 Joseph Knierman - 2.6.0-2 +- License verified +- Initial CBL-Mariner import from NVIDIA (license: ASL 2.0). + +* Thu Apr 29 2021 NVIDIA CORPORATION 2.6.0-1 +- Add dependence on nvidia-container-runtime >= 3.5.0 +- Add Jenkinsfile for building packages + +* Wed Sep 16 2020 NVIDIA CORPORATION 2.5.0-1 +- Bump version to v2.5.0 +- Add dependence on nvidia-container-runtime >= 3.4.0 +- Update readme to point to the official documentatio +- Add %config directive to daemon.json for RPM installations + +* Wed Jul 08 2020 NVIDIA CORPORATION 2.4.0-1 +- 09a01276 Update package license to match source license +- b9c70155 Update dependence on nvidia-container-runtime to 3.3.0 + +* Fri May 15 2020 NVIDIA CORPORATION 2.3.0-1 +- 0d3b049a Update build system to support multi-arch builds +- 8557216d Require new MIG changes diff --git a/SPECS/nvme-cli/nvme-cli.spec b/SPECS/nvme-cli/nvme-cli.spec index 013aa85a1e..9ee12144d1 100644 --- a/SPECS/nvme-cli/nvme-cli.spec 
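Review bot: `Requires: nvidia-container-runtime >= 3.4.2` is lower than the floor recorded in the imported upstream changelog for this version (`Add dependence on nvidia-container-runtime >= 3.5.0` under 2.6.0-1), so the wrapper can be installed against an older runtime than upstream intended. If 3.4.2 is deliberate because that is the runtime version packaged here, a comment above the tag such as `# Upstream asks for >= 3.5.0; relaxed to the packaged 3.4.2` would record that it was checked. Separately, `%config %{_sysconfdir}/docker/daemon.json` lets an upgrade replace an administrator's edited Docker daemon configuration, keeping the old file only as .rpmsave. `%config(noreplace) %{_sysconfdir}/docker/daemon.json` is the safer choice for a file that selects the container runtime.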
+++ b/SPECS/nvme-cli/nvme-cli.spec @@ -30,7 +30,7 @@ make install PREFIX=%{_prefix} DESTDIR=%{buildroot} %{_mandir}/man1/* %changelog -* Sat May 09 00:20:54 PST 2020 Nick Samson - 1.8.1-3 +* Sat May 09 2020 Nick Samson - 1.8.1-3 - Added %%license line automatically * Tue Mar 24 2020 Paul Monson 1.8.1-2 diff --git a/SPECS/oath-toolkit/oath-toolkit.spec b/SPECS/oath-toolkit/oath-toolkit.spec index 37733a6285..16dffd2b5a 100644 --- a/SPECS/oath-toolkit/oath-toolkit.spec +++ b/SPECS/oath-toolkit/oath-toolkit.spec @@ -2,9 +2,9 @@ Summary: One-time password components Name: oath-toolkit Version: 2.6.2 Release: 7%{?dist} -License: GPLv3+ +License: GPLv3+ and LGPLv2+ URL: https://www.nongnu.org/oath-toolkit/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://download.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz @@ -199,6 +199,7 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath %changelog * Fri Aug 21 2020 Thomas Crain - 2.6.2-7 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Tue Jul 28 2020 Fedora Release Engineering - 2.6.2-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index 86bc34f2e0..c5e592f9ab 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -2,7 +2,7 @@ Summary: Free version of the SSH connectivity tools Name: openssh Version: 8.5p1 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -26,6 +26,7 @@ BuildRequires: systemd BuildRequires: shadow-utils BuildRequires: sudo %endif +BuildRequires: libselinux-devel Requires: openssh-clients = %{version}-%{release} Requires: openssh-server = %{version}-%{release} 
@@ -67,6 +68,7 @@ tar xf %{SOURCE1} --no-same-owner --with-md5-passwords \ --with-privsep-path=%{_sharedstatedir}/sshd \ --with-pam \ + --with-selinux \ --with-maintype=man \ --enable-strip=no \ --with-kerberos5=%{_prefix} @@ -183,6 +185,9 @@ rm -rf %{buildroot}/* %{_mandir}/man8/ssh-sk-helper.8.gz %changelog +* Wed Mar 24 2021 Daniel Burgener 8.5p1-3 +- Add SELinux support + * Fri Mar 12 2021 Henry Beberman - 8.5p1-2 - Update default sshd_config to align more closely with other cloud images diff --git a/SPECS/openssl/openssl-1.1.1-drbg-seed.patch b/SPECS/openssl/openssl-1.1.1-drbg-seed.patch new file mode 100644 index 0000000000..fbfa5f4bba --- /dev/null +++ b/SPECS/openssl/openssl-1.1.1-drbg-seed.patch 
@@ -0,0 +1,1093 @@ +diff --git a/crypto/fips/fips_drbg_lib.c b/crypto/fips/fips_drbg_lib.c +index 1c6ff1b..f603a6c 100644 +--- a/crypto/fips/fips_drbg_lib.c ++++ b/crypto/fips/fips_drbg_lib.c +@@ -58,6 +58,7 @@ + #include + #include "fips_locl.h" + #include "fips_rand_lcl.h" ++#include "../../include/crypto/rand.h" + + /* Support framework for SP800-90 DRBGs */ + +@@ -139,6 +140,110 @@ void FIPS_drbg_free(DRBG_CTX *dctx) + } + } + ++static size_t fips_concatenate_lrng(DRBG_CTX *dctx, ++ unsigned char **pout, ++ size_t str_len, ++ size_t max_str_len) ++{ ++ unsigned char *tmp_str = NULL; ++ size_t idx = 0, total_bytes = 0, bytes_needed = 0; ++ ssize_t bytes = 0; ++ int rng_attempts = 3; ++ ++ bytes_needed = dctx->strength / 8; ++ ++ total_bytes = bytes_needed + str_len; ++ ++ if (total_bytes < bytes_needed) { ++ FIPSerr(FIPS_F_FIPS_DRBG_LRNG, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ if (total_bytes > max_str_len) { ++ FIPSerr(FIPS_F_FIPS_DRBG_LRNG, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ tmp_str = OPENSSL_zalloc(total_bytes); ++ if (tmp_str == NULL) { ++ FIPSerr(FIPS_F_FIPS_DRBG_LRNG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (*pout != NULL) { ++ memcpy(tmp_str, *pout, str_len); ++ } ++ ++ idx = str_len; ++ ++ while (bytes_needed != 0 && rng_attempts-- > 0) { ++ bytes = syscall_random(tmp_str + idx, bytes_needed, 0); ++ if (bytes > 0) { ++ idx += bytes; ++ bytes_needed -= bytes; ++ rng_attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0 && errno != EINTR) { ++ break; ++ } ++ } ++ ++ if (bytes_needed == 0) { ++ *pout = tmp_str; ++ return total_bytes; ++ } ++ ++ FIPSerr(FIPS_F_FIPS_DRBG_LRNG, FIPS_R_ERROR_RETRIEVING_RAND); ++ ++err: ++ if (tmp_str != NULL) ++ OPENSSL_clear_free(tmp_str, total_bytes); ++ return 0; ++} ++ ++static size_t fips_get_pers(DRBG_CTX *dctx, ++ unsigned char **pout, size_t pers_len) ++{ ++ if (dctx->get_pers != NULL) { ++ return dctx->get_pers(dctx, pout, pers_len); ++ } ++ 
++ return fips_concatenate_lrng(dctx, pout, pers_len, dctx->max_pers); ++} ++ ++static size_t fips_get_adin(DRBG_CTX *dctx, ++ unsigned char **pout, size_t adin_len) ++{ ++ if (dctx->get_adin != NULL) { ++ return dctx->get_adin(dctx, pout, adin_len); ++ } ++ ++ return fips_concatenate_lrng(dctx, pout, adin_len, dctx->max_adin); ++} ++ ++static void fips_cleanup_pers(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen) ++{ ++ if (dctx->cleanup_pers != NULL) { ++ return dctx->cleanup_pers(dctx, out, outlen); ++ } ++ ++ if (out != NULL) { ++ OPENSSL_clear_free(out, outlen); ++ } ++} ++ ++static void fips_cleanup_adin(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen) ++{ ++ if (dctx->cleanup_adin != NULL) { ++ return dctx->cleanup_adin(dctx, out, outlen); ++ } ++ ++ if (out != NULL) { ++ OPENSSL_clear_free(out, outlen); ++ } ++} ++ + static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) + { +@@ -185,6 +290,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, + { + size_t entlen = 0, noncelen = 0; + unsigned char *nonce = NULL, *entropy = NULL; ++ const unsigned char *tmp_pers = NULL; + + #if 0 + /* Put here so error script picks them up */ +@@ -198,7 +304,7 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); + #endif + +- int r = 0; ++ int r = 0, pers_alloc = 0; + + if (perslen > dctx->max_pers) { + r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; +@@ -240,6 +346,14 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, + + } + ++ tmp_pers = pers; ++ ++ perslen = fips_get_pers(dctx, &pers, perslen); ++ ++ if (tmp_pers != pers) { ++ pers_alloc = 1; ++ } ++ + if (!dctx->instantiate(dctx, + entropy, entlen, nonce, noncelen, pers, perslen)) { + r = FIPS_R_ERROR_INSTANTIATING_DRBG; +@@ -251,6 +365,8 @@ int FIPS_drbg_instantiate(DRBG_CTX *dctx, + dctx->reseed_counter = 1; + + end: ++ if (pers != NULL && pers_alloc) ++ fips_cleanup_pers(dctx, pers, perslen); + + if 
(entropy && dctx->cleanup_entropy) + fips_cleanup_entropy(dctx, entropy, entlen); +@@ -272,8 +388,9 @@ static int drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen, int hcheck) + { + unsigned char *entropy = NULL; ++ const unsigned char *tmp_adin = NULL; + size_t entlen = 0; +- int r = 0; ++ int r = 0, adin_alloc = 0; + + #if 0 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); +@@ -314,6 +431,14 @@ static int drbg_reseed(DRBG_CTX *dctx, + goto end; + } + ++ tmp_adin = adin; ++ ++ adinlen = fips_get_adin(dctx, &adin, adinlen); ++ ++ if (tmp_adin != adin) { ++ adin_alloc = 1; ++ } ++ + if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) + goto end; + +@@ -322,6 +447,9 @@ static int drbg_reseed(DRBG_CTX *dctx, + dctx->reseed_counter = 1; + end: + ++ if (adin != NULL && adin_alloc) ++ fips_cleanup_adin(dctx, adin, adinlen); ++ + if (entropy && dctx->cleanup_entropy) + fips_cleanup_entropy(dctx, entropy, entlen); + +@@ -462,7 +590,7 @@ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, + { + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; +- dctx->entropy_blocklen = entropy_blocklen; ++ dctx->entropy_blocklen = entropy_blocklen; + dctx->get_entropy = get_entropy; + dctx->cleanup_entropy = cleanup_entropy; + dctx->get_nonce = get_nonce; +@@ -470,12 +598,51 @@ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, + return 1; + } + +-int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, +- size_t (*get_adin) (DRBG_CTX *ctx, +- unsigned char **pout), +- void (*cleanup_adin) (DRBG_CTX *ctx, ++int FIPS_drbg_set_all_callbacks(DRBG_CTX *dctx, ++ size_t (*get_pers) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ size_t pers_len), ++ void (*cleanup_pers) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ size_t adin_len), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t 
min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, + unsigned char *out, +- size_t olen), ++ size_t olen)) ++{ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) ++ return 0; ++ dctx->get_pers = get_pers; ++ dctx->cleanup_pers = cleanup_pers; ++ dctx->get_adin = get_adin; ++ dctx->cleanup_adin = cleanup_adin; ++ dctx->entropy_blocklen = entropy_blocklen; ++ dctx->get_entropy = get_entropy; ++ dctx->cleanup_entropy = cleanup_entropy; ++ dctx->get_nonce = get_nonce; ++ dctx->cleanup_nonce = cleanup_nonce; ++ return 1; ++} ++ ++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, + int (*rand_seed_cb) (DRBG_CTX *ctx, + const void *buf, + int num), +@@ -485,8 +652,6 @@ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, + { + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; +- dctx->get_adin = get_adin; +- dctx->cleanup_adin = cleanup_adin; + dctx->rand_seed_cb = rand_seed_cb; + dctx->rand_add_cb = rand_add_cb; + return 1; +diff --git a/crypto/fips/fips_drbg_rand.c b/crypto/fips/fips_drbg_rand.c +index 492bb7d..46626e8 100644 +--- a/crypto/fips/fips_drbg_rand.c ++++ b/crypto/fips/fips_drbg_rand.c +@@ -98,7 +98,7 @@ static int fips_drbg_bytes(unsigned char *out, int count) + else + rcnt = count; + if (dctx->get_adin) { +- adinlen = dctx->get_adin(dctx, &adin); ++ adinlen = dctx->get_adin(dctx, &adin, dctx->max_adin); + if (adinlen && !adin) { + FIPSerr(FIPS_F_FIPS_DRBG_BYTES, + FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); +diff --git a/crypto/fips/fips_drbg_selftest.c b/crypto/fips/fips_drbg_selftest.c +index d6d0566..ca91345 100644 +--- a/crypto/fips/fips_drbg_selftest.c ++++ b/crypto/fips/fips_drbg_selftest.c +@@ -164,6 +164,16 @@ typedef struct { + int noncecnt; + } TEST_ENT; + ++static size_t test_pers(DRBG_CTX *dctx, 
unsigned char **pout, size_t pers_len) ++{ ++ return pers_len; ++} ++ ++static size_t test_adin(DRBG_CTX *dctx, unsigned char **pout, size_t adin_len) ++{ ++ return adin_len; ++} ++ + static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) + { +@@ -198,7 +208,8 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, + + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; +- if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ if (!FIPS_drbg_set_all_callbacks(dctx, test_pers, 0, test_adin, 0, ++ test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, &t); +@@ -261,7 +272,8 @@ static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, + */ + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; +- if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ if (!FIPS_drbg_set_all_callbacks(dctx, test_pers, 0, test_adin, 0, ++ test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, &t); +@@ -336,7 +348,8 @@ static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; + +- if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ if (!FIPS_drbg_set_all_callbacks(dctx, test_pers, 0, test_adin, 0, ++ test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, t); +diff --git a/crypto/fips/fips_err.h b/crypto/fips/fips_err.h +index 9a9c9a1..c09cc09 100644 +--- a/crypto/fips/fips_err.h ++++ b/crypto/fips/fips_err.h +@@ -91,6 +91,7 @@ static ERR_STRING_DATA FIPS_str_functs[] = { + {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_LRNG), "fips_concatenate_lrng"}, + {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, + 
{ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, + {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, +@@ -187,6 +188,9 @@ static ERR_STRING_DATA FIPS_str_reasons[] = { + "uninstantiate zeroise error"}, + {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, + {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_PERS), "error retrieving personalization string"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADIN), "error retrieving additional input string"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_RAND), "error retrieving random bytes from LRNG"}, + {0, NULL} + }; + +diff --git a/crypto/fips/fips_rand_lcl.h b/crypto/fips/fips_rand_lcl.h +index cab1657..3f04344 100644 +--- a/crypto/fips/fips_rand_lcl.h ++++ b/crypto/fips/fips_rand_lcl.h +@@ -166,6 +166,18 @@ struct drbg_ctx_st { + /* uninstantiate */ + int (*uninstantiate) (DRBG_CTX *ctx); + ++ /* personal string gathering function */ ++ size_t (*get_pers) (DRBG_CTX *ctx, unsigned char **pout, size_t pers_len); ++ ++ /* Indicates we have finished with personal string buffer */ ++ void (*cleanup_pers) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ ++ /* additional input gathering function */ ++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout, size_t adin_len); ++ ++ /* Indicates we have finished with additional buffer */ ++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ + /* Entropy source block length */ + size_t entropy_blocklen; + +@@ -181,10 +193,6 @@ struct drbg_ctx_st { + /* Indicates we have finished with nonce buffer */ + void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); + +- /* Callbacks used when called through RAND interface */ +- /* Get any additional input for generate */ +- size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); +- void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); + /* Callback for RAND_seed(), RAND_add() 
*/ + int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); + int (*rand_add_cb) (DRBG_CTX *ctx, +diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c +index 5d7a1d7..0d37757 100644 +--- a/crypto/rand/drbg_lib.c ++++ b/crypto/rand/drbg_lib.c +@@ -202,6 +202,12 @@ static RAND_DRBG *rand_drbg_new(int secure, + + if (parent == NULL) { + #ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ drbg->get_pers = rand_drbg_get_pers; ++ drbg->get_adin = rand_drbg_get_adin; ++ drbg->cleanup_pers = rand_drbg_cleanup_pers; ++ drbg->cleanup_adin = rand_drbg_cleanup_adin; ++ } + drbg->get_entropy = rand_crngt_get_entropy; + drbg->cleanup_entropy = rand_crngt_cleanup_entropy; + #else +@@ -216,8 +222,17 @@ static RAND_DRBG *rand_drbg_new(int secure, + drbg->reseed_interval = master_reseed_interval; + drbg->reseed_time_interval = master_reseed_time_interval; + } else { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ drbg->get_pers = rand_drbg_get_pers; ++ drbg->get_adin = rand_drbg_get_adin; ++ drbg->cleanup_pers = rand_drbg_cleanup_pers; ++ drbg->cleanup_adin = rand_drbg_cleanup_adin; ++ } ++#endif + drbg->get_entropy = rand_drbg_get_entropy; + drbg->cleanup_entropy = rand_drbg_cleanup_entropy; ++ + /* + * Do not provide nonce callbacks, the child DRBGs will + * obtain their nonce using random bits from the parent. 
+@@ -298,6 +313,10 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + size_t min_entropy = drbg->strength; + size_t min_entropylen = drbg->min_entropylen; + size_t max_entropylen = drbg->max_entropylen; ++#ifdef OPENSSL_FIPS ++ int pers_alloc = 0; ++ const unsigned char *tmp_pers = NULL; ++#endif + + if (perslen > drbg->max_perslen) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, +@@ -350,6 +369,29 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + } + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (drbg->get_pers != NULL) { ++ tmp_pers = pers; ++ perslen = drbg->get_pers(drbg, &pers, perslen); ++ if (tmp_pers != pers) { ++ pers_alloc = 1; ++ } ++ } else { ++ /* ++ * FIPS mode requires LRNG concatenation unless ++ * callback is overriden for DRBG testing ++ */ ++ perslen = rand_drbg_get_pers(drbg, &pers, perslen); ++ if (perslen == 0 || pers == NULL) { ++ RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_PERS); ++ goto end; ++ } ++ pers_alloc = 1; ++ } ++ } ++#endif ++ + if (!drbg->meth->instantiate(drbg, entropy, entropylen, + nonce, noncelen, pers, perslen)) { + RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_INSTANTIATING_DRBG); +@@ -368,6 +410,17 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, + } + + end: ++ #ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (pers != NULL && pers_alloc) { ++ if (drbg->cleanup_pers != NULL) { ++ drbg->cleanup_pers(drbg, pers, perslen); ++ } else { ++ rand_drbg_cleanup_pers(drbg, pers, perslen); ++ } ++ } ++ } ++ #endif + if (entropy != NULL && drbg->cleanup_entropy != NULL) + drbg->cleanup_entropy(drbg, entropy, entropylen); + if (nonce != NULL && drbg->cleanup_nonce != NULL) +@@ -414,6 +467,10 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, + { + unsigned char *entropy = NULL; + size_t entropylen = 0; ++#ifdef OPENSSL_FIPS ++ int adin_alloc = 0; ++ const unsigned char *tmp_adin = NULL; ++#endif + + if (drbg->state == DRBG_ERROR) { + RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_IN_ERROR_STATE); +@@ -443,6 +500,29 @@ int 
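Review bot: In the `drbg->get_pers != NULL` branch of `RAND_DRBG_instantiate`, the length returned by the callback is used without a failure check, although `rand_drbg_new` installs `rand_drbg_get_pers` there in FIPS mode and that function returns 0 and leaves `*pout` untouched when the LRNG read or the `max_perslen` bound fails. Instantiation then continues with `perslen == 0`, silently dropping both the caller's personalization string and the LRNG bytes; only the `else` branch reports `RAND_R_ERROR_RETRIEVING_PERS`. The `get_adin` branch of the `RAND_DRBG_reseed` hunk has the same shape, and `drbg_reseed` in `fips_drbg_lib.c` likewise uses the result of `fips_get_adin` unchecked (that helper is defined outside the visible lines). Because the KAT callbacks may legitimately return 0 for an empty string, the check has to be tied to the default callback, e.g. `if (perslen == 0 && drbg->get_pers == rand_drbg_get_pers) { RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_PERS); goto end; }`. Both functions continue outside their hunks.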
RAND_DRBG_reseed(RAND_DRBG *drbg, + goto end; + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (drbg->get_adin != NULL) { ++ tmp_adin = adin; ++ adinlen = drbg->get_adin(drbg, &adin, adinlen); ++ if (tmp_adin != adin) { ++ adin_alloc = 1; ++ } ++ } else { ++ /* ++ * FIPS mode requires LRNG concatenation unless ++ * callback is overriden for DRBG testing ++ */ ++ adinlen = rand_drbg_get_adin(drbg, &adin, adinlen); ++ if (adinlen == 0 || adin == NULL) { ++ RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); ++ goto end; ++ } ++ adin_alloc = 1; ++ } ++ } ++#endif ++ + if (!drbg->meth->reseed(drbg, entropy, entropylen, adin, adinlen)) + goto end; + +@@ -458,6 +538,17 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, + } + + end: ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (adin != NULL && adin_alloc) { ++ if (drbg->cleanup_adin != NULL) { ++ drbg->cleanup_adin(drbg, adin, adinlen); ++ } else { ++ rand_drbg_cleanup_adin(drbg, adin, adinlen); ++ } ++ } ++ } ++#endif + if (entropy != NULL && drbg->cleanup_entropy != NULL) + drbg->cleanup_entropy(drbg, entropy, entropylen); + if (drbg->state == DRBG_READY) +@@ -693,6 +784,40 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen) + return ret; + } + ++#ifdef OPENSSL_FIPS ++/* ++* Set the RAND_DRBG callbacks for obtaining entropy, nonce, ++* personalization string and additional input params ++* ++* Setting the callbacks is allowed only if the drbg has not been ++* initialized yet. Otherwise, the operation will fail. ++* ++* Returns 1 on success, 0 on failure. 
++*/ ++int RAND_DRBG_set_fips_callbacks(RAND_DRBG *drbg, ++ RAND_DRBG_get_pers_fn get_pers, ++ RAND_DRBG_cleanup_pers_fn cleanup_pers, ++ RAND_DRBG_get_adin_fn get_adin, ++ RAND_DRBG_cleanup_adin_fn cleanup_adin, ++ RAND_DRBG_get_entropy_fn get_entropy, ++ RAND_DRBG_cleanup_entropy_fn cleanup_entropy, ++ RAND_DRBG_get_nonce_fn get_nonce, ++ RAND_DRBG_cleanup_nonce_fn cleanup_nonce) ++{ ++ if (drbg->state != DRBG_UNINITIALISED) ++ return 0; ++ drbg->get_pers = get_pers; ++ drbg->cleanup_pers = cleanup_pers; ++ drbg->get_adin = get_adin; ++ drbg->cleanup_adin = cleanup_adin; ++ drbg->get_entropy = get_entropy; ++ drbg->cleanup_entropy = cleanup_entropy; ++ drbg->get_nonce = get_nonce; ++ drbg->cleanup_nonce = cleanup_nonce; ++ return 1; ++} ++#endif ++ + /* + * Set the RAND_DRBG callbacks for obtaining entropy and nonce. + * +diff --git a/crypto/rand/drbg_selftest.c b/crypto/rand/drbg_selftest.c +index 023242c..b6f9404 100644 +--- a/crypto/rand/drbg_selftest.c ++++ b/crypto/rand/drbg_selftest.c +@@ -231,6 +231,18 @@ static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; + + static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); + ++#ifdef OPENSSL_FIPS ++static size_t kat_pers(RAND_DRBG *drbg, unsigned char **pout, size_t pers_len) ++{ ++ return pers_len; ++} ++ ++static size_t kat_adin(RAND_DRBG *drbg, unsigned char **pout, size_t adin_len) ++{ ++ return adin_len; ++} ++#endif ++ + static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +@@ -276,9 +288,14 @@ static int single_kat_no_reseed(const struct drbg_kat *td) + + if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) + return 0; +- ++#ifndef OPENSSL_FIPS + if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) { ++#else ++ if (!RAND_DRBG_set_fips_callbacks(drbg, kat_pers, NULL, ++ kat_adin, NULL, kat_entropy, ++ NULL, kat_nonce, NULL)) { ++#endif + failures++; + goto err; + } 
+@@ -336,9 +353,14 @@ static int single_kat_pr_false(const struct drbg_kat *td) + + if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) + return 0; +- ++#ifndef OPENSSL_FIPS + if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) { ++#else ++ if (!RAND_DRBG_set_fips_callbacks(drbg, kat_pers, NULL, ++ kat_adin, NULL, kat_entropy, ++ NULL, kat_nonce, NULL)) { ++#endif + failures++; + goto err; + } +@@ -402,8 +424,14 @@ static int single_kat_pr_true(const struct drbg_kat *td) + if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) + return 0; + ++#ifndef OPENSSL_FIPS + if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) { ++#else ++ if (!RAND_DRBG_set_fips_callbacks(drbg, kat_pers, NULL, ++ kat_adin, NULL, kat_entropy, ++ NULL, kat_nonce, NULL)) { ++#endif + failures++; + goto err; + } +@@ -493,8 +521,14 @@ static int test_drbg_sanity(const struct drbg_kat *td) + if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) + return 0; + ++#ifndef OPENSSL_FIPS + if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, + kat_nonce, NULL)) { ++#else ++ if (!RAND_DRBG_set_fips_callbacks(drbg, kat_pers, NULL, ++ kat_adin, NULL, kat_entropy, ++ NULL, kat_nonce, NULL)) { ++#endif + failures++; + goto err; + } +diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c +index a3ae5f5..2c9962d 100644 +--- a/crypto/rand/rand_err.c ++++ b/crypto/rand/rand_err.c +@@ -25,6 +25,12 @@ static const ERR_STRING_DATA RAND_str_functs[] = { + "rand_drbg_enable_locking"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GENERATE, 0), + "RAND_DRBG_generate"}, ++#ifdef OPENSSL_FIPS ++ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GET_PERS, 0), ++ "rand_drbg_get_pers"}, ++ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GET_ADIN, 0), ++ "rand_drbg_get_adin"}, ++#endif + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GET_ENTROPY, 0), + "rand_drbg_get_entropy"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_GET_NONCE, 0), +diff --git a/crypto/rand/rand_lib.c 
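Review bot: `RAND_F_RAND_DRBG_LRNG`, the function code that `fips_concatenate_lrng` passes to `RANDerr`, gets no entry in `RAND_str_functs`; the two entries added in the `rand_err.c` hunk are for `RAND_F_RAND_DRBG_GET_PERS` and `RAND_F_RAND_DRBG_GET_ADIN`, which no visible code raises. That is also the only hunk for `rand_err.c`, so the new reasons `RAND_R_ERROR_RETRIEVING_PERS` and `RAND_R_ERROR_RETRIEVING_RAND` from `randerr.h` appear to have no reason strings, and a failed LRNG read would show up in the error queue as bare numbers. Adding `{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_DRBG_LRNG, 0), "fips_concatenate_lrng"},` plus the matching `RAND_str_reasons` entries would make those failures readable in logs.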
b/crypto/rand/rand_lib.c +index d8d3498..f6f2bb4 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -117,6 +117,116 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) + } + #endif + ++#ifdef OPENSSL_FIPS ++ ++static size_t fips_concatenate_lrng(RAND_DRBG *drbg, ++ unsigned char **pout, ++ size_t str_len, ++ size_t max_str_len) ++{ ++ unsigned char *tmp_str = NULL; ++ size_t idx = 0, total_bytes = 0, bytes_needed = 0; ++ ssize_t bytes = 0; ++ int rng_attempts = 3; ++ ++ bytes_needed = drbg->strength / 8; ++ ++ total_bytes = bytes_needed + str_len; ++ ++ if (total_bytes < bytes_needed) { ++ RANDerr(RAND_F_RAND_DRBG_LRNG, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ if (total_bytes > max_str_len) { ++ RANDerr(RAND_F_RAND_DRBG_LRNG, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ tmp_str = OPENSSL_zalloc(total_bytes); ++ if (tmp_str == NULL) { ++ RANDerr(RAND_F_RAND_DRBG_LRNG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (*pout != NULL) { ++ memcpy(tmp_str, *pout, str_len); ++ } ++ ++ idx = str_len; ++ ++ while (bytes_needed != 0 && rng_attempts-- > 0) { ++ bytes = syscall_random(tmp_str + idx, bytes_needed, 0); ++ if (bytes > 0) { ++ idx += bytes; ++ bytes_needed -= bytes; ++ rng_attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0 && errno != EINTR) { ++ break; ++ } ++ } ++ ++ if (bytes_needed == 0) { ++ *pout = tmp_str; ++ return total_bytes; ++ } ++ ++ RANDerr(RAND_F_RAND_DRBG_LRNG, RAND_R_ERROR_RETRIEVING_RAND); ++ ++err: ++ if (tmp_str != NULL) ++ OPENSSL_clear_free(tmp_str, total_bytes); ++ return 0; ++} ++ ++/* ++ * Implements the get_pers() callback (see RAND_DRBG_set_fips_callbacks()) ++ * ++ * Concatenate the personalization string with random bits from Linux RNG ++ */ ++ ++size_t rand_drbg_get_pers(RAND_DRBG *drbg, ++ unsigned char **pout, size_t pers_len) ++{ ++ return fips_concatenate_lrng(drbg, pout, pers_len, drbg->max_perslen); ++} ++ ++/* ++ * Implements the get_adin() 
callback (see RAND_DRBG_set_fips_callbacks()) ++ * ++ * Concatenate the additional input string with random bits from Linux RNG ++ */ ++size_t rand_drbg_get_adin(RAND_DRBG *drbg, ++ unsigned char **pout, size_t adin_len) ++{ ++ return fips_concatenate_lrng(drbg, pout, adin_len, drbg->max_adinlen); ++} ++ ++/* ++ * Implements the cleanup_pers() callback (see RAND_DRBG_set_fips_callbacks()) ++ * ++ */ ++void rand_drbg_cleanup_pers(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen) ++{ ++ if (out != NULL) { ++ OPENSSL_clear_free(out, outlen); ++ } ++} ++ ++/* ++ * Implements the cleanup_adin() callback (see RAND_DRBG_set_fips_callbacks()) ++ * ++ */ ++void rand_drbg_cleanup_adin(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen) ++{ ++ if (out != NULL) { ++ OPENSSL_clear_free(out, outlen); ++ } ++} ++ ++#endif + + /* + * Implements the get_entropy() callback (see RAND_DRBG_set_callbacks()) +@@ -243,6 +353,33 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, + int count; + } data; + ++#ifdef OPENSSL_FIPS ++ size_t entropy_available = 0; ++ ++ if (FIPS_mode()) { ++ /* Use the SP800-90B compliant entropy source to acquire a nonce */ ++ if (entropy < drbg->strength / 2) { ++ entropy = drbg->strength / 2; ++ } ++ ++ pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); ++ if (pool == NULL) ++ return 0; ++ ++ entropy_available = rand_pool_acquire_entropy(pool); ++ ++ if (entropy_available > 0) { ++ CRYPTO_atomic_add(&rand_nonce_count, 1, &data.count, rand_nonce_lock); ++ ret = rand_pool_length(pool); ++ *pout = rand_pool_detach(pool); ++ } ++ ++ rand_pool_free(pool); ++ ++ return ret; ++ } ++#endif ++ + memset(&data, 0, sizeof(data)); + pool = rand_pool_new(0, 0, min_len, max_len); + if (pool == NULL) +diff --git a/crypto/rand/rand_local.h b/crypto/rand/rand_local.h +index 2d13e45..50c2e72 100644 +--- a/crypto/rand/rand_local.h ++++ b/crypto/rand/rand_local.h +@@ -291,6 +291,12 @@ struct rand_drbg_st { + RAND_DRBG_METHOD *meth; + + /* Callback functions. 
See comments in rand_lib.c */ ++#ifdef OPENSSL_FIPS ++ RAND_DRBG_get_pers_fn get_pers; ++ RAND_DRBG_get_adin_fn get_adin; ++ RAND_DRBG_cleanup_pers_fn cleanup_pers; ++ RAND_DRBG_cleanup_adin_fn cleanup_adin; ++#endif + RAND_DRBG_get_entropy_fn get_entropy; + RAND_DRBG_cleanup_entropy_fn cleanup_entropy; + RAND_DRBG_get_nonce_fn get_nonce; +diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c +index 4c2d54e..722d721 100644 +--- a/crypto/rand/rand_unix.c ++++ b/crypto/rand/rand_unix.c +@@ -346,7 +346,7 @@ static ssize_t sysctl_random(char *buf, size_t buflen) + * syscall_random(): Try to get random data using a system call + * returns the number of bytes returned in buf, or < 0 on error. + */ +-static ssize_t syscall_random(void *buf, size_t buflen, int nonblock) ++ssize_t syscall_random(void *buf, size_t buflen, int nonblock) + { + /* + * Note: 'buflen' equals the size of the buffer which is used by the +diff --git a/include/crypto/rand.h b/include/crypto/rand.h +index 479c16d..e6bc79c 100644 +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -33,6 +33,16 @@ size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool); + size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool); + + /* DRBG entropy callbacks. 
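Review bot: Removing `static` from `syscall_random` in `rand_unix.c`, together with the `syscall_random 6600` line in `util/libcrypto.num`, turns an unprefixed internal helper into an exported libcrypto symbol. The FIPS personalization and additional-input path calls it to read LRNG bytes, so on platforms with ELF symbol interposition another definition of that generic name in the process could take its place; that depends on how the library is linked, which is not visible here. Keeping the declaration in `include/crypto/rand.h` only (no `libcrypto.num` entry) and giving it a library-prefixed name, e.g. `rand_syscall_random`, would keep the call internal. The function body lies outside the hunk.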
*/ ++#ifdef OPENSSL_FIPS ++size_t rand_drbg_get_pers(RAND_DRBG *drbg, ++ unsigned char **pout, size_t pers_len); ++void rand_drbg_cleanup_pers(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++size_t rand_drbg_get_adin(RAND_DRBG *drbg, ++ unsigned char **pout, size_t adin_len); ++void rand_drbg_cleanup_adin(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++#endif + size_t rand_drbg_get_entropy(RAND_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len, +@@ -145,4 +155,9 @@ void rand_pool_keep_random_devices_open(int keep); + */ + int rand_drbg_selftest(void); + ++/* ++ * Acquire random bits from Linux RNG ++ */ ++ssize_t syscall_random(void *buf, size_t buflen, int nonblock); ++ + #endif +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +index 701b37b..35c3c55 100644 +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -142,6 +142,7 @@ extern "C" { + # define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 + # define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 + # define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 ++# define FIPS_F_FIPS_DRBG_LRNG 200 + + /* Reason codes. 
*/ + # define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 +@@ -190,6 +191,9 @@ extern "C" { + # define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 + # define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 + # define FIPS_R_UNSUPPORTED_PLATFORM 113 ++# define FIPS_R_ERROR_RETRIEVING_PERS 200 ++# define FIPS_R_ERROR_RETRIEVING_ADIN 201 ++# define FIPS_R_ERROR_RETRIEVING_RAND 202 + + # ifdef __cplusplus + } +diff --git a/include/openssl/fips_rand.h b/include/openssl/fips_rand.h +index c924fd4..1330311 100644 +--- a/include/openssl/fips_rand.h ++++ b/include/openssl/fips_rand.h +@@ -99,13 +99,38 @@ extern "C" { + unsigned char *out, + size_t olen)); + ++ int FIPS_drbg_set_all_callbacks(DRBG_CTX *dctx, ++ size_t (*get_pers) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ size_t pers_len), ++ void (*cleanup_pers) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ size_t adin_len), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen)); ++ + int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, +- size_t (*get_adin) (DRBG_CTX *ctx, +- unsigned char +- **pout), +- void (*cleanup_adin) (DRBG_CTX *ctx, +- unsigned char *out, +- size_t olen), + int (*rand_seed_cb) (DRBG_CTX *ctx, + const void *buf, + int num), +diff --git a/include/openssl/rand_drbg.h b/include/openssl/rand_drbg.h +index 45b731b..9bf650d 100644 +--- a/include/openssl/rand_drbg.h ++++ b/include/openssl/rand_drbg.h +@@ -103,6 +103,7 @@ void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx); + /* + * Callback 
function typedefs + */ ++ + typedef size_t (*RAND_DRBG_get_entropy_fn)(RAND_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, +@@ -116,13 +117,33 @@ typedef size_t (*RAND_DRBG_get_nonce_fn)(RAND_DRBG *drbg, unsigned char **pout, + typedef void (*RAND_DRBG_cleanup_nonce_fn)(RAND_DRBG *drbg, + unsigned char *out, size_t outlen); + ++#ifdef OPENSSL_FIPS ++typedef size_t (*RAND_DRBG_get_pers_fn)(RAND_DRBG *drbg, ++ unsigned char **pout, size_t pers_len); ++typedef void (*RAND_DRBG_cleanup_pers_fn)(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++typedef size_t (*RAND_DRBG_get_adin_fn)(RAND_DRBG *drbg, ++ unsigned char **pout, size_t adin_len); ++typedef void (*RAND_DRBG_cleanup_adin_fn)(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++int RAND_DRBG_set_fips_callbacks(RAND_DRBG *drbg, ++ RAND_DRBG_get_pers_fn get_pers, ++ RAND_DRBG_cleanup_pers_fn cleanup_pers, ++ RAND_DRBG_get_adin_fn get_adin, ++ RAND_DRBG_cleanup_adin_fn cleanup_adin, ++ RAND_DRBG_get_entropy_fn get_entropy, ++ RAND_DRBG_cleanup_entropy_fn cleanup_entropy, ++ RAND_DRBG_get_nonce_fn get_nonce, ++ RAND_DRBG_cleanup_nonce_fn cleanup_nonce); ++#endif ++ ++ + int RAND_DRBG_set_callbacks(RAND_DRBG *drbg, + RAND_DRBG_get_entropy_fn get_entropy, + RAND_DRBG_cleanup_entropy_fn cleanup_entropy, + RAND_DRBG_get_nonce_fn get_nonce, + RAND_DRBG_cleanup_nonce_fn cleanup_nonce); + +- + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h +index ba9fb91..ca80b54 100644 +--- a/include/openssl/randerr.h ++++ b/include/openssl/randerr.h +@@ -29,6 +29,10 @@ int ERR_load_RAND_strings(void); + # define RAND_F_RAND_BYTES 100 + # define RAND_F_RAND_DRBG_ENABLE_LOCKING 119 + # define RAND_F_RAND_DRBG_GENERATE 107 ++#ifdef OPENSSL_FIPS ++# define RAND_F_RAND_DRBG_GET_PERS 128 ++# define RAND_F_RAND_DRBG_GET_ADIN 129 ++#endif + # define RAND_F_RAND_DRBG_GET_ENTROPY 120 + # define RAND_F_RAND_DRBG_GET_NONCE 123 + # define 
RAND_F_RAND_DRBG_INSTANTIATE 108 +@@ -38,6 +42,9 @@ int ERR_load_RAND_strings(void); + # define RAND_F_RAND_DRBG_SET 104 + # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 + # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 ++#ifdef OPENSSL_FIPS ++# define RAND_F_RAND_DRBG_LRNG 201 ++#endif + # define RAND_F_RAND_INIT_FIPS 200 + # define RAND_F_RAND_LOAD_FILE 111 + # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 +@@ -91,5 +98,10 @@ int ERR_load_RAND_strings(void); + # define RAND_R_TOO_MUCH_NONCE_REQUESTED 136 + # define RAND_R_UNSUPPORTED_DRBG_FLAGS 132 + # define RAND_R_UNSUPPORTED_DRBG_TYPE 120 ++#ifdef OPENSSL_FIPS ++# define RAND_R_ERROR_RETRIEVING_PERS 200 ++# define RAND_R_ERROR_RETRIEVING_RAND 201 ++# define RAND_R_ERROR_NO_LRNG_CONCAT 202 ++#endif + + #endif +diff --git a/util/libcrypto.num b/util/libcrypto.num +index e354631..0b2d382 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4635,4 +4635,7 @@ EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: + EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: + EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: + EC_GROUP_check_named_curve 6598 1_1_1g EXIST::FUNCTION:EC +-FIPS_init_entropy 6599 1_1_1k EXIST::FUNCTION: +\ No newline at end of file ++FIPS_init_entropy 6599 1_1_1k EXIST::FUNCTION: ++syscall_random 6600 1_1_1k EXIST::FUNCTION: ++RAND_DRBG_set_fips_callbacks 6601 1_1_1k EXIST::FUNCTION: ++FIPS_drbg_set_all_callbacks 6602 1_1_1k EXIST::FUNCTION: +\ No newline at end of file +diff --git a/util/private.num b/util/private.num +index e9420e7..ff8cc7a 100644 +--- a/util/private.num ++++ b/util/private.num +@@ -46,8 +46,12 @@ PROFESSION_INFO datatype + PROFESSION_INFOS datatype + RAND_DRBG_cleanup_entropy_fn datatype + RAND_DRBG_cleanup_nonce_fn datatype ++RAND_DRBG_cleanup_pers_fn datatype ++RAND_DRBG_cleanup_adin_fn datatype + RAND_DRBG_get_entropy_fn datatype + RAND_DRBG_get_nonce_fn datatype ++RAND_DRBG_get_pers_fn datatype ++RAND_DRBG_get_adin_fn datatype + RAND_poll_cb datatype + SSL_CTX_allow_early_data_cb_fn datatype + 
SSL_CTX_keylog_cb_func datatype diff --git a/SPECS/openssl/openssl-1.1.1-jitterentropy.patch b/SPECS/openssl/openssl-1.1.1-jitterentropy.patch new file mode 100644 index 0000000000..7308baa8b9 --- /dev/null +++ b/SPECS/openssl/openssl-1.1.1-jitterentropy.patch 
@@ -0,0 +1,2122 @@ +diff --git a/crypto/fips/build.info b/crypto/fips/build.info +index 2859a08..a690d04 100644 +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -1,11 +1,11 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ ++ fips_aes_selftest.c fips_des_selftest.c fips_entropy.c fips_hmac_selftest.c \ + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ + fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c jitterentropy-base.c + + PROGRAMS_NO_INST=\ + fips_standalone_hmac +diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c +index 3b9d3e9..b3e0f43 100644 +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -454,6 +454,14 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + ++ if (!FIPS_init_entropy()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_ENTROPY_INIT_FAILED); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ + if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; +diff --git a/crypto/fips/fips_entropy.c b/crypto/fips/fips_entropy.c +new file mode 100644 +index 0000000..a8943a8 +--- /dev/null ++++ b/crypto/fips/fips_entropy.c +@@ -0,0 +1,53 @@ ++# include ++ ++#include "crypto/fips.h" ++#include "crypto/jitterentropy.h" ++ ++static int fips_entropy_init = 0; ++ ++int FIPS_init_entropy(void) ++{ ++ int rv = 1; ++ ++ if (jent_entropy_init() != 0) { ++ rv = 0; ++ } else { ++ fips_entropy_init = 1; ++ } ++ ++ return rv; ++} ++ ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) ++{ ++ ssize_t ent_bytes = -1; ++ struct rand_data* ec = NULL; ++ ++ if (buf == NULL || buflen == 0) { ++ goto end; ++ } ++ ++ /* Ensure entropy source has been initiated */ ++ if 
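Review bot: Nothing in the `crypto/fips/build.info` hunk arranges for `jitterentropy-base.c` to be compiled without optimisation, although that file refuses to build when `__OPTIMIZE__` is defined (its `#error` appears further down in this patch). Sources listed under `SOURCE[../../libcrypto]` normally inherit the library-wide compiler flags, so either the build stops at that guard or the guard has been neutralised somewhere outside this view. Please confirm where `-O0` is applied to this one file (spec, Configure, or a pragma in a header) and that the guard is still effective, since the file's own message says the jitter RNG must not be built with optimisations. A comment above the `SOURCE` list would record the requirement: `# jitterentropy-base.c must be built with -O0; see the __OPTIMIZE__ check in that file`.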
(!fips_entropy_init) { ++ if (!FIPS_init_entropy()) { ++ goto end; ++ } ++ } ++ ++ /* Allocate entropy collector */ ++ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ if (ec == NULL) { ++ goto end; ++ } ++ ++ /* Get entropy */ ++ ent_bytes = jent_read_entropy(ec, (char *)buf, buflen); ++ ++end: ++ /* Free entropy collector */ ++ if (ec != NULL) { ++ jent_entropy_collector_free(ec); ++ } ++ ++ return ent_bytes; ++} +\ No newline at end of file +diff --git a/crypto/fips/fips_err.h b/crypto/fips/fips_err.h +index 3cf8d69..9a9c9a1 100644 +--- a/crypto/fips/fips_err.h ++++ b/crypto/fips/fips_err.h +@@ -138,6 +138,7 @@ static ERR_STRING_DATA FIPS_str_reasons[] = { + {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, + {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, + {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_INIT_FAILED), "entropy init failed"}, + {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), + "entropy not requested for reseed"}, + {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, +diff --git a/crypto/fips/jitterentropy-base.c b/crypto/fips/jitterentropy-base.c +new file mode 100644 +index 0000000..9fb5b96 +--- /dev/null ++++ b/crypto/fips/jitterentropy-base.c +@@ -0,0 +1,1458 @@ ++/* ++ * Non-physical true random number generator based on timing jitter. ++ * ++ * Copyright Stephan Mueller , 2014 - 2021 ++ * ++ * Design ++ * ====== ++ * ++ * See documentation in doc/ folder. ++ * ++ * Interface ++ * ========= ++ * ++ * See documentation in jitterentropy(3) man page. ++ * ++ * License ++ * ======= ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. 
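Review bot: `FIPS_jitter_entropy()` in `crypto/fips/fips_entropy.c` passes the result of `jent_read_entropy()` straight through. On a health-test failure the caller therefore gets a negative code while `buf` may already hold blocks copied by earlier loop iterations (that loop is in `jitterentropy-base.c` later in this patch; its error path is outside this view). The function has no comment stating that contract, so I would add one saying it returns the requested byte count on success and a negative value on failure. I would also wipe the buffer on failure, just before `return ent_bytes;`, with `if (ent_bytes < 0 && buf != NULL) OPENSSL_cleanse(buf, buflen);`. Separately, `fips_entropy_init` is read and written with no lock or once-guard, so two threads can enter the lazy `FIPS_init_entropy()` call together; confirm `jent_entropy_init()` tolerates that, or run it through `CRYPTO_THREAD_run_once`.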
Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU General Public License, in which case the provisions of the GPL2 are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF ++ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT ++ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR ++ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ++ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ++ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH ++ * DAMAGE. 
++ */ ++ ++#include "crypto/jitterentropy.h" ++ ++#define MAJVERSION 3 /* API / ABI incompatible changes, functional changes that ++ * require consumer to be updated (as long as this number ++ * is zero, the API is not considered stable and can ++ * change without a bump of the major version) */ ++#define MINVERSION 0 /* API compatible, ABI may change, functional ++ * enhancements only, consumer can be left unchanged if ++ * enhancements are not considered */ ++#define PATCHLEVEL 2 /* API / ABI compatible, no functional changes, no ++ * enhancements, bug fixes only */ ++ ++/*************************************************************************** ++ * Jitter RNG Static Definitions ++ * ++ * None of the following should be altered ++ ***************************************************************************/ ++ ++#ifdef __OPTIMIZE__ ++ #error "The CPU Jitter random number generator must not be compiled with optimizations. See documentation. Use the compiler switch -O0 for compiling jitterentropy.c." ++#endif ++ ++/* ++ * JENT_POWERUP_TESTLOOPCOUNT needs some loops to identify edge ++ * systems. 100 is definitely too little. ++ * ++ * SP800-90B requires at least 1024 initial test cycles. ++ */ ++#define JENT_POWERUP_TESTLOOPCOUNT 1024 ++ ++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++ ++/** ++ * jent_version() - Return machine-usable version number of jent library ++ * ++ * The function returns a version number that is monotonic increasing ++ * for newer versions. The version numbers are multiples of 100. For example, ++ * version 1.2.3 is converted to 1020300 -- the last two digits are reserved ++ * for future use. ++ * ++ * The result of this function can be used in comparing the version number ++ * in a calling program if version-specific calls need to be make. 
++ * ++ * @return Version number of jitterentropy library ++ */ ++JENT_PRIVATE_STATIC ++unsigned int jent_version(void) ++{ ++ unsigned int version = 0; ++ ++ version = MAJVERSION * 1000000; ++ version += MINVERSION * 10000; ++ version += PATCHLEVEL * 100; ++ ++ return version; ++} ++ ++/*************************************************************************** ++ * Adaptive Proportion Test ++ * ++ * This test complies with SP800-90B section 4.4.2. ++ ***************************************************************************/ ++ ++/** ++ * Reset the APT counter ++ * ++ * @ec [in] Reference to entropy collector ++ */ ++static void jent_apt_reset(struct rand_data *ec, uint64_t current_delta) ++{ ++ /* Reset APT counter */ ++ ec->apt_count = 0; ++ ec->apt_base = current_delta; ++ ec->apt_observations = 0; ++} ++ ++/** ++ * Insert a new entropy event into APT ++ * ++ * @ec [in] Reference to entropy collector ++ * @current_delta [in] Current time delta ++ */ ++static void jent_apt_insert(struct rand_data *ec, uint64_t current_delta) ++{ ++ /* Initialize the base reference */ ++ if (!ec->apt_base_set) { ++ ec->apt_base = current_delta; ++ ec->apt_base_set = 1; ++ return; ++ } ++ ++ if (current_delta == ec->apt_base) { ++ ec->apt_count++; ++ ++ if (ec->apt_count >= JENT_APT_CUTOFF) ++ ec->health_failure = 1; ++ } ++ ++ ec->apt_observations++; ++ ++ if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) ++ jent_apt_reset(ec, current_delta); ++} ++ ++/*************************************************************************** ++ * Stuck Test and its use as Repetition Count Test ++ * ++ * The Jitter RNG uses an enhanced version of the Repetition Count Test ++ * (RCT) specified in SP800-90B section 4.4.1. Instead of counting identical ++ * back-to-back values, the input to the RCT is the counting of the stuck ++ * values during the generation of one Jitter RNG output block. ++ * ++ * The RCT is applied with an alpha of 2^{-30} compliant to FIPS 140-2 IG 9.8. 
++ * ++ * During the counting operation, the Jitter RNG always calculates the RCT ++ * cut-off value of C. If that value exceeds the allowed cut-off value, ++ * the Jitter RNG output block will be calculated completely but discarded at ++ * the end. The caller of the Jitter RNG is informed with an error code. ++ ***************************************************************************/ ++ ++/** ++ * Repetition Count Test as defined in SP800-90B section 4.4.1 ++ * ++ * @ec [in] Reference to entropy collector ++ * @stuck [in] Indicator whether the value is stuck ++ */ ++static void jent_rct_insert(struct rand_data *ec, int stuck) ++{ ++ /* ++ * If we have a count less than zero, a previous RCT round identified ++ * a failure. We will not overwrite it. ++ */ ++ if (ec->rct_count < 0) ++ return; ++ ++ if (stuck) { ++ ec->rct_count++; ++ ++ /* ++ * The cutoff value is based on the following consideration: ++ * alpha = 2^-30 as recommended in FIPS 140-2 IG 9.8. ++ * In addition, we require an entropy value H of 1/OSR as this ++ * is the minimum entropy required to provide full entropy. ++ * Note, we collect 64 * OSR deltas for inserting them into ++ * the entropy pool which should then have (close to) 64 bits ++ * of entropy. ++ * ++ * Note, ec->rct_count (which equals to value B in the pseudo ++ * code of SP800-90B section 4.4.1) starts with zero. Hence ++ * we need to subtract one from the cutoff value as calculated ++ * following SP800-90B. ++ */ ++ if ((unsigned int)ec->rct_count >= (31 * ec->osr)) { ++ ec->rct_count = -1; ++ ec->health_failure = 1; ++ } ++ } else { ++ ec->rct_count = 0; ++ } ++} ++ ++/** ++ * Is there an RCT health test failure? 
++ * ++ * @ec [in] Reference to entropy collector ++ * ++ * @return ++ * 0 No health test failure ++ * 1 Permanent health test failure ++ */ ++static int jent_rct_failure(struct rand_data *ec) ++{ ++ if (ec->rct_count < 0) ++ return 1; ++ return 0; ++} ++ ++static inline uint64_t jent_delta(uint64_t prev, uint64_t next) ++{ ++ return (next - prev); ++} ++ ++/** ++ * Stuck test by checking the: ++ * 1st derivative of the jitter measurement (time delta) ++ * 2nd derivative of the jitter measurement (delta of time deltas) ++ * 3rd derivative of the jitter measurement (delta of delta of time deltas) ++ * ++ * All values must always be non-zero. ++ * ++ * @ec [in] Reference to entropy collector ++ * @current_delta [in] Jitter time delta ++ * ++ * @return ++ * 0 jitter measurement not stuck (good bit) ++ * 1 jitter measurement stuck (reject bit) ++ */ ++static unsigned int jent_stuck(struct rand_data *ec, uint64_t current_delta) ++{ ++ uint64_t delta2 = jent_delta(ec->last_delta, current_delta); ++ uint64_t delta3 = jent_delta(ec->last_delta2, delta2); ++ ++ ec->last_delta = current_delta; ++ ec->last_delta2 = delta2; ++ ++ /* ++ * Insert the result of the comparison of two back-to-back time ++ * deltas. 
++ */ ++ jent_apt_insert(ec, current_delta); ++ ++ if (!current_delta || !delta2 || !delta3) { ++ /* RCT with a stuck bit */ ++ jent_rct_insert(ec, 1); ++ return 1; ++ } ++ ++ /* RCT with a non-stuck bit */ ++ jent_rct_insert(ec, 0); ++ ++ return 0; ++} ++ ++/** ++ * Report any health test failures ++ * ++ * @ec [in] Reference to entropy collector ++ * ++ * @return ++ * 0 No health test failure ++ * 1 Permanent health test failure ++ */ ++static int jent_health_failure(struct rand_data *ec) ++{ ++ /* Test is only enabled in FIPS mode */ ++ if (!ec->fips_enabled) ++ return 0; ++ ++ return ec->health_failure; ++} ++ ++/*************************************************************************** ++ * Message Digest Implementation ++ ***************************************************************************/ ++#define SHA3_SIZE_BLOCK(bits) ((1600 - 2 * bits) >> 3) ++#define SHA3_256_SIZE_BLOCK SHA3_SIZE_BLOCK(SHA3_256_SIZE_DIGEST_BITS) ++#define SHA3_MAX_SIZE_BLOCK SHA3_256_SIZE_BLOCK ++ ++struct sha_ctx { ++ uint64_t state[25]; ++ size_t msg_len; ++ unsigned int r; ++ unsigned int rword; ++ unsigned int digestsize; ++ uint8_t partial[SHA3_MAX_SIZE_BLOCK]; ++}; ++ ++#define aligned(val) __attribute__((aligned(val))) ++#define ALIGNED_BUFFER(name, size, type) \ ++ type name[(size + sizeof(type)-1) / sizeof(type)] aligned(sizeof(type)); ++ ++/* CTX size allows any hash type up to SHA3-224 */ ++#define SHA_MAX_CTX_SIZE 368 ++#define HASH_CTX_ON_STACK(name) \ ++ ALIGNED_BUFFER(name ## _ctx_buf, SHA_MAX_CTX_SIZE, uint64_t) \ ++ struct sha_ctx *name = (struct sha_ctx *) name ## _ctx_buf ++ ++/* ++ * Conversion of Little-Endian representations in byte streams - the data ++ * representation in the integer values is the host representation. 
++ */ ++static inline uint32_t ptr_to_le32(const uint8_t *p) ++{ ++ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | ++ (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; ++} ++ ++static inline uint64_t ptr_to_le64(const uint8_t *p) ++{ ++ return (uint64_t)ptr_to_le32(p) | (uint64_t)ptr_to_le32(p + 4) << 32; ++} ++ ++static inline void le32_to_ptr(uint8_t *p, const uint32_t value) ++{ ++ p[0] = (uint8_t)(value); ++ p[1] = (uint8_t)(value >> 8); ++ p[2] = (uint8_t)(value >> 16); ++ p[3] = (uint8_t)(value >> 24); ++} ++ ++static inline void le64_to_ptr(uint8_t *p, const uint64_t value) ++{ ++ le32_to_ptr(p + 4, (uint32_t)(value >> 32)); ++ le32_to_ptr(p, (uint32_t)(value)); ++} ++ ++/*********************************** Keccak ***********************************/ ++/* state[x + y*5] */ ++#define A(x, y) (x + 5 * y) ++ ++static inline void keccakp_theta(uint64_t s[25]) ++{ ++ uint64_t C[5], D[5]; ++ ++ /* Step 1 */ ++ C[0] = s[A(0, 0)] ^ s[A(0, 1)] ^ s[A(0, 2)] ^ s[A(0, 3)] ^ s[A(0, 4)]; ++ C[1] = s[A(1, 0)] ^ s[A(1, 1)] ^ s[A(1, 2)] ^ s[A(1, 3)] ^ s[A(1, 4)]; ++ C[2] = s[A(2, 0)] ^ s[A(2, 1)] ^ s[A(2, 2)] ^ s[A(2, 3)] ^ s[A(2, 4)]; ++ C[3] = s[A(3, 0)] ^ s[A(3, 1)] ^ s[A(3, 2)] ^ s[A(3, 3)] ^ s[A(3, 4)]; ++ C[4] = s[A(4, 0)] ^ s[A(4, 1)] ^ s[A(4, 2)] ^ s[A(4, 3)] ^ s[A(4, 4)]; ++ ++ /* Step 2 */ ++ D[0] = C[4] ^ rol64(C[1], 1); ++ D[1] = C[0] ^ rol64(C[2], 1); ++ D[2] = C[1] ^ rol64(C[3], 1); ++ D[3] = C[2] ^ rol64(C[4], 1); ++ D[4] = C[3] ^ rol64(C[0], 1); ++ ++ /* Step 3 */ ++ s[A(0, 0)] ^= D[0]; ++ s[A(1, 0)] ^= D[1]; ++ s[A(2, 0)] ^= D[2]; ++ s[A(3, 0)] ^= D[3]; ++ s[A(4, 0)] ^= D[4]; ++ ++ s[A(0, 1)] ^= D[0]; ++ s[A(1, 1)] ^= D[1]; ++ s[A(2, 1)] ^= D[2]; ++ s[A(3, 1)] ^= D[3]; ++ s[A(4, 1)] ^= D[4]; ++ ++ s[A(0, 2)] ^= D[0]; ++ s[A(1, 2)] ^= D[1]; ++ s[A(2, 2)] ^= D[2]; ++ s[A(3, 2)] ^= D[3]; ++ s[A(4, 2)] ^= D[4]; ++ ++ s[A(0, 3)] ^= D[0]; ++ s[A(1, 3)] ^= D[1]; ++ s[A(2, 3)] ^= D[2]; ++ s[A(3, 3)] ^= D[3]; ++ s[A(4, 3)] ^= D[4]; ++ ++ s[A(0, 4)] ^= D[0]; ++ s[A(1, 4)] 
^= D[1]; ++ s[A(2, 4)] ^= D[2]; ++ s[A(3, 4)] ^= D[3]; ++ s[A(4, 4)] ^= D[4]; ++} ++ ++static inline void keccakp_rho(uint64_t s[25]) ++{ ++ /* Step 1 */ ++ /* s[A(0, 0)] = s[A(0, 0)]; */ ++ ++#define RHO_ROL(t) (((t + 1) * (t + 2) / 2) % 64) ++ /* Step 3 */ ++ s[A(1, 0)] = rol64(s[A(1, 0)], RHO_ROL(0)); ++ s[A(0, 2)] = rol64(s[A(0, 2)], RHO_ROL(1)); ++ s[A(2, 1)] = rol64(s[A(2, 1)], RHO_ROL(2)); ++ s[A(1, 2)] = rol64(s[A(1, 2)], RHO_ROL(3)); ++ s[A(2, 3)] = rol64(s[A(2, 3)], RHO_ROL(4)); ++ s[A(3, 3)] = rol64(s[A(3, 3)], RHO_ROL(5)); ++ s[A(3, 0)] = rol64(s[A(3, 0)], RHO_ROL(6)); ++ s[A(0, 1)] = rol64(s[A(0, 1)], RHO_ROL(7)); ++ s[A(1, 3)] = rol64(s[A(1, 3)], RHO_ROL(8)); ++ s[A(3, 1)] = rol64(s[A(3, 1)], RHO_ROL(9)); ++ s[A(1, 4)] = rol64(s[A(1, 4)], RHO_ROL(10)); ++ s[A(4, 4)] = rol64(s[A(4, 4)], RHO_ROL(11)); ++ s[A(4, 0)] = rol64(s[A(4, 0)], RHO_ROL(12)); ++ s[A(0, 3)] = rol64(s[A(0, 3)], RHO_ROL(13)); ++ s[A(3, 4)] = rol64(s[A(3, 4)], RHO_ROL(14)); ++ s[A(4, 3)] = rol64(s[A(4, 3)], RHO_ROL(15)); ++ s[A(3, 2)] = rol64(s[A(3, 2)], RHO_ROL(16)); ++ s[A(2, 2)] = rol64(s[A(2, 2)], RHO_ROL(17)); ++ s[A(2, 0)] = rol64(s[A(2, 0)], RHO_ROL(18)); ++ s[A(0, 4)] = rol64(s[A(0, 4)], RHO_ROL(19)); ++ s[A(4, 2)] = rol64(s[A(4, 2)], RHO_ROL(20)); ++ s[A(2, 4)] = rol64(s[A(2, 4)], RHO_ROL(21)); ++ s[A(4, 1)] = rol64(s[A(4, 1)], RHO_ROL(22)); ++ s[A(1, 1)] = rol64(s[A(1, 1)], RHO_ROL(23)); ++} ++ ++static inline void keccakp_pi(uint64_t s[25]) ++{ ++ uint64_t t = s[A(4, 4)]; ++ ++ /* Step 1 */ ++ /* s[A(0, 0)] = s[A(0, 0)]; */ ++ s[A(4, 4)] = s[A(1, 4)]; ++ s[A(1, 4)] = s[A(3, 1)]; ++ s[A(3, 1)] = s[A(1, 3)]; ++ s[A(1, 3)] = s[A(0, 1)]; ++ s[A(0, 1)] = s[A(3, 0)]; ++ s[A(3, 0)] = s[A(3, 3)]; ++ s[A(3, 3)] = s[A(2, 3)]; ++ s[A(2, 3)] = s[A(1, 2)]; ++ s[A(1, 2)] = s[A(2, 1)]; ++ s[A(2, 1)] = s[A(0, 2)]; ++ s[A(0, 2)] = s[A(1, 0)]; ++ s[A(1, 0)] = s[A(1, 1)]; ++ s[A(1, 1)] = s[A(4, 1)]; ++ s[A(4, 1)] = s[A(2, 4)]; ++ s[A(2, 4)] = s[A(4, 2)]; ++ s[A(4, 2)] = s[A(0, 4)]; ++ s[A(0, 
4)] = s[A(2, 0)]; ++ s[A(2, 0)] = s[A(2, 2)]; ++ s[A(2, 2)] = s[A(3, 2)]; ++ s[A(3, 2)] = s[A(4, 3)]; ++ s[A(4, 3)] = s[A(3, 4)]; ++ s[A(3, 4)] = s[A(0, 3)]; ++ s[A(0, 3)] = s[A(4, 0)]; ++ s[A(4, 0)] = t; ++} ++ ++static inline void keccakp_chi(uint64_t s[25]) ++{ ++ uint64_t t0[5], t1[5]; ++ ++ t0[0] = s[A(0, 0)]; ++ t0[1] = s[A(0, 1)]; ++ t0[2] = s[A(0, 2)]; ++ t0[3] = s[A(0, 3)]; ++ t0[4] = s[A(0, 4)]; ++ ++ t1[0] = s[A(1, 0)]; ++ t1[1] = s[A(1, 1)]; ++ t1[2] = s[A(1, 2)]; ++ t1[3] = s[A(1, 3)]; ++ t1[4] = s[A(1, 4)]; ++ ++ s[A(0, 0)] ^= ~s[A(1, 0)] & s[A(2, 0)]; ++ s[A(0, 1)] ^= ~s[A(1, 1)] & s[A(2, 1)]; ++ s[A(0, 2)] ^= ~s[A(1, 2)] & s[A(2, 2)]; ++ s[A(0, 3)] ^= ~s[A(1, 3)] & s[A(2, 3)]; ++ s[A(0, 4)] ^= ~s[A(1, 4)] & s[A(2, 4)]; ++ ++ s[A(1, 0)] ^= ~s[A(2, 0)] & s[A(3, 0)]; ++ s[A(1, 1)] ^= ~s[A(2, 1)] & s[A(3, 1)]; ++ s[A(1, 2)] ^= ~s[A(2, 2)] & s[A(3, 2)]; ++ s[A(1, 3)] ^= ~s[A(2, 3)] & s[A(3, 3)]; ++ s[A(1, 4)] ^= ~s[A(2, 4)] & s[A(3, 4)]; ++ ++ s[A(2, 0)] ^= ~s[A(3, 0)] & s[A(4, 0)]; ++ s[A(2, 1)] ^= ~s[A(3, 1)] & s[A(4, 1)]; ++ s[A(2, 2)] ^= ~s[A(3, 2)] & s[A(4, 2)]; ++ s[A(2, 3)] ^= ~s[A(3, 3)] & s[A(4, 3)]; ++ s[A(2, 4)] ^= ~s[A(3, 4)] & s[A(4, 4)]; ++ ++ s[A(3, 0)] ^= ~s[A(4, 0)] & t0[0]; ++ s[A(3, 1)] ^= ~s[A(4, 1)] & t0[1]; ++ s[A(3, 2)] ^= ~s[A(4, 2)] & t0[2]; ++ s[A(3, 3)] ^= ~s[A(4, 3)] & t0[3]; ++ s[A(3, 4)] ^= ~s[A(4, 4)] & t0[4]; ++ ++ s[A(4, 0)] ^= ~t0[0] & t1[0]; ++ s[A(4, 1)] ^= ~t0[1] & t1[1]; ++ s[A(4, 2)] ^= ~t0[2] & t1[2]; ++ s[A(4, 3)] ^= ~t0[3] & t1[3]; ++ s[A(4, 4)] ^= ~t0[4] & t1[4]; ++} ++ ++static const uint64_t keccakp_iota_vals[] = { ++ 0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, ++ 0x8000000080008000ULL, 0x000000000000808bULL, 0x0000000080000001ULL, ++ 0x8000000080008081ULL, 0x8000000000008009ULL, 0x000000000000008aULL, ++ 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL, ++ 0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, ++ 0x8000000000008003ULL, 
0x8000000000008002ULL, 0x8000000000000080ULL, ++ 0x000000000000800aULL, 0x800000008000000aULL, 0x8000000080008081ULL, ++ 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL ++}; ++ ++static inline void keccakp_iota(uint64_t s[25], unsigned int round) ++{ ++ s[0] ^= keccakp_iota_vals[round]; ++} ++ ++static inline void keccakp_1600(uint64_t s[25]) ++{ ++ unsigned int round; ++ ++ for (round = 0; round < 24; round++) { ++ keccakp_theta(s); ++ keccakp_rho(s); ++ keccakp_pi(s); ++ keccakp_chi(s); ++ keccakp_iota(s, round); ++ } ++} ++ ++/*********************************** SHA-3 ************************************/ ++ ++static inline void sha3_init(struct sha_ctx *ctx) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < 25; i++) ++ ctx->state[i] = 0; ++ ctx->msg_len = 0; ++} ++ ++static void sha3_256_init(struct sha_ctx *ctx) ++{ ++ sha3_init(ctx); ++ ctx->r = SHA3_256_SIZE_BLOCK; ++ ctx->rword = SHA3_256_SIZE_BLOCK / sizeof(uint64_t); ++ ctx->digestsize = SHA3_256_SIZE_DIGEST; ++} ++ ++static inline void sha3_fill_state(struct sha_ctx *ctx, const uint8_t *in) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < ctx->rword; i++) { ++ ctx->state[i] ^= ptr_to_le64(in); ++ in += 8; ++ } ++} ++ ++static void sha3_update(struct sha_ctx *ctx, const uint8_t *in, size_t inlen) ++{ ++ size_t partial = ctx->msg_len % ctx->r; ++ ++ ctx->msg_len += inlen; ++ ++ /* Sponge absorbing phase */ ++ ++ /* Check if we have a partial block stored */ ++ if (partial) { ++ size_t todo = ctx->r - partial; ++ ++ /* ++ * If the provided data is small enough to fit in the partial ++ * buffer, copy it and leave it unprocessed. ++ */ ++ if (inlen < todo) { ++ memcpy(ctx->partial + partial, in, inlen); ++ return; ++ } ++ ++ /* ++ * The input data is large enough to fill the entire partial ++ * block buffer. Thus, we fill it and transform it. 
++ */ ++ memcpy(ctx->partial + partial, in, todo); ++ inlen -= todo; ++ in += todo; ++ ++ sha3_fill_state(ctx, ctx->partial); ++ keccakp_1600(ctx->state); ++ } ++ ++ /* Perform a transformation of full block-size messages */ ++ for (; inlen >= ctx->r; inlen -= ctx->r, in += ctx->r) { ++ sha3_fill_state(ctx, in); ++ keccakp_1600(ctx->state); ++ } ++ ++ /* If we have data left, copy it into the partial block buffer */ ++ memcpy(ctx->partial, in, inlen); ++} ++ ++static void sha3_final(struct sha_ctx *ctx, uint8_t *digest) ++{ ++ size_t partial = ctx->msg_len % ctx->r; ++ unsigned int i; ++ ++ /* Final round in sponge absorbing phase */ ++ ++ /* Fill the unused part of the partial buffer with zeros */ ++ memset(ctx->partial + partial, 0, ctx->r - partial); ++ ++ /* ++ * Add the leading and trailing bit as well as the 01 bits for the ++ * SHA-3 suffix. ++ */ ++ ctx->partial[partial] = 0x06; ++ ctx->partial[ctx->r - 1] |= 0x80; ++ ++ /* Final transformation */ ++ sha3_fill_state(ctx, ctx->partial); ++ keccakp_1600(ctx->state); ++ ++ /* ++ * Sponge squeeze phase - the digest size is always smaller as the ++ * state size r which implies we only have one squeeze round. 
++ */ ++ for (i = 0; i < ctx->digestsize / 8; i++, digest += 8) ++ le64_to_ptr(digest, ctx->state[i]); ++ ++ /* Add remaining 4 bytes if we use SHA3-224 */ ++ if (ctx->digestsize % 8) ++ le32_to_ptr(digest, (uint32_t)(ctx->state[i])); ++ ++ memset(ctx->partial, 0, ctx->r); ++ sha3_init(ctx); ++} ++ ++static int sha3_tester(void) ++{ ++ HASH_CTX_ON_STACK(ctx); ++ static const uint8_t msg_256[] = { 0x5E, 0x5E, 0xD6 }; ++ static const uint8_t exp_256[] = { 0xF1, 0x6E, 0x66, 0xC0, 0x43, 0x72, ++ 0xB4, 0xA3, 0xE1, 0xE3, 0x2E, 0x07, ++ 0xC4, 0x1C, 0x03, 0x40, 0x8A, 0xD5, ++ 0x43, 0x86, 0x8C, 0xC4, 0x0E, 0xC5, ++ 0x5E, 0x00, 0xBB, 0xBB, 0xBD, 0xF5, ++ 0x91, 0x1E }; ++ uint8_t act[SHA3_256_SIZE_DIGEST] = { 0 }; ++ unsigned int i; ++ ++ sha3_256_init(ctx); ++ sha3_update(ctx, msg_256, 3); ++ sha3_final(ctx, act); ++ ++ for (i = 0; i < SHA3_256_SIZE_DIGEST; i++) { ++ if (exp_256[i] != act[i]) ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER ++ ++/*************************************************************************** ++ * Timer-less timer replacement ++ * ++ * If there is no high-resolution hardware timer available, we create one ++ * ourselves. This logic is only used when the initialization identifies ++ * that no suitable time source is available. ++ ***************************************************************************/ ++ ++static int jent_force_internal_timer = 0; ++ ++/** ++ * Timer-replacement loop ++ * ++ * @brief The measurement loop triggers the read of the value from the ++ * counter function. It conceptually acts as the low resolution ++ * sampleS timer from a ring oscillator. ++ */ ++static void *jent_notime_sample_timer(void *arg) ++{ ++ struct rand_data *ec = (struct rand_data *)arg; ++ ++ ec->notime_timer = 0; ++ ++ while (1) { ++ if (ec->notime_interrupt) ++ return NULL; ++ ++ ec->notime_timer++; ++ } ++ ++ return NULL; ++} ++ ++/* ++ * Enable the clock: spawn a new thread that holds a counter. 
++ * ++ * Note, although creating a thread is expensive, we do that every time a ++ * caller wants entropy from us and terminate the thread afterwards. This ++ * is to ensure an attacker cannot easily identify the ticking thread. ++ */ ++static inline int jent_notime_settick(struct rand_data *ec) ++{ ++ int ret; ++ ++ if (!ec->enable_notime) ++ return 0; ++ ++ ret = -pthread_attr_init(&ec->notime_pthread_attr); ++ if (ret) ++ return ret; ++ ++ ec->notime_interrupt = 0; ++ ec->notime_prev_timer = 0; ++ ec->notime_timer = 0; ++ ++ return -pthread_create(&ec->notime_thread_id, ++ &ec->notime_pthread_attr, ++ jent_notime_sample_timer, ec); ++} ++ ++static inline void jent_notime_unsettick(struct rand_data *ec) ++{ ++ if (!ec->enable_notime) ++ return; ++ ++ ec->notime_interrupt = 1; ++ pthread_join(ec->notime_thread_id, NULL); ++ pthread_attr_destroy(&ec->notime_pthread_attr); ++} ++ ++static inline void jent_get_nstime_internal(struct rand_data *ec, uint64_t *out) ++{ ++ if (ec->enable_notime) { ++ /* ++ * Allow the counting thread to be initialized and guarantee ++ * that it ticked since last time we looked. ++ * ++ * Note, we do not use an atomic operation here for reading ++ * jent_notime_timer since if this integer is garbled, it even ++ * adds to entropy. But on most architectures, read/write ++ * of an uint64_t should be atomic anyway. 
++ */ ++ while (ec->notime_timer == ec->notime_prev_timer) ++ ; ++ ++ ec->notime_prev_timer = ec->notime_timer; ++ *out = ec->notime_prev_timer; ++ } else { ++ jent_get_nstime(out); ++ } ++} ++ ++static int jent_time_entropy_init(unsigned int enable_notime); ++static int jent_notime_enable(struct rand_data *ec, unsigned int flags) ++{ ++ /* Use internal timer */ ++ if (jent_force_internal_timer || (flags & JENT_FORCE_INTERNAL_TIMER)) { ++ /* Self test not run yet */ ++ if (!jent_force_internal_timer && jent_time_entropy_init(1)) ++ return EHEALTH; ++ ++ ec->enable_notime = 1; ++ } ++ ++ return 0; ++} ++ ++#else /* JENT_CONF_ENABLE_INTERNAL_TIMER */ ++ ++static inline void jent_get_nstime_internal(struct rand_data *ec, uint64_t *out) ++{ ++ (void)ec; ++ jent_get_nstime(out); ++} ++ ++static inline int jent_notime_enable(struct rand_data *ec, unsigned int flags) ++{ ++ (void)ec; ++ ++ /* If we force the timer-less noise source, we return an error */ ++ if (flags & JENT_FORCE_INTERNAL_TIMER) ++ return EHEALTH; ++ ++ return 0; ++} ++ ++static inline int jent_notime_settick(struct rand_data *ec) ++{ ++ (void)ec; ++ return 0; ++} ++ ++static inline void jent_notime_unsettick(struct rand_data *ec) { (void)ec; } ++ ++#endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */ ++ ++/*************************************************************************** ++ * Noise sources ++ ***************************************************************************/ ++ ++/** ++ * Update of the loop count used for the next round of ++ * an entropy collection. 
++ * ++ * @ec [in] entropy collector struct -- may be NULL ++ * @bits [in] is the number of low bits of the timer to consider ++ * @min [in] is the number of bits we shift the timer value to the right at ++ * the end to make sure we have a guaranteed minimum value ++ * ++ * @return Newly calculated loop counter ++ */ ++static uint64_t jent_loop_shuffle(struct rand_data *ec, ++ unsigned int bits, unsigned int min) ++{ ++#ifdef JENT_CONF_DISABLE_LOOP_SHUFFLE ++ ++ (void)ec; ++ (void)bits; ++ ++ return (1<data[0]; ++ } ++ ++ /* ++ * We fold the time value as much as possible to ensure that as many ++ * bits of the time stamp are included as possible. ++ */ ++ for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { ++ shuffle ^= time & mask; ++ time = time >> bits; ++ } ++ ++ /* ++ * We add a lower boundary value to ensure we have a minimum ++ * RNG loop count. ++ */ ++ return (shuffle + (1<data, SHA3_256_SIZE_DIGEST); ++ sha3_update(ctx, (uint8_t *)&time, sizeof(uint64_t)); ++ sha3_update(ctx, (uint8_t *)&j, sizeof(uint64_t)); ++ ++ /* ++ * If the time stamp is stuck, do not finally insert the value ++ * into the entropy pool. Although this operation should not do ++ * any harm even when the time stamp has no entropy, SP800-90B ++ * requires that any conditioning operation to have an identical ++ * amount of input data according to section 3.1.5. ++ */ ++ ++ /* ++ * The sha3_final operations re-initialize the context for the ++ * next loop iteration. 
++ */ ++ if (stuck || (j < hash_loop_cnt - 1)) ++ sha3_final(ctx, itermediary); ++ else ++ sha3_final(ctx, ec->data); ++ } ++ ++ jent_memset_secure(ctx, SHA_MAX_CTX_SIZE); ++ jent_memset_secure(itermediary, sizeof(itermediary)); ++} ++ ++/** ++ * Memory Access noise source -- this is a noise source based on variations in ++ * memory access times ++ * ++ * This function performs memory accesses which will add to the timing ++ * variations due to an unknown amount of CPU wait states that need to be ++ * added when accessing memory. The memory size should be larger than the L1 ++ * caches as outlined in the documentation and the associated testing. ++ * ++ * The L1 cache has a very high bandwidth, albeit its access rate is usually ++ * slower than accessing CPU registers. Therefore, L1 accesses only add minimal ++ * variations as the CPU has hardly to wait. Starting with L2, significant ++ * variations are added because L2 typically does not belong to the CPU any more ++ * and therefore a wider range of CPU wait states is necessary for accesses. ++ * L3 and real memory accesses have even a wider range of wait states. However, ++ * to reliably access either L3 or memory, the ec->mem memory must be quite ++ * large which is usually not desirable. 
++ * ++ * @ec [in] Reference to the entropy collector with the memory access data -- if ++ * the reference to the memory block to be accessed is NULL, this noise ++ * source is disabled ++ * @loop_cnt [in] if a value not equal to 0 is set, use the given value as ++ * number of loops to perform the hash operation ++ */ ++static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) ++{ ++ unsigned int wrap = 0; ++ uint64_t i = 0; ++#define MAX_ACC_LOOP_BIT 7 ++#define MIN_ACC_LOOP_BIT 0 ++ uint64_t acc_loop_cnt = ++ jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); ++ ++ if (NULL == ec || NULL == ec->mem) ++ return; ++ wrap = ec->memblocksize * ec->memblocks; ++ ++ /* ++ * testing purposes -- allow test app to set the counter, not ++ * needed during runtime ++ */ ++ if (loop_cnt) ++ acc_loop_cnt = loop_cnt; ++ for (i = 0; i < (ec->memaccessloops + acc_loop_cnt); i++) { ++ unsigned char *tmpval = ec->mem + ec->memlocation; ++ /* ++ * memory access: just add 1 to one byte, ++ * wrap at 255 -- memory access implies read ++ * from and write to memory location ++ */ ++ *tmpval = (unsigned char)((*tmpval + 1) & 0xff); ++ /* ++ * Addition of memblocksize - 1 to pointer ++ * with wrap around logic to ensure that every ++ * memory location is hit evenly ++ */ ++ ec->memlocation = ec->memlocation + ec->memblocksize - 1; ++ ec->memlocation = ec->memlocation % wrap; ++ } ++} ++ ++/*************************************************************************** ++ * Start of entropy processing logic ++ ***************************************************************************/ ++ ++/** ++ * This is the heart of the entropy generation: calculate time deltas and ++ * use the CPU jitter in the time deltas. The jitter is injected into the ++ * entropy pool. ++ * ++ * WARNING: ensure that ->prev_time is primed before using the output ++ * of this function! This can be done by calling this function ++ * and not using its result. 
++ * ++ * @ec [in] Reference to entropy collector ++ * @loop_cnt [in] see jent_hash_time ++ * @ret_current_delta [out] Test interface: return time delta - may be NULL ++ * ++ * @return: result of stuck test ++ */ ++static unsigned int jent_measure_jitter(struct rand_data *ec, ++ uint64_t loop_cnt, ++ uint64_t *ret_current_delta) ++{ ++ uint64_t time = 0; ++ uint64_t current_delta = 0; ++ unsigned int stuck; ++ ++ /* Invoke one noise source before time measurement to add variations */ ++ jent_memaccess(ec, loop_cnt); ++ ++ /* ++ * Get time stamp and calculate time delta to previous ++ * invocation to measure the timing variations ++ */ ++ jent_get_nstime_internal(ec, &time); ++ current_delta = jent_delta(ec->prev_time, time); ++ ec->prev_time = time; ++ ++ /* Check whether we have a stuck measurement. */ ++ stuck = jent_stuck(ec, current_delta); ++ ++ /* Now call the next noise sources which also injects the data */ ++ jent_hash_time(ec, current_delta, loop_cnt, stuck); ++ ++ /* return the raw entropy value */ ++ if (ret_current_delta) ++ *ret_current_delta = current_delta; ++ ++ return stuck; ++} ++ ++/** ++ * Generator of one 256 bit random number ++ * Function fills rand_data->data ++ * ++ * @ec [in] Reference to entropy collector ++ */ ++static void jent_random_data(struct rand_data *ec) ++{ ++ unsigned int k = 0; ++ ++ /* priming of the ->prev_time value */ ++ jent_measure_jitter(ec, 0, NULL); ++ ++ while (1) { ++ /* If a stuck measurement is received, repeat measurement */ ++ if (jent_measure_jitter(ec, 0, NULL)) ++ continue; ++ ++ /* ++ * We multiply the loop value with ->osr to obtain the ++ * oversampling rate requested by the caller ++ */ ++ if (++k >= (DATA_SIZE_BITS * ec->osr)) ++ break; ++ } ++} ++ ++/*************************************************************************** ++ * Random Number Generation ++ ***************************************************************************/ ++ ++/** ++ * Entry function: Obtain entropy for the caller. 
++ * ++ * This function invokes the entropy gathering logic as often to generate ++ * as many bytes as requested by the caller. The entropy gathering logic ++ * creates 64 bit per invocation. ++ * ++ * This function truncates the last 64 bit entropy value output to the exact ++ * size specified by the caller. ++ * ++ * @ec [in] Reference to entropy collector ++ * @data [out] pointer to buffer for storing random data -- buffer must ++ * already exist ++ * @len [in] size of the buffer, specifying also the requested number of random ++ * in bytes ++ * ++ * @return number of bytes returned when request is fulfilled or an error ++ * ++ * The following error codes can occur: ++ * -1 entropy_collector is NULL ++ * -2 RCT failed ++ * -3 APT test failed ++ * -4 The timer cannot be initialized ++ */ ++JENT_PRIVATE_STATIC ++ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len) ++{ ++ char *p = data; ++ size_t orig_len = len; ++ int ret = 0; ++ ++ if (NULL == ec) ++ return -1; ++ ++ if (jent_notime_settick(ec)) ++ return -4; ++ ++ while (len > 0) { ++ size_t tocopy; ++ ++ jent_random_data(ec); ++ ++ if (jent_health_failure(ec)) { ++ if (jent_rct_failure(ec)) ++ ret = -2; ++ else ++ ret = -3; ++ ++ goto err; ++ } ++ ++ if ((DATA_SIZE_BITS / 8) < len) ++ tocopy = (DATA_SIZE_BITS / 8); ++ else ++ tocopy = len; ++ memcpy(p, &ec->data, tocopy); ++ ++ len -= tocopy; ++ p += tocopy; ++ } ++ ++ /* ++ * To be on the safe side, we generate one more round of entropy ++ * which we do not give out to the caller. That round shall ensure ++ * that in case the calling application crashes, memory dumps, pages ++ * out, or due to the CPU Jitter RNG lingering in memory for long ++ * time without being moved and an attacker cracks the application, ++ * all he reads in the entropy pool is a value that is NEVER EVER ++ * being used for anything. Thus, he does NOT see the previous value ++ * that was returned to the caller for cryptographic purposes. 
++ */ ++ /* ++ * If we use secured memory, do not use that precaution as the secure ++ * memory protects the entropy pool. Moreover, note that using this ++ * call reduces the speed of the RNG by up to half ++ */ ++#ifndef CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY ++ jent_random_data(ec); ++#endif ++ ++err: ++ jent_notime_unsettick(ec); ++ return ret ? ret : (ssize_t)orig_len; ++} ++ ++/*************************************************************************** ++ * Initialization logic ++ ***************************************************************************/ ++ ++JENT_PRIVATE_STATIC ++struct rand_data *jent_entropy_collector_alloc(unsigned int osr, ++ unsigned int flags) ++{ ++ struct rand_data *entropy_collector; ++ ++ /* ++ * Requesting disabling and forcing of internal timer ++ * makes no sense. ++ */ ++ if ((flags & JENT_DISABLE_INTERNAL_TIMER) && ++ (flags & JENT_FORCE_INTERNAL_TIMER)) ++ return NULL; ++ ++ /* ++ * If the initial test code concludes to force the internal timer ++ * and the user requests it not to be used, do not allocate ++ * the Jitter RNG instance. 
++ */ ++ if (jent_force_internal_timer && (flags & JENT_DISABLE_INTERNAL_TIMER)) ++ return NULL; ++ ++ entropy_collector = jent_zalloc(sizeof(struct rand_data)); ++ if (NULL == entropy_collector) ++ return NULL; ++ ++ if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { ++ /* Allocate memory for adding variations based on memory ++ * access ++ */ ++ entropy_collector->mem = ++ (unsigned char *)jent_zalloc(JENT_MEMORY_SIZE); ++ if (entropy_collector->mem == NULL) ++ goto err; ++ ++ entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; ++ entropy_collector->memblocks = JENT_MEMORY_BLOCKS; ++ entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; ++ } ++ ++ /* verify and set the oversampling rate */ ++ if (osr < JENT_MIN_OSR) ++ osr = JENT_MIN_OSR; ++ entropy_collector->osr = osr; ++ ++ if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS)) ++ entropy_collector->fips_enabled = 1; ++ ++ /* Use timer-less noise source */ ++ if (!(flags & JENT_DISABLE_INTERNAL_TIMER)) { ++ if (jent_notime_enable(entropy_collector, flags)) ++ goto err; ++ } ++ ++ /* fill the data pad with non-zero values */ ++ if (jent_notime_settick(entropy_collector)) ++ goto err; ++ jent_random_data(entropy_collector); ++ jent_notime_unsettick(entropy_collector); ++ ++ return entropy_collector; ++ ++err: ++ if (entropy_collector->mem != NULL) ++ jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); ++ jent_zfree(entropy_collector, sizeof(struct rand_data)); ++ return NULL; ++} ++ ++JENT_PRIVATE_STATIC ++void jent_entropy_collector_free(struct rand_data *entropy_collector) ++{ ++ if (entropy_collector != NULL) { ++ if (entropy_collector->mem != NULL) { ++ jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); ++ entropy_collector->mem = NULL; ++ } ++ jent_zfree(entropy_collector, sizeof(struct rand_data)); ++ } ++} ++ ++static int jent_time_entropy_init(unsigned int enable_notime) ++{ ++ int i; ++ uint64_t delta_sum = 0; ++ uint64_t old_delta = 0; ++ unsigned int nonstuck = 0; ++ int time_backwards = 0; 
++ int count_mod = 0; ++ int count_stuck = 0; ++ int ret = 0; ++ struct rand_data ec; ++ ++ memset(&ec, 0, sizeof(ec)); ++ ++ if (enable_notime) { ++ ec.enable_notime = 1; ++ jent_notime_settick(&ec); ++ } ++ ++ /* Required for RCT */ ++ ec.osr = 1; ++ if (jent_fips_enabled()) ++ ec.fips_enabled = 1; ++ ++ /* We could perform statistical tests here, but the problem is ++ * that we only have a few loop counts to do testing. These ++ * loop counts may show some slight skew and we produce ++ * false positives. ++ * ++ * Moreover, only old systems show potentially problematic ++ * jitter entropy that could potentially be caught here. But ++ * the RNG is intended for hardware that is available or widely ++ * used, but not old systems that are long out of favor. Thus, ++ * no statistical tests. ++ */ ++ ++ /* ++ * We could add a check for system capabilities such as clock_getres or ++ * check for CONFIG_X86_TSC, but it does not make much sense as the ++ * following sanity checks verify that we have a high-resolution ++ * timer. 
++ */ ++ ++#define CLEARCACHE 100 ++ for (i = 0; (JENT_POWERUP_TESTLOOPCOUNT + CLEARCACHE) > i; i++) { ++ uint64_t time = 0; ++ uint64_t time2 = 0; ++ uint64_t delta = 0; ++ unsigned int lowdelta = 0; ++ unsigned int stuck; ++ ++ /* Invoke core entropy collection logic */ ++ jent_get_nstime_internal(&ec, &time); ++ ec.prev_time = time; ++ jent_memaccess(&ec, 0); ++ jent_hash_time(&ec, time, 0, 0); ++ jent_get_nstime_internal(&ec, &time2); ++ ++ /* test whether timer works */ ++ if (!time || !time2) { ++ ret = ENOTIME; ++ goto out; ++ } ++ delta = jent_delta(time, time2); ++ /* ++ * test whether timer is fine grained enough to provide ++ * delta even when called shortly after each other -- this ++ * implies that we also have a high resolution timer ++ */ ++ if (!delta) { ++ ret = ECOARSETIME; ++ goto out; ++ } ++ ++ stuck = jent_stuck(&ec, delta); ++ ++ /* ++ * up to here we did not modify any variable that will be ++ * evaluated later, but we already performed some work. Thus we ++ * already have had an impact on the caches, branch prediction, ++ * etc. with the goal to clear it to get the worst case ++ * measurements. ++ */ ++ if (CLEARCACHE > i) ++ continue; ++ ++ if (stuck) ++ count_stuck++; ++ else { ++ nonstuck++; ++ ++ /* ++ * Ensure that the APT succeeded. ++ * ++ * With the check below that count_stuck must be less ++ * than 10% of the overall generated raw entropy values ++ * it is guaranteed that the APT is invoked at ++ * floor((JENT_POWERUP_TESTLOOPCOUNT * 0.9) / 64) == 14 ++ * times. 
++ */ ++ if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) { ++ jent_apt_reset(&ec, ++ delta & JENT_APT_WORD_MASK); ++ if (jent_health_failure(&ec)) { ++ ret = EHEALTH; ++ goto out; ++ } ++ } ++ } ++ ++ /* Validate RCT */ ++ if (jent_rct_failure(&ec)) { ++ ret = ERCT; ++ goto out; ++ } ++ ++ /* test whether we have an increasing timer */ ++ if (!(time2 > time)) ++ time_backwards++; ++ ++ /* use 32 bit value to ensure compilation on 32 bit arches */ ++ lowdelta = (unsigned int)(time2 - time); ++ if (!(lowdelta % 100)) ++ count_mod++; ++ ++ /* ++ * ensure that we have a varying delta timer which is necessary ++ * for the calculation of entropy -- perform this check ++ * only after the first loop is executed as we need to prime ++ * the old_data value ++ */ ++ if (delta > old_delta) ++ delta_sum += (delta - old_delta); ++ else ++ delta_sum += (old_delta - delta); ++ old_delta = delta; ++ } ++ ++ /* ++ * we allow up to three times the time running backwards. ++ * CLOCK_REALTIME is affected by adjtime and NTP operations. Thus, ++ * if such an operation just happens to interfere with our test, it ++ * should not fail. The value of 3 should cover the NTP case being ++ * performed during our test run. ++ */ ++ if (time_backwards > 3) { ++ ret = ENOMONOTONIC; ++ goto out; ++ } ++ ++ /* ++ * Variations of deltas of time must on average be larger ++ * than 1 to ensure the entropy estimation ++ * implied with 1 is preserved ++ */ ++ if ((delta_sum) <= JENT_POWERUP_TESTLOOPCOUNT) { ++ ret = EMINVARVAR; ++ goto out; ++ } ++ ++ /* ++ * Ensure that we have variations in the time stamp below 10 for at ++ * least 10% of all checks -- on some platforms, the counter increments ++ * in multiples of 100, but not always ++ */ ++ if (JENT_STUCK_INIT_THRES(JENT_POWERUP_TESTLOOPCOUNT) < count_mod) { ++ ret = ECOARSETIME; ++ goto out; ++ } ++ ++ /* ++ * If we have more than 90% stuck results, then this Jitter RNG is ++ * likely to not work well. 
++ */
++ if (JENT_STUCK_INIT_THRES(JENT_POWERUP_TESTLOOPCOUNT) < count_stuck)
++ ret = ESTUCK;
++
++out:
++ if (enable_notime)
++ jent_notime_unsettick(&ec);
++
++ return ret;
++}
++
++JENT_PRIVATE_STATIC
++int jent_entropy_init(void)
++{
++ int ret;
++
++ if (sha3_tester())
++ return EHASH;
++
++ ret = jent_time_entropy_init(0);
++
++#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
++ jent_force_internal_timer = 0;
++ if (ret) {
++ ret = jent_time_entropy_init(1);
++ if (!ret)
++ jent_force_internal_timer = 1;
++ }
++#endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */
++
++ return ret;
++}
+diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
+index 5ed97cb..4c2d54e 100644
+--- a/crypto/rand/rand_unix.c
++++ b/crypto/rand/rand_unix.c
+@@ -634,9 +634,37 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
+ return rand_pool_entropy_available(pool);
+ # else
+ size_t entropy_available;
++ int in_post;
++
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ /* Use jitter entropy in FIPS mode */
++ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
++ size_t bytes_needed;
++ unsigned char *buffer;
++ ssize_t bytes;
++ /* Maximum allowed number of consecutive unsuccessful attempts */
++ int attempts = 3;
++
++ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
++ while (bytes_needed !=0 && attempts-- > 0) {
++ buffer = rand_pool_add_begin(pool, bytes_needed);
++ bytes = FIPS_jitter_entropy(buffer, bytes_needed);
++ if (bytes > 0) {
++ rand_pool_add_end(pool, bytes, 8 * bytes);
++ bytes_needed -= bytes;
++ attempts = 3; /* reset counter after successful attempt */
++ } else if (bytes < 0) {
++ break;
++ }
++ }
++ }
++ entropy_available = rand_pool_entropy_available(pool);
++ return entropy_available;
++ }
++#endif
+
+ # if defined(OPENSSL_RAND_SEED_GETRANDOM)
+- int in_post;
+
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
+ {
+diff --git a/include/crypto/fips.h b/include/crypto/fips.h
+index 564261c..29c4923 100644
+--- a/include/crypto/fips.h
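Review bot: The pointer returned by `rand_pool_add_begin(pool, bytes_needed)` in the new FIPS branch of `rand_pool_acquire_entropy` (crypto/rand/rand_unix.c) goes straight into `FIPS_jitter_entropy`, although `rand_pool_add_begin` can return NULL on failure. `FIPS_jitter_entropy` is defined outside this view, but `jent_read_entropy` earlier in the same patch validates only `ec` before it `memcpy`s into `data`, so a NULL buffer would presumably be written through. Adding `if (buffer == NULL) break;` right after the `rand_pool_add_begin` call keeps that failure on the existing fail-closed path, where the function returns whatever `rand_pool_entropy_available(pool)` reports. A comment is also warranted on `rand_pool_add_end(pool, bytes, 8 * bytes)`: it credits the jitter output at full entropy, which holds only while the health tests and the oversampling rate configured elsewhere in the patch are in force. The enclosing function starts and ends outside the hunk.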
++++ b/include/crypto/fips.h +@@ -94,6 +94,8 @@ void fips_set_selftest_fail(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen); ++ + #else + + # define fips_in_post() 0 +diff --git a/include/crypto/jitterentropy-base-user.h b/include/crypto/jitterentropy-base-user.h +new file mode 100644 +index 0000000..e0a3477 +--- /dev/null ++++ b/include/crypto/jitterentropy-base-user.h +@@ -0,0 +1,220 @@ ++/* ++ * Non-physical true random number generator based on timing jitter. ++ * ++ * Copyright Stephan Mueller , 2013 - 2021 ++ * ++ * License ++ * ======= ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU General Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF ++ * WHICH ARE HEREBY DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT ++ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR ++ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ++ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ++ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH ++ * DAMAGE. ++ */ ++ ++#ifndef _JITTERENTROPY_BASE_USER_H ++#define _JITTERENTROPY_BASE_USER_H ++ ++/* ++ * Set the following defines as needed for your environment ++ */ ++/* Compilation for libgcrypt */ ++#ifndef LIBGCRYPT ++#undef LIBGCRYPT ++#endif ++ ++/* Compilation for OpenSSL */ ++#ifndef OPENSSL ++#define OPENSSL ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++/* Timer-less entropy source */ ++#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER ++#include ++#endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */ ++ ++#ifdef LIBGCRYPT ++#include ++#include "g10lib.h" ++#endif ++ ++#ifdef OPENSSL ++#include ++#ifdef OPENSSL_FIPS ++#include ++#endif ++#endif ++ ++#ifdef __MACH__ ++#include ++#include ++#include ++#include ++#include ++#endif ++ ++#ifdef __x86_64__ ++ ++# define DECLARE_ARGS(val, low, high) unsigned long low, high ++# define EAX_EDX_VAL(val, low, high) ((low) | (high) << 32) ++# define EAX_EDX_RET(val, low, high) "=a" (low), "=d" (high) ++ ++static inline void jent_get_nstime(uint64_t *out) ++{ ++ DECLARE_ARGS(val, low, high); ++ asm volatile("rdtsc" : EAX_EDX_RET(val, low, high)); ++ *out = EAX_EDX_VAL(val, low, high); ++} ++ ++#else /* __x86_64__ */ ++ ++static inline void jent_get_nstime(uint64_t *out) ++{ ++ /* OSX does not have clock_gettime -- taken from ++ * http://developer.apple.com/library/mac/qa/qa1398/_index.html */ ++# ifdef __MACH__ ++ *out = mach_absolute_time(); ++# elif 
_AIX ++ /* clock_gettime() on AIX returns a timer value that increments in ++ * steps of 1000 ++ */ ++ uint64_t tmp = 0; ++ timebasestruct_t aixtime; ++ read_real_time(&aixtime, TIMEBASE_SZ); ++ tmp = aixtime.tb_high; ++ tmp = tmp << 32; ++ tmp = tmp | aixtime.tb_low; ++ *out = tmp; ++# else /* __MACH__ */ ++ /* we could use CLOCK_MONOTONIC(_RAW), but with CLOCK_REALTIME ++ * we get some nice extra entropy once in a while from the NTP actions ++ * that we want to use as well... though, we do not rely on that ++ * extra little entropy */ ++ uint64_t tmp = 0; ++ struct timespec time; ++ if (clock_gettime(CLOCK_REALTIME, &time) == 0) ++ { ++ tmp = ((uint64_t)time.tv_sec & 0xFFFFFFFF) * 1000000000UL; ++ tmp = tmp + (uint64_t)time.tv_nsec; ++ } ++ *out = tmp; ++# endif /* __MACH__ */ ++} ++ ++#endif /* __x86_64__ */ ++ ++static inline void *jent_zalloc(size_t len) ++{ ++ void *tmp = NULL; ++#ifdef LIBGCRYPT ++ /* When using the libgcrypt secure memory mechanism, all precautions ++ * are taken to protect our state. If the user disables secmem during ++ * runtime, it is his decision and we thus try not to overrule his ++ * decision for less memory protection. */ ++#define CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY ++ tmp = gcry_xmalloc_secure(len); ++#elif defined(OPENSSL) ++ /* Does this allocation implies secure memory use? */ ++ tmp = OPENSSL_malloc(len); ++#else ++ /* we have no secure memory allocation! 
Hence ++ * we do not set CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY */ ++ tmp = malloc(len); ++#endif /* LIBGCRYPT */ ++ if(NULL != tmp) ++ memset(tmp, 0, len); ++ return tmp; ++} ++ ++static inline void jent_zfree(void *ptr, unsigned int len) ++{ ++#ifdef LIBGCRYPT ++ memset(ptr, 0, len); ++ gcry_free(ptr); ++#elif defined(OPENSSL) ++ OPENSSL_cleanse(ptr, len); ++ OPENSSL_free(ptr); ++#else ++ memset(ptr, 0, len); ++ free(ptr); ++#endif /* LIBGCRYPT */ ++} ++ ++static inline int jent_fips_enabled(void) ++{ ++#ifdef LIBGCRYPT ++ return fips_mode(); ++#elif defined(OPENSSL) ++#ifdef OPENSSL_FIPS ++ return FIPS_mode(); ++#else ++ return 0; ++#endif ++#else ++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ char buf[2] = "0"; ++ int fd = 0; ++ ++ if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); ++ close(fd); ++ } ++ if (buf[0] == '1') ++ return 1; ++ else ++ return 0; ++#endif ++} ++ ++static inline void jent_memset_secure(void *s, size_t n) ++{ ++ memset(s, 0, n); ++ __asm__ __volatile__("" : : "r" (s) : "memory"); ++} ++ ++/* --- helpers needed in user space -- */ ++ ++static inline uint64_t rol64(uint64_t x, int n) ++{ ++ return ( (x << (n&(64-1))) | (x >> ((64-n)&(64-1))) ); ++} ++ ++#endif /* _JITTERENTROPY_BASE_USER_H */ +diff --git a/include/crypto/jitterentropy.h b/include/crypto/jitterentropy.h +new file mode 100644 +index 0000000..078d750 +--- /dev/null ++++ b/include/crypto/jitterentropy.h +@@ -0,0 +1,227 @@ ++/* ++ * Non-physical true random number generator based on timing jitter. ++ * ++ * Copyright Stephan Mueller , 2014 - 2021 ++ * ++ * License ++ * ======= ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. 
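Review bot: The OpenSSL branch of `jent_zalloc` in include/crypto/jitterentropy-base-user.h leaves an open question in the code, `/* Does this allocation implies secure memory use? */`, at the point where a reader needs the answer. `OPENSSL_malloc` allocates from the ordinary heap, which is why `CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY` stays undefined here and `jent_read_entropy` keeps its extra, discarded round after every read. I would replace the question with `/* OPENSSL_malloc is ordinary heap, not secure memory: CONFIG_CRYPTO_CPU_JITTERENTROPY_SECURE_MEMORY stays undefined so jent_read_entropy overwrites the pool after each read */`. The non-OpenSSL branches of `jent_zfree` wipe with a plain `memset` directly before the free call, which a compiler may drop. They are not compiled in this build because the header defines `OPENSSL`, but calling `jent_memset_secure(ptr, len);` from the same header would make them consistent.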
Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU General Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF ++ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT ++ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR ++ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF ++ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ++ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH ++ * DAMAGE. 
++ */ ++ ++#ifndef _JITTERENTROPY_H ++#define _JITTERENTROPY_H ++ ++/*************************************************************************** ++ * Jitter RNG Configuration Section ++ * ++ * You may alter the following options ++ ***************************************************************************/ ++ ++/* ++ * Enable timer-less timer support ++ * ++ * In case the hardware is identified to not provide a high-resolution time ++ * stamp, this option enables a built-in high-resolution time stamp mechanism. ++ * ++ * The timer-less noise source is based on threads. This noise source requires ++ * the linking with the POSIX threads library. I.e. the executing environment ++ * must offer POSIX threads. If this option is disabled, no linking ++ * with the POSIX threads library is needed. ++ */ ++#define JENT_CONF_ENABLE_INTERNAL_TIMER ++ ++/* ++ * Disable the loop shuffle operation ++ * ++ * The shuffle operation enlarges the timing of the conditioning function ++ * by a variable length defined by the LSB of a time stamp. Some mathematicians ++ * are concerned that this pseudo-random selection of the loop iteration count ++ * may create some form of dependency between the different loop counts ++ * and the associated time duration of the conditioning function. It ++ * also complicates entropy assessment because it effectively combines a bunch ++ * of shifted/scaled copies the same distribution and masks failures from the ++ * health testing. ++ * ++ * By enabling this flag, the loop shuffle operation is disabled and ++ * the entropy collection operates in a way that honor the concerns. ++ * ++ * By enabling this flag, the time of collecting entropy may be enlarged. 
++ */ ++#define JENT_CONF_DISABLE_LOOP_SHUFFLE ++ ++/*************************************************************************** ++ * Jitter RNG State Definition Section ++ ***************************************************************************/ ++ ++#include "crypto/jitterentropy-base-user.h" ++ ++#define SHA3_256_SIZE_DIGEST_BITS 256 ++#define SHA3_256_SIZE_DIGEST (SHA3_256_SIZE_DIGEST_BITS >> 3) ++ ++/* The entropy pool */ ++struct rand_data ++{ ++ /* all data values that are vital to maintain the security ++ * of the RNG are marked as SENSITIVE. A user must not ++ * access that information while the RNG executes its loops to ++ * calculate the next random value. */ ++ uint8_t data[SHA3_256_SIZE_DIGEST]; /* SENSITIVE Actual random number */ ++ uint64_t prev_time; /* SENSITIVE Previous time stamp */ ++#define DATA_SIZE_BITS (SHA3_256_SIZE_DIGEST_BITS) ++ uint64_t last_delta; /* SENSITIVE stuck test */ ++ uint64_t last_delta2; /* SENSITIVE stuck test */ ++ unsigned int osr; /* Oversampling rate */ ++#define JENT_MEMORY_BLOCKS 64 ++#define JENT_MEMORY_BLOCKSIZE 32 ++#define JENT_MEMORY_ACCESSLOOPS 128 ++#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE) ++ unsigned char *mem; /* Memory access location with size of ++ * memblocks * memblocksize */ ++ unsigned int memlocation; /* Pointer to byte in *mem */ ++ unsigned int memblocks; /* Number of memory blocks in *mem */ ++ unsigned int memblocksize; /* Size of one memory block in bytes */ ++ unsigned int memaccessloops; /* Number of memory accesses per random ++ * bit generation */ ++ ++ /* Repetition Count Test */ ++ int rct_count; /* Number of stuck values */ ++ ++ /* Adaptive Proportion Test for a significance level of 2^-30 */ ++#define JENT_APT_CUTOFF 325 /* Taken from SP800-90B sec 4.4.2 */ ++#define JENT_APT_WINDOW_SIZE 512 /* Data window size */ ++ /* LSB of time stamp to process */ ++#define JENT_APT_LSB 16 ++#define JENT_APT_WORD_MASK (JENT_APT_LSB - 1) ++ unsigned int apt_observations; 
/* Number of collected observations */ ++ unsigned int apt_count; /* APT counter */ ++ uint64_t apt_base; /* APT base reference */ ++ unsigned int apt_base_set:1; /* APT base reference set? */ ++ ++ unsigned int fips_enabled:1; ++ unsigned int health_failure:1; /* Permanent health failure */ ++ unsigned int enable_notime:1; /* Use internal high-res timer */ ++ ++#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER ++ volatile uint8_t notime_interrupt; /* indicator to interrupt ctr */ ++ volatile uint64_t notime_timer; /* high-res timer mock-up */ ++ uint64_t notime_prev_timer; /* previous timer value */ ++ pthread_attr_t notime_pthread_attr; /* pthreads library */ ++ pthread_t notime_thread_id; /* pthreads thread ID */ ++#endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */ ++}; ++ ++/* Flags that can be used to initialize the RNG */ ++#define JENT_DISABLE_STIR (1<<0) /* UNUSED */ ++#define JENT_DISABLE_UNBIAS (1<<1) /* UNUSED */ ++#define JENT_DISABLE_MEMORY_ACCESS (1<<2) /* Disable memory access for more ++ entropy, saves MEMORY_SIZE RAM for ++ entropy collector */ ++#define JENT_FORCE_INTERNAL_TIMER (1<<3) /* Force the use of the internal ++ timer */ ++#define JENT_DISABLE_INTERNAL_TIMER (1<<4) /* Disable the potential use of ++ the internal timer. */ ++#define JENT_FORCE_FIPS (1<<5) /* Force FIPS compliant mode ++ including full SP800-90B ++ compliance. */ ++ ++#ifdef JENT_CONF_DISABLE_LOOP_SHUFFLE ++# define JENT_MIN_OSR 3 ++#else ++# define JENT_MIN_OSR 1 ++#endif ++ ++/* -- BEGIN Main interface functions -- */ ++ ++#ifndef JENT_STUCK_INIT_THRES ++/* ++ * Per default, not more than 90% of all measurements during initialization ++ * are allowed to be stuck. ++ * ++ * It is allowed to change this value as required for the intended environment. 
++ */
++#define JENT_STUCK_INIT_THRES(x) ((x*9) / 10)
++#endif
++
++#ifdef JENT_PRIVATE_COMPILE
++# define JENT_PRIVATE_STATIC static
++#else /* JENT_PRIVATE_COMPILE */
++# define JENT_PRIVATE_STATIC
++#endif
++
++/* Number of low bits of the time value that we want to consider */
++/* get raw entropy */
++JENT_PRIVATE_STATIC
++ssize_t jent_read_entropy(struct rand_data *ec, char *data, size_t len);
++/* initialize an instance of the entropy collector */
++JENT_PRIVATE_STATIC
++struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
++ unsigned int flags);
++/* clearing of entropy collector */
++JENT_PRIVATE_STATIC
++void jent_entropy_collector_free(struct rand_data *entropy_collector);
++
++/* initialization of entropy collector */
++JENT_PRIVATE_STATIC
++int jent_entropy_init(void);
++
++/* return version number of core library */
++JENT_PRIVATE_STATIC
++unsigned int jent_version(void);
++
++/* -- END of Main interface functions -- */
++
++/* -- BEGIN error codes for init function -- */
++#define ENOTIME 1 /* Timer service not available */
++#define ECOARSETIME 2 /* Timer too coarse for RNG */
++#define ENOMONOTONIC 3 /* Timer is not monotonic increasing */
++#define EMINVARIATION 4 /* Timer variations too small for RNG */
++#define EVARVAR 5 /* Timer does not produce variations of variations
++ (2nd derivation of time is zero) */
++#define EMINVARVAR 6 /* Timer variations of variations is too small */
++#define EPROGERR 7 /* Programming error */
++#define ESTUCK 8 /* Too many stuck results during init. */
++#define EHEALTH 9 /* Health test failed during initialization */
++#define ERCT 10 /* RCT failed during initialization */
++#define EHASH 11 /* Hash self test failed */
++
++/* -- BEGIN statistical test functions only complied with CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT -- */
++
++#ifdef CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT
++JENT_PRIVATE_STATIC
++uint64_t jent_lfsr_var_stat(struct rand_data *ec, unsigned int min);
++#endif /* CONFIG_CRYPTO_CPU_JITTERENTROPY_STAT */
++
++/* -- END of statistical test function -- */
++
++#endif /* _JITTERENTROPY_H */
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+index abbe81b..be84e08 100644
+--- a/include/openssl/fips.h
++++ b/include/openssl/fips.h
+@@ -78,6 +78,8 @@ extern "C" {
+ BN_GENCB *cb);
+ int FIPS_dsa_paramgen_check_g(DSA *dsa);
+
++ int FIPS_init_entropy(void);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+@@ -153,6 +155,7 @@ extern "C" {
+ # define FIPS_R_DRBG_NOT_INITIALISED 152
+ # define FIPS_R_DRBG_STUCK 103
+ # define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
++# define FIPS_R_ENTROPY_INIT_FAILED 158
+ # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
+ # define FIPS_R_ENTROPY_SOURCE_STUCK 142
+ # define FIPS_R_ERROR_INITIALISING_DRBG 115
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 2e47840..e354631 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -4634,4 +4634,5 @@ EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
+ EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+ EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+ EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
+-EC_GROUP_check_named_curve 6598 1_1_1g EXIST::FUNCTION:EC
+\ No newline at end of file
++EC_GROUP_check_named_curve 6598 1_1_1g EXIST::FUNCTION:EC
++FIPS_init_entropy 6599 1_1_1k EXIST::FUNCTION:
+\ No newline at end of file
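Review bot: `JENT_STUCK_INIT_THRES(x)` in include/crypto/jitterentropy.h expands its argument unparenthesized as `((x*9) / 10)`, and the comment above it explicitly allows builders to change the macro for their environment. Both uses visible in this patch pass `JENT_POWERUP_TESTLOOPCOUNT`, whose definition is outside this view. If that or a later argument is an expression such as a sum, the stuck-measurement threshold applied during initialization changes silently. `#define JENT_STUCK_INIT_THRES(x) (((x) * 9) / 10)` is the safe form.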
diff --git a/SPECS/openssl/openssl-1.1.1-rewire-fips-drbg.patch b/SPECS/openssl/openssl-1.1.1-rewire-fips-drbg.patch
deleted file mode 100644
index 4d04d37d59..0000000000
--- a/SPECS/openssl/openssl-1.1.1-rewire-fips-drbg.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c ---- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200 -@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, - int FIPS_drbg_reseed(DRBG_CTX *dctx, - const unsigned char *adin, size_t adinlen) - { -+ int len = (int)adinlen; -+ -+ if (len < 0 || (size_t)len != adinlen) { -+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); -+ return 0; -+ } -+ RAND_seed(adin, len); -+ return 1; -+} -+ -+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, -+ const unsigned char *adin, size_t adinlen) -+{ - return drbg_reseed(dctx, adin, adinlen, 1); - } - -@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u - int prediction_resistance, - const unsigned char *adin, size_t adinlen) - { -+ int len = (int)outlen; -+ -+ if (len < 0 || (size_t)len != outlen) { -+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); -+ return 0; -+ } -+ return RAND_bytes(out, len); -+} -+ -+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, -+ int prediction_resistance, -+ const unsigned char *adin, size_t adinlen) -+{ - int r = 0; - - if (FIPS_selftest_failed()) { -diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c ---- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200 -@@ -57,6 +57,8 @@ - #include - #include - #include -+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal -+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal - #include - #include "fips_rand_lcl.h" - -diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 
openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c ---- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200 -@@ -55,6 +55,8 @@ - #include - #include - #include -+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal -+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal - #include - #include "fips_rand_lcl.h" - #include "fips_locl.h" -diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c ---- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200 -@@ -79,8 +79,6 @@ int FIPS_selftest(void) - ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); - rv = 0; - } -- if (!FIPS_selftest_drbg()) -- rv = 0; - if (!FIPS_selftest_sha1()) - rv = 0; - if (!FIPS_selftest_sha2()) -diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c ---- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200 -@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) - - int FIPS_rand_seed(const void *buf, int num) - { -+#if 0 - if (!fips_approved_rand_meth && FIPS_module_mode()) { - FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); - return 0; -@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int - if (fips_rand_meth && fips_rand_meth->seed) - fips_rand_meth->seed(buf, num); - return 1; -+#else -+ RAND_seed(buf, num); -+ return 1; -+#endif - } - - int FIPS_rand_bytes(unsigned char *buf, int num) - { -+#if 0 - if (!fips_approved_rand_meth && FIPS_module_mode()) { - FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); - return 0; -@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, - if (fips_rand_meth && 
fips_rand_meth->bytes) - return fips_rand_meth->bytes(buf, num); - return 0; -+#else -+ return RAND_bytes(buf, num); -+#endif - } - - int FIPS_rand_status(void) - { -+#if 0 - if (!fips_approved_rand_meth && FIPS_module_mode()) { - FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); - return 0; -@@ -149,6 +159,9 @@ int FIPS_rand_status(void) - if (fips_rand_meth && fips_rand_meth->status) - return fips_rand_meth->status(); - return 0; -+#else -+ return RAND_status(); -+#endif - } - - /* Return instantiated strength of PRNG. For DRBG this is an internal -diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h ---- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 -+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200 -@@ -64,6 +64,11 @@ extern "C" { - - int FIPS_selftest(void); - int FIPS_selftest_failed(void); -+ -+ /* -+ * This function is deprecated as it performs selftest of the old FIPS drbg -+ * implementation that is not validated. -+ */ - int FIPS_selftest_drbg_all(void); - - int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, -diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h ---- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200 -+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200 -@@ -60,6 +60,20 @@ - # ifdef __cplusplus - extern "C" { - # endif -+ -+/* -+ * IMPORTANT NOTE: -+ * All functions in this header file are deprecated and should not be used -+ * as they use the old FIPS_drbg implementation that is not FIPS validated -+ * anymore. -+ * To provide backwards compatibility for applications that need FIPS compliant -+ * RNG number generation and use FIPS_drbg_generate, this function was -+ * re-wired to call the FIPS validated DRBG instance instead through -+ * the RAND_bytes() call. 
-+ * -+ * All these functions will be removed in future. -+ */ -+ - typedef struct drbg_ctx_st DRBG_CTX; - /* DRBG external flags */ - /* Flag for CTR mode only: use derivation function ctr_df */ diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec index f1d11218bb..191f3c3fc4 100644 --- a/SPECS/openssl/openssl.spec +++ b/SPECS/openssl/openssl.spec @@ -4,7 +4,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1k -Release: 2%{?dist} +Release: 5%{?dist} License: OpenSSL Vendor: Microsoft Corporation Distribution: Mariner @@ -28,7 +28,7 @@ Patch5: openssl-1.1.1-fips.patch Patch6: openssl-1.1.1-version-override.patch Patch7: openssl-1.1.1-seclevel.patch Patch8: openssl-1.1.1-fips-post-rand.patch -Patch9: openssl-1.1.1-evp-kdf.patch +Patch9: openssl-1.1.1-evp-kdf.patch Patch10: openssl-1.1.1-ssh-kdf.patch Patch11: openssl-1.1.1-krb5-kdf.patch Patch12: openssl-1.1.1-edk2-build.patch @@ -37,9 +37,10 @@ Patch14: openssl-1.1.1-fips-drbg-selftest.patch Patch15: openssl-1.1.1-fips-dh.patch Patch16: openssl-1.1.1-s390x-ecc.patch Patch17: openssl-1.1.1-kdf-selftest.patch -Patch18: openssl-1.1.1-rewire-fips-drbg.patch -Patch19: openssl-1.1.1-fips-curves.patch -Patch20: openssl-1.1.1-sp80056arev3.patch +Patch18: openssl-1.1.1-fips-curves.patch +Patch19: openssl-1.1.1-sp80056arev3.patch +Patch20: openssl-1.1.1-jitterentropy.patch +Patch21: openssl-1.1.1-drbg-seed.patch BuildRequires: perl-Test-Warnings BuildRequires: perl-Text-Template Requires: %{name}-libs = %{version}-%{release} 
@@ -126,13 +127,15 @@ cp %{SOURCE4} test/ %patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 %build # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. -NEW_RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" +# Also add -O0 to enable optimization, which is needed for jitterentropy +NEW_RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS -O0" export HASHBANGPERL=%{_bindir}/perl @@ -320,9 +323,20 @@ rm -rf %{buildroot} %changelog -* Fri Apr 02 2021 Thomas Crain - 1.1.1k-2 -- Merge the following releases from dev to 1.0 spec -- joschmit@microsoft.com, 1.1.1g-7: Use new perl package names. +* Thu Jul 22 2021 Nicolas Ontiveros - 1.1.1k-5 +- In FIPS mode, perform Linux RNG concatenation even if adin/pers functions +- aren't defined in given DRBG + +* Tue Jun 15 2021 Nicolas Ontiveros - 1.1.1k-4 +- In FIPS mode, use jitterentropy for DRBG nonce. +- In FIPS mode, concatenate Linux RNG with personalization string during DRBG instantiation +- In FIPS mode, concatenate Linux RNG with additional input string during DRBG reseed + +* Tue May 18 2021 Nicolas Ontiveros - 1.1.1k-3 +- In FIPS mode, use only jitterentropy for entropy pool + +* Tue May 11 2021 Nicolas Ontiveros - 1.1.1k-2 +- Remove FIPS DRBG rewire patch * Mon Mar 29 2021 Nicolas Ontiveros - 1.1.1k-1 - Update to version 1.1.1k diff --git a/SPECS/openvswitch/openvswitch.spec b/SPECS/openvswitch/openvswitch.spec index 1c335b9f62..36e4d44e71 100644 --- a/SPECS/openvswitch/openvswitch.spec +++ b/SPECS/openvswitch/openvswitch.spec 
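Review bot: The comment added above `NEW_RPM_OPT_FLAGS` says `-O0` is there "to enable optimization", but `-O0` switches optimization off, so the comment states the opposite of what the flag does. Because `-O0` is appended after `%{optflags}` on the one flags variable, it overrides the distribution's optimization level for the whole OpenSSL build rather than only for the jitterentropy source. If `%{optflags}` carries `-D_FORTIFY_SOURCE`, that hardening is inactive without optimization, which is worth confirming against the distribution macros. I would correct the comment to `# Also add -O0 to disable optimization, which the jitterentropy noise source requires` and, if the build allows it, restrict `-O0` to the jitterentropy object.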
@@ -298,7 +298,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} * Mon Feb 22 2021 Emre Girgin - 2.12.0-3 - Fix CVE-2020-35498. -* Sat May 09 00:21:27 PST 2020 Nick Samson - 2.12.0-2 +* Sat May 09 2020 Nick Samson - 2.12.0-2 - Added %%license line automatically * Tue Mar 31 2020 Henry Beberman 2.12.0-1 diff --git a/SPECS/p7zip/0001-fix-data-null-pointer.patch b/SPECS/p7zip/0001-fix-data-null-pointer.patch new file mode 100644 index 0000000000..9c71025e54 --- /dev/null +++ b/SPECS/p7zip/0001-fix-data-null-pointer.patch @@ -0,0 +1,14 @@ +diff --git a/CPP/7zip/Archive/LzhHandler.cpp b/CPP/7zip/Archive/LzhHandler.cpp +index 21631f7..1f14621 100644 +--- a/CPP/7zip/Archive/LzhHandler.cpp ++++ b/CPP/7zip/Archive/LzhHandler.cpp +@@ -163,7 +163,8 @@ struct CItem + return false; + } + const Byte *data = (const Byte *)(Extensions[index].Data); +- value = GetUi32(data); ++ if (!data) value = 0; ++ else value = GetUi32(data); + return true; + } + diff --git a/SPECS/p7zip/0001-fix-out-of-mem.patch b/SPECS/p7zip/0001-fix-out-of-mem.patch new file mode 100644 index 0000000000..e1b7cba065 --- /dev/null +++ b/SPECS/p7zip/0001-fix-out-of-mem.patch @@ -0,0 +1,26 @@ +diff --git a/C/Alloc.c b/C/Alloc.c +index 2706ec0..3178e7a 100644 +--- a/C/Alloc.c ++++ b/C/Alloc.c +@@ -58,12 +58,18 @@ void align_free(void * ptr) + #else + void *align_alloc(size_t size) + { +- return malloc(size); ++ void * p = malloc(size); ++ if(!p){ ++ printf("Out of memory: can't allocate %u bytes\n",size); ++ abort(); ++ } ++ return p; + } + + void align_free(void * ptr) + { +- free(ptr); ++ if(!ptr) return; ++ free(ptr); + } + + #endif + diff --git a/SPECS/p7zip/02-man.patch b/SPECS/p7zip/02-man.patch new file mode 100644 index 0000000000..909a44e7b2 --- /dev/null +++ b/SPECS/p7zip/02-man.patch 
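Review bot: In 0001-fix-data-null-pointer.patch, a null `Extensions[index].Data` now yields `value = 0` and the method still returns `true`, so a caller cannot tell a missing field from a stored zero. Returning failure, as the `return false` path just above does, would be more consistent: `if (!data) return false;`. The check covers only the null case; whether the buffer holds the four bytes `GetUi32` reads is not visible in this hunk and should be confirmed. The enclosing method starts outside the hunk.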
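Review bot: In 0001-fix-out-of-mem.patch, `align_alloc` formats `size`, a `size_t`, with `%u`, which is a mismatched conversion on 64-bit targets and undefined behaviour on the failure path. The message is also written to stdout, where it can end up mixed into archive data when output is sent there with `-so`. `fprintf(stderr, "Out of memory: can't allocate %zu bytes\n", size);` addresses both. The `if(!ptr) return;` added to `align_free` is redundant, since `free(NULL)` is already a no-op.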
@@ -0,0 +1,22 @@ +--- p7zip_16.02/man1/7z.1.orig 2018-02-04 03:47:31.934553305 +0000 ++++ p7zip_16.02/man1/7z.1 2018-02-04 03:54:22.504752021 +0000 +@@ -12,7 +12,7 @@ + .SH DESCRIPTION + 7-Zip is a file archiver supporting 7z (that implements LZMA compression algorithm + featuring very high compression ratio), LZMA2, XZ, ZIP, Zip64, CAB, +-RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, ++RAR (it was removed due a non-free license), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, + most filesystem images and DEB formats. + Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. + .PP +--- p7zip_16.02/man1/7za.1.orig 2018-02-04 03:53:54.243463005 +0000 ++++ p7zip_16.02/man1/7za.1 2018-02-04 03:55:12.645264785 +0000 +@@ -12,7 +12,7 @@ + .SH DESCRIPTION + 7-Zip is a file archiver supporting 7z (that implements LZMA compression algorithm + featuring very high compression ratio), LZMA2, XZ, ZIP, Zip64, CAB, +-RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, ++RAR (it was removed due a non-free license), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, + most filesystem images and DEB formats. + Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. + .PP diff --git a/SPECS/p7zip/05-hardening-flags.patch b/SPECS/p7zip/05-hardening-flags.patch new file mode 100644 index 0000000000..aa42431970 --- /dev/null +++ b/SPECS/p7zip/05-hardening-flags.patch 
@@ -0,0 +1,33 @@ +From: Robert Luberda +Date: Fri, 22 Jan 2016 00:53:09 +0100 +Subject: Hardening flags + +Add support for $(CPPFLAGS) and do not override $(CXXFLAGS) +and $(CFLAGS) + +Bug-Debian: https://bugs.debian.org/#682167 +--- + makefile.glb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/makefile.glb b/makefile.glb +index fb001d5..e10ae03 100644 +--- a/makefile.glb ++++ b/makefile.glb +@@ -1,14 +1,14 @@ + + RM=rm -f + +-CFLAGS=-c -I. \ ++CFLAGS+=$(CPPFLAGS) -c -I. \ + -I../../../../C \ + -I../../../../CPP/myWindows \ + -I../../../../CPP/include_windows \ + -I../../../../CPP \ + $(ALLFLAGS) $(ALLFLAGS_C) + +-CXXFLAGS=-c -I. \ ++CXXFLAGS+=$(CPPFLAGS) -c -I. \ + -I../../../../C \ + -I../../../../CPP/myWindows \ + -I../../../../CPP/include_windows \ diff --git a/SPECS/p7zip/14-Fix-g++-warning.patch b/SPECS/p7zip/14-Fix-g++-warning.patch new file mode 100644 index 0000000000..226e239ee9 --- /dev/null +++ b/SPECS/p7zip/14-Fix-g++-warning.patch @@ -0,0 +1,24 @@ +From: Robert Luberda +Date: Sun, 28 Jan 2018 22:19:13 +0100 +Subject: Fix g++ warning + +Fix for "use of an operand of type 'bool' in 'operator++' +is deprecated [-Wdeprecated]" warning taken from 7zip 18.00.beta +package. +--- + CPP/7zip/Archive/Wim/WimHandler.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CPP/7zip/Archive/Wim/WimHandler.cpp b/CPP/7zip/Archive/Wim/WimHandler.cpp +index 27d3298..4ff5cfe 100644 +--- a/CPP/7zip/Archive/Wim/WimHandler.cpp ++++ b/CPP/7zip/Archive/Wim/WimHandler.cpp +@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchiveProperty(PROPID propID, PROPVARIANT *value) + + AString res; + +- bool numMethods = 0; ++ unsigned numMethods = 0; + for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++) + { + if (methodMask & ((UInt32)1 << i)) diff --git a/SPECS/p7zip/CVE-2016-9296.patch b/SPECS/p7zip/CVE-2016-9296.patch new file mode 100644 index 0000000000..773f92a46e --- /dev/null +++ b/SPECS/p7zip/CVE-2016-9296.patch 
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig 2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp 2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
diff --git a/SPECS/p7zip/CVE-2017-17969.patch b/SPECS/p7zip/CVE-2017-17969.patch
new file mode 100644
index 0000000000..ebc0ac93ef
--- /dev/null
+++ b/SPECS/p7zip/CVE-2017-17969.patch
@@ -0,0 +1,26 @@
+From 79bca880ce7bcf07216c45f93afea545e0344418 Mon Sep 17 00:00:00 2001
+From: aone
+Date: Mon, 5 Feb 2018 13:01:09 +0100
+Subject: [PATCH] Security fix CVE-2017-17969
+
+---
+ CPP/7zip/Compress/ShrinkDecoder.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp
+index 80b7e67..5bb0559 100644
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ {
+ _stack[i++] = _suffixes[cur];
+ cur = _parents[cur];
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+ }
++
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+
+ _stack[i++] = (Byte)cur;
+ lastChar2 = (Byte)cur;
diff --git a/SPECS/binutils/CVE-2019-9076.nopatch b/SPECS/p7zip/CVE-2018-5996.nopatch
similarity index 100%
rename from SPECS/binutils/CVE-2019-9076.nopatch
rename to SPECS/p7zip/CVE-2018-5996.nopatch
diff --git a/SPECS/p7zip/gcc10-conversion.patch b/SPECS/p7zip/gcc10-conversion.patch
new file mode 100644
index 0000000000..45f9f84af4
--- /dev/null
+++ b/SPECS/p7zip/gcc10-conversion.patch
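Review bot: In CVE-2017-17969.patch, both added guards leave their loops with `break`, and nothing in the hunk records an error. If the code after the outer loop returns success, a corrupt stream would be reported as a clean but shorter output, so it is worth confirming and returning a data-error result instead. The inner check also runs only after `_stack[i++] = _suffixes[cur]` has executed, so it relies on `cur` and `i` already being in range when the loop is entered, which is established outside the hunk. CodeReal's body continues past both ends of the hunk.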
@@ -0,0 +1,26 @@ +diff -Nrup a/CPP/Windows/ErrorMsg.cpp b/CPP/Windows/ErrorMsg.cpp +--- a/CPP/Windows/ErrorMsg.cpp 2015-01-18 11:20:28.000000000 -0700 ++++ b/CPP/Windows/ErrorMsg.cpp 2019-09-24 13:01:18.887289152 -0600 +@@ -14,14 +14,14 @@ UString MyFormatMessage(DWORD errorCode) + AString msg; + + switch(errorCode) { +- case ERROR_NO_MORE_FILES : txt = "No more files"; break ; +- case E_NOTIMPL : txt = "E_NOTIMPL"; break ; +- case E_NOINTERFACE : txt = "E_NOINTERFACE"; break ; +- case E_ABORT : txt = "E_ABORT"; break ; +- case E_FAIL : txt = "E_FAIL"; break ; +- case STG_E_INVALIDFUNCTION : txt = "STG_E_INVALIDFUNCTION"; break ; +- case E_OUTOFMEMORY : txt = "E_OUTOFMEMORY"; break ; +- case E_INVALIDARG : txt = "E_INVALIDARG"; break ; ++ case unsigned (ERROR_NO_MORE_FILES) : txt = "No more files"; break ; ++ case unsigned (E_NOTIMPL) : txt = "E_NOTIMPL"; break ; ++ case unsigned (E_NOINTERFACE) : txt = "E_NOINTERFACE"; break ; ++ case unsigned (E_ABORT) : txt = "E_ABORT"; break ; ++ case unsigned (E_FAIL) : txt = "E_FAIL"; break ; ++ case unsigned (STG_E_INVALIDFUNCTION) : txt = "STG_E_INVALIDFUNCTION"; break ; ++ case unsigned (E_OUTOFMEMORY) : txt = "E_OUTOFMEMORY"; break ; ++ case unsigned (E_INVALIDARG) : txt = "E_INVALIDARG"; break ; + case ERROR_DIRECTORY : txt = "Error Directory"; break ; + default: + txt = strerror(errorCode); diff --git a/SPECS/p7zip/p7zip-manpages.patch b/SPECS/p7zip/p7zip-manpages.patch new file mode 100644 index 0000000000..8dc4df4aff --- /dev/null +++ b/SPECS/p7zip/p7zip-manpages.patch @@ -0,0 +1,899 @@ +Join of 02-man.patch, 09-man-update.patch and 10-drop-fm-doc.patch from Debian +diff -rup p7zip_16.02.orig/DOC/MANUAL/cmdline/index.htm p7zip_16.02/DOC/MANUAL/cmdline/index.htm +--- p7zip_16.02.orig/DOC/MANUAL/cmdline/index.htm 2016-05-10 10:50:08.000000000 +0100 ++++ p7zip_16.02/DOC/MANUAL/cmdline/index.htm 2018-02-04 03:32:41.200460969 +0000 +@@ -11,12 +11,12 @@ +

Command Line Version User's Guide

+ + +-

7z.exe is the command line version of 7-Zip. 7z.exe uses 7z.dll +-from the 7-Zip package. 7z.dll is used by the 7-Zip File Manager also. ++

7z is the command line version of 7-Zip. 7z uses 7z.so ++from the 7-Zip package. + +-

7za.exe (a = alone) is a standalone version of 7-Zip. +-7za.exe supports only 7z, lzma, cab, zip, gzip, bzip2, Z and tar formats. +-7za.exe doesn't use external modules. ++

7za (a = alone) is a standalone version of 7-Zip. ++7za supports only 7z, lzma, cab, zip, gzip, bzip2, Z and tar formats. ++7za doesn't use external modules. + +

    +
  • Command Line syntax
  • +diff -rup p7zip_16.02.orig/DOC/MANUAL/cmdline/switches/sfx.htm p7zip_16.02/DOC/MANUAL/cmdline/switches/sfx.htm +--- p7zip_16.02.orig/DOC/MANUAL/cmdline/switches/sfx.htm 2016-05-10 10:50:08.000000000 +0100 ++++ p7zip_16.02/DOC/MANUAL/cmdline/switches/sfx.htm 2018-02-04 03:32:41.200460969 +0000 +@@ -22,7 +22,7 @@ +
    {SFX_Module}
    +
    +

    Specifies the SFX module that will be combined with the archive. +- This module must be placed in the same directory as the 7z.exe. ++ This module must be placed in the same directory as the 7z. + If {SFX_Module} is not assigned, 7-Zip will use standard console + SFX module 7zCon.sfx.

    + +diff -rup p7zip_16.02.orig/DOC/MANUAL/general/index.htm p7zip_16.02/DOC/MANUAL/general/index.htm +--- p7zip_16.02.orig/DOC/MANUAL/general/index.htm 2016-05-10 10:50:08.000000000 +0100 ++++ p7zip_16.02/DOC/MANUAL/general/index.htm 2018-02-04 03:32:41.200460969 +0000 +@@ -13,7 +13,6 @@ +

    The main features of 7-Zip

    + +
      +-
    • Powerful file manager
    • +
    • High compression ratio and high speed
    • +
    • Big number of supported archive formats
    • +
    • Additional command line version
    • +@@ -21,7 +20,7 @@ + +

      See Also

      + + + +diff -rup p7zip_16.02.orig/DOC/MANUAL/start.htm p7zip_16.02/DOC/MANUAL/start.htm +--- p7zip_16.02.orig/DOC/MANUAL/start.htm 2016-05-21 09:53:28.000000000 +0100 ++++ p7zip_16.02/DOC/MANUAL/start.htm 2018-02-04 03:32:41.201460979 +0000 +@@ -17,7 +17,6 @@ + + + +@@ -25,7 +24,7 @@ + + + +
      +diff -rup p7zip_16.02.orig/man1/7z.1 p7zip_16.02/man1/7z.1 +--- p7zip_16.02.orig/man1/7z.1 2007-09-21 19:53:12.000000000 +0100 ++++ p7zip_16.02/man1/7z.1 2018-02-04 03:33:07.305726696 +0000 +@@ -1,97 +1,187 @@ +-.TH 7z 1 "September 1 2006" "Mohammed Adnene Trojette" ++.TH 7z 1 "March 6th, 2016" "7-Zip" + .SH NAME +-7z \- A file archiver with highest compression ratio ++7z \- A file archiver with high compression ratio format + .SH SYNOPSIS + .B 7z +-.BR [adeltux] +-.BR [\-] +-.BR [SWITCH] +-.BR +-.BR ... ++.B ++.RB [ "... ]" ++.B ++.RB [ "... ]" ++.RB [ <@listfiles> "... ]" + .PP + .SH DESCRIPTION +-7-Zip is a file archiver with the highest compression ratio. The program supports 7z (that implements LZMA compression algorithm), ZIP, CAB, ARJ, GZIP, BZIP2, TAR, CPIO, RPM and DEB formats. Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. +-.TP +-7z uses plugins to handle archives. ++7-Zip is a file archiver supporting 7z (that implements LZMA compression algorithm ++featuring very high compression ratio), LZMA2, XZ, ZIP, Zip64, CAB, ++RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, ++most filesystem images and DEB formats. ++Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. + .PP +-.SH FUNCTION LETTERS ++.B 7z ++uses plugins to handle archives, so it might be slightly slower than ++.BR 7za (1) ++but can handle more archive formats. 
++.SH COMMANDS + .TP + .B a +-Add ++Add files to archive ++.TP ++.B b ++Benchmark + .TP + .B d +-Delete ++Delete files from archive + .TP + .B e +-Extract ++Extract files from archive (without using directory names) ++.TP ++.B h ++Calculate hash values for files ++.TP ++.B i ++Show information about supported formats + .TP + .B l +-List ++List contents of archive ++.TP ++.B rn ++Rename files in archive + .TP + .B t +-Test ++Test integrity of archive + .TP + .B u +-Update ++Update files to archive + .TP + .B x +-eXtract with full paths ++eXtract files with full paths + .PP + .SH SWITCHES + .TP +-.B \-ai[r[\-|0]]{@listfile|!wildcard} ++.B \-\- ++Stop switches parsing ++.TP ++.B \-ai[r[-|0]]{@listfile|!wildcard} + Include archives + .TP +-.B \-ax[r[\-|0]]{@listfile|!wildcard} +-eXclude archives ++.B \-ax[r[-|0]]{@listfile|!wildcard} ++Exclude archives ++.TP ++.B \-ao{a|s|t|u} ++Set Overwrite mode ++.TP ++.B \-an ++Disable archive_name field ++.TP ++.B -bb[0-3] ++Set output log level + .TP + .B \-bd +-Disable percentage indicator ++Disable progress indicator ++.TP ++.B \-bs{o|e|p}{0|1|2} ++Set output stream for output/error/progress line ++.TP ++.B \-bt ++Show execution time statistics + .TP + .B \-i[r[\-|0]]{@listfile|!wildcard} + Include filenames + .TP +-.B \-l +-don't store symlinks; store the files/directories they point to (CAUTION : the scanning stage can never end because of recursive symlinks like 'ln \-s .. 
ldir') +-.TP + .B \-m{Parameters} +-Set Compression Method (see {DEST_SHARE_DOC}/MANUAL/switches/method.htm for a list of methods) +-.TP +-.B \-mhe=on|off +-7z format only : enables or disables archive header encryption (Default : off) ++Set Compression Method (see /usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/method.htm from the p7zip-full package for a list of methods) + .TP + .B \-o{Directory} + Set Output directory + .TP + .B \-p{Password} +-Set Password ++Set Password (NOTE: this flag does not work with 7zr) + .TP + .B \-r[\-|0] + Recurse subdirectories (CAUTION: this flag does not do what you think, avoid using it) + .TP ++.B \-sa{a|e|s} ++Set archive name mode ++.TP ++.B \-scc{UTF\-8|WIN|DOS} ++Set charset for for console input/output ++.TP ++.B \-scs{UTF\-8|UTF\-16LE|UTF\-16BE|WIN|DOS|{id}} ++Set charset for list files ++.TP ++.B \-scrc[CRC32|CRC64|SHA1|SHA256|*] ++Set hash function for x, e, h commands ++.TP ++.B \-sdel ++Delete files after compression ++.TP ++.B \-seml[.] ++Send archive by email ++.TP + .B \-sfx[{name}] + Create SFX archive + .TP +-.B \-si +-Read data from StdIn (eg: tar cf \- directory | 7z a \-si directory.tar.7z) ++.B \-si[{name}] ++Read data from stdin (e.g. tar cf \- directory | 7z a \-si directory.tar.7z) + .TP +-.B \-so +-Write data to StdOut (eg: % echo foo | 7z a dummy \-tgzip \-si \-so > /dev/null) ++.B \-slp ++Set Large Pages mode + .TP + .B \-slt +-Sets technical mode for l (list) command ++Show technical information for l (List) command ++.TP ++.B \-snh ++Store hard links as links ++.TP ++.B \-snl ++Store symbolic links as links ++.TP ++.B \-sni ++Store NT security information ++.TP ++.B \-sns[\-] ++Store NTFS alternate streams ++.TP ++.B \-sfx[{name}] ++Create SFX archive ++.TP ++.B \-so ++Write data to stdout (e.g. 
7z x \-so directory.tar.7z | tar xf \-) ++.TP ++.B \-spd ++Disable wildcard matching for file names ++.TP ++.B \-spe ++Eliminate duplication of root folder for extract command ++.TP ++.B \-spf ++Use fully qualified file paths ++.TP ++.B \-ssc[\-] ++Set sensitive case mode ++.TP ++.B \-ssw ++Compress shared files ++.TP ++.B \-stl ++Set archive timestamp from the most recently modified file ++.TP ++.B \-stm{HexMask} ++Set CPU thread affinity mask (hexadecimal number) ++.TP ++.B \-stx{Type} ++Exclude archive type + .TP + .B \-t{Type} +-Type of archive (7z, zip, gzip, bzip2 or tar. 7z format is default) ++Set type of archive ++.TP ++.B \-u[-][p#][q#][r#][x#][y#][z#][!newArchiveName] ++Update options + .TP + .B \-v{Size}[b|k|m|g] + Create volumes + .TP +-.B \-u[\-][p#][q#][r#][x#][y#][z#][!newArchiveName] +-Update options +-.TP + .B \-w[path] +-Set Working directory ++Set working directory. Empty path means a temporary directory + .TP + .B \-x[r[\-|0]]]{@listfile|!wildcard} + Exclude filenames +@@ -105,7 +195,8 @@ Assume Yes on all queries + .IP 0 + Normal (no errors or warnings detected) + .IP 1 +-Warning (Non fatal error(s)). For example, some files cannot be read during compressing. So they were not compressed ++Warning (Non fatal error(s)). For example, some files cannot be read during compressing, ++so they were not compressed + .IP 2 + Fatal error + .IP 7 +@@ -120,13 +211,13 @@ DO NOT USE the 7-zip format for backup p + + .LP + On Linux/Unix, in order to backup directories you must use tar : +- \- to backup a directory : tar cf \- directory | 7za a \-si directory.tar.7z +- \- to restore your backup : 7za x \-so directory.tar.7z | tar xf \- ++ \- to backup a directory : tar cf \- directory | 7z a \-si directory.tar.7z ++ \- to restore your backup : 7z x \-so directory.tar.7z | tar xf \- + + If you want to send files and directories (not the owner of file) + to others Unix/MacOS/Windows users, you can use the 7-zip format. 
+ +- example : 7za a directory.7z directory ++ example : 7z a directory.7z directory + + .LP + Do not use "\-r" because this flag does not do what you think. +@@ -165,10 +256,15 @@ add all files from directory "dir1" to S + 7z a \-mhe=on \-pmy_password archive.7z a_directory + add all files from directory "a_directory" to the archive "archive.7z" (with data and header archive encryption on) + .SH "SEE ALSO" +-7za(1), 7zr(1), bzip2(1), gzip(1), zip(1) ++.BR 7zr (1), ++.BR 7za (1), ++.BR p7zip (1), ++.BR bzip2 (1), ++.BR gzip (1), ++.BR zip(1), + .PP + .SH "HTML Documentation" +-{DEST_SHARE_DOC}/MANUAL/index.htm ++/usr/share/doc/p7zip-full/DOC/MANUAL/start.htm + .SH AUTHOR + .TP +-Written for Debian by Mohammed Adnene Trojette. ++Written for Debian by Mohammed Adnene Trojette. Updated by Robert Luberda. +diff -rup p7zip_16.02.orig/man1/7za.1 p7zip_16.02/man1/7za.1 +--- p7zip_16.02.orig/man1/7za.1 2007-09-21 19:53:24.000000000 +0100 ++++ p7zip_16.02/man1/7za.1 2018-02-04 03:33:07.305726696 +0000 +@@ -1,99 +1,190 @@ +-.TH 7za 1 "September 1 2006" "Mohammed Adnene Trojette" ++.TH 7za 1 "March 6th, 2016" "7-Zip" + .SH NAME +-7za \- A file archiver with highest compression ratio ++7za \- A file archiver with high compression ratio format + .SH SYNOPSIS + .B 7za +-.BR [adeltux] +-.BR [-] +-.BR [SWITCH] +-.BR +-.BR ... ++.B ++.RB [ "... ]" ++.B ++.RB [ "... ]" ++.RB [ <@listfiles> "... ]" + .PP + .SH DESCRIPTION +-7-Zip is a file archiver with the highest compression ratio. The program supports 7z (that implements LZMA compression algorithm), ZIP, CAB, ARJ, GZIP, BZIP2, TAR, CPIO, RPM and DEB formats. Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. +-.TP +-7za is a stand-alone executable. 7za handles less archive formats than 7z, but does not need any others. 
++7-Zip is a file archiver supporting 7z (that implements LZMA compression algorithm ++featuring very high compression ratio), LZMA2, XZ, ZIP, Zip64, CAB, ++RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, ++most filesystem images and DEB formats. ++Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. + .PP +-.SH FUNCTION LETTERS ++.B 7za ++is a stand-alone executable. ++.B 7za ++handles fewer archive formats than ++.BR 7z (1). ++.SH COMMANDS + .TP + .B a +-Add ++Add files to archive ++.TP ++.B b ++Benchmark + .TP + .B d +-Delete ++Delete files from archive + .TP + .B e +-Extract ++Extract files from archive (without using directory names) ++.TP ++.B h ++Calculate hash values for files ++.TP ++.B i ++Show information about supported formats + .TP + .B l +-List ++List contents of archive ++.TP ++.B rn ++Rename files in archive + .TP + .B t +-Test ++Test integrity of archive + .TP + .B u +-Update ++Update files to archive + .TP + .B x +-eXtract with full paths ++eXtract files with full paths + .PP + .SH SWITCHES + .TP ++.B \-\- ++Stop switches parsing ++.TP + .B \-ai[r[-|0]]{@listfile|!wildcard} + Include archives + .TP + .B \-ax[r[-|0]]{@listfile|!wildcard} +-eXclude archives ++Exclude archives ++.TP ++.B \-ao{a|s|t|u} ++Set Overwrite mode ++.TP ++.B \-an ++Disable archive_name field ++.TP ++.B -bb[0-3] ++Set output log level + .TP + .B \-bd +-Disable percentage indicator ++Disable progress indicator + .TP +-.B \-i[r[-|0]]{@listfile|!wildcard} +-Include filenames ++.B \-bs{o|e|p}{0|1|2} ++Set output stream for output/error/progress line + .TP +-.B \-l +-don't store symlinks; store the files/directories they point to (CAUTION : the scanning stage can never end because of recursive symlinks like 'ln \-s .. 
ldir') ++.B \-bt ++Show execution time statistics + .TP +-.B \-m{Parameters} +-Set Compression Method (see {DEST_SHARE_DOC}/MANUAL/switches/method.htm for a list of methods) ++.B \-i[r[\-|0]]{@listfile|!wildcard} ++Include filenames + .TP +-.B \-mhe=on|off +-7z format only : enables or disables archive header encryption (Default : off) ++.B \-m{Parameters} ++Set Compression Method (see /usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/method.htm from the p7zip-full package for a list of methods) + .TP + .B \-o{Directory} + Set Output directory + .TP + .B \-p{Password} +-Set Password ++Set Password (NOTE: this flag does not work with 7zr) + .TP +-.B \-r[-|0] ++.B \-r[\-|0] + Recurse subdirectories (CAUTION: this flag does not do what you think, avoid using it) + .TP ++.B \-sa{a|e|s} ++Set archive name mode ++.TP ++.B \-scc{UTF\-8|WIN|DOS} ++Set charset for for console input/output ++.TP ++.B \-scs{UTF\-8|UTF\-16LE|UTF\-16BE|WIN|DOS|{id}} ++Set charset for list files ++.TP ++.B \-scrc[CRC32|CRC64|SHA1|SHA256|*] ++Set hash function for x, e, h commands ++.TP ++.B \-sdel ++Delete files after compression ++.TP ++.B \-seml[.] ++Send archive by email ++.TP + .B \-sfx[{name}] + Create SFX archive + .TP +-.B \-si +-Read data from StdIn (eg: tar cf \- directory | 7za a \-si directory.tar.7z) ++.B \-si[{name}] ++Read data from stdin (e.g. tar cf \- directory | 7za a \-si directory.tar.7z) + .TP +-.B \-so +-Write data to StdOut (eg: % echo foo | 7z a dummy \-tgzip \-si \-so > /dev/null) ++.B \-slp ++Set Large Pages mode + .TP + .B \-slt +-Sets technical mode for l (list) command ++Show technical information for l (List) command + .TP +-.B \-t{Type} +-Type of archive (7z, zip, gzip, bzip2 or tar. 
7z format is default) ++.B \-snh ++Store hard links as links + .TP +-.B \-v{Size}[b|k|m|g] +-Create volumes ++.B \-snl ++Store symbolic links as links ++.TP ++.B \-sni ++Store NT security information ++.TP ++.B \-sns[\-] ++Store NTFS alternate streams ++.TP ++.B \-sfx[{name}] ++Create SFX archive ++.TP ++.B \-so ++Write data to stdout (e.g. 7za x \-so directory.tar.7z | tar xf \-) ++.TP ++.B \-spd ++Disable wildcard matching for file names ++.TP ++.B \-spe ++Eliminate duplication of root folder for extract command ++.TP ++.B \-spf ++Use fully qualified file paths ++.TP ++.B \-ssc[\-] ++Set sensitive case mode ++.TP ++.B \-ssw ++Compress shared files ++.TP ++.B \-stl ++Set archive timestamp from the most recently modified file ++.TP ++.B \-stm{HexMask} ++Set CPU thread affinity mask (hexadecimal number) ++.TP ++.B \-stx{Type} ++Exclude archive type ++.TP ++.B \-t{Type} ++Set type of archive + .TP + .B \-u[-][p#][q#][r#][x#][y#][z#][!newArchiveName] + Update options + .TP ++.B \-v{Size}[b|k|m|g] ++Create volumes ++.TP + .B \-w[path] +-Set Working directory ++Set working directory. Empty path means a temporary directory + .TP +-.B \-x[r[-|0]]]{@listfile|!wildcard} ++.B \-x[r[\-|0]]]{@listfile|!wildcard} + Exclude filenames + .TP + .B \-y +@@ -105,7 +196,8 @@ Assume Yes on all queries + .IP 0 + Normal (no errors or warnings detected) + .IP 1 +-Warning (Non fatal error(s)). For example, some files cannot be read during compressing. So they were not compressed ++Warning (Non fatal error(s)). 
For example, some files cannot be read during compressing, ++so they were not compressed + .IP 2 + Fatal error + .IP 7 +@@ -165,10 +257,15 @@ add all files from directory "dir1" to S + 7za a \-mhe=on \-pmy_password archive.7z a_directory + add all files from directory "a_directory" to the archive "archive.7z" (with data and header archive encryption on) + .SH "SEE ALSO" +-7z(1), 7zr(1), bzip2(1), gzip(1), zip(1) ++.BR 7zr (1), ++.BR 7z (1), ++.BR p7zip (1), ++.BR bzip2 (1), ++.BR gzip (1), ++.BR zip(1), + .PP + .SH "HTML Documentation" +-{DEST_SHARE_DOC}/MANUAL/index.htm ++/usr/share/doc/p7zip-full/DOC/MANUAL/start.htm + .SH AUTHOR + .TP +-Written for Debian by Mohammed Adnene Trojette. ++Written for Debian by Mohammed Adnene Trojette. Updated by Robert Luberda. +diff -rup p7zip_16.02.orig/man1/7zr.1 p7zip_16.02/man1/7zr.1 +--- p7zip_16.02.orig/man1/7zr.1 2007-09-21 19:53:34.000000000 +0100 ++++ p7zip_16.02/man1/7zr.1 2018-02-04 03:33:07.305726696 +0000 +@@ -1,99 +1,192 @@ +-.TH 7zr 1 "September 1 2006" "Mohammed Adnene Trojette" ++.TH 7zr 1 "March 6th, 2016" "7-Zip" + .SH NAME +-7zr \- A file archiver with highest compression ratio ++7zr \- A file archiver with high compression ratio format + .SH SYNOPSIS + .B 7zr +-.BR [adeltux] +-.BR [-] +-.BR [SWITCH] +-.BR +-.BR ... ++.B ++.RB [ "... ]" ++.B ++.RB [ "... ]" ++.RB [ <@listfiles> "... ]" + .PP + .SH DESCRIPTION +-7-Zip is a file archiver with the highest compression ratio. The program supports 7z (that implements LZMA compression algorithm), ZIP, CAB, ARJ, GZIP, BZIP2, TAR, CPIO, RPM and DEB formats. Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. +-.TP +-7zr is a stand-alone executable. 7zr handles less archive formats than 7z, but does not need any others. 7zr is a "light-version" of 7za that only handles 7z archives. 
++7-Zip is a file archiver supporting 7z (that implements LZMA compression algorithm ++featuring very high compression ratio), LZMA2, XZ, ZIP, Zip64, CAB, ++RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, ++most filesystem images and DEB formats. ++Compression ratio in the new 7z format is 30-50% better than ratio in ZIP format. + .PP +-.SH FUNCTION LETTERS ++.B 7zr ++is a stand-alone executable. ++.B 7zr ++is a "light-version" of ++.BR 7za (1). ++.B 7zr ++handles password-less archives in the 7z, LZMA2, and XZ formats only. ++.SH COMMANDS + .TP + .B a +-Add ++Add files to archive ++.TP ++.B b ++Benchmark + .TP + .B d +-Delete ++Delete files from archive + .TP + .B e +-Extract ++Extract files from archive (without using directory names) ++.TP ++.B h ++Calculate hash values for files ++.TP ++.B i ++Show information about supported formats + .TP + .B l +-List ++List contents of archive ++.TP ++.B rn ++Rename files in archive + .TP + .B t +-Test ++Test integrity of archive + .TP + .B u +-Update ++Update files to archive + .TP + .B x +-eXtract with full paths ++eXtract files with full paths + .PP + .SH SWITCHES + .TP ++.B \-\- ++Stop switches parsing ++.TP + .B \-ai[r[-|0]]{@listfile|!wildcard} + Include archives + .TP + .B \-ax[r[-|0]]{@listfile|!wildcard} +-eXclude archives ++Exclude archives ++.TP ++.B \-ao{a|s|t|u} ++Set Overwrite mode ++.TP ++.B \-an ++Disable archive_name field ++.TP ++.B -bb[0-3] ++Set output log level + .TP + .B \-bd +-Disable percentage indicator ++Disable progress indicator + .TP +-.B \-i[r[-|0]]{@listfile|!wildcard} +-Include filenames ++.B \-bs{o|e|p}{0|1|2} ++Set output stream for output/error/progress line + .TP +-.B \-l +-don't store symlinks; store the files/directories they point to (CAUTION : the scanning stage can never end because of recursive symlinks like 'ln \-s .. 
ldir') ++.B \-bt ++Show execution time statistics + .TP +-.B \-m{Parameters} +-Set Compression Method (see {DEST_SHARE_DOC}/MANUAL/switches/method.htm for a list of methods) ++.B \-i[r[\-|0]]{@listfile|!wildcard} ++Include filenames + .TP +-.B \-mhe=on|off +-7z format only : enables or disables archive header encryption (Default : off) ++.B \-m{Parameters} ++Set Compression Method (see /usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/method.htm from the p7zip-full package for a list of methods) + .TP + .B \-o{Directory} + Set Output directory + .TP +-.B \-p{Password} +-Set Password +-.TP +-.B \-r[-|0] ++.B \-r[\-|0] + Recurse subdirectories (CAUTION: this flag does not do what you think, avoid using it) + .TP ++.B \-sa{a|e|s} ++Set archive name mode ++.TP ++.B \-scc{UTF\-8|WIN|DOS} ++Set charset for for console input/output ++.TP ++.B \-scs{UTF\-8|UTF\-16LE|UTF\-16BE|WIN|DOS|{id}} ++Set charset for list files ++.TP ++.B \-scrc[CRC32|CRC64|SHA1|SHA256|*] ++Set hash function for x, e, h commands ++.TP ++.B \-sdel ++Delete files after compression ++.TP ++.B \-seml[.] ++Send archive by email ++.TP + .B \-sfx[{name}] + Create SFX archive + .TP +-.B \-si +-Read data from StdIn (eg: tar cf \- directory | 7zr a \-si directory.tar.7z) ++.B \-si[{name}] ++Read data from stdin (e.g. tar cf \- directory | 7zr a \-si directory.tar.7z) + .TP +-.B \-so +-Write data to StdOut (eg: 7zr x \-so directory.tar.7z | tar xf \-) ++.B \-slp ++Set Large Pages mode + .TP + .B \-slt +-Sets technical mode for l (list) command ++Show technical information for l (List) command + .TP +-.B \-v{Size}[b|k|m|g] +-Create volumes ++.B \-snh ++Store hard links as links ++.TP ++.B \-snl ++Store symbolic links as links ++.TP ++.B \-sni ++Store NT security information ++.TP ++.B \-sns[\-] ++Store NTFS alternate streams ++.TP ++.B \-sfx[{name}] ++Create SFX archive ++.TP ++.B \-so ++Write data to stdout (e.g. 
7zr x \-so directory.tar.7z | tar xf \-) ++.TP ++.B \-spd ++Disable wildcard matching for file names ++.TP ++.B \-spe ++Eliminate duplication of root folder for extract command ++.TP ++.B \-spf ++Use fully qualified file paths ++.TP ++.B \-ssc[\-] ++Set sensitive case mode ++.TP ++.B \-ssw ++Compress shared files ++.TP ++.B \-stl ++Set archive timestamp from the most recently modified file ++.TP ++.B \-stm{HexMask} ++Set CPU thread affinity mask (hexadecimal number) ++.TP ++.B \-stx{Type} ++Exclude archive type ++.TP ++.B \-t{Type} ++Set type of archive + .TP + .B \-u[-][p#][q#][r#][x#][y#][z#][!newArchiveName] + Update options + .TP ++.B \-v{Size}[b|k|m|g] ++Create volumes ++.TP + .B \-w[path] +-Set Working directory ++Set working directory. Empty path means a temporary directory + .TP +-.B \-x[r[-|0]]]{@listfile|!wildcard} ++.B \-x[r[\-|0]]]{@listfile|!wildcard} + Exclude filenames + .TP +-.B \-y ++.B \-y + Assume Yes on all queries + .PP + .SH DIAGNOSTICS +@@ -102,7 +195,8 @@ Assume Yes on all queries + .IP 0 + Normal (no errors or warnings detected) + .IP 1 +-Warning (Non fatal error(s)). For example, some files cannot be read during compressing. So they were not compressed ++Warning (Non fatal error(s)). For example, some files cannot be read during compressing, ++so they were not compressed + .IP 2 + Fatal error + .IP 7 +@@ -117,8 +211,8 @@ DO NOT USE the 7-zip format for backup p + + .LP + On Linux/Unix, in order to backup directories you must use tar : +- \- to backup a directory : tar cf - directory | 7zr a -si directory.tar.7z +- \- to restore your backup : 7zr x -so directory.tar.7z | tar xf - ++ \- to backup a directory : tar cf \- directory | 7zr a \-si directory.tar.7z ++ \- to restore your backup : 7zr x \-so directory.tar.7z | tar xf \- + + If you want to send files and directories (not the owner of file) + to others Unix/MacOS/Windows users, you can use the 7-zip format. 
+@@ -156,16 +250,16 @@ solid archive = on + .B + 7zr a \-sfx archive.exe dir1 + add all files from directory "dir1" to SFX archive archive.exe (Remark : SFX archive MUST end with ".exe") +-.SH EXAMPLE 3 +-.TP +-.B +-7zr a \-mhe=on \-pmy_password archive.7z a_directory +-add all files from directory "a_directory" to the archive "archive.7z" (with data and header archive encryption on) + .SH "SEE ALSO" +-7z(1), 7za(1), bzip2(1), gzip(1), zip(1) ++.BR 7za (1), ++.BR 7z (1), ++.BR p7zip (1), ++.BR bzip2 (1), ++.BR gzip (1), ++.BR zip(1), + .PP + .SH "HTML Documentation" +-{DEST_SHARE_DOC}/MANUAL/index.htm ++/usr/share/doc/p7zip/DOC/MANUAL/start.htm (avabilable when the p7zip-full package is installed) + .SH AUTHOR + .TP +-Written for Debian by Mohammed Adnene Trojette. ++Written for Debian by Mohammed Adnene Trojette. Updated by Robert Luberda. diff --git a/SPECS/p7zip/p7zip.signatures.json b/SPECS/p7zip/p7zip.signatures.json new file mode 100644 index 0000000000..bea223ea44 --- /dev/null +++ b/SPECS/p7zip/p7zip.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "p7zip_16.02_src_all-norar.tar.bz2": "a79d439abddb3a59ba63a019a7bdc9c9513bcf712c2cc84679845643b17c29fd" + } +} diff --git a/SPECS/p7zip/p7zip.spec b/SPECS/p7zip/p7zip.spec new file mode 100644 index 0000000000..5c9032d3cf --- /dev/null +++ b/SPECS/p7zip/p7zip.spec 
@@ -0,0 +1,429 @@ +Summary: Very high compression ratio file archiver +Name: p7zip +Version: 16.02 +Release: 22%{?dist} +Vendor: Microsoft Corporation +Distribution: Mariner +# Files under C/Compress/Lzma/ are dual LGPL or CPL +License: LGPLv2 and (LGPLv2+ or CPL) +URL: http://p7zip.sourceforge.net/ +# RAR sources removed since their license is incompatible with the LGPL +#Source: http://downloads.sf.net/p7zip/p7zip_%%{version}_src_all.tar.bz2 +# export VERSION=15.14.1 +# wget http://downloads.sf.net/p7zip/p7zip_${VERSION}_src_all.tar.bz2 +# tar xjvf p7zip_${VERSION}_src_all.tar.bz2 +# rm -rf p7zip_${VERSION}/CPP/7zip/{Archive,Compress,Crypto,QMAKE}/Rar* +# rm p7zip_${VERSION}/DOC/unRarLicense.txt +# tar --numeric-owner -cjvf p7zip_${VERSION}_src_all-norar.tar.bz2 p7zip_${VERSION} +Source: https://src.fedoraproject.org/repo/pkgs/p7zip/p7zip_16.02_src_all-norar.tar.bz2/7202a0bd2aa2935576c13314783d5e1d/p7zip_%{version}_src_all-norar.tar.bz2 +Patch0: p7zip_15.14-norar_cmake.patch +# from Debain +Patch4: p7zip-manpages.patch +Patch5: 02-man.patch +Patch6: CVE-2016-9296.patch +Patch7: 05-hardening-flags.patch +Patch10: CVE-2017-17969.patch +Patch11: 14-Fix-g++-warning.patch +Patch12: gcc10-conversion.patch +Patch13: 0001-fix-data-null-pointer.patch +Patch14: 0001-fix-out-of-mem.patch +# p7zip sources does not include 7-Zips RAR compression code. +# Refer to p7zip no rar sources tar and patch0 for nonrar cmake. +# Patch to fix CVE-2018-5996 is for RAR functionality compression bug. +# It is not vulnerable hence adding nopatch +Patch15: CVE-2018-5996.nopatch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: libstdc++ +BuildRequires: libstdc++-devel +BuildRequires: cmake +%ifarch %{ix86} +BuildRequires: nasm +%endif +%ifarch x86_64 +BuildRequires: yasm +%endif + +%description +p7zip is a port of 7za.exe for Unix. 7-Zip is a file archiver with a very high +compression ratio. The original version can be found at http://www.7-zip.org/. 
+ + +%package plugins +Summary: Additional plugins for p7zip + +%description plugins +Additional plugins that can be used with 7z to extend its abilities. +This package contains also a virtual file system for Midnight Commander. + +%package doc +Summary: Manual documentation and contrib directory +BuildArch: noarch + +%description doc +This package contains the p7zip manual documentation and some code +contributions. + +%prep +%autosetup -p1 -n %{name}_%{version} + +# move license files +mv DOC/License.txt DOC/copying.txt . + +%build +pushd CPP/7zip/CMAKE/ +sh ./generate.sh +popd +%ifarch %{ix86} +cp -f makefile.linux_x86_asm_gcc_4.X makefile.machine +%endif +%ifarch x86_64 +cp -f makefile.linux_amd64_asm makefile.machine +%endif +%ifarch ppc ppc64 +cp -f makefile.linux_any_cpu_gcc_4.X makefile.machine +%endif + +%make_build all2 \ + OPTFLAGS="%{optflags}" \ + DEST_HOME=%{_prefix} \ + DEST_BIN=%{_bindir} \ + DEST_SHARE=%{_libexecdir}/p7zip \ + DEST_MAN=%{_mandir} + + +%install +make install \ + DEST_DIR=%{buildroot} \ + DEST_HOME=%{_prefix} \ + DEST_BIN=%{_bindir} \ + DEST_SHARE=%{_libexecdir}/p7zip \ + DEST_MAN=%{_mandir} + +# remove redundant DOC dir +mv %{buildroot}%{_docdir}/p7zip/DOC/* %{buildroot}%{_docdir}/p7zip +rmdir %{buildroot}%{_docdir}/p7zip/DOC/ + +%check +make test + +%files +%{_docdir}/p7zip +%exclude %{_docdir}/p7zip/MANUAL +%license copying.txt License.txt +%{_bindir}/7za +%dir %{_libexecdir}/p7zip/ +%{_libexecdir}/p7zip/7za +%{_libexecdir}/p7zip/7zCon.sfx +%{_mandir}/man1/7za.1* +%exclude %{_mandir}/man1/7zr.1* + +%files plugins +%{_bindir}/7z +%dir %{_libexecdir}/p7zip/ +%{_libexecdir}/p7zip/7z +%{_libexecdir}/p7zip/7z.so +%{_mandir}/man1/7z.1* + +%files doc +%{_docdir}/p7zip/MANUAL +%doc contrib/ + +%changelog +* Mon May 24 2021 Suresh Babu Chalamalasetty - 16.02-22 +- Add nopatch for CVE-2018-5996 + +* Mon May 17 2021 Suresh Babu Chalamalasetty - 16.02-21 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Thu 
Apr 22 2021 Sérgio Basto - 16.02-20 +- Fix two Null Pointer Dereferences, thanks to NSFOCUS Security Team + +* Tue Jan 26 2021 Fedora Release Engineering - 16.02-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 16.02-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jan 29 2020 Fedora Release Engineering - 16.02-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Sep 24 2019 Sérgio Basto - 16.02-16 +- Add gcc10-conversion.patch provide by Red Hat's compiler team + +* Thu Jul 25 2019 Fedora Release Engineering - 16.02-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 16.02-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 16.02-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild +- https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot + +* Mon Jul 09 2018 Scott Talbert - 16.02-12 +- Rebuild with wxWidgets 3.0 + +* Wed Mar 07 2018 Adam Williamson - 16.02-11 +- Rebuild to fix GCC 8 mis-compilation + See https://da.gd/YJVwk ("GCC 8 ABI change on x86_64") + +* Tue Feb 06 2018 Sérgio Basto - 16.02-10 +- Improve security patch + +* Sat Jan 27 2018 Sérgio Basto - 16.02-9 +- Security fix for CVE-2017-17969 (from Debian) +- Add 05-hardening-flags.patch, 09-man-update.patch, 10-drop-fm-doc.patch + and 14-Fix-g++-warning.patch patches from Debian, very small changes + better documentation, compile flags and compile warning. + +* Wed Jan 24 2018 Sérgio Basto - 16.02-8 +- Add sub-package doc + +* Wed Jan 24 2018 Tomas Hoger - 16.02-7 +- Add conditional for building with(out) GUI support. Keep GUI enabled for + Fedora and EPEL builds, but disabled for RHEL. +- Add missing dependency - 7zG requires 7z.so, so p7zip-gui needs to require + p7zip-plugins. 
+ +* Sun Sep 10 2017 Vasiliy N. Glazov - 16.02-6 +- Cleanup spec + +* Thu Aug 03 2017 Fedora Release Engineering - 16.02-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 16.02-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 16.02-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Nov 21 2016 Sérgio Basto - 16.02-2 +- Security fix for CVE-2016-9296 + +* Mon Jul 18 2016 Sérgio Basto - 16.02-1 +- Update p7zip to 16.02 and fix security issues + +* Sun Mar 27 2016 Sérgio Basto - 15.14.1-1 +- Update to 15.14.1 +- Revert 7zFM build, upstream recomends not build it + http://sourceforge.net/p/p7zip/bugs/175/ + +* Thu Mar 17 2016 Sérgio Basto - 15.14-2 +- Fix non-executable-in-bin for p7zipForFilemanager. +- Remove p7zip_compress2.desktop to not duplicate the menu entries. +- Also build 7zFM, rebuild p7zip_15.14_src_all-norar.tar.bz2, to build 7zFM + instead 7zFM_do_not_use. + +* Tue Mar 15 2016 Sérgio Basto - 15.14-1 +- Update to 15.14 . +- Rebase norar_cmake.patch +- Minor improvement in snippet of documentation. +- Drop patch1, from changelog build on s390 is fixed. +- Drop p7zip-15.09-CVE-2015-1038.patch, from changelog if fixed. +- Drop upstreamed p7zip_15.09-incorrect-fsf-address.patch . +- Drop p7zip_15.09-no7zG_and_7zFM.patch, p7zip build is fixed. +- Add sub-package p7zip-gui with 7zG. 
+ +* Thu Feb 04 2016 Fedora Release Engineering - 15.09-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Jan 25 2016 Sérgio Basto - 15.09-9 +- Add 02_man.patch from Debian + +* Fri Jan 22 2016 Sérgio Basto - 15.09-8 +- Revert better solutions for "create unowned directory" + +* Fri Jan 22 2016 Sérgio Basto - 15.09-7 +- Split incorrect-fsf-address.patch and do not pack backup files + +* Fri Jan 22 2016 Sérgio Basto - 15.09-6 +- Stating in License.txt file that we removed non-Free unrar code + from sources (#190277) +- Fix incorrect fsf address in the license files. +- Add p7zip_15.09-no7zG_and_7zFM.patch in a diferent patch. + +* Fri Jan 22 2016 Sérgio Basto - 15.09-5 +- Add license tag +- better solutions for "create unowned directory" (#917366) + +* Thu Dec 03 2015 Sérgio Basto - 15.09-4 +- Fix CVE-2015-1038 (#1179505) + +* Wed Dec 02 2015 Sérgio Basto - 15.09-3 +- Fix build on s390 architecture (#1286992) + +* Thu Nov 12 2015 Sérgio Basto - 15.09-2 +- fix rhbz #917366 + +* Thu Nov 05 2015 Sérgio Basto - 15.09-1 +- Update to p7zip_15.09 +- Use cmake. +- Refactor norar patch. 
+- Deleted: p7zip_9.20.1-execstack.patch (upstreamed) +- Deleted: p7zip_9.20.1-install.patch (upstreamed) +- Deleted: p7zip_9.20.1-nostrip.patch (upstreamed) + +* Thu Jun 18 2015 Fedora Release Engineering - 9.20.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat May 02 2015 Kalev Lember - 9.20.1-9 +- Rebuilt for GCC 5 C++11 ABI change + +* Sun Aug 17 2014 Fedora Release Engineering - 9.20.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jun 06 2014 Fedora Release Engineering - 9.20.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 9.20.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 9.20.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering - 9.20.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 9.20.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Jul 26 2011 Matthias Saou 9.20.1-2 +- Execstack patch to fix what's wanted by the yasm code (#718778). + +* Tue Jul 26 2011 Matthias Saou 9.20.1-1 +- Update to 9.20.1 (#688564). +- Update norar, nostrip and install patches. +- Minor clean ups : Don't use trivial macros + new email address. +- Don't require the main package from the plugins package (#690551). +- Use the any_cpu_gcc_4.X makefile for ppc* since the ppc specific one is gone. + +* Tue Feb 08 2011 Fedora Release Engineering - 9.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jul 8 2010 Matthias Saou 9.13-1 +- Update to 9.13. +- Update norar and nostrip patches. + +* Tue Dec 8 2009 Matthias Saou 9.04-1 +- Update to 9.04. +- Update norar patch. 
+ +* Sat Jul 25 2009 Fedora Release Engineering - 4.65-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sun Apr 12 2009 Matthias Saou 4.65-1 +- Update to 4.65. +- Update norar patch. + +* Thu Feb 26 2009 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Dec 23 2008 Matthias Saou 4.61-1 +- Update to 4.61. +- Update norar patch. +- Use asm for x86 too (nasm). + +* Wed Jun 18 2008 Matthias Saou 4.58-1 +- Update to 4.58. +- Update norar patch. +- Update install patch. + +* Tue Feb 19 2008 Fedora Release Engineering +- Autorebuild for GCC 4.3 + +* Wed Aug 22 2007 Matthias Saou 4.51-3 +- Rebuild for new BuildID feature. + +* Thu Aug 9 2007 Matthias Saou 4.51-2 +- Update License field some more (LGPL+ to LGPLv2+). + +* Sun Aug 5 2007 Matthias Saou 4.51-1 +- Update to 4.51. +- Update License field. + +* Tue Jun 19 2007 Matthias Saou 4.47-1 +- Update to 4.47. +- Include now required patch to exclude removed Rar bits from makefiles. +- Switch to using "make install" for installation... so patch and hack. +- Use the asm makefile for x86_64, so build require yasm for it too. +- Add ppc64 to the main %%ifarch. +- Remove no longer included Codecs and Formats dirs (7z.so replaces them?). +- Remove our wrapper scripts, since the install script creates its own. + +* Thu Mar 1 2007 Matthias Saou 4.44-2 +- Remove _smp_mflags since some builds fail with suspicious errors. + +* Thu Mar 1 2007 Matthias Saou 4.44-1 +- Update to 4.44. + +* Mon Aug 28 2006 Matthias Saou 4.42-2 +- FC6 rebuild. + +* Thu Jun 29 2006 Matthias Saou 4.42-1 +- Update to 4.42. + +* Tue May 2 2006 Matthias Saou 4.39-1 +- Update to 4.39. +- Remove no longer needed gcc 4.1 patch. +- Use the gcc_4.X makefile. +- Remove RAR licensed files and RAR license itself (#190277). + +* Mon Mar 6 2006 Matthias Saou 4.30-3 +- FC5 rebuild. + +* Thu Feb 9 2006 Matthias Saou 4.30-2 +- Rebuild for new gcc/glibc. 
+- Include gcc 4.1 patch for extra qualification errors. + +* Mon Nov 28 2005 Matthias Saou 4.30-1 +- Update to 4.30. + +* Thu Oct 27 2005 Matthias Saou 4.29-3 +- Double quote args passed inside the shell scripts, to fix #171480. + +* Mon Oct 10 2005 Matthias Saou 4.29-2 +- Update to 4.29. + +* Sun Jun 05 2005 Dag Wieers - 4.20-1 +- Updated to release 4.20. + +* Sun Apr 10 2005 Dag Wieers - 4.16-1 +- Moved inline scripts to %%prep stage. +- Removed quotes for $@ as it should not be necessary. + +* Thu Mar 17 2005 Matthias Saou 4.14.01-1 +- Spec file cleanup. +- Fix wrapper scripts : Double quote $@ for filenames with spaces to work. +- Move files from /usr/share to /usr/libexec. +- Various other minor changes. + +* Mon Jan 24 2005 Marcin Zajaczkowski + - upgraded to 4.14.01 + +* Sun Jan 16 2005 Marcin Zajaczkowski + - upgraded to 4.14 + +* Mon Dec 20 2004 Marcin Zajaczkowski + - added 7za script and moved SFX module to _datadir/name/ to allow 7za & 7z + use it simultaneously + - returned to plugins in separate package + +* Sat Dec 18 2004 Charles Duffy + - upgraded to 4.13 + - added 7z (not just 7za) with a shell wrapper + - added gcc-c++ to the BuildRequires list + +* Sat Nov 20 2004 Marcin Zajaczkowski + - upgraded to 4.12 + - added virtual file system for Midnight Commander + +* Thu Nov 11 2004 Marcin Zajaczkowski + - upgraded to 4.10 + - plugins support was dropped out from p7zip + +* Sun Aug 29 2004 Marcin Zajaczkowski + - initial release + diff --git a/SPECS/p7zip/p7zip_15.14-norar_cmake.patch b/SPECS/p7zip/p7zip_15.14-norar_cmake.patch new file mode 100644 index 0000000000..41a351d234 --- /dev/null +++ b/SPECS/p7zip/p7zip_15.14-norar_cmake.patch 
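Review bot: The `CVE-2018-5996.nopatch` entry rests on the RAR code being absent from the source tarball, but nothing in `%prep` checks that the unpacked tree really lacks it. A guard right after `%autosetup` would make the rationale verifiable on every build, for example `test ! -e CPP/7zip/Archive/Rar -a ! -e CPP/7zip/Compress/Rar`, which covers two of the directories the header recipe removes. That recipe is also stale: it still says `# export VERSION=15.14.1` while the package is 16.02, so I would change it to `# export VERSION=16.02` so that anyone regenerating the tarball strips the right tree.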
@@ -0,0 +1,149 @@ +diff -rup p7zip_15.14.orig/CPP/7zip/Bundles/Format7zFree/makefile.list p7zip_15.14/CPP/7zip/Bundles/Format7zFree/makefile.list +--- p7zip_15.14.orig/CPP/7zip/Bundles/Format7zFree/makefile.list 2016-03-10 07:27:16.000000000 +0000 ++++ p7zip_15.14/CPP/7zip/Bundles/Format7zFree/makefile.list 2016-03-15 13:50:22.638470716 +0000 +@@ -87,8 +87,6 @@ SRCS=\ + ../../../../CPP/7zip/Archive/PeHandler.cpp \ + ../../../../CPP/7zip/Archive/PpmdHandler.cpp \ + ../../../../CPP/7zip/Archive/QcowHandler.cpp \ +- ../../../../CPP/7zip/Archive/Rar/RarHandler.cpp \ +- ../../../../CPP/7zip/Archive/Rar/Rar5Handler.cpp \ + ../../../../CPP/7zip/Archive/RpmHandler.cpp \ + ../../../../CPP/7zip/Archive/SplitHandler.cpp \ + ../../../../CPP/7zip/Archive/SquashfsHandler.cpp \ +@@ -191,9 +189,6 @@ SRCS=\ + ../../../../CPP/7zip/Crypto/MyAesReg.cpp \ + ../../../../CPP/7zip/Crypto/Pbkdf2HmacSha1.cpp \ + ../../../../CPP/7zip/Crypto/RandGen.cpp \ +- ../../../../CPP/7zip/Crypto/Rar20Crypto.cpp \ +- ../../../../CPP/7zip/Crypto/Rar5Aes.cpp \ +- ../../../../CPP/7zip/Crypto/RarAes.cpp \ + ../../../../CPP/7zip/Crypto/WzAes.cpp \ + ../../../../CPP/7zip/Crypto/ZipCrypto.cpp \ + ../../../../CPP/7zip/Crypto/ZipStrong.cpp \ +@@ -485,10 +480,6 @@ PpmdHandler.o : ../../../../CPP/7zip/Arc + $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Archive/PpmdHandler.cpp + QcowHandler.o : ../../../../CPP/7zip/Archive/QcowHandler.cpp + $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Archive/QcowHandler.cpp +-RarHandler.o : ../../../../CPP/7zip/Archive/Rar/RarHandler.cpp +- $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Archive/Rar/RarHandler.cpp +-Rar5Handler.o : ../../../../CPP/7zip/Archive/Rar/Rar5Handler.cpp +- $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Archive/Rar/Rar5Handler.cpp + RpmHandler.o : ../../../../CPP/7zip/Archive/RpmHandler.cpp + $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Archive/RpmHandler.cpp + SplitHandler.o : ../../../../CPP/7zip/Archive/SplitHandler.cpp +@@ -693,12 +684,6 @@ Pbkdf2HmacSha1.o : ../../../../CPP/7zip/ 
+ $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/Pbkdf2HmacSha1.cpp + RandGen.o : ../../../../CPP/7zip/Crypto/RandGen.cpp + $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/RandGen.cpp +-Rar20Crypto.o : ../../../../CPP/7zip/Crypto/Rar20Crypto.cpp +- $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/Rar20Crypto.cpp +-Rar5Aes.o : ../../../../CPP/7zip/Crypto/Rar5Aes.cpp +- $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/Rar5Aes.cpp +-RarAes.o : ../../../../CPP/7zip/Crypto/RarAes.cpp +- $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/RarAes.cpp + WzAes.o : ../../../../CPP/7zip/Crypto/WzAes.cpp + $(CXX) $(CXXFLAGS) ../../../../CPP/7zip/Crypto/WzAes.cpp + ZipCrypto.o : ../../../../CPP/7zip/Crypto/ZipCrypto.cpp +@@ -869,8 +854,6 @@ OBJS=\ + PeHandler.o \ + PpmdHandler.o \ + QcowHandler.o \ +- RarHandler.o \ +- Rar5Handler.o \ + RpmHandler.o \ + SplitHandler.o \ + SquashfsHandler.o \ +@@ -973,9 +956,6 @@ OBJS=\ + MyAesReg.o \ + Pbkdf2HmacSha1.o \ + RandGen.o \ +- Rar20Crypto.o \ +- Rar5Aes.o \ +- RarAes.o \ + WzAes.o \ + ZipCrypto.o \ + ZipStrong.o \ +diff -rup p7zip_15.14.orig/CPP/7zip/CMAKE/Format7zFree/CMakeLists.txt p7zip_15.14/CPP/7zip/CMAKE/Format7zFree/CMakeLists.txt +--- p7zip_15.14.orig/CPP/7zip/CMAKE/Format7zFree/CMakeLists.txt 2016-03-10 07:27:16.000000000 +0000 ++++ p7zip_15.14/CPP/7zip/CMAKE/Format7zFree/CMakeLists.txt 2016-03-15 13:50:22.639470728 +0000 +@@ -126,8 +126,6 @@ add_library(7z MODULE + "../../../../CPP/7zip/Archive/PeHandler.cpp" + "../../../../CPP/7zip/Archive/PpmdHandler.cpp" + "../../../../CPP/7zip/Archive/QcowHandler.cpp" +- "../../../../CPP/7zip/Archive/Rar/RarHandler.cpp" +- "../../../../CPP/7zip/Archive/Rar/Rar5Handler.cpp" + "../../../../CPP/7zip/Archive/RpmHandler.cpp" + "../../../../CPP/7zip/Archive/SplitHandler.cpp" + "../../../../CPP/7zip/Archive/SquashfsHandler.cpp" +@@ -230,9 +228,6 @@ add_library(7z MODULE + "../../../../CPP/7zip/Crypto/MyAesReg.cpp" + "../../../../CPP/7zip/Crypto/Pbkdf2HmacSha1.cpp" + 
"../../../../CPP/7zip/Crypto/RandGen.cpp" +- "../../../../CPP/7zip/Crypto/Rar20Crypto.cpp" +- "../../../../CPP/7zip/Crypto/Rar5Aes.cpp" +- "../../../../CPP/7zip/Crypto/RarAes.cpp" + "../../../../CPP/7zip/Crypto/WzAes.cpp" + "../../../../CPP/7zip/Crypto/ZipCrypto.cpp" + "../../../../CPP/7zip/Crypto/ZipStrong.cpp" +diff -rup p7zip_15.14.orig/CPP/7zip/CMAKE/generate.sh p7zip_15.14/CPP/7zip/CMAKE/generate.sh +--- p7zip_15.14.orig/CPP/7zip/CMAKE/generate.sh 2016-02-03 04:54:00.000000000 +0000 ++++ p7zip_15.14/CPP/7zip/CMAKE/generate.sh 2016-03-15 13:50:47.596758591 +0000 +@@ -15,15 +15,15 @@ CURDIR=$PWD + cd $CURDIR + doit "Unix" "Unix Makefiles" + +-cd $CURDIR +-doit "codeblocks" "CodeBlocks - Unix Makefiles" ++#cd $CURDIR ++#doit "codeblocks" "CodeBlocks - Unix Makefiles" + + #cd $CURDIR + #doit "KDevelop3" "KDevelop3" + +-cd $CURDIR +-doit "EclipseCDT4" "Eclipse CDT4 - Unix Makefiles" ++#cd $CURDIR ++#doit "EclipseCDT4" "Eclipse CDT4 - Unix Makefiles" + +-cd $CURDIR +-doit "ninja" "Ninja" ++#cd $CURDIR ++#doit "ninja" "Ninja" + +diff -rup p7zip_15.14.orig/DOC/License.txt p7zip_15.14/DOC/License.txt +--- p7zip_15.14.orig/DOC/License.txt 2016-03-02 05:57:39.000000000 +0000 ++++ p7zip_15.14/DOC/License.txt 2016-03-15 13:50:22.640470740 +0000 +@@ -1,3 +1,6 @@ ++ Fedora package note: non-Free unrar code have been removed from the sources ++ (#190277) ++ + 7-Zip source code + ~~~~~~~~~~~~~~~~~ + License for use and distribution +diff -rup p7zip_15.14.orig/makefile p7zip_15.14/makefile +--- p7zip_15.14.orig/makefile 2016-02-29 06:28:31.000000000 +0000 ++++ p7zip_15.14/makefile 2016-03-15 13:50:22.640470740 +0000 +@@ -31,7 +31,6 @@ depend: + $(MAKE) -C CPP/7zip/UI/Client7z depend + $(MAKE) -C CPP/7zip/UI/Console depend + $(MAKE) -C CPP/7zip/Bundles/Format7zFree depend +- $(MAKE) -C CPP/7zip/Compress/Rar depend + $(MAKE) -C CPP/7zip/UI/GUI depend + $(MAKE) -C CPP/7zip/UI/FileManager depend + +@@ -42,7 +41,6 @@ sfx: common + common7z:common + $(MKDIR) bin/Codecs + $(MAKE) -C 
CPP/7zip/Bundles/Format7zFree all +- $(MAKE) -C CPP/7zip/Compress/Rar all + + lzham:common + $(MKDIR) bin/Codecs +@@ -67,7 +65,6 @@ clean_C: + $(MAKE) -C CPP/7zip/UI/FileManager clean + $(MAKE) -C CPP/7zip/UI/GUI clean + $(MAKE) -C CPP/7zip/Bundles/Format7zFree clean +- $(MAKE) -C CPP/7zip/Compress/Rar clean + $(MAKE) -C CPP/7zip/Compress/Lzham clean + $(MAKE) -C CPP/7zip/Bundles/LzmaCon clean2 + $(MAKE) -C CPP/7zip/Bundles/AloneGCOV clean diff --git a/SPECS/pam/pam.signatures.json b/SPECS/pam/pam.signatures.json index 50b141e5df..e36a6bfeca 100644 --- a/SPECS/pam/pam.signatures.json +++ b/SPECS/pam/pam.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "Linux-PAM-1.3.1.tar.xz": "eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db" + "Linux-PAM-1.5.1.tar.xz": "201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc" } } \ No newline at end of file diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec index 21fc785469..3aeee59a79 100644 --- a/SPECS/pam/pam.spec +++ b/SPECS/pam/pam.spec 
@@ -1,24 +1,27 @@ Summary: Linux Pluggable Authentication Modules Name: pam -Version: 1.3.1 -Release: 5%{?dist} +Version: 1.5.1 +Release: 1%{?dist} License: BSD and GPLv2+ -URL: http://www.linux-pam.org/ +URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Mariner BuildRequires: cracklib-devel +BuildRequires: libselinux-devel Requires: cracklib + %description The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users. -%package lang -Summary: Additional language files for pam -Group: System Environment/Base +%package lang +Summary: Additional language files for pam +Group: System Environment/Base Requires: %{name} = %{version}-%{release} -%description lang + +%description lang These are the additional language files of pam. %package devel 
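Review bot: The jump from 1.3.1 to 1.5.1 crosses upstream's removal of `pam_cracklib`, `pam_tally` and `pam_tally2` (dropped in 1.5.0, as far as I recall from the release notes), yet this hunk keeps `BuildRequires: cracklib-devel` and `Requires: cracklib`. If that is right, any `/etc/pam.d` stack that still names those modules would stop applying its password-quality or lockout rule, or fail outright, after the upgrade. I would confirm that no configuration shipped in the distribution references them and drop the two cracklib dependencies if nothing else in the build needs them. The changelog hunk further down should record the removal instead of only "Upgrade to latest upstream version", e.g. `- pam_cracklib, pam_tally and pam_tally2 are no longer shipped; use pam_pwquality and pam_faillock`.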
@@ -31,54 +34,53 @@ This package contains libraries, header files and documentation for developing applications that use pam. %prep -%setup -qn Linux-PAM-%{version} -%build +%autosetup -n Linux-PAM-%{version} +%build ./configure \ --prefix=%{_prefix} \ --bindir=%{_bindir} \ --libdir=%{_libdir} \ --sysconfdir=/etc \ --enable-securedir=/usr/lib/security \ + --enable-selinux \ --docdir=%{_docdir}/%{name}-%{version} +%make_build -make %{?_smp_mflags} %install -[ %{buildroot} != "/"] && rm -rf %{buildroot}/* -make install DESTDIR=%{buildroot} +%make_install + chmod -v 4755 %{buildroot}/sbin/unix_chkpwd install -v -dm755 %{buildroot}/%{_docdir}/%{name}-%{version} -ln -sf pam_unix.so %{buildroot}/usr/lib/security/pam_unix_auth.so -ln -sf pam_unix.so %{buildroot}/usr/lib/security/pam_unix_acct.so -ln -sf pam_unix.so %{buildroot}/usr/lib/security/pam_unix_passwd.so -ln -sf pam_unix.so %{buildroot}/usr/lib/security/pam_unix_session.so +ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_auth.so +ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_acct.so +ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_passwd.so +ln -sf pam_unix.so %{buildroot}%{_libdir}/security/pam_unix_session.so echo 'PATH="/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"' >> %{buildroot}/etc/environment -find %{buildroot}/%{_libdir} -name '*.la' -delete -find %{buildroot}/usr/lib/ -name '*.la' -delete +find %{buildroot} -name "*.la" -delete -print %{find_lang} Linux-PAM %{_fixperms} %{buildroot}/* %check -install -v -m755 -d /etc/pam.d -cat > /etc/pam.d/other << "EOF" +install -v -m755 -d %{_sysconfdir}/pam.d +cat > %{_sysconfdir}/pam.d/other << "EOF" auth required pam_deny.so account required pam_deny.so password required pam_deny.so session required pam_deny.so EOF -make %{?_smp_mflags} check +%make_build check + +%ldconfig_scriptlets -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig -%clean -rm -rf %{buildroot}/* %files %defattr(-,root,root) %license COPYING 
%{_sysconfdir}/* /sbin/* %{_libdir}/security/* +%{_libdir}/systemd/system/pam_namespace.service %{_libdir}/*.so* %{_mandir}/man5/* %{_mandir}/man8/* @@ -93,6 +95,12 @@ rm -rf %{buildroot}/* %{_docdir}/%{name}-%{version}/* %changelog +* Fri Aug 13 2021 Thomas Crain - 1.5.1-1 +- Upgrade to latest upstream version + +* Tue Feb 16 2021 Daniel Burgener 1.3.1-6 +- Add SELinux support (JOSLOBO 7/26/21 bumped dash version to resolve merge conflict) + * Fri Feb 05 2021 Joe Schmitt - 1.3.1-5 - Replace incorrect %%{_lib} usage with %%{_libdir} diff --git a/SPECS/pciutils/pciutils.spec b/SPECS/pciutils/pciutils.spec index 35dcaaade1..15f264c796 100644 --- a/SPECS/pciutils/pciutils.spec +++ b/SPECS/pciutils/pciutils.spec @@ -53,7 +53,7 @@ rm -rf %{buildroot}/* %{_includedir}/* %changelog -* Sat May 09 00:21:41 PST 2020 Nick Samson - 3.6.2-3 +* Sat May 09 2020 Nick Samson - 3.6.2-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.6.2-2 diff --git a/SPECS/perl-App-cpanminus/fatunpack b/SPECS/perl-App-cpanminus/fatunpack new file mode 100755 index 0000000000..0cc06522f7 --- /dev/null +++ b/SPECS/perl-App-cpanminus/fatunpack 
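Review bot: The configure call still passes `--enable-securedir=/usr/lib/security`, while the four `ln -sf pam_unix.so` lines in this hunk and the `%files` entry now use `%{_libdir}/security`. The two paths agree only where `%{_libdir}` expands to `/usr/lib`; anywhere else the symlinks would be created in a directory the modules were not installed to. Passing `--enable-securedir=%{_libdir}/security` keeps the install location, the symlinks and the file list in step. Separately, the `%check` heredoc writes `%{_sysconfdir}/pam.d/other` on the build host rather than under `%{buildroot}`, so it would be worth a comment stating that `%check` must only run in a disposable build root.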
@@ -0,0 +1,114 @@ +#!/usr/bin/perl +use strict; +use warnings; +use File::Path; +use File::Spec; +use Getopt::Long; + +my $libdir = 'lib'; +my $filter = ''; + +GetOptions('libdir=s' => \$libdir, 'filter=s' => \$filter) or + die "Could not parse arguments\n"; +if ($filter eq '') { + # Empty pattern passes previous result by definition. Do not use it. + # Interpolared compilation is fixed in perl 5.18.0. RT#119095. + $filter = qr/(?:)/; +} +eval { $filter = qr{$filter}; 1} or + die "Could not compile filter as a regular expression: $@\n"; + +my ($file, $filename, $delimiter); +while (<>) { + if (/^\$fatpacked\{\s*"([^"]*)"\s*\}\s*=.*<<\s*'([^']*)'\s*;/) { + # Packed module beginning found + $filename = $1; + $delimiter = $2; + if ($filename =~ $filter) { + print STDERR "Extracting `$filename'\n"; + my $directory = (File::Spec->splitpath($filename))[1]; + File::Path::make_path(File::Spec->catfile($libdir, $directory)); + if ($file) { + die "Unballanced fat-packed module at line $.\n"; + } + open($file, '>', File::Spec->catfile($libdir, $filename)) or + die "Could not create `", + File::Spec->catfile($libdir, $filename), "': $!\n"; + } else { + print STDERR "Removing `$filename'\n"; + } + } elsif (defined $delimiter and /^\Q$delimiter\E$/) { + # Packed module end found + if (defined $file) { + close($file) or + die "Could not close `", + File::Spec->catfile($libdir, $filename), "': $!\n"; + $file = undef; + } + $filename = undef; + $delimiter = undef; + } elsif (defined $file) { + # Packed module to extract + s/^ //; # de-escape recursive here-documents + print $file $_; + } elsif (! defined $delimiter) { + # Rest of code to output + print STDOUT $_; + } +} + +__END__ + +=encoding utf8 + +=head1 NAME + +fatunpack - Unpacker for App::FatPacker packets + +=head1 SYNOPSYS + +fatunpack [OPTION…] [PACKED_SCRIPT…] + +=head1 DESCRIPTION + +This tool unpacks scripts packed with App::FatPacker. + +Packed script's file names are specified as positional arguments. 
If no +argument is given, a script from standard intput will be processed. + +The content of packed script stripped of all bundled modules is written to +standard output. + +=head1 OPTIONS + +=over 8 + +=item B<--libdir DIRECTORY> + +Directory to output unpacked modules to that where bundled into the input +script. Default value is C. + +=item B<--filter REGULAR_EXPRESSION> + +Save only modules whose file name matches the B. The file +names are compared without B<--libdir> prefix. The expession is not anchored +by default. Empty expression matches any file name. Default value is empty +regular expression, i.e. to save all modules. + +=back + +=head1 VERSION + +This is version 2. + +=head1 COPYRIGHT + +Copyright © 2013, 2014 Petr PísaÅ™ . + +=head1 LICENSE + +This is free software. You may redistribute copies of it under the terms of +the GNU General Public License L. +There is NO WARRANTY, to the extent permitted by law. + +=cut diff --git a/SPECS/perl-App-cpanminus/perl-App-cpanminus.signatures.json b/SPECS/perl-App-cpanminus/perl-App-cpanminus.signatures.json new file mode 100644 index 0000000000..79af1acb48 --- /dev/null +++ b/SPECS/perl-App-cpanminus/perl-App-cpanminus.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "App-cpanminus-1.7044.tar.gz": "9b60767fe40752ef7a9d3f13f19060a63389a5c23acc3e9827e19b75500f81f3", + "fatunpack": "07b2d934de6d30dcac0843a095ab1207b406526e6fb151c51eb39d8b8591b6e3" + } +} \ No newline at end of file diff --git a/SPECS/perl-App-cpanminus/perl-App-cpanminus.spec b/SPECS/perl-App-cpanminus/perl-App-cpanminus.spec new file mode 100644 index 0000000000..fbfcaed498 --- /dev/null +++ b/SPECS/perl-App-cpanminus/perl-App-cpanminus.spec 
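Review bot: `$filename` is taken from the `$fatpacked{"..."}` key of the input script and passed straight to `File::Spec->catfile($libdir, $filename)` for both `make_path` and `open`, with only the `--filter` regex in between. Because that regex is unanchored by default, a key containing `..` components or an absolute path would be written outside `--libdir`. The input here is a hash-pinned tarball, so this is a hardening point rather than a live problem. I would add a guard before `make_path`: `die "Unsafe module path `$filename'\n" if File::Spec->file_name_is_absolute($filename) or grep { $_ eq '..' } File::Spec->splitdir($filename);`. The `if ($file)` unbalanced check also runs after the directory has already been created; moving it above `make_path` and testing `defined $file` would match the later branches.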
@@ -0,0 +1,513 @@ +Name: perl-App-cpanminus +Version: 1.7044 +Release: 9%{?dist} +Summary: Get, unpack, build and install CPAN modules +# Other files: GPL+ OR Artistic +## unbundled +# lib/App/cpanminus/fatscript.pm: File::pushd: ASL 2.0 +## at build-time only +# fatunpack: GPL+ +License: GPL+ OR Artistic +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/App-cpanminus +Source0: https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-%{version}.tar.gz +Source1: fatunpack +BuildArch: noarch +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: make +BuildRequires: perl +BuildRequires: perl-Pod-Parser +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.30 +BuildRequires: perl(File::Path) +BuildRequires: perl(File::Spec) +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Run-time: +# Nothing special. The tests are very poor. But we run perl -c at built-time +# to check for correct unpacking. 
So we need non-optional run-time +# dependencies at build-time too: +BuildRequires: perl(Config) +BuildRequires: perl(constant) +# CPAN::DistnameInfo not needed for compilation +# CPAN::Meta not needed for copmilation +# CPAN::Meta::Check not needed for compilation +BuildRequires: perl(CPAN::Meta::Requirements) +# CPAN::Meta::YAML not needed for compilation +BuildRequires: perl(Cwd) +# Digest::SHA not needed for compilation +# ExtUtils::Manifest not needed for compilation +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Find) +# File::HomeDir not needed for compilation +# File::pushd not needed for compilation +BuildRequires: perl(File::Temp) +# HTTP::Tiny not needed for compilation +# JSON::PP not needed for compilation +# local::lib not needed for compilation +# LWP::Protocol::https not needed for compilation +# LWP::UserAgent not needed for compilation +# Module::CoreList not needed for compilation +# Module::CPANfile not needed for compilation +# Module::Metadata not needed for compilation +# Module::Signature not needed for compilation +# Parse::PMFile not needed for compilation +# Safe not needed for compilation +BuildRequires: perl-String-ShellQuote +BuildRequires: perl(Symbol) +BuildRequires: perl(version) +# version::vpp not needed +# Win32 not used +# YAML not needed for compilation +# Tests: +BuildRequires: perl(Test::More) +# There is no way to install core non-duallived modules from CPAN, +# (e.g. Path-Tiny CPAN distribution requiers "open" module), require full Perl +# for that. +Requires: perl +# Current dependency generator cannot parse compressed code. 
Use PPI to find +# them, and list them manually: +# Archive::Tar is optional +# Archive::Zip is optional +# Compress::Zlib is optional +Requires: perl-CPAN-DistnameInfo +Requires: perl(CPAN::Meta) +Requires: perl-CPAN-Meta-Check +Requires: perl(CPAN::Meta::YAML) +Requires: perl(Digest::SHA) +Requires: perl(ExtUtils::Install) >= 1.46 +Requires: perl(ExtUtils::MakeMaker) >= 6.58 +Requires: perl(ExtUtils::Manifest) +# File::HomeDir is optional +Requires: perl-File-pushd +# HTTP getter by LWP::UserAgent or wget or curl or HTTP::Tiny +Requires: perl(HTTP::Tiny) +Requires: perl-local-lib +# LWP::Protocol::https is optional +# LWP::UserAgent is optional +Requires: perl-Module-Build +Requires: perl(Module::CoreList) +Requires: perl-Module-CPANfile +Requires: perl(Module::Metadata) +# Module::Signature is optional +Requires: perl-Parse-PMFile +Requires: perl(Safe) +# version::vpp not used +# Win32 not used +Requires: perl-YAML +# XXX: Keep Provides: cpanminus to allow `yum install cpanminus' instead of +# longer `yum install perl-App-cpanminus'. +Provides: cpanminus = %{version}-%{release} + +# Filter under-specified dependencies +%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}^perl\\(App::cpanminus\\)$ +# Filter private modules +%global __provides_exclude %{__provides_exclude}|^perl\\(ModuleBuildSkipMan\\) + +%description +Why? It's dependency free, requires zero configuration, and stands alone +but it's maintainable and extensible with plug-ins and friendly to shell +scripting. When running, it requires only 10 MB of RAM. 
+ +%prep +%setup -q -n App-cpanminus-%{version} +# Unbundle fat-packed modules +podselect lib/App/cpanminus.pm > lib/App/cpanminus.pod + +for F in bin/cpanm lib/App/cpanminus/fatscript.pm; do + %{SOURCE1} --libdir lib --filter '^App/cpanminus' "$F" > "${F}.stripped" + perl -c -Ilib "${F}.stripped" + mv "${F}.stripped" "$F" +done + +%build +perl Makefile.PL INSTALLDIRS=vendor +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +find %{buildroot} -type f -name .packlist -delete +%{_fixperms} %{buildroot}/* + +%check +make test + +%files +%license LICENSE +%doc Changes README +%{perl_vendorlib}/* +%{_mandir}/man3/* +%{_mandir}/man1/* +%{_bindir}/cpanm + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 1.7044-9 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Wed Jan 29 2020 Fedora Release Engineering - 1.7044-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 1.7044-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 31 2019 Jitka Plesnikova - 1.7044-6 +- Perl 5.30 rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 1.7044-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jul 16 2018 Petr Pisar - 1.7044-4 +- Require full Perl for non-duallived sub-packaged core modules + +* Fri Jul 13 2018 Fedora Release Engineering - 1.7044-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 28 2018 Jitka Plesnikova - 1.7044-2 +- Perl 5.28 rebuild + +* Fri Apr 20 2018 Jitka Plesnikova - 1.7044-1 +- 1.7044 bump + +* Thu Feb 08 2018 Fedora Release Engineering - 1.7043-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.7043-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 1.7043-2 +- Perl 5.26 rebuild + +* Mon Apr 03 
2017 Jitka Plesnikova - 1.7043-1 +- 1.7043 bump + +* Sat Feb 11 2017 Fedora Release Engineering - 1.7042-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jun 07 2016 Petr Pisar - 1.7042-1 +- 1.7042 bump + +* Sun May 15 2016 Jitka Plesnikova - 1.7041-2 +- Perl 5.24 rebuild + +* Tue May 10 2016 Jitka Plesnikova - 1.7041-1 +- 1.7041 bump + +* Thu Feb 04 2016 Fedora Release Engineering - 1.7040-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Jan 11 2016 Jitka Plesnikova - 1.7040-1 +- 1.7040 bump + +* Mon Jun 29 2015 Jitka Plesnikova - 1.7039-1 +- 1.7039 bump + +* Wed Jun 24 2015 Jitka Plesnikova - 1.7038-1 +- 1.7038 bump + +* Fri Jun 19 2015 Jitka Plesnikova - 1.7037-1 +- 1.7037 bump + +* Thu Jun 18 2015 Fedora Release Engineering - 1.7036-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 11 2015 Jitka Plesnikova - 1.7036-2 +- Perl 5.22 rebuild + +* Wed Jun 10 2015 Petr Pisar - 1.7036-1 +- 1.7036 bump + +* Fri Jun 05 2015 Jitka Plesnikova - 1.7034-2 +- Perl 5.22 rebuild + +* Mon May 11 2015 Jitka Plesnikova - 1.7034-1 +- 1.7034 bump + +* Thu Apr 23 2015 Jitka Plesnikova - 1.7031-1 +- 1.7031 bump + +* Mon Apr 20 2015 Jitka Plesnikova - 1.7030-1 +- 1.7030 bump + +* Tue Feb 17 2015 Jitka Plesnikova - 1.7027-1 +- 1.7027 bump + +* Mon Feb 09 2015 Petr Pisar - 1.7025-1 +- 1.7025 bump + +* Tue Dec 16 2014 Jitka Plesnikova - 1.7022-1 +- 1.7022 bump + +* Thu Dec 11 2014 Jitka Plesnikova - 1.7020-1 +- 1.7020 bump; README was removed + +* Mon Dec 08 2014 Jitka Plesnikova - 1.7019-1 +- 1.7019 bump + +* Wed Dec 03 2014 Jitka Plesnikova - 1.7018-1 +- 1.7018 bump + +* Tue Nov 18 2014 Jitka Plesnikova - 1.7016-1 +- 1.7016 bump + +* Wed Oct 08 2014 Jitka Plesnikova - 1.7014-1 +- 1.7014 bump + +* Mon Sep 29 2014 Jitka Plesnikova - 1.7012-1 +- 1.7012 bump + +* Tue Sep 23 2014 Jitka Plesnikova - 1.7011-1 +- 1.7011 bump + +* Wed Sep 10 2014 Jitka Plesnikova - 1.7009-1 +- 1.7009 bump + +* Thu 
Aug 28 2014 Jitka Plesnikova - 1.7004-3 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.7004-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Apr 30 2014 Jitka Plesnikova - 1.7004-1 +- 1.7004 bump +- Updated the script fatunpack (ppisar) + +* Wed Sep 11 2013 Petr Pisar - 1.7001-1 +- 1.7001 bump + +* Wed Sep 11 2013 Petr Pisar - 1.6927-3 +- Unbundle all modules (bug #907464) + +* Sat Aug 03 2013 Fedora Release Engineering - 1.6927-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 24 2013 Jitka Plesnikova - 1.6927-1 +- 1.6927 bump + +* Thu Jul 18 2013 Petr Pisar - 1.6922-2 +- Perl 5.18 rebuild + +* Fri Jun 21 2013 Petr Pisar - 1.6922-1 +- 1.6922 bump + +* Thu Jun 20 2013 Jitka Plesnikova - 1.6921-1 +- 1.6921 bump + +* Thu Jun 13 2013 Jitka Plesnikova - 1.6918-1 +- 1.6918 bump + +* Thu May 16 2013 Petr Pisar - 1.6915-1 +- 1.6915 bump + +* Mon May 13 2013 Petr Pisar - 1.6914-1 +- 1.6914 bump + +* Mon May 13 2013 Petr Pisar - 1.6913-1 +- 1.6913 bump + +* Tue May 07 2013 Petr Pisar - 1.6912-1 +- 1.6912 bump + +* Mon May 06 2013 Petr Pisar - 1.6911-1 +- 1.6911 bump + +* Thu May 02 2013 Jitka Plesnikova - 1.6909-1 +- 1.6909 bump + +* Mon Apr 29 2013 Petr Pisar - 1.6907-1 +- 1.6907 bump + +* Mon Apr 22 2013 Jitka Plesnikova - 1.6902-1 +- 1.6902 bump + +* Mon Apr 15 2013 Petr Pisar - 1.6108-1 +- 1.6108 bump + +* Mon Apr 08 2013 Petr Pisar - 1.6107-1 +- 1.6107 bump + +* Mon Apr 08 2013 Petr Pisar - 1.6105-1 +- 1.6105 bump + +* Wed Apr 03 2013 Petr Pisar - 1.6104-1 +- 1.6104 bump + +* Thu Mar 28 2013 Petr Pisar - 1.6102-1 +- 1.6102 bump + +* Tue Mar 26 2013 Petr Pisar - 1.6101-1 +- 1.6101 bump + +* Wed Mar 20 2013 Petr Pisar - 1.6008-1 +- 1.6008 bump + +* Thu Mar 14 2013 Petr Pisar - 1.6006-1 +- 1.6006 bump + +* Mon Mar 11 2013 Jitka Plesnikova - 1.6005-1 +- 1.6005 bump + +* Thu Feb 28 2013 Petr Pisar - 1.6002-1 +- 1.6002 bump + +* Mon Feb 4 2013 Jitka Plesnikova - 1.5021-1 +- 1.5021 bump 
+ +* Wed Jan 02 2013 Petr Pisar - 1.5019-1 +- 1.5019 bump + +* Wed Sep 19 2012 Jitka Plesnikova - 1.5018-1 +- 1.5018 bump + +* Fri Jul 20 2012 Jitka Plesnikova - 1.5017-1 +- 1.5017 bump + +* Fri Jul 20 2012 Fedora Release Engineering - 1.5015-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 28 2012 Petr Pisar - 1.5015-2 +- Perl 5.16 rebuild + +* Mon Jun 25 2012 Petr Å abata - 1.5015-1 +- 1.5015 bump + +* Wed Jun 13 2012 Petr Å abata - 1.5014-1 +- 1.5014 bump +- Drop command macros + +* Mon Jun 11 2012 Petr Pisar - 1.5013-2 +- Perl 5.16 rebuild + +* Mon May 14 2012 Jitka Plesnikova - 1.5013-1 +- 1.5013 bump + +* Fri Apr 13 2012 Petr Å abata - 1.5011-1 +- 1.5011 bump + +* Tue Apr 03 2012 Petr Å abata - 1.5010-1 +- 1.5010 bump + +* Mon Mar 19 2012 Marcela MaÅ¡láňová 1.5008-1 +- bump to 1.5008 + +* Fri Jan 13 2012 Fedora Release Engineering - 1.5007-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Dec 21 2011 Marcela MaÅ¡láňová 1.5007-1 +- 1.5007 bump + +* Wed Nov 30 2011 Petr Å abata - 1.5006-1 +- 1.5006 bump + +* Wed Nov 23 2011 Petr Å abata - 1.5005-1 +- 1.5005 bump +- defattr removed + +* Wed Nov 09 2011 Petr Sabata - 1.5004-1 +- 1.5004 bump + +* Wed Oct 19 2011 Petr Sabata - 1.5003-1 +- 1.5003 bump + +* Tue Oct 18 2011 Petr Sabata - 1.5002-1 +- 1.5002 bump + +* Fri Oct 14 2011 Petr Sabata - 1.5001-1 +- 1.5001 bump + +* Thu Oct 13 2011 Petr Sabata - 1.5000-1 +- 1.5000 bump + +* Fri Jul 22 2011 Petr Pisar - 1.4008-3 +- RPM 4.9 dependency filtering added + +* Fri Jun 17 2011 Marcela MaÅ¡láňová - 1.4008-2 +- Perl mass rebuild + +* Thu Jun 16 2011 Petr Pisar - 1.4008-1 +- 1.4008 bump + +* Wed May 18 2011 Petr Pisar - 1.4007-1 +- 1.4007 bump +- LWP is optional since this package bundles HTTP::Tiny. Upstream recognized + LWP being heavy. Follow upstream decision in RPM package dependencies. 
+ +* Tue May 17 2011 Petr Pisar - 1.4006-1 +- 1.4006 bump +- Fix obsoleted version string + +* Thu May 12 2011 Petr Sabata - 1.4005-1 +- 1.4005 bump + +* Fri Mar 11 2011 Petr Sabata - 1.4004-1 +- 1.4004 bump + +* Thu Mar 10 2011 Petr Pisar - 1.4003-1 +- 1.4003 bump + +* Tue Mar 08 2011 Petr Pisar - 1.4000-1 +- 1.4000 bump + +* Fri Mar 04 2011 Petr Pisar - 1.3001-1 +- 1.3001 bump + +* Thu Mar 03 2011 Petr Pisar - 1.3000-1 +- 1.3000 bump +- Clean up spec file +- Require modules needed by cpanm +- Merge cpanminus into main package as cpanminus required main package and + main package did not contain any code (i.e. was useless). + +* Thu Feb 17 2011 Petr Sabata - 1.2001-1 +- 1.2001 bump + +* Tue Feb 08 2011 Fedora Release Engineering - 1.1008-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jan 27 2011 Petr Pisar - 1.1008-1 +- 1.1008 bump + +* Mon Jan 24 2011 Petr Pisar - 1.1007-1 +- 1.1007 bump + +* Mon Jan 3 2011 Petr Sabata - 1.1006-1 +- 1.1006 bump + +* Thu Dec 2 2010 Petr Sabata - 1.1004-1 +- 1.1004 bump + +* Fri Nov 19 2010 Petr Pisar - 1.1002-1 +- 1.1002 bump + +* Mon Sep 27 2010 Petr Pisar - 1.0015-1 +- 1.0015 bump + +* Thu Sep 23 2010 Petr Pisar - 1.0014-1 +- 1.0014 bump + +* Tue Sep 14 2010 Petr Pisar - 1.0013-1 +- 1.0013 bump +- Correct description spelling + +* Thu Apr 29 2010 Marcela Maslanova - 0.9935-3 +- Mass rebuild with perl-5.12.0 + +* Tue Mar 16 2010 Marcela MaÅ¡láňová 0.9935-2 +- filter unwanted requires + +* Tue Mar 16 2010 Marcela MaÅ¡láňová 0.9935-1 +- update + +* Tue Mar 16 2010 Marcela MaÅ¡láňová 0.9923-1 +- update +- create sub-package + +* Tue Mar 2 2010 Marcela MaÅ¡láňová 0.9911-1 +- new version & fix description + +* Tue Feb 23 2010 Marcela MaÅ¡láňová 0.09-1 +- Specfile autogenerated by cpanspec 1.78. diff --git a/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.signatures.json b/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.signatures.json new file mode 100644 index 0000000000..7acc688376 
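Review bot: In `%prep` the unpacker is invoked as `%{SOURCE1} --libdir lib ...`, which works only if the source file keeps its executable bit and its `#!/usr/bin/perl` line resolves in the build root. Calling it as `perl %{SOURCE1} --libdir lib --filter '^App/cpanminus' "$F" > "${F}.stripped"` removes that dependency on file mode. Separately, the `Requires:` list pulls in `perl(HTTP::Tiny)` while the comments mark `LWP::Protocol::https` and `Module::Signature` as optional. Whether an installed `cpanm` fetches over TLS and verifies what it downloads therefore seems to depend on what else is on the system. A short spec comment stating the intended default would help anyone auditing this package.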
--- /dev/null +++ b/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "CPAN-DistnameInfo-0.12.tar.gz": "2f24fbe9f7eeacbc269d35fc61618322fc17be499ee0cd9018f370934a9f2435" + } +} \ No newline at end of file diff --git a/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.spec b/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.spec new file mode 100644 index 0000000000..23e54f2db0 --- /dev/null +++ b/SPECS/perl-CPAN-DistnameInfo/perl-CPAN-DistnameInfo.spec 
@@ -0,0 +1,195 @@ +Name: perl-CPAN-DistnameInfo +Version: 0.12 +Release: 19%{?dist} +Summary: Extract distribution name and version from a distribution filename +License: GPL+ OR Artistic +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/CPAN-DistnameInfo +Source0: https://cpan.metacpan.org/authors/id/G/GB/GBARR/CPAN-DistnameInfo-%{version}.tar.gz +BuildArch: noarch +BuildRequires: make +BuildRequires: perl +BuildRequires: perl(version) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Tests: +%if %{with_check} +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(Test::More) +%endif +Requires: perl + +%description +Many online services that are centered around CPAN attempt to +associate multiple uploads by extracting a distribution name from the +filename of the upload. For most distributions this is easy as they +have used ExtUtils::MakeMaker or Module::Build to create the +distribution, which results in a uniform name. But sadly not all +uploads are created in this way. + +CPAN::DistnameInfo uses heuristics that have been learnt by +http://search.cpan.org/ to extract the distribution name and version +from filenames and also report if the version is to be treated as a +developer release. 
+ +%prep +%setup -q -n CPAN-DistnameInfo-%{version} + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +%{make_build} + +%install +%{make_install} +%{_fixperms} $RPM_BUILD_ROOT + +%check +make test + +%files +%doc Changes README +%{perl_vendorlib}/CPAN/ +%{_mandir}/man3/CPAN::DistnameInfo.3* + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 0.12-19 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Wed Jan 29 2020 Fedora Release Engineering - 0.12-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 0.12-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jul 04 2019 Petr Pisar - 0.12-16 +- Modernize spec file + +* Thu May 30 2019 Jitka Plesnikova - 0.12-15 +- Perl 5.30 rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 0.12-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.12-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 0.12-12 +- Perl 5.28 rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 0.12-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.12-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 0.12-9 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.12-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat May 14 2016 Jitka Plesnikova - 0.12-7 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.12-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 0.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 0.12-4 +- 
Perl 5.22 rebuild + +* Wed Aug 27 2014 Jitka Plesnikova - 0.12-3 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Oct 2 2013 Paul Howarth - 0.12-1 +- Update to 0.12 + - Grok dist names ending with something numeric containing underscores +- Make %%files list more explicit +- Drop %%defattr, redundant since rpm 4.4 +- Don't need to remove empty directories from the buildroot +- Use DESTDIR rather than PERL_INSTALL_ROOT +- Don't use macros for commands + +* Sat Aug 03 2013 Fedora Release Engineering - 0.11-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Petr Pisar - 0.11-9 +- Perl 5.18 rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 0.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jul 20 2012 Fedora Release Engineering - 0.11-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 08 2012 Petr Pisar - 0.11-6 +- Perl 5.16 rebuild +- Specify all dependencies + +* Fri Jan 13 2012 Fedora Release Engineering - 0.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Jun 17 2011 Marcela MaÅ¡láňová - 0.11-4 +- Perl mass rebuild + +* Thu Jun 09 2011 Marcela MaÅ¡láňová - 0.11-3 +- Perl 5.14 mass rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 22 2010 Steven Pritchard 0.11-1 +- Update to 0.11. + +* Wed Dec 15 2010 Marcela Maslanova - 0.10-2 +- Rebuild to fix problems with vendorarch/lib (#661697) + +* Sun Dec 12 2010 Steven Pritchard 0.10-1 +- Update to 0.10. + +* Fri Apr 30 2010 Marcela Maslanova - 0.09-2 +- Mass rebuild with perl-5.12.0 + +* Sat Feb 13 2010 Steven Pritchard 0.09-1 +- Update to 0.09. 
+ +* Fri Dec 4 2009 Stepan Kasal - 0.08-3 +- rebuild against perl 5.10.1 + +* Sat Jul 25 2009 Fedora Release Engineering - 0.08-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue May 12 2009 Steven Pritchard 0.08-1 +- Update to 0.08. +- BR Test::More. + +* Thu Feb 26 2009 Fedora Release Engineering - 0.07-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Jul 02 2008 Steven Pritchard 0.07-1 +- Update to 0.07. +- Improve Summary. +- Drop our copies of COPYING and Artistic. + +* Fri Feb 8 2008 Tom "spot" Callaway 0.06-4 +- rebuild for new perl + +* Tue Apr 17 2007 Steven Pritchard 0.06-3 +- Use fixperms macro instead of our own chmod incantation. +- BR ExtUtils::MakeMaker. + +* Sat Sep 16 2006 Steven Pritchard 0.06-2 +- Canonicalize Source0 URL. +- Fix find option order. + +* Mon Sep 19 2005 Steven Pritchard 0.06-1 +- Specfile autogenerated. diff --git a/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.signatures.json b/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.signatures.json new file mode 100644 index 0000000000..a3f350a121 --- /dev/null +++ b/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "CPAN-Meta-Check-0.014.tar.gz": "28a0572bfc1c0678d9ce7da48cf521097ada230f96eb3d063fcbae1cfe6a351f" + } +} \ No newline at end of file diff --git a/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.spec b/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.spec new file mode 100644 index 0000000000..ecf7c5be75 --- /dev/null +++ b/SPECS/perl-CPAN-Meta-Check/perl-CPAN-Meta-Check.spec 
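Review bot: The `%files` section lists `%doc Changes README` but has no `%license` entry, even though the new changelog line says "License verified" and the sibling specs added in this commit carry `%license LICENSE`. If the upstream tarball ships a licence file (not visible from here), it should be listed, e.g. `%license LICENSE`. If it does not, a one-line comment saying so would explain the omission. `%{_fixperms} $RPM_BUILD_ROOT` also mixes the shell variable with the `%{buildroot}` macro used elsewhere in the commit; `%{_fixperms} %{buildroot}/*` would be consistent.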
@@ -0,0 +1,173 @@ +Name: perl-CPAN-Meta-Check +Summary: Verify requirements in a CPAN::Meta object +Version: 0.014 +Release: 12%{?dist} +License: GPL+ OR Artistic +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/CPAN-Meta-Check +Source0: http://cpan.metacpan.org/authors/id/L/LE/LEONT/CPAN-Meta-Check-%{version}.tar.gz +BuildArch: noarch +# Build +BuildRequires: make +BuildRequires: perl +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +# Module +BuildRequires: perl(base) +BuildRequires: perl(CPAN::Meta::Prereqs) >= 2.132830 +BuildRequires: perl(CPAN::Meta::Requirements) >= 2.121 +BuildRequires: perl(Exporter) +BuildRequires: perl(Module::Metadata) >= 1.000023 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Test +%if %{with_check} +BuildRequires: perl(CPAN::Meta) >= 2.120920 +BuildRequires: perl(Env) +BuildRequires: perl(lib) +BuildRequires: perl(Test::More) >= 0.88 +%endif + +# Runtime +Requires: perl + +%description +This module verifies if requirements described in a CPAN::Meta object are +present. 
+ +%prep +%setup -q -n CPAN-Meta-Check-%{version} + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} + +%check +make test + +%files +%license LICENSE +%doc Changes README +%{perl_vendorlib}/CPAN/ +%{_mandir}/man3/CPAN::Meta::Check.3* + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 0.014-12 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Wed Jan 29 2020 Fedora Release Engineering - 0.014-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 0.014-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 31 2019 Jitka Plesnikova - 0.014-9 +- Perl 5.30 rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 0.014-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.014-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 28 2018 Jitka Plesnikova - 0.014-6 +- Perl 5.28 rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 0.014-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.014-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jun 05 2017 Jitka Plesnikova - 0.014-3 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.014-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Nov 26 2016 Paul Howarth - 0.014-1 +- Update to 0.014 + - Undef versions are now passed through to CPAN::Meta::Requirements for the + check, rather than failing with "Missing version" errors + +* Thu Jul 21 2016 Paul Howarth - 0.013-1 +- Update to 0.013 + - Make tests more resilient against dev versions of dependencies +- BR: perl-generators +- Drop legacy Group: tag +- Take advantage of features in recent 
EU::MM to simplify flow + +* Sun May 15 2016 Jitka Plesnikova - 0.012-3 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.012-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Paul Howarth - 0.012-1 +- Update to 0.012 + - Drop dependency on Exporter 5.57 + +* Thu Jun 18 2015 Fedora Release Engineering - 0.011-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Jun 06 2015 Jitka Plesnikova - 0.011-2 +- Perl 5.22 rebuild + +* Mon Mar 23 2015 Paul Howarth - 0.011-1 +- Update to 0.011 + - Declare the minimum version required for the "merged_requirements" + interface +- Explicitly run the extra tests + +* Mon Feb 2 2015 Paul Howarth - 0.010-1 +- Update to 0.010 + - Bump Module::Metadata prereq for $VERSION parsing (CPAN RT#101095) + - Consistently require same version of CPAN::Meta::Requirements +- Use %%license + +* Thu Aug 28 2014 Jitka Plesnikova - 0.009-3 +- Perl 5.20 rebuild + +* Tue Jul 1 2014 Paul Howarth - 0.009-2 +- Always run the release tests (#1114859) + +* Mon Jun 23 2014 Paul Howarth - 0.009-1 +- Update to 0.009 + - Various POD fixes + +* Sat Jun 07 2014 Fedora Release Engineering - 0.008-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Oct 17 2013 Paul Howarth - 0.008-1 +- Update to 0.008 + - Switch to using merged_requirements + - Test Env instead of Carp for version overshoot (CPAN RT#89591) + - Document $incdirs in the right function + +* Wed Sep 4 2013 Paul Howarth - 0.007-3 +- Skip the release tests when bootstrapping + +* Sat Aug 03 2013 Fedora Release Engineering - 0.007-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 31 2013 Paul Howarth - 0.007-1 +- Update to 0.007 + - Swap conflicts test, as underscore versions broke it (CPAN RT#87438) + +* Sat Jul 27 2013 Paul Howarth - 0.006-1 +- Update to 0.006 + - Fixed bad dereference during conflicts checking + +* Tue Jul 23 2013 Petr Pisar - 
0.005-3 +- Perl 5.18 rebuild + +* Wed May 1 2013 Paul Howarth - 0.005-2 +- Sanitize for Fedora submission + +* Sat Apr 27 2013 Paul Howarth - 0.005-1 +- Initial RPM version diff --git a/SPECS/perl-Canary-Stability/perl-Canary-Stability.spec b/SPECS/perl-Canary-Stability/perl-Canary-Stability.spec index 19590c5b8c..475d189cb0 100644 --- a/SPECS/perl-Canary-Stability/perl-Canary-Stability.spec +++ b/SPECS/perl-Canary-Stability/perl-Canary-Stability.spec @@ -42,14 +42,18 @@ rm -rf %{buildroot} %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 2012-5 -- Use new perl package names. -- Provide perl(Canary::Stability). -* Sat May 09 2020 Nick Samson 2012-4 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 2012-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 2012-2 -- Consuming perl version upgrade of 5.28.0 +* Mon Oct 12 2020 Joe Schmitt 2012-5 +- Use new perl package names. +- Provide perl(Canary::Stability). + +* Sat May 09 2020 Nick Samson 2012-4 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 2012-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 2012-2 +- Consuming perl version upgrade of 5.28.0 + * Wed Apr 05 2017 Robert Qi 2012-1 -- Initial version. +- Initial version. diff --git a/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec b/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec index 9ad10c7019..7c5c01ff77 100644 --- a/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec +++ b/SPECS/perl-DBD-SQLite/perl-DBD-SQLite.spec 
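Review bot: `Source0` in this spec uses `http://cpan.metacpan.org/...`, whereas the other two Perl specs added in the same commit fetch from `https://cpan.metacpan.org/...`. The SHA-256 in `perl-CPAN-Meta-Check.signatures.json` still pins the tarball contents, but there is no reason to fetch it over plain HTTP. I would change the line to `Source0: https://cpan.metacpan.org/authors/id/L/LE/LEONT/CPAN-Meta-Check-%{version}.tar.gz`.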
@@ -56,28 +56,39 @@ make test %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.62-4 -- Use new perl package names. -- Provide perl(DBD::SQLite::*). -* Sat May 09 2020 Nick Samson 1.62-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.62-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 22 2019 Michelle Wang 1.62-1 -- Update to version 1.62. -* Fri Sep 21 2018 Dweep Advani 1.58-1 -- Update to version 1.58. -* Tue Feb 20 2018 Xiaolin Li 1.54-2 -- Build perl-DBD-SQLite with sqlite-autoconf-3.22.0. -* Mon Apr 3 2017 Robert Qi 1.54-1 -- Upgraded to 1.54. -* Wed Nov 16 2016 Alexey Makhalov 1.50-3 -- Use sqlite-devel as a BuildRequires. -* Tue May 24 2016 Priyesh Padmavilasom 1.50-2 -- GA - Bump release of all rpms. -* Tue Feb 23 2016 Harish Udaiya Kumar 1.50-1 -- Upgraded to version 1.50. -* Thu Jan 21 2016 Anish Swaminathan 1.48-1 -- Upgrade version. -* Fri Apr 3 2015 Divya Thaluru 1.46-1 -- Initial version. +* Mon Oct 12 2020 Joe Schmitt 1.62-4 +- Use new perl package names. +- Provide perl(DBD::SQLite::*). + +* Sat May 09 2020 Nick Samson 1.62-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.62-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Jan 22 2019 Michelle Wang 1.62-1 +- Update to version 1.62. + +* Fri Sep 21 2018 Dweep Advani 1.58-1 +- Update to version 1.58. + +* Tue Feb 20 2018 Xiaolin Li 1.54-2 +- Build perl-DBD-SQLite with sqlite-autoconf-3.22.0. + +* Mon Apr 3 2017 Robert Qi 1.54-1 +- Upgraded to 1.54. + +* Wed Nov 16 2016 Alexey Makhalov 1.50-3 +- Use sqlite-devel as a BuildRequires. + +* Tue May 24 2016 Priyesh Padmavilasom 1.50-2 +- GA - Bump release of all rpms. + +* Tue Feb 23 2016 Harish Udaiya Kumar 1.50-1 +- Upgraded to version 1.50. + +* Thu Jan 21 2016 Anish Swaminathan 1.48-1 +- Upgrade version. + +* Fri Apr 3 2015 Divya Thaluru 1.46-1 +- Initial version. 
diff --git a/SPECS/perl-DBI/perl-DBI.spec b/SPECS/perl-DBI/perl-DBI.spec index 0ed59636e7..e53a11882e 100644 --- a/SPECS/perl-DBI/perl-DBI.spec +++ b/SPECS/perl-DBI/perl-DBI.spec @@ -163,20 +163,27 @@ make test %{_mandir}/man3/*.3* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.641-4 -- Use new perl package names. -- Provide perl(DB*) -* Sat May 09 2020 Nick Samson 1.641-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.641-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.641-1 -- Update to version 1.641 -* Mon Apr 3 2017 Robert Qi 1.636-1 -- Upgraded to 1.636 -* Tue May 24 2016 Priyesh Padmavilasom 1.634-2 -- GA - Bump release of all rpms -* Thu Jan 21 2016 Anish Swaminathan 1.634-1 -- Upgrade version -* Fri Apr 3 2015 Divya Thaluru 1.633-1 -- Initial version. +* Mon Oct 12 2020 Joe Schmitt 1.641-4 +- Use new perl package names. +- Provide perl(DB*) + +* Sat May 09 2020 Nick Samson 1.641-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.641-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.641-1 +- Update to version 1.641 + +* Mon Apr 3 2017 Robert Qi 1.636-1 +- Upgraded to 1.636 + +* Tue May 24 2016 Priyesh Padmavilasom 1.634-2 +- GA - Bump release of all rpms + +* Thu Jan 21 2016 Anish Swaminathan 1.634-1 +- Upgrade version + +* Fri Apr 3 2015 Divya Thaluru 1.633-1 +- Initial version. diff --git a/SPECS/perl-Exporter-Tiny/perl-Exporter-Tiny.spec b/SPECS/perl-Exporter-Tiny/perl-Exporter-Tiny.spec index c8ec4eef21..bfc4f7dc43 100644 --- a/SPECS/perl-Exporter-Tiny/perl-Exporter-Tiny.spec +++ b/SPECS/perl-Exporter-Tiny/perl-Exporter-Tiny.spec 
@@ -61,19 +61,24 @@ rm -rf %{buildroot} %{_mandir}/man3/Exporter::Tiny::Manual* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.002001-4 -- Use new perl package names. -- Provide perl(Exporter::*). -* Sat May 09 00:21:23 PST 2020 Nick Samson - 1.002001-3 +* Mon Oct 12 2020 Joe Schmitt 1.002001-4 +- Use new perl package names. +- Provide perl(Exporter::*). + +* Sat May 09 2020 Nick Samson - 1.002001-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.002001-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.002001-1 -- Update to version 1.002001 -* Wed Mar 29 2017 Robert Qi 0.044-1 -- Upgraded to 0.044. -* Tue May 24 2016 Priyesh Padmavilasom 0.042-2 -- GA - Bump release of all rpms -* Fri Apr 3 2015 Divya Thaluru 0.042-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 1.002001-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.002001-1 +- Update to version 1.002001 + +* Wed Mar 29 2017 Robert Qi 0.044-1 +- Upgraded to 0.044. + +* Tue May 24 2016 Priyesh Padmavilasom 0.042-2 +- GA - Bump release of all rpms + +* Fri Apr 3 2015 Divya Thaluru 0.042-1 +- Initial version. diff --git a/SPECS/perl-File-HomeDir/perl-File-HomeDir.spec b/SPECS/perl-File-HomeDir/perl-File-HomeDir.spec index 755eea08bd..ed9db6238b 100644 --- a/SPECS/perl-File-HomeDir/perl-File-HomeDir.spec +++ b/SPECS/perl-File-HomeDir/perl-File-HomeDir.spec 
@@ -75,20 +75,27 @@ make test %{_mandir}/man3/File::HomeDir::Windows.3pm.gz %changelog -* Mon Oct 12 2020 Joe Schmitt 1.004-5 -- Use new perl package names. -- Provide perl(File::HomeDir*). -* Thu Sep 10 2020 Joe Schmitt 1.004-4 -- Switch to new perl man page extension. -* Sat May 09 00:21:38 PST 2020 Nick Samson 1.004-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.004-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.004-1 -- Update to version 1.004 -* Tue Aug 08 2017 Chang Lee 1.00-3 -- Add perl-File-Which for make check -* Tue May 24 2016 Priyesh Padmavilasom 1.00-2 -- GA - Bump release of all rpms -* Thu Mar 3 2016 Xiaolin Li 1.00-1 -- Initial version. +* Mon Oct 12 2020 Joe Schmitt 1.004-5 +- Use new perl package names. +- Provide perl(File::HomeDir*). + +* Thu Sep 10 2020 Joe Schmitt 1.004-4 +- Switch to new perl man page extension. + +* Sat May 09 2020 Nick Samson 1.004-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.004-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.004-1 +- Update to version 1.004 + +* Tue Aug 08 2017 Chang Lee 1.00-3 +- Add perl-File-Which for make check + +* Tue May 24 2016 Priyesh Padmavilasom 1.00-2 +- GA - Bump release of all rpms + +* Thu Mar 3 2016 Xiaolin Li 1.00-1 +- Initial version. diff --git a/SPECS/perl-File-Which/perl-File-Which.spec b/SPECS/perl-File-Which/perl-File-Which.spec index fd4bc8f97c..0373a9f20d 100644 --- a/SPECS/perl-File-Which/perl-File-Which.spec +++ b/SPECS/perl-File-Which/perl-File-Which.spec 
@@ -57,18 +57,24 @@ make test %changelog -* Mon Oct 12 2020 Joe Schmitt 1.22-5 -- Use new perl package names. -- Provide perl(File::Which). -* Mon Sep 28 2020 Joe Schmitt 1.22-4 -- Switch to new perl man page extension. -* Sat May 09 2020 Nick Samson 1.22-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.22-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.22-1 -- Update to version 1.22 -* Tue May 24 2016 Priyesh Padmavilasom 1.21-2 -- GA - Bump release of all rpms -* Thu Mar 3 2016 Xiaolin Li 1.21-1 -- Initial version. +* Mon Oct 12 2020 Joe Schmitt 1.22-5 +- Use new perl package names. +- Provide perl(File::Which). + +* Mon Sep 28 2020 Joe Schmitt 1.22-4 +- Switch to new perl man page extension. + +* Sat May 09 2020 Nick Samson 1.22-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.22-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.22-1 +- Update to version 1.22 + +* Tue May 24 2016 Priyesh Padmavilasom 1.21-2 +- GA - Bump release of all rpms + +* Thu Mar 3 2016 Xiaolin Li 1.21-1 +- Initial version. diff --git a/SPECS/perl-File-pushd/perl-File-pushd.signatures.json b/SPECS/perl-File-pushd/perl-File-pushd.signatures.json new file mode 100644 index 0000000000..0271f27c01 --- /dev/null +++ b/SPECS/perl-File-pushd/perl-File-pushd.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "File-pushd-1.016.tar.gz": "d73a7f09442983b098260df3df7a832a5f660773a313ca273fa8b56665f97cdc" + } +} \ No newline at end of file diff --git a/SPECS/perl-File-pushd/perl-File-pushd.spec b/SPECS/perl-File-pushd/perl-File-pushd.spec new file mode 100644 index 0000000000..26fe693873 --- /dev/null +++ b/SPECS/perl-File-pushd/perl-File-pushd.spec 
@@ -0,0 +1,206 @@
+Name: perl-File-pushd
+Version: 1.016
+Release: 8%{?dist}
+Summary: Change directory temporarily for a limited scope
+License: ASL 2.0
+Group: Development/Libraries
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://metacpan.org/release/File-pushd
+Source0: http://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/File-pushd-%{version}.tar.gz
+BuildArch: noarch
+# Module Build
+BuildRequires: coreutils
+BuildRequires: make
+BuildRequires: perl
+BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
+# Module Runtime
+BuildRequires: perl(Carp)
+BuildRequires: perl(Cwd)
+BuildRequires: perl(Exporter)
+BuildRequires: perl(File::Path)
+BuildRequires: perl(File::Spec)
+BuildRequires: perl(File::Temp)
+BuildRequires: perl(overload)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+# Test Suite
+BuildRequires: perl(Config)
+BuildRequires: perl(lib)
+BuildRequires: perl(File::Basename)
+BuildRequires: perl(File::Spec::Functions)
+BuildRequires: perl(Test::More) >= 0.96
+# Optional Tests
+BuildRequires: perl(CPAN::Meta) >= 2.120900
+BuildRequires: perl(CPAN::Meta::Prereqs)
+# Dependencies
+Requires: perl
+
+%description
+File::pushd does a temporary chdir that is easily and automatically reverted,
+similar to pushd in some Unix command shells. It works by creating an object
+that caches the original working directory. When the object is destroyed, the
+destructor calls chdir to revert to the original working directory. By storing
+the object in a lexical variable with a limited scope, this happens
+automatically at the end of the scope.
+
+%prep
+%setup -q -n File-pushd-%{version}
+
+%build
+perl Makefile.PL INSTALLDIRS=vendor NO_PERLLOCAL=1 NO_PACKLIST=1
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+%{_fixperms} -c %{buildroot}
+
+%check
+make test
+
+%files
+%license LICENSE
+%doc Changes CONTRIBUTING.mkdn README Todo
+%{perl_vendorlib}/File/
+%{_mandir}/man3/File::pushd.3*
+
+%changelog
+* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 1.016-8
+- Initial CBL-Mariner import from Fedora 32 (license: MIT)
+- License verified
+
+* Thu Jan 30 2020 Fedora Release Engineering - 1.016-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering - 1.016-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova - 1.016-5
+- Perl 5.30 rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1.016-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.016-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 27 2018 Jitka Plesnikova - 1.016-2
+- Perl 5.28 rebuild
+
+* Mon May 21 2018 Paul Howarth - 1.016-1
+- Update to 1.016
+ - Directories created with tempd will only be cleaned up by the PID that
+ created them, not by forked children
+- Switch upstream from search.cpan.org to metacpan.org
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1.014-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1.014-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Jun 04 2017 Jitka Plesnikova - 1.014-3
+- Perl 5.26 rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.014-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Oct 10 2016 Paul Howarth - 1.014-1
+- Update to 1.014
+ - pushd/tempd warn if called in void context (GH#9)
+ - Fixed test failures on some
5.8 perls +- Simplify find command using -delete +- Use features from recent EUMM to simplify %%install +- Use %%license +- Drop redundant Group: tag +- Make %%files list more explicit + +* Sat May 14 2016 Jitka Plesnikova - 1.009-6 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.009-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1.009-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 1.009-3 +- Perl 5.22 rebuild + +* Wed Aug 27 2014 Jitka Plesnikova - 1.009-2 +- Perl 5.20 rebuild + +* Mon Jul 07 2014 Petr Pisar - 1.009-1 +- 1.009 bump + +* Sat Jun 07 2014 Fedora Release Engineering - 1.007-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jun 03 2014 Petr Å abata - 1.007-1 +- 1.007 bump, testsuite enhancements + +* Tue Apr 01 2014 Petr Å abata - 1.006-1 +- 1.006 bump, no code changes + +* Sat Aug 03 2013 Fedora Release Engineering - 1.005-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Sun Jul 21 2013 Petr Pisar - 1.005-2 +- Perl 5.18 rebuild + +* Mon Mar 25 2013 Petr Å abata - 1.005-1 +- 1.005 bump + +* Wed Mar 06 2013 Petr Pisar - 1.004-1 +- 1.004 bump + +* Thu Feb 14 2013 Fedora Release Engineering - 1.003-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Nov 29 2012 Petr Å abata - 1.003-1 +- 1.003 bump + +* Fri Jul 20 2012 Fedora Release Engineering - 1.002-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 07 2012 Petr Pisar - 1.002-3 +- Perl 5.16 rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.002-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 12 2011 Petr Å abata - 1.002-1 +- 1.002 bump + +* Thu Sep 15 2011 Petr Sabata - 1.001-1 +- 1.001 bump +- Remove now obsolete BuildRoot and defattr +- Migrate to EE::MM +- Correct BR + +* Fri Jun 
17 2011 Marcela MaÅ¡láňová - 1.00-9 +- Perl mass rebuild + +* Thu Jun 09 2011 Marcela MaÅ¡láňová - 1.00-8 +- Perl 5.14 mass rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 1.00-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 16 2010 Marcela Maslanova - 1.00-6 +- 661697 rebuild for fixing problems with vendorach/lib + +* Sat May 01 2010 Marcela Maslanova - 1.00-5 +- Mass rebuild with perl-5.12.0 + +* Mon Dec 7 2009 Stepan Kasal - 1.00-4 +- rebuild against perl 5.10.1 + +* Sat Jul 25 2009 Fedora Release Engineering - 1.00-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 26 2009 Fedora Release Engineering - 1.00-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Jan 12 2009 Marcela MaÅ¡láňová 1.00-1 +- Specfile autogenerated by cpanspec 1.77. diff --git a/SPECS/perl-JSON-XS/perl-JSON-XS.spec b/SPECS/perl-JSON-XS/perl-JSON-XS.spec index 6c0dd1f5df..2bfe91c895 100644 --- a/SPECS/perl-JSON-XS/perl-JSON-XS.spec +++ b/SPECS/perl-JSON-XS/perl-JSON-XS.spec 
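Review bot: `Source0` in the new perl-File-pushd.spec fetches the tarball over plain `http://cpan.metacpan.org/...`, while the perl-Module-CPANfile and perl-Parse-PMFile specs added in the same commit use `https://`. The SHA-256 recorded in perl-File-pushd.signatures.json still pins the content, but the download should not depend on that single check; change the line to `Source0: https://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/File-pushd-%{version}.tar.gz`. Separately, the test-only `BuildRequires` under `# Test Suite` and `# Optional Tests` are unconditional here, and likewise under `# tests` in perl-Module-CPANfile.spec, whereas perl-Parse-PMFile.spec wraps its test dependencies in `%if %{with_check}` / `%endif`; using the same guard in all three keeps non-check builds from pulling in packages they do not need.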
@@ -55,19 +55,24 @@ make test %{_mandir}/man[13]/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1:3.04-4 -- Use new perl package names. -- Provide perl(JSON::XS). -* Sat May 09 00:21:43 PST 2020 Nick Samson - 1:3.04-3 +* Mon Oct 12 2020 Joe Schmitt 1:3.04-4 +- Use new perl package names. +- Provide perl(JSON::XS). + +* Sat May 09 2020 Nick Samson - 1:3.04-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 3.04-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 3.04-1 -- Update to version 3.04 -* Wed Apr 05 2017 Robert Qi 3.03-1 -- Add build requires for perl-Canary-Stability, and pass NO_PACKLIST to Makefile.PL. -* Tue May 24 2016 Priyesh Padmavilasom 3.01-2 -- GA - Bump release of all rpms -* Fri Apr 3 2015 Divya Thaluru 3.01-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 3.04-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 3.04-1 +- Update to version 3.04 + +* Wed Apr 05 2017 Robert Qi 3.03-1 +- Add build requires for perl-Canary-Stability, and pass NO_PACKLIST to Makefile.PL. + +* Tue May 24 2016 Priyesh Padmavilasom 3.01-2 +- GA - Bump release of all rpms + +* Fri Apr 3 2015 Divya Thaluru 3.01-1 +- Initial version. diff --git a/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec b/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec index b07c004584..d82737d301 100644 --- a/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec +++ b/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec 
@@ -56,27 +56,41 @@ make test * Fri Apr 02 2021 Thomas Crain - 0.428-7 - Merge the following releases from 1.0 to dev branch - pawelwi@microsoft.com, 1.26-4: Adding 'local::lib' perl5 library to fix test dependencies. -- Removed %%sha1 macro. -- License verified and extended %%license macro to include all license files. +- Removed %%sha1 macro. +- License verified and extended %%license macro to include all license files. -* Mon Oct 12 2020 Joe Schmitt 0.428-6 -- Use new perl package names. -- Provide perl(List::MoreUtils*). -* Mon Sep 28 2020 Joe Schmitt 0.428-5 -- Switch to new perl man page extension. -* Sat May 09 2020 Nick Samson 0.428-4 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 0.428-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Dec 03 2018 Dweep Advani 0.428-2 -- Fix makecheck tests -* Fri Sep 21 2018 Dweep Advani 0.428-1 -- Update to version 0.428 -* Wed Apr 05 2017 Robert Qi 0.418-1 -- Update version to 0.418 -* Tue May 24 2016 Priyesh Padmavilasom 0.413-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Xiaolin Li 0.413-1 -- Updated to version 0.413 -* Fri Apr 3 2015 Divya Thaluru 0.410-1 -- Initial version. +* Fri Nov 13 2020 Pawel Winogrodzki - 0.428-5 +- Adding 'local::lib' perl5 library to fix test dependencies. +- Removed %%sha1 macro. +- License verified and extended %%license macro to include all license files. + +* Mon Oct 12 2020 Joe Schmitt 0.428-6 +- Use new perl package names. +- Provide perl(List::MoreUtils*). + +* Mon Sep 28 2020 Joe Schmitt 0.428-5 +- Switch to new perl man page extension. + +* Sat May 09 2020 Nick Samson 0.428-4 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 0.428-3 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Mon Dec 03 2018 Dweep Advani 0.428-2 +- Fix makecheck tests + +* Fri Sep 21 2018 Dweep Advani 0.428-1 +- Update to version 0.428 + +* Wed Apr 05 2017 Robert Qi 0.418-1 +- Update version to 0.418 + +* Tue May 24 2016 Priyesh Padmavilasom 0.413-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Xiaolin Li 0.413-1 +- Updated to version 0.413 + +* Fri Apr 3 2015 Divya Thaluru 0.410-1 +- Initial version. diff --git a/SPECS/perl-Module-Build/perl-Module-Build.spec b/SPECS/perl-Module-Build/perl-Module-Build.spec index 5394e07ff1..8b9d7165cd 100644 --- a/SPECS/perl-Module-Build/perl-Module-Build.spec +++ b/SPECS/perl-Module-Build/perl-Module-Build.spec 
@@ -79,21 +79,27 @@ LANG=C TEST_SIGNATURE=1 MB_TEST_EXPERIMENTAL=1 ./Build test %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 0.4224-4 -- Use new perl package names. -- Provide perl(Module::Build*) -* Sat May 09 00:20:53 PST 2020 Nick Samson - 0.4224-3 +* Mon Oct 12 2020 Joe Schmitt 0.4224-4 +- Use new perl package names. +- Provide perl(Module::Build*) + +* Sat May 09 2020 Nick Samson - 0.4224-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 0.4224-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 0.4224-1 -- Update to version 0.4224 -* Wed Apr 05 2017 Robert Qi 0.4222-1 -- Update version to 0.4222. -* Tue May 24 2016 Priyesh Padmavilasom 0.4216-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Harish Udaiya Kumar 0.4216-1 -- Upgraded to version 0.4216 -* Wed Jan 13 2016 Anish Swaminathan 0.4214-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 0.4224-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 0.4224-1 +- Update to version 0.4224 + +* Wed Apr 05 2017 Robert Qi 0.4222-1 +- Update version to 0.4222. + +* Tue May 24 2016 Priyesh Padmavilasom 0.4216-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Harish Udaiya Kumar 0.4216-1 +- Upgraded to version 0.4216 + +* Wed Jan 13 2016 Anish Swaminathan 0.4214-1 +- Initial version. diff --git a/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.signatures.json b/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.signatures.json new file mode 100644 index 0000000000..16601bf9ce --- /dev/null +++ b/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "Module-CPANfile-1.1004.tar.gz": "88efbe2e9a642dceaa186430fedfcf999aaf0e06f6cced28a714b8e56b514921" + } +} \ No newline at end of file 
diff --git a/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.spec b/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.spec new file mode 100644 index 0000000000..3b5fa62215 --- /dev/null +++ b/SPECS/perl-Module-CPANfile/perl-Module-CPANfile.spec 
@@ -0,0 +1,146 @@
+Name: perl-Module-CPANfile
+Version: 1.1004
+Release: 8%{?dist}
+Summary: Parse cpanfile
+License: GPL+ OR Artistic
+Group: Development/Libraries
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://metacpan.org/release/Module-CPANfile
+Source0: https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/Module-CPANfile-%{version}.tar.gz
+BuildArch: noarch
+BuildRequires: make
+BuildRequires: perl
+BuildRequires: perl(base)
+BuildRequires: perl(Carp)
+BuildRequires: perl(Cwd)
+BuildRequires: perl(CPAN::Meta) >= 2.12091
+BuildRequires: perl(CPAN::Meta::Feature) >= 2.12091
+BuildRequires: perl(CPAN::Meta::Prereqs) >= 2.12091
+BuildRequires: perl(CPAN::Meta::Requirements)
+BuildRequires: perl(Data::Dumper)
+BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
+BuildRequires: perl(parent)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+# tests
+BuildRequires: perl(Exporter)
+BuildRequires: perl-File-pushd
+BuildRequires: perl(lib)
+BuildRequires: perl(POSIX)
+BuildRequires: perl(Test::More) >= 0.88
+
+Requires: perl(CPAN::Meta) >= 2.12091
+Requires: perl(CPAN::Meta::Prereqs) >= 2.12091
+Requires: perl(CPAN::Meta::Feature) >= 2.12091
+Requires: perl(Data::Dumper)
+Requires: perl(Pod::Usage)
+Requires: perl
+
+%?perl_default_filter
+%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}perl\\(CPAN::Meta\\)$
+
+%description
+Module::CPANfile is a tool to handle cpanfile format to load application
+specific dependencies, not just for CPAN distributions.
+
+%prep
+%setup -q -n Module-CPANfile-%{version}
+
+%build
+perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1
+make %{?_smp_mflags}
+
+%install
+make pure_install DESTDIR=$RPM_BUILD_ROOT
+%{_fixperms} $RPM_BUILD_ROOT/*
+
+%check
+make test
+
+%files
+%license LICENSE
+%doc Changes README
+%{_bindir}/mymeta-cpanfile
+%{_bindir}/cpanfile-dump
+%{perl_vendorlib}/*
+%{_mandir}/man1/mymeta-cpanfile*
+%{_mandir}/man1/cpanfile-dump*
+%{_mandir}/man3/*
+
+%changelog
+* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 1.1004-8
+- Initial CBL-Mariner import from Fedora 32 (license: MIT)
+- License verified
+
+* Thu Jan 30 2020 Fedora Release Engineering - 1.1004-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering - 1.1004-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova - 1.1004-5
+- Perl 5.30 rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1.1004-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.1004-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 28 2018 Jitka Plesnikova - 1.1004-2
+- Perl 5.28 rebuild
+
+* Fri Apr 27 2018 Jitka Plesnikova - 1.1004-1
+- 1.1004 bump
+
+* Mon Apr 23 2018 Jitka Plesnikova - 1.1003-1
+- 1.1003 bump
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1.1002-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1.1002-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Jun 04 2017 Jitka Plesnikova - 1.1002-4
+- Perl 5.26 rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.1002-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sun May 15 2016 Jitka Plesnikova - 1.1002-2
+- Perl 5.24 rebuild
+
+* Mon Feb 15 2016 Petr Pisar - 1.1002-1
+- 1.1002 bump
+
+* Thu Feb 04 2016 Fedora Release
Engineering - 1.1001-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Sep 07 2015 Jitka Plesnikova - 1.1001-1 +- 1.1001 bump + +* Thu Jun 18 2015 Fedora Release Engineering - 1.1000-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 1.1000-2 +- Perl 5.22 rebuild + +* Fri Sep 19 2014 Jitka Plesnikova - 1.1000-1 +- 1.1000 bump + +* Wed Aug 27 2014 Jitka Plesnikova - 1.0001-5 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.0001-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Aug 30 2013 Marcela MaÅ¡láňová 1.0001-3 +- fix all problems found in review rhbz#929254 + +* Tue Aug 27 2013 Marcela MaÅ¡láňová 1.0001-2 +- fix all problems found in review rhbz#929254 + +* Tue Aug 27 2013 Marcela MaÅ¡láňová 1.0001-1 +- Specfile autogenerated by cpanspec 1.78. diff --git a/SPECS/perl-Module-Install/perl-Module-Install.spec b/SPECS/perl-Module-Install/perl-Module-Install.spec index 2864995d9a..fc401cfda9 100644 --- a/SPECS/perl-Module-Install/perl-Module-Install.spec +++ b/SPECS/perl-Module-Install/perl-Module-Install.spec 
@@ -90,23 +90,30 @@ make %{?_smp_mflags} test AUTOMATED_TESTING=1 %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.19-4 -- Use new perl package names. -- Provide perl(Module::*). -* Sat May 09 00:20:49 PST 2020 Nick Samson - 1.19-3 +* Mon Oct 12 2020 Joe Schmitt 1.19-4 +- Use new perl package names. +- Provide perl(Module::*). + +* Sat May 09 2020 Nick Samson - 1.19-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.19-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.19-1 -- Update to version 1.19 -* Wed Apr 05 2017 Robert Qi 1.18-1 -- Update version to 1.18. -* Wed Oct 05 2016 ChangLee 1.16-3 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 1.16-2 -- GA - Bump release of all rpms -* Thu Feb 25 2016 Anish Swaminathan 1.16-1 -- Upgrade version to 1.16 -* Fri Apr 3 2015 Divya Thaluru 1.14-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 1.19-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.19-1 +- Update to version 1.19 + +* Wed Apr 05 2017 Robert Qi 1.18-1 +- Update version to 1.18. + +* Wed Oct 05 2016 ChangLee 1.16-3 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom 1.16-2 +- GA - Bump release of all rpms + +* Thu Feb 25 2016 Anish Swaminathan 1.16-1 +- Upgrade version to 1.16 + +* Fri Apr 3 2015 Divya Thaluru 1.14-1 +- Initial version. diff --git a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec index d0de5f521b..2329ee2842 100644 --- a/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec +++ b/SPECS/perl-Module-ScanDeps/perl-Module-ScanDeps.spec 
@@ -57,21 +57,27 @@ make %{?_smp_mflags} test %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.25-4 -- Use new perl package names. -- Provide perl(Module::ScanDeps*). -* Sat May 09 00:21:28 PST 2020 Nick Samson - 1.25-3 +* Mon Oct 12 2020 Joe Schmitt 1.25-4 +- Use new perl package names. +- Provide perl(Module::ScanDeps*). + +* Sat May 09 2020 Nick Samson - 1.25-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.25-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.25-1 -- Update to version 1.25 -* Wed Apr 05 2017 Robert Qi 1.23-1 -- Update version to 1.23 -* Wed Oct 05 2016 ChangLee 1.18-3 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 1.18-2 -- GA - Bump release of all rpms -* Fri Apr 3 2015 Divya Thaluru 1.18-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 1.25-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.25-1 +- Update to version 1.25 + +* Wed Apr 05 2017 Robert Qi 1.23-1 +- Update version to 1.23 + +* Wed Oct 05 2016 ChangLee 1.18-3 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom 1.18-2 +- GA - Bump release of all rpms + +* Fri Apr 3 2015 Divya Thaluru 1.18-1 +- Initial version. diff --git a/SPECS/perl-NetAddr-IP/perl-NetAddr-IP.spec b/SPECS/perl-NetAddr-IP/perl-NetAddr-IP.spec index 6483512e93..6a64e7fef7 100644 --- a/SPECS/perl-NetAddr-IP/perl-NetAddr-IP.spec +++ b/SPECS/perl-NetAddr-IP/perl-NetAddr-IP.spec 
@@ -46,14 +46,16 @@ make test %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 4.079-4 -- Use new perl package names. -- Change perl_vendorlib to perl_vendorarch directory for packaging. -- Provide perl(NetAddr::IP*). -* Sat May 09 00:21:00 PST 2020 Nick Samson - 4.079-3 +* Mon Oct 12 2020 Joe Schmitt 4.079-4 +- Use new perl package names. +- Change perl_vendorlib to perl_vendorarch directory for packaging. +- Provide perl(NetAddr::IP*). + +* Sat May 09 2020 Nick Samson - 4.079-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 4.079-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Sep 27 2018 Srivatsa S. Bhat 4.079-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 4.079-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Sep 27 2018 Srivatsa S. Bhat 4.079-1 +- Initial version. diff --git a/SPECS/perl-Parse-PMFile/Parse-PMFile-0.41-Do-not-use-ExtUtils-MakeMaker-CPANfile.patch b/SPECS/perl-Parse-PMFile/Parse-PMFile-0.41-Do-not-use-ExtUtils-MakeMaker-CPANfile.patch new file mode 100644 index 0000000000..b776c36cc5 --- /dev/null +++ b/SPECS/perl-Parse-PMFile/Parse-PMFile-0.41-Do-not-use-ExtUtils-MakeMaker-CPANfile.patch 
@@ -0,0 +1,32 @@ +From 76f72eb15b44af89a089d30b14d5f5d4d6829f7a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 1 Jun 2018 09:28:17 +0200 +Subject: [PATCH] Do not use ExtUtils::MakeMaker::CPANfile +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The Makefile.PL works as well as with plain ExtUtils::MakeMaker. +rpmbuild does not read dependencies from META, thus cpanfile content +is irrelevant when building an RPM package. + +Signed-off-by: Petr PísaÅ™ +--- + Makefile.PL | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/Makefile.PL b/Makefile.PL +index a4faee1..b4bb0d8 100644 +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -1,6 +1,6 @@ + use strict; + use warnings; +-use ExtUtils::MakeMaker::CPANfile; ++use ExtUtils::MakeMaker; + + my %params = ( + NAME => 'Parse::PMFile', +-- +2.14.4 + diff --git a/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.signatures.json b/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.signatures.json new file mode 100644 index 0000000000..2d58a39dc1 --- /dev/null +++ b/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "Parse-PMFile-0.42.tar.gz": "e7f6c70932b86eb4a2426569e33d2b651b52a24e5d0c0dcb3849d045b52c736c" + } +} \ No newline at end of file diff --git a/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.spec b/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.spec new file mode 100644 index 0000000000..be01f907d8 --- /dev/null +++ b/SPECS/perl-Parse-PMFile/perl-Parse-PMFile.spec 
@@ -0,0 +1,155 @@ +Name: perl-Parse-PMFile +Version: 0.42 +Release: 4%{?dist} +Summary: Parses .pm file as PAUSE does +License: GPL+ OR Artistic +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/Parse-PMFile +Source0: https://cpan.metacpan.org/authors/id/I/IS/ISHIGAKI/Parse-PMFile-%{version}.tar.gz +# Remove useless dependency on ExtUtils::MakeMaker::CPANfile +Patch0: Parse-PMFile-0.41-Do-not-use-ExtUtils-MakeMaker-CPANfile.patch +BuildArch: noarch +BuildRequires: make +BuildRequires: perl +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Run-time +BuildRequires: perl(Dumpvalue) +BuildRequires: perl(File::Spec) +BuildRequires: perl(JSON::PP) >= 2.00 +BuildRequires: perl(Safe) +BuildRequires: perl(version) >= 0.83 +# Tests +%if %{with_check} +BuildRequires: perl(File::Temp) >= 0.19 +BuildRequires: perl(FindBin) +BuildRequires: perl(Opcode) +BuildRequires: perl(Test::More) >= 0.88 +%endif +Requires: perl +Requires: perl(JSON::PP) >= 2.00 +Requires: perl(version) >= 0.83 + +# Remove under-specified dependencies +%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\((JSON::PP|version)\\)$ + +%description +The most of the code of this module is taken from the PAUSE code as of +April 2013 almost verbatim. Thus, the heart of this module should be quite +stable. However, I made it not to use pipe ("-|") as well as I stripped +database-related code. If you encounter any issue, that's most probably +because of my modification. 
+ +%prep +%setup -q -n Parse-PMFile-%{version} +%patch0 -p1 + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +%{make_build} + +%install +%{make_install} +%{_fixperms} $RPM_BUILD_ROOT/* + +%check +unset TEST_POD +make test + +%files +%doc Changes README +%{perl_vendorlib}/* +%{_mandir}/man3/* + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 0.42-4 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Fri Jan 29 2021 Joe Schmitt - 0.42-3 +- Disable optional tests + +* Thu Jan 30 2020 Fedora Release Engineering - 0.42-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Nov 11 2019 Jitka Plesnikova - 0.42-1 +- 0.42 bump + +* Fri Jul 26 2019 Fedora Release Engineering - 0.41-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu May 30 2019 Jitka Plesnikova - 0.41-10 +- Perl 5.30 rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 0.41-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.41-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 0.41-7 +- Perl 5.28 rebuild + +* Fri Jun 01 2018 Petr Pisar - 0.41-6 +- Remove useless dependency on ExtUtils::MakeMaker::CPANfile +- Modernize the spec file + +* Fri Feb 09 2018 Fedora Release Engineering - 0.41-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.41-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 0.41-3 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.41-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 04 2016 Jitka Plesnikova - 0.41-1 +- 0.41 bump + +* Sun May 15 2016 Jitka Plesnikova - 0.40-2 +- Perl 5.24 rebuild + +* Mon Feb 22 2016 Jitka Plesnikova - 0.40-1 +- 0.40 
bump + +* Thu Feb 04 2016 Fedora Release Engineering - 0.39-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Jan 11 2016 Jitka Plesnikova - 0.39-1 +- 0.39 bump + +* Thu Jun 18 2015 Fedora Release Engineering - 0.36-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 04 2015 Jitka Plesnikova - 0.36-2 +- Perl 5.22 rebuild + +* Mon Apr 20 2015 Jitka Plesnikova - 0.36-1 +- 0.36 bump + +* Tue Feb 03 2015 Jitka Plesnikova - 0.35-1 +- 0.35 bump + +* Mon Dec 15 2014 Jitka Plesnikova - 0.33-1 +- 0.33 bump + +* Thu Dec 11 2014 Jitka Plesnikova - 0.31-1 +- 0.31 bump + +* Mon Dec 08 2014 Jitka Plesnikova - 0.30-1 +- 0.30 bump + +* Mon Oct 13 2014 Jitka Plesnikova - 0.29-1 +- 0.29 bump + +* Wed Oct 08 2014 Jitka Plesnikova - 0.28-1 +- 0.28 bump + +* Tue Sep 23 2014 Jitka Plesnikova - 0.26-1 +- Specfile autogenerated by cpanspec 1.78. diff --git a/SPECS/perl-Path-Class/perl-Path-Class.spec b/SPECS/perl-Path-Class/perl-Path-Class.spec index ff91f74ea9..4ed782e33a 100644 --- a/SPECS/perl-Path-Class/perl-Path-Class.spec +++ b/SPECS/perl-Path-Class/perl-Path-Class.spec 
@@ -47,18 +47,22 @@ make test %{_mandir}/man?/* %changelog -* Mon Oct 12 2020 Joe Schmitt 0.37-6 -- Use new perl package names. -- Build with NO_PACKLIST option. -- Provide perl(Path::Class*). -* Sat May 09 00:20:47 PST 2020 Nick Samson - 0.37-5 +* Mon Oct 12 2020 Joe Schmitt 0.37-6 +- Use new perl package names. +- Build with NO_PACKLIST option. +- Provide perl(Path::Class*). + +* Sat May 09 2020 Nick Samson - 0.37-5 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 0.37-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 0.37-3 -- Consuming perl version upgrade of 5.28.0 -* Tue Apr 25 2017 Priyesh Padmavilasom 0.37-2 -- Fix arch -* Wed Apr 19 2017 Xiaolin Li 0.37-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 0.37-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 0.37-3 +- Consuming perl version upgrade of 5.28.0 + +* Tue Apr 25 2017 Priyesh Padmavilasom 0.37-2 +- Fix arch + +* Wed Apr 19 2017 Xiaolin Li 0.37-1 +- Initial version. diff --git a/SPECS/perl-Pod-Parser/perl-Pod-Parser.signatures.json b/SPECS/perl-Pod-Parser/perl-Pod-Parser.signatures.json new file mode 100644 index 0000000000..4547551586 --- /dev/null +++ b/SPECS/perl-Pod-Parser/perl-Pod-Parser.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "Pod-Parser-1.63.tar.gz": "dbe0b56129975b2f83a02841e8e0ed47be80f060686c66ea37e529d97aa70ccd" + } +} \ No newline at end of file diff --git a/SPECS/perl-Pod-Parser/perl-Pod-Parser.spec b/SPECS/perl-Pod-Parser/perl-Pod-Parser.spec new file mode 100644 index 0000000000..36777d59e6 --- /dev/null +++ b/SPECS/perl-Pod-Parser/perl-Pod-Parser.spec 
@@ -0,0 +1,206 @@ +Summary: Basic perl modules for handling Plain Old Documentation (POD) +Name: perl-Pod-Parser +Version: 1.63 +Release: 448%{?dist} +License: GPL+ or Artistic +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/Pod-Parser +Source0: https://cpan.metacpan.org/authors/id/M/MA/MAREKR/Pod-Parser-%{version}.tar.gz +BuildArch: noarch +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: make +BuildRequires: perl-interpreter +BuildRequires: perl(:VERSION) >= 5.5.0 +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(File::Spec) >= 0.82 +# Run-time: +BuildRequires: perl(Carp) +BuildRequires: perl(Config) +BuildRequires: perl(Cwd) +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Find) +BuildRequires: perl(strict) +# Symbol not used since perl 5.6 +BuildRequires: perl(vars) +# Tests: +%if %{with_check} +BuildRequires: perl(File::Basename) +BuildRequires: perl(FileHandle) +BuildRequires: perl(Test) +BuildRequires: perl(Test::More) >= 0.6 +BuildRequires: perl(IO::String) +BuildRequires: perl(Pod::Checker) >= 1.40 +%endif +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(Config) +# Circular dependency Pod::Usage <-> Pod::Select + +%description +This software distribution contains the packages for using Perl5 POD (Plain +Old Documentation). See the "perlpod" and "perlsyn" manual pages from your +Perl5 distribution for more information about POD. 
+ +%prep +%setup -q -n Pod-Parser-%{version} +find -type f -exec chmod -x {} + +chmod +x scripts/* +for F in ANNOUNCE CHANGES README TODO; do + tr -d '\r' < "$F" > "${F}.unix" + touch -r "$F" "${F}.unix" + mv "${F}.unix" "$F" +done + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +%{make_build} + +%install +%{make_install} +%{_fixperms} $RPM_BUILD_ROOT/* + +%check +make test + +%files +%doc ANNOUNCE CHANGES README TODO +%{_bindir}/podselect +%{perl_vendorlib}/* +%{_mandir}/man1/* +%{_mandir}/man3/* + +%changelog +* Wed Aug 18 2021 Thomas Crain - 1.63-448 +- Initial CBL-Mariner import from Fedora 35 (license: MIT) + +* Tue Jul 27 2021 Fedora Release Engineering - 1.63-447 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri May 21 2021 Jitka Plesnikova - 1.63-446 +- Perl 5.34 rebuild + +* Wed Jan 27 2021 Fedora Release Engineering - 1.63-445 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Petr Pisar - 1.63-444 +- Modernize a spec file + +* Fri Jun 26 2020 Jitka Plesnikova - 1.63-443 +- Perl 5.32 re-rebuild of bootstrapped packages + +* Mon Jun 22 2020 Jitka Plesnikova - 1.63-442 +- Perl 5.32 rebuild + +* Thu Jan 30 2020 Fedora Release Engineering - 1.63-441 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 1.63-440 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Jun 02 2019 Jitka Plesnikova - 1.63-439 +- Perl 5.30 re-rebuild of bootstrapped packages + +* Thu May 30 2019 Jitka Plesnikova - 1.63-438 +- Increase release to favour standalone package + +* Fri Feb 01 2019 Fedora Release Engineering - 1.63-419 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.63-418 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sat Jun 30 2018 Jitka Plesnikova - 1.63-417 +- Perl 5.28 
re-rebuild of bootstrapped packages + +* Wed Jun 27 2018 Jitka Plesnikova - 1.63-416 +- Increase release to favour standalone package + +* Fri Feb 09 2018 Fedora Release Engineering - 1.63-396 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.63-395 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 07 2017 Jitka Plesnikova - 1.63-394 +- Perl 5.26 re-rebuild of bootstrapped packages + +* Sat Jun 03 2017 Jitka Plesnikova - 1.63-393 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1.63-367 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed May 18 2016 Jitka Plesnikova - 1.63-366 +- Perl 5.24 re-rebuild of bootstrapped packages + +* Sat May 14 2016 Jitka Plesnikova - 1.63-365 +- Increase release to favour standalone package + +* Thu Feb 04 2016 Fedora Release Engineering - 1.63-348 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1.63-347 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 10 2015 Jitka Plesnikova - 1.63-346 +- Perl 5.22 re-rebuild of bootstrapped packages + +* Thu Jun 04 2015 Jitka Plesnikova - 1.63-345 +- Increase release to favour standalone package + +* Wed Jun 03 2015 Jitka Plesnikova - 1.63-2 +- Perl 5.22 rebuild + +* Wed Feb 11 2015 Petr Pisar - 1.63-1 +- 1.63 bump + +* Sun Sep 07 2014 Jitka Plesnikova - 1.62-311 +- Perl 5.20 re-rebuild of bootstrapped packages + +* Wed Sep 03 2014 Jitka Plesnikova - 1.62-310 +- Increase release to favour standalone package + +* Tue Aug 26 2014 Jitka Plesnikova - 1.62-3 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.62-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Feb 04 2014 Petr Pisar - 1.62-1 +- 1.62 bump + +* Sun Aug 04 2013 Fedora Release Engineering - 1.61-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Jul 12 2013 Petr Pisar - 1.61-2 +- Perl 5.18 rebuild + +* Tue Jun 04 2013 Petr Pisar - 1.61-1 +- 1.61 bump + +* Mon Feb 11 2013 Petr Pisar - 1.60-3 +- Correct dependencies + +* Fri Feb 08 2013 Petr Pisar - 1.60-2 +- Remove bootstrap conditions + +* Tue Feb 05 2013 Petr Pisar - 1.60-1 +- 1.60 bump + +* Mon Feb 04 2013 Petr Pisar - 1.51-248 +- Sub-package Pod-Usage +- Sub-package Pod-Checker + +* Wed Jan 16 2013 Petr Pisar - 1.51-247 +- Increase release to supersede perl sub-package + +* Fri Jul 20 2012 Fedora Release Engineering - 1.51-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jul 02 2012 Petr Pisar - 1.51-2 +- Perl 5.16 rebuild + +* Mon Jun 25 2012 Petr Pisar - 1.51-1 +- Specfile autogenerated by cpanspec 1.78. \ No newline at end of file diff --git a/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.signatures.json b/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.signatures.json new file mode 100644 index 0000000000..9871f97c57 --- /dev/null +++ b/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "String-ShellQuote-1.04.tar.gz": "e606365038ce20d646d255c805effdd32f86475f18d43ca75455b00e4d86dd35" + } +} \ No newline at end of file diff --git a/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.spec b/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.spec new file mode 100644 index 0000000000..d7b695e35e --- /dev/null +++ b/SPECS/perl-String-ShellQuote/perl-String-ShellQuote.spec 
@@ -0,0 +1,204 @@ +Name: perl-String-ShellQuote +Version: 1.04 +Release: 30%{?dist} +Summary: Perl module for quoting strings for passing through the shell +License: (GPL+ OR Artistic) and GPLv2+ +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/String-ShellQuote +Source0: https://cpan.metacpan.org/authors/id/R/RO/ROSCH/String-ShellQuote-%{version}.tar.gz +BuildArch: noarch +# Build +BuildRequires: perl +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +# Runtime +BuildRequires: perl(Carp) +BuildRequires: perl(Exporter) +# RS::Handy is never used +BuildRequires: perl(strict) +BuildRequires: perl(vars) +# Tests only +Requires: perl +Requires: perl(Carp) +Requires: perl(Getopt::Long) + +%description +This package contains a Perl module and a command line utility which +are useful for quoting strings which are going to pass through the +shell or a shell-like object. + +%prep +%setup -q -n String-ShellQuote-%{version} + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +%{_fixperms} %{buildroot}/* + +%check +make test + +%files +%doc Changes README +%{_bindir}/shell-quote +%{perl_vendorlib}/String +%{_mandir}/man1/* +%{_mandir}/man3/* + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 1.04-30 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Thu Jan 30 2020 Fedora Release Engineering - 1.04-29 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 1.04-28 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu May 30 2019 Jitka Plesnikova - 1.04-27 +- Perl 5.30 rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 1.04-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.04-25 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 1.04-24 +- Perl 5.28 rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 1.04-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.04-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 1.04-21 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1.04-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun May 15 2016 Jitka Plesnikova - 1.04-19 +- Perl 5.24 rebuild + +* Tue Mar 01 2016 Petr Å abata - 1.04-18 +- Package cleanup + +* Thu Feb 04 2016 Fedora Release Engineering - 1.04-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1.04-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 1.04-15 +- Perl 5.22 rebuild + +* Wed Aug 27 2014 Jitka Plesnikova - 1.04-14 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.04-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Petr Pisar - 1.04-12 +- Perl 5.18 rebuild + +* Tue Jul 30 2013 Petr Pisar - 1.04-11 +- Add GPLv2+ to the license declaration due to shell-quote(1) +- Specify all dependencies + +* Thu Jul 18 2013 Petr Pisar - 1.04-10 +- Perl 5.18 rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 1.04-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Aug 17 2012 Petr Pisar - 1.04-8 +- Specify all dependencies + +* Fri Jul 20 2012 Fedora Release Engineering - 1.04-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 11 2012 Petr Pisar - 1.04-6 +- Perl 5.16 rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.04-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* 
Fri Jun 17 2011 Marcela MaÅ¡láňová - 1.04-4 +- Perl mass rebuild + +* Wed Feb 09 2011 Fedora Release Engineering - 1.04-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 22 2010 Marcela Maslanova - 1.04-2 +- 661697 rebuild for fixing problems with vendorach/lib + +* Sat Dec 18 2010 Steven Pritchard 1.04-1 +- Update to 1.04. + +* Thu May 06 2010 Marcela Maslanova - 1.03-9 +- Mass rebuild with perl-5.12.0 + +* Mon Dec 7 2009 Stepan Kasal - 1.03-8 +- rebuild against perl 5.10.1 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.03-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 26 2009 Fedora Release Engineering - 1.03-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Mar 6 2008 Tom "spot" Callaway 1.03-5 +- rebuild for new perl + +* Wed Apr 18 2007 Steven Pritchard 1.03-4 +- Reformat to match cpanspec output. +- Use fixperms macro instead of our own chmod incantation. +- BR ExtUtils::MakeMaker. + +* Tue Aug 29 2006 Ville Skyttä - 1.03-3 +- Fix order of arguments to find(1). +- Drop version from perl build dependency. + +* Wed May 4 2005 Ville Skyttä - 1.03-2 +- 1.03. + +* Fri Apr 7 2005 Michael Schwendt +- rebuilt + +* Thu Dec 16 2004 Ville Skyttä - 0:1.00-8 +- Sync with fedora-rpmdevtools' Perl spec template to fix x86_64 build. + +* Thu Sep 11 2003 Ville Skyttä - 0:1.00-0.fdr.7 +- Specfile cleanup, using INSTALLDIRS=vendor, PERL_INSTALL_ROOT and + INSTALLARCHLIB. + +* Sun Aug 31 2003 Ville Skyttä - 0:1.00-0.fdr.6 +- Get rid of perllocal.pod, .packlist and empty *.bs. + Some of the files don't exist with this package but I want a good template + %%install section :) + +* Sun Aug 31 2003 Ville Skyttä - 0:1.00-0.fdr.5 +- Install into vendor dirs. + +* Sun Jul 13 2003 Ville Skyttä - 0:1.00-0.fdr.4 +- Update description. +- Small spec cleanups. + +* Sun May 4 2003 Ville Skyttä - 0:1.00-0.fdr.3 +- Own more dirs. 
+ +* Sun Apr 13 2003 Ville Skyttä - 0:1.00-0.fdr.2 +- Save .spec in UTF-8. + +* Sat Mar 22 2003 Ville Skyttä - 0:1.00-0.fdr.1 +- Update to current Fedora guidelines. + +* Fri Feb 7 2003 Ville Skyttä - 1.00-1.fedora.1 +- First Fedora release. diff --git a/SPECS/perl-Types-Serialiser/perl-Types-Serialiser.spec b/SPECS/perl-Types-Serialiser/perl-Types-Serialiser.spec index 698c4e792e..9875b99ead 100644 --- a/SPECS/perl-Types-Serialiser/perl-Types-Serialiser.spec +++ b/SPECS/perl-Types-Serialiser/perl-Types-Serialiser.spec @@ -60,17 +60,21 @@ rm -rf %{buildroot} %{_mandir}/man3/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.0-6 -- Use new perl package names. -- Provide perl(Types::Serialiser*). -* Sat May 09 00:21:01 PST 2020 Nick Samson - 1.0-5 +* Mon Oct 12 2020 Joe Schmitt 1.0-6 +- Use new perl package names. +- Provide perl(Types::Serialiser*). + +* Sat May 09 2020 Nick Samson - 1.0-5 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.0-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.0-3 -- Consuming perl version upgrade of 5.28.0 -* Tue May 24 2016 Priyesh Padmavilasom 1.0-2 -- GA - Bump release of all rpms -* Fri Apr 3 2015 Divya Thaluru 1.0-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 1.0-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.0-3 +- Consuming perl version upgrade of 5.28.0 + +* Tue May 24 2016 Priyesh Padmavilasom 1.0-2 +- GA - Bump release of all rpms + +* Fri Apr 3 2015 Divya Thaluru 1.0-1 +- Initial version. diff --git a/SPECS/perl-WWW-Curl/perl-WWW-Curl.spec b/SPECS/perl-WWW-Curl/perl-WWW-Curl.spec index 7c01710c61..3ca2fa4785 100644 --- a/SPECS/perl-WWW-Curl/perl-WWW-Curl.spec +++ b/SPECS/perl-WWW-Curl/perl-WWW-Curl.spec 
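Review bot: The `# Tests only` comment in the perl-String-ShellQuote.spec dependency block is followed directly by `Requires: perl`, so it labels nothing, while `%check` still runs `make test`. The other specs added in this change (perl-Parse-PMFile, perl-Pod-Parser, perl-local-lib) declare their test modules under `%if %{with_check}`. If the test script here loads anything beyond the base perl package, which I cannot tell from the hunk, a RUN_CHECK=y build would fail on a missing module. Either drop the dangling comment or add a `%if %{with_check}` / `%endif` block listing the modules the test script actually uses.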
@@ -7,7 +7,7 @@ Summary: Perl extension interface for libcurl Name: perl-WWW-Curl Version: 4.17 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner 
@@ -75,28 +75,43 @@ make test %{_mandir}/man3/* %changelog -* Fri Apr 02 2021 Thomas Crain - 4.17-10 +* Fri Apr 02 2021 Thomas Crain - 4.17-11 - Merge the following releases from 1.0 to dev branch - pawelwi@microsoft.com, 4.17-10: Adapting Fedora 32 patch (license: MIT) for "curl" versions >= 7.69.0. +- JOSLOBO 7/26/21: Bump dash version due to merge. -* Mon Oct 12 2020 Joe Schmitt 4.17-9 -- Use new perl package names. -- Provide perl(WWW::Curl*). -* Tue May 19 2020 Pawel Winogrodzki 4.17-8 -- Adding a patch to build with "curl" version >= 7.66.0. -- License verified. -- Updated the 'Source0' and 'URL' tags. -* Sat May 09 00:20:47 PST 2020 Nick Samson - 4.17-7 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 4.17-6 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 4.17-5 -- Consuming perl version upgrade of 5.28.0 -* Wed Dec 07 2016 Xiaolin Li 4.17-4 -- BuildRequires curl-devel. -* Thu Sep 15 2016 Xiaolin Li 4.17-3 -- Build WWW-Curl with curl 7.50.3 -* Tue May 24 2016 Priyesh Padmavilasom 4.17-2 -- GA - Bump release of all rpms -* Fri Apr 3 2015 Divya Thaluru 4.17-1 -- Initial version. +* Tue Dec 29 2020 Pawel Winogrodzki - 4.17-10 (from 1.0 branch) +- Adapting Fedora 32 patch (license: MIT) for "curl" versions >= 7.69.0. + +* Mon Oct 12 2020 Joe Schmitt 4.17-9 (from dev branch) +- Use new perl package names. +- Provide perl(WWW::Curl*). + +* Tue Aug 11 2020 Andrew Phelps - 4.17-9 (from 1.0 branch) +- Add provides for perl(WWW::Curl::Easy) + +* Tue May 19 2020 Pawel Winogrodzki - 4.17-8 +- Adding a patch to build with "curl" version >= 7.66.0. +- License verified. +- Updated the 'Source0' and 'URL' tags. + +* Sat May 09 2020 Nick Samson - 4.17-7 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz - 4.17-6 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Fri Sep 21 2018 Dweep Advani - 4.17-5 +- Consuming perl version upgrade of 5.28.0 + +* Wed Dec 07 2016 Xiaolin Li - 4.17-4 +- BuildRequires curl-devel. + +* Thu Sep 15 2016 Xiaolin Li - 4.17-3 +- Build WWW-Curl with curl 7.50.3 + +* Tue May 24 2016 Priyesh Padmavilasom - 4.17-2 +- GA - Bump release of all rpms + +* Fri Apr 3 2015 Divya Thaluru - 4.17-1 +- Initial version. diff --git a/SPECS/perl-YAML-Tiny/perl-YAML-Tiny.spec b/SPECS/perl-YAML-Tiny/perl-YAML-Tiny.spec index b1cac2b55f..e0882aa90e 100644 --- a/SPECS/perl-YAML-Tiny/perl-YAML-Tiny.spec +++ b/SPECS/perl-YAML-Tiny/perl-YAML-Tiny.spec @@ -45,21 +45,27 @@ make test %{_mandir}/man3/YAML::Tiny.3* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.73-4 -- Use new perl package names. -- Provide perl(YAML::Tiny). -* Sat May 09 00:21:15 PST 2020 Nick Samson - 1.73-3 +* Mon Oct 12 2020 Joe Schmitt 1.73-4 +- Use new perl package names. +- Provide perl(YAML::Tiny). + +* Sat May 09 2020 Nick Samson - 1.73-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.73-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.73-1 -- Update to version 1.73 -* Wed Apr 05 2017 Robert Qi 1.70-1 -- Update version to 1.70 -* Tue May 24 2016 Priyesh Padmavilasom 1.69-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Harish Udaiya Kumar 1.69-1 -- Upgraded to version 1.69 -* Fri Apr 3 2015 Divya Thaluru 1.66-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 1.73-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.73-1 +- Update to version 1.73 + +* Wed Apr 05 2017 Robert Qi 1.70-1 +- Update version to 1.70 + +* Tue May 24 2016 Priyesh Padmavilasom 1.69-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Harish Udaiya Kumar 1.69-1 +- Upgraded to version 1.69 + +* Fri Apr 3 2015 Divya Thaluru 1.66-1 +- Initial version. 
diff --git a/SPECS/perl-common-sense/perl-common-sense.spec b/SPECS/perl-common-sense/perl-common-sense.spec index d08765d9de..68868475de 100644 --- a/SPECS/perl-common-sense/perl-common-sense.spec +++ b/SPECS/perl-common-sense/perl-common-sense.spec @@ -72,19 +72,24 @@ rm -rf %{buildroot} %{_mandir}/man3/common::sense.3* %changelog -* Mon Oct 12 2020 Joe Schmitt 3.74-6 -- Use new perl package names. -- Provide perl(common::sense). -* Sat May 09 00:21:32 PST 2020 Nick Samson - 3.74-5 +* Mon Oct 12 2020 Joe Schmitt 3.74-6 +- Use new perl package names. +- Provide perl(common::sense). + +* Sat May 09 2020 Nick Samson - 3.74-5 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 3.74-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 3.74-3 -- Consuming perl version upgrade of 5.28.0 -* Tue May 24 2016 Priyesh Padmavilasom 3.74-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Harish Udaiya Kumar 3.74-1 -- Upgraded to version 3.74 -* Fri Apr 3 2015 Divya Thaluru 3.73-1 -- Initial version. +* Tue Sep 03 2019 Mateusz Malisz 3.74-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 3.74-3 +- Consuming perl version upgrade of 5.28.0 + +* Tue May 24 2016 Priyesh Padmavilasom 3.74-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Harish Udaiya Kumar 3.74-1 +- Upgraded to version 3.74 + +* Fri Apr 3 2015 Divya Thaluru 3.73-1 +- Initial version. diff --git a/SPECS/perl-libintl-perl/perl-libintl-perl.spec b/SPECS/perl-libintl-perl/perl-libintl-perl.spec index 2c0e19bf93..0f649a1fce 100644 --- a/SPECS/perl-libintl-perl/perl-libintl-perl.spec +++ b/SPECS/perl-libintl-perl/perl-libintl-perl.spec 
@@ -198,22 +198,30 @@ make test %{_mandir}/man?/* %changelog -* Mon Oct 12 2020 Joe Schmitt 1.29-5 -- Use new perl package names. -- Provide perl(Locale::*). -* Sat May 09 2020 Nick Samson 1.29-4 -- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 1.29-3 -- Renaming perl-libintl to perl-libintl-perl -* Tue Sep 03 2019 Mateusz Malisz 1.29-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 1.29-1 -- Update to version 1.29 -* Mon Apr 03 2017 Rongrong Qiu 1.26-1 -- upgrade for 2.0 -* Tue May 24 2016 Priyesh Padmavilasom 1.24-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Harish Udaiya Kumar 1.24-1 -- Upgraded to version 1.24 -* Fri Apr 3 2015 Divya Thaluru 1.23-1 -- Initial version. +* Mon Oct 12 2020 Joe Schmitt 1.29-5 +- Use new perl package names. +- Provide perl(Locale::*). + +* Sat May 09 2020 Nick Samson - 1.29-4 +- Added %%license line automatically + +* Thu Apr 30 2020 Emre Girgin 1.29-3 +- Renaming perl-libintl to perl-libintl-perl + +* Tue Sep 03 2019 Mateusz Malisz 1.29-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 1.29-1 +- Update to version 1.29 + +* Mon Apr 03 2017 Rongrong Qiu 1.26-1 +- upgrade for 2.0 + +* Tue May 24 2016 Priyesh Padmavilasom 1.24-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Harish Udaiya Kumar 1.24-1 +- Upgraded to version 1.24 + +* Fri Apr 3 2015 Divya Thaluru 1.23-1 +- Initial version. diff --git a/SPECS/perl-local-lib/perl-homedir.csh b/SPECS/perl-local-lib/perl-homedir.csh new file mode 100644 index 0000000000..eaacb379aa --- /dev/null +++ b/SPECS/perl-local-lib/perl-homedir.csh 
@@ -0,0 +1,20 @@ +# invoke local::lib + +# default -- invoke local::lib for all users +setenv PERL_HOMEDIR 1 + +# load our configs, aka opportunities to set PERL_HOMEDIR=0 +if (-f /etc/sysconfig/perl-homedir) then + eval `sed -ne 's|^[[:blank:]]*\([^#=]\{1,\}\)=\([^=]*\)|setenv \1 \2;|p' /etc/sysconfig/perl-homedir` +endif +if (-f "$HOME/.perl-homedir") then + eval `sed -ne 's|^[[:blank:]]*\([^#=]\{1,\}\)=\([^=]*\)|setenv \1 \2;|p' "$HOME/.perl-homedir"` +endif + +alias perlll 'eval "`perl -Mlocal::lib`"' + +# if system default +if ("x$PERL_HOMEDIR" == "x1") then + eval "`perl -Mlocal::lib`" +endif + diff --git a/SPECS/perl-local-lib/perl-homedir.sh b/SPECS/perl-local-lib/perl-homedir.sh new file mode 100644 index 0000000000..8fda14ba31 --- /dev/null +++ b/SPECS/perl-local-lib/perl-homedir.sh @@ -0,0 +1,16 @@ +# invoke local::lib + +# default -- invoke local::lib for all users +PERL_HOMEDIR=1 + +# load our configs, aka opportunities to set PERL_HOMEDIR=0 +[ -f /etc/sysconfig/perl-homedir ] && . /etc/sysconfig/perl-homedir +[ -f $HOME/.perl-homedir ] && . $HOME/.perl-homedir + +alias perlll='eval `perl -Mlocal::lib`' + +# if system default +if [ "x$PERL_HOMEDIR" = "x1" ] ; then + + eval `perl -Mlocal::lib` +fi diff --git a/SPECS/perl-local-lib/perl-local-lib.signatures.json b/SPECS/perl-local-lib/perl-local-lib.signatures.json new file mode 100644 index 0000000000..17018b999e --- /dev/null +++ b/SPECS/perl-local-lib/perl-local-lib.signatures.json @@ -0,0 +1,7 @@ +{ + "Signatures": { + "local-lib-2.000024.tar.gz": "2e9b917bd48a0615e42633b2a327494e04610d8f710765b9493d306cead98a05", + "perl-homedir.csh": "eabd8d1de34302055a4e5c9ee5e8550c718925fc02b88e433a22ad850d48649a", + "perl-homedir.sh": "07715d9e7bb32bc6a741f1b476d2109be6815293733d2b03f89f653fe35026e7" + } +} \ No newline at end of file diff --git a/SPECS/perl-local-lib/perl-local-lib.spec b/SPECS/perl-local-lib/perl-local-lib.spec new file mode 100644 index 0000000000..ee57fd4954 --- /dev/null 
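Review bot: Both config loaders in perl-homedir.csh execute the files they read rather than parsing them: the `sed` expression rewrites each `KEY=VALUE` line to `setenv KEY VALUE;` and the result goes straight to `eval`, so shell metacharacters inside a value are interpreted by csh at login. perl-homedir.sh has the same property because it sources the two files with `.`. That is only acceptable while `/etc/sysconfig/perl-homedir` is writable by root alone, and in the visible part of the spec the perl-homedir subpackage lists only `%{_sysconfdir}/profile.d/*` under `%files`, so nothing in this change creates that file with known ownership or mode. I would add a comment above the loaders such as `# these files are executed at login, not parsed; /etc/sysconfig/perl-homedir must be root-owned and not group- or world-writable`, and consider shipping the file from the package as `%config(noreplace)` with mode 0644.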
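Review bot: `$HOME` and both command substitutions are unquoted in perl-homedir.sh, unlike the csh variant, so a home directory containing whitespace breaks the `[ -f ... ]` test, and the output of `perl -Mlocal::lib` is word-split and glob-expanded before `eval` sees it. I would write `[ -f "$HOME/.perl-homedir" ] && . "$HOME/.perl-homedir"` and `eval "$(perl -Mlocal::lib)"`, with the same quoting inside the `perlll` alias. Separately, `PERL_HOMEDIR=1` makes the feature opt-out for every login shell, root included, which puts a home-directory module path into the environment of privileged sessions; defaulting to 0, or skipping the final `eval` when `id -u` reports 0, would be the more conservative distribution default. Either change alters the file, so the `perl-homedir.sh` hash in perl-local-lib.signatures.json has to be regenerated.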
+++ b/SPECS/perl-local-lib/perl-local-lib.spec 
@@ -0,0 +1,322 @@ +Name: perl-local-lib +Version: 2.000024 +Release: 9%{?dist} +Summary: Create and use a local lib/ for perl modules +License: GPL+ OR Artistic +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +Url: https://metacpan.org/release/local-lib +Source: https://cpan.metacpan.org/authors/id/H/HA/HAARG/local-lib-%{version}.tar.gz +Source10: perl-homedir.sh +Source11: perl-homedir.csh +BuildArch: noarch +# Build +BuildRequires: coreutils +BuildRequires: make +BuildRequires: perl +BuildRequires: perl(CPAN) +BuildRequires: perl(CPAN::HandleConfig) +BuildRequires: perl(ExtUtils::MakeMaker) >= 7.00 +# BuildRequires: perl(File::HomeDir) +BuildRequires: perl(File::Spec) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Runtime +BuildRequires: perl(Carp) +BuildRequires: perl(Carp::Heavy) +BuildRequires: perl(Config) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Glob) +# Tests only +%if %{with_check} +BuildRequires: perl(base) +BuildRequires: perl(Cwd) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Path) +BuildRequires: perl(File::Spec::Functions) +BuildRequires: perl(File::Temp) +BuildRequires: perl(IPC::Open3) +BuildRequires: perl(lib) +BuildRequires: perl(Test::More) +%endif +Requires: perl +Requires: perl(Carp) +Requires: perl(Carp::Heavy) +Requires: perl(File::Basename) +Requires: perl(File::Glob) +Requires: perl(File::Spec) + +%description +This module provides a quick, convenient way of bootstrapping a user- +local Perl module library located within the user's home directory. It +also constructs and prints out for the user the list of environment +variables using the syntax appropriate for the user's current shell (as +specified by the 'SHELL' environment variable), suitable for directly +adding to one's shell configuration file. 
+ +More generally, local::lib allows for the bootstrapping and usage of a +directory containing Perl modules outside of Perl's '@INC'. This makes +it easier to ship an application with an app-specific copy of a Perl module, +or collection of modules. Useful in cases like when an upstream maintainer +hasn't applied a patch to a module of theirs that you need for your +application. + +%package -n perl-homedir +License: GPL+ or Artistic +Summary: Per-user Perl local::lib setup +Requires: %{name} = %{version}-%{release} +Requires: sed + +%description -n perl-homedir +perl-homedir configures the system to automatically create a ~/perl5 +directory in each user's $HOME on user login. This allows each user to +install CPAN packages via the CPAN to their $HOME, with no additional +configuration or privileges, and without installing them system-wide. + +If you want your users to be able to install and use their own Perl modules, +install this package. + +%prep +%setup -q -n local-lib-%{version} + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +%{_fixperms} %{buildroot}/* +mkdir -p %{buildroot}%{_sysconfdir}/profile.d +install -pm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/profile.d/ +install -pm0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/profile.d/ + +%check +make test + +%files +%doc Changes +%{perl_vendorlib}/* +%{_mandir}/man3/* + +%files -n perl-homedir +%{_sysconfdir}/profile.d/* + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 2.000024-9 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Thu Jan 30 2020 Fedora Release Engineering - 2.000024-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 2.000024-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 31 2019 Jitka Plesnikova - 2.000024-6 +- Perl 5.30 rebuild + +* Sat Feb 02 2019 Fedora 
Release Engineering - 2.000024-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 2.000024-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 28 2018 Jitka Plesnikova - 2.000024-3 +- Perl 5.28 rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 2.000024-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Oct 12 2017 Jitka Plesnikova - 2.000024-1 +- 2.000024 bump + +* Thu Jul 27 2017 Fedora Release Engineering - 2.000023-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jun 12 2017 Jitka Plesnikova - 2.000023-1 +- 2.000023 bump + +* Sun Jun 04 2017 Jitka Plesnikova - 2.000019-4 +- Perl 5.26 rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 2.000019-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun May 15 2016 Jitka Plesnikova - 2.000019-2 +- Perl 5.24 rebuild + +* Fri Apr 22 2016 Jitka Plesnikova - 2.000019-1 +- 2.000019 bump + +* Thu Feb 04 2016 Fedora Release Engineering - 2.000018-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Nov 02 2015 Jitka Plesnikova - 2.000018-1 +- 2.000018 bump + +* Tue Oct 06 2015 Petr Å abata - 2.000017-1 +- 2.000017 bump +- Drop the hard CPAN dependency from perl-homedir + +* Thu Jun 18 2015 Fedora Release Engineering - 2.000015-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Jun 06 2015 Jitka Plesnikova - 2.000015-3 +- Perl 5.22 rebuild + +* Thu Jan 15 2015 Petr Pisar - 2.000015-2 +- Do not hard-code /usr/bin + +* Wed Dec 17 2014 Petr Å abata - 2.000015-1 +- 2.000015 bump + +* Tue Nov 11 2014 Jitka Plesnikova - 2.000014-1 +- 2.000014 bump + +* Thu Aug 28 2014 Jitka Plesnikova - 1.008010-8 +- Perl 5.20 rebuild + +* Mon Jul 28 2014 Petr Pisar - 1.008010-7 +- sed(1) is packaged as /bin/sed + +* Fri Jul 25 2014 Petr Pisar - 1.008010-6 +- Parse perl-homedir configuration bash 
syntax by csh profile script + (bug #1122993) + +* Sat Jun 07 2014 Fedora Release Engineering - 1.008010-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Nov 21 2013 Petr Pisar - 1.008010-4 +- Fix setting undefined variable in CSH (bug #1033018) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.008010-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Aug 02 2013 Petr Pisar - 1.008010-2 +- Perl 5.18 rebuild + +* Fri Jun 07 2013 Iain Arnell 1.008010-1 +- update to latest upstream version + +* Fri Apr 19 2013 Iain Arnell 1.008009-2 +- rebase append-semicolon patch + +* Fri Mar 08 2013 Iain Arnell 1.008009-1 +- update to latest upstream version + +* Tue Feb 19 2013 Iain Arnell 1.008007-1 +- update to latest upstream version + +* Fri Feb 15 2013 Iain Arnell 1.008006-1 +- udpate to latest upstream version + +* Thu Feb 14 2013 Fedora Release Engineering - 1.008004-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Nov 20 2012 Petr Å abata - 1.008004-11 +- Add missing buildtime dependencies +- Drop useless deps +- Drop command macros +- Modernize the spec + +* Mon Aug 20 2012 Petr Pisar - 1.008004-10 +- Fix CSH support (bug #849609) + +* Fri Jul 20 2012 Fedora Release Engineering - 1.008004-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 21 2012 Petr Pisar - 1.008004-8 +- Perl 5.16 rebuild + +* Wed Jun 20 2012 Petr Pisar - 1.008004-7 +- Trim Module::Build depencency version to 2 digits because upstream has + regressed the version + +* Sun Jun 17 2012 Petr Pisar - 1.008004-6 +- Perl 5.16 rebuild + +* Thu May 31 2012 Petr Pisar - 1.008004-5 +- Round Module::Build version to 2 digits + +* Fri Feb 10 2012 Iain Arnell 1.008004-4 +- avoid creating ~/perl5/ for all users (rhbz#789146) +- drop defattr in files lists + +* Sat Jan 14 2012 Fedora Release Engineering - 1.008004-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri 
Jun 17 2011 Marcela MaÅ¡láňová - 1.008004-2 +- Perl mass rebuild + +* Wed Mar 16 2011 Iain Arnell 1.008004-1 +- update to latest upstream version + +* Wed Feb 09 2011 Fedora Release Engineering - 1.008001-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sun Jan 23 2011 Iain Arnell 1.008001-2 +- update requires perl(Module::Build) >= 0.3600 + +* Sun Jan 23 2011 Iain Arnell 1.008001-1 +- update to latest upstream version +- drop R/BR perl(ExtUtils::CBuilder) and perl(ExtUtils::ParseXS) + +* Fri Dec 17 2010 Iain Arnell 1.007000-1 +- update to latest upstream version +- fix typo in description + +* Sun Nov 21 2010 Iain Arnell 1.006007-1 +- update to latest upstream version +- clean up spec for modern rpmbuild +- BR perl(Capture::Tiny) + +* Mon May 03 2010 Marcela Maslanova - 1.004009-3 +- Mass rebuild with perl-5.12.0 + +* Tue Jan 05 2010 Chris Weyl 1.004009-2 +- add perl-homedir subpackage + +* Tue Jan 05 2010 Chris Weyl 1.004009-1 +- add perl_default_filter +- auto-update to 1.004009 (by cpan-spec-update 0.01) + +* Mon Dec 7 2009 Stepan Kasal - 1.004007-2 +- rebuild against perl 5.10.1 + +* Sat Sep 19 2009 Chris Weyl 1.004007-1 +- auto-update to 1.004007 (by cpan-spec-update 0.01) + +* Sat Aug 29 2009 Chris Weyl 1.004006-1 +- auto-update to 1.004006 (by cpan-spec-update 0.01) + +* Tue Aug 25 2009 Chris Weyl 1.004005-1 +- auto-update to 1.004005 (by cpan-spec-update 0.01) + +* Tue Aug 11 2009 Chris Weyl 1.004004-1 +- auto-update to 1.004004 (by cpan-spec-update 0.01) +- added a new br on perl(ExtUtils::Install) (version 1.43) +- added a new req on perl(CPAN) (version 1.80) +- added a new req on perl(ExtUtils::CBuilder) (version 0) +- added a new req on perl(ExtUtils::Install) (version 1.43) +- added a new req on perl(ExtUtils::MakeMaker) (version 6.31) +- added a new req on perl(ExtUtils::ParseXS) (version 0) +- added a new req on perl(Module::Build) (version 0.28) + +* Sun Jul 26 2009 Fedora Release Engineering - 1.004001-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jun 03 2009 Chris Weyl 1.004001-1 +- auto-update to 1.004001 (by cpan-spec-update 0.01) + +* Tue May 19 2009 Chris Weyl 1.004000-1 +- auto-update to 1.004000 (by cpan-spec-update 0.01) +- altered br on perl(ExtUtils::MakeMaker) (6.31 => 6.42) + +* Sun Mar 08 2009 Chris Weyl 1.003002-1 +- submission + +* Sun Mar 08 2009 Chris Weyl 1.003002-0 +- initial RPM packaging +- generated with cpan2dist (CPANPLUS::Dist::RPM version 0.0.8) diff --git a/SPECS/pgbouncer/pgbouncer.spec b/SPECS/pgbouncer/pgbouncer.spec index ffc20c609d..80400d9c2a 100644 --- a/SPECS/pgbouncer/pgbouncer.spec +++ b/SPECS/pgbouncer/pgbouncer.spec @@ -80,7 +80,7 @@ fi /usr/share/doc/pgbouncer/* %changelog -* Sat May 09 00:21:33 PST 2020 Nick Samson - 1.11.0-2 +* Sat May 09 2020 Nick Samson - 1.11.0-2 - Added %%license line automatically * Fri Mar 13 2020 Paul Monson 1.11.0-1 diff --git a/SPECS/pinentry/pinentry.spec b/SPECS/pinentry/pinentry.spec index 3af5516aff..250a8cbd13 100644 --- a/SPECS/pinentry/pinentry.spec +++ b/SPECS/pinentry/pinentry.spec @@ -41,7 +41,7 @@ make DESTDIR=%{buildroot} install %exclude %{_infodir}/dir %changelog -* Sat May 09 00:21:30 PST 2020 Nick Samson - 1.1.0-3 +* Sat May 09 2020 Nick Samson - 1.1.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.1.0-2 diff --git a/SPECS/pixman/pixman.spec b/SPECS/pixman/pixman.spec index 548210f52f..ad0ae46989 100644 --- a/SPECS/pixman/pixman.spec +++ b/SPECS/pixman/pixman.spec @@ -57,7 +57,7 @@ make %{?_smp_mflags} -k check %{_libdir}/pkgconfig/*.pc %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 0.36.0-2 +* Sat May 09 2020 Nick Samson - 0.36.0-2 - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 0.36.0-1 diff --git a/SPECS/policycoreutils/policycoreutils.signatures.json b/SPECS/policycoreutils/policycoreutils.signatures.json new file mode 100644 index 0000000000..dd63456a35 --- /dev/null 
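Review bot: In perl-local-lib.spec, `%files -n perl-homedir` claims `%{_sysconfdir}/profile.d/*` by glob, and files in that directory are sourced by login shells, so the package should name exactly what it ships: `%{_sysconfdir}/profile.d/perl-homedir.sh` and `%{_sysconfdir}/profile.d/perl-homedir.csh`. Because both scripts default to `PERL_HOMEDIR=1`, installing the subpackage turns on `local::lib` for every account that sources profile.d, presumably including root. A comment above the two `install -pm0644` lines stating that `/etc/sysconfig/perl-homedir` or `~/.perl-homedir` can set `PERL_HOMEDIR=0` would make the opt-out visible to administrators. The main `%files` list also has no `%license` entry although the changelog records the license as verified.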
+++ b/SPECS/policycoreutils/policycoreutils.signatures.json
@@ -0,0 +1,10 @@
+{
+ "Signatures": {
+ "selinux-3.2.tar.gz": "cda0b315ea88f93b1e7b6aa9f48d3b568a5506af1f8f401f5d05fa2ce8c7008f",
+ "selinux-autorelabel": "817911a36413e8cb13fd5107ed94314d3f49962befd00acd9e86038acfa31e73",
+ "selinux-autorelabel-generator.sh": "ec37c4ed3d2168d367d2bb07c44ea16df052e123908e83010d84aaa1bda1cede",
+ "selinux-autorelabel-mark.service": "c7707e97067ae344b99a9b59845a4c7335c9ff4e470723bf2a213a6757877707",
+ "selinux-autorelabel.service": "106ff381e311119d389fd6f9421330a408d3406fab0b990690c73739b02377ac",
+ "selinux-autorelabel.target": "c340133060c163caf9e22f0624306bd528768e89b3d5faf7285f23d2bada9485"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/policycoreutils/policycoreutils.spec b/SPECS/policycoreutils/policycoreutils.spec
new file mode 100644
index 0000000000..3f29609094
--- /dev/null
+++ b/SPECS/policycoreutils/policycoreutils.spec
@@ -0,0 +1,5316 @@ +%global libauditver 3.0 +%global libsepolver %{version}-1 +%global libsemanagever %{version}-1 +%global libselinuxver %{version}-1 +%global __python3 %{_bindir}/python3 +%global generatorsdir %{_libdir}/systemd/system-generators +# Disable automatic compilation of Python files in extra directories +%global _python_bytecompile_extra 0 +Summary: SELinux policy core utilities +Name: policycoreutils +Version: 3.2 +Release: 1%{?dist} +License: GPLv2 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/SELinuxProject/selinux/wiki +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz +Source1: selinux-autorelabel +Source2: selinux-autorelabel.service +Source3: selinux-autorelabel-mark.service +Source4: selinux-autorelabel.target +Source5: selinux-autorelabel-generator.sh +BuildRequires: audit-devel +BuildRequires: audit-libs >= %{libauditver} +BuildRequires: dbus-devel +BuildRequires: dbus-glib-devel +BuildRequires: gcc +BuildRequires: gettext +BuildRequires: git +BuildRequires: libcap-devel +BuildRequires: libselinux-devel >= %{libselinuxver} +BuildRequires: libsemanage-devel >= %{libsemanagever} +BuildRequires: libsepol-devel >= %{libsepolver} +BuildRequires: pam-devel +BuildRequires: python3-devel +BuildRequires: pkgconf +BuildRequires: systemd-devel +Requires: coreutils +Requires: diffutils +Requires: gawk +Requires: grep +Requires: libselinux-utils >= %{libselinuxver} +Requires: libsepol >= %{libsepolver} +Requires: rpm +Requires: sed +Requires: util-linux +Conflicts: initscripts < 9.66 +Obsoletes: policycoreutils < 2.0.61-2 +Provides: /sbin/fixfiles +Provides: /sbin/restorecon + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. 
The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +policycoreutils contains the policy core utilities that are required +for basic operation of a SELinux system. These utilities include +load_policy to load policies, setfiles to label filesystems, newrole +to switch roles. + +%prep +%autosetup -n selinux-%{version} + +%build +%{set_build_flags} +export PYTHON=python3 + +%make_build -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" +%make_build -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" +%make_build -C semodule-utils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" +%make_build -C restorecond SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" + +%install +mkdir -p %{buildroot}%{_bindir} +mkdir -p %{buildroot}%{_sbindir} +mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 +mkdir -p %{buildroot}%{_mandir}/man8 +mkdir -p %{buildroot}/%{_usr}/share/doc/%{name}/ + +%make_install -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="%{build_cflags} -fno-semantic-interposition" +%make_install -C python PYTHON=python3 SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="%{build_cflags} -fno-semantic-interposition" +%make_install -C semodule-utils PYTHON=python3 SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="%{build_cflags} 
-fno-semantic-interposition" +%make_install -C restorecond PYTHON=python3 SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" SYSTEMDDIR="/usr/lib/systemd" CFLAGS="%{build_cflags} -fno-semantic-interposition" + +# Fix perms on newrole so that objcopy can process it +chmod 0755 %{buildroot}%{_bindir}/newrole + +# Systemd +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond + +rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz +rm -f %{buildroot}%{_mandir}/ru/man8/open_init_pty.8* +rm -f %{buildroot}%{_mandir}/ru/man8/semodule_deps.8.gz +rm -f %{buildroot}%{_mandir}/man8/open_init_pty.8 +rm -f %{buildroot}%{_sbindir}/open_init_pty +rm -f %{buildroot}%{_sbindir}/run_init +rm -f %{buildroot}%{_mandir}/ru/man8/run_init.8* +rm -f %{buildroot}%{_mandir}/man8/run_init.8* +rm -f %{buildroot}%{_sysconfdir}/pam.d/run_init* + +mkdir -m 755 -p %{buildroot}/%{generatorsdir} +mkdir -m 755 -p %{buildroot}/%{_unitdir} +install -m 755 -p %{SOURCE1} %{buildroot}%{_libexecdir}/selinux/ +install -m 644 -p %{SOURCE2} %{buildroot}%{_unitdir}/ +install -m 644 -p %{SOURCE3} %{buildroot}%{_unitdir}/ +install -m 644 -p %{SOURCE4} %{buildroot}%{_unitdir}/ +install -m 755 -p %{SOURCE5} %{buildroot}%{generatorsdir}/ + + +%package python-utils +Summary: SELinux policy core python utilities +Requires: policycoreutils-python3 = %{version}-%{release} +BuildArch: noarch + +%description python-utils +The policycoreutils-python-utils package contains the management tools use to manage +an SELinux environment. 
+ +%package python3 +Summary: SELinux policy core python3 interfaces +Requires: checkpolicy +Requires: libselinux-python3 +Requires: libsemanage-python3 >= %{libsemanagever} +Requires: %{name} = %{version}-%{release} +Requires: python3-audit +Requires: setools-python3 >= 4.4.0 +Provides: python3-%{name} = %{version}-%{release} +BuildArch: noarch + +%description python3 +The policycoreutils-python3 package contains the interfaces that can be used +by python 3 in an SELinux environment. + +%package devel +Summary: SELinux policy core policy devel utilities +Requires: dnf +Requires: make +Requires: policycoreutils-python-utils + +%description devel +The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment. + +%package newrole +Summary: The newrole application for RBAC/MLS +BuildRequires: libcap-ng-devel +Requires: policycoreutils = %{version}-%{release} + +%description newrole +RBAC/MLS policy machines require newrole as a way of changing the role +or level of a logged in user. + +%package restorecond +Summary: SELinux restorecond utilities +BuildRequires: systemd + +%description restorecond +The policycoreutils-restorecond package contains the restorecond service. 
+ +%files python-utils +%license python/COPYING +%{_sbindir}/semanage +%{_bindir}/chcat +%{_bindir}/audit2allow +%{_bindir}/audit2why +%{_mandir}/man1/audit2allow.1* +%{_mandir}/ru/man1/audit2allow.1* +%{_mandir}/man1/audit2why.1* +%{_mandir}/ru/man1/audit2why.1* +%{_mandir}/man8/chcat.8* +%{_mandir}/ru/man8/chcat.8* +%{_mandir}/man8/semanage*.8* +%{_mandir}/ru/man8/semanage*.8* +%{_datadir}/bash-completion/completions/semanage + +%files python3 +%license python/COPYING +%{python3_sitelib}/__pycache__ +%{python3_sitelib}/seobject.py* +%{python3_sitelib}/sepolgen +%dir %{python3_sitelib}/sepolicy +%{python3_sitelib}/sepolicy/templates +%dir %{python3_sitelib}/sepolicy/help +%{python3_sitelib}/sepolicy/help/* +%{python3_sitelib}/sepolicy/__init__.py* +%{python3_sitelib}/sepolicy/booleans.py* +%{python3_sitelib}/sepolicy/communicate.py* +%{python3_sitelib}/sepolicy/generate.py* +%{python3_sitelib}/sepolicy/gui.py* +%{python3_sitelib}/sepolicy/interface.py* +%{python3_sitelib}/sepolicy/manpage.py* +%{python3_sitelib}/sepolicy/network.py* +%{python3_sitelib}/sepolicy/sepolicy.glade +%{python3_sitelib}/sepolicy/transition.py* +%{python3_sitelib}/sepolicy/sedbus.py* +%{python3_sitelib}/sepolicy*.egg-info +%{python3_sitelib}/sepolicy/__pycache__ +%{_mandir}/man8/sepolicy-gui.8.gz + +%files devel +%{_bindir}/sepolgen +%{_bindir}/sepolgen-ifgen +%{_bindir}/sepolgen-ifgen-attr-helper +%dir %{_sharedstatedir}/sepolgen +%{_sharedstatedir}/sepolgen/perm_map +%{_bindir}/sepolicy +%{_mandir}/man8/sepolgen.8* +%{_mandir}/ru/man8/sepolgen.8* +%{_mandir}/man8/sepolicy-booleans.8* +%{_mandir}/man8/sepolicy-generate.8* +%{_mandir}/man8/sepolicy-interface.8* +%{_mandir}/man8/sepolicy-network.8* +%{_mandir}/man8/sepolicy.8* +%{_mandir}/man8/sepolicy-communicate.8* +%{_mandir}/man8/sepolicy-manpage.8* +%{_mandir}/man8/sepolicy-transition.8* +%{_mandir}/ru/man8/sepolicy*.8* +%{_usr}/share/bash-completion/completions/sepolicy + +%files newrole +%license policycoreutils/COPYING 
+%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole +%{_mandir}/man1/newrole.1.gz +%{_mandir}/ru/man1/newrole.1.gz +%config(noreplace) %{_sysconfdir}/pam.d/newrole + +%files restorecond +%license restorecond/COPYING +%{_sbindir}/restorecond +%{_unitdir}/restorecond.service +%{_libdir}/systemd/user/restorecond_user.service +%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf +%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf +%{_sysconfdir}/xdg/autostart/restorecond.desktop +%{_datadir}/dbus-1/services/org.selinux.Restorecond.service +%{_mandir}/man8/restorecond.8* +%{_mandir}/ru/man8/restorecond.8* +%{_mandir}/ru/man1/audit2why.1* +%{_mandir}/ru/man1/newrole.1* +%{_mandir}/ru/man5/selinux_config.5* +%{_mandir}/ru/man5/sestatus.conf.5* +%{_mandir}/ru/man8/genhomedircon.8* +%{_mandir}/ru/man8/restorecon_xattr.8* +%{_mandir}/ru/man8/semanage-boolean.8* +%{_mandir}/ru/man8/semanage-dontaudit.8* +%{_mandir}/ru/man8/semanage-export.8* +%{_mandir}/ru/man8/semanage-fcontext.8* +%{_mandir}/ru/man8/semanage-ibendport.8* +%{_mandir}/ru/man8/semanage-ibpkey.8* +%{_mandir}/ru/man8/semanage-import.8* +%{_mandir}/ru/man8/semanage-interface.8* +%{_mandir}/ru/man8/semanage-login.8* +%{_mandir}/ru/man8/semanage-module.8* +%{_mandir}/ru/man8/semanage-node.8* +%{_mandir}/ru/man8/semanage-permissive.8* +%{_mandir}/ru/man8/semanage-port.8* +%{_mandir}/ru/man8/semanage-user.8* +%{_mandir}/ru/man8/semodule_unpackage.8* +%{_mandir}/ru/man8/sepolgen.8* +%{_mandir}/ru/man8/sepolicy-booleans.8* +%{_mandir}/ru/man8/sepolicy-communicate.8* +%{_mandir}/ru/man8/sepolicy-generate.8* +%{_mandir}/ru/man8/sepolicy-gui.8* +%{_mandir}/ru/man8/sepolicy-interface.8* +%{_mandir}/ru/man8/sepolicy-manpage.8* +%{_mandir}/ru/man8/sepolicy-network.8* +%{_mandir}/ru/man8/sepolicy-transition.8* +%{_mandir}/ru/man8/sepolicy.8* + +%files +%license policycoreutils/COPYING +%{_sbindir}/restorecon 
+%{_sbindir}/restorecon_xattr +%{_sbindir}/fixfiles +%{_sbindir}/setfiles +%{_sbindir}/load_policy +%{_sbindir}/genhomedircon +%{_sbindir}/setsebool +%{_sbindir}/semodule +%{_sbindir}/sestatus +%{_bindir}/secon +%{_bindir}/semodule_expand +%{_bindir}/semodule_link +%{_bindir}/semodule_package +%{_bindir}/semodule_unpackage +%{_bindir}/sestatus +%{_libexecdir}/selinux/hll +%{_libexecdir}/selinux/selinux-autorelabel +%{_unitdir}/selinux-autorelabel-mark.service +%{_unitdir}/selinux-autorelabel.service +%{_unitdir}/selinux-autorelabel.target +%{generatorsdir}/selinux-autorelabel-generator.sh +%config(noreplace) %{_sysconfdir}/sestatus.conf +%{_mandir}/man5/selinux_config.5.gz +%{_mandir}/ru/man5/selinux_config.5.gz +%{_mandir}/man5/sestatus.conf.5.gz +%{_mandir}/ru/man5/sestatus.conf.5.gz +%{_mandir}/man8/fixfiles.8* +%{_mandir}/ru/man8/fixfiles.8* +%{_mandir}/man8/load_policy.8* +%{_mandir}/ru/man8/load_policy.8* +%{_mandir}/man8/restorecon.8* +%{_mandir}/ru/man8/restorecon.8* +%{_mandir}/man8/restorecon_xattr.8* +%{_mandir}/ru/man8/restorecon_xattr.8* +%{_mandir}/man8/semodule.8* +%{_mandir}/ru/man8/semodule.8* +%{_mandir}/man8/sestatus.8* +%{_mandir}/ru/man8/sestatus.8* +%{_mandir}/man8/setfiles.8* +%{_mandir}/ru/man8/setfiles.8* +%{_mandir}/man8/setsebool.8* +%{_mandir}/ru/man8/setsebool.8* +%{_mandir}/man1/secon.1* +%{_mandir}/ru/man1/secon.1* +%{_mandir}/man8/genhomedircon.8* +%{_mandir}/ru/man8/genhomedircon.8* +%{_mandir}/man8/semodule_expand.8* +%{_mandir}/ru/man8/semodule_expand.8* +%{_mandir}/man8/semodule_link.8* +%{_mandir}/ru/man8/semodule_link.8* +%{_mandir}/man8/semodule_unpackage.8* +%{_mandir}/ru/man8/semodule_unpackage.8* +%{_mandir}/man8/semodule_package.8* +%{_mandir}/ru/man8/semodule_package.8* +%dir %{_datadir}/bash-completion +%{_datadir}/bash-completion/completions/setsebool +%doc %{_usr}/share/doc/%{name} +%{_datadir}/locale/* + +%post +%systemd_post selinux-autorelabel-mark.service + +%preun +%systemd_preun selinux-autorelabel-mark.service + 
+%post restorecond +%systemd_post restorecond.service + +%preun restorecond +%systemd_preun restorecond.service + +%postun restorecond +%systemd_postun_with_restart restorecond.service + +%changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version +- Switch source to use upstream's combined tarball +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Lint spec +- License verified + +* Fri Aug 21 2020 Daniel Burgener - 2.9-6 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Thu Aug 29 2019 Petr Lautrbach - 2.9-5 +- gui: Fix remove module in system-config-selinux (#1740936) + +* Fri Aug 23 2019 Petr Lautrbach - 2.9-4 +- fixfiles: Fix unbound variable problem + +* Mon Aug 5 2019 Petr Lautrbach - 2.9-3 +- Drop python2-policycoreutils +- Update ru man page translations +- fixfiles: Fix [-B] [-F] onboot + +* Fri Jul 26 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Sat Feb 02 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release candidate + +* Fri Jan 25 2019 Petr Lautrbach - 2.8-17 +- python2-policycoreutils requires python2-ipaddress (#1669230) + +* Tue Jan 22 2019 Petr Lautrbach - 2.8-16 +- restorecond: Install DBUS service file with 644 permissions + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-15 +- setsebool: support use of -P on SELinux-disabled hosts +- sepolicy: initialize mislabeled_files in __init__() +- audit2allow: use local sepolgen-ifgen-attr-helper for tests +- audit2allow: allow using audit2why as non-root user +- audit2allow/sepolgen-ifgen: show errors on stderr +- audit2allow/sepolgen-ifgen: add 
missing \n to error message +- sepolgen: close /etc/selinux/sepolgen.conf after parsing it +- sepolicy: Make policy files sorting more robust +- semanage: Load a store policy and set the store SELinux policy root + +* Thu Dec 20 2018 Petr Lautrbach - 2.8-14 +- chcat: fix removing categories on users with Fedora default setup +- semanage: Include MCS/MLS range when exporting local customizations +- semanage: Start exporting "ibendport" and "ibpkey" entries +- semanage: do not show "None" levels when using a non-MLS policy +- sepolicy: Add sepolicy.load_store_policy(store) +- semanage: import sepolicy only when it's needed +- semanage: move valid_types initialisations to class constructors + +* Mon Dec 10 2018 Petr Lautrbach - 2.8-13 +- chcat: use check_call instead of getstatusoutput +- Use matchbox-window-manager instead of openbox +- Use ipaddress python module instead of IPy +- semanage: Fix handling of -a/-e/-d/-r options +- semanage: Use standard argparse.error() method + +* Mon Nov 12 2018 Petr Lautrbach - 2.8-12 +- sepolicy,semanage: replace aliases with corresponding type names +- sepolicy-generate: Handle more reserved port types +- Fix RESOURCE_LEAK coverity scan defects + +* Tue Oct 16 2018 Petr Lautrbach - 2.8-11 +- sepolicy: Fix get_real_type_name to handle query failure properly +- sepolicy: search() for dontaudit rules as well + +* Tue Oct 2 2018 Petr Lautrbach - 2.8-10 +- semanage: "semanage user" does not use -s, fix documentation +- semanage: add a missing space in ibendport help +- sepolicy: Update to work with setools-4.2.0 + +* Fri Sep 14 2018 Petr Lautrbach - 2.8-9 +- semanage: Stop rejecting aliases in semanage commands +- sepolicy: Stop rejecting aliases in sepolicy commands +- sepolicy: Fix "info" to search aliases as well +- setfiles: Improve description of -d switch + +* Wed Sep 12 2018 Petr Lautrbach - 2.8-8 +- Update translations + +* Tue Sep 4 2018 Petr Lautrbach - 2.8-7 +- Fix typo in newrole.1 manpage +- sepolgen: print all AV rules 
correctly +- sepolgen: fix access vector initialization +- Add xperms support to audit2allow +- semanage: Stop logging loginRecords changes +- semanage: Fix logger class definition +- semanage: Replace bare except with specific one +- semanage: fix Python syntax of catching several exceptions +- sepolgen: return NotImplemented instead of raising it +- sepolgen: fix refpolicy parsing of "permissive" + +* Mon Aug 6 2018 Petr Lautrbach - 2.8-6 +- Use split translation files + https://github.com/fedora-selinux/selinux/issues/43 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 02 2018 Miro HronÄok - 2.8-4 +- Rebuilt for Python 3.7 + +* Mon Jun 18 2018 Petr Lautrbach - 2.8-3 +- selinux-autorelabel: Use plymouth --quit rather then --hide-splash (#1592221) +- selinux-autorelabel: Increment boot_indeterminate grub environment variable (#1592221) + +* Fri Jun 15 2018 Miro HronÄok - 2.8-2 +- Rebuilt for Python 3.7 + +* Fri May 25 2018 Petr Lautrbach - 2.8-1 +- SELinux userspace 2.8 release + +* Tue May 22 2018 Petr Lautrbach - 2.8-0.rc3.2 +- selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent +- selinux-autorelabel: synchronize cached writes before reboot (#1385272) + +* Tue May 15 2018 Petr Lautrbach - 2.8-0.rc3.1 +- SELinux userspace 2.8-rc2 release candidate + +* Fri May 4 2018 Petr Lautrbach - 2.8-0.rc2.1 +- SELinux userspace 2.8-rc2 release candidate + +* Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 +- SELinux userspace 2.8-rc1 release candidate + +* Thu Apr 19 2018 Petr Lautrbach - 2.7-20 +- Drop python2 sepolicy gui files from policycoreutils-gui (#1566618) + +* Wed Apr 18 2018 Iryna Shcherbina - 2.7-19 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Tue Apr 3 2018 Petr Lautrbach - 2.7-18 +- Move semodule_* utilities to policycoreutils package (#1562549) + +* Thu 
Mar 22 2018 Petr Lautrbach - 2.7-17 +- semanage/seobject.py: Fix undefined store check (#1559174) + +* Fri Mar 16 2018 Petr Lautrbach - 2.7-16 +- Build python only subpackages as noarch +- Move semodule_package to policycoreutils-devel + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-15 +- sepolicy: Fix translated strings with parameters +- sepolicy: Support non-MLS policy +- sepolicy: Initialize policy.ports as a dict in generate.py +- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name +- Minor update for bash completion +- semodule_package: fix semodule_unpackage man page +- gui/semanagePage: Close "edit" and "add" dialogues when successfull +- gui/fcontextPage: Set default object class in addDialog\ +- sepolgen: fix typo in PolicyGenerator +- build: follow standard semantics for DESTDIR and PREFIX + +* Mon Feb 26 2018 Petr Lautrbach - 2.7-14 +- Use Fedora RPM build flags (#1548740) + +* Tue Feb 20 2018 Petr Lautrbach - 2.7-13 +- Fix mangling of python shebangs + +* Mon Feb 19 2018 Miro HronÄok - 2.7-12 +- Rename the python3 subpackage to have prefix, not suffix +- Use python3 prefixes in requires where possible + +* Thu Feb 15 2018 Petr Lautrbach - 2.7-11 +- Rewrite selinux-polgengui to use Gtk3 +- Drop python2 and gnome-python2 from gui Requires + +* Fri Feb 09 2018 Fedora Release Engineering - 2.7-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Petr Lautrbach - 2.7-9 +- Require audit-libs-python2 + +* Thu Jan 18 2018 Igor Gnatenko - 2.7-8 +- Remove obsolete scriptlets + +* Wed Dec 20 2017 Petr Lautrbach - 2.7-7 +- semanage: bring semanageRecords.set_reload back to seobject.py (#1527745) + +* Wed Dec 13 2017 Petr Lautrbach - 2.7-6 +- semanage: make seobject.py backward compatible +- Own %%{pythonX_sitelib}/site-packages/sepolicy directories (#1522942) + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-5 +- sepolicy: Fix sepolicy manpage +- semanage: Update Infiniband code to work on python3 +- semanage: Fix 
export of ibendport entries
+- semanage: Enforce noreload only if it's requested by -N option
+
+* Fri Oct 20 2017 Petr Lautrbach - 2.7-4
+- restorecond: check write() and daemon() results
+- sepolicy: do not fail when file_contexts.local or .subs do not exist
+- sepolicy: remove stray space in section "SEE ALSO"
+- sepolicy: fix misspelling of _ra_content_t suffix
+- gui: port to Python 3 by migrating to PyGI
+- gui: remove the status bar
+- gui: fix parsing of "semodule -lfull" in tab Modules
+- gui: delete overridden definition of usersPage.delete()
+- Enable listing file_contexts.homedirs (#1409813)
+- remove semodule_deps
+
+* Sat Aug 19 2017 Zbigniew JÄ™drzejewski-Szmek - 2.7-3
+- Also add Provides for the old name without %%_isa
+
+* Sat Aug 19 2017 Zbigniew JÄ™drzejewski-Szmek - 2.7-2
+- Python 2 binary package renamed to python2-policycoreutils
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Mon Aug 07 2017 Petr Lautrbach - 2.7-1
+- Update to upstream release 2017-08-04
+- Move DBUS API from -gui to -dbus package
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.6-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer - 2.6-8
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Fri Jul 28 2017 Petr Lautrbach - 2.6-7
+- Make 'sepolicy manpage' and 'sepolicy transition' faster
+- open_init_pty: restore stdin/stdout to blocking upon exit
+- fixfiles: do not dereference link files in tmp
+- fixfiles: use a consistent order for options to restorecon
+- fixfiles: don't ignore `-F` when run in `-C` mode
+- fixfiles: remove bad modes of "relabel" command
+- fixfiles: refactor into the `set -u` dialect
+- fixfiles: if restorecon aborts, we should too
+- fixfiles: usage errors are fatal
+- fixfiles: syntax error
+- fixfiles: remove two unused variables
+- fixfiles: tidy up usage(), manpage synopsis
+- fixfiles: deprecate -l option
+- fixfiles: move logit call outside of
redirected function
+- fixfiles: fix logging about R/O filesystems
+- fixfiles: clarify exclude_dirs()
+- fixfiles: remove (broken) redundant code
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 06 2017 Petr Lautrbach - 2.6-5
+- semanage: Unify argument handling (#1398987)
+- setfiles: set up a logging callback for libselinux
+- setfiles: Fix setfiles progress indicator
+- setfiles: stdout messages don't need program prefix
+- setfiles: don't scramble stdout and stderr together (#1435894)
+- restorecond: Decrease loglevel of termination message (#1264505)
+- fixfiles should handle path arguments more robustly
+- fixfiles: handle unexpected spaces in command
+- fixfiles: remove useless use of cat (#1435894)
+- semanage: Add checks if a module name is passed in (#1420707)
+- semanage: fix export of fcontext socket entries (#1435127)
+- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
+
+* Fri Mar 17 2017 Petr Lautrbach - 2.6-4
+- Fix selinux-polgengui (#1432337)
+- sepolicy - fix obtaining domain name in HTMLManPages
+
+* Tue Feb 28 2017 Petr Lautrbach - 2.6-3
+- Fix several issues in gui and 'sepolicy manpage' (#1416372)
+
+* Thu Feb 23 2017 Petr Lautrbach - 2.6-2
+- Use %%{__python3} instead of python3
+
+* Mon Feb 20 2017 Petr Lautrbach - 2.6-1.1
+- Fix pp crash when processing base module (#1417200)
+- Update to upstream release 2016-10-14
+
+* Wed Feb 15 2017 Igor Gnatenko - 2.5-22
+- Rebuild for brp-python-bytecompile
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.5-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 21 2016 Kevin Fenzi - 2.5-20
+- Rebuild for python 3.6
+
+* Thu Dec 01 2016 Petr Lautrbach - 2.5-19
+- seobject: Handle python error returns correctly
+- policycoreutils/sepolicy/gui: fix current selinux state radiobutton
+- policycoreutils: semodule_package: do not fail with an empty fc file
+
+*
Tue Nov 22 2016 Petr Lautrbach - 2.5-18
+- Update translations
+- Fix fcontextPage editing features (#1344842)
+
+* Mon Oct 03 2016 Petr Lautrbach 2.5-17
+- sandbox: Use dbus-run-session instead of dbus-launch when available
+- hll/pp: Change warning for module name not matching filename to match new behavior
+- Remove LDFLAGS from CFLAGS
+- sandbox: create a new session for sandboxed processes
+- sandbox: do not try to setup directories without -X or -M
+- sandbox: do not run xmodmap in a new X session
+- sandbox: Use GObject introspection binding instead of pygtk2
+- sandbox: fix file labels on copied files
+- sandbox: tests - close stdout of p
+- sandbox: tests - use sandbox from cwd
+- audit2allow: tests should use local copy not system
+- audit2allow: fix audit2why import from seobject
+- audit2allow: remove audit2why so that it gets symlinked
+- semanage: fix man page and help message for import option
+- semanage: fix error message for fcontext -m
+- semanage: Fix semanage fcontext -D
+- semanage: Correct fcontext auditing
+- semanage: Default serange to "s0" for port modify
+- semanage: Use socket.getprotobyname for protocol
+- semanage: fix modify action in node and interface
+- fixfiles: Pass -n to restorecon for fixfiles check
+- sepolicy: Check get_rpm_nvr_list() return value
+- Don't use subprocess.getstatusoutput() in Python 2 code
+- semanage: Add auditing of changes in records
+- Remove unused 'q' from semodule getopt string
+
+* Mon Aug 01 2016 Petr Lautrbach 2.5-16
+- Remove unused autoconf files from po/
+- Remove duplicate, empty translation files
+- Rebuilt with libsepol-2.5-9, libselinux-2.5-11, libsemanage-2.5-7
+
+* Thu Jul 21 2016 Petr Lautrbach 2.5-15
+- Fix sandbox -X issue related to python3 (#1358138)
+
+* Wed Jul 20 2016 Richard W.M.
Jones - 2.5-14
+- Use generator approach to fix autorelabel
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.5-13
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Jul 14 2016 Petr Lautrbach - 2.5-12
+- open_init_pty: Do not error on EINTR
+- Fix [-s STORE] typos in semanage
+- Update sandbox types in sandbox manual
+- Update translations
+
+* Mon Jun 27 2016 Petr Lautrbach - 2.5-11
+- Convert sandbox to gtk-3 using pygi-convert.sh (#1343166)
+
+* Thu Jun 23 2016 Petr Lautrbach - 2.5-10
+- Fix typos in semanage manpages
+- Fix the documentation of -l,--list for semodule
+- Minor fix in a French translation
+- Fix the extract example in semodule.8
+- Update sandbox.8 man page
+- Remove typos from chcat --help
+- sepolgen: Remove additional files when cleaning
+
+* Wed May 11 2016 Petr Lautrbach - 2.5-9
+- Fix multiple spelling errors
+- Rebuild with libsepol-2.5-6
+
+* Mon May 02 2016 Petr Lautrbach - 2.5-8
+- Rebuilt with libsepol-2.5-5
+
+* Fri Apr 29 2016 Petr Lautrbach - 2.5-7
+- hll/pp: Warn if module name different than output filename
+
+* Mon Apr 25 2016 Petr Lautrbach - 2.5-6
+- Ship selinux-autorelabel utility and systemd unit files (#1328825)
+
+* Fri Apr 08 2016 Petr Lautrbach - 2.5-5
+- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
+
+* Fri Mar 18 2016 Petr Lautrbach - 2.5-4
+- Add documentation for MCS separated domains
+- Move svirt man page out of libvirt into its own
+
+* Thu Mar 17 2016 Petr Lautrbach - 2.5-3
+- policycoreutils: use python3 in chcat(#1318408)
+
+* Sat Mar 05 2016 Petr Lautrbach 2.5-2
+- policycoreutils/sepolicy: selinux_server.py to use GLib instead of gobject
+- policycoreutils-gui requires python-slip-dbus (#1314685)
+
+* Tue Feb 23 2016 Petr Lautrbach 2.5-1
+- Update to upstream release 2016-02-23
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.4-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Dec 14 2015
Petr Lautrbach - 2.4-20
+- Fix 'semanage permissive -l' subcommand (#1286325)
+- Several 'sepolicy gui' fixes (#1281309,#1281309,#1282382)
+
+* Tue Nov 17 2015 Petr Lautrbach 2.4-19
+- Require at least one argument for 'semanage permissive -d' (#1255676)
+
+* Mon Nov 16 2015 Petr Lautrbach 2.4-18
+- Improve sepolicy command line interface
+- Fix sandbox to propagate specified MCS/MLS Security Level. (#1279006)
+- Fix 'audit2allow -R' (#1280418)
+
+* Thu Nov 12 2015 Fedora Release Engineering - 2.4-17
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Nov 09 2015 Petr Lautrbach 2.4-16
+- policycoreutils-gui needs policycoreutils-python (#1279046)
+
+* Wed Nov 04 2015 Robert Kuska - 2.4-15
+- Rebuilt for Python3.5 rebuild
+
+* Thu Oct 08 2015 Petr Lautrbach 2.4-14
+- Revert the attempt to port -gui to GTK 3 (#1269328, #1266059)
+
+* Fri Oct 02 2015 Petr Lautrbach 2.4-13
+- newrole: Set keepcaps around setresuid calls
+- newrole: Open stdin as read/write
+
+* Fri Sep 04 2015 Petr Lautrbach 2.4-12
+- Fix several semanage issue (#1247714)
+- Decode output from subprocess, if error occurred (#1247039)
+
+* Wed Sep 02 2015 Petr Lautrbach 2.4-11
+- audit2allow, audit2why - ignore setlocale errors (#1208529)
+
+* Fri Aug 21 2015 Petr Lautrbach 2.4-10
+- Port sandbox to GTK 3 and fix issue with Xephyr
+
+* Thu Aug 13 2015 Petr Lautrbach 2.4-9
+- Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
+
+* Thu Aug 06 2015 Petr Lautrbach 2.4-8
+- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)
+
+* Mon Jul 27 2015 Petr Lautrbach 2.4-7
+- policycoreutils-python3 depends on python-IPy-python3
+
+* Mon Jul 27 2015 Petr Lautrbach 2.4-6
+- policycoreutils-devel depends on policycoreutils-python-utils (#1246818)
+
+* Fri Jul 24 2015 Petr Lautrbach 2.4-5
+- Move python utilities from -python to -python-utilities
+- All scripts originally from policycoreutils-python use python 3 now
+
+* Fri Jul 24 2015 Petr Lautrbach 2.4-4
+- policycoreutils: semanage: fix moduleRecords deleteall method
+
+* Thu Jul 23 2015 Petr Lautrbach 2.4-3
+- Improve compatibility with python 3
+- Add sepolgen module to python3 package
+
+* Tue Jul 21 2015 Petr Lautrbach 2.4-2
+- Add Python3 support for sepolgen module (#1125208,#1125209)
+
+* Tue Jul 21 2015 Petr Lautrbach 2.4-1.1
+- Update to 2.4 release
+
+* Wed Jul 15 2015 Petr Lautrbach 2.4-0.7
+- Fix typo in semanage args for minimum policy store
+
+* Fri Jul 03 2015 Petr Lautrbach 2.4-0.6
+- policycoreutils: semanage: update to new source policy infrastructure
+- semanage: move permissive module creation to /tmp
+
+* Thu Jun 18 2015 Fedora Release Engineering - 2.3-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 06 2015 Petr Lautrbach 2.3-17
+- setfiles/restorecon: fix -r/-R option (#1211721)
+
+* Mon Apr 13 2015 Petr Lautrbach 2.4-0.4
+- Update to upstream 2.4
+
+* Tue Feb 24 2015 Petr Lautrbach 2.3-16
+- Temporary removed Requires:audit-libs-python from policycoreutils-python3 subpackage (#1195139)
+- Simplication of sepolicy-manpage web functionality (#1193552)
+
+* Mon Feb 02 2015 Petr Lautrbach 2.3-15
+- We need to cover file_context.XXX.homedir to have fixfiles with exclude_dirs working correctly
+- Use dnf instead of yum (#1156547)
+
+* Tue Nov 18 2014 Dan Walsh - 2.3-14
+- Audit2allow will check for mislabeled files, and tells user to fix the label.
+- Also checks for basefiles and suggests creating a different label.
+- Patch from Ryan Hallisey
+
+* Wed Nov 5 2014 Miroslav Grepl - 2.3-13
+- Switch back to yum. Need additional fixes to make it working correctly.
+
+* Wed Nov 5 2014 Miroslav Grepl - 2.3-12
+- Switch over to dnf from yum
+
+* Tue Sep 23 2014 Miroslav Grepl - 2.3-11
+- Improvements to audit2allow from rhallise@redhat.com
+ * Check for mislabeled files.
+ * Check for base file use and
+ * Suggest writable files as alternatives
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.3-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Aug 4 2014 Dan Walsh - 2.3-9
+- Remove build requires for openbox, not needed
+
+* Thu Jul 31 2014 Tom Callaway - 2.3-8
+- fix license handling
+
+* Wed Jul 23 2014 Miroslav Grepl - 2.3-7
+- Examples are no longer in the main semanage man page (#1084390)
+- Add support for Fedora22 man pages. We need to fix it to not using hardcoding.
+- Print usage for all mutually exclusive options.
+- Fix selinux man page to refer seinfo and sesearch tools.
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember - 2.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue May 20 2014 Miroslav Grepl - 2.3-4
+- Fix setfiles to work correctly if -r option is defined
+
+* Fri May 16 2014 Dan Walsh - 2.3-3
+- Update Miroslav Grepl Patches
+ * If there is no executable we don't want to print a part of STANDARD FILE CON
+ * Add-manpages-for-typealiased-types
+ * Make fixfiles_exclude_dirs working if there is a substituion for the given d
+
+* Mon May 12 2014 Miroslav Grepl - 2.3-2
+- If there is no executable we don't want to print a part of STANDARD FILE CONTEXT
+
+* Tue May 6 2014 Dan Walsh - 2.3-1
+- Update to upstream
+ * Add -P semodule option to man page from Dan Walsh.
+ * selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
+ * Add new icons for sepolicy gui from Dan Walsh.
+ * Only return writeable files that are enabled from Dan Walsh.
+ * Add domain to short list of domains, when -t and -d from Dan Walsh.
+ * Fix up desktop files to match current standards from Dan Walsh.
+ * Add support to return sensitivities and categories for python from Dan Walsh.
+ * Cleanup whitespace from Dan Walsh.
+ * Add message to tell user to install sandbox policy from Dan Walsh.
+ * Add systemd unit file for mcstrans from Laurent Bigonville.
+ * Improve restorecond systemd unit file from Laurent Bigonville.
+ * Minor man pages improvements from Laurent Bigonville.
+
+* Tue May 6 2014 Miroslav Grepl - 2.2.5-15
+- Apply patch to use setcon in seunshare from luto@mit.edu
+
+* Wed Apr 30 2014 Dan Walsh - 2.2.5-14
+- Remove requirement for systemd-units
+
+* Fri Apr 25 2014 Miroslav Grepl - 2.2.5-13
+- Fix previous Fix-STANDARD_FILE_CONTEXT patch to exclude if non_exec does not exist
+
+* Thu Apr 24 2014 Miroslav Grepl - 2.2.5-12
+- Add policycoreutils-rhat-revert.patch to revert the last two commits to make build working
+- Add 0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages patch
+
+* Tue Apr 1 2014 Dan Walsh - 2.2.5-11
+- Update Translations
+
+* Thu Mar 27 2014 Miroslav Grepl - 2.2.5-10
+- Add support for Fedora21 html manpage structure
+- Fix broken dependencies to require only usermode-gtk
+
+* Wed Mar 26 2014 Dan Walsh - 2.2.5-9
+- mgrepl [PATCH] Deleteall user customization fails if there is a user used
+- for the default login. We do not want to fail on it and continue to delete
+- customizations for users which are not used for default login.
+
+* Mon Mar 24 2014 Dan Walsh - 2.2.5-8
+- Update Translations
+- Make selinux-policy build working also on another architectures related to s
+- Miroslav grepl patch to fix the creation of man pages on different architectures.
+- Add ability to list the actual active modules
+- Fix spelling mistake on sesearch in generate man pages.
+
+* Fri Feb 14 2014 Dan Walsh - 2.2.5-7
+- Allow manpages to be built on aarch64
+
+* Fri Feb 14 2014 Dan Walsh - 2.2.5-6
+- Don't be verbose in fixfiles if there is not tty
+
+* Thu Feb 13 2014 Dan Walsh - 2.2.5-5
+- Yum should only be required for policycoreutils-devel
+
+* Tue Jan 21 2014 Dan Walsh - 2.2.5-4
+- Update translations
+
+* Thu Jan 16 2014 Dan Walsh - 2.2.5-3
+- Add Miroslav patch to
+- Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Wed Jan 8 2014 Dan Walsh - 2.2.5-2
+- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
+
+* Mon Jan 6 2014 Dan Walsh - 2.2.5-1
+- Update to upstream
+ * Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
+
+* Fri Jan 3 2014 Dan Walsh - 2.2.4-8
+- Update Tranlations
+- Patch from Yuri Chornoivan to fix typos
+
+* Fri Jan 3 2014 Dan Walsh - 2.2.4-7
+- Fixes Customized booleans causing a crash of the sepolicy gui
+
+* Fri Dec 20 2013 Dan Walsh - 2.2.4-6
+- Fix sepolicy gui selection for advanced screen
+- Update Translations
+- Move requires checkpolicy requirement into policycoreutils-python
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-5
+- Fix semanage man page description of import command
+- Fix policy kit file to allow changing to permissive mode
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-4
+- Fix broken dependencies.
+
+* Fri Dec 13 2013 Dan Walsh - 2.2.4-3
+- Break out python3 code into separate package
+
+* Fri Dec 6 2013 Dan Walsh - 2.2.4-2
+- Add mgrepl patch
+- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
+
+* Tue Dec 3 2013 Dan Walsh - 2.2.4-1
+- Update to upstream
+ * Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
+- Add patches for sepolicy gui from mgrepl to
+ Fix advanced_item_button_push() to allow to select an application in advanced search menu
+ Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Fri Nov 22 2013 Dan Walsh - 2.2.3-1
+- Update to upstream
+ * Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
+ * Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
+- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
+
+* Wed Nov 20 2013 Dan Walsh - 2.2.2-2
+- Fix selinux-polgengui, get_all_modules call
+
+* Fri Nov 15 2013 Dan Walsh - 2.2.2-1
+- Speed up startup time of sepolicy gui
+- Clean up ports screen to only show enabled ports.
+- Update to upstream
+ * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
+ * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
+ * Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
+
+* Thu Oct 31 2013 Dan Walsh - 2.2-2
+- Shift around some of the files to more appropriate packages.
+ * semodule_* packages are required for devel.
+
+* Thu Oct 31 2013 Dan Walsh - 2.2-1
+- Update to upstream
+ * Properly build the swig exception file from Laurent Bigonville.
+ * Fix man pages from Laurent Bigonville.
+ * Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
+ * Fix LDFLAGS usage from Laurent Bigonville.
+ * Fix init_policy warning from Laurent Bigonville.
+ * Fix semanage logging from Laurent Bigonville.
+ * Open newrole stdin as read/write from Sven Vermeulen.
+ * Fix sepolicy transition from Sven Vermeulen.
+ * Support overriding CFLAGS from Simon Ruderich.
+ * Create correct man directory for run_init from Russell Coker.
+ * restorecon GLOB_BRACE change from Michal Trunecka.
+ * Extend audit2why to report additional constraint information.
+ * Catch IOError errors within audit2allow from Dan Walsh.
+ * semanage export/import fixes from Dan Walsh.
+ * Improve setfiles progress reporting from Dan Walsh.
+ * Document setfiles -o option in usage from Dan Walsh.
+ * Change setfiles to always return -1 on failure from Dan Walsh.
+ * Improve setsebool error r eporting from Dan Walsh.
+ * Major overhaul of gui from Dan Walsh.
+ * Fix sepolicy handling of non-MLS policy from Dan Walsh.
+ * Support returning type aliases from Dan Walsh.
+ * Add sepolicy tests from Dan Walsh.
+ * Add org.selinux.config.policy from Dan Walsh.
+ * Improve range and user input checking by semanage from Dan Walsh.
+ * Prevent source or target arguments that end with / for substitutions from Dan Walsh.
+ * Allow use of <> for semanage fcontext from Dan Walsh.
+ * Report customized user levels from Dan Walsh.
+ * Support deleteall for restoring disabled modules from Dan Walsh.
+ * Improve semanage error reporting from Dan Walsh.
+ * Only list disabled modules for module locallist from Dan Walsh.
+ * Fix logging from Dan Walsh.
+ * Define new constants for file type character codes from Dan Walsh.
+ * Improve bash completions from Dan Walsh.
+ * Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
+ * Add semanage tests from Dan Walsh.
+ * Split semanage man pages from Dan Walsh.
+ * Move bash completion scripts from Dan Walsh.
+ * Replace genhomedircon script with a link to semodule from Dan Walsh.
+ * Fix fixfiles from Dan Walsh.
+ * Add support for systemd service for restorecon from Dan Walsh.
+ * Spelling corrections from Dan Walsh.
+ * Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
+ * Switch sandbox to openbox window manager from Dan Walsh.
+ * Coalesce audit2why and audit2allow from Dan Walsh.
+ * Change audit2allow to append to output file from Dan Walsh.
+ * Update translations from Dan Walsh.
+ * Change audit2why to use selinux_current_policy_path from Dan Walsh.
+
+* Fri Oct 25 2013 Dan Walsh - 2.1.14-89
+- Fix handling of man pages.
+
+* Wed Oct 16 2013 Dan Walsh - 2.1.14-88
+- Cleanup errors found by pychecker
+- Apply patch from Michal Trunecka to allow restorecon to handle {} in globs
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-87
+- sepolicy gui
+ - mgrepl fixes for users and login
+- Update Translations.
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-86
+- sepolicy gui
+ - mgrepl added delete screens for users and login
+ - Fix lots of bugs.
+- Update Translations.
+
+* Fri Oct 4 2013 Dan Walsh - 2.1.14-85
+- Fixes for fixfiles
+ * exclude_from_dirs should apply to all types of restorecon calls
+ * fixfiles check now works
+ * exit with the correct status
+- semanage no longer import selinux
+
+* Wed Oct 2 2013 Dan Walsh - 2.1.14-84
+- Fixes for sepolicy gui
+- Fix setsebool to return 0 on success
+- Update Po
+
+* Mon Sep 30 2013 Dan Walsh - 2.1.14-83
+- Fix sizes of help screens in sepolicy gui
+
+* Sat Sep 28 2013 Dan Walsh - 2.1.14-82
+- Improvements to sepolicy gui
+ - Add more help information
+ - Cleanup code
+ - Add deny_ptrace on lockdown screen
+ - Make unconfined/permissivedomains lockdown work
+ - Add more support for file equivalency
+
+* Wed Sep 18 2013 Dan Walsh - 2.1.14-81
+- Add back in the help png files
+- Begin Adding support for file equivalency.
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-80
+- Random fixes for sepolicy gui
+ * Do not prompt for password until you make a change
+ * Add user mappings and selinux users page
+ * lots of code cleanup
+- Verify homedir is owned by user before mounting over it with seunshare
+- Fix fixfiles to handle Relabel properly
+- Fix semanage fcontext -e / command to allow "/"
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-79
+- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
+- Additional help screens for sepolicy gui
+
+* Tue Sep 3 2013 Dan Walsh - 2.1.14-78
+- Random fixes for sepolicy gui
+- Update Translations
+
+* Fri Aug 30 2013 Dan Walsh - 2.1.14-77
+- Add help screens for each page
+- Fixes for system page
+
+* Mon Aug 26 2013 Dan Walsh - 2.1.14-76
+- Add Miroslav Grepl Patch to handle semanage -i and semanage -o better
+- Update Translations
+
+* Thu Aug 15 2013 Dan Walsh - 2.1.14-75
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage fcontext -a --ftype code to work.
+
+* Wed Aug 7 2013 Dan Walsh - 2.1.14-74
+- If policy is not installed get_bools should not crash
+
+* Wed Aug 7 2013 Dan Walsh - 2.1.14-73
+- Fix doc versioning
+
+* Tue Aug 6 2013 Dan Walsh - 2.1.14-72
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage argparse problems
+
+* Fri Aug 2 2013 Dan Walsh - 2.1.14-71
+- Update sepolicy gui code, adding dbus calls
+- Update Translations
+
+* Fri Jul 26 2013 Dan Walsh - 2.1.14-70
+- Fix semanage argparse bugs
+- Update Translations
+- Add test suite for semanage command lines
+
+* Wed Jul 24 2013 Dan Walsh - 2.1.14-69
+- Fix semanage argparse bugs
+
+* Tue Jul 23 2013 Dan Walsh - 2.1.14-68
+- Fix bugs introduced by previous patch. semanage port
+- Update Translations
+- Add test suite for sepolicy command lines
+
+* Fri Jul 19 2013 Dan Walsh - 2.1.14-67
+- Fix bugs introduced by previous patch.
semanage port
+- Update Translations
+
+* Wed Jul 17 2013 Dan Walsh - 2.1.14-66
+- Rewrite argparse code in semanage and fix reload problem.
+
+* Tue Jul 16 2013 Dan Walsh - 2.1.14-65
+- Do not generate shell script or spec file for sepolicy generate --newtype
+- Update translations
+- Fix sepolicy generate --admin_user man page again
+- Fix setsebool to print less verbose error messages by default, add -V for ve
+
+* Mon Jul 15 2013 Dan Walsh - 2.1.14-64
+- Move audit2allow and audit2why back into -python package
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-63
+- Update sepolicy gui.
+- Error out of you call sepolicy gui without policycoreutils-gui package installed
+- Fix semanage login -d command
+- Update Translations
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-62
+- Update sepolicy gui.
+
+* Fri Jul 5 2013 Dan Walsh - 2.1.14-61
+- Add Ryan Hallisey sepolicy gui.
+- Update Translations
+
+* Mon Jun 24 2013 Dan Walsh - 2.1.14-60
+- Fix semanage module error handling
+
+* Sun Jun 23 2013 Dan Walsh - 2.1.14-59
+- Add back default exception handling for errors, which argparse rewrite removed.
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-58
+- Fix generation of booleans in man pages
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-57
+- Remove requires for systemd-sysv
+- Move systemd-units require to restorecond section
+- Update Tranlasions
+- More sepolicy interfaces for gui
+- Cleanup man pages for sepolicy generate
+
+* Wed Jun 19 2013 Dan Walsh - 2.1.14-56
+- Fix semanage export/import commands
+- Fix semange module command
+- Remove --version option from sandbox
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-55
+- Add man page doc for --role and bash complestion support for sepolicy --role
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-54
+- Make fcdict return a dictionary of dictionaries
+- Fix for sepolicy manpage
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-53
+- Add new man pages for each semanage subsection
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-52
+- Fix handling of sepolicy network sorting.
+- Additional interfaces needed for sepolicy gui
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-51
+- Fix handling of semanage args
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-50
+- Fix sepolicy generate --confined_admin to generate tunables
+- Add new interface to generate entrypoints for use with new gui
+
+* Wed Jun 5 2013 Dan Walsh - 2.1.14-49
+- Fix handing of semanage with no args
+
+* Tue Jun 4 2013 Dan Walsh - 2.1.14-48
+- Fix audit2allow -o to open file for append
+- Fix the name of the spec file generated in the build script
+
+* Fri May 31 2013 Dan Walsh - 2.1.14-47
+- Fix mgrepl patch to support all semanage command parsing
+
+* Sun May 26 2013 Dan Walsh - 2.1.14-46
+- Fix the name of the spec file generated in the build script
+- Add mgrepl patch to support argparse for semanage command parsing
+
+* Tue May 21 2013 Dan Walsh - 2.1.14-45
+- Fix sandbox to always use sandbox_file_t, so generated policy will work.
+- Update Translations
+
+* Thu May 16 2013 Dan Walsh - 2.1.14-44
+- Fix sepolicy-generate man page to clear up options/policy type
+- Add Miroslav Grepl to not generate man page when doing
+ sepolicy generate --customize
+- Add support for executing semanage user within spec file
+- Fix generation of confined admin domains, to handle booleans properly.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-43
+- Need to handle gziped policy.xml as well as not compressed.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-42
+- Add support for Xephyr -resizable, so sandbox can now resize window
+- Add support for compressed policy.xml
+- Miroslav Grepl patch to allow sepolicy interface on individual interface fil
+- Also add capability to test interfaces for correctness.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-41
+- Apply patches from Sven Vermeulen for sepolgen to fix typos.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-40
+- Only require selinux-policy-devel for policycoreutils-devel, this will shrink the size of the livecd.
+
+* Sun May 12 2013 Dan Walsh - 2.1.14-39
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed, first time
+- Add Sven Vermeulen patches to cleanup man pages
+
+* Fri May 10 2013 Dan Walsh - 2.1.14-38
+- No longer run sepolgen-ifgen at install time.
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed.
+- Update Translations
+
+* Mon Apr 22 2013 Dan Walsh - 2.1.14-37
+- Fix exceptionion hanling in audit2allow -o
+- Generate Man pages for everydomain, not just ones with exec_t entrypoints
+- sepolicy comunicate should return ValueError not TypeError
+- Trim header line in sepolicy manpage to use less space
+- Add missing options to restorecon man page
+
+* Thu Apr 11 2013 Dan Walsh - 2.1.14-36
+- Raise proper Exception on sepolicy communicate with invalid value
+
+* Wed Apr 10 2013 Dan Walsh - 2.1.14-35
+- Update translations
+- Add patch by Miroslav Grepl to add compile test for sepolicy interface command.
+
+* Tue Apr 9 2013 Dan Walsh - 2.1.14-34
+- Update translations
+- Add patch inspired by Miroslav Grepl to add extended information for sepolicy interface command.
+
+* Mon Apr 8 2013 Dan Walsh - 2.1.14-33
+- Update translations
+- Add missing man pages and fixup existing man pages
+
+* Wed Apr 3 2013 Dan Walsh - 2.1.14-32
+- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
+- Apply Miroslav Grepl Patches for sepolicy
+-- Fix generate mutually groups option handling
+-- EUSER is used for existing policy
+-- customize options can be used together with admin_domain option
+-- Fix manpage.py to generate correct man pages for SELinux users
+-- Fix policy *.te file generated by customize+writepaths options
+-- Fix install script for confined_admin option
+
+* Mon Apr 1 2013 Dan Walsh - 2.1.14-31
+- Add post install scripts for gui to make sure Icon Cache is refreshed.
+- Fix grammar issue in secon man page
+- Update Translations
+
+* Thu Mar 28 2013 Dan Walsh - 2.1.14-30
+- Add buildrequires for OpenBox to prevent me from accidently building into RHEL7
+- Add support for returning alias data to sepolicy.info python bindings
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-28
+- Fix audit2allow output to better align analysys with the allow rules
+- Apply Miroslav Grepl patch to clean up sepolicy generate usage
+- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
+- Update Tranlslations
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-27
+- Allow semanage fcontext -a -t "<>" ... to work
+
+* Mon Mar 25 2013 Dan Walsh - 2.1.14-26
+- Can not unshare IPC in sandbox, since it blows up Xephyr
+- Remove bogus error message sandbox about reseting setfsuid
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-25
+- Fix sepolicy generate --customize to generate policy with -w commands
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
+* Tue Mar 19 2013 Dan Walsh - 2.1.14-23
+- sepolicy manpage:
+- use nroff instead of man2html
+- Remove checking for name of person who created the man page
+- audit2allow
+- Fix output to show the level that is different.
+
+* Thu Mar 14 2013 Dan Walsh - 2.1.14-22
+- Fix newrole to not drop capabilities from the bounding set.
+- Stop dropping capabilities from its children.
+- Add better error messages.
+- Change location of bash_completion files to /usr/share/bash-completion/compl
+
+* Mon Mar 11 2013 Dan Walsh - 2.1.14-21
+- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
+
+* Thu Mar 7 2013 Dan Walsh - 2.1.14-20
+- Mention creation of permissive domains in sepolicy generate man page
+- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
+- Fix audit2allow to show better information on constraint violations.
+
+* Wed Mar 6 2013 Dan Walsh - 2.1.14-19
+- Have restorecon exit -1 on errors for consistancy.
+
+* Tue Mar 5 2013 Dan Walsh - 2.1.14-18
+- Need to provide a value to semanage boolean -m
+
+* Mon Mar 4 2013 Dan Walsh - 2.1.14-17
+- Fix cut and paste errors for sepolicy network command
+
+* Fri Mar 1 2013 Dan Walsh - 2.1.14-16
+- Fix sepoicy interface to work properly
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-15
+- Fix fixfiles to use exclude_dirs on fixfiles restore
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-14
+- Allow users with symlinked homedirs to work. call realpath on homedir
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Dan Walsh - 2.1.14-13
+- Update trans
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Rahul Sundaram - 2.1.14-13
+- remove vendor tag from desktop file. https://fedorahosted.org/fpc/ticket/247
+- clean up spec to follow current guidelines
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-12
+- Do not load interface file by default when sepolicy is called, mov get_all_methods to the sepolicy package
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-11
+- sepolgen-ifgen should use the current policy path if selinux is enabled
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-10
+- Fix sepolicy to be able to work on an SELinux disabled system.
+- Needed to be able to build man pages in selinux-policy package
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-9
+- Add yum to requires of policycoreutils-python since sepolicy requires it.
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-8
+- Sepolixy should not throw an exception on an SELinux disabled machine
+- Switch from using console app to using pkexec, so we will work better
+with policykit.
+- Add missing import to fix system-config-selinux startup
+- Add comment to pamd files about pam_rootok.so
+- Fix sepolicy generate to not comment out the first line
+
+* Wed Feb 20 2013 Dan Walsh - 2.1.14-7
+- Add --root/-r flag to sepolicy manpage,
+- This allows us to generate man pages on the fly in the selinux-policy build
+
+* Mon Feb 18 2013 Dan Walsh - 2.1.14-6
+- Fix newrole to retain cap_audit_write when compiled with namespace, also
+do not drop capabilities when run as root.
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-5
+- Fix man page generation and public_content description
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-4
+- Revert some changes which are causing the wrong policy version file to be created
+- Switch sandbox to start using openbox rather then matchbox
+- Make sepolgen a symlink to sepolicy
+- update translations
+
+* Wed Feb 13 2013 Dan Walsh - 2.1.14-3
+- Fix empty system-config-selinux.png, again
+
+* Tue Feb 12 2013 Dan Walsh - 2.1.14-2
+- Fix empty system-config-selinux.png
+
+* Thu Feb 7 2013 Dan Walsh - 2.1.14-1
+- Update to upstream
+ * setfiles: estimate percent progress
+ * load_policy: make link at the destination directory
+ * Rebuild polgen.glade with glade-3
+ * sepolicy: new command to unite small utilities
+ * sepolicy: Update Makefiles and po files
+ * sandbox: use sepolicy to look for sandbox_t
+ * gui: switch to use sepolicy
+ * gui: sepolgen: use sepolicy to generate
+ * semanage: use sepolicy for boolean dictionary
+ * add po file configuration information
+ * po: stop running update-po on all
+ * semanage: seobject verify policy types before allowing you to assign them.
+ * gui: Start using Popen, instead of os.spawnl
+ * sandbox: Copy /var/tmp to /tmp as they are the same inside
+ * qualifier to shred content
+ * semanage: Fix handling of boolean_sub names when using the -F flag
+ * semanage: man: roles instead of role
+ * gui: system-config-selinux: Catch no DISPLAY= error
+ * setfiles: print error if no default label found
+ * semanage: list logins file entries in semanage login -l
+ * semanage: good error message is sepolgen python module missing
+ * gui: system-config-selinux: do not use lokkit
+ * secon: add support for setrans color information in prompt output
+ * restorecond: remove /etc/mtab from default list
+ * gui: If you are not able to read enforcemode set it to False
+ * genhomedircon: regenerate genhomedircon more often
+ * restorecond: Add /etc/udpatedb.conf to restorecond.conf
+ * genhomedircon generation to allow spec file to pass in SEMODULE_PATH
+ * fixfiles: relabel only after specific date
+ * po: update translations
+ * sandbox: seunshare: do not reassign realloc value
+ * seunshare: do checking on setfsuid
+ * sestatus: rewrite to shut up coverity
+
+* Thu Jan 31 2013 Dan Walsh - 2.1.12-58
+- Reorginize sepolicy so all get_all functions are in main module
+- Add -B capability to fixfiles onboot and fixfiles restore, basically searches for all files created since the last boot.
+
+* Fri Jan 25 2013 Dan Walsh - 2.1.12-57
+- Update to latest patches from eparis/Upstream
+- fixfiles onboot will write any flags handed to it to /.autorelabel.
+- * Patch sent to initscripts to have fedora-autorelabel pass flags back to fixfiles restore
+- * This should allow fixfiles -F onboot, to force a hard relabel.
+- Add -p to show progress on full relabel.
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-56
+- Additional changes for bash completsion and generate man page to match the w
+- Add newtype as a new qualifier to sepolicy generate.
This new mechanism wil
+- a policy write to generate types after the initial policy has been written a
+- will autogenerate all of the interfaces.
+- I also added a -w options to allow policy writers from the command line to s
+- the writable directories of files.
+-
+- Modify network.py to include interface definitions for newly created port type
+- Standardize of te_types just like all of the other templates.
+- Change permissive domains creation to raise exception if sepolgen is not ins
+- get_te_results no longer needs or uses the opts parameter.
+- The compliler was complaining so I just removed the option.
+- Start returning analysis data for audit2allow
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-55
+- Update Translations
+- Fix handling of semanage generate --cgi -n MODULE PATHTO/CGI
+- This fixes the spec file and script file getting wrong names for modules and types.
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-54
+- Additional patch from Miroslav to handle role attributes
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-53
+- Update with Miroslav patch to handle role attributes
+- Update Translations
+- import sepolicy will only throw exception on missing policy iff selinux is enabled
+
+* Sat Jan 5 2013 Dan Walsh - 2.1.12-52
+- Update to latest patches from eparis/Upstream
+- secon: add support for setrans color information in prompt output
+- Update translations
+
+* Fri Jan 4 2013 Dan Walsh - 2.1.12-51
+- Update translations
+- Fix sepolicy booleans to handle autogenerated booleans descriptions
+- Cleanups of sepolicy manpage
+- Fix crash on git_shell man page generation
+
+* Thu Jan 3 2013 Dan Walsh - 2.1.12-50
+- Update translations
+- update sepolicy manpage to generate fcontext equivalence data and to list
+default file context paths.
+- Add ability to generate policy for confined admins and domains like puppet.
+
+* Thu Dec 20 2012 Dan Walsh - 2.1.12-49
+- Fix semanage permissive , this time with the patch.
+- Update translations
+
+* Wed Dec 19 2012 Dan Walsh - 2.1.12-48
+- Fix semanage permissive
+- Change to use correct gtk forward button
+- Update po
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-47
+- Move audit2why to -devel package
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-46
+- sepolicy transition was blowing up. Also cleanup output when only source is specified.
+- sepolicy generate should allow policy modules names that include - or _
+
+* Mon Dec 10 2012 Dan Walsh - 2.1.12-45
+- Apply patch from Miroslav to display proper range description in man pages g
+- Should print warning on missing default label when run in recusive mode iff
+- Remove extra -R description, and fix recursive description
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-44
+- Additional fixes for disabled SELinux Box
+- system-config-selinux no longer relies on lokkit for /etc/selinux/config
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-43
+- sepolicy should failover to installed policy file on a disabled SELinux box, if it exists.
+
+* Wed Dec 5 2012 Dan Walsh - 2.1.12-42
+- Update Translations
+- sepolicy network -d needs to accept multiple domains
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-41
+- Add --path as a parameter to sepolicy generate
+- Print warning message if program does not exists when generating policy, and do not attempt to run nm command
+- Fix sepolicy generate -T to not take an argument, and supress the help message
+- Since this is really just a testing tool
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-40
+- Fix sepolicy communicate to handle invalid input
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-39
+- Fix sepolicy network -p to handle high ports
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-38
+- Fix handling of manpages without entrypoints, nsswitch domains
+- Update Translations
+
+* Wed Nov 28 2012 Dan Walsh - 2.1.12-37
+- Move sepogen python bindings back into policycoreutils-python out of -devel, since sepolicy is using the
+
+* Tue Nov 27 2012 Dan Walsh - 2.1.12-36
+- Fix sepolicy/__init__.py to
handle _()
+
+* Wed Nov 21 2012 Dan Walsh - 2.1.12-35
+- Add Miroslav Grepl patch to create etc_rw_t sock files policy
+
+* Fri Nov 16 2012 Dan Walsh - 2.1.12-34
+- Fix semanage to work without policycoreutils-devel installed
+- Update translations
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-33
+- Fix semanage login -l to list contents of /etc/selinux/POLICY/logins directory
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-32
+- Fix booleansPage not showing booleans
+- Fix audit2allow -b
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-31
+- Fix sepolicy booleans again
+- Fix man page
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-30
+- Move policy generation tools into policycoreutils-devel
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-29
+- Document and fix sepolicy booleans
+- Update Translations
+- Fix several spelling mistakes
+
+* Wed Nov 7 2012 Dan Walsh - 2.1.12-27
+- Only report restorecon warning for missing default label, if not running
+recusively
+- Update translations
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-26
+- Fix semanage booleans -l, move more boolean_dict handling into sepolicy
+- Update translations
+- Fixup sepolicy generate to discover /var/log, /var/run and /var/lib directories if they match the name
+- Fix kill function call should indicate signal_perms not kill capability
+- Error out cleanly in system-config-selinux, if it can not contact XServer
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-25
+- Remove run_init, no longer needed with systemd.
+- Fix sepolicy generate to not include subdirs in generated fcontext file.
(mgrepl patch)
+
+* Sat Nov 3 2012 Dan Walsh - 2.1.12-24
+- Fix manpage to generate proper man pages for alternate policy,
+basically allow me to build RHEL6 man pages on a Fedora 18 box, as long as
+I pull the policy, policy.xml and file_contexts and file_contexts.homedir
+
+* Thu Nov 1 2012 Dan Walsh - 2.1.12-23
+- Fix some build problems in sepolicy manpage and sepolicy transition
+
+* Tue Oct 30 2012 Dan Walsh - 2.1.12-22
+- Add alias man pages to sepolicy manpage
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-21
+- Redesign sepolicy to only read the policy file once, not for every call
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-20
+- Fixes to sepolicy transition, allow it to list all transitions from a domain
+
+* Sat Oct 27 2012 Dan Walsh - 2.1.12-19
+- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network
+
+* Fri Oct 26 2012 Dan Walsh - 2.1.12-18
+- Allow sepolicy to specify the policy to generate content from
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-17
+- Fix semanage boolean -F to handle boolean subs
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-16
+- Add Miroslav Grepl patch to generate html man pages
+- Update Translations
+- Add option to sandbox to shred files before deleting
+
+* Mon Oct 22 2012 Dan Walsh - 2.1.12-15
+- Add Requires(post) PKGNAME to sepolicy generate /usr/bin/pkg
+
+* Fri Oct 19 2012 Dan Walsh - 2.1.12-14
+- Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for setools-cmdline in gui tools.
+- Fix man page generator.
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-13
+- Remove dwalsh@redhat.com from man pages
+- Fix spec file for sepolicy generate
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-12
+- Add missing spec.py from templates directory needed for sepolicy generate
+- Add /var/tmp as collection point for sandbox apps.
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-11
+- Handle audit2allow -b in foreign locales
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-10
+- Update sepolicy generate with patch to create spec file and man page.
+- Patch initiated by Miroslav Grepl
+
+* Wed Oct 10 2012 Dan Walsh - 2.1.12-9
+- Fix semanage to verify that types are appropriate for commands.
+ * Patch initiated by mgrepl
+ * Fixes problem of specifying non file_types for fcontext, or not port_types for semanage port
+
+* Tue Oct 9 2012 Dan Walsh - 2.1.12-8
+- Fix typo in preunstall line for restorecond
+- Add mgrepl patch to consolidate file context generated by sepolicy generate
+
+* Mon Oct 8 2012 Dan Walsh - 2.1.12-7
+- Fix manpage generation, missing import
+- Add equiv_dict to get samba booleans into smbd_selinux
+- Add proper translations for booleans and remove selinux.tbl
+
+* Sat Oct 6 2012 Dan Walsh - 2.1.12-6
+- Fix system-config-selinux to use sepolicy.generate instead of sepolgen
+
+* Thu Oct 4 2012 Dan Walsh - 2.1.12-5
+- Add sepolicy commands, and change tools to use them.
+
+* Tue Sep 25 2012 Dan Walsh - 2.1.12-4
+- Rebuild without bogus prebuild 64 bit seunshare app
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-3
+- Allow fixfiles to specify -v, so they can get verbosity rather then progress.
+- Fix load_file Makefile to use SBINDIR rather then real OS.
+- Fix man pages in setfiles and restorecon to reflect what happens when you relabel the entire OS.
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-2
+- Use systemd post install scriptlets
+
+* Thu Sep 13 2012 Dan Walsh - 2.1.12-1
+- Update to upstream
+ * genhomedircon: manual page improvements
+ * setfiles/restorecon minor improvements
+ * run_init: If open_init_pty is not available then just use exec
+ * newrole: do not drop capabilities when newrole is run as
+ * restorecon: only update type by default
+ * scripts: Don't syslog setfiles changes on a fixfiles restore
+ * setfiles: do not syslog if no changes
+ * Disable user restorecond by default
+ * Make restorecon return 0 when a file has changed context
+ * setfiles: Fix process_glob error handling
+ * semanage: allow enable/disable under -m
+ * add .tx to gitignore
+ * translations: commit translations from Fedora community
+ * po: silence build process
+ * gui: Checking in policy to support polgengui and sepolgen.
+ * gui: polgen: search for systemd subpackage when generating policy
+ * gui: for exploring booleans
+ * gui: system-config-selinux gui
+ * Add Makefiles to support new gui code
+ * gui: remove lockdown wizard
+ * return equivalency records in fcontext customized
+ * semanage: option to not load new policy into kernel after
+ * sandbox: manpage update to describe standard types
+ * setsebool: -N should not reload policy on changes
+ * semodule: Add -N qualifier to no reload kernel policy
+ * gui: polgen: sort selinux types of user controls
+ * gui: polgen: follow symlinks and get the real path to
+ * gui: Fix missing error function
+ * setfiles: return errors when bad paths are given
+ * fixfiles: tell restorecon to ignore missing paths
+ * setsebool: error when setting multiple options
+ * semanage: use boolean subs.
+ * sandbox: Make sure Xephyr never listens on tcp ports + * sepolgen: return and output constraint violation information + * semanage: skip comments while reading external configuration files + * restorecond: relabel all mount runtime files in the restorecond example + * genhomedircon: dynamically create genhomedircon + * Allow returning of bastard matches + * sepolgen: return and output constraint violation information + * audit2allow: one role/type pair per line + +* Wed Aug 8 2012 Dan Walsh - 2.1.11-6 +- Change polgen to generate dbus apps as optional so they can compile on minimal policy system, patch from Miroslav Grepl + +* Fri Jul 27 2012 Dan Walsh - 2.1.11-5 +- Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly + +* Thu Jul 19 2012 Dan Walsh - 2.1.11-4 +- Fix restorecon to generate a better percentage of completion on restorecon -R /. +- Have audit2allow look at the constaint violation and tell the user whether it +- is because of user,role or level + +* Wed Jul 11 2012 Dan Walsh - 2.1.11-3 +- userapps is generating sandbox code in polgengui + +* Thu Jul 5 2012 Dan Walsh - 2.1.11-2 +- Remove load_policy symbolic link on usrmove systems this breaks the system + +* Wed Jul 4 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + - policycoreutils + * restorecond: wrong options should exit with non-zero error code + * restorecond: Add -h option to get usage command + * resorecond: user: fix fd leak + * mcstrans: add -f to run in foreground + * semanage: fix man page range and level defaults + * semanage: bash completion for modules should include -a,-m, -d + * semanage: manpage update for -e + * semanage: dontaudit off should work + * semanage: locallist option does not take an argument + * sepolgen: Make use of setools optional within sepolgen + - sepolgen + * Make use of setools optional within sepolgen + * We need to support files that have a + in them + +* Thu May 24 2012 Dan Walsh - 2.1.11-18 +- Make restorecon exit with an error 
on a bad path + +* Thu May 24 2012 Dan Walsh - 2.1.11-17 +- Fix setsebool command, handling of = broken. +- Add missing error option in booleansPage + +* Sun May 20 2012 Dan Walsh - 2.1.11-16 +- Fix sepolgen to use realpath on executables handed to it. - Brian Bickford + +* Fri May 18 2012 Dan Walsh - 2.1.11-15 +- Allow stream sock_files to be stored in /tmp and etc_rw_t directories by sepolgen +- Trigger on selinux-policy needs to change to selinux-policy-devel +- Update translations +- Fix semanage dontaudit off/on exception + +* Tue May 8 2012 Dan Walsh - 2.1.11-12 +- Add -N qualifier to semanage, setsebool and semodule to allow you to update +- policy without reloading it into the kernel. + +* Thu May 3 2012 Dan Walsh - 2.1.11-11 +- add some definition to the standard types available for sandboxes + +* Tue May 1 2012 Dan Walsh - 2.1.11-10 +- Remove lockdown wizard + +* Mon Apr 30 2012 Dan Walsh - 2.1.11-9 +- Fix semanage fcontext -E to extract the equivalance customizations. + +* Thu Apr 26 2012 Dan Walsh - 2.1.11-8 +- Add mgrepl patch to have sepolgen search for -systemd rpm packages + +* Tue Apr 24 2012 Dan Walsh - 2.1.11-7 +- Apply Stef Walter patch for semanage man page + +* Mon Apr 23 2012 Dan Walsh - 2.1.11-6 +- Rebuild to get latest libsepol which fixes the file_name transition problems +- Update translations +- Fix calls to close fd for restorecond + +* Fri Apr 13 2012 Dan Walsh - 2.1.11-5 +- Update translations +- Fix sepolgen to discover unit files in /lib/systemd/ + +* Tue Apr 3 2012 Dan Walsh - 2.1.11-4 +- Update translations +- Fix segfault on restorecon + +* Tue Apr 3 2012 Dan Walsh - 2.1.11-3 +- Allow filename transitions to use + in a file name + +* Fri Mar 30 2012 Dan Walsh - 2.1.11-2 +- Change policycoreutils-python to require selinux-policy-devel package + +* Thu Mar 29 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + - policycoreutils + * sandbox: do not propogate inside mounts outside + * sandbox: Removing sandbox init script, should no 
longer be necessary
+ * restorecond: Stop using deprecated interfaces for g_io
+ * semanage: proper auditting of user changes for LSPP
+ * semanage: audit message to show what record(s) and item(s) have chaged
+ * scripts: Update Makefiles to handle /usrmove
+ * mcstrans: Version should have been bumped on last check in
+ * seunshare: Only drop caps not the Bounding Set from seunshare
+ * Add bash-completion scripts for setsebool and semanage
+ * newrole: Use correct capng calls in newrole
+ * Fix infinite loop with inotify on 2.6.31 kernels
+ * fix ftbfs with hardening flags
+ * Only run setfiles if we found read-write filesystems to run it on
+ * update .po files
+ * remove empty po files
+ * do not fail to install if unable to make load_policy lnk file
+ - sepolgen
+ * Fix dead links to www.nsa.gov/selinux
+ * audit.py Dont crash if empty data is passed to sepolgen
+ * do not use md5 when calculating hash signatures
+ * fix detection of policy loads
+
+* Wed Mar 28 2012 Dan Walsh - 2.1.10-30
+- Have sepolgen script specify the pp file with the make command. From mgrepl.
+
+* Wed Mar 21 2012 Dan Walsh - 2.1.10-29
+- Fix sepolgen handling of unit files.
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-28
+- Require selinux-policy-doc
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-27
+- Fix unit file handling in sepolgen
+
+* Wed Feb 29 2012 Dan Walsh - 2.1.10-26
+- Add bash_command completion for setsebool/getsebool
+
+* Mon Feb 27 2012 Dan Walsh - 2.1.10-25
+- Disable restorecond on desktop by default
+- Change seunshare to not modify the bounding set
+
+* Mon Feb 20 2012 Dan Walsh - 2.1.10-24
+- Stop using sandbox init in post install since it no longer exists.
+
+* Thu Feb 16 2012 Dan Walsh - 2.1.10-23
+- Change to use new selinux_current_policy_path()
+
+* Wed Feb 15 2012 Dan Walsh - 2.1.10-22
+- Change to use new selinux_binary_policy_path()
+- Add systemd_passwd_agent_exec($1), and systemd_read_fifo_file_passwd_run($1) to templates for _admin interface
+
+* Fri Feb 3 2012 Dan Walsh - 2.1.10-21
+- On full relabels we will now show a estimated percent complete rather then
+just *s.
+
+* Wed Feb 1 2012 Dan Walsh - 2.1.10-20
+- Add unit_file.py for sepolgen
+
+* Tue Jan 31 2012 Dan Walsh - 2.1.10-19
+- Change sepolgen to use sha256 instead of md5
+
+* Mon Jan 30 2012 Dan Walsh - 2.1.10-18
+- Stop syslogging on full restore
+- Stop syslogging when restorecon is not changing values
+
+* Fri Jan 27 2012 Dan Walsh - 2.1.10-17
+- Change semanage to produce proper audit records for Common Criteria
+- Cleanup packaging for usrmove
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-16
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-15
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-14
+- fixed load_policy location
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-13
+- add filesystem guard
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-12
+- install everything in /usr
+ https://fedoraproject.org/wiki/Features/UsrMove
+
+* Tue Jan 24 2012 Dan Walsh - 2.1.10-11
+- restorecond fixes:
+ Stop using depracated g_io interfaces
+ Exit with non zero exit code if wrong options given
+ Add -h option
+
+* Thu Jan 19 2012 Dan Walsh - 2.1.10-10
+- Eliminate not needed Requires
+
+* Wed Jan 18 2012 Dan Walsh - 2.1.10-9
+- fix sepolgen to not crash on echo "" | audit2allow
+
+* Mon Jan 16 2012 Dan Walsh - 2.1.10-8
+- Remove sandbox init script, should no longer be necessary
+
+* Sun Jan 15 2012 Dan Walsh - 2.1.10-7
+- Add unit file support to sepolgen, and cleanup some of the output.
+
+* Mon Jan 9 2012 Dan Walsh - 2.1.10-5
+- Fix English in templates for sepolgen
+
+* Fri Dec 23 2011 Dan Walsh - 2.1.10-4
+- Fix the handling of namespaces in seunshare/sandbox.
+- Currently mounting of directories within sandbox is propogating to the
+- parent namesspace.
+
+* Thu Dec 22 2011 Dan Walsh - 2.1.10-3
+- Add umount code to seunshare to cleanup left over mounts of /var/tmp
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-2
+- Remove open_init_pty
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-1
+-Update to upstream
+- sepolgen
+ * better analysis of why things broke
+- policycoreutils
+ * Remove excess whitespace
+ * sandbox: Add back in . functions to sandbox.init script
+ * Fix Makefile to match other policycoreutils Makefiles
+ * semanage: drop unused translation getopt
+
+* Thu Dec 15 2011 Dan Walsh - 2.1.9-3
+- Bump libsepol version requires rebuild
+
+* Wed Dec 7 2011 Dan Walsh - 2.1.9-2
+- Add back accidently dropped patches for semanage
+
+* Tue Dec 6 2011 Dan Walsh - 2.1.9-1
+- Upgrade to upstream
+ * sandbox: move sandbox.conf.5 to just sandbox.5
+ * po: Makefile use -p to preserve times to allow multilib simultatious installs
+ * of po files
+ * sandbox: Allow user to specify the DPI value for X in a sandbox
+ * sandbox: make sure the domain launching sandbox has at least 100 categories
+ * sandbox: do not try forever to find available category set
+ * sandbox: only complain if sandbox unable to launch
+ * sandbox: init script run twice is still successful
+ * semanage: print local and dristo equiv rules
+ * semanage: check file equivalence rules for conflict
+ * semanage: Make sure semanage fcontext -l -C prints even if local keys
+ * are not defined
+ * semanage: change src,dst to target,substitute for equivalency
+ * sestatus: Updated sestatus and man pages.
+ * Added SELinux config file man page.
+ * add clean target to man Makefile
+
+* Wed Nov 30 2011 Dan Walsh - 2.1.8-8
+- Fix semange fcontext -a to check for more conflicts on equivalency
+
+* Tue Nov 29 2011 Dan Walsh - 2.1.8-7
+- Fix dpi handling in sandbox
+- Make sure semanage fcontext -l -C prints if only local equiv have changed
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-6
+- Add listing of distribution equivalence class from semanage fcontext -l
+- Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-5
+- Allow ~ as a valid part of a filename in sepolgen
+
+* Fri Nov 11 2011 Dan Walsh - 2.1.8-4
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-3
+- Allow user to specify DPI when running sandbox
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-2
+- Add Miroslav patch to return all attributes
+
+* Fri Nov 4 2011 Dan Walsh - 2.1.8-1
+- Upgrade to policycoreutils upstream
+ * sandbox: Maintain the LANG environment into the sandbox
+ * audit2allow: use audit2why internally
+ * fixfiles: label /root but not /var/lib/BackupPC
+ * semanage: update local boolean settings is dealing with localstore
+ * semanage: missing modify=True
+ * semanage: set modified correctly
+ * restorecond: make restorecond dbuss-able
+ * restorecon: Always check return code on asprintf
+ * restorecond: make restorecond -u exit when terminal closes
+ * sandbox: introduce package name and language stuff
+ * semodule_package: remove semodule_unpackage on clean
+ * fix sandbox Makefile to support DESTDIR
+ * semanage: Add -o description to the semanage man page
+ * make use of the new realpath_not_final function
+ * setfiles: close /proc/mounts file when finished
+ * semodule: Document semodule -p in man page
+ * setfiles: fix use before initialized
+ * restorecond: Add .local/share as a directory to watch
+- Upgrade to sepolgen
upstream
+ * Ignore permissive qualifier if found in an interface
+ * Return name field in avc data
+
+* Mon Oct 31 2011 Dan Walsh - 2.1.7-6
+- Rebuild versus newer libsepol
+
+* Fri Oct 28 2011 Dan Walsh - 2.1.7-5
+- A couple of minor coverity fixes for a potential leaked file descriptor
+- An an unchecked return code.
+- Add ~/.local/share/* to restorecond_user watches
+
+* Thu Oct 13 2011 Dan Walsh - 2.1.7-4
+- Have sepolgen return name field in AVC
+
+* Thu Oct 6 2011 Dan Walsh - 2.1.7-3
+- restorecond -u needs to watch terminal for exit if run outside of dbus.
+
+* Tue Oct 4 2011 Dan Walsh - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
+* Fri Sep 30 2011 Dan Walsh - 2.1.7-1
+-Update to upstream
+ * semanage: fix indentation error in seobject
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-3
+- Ignore permissive commands in interfaces
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-2
+- Remove gnome requirement from polgengui
+
+* Mon Sep 19 2011 Dan Walsh - 2.1.6-1
+-Update to upstream
+ policycoreutils-2.1.6
+ * sepolgen-ifgen: new attr-helper does something
+ * audit2allow: use alternate policy file
+ * audit2allow: sepolgen-ifgen use the attr helper
+ * setfiles: switch from stat to stat64
+ * setfiles: Fix potential crash using dereferenced ftsent
+ * setfiles: do not wrap * output at 80 characters
+ * sandbox: add -Wall and -Werror to makefile
+ * sandbox: add sandbox cgroup support
+ * sandbox: rewrite /tmp handling
+ * sandbox: do not bind mount so much
+ * sandbox: add level based kill option
+ * sandbox: cntrl-c should kill entire process control group
+ * Create a new preserve_tunables flag in sepol_handle_t.
+ * semanage: show running and disk setting for booleans
+ * semanage: Dont print heading if no items selected
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
+ * More files to ignore
+ * tree: default make target to all not install
+ * sandbox: do not load unused generic init functions
+ sepolgen-1.1.2
+ * src: sepolgen: add attribute storing infrastructure
+ * Change perm-map and add open to try to get better results on
+ * look for booleans that might solve problems
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * tree: default make target to all not install
+
+* Wed Sep 14 2011 Dan Walsh - 2.1.5-6
+- Change separator on -L from ; to :
+
+* Thu Sep 8 2011 Dan Walsh - 2.1.5-5
+- Add back lockdown wizard for booleans using pywebkitgtk
+
+* Wed Sep 7 2011 Dan Walsh - 2.1.5-4
+- Maintain the LANG environment Variable into the sandbox
+- Change restorecon/setfiles to only change type part of the context unless
+ -f qualifier is given
+
+* Tue Sep 6 2011 Dan Walsh - 2.1.5-3
+- Remove lockdown wizard, since gtkhtml2 is no longer supported.
+
+* Fri Sep 2 2011 Dan Walsh - 2.1.5-2
+- Allow setfiles and restorecon to use labeledprefix to speed up processing
+and limit memory.
+
+* Tue Aug 30 2011 Dan Walsh - 2.1.5-1
+-Update to upstream
+ * policycoreutils
+ * setfiles: Fix process_glob to handle error situations
+ * sandbox: Allow seunshare to run as root
+ * sandbox: trap sigterm to make sure sandbox
+ * sandbox: pass DPI from the desktop
+ * sandbox: seunshare: introduce helper spawn_command
+ * sandbox: seunshare: introduce new filesystem helpers
+ * sandbox: add -C option to not drop
+ * sandbox: split seunshare caps dropping
+ * sandbox: use dbus-launch
+ * sandbox: numerous simple updates to sandbox
+ * sandbox: do not require selinux context
+ * sandbox: Makefile: new man pages
+ * sandbox: rename dir to srcdir
+ * sandbox: allow users specify sandbox window size
+ * sandbox: check for paths up front
+ * sandbox: use defined values for paths rather
+ * sandbox: move seunshare globals to the top
+ * sandbox: whitespace fix
+ * semodule_package: Add semodule_unpackage executable
+ * setfiles: get rid of some stupid globals
+ * setfiles: move exclude_non_seclabel_mounts to a generic location
+ * sepolgen
+ * refparser: include open among valid permissions
+ * refparser: add support for filename_trans rules
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-2
+- Fix bug in glob handling for restorecon
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-1
+-Update to upstream
+2.1.4 2011-08-17
+ * run_init: clarification of the usage in the
+ * semanage: fix usage header around booleans
+ * semanage: remove useless empty lines
+ * semanage: update man page with new examples
+ * semanage: update usage text
+ * semanage: introduce file context equivalencies
+ * semanage: enable and disable modules
+ * semanage: output all local modifications
+ * semanage: introduce extraction of local configuration
+ * semanage: cleanup error on invalid operation
+ * semanage: handle being called with no arguments
+ * semanage: return sooner to save CPU time
+ * semanage: surround getopt with try/except
+ * semanage: use define/raise instead of lots of
+ * semanage: some
options are only valid for
+ * semanage: introduce better deleteall support
+ * semanage: do not allow spaces in file
+ * semanage: distinguish between builtin and local permissive
+ * semanage: centralized ip node handling
+ * setfiles: make the restore function exclude() non-static
+ * setfiles: use glob to handle ~ and
+ * fixfiles: do not hard code types
+ * fixfiles: stop trying to be smart about
+ * fixfiles: use new kernel seclabel option
+ * fixfiles: pipe everything to cat before sending
+ * fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
+ * semodule: support for alternative root paths
+2.1.3 2011-08-03
+ * semanage: fix indention
+ * semodule_package: fix man page typo
+ * semodule_expand: update man page with -a
+ * semanage: handle os errors
+ * semanage: fix traceback with bad options
+ * semanage: show usage on -h or --help
+ * semanage: introduce more deleteall options
+ * semanage: verify ports < 65536
+ * transaction into semanageRecords
+ * make get_handle a method of semanageRecords
+ * remove a needless blank line
+ * make process_one error if not initialized correctly
+ * fixfiles: correct usage for r_opts.rootpath
+ * put -p in help for restorecon and
+ * fixfiles: do not try to only label
+ * fixfiles clean up /var/run and /var/lib/debug
+ * fixfiles delete tmp sockets and pipes rather
+ * fixfile use find -delete instead of pipe
+ * chcat man page typo
+ * add man page for genhomedircon
+ * setfiles fix typo
+ * setsebool should inform users they need to
+ * setsebool typos
+ * open_init_tty man page typos
+ * Don't add user site directory to sys.path
+ * newrole retain CAP_SETPCAP
+2.1.2 2011-08-02
+ * seunshare: define _GNU_SOURCE earlier
+ * make ignore_enoent do something
+ * restorecond: first user logged in is not noticed
+ * Repo: update .gitignore
+2.1.1 2011-08-01
+ * Man page updates
+ * restorecon fix for bad inotify assumptions
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+* Tue Jul 26 2011 Dan Walsh 2.0.86-20
+-
Fix sepolgen usage statement
+- Stop using -k insandbox
+- Fix seunshare usage statement
+
+* Thu Jul 7 2011 Dan Walsh 2.0.86-18
+- Change seunshare to send kill signals to the childs session.
+- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
+
+* Wed Jul 6 2011 Dan Walsh 2.0.86-17
+- Add -k qualifier to seunshare to have it attempt to kill all processes with
+the matching MCS label.
+
+* Tue Jul 5 2011 Dan Walsh 2.0.86-16
+- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
+the bounding set will be dropped.
+- Change --cgroups short name -c rather then -C for consistancy
+- Fix memory and fd leaks in seunshare
+
+* Wed Jun 29 2011 Jóhann B. Guðmundsson - 2.0.86-15
+- Introduce systemd unit file for restorecond drop SysV support
+
+* Mon Jun 13 2011 Dan Walsh 2.0.86-14
+- Do not drop capability bounding set in seunshare, this allows sandbox to
+- run setuid apps.
+
+* Fri Jun 10 2011 Dan Walsh 2.0.86-13
+- Add semanage-bash-completion.sh script
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-12
+- Remove mount -o bind calls from sandbox init script
+- pam_namespace now has this built in.
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-11
+- Pass desktop dpi to sandbox Xephyr window
+
+* Mon Jun 6 2011 Dan Walsh 2.0.86-10
+- Allow semodule to pick alternate root for selinux files
+- Add ~/.config/* to restorcond_user.conf, so restorecond will watch for mislabeled files in this directory.
+
+* Wed May 25 2011 Dan Walsh 2.0.86-9
+- Fix var_spool template read_spool_files
+- Fix sepolgen to handle filename transitions
+
+* Mon May 23 2011 Dan Walsh 2.0.86-8
+- Templates cleanedup by Dominic Grift
+
+* Fri Apr 29 2011 Dan Walsh 2.0.86-7
+- Clean up some of the templates for sepolgen
+
+* Fri Apr 22 2011 Dan Walsh 2.0.86-6
+- Apply patches from Christoph A.
+ * fix sandbox title
+ * stop xephyr from li
+- Also ignore errors on sandbox include of directory missing files
+
+* Thu Apr 21 2011 Dan Walsh 2.0.86-5
+- rebuild versus latest libsepol
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-4
+- Change fixfiles restore to delete unlabeled sockets in /tmp
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-2
+- rebuild versus latest libsepol
+
+* Tue Apr 12 2011 Dan Walsh 2.0.86-1
+- Update to upstream
+ * Use correct color range in mcstrand by Richard Haines.
+
+* Mon Apr 11 2011 Dan Walsh 2.0.85-30
+- Add Elia Pinto patches to allow user to specify directories to ignore
+
+* Tue Apr 5 2011 Dan Walsh 2.0.85-29
+- Fix policycoreutils-sandbox description
+
+* Tue Mar 29 2011 Dan Walsh 2.0.85-28
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh 2.0.85-27
+- Fix semange node handling of ipv6 addresses
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-26
+- Fix sepolgen-ifgen call, add -p option
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-25
+- Fix sepolgen-ifgen call
+
+* Fri Mar 18 2011 Dan Walsh 2.0.85-24
+- Fix rsync command to work if the directory is old.
+- Fix all tests
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-23
+- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-22
+- Return to original seunshare man page
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing
+ access to homedir data
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-20
+- Change sepolgen-ifgen to search all available policy files
+- Exit in restorecond if it can not find a UID in the passwd database
+
+* Wed Mar 9 2011 Dan Walsh 2.0.85-19
+- Fix portspage in system-config-selinux to not crash
+- More fixes for seunshare from Tomas Hoger
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-18
+- put back in old handling of -T in sandbox command
+- Put back setsid in seunshare
+- Fix rsync to maintain times
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-17
+- Use rewritten seunshare from thoger
+
+* Mon Mar 7 2011 Dan Walsh 2.0.85-16
+- Require python-IPy for policycoreutils-python package
+- Fixes for sepologen
+ - Usage statement needs -n name
+ - Names with _ are being prevented
+ - dbus apps should get _chat interface
+
+* Thu Mar 3 2011 Dan Walsh 2.0.85-15
+- Fix error message in seunshare, check for tmpdir existance before unlink.
+
+* Fri Feb 25 2011 Dan Walsh 2.0.85-13
+- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
+- Only allow names in polgengui that contain letters and numbers
+- Fix up node handling in semanage command
+- Update translations
+
+* Wed Feb 09 2011 Fedora Release Engineering - 2.0.85-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-11
+- Fix sandbox policy creation with udp connect ports
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-10
+- Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
+- Cleanup chcat man page
+
+* Wed Feb 2 2011 Dan Walsh 2.0.85-9
+- Report full errors on OSError on Sandbox
+
+* Fri Jan 21 2011 Dan Walsh 2.0.85-8
+- Fix newrole hanlding of pcap
+
+* Wed Jan 19 2011 Dan Walsh 2.0.85-7
+- Have restorecond watch more directories in homedir
+
+* Fri Jan 14 2011 Dan Walsh 2.0.85-6
+- Add sandbox to sepolgen
+
+* Thu Jan 6 2011 Dan Walsh 2.0.85-4
+- Fix proper handling of getopt errors
+- Do not allow modules names to contain spaces
+
+* Wed Jan 5 2011 Dan Walsh 2.0.85-3
+- Polgengui raises the wrong type of exception.
#471078
+- Change semanage to not allow it to semanage module -D
+- Change setsebool to suggest run as root on failure
+
+* Wed Dec 22 2010 Dan Walsh 2.0.85-2
+- Fix restorecond watching utmp file for people logging in our out
+
+* Tue Dec 21 2010 Dan Walsh 2.0.85-1
+- Update to upstream
+
+* Thu Dec 16 2010 Dan Walsh 2.0.84-5
+- Change to allow sandbox to run on nfs homedirs, add start python script
+
+* Wed Dec 15 2010 Dan Walsh 2.0.84-4
+- Move seunshare to sandbox package
+
+* Mon Nov 29 2010 Dan Walsh 2.0.84-3
+- Fix sandbox to show correct types in usage statement
+
+* Mon Nov 29 2010 Dan Walsh 2.0.84-2
+- Stop fixfiles from complaining about missing dirs
+
+* Mon Nov 22 2010 Dan Walsh 2.0.84-1
+- Update to upstream
+- List types available for sandbox in usage statement
+
+* Mon Nov 22 2010 Dan Walsh 2.0.83-37
+- Don't report error on load_policy when system is disabled.
+
+* Mon Nov 8 2010 Dan Walsh 2.0.83-36
+- Fix up problems pointed out by solar designer on dropping capabilities
+
+* Mon Nov 1 2010 Dan Walsh 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
+* Mon Nov 1 2010 Dan Walsh 2.0.83-34
+- Fix setools require line
+
+* Fri Oct 29 2010 Dan Walsh 2.0.83-33
+- Move /etc/pam.d/newrole in to polcicycoreutils-newrole
+- Additional capability checking in sepolgen
+
+* Mon Oct 25 2010 Dan Walsh 2.0.83-32
+- Remove setuid flag and replace with file capabilities
+- Fix sandbox handling of files with spaces in them
+
+* Wed Sep 29 2010 jkeating - 2.0.83-31
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Dan Walsh 2.0.83-30
+- Move restorecond into its own subpackage
+
+* Thu Sep 23 2010 Dan Walsh 2.0.83-29
+- Fix semanage man page
+
+* Mon Sep 13 2010 Dan Walsh 2.0.83-28
+- Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.
+
+* Mon Sep 13 2010 Dan Walsh 2.0.83-27
+- Fix sandbox copyfile when copying a dir with a socket, print error
+
+* Fri Sep 10 2010 Dan Walsh 2.0.83-26
+- Stop polgengui from crashing if selinux policy is not installed
+
+* Thu Sep 9 2010 Dan Walsh 2.0.83-25
+- Fix bug preventing sandbox from using -l
+
+* Tue Sep 7 2010 Dan Walsh 2.0.83-24
+- Eliminate quotes fro desktop files
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-23
+- Add -w windowsize patch from Christoph A.
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-22
+- Update po
+
+* Wed Aug 25 2010 Dan Walsh 2.0.83-21
+- Update po
+
+* Tue Aug 24 2010 Dan Walsh 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
+* Mon Aug 23 2010 Dan Walsh 2.0.83-19
+- Fix translation handling in file context page of system-config-selinux
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-18
+- Fix sandbox error handling
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-17
+- Apply patch to restorecond from Chris Adams, which will cause restorecond
+- to watch first user that logs in.
+
+* Thu Aug 12 2010 Dan Walsh 2.0.83-16
+- Add COPYING file to doc dir
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-15
+- Update po and translations
+Resolves: #610473
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-14
+- More fixes for polgen tools
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-13
+- Remove requirement to run selinux-polgen as root
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-12
+- Update po and translations
+- Fix gui policy generation tools
+
+* Wed Aug 4 2010 Dan Walsh 2.0.83-11
+- Update po and translations
+
+* Sat Jul 31 2010 David Malcolm - 2.0.83-10
+- rebuild against python 2.7
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-9
+- Update selinux-polgengui to sepolgen policy generation
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-8
+- Fix invalid free in seunshare and fix man page
+
+* Tue Jul 27 2010 Dan Walsh 2.0.83-7
+- Update translations
+
+* Mon Jul 26 2010 Dan Walsh 2.0.83-6
+- Fix sandbox man page
+
+* Wed Jul 21 2010 David Malcolm - 2.0.83-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 20 2010 Dan Walsh 2.0.83-4
+- Add translations for menus
+- Fixup man page from Russell Coker
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-3
+- Change python scripts to use -s flag
+- Update po
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-1
+- Update to upstream
+ * Add sandbox support from Dan Walsh with modifications from Steve Lawrence.
+
+* Tue Jun 15 2010 Dan Walsh 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh 2.0.82-30
+- Add cgroup support for sandbox
+
+* Mon Jun 7 2010 Dan Walsh 2.0.82-29
+- Allow creation of /var/cache/DOMAIN from sepolgen
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-28
+- Fix sandbox init script
+- Add dbus-launch to sandbox -X
+Resolve: #599599
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-27
+- Move genhomedircon.8 to same package as genhomedircon
+- Fix sandbox to pass unit test
+Resolves: #595796
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-26
+- Fix listing of booleans from audit2allow
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-25
+- Fix audit2allow to output if the current policy has avc
+- Update translations
+- Fix icon
+
+* Thu May 27 2010 Dan Walsh 2.0.82-24
+- Man page fixes
+- sandbox fixes
+- Move seunshare to base package
+
+* Fri May 21 2010 Dan Walsh 2.0.82-23
+- Fix seunshare translations
+- Fix seunshare to work on all arches
+- Fix icon for system-config-selinux
+Resolves: #595276
+
+* Fri May 21 2010 Dan Walsh 2.0.82-22
+- Fix can_exec definition in sepolgen
+
+* Fri May 21 2010 Dan Walsh 2.0.82-21
+- Add man page for seunshare and genhomedircon
+Resolves: #594303
+- Fix node management via semanage
+
+* Wed May 19 2010 Dan Walsh 2.0.82-20
+- Fixes from upstream for sandbox command
+Resolves: #580938
+
+* Thu May 13 2010 Dan Walsh 2.0.82-18
+- Fix sandbox error handling on copyfile
+- Fix desktop files
+
+* Tue May 11 2010 Dan Walsh 2.0.82-17
+- Fix policy tool to have correct name in menus
+- Fix seunshare to handle /tmp being in ~/home
+- Fix saving of altered files
+- Update translations
+
+* Tue May 4 2010 Dan Walsh 2.0.82-15
+- Allow audit2allow to specify alternative policy file for analysis
+
+* Mon May 3 2010 Dan Walsh 2.0.82-14
+- Update po
+- Fix sepolgen --no_attrs
+Resolves: #588280
+
+* Thu Apr 29 2010 Dan Walsh 2.0.82-13
+- Make semanage boolean work on disabled machines and during livecd xguest
+- Fix homedir and tmpdir
handling in sandbox
+Resolves: #587263
+
+* Wed Apr 28 2010 Dan Walsh 2.0.82-11
+- Make semanage boolean work on disabled machines
+
+* Tue Apr 27 2010 Dan Walsh 2.0.82-10
+- Make sepolgen-ifgen be quiet
+
+* Wed Apr 21 2010 Dan Walsh 2.0.82-8
+- Make sepolgen report on more interfaces
+- Fix system-config-selinux display of modules
+
+* Thu Apr 15 2010 Dan Walsh 2.0.82-7
+- Fix crash when args are empty
+Resolves: #582542
+- Fix semange to exit on bad options
+- Fix semanage dontaudit man page section
+Resolves: #582533
+
+* Wed Apr 14 2010 Dan Walsh 2.0.82-6
+- Remove debug line from semanage
+- Update po
+
+* Tue Apr 13 2010 Dan Walsh 2.0.82-5
+- Fix sandbox comment on HOMEDIRS
+- Fix sandbox to throw error on bad executable
+
+* Tue Apr 6 2010 Dan Walsh 2.0.82-4
+- Fix spacing in templates
+
+* Wed Mar 31 2010 Dan Walsh 2.0.82-3
+- Fix semanage return codes
+
+* Tue Mar 30 2010 Dan Walsh 2.0.82-2
+- Fix sepolgen to confirm to the "Reference Policy Style Guide"
+
+* Tue Mar 23 2010 Dan Walsh 2.0.82-1
+- Update to upstream
+ * Add avc's since boot from Dan Walsh.
+ * Fix unit tests from Dan Walsh.
+
+* Tue Mar 23 2010 Dan Walsh 2.0.81-4
+- Update to upstream - sepolgen
+ * Add since-last-boot option to audit2allow from Dan Walsh.
+ * Fix sepolgen output to match what Chris expects for upstream
+ refpolicy from Dan Walsh.
+
+* Mon Mar 22 2010 Dan Walsh 2.0.81-3
+- Allow restorecon on > 2 Gig files
+
+* Tue Mar 16 2010 Dan Walsh 2.0.81-2
+- Fix semanage handling of boolean options
+- Update translations
+
+* Fri Mar 12 2010 Dan Walsh 2.0.81-1
+- Update to upstream
+ * Add dontaudit flag to audit2allow from Dan Walsh.
+
+* Thu Mar 11 2010 Dan Walsh 2.0.80-2
+- Use --rbind in sandbox init scripts
+
+* Mon Mar 8 2010 Dan Walsh 2.0.80-1
+- Update to upstream
+ * Module enable/disable support from Dan Walsh.
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-5
+- Rewrite of sandbox script, add unit test for sandbox
+- Update translations
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-4
+- Fix patch for dontaudit rules from audit2allow for upstream acceptance
+
+* Fri Feb 26 2010 Dan Walsh 2.0.79-3
+- Fixes for fixfiles
+
+* Wed Feb 17 2010 Dan Walsh 2.0.79-2
+- Fix sandbox to complain if mount-shared has not been run
+- Fix to use /etc/sysconfig/sandbox
+
+* Tue Feb 16 2010 Dan Walsh 2.0.79-1
+- Update to upstream
+ * Fix double-free in newrole
+- Fix python language handling
+
+* Thu Feb 11 2010 Dan Walsh 2.0.78-21
+- Fix display of command in sandbox
+
+* Fri Feb 5 2010 Dan Walsh 2.0.78-20
+- Catch OSError in semanage
+
+* Wed Feb 3 2010 Dan Walsh 2.0.78-19
+- Fix seobject and fixfiles
+
+* Fri Jan 29 2010 Dan Walsh 2.0.78-17
+- Change seobject to use translations properly
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-16
+- Cleanup spec file
+Resolves: 555835
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-15
+- Add use_resolve to sepolgen
+
+* Wed Jan 27 2010 Dan Walsh 2.0.78-14
+- Add session capability to sandbox
+- sandbox -SX -H ~/.homedir -t unconfined_t -l s0:c15 /etc/gdm/Xsession
+
+* Thu Jan 21 2010 Dan Walsh 2.0.78-13
+- Fix executable template for fifo files
+
+* Tue Jan 19 2010 Dan Walsh 2.0.78-12
+- Fix patch xod xmodmap
+- Exit 0 from script
+
+* Thu Jan 14 2010 Dan Walsh 2.0.78-11
+- Run with the same xdmodmap in sandbox as outside
+- Patch from Josh Cogliati
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-10
+- Fix sepolgen to not generate user sh section on non user policy
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-9
+- Add -e to semanage man page
+- Add -D qualifier to audit2allow to generate dontaudit rules
+
+* Wed Jan 6 2010 Dan Walsh 2.0.78-8
+- Speed up audit2allow processing of audit2why comments
+
+* Fri Dec 18 2009 Dan Walsh 2.0.78-7
+- Fixes to sandbox man page
+
+* Thu Dec 17 2009 Dan Walsh 2.0.78-6
+- Add setools-libs-python to requires for gui
+
+* Wed Dec 16 2009 Dan Walsh 2.0.78-5
+- If
restorecond running as a user has no files to watch then it should exit. (NFS Homedirs)
+
+* Thu Dec 10 2009 Dan Walsh 2.0.78-4
+- Move sandbox man page to base package
+
+* Tue Dec 8 2009 Dan Walsh 2.0.78-3
+- Fix audit2allow to report constraints, dontaudits, types, booleans
+
+* Fri Dec 4 2009 Dan Walsh 2.0.78-2
+- Fix restorecon -i to ignore enoent
+
+* Tue Dec 1 2009 Dan Walsh 2.0.78-1
+- Update to upstream
+ * Remove non-working OUTFILE from fixfiles from Dan Walsh.
+ * Additional exception handling in chcat from Dan Walsh.
+ * fix sepolgen to read a "type 1403" msg as a policy load by Stephen
+ Smalley
+ * Add support for Xen ocontexts from Paul Nuzzi.
+
+* Tue Nov 24 2009 Dan Walsh 2.0.77-1
+- Update to upstream
+ * Fixed bug preventing semanage node -a from working
+ from Chad Sellers
+ * Fixed bug preventing semanage fcontext -l from working
+ from Chad Sellers
+- Change semanage to use unicode
+
+* Wed Nov 18 2009 Dan Walsh 2.0.76-1
+- Update to upstream
+ * Remove setrans management from semanage, as it does not work
+ from Dan Walsh.
+ * Move load_policy from /usr/sbin to /sbin from Dan Walsh.
+
+* Mon Nov 16 2009 Dan Walsh 2.0.75-3
+- Raise exception if user tries to add file context with an embedded space
+
+* Wed Nov 11 2009 Dan Walsh 2.0.75-2
+- Fix sandbox to setsid so it can run under mozilla without crashing the session
+
+* Mon Nov 2 2009 Dan Walsh 2.0.75-1
+- Update to upstream
+ * Factor out restoring logic from setfiles.c into restore.c
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-15
+- Fix typo in seobject.py
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-14
+- Allow semanage -i and semanage -o to generate customization files.
+- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
+
+* Tue Oct 20 2009 Dan Walsh 2.0.74-13
+- Fix restorecond man page
+
+* Mon Oct 19 2009 Dan Walsh 2.0.74-12
+- Add generation of the users context file to polgengui
+
+* Fri Oct 16 2009 Dan Walsh 2.0.74-11
+- Remove tabs from system-config-selinux glade file
+
+* Thu Oct 15 2009 Dan Walsh 2.0.74-10
+- Remove translations screen from system-config-selinux
+
+* Wed Oct 14 2009 Dan Walsh 2.0.74-9
+- Move fixfiles man pages into the correct package
+- Add genhomedircon to fixfiles restore
+
+* Tue Oct 6 2009 Dan Walsh 2.0.74-8
+- Add check to sandbox to verify save changes - Chris Pardy
+- Fix memory leak in restorecond - Steve Grubb
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-7
+- Fixes Templates
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-6
+- Fixes for polgengui to handle tcp ports correctly
+- Fix semanage node -a
+
+* Wed Sep 30 2009 Dan Walsh 2.0.74-5
+- Fixes for semanage -equiv, readded modules, --enable, --disable
+
+* Sun Sep 20 2009 Dan Walsh 2.0.74-4
+- Close sandbox when eclipse exits
+
+* Fri Sep 18 2009 Dan Walsh 2.0.74-3
+- Security fixes for seunshare
+- Fix Sandbox to handle non file input to command.
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-2
+- Security fixes for seunshare
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-1
+- Update to upstream
+ * Change semodule upgrade behavior to install even if the module
+ is not present from Dan Walsh.
+ * Make setfiles label if selinux is disabled and a seclabel aware
+ kernel is running from Caleb Case.
+ * Clarify forkpty() error message in run_init from Manoj Srivastava.
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-5
+- Fix sandbox to handle relative paths
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-4
+- Add symbolic link to load_policy
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-3
+- Fix restorecond script to use force-reload
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-2
+- Fix init script to show status in usage message
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-1
+- Update to upstream
+ * Add semanage dontaudit to turn off dontaudits from Dan Walsh.
+ * Fix semanage to set correct mode for setrans file from Dan Walsh.
+ * Fix malformed dictionary in portRecord from Dan Walsh.
+ * Restore symlink handling support to restorecon based on a patch by
+ Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
+ udev scripts that was broken by policycoreutils 2.0.70.
+
+* Thu Sep 3 2009 Dan Walsh 2.0.71-15
+- Add DAC_OVERRIED to seunshare
+
+* Wed Sep 2 2009 Bill Nottingham 2.0.71-15
+- Fix typo
+
+* Fri Aug 28 2009 Dan Walsh 2.0.71-14
+- Add enable/disable patch
+
+* Thu Aug 27 2009 Tomas Mraz - 2.0.71-13
+- rebuilt with new audit
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-12
+- Tighten up controls on seunshare.c
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-11
+- Add sandboxX
+
+* Sat Aug 22 2009 Dan Walsh 2.0.71-10
+- Fix realpath usage to only happen on argv input from user
+
+* Fri Aug 21 2009 Ville Skyttä - 2.0.71-9
+- Don't try to remove restorecond after last erase (done already in %%preun).
+- Ensure scriptlets exit with status 0.
+- Fix %%post and %%pr
+
+* Thu Aug 20 2009 Dan Walsh 2.0.71-7
+- Fix glob handling of /..
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-6
+- Redesign restorecond to use setfiles/restore functionality
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-5
+- Fix sepolgen again
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-4
+- Add --boot flag to audit2allow to get all AVC messages since last boot
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-3
+- Fix semanage command
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-2
+- exclude unconfined.if from sepolgen
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-1
+- Fix chcat to report error on non existing file
+- Update to upstream
+ * Modify setfiles/restorecon checking of exclude paths. Only check
+ user-supplied exclude paths (not automatically generated ones based on
+ lack of seclabel support), don't require them to be directories, and
+ ignore permission denied errors on them (it is ok to exclude a path to
+ which the caller lacks permission).
+
+* Mon Aug 10 2009 Dan Walsh 2.0.70-2
+- Don't warn if the user did not specify the exclude if root can not stat file system
+
+* Wed Aug 5 2009 Dan Walsh 2.0.70-1
+- Update to upstream
+ * Modify restorecon to only call realpath() on user-supplied pathnames
+ from Stephen Smalley.
+ * Fix typo in fixfiles that prevented it from relabeling btrfs
+ filesystems from Dan Walsh.
+
+* Wed Jul 29 2009 Dan Walsh 2.0.68-1
+- Fix location of man pages
+- Update to upstream
+ * Modify setfiles to exclude mounts without seclabel option in
+ /proc/mounts on kernels >= 2.6.30 from Thomas Liu.
+ * Re-enable disable_dontaudit rules upon semodule -B from Christopher
+ Pardy and Dan Walsh.
+ * setfiles converted to fts from Thomas Liu.
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.0.64-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jul 7 2009 Tom "spot" Callaway 2.0.64-2
+- fix multiple directory ownership of mandirs
+
+* Fri Jun 26 2009 Dan Walsh 2.0.64-1
+- Update to upstream
+ * Keep setfiles from spamming console from Dan Walsh.
+ * Fix chcat's category expansion for users from Dan Walsh.
+- Update po files
+- Fix sepolgen
+
+* Thu Jun 4 2009 Dan Walsh 2.0.63-5
+- Add sepolgen executable
+
+* Mon Jun 1 2009 Dan Walsh 2.0.63-4
+- Fix Sandbox option handling
+- Fix fixfiles handling of btrfs
+
+* Tue May 26 2009 Dan Walsh 2.0.63-3
+- Fix sandbox to be able to execute files in homedir
+
+* Fri May 22 2009 Dan Walsh 2.0.63-2
+- Change polgen.py to be able to generate policy
+
+* Wed May 20 2009 Dan Walsh 2.0.63-1
+- Update to upstream
+ * Fix transaction checking from Dan Walsh.
+ * Make fixfiles -R (for rpm) recursive.
+ * Make semanage permissive clean up after itself from Dan Walsh.
+ * add /root/.ssh/* to restorecond.conf
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-14
+- Fix audit2allow -a to retun /var/log/messages
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-13
+- Run restorecond as a user service
+
+* Thu Apr 16 2009 Dan Walsh 2.0.62-12
+- Add semanage module support
+
+* Tue Apr 14 2009 Dan Walsh 2.0.62-10
+- Do not print \n, if count < 1000;
+
+* Sat Apr 11 2009 Dan Walsh 2.0.62-9
+- Handle case where subs file does not exist
+
+* Wed Apr 8 2009 Dan Walsh 2.0.62-8
+- Update po files
+- Add --equiv command for semanage
+
+* Tue Mar 31 2009 Dan Walsh 2.0.62-7
+- Cleanup creation of permissive domains
+- Update po files
+
+* Mon Mar 23 2009 Dan Walsh 2.0.62-6
+- Update po files
+
+* Thu Mar 12 2009 Dan Walsh 2.0.62-5
+- Fix semanage transations
+
+* Sat Mar 7 2009 Dan Walsh 2.0.62-4
+- Update polgengui templates to match current upstream policy
+
+* Thu Feb 26 2009 Fedora Release Engineering - 2.0.62-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Feb 23 2009 Dan Walsh 2.0.62-2
+- Add /root/.ssh to restorecond.conf
+- fixfiles -R package should recursively fix files
+
+* Wed Feb 18 2009 Dan Walsh 2.0.62-1
+- Update to upstream
+ * Add btrfs to fixfiles from Dan Walsh.
+ * Remove restorecond error for matching globs with multiple hard links
+ and fix some error messages from Dan Walsh.
+ * Make removing a non-existant module a warning rather than an error
+ from Dan Walsh.
+ * Man page fixes from Dan Walsh.
+
+* Mon Feb 16 2009 Dan Walsh 2.0.61-10
+- Fix script created by polgengui to not refer to selinux-policy-devel
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-9
+- Change initc scripts to use proper labeling on gui
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-8
+- Add obsoletes to cause policycoreuils to update both python and non python version
+
+* Fri Jan 30 2009 Dan Walsh 2.0.61-7
+- Dont report errors on glob match and multiple links
+
+* Thu Jan 22 2009 Dan Walsh 2.0.61-6
+- Move sepolgen-ifgen to post python
+
+* Wed Jan 21 2009 Dan Walsh 2.0.61-4
+- Fix Translations
+
+* Tue Jan 20 2009 Dan Walsh 2.0.61-3
+- Add Domains Page to system-config-selinux
+- Add ability to create dbus confined applications to polgen
+
+* Wed Jan 14 2009 Dan Walsh 2.0.61-2
+- Split python into a separate package
+
+* Tue Jan 13 2009 Dan Walsh 2.0.61-1
+- Update to upstream
+ * chcat: cut categories at arbitrary point (25) from Dan Walsh
+ * semodule: use new interfaces in libsemanage for compressed files
+ from Dan Walsh
+ * audit2allow: string changes for usage
+
+* Tue Jan 6 2009 Dan Walsh 2.0.60-7
+- Don't error out when removing a non existing module
+
+* Mon Dec 15 2008 Dan Walsh 2.0.60-6
+- fix audit2allow man page
+
+* Wed Dec 10 2008 Dan Walsh 2.0.60-5
+- Fix Japanese translations
+
+* Sat Dec 6 2008 Dan Walsh 2.0.60-4
+- Change md5 to hashlib.md5 in sepolgen
+
+* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 2.0.60-3
+- Rebuild for Python 2.6
+
+* Tue Dec 2 2008 Dan Walsh 2.0.60-2
+- Fix error checking in restorecond, for inotify_add_watch
+
+* Mon Dec 1 2008 Dan Walsh 2.0.60-1
+- Update to upstream
+ * semanage: use semanage_mls_enabled() from Stephen Smalley.
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0.59-2
+- Rebuild for Python 2.6
+
+* Tue Nov 11 2008 Dan Walsh 2.0.59-1
+- Update to upstream
+ * fcontext add checked local records twice, fix from Dan Walsh.
+
+* Mon Nov 10 2008 Dan Walsh 2.0.58-1
+- Update to upstream
+ * Allow local file context entries to override policy entries in
+ semanage from Dan Walsh.
+ * Newrole error message corrections from Dan Walsh.
+ * Add exception to audit2why call in audit2allow from Dan Walsh.
+
+* Fri Nov 7 2008 Dan Walsh 2.0.57-12
+- add compression
+
+* Tue Nov 04 2008 Jesse Keating - 2.0.57-11
+- Move the usermode-gtk requires to the -gui subpackage.
+
+* Thu Oct 30 2008 Dan Walsh 2.0.57-10
+- Fix traceback in audit2why
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-9
+- Make GUI use translations
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-8
+- Fix typo in man page
+
+* Tue Oct 28 2008 Dan Walsh 2.0.57-7
+- Handle selinux disabled correctly
+- Handle manipulation of fcontext file correctly
+
+* Mon Oct 27 2008 Dan Walsh 2.0.57-6
+- Add usermode-gtk requires
+
+* Thu Oct 23 2008 Dan Walsh 2.0.57-5
+- Allow addition of local modifications of fcontext policy.
+
+* Mon Oct 20 2008 Dan Walsh 2.0.57-4
+- Fix system-config-selinux booleanspage throwing and exception
+- Update po files
+
+* Fri Oct 17 2008 Dan Walsh 2.0.57-3
+- Fix text in newrole
+- Fix revertbutton on booleans page in system-config-selinux
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-2
+- Change semodule calls for libsemanage
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-1
+- Update to upstream
+ * Update po files from Dan Walsh.
+
+* Fri Sep 12 2008 Dan Walsh 2.0.56-1
+- Fix semanage help display
+- Update to upstream
+ * fixfiles will now remove all files in /tmp and will check for
+ unlabeled_t in /tmp and /var/tmp from Dan Walsh.
+ * add glob support to restorecond from Dan Walsh.
+ * allow semanage to handle multi-line commands in a single transaction
+ from Dan Walsh.
+
+* Thu Sep 11 2008 Dan Walsh 2.0.55-8
+- Only call gen_requires once in sepolgen
+
+* Tue Sep 9 2008 Dan Walsh 2.0.55-7
+- Change Requires line to gnome-python2-gnome
+- Fix spelling mistakes
+- Require libselinux-utils
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-5
+- Add node support to semanage
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-4
+- Fix fixfiles to correct unlabeled_t files and remove .? files
+
+* Wed Sep 3 2008 Dan Walsh 2.0.55-2
+- Add glob support to restorecond so it can check every file in the homedir
+
+* Thu Aug 28 2008 Dan Walsh 2.0.55-1
+- Update to upstream
+ * Merged semanage node support from Christian Kuester.
+
+* Fri Aug 15 2008 Dan Walsh 2.0.54-7
+- Add require libsemanage-python
+
+* Mon Aug 11 2008 Dan Walsh 2.0.54-6
+- Add missing html_util.py file
+
+* Thu Aug 7 2008 Dan Walsh 2.0.54-5
+- Fixes for multiple transactions
+
+* Wed Aug 6 2008 Dan Walsh 2.0.54-2
+- Allow multiple transactions in one semanage command
+
+* Tue Aug 5 2008 Dan Walsh 2.0.54-1
+- Update to upstream
+ * Add support for boolean files and group support for seusers from Dan Walsh.
+ * Ensure that setfiles -p output is newline terminated from Russell Coker.
+
+* Fri Aug 1 2008 Dan Walsh 2.0.53-3
+- Allow semanage user to add group lists % groupname
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-2
+- Fix help
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-1
+- Update to upstream
+ * Change setfiles to validate all file_contexts files when using -c from Stephen Smalley.
+
+* Tue Jul 29 2008 Dan Walsh 2.0.52-6
+- Fix boolean handling
+- Upgrade to latest sepolgen
+- Update po patch
+
+* Wed Jul 9 2008 Dan Walsh 2.0.52-5
+- Additial cleanup of boolean handling for semanage
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-4
+- Handle ranges of ports in gui
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-3
+- Fix indent problems in seobject
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-2
+- Add lockdown wizard
+- Allow semanage booleans to take an input file an process lots of booleans at once.
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-1
+- Default prefix to "user"
+
+* Tue Jul 1 2008 Dan Walsh 2.0.50-2
+- Remove semodule use within semanage
+- Fix launching of polgengui from toolbar
+
+* Mon Jun 30 2008 Dan Walsh 2.0.50-1
+- Update to upstream
+ * Fix audit2allow generation of role-type rules from Karl MacMillan.
+
+* Tue Jun 24 2008 Dan Walsh 2.0.49-10
+- Fix spelling of enforcement
+
+* Mon Jun 23 2008 Dan Walsh 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
+* Mon Jun 16 2008 Dan Walsh 2.0.49-7
+- Fix sepolgen-ifgen processing
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-6
+- Add deleteall to semanage permissive, cleanup error handling
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-5
+- Complete removal of rhpl requirement
+
+* Wed Jun 11 2008 Dan Walsh 2.0.49-4
+- Add semanage permissive *
+
+* Fri May 16 2008 Dan Walsh 2.0.49-3
+- Fix fixfiles to cleanup /tmp and /var/tmp
+
+* Fri May 16 2008 Dan Walsh 2.0.49-2
+- Fix listing of types in gui
+
+* Mon May 12 2008 Dan Walsh 2.0.49-1
+- Update to upstream
+ * Remove security_check_context calls for prefix validation from semanage.
+ * Change setfiles and restorecon to not relabel if the file already has the correct context value even if -F/force is specified.
+
+* Mon May 12 2008 Dan Walsh 2.0.47-3
+- Remove /usr/share/locale/sr@Latn/LC_MESSAGES/policycoreutils.mo
+
+* Wed May 7 2008 Dan Walsh 2.0.47-2
+- Add rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* to fixfiles restore
+- So that mislabeled files will get removed on full relabel
+
+* Wed May 7 2008 Dan Walsh 2.0.47-1
+- Make restorecond not start by default
+- Fix polgengui to allow defining of confined roles.
+- Add patches from Lubomir Rintel
+ * Add necessary runtime dependencies on setools-console for -gui
+ * separate stderr when run seinfo commands
+- Update to upstream
+ * Update semanage man page for booleans from Dan Walsh.
+ * Add further error checking to seobject.py for setting booleans.
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-5
+- Uninvasive (ie no string or widget changes) HIG approximations
+ in selinux-polgenui
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-4
+- Move s-c-selinux to the right menu
+
+* Sun Apr 6 2008 Dan Walsh 2.0.46-3
+- Fix boolean descriptions
+- Fix semanage man page
+
+* Wed Mar 19 2008 Dan Walsh 2.0.46-2
+- Don't use prefix in gui
+
+* Tue Mar 18 2008 Dan Walsh 2.0.46-1
+- Update to upstream
+ * Update audit2allow to report dontaudit cases from Dan Walsh.
+ * Fix semanage port to use --proto from Caleb Case.
+
+* Fri Feb 22 2008 Dan Walsh 2.0.44-1
+- Update to upstream
+ * Fix for segfault when conf file parse error occurs.
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-2
+- Don't show tabs on polgengui
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-1
+- Update to upstream
+ * Merged fix fixfiles option processing from Vaclav Ovsik.
+- Added existing users, staff and user_t users to polgengui
+
+* Fri Feb 8 2008 Dan Walsh 2.0.42-3
+- Add messages for audit2allow DONTAUDIT
+
+* Tue Feb 5 2008 Dan Walsh 2.0.42-2
+- Add ability to transition to roles via polgengui
+
+* Sat Feb 2 2008 Dan Walsh 2.0.42-1
+- Update to upstream
+ * Make semodule_expand use sepol_set_expand_consume_base to reduce
+ peak memory usage.
+
+* Tue Jan 29 2008 Dan Walsh 2.0.41-1
+- Update to upstream
+ * Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh.
+ * Merged a second fixfiles -C fix from Marshall Miller.
+
+* Thu Jan 24 2008 Dan Walsh 2.0.39-1
+- Don't initialize audit2allow for audit2why call. Use default
+- Update to upstream
+ * Merged fixfiles -C fix from Marshall Miller.
+
+* Thu Jan 24 2008 Dan Walsh 2.0.38-1
+- Update to upstream
+ * Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
+ * Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
+ * Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.37-1
+- Update to upstream
+ * Merged replacement for audit2why from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-2
+- Cleanup fixfiles -f message in man page
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-1
+- Update to upstream
+ * Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh.
+ * Merged sepolgen fixes from Dan Walsh.
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-5
+- handle files with spaces on upgrades
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-4
+- Add support in fixfiles for ext4 ext4dev and gfs2
+
+* Mon Jan 21 2008 Dan Walsh 2.0.35-3
+- Allow files with spaces to be used by setfiles
+
+* Tue Jan 15 2008 Dan Walsh 2.0.35-2
+- Add descriptions of booleans to audit2allow
+
+* Fri Jan 11 2008 Dan Walsh 2.0.35-1
+- Update to upstream
+ * Merged support for non-interactive newrole command invocation from Tim Reed.
+
+* Thu Jan 10 2008 Dan Walsh 2.0.34-8
+- Change to use selinux bindings to audit2why
+
+* Tue Jan 8 2008 Dan Walsh 2.0.34-7
+- Fix fixfiles to handle no args
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-5
+- Fix roles output when creating a module
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-4
+- Handle files with spaces in fixfiles
+
+* Fri Dec 21 2007 Dan Walsh 2.0.34-3
+- Catch SELINUX_ERR with audit2allow and generate policy
+
+* Thu Dec 20 2007 Dan Walsh 2.0.34-2
+- Make sepolgen set error exit code when partial failure
+- audit2why now checks booleans for avc diagnosis
+
+* Wed Dec 19 2007 Dan Walsh 2.0.34-1
+- Update to upstream
+ * Update Makefile to not build restorecond if
+ /usr/include/sys/inotify.h is not present
+
+* Wed Dec 19 2007 Dan Walsh 2.0.33-4
+- Fix sepolgen to be able to parse Fedora 9 policy
+ Handle ifelse statements
+ Handle refpolicywarn inside of define
+ Add init.if and inetd.if into parse
+ Add parse_file to syntax error message
+
+* Fri Dec 14 2007 Dan Walsh 2.0.33-3
+- Add scroll bar to fcontext gui page
+
+* Tue Dec 11 2007 Dan Walsh 2.0.33-2
+- Add Russion Man pages
+
+* Mon Dec 10 2007 Dan Walsh 2.0.33-1
+- Upgrade from NSA
+ * Drop verbose output on fixfiles -C from Dan Walsh.
+ * Fix argument handling in fixfiles from Dan Walsh.
+ * Enhance boolean support in semanage, including using the .xml description when available, from Dan Walsh.
+- Fix handling of final screen in polgengui
+
+* Sun Dec 2 2007 Dan Walsh 2.0.32-2
+- Fix handling of disable selinux button in gui
+
+* Mon Nov 19 2007 Dan Walsh 2.0.32-1
+- Upgrade from NSA
+ * load_policy initial load option from Chad Sellers.
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-20
+- Don't show error on missing policy.xml
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-19
+- GUI Enhancements
+ - Fix cgi generation
+ - Use more patterns
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-18
+- Remove codec hacking, which seems to be fixed in python
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-17
+- Fix typo
+- Change to upstream minimal privledge interfaces
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-16
+- Fix fixfiles argument parsing
+
+* Thu Nov 15 2007 Dan Walsh 2.0.31-15
+- Fix File Labeling add
+
+* Thu Nov 8 2007 Dan Walsh 2.0.31-14
+- Fix semanage to handle state where policy.xml is not installed
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-13
+- Remove -v from restorecon in fixfiles
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-12
+- Fix filter and search capabilities, add wait cursor
+
+* Fri Nov 2 2007 Dan Walsh 2.0.31-11
+- Translate booleans via policy.xml
+- Allow booleans to be set via semanage
+
+* Thu Nov 1 2007 Dan Walsh 2.0.31-10
+- Require use of selinux-policy-devel
+
+* Wed Oct 31 2007 Dan Walsh 2.0.31-9
+- Validate semanage fcontext input
+- Fix template names for log files in gui
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-8
+- Fix template to generate correct content
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-7
+- Fix consolekit link to selinux-polgengui
+
+* Thu Oct 18 2007 Dan Walsh 2.0.31-6
+- Fix the generation templates
+
+* Tue Oct 16 2007 Dan Walsh 2.0.31-5
+- Fix enable/disable audit messages
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-4
+- Add booleans page
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-3
+- Lots of updates to gui
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-1
+- Remove no.po
+- Update to upstream
+ * Fix semodule option handling from Dan Walsh.
+ * Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
+
+* Thu Oct 11 2007 Dan Walsh 2.0.29-2
+- Fix semodule parameter checking
+
+* Sun Oct 7 2007 Dan Walsh 2.0.29-1
+- Update to upstream
+ * Add genhomedircon script to invoke semodule -Bn from Dan Walsh.
+- Add deleteall for ports and fcontext
+
+* Fri Oct 5 2007 Dan Walsh 2.0.28-1
+- Update to upstream
+ * Update semodule man page for -D from Dan Walsh.
+ * Add boolean, locallist, deleteall, and store support to semanage from Dan Walsh.
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-7
+- Add genhomedircon script to rebuild file_context for shadow-utils
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-6
+- Update translations
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-5
+- Additional checkboxes for application policy
+
+* Fri Sep 28 2007 Dan Walsh 2.0.27-4
+- Allow policy writer to select user types to transition to there users
+
+* Thu Sep 27 2007 Dan Walsh 2.0.27-3
+- Fix bug in building policy with polgengui
+- Creating ports correctly
+
+* Wed Sep 26 2007 Dan Walsh 2.0.27-1
+- Update to upstream
+ * Improve semodule reporting of system errors from Stephen Smalley.
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-3
+- Show local changes with semanage
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-2
+- Fixed spelling mistakes in booleans defs
+- Update po
+
+* Tue Sep 18 2007 Dan Walsh 2.0.26-1
+- Update to upstream
+ * Fix setfiles selabel option flag setting for 64-bit from Stephen Smalley.
+
+* Tue Sep 18 2007 Dan Walsh 2.0.25-15
+- Fix wording in policy generation tool
+
+* Fri Sep 14 2007 Dan Walsh 2.0.25-14
+- Fix calls to _admin interfaces
+
+* Thu Sep 13 2007 Dan Walsh 2.0.25-13
+- Upgrade version of sepolgen from NSA
+ * Expand the sepolgen parser to parse all current refpolicy modules from Karl MacMillan.
+ * Suppress generation of rules for non-denials from Karl MacMillan (take 3).
+
+* Tue Sep 11 2007 Dan Walsh 2.0.25-12
+- Remove bogus import libxml2
+
+* Mon Sep 10 2007 Dan Walsh 2.0.25-11
+- Lots of fixes for polgengui
+
+* Thu Sep 6 2007 Dan Walsh 2.0.25-10
+- Change Requires /bin/rpm to rpm
+
+* Wed Sep 5 2007 Dan Walsh 2.0.25-9
+- Bump libsemanage version for disable dontaudit
+- New gui features for creating admin users
+
+* Fri Aug 31 2007 Dan Walsh 2.0.25-8
+- Fix generated code for admin policy
+
+* Fri Aug 31 2007 Dan Walsh 2.0.25-7
+- Lots of fixes for role templates
+
+* Tue Aug 28 2007 Dan Walsh 2.0.25-6
+- Add more role_templates
+
+* Tue Aug 28 2007 Dan Walsh 2.0.25-5
+- Update genpolgui to add creation of user domains
+
+* Mon Aug 27 2007 Dan Walsh 2.0.25-4
+- Fix location of sepolgen-ifgen
+
+* Sat Aug 25 2007 Dan Walsh 2.0.25-3
+- Add selinux-polgengui to desktop
+
+* Fri Aug 24 2007 Dan Walsh 2.0.25-2
+- Cleanup spec
+
+* Thu Aug 23 2007 Dan Walsh 2.0.25-1
+- Update semodule man page
+ * Fix genhomedircon searching for USER from Todd Miller
+ * Install run_init with mode 0755 from Dan Walsh.
+ * Fix chcat from Dan Walsh.
+ * Fix fixfiles pattern expansion and error reporting from Dan Walsh.
+ * Optimize genhomedircon to compile regexes once from Dan Walsh.
+ * Fix semanage gettext call from Dan Walsh.
+
+* Thu Aug 23 2007 Dan Walsh 2.0.23-2
+- Update semodule man page
+
+* Mon Aug 20 2007 Dan Walsh 2.0.23-1
+- Update to match NSA
+ * Disable dontaudits via semodule -D
+
+* Wed Aug 1 2007 Dan Walsh 2.0.22-13
+- Speed up genhomedircon by an order of magnitude by compiling regex
+- Allow semanage fcontext -a -t <> /path to work
+
+* Fri Jul 27 2007 Dan Walsh 2.0.22-11
+- Fixfiles update required to match new regex
+
+* Fri Jul 27 2007 Dan Walsh 2.0.22-10
+- Update booleans translations
+
+* Wed Jul 25 2007 Jeremy Katz - 2.0.22-9
+- rebuild for toolchain bug
+
+* Tue Jul 24 2007 Dan Walsh 2.0.22-8
+- Add requires libselinux-python
+
+* Mon Jul 23 2007 Dan Walsh 2.0.22-7
+- Fix fixfiles to report incorrect rpm
+- Patch provided by Tony Nelson
+
+* Fri Jul 20 2007 Dan Walsh 2.0.22-6
+- Clean up spec file
+
+* Fri Jul 13 2007 Dan Walsh 2.0.22-5
+- Require newer libselinux version
+
+* Sat Jul 7 2007 Dan Walsh 2.0.22-4
+- Fix checking for conflicting directory specification in genhomedircon
+
+* Mon Jun 25 2007 Dan Walsh 2.0.22-3
+- Fix spelling mistakes in GUI
+
+* Fri Jun 22 2007 Dan Walsh 2.0.22-2
+- Fix else path in chcat
+
+* Thu Jun 21 2007 Dan Walsh 2.0.22-1
+- Update to match NSA
+ * Rebase setfiles to use new labeling interface.
+
+* Wed Jun 13 2007 Dan Walsh 2.0.21-2
+- Add filter to all system-config-selinux lists
+
+* Wed Jun 13 2007 Dan Walsh 2.0.21-1
+- Update to match NSA
+ * Fixed setsebool (falling through to error path on success).
+
+* Mon Jun 11 2007 Dan Walsh 2.0.20-1
+- Update to match NSA
+ * Merged genhomedircon fixes from Dan Walsh.
+ * Merged setfiles -c usage fix from Dan Walsh.
+ * Merged restorecon fix from Yuichi Nakamura.
+ * Dropped -lsepol where no longer needed.
+
+* Mon Jun 11 2007 Dan Walsh 2.0.19-5
+- Fix translations code, Add more filters to gui
+
+* Mon Jun 4 2007 Dan Walsh 2.0.19-4
+- Fix setfiles -c to make it work
+
+* Mon Jun 4 2007 Dan Walsh 2.0.19-3
+- Fix french translation to not crash system-config-selinux
+
+* Fri Jun 1 2007 Dan Walsh 2.0.19-2
+- Fix genhomedircon to work in stage2 builds of anaconda
+
+* Sat May 19 2007 Dan Walsh 2.0.19-1
+- Update to match NSA
+
+* Thu May 17 2007 Dan Walsh 2.0.16-2
+- Fixes for polgentool templates file
+
+* Fri May 4 2007 Dan Walsh 2.0.16-1
+- Updated version of policycoreutils
+ * Merged support for modifying the prefix via semanage from Dan Walsh.
+- Fixed genhomedircon to find homedirs correctly.
+
+* Tue May 1 2007 Dan Walsh 2.0.15-1
+- Updated version of policycoreutils
+ * Merged po file updates from Dan Walsh.
+- Fix semanage to be able to modify prefix in user record
+
+* Mon Apr 30 2007 Dan Walsh 2.0.14-2
+- Fix title on system-config-selinux
+
+* Wed Apr 25 2007 Dan Walsh 2.0.14-1
+- Updated version of policycoreutils
+ * Build fix for setsebool.
+
+* Wed Apr 25 2007 Dan Walsh 2.0.13-1
+- Updated version of policycoreutils
+ * Merged setsebool patch to only use libsemanage for persistent boolean changes from Stephen Smalley.
+ * Merged genhomedircon patch to use the __default__ setting from Dan Walsh.
+ * Dropped -b option from load_policy in preparation for always preserving booleans across reloads in the kernel.
+
+* Tue Apr 24 2007 Dan Walsh 2.0.10-2
+- Fixes for polgengui
+
+* Tue Apr 24 2007 Dan Walsh 2.0.10-1
+- Updated version of policycoreutils
+ * Merged chcat, fixfiles, genhomedircon, restorecond, and restorecon patches from Dan Walsh.
+
+* Fri Apr 20 2007 Dan Walsh 2.0.9-10
+- Fix genhomedircon to handle non user_u for the default user
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-9
+- More cleanups for gui
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-8
+- Fix size and use_tmp problem on gui
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-7
+- Fix restorecon crash
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-6
+- Change polgengui to a druid
+
+* Tue Apr 17 2007 Dan Walsh 2.0.9-5
+- Fully path script.py
+
+* Mon Apr 16 2007 Dan Walsh 2.0.9-4
+- Add -l flag to restorecon to not traverse file systems
+
+* Sat Apr 14 2007 Dan Walsh 2.0.9-3
+- Fixes for policygengui
+
+* Fri Apr 13 2007 Dan Walsh 2.0.9-2
+- Add polgengui
+
+* Thu Apr 12 2007 Dan Walsh 2.0.9-1
+- Updated version of sepolgen
+ * Merged seobject setransRecords patch to return the first alias from Xavier Toth.
+
+* Wed Apr 11 2007 Dan Walsh 2.0.8-1
+- Updated version of sepolgen
+ * Merged updates to sepolgen-ifgen from Karl MacMillan.
+ * Merged updates to sepolgen parser and tools from Karl MacMillan.
+ This includes improved debugging support, handling of interface
+ calls with list parameters, support for role transition rules,
+ updated range transition rule support, and looser matching.
+
+* Mon Apr 9 2007 Dan Walsh 2.0.7-11
+- Don't generate invalid context with genhomedircon
+
+* Mon Apr 9 2007 Dan Walsh 2.0.7-10
+- Add filter to booleans page
+
+* Tue Apr 3 2007 Dan Walsh 2.0.7-9
+- Fix polgen.py to not generate udp rules on tcp input
+
+* Fri Mar 30 2007 Dan Walsh 2.0.7-8
+- system-config-selinux should be able to run on a disabled system,
+- at least enough to get it enabled.
+
+* Thu Mar 29 2007 Dan Walsh 2.0.7-7
+- Many fixes to polgengui
+
+* Fri Mar 23 2007 Dan Walsh 2.0.7-6
+- Updated version of sepolgen
+ * Merged patch to discard self from types when generating requires from Karl MacMillan.
+
+* Fri Mar 23 2007 Dan Walsh 2.0.7-5
+- Change location of audit2allow and sepol-ifgen to sbin
+- Updated version of sepolgen
+ * Merged patch to move the sepolgen runtime data from /usr/share to /var/lib to facilitate a read-only /usr from Karl MacMillan.
+
+* Mon Mar 19 2007 Dan Walsh 2.0.7-4
+- Add polgen gui
+- Many fixes to system-config-selinux
+
+* Mon Mar 12 2007 Dan Walsh 2.0.7-3
+- service restorecond status needs to set exit value correctly
+
+* Mon Mar 12 2007 Dan Walsh 2.0.7-2
+- Fix gui
+
+* Thu Mar 1 2007 Dan Walsh 2.0.7-1
+- Update to upstream
+ * Merged restorecond init script LSB compliance patch from Steve Grubb.
+ -sepolgen
+ * Merged better matching for refpolicy style from Karl MacMillan
+ * Merged support for extracting interface paramaters from interface calls from Karl MacMillan
+ * Merged support for parsing USER_AVC audit messages from Karl MacMillan.
+
+* Tue Feb 27 2007 Dan Walsh 2.0.6-3
+- Update to upstream
+ -sepolgen
+ * Merged support for enabling parser debugging from Karl MacMillan.
+- Add sgrupp cleanup of restorcon init script
+
+* Mon Feb 26 2007 Dan Walsh 2.0.6-2
+- Add Bill Nottinham patch to run restorcond condrestart in postun
+
+* Fri Feb 23 2007 Dan Walsh 2.0.6-1
+- Update to upstream
+ - policycoreutils
+ * Merged newrole O_NONBLOCK fix from Linda Knippers.
+ * Merged sepolgen and audit2allow patches to leave generated files
+ in the current directory from Karl MacMillan.
+ * Merged restorecond memory leak fix from Steve Grubb.
+ -sepolgen
+ * Merged patch to leave generated files (e.g. local.te) in current directory from Karl MacMillan.
+ * Merged patch to make run-tests.py use unittest.main from Karl MacMillan.
+ * Merged patch to update PLY from Karl MacMillan.
+ * Merged patch to update the sepolgen parser to handle the latest reference policy from Karl MacMillan.
+
+* Thu Feb 22 2007 Dan Walsh 2.0.3-2
+- Do not fail on sepolgen-ifgen
+
+* Thu Feb 22 2007 Dan Walsh 2.0.3-1
+- Update to upstream
+ * Merged translations update from Dan Walsh.
+ * Merged chcat fixes from Dan Walsh.
+ * Merged man page fixes from Dan Walsh.
+ * Merged seobject prefix validity checking from Dan Walsh.
+ * Merged Makefile and refparser.py patch from Dan Walsh.
+ Fixes PYTHONLIBDIR definition and error handling on interface files.
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-3
+- Updated newrole NONBlOCK patch
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-2
+- Remove Requires: %%{name}-plugins
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-1
+- Update to upstream
+ * Merged seobject exception handler fix from Caleb Case.
+ * Merged setfiles memory leak patch from Todd Miller.
+
+* Thu Feb 15 2007 Dan Walsh 2.0.1-2
+- Cleanup man pages syntax
+- Add sepolgen
+
+* Mon Feb 12 2007 Dan Walsh 2.0.1-1
+- Update to upstream
+ * Merged small fix to correct include of errcodes.h in semodule_deps from Dan Walsh.
+
+* Wed Feb 7 2007 Dan Walsh 2.0.0-1
+- Update to upstream
+ * Merged new audit2allow from Karl MacMillan.
+ This audit2allow depends on the new sepolgen python module.
+ Note that you must run the sepolgen-ifgen tool to generate
+ the data needed by audit2allow to generate refpolicy.
+ * Fixed newrole non-pam build.
+- Fix Changelog and spelling error in man page
+
+* Thu Feb 1 2007 Dan Walsh 1.34.1-4
+- Fix audit2allow on missing translations
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-3
+- More chcat fixes
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-2
+- Change chcat to exec semodule so file context is maintained
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-1
+- Fix system-config-selinux ports view
+- Update to upstream
+ * Fixed newrole non-pam build.
+ * Updated version for stable branch.
+
+* Wed Jan 17 2007 Dan Walsh 1.33.15-1
+- Update to upstream
+ * Merged unicode-to-string fix for seobject audit from Dan Walsh.
+ * Merged man page updates to make "apropos selinux" work from Dan Walsh.
+
+* Tue Jan 16 2007 Dan Walsh 1.33.14-1
+ * Merged newrole man page patch from Michael Thompson.
+ * Merged patch to fix python unicode problem from Dan Walsh.
+
+* Tue Jan 16 2007 Dan Walsh 1.33.12-3
+- Fix handling of audit messages for useradd change
+Resolves: #222159
+
+* Fri Jan 12 2007 Dan Walsh 1.33.12-2
+- Update man pages by adding SELinux to header to fix apropos database
+Resolves: #217881
+
+* Tue Jan 9 2007 Dan Walsh 1.33.12-1
+- Want to update to match api
+- Update to upstream
+ * Merged newrole securetty check from Dan Walsh.
+ * Merged semodule patch to generalize list support from Karl MacMillan.
+Resolves: #200110
+
+* Tue Jan 9 2007 Dan Walsh 1.33.11-1
+- Update to upstream
+ * Merged fixfiles and seobject fixes from Dan Walsh.
+ * Merged semodule support for list of modules after -i from Karl MacMillan.
+
+* Tue Jan 9 2007 Dan Walsh 1.33.10-1
+- Update to upstream
+ * Merged patch to correctly handle a failure during semanage handle
+ creation from Karl MacMillan.
+ * Merged patch to fix seobject role modification from Dan Walsh.
+
+* Fri Jan 5 2007 Dan Walsh 1.33.8-2
+- Stop newrole -l from working on non secure ttys
+Resolves: #200110
+
+* Thu Jan 4 2007 Dan Walsh 1.33.8-1
+- Update to upstream
+ * Merged patches from Dan Walsh to:
+ - omit the optional name from audit2allow
+ - use the installed python version in the Makefiles
+ - re-open the tty with O_RDWR in newrole
+
+* Wed Jan 3 2007 Dan Walsh 1.33.7-1
+- Update to upstream
+ * Patch from Dan Walsh to correctly suppress warnings in load_policy.
+
+* Tue Jan 2 2007 Dan Walsh 1.33.6-9
+- Fix fixfiles script to use tty command correctly. If this command fails, it
+should set the LOGFILE to /dev/null
+Resolves: #220879
+
+* Wed Dec 20 2006 Dan Walsh 1.33.6-8
+- Remove hard coding of python2.4 from Makefiles
+
+* Tue Dec 19 2006 Dan Walsh 1.33.6-7
+- add exists switch to semanage to tell it not to check for existance of Linux user
+Resolves: #219421
+
+* Mon Dec 18 2006 Dan Walsh 1.33.6-6
+- Fix audit2allow generating reference policy
+- Fix semanage to manage user roles properly
+Resolves: #220071
+
+* Fri Dec 8 2006 Dan Walsh 1.33.6-5
+- Update po files
+- Fix newrole to open stdout and stderr rdrw so more will work on MLS machines
+Resolves: #216920
+
+* Thu Dec 7 2006 Jeremy Katz - 1.33.6-4
+- rebuild for python 2.5
+
+* Wed Dec 6 2006 Dan Walsh 1.33.6-3
+- Update po files
+Resolves: #216920
+
+* Fri Dec 1 2006 Dan Walsh 1.33.6-2
+- Update po files
+Resolves: #216920
+
+* Wed Nov 29 2006 Dan Walsh 1.33.6-1
+- Update to upstream
+ * Patch from Dan Walsh to add an pam_acct_msg call to run_init
+ * Patch from Dan Walsh to fix error code returns in newrole
+ * Patch from Dan Walsh to remove verbose flag from semanage man page
+ * Patch from Dan Walsh to make audit2allow use refpolicy Makefile
+ in /usr/share/selinux/
+
+* Wed Nov 29 2006 Dan Walsh 1.33.5-4
+- Fixing the Makefile line again to build with LSPP support
+Resolves: #208838
+
+* Wed Nov 29 2006 Dan Walsh 1.33.5-3
+- Don't report errors on restorecond when file system does not support XATTRS
+Resolves: #217694
+
+* Tue Nov 28 2006 Dan Walsh 1.33.5-2
+- Fix -q qualifier on load_policy
+Resolves: #214827
+
+* Tue Nov 28 2006 Dan Walsh 1.33.5-1
+- Merge to upstream
+- Fix makefile line
+Resolves: #208838
+
+* Fri Nov 24 2006 Dan Walsh 1.33.4-2
+- Additional po changes
+- Added all booleans definitions
+
+* Wed Nov 22 2006 Dan Walsh 1.33.4-1
+- Upstream accepted my patches
+ * Merged setsebool patch from Karl MacMillan.
+ This fixes a bug reported by Yuichi Nakamura with
+ always setting booleans persistently on an unmanaged system.
+
+* Mon Nov 20 2006 Dan Walsh 1.33.2-2
+- Fixes for the gui
+
+* Mon Nov 20 2006 Dan Walsh 1.33.2-1
+- Upstream accepted my patches
+
+* Fri Nov 17 2006 Dan Walsh 1.33.1-9
+- Add Amy Grifis Patch to preserve newrole exit status
+
+* Thu Nov 16 2006 Dan Walsh 1.33.1-8
+- Fix display of gui
+
+* Thu Nov 16 2006 Dan Walsh 1.33.1-7
+- Add patch by Jose Plans to make run_init use pam_acct_mgmt
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-6
+- More fixes to gui
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-5
+- Fix audit2allow to generate referene policy
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-4
+- Add group sort for portsPage.py
+- Add enable/disableaudit to modules page
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-3
+- Add glade file
+
+* Tue Nov 14 2006 Dan Walsh 1.33.1-2
+- Fix Module handling in system-config-selinux
+
+* Tue Nov 14 2006 Dan Walsh 1.33.1-1
+- Update to upstream
+ * Merged newrole patch set from Michael Thompson.
+- Add policycoreutils-gui
+
+* Thu Nov 9 2006 Dan Walsh 1.32-3
+- No longer requires rhpl
+
+* Mon Nov 6 2006 Dan Walsh 1.32-2
+- Fix genhomedircon man page
+
+* Mon Oct 9 2006 Dan Walsh 1.32-1
+- Add newrole audit patch from sgrubb
+- Update to upstream
+ * Merged audit2allow -l fix from Yuichi Nakamura.
+ * Merged restorecon -i and -o - support from Karl MacMillan.
+ * Merged semanage/seobject fix from Dan Walsh.
+ * Merged fixfiles -R and verify changes from Dan Walsh.
+
+* Fri Oct 6 2006 Dan Walsh 1.30.30-2
+- Separate out newrole into its own package
+
+* Fri Sep 29 2006 Dan Walsh 1.30.30-1
+- Update to upstream
+ * Merged newrole auditing of failures due to user actions from
+ Michael Thompson.
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-6
+- Pass -i qualifier to restorecon for fixfiles -R
+- Update translations
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-5
+- Remove recursion from fixfiles -R calls
+- Fix semanage to verify prefix
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-4
+- More translations
+- Compile with -pie
+
+* Mon Sep 18 2006 Dan Walsh 1.30.29-3
+- Add translations
+- Fix audit2allow -l
+
+* Thu Sep 14 2006 Dan Walsh 1.30.29-2
+- Rebuild
+
+* Thu Sep 14 2006 Dan Walsh 1.30.29-1
+- Update to upstream
+- Change -o to take "-" for stdout
+
+* Wed Sep 13 2006 Dan Walsh 1.30.28-9
+- Add -h support for genhomedircon
+
+* Wed Sep 13 2006 Dan Walsh 1.30.28-8
+- Fix fixfiles handling of -o
+
+* Mon Sep 11 2006 Dan Walsh 1.30.28-7
+- Make restorecon return the number of changes files if you use the -n flag
+
+* Fri Sep 8 2006 Dan Walsh 1.30.28-6
+- Change setfiles and restorecon to use stderr except for -o flag
+- Also -o flag will now output files
+
+* Thu Sep 7 2006 Dan Walsh 1.30.28-5
+- Put back Erich's change
+
+* Wed Sep 6 2006 Dan Walsh 1.30.28-4
+- Remove recursive switch when using rpm
+
+* Wed Sep 6 2006 Dan Walsh 1.30.28-3
+- Fix fixfiles to handle multiple rpm and make -o work
+
+* Fri Sep 1 2006 Dan Walsh 1.30.28-2
+- Apply patch
+
+* Fri Sep 1 2006 Dan Walsh 1.30.28-1
+- Security fixes to run python in a more locked down manner
+- More Translations
+- Update to upstream
+ * Merged fix for restorecon // handling from Erich Schubert.
+ * Merged translations update and fixfiles fix from Dan Walsh.
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-5
+- Change scripts to use /usr/sbin/python
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-4
+- Add -i qualified to restorecon to tell it to ignore files that do not exist
+- Fixfiles also modified for this change
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-3
+- Ignore sigpipe
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-2
+- Fix init script and add translations
+
+* Thu Aug 24 2006 Dan Walsh 1.30.27-1
+- Update to upstream
+ * Merged fix for restorecon symlink handling from Erich Schubert.
+
+* Sat Aug 12 2006 Dan Walsh 1.30.26-1
+- Update to upstream
+ * Merged semanage local file contexts patch from Chris PeBenito.
+- Fix fixfiles log creation
+- More translations
+
+* Thu Aug 3 2006 Dan Walsh 1.30.25-1
+- Update to upstream
+ * Merged patch from Dan Walsh with:
+ * audit2allow: process MAC_POLICY_LOAD events
+ * newrole: run shell with - prefix to start a login shell
+ * po: po file updates
+ * restorecond: bail if SELinux not enabled
+ * fixfiles: omit -q
+ * genhomedircon: fix exit code if non-root
+ * semodule_deps: install man page
+ * Merged secon Makefile fix from Joshua Brindle.
+ * Merged netfilter contexts support patch from Chris PeBenito.
+
+* Wed Aug 2 2006 Dan Walsh 1.30.22-3
+- Fix audit2allow to handle reload of policy
+
+* Wed Aug 2 2006 Dan Walsh 1.30.22-2
+- Stop restorecond init script when selinux is not enabled
+
+* Tue Aug 1 2006 Dan Walsh 1.30.22-1
+- Update to upstream
+ * Merged restorecond size_t fix from Joshua Brindle.
+ * Merged secon keycreate patch from Michael LeMay.
+ * Merged restorecond fixes from Dan Walsh.
+ Merged updated po files from Dan Walsh.
+ * Merged python gettext patch from Stephen Bennett.
+ * Merged semodule_deps from Karl MacMillan.
+
+* Thu Jul 27 2006 Dan Walsh 1.30.17-7
+- Change newrole to exec a login shell to prevent suspend.
+
+* Fri Jul 21 2006 Dan Walsh 1.30.17-6
+- Report error when selinux not enabled in restorecond
+
+* Tue Jul 18 2006 Dan Walsh 1.30.17-5
+- Fix handling of restorecond
+
+* Mon Jul 17 2006 Dan Walsh 1.30.17-4
+- Fix creation of restorecond pidfile
+
+* Mon Jul 17 2006 Dan Walsh 1.30.17-3
+- Update translations
+- Update to new GCC
+
+* Mon Jul 10 2006 Dan Walsh 1.30.17-2
+- Add verbose flag to restorecond and update translations
+
+* Tue Jul 4 2006 Dan Walsh 1.30.17-1
+- Update to upstream
+ * Lindent.
+ * Merged patch from Dan Walsh with:
+ * -p option (progress) for setfiles and restorecon.
+ * disable context translation for setfiles and restorecon.
+ * on/off values for setsebool.
+ * Merged setfiles and semodule_link fixes from Joshua Brindle.
+
+* Thu Jun 22 2006 Dan Walsh 1.30.14-5
+- Add progress indicator on fixfiles/setfiles/restorecon
+
+* Wed Jun 21 2006 Dan Walsh 1.30.14-4
+- Don't use translations with matchpathcon
+
+* Tue Jun 20 2006 Dan Walsh 1.30.14-3
+- Prompt for selinux-policy-devel package in audit2allow
+
+* Mon Jun 19 2006 Dan Walsh 1.30.14-2
+- Allow setsebool to use on/off
+- Update translations
+
+* Fri Jun 16 2006 Dan Walsh 1.30.14-1
+- Update to upstream
+ * Merged fix for setsebool error path from Serge Hallyn.
+ * Merged patch from Dan Walsh with:
+ * Updated po files.
+ * Fixes for genhomedircon and seobject.
+ * Audit message for mass relabel by setfiles.
+
+* Tue Jun 13 2006 James Antill 1.30.12-5
+- Update audit mass relabel to only compile in when audit is installed.
+
+* Mon Jun 12 2006 Dan Walsh 1.30.12-4
+- Update to required versions
+- Update translation
+
+* Wed Jun 7 2006 Dan Walsh 1.30.12-3
+- Fix shell selection
+
+* Mon Jun 5 2006 Dan Walsh 1.30.12-2
+- Add BuildRequires for gettext
+
+* Mon Jun 5 2006 Dan Walsh 1.30.12-1
+ * Updated fixfiles script for new setfiles location in /sbin.
+
+* Tue May 30 2006 Dan Walsh 1.30.11-1
+- Update to upstream
+ * Merged more translations from Dan Walsh.
+ * Merged patch to relocate setfiles to /sbin for early relabel
+ when /usr might not be mounted from Dan Walsh.
+ * Merged semanage/seobject patch to preserve fcontext ordering in list.
+ * Merged secon patch from James Antill.
+
+* Fri May 26 2006 Dan Walsh 1.30.10-4
+- Fix seobject.py to not sort the file_context file.
+- move setfiles to /sbin
+
+* Wed May 24 2006 James Antill 1.30.10-3
+- secon man page and getopt fixes.
+- Enable mass relabel audit, even though it doesn't work.
+
+* Wed May 24 2006 James Antill 1.30.10-2
+- secon fixes for --self-exec etc.
+- secon change from level => sensitivity, add clearance.
+- Add mass relabel AUDIT patch, but disable it until kernel problem solved.
+
+* Tue May 23 2006 Dan Walsh 1.30.10-1
+- Update to upstream
+ * Merged patch with updates to audit2allow, secon, genhomedircon,
+ and semanage from Dan Walsh.
+
+* Sat May 20 2006 Dan Walsh 1.30.9-4
+- Fix exception in genhomedircon
+
+* Mon May 15 2006 James Antill 1.30.9-3
+- Add rhpl dependancy
+
+* Mon May 15 2006 James Antill 1.30.9-2
+- Add secon man page and prompt options.
+
+* Mon May 15 2006 Dan Walsh 1.30.9-1
+- Update to upstream
+ * Fixed audit2allow and po Makefiles for DESTDIR= builds.
+ * Merged .po file patch from Dan Walsh.
+ * Merged bug fix for genhomedircon.
+
+* Wed May 10 2006 Dan Walsh 1.30.8-2
+- Fix exception on bad file_context
+
+* Mon May 8 2006 Dan Walsh 1.30.8-1
+- Update to upstream
+ * Merged fix warnings patch from Karl MacMillan.
+ * Merged patch from Dan Walsh.
+ This includes audit2allow changes for analysis plugins,
+ internationalization support for several additional programs
+ and added po files, some fixes for semanage, and several cleanups.
+ It also adds a new secon utility.
+
+* Sun May 7 2006 Dan Walsh 1.30.6-5
+- Fix genhomedircon to catch duplicate homedir problem
+
+* Thu May 4 2006 Dan Walsh 1.30.6-4
+- Add secon program
+- Add translations
+
+* Thu Apr 20 2006 Dan Walsh 1.30.6-3
+- Fix check for "msg"
+
+* Mon Apr 17 2006 Dan Walsh 1.30.6-2
+- Ship avc.py
+
+* Fri Apr 14 2006 Dan Walsh 1.30.6-1
+- Add /etc/samba/secrets.tdb to restorecond.conf
+- Update from upstream
+ * Merged semanage prefix support from Russell Coker.
+ * Added a test to setfiles to check that the spec file is
+ a regular file.
+
+* Thu Apr 06 2006 Karsten Hopp 1.30.4-4
+- added some missing buildrequires
+- added Requires: initscripts for /sbin/service
+
+* Thu Apr 06 2006 Karsten Hopp 1.30.4-3
+- use absolute path /sbin/service
+
+* Wed Apr 5 2006 Dan Walsh 1.30.4-2
+- Fix audit2allow to not require ausearch.
+- Fix man page
+- Add libflashplayer to restorecond.conf
+
+* Wed Mar 29 2006 Dan Walsh 1.30.4-1
+- Update from upstream
+ * Merged audit2allow fixes for refpolicy from Dan Walsh.
+ * Merged fixfiles patch from Dan Walsh.
+ * Merged restorecond daemon from Dan Walsh.
+ * Merged semanage non-MLS fixes from Chris PeBenito.
+ * Merged semanage and semodule man page examples from Thomas Bleher.
+
+* Tue Mar 28 2006 Dan Walsh 1.30.1-4
+- Clean up reference policy generation in audit2allow
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-3
+- Add IN_MOVED_TO to catch renames
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-2
+- make restorecond only ignore non directories with lnk > 1
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-1
+- Make audit2allow translate dontaudit as well as allow rules
+- Update from upstream
+ * Merged semanage labeling prefix patch from Ivan Gyurdiev.
+
+* Tue Mar 21 2006 Dan Walsh 1.30-5
+- Fix audit2allow to retrieve dontaudit rules
+
+* Mon Mar 20 2006 Dan Walsh 1.30-4
+- Open file descriptor to make sure file does not change from underneath.
+ +* Fri Mar 17 2006 Dan Walsh 1.30-3 +- Fixes for restorecond attack via symlinks +- Fixes for fixfiles + +* Fri Mar 17 2006 Dan Walsh 1.30-2 +- Restorecon has to handle suspend/resume + +* Fri Mar 17 2006 Dan Walsh 1.30-1 +- Update to upstream + +* Fri Mar 10 2006 Dan Walsh 1.29.27-1 +- Add restorecond + +* Fri Mar 10 2006 Dan Walsh 1.29.26-6 +- Remove prereq + +* Mon Mar 6 2006 Dan Walsh 1.29.26-5 +- Fix audit2allow to generate all rules + +* Fri Mar 3 2006 Dan Walsh 1.29.26-4 +- Minor fixes to chcat and semanage + +* Fri Feb 24 2006 Dan Walsh 1.29.26-3 +- Add missing setsebool man page + +* Thu Feb 23 2006 Dan Walsh 1.29.26-2 +- Change audit2allow to use devel instead of refpolicy + +* Mon Feb 20 2006 Dan Walsh 1.29.26-1 +- Update from upstream + * Merged semanage bug fix patch from Ivan Gyurdiev. + * Merged improve bindings patch from Ivan Gyurdiev. + * Merged semanage usage patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. + +* Mon Feb 13 2006 Dan Walsh 1.29.23-1 +- Update from upstream + * Merged newrole -V/--version support from Glauber de Oliveira Costa. + * Merged genhomedircon prefix patch from Dan Walsh. + * Merged optionals in base patch from Joshua Brindle. + +* Fri Feb 10 2006 Jesse Keating - 1.29.20-2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Dan Walsh 1.29.20-2 +- Fix auditing to semanage +- Change genhomedircon to use new prefix interface in libselinux + +* Tue Feb 07 2006 Dan Walsh 1.29.20-1 +- Update from upstream + * Merged seuser/user_extra support patch to semodule_package + from Joshua Brindle. + * Merged getopt type fix for semodule_link/expand and sestatus + from Chris PeBenito. 
+- Fix genhomedircon output + +* Tue Feb 07 2006 Jesse Keating - 1.29.18-2.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Feb 3 2006 Dan Walsh 1.29.18-2 +- Add auditing to semanage + +* Thu Feb 2 2006 Dan Walsh 1.29.18-1 +- Update from upstream + * Merged clone record on set_con patch from Ivan Gyurdiev. + +* Mon Jan 30 2006 Dan Walsh 1.29.17-1 +- Update from upstream + * Merged genhomedircon fix from Dan Walsh. + * Merged seusers.system patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged genhomedircon patch from Dan Walsh. + +* Fri Jan 27 2006 Dan Walsh 1.29.15-1 +- Update from upstream + * Merged newrole audit patch from Steve Grubb. + * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. + * Merged semanage and semodule access check patches from Joshua Brindle. + +* Wed Jan 25 2006 Dan Walsh 1.29.12-1 +- Add a default of /export/home + +* Wed Jan 25 2006 Dan Walsh 1.29.11-3 +- Cleanup of the patch + +* Wed Jan 25 2006 Dan Walsh 1.29.11-2 +- Correct handling of symbolic links in restorecon + +* Wed Jan 25 2006 Dan Walsh 1.29.11-1 +- Added translation support to semanage +- Update from upstream + * Modified newrole and run_init to use the loginuid when + supported to obtain the Linux user identity to re-authenticate, + and to fall back to real uid. Dropped the use of the SELinux + user identity, as Linux users are now mapped to SELinux users + via seusers and the SELinux user identity space is separate. + * Merged semanage bug fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat.8 and genhomedircon patches from Dan Walsh. + +* Thu Jan 19 2006 Dan Walsh 1.29.9-2 +- Fix genhomedircon to work on MLS policy + +* Thu Jan 19 2006 Dan Walsh 1.29.9-1 +- Update to match NSA + * Merged chcat, semanage, and setsebool patches from Dan Walsh. 
+ +* Thu Jan 19 2006 Dan Walsh 1.29.8-4 +- Fixes for "add"-"modify" error messages +- Fixes for chcat + +* Wed Jan 18 2006 Dan Walsh 1.29.8-3 +- Add management of translation file to semaange and seobject + +* Wed Jan 18 2006 Dan Walsh 1.29.8-2 +- Fix chcat -l -L to work while not root + +* Wed Jan 18 2006 Dan Walsh 1.29.8-1 +- Update to match NSA + * Merged semanage fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. + +* Tue Jan 17 2006 Dan Walsh 1.29.7-4 +- Update chcat to manage user categories also + +* Sat Jan 14 2006 Dan Walsh 1.29.7-3 +- Add check for root for semanage, genhomedircon + +* Sat Jan 14 2006 Dan Walsh 1.29.7-2 +- Add ivans patch + +* Fri Jan 13 2006 Dan Walsh 1.29.7-1 +- Update to match NSA + * Merged newrole cleanup patch from Steve Grubb. + * Merged setfiles/restorecon performance patch from Russell Coker. + * Merged genhomedircon and semanage patches from Dan Walsh. + * Merged remove add_local/set_local patch from Ivan Gyurdiev. + +* Tue Jan 10 2006 Dan Walsh 1.29.5-3 +- Fixes for mls policy + +* Tue Jan 10 2006 Dan Walsh 1.29.5-2 +- Update semanage and split out seobject +- Fix labeleing of home_root + +* Thu Jan 5 2006 Dan Walsh 1.29.5-1 +- Update to match NSA + * Added filename to semodule error reporting. + +* Thu Jan 5 2006 Dan Walsh 1.29.4-1 +- Update to match NSA + * Merged genhomedircon and semanage patch from Dan Walsh. + * Changed semodule error reporting to include argv[0]. + +* Wed Jan 4 2006 Dan Walsh 1.29.3-1 +- Update to match NSA + * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - cleanup setsebool + - update setsebool to apply active booleans through libsemanage + - update semodule to use the new semanage_set_rebuild() interface + - fix various bugs in semanage + * Merged patch from Dan Walsh (Red Hat). 
+ This includes fixes for restorecon, chcat, fixfiles, genhomedircon, + and semanage. + +* Mon Jan 2 2006 Dan Walsh 1.29.2-10 +- Fix restorecon to not say it is changing user section when -vv is specified + +* Tue Dec 27 2005 Dan Walsh 1.29.2-9 +- Fixes for semanage, patch from Ivan and added a test script + +* Sat Dec 24 2005 Dan Walsh 1.29.2-8 +- Fix getpwnam call + +* Fri Dec 23 2005 Dan Walsh 1.29.2-7 +- Anaconda fixes + +* Thu Dec 22 2005 Dan Walsh 1.29.2-6 +- Turn off try catch block to debug anaconda failure + +* Tue Dec 20 2005 Dan Walsh 1.29.2-5 +- More fixes for chcat + +* Tue Dec 20 2005 Dan Walsh 1.29.2-4 +- Add try catch for files that may not exists + +* Mon Dec 19 2005 Dan Walsh 1.29.2-3 +- Remove commands from genhomedircon for installer + +* Wed Dec 14 2005 Dan Walsh 1.29.2-1 +- Fix genhomedircon to work in installer +- Update to match NSA + * Merged patch for chcat script from Dan Walsh. + +* Fri Dec 9 2005 Dan Walsh 1.29.1-2 +- More fixes to chcat + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Dec 8 2005 Dan Walsh 1.29.1-1 +- Update to match NSA + * Merged fix for audit2allow long option list from Dan Walsh. + * Merged -r option for restorecon (alias for -R) from Dan Walsh. + * Merged chcat script and man page from Dan Walsh. + +* Wed Dec 7 2005 Dan Walsh 1.28-1 +- Update to match NSA +- Add gfs support + +* Wed Dec 7 2005 Dan Walsh 1.27.37-1 +- Update to match NSA +- Add chcat to policycoreutils, adding +/- syntax +` + +* Tue Dec 6 2005 Dan Walsh 1.27.36-2 +- Require new version of libsemanage + +* Mon Dec 5 2005 Dan Walsh 1.27.36-1 +- Update to match NSA + * Changed genhomedircon to warn on use of ROLE in homedir_template + if using managed policy, as libsemanage does not yet support it. + +* Sun Dec 4 2005 Dan Walsh 1.27.35-1 +- Update to match NSA + * Merged genhomedircon bug fix from Dan Walsh. + * Revised semodule* man pages to refer to checkmodule and + to include example sections. 
+ +* Thu Dec 1 2005 Dan Walsh 1.27.33-1 +- Update to match NSA + * Merged audit2allow --tefile and --fcfile support from Dan Walsh. + * Merged genhomedircon fix from Dan Walsh. + * Merged semodule* man pages from Dan Walsh, and edited them. + * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to + retain validation/canonicalization of contexts during init. + +* Wed Nov 30 2005 Dan Walsh 1.27.31-1 +- Update to match NSA + * Changed genhomedircon to always use user_r for the role in the + managed case since user_get_defrole is broken. +- Add te file capabilities to audit2allow +- Add man pages for semodule + +* Tue Nov 29 2005 Dan Walsh 1.27.30-1 +- Update to match NSA + * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. + * Fixed semodule -v option. + +* Mon Nov 28 2005 Dan Walsh 1.27.29-1 +- Update to match NSA + * Merged audit2allow python script from Dan Walsh. + (old script moved to audit2allow.perl, will be removed later). + * Merged genhomedircon fixes from Dan Walsh. + * Merged semodule quieting patch from Dan Walsh + (inverts default, use -v to restore original behavior). + +* Thu Nov 17 2005 Dan Walsh 1.27.28-3 +- Audit2allow + * Add more error checking + * Add gen policy package + * Add gen requires + +* Wed Nov 16 2005 Dan Walsh 1.27.28-2 +- Update to match NSA + * Merged genhomedircon rewrite from Dan Walsh. +- Rewrite audit2allow to python + +* Mon Nov 14 2005 Dan Walsh 1.27.27-5 +- Fix genhomedircon to work with non libsemanage systems + +* Fri Nov 11 2005 Dan Walsh 1.27.27-3 +- Patch genhomedircon to use libsemanage.py stuff + +* Wed Nov 9 2005 Dan Walsh 1.27.27-1 +- Update to match NSA + * Merged setsebool cleanup patch from Ivan Gyurdiev. + +* Wed Nov 9 2005 Dan Walsh 1.27.26-4 +- Fix genhomedircon to use seusers file, temporary fix until swigified semanage + +* Tue Nov 8 2005 Dan Walsh 1.27.26-1 + * Added -B (--build) option to semodule to force a rebuild. + * Reverted setsebool patch to call semanage_set_reload_bools(). 
+ * Changed setsebool to disable policy reload and to call + security_set_boolean_list to update the runtime booleans. + * Changed setfiles -c to use new flag to set_matchpathcon_flags() + to disable context translation by matchpathcon_init(). + +* Tue Nov 8 2005 Dan Walsh 1.27.23-1 +- Update to match NSA + * Changed setfiles for the context canonicalization support. + * Changed setsebool to call semanage_is_managed() interface + and fall back to security_set_boolean_list() if policy is + not managed. + * Merged setsebool memory leak fix from Ivan Gyurdiev. + * Merged setsebool patch to call semanage_set_reload_bools() + interface from Ivan Gyurdiev. + +* Mon Nov 7 2005 Dan Walsh 1.27.20-1 +- Update to match NSA + * Merged setsebool patch from Ivan Gyurdiev. + This moves setsebool from libselinux/utils to policycoreutils, + and rewrites it to use libsemanage for permanent boolean changes. + +* Tue Oct 25 2005 Dan Walsh 1.27.19-2 +- Rebuild to use latest libselinux, libsemanage, and libsepol + +* Tue Oct 25 2005 Dan Walsh 1.27.19-1 +- Update to match NSA + * Merged semodule support for reload, noreload, and store options + from Joshua Brindle. + * Merged semodule_package rewrite from Joshua Brindle. + +* Thu Oct 20 2005 Dan Walsh 1.27.18-1 +- Update to match NSA + * Cleaned up usage and error messages and releasing of memory by + semodule utilities. + * Corrected error reporting by semodule. + * Updated semodule_expand for change to sepol interface. + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +* Tue Oct 18 2005 Dan Walsh 1.27.14-1 +- Update to match NSA + * Updated semodule_package for sepol interface changes. + +* Tue Oct 18 2005 Dan Walsh 1.27.13-1 +- Update to match NSA + * Updated semodule_expand/link for sepol interface changes. + +* Sat Oct 15 2005 Dan Walsh 1.27.12-1 +- Update to match NSA + * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood. 
+ +* Fri Oct 14 2005 Dan Walsh 1.27.11-1 +- Update to match NSA + * Updated semodule_expand to use get interfaces for hidden sepol_module_package type. + * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat). + * Merged fixfiles patch from Dan Walsh (Red Hat). + * Updated semodule for removal of semanage_strerror. + +* Thu Oct 13 2005 Dan Walsh 1.27.7-2 +- Fix run_init.pamd and spec file + +* Wed Oct 12 2005 Dan Walsh 1.27.7-1 +- Update to match NSA + * Updated semodule_link and semodule_expand to use shared libsepol. + Fixed audit2why to call policydb_init prior to policydb_read (still + uses the static libsepol). + +* Mon Oct 10 2005 Dan Walsh 1.27.6-1 +- Update to match NSA + * Updated for changes to libsepol. + Changed semodule and semodule_package to use the shared libsepol. + Disabled build of semodule_link and semodule_expand for now. + Updated audit2why for relocated policydb internal headers, + still needs to be converted to a shared lib interface. + +* Fri Oct 7 2005 Dan Walsh 1.27.5-3 +- Update newrole pam file to remove pam-stack +- Update run_init pam file to remove pam-stack + +* Thu Oct 6 2005 Dan Walsh 1.27.5-1 +- Update to match NSA + * Fixed warnings in load_policy. + * Rewrote load_policy to use the new selinux_mkload_policy() + interface provided by libselinux. + +* Wed Oct 5 2005 Dan Walsh 1.27.3-2 +- Rebuild with newer libararies + +* Wed Sep 28 2005 Dan Walsh 1.27.3-1 +- Update to match NSA + * Merged patch to update semodule to the new libsemanage API + and improve the user interface from Karl MacMillan (Tresys). + * Modified semodule for the create/connect API split. + +* Wed Sep 28 2005 Dan Walsh 1.27.2-2 +- More fixes to stop find from following nfs paths + +* Wed Sep 21 2005 Dan Walsh 1.27.2-1 +- Update to match NSA + * Merged run_init open_init_pty bug fix from Manoj Srivastava + (unblock SIGCHLD). Bug reported by Erich Schubert. 
+ +* Tue Sep 20 2005 Dan Walsh 1.27.1-1 +- Update to match NSA + * Merged error shadowing bug fix for restorecon from Dan Walsh. + * Merged setfiles usage/man page update for -r option from Dan Walsh. + * Merged fixfiles -C patch to ignore :s0 addition on update + to a MCS/MLS policy from Dan Walsh. + +* Thu Sep 15 2005 Dan Walsh 1.26-3 +- Add chcat script for use with chcon. + +* Tue Sep 13 2005 Dan Walsh 1.26-2 +- Fix restorecon to exit with error code + +* Mon Sep 12 2005 Dan Walsh 1.26-1 + * Updated version for release. + +* Tue Sep 6 2005 Dan Walsh 1.25.9-2 +- Add prereq for mount command + +* Thu Sep 1 2005 Dan Walsh 1.25.9-1 +- Update to match NSA + * Changed setfiles -c to translate the context to raw format + prior to calling libsepol. + +* Fri Aug 26 2005 Dan Walsh 1.25.7-3 +- Use new version of libsemange and require it for install + +* Fri Aug 26 2005 Dan Walsh 1.25.7-2 +- Ignore s0 in file context + +* Thu Aug 25 2005 Dan Walsh 1.25.7-1 +- Update to match NSA + * Merged patch for fixfiles -C from Dan Walsh. + +* Tue Aug 23 2005 Dan Walsh 1.25.6-1 +- Update to match NSA + * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM). + Bugs found by Coverity. + +* Mon Aug 22 2005 Dan Walsh 1.25.5-3 +- Fix fixfiles to call sort -u followed by sort -d. + +* Wed Aug 17 2005 Dan Walsh 1.25.5-2 +- Change fixfiles to ignore /home directory on updates + +* Fri Aug 5 2005 Dan Walsh 1.25.5-1 +- Update to match NSA + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +* Thu Jul 28 2005 Dan Walsh 1.25.4-1 +- Update to match NSA + * Changed semodule* to link with libsemanage. + +* Wed Jul 27 2005 Dan Walsh 1.25.3-1 +- Update to match NSA + * Merged restorecon patch from Ivan Gyurdiev. + +* Mon Jul 18 2005 Dan Walsh 1.25.2-1 +- Update to match NSA + * Merged load_policy, newrole, and genhomedircon patches from Red Hat. 
+ +* Thu Jul 7 2005 Dan Walsh 1.25.1-1 +- Update to match NSA + * Merged loadable module support from Tresys Technology. + +* Wed Jun 29 2005 Dan Walsh 1.24-1 +- Update to match NSA + * Updated version for release. + +* Tue Jun 14 2005 Dan Walsh 1.23.11-4 +- Fix Ivan's patch for user role changes + +* Sat May 28 2005 Dan Walsh 1.23.11-3 +- Add Ivan's patch for user role changes in genhomedircon + +* Thu May 26 2005 Dan Walsh 1.23.11-2 +- Fix warning message on reload of booleans + +* Fri May 20 2005 Dan Walsh 1.23.11-1 +- Update to match NSA + * Merged fixfiles and newrole patch from Dan Walsh. + * Merged audit2why man page from Dan Walsh. + +* Thu May 19 2005 Dan Walsh 1.23.10-2 +- Add call to pam_acct_mgmt in newrole. + +* Tue May 17 2005 Dan Walsh 1.23.10-1 +- Update to match NSA + * Extended audit2why to incorporate booleans and local user + settings when analyzing audit messages. + +* Mon May 16 2005 Dan Walsh 1.23.9-1 +- Update to match NSA + * Updated audit2why for sepol_ prefixes on Flask types to + avoid namespace collision with libselinux, and to + include now. + +* Fri May 13 2005 Dan Walsh 1.23.8-1 +- Fix fixfiles to accept -f +- Update to match NSA + * Added audit2why utility. + +* Fri Apr 29 2005 Dan Walsh 1.23.7-1 +- Change -f flag in fixfiles to remove stuff from /tmp +- Change -F flag to pass -F flag to restorecon/fixfiles. (IE Force relabel). + +* Thu Apr 14 2005 Dan Walsh 1.23.6-1 +- Update to match NSA + * Fixed signed/unsigned pointer bug in load_policy. + * Reverted context validation patch for genhomedircon. + +* Wed Apr 13 2005 Dan Walsh 1.23.5-1 +- Update to match NSA + * Reverted load_policy is_selinux_enabled patch from Dan Walsh. + Otherwise, an initial policy load cannot be performed using + load_policy, e.g. for anaconda. 
+ +* Mon Apr 11 2005 Dan Walsh 1.23.4-3 +- remove is_selinux_enabled check from load_policy (Bad idea) + +* Mon Apr 11 2005 Dan Walsh 1.23.4-1 +- Update to version from NSA + * Merged load_policy is_selinux_enabled patch from Dan Walsh. + * Merged restorecon verbose output patch from Dan Walsh. + * Merged setfiles altroot patch from Chris PeBenito. + +* Thu Apr 7 2005 Dan Walsh 1.23.3-2 +- Don't run load_policy on a non SELinux kernel. + +* Wed Apr 6 2005 Dan Walsh 1.23.3-1 +- Update to version from NSA + * Merged context validation patch for genhomedircon from Eric Paris. +- Fix verbose output of restorecon + +* Thu Mar 17 2005 Dan Walsh 1.23.2-1 +- Update to version from NSA + * Changed setfiles -c to call set_matchpathcon_flags(3) to + turn off processing of .homedirs and .local. + +* Tue Mar 15 2005 Dan Walsh 1.23.1-1 +- Update to released version from NSA + * Merged rewrite of genhomedircon by Eric Paris. + * Changed fixfiles to relabel jfs since it now supports security xattrs + (as of 2.6.11). Removed reiserfs until 2.6.12 is released with + fixed support for reiserfs and selinux. + +* Thu Mar 10 2005 Dan Walsh 1.22-2 +- Update to released version from NSA +- Patch genhomedircon to handle passwd in different places. + +* Wed Mar 9 2005 Dan Walsh 1.21.22-2 +- Fix genhomedircon to not put bad userad error in file_contexts.homedir + +* Tue Mar 8 2005 Dan Walsh 1.21.22-1 +- Cleanup error reporting + +* Tue Mar 1 2005 Dan Walsh 1.21.21-1 + * Merged load_policy and genhomedircon patch from Dan Walsh. 
+ +* Mon Feb 28 2005 Dan Walsh 1.21.20-3 +- Fix genhomedircon to add extr "\n" + +* Fri Feb 25 2005 Dan Walsh 1.21.20-2 +- Fix genhomedircon to handle blank users + +* Fri Feb 25 2005 Dan Walsh 1.21.20-1 +- Update to latest from NSA +- Add call to libsepol + +* Thu Feb 24 2005 Dan Walsh 1.21.19-4 +- Fix genhomedircon to handle root +- Fix fixfiles to better handle file system types + +* Wed Feb 23 2005 Dan Walsh 1.21.19-2 +- Fix genhomedircon to handle spaces in SELINUXPOLICYTYPE + +* Tue Feb 22 2005 Dan Walsh 1.21.19-1 +- Update to latest from NSA + * Merged several fixes from Ulrich Drepper. + +* Mon Feb 21 2005 Dan Walsh 1.21.18-2 +- Apply Uli patch + * The Makefiles should use the -Wall option even if compiled in beehive + * Add -W, too + * use -Werror when used outside of beehive. This could also be used unconditionally + * setfiles/setfiles.c: fix resulting warning + * restorecon/restorecon.c: Likewise + * run_init/open_init_pty.c: argc hasn't been checked, the program would crash if +called without parameters. ignore the return value of nice properly. + * run_init: don't link with -ldl lutil + * load_policy: that's the bad bug. pointer to unsigned int is passed, size_t is +written to. fails on 64-bit archs + * sestatus: signed vs unsigned problem + * newrole: don't link with -ldl + +* Sat Feb 19 2005 Dan Walsh 1.21.18-1 +- Update to latest from NSA + * Changed load_policy to fall back to the original policy upon + an error from sepol_genusers(). + +* Thu Feb 17 2005 Dan Walsh 1.21.17-2 +- Only restorecon on ext[23], reiser and xfs + +* Thu Feb 17 2005 Dan Walsh 1.21.17-1 +- Update to latest from NSA + * Merged new genhomedircon script from Dan Walsh. + * Changed load_policy to call sepol_genusers(). 
+ +* Thu Feb 17 2005 Dan Walsh 1.21.15-9 +- Remove Red Hat rhpl usage +- Add back in original syntax +- Update man page to match new syntax + +* Fri Feb 11 2005 Dan Walsh 1.21.15-8 +- Fix genhomedircon regular expression +- Fix exclude in restorecon + +* Thu Feb 10 2005 Dan Walsh 1.21.15-5 +- Trap failure on write +- Rewrite genhomedircon to generate file_context.homedirs +- several passes + +* Thu Feb 10 2005 Dan Walsh 1.21.15-1 +- Update from NSA + * Changed relabel Makefile target to use restorecon. + +* Wed Feb 9 2005 Dan Walsh 1.21.14-1 +- Update from NSA + * Merged restorecon patch from Dan Walsh. + +* Tue Feb 8 2005 Dan Walsh 1.21.13-1 +- Update from NSA + * Merged further change to fixfiles -C from Dan Walsh. + * Merged updated fixfiles script from Dan Walsh. +- Fix error handling of restorecon + +* Mon Feb 7 2005 Dan Walsh 1.21.12-2 +- Fix sestatus for longer booleans + +* Wed Feb 2 2005 Dan Walsh 1.21.12-1 +- More cleanup of fixfiles sed patch + * Merged further patches for restorecon/setfiles -e and fixfiles -C. + +* Wed Feb 2 2005 Dan Walsh 1.21.10-2 +- More cleanup of fixfiles sed patch + +* Mon Jan 31 2005 Dan Walsh 1.21.10-1 +- More cleanup of fixfiles sed patch +- Upgrade to latest from NSA + * Merged patch for open_init_pty from Manoj Srivastava. + +* Fri Jan 28 2005 Dan Walsh 1.21.9-1 +- More cleanup of sed patch +- Upgrade to latest from NSA + * Merged updated fixfiles script from Dan Walsh. + * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped. + * Reverted fixfiles patch for file_contexts.local; + obsoleted by setfiles rewrite. + * Merged error handling patch for restorecon from Dan Walsh. + * Merged semi raw mode for open_init_pty helper from Manoj Srivastava. + * Rewrote setfiles to use matchpathcon and the new interfaces + exported by libselinux (>= 1.21.5). + +* Fri Jan 28 2005 Dan Walsh 1.21.7-3 +- Fix fixfiles patch +- Upgrade to latest from NSA + * Prevent overflow of spec array in setfiles. 
+- Add diff comparason between file_contexts to fixfiles +- Allow restorecon to give an warning on file not found instead of exiting + +* Thu Jan 27 2005 Dan Walsh 1.21.5-1 +- Upgrade to latest from NSA + * Merged newrole -l support from Darrel Goeddel (TCS). +- Fix genhomedircon STARTING_UID + +* Wed Jan 26 2005 Dan Walsh 1.21.4-1 +- Upgrade to latest from NSA + * Merged fixfiles patch for file_contexts.local from Dan Walsh. + +* Fri Jan 21 2005 Dan Walsh 1.21.3-2 +- Temp file needs to be created in /etc/selinux/POLICYTYPE/contexts/files/ directory. + +* Fri Jan 21 2005 Dan Walsh 1.21.3-1 +- Upgrade to latest from NSA + * Fixed restorecon to not treat errors from is_context_customizable() + as a customizable context. + * Merged setfiles/restorecon patch to not reset user field unless + -F option is specified from Dan Walsh. + * Merged open_init_pty helper for run_init from Manoj Srivastava. + * Merged audit2allow and genhomedircon man pages from Manoj Srivastava. + +* Fri Jan 21 2005 Dan Walsh 1.21.1-3 +- Don't change user componant if it is all that changed unless forced. +- Change fixfiles to concatinate file_context.local for setfiles + +* Thu Jan 20 2005 Dan Walsh 1.21.1-1 +- Update to latest from NSA + +* Mon Jan 10 2005 Dan Walsh 1.20.1-2 +- Fix restorecon segfault + +* Mon Jan 3 2005 Dan Walsh 1.20.1-1 +- Update to latest from NSA + * Merged fixfiles rewrite from Dan Walsh. + * Merged restorecon patch from Dan Walsh. + +* Mon Jan 3 2005 Dan Walsh 1.19.3-1 +- Update to latest from NSA + * Merged fixfiles and restorecon patches from Dan Walsh. + * Don't display change if only user part changed. + +* Mon Jan 3 2005 Dan Walsh 1.19.2-4 +- Fix fixfiles handling of rpm +- Fix restorecon to not warn on symlinks unless -v -v +- Fix output of verbose to show old context as well as new context + +* Wed Dec 29 2004 Dan Walsh 1.19.2-1 +- Update to latest from NSA + * Changed restorecon to ignore ENOENT errors from matchpathcon. 
+ * Merged nonls patch from Chris PeBenito. + +* Mon Dec 20 2004 Dan Walsh 1.19.1-1 +- Update to latest from NSA + * Removed fixfiles.cron. + * Merged run_init.8 patch from Dan Walsh. + +* Thu Nov 18 2004 Dan Walsh 1.18.1-3 +- Fix run_init.8 to refer to correct location of initrc_context + +* Wed Nov 3 2004 Dan Walsh 1.18.1-1 +- Upgrade to latest from NSA + +* Wed Oct 27 2004 Steve Grubb 1.17.7-3 +- Add code to sestatus to output the current policy from config file + +* Fri Oct 22 2004 Dan Walsh 1.17.7-2 +- Patch audit2allow to return self and no brackets if only one rule + +* Fri Oct 22 2004 Dan Walsh 1.17.7-1 +- Update to latest from NSA +- Eliminate fixfiles.cron + +* Tue Oct 12 2004 Dan Walsh 1.17.6-2 +- Only run fixfiles.cron once a week, and eliminate null message + +* Fri Oct 1 2004 Dan Walsh 1.17.6-1 +- Update with NSA + * Added -l option to setfiles to log changes via syslog. + * Merged -e option to setfiles to exclude directories. + * Merged -R option to restorecon for recursive descent. + +* Fri Oct 1 2004 Dan Walsh 1.17.5-6 +- Add -e (exclude directory) switch to setfiles +- Add syslog to setfiles + +* Fri Sep 24 2004 Dan Walsh 1.17.5-5 +- Add -R (recursive) switch to restorecon. + +* Thu Sep 23 2004 Dan Walsh 1.17.5-4 +- Change to only display to terminal if tty is specified + +* Tue Sep 21 2004 Dan Walsh 1.17.5-3 +- Only display to stdout if logfile not specified + +* Thu Sep 9 2004 Dan Walsh 1.17.5-2 +- Add Steve Grubb patch to cleanup log files. + +* Mon Aug 30 2004 Dan Walsh 1.17.5-1 +- Add optargs +- Update to match NSA + +* Wed Aug 25 2004 Dan Walsh 1.17.4-1 +- Add fix to get cdrom info from /proc/media in fixfiles. 
+ +* Wed Aug 25 2004 Dan Walsh 1.17.3-4 +- Add Steve Grub patches for + * Fix fixfiles.cron MAILTO + * Several problems in sestatus + +* Wed Aug 25 2004 Dan Walsh 1.17.3-3 +- Add -q (quiet) qualifier to load_policy to not report warnings + +* Tue Aug 24 2004 Dan Walsh 1.17.3-2 +- Add requires for libsepol >= 1.1.1 + +* Tue Aug 24 2004 Dan Walsh 1.17.3-1 +- Update to latest from upstream + +* Mon Aug 23 2004 Dan Walsh 1.17.2-1 +- Update to latest from upstream +- Includes Colin patch for verifying file_contexts + +* Sun Aug 22 2004 Dan Walsh 1.17.1-1 +- Update to latest from upstream + +* Mon Aug 16 2004 Dan Walsh 1.15.7-1 +- Update to latest from upstream + +* Thu Aug 12 2004 Dan Walsh 1.15.6-1 +- Add Man page for load_policy + +* Tue Aug 10 2004 Dan Walsh 1.15.5-1 +- new version from NSA uses libsepol + +* Mon Aug 2 2004 Dan Walsh 1.15.3-2 +- Fix genhomedircon join command + +* Thu Jul 29 2004 Dan Walsh 1.15.3-1 +- Latest from NSA + +* Mon Jul 26 2004 Dan Walsh 1.15.2-4 +- Change fixfiles to not change when running a check + +* Tue Jul 20 2004 Dan Walsh 1.15.2-3 +- Fix restorecon getopt call to stop hang on IBM Arches + +* Mon Jul 19 2004 Dan Walsh 1.15.2-2 +- Only mail files less than 100 lines from fixfiles.cron +- Add Russell's fix for genhomedircon + +* Fri Jul 16 2004 Dan Walsh 1.15.2-1 +- Latest from NSA + +* Thu Jul 8 2004 Dan Walsh 1.15.1-2 +- Add ro warnings + +* Thu Jul 8 2004 Dan Walsh 1.15.1-1 +- Latest from NSA +- Fix fixfiles.cron to delete outfile + +* Tue Jul 6 2004 Dan Walsh 1.14.1-2 +- Fix fixfiles.cron to not run on non SELinux boxes +- Fix several problems in fixfiles and fixfiles.cron + +* Wed Jun 30 2004 Dan Walsh 1.14.1-1 +- Update from NSA +- Add cron capability to fixfiles + +* Fri Jun 25 2004 Dan Walsh 1.13.4-1 +- Update from NSA + +* Thu Jun 24 2004 Dan Walsh 1.13.3-2 +- Fix fixfiles to handle no rpm file on relabel + +* Wed Jun 23 2004 Dan Walsh 1.13.3-1 +- Update latest from NSA +- Add -o option to setfiles to save output of any files 
with incorrect context. + +* Tue Jun 22 2004 Dan Walsh 1.13.2-2 +- Add rpm support to fixfiles +- Update restorecon to add file input support + +* Fri Jun 18 2004 Dan Walsh 1.13.2-1 +- Update with NSA Latest + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Sat Jun 12 2004 Dan Walsh 1.13.1-2 +- Fix run_init to use policy formats + +* Wed Jun 2 2004 Dan Walsh 1.13.1-1 +- Update from NSA + +* Tue May 25 2004 Dan Walsh 1.13-3 +- Change location of file_context file + +* Tue May 25 2004 Dan Walsh 1.13-2 +- Change to use /etc/sysconfig/selinux to determine location of policy files + +* Fri May 21 2004 Dan Walsh 1.13-1 +- Update to latest from NSA +- Change fixfiles to prompt before deleteing /tmp files + +* Tue May 18 2004 Dan Walsh 1.12-2 +- have restorecon ingnore <> +- Hand matchpathcon the file status + +* Thu May 13 2004 Dan Walsh 1.12-1 +- Update to match NSA + +* Mon May 10 2004 Dan Walsh 1.11-4 +- Move location of log file to /var/tmp + +* Mon May 10 2004 Dan Walsh 1.11-3 +- Better grep command for bind + +* Fri May 7 2004 Dan Walsh 1.11-2 +- Eliminate bind and context mounts + +* Wed May 5 2004 Dan Walsh 1.11-1 +- update to match NSA + +* Wed Apr 28 2004 Dan Walsh 1.10-4 +- Log fixfiles to the /tmp directory + +* Wed Apr 21 2004 Colin Walters 1.10-3 +- Add patch to fall back to authenticating via uid if + the current user's SELinux user identity is the default + identity +- Add BuildRequires pam-devel + +* Mon Apr 12 2004 Dan Walsh 1.10-2 +- Add man page, thanks to Richard Halley + +* Thu Apr 8 2004 Dan Walsh 1.10-1 +- Upgrade to latest from NSA + +* Fri Apr 2 2004 Dan Walsh 1.9.2-1 +- Update with latest from gentoo and NSA + +* Thu Apr 1 2004 Dan Walsh 1.9.1-1 +- Check return codes in sestatus.c + +* Mon Mar 29 2004 Dan Walsh 1.9-19 +- Fix sestatus to not double free +- Fix sestatus.conf to be unix format + +* Mon Mar 29 2004 Dan Walsh 1.9-18 +- Warn on setfiles failure to relabel. 
+ +* Mon Mar 29 2004 Dan Walsh 1.9-17 +- Updated version of sestatus + +* Mon Mar 29 2004 Dan Walsh 1.9-16 +- Fix fixfiles to checklabel properly + +* Fri Mar 26 2004 Dan Walsh 1.9-15 +- add sestatus + +* Thu Mar 25 2004 Dan Walsh 1.9-14 +- Change free call to freecon +- Cleanup + +* Tue Mar 23 2004 Dan Walsh 1.9-12 +- Remove setfiles-assoc patch +- Fix restorecon to not crash on missing dir + +* Thu Mar 18 2004 Dan Walsh 1.9-11 +- Eliminate trailing / in restorecon + +* Thu Mar 18 2004 Dan Walsh 1.9-10 +- Add Verbosity check + +* Thu Mar 18 2004 Dan Walsh 1.9-9 +- Change restorecon to not follow symlinks. It is too difficult and confusing +- to figure out the file context for the file pointed to by a symlink. + +* Wed Mar 17 2004 Dan Walsh 1.9-8 +- Fix restorecon + +* Wed Mar 17 2004 Dan Walsh 1.9-7 +- Read restorecon patch + +* Wed Mar 17 2004 Dan Walsh 1.9-6 +- Change genhomedircon to take POLICYSOURCEDIR from command line + +* Wed Mar 17 2004 Dan Walsh 1.9-5 +- Add checkselinux +- move fixfiles and restorecon to /sbin + +* Wed Mar 17 2004 Dan Walsh 1.9-4 +- Restore patch of genhomedircon + +* Mon Mar 15 2004 Dan Walsh 1.9-3 +- Add setfiles-assoc patch to try to freeup memory use + +* Mon Mar 15 2004 Dan Walsh 1.9-2 +- Add fixlabels + +* Mon Mar 15 2004 Dan Walsh 1.9-1 +- Update to latest from NSA + +* Wed Mar 10 2004 Dan Walsh 1.6-8 +- Increase the size of buffer accepted by setfiles to BUFSIZ. + +* Tue Mar 9 2004 Dan Walsh 1.6-7 +- genhomedircon should complete even if it can't read /etc/default/useradd + +* Tue Mar 9 2004 Dan Walsh 1.6-6 +- fix restorecon to relabel unlabled files. 
+ +* Fri Mar 5 2004 Dan Walsh 1.6-5 +- Add genhomedircon from tresys +- Fixed patch for restorecon + +* Thu Feb 26 2004 Dan Walsh 1.6-4 +- exit out when selinux is not enabled + +* Thu Feb 26 2004 Dan Walsh 1.6-3 +- Fix minor bugs in restorecon + +* Thu Feb 26 2004 Dan Walsh 1.6-2 +- Add restorecon c program + +* Tue Feb 24 2004 Dan Walsh 1.6-1 +- Update to latest tarball from NSA + +* Thu Feb 19 2004 Dan Walsh 1.4-9 +- Add sort patch + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Jan 29 2004 Dan Walsh 1.4-7 +- remove mods to run_init since init scripts don't require it anymore + +* Wed Jan 28 2004 Dan Walsh 1.4-6 +- fix genhomedircon not to return and error + +* Wed Jan 28 2004 Dan Walsh 1.4-5 +- add setfiles quiet patch + +* Tue Jan 27 2004 Dan Walsh 1.4-4 +- add checkcon to verify context match file_context + +* Wed Jan 7 2004 Dan Walsh 1.4-3 +- fix command parsing restorecon + +* Tue Jan 6 2004 Dan Walsh 1.4-2 +- Add restorecon + +* Sat Dec 6 2003 Dan Walsh 1.4-1 +- Update to latest NSA 1.4 + +* Tue Nov 25 2003 Dan Walsh 1.2-9 +- Change run_init.console to run as run_init_t + +* Tue Oct 14 2003 Dan Walsh 1.2-8 +- Remove dietcc since load_policy is not in mkinitrd +- Change to use CONSOLEHELPER flag + +* Tue Oct 14 2003 Dan Walsh 1.2-7 +- Don't authenticate run_init when used with consolehelper + +* Wed Oct 01 2003 Dan Walsh 1.2-6 +- Add run_init consolehelper link + +* Wed Sep 24 2003 Dan Walsh 1.2-5 +- Add russell spead up patch to deal with file path stems + +* Fri Sep 12 2003 Dan Walsh 1.2-4 +- Build load_policy with diet gcc in order to save space on initrd + +* Fri Sep 12 2003 Dan Walsh 1.2-3 +- Update with NSA latest + +* Thu Aug 7 2003 Dan Walsh 1.2-1 +- remove i18n +- Temp remove gtk support + +* Thu Aug 7 2003 Dan Walsh 1.1-4 +- Remove wnck requirement + +* Thu Aug 7 2003 Dan Walsh 1.1-3 +- Add gtk support to run_init + +* Tue Aug 5 2003 Dan Walsh 1.1-2 +- Add internationalization + +* Mon Jun 2 2003 Dan Walsh 1.0-1 +- Initial version 
diff --git a/SPECS/policycoreutils/selinux-autorelabel b/SPECS/policycoreutils/selinux-autorelabel
new file mode 100755
index 0000000000..22c2143828
--- /dev/null
+++ b/SPECS/policycoreutils/selinux-autorelabel
@@ -0,0 +1,73 @@ +#!/bin/bash +# +# Do automatic relabelling +# + +# . /etc/init.d/functions + +# If the user has this (or similar) UEFI boot order: +# +# Windows | grub | Linux +# +# And decides to boot into grub/Linux, then the reboot at the end of autorelabel +# would cause the system to boot into Windows again, if the autorelabel was run. +# +# This function restores the UEFI boot order, so the user will boot into the +# previously set (and expected) partition. +efi_set_boot_next() { + # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could + # succeed even on system which is not EFI-enabled... + if ! efibootmgr > /dev/null 2>&1; then + return + fi + + # NOTE: It it possible that some other services might be setting the + # 'BootNext' item for any reasons, and we shouldn't override it if so. + if ! efibootmgr | grep --quiet -e 'BootNext'; then + CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')" + efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1 + fi +} + +relabel_selinux() { + # if /sbin/init is not labeled correctly this process is running in the + # wrong context, so a reboot will be required after relabel + AUTORELABEL= + . /etc/selinux/config + echo "0" > /sys/fs/selinux/enforce + [ -x /bin/plymouth ] && plymouth --quit + + if [ "$AUTORELABEL" = "0" ]; then + echo + echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. " + echo $"*** /etc/selinux/config indicates you want to manually fix labeling" + echo $"*** problems. Dropping you to a shell; the system will reboot" + echo $"*** when you leave the shell." + sulogin + + else + echo + echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required." + echo $"*** Relabeling could take a very long time, depending on file" + echo $"*** system size and speed of hard drives." 
+ + FORCE=`cat /.autorelabel` + [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug + /sbin/fixfiles $FORCE restore + fi + + rm -f /.autorelabel + /usr/lib/dracut/dracut-initramfs-restore + efi_set_boot_next + if [ -x /usr/bin/grub2-editenv ]; then + grub2-editenv - incr boot_indeterminate >/dev/null 2>&1 + fi + sync + systemctl --force reboot +} + +# Check to see if a full relabel is needed +if [ "$READONLY" != "yes" ]; then + restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1 + relabel_selinux +fi diff --git a/SPECS/policycoreutils/selinux-autorelabel-generator.sh b/SPECS/policycoreutils/selinux-autorelabel-generator.sh new file mode 100644 index 0000000000..be6048766d --- /dev/null +++ b/SPECS/policycoreutils/selinux-autorelabel-generator.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# This systemd.generator(7) detects if SELinux is running and if the +# user requested an autorelabel, and if so sets the default target to +# selinux-autorelabel.target, which will cause the filesystem to be +# relabelled and then the system will reboot again and boot into the +# real default target. + +PATH=/usr/sbin:$PATH +unitdir=/usr/lib/systemd/system + +# If invoked with no arguments (for testing) write to /tmp. +earlydir="/tmp" +if [ -n "$2" ]; then + earlydir="$2" +fi + +set_target () +{ + ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" +} + +if selinuxenabled; then + if test -f /.autorelabel; then + set_target + elif grep -sqE "\bautorelabel\b" /proc/cmdline; then + set_target + fi +fi diff --git a/SPECS/policycoreutils/selinux-autorelabel-mark.service b/SPECS/policycoreutils/selinux-autorelabel-mark.service new file mode 100644 index 0000000000..dc17df384d --- /dev/null +++ b/SPECS/policycoreutils/selinux-autorelabel-mark.service 
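Review bot: In `relabel_selinux`, the contents of `/.autorelabel` are read into `FORCE` and expanded unquoted in `/sbin/fixfiles $FORCE restore`, so whatever the marker file holds is word-split and handed as options to a root process that runs after `echo "0" > /sys/fs/selinux/enforce` has switched enforcement off. Making the accepted values explicit before the call keeps an unexpected marker from steering the relabel, for example `case "$FORCE" in -F|"") ;; *) FORCE= ;; esac` (confirm which options the marker is meant to carry). Separately, `efibootmgr -n "${CURRENT_BOOT}"` runs even when the `BootCurrent` lookup yields an empty string; guarding it with `[ -n "${CURRENT_BOOT}" ] &&` would make that case explicit.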
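Review bot: When the generator is run without a second argument, `earlydir` stays at `/tmp` and `set_target` runs `ln -sf` against `$earlydir/default.target`, a fixed name in a world-writable directory that another local user can pre-create. systemd passes the output directories as arguments, so the fallback is presumably only reached on manual test runs, but those are likely to be done as root. Prefer exiting when no directory is supplied, `[ -n "$2" ] || exit 0`, or point the test fallback at a directory made with `mktemp -d`.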
@@ -0,0 +1,18 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
diff --git a/SPECS/policycoreutils/selinux-autorelabel.service b/SPECS/policycoreutils/selinux-autorelabel.service
new file mode 100644
index 0000000000..b8461e6d31
--- /dev/null
+++ b/SPECS/policycoreutils/selinux-autorelabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=shutdown.target
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
diff --git a/SPECS/policycoreutils/selinux-autorelabel.target b/SPECS/policycoreutils/selinux-autorelabel.target
new file mode 100644
index 0000000000..a4f63abe53
--- /dev/null
+++ b/SPECS/policycoreutils/selinux-autorelabel.target
@@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux
diff --git a/SPECS/polkit/CVE-2021-3560.patch b/SPECS/polkit/CVE-2021-3560.patch
new file mode 100644
index 0000000000..c4bea97d19
--- /dev/null
+++ b/SPECS/polkit/CVE-2021-3560.patch
@@ -0,0 +1,27 @@ +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +GitLab + diff --git a/SPECS/polkit/polkit.spec b/SPECS/polkit/polkit.spec index 39ba3d414f..0913b40b2c 100644 --- a/SPECS/polkit/polkit.spec +++ b/SPECS/polkit/polkit.spec @@ -1,12 +1,13 @@ Summary: A toolkit for defining and handling authorizations. Name: polkit Version: 0.116 -Release: 3%{?dist} +Release: 5%{?dist} Group: Applications/System Vendor: Microsoft Corporation License: LGPLv2+ URL: https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html Source0: https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz +Patch0: CVE-2021-3560.patch Distribution: Mariner BuildRequires: autoconf BuildRequires: expat-devel @@ -38,7 +39,10 @@ Requires: polkit = %{version}-%{release} header files and libraries for polkit %prep -%setup -q +%autosetup -p1 +# Disable polkitbackend tests, which fail since dbus is not available in the worker chroot +sed -i 's/polkitbackend//g' test/Makefile.am +sed -i 's/polkitbackend//g' test/Makefile.in %build %configure \ 
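Review bot: In the `%prep` hunk of polkit.spec, `sed -i 's/polkitbackend//g'` deletes the string wherever it occurs in `test/Makefile.am` and `test/Makefile.in`, not only in the list of test subdirectories, and it succeeds silently if a later version no longer contains the pattern. Restricting the edit to the line that lists the subdirectories keeps it predictable, e.g. `sed -i '/^SUBDIRS/s/ *polkitbackend//' test/Makefile.am test/Makefile.in` (assuming the directory is named on a `SUBDIRS` line; the Makefiles are not shown here). Because this release exists to carry the CVE-2021-3560 patch, the spec comment could also state that the backend tests stay unexercised in the build, so the enabled `make check` is not read as full coverage.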
@@ -63,7 +67,7 @@ session include system-session EOF %check -# Disable check. It requires dbus - not available in chroot/container. +make check %pre getent group polkitd > /dev/null || groupadd -fg 27 polkitd && @@ -111,24 +115,37 @@ fi %{_datadir}/gettext/its/polkit.loc %changelog -* Sat May 09 00:21:16 PST 2020 Nick Samson - 0.116-3 -- Added %%license line automatically +* Thu Jun 03 2021 Andrew Phelps - 0.116-5 +- Enable check tests (with exception of unsupported "polkitbackend" tests) + +* Thu Jun 03 2021 Jon Slobodzian - 0.116-4 +- Patch for CVE 2021-3560. Fix changelog formatting. + +* Sat May 09 2020 Nick Samson - 0.116-3 +- Added %%license line automatically * Tue Apr 28 2020 Emre Girgin 0.116-2 - Renaming Linux-PAM to pam + * Thu Apr 16 2020 Nicolas Ontiveros 0.116-1 - Update to version 0.116. - License verified. - Use mozjs60 instead of js for requires and BR. + * Tue Sep 03 2019 Mateusz Malisz 0.113-5 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Jan 10 2019 Dweep Advani 0.113-4 - Fix for CVE-2018-19788 + * Thu Dec 07 2017 Alexey Makhalov 0.113-3 - Added pre and postun requires for shadow tools + * Thu Oct 05 2017 Vinay Kulkarni 0.113-2 - Enable PAM and systemd. + * Wed Oct 04 2017 Dheeraj Shetty 0.113-1 - Upgrade to 0.113-1 + * Fri May 22 2015 Alexey Makhalov 0.112-1 - initial version diff --git a/SPECS/popt/popt.spec b/SPECS/popt/popt.spec index 4cf17c7abf..b1b42b6f43 100644 --- a/SPECS/popt/popt.spec +++ b/SPECS/popt/popt.spec @@ -60,7 +60,7 @@ make %{?_smp_mflags} check %defattr(-,root,root) %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 1.16-7 +* Sat May 09 2020 Nick Samson - 1.16-7 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.16-6 diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json index 180e9d48e1..5dc58412ec 100644 --- a/SPECS/postgresql/postgresql.signatures.json +++ b/SPECS/postgresql/postgresql.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "postgresql-12.6.tar.bz2": "df7dd98d5ccaf1f693c7e1d0d084e9fed7017ee248bba5be0167c42ad2d70a09" + "postgresql-12.7.tar.bz2": "8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995" } } \ No newline at end of file diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec index 4c80a4e331..a376701071 100644 --- a/SPECS/postgresql/postgresql.spec +++ b/SPECS/postgresql/postgresql.spec @@ -1,6 +1,6 @@ Summary: PostgreSQL database engine Name: postgresql -Version: 12.6 +Version: 12.7 Release: 1%{?dist} License: PostgreSQL Vendor: Microsoft Corporation @@ -169,6 +169,9 @@ rm -rf %{buildroot}/* %{_libdir}/libpgtypes.a %changelog +* Fri Jun 11 2021 Henry Beberman - 12.7-1 +- Update to version 12.7 to resolve CVE-2021-32027. + * Tue Mar 02 2021 Neha Agarwal - 12.6-1 - Update package version to resolve CVE-2021-20229 and CVE-2021-3393. diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index a3ec9d6ddb..d0ee15bc6e 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec @@ -2,7 +2,7 @@ Summary: Prebuilt version of ca-certificates-base package. Name: prebuilt-ca-certificates-base Version: 20200720 -Release: 13%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -47,6 +47,12 @@ rm %{buildroot}%{_sysconfdir}/pki/rpm-gpg/* %{_datadir}/pki/ca-trust-legacy/* %changelog +* Wed Jul 07 2021 CBL-Mariner Service Account - 20200720-15 +- Making 'Release' match with 'ca-certificates'. + +* Thu Jun 03 2021 CBL-Mariner Service Account - 20200720-14 +- Making 'Release' match with 'ca-certificates'. + * Fri Mar 12 2021 CBL-Mariner Servicing Account - 20200720-13 - Making 'Release' match with 'ca-certificates'. 
diff --git a/SPECS/procps-ng/procps-ng.spec b/SPECS/procps-ng/procps-ng.spec
index d016f679d1..1b5a984617 100644
--- a/SPECS/procps-ng/procps-ng.spec
+++ b/SPECS/procps-ng/procps-ng.spec
@@ -105,33 +105,46 @@ make %{?_smp_mflags} check * Fri Feb 05 2021 Joe Schmitt - 3.3.15-5 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Mon Sep 28 2020 Ruying Chen 3.3.15-4 -- Provide procps and /bin/ps -* Sat May 09 2020 Nick Samson 3.3.15-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 3.3.15-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Aug 10 2018 Tapas Kundu 3.3.15-1 -- Upgrade version to 3.3.15. -- Fix for CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 -- Fix for CVE-2018-1126 -* Mon Oct 02 2017 Alexey Makhalov 3.3.12-3 -- Added conflicts toybox -* Tue May 02 2017 Anish Swaminathan 3.3.12-2 -- Add lang package. -* Mon Apr 03 2017 Rongrong Qiu 3.3.12-1 -- Upgrade to 3.3.12 -* Wed Dec 07 2016 Xiaolin Li 3.3.11-5 -- Moved man3 to devel subpackage. -* Mon Oct 03 2016 ChangLee 3.3.11-4 -- Modified %check -* Tue Jun 21 2016 Divya Thaluru 3.3.11-3 -- Added patch to interpret ASCII sequence correctly -* Tue May 24 2016 Priyesh Padmavilasom 3.3.11-2 -- GA - Bump release of all rpms -* Thu Jan 21 2016 Anish Swaminathan 3.3.11-1 -- Upgrade version -* Mon May 18 2015 Touseef Liaqat 3.3.9-2 -- Update according to UsrMove. -* Wed Nov 5 2014 Divya Thaluru 3.3.9-1 -- Initial build. First version +* Mon Sep 28 2020 Ruying Chen 3.3.15-4 +- Provide procps and /bin/ps + +* Sat May 09 2020 Nick Samson 3.3.15-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 3.3.15-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Aug 10 2018 Tapas Kundu 3.3.15-1 +- Upgrade version to 3.3.15. +- Fix for CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 +- Fix for CVE-2018-1126 + +* Mon Oct 02 2017 Alexey Makhalov 3.3.12-3 +- Added conflicts toybox + +* Tue May 02 2017 Anish Swaminathan 3.3.12-2 +- Add lang package. + +* Mon Apr 03 2017 Rongrong Qiu 3.3.12-1 +- Upgrade to 3.3.12 + +* Wed Dec 07 2016 Xiaolin Li 3.3.11-5 +- Moved man3 to devel subpackage. 
+ +* Mon Oct 03 2016 ChangLee 3.3.11-4 +- Modified %check + +* Tue Jun 21 2016 Divya Thaluru 3.3.11-3 +- Added patch to interpret ASCII sequence correctly + +* Tue May 24 2016 Priyesh Padmavilasom 3.3.11-2 +- GA - Bump release of all rpms + +* Thu Jan 21 2016 Anish Swaminathan 3.3.11-1 +- Upgrade version + +* Mon May 18 2015 Touseef Liaqat 3.3.9-2 +- Update according to UsrMove. + +* Wed Nov 5 2014 Divya Thaluru 3.3.9-1 +- Initial build. First version diff --git a/SPECS/psmisc/psmisc.spec b/SPECS/psmisc/psmisc.spec index e7634076f4..510e01ff2d 100644 --- a/SPECS/psmisc/psmisc.spec +++ b/SPECS/psmisc/psmisc.spec @@ -37,7 +37,7 @@ make %{?_smp_mflags} check %{_bindir}/* %{_mandir}/*/* %changelog -* Sat May 09 00:20:46 PST 2020 Nick Samson - 23.2-4 +* Sat May 09 2020 Nick Samson - 23.2-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 23.2-3 diff --git a/SPECS/pth/pth.spec b/SPECS/pth/pth.spec index d712678b05..e67bc4e424 100644 --- a/SPECS/pth/pth.spec +++ b/SPECS/pth/pth.spec @@ -59,7 +59,7 @@ make %{?_smp_mflags} -k check %{_datadir}/aclocal/* %changelog -* Sat May 09 00:20:43 PST 2020 Nick Samson - 2.0.7-4 +* Sat May 09 2020 Nick Samson - 2.0.7-4 - Added %%license line automatically * Mon Apr 27 2020 Nick Samson 2.0.7-3 diff --git a/SPECS/pyOpenSSL/pyOpenSSL.spec b/SPECS/pyOpenSSL/pyOpenSSL.spec index 9c5fd7b494..6bd04f83b4 100644 --- a/SPECS/pyOpenSSL/pyOpenSSL.spec +++ b/SPECS/pyOpenSSL/pyOpenSSL.spec @@ -112,7 +112,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:13 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 18.0.0-5 diff --git a/SPECS/pyasn1-modules/pyasn1-modules.spec b/SPECS/pyasn1-modules/pyasn1-modules.spec index acb0cc8d50..2f40814174 100644 --- a/SPECS/pyasn1-modules/pyasn1-modules.spec +++ b/SPECS/pyasn1-modules/pyasn1-modules.spec 
@@ -93,7 +93,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:32 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 0.2.2-4 diff --git a/SPECS/pyelftools/pyelftools.signatures.json b/SPECS/pyelftools/pyelftools.signatures.json new file mode 100644 index 0000000000..5f1b1dbe3a --- /dev/null +++ b/SPECS/pyelftools/pyelftools.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "pyelftools-0.27.tar.gz": "2958edd7c32909f1d541b8122797fee903db700d02d168b2789aa6b667fc4a30" + } +} \ No newline at end of file diff --git a/SPECS/pyelftools/pyelftools.spec b/SPECS/pyelftools/pyelftools.spec new file mode 100644 index 0000000000..c87f138ab7 --- /dev/null +++ b/SPECS/pyelftools/pyelftools.spec 
@@ -0,0 +1,195 @@ +%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} +%{!?python3_version: %define python3_version %(python3 -c "import sys; sys.stdout.write(sys.version[:3])")} +# main package is archful to run tests everywhere but produces noarch packages +%global debug_package %{nil} + +Name: pyelftools +Version: 0.27 +Release: 3%{?dist} +Summary: Pure-Python library for parsing and analyzing ELF files +License: Public Domain AND MIT +Group: Development/Languages/Python +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/eliben/pyelftools +Source0: https://github.com/eliben/pyelftools/archive/v%{version}/%{name}-%{version}.tar.gz +%global _description \ +Pure-Python library for parsing and analyzing ELF files\ +and DWARF debugging information. +%description %_description + +%package -n python3-%{name} +Summary: %{summary} +# https://github.com/eliben/pyelftools/issues/180 +Provides: bundled(python3-construct) = 2.6 +BuildRequires: binutils +BuildRequires: python3 +BuildRequires: python3-libs +BuildRequires: python3-devel +BuildRequires: python3-setuptools +Requires: python3 +Requires: python3-libs +BuildArch: noarch +%{?python_provide:%python_provide python3-%{name}} +%description -n python3-%{name} %_description + +%prep +%setup -q +%ifnarch x86_64 +rm test/external_tools/readelf +%endif + +%build +python3 setup.py build + +%install +python3 setup.py install --prefix=%{_prefix} --root=%{buildroot} +pushd %{buildroot}%{_bindir} +mv readelf.py pyreadelf-%{python3_version} +ln -s pyreadelf-%{python3_version} pyreadelf-3 +ln -s pyreadelf-3 pyreadelf +popd + +%check +python3 test/run_all_unittests.py +python3 test/run_examples_test.py +# tests may fail because of differences in output-formatting +# from binutils' readelf. 
See: +# https://github.com/eliben/pyelftools/wiki/Hacking-guide#tests +python3 test/run_readelf_tests.py || : + +%files -n python3-%{name} +%license LICENSE +%doc CHANGES +%{_bindir}/pyreadelf +%{_bindir}/pyreadelf-%{python3_version} +%{_bindir}/pyreadelf-3 +%{python3_sitelib}/elftools +%{python3_sitelib}/pyelftools-*.egg-info + +%changelog +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 0.27-3 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Wed Jan 27 2021 Fedora Release Engineering - 0.27-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Oct 30 2020 Dominik Mierzejewski - 0.27-1 +- update to 0.27 (#1891845) +- run readelf tests on all arches + +* Tue Jul 28 2020 Fedora Release Engineering - 0.26-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 26 2020 Miro HronÄok - 0.26-3 +- Rebuilt for Python 3.9 + +* Thu Jan 30 2020 Fedora Release Engineering - 0.26-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Dec 17 2019 Dominik Mierzejewski - 0.26-1 +- update to 0.26 (#1780153) +- make main package archful to run tests on all arches + (pythonN-pyelftools subpackages are still noarch) +- run readelf tests on x86_64 only for now +- rename binaries to conform to Python packaging guidelines +- enable python3 subpackage for EPEL7 +- declare bundled old construct module instead of needlessly requiring it + +* Thu Oct 03 2019 Miro HronÄok - 0.25-5 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro HronÄok - 0.25-4 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 0.25-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 11 2019 Terje Rosten - 0.25-2 +- Still support Python 2 on Fedora 31 + +* Sun May 05 2019 Terje Rosten - 0.25-1 +- 0.25 +- Use bundled construct as construct 2.9 is incompatible +- Drop Python 2 stuff on el8 and Python 31 or newer + +* Sat Feb 02 2019 Fedora 
Release Engineering - 0.24-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.24-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro HronÄok - 0.24-2 +- Rebuilt for Python 3.7 + +* Sun Jun 17 2018 Terje Rosten - 0.24-1 +- 0.24 +- some clean up +- remove naked provide for Fedora 29 and later +- switch to Python 3 for pyreadelf for Fedora 29 and later + +* Wed Feb 21 2018 Iryna Shcherbina - 0.22-0.16.git20130619.a1d9681 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 0.22-0.15.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Aug 19 2017 Zbigniew JÄ™drzejewski-Szmek - 0.22-0.14.git20130619.a1d9681 +- Python 2 binary package renamed to python2-pyelftools + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Aug 03 2017 Fedora Release Engineering - 0.22-0.13.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.22-0.12.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.22-0.11.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro HronÄok - 0.22-0.10.git20130619.a1d9681 +- Rebuild for Python 3.6 + +* Tue Jul 19 2016 Fedora Release Engineering - 0.22-0.9.git20130619.a1d9681 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Feb 04 2016 Fedora Release Engineering - 0.22-0.8.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering - 0.22-0.7.git20130619.a1d9681 +- Rebuilt for 
https://fedoraproject.org/wiki/Changes/python3.5 + +* Thu Jun 18 2015 Fedora Release Engineering - 0.22-0.6.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 0.22-0.5.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.22-0.4.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue May 27 2014 Kalev Lember - 0.22-0.3.git20130619.a1d9681 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Wed Oct 02 2013 Björn Esser - 0.22-0.2.git20130619.a1d9681 +- adaptions for new Python-guidelines + +* Fri Aug 16 2013 Björn Esser - 0.22-0.1.git20130619.a1d9681 +- update to latest pre-release git snapshot +- add python3-package +- build on all arches to get some conclusion from testsuite, + but create noarch pkgs + +* Sat Jun 08 2013 Terje Rosten - 0.21-2 +- Remove bundled construct lib + +* Thu May 09 2013 Terje Rosten - 0.21-1 +- 0.21 +- Run test +- Updated source url +- Drop defattr + +* Wed Jun 06 2012 Kushal Das 0.20-1 +- Intial package (#829676) diff --git a/SPECS/pytest/pytest.spec b/SPECS/pytest/pytest.spec index f7098e5715..3d1bda322a 100644 --- a/SPECS/pytest/pytest.spec +++ b/SPECS/pytest/pytest.spec 
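Review bot: In `%prep` of the new pyelftools.spec, `rm test/external_tools/readelf` sits inside `%ifnarch x86_64`, so on x86_64 the file is kept; it looks like a prebuilt binary shipped in the upstream tarball that `run_readelf_tests.py` would execute in the build environment, while `%check` discards that run's result with `|| :`. Since `binutils` is already a `BuildRequires`, dropping the `%ifnarch x86_64`/`%endif` pair so the `rm` always runs would avoid executing a binary that was not built from source here; whether the test script then falls back to the system `readelf` should be confirmed. If the readelf run stays non-gating, echoing a message on failure instead of the bare `|| :` would at least leave a trace in the build log.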
@@ -106,30 +106,30 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} * Tue Jan 05 2021 Ruying Chen - 3.8.2-7 - Disable auto dependency generator. -* Sat May 09 00:21:35 PST 2020 Nick Samson - 3.8.2-6 +* Sat May 09 2020 Nick Samson - 3.8.2-6 - Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 3.8.2-5 -- Renaming python-pytest to pytest +* Thu Apr 30 2020 Emre Girgin 3.8.2-5 +- Renaming python-pytest to pytest -* Tue Apr 28 2020 Emre Girgin 3.8.2-4 -- Renaming python-Twisted to python-twisted +* Tue Apr 28 2020 Emre Girgin 3.8.2-4 +- Renaming python-Twisted to python-twisted -* Mon Apr 20 2020 Eric Li 3.8.2-3 -- Update Source0:, add #Source0, and delete sha1. License verified. +* Mon Apr 20 2020 Eric Li 3.8.2-3 +- Update Source0:, add #Source0, and delete sha1. License verified. -* Tue Sep 03 2019 Mateusz Malisz 3.8.2-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 3.8.2-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Oct 09 2018 Tapas Kundu 3.8.2-1 -- Updated to release 3.8.2 -- Removed buildrequires from subpackage. +* Tue Oct 09 2018 Tapas Kundu 3.8.2-1 +- Updated to release 3.8.2 +- Removed buildrequires from subpackage. -* Wed Jun 07 2017 Xiaolin Li 3.0.7-3 -- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. +* Wed Jun 07 2017 Xiaolin Li 3.0.7-3 +- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. -* Thu Jun 01 2017 Dheeraj Shetty 3.0.7-2 -- Use python2 instead of python and rename the scripts in bin directory +* Thu Jun 01 2017 Dheeraj Shetty 3.0.7-2 +- Use python2 instead of python and rename the scripts in bin directory -* Tue Apr 25 2017 Dheeraj Shetty 3.0.7-1 -- Initial +* Tue Apr 25 2017 Dheeraj Shetty 3.0.7-1 +- Initial diff --git a/SPECS/python-attrs/python-attrs.spec b/SPECS/python-attrs/python-attrs.spec index 573344382b..62f59fbc22 100644 --- a/SPECS/python-attrs/python-attrs.spec 
+++ b/SPECS/python-attrs/python-attrs.spec @@ -82,7 +82,7 @@ LANG=en_US.UTF-8 tox -e py37 - Use tox to run tests. * Wed Jul 08 2020 Henry Beberman 18.2.0-6 - Fix typo in BuildRequires for python3-zope-interface -* Sat May 09 00:20:45 PST 2020 Nick Samson 18.2.0-5 +* Sat May 09 2020 Nick Samson 18.2.0-5 - Added %%license line automatically * Fri Apr 24 2020 Nick Samson 18.2.0-4 - Updated Source0, license verified. Removed %%define sha1 diff --git a/SPECS/python-boto3/python-boto3.spec b/SPECS/python-boto3/python-boto3.spec index 71cf127f8d..fbfdad7855 100644 --- a/SPECS/python-boto3/python-boto3.spec +++ b/SPECS/python-boto3/python-boto3.spec @@ -79,7 +79,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:11 PST 2020 Nick Samson - 1.10.21-2 +* Sat May 09 2020 Nick Samson - 1.10.21-2 - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 1.10.21-1 diff --git a/SPECS/python-botocore/python-botocore.spec b/SPECS/python-botocore/python-botocore.spec index b31b68750b..165812f47d 100644 --- a/SPECS/python-botocore/python-botocore.spec +++ b/SPECS/python-botocore/python-botocore.spec @@ -84,7 +84,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:35 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 1.13.21-1 diff --git a/SPECS/python-cachetools/python-cachetools.spec b/SPECS/python-cachetools/python-cachetools.spec index fd24a9303e..bcec3084be 100644 --- a/SPECS/python-cachetools/python-cachetools.spec +++ b/SPECS/python-cachetools/python-cachetools.spec @@ -7,7 +7,7 @@ Version: 4.1.1 Release: 1%{?dist} License: MIT URL: https://github.com/tkem/cachetools -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.python.org/packages/source/c/%{pkgname}/%{pkgname}-%{version}.tar.gz 
@@ -44,4 +44,5 @@ python3 setup.py install --skip-build --root=%{buildroot} %changelog * Fri Aug 21 2020 Thomas Crain - 1.20.1-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-certifi/python-certifi.spec b/SPECS/python-certifi/python-certifi.spec index 623957e12a..ceafb187cb 100644 --- a/SPECS/python-certifi/python-certifi.spec +++ b/SPECS/python-certifi/python-certifi.spec @@ -67,7 +67,7 @@ python3 setup.py test %changelog * Tue Oct 20 2020 Andrew Phelps 2018.10.15-5 - Fix check test -* Sat May 09 00:20:57 PST 2020 Nick Samson 2018.10.15-4 +* Sat May 09 2020 Nick Samson 2018.10.15-4 - Added %%license line automatically * Wed May 06 2020 Pawel Winogrodzki 2018.10.15-3 - Removing *Requires for "ca-certificates". diff --git a/SPECS/python-chardet/python-chardet.spec b/SPECS/python-chardet/python-chardet.spec index 8a1b8e14dd..cc21599495 100644 --- a/SPECS/python-chardet/python-chardet.spec +++ b/SPECS/python-chardet/python-chardet.spec @@ -72,7 +72,7 @@ python3 setup.py install --prefix=%{_prefix} --root=%{buildroot} %{_bindir}/chardetect %changelog -* Sat May 09 00:21:23 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 3.0.4-4 diff --git a/SPECS/python-cherrypy/python-cherrypy.spec b/SPECS/python-cherrypy/python-cherrypy.spec index 6d7d9f34a1..2b6bf15e2a 100644 --- a/SPECS/python-cherrypy/python-cherrypy.spec +++ b/SPECS/python-cherrypy/python-cherrypy.spec @@ -63,4 +63,5 @@ tox %changelog * Fri Aug 21 2020 Thomas Crain 1.4.0-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-constantly/python-constantly.spec b/SPECS/python-constantly/python-constantly.spec index 8671c30143..86ffcf1bfe 100644 --- a/SPECS/python-constantly/python-constantly.spec +++ b/SPECS/python-constantly/python-constantly.spec 
@@ -73,7 +73,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:41 PST 2020 Nick Samson - 15.1.0-5 +* Sat May 09 2020 Nick Samson - 15.1.0-5 - Added %%license line automatically * Wed Apr 09 2020 Pawel Winogrodzki 15.1.0-4 diff --git a/SPECS/python-coverage/python-coverage.spec b/SPECS/python-coverage/python-coverage.spec index 7b735ff12d..07d0168f45 100644 --- a/SPECS/python-coverage/python-coverage.spec +++ b/SPECS/python-coverage/python-coverage.spec @@ -88,7 +88,7 @@ popd %{_bindir}/coverage-%{python3_version} %changelog -* Sat May 09 00:21:28 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 4.5.1-3 diff --git a/SPECS/python-cryptography/python-cryptography.spec b/SPECS/python-cryptography/python-cryptography.spec index 384e1c2dd4..148be9314b 100644 --- a/SPECS/python-cryptography/python-cryptography.spec +++ b/SPECS/python-cryptography/python-cryptography.spec @@ -105,7 +105,7 @@ python3 setup.py test * Wed Jan 20 2021 Henry Beberman 2.3.1-4 - Patch CVE-2020-25659 - License verified -* Sat May 09 00:20:51 PST 2020 Nick Samson 2.3.1-3 +* Sat May 09 2020 Nick Samson 2.3.1-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.3.1-2 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/python-daemon/python-daemon.spec b/SPECS/python-daemon/python-daemon.spec index 636b74a583..0db1212da8 100644 --- a/SPECS/python-daemon/python-daemon.spec +++ b/SPECS/python-daemon/python-daemon.spec @@ -86,7 +86,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:37 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.2.0-3 diff --git a/SPECS/python-dateutil/python-dateutil.spec b/SPECS/python-dateutil/python-dateutil.spec index 2635223107..a0839dca73 100644 --- a/SPECS/python-dateutil/python-dateutil.spec +++ b/SPECS/python-dateutil/python-dateutil.spec 
@@ -75,7 +75,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:42 PST 2020 Nick Samson - 2.7.3-4 +* Sat May 09 2020 Nick Samson - 2.7.3-4 - Added %%license line automatically * Thu Apr 23 2020 Pawel Winogrodzki 2.7.3-3 diff --git a/SPECS/python-defusedxml/python-defusedxml.spec b/SPECS/python-defusedxml/python-defusedxml.spec index b54d4e2757..5a72125a07 100644 --- a/SPECS/python-defusedxml/python-defusedxml.spec +++ b/SPECS/python-defusedxml/python-defusedxml.spec @@ -80,7 +80,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:56 PST 2020 Nick Samson - 0.6.0-2 +* Sat May 09 2020 Nick Samson - 0.6.0-2 - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 0.6.0-1 diff --git a/SPECS/python-docopt/python-docopt.spec b/SPECS/python-docopt/python-docopt.spec index 15b3842a4b..3e5b3f2acb 100644 --- a/SPECS/python-docopt/python-docopt.spec +++ b/SPECS/python-docopt/python-docopt.spec @@ -73,7 +73,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:40 PST 2020 Nick Samson - 0.6.2-5 +* Sat May 09 2020 Nick Samson - 0.6.2-5 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 0.6.2-4 diff --git a/SPECS/python-docutils/python-docutils.spec b/SPECS/python-docutils/python-docutils.spec index 17c7b6fe4a..0c91899408 100644 --- a/SPECS/python-docutils/python-docutils.spec +++ b/SPECS/python-docutils/python-docutils.spec @@ -5,7 +5,7 @@ Summary: Docutils -- Python Documentation Utilities. Name: python-docutils Version: 0.14 Release: 4%{?dist} -License: Public Domain, Python, BSD, GPLv3 +License: Public Domain, PSF-2.0, BSD, GPLv3 Group: Development/Languages/Python Vendor: Microsoft Corporation Distribution: Mariner 
@@ -137,12 +137,13 @@ popd %changelog * Fri Aug 21 2020 Thomas Crain - 0.14-4 - Follow the Fedora convention of providing a suffix-less binary name +- License verified -* Sat May 09 00:21:15 PST 2020 Nick Samson - 0.14-3 +* Sat May 09 2020 Nick Samson - 0.14-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.14-2 -- Initial import from Photon (license: dual Apache2/GPL2). +- Initial CBL-Mariner import from Photon (license: Apache2). * Sun Sep 09 2018 Tapas Kundu 0.14-1 - Update to version 0.14 diff --git a/SPECS/python-ecdsa/python-ecdsa.spec b/SPECS/python-ecdsa/python-ecdsa.spec index e9474a7580..96c3d74f4d 100644 --- a/SPECS/python-ecdsa/python-ecdsa.spec +++ b/SPECS/python-ecdsa/python-ecdsa.spec @@ -75,7 +75,7 @@ rm -rf %{buildroot} - Add openssl to BR - Disable OpenSSL NIST192 tests since OpenSSL no longer supports NIST192 EC. -* Sat May 09 00:21:04 PST 2020 Nick Samson - 0.13.3-3 +* Sat May 09 2020 Nick Samson - 0.13.3-3 - Added %%license line automatically * Tue Apr 28 2020 Emre Girgin 0.13.3-2 diff --git a/SPECS/python-enum34/python-enum34.spec b/SPECS/python-enum34/python-enum34.spec index 794bcfdecd..6dd71214cd 100644 --- a/SPECS/python-enum34/python-enum34.spec +++ b/SPECS/python-enum34/python-enum34.spec @@ -45,7 +45,7 @@ PYTHONPATH=%{buildroot}%{python_sitelib} \ %{python2_sitelib}/* %changelog -* Sat May 09 00:20:57 PST 2020 Nick Samson - 1.1.6-4 +* Sat May 09 2020 Nick Samson - 1.1.6-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.1.6-3 diff --git a/SPECS/python-execnet/python-execnet.spec b/SPECS/python-execnet/python-execnet.spec index c862670ff7..2ab4ac9c2d 100644 --- a/SPECS/python-execnet/python-execnet.spec +++ b/SPECS/python-execnet/python-execnet.spec 
@@ -6,10 +6,10 @@ Summary: Python execution distributor Name: python-%{pkgname} Version: 1.7.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://codespeak.net/execnet/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.io/packages/source/e/%{pkgname}/%{pkgname}-%{version}.tar.gz @@ -56,7 +56,7 @@ python3 setup.py install --root=%{buildroot} %if %{with check} %check pip3 install tox -tox +LANG=en_US.UTF-8 tox -e py37 %endif %files -n python3-%{pkgname} @@ -65,5 +65,9 @@ tox %{python3_sitelib}/* %changelog -* Fri Aug 21 2020 Thomas Crain 0.3.5-1 -- Original CBL-Mariner version +* Tue Jun 08 2021 Andrew Phelps 1.7.1-2 +- Fix check tests + +* Fri Aug 21 2020 Thomas Crain 1.7.1-1 +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-futures/python-futures.spec b/SPECS/python-futures/python-futures.spec index 085f9e39c0..4ce824f6fb 100644 --- a/SPECS/python-futures/python-futures.spec +++ b/SPECS/python-futures/python-futures.spec @@ -37,7 +37,7 @@ easy_install py %{python2_sitelib}/* %changelog -* Sat May 09 00:21:20 PST 2020 Nick Samson - 3.2.0-4 +* Sat May 09 2020 Nick Samson - 3.2.0-4 - Added %%license line automatically * Mon Apr 27 2020 Nick Samson 3.2.0-3 diff --git a/SPECS/python-gevent/python-gevent.spec b/SPECS/python-gevent/python-gevent.spec index f14572c592..450193012c 100644 --- a/SPECS/python-gevent/python-gevent.spec +++ b/SPECS/python-gevent/python-gevent.spec 
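Review bot: The python-execnet `%check` still runs `pip3 install tox` with no version, so every build with tests enabled installs whatever tox and transitive dependencies PyPI serves at that moment, and the new `LANG=en_US.UTF-8 tox -e py37` line presumably lets tox fetch the test requirements the same way. That makes the check result non-reproducible and executes unreviewed third-party code inside the build environment. At minimum pin the tool as the python-pecan hunk in this commit does (`pip3 install tox==3.4.0`); better, satisfy test dependencies through `BuildRequires` on packaged modules, or install from a hash-checked requirements file with `pip3 install --require-hashes -r <requirements file>`. The python-jwt `%check` in this commit has the same network install, and the version-only pin in python-pecan still carries no hash.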
@@ -101,25 +101,34 @@ popd * Sat May 09 2020 Nick Samson - 1.3.6-5 - Added %%license line automatically -* Thu Apr 09 2020 Joe Schmitt 1.3.6-4 -- Update Source0 with valid URL. -- Remove sha1 macro. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.3.6-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Jan 14 2019 Tapas Kundu 1.3.6-2 -- Fix make check -* Wed Sep 12 2018 Tapas Kundu 1.3.6-1 -- Updated to version 1.3.6 -* Wed Sep 20 2017 Bo Gan 1.2.1-6 -- Fix build and make check issues -* Wed Sep 13 2017 Rongrong Qiu 1.2.1-5 -- Update make check for bug 1900401 -* Wed Jun 07 2017 Xiaolin Li 1.2.1-4 -- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. -* Thu Jun 01 2017 Dheeraj Shetty 1.2.1-3 -- Removed erroneous line -* Tue May 16 2017 Rongrong Qiu 1.2.1-2 -- Add requires python-greenlet and python3-greenlet -* Thu Mar 02 2017 Xiaolin Li 1.2.1-1 -- Initial packaging for Photon +* Thu Apr 09 2020 Joe Schmitt 1.3.6-4 +- Update Source0 with valid URL. +- Remove sha1 macro. +- License verified. + +* Tue Sep 03 2019 Mateusz Malisz 1.3.6-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Jan 14 2019 Tapas Kundu 1.3.6-2 +- Fix make check + +* Wed Sep 12 2018 Tapas Kundu 1.3.6-1 +- Updated to version 1.3.6 + +* Wed Sep 20 2017 Bo Gan 1.2.1-6 +- Fix build and make check issues + +* Wed Sep 13 2017 Rongrong Qiu 1.2.1-5 +- Update make check for bug 1900401 + +* Wed Jun 07 2017 Xiaolin Li 1.2.1-4 +- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. + +* Thu Jun 01 2017 Dheeraj Shetty 1.2.1-3 +- Removed erroneous line + +* Tue May 16 2017 Rongrong Qiu 1.2.1-2 +- Add requires python-greenlet and python3-greenlet + +* Thu Mar 02 2017 Xiaolin Li 1.2.1-1 +- Initial packaging for Photon diff --git a/SPECS/python-google-auth/python-google-auth.spec b/SPECS/python-google-auth/python-google-auth.spec index 4e49b2b779..34140d63e3 100644 
--- a/SPECS/python-google-auth/python-google-auth.spec +++ b/SPECS/python-google-auth/python-google-auth.spec @@ -7,7 +7,7 @@ Release: 1%{?dist} Summary: Google Auth Python Library License: ASL 2.0 URL: https://github.com/googleapis/google-auth-library-python -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.python.org/packages/source/g/%{library}/%{library}-%{version}.tar.gz @@ -54,6 +54,7 @@ python3 setup.py install --skip-build --root=%{buildroot} %changelog * Fri Aug 21 2020 Thomas Crain - 1.20.1-1 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Wed Jul 29 2020 Jason Montleon - 1:1.20.0-1 - Update to 1.20.0 (#1858426) diff --git a/SPECS/python-greenlet/python-greenlet.spec b/SPECS/python-greenlet/python-greenlet.spec index 1c70c9eb2a..9df54b04cf 100644 --- a/SPECS/python-greenlet/python-greenlet.spec +++ b/SPECS/python-greenlet/python-greenlet.spec @@ -65,7 +65,7 @@ python2 setup.py test /usr/include/python3.7m/greenlet/greenlet.h %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 0.4.15-5 +* Sat May 09 2020 Nick Samson - 0.4.15-5 - Added %%license line automatically * Tue Apr 14 2020 Nick Samson 0.4.15-4 diff --git a/SPECS/python-hyperlink/python-hyperlink.spec b/SPECS/python-hyperlink/python-hyperlink.spec index 4338809fd3..dec1879d90 100644 --- a/SPECS/python-hyperlink/python-hyperlink.spec +++ b/SPECS/python-hyperlink/python-hyperlink.spec @@ -83,7 +83,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:33 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 19.0.0-1 diff --git a/SPECS/python-hypothesis/python-hypothesis.spec b/SPECS/python-hypothesis/python-hypothesis.spec index eccf0355dc..b7d710d006 100644 --- a/SPECS/python-hypothesis/python-hypothesis.spec +++ b/SPECS/python-hypothesis/python-hypothesis.spec 
@@ -72,7 +72,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{python3_sitelib}/* %changelog -* Sat May 09 00:20:36 PST 2020 Nick Samson - 3.71.0-4 +* Sat May 09 2020 Nick Samson - 3.71.0-4 - Added %%license line automatically * Mon Apr 13 2020 Jon Slobodizan 3.71.0-3 diff --git a/SPECS/python-idna/python-idna.spec b/SPECS/python-idna/python-idna.spec index aea0553138..6438e06035 100644 --- a/SPECS/python-idna/python-idna.spec +++ b/SPECS/python-idna/python-idna.spec @@ -78,7 +78,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:03 PST 2020 Nick Samson - 2.7-4 +* Sat May 09 2020 Nick Samson - 2.7-4 - Added %%license line automatically * Thu Apr 09 2020 Joe Schmitt 2.7-3 diff --git a/SPECS/python-incremental/python-incremental.spec b/SPECS/python-incremental/python-incremental.spec index f5da5003ff..a08b150c46 100644 --- a/SPECS/python-incremental/python-incremental.spec +++ b/SPECS/python-incremental/python-incremental.spec @@ -63,7 +63,7 @@ python3 setup.py test %{python3_sitelib}/* %changelog -* Sat May 09 00:21:31 PST 2020 Nick Samson - 17.5.0-4 +* Sat May 09 2020 Nick Samson - 17.5.0-4 - Added %%license line automatically * Fri Apr 24 2020 Andrew Phelps 17.5.0-3 diff --git a/SPECS/python-iniparse/python-iniparse.spec b/SPECS/python-iniparse/python-iniparse.spec index 99163cacb9..00d0636708 100644 --- a/SPECS/python-iniparse/python-iniparse.spec +++ b/SPECS/python-iniparse/python-iniparse.spec @@ -87,7 +87,7 @@ popd %changelog -* Sat May 09 00:20:46 PST 2020 Nick Samson - 0.4-9 +* Sat May 09 2020 Nick Samson - 0.4-9 - Added %%license line automatically * Tue Apr 14 2020 Nick Samson 0.4-8 diff --git a/SPECS/python-ipaddress/python-ipaddress.spec b/SPECS/python-ipaddress/python-ipaddress.spec index 7f59cf9888..0724dae886 100644 --- a/SPECS/python-ipaddress/python-ipaddress.spec +++ b/SPECS/python-ipaddress/python-ipaddress.spec 
@@ -41,7 +41,7 @@ python2 setup.py test %{python2_sitelib}/* %changelog -* Sat May 09 00:21:32 PST 2020 Nick Samson - 1.0.22-5 +* Sat May 09 2020 Nick Samson - 1.0.22-5 - Added %%license line automatically * Fri Apr 24 2020 Andrew Phelps 1.0.22-4 diff --git a/SPECS/python-jmespath/python-jmespath.spec b/SPECS/python-jmespath/python-jmespath.spec index 9b9d404ec0..044d416983 100644 --- a/SPECS/python-jmespath/python-jmespath.spec +++ b/SPECS/python-jmespath/python-jmespath.spec @@ -83,7 +83,7 @@ popd %{_bindir}/jp.py-%{python3_version} %changelog -* Sat May 09 00:21:44 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.9.3-3 diff --git a/SPECS/python-jsonpatch/python-jsonpatch.spec b/SPECS/python-jsonpatch/python-jsonpatch.spec index f84443510a..27e63f497b 100644 --- a/SPECS/python-jsonpatch/python-jsonpatch.spec +++ b/SPECS/python-jsonpatch/python-jsonpatch.spec @@ -70,7 +70,7 @@ popd %{_bindir}/jsonpatch3 %changelog -* Sat May 09 00:20:54 PST 2020 Nick Samson - 1.23-4 +* Sat May 09 2020 Nick Samson - 1.23-4 - Added %%license line automatically * Tue Apr 21 2020 Eric Li 1.23-3 diff --git a/SPECS/python-jsonschema/python-jsonschema.spec b/SPECS/python-jsonschema/python-jsonschema.spec index fb184e4dab..8a89f3434f 100644 --- a/SPECS/python-jsonschema/python-jsonschema.spec +++ b/SPECS/python-jsonschema/python-jsonschema.spec @@ -70,7 +70,7 @@ popd %{_bindir}/jsonschema3 %changelog -* Sat May 09 00:20:37 PST 2020 Nick Samson - 2.6.0-5 +* Sat May 09 2020 Nick Samson - 2.6.0-5 - Added %%license line automatically * Wed May 06 2020 Paul Monson 2.6.0-4 - Restore python-vcversioner to enable build without internet access. diff --git a/SPECS/python-jwt/python-jwt.spec b/SPECS/python-jwt/python-jwt.spec index 1b5eae790d..313a03ed94 100644 --- a/SPECS/python-jwt/python-jwt.spec +++ b/SPECS/python-jwt/python-jwt.spec 
@@ -1,3 +1,4 @@ +%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} # what it's called on pypi %global srcname PyJWT # what it's imported as @@ -6,9 +7,9 @@ %global eggname %{srcname} # package name fragment %global pkgname %{libname} +%global python3_version 3.7 %bcond_without python3 -%bcond_with python2 %global common_description %{expand: A Python implementation of JSON Web Token draft 01. This library provides a @@ -18,7 +19,7 @@ encrypted JSON objects.} Name: python-%{pkgname} Version: 1.7.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: JSON Web Token implementation in Python License: MIT Vendor: Microsoft Corporation 
@@ -27,39 +28,23 @@ URL: https://github.com/jpadilla/pyjwt Source0: https://files.pythonhosted.org/packages/2f/38/ff37a24c0243c5f45f5798bd120c0f873eeed073994133c084e1cf13b95c/%{srcname}-%{version}.tar.gz BuildArch: noarch - %description %{common_description} - -%if %{with python2} -%package -n python2-%{pkgname} -Summary: %{summary} -BuildRequires: python2-devel -BuildRequires: python2-setuptools -BuildRequires: python2-cryptography >= 1.4.0 -BuildRequires: python2-pytest -Requires: python2-cryptography >= 1.4.0 -%{?python_provide:%python_provide python2-%{pkgname}} - - -%description -n python2-%{pkgname} %{common_description} -%endif - - %if %{with python3} -%package -n python%{python3_pkgversion}-%{pkgname} +%package -n python3-%{pkgname} Summary: %{summary} -BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-cryptography >= 1.4.0 -BuildRequires: python%{python3_pkgversion}-pytest -Requires: python%{python3_pkgversion}-cryptography >= 1.4.0 -%{?python_provide:%python_provide python%{python3_pkgversion}-%{pkgname}} - - -%description -n python%{python3_pkgversion}-%{pkgname} %{common_description} +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-cryptography >= 1.4.0 +Requires: python3-cryptography >= 1.4.0 +%if %{with_check} +BuildRequires: python3-pip +BuildRequires: python3-atomicwrites %endif +%{?python_provide:%python_provide python3-%{pkgname}} +%description -n python3-%{pkgname} %{common_description} +%endif %prep %autosetup -n %{srcname}-%{version} 
@@ -67,42 +52,32 @@ rm -rf %{eggname}.egg-info # prevent pullng in `addopts` for pytest run later rm setup.cfg - %build -%{?with_python2:%py2_build} -%{?with_python3:%py3_build} - +%{?with_python3:python3 setup.py build} %install -%{?with_python2:%py2_install} -%{?with_python3:%py3_install} - +%{?with_python3:python3 setup.py install --skip-build --root=%{buildroot}} %check -%{?with_python2:PYTHONPATH=%{buildroot}%{python2_sitelib} py.test-%{python2_version} --verbose tests} -%{?with_python3:PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} --verbose tests} - - -%if %{with python2} -%files -n python2-%{pkgname} -%doc README.rst AUTHORS -%license LICENSE -%{python2_sitelib}/%{libname} -%{python2_sitelib}/%{eggname}-%{version}-py%{python2_version}.egg-info -%endif - +pip3 install pluggy>=0.7 more-itertools>=4.0.0 attrs==19.1.0 pytest==4.0.1 +PATH=%{buildroot}%{_bindir}:${PATH} \ +PYTHONPATH=%{buildroot}%{python3_sitelib} \ + python%{python3_version} -m pytest -v %if %{with python3} -%files -n python%{python3_pkgversion}-%{pkgname} +%files -n python3-%{pkgname} %doc README.rst AUTHORS %license LICENSE %{python3_sitelib}/%{libname} %{python3_sitelib}/%{eggname}-%{version}-py%{python3_version}.egg-info +#%{python3_sitelib}/%{eggname}-%{version}-py3.7.egg-info %{_bindir}/pyjwt %endif - %changelog +* Wed Jun 23 2021 Neha Agarwal - 1.7.1-9 +- Pass check section + * Thu Feb 04 2021 Joe Schmitt - 1.7.1-8 - Initial CBL-Mariner import from Fedora 32 (license: MIT). - Update Source0 to a full url instead of a macro. diff --git a/SPECS/python-kubernetes/python-kubernetes.spec b/SPECS/python-kubernetes/python-kubernetes.spec index 99ad2878a0..926dd6f4e4 100644 --- a/SPECS/python-kubernetes/python-kubernetes.spec +++ b/SPECS/python-kubernetes/python-kubernetes.spec 
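Review bot: In the new python-jwt `%check`, the specifiers in `pip3 install pluggy>=0.7 more-itertools>=4.0.0 attrs==19.1.0 pytest==4.0.1` are unquoted, so the shell parses each `>` as an output redirection. pip is then asked for bare `pluggy` and `more-itertools` with no lower bound, and files named `=0.7` and `=4.0.0` are created in the build directory. Quote the constraints: `pip3 install 'pluggy>=0.7' 'more-itertools>=4.0.0' attrs==19.1.0 pytest==4.0.1`. The same hunk leaves `#%{python3_sitelib}/%{eggname}-%{version}-py3.7.egg-info` in `%files`; rpm expands macros on comment lines too, so drop the line or escape it as `%%{...}`.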
@@ -81,6 +81,7 @@ cp -pr kubernetes/e2e_test %{buildroot}%{python3_sitelib}/%{library}/ %changelog * Fri Aug 21 2020 Thomas Crain - 11.0.0-5 - Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Wed Jul 29 2020 Fedora Release Engineering - 11.0.0-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/python-lockfile/python-lockfile.spec b/SPECS/python-lockfile/python-lockfile.spec index 586a1fd216..1a404db235 100644 --- a/SPECS/python-lockfile/python-lockfile.spec +++ b/SPECS/python-lockfile/python-lockfile.spec @@ -72,7 +72,7 @@ popd %{python3_sitelib}/lockfile %changelog -* Sat May 09 00:20:56 PST 2020 Nick Samson - 0.12.2-5 +* Sat May 09 2020 Nick Samson - 0.12.2-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.12.2-4 diff --git a/SPECS/python-logutils/python-logutils.spec b/SPECS/python-logutils/python-logutils.spec index 96e890bb66..d059f7edee 100644 --- a/SPECS/python-logutils/python-logutils.spec +++ b/SPECS/python-logutils/python-logutils.spec @@ -57,4 +57,5 @@ python3 setup.py test %changelog * Fri Aug 21 2020 Thomas Crain 1.4.0-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-lxml/python-lxml.spec b/SPECS/python-lxml/python-lxml.spec index ae7d8cac1c..a2e6721b11 100644 --- a/SPECS/python-lxml/python-lxml.spec +++ b/SPECS/python-lxml/python-lxml.spec @@ -6,7 +6,7 @@ Release: 7%{?dist} # Test suite (and only the test suite) is GPLv2+ License: BSD and GPLv2+ URL: https://lxml.de -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner # Source0: https://files.pythonhosted.org/packages/ca/63/139b710671c1655aed3b20c1e6776118c62e9f9311152f4c6031e12a0554/lxml-%{version}.tar.gz 
@@ -61,7 +61,8 @@ rm -rf %{buildroot} %changelog * Wed Aug 26 2020 Thomas Crain 4.2.4-7 - Remove python2 support. -* Sat May 09 00:20:50 PST 2020 Nick Samson 4.2.4-6 +- License verified. +* Sat May 09 2020 Nick Samson 4.2.4-6 - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 4.2.4-5 - Renaming cython to Cython diff --git a/SPECS/python-m2r/python-m2r.spec b/SPECS/python-m2r/python-m2r.spec index 4b0e12ecdc..6d6e90102c 100644 --- a/SPECS/python-m2r/python-m2r.spec +++ b/SPECS/python-m2r/python-m2r.spec @@ -96,7 +96,7 @@ popd %{_bindir}/m2r3 %changelog -* Sat May 09 00:21:14 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 0.2.0-4 diff --git a/SPECS/python-markupsafe/python-markupsafe.spec b/SPECS/python-markupsafe/python-markupsafe.spec index aa6bb4e835..e8f473b898 100644 --- a/SPECS/python-markupsafe/python-markupsafe.spec +++ b/SPECS/python-markupsafe/python-markupsafe.spec @@ -66,7 +66,7 @@ python3 setup.py test - Remove inline sha1 - Lint to Mariner style -* Sat May 09 00:21:01 PST 2020 Nick Samson - 1.0-5 +* Sat May 09 2020 Nick Samson - 1.0-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz - 1.0-4 diff --git a/SPECS/python-mistune/python-mistune.spec b/SPECS/python-mistune/python-mistune.spec index 6c62172c71..7830855cab 100644 --- a/SPECS/python-mistune/python-mistune.spec +++ b/SPECS/python-mistune/python-mistune.spec @@ -74,7 +74,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:37 PST 2020 Nick Samson - 0.8.3-3 +* Sat May 09 2020 Nick Samson - 0.8.3-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.8.3-2 diff --git a/SPECS/python-msgpack/python-msgpack.spec b/SPECS/python-msgpack/python-msgpack.spec index 0de09a7f52..20dc803003 100644 --- a/SPECS/python-msgpack/python-msgpack.spec +++ b/SPECS/python-msgpack/python-msgpack.spec 
@@ -63,7 +63,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:41 PST 2020 Nick Samson - 0.6.2-2 +* Sat May 09 2020 Nick Samson - 0.6.2-2 - Added %%license line automatically * Wed Mar 18 2020 Paul Monson 0.6.2-1 diff --git a/SPECS/python-netifaces/python-netifaces.spec b/SPECS/python-netifaces/python-netifaces.spec index 8898929bf3..0bc0553719 100644 --- a/SPECS/python-netifaces/python-netifaces.spec +++ b/SPECS/python-netifaces/python-netifaces.spec @@ -64,7 +64,7 @@ rm -rf %{buildroot}/* %{python3_sitelib}/* %changelog -* Sat May 09 00:21:19 PST 2020 Nick Samson - 0.10.9-3 +* Sat May 09 2020 Nick Samson - 0.10.9-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.10.9-2 diff --git a/SPECS/python-nocasedict/python-nocasedict.spec b/SPECS/python-nocasedict/python-nocasedict.spec index c281f8f6ee..cf3dac0ef9 100644 --- a/SPECS/python-nocasedict/python-nocasedict.spec +++ b/SPECS/python-nocasedict/python-nocasedict.spec 
@@ -1,57 +1,33 @@ -%{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} + %define pkgname nocasedict -%bcond_without python2 + Summary: Case-insensitive ordered dictionary library for Python Name: python-%{pkgname} Version: 0.5.0 -Release: 2%{?dist} +Release: 1%{?dist} License: LGPLv2+ +URL: https://github.com/pywbem/nocasedict Vendor: Microsoft Corporation Distribution: Mariner -URL: https://github.com/pywbem/nocasedict #Source0: https://github.com/pywbem/%{pkgname}/archive/%{version}.tar.gz Source0: %{pkgname}-%{version}.tar.gz BuildArch: noarch -%description +%description The NocaseDict class supports the functionality of the built-in dict class of Python 3.8. -%if %{with python2} -%package -n python2-%{pkgname} -Summary: %{summary} -BuildRequires: python-setuptools -BuildRequires: python-six -BuildRequires: python-xml -BuildRequires: python2-devel -Requires: python-six -Requires: python2 -AutoReqProv: no -Provides: python2dist(nocasedict) = %{version}-%{release} -Provides: python2.7dist(nocasedict) = %{version}-%{release} -%if %{with tests} -BuildRequires: python2-pytest >= 3.0.7 -%endif - -%description -n python2-%{pkgname} -The NocaseDict class supports the functionality of the built-in dict class of Python 3.8. 
-%endif - %package -n python3-%{pkgname} Summary: %{summary} BuildRequires: python3-devel BuildRequires: python3-setuptools -BuildRequires: python3-six BuildRequires: python3-xml +BuildRequires: python3-six +BuildRequires: python3-pytest >= 3.0.7 Requires: python3 Requires: python3-six -AutoReqProv: no -Provides: python3dist(nocasedict) = %{version}-%{release} -Provides: python3.7dist(nocasedict) = %{version}-%{release} -%if %{with tests} -BuildRequires: python3-pytest >= 3.0.7 -%endif + %description -n python3-%{pkgname} The NocaseDict class supports the functionality of the built-in dict class of Python 3.8. @@ -62,37 +38,19 @@ rm -rf *.egg-info %build -%if %{with python2} -python2 setup.py build -%endif python3 setup.py build %install -%if %{with python2} -python2 setup.py install --skip-build --root=%{buildroot} -%endif python3 setup.py install --skip-build --root=%{buildroot} %if %{with tests} %check -%if %{with python2} -python2 setup.py test -%endif python3 setup.py test %endif -%if %{with python2} -%files -n python2-%{pkgname} -%license LICENSE -%doc README.rst -%{python2_sitelib}/%{pkgname} -%{python2_sitelib}/*.egg-info -%endif - - %files -n python3-%{pkgname} %license LICENSE %doc README.rst @@ -106,3 +64,4 @@ python3 setup.py test * Fri Aug 21 2020 Thomas Crain - 0.5.0-1 - Original CBL-Mariner version. +- License verified. diff --git a/SPECS/python-oauthlib/python-oauthlib.spec b/SPECS/python-oauthlib/python-oauthlib.spec index 07d49d8f61..1f891a444b 100644 --- a/SPECS/python-oauthlib/python-oauthlib.spec +++ b/SPECS/python-oauthlib/python-oauthlib.spec @@ -75,7 +75,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:27 PST 2020 Nick Samson - 2.1.0-4 +* Sat May 09 2020 Nick Samson - 2.1.0-4 - Added %%license line automatically * Mon Apr 13 2020 Jon Slobodzian 2.1.0-3 diff --git a/SPECS/python-packaging/python-packaging.spec b/SPECS/python-packaging/python-packaging.spec index 26f64465e3..c429179b83 100644 
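Review bot: In python-nocasedict.spec the first hunk lowers `Release:` from `2%{?dist}` to `1%{?dist}` while `Version:` stays at 0.5.0, so the rebuilt package would sort below any 0.5.0-2 build already published and would not be offered as an update. The python2 subpackage removal and the dropped `AutoReqProv: no` / explicit `Provides:` lines are real packaging changes, so the release should go up instead, e.g. `Release: 3%{?dist}` with a matching `%changelog` entry describing them. The last hunk only appends `- License verified.` to the 0.5.0-1 entry, and the top of the changelog is outside the visible hunks, so confirm whether a 0.5.0-2 entry exists there. Separately, `BuildRequires: python3-pytest >= 3.0.7` is now unconditional while `%check` is still wrapped in `%if %{with tests}`.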
--- a/SPECS/python-packaging/python-packaging.spec +++ b/SPECS/python-packaging/python-packaging.spec @@ -89,7 +89,7 @@ PYTHONPATH=./ pytest %{python3_sitelib}/* %changelog -* Sat May 09 00:20:36 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Fri Apr 17 2020 Nicolas Ontiveros 17.1-5 diff --git a/SPECS/python-pam/python-pam.spec b/SPECS/python-pam/python-pam.spec index 5d3a42454c..fc986f5230 100644 --- a/SPECS/python-pam/python-pam.spec +++ b/SPECS/python-pam/python-pam.spec @@ -73,7 +73,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:23 PST 2020 Nick Samson - 1.8.4-2 +* Sat May 09 2020 Nick Samson - 1.8.4-2 - Added %%license line automatically * Wed Mar 18 2020 Paul Monson 1.8.4-1 diff --git a/SPECS/python-pecan/python-pecan.spec b/SPECS/python-pecan/python-pecan.spec index 38568520cb..01ddac429d 100644 --- a/SPECS/python-pecan/python-pecan.spec +++ b/SPECS/python-pecan/python-pecan.spec @@ -6,7 +6,7 @@ Summary: A lean and fast WSGI object-dispatching web framework Name: python-%{pkgname} Version: 1.4.0 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Url: https://www.pecanpy.org/ Vendor: Microsoft Corporation @@ -55,7 +55,7 @@ python3 setup.py install --root=%{buildroot} %if %{with check} %check -pip3 install tox +pip3 install tox==3.4.0 tox %endif @@ -66,5 +66,9 @@ tox %{_bindir}/gunicorn_pecan %changelog +* Wed Jun 23 2021 Neha Agarwal 1.4.0-2 +- Pass check section + * Fri Aug 21 2020 Thomas Crain 1.4.0-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-pexpect/python-pexpect.signatures.json b/SPECS/python-pexpect/python-pexpect.signatures.json new file mode 100644 index 0000000000..71b6f7085a --- /dev/null +++ b/SPECS/python-pexpect/python-pexpect.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "pexpect-4.8.0.tar.gz": "f2ea54a12cc893636a60421e8da0a36c40caad7825eb674697f1e25f5f91245e" + } +} 
diff --git a/SPECS/python-pexpect/python-pexpect.spec b/SPECS/python-pexpect/python-pexpect.spec new file mode 100644 index 0000000000..8c813e525c --- /dev/null +++ b/SPECS/python-pexpect/python-pexpect.spec 
@@ -0,0 +1,350 @@ +%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} +%global modname pexpect +Summary: Unicode-aware Pure Python Expect-like module +Name: python-%{modname} +Version: 4.8.0 +Release: 10%{?dist} +License: ISC +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/pexpect/pexpect +Source0: %{url}/archive/%{version}/%{modname}-%{version}.tar.gz +# sys_executable.patch fixes package tests on systems without a /usr/bin/python executable +# Upstream link: https://github.com/pexpect/pexpect/pull/629 +Patch0: sys_executable.patch +BuildArch: noarch +%if %{with_check} +BuildRequires: man-db +BuildRequires: openssl +BuildRequires: python3-pip +%endif + +%description +Pexpect is a pure Python module for spawning child applications; controlling +them; and responding to expected patterns in their output. Pexpect works like +Don Libes' Expect. Pexpect allows your script to spawn a child application and +control it as if a human were typing commands. + +Pexpect can be used for automating interactive applications such as ssh, ftp, +passwd, telnet, etc. It can be used to automate setup scripts for duplicating +software package installations on different servers. And it can be used for +automated software testing. Pexpect is in the spirit of Don Libes' Expect, but +Pexpect is pure Python. Unlike other Expect-like modules for Python, Pexpect +does not require TCL or Expect nor does it require C extensions to be +compiled. It should work on any platform that supports the standard Python +pty module. + +%package -n python3-%{modname} +Summary: %{summary} +BuildRequires: python3-devel +BuildRequires: python3-ptyprocess +BuildRequires: python3-setuptools +Requires: python3-ptyprocess + +%description -n python3-%{modname} +Pexpect is a pure Python module for spawning child applications; controlling +them; and responding to expected patterns in their output. 
Pexpect works like +Don Libes' Expect. Pexpect allows your script to spawn a child application and +control it as if a human were typing commands. This package contains the +python3 version of this module. + +Pexpect can be used for automating interactive applications such as ssh, ftp, +passwd, telnet, etc. It can be used to automate setup scripts for duplicating +software package installations on different servers. And it can be used for +automated software testing. Pexpect is in the spirit of Don Libes' Expect, but +Pexpect is pure Python. Unlike other Expect-like modules for Python, Pexpect +does not require TCL or Expect nor does it require C extensions to be +compiled. It should work on any platform that supports the standard Python +pty module. + +%prep +%autosetup -p1 -n %{modname}-%{version} + +%build +python3 setup.py build + +%install +python3 setup.py install --skip-build --prefix=%{_prefix} --root=%{buildroot} + +%check +export PYTHONIOENCODING=UTF-8 +# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1914843 +# upstream: https://github.com/pexpect/pexpect/issues/669 +# There's a patch upstream that we can presumable remove this after +# it merges and is released. 
+# Thx for the suggestion Miro: https://www.spinics.net/lists/fedora-devel/msg283026.html +echo "set enable-bracketed-paste off" > .inputrc +export INPUTRC=$PWD/.inputrc + +python3 ./tools/display-sighandlers.py +python3 ./tools/display-terminalinfo.py + +pip3 install pytest +TRAVIS=true python3 -m pytest -v + +%files -n python3-%{modname} +%license LICENSE +%doc doc examples +%{python3_sitelib}/%{modname}/ +%{python3_sitelib}/%{modname}-*.egg-info + +%changelog +* Wed Jun 23 2021 Thomas Crain - 4.8.0-10 +- Fix package tests by using pip to install testing requirements +- Fix package tests by taking sys_executable patch from upstream + +* Tue May 11 2021 Thomas Crain - 4.8.0-9 +- Remove /usr/bin/man dependency, replace with check-time man-db dependency + +* Mon May 10 2021 Thomas Crain - 4.8.0-8 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Wed Jan 27 2021 Fedora Release Engineering - 4.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jan 19 2021 Dan Radez - 4.8.0-6 +- adding workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1914843 +- while we wait for upstream fix: https://github.com/pexpect/pexpect/issues/669 + +* Wed Sep 16 2020 Kalev Lember - 4.8.0-5 +- Avoid using bindir macro in BuildRequires + +* Wed Jul 29 2020 Fedora Release Engineering - 4.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat May 23 2020 Miro HronÄok - 4.8.0-3 +- Rebuilt for Python 3.9 + +* Wed Apr 08 2020 Scott Talbert - 4.8.0-2 +- Fix tests when building under COPR (#1822060) + +* Tue Apr 07 2020 Scott Talbert - 4.8.0-1 +- Update to new upstream release 4.8.0 and re-enable tests (#1793613) + +* Thu Jan 30 2020 Fedora Release Engineering - 4.7.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Sep 24 2019 Dan Radez - 4.7.0-4 +- Remove Python2 packaging + +* Fri Aug 16 2019 Miro HronÄok - 4.7.0-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 
Fedora Release Engineering - 4.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Apr 11 2019 Dan Radez - 4.7.0-1 +- update to 4.7.0 + +* Sat Feb 02 2019 Fedora Release Engineering - 4.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Nov 18 2018 Zbigniew JÄ™drzejewski-Szmek - 4.6-2 +- Drop explicit locale setting + See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot + +* Wed Jul 25 2018 Dan Radez - 4.6-1 +- update to 4.6 + +* Sat Jul 14 2018 Fedora Release Engineering - 4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro HronÄok - 4.5-2 +- Rebuilt for Python 3.7 + +* Wed May 23 2018 Igor Gnatenko - 4.5.0-1 +- Update to 4.5.0 + +* Mon Mar 12 2018 Igor Gnatenko - 4.4.0-1 +- Update to 4.4.0 + +* Fri Feb 09 2018 Fedora Release Engineering - 4.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Dec 22 2017 Igor Gnatenko - 4.3.1-1 +- Update to 4.3.1 + +* Fri Nov 10 2017 Igor Gnatenko - 4.3-1 +- Update to 4.3 + +* Thu Jul 27 2017 Fedora Release Engineering - 4.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Feb 14 2017 Igor Gnatenko - 4.2.1-1 +- Update to 4.2.1 + +* Sat Feb 11 2017 Fedora Release Engineering - 4.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Dec 13 2016 Stratakis Charalampos - 4.1.0-3 +- Rebuild for Python 3.6 + +* Tue Jul 19 2016 Fedora Release Engineering - 4.1.0-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jun 30 2016 Igor Gnatenko - 4.1.0-1 +- Update to 4.1.0 +- Improve packaging + +* Thu Feb 04 2016 Fedora Release Engineering - 4.0.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering - 4.0.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Sun Oct 18 2015 Kalev 
Lember - 4.0.1-4 +- Move pexpect provides to the right subpackage + +* Tue Oct 13 2015 Igor Gnatenko - 4.0.1-3 +- Fix asyncio issue (3.4.3+) + +* Thu Oct 08 2015 Igor Gnatenko - 4.0.1-2 +- Fix RPM macroses + +* Tue Oct 06 2015 Igor Gnatenko - 4.0.1-1 +- Update to 4.0.1 + +* Mon Oct 05 2015 Igor Gnatenko - 4.0-1 +- Update to 4.0 +- Follow modern RPM Packaging guidelines + +* Thu Jun 18 2015 Fedora Release Engineering - 3.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 14 2014 Bohuslav Kabrda - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Tue Apr 08 2014 Fabian Deutsch - 3.1-1 +- Update to 3.1 + +* Tue Nov 12 2013 Thomas Spura - 3.0-1 +- update to 3.0 + +* Wed Oct 30 2013 Thomas Spura - 3.0-0.1 +- new upstream is github/pexpect/pexpect +- update to rc3 +- build on noarch again +- consistently use %%{buildroot} everywhere +- be more explicit in %%files +- remove CFLAGS + +* Thu Sep 05 2013 Andrew McNabb - 2.5.1-11 +- Fix the name of the arm architecture in ExcludeArch + +* Thu Sep 05 2013 Andrew McNabb - 2.5.1-10 +- Remove noarch because of arm build problems (bug #999174) + +* Tue Aug 20 2013 Andrew McNabb - 2.5.1-9 +- Exclude the arm architecture (bug #999174) + +* Tue Aug 20 2013 Andrew McNabb - 2.5.1-8 +- Bump the obsoletes version + +* Sun Aug 04 2013 Fedora Release Engineering - 2.5.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 2.5.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Nov 20 2012 Andrew McNabb - 2.5.1-5 +- Exclude test scripts from the files list + +* Tue Nov 20 2012 Andrew McNabb - 2.5.1-4 +- Moved unit tests to a check section + +* Tue Nov 20 2012 Andrew McNabb - 2.5.1-3 +- Added unit tests and fixed metadata fields + +* Tue Nov 20 2012 Andrew McNabb 
- 2.5.1-2 +- Added versions to the obsoletes and provides fields + +* Tue Nov 20 2012 Andrew McNabb - 2.5.1-1 +- Updated to version 2.5.1 (pexpect-u fork) and added support for Python 3 + +* Wed Feb 09 2011 Fedora Release Engineering - 2.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jul 21 2010 David Malcolm - 2.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Sun Jul 26 2009 Fedora Release Engineering - 2.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Feb 23 2009 Robert Scheck 2.3-3 +- Rebuild for gcc 4.4 and rpm 4.6 + +* Fri Dec 5 2008 Jeremy Katz - 2.3-2 +- Rebuild for python 2.6 + +* Tue Jan 08 2008 Robert Scheck 2.3-1 +- Upgrade to 2.3 +- Updated the source URL to match with the guidelines + +* Wed Aug 29 2007 Robert Scheck 2.1-5 +- Rebuilt (and some minor spec file tweaks) + +* Sat Dec 09 2006 Toshio Kuratomi - 2.1-4 +- Bump and rebuild because I forgot to cvs up before the last build. + +* Sat Dec 09 2006 Toshio Kuratomi - 2.1-3 +- Bump and rebuild for python 2.5 on devel. +- Add BR: python-devel as it provides a header necessary for python modules + on python 2.5. + +* Fri Sep 01 2006 Toshio Kuratomi - 2.1-2 +- Remove pyver define as it's not needed with the automatic python(abi). +- Stop ghosting .pyos. +- Let automatic python compilation take care of creating pyos. +- Rebuild for FC6. + +* Mon Jul 17 2006 Toshio Kuratomi - 2.1-1 +- Update to 2.1. + +* Thu Feb 16 2006 Toshio Kuratomi - 2.0-2 +- Bump and rebuild for FC5. +- Convert from python-abi to python(abi) requires. + +* Thu Nov 17 2005 Toshio Kuratomi - 2.0-1 +- Update to 2.0. + +* Sat Sep 3 2005 Toshio Kuratomi 0.99999b-2 +- Add LICENSE File. +- Make noarch. +- Remove executable permissions from the modules copied to examples. + +* Fri Sep 2 2005 Toshio Kuratomi 0.99999b +- Update to version 0.99999b. +- Add dist tag. 
+ +* Thu Apr 7 2005 Michael Schwendt +- rebuilt + +* Thu Feb 03 2005 Toshio Kuratomi 0.999-2 +- Use python_sitelib macro to resolve build issues on x86_64. +- %%ghost *.pyo +- Install ANSI.py, screen.py, and FSM.py into the examples. These are intended + to suplement pexpect eventually but they are currently much less robust and + not installed to by default. But they are needed by some examples. +- Use __python macro in build/install for consistency. +- Add --skip-build to the invocation of setup.py in install. + +* Mon May 31 2004 Panu Matilainen 0.999-0.fdr.1 +- get rid of distrel munging, buildsys does that... +- update to 0.999 +- update doc and example tarballs +- fix build on python <> 2.2 +- use -O1 in install to generate .pyo files instead of manually creating the files +- require python-abi = pyver to get dependencies right + +* Sun Jul 27 2003 Panu Matilainen 0.98-0.fdr.3 +- own .pyo files too as suggested by Ville (#517) + +* Sat Jul 26 2003 Panu Matilainen 0.98-0.fdr.2 +- fixes by Ville (bug #517) applied + +* Sat Jul 26 2003 Panu Matilainen +- Initial Fedora packaging diff --git a/SPECS/python-pexpect/sys_executable.patch b/SPECS/python-pexpect/sys_executable.patch new file mode 100644 index 0000000000..6d0c6acb90 --- /dev/null +++ b/SPECS/python-pexpect/sys_executable.patch 
@@ -0,0 +1,110 @@ +From 6f78e3b7cec5adc7db56bae37f97adb05ca2ae5c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= +Date: Thu, 12 Mar 2020 12:35:21 +0100 +Subject: [PATCH] Do not directly call python and use sys.executable + +This makes sure the tests and wrapper works on systems where there +is no python2 nor /usr/bin/python available +--- + pexpect/replwrap.py | 2 +- + tests/test_performance.py | 10 +++++----- + tests/test_replwrap.py | 3 ++- + tests/test_run.py | 2 +- + 4 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/pexpect/replwrap.py b/pexpect/replwrap.py +index c930f1e4..6c34ce41 100644 +--- a/pexpect/replwrap.py ++++ b/pexpect/replwrap.py +@@ -108,7 +108,7 @@ def run_command(self, command, timeout=-1, async_=False): + + command) + return u''.join(res + [self.child.before]) + +-def python(command="python"): ++def python(command=sys.executable): + """Start a Python shell and return a :class:`REPLWrapper` object.""" + return REPLWrapper(command, u">>> ", u"import sys; sys.ps1={0!r}; sys.ps2={1!r}") + +diff --git a/tests/test_performance.py b/tests/test_performance.py +index 63778af6..d7e2cd6a 100755 +--- a/tests/test_performance.py ++++ b/tests/test_performance.py +@@ -45,7 +45,7 @@ def _iter_n(n): + return 'for n in range(1, %d+1): print(n)' % n + + def plain_range(self, n): +- e = pexpect.spawn('python', timeout=100) ++ e = pexpect.spawn(sys.executable, timeout=100) + self.assertEqual(e.expect(b'>>>'), 0) + e.sendline(self._iter_n(n)) + self.assertEqual(e.expect(br'\.{3}'), 0) +@@ -53,7 +53,7 @@ def plain_range(self, n): + self.assertEqual(e.expect([b'inquisition', '%d' % n]), 1) + + def window_range(self, n): +- e = pexpect.spawn('python', timeout=100) ++ e = pexpect.spawn(sys.executable, timeout=100) + self.assertEqual(e.expect(b'>>>'), 0) + e.sendline(self._iter_n(n)) + self.assertEqual(e.expect(r'\.{3}'), 0) +@@ -61,7 +61,7 @@ def window_range(self, n): + self.assertEqual(e.expect([b'inquisition', '%d' % n], 
searchwindowsize=20), 1) + + def exact_range(self, n): +- e = pexpect.spawn('python', timeout=100) ++ e = pexpect.spawn(sys.executable, timeout=100) + self.assertEqual(e.expect_exact([b'>>>']), 0) + e.sendline(self._iter_n(n)) + self.assertEqual(e.expect_exact([b'...']), 0) +@@ -69,7 +69,7 @@ def exact_range(self, n): + self.assertEqual(e.expect_exact([b'inquisition', '%d' % n],timeout=520), 1) + + def ewin_range(self, n): +- e = pexpect.spawn('python', timeout=100) ++ e = pexpect.spawn(sys.executable, timeout=100) + self.assertEqual(e.expect_exact([b'>>>']), 0) + e.sendline(self._iter_n(n)) + self.assertEqual(e.expect_exact([b'...']), 0) +@@ -77,7 +77,7 @@ def ewin_range(self, n): + self.assertEqual(e.expect_exact([b'inquisition', '%d' % n], searchwindowsize=20), 1) + + def faster_range(self, n): +- e = pexpect.spawn('python', timeout=100) ++ e = pexpect.spawn(sys.executable, timeout=100) + self.assertEqual(e.expect(b'>>>'), 0) + e.sendline(('list(range(1, %d+1))' % n).encode('ascii')) + self.assertEqual(e.expect([b'inquisition', '%d' % n]), 1) +diff --git a/tests/test_replwrap.py b/tests/test_replwrap.py +index 06ca07b9..1e5ff873 100644 +--- a/tests/test_replwrap.py ++++ b/tests/test_replwrap.py +@@ -2,6 +2,7 @@ + import unittest + import re + import os ++import sys + + import pexpect + from pexpect import replwrap +@@ -108,7 +109,7 @@ def test_no_change_prompt(self): + if platform.python_implementation() == 'PyPy': + raise unittest.SkipTest(skip_pypy) + +- child = pexpect.spawn('python', echo=False, timeout=5, encoding='utf-8') ++ child = pexpect.spawn(sys.executable, echo=False, timeout=5, encoding='utf-8') + # prompt_change=None should mean no prompt change + py = replwrap.REPLWrapper(child, u">>> ", prompt_change=None, + continuation_prompt=u"... 
") +diff --git a/tests/test_run.py b/tests/test_run.py +index 401ddc63..f750fb29 100755 +--- a/tests/test_run.py ++++ b/tests/test_run.py +@@ -69,7 +69,7 @@ def tearDown(self): + super(RunFuncTestCase, self).tearDown() + + def test_run_exit(self): +- (data, exitstatus) = self.runfunc('python exit1.py', withexitstatus=1) ++ (data, exitstatus) = self.runfunc(sys.executable + ' exit1.py', withexitstatus=1) + assert exitstatus == 1, "Exit status of 'python exit1.py' should be 1." + + def test_run(self): diff --git a/SPECS/python-prettytable/python-prettytable.spec b/SPECS/python-prettytable/python-prettytable.spec index 462406c2ed..7eefc55f82 100644 --- a/SPECS/python-prettytable/python-prettytable.spec +++ b/SPECS/python-prettytable/python-prettytable.spec @@ -78,7 +78,7 @@ popd %changelog -* Sat May 09 00:21:31 PST 2020 Nick Samson - 0.7.2-8 +* Sat May 09 2020 Nick Samson - 0.7.2-8 - Added %%license line automatically * Mon Apr 13 2020 Nick Samson 0.7.2-7 diff --git a/SPECS/python-psutil/python-psutil.spec b/SPECS/python-psutil/python-psutil.spec index 60cca52e3d..e77a634e8d 100644 --- a/SPECS/python-psutil/python-psutil.spec +++ b/SPECS/python-psutil/python-psutil.spec @@ -95,7 +95,7 @@ LANG=en_US.UTF-8 make test PYTHON=python%{python3_version} %{python3_sitelib}/* %changelog -* Sat May 09 00:20:46 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Apr 14 2020 Emre Girgin 5.6.3-3 diff --git a/SPECS/python-psycopg2/python-psycopg2.spec b/SPECS/python-psycopg2/python-psycopg2.spec index f7df29f053..58bc8b9710 100644 --- a/SPECS/python-psycopg2/python-psycopg2.spec +++ b/SPECS/python-psycopg2/python-psycopg2.spec 
@@ -119,15 +119,20 @@ rm -r /home/postgres/data &>/dev/null ||: * Sat May 09 2020 Nick Samson - 2.7.5-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 2.7.5-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 2.7.5-2 -- Consuming postgresql 10.5 version -* Sun Sep 09 2018 Tapas Kundu 2.7.5-1 -- Update to version 2.7.5 -* Wed Aug 09 2017 Xiaolin Li 2.7.1-3 -- Fixed make check errors -* Thu Jul 6 2017 Divya Thaluru 2.7.1-2 -- Added build requires on postgresql-devel -* Wed Apr 26 2017 Xialin Li 2.7.1-1 -- Initial packaging for Photon +* Tue Sep 03 2019 Mateusz Malisz 2.7.5-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani 2.7.5-2 +- Consuming postgresql 10.5 version + +* Sun Sep 09 2018 Tapas Kundu 2.7.5-1 +- Update to version 2.7.5 + +* Wed Aug 09 2017 Xiaolin Li 2.7.1-3 +- Fixed make check errors + +* Thu Jul 6 2017 Divya Thaluru 2.7.1-2 +- Added build requires on postgresql-devel + +* Wed Apr 26 2017 Xialin Li 2.7.1-1 +- Initial packaging for Photon diff --git a/SPECS/python-ptyprocess/python-ptyprocess.signatures.json b/SPECS/python-ptyprocess/python-ptyprocess.signatures.json new file mode 100644 index 0000000000..e0e60e43e8 --- /dev/null +++ b/SPECS/python-ptyprocess/python-ptyprocess.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "ptyprocess-0.7.0.tar.gz": "5c5d0a3b48ceee0b48485e0c26037c0acd7d29765ca3fbb5cb3831d347423220" + } +} diff --git a/SPECS/python-ptyprocess/python-ptyprocess.spec b/SPECS/python-ptyprocess/python-ptyprocess.spec new file mode 100644 index 0000000000..8d380c0659 --- /dev/null +++ b/SPECS/python-ptyprocess/python-ptyprocess.spec 
@@ -0,0 +1,147 @@ +%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} +%global srcname ptyprocess +Summary: Run a subprocess in a pseudo terminal +Name: python-%{srcname} +Version: 0.7.0 +Release: 2%{?dist} +License: ISC +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/pexpect/ptyprocess +Source0: https://pypi.io/packages/source/p/%{srcname}/%{srcname}-%{version}.tar.gz +BuildArch: noarch +%if %{with_check} +BuildRequires: python3-pip +BuildRequires: python3-setuptools +%endif + +%description +Launch a subprocess in a pseudo terminal (pty), and interact with both the +process and its pty. + +%package -n python3-ptyprocess +Summary: Run a subprocess in a pseudo terminal +BuildRequires: python3-devel + +%description -n python3-ptyprocess +Launch a subprocess in a pseudo terminal (pty), and interact with both the +process and its pty. + +%prep +%autosetup -n %{srcname}-%{version} + +%build +python3 setup.py build + +%install +python3 setup.py install --skip-build --prefix=%{_prefix} --root=%{buildroot} + +%check +pip3 install pytest +python3 -m pytest -v + +%files -n python3-ptyprocess +%license LICENSE +%doc README.rst +%{python3_sitelib}/ptyprocess/ +%{python3_sitelib}/ptyprocess-*.egg-info + +%changelog +* Wed Jun 23 2021 Thomas Crain - 0.7.0-2 +- Fix package test by using pip to install test requirements + +* Mon May 10 2021 Thomas Crain - 0.7.0-1 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- Updated to latest package version +- License verified + +* Wed Jan 27 2021 Fedora Release Engineering - 0.6.0-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 0.6.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri May 22 2020 Miro HronÄok - 0.6.0-10 +- Rebuilt for Python 3.9 + +* Thu Jan 30 2020 Fedora Release Engineering - 0.6.0-9 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Oct 01 2019 Miro HronÄok - 0.6.0-8 +- Subpackage python2-ptyprocess has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Fri Aug 16 2019 Miro HronÄok - 0.6.0-7 +- Rebuilt for Python 3.8 + +* Mon Jul 29 07:16:43 CEST 2019 Igor Gnatenko - 0.6.0-6 +- Fix FTBFS + +* Fri Jul 26 2019 Fedora Release Engineering - 0.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 0.6.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Nov 18 2018 Zbigniew JÄ™drzejewski-Szmek - 0.6.0-3 +- Drop explicit locale setting + See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot + +* Sat Jul 14 2018 Fedora Release Engineering - 0.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 22 2018 Orion Poplawski - 0.6.0-1 +- Update to 0.6.0 + +* Fri Jun 15 2018 Miro HronÄok - 0.5.2-4 +- Rebuilt for Python 3.7 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.5.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 03 2017 Charalampos Stratakis - 0.5.2-1 +- Update to 0.5.2 (#1467330) + +* Thu Feb 23 2017 Orion Poplawski - 0.5.1-6 +- Really build python3 on EPEL + +* Thu Feb 23 2017 Orion Poplawski - 0.5.1-5 +- Build python3 on EPEL +- Run tests verbosely + +* Sat Feb 11 2017 Fedora Release Engineering - 0.5.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Dec 13 2016 Stratakis Charalampos - 0.5.1-3 +- Rebuild for Python 3.6 + +* Tue Jul 19 2016 Fedora Release Engineering - 0.5.1-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Mon Apr 04 2016 Thomas Spura - 0.5.1-1 +- update to 0.5.1 (#1304136) + +* 
Thu Feb 04 2016 Fedora Release Engineering - 0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Oct 14 2015 Thomas Spura - 0.5-3 +- Use new python macros + +* Thu Jun 18 2015 Fedora Release Engineering - 0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu May 21 2015 Thomas Spura - 0.5-1 +- update to 0.5 (#1223718) + +* Wed Jan 07 2015 Thomas Spura - 0.4-1 +- update to 0.4 + +* Wed Dec 03 2014 Thomas Spura - 0.3.1-2 +- Generalize with_python3 macro +- Add comment to tests section + +* Tue Nov 25 2014 Thomas Spura - 0.3.1-1 +- initial spec for ptyprocess (#1167830) diff --git a/SPECS/python-pyasn1/python-pyasn1.spec b/SPECS/python-pyasn1/python-pyasn1.spec index 521b808789..9b94f06394 100644 --- a/SPECS/python-pyasn1/python-pyasn1.spec +++ b/SPECS/python-pyasn1/python-pyasn1.spec @@ -70,7 +70,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:24 PST 2020 Nick Samson - 0.4.4-3 +* Sat May 09 2020 Nick Samson - 0.4.4-3 - Added %%license line automatically. * Tue Apr 07 2020 Pawel Winogrodzki 0.4.4-2 - Initial CBL-Mariner import from Photon (license: Apache2). diff --git a/SPECS/python-pycparser/python-pycparser.spec b/SPECS/python-pycparser/python-pycparser.spec index 99c5483519..b73e0edfbb 100644 --- a/SPECS/python-pycparser/python-pycparser.spec +++ b/SPECS/python-pycparser/python-pycparser.spec @@ -61,7 +61,7 @@ python2 all_tests.py %{python3_sitelib}/* %changelog -* Sat May 09 00:20:51 PST 2020 Nick Samson - 2.18-3 +* Sat May 09 2020 Nick Samson - 2.18-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.18-2 diff --git a/SPECS/python-pycurl/python-pycurl.spec b/SPECS/python-pycurl/python-pycurl.spec index 1359dede96..f77e0f2fa0 100644 --- a/SPECS/python-pycurl/python-pycurl.spec +++ b/SPECS/python-pycurl/python-pycurl.spec 
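Review bot: The `%check` section of the new python-ptyprocess spec runs `pip3 install pytest` with no version pin and no hash check, so each test build executes whatever PyPI serves at that moment inside the build root, while Source0 for the same package is pinned by SHA-256 in python-ptyprocess.signatures.json. I would pin it at least, `pip3 install pytest==<PINNED_VERSION>`, and preferably install from a requirements file with `--require-hashes`, or supply pytest as a `BuildRequires` inside the existing `%if %{with_check}` block so the check needs no network. The same pattern is visible in the python-pexpect `%check` (`pip3 install pytest`) and in python-repoze-lru (`pip3 install tox`). python-remoto and python-routes pin `tox==3.4.0`, but tox's own dependencies presumably still resolve unpinned.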
@@ -5,7 +5,7 @@ Name: python-pycurl Version: 7.43.0.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A Python interface to libcurl Group: Development/Languages License: LGPLv2+ or MIT @@ -13,17 +13,20 @@ URL: http://pycurl.sourceforge.net/ Source0: https://pypi.io/packages/source/p/pycurl/pycurl-%{version}.tar.gz Vendor: Microsoft Corporation Distribution: Mariner +Patch0: skip-incompatible-libcurl-tests.patch BuildRequires: openssl-devel BuildRequires: python2-devel BuildRequires: python2-libs BuildRequires: curl-devel - BuildRequires: python3 BuildRequires: python3-devel BuildRequires: python3-libs %if %{with_check} -BuildRequires: python-setuptools, vsftpd, curl-libs -BuildRequires: python3-setuptools, python3-xml +BuildRequires: python-setuptools +BuildRequires: vsftpd +BuildRequires: curl-libs +BuildRequires: python3-setuptools +BuildRequires: python3-xml %endif %description @@ -60,6 +63,7 @@ Documentation and examples for pycurl %prep %setup -q -n pycurl-%{version} +%patch0 -p1 rm -f doc/*.xml_validity #chmod a-x examples/* 
@@ -118,42 +122,63 @@ rm -rf %{buildroot} %doc COPYING-LGPL COPYING-MIT RELEASE-NOTES.rst ChangeLog README.rst examples doc tests %changelog +* Wed Jun 16 2021 Andrew Phelps 7.43.0.2-8 +- Add patch to fix libcurl package test issue +- (JOSLOBO: 7/26/21 Bumped dash verison due to merge conflict) + * Mon May 17 2021 Thomas Crain - 7.43.0.2-7 - Update source URL -* Wed Mar 03 2021 Andrew Phelps 7.43.0.2-6 -- Disable unreliable multi_timer_test -* Wed Jan 20 2021 Andrew Phelps 7.43.0.2-5 -- Disable unreliable memory_mgmt_test -* Fri Jan 15 2021 Andrew Phelps 7.43.0.2-4 -- Fix check tests by setting PYCURL_SSL_LIBRARY and using specific bottle version. -* Sat May 09 2020 Nick Samson 7.43.0.2-3 -- Added %%license line automatically -* Wed Apr 29 2020 Emre Girgin 7.43.0.2-2 -- Renaming pycurl to python-pycurl -* Fri Mar 13 2020 Paul Monson 7.43.0.2-1 -- Update to version 7.43.0.2. License verified. Remove fixed patch. -* Tue Sep 03 2019 Mateusz Malisz 7.43.0-5 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Nov 12 2018 Tapas Kundu 7.43.0-4 -- Fixed the make check. -* Mon Aug 14 2017 Chang Lee 7.43.0-3 -- Added check requires and fixed check -* Wed May 31 2017 Dheeraj Shetty 7.43.0-2 -- Using python2 explicitly while building -* Mon Apr 03 2017 Rongrong Qiu 7.43.0-1 -- Upgrade to 7.43.0 and add pycurl3 -* Wed Dec 07 2016 Xiaolin Li 7.21.5-5 -- BuildRequires curl-devel. -* Mon Oct 10 2016 ChangLee 7.21.5-4 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 7.21.5-3 -- GA - Bump release of all rpms -* Fri Apr 29 2016 Divya Thaluru 7.21.5-2 -- Removing prebuilt binaries -* Thu Jan 21 2016 Anish Swaminathan 7.21.5-1 -- Upgrade version -* Mon Jul 6 2015 Alexey Makhalov 7.19.5.1-2 -- Added Doc subpackage. Removed chmod a-x for examples. -* Sat Jan 24 2015 Touseef Liaqat 7.19.5.1 -- Initial build. 
First version +* Wed Mar 03 2021 Andrew Phelps 7.43.0.2-6 +- Disable unreliable multi_timer_test + +* Wed Jan 20 2021 Andrew Phelps 7.43.0.2-5 +- Disable unreliable memory_mgmt_test + +* Fri Jan 15 2021 Andrew Phelps 7.43.0.2-4 +- Fix check tests by setting PYCURL_SSL_LIBRARY and using specific bottle version. + +* Sat May 09 2020 Nick Samson 7.43.0.2-3 +- Added %%license line automatically + +* Wed Apr 29 2020 Emre Girgin 7.43.0.2-2 +- Renaming pycurl to python-pycurl + +* Fri Mar 13 2020 Paul Monson 7.43.0.2-1 +- Update to version 7.43.0.2. License verified. Remove fixed patch. + +* Tue Sep 03 2019 Mateusz Malisz 7.43.0-5 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Nov 12 2018 Tapas Kundu 7.43.0-4 +- Fixed the make check. + +* Mon Aug 14 2017 Chang Lee 7.43.0-3 +- Added check requires and fixed check + +* Wed May 31 2017 Dheeraj Shetty 7.43.0-2 +- Using python2 explicitly while building + +* Mon Apr 03 2017 Rongrong Qiu 7.43.0-1 +- Upgrade to 7.43.0 and add pycurl3 + +* Wed Dec 07 2016 Xiaolin Li 7.21.5-5 +- BuildRequires curl-devel. + +* Mon Oct 10 2016 ChangLee 7.21.5-4 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom 7.21.5-3 +- GA - Bump release of all rpms + +* Fri Apr 29 2016 Divya Thaluru 7.21.5-2 +- Removing prebuilt binaries + +* Thu Jan 21 2016 Anish Swaminathan 7.21.5-1 +- Upgrade version + +* Mon Jul 6 2015 Alexey Makhalov 7.19.5.1-2 +- Added Doc subpackage. Removed chmod a-x for examples. + +* Sat Jan 24 2015 Touseef Liaqat 7.19.5.1 +- Initial build. First version diff --git a/SPECS/python-pycurl/skip-incompatible-libcurl-tests.patch b/SPECS/python-pycurl/skip-incompatible-libcurl-tests.patch new file mode 100644 index 0000000000..b7bfe3bf91 --- /dev/null +++ b/SPECS/python-pycurl/skip-incompatible-libcurl-tests.patch 
@@ -0,0 +1,76 @@ +diff -urN a/tests/failonerror_test.py b/tests/failonerror_test.py +--- a/tests/failonerror_test.py 2021-06-16 13:54:20.634340403 -0700 ++++ b/tests/failonerror_test.py 2021-06-16 13:56:19.337945639 -0700 +@@ -21,6 +21,8 @@ + # not sure what the actual min is but 7.26 is too old + # and does not include status text, only the status code + @util.min_libcurl(7, 38, 0) ++ # no longer supported by libcurl: https://github.com/curl/curl/issues/6615 ++ @util.removed_in_libcurl(7, 75, 0) + def test_failonerror(self): + self.curl.setopt(pycurl.URL, 'http://%s:8380/status/403' % localhost) + sio = util.BytesIO() +@@ -41,6 +43,8 @@ + # not sure what the actual min is but 7.26 is too old + # and does not include status text, only the status code + @util.min_libcurl(7, 38, 0) ++ # no longer supported by libcurl: https://github.com/curl/curl/issues/6615 ++ @util.removed_in_libcurl(7, 75, 0) + def test_failonerror_status_line_invalid_utf8_python2(self): + self.curl.setopt(pycurl.URL, 'http://%s:8380/status_invalid_utf8' % localhost) + sio = util.BytesIO() +@@ -61,6 +65,8 @@ + # not sure what the actual min is but 7.26 is too old + # and does not include status text, only the status code + @util.min_libcurl(7, 38, 0) ++ # no longer supported by libcurl: https://github.com/curl/curl/issues/6615 ++ @util.removed_in_libcurl(7, 75, 0) + def test_failonerror_status_line_invalid_utf8_python3(self): + self.curl.setopt(pycurl.URL, 'http://%s:8380/status_invalid_utf8' % localhost) + sio = util.BytesIO() +diff -urN a/tests/option_constants_test.py b/tests/option_constants_test.py +--- a/tests/option_constants_test.py 2021-06-16 13:54:32.058302421 -0700 ++++ b/tests/option_constants_test.py 2021-06-16 13:57:26.629721761 -0700 +@@ -164,9 +164,16 @@ + def test_sslversion_options(self): + curl = pycurl.Curl() + curl.setopt(curl.SSLVERSION, curl.SSLVERSION_DEFAULT) ++ curl.setopt(curl.SSLVERSION, curl.SSLVERSION_TLSv1) ++ curl.close() ++ ++ # SSLVERSION_SSLv* return 
CURLE_BAD_FUNCTION_ARGUMENT with curl-7.77.0 ++ @util.removed_in_libcurl(7, 77, 0) ++ @util.only_ssl ++ def test_legacy_sslversion_options(self): ++ curl = pycurl.Curl() + curl.setopt(curl.SSLVERSION, curl.SSLVERSION_SSLv2) + curl.setopt(curl.SSLVERSION, curl.SSLVERSION_SSLv3) +- curl.setopt(curl.SSLVERSION, curl.SSLVERSION_TLSv1) + curl.close() + + @util.min_libcurl(7, 34, 0) +diff -urN a/tests/util.py b/tests/util.py +--- a/tests/util.py 2021-06-16 13:54:05.910389353 -0700 ++++ b/tests/util.py 2021-06-16 13:58:05.345592928 -0700 +@@ -122,6 +122,21 @@ + + return decorator + ++def removed_in_libcurl(major, minor, patch): ++ import nose.plugins.skip ++ ++ def decorator(fn): ++ @functools.wraps(fn) ++ def decorated(*args, **kwargs): ++ if not pycurl_version_less_than(major, minor, patch): ++ raise nose.plugins.skip.SkipTest('libcurl >= %d.%d.%d' % (major, minor, patch)) ++ ++ return fn(*args, **kwargs) ++ ++ return decorated ++ ++ return decorator ++ + def only_ssl(fn): + import nose.plugins.skip + import pycurl diff --git a/SPECS/python-pyvmomi/python-pyvmomi.spec b/SPECS/python-pyvmomi/python-pyvmomi.spec index cdd635ce12..720028ad38 100644 --- a/SPECS/python-pyvmomi/python-pyvmomi.spec +++ b/SPECS/python-pyvmomi/python-pyvmomi.spec @@ -67,7 +67,7 @@ python3 setup.py test %{python3_sitelib}/* %changelog -* Sat May 09 00:20:41 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Wed Mar 18 2020 Paul Monson 6.7.3-1 diff --git a/SPECS/python-pywbem/python-pywbem.spec b/SPECS/python-pywbem/python-pywbem.spec index beba266b8a..8b0571a079 100644 --- a/SPECS/python-pywbem/python-pywbem.spec +++ b/SPECS/python-pywbem/python-pywbem.spec 
@@ -1,11 +1,9 @@ -%{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} -%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %define pkgname pywbem -%bcond_without python2 + Summary: Python WBEM client interface and related utilities Name: python-%{pkgname} Version: 1.0.1 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -55,60 +53,13 @@ and DSP0201. The CIM/WBEM infrastructure is used for a wide variety of systems management tasks supported by systems running WBEM servers. See WBEM Standards for more information about WBEM. -%if %{with python2} -%package -n python2-%{pkgname} -Summary: Python2 WBEM Client and Provider Interface -BuildRequires: PyYAML -BuildRequires: python-pbr -BuildRequires: python-pip -BuildRequires: python-ply -BuildRequires: python-setuptools -BuildRequires: python2-devel -Requires: PyYAML -Requires: python-ply -Requires: python-requests -Requires: python-xml -Requires: python2 -Requires: python2-nocasedict -Requires: python2-yamlloader -AutoReqProv: no -Provides: python2dist(pywbem) = %{version}-%{release} -Provides: python2.7dist(pyweb) = %{version}-%{release} -BuildArch: noarch - -%description -n python2-%{pkgname} -A WBEM client allows issuing operations to a WBEM server, using the CIM -operations over HTTP (CIM-XML) protocol defined in the DMTF standards DSP0200 -and DSP0201. The CIM/WBEM infrastructure is used for a wide variety of systems -management tasks supported by systems running WBEM servers. See WBEM Standards -for more information about WBEM. -%endif - %prep %setup -q -n %{pkgname}-%{version} -rm -rf ../p2dir -cp -a . ../p2dir %build - -%if %{with python2} -pushd ../p2dir -PBR_VERSION="%{version}" CFLAGS="%{build_cflags}" python2 setup.py build -popd -%endif - PBR_VERSION="%{version}" CFLAGS="%{build_cflags}" python3 setup.py build %install -%if %{with python2} -pushd ../p2dir -env PYTHONPATH=%{buildroot}/%{python2_sitelib} \ - PBR_VERSION="%{version}" \ - python2 setup.py install -O1 --skip-build --root %{buildroot} --prefix=%{_prefix} -rm -rf %{buildroot}%{_bindir}/*.bat -popd -%endif - env PYTHONPATH=%{buildroot}/%{python3_sitelib} \ PBR_VERSION="%{version}" \ python3 setup.py install -O1 --skip-build --root %{buildroot} --prefix=%{_prefix} 
@@ -122,15 +73,10 @@ rm -rf %{buildroot}%{_bindir}/*.bat %{_bindir}/mof_compiler %doc README.rst -%if %{with python2} -%files -n python2-%{pkgname} -%license LICENSE.txt -%{python2_sitelib}/*.egg-info -%{python2_sitelib}/pywbem -%{python2_sitelib}/pywbem_mock -%endif - %changelog +* Fri Aug 13 2021 Jon Slobodzian - 1.0.1-4 +- Remove python2 + * Tue Jan 05 2021 Ruying Chen - 1.0.1-3 - Disable auto dependency generator. diff --git a/SPECS/python-remoto/python-remoto.spec b/SPECS/python-remoto/python-remoto.spec index e8c7d6a5e6..1f8ed34313 100644 --- a/SPECS/python-remoto/python-remoto.spec +++ b/SPECS/python-remoto/python-remoto.spec @@ -6,10 +6,10 @@ Summary: A very simplistic remote-command-executor Name: python-%{pkgname} Version: 1.2.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://github.com/alfredodeza/remoto -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.io/packages/source/r/%{pkgname}/%{pkgname}-%{version}.tar.gz @@ -50,7 +50,7 @@ python3 setup.py install --root=%{buildroot} %if %{with check} %check -pip3 install tox +pip3 install tox==3.4.0 tox %endif @@ -60,5 +60,9 @@ tox %{python3_sitelib}/* %changelog +* Wed Jun 23 2021 Neha Agarwal 1.2.0-2 +- Pass check section + * Fri Aug 21 2020 Thomas Crain 1.2.0-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-repoze-lru/python-repoze-lru.spec b/SPECS/python-repoze-lru/python-repoze-lru.spec index 277bd2e4c1..5490f86cde 100644 --- a/SPECS/python-repoze-lru/python-repoze-lru.spec +++ b/SPECS/python-repoze-lru/python-repoze-lru.spec 
@@ -7,10 +7,10 @@ Summary: A tiny LRU cache implementation and decorator Name: python-%{pkgname} Version: 0.7 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD URL: https://github.com/repoze/repoze.lru -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://pypi.io/packages/source/r/%{pypiname}/%{pypiname}-%{version}.tar.gz Source0: %{pkgname}-%{version}.tar.gz @@ -48,7 +48,7 @@ python3 setup.py install --root=%{buildroot} %if %{with check} %check pip3 install tox -tox +LANG=en_US.UTF-8 tox -e py37 %endif %files -n python3-%{pkgname} @@ -57,5 +57,9 @@ tox %{python3_sitelib}/* %changelog -* Fri Aug 21 2020 Thomas Crain 2.4.1-1 -- Original CBL-Mariner version +* Tue Jun 08 2021 Andrew Phelps 0.7-2 +- Fix check tests + +* Fri Aug 21 2020 Thomas Crain 0.7-1 +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-routes/python-routes.spec b/SPECS/python-routes/python-routes.spec index ed0b6d7be6..018fa99072 100644 --- a/SPECS/python-routes/python-routes.spec +++ b/SPECS/python-routes/python-routes.spec @@ -7,10 +7,10 @@ Summary: Python re-implementation of the Rails routes system Name: python-%{pkgname} Version: 2.4.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: https://routes.readthedocs.io/en/latest/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.io/packages/source/R/%{upname}/%{upname}-%{version}.tar.gz @@ -51,7 +51,7 @@ python3 setup.py install --root=%{buildroot} %if %{with check} %check -pip3 install tox +pip3 install tox==3.4.0 tox %endif @@ -61,5 +61,9 @@ tox %{python3_sitelib}/* %changelog +* Wed Jun 23 2021 Neha Agarwal 2.4.1-2 +- Pass check section + * Fri Aug 21 2020 Thomas Crain 2.4.1-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-rsa/python-rsa.signatures.json b/SPECS/python-rsa/python-rsa.signatures.json index 5e15fba0bb..657d2a1765 100644 
--- a/SPECS/python-rsa/python-rsa.signatures.json +++ b/SPECS/python-rsa/python-rsa.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "rsa-4.6.tar.gz": "109ea5a66744dd859bf16fe904b8d8b627adafb9408753161e766a92e7d681fa" + "rsa-4.7.2.tar.gz": "9d689e6ca1b3038bc82bf8d23e944b6b6037bc02301a574935b2dd946e0353b9" } } \ No newline at end of file diff --git a/SPECS/python-rsa/python-rsa.spec b/SPECS/python-rsa/python-rsa.spec index 6a2659bbfb..9e1636835a 100644 --- a/SPECS/python-rsa/python-rsa.spec +++ b/SPECS/python-rsa/python-rsa.spec @@ -3,11 +3,11 @@ Summary: Purely Python RSA implementation Name: python-%{pkgname} -Version: 4.6 +Version: 4.7.2 Release: 1%{?dist} License: ASL 2.0 URL: https://stuvel.eu/software/rsa/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://pypi.python.org/packages/source/r/%{pkgname}/%{pkgname}-%{version}.tar.gz @@ -45,5 +45,9 @@ python3 setup.py install --skip-build --root=%{buildroot} %{_bindir}/* %changelog +* Fri May 21 2021 Neha Agarwal - 4.7.2-1 +- Update package version to fix CVE-2020-25658 + * Fri Aug 21 2020 Thomas Crain - 4.6-1 -- Original CBL-Mariner version +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python-setuptools/python-setuptools.spec b/SPECS/python-setuptools/python-setuptools.spec index b55966c17c..8a3c2a4f5f 100644 --- a/SPECS/python-setuptools/python-setuptools.spec +++ b/SPECS/python-setuptools/python-setuptools.spec @@ -60,7 +60,7 @@ rm -rf %{buildroot} * Fri Jan 15 2021 Ruying Chen - 40.2.0-6 - Add dist provides. -* Sat May 09 00:21:39 PST 2020 Nick Samson - 40.2.0-5 +* Sat May 09 2020 Nick Samson - 40.2.0-5 - Added %%license line automatically * Tue Apr 07 2020 Pawel Winogrodzki 40.2.0-4 diff --git a/SPECS/python-setuptools_scm/python-setuptools_scm.spec b/SPECS/python-setuptools_scm/python-setuptools_scm.spec index 3d4aeba0c1..fc593b7a19 100644 --- a/SPECS/python-setuptools_scm/python-setuptools_scm.spec 
+++ b/SPECS/python-setuptools_scm/python-setuptools_scm.spec @@ -74,7 +74,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:21:33 PST 2020 Nick Samson - 3.1.0-3 +* Sat May 09 2020 Nick Samson - 3.1.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.1.0-2 diff --git a/SPECS/python-simplejson/python-simplejson.spec b/SPECS/python-simplejson/python-simplejson.spec index e55a3b8936..bc1ef76def 100644 --- a/SPECS/python-simplejson/python-simplejson.spec +++ b/SPECS/python-simplejson/python-simplejson.spec @@ -59,7 +59,7 @@ python3 setup.py test %{python3_sitelib}/* %changelog -* Sat May 09 00:21:11 PST 2020 Nick Samson - 3.17.0-2 +* Sat May 09 2020 Nick Samson - 3.17.0-2 - Added %%license line automatically * Thu Mar 19 2020 Paul Monson 3.17.0-1 diff --git a/SPECS/python-snowballstemmer/python-snowballstemmer.spec b/SPECS/python-snowballstemmer/python-snowballstemmer.spec index ce76163a0a..ca16dde6a5 100644 --- a/SPECS/python-snowballstemmer/python-snowballstemmer.spec +++ b/SPECS/python-snowballstemmer/python-snowballstemmer.spec @@ -83,7 +83,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{python3_sitelib}/* %changelog -* Sat May 09 00:21:18 PST 2020 Nick Samson - 1.2.1-4 +* Sat May 09 2020 Nick Samson - 1.2.1-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.2.1-3 diff --git a/SPECS/python-sphinx-theme-alabaster/python-sphinx-theme-alabaster.spec b/SPECS/python-sphinx-theme-alabaster/python-sphinx-theme-alabaster.spec index 3bbf4b7525..24b4ae09dd 100644 --- a/SPECS/python-sphinx-theme-alabaster/python-sphinx-theme-alabaster.spec +++ b/SPECS/python-sphinx-theme-alabaster/python-sphinx-theme-alabaster.spec @@ -66,7 +66,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{python3_sitelib}/* %changelog -* Sat May 09 00:21:16 PST 2020 Nick Samson - 0.7.11-5 +* Sat May 09 2020 Nick Samson - 0.7.11-5 - Added %%license line automatically * Tue Apr 28 2020 Emre Girgin 0.7.11-4 
diff --git a/SPECS/python-sphinx/python-sphinx.spec b/SPECS/python-sphinx/python-sphinx.spec index 4ba306199d..aea3aa32c0 100644 --- a/SPECS/python-sphinx/python-sphinx.spec +++ b/SPECS/python-sphinx/python-sphinx.spec @@ -4,7 +4,7 @@ Summary: Python documentation generator Name: python-sphinx Version: 1.7.9 -Release: 14%{?dist} +Release: 15%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -36,6 +36,7 @@ Requires: python-imagesize Requires: python-jinja2 Requires: python-pygments Requires: python-requests +Requires: python-setuptools Requires: python-six Requires: python-snowballstemmer Requires: python-sphinx-theme-alabaster @@ -79,6 +80,7 @@ Requires: python3-jinja2 Requires: python3-libs Requires: python3-pygments Requires: python3-requests +Requires: python3-setuptools Requires: python3-six Requires: python3-snowballstemmer Requires: python3-sphinx-theme-alabaster @@ -156,6 +158,12 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{python3_sitelib}/* %changelog +* Tue Aug 10 2021 Jon Slobodzian - 1.7.9-15 +- Merged change from 1.0 branch and bumped dash number +- Mon Jun 14 2021 Tom Fay - 1.7.9-12 +- Add python*-setuptools as a runtime dependency. +- Clean spec. + * Mon Feb 15 2021 Henry Li - 1.7.9-14 - Provides python-sphinx-locale, python-sphinx-doc. 
@@ -167,60 +175,60 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} - Reserve unversioned sphinx-* binaries for python3. - Rename python2 sphinx-* binaries to sphinx-*-2. -* Fri Aug 21 2020 Thomas Crain 1.7.9-11 -- Add sphinx-*-3 binary symlinks for Fedora compatibility -- Add Requires: python(2/3)-sphinxcontrib-websupport -- Correct license shortname +* Fri Aug 21 2020 Thomas Crain 1.7.9-11 +- Add sphinx-*-3 binary symlinks for Fedora compatibility +- Add Requires: python(2/3)-sphinxcontrib-websupport +- Correct license shortname -* Tue Jun 02 2020 Jon Slobodzian 1.7.9-10 -- Add python-typing back. +* Tue Jun 02 2020 Jon Slobodzian 1.7.9-10 +- Add python-typing back. -* Sat May 09 2020 Nick Samson 1.7.9-9 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson 1.7.9-9 +- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 1.7.9-8 -- Renaming python-pytest to pytest +* Thu Apr 30 2020 Emre Girgin 1.7.9-8 +- Renaming python-pytest to pytest -* Wed Apr 29 2020 Emre Girgin 1.7.9-7 -- Renaming python-babel to babel +* Wed Apr 29 2020 Emre Girgin 1.7.9-7 +- Renaming python-babel to babel -* Wed Apr 29 2020 Emre Girgin 1.7.9-6 -- Renaming python-Pygments to python-pygments +* Wed Apr 29 2020 Emre Girgin 1.7.9-6 +- Renaming python-Pygments to python-pygments -* Tue Apr 28 2020 Emre Girgin 1.7.9-5 -- Renaming python-alabaster to python-sphinx-theme-alabaster +* Tue Apr 28 2020 Emre Girgin 1.7.9-5 +- Renaming python-alabaster to python-sphinx-theme-alabaster -* Mon Apr 13 2020 Nicolas Ontiveros 1.7.9-4 -- Remove python-typing from BuildRequires and Requires. +* Mon Apr 13 2020 Nicolas Ontiveros 1.7.9-4 +- Remove python-typing from BuildRequires and Requires. -* Tue Apr 07 2020 Joe Schmitt 1.7.9-3 -- Update URL. -- Update Source0 with valid URL. -- Remove sha1 macro. -- License verified. +* Tue Apr 07 2020 Joe Schmitt 1.7.9-3 +- Update URL. +- Update Source0 with valid URL. +- Remove sha1 macro. +- License verified. 
-* Tue Sep 03 2019 Mateusz Malisz 1.7.9-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.7.9-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Sun Sep 09 2018 Tapas Kundu 1.7.9-1 -- Update to version 1.7.9 +* Sun Sep 09 2018 Tapas Kundu 1.7.9-1 +- Update to version 1.7.9 -* Wed Jun 07 2017 Xiaolin Li 1.5.3-5 -- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. +* Wed Jun 07 2017 Xiaolin Li 1.5.3-5 +- Add python3-setuptools and python3-xml to python3 sub package Buildrequires. -* Thu Jun 01 2017 Dheeraj Shetty 1.5.3-4 -- Keep the original python2 scripts and rename the python3 scripts +* Thu Jun 01 2017 Dheeraj Shetty 1.5.3-4 +- Keep the original python2 scripts and rename the python3 scripts -* Wed Apr 26 2017 Dheeraj Shetty 1.5.3-3 -- BuildRequires and Requires python-babel, python-docutils, python-jinja2, - python-Pygments, python-six, python-alabaster, python-imagesize, - python-requests and python-snowballstemmer. Adding python3 version +* Wed Apr 26 2017 Dheeraj Shetty 1.5.3-3 +- BuildRequires and Requires python-babel, python-docutils, python-jinja2, + python-Pygments, python-six, python-alabaster, python-imagesize, + python-requests and python-snowballstemmer. Adding python3 version -* Tue Apr 25 2017 Priyesh Padmavilasom 1.5.3-2 -- Fix arch +* Tue Apr 25 2017 Priyesh Padmavilasom 1.5.3-2 +- Fix arch -* Thu Mar 30 2017 Sarah Choi 1.5.3-1 -- Upgrade version to 1.5.3 +* Thu Mar 30 2017 Sarah Choi 1.5.3-1 +- Upgrade version to 1.5.3 -* Fri Dec 16 2016 Dheeraj Shetty 1.5.1-1 -- Initial +* Fri Dec 16 2016 Dheeraj Shetty 1.5.1-1 +- Initial diff --git a/SPECS/python-sphinxcontrib-websupport/python-sphinxcontrib-websupport.spec b/SPECS/python-sphinxcontrib-websupport/python-sphinxcontrib-websupport.spec index afb5169147..802bbad083 100644 --- a/SPECS/python-sphinxcontrib-websupport/python-sphinxcontrib-websupport.spec 
+++ b/SPECS/python-sphinxcontrib-websupport/python-sphinxcontrib-websupport.spec @@ -10,7 +10,7 @@ Version: 1.1.2 Release: 1%{?dist} License: BSD URL: https://github.com/sphinx-doc/sphinxcontrib-websupport -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://github.com/sphinx-doc/%{pkgname}/archive/%{version}.tar.gz Source0: %{pkgname}-%{version}.tar.gz @@ -93,4 +93,5 @@ tox %changelog * Fri Aug 21 2020 Thomas Crain - 0.5.0-1 -- Original CBL-Mariner version. \ No newline at end of file +- Original version for CBL-Mariner. +- License verified. diff --git a/SPECS/python-twisted/python-twisted.spec b/SPECS/python-twisted/python-twisted.spec index c4ae24f0c5..9d0e1d206d 100644 --- a/SPECS/python-twisted/python-twisted.spec +++ b/SPECS/python-twisted/python-twisted.spec @@ -134,7 +134,7 @@ popd * Tue Jan 05 2021 Ruying Chen - 19.2.1-6 - Disable auto dependency generator -* Sat May 09 00:21:10 PST 2020 Nick Samson - 19.2.1-5 +* Sat May 09 2020 Nick Samson - 19.2.1-5 - Added %%license line automatically * Wed Apr 29 2020 Emre Girgin 19.2.1-4 diff --git a/SPECS/python-urllib3/CVE-2021-33503.patch b/SPECS/python-urllib3/CVE-2021-33503.patch new file mode 100644 index 0000000000..83a195f231 --- /dev/null +++ b/SPECS/python-urllib3/CVE-2021-33503.patch 
@@ -0,0 +1,64 @@ +From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Wed, 26 May 2021 10:43:12 -0500 +Subject: [PATCH] Improve performance of sub-authority splitting in URL + +--- + src/urllib3/util/url.py | 8 +++++--- + test/test_util.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 6ff238fe..81a03da9 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") + BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$") + ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$") + +-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( ++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( + REG_NAME_PAT, + IPV4_PAT, + IPV6_ADDRZ_PAT, + ) +-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL) ++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL) + + UNRESERVED_CHARS = set( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~" +@@ -365,7 +365,9 @@ def parse_url(url): + scheme = scheme.lower() + + if authority: +- auth, host, port = SUBAUTHORITY_RE.match(authority).groups() ++ auth, _, host_port = authority.rpartition("@") ++ auth = auth or None ++ host, port = _HOST_PORT_RE.match(host_port).groups() + if auth and normalize_uri: + auth = _encode_invalid_chars(auth, USERINFO_CHARS) + if port == "": +diff --git a/test/test_util.py b/test/test_util.py +index a5b68a08..88409e2d 100644 +--- a/test/test_util.py ++++ b/test/test_util.py +@@ -438,6 +438,16 @@ class TestUtil(object): + fragment="hash", + ), + ), ++ # Tons of '@' causing backtracking ++ ("https://" + ("@" * 10000) + "[", False), ++ ( ++ "https://user:" + ("@" * 10000) + "example.com", ++ Url( ++ scheme="https", ++ auth="user:" + ("%40" * 9999), ++ host="example.com", ++ ), ++ ), + ] + + 
@pytest.mark.parametrize("url, expected_url", url_vulnerabilities) +-- +2.17.1 + diff --git a/SPECS/python-urllib3/python-urllib3.spec b/SPECS/python-urllib3/python-urllib3.spec index 33c263b05a..62ae2aadda 100644 --- a/SPECS/python-urllib3/python-urllib3.spec +++ b/SPECS/python-urllib3/python-urllib3.spec @@ -3,13 +3,14 @@ Summary: A powerful, sanity-friendly HTTP client for Python. Name: python-urllib3 Version: 1.25.9 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Languages/Python URL: https://pypi.python.org/pypi/urllib3 Source0: https://github.com/shazow/urllib3/archive/%{version}/urllib3-%{version}.tar.gz +Patch0: CVE-2021-33503.patch BuildRequires: curl-devel #%if %{with_check} BuildRequires: openssl-devel @@ -43,6 +44,7 @@ Python 3 version. %prep %setup -q -n urllib3-%{version} +%patch0 -p1 # Dummyserver tests are failing when running in chroot. So disabling the tests. rm -rf test/with_dummyserver/ @@ -98,6 +100,9 @@ ulimit -n $nofiles %{python3_sitelib}/* %changelog +* Tue Jul 09 2021 Henry Li - 1.25.9-2 +- Resolve CVE-2021-33503 + * Wed Dec 23 2020 Rachel Menge - 1.25.9-1 - Updated to version 1.25.9 diff --git a/SPECS/python-virtualenv/python-virtualenv.spec b/SPECS/python-virtualenv/python-virtualenv.spec index ee700a2cfb..fb20fc9688 100644 --- a/SPECS/python-virtualenv/python-virtualenv.spec +++ b/SPECS/python-virtualenv/python-virtualenv.spec @@ -73,7 +73,7 @@ popd * Mon Feb 15 2021 Henry Li - 16.0.0-6 - Provides python-virtualenv-doc -* Sat May 09 00:20:41 PST 2020 Nick Samson - 16.0.0-5 +* Sat May 09 2020 Nick Samson - 16.0.0-5 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 16.0.0-4 diff --git a/SPECS/python-wcwidth/python-wcwidth.spec b/SPECS/python-wcwidth/python-wcwidth.spec index 03831e0c5f..c76a1c8fe3 100644 --- a/SPECS/python-wcwidth/python-wcwidth.spec +++ b/SPECS/python-wcwidth/python-wcwidth.spec 
@@ -72,7 +72,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:59 PST 2020 Nick Samson - 0.1.7-4 +* Sat May 09 2020 Nick Samson - 0.1.7-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 0.1.7-3 diff --git a/SPECS/python-webob/python-webob.spec b/SPECS/python-webob/python-webob.spec index 7136f94a7f..ed09a668ad 100644 --- a/SPECS/python-webob/python-webob.spec +++ b/SPECS/python-webob/python-webob.spec @@ -79,7 +79,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:48 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 1.8.5-2 diff --git a/SPECS/python-yamlloader/python-yamlloader.spec b/SPECS/python-yamlloader/python-yamlloader.spec index 543062ff84..df9aa4a8a7 100644 --- a/SPECS/python-yamlloader/python-yamlloader.spec +++ b/SPECS/python-yamlloader/python-yamlloader.spec @@ -1,7 +1,5 @@ -%{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} -%bcond_without python2 %define pkgname yamlloader Summary: Loaders and dumpers for PyYAML @@ -10,7 +8,7 @@ Version: 0.5.4 Release: 1%{?dist} License: MIT URL: https://github.com/Phynix/yamlloader -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://github.com/Phynix/%{pkgname}/archive/%{version}.tar.gz Source0: %{pkgname}-%{version}.tar.gz 
@@ -20,21 +18,6 @@ BuildArch: noarch This module provides loaders and dumpers for PyYAML. -%if %{with python2} -%package -n python2-%{pkgname} -Summary: %{summary} -BuildRequires: python2-devel -BuildRequires: python-setuptools -BuildRequires: python-xml -BuildRequires: PyYAML -Requires: python2 -Requires: PyYAML - -%description -n python2-%{pkgname} -This module provides loaders and dumpers for PyYAML. -%endif - - %package -n python3-%{pkgname} Summary: %{summary} BuildRequires: python3-devel @@ -55,28 +38,13 @@ rm -rf *.egg-info %build -%if %{with python2} -python2 setup.py build -%endif python3 setup.py build %install -%if %{with python2} -python2 setup.py install --skip-build --root=%{buildroot} -%endif python3 setup.py install --skip-build --root=%{buildroot} -%if %{with python2} -%files -n python2-%{pkgname} -%license LICENSE -%doc README.rst -%{python2_sitelib}/%{pkgname} -%{python2_sitelib}/*.egg-info -%endif - - %files -n python3-%{pkgname} %license LICENSE %doc README.rst @@ -86,4 +54,5 @@ python3 setup.py install --skip-build --root=%{buildroot} %changelog * Fri Aug 21 2020 Thomas Crain - 0.5.4-1 -- Original CBL-Mariner version. \ No newline at end of file +- Original version for CBL-Mariner +- License verified diff --git a/SPECS/python2/python2.spec b/SPECS/python2/python2.spec index ff84971000..6a372d8391 100644 --- a/SPECS/python2/python2.spec +++ b/SPECS/python2/python2.spec @@ -3,7 +3,7 @@ Summary: A high-level scripting language Name: python2 Version: 2.7.18 -Release: 7%{?dist} +Release: 8%{?dist} License: PSF URL: http://www.python.org/ Group: System Environment/Programming @@ -62,7 +62,6 @@ Requires: sqlite-libs Requires: expat >= 2.1.0 Requires: libffi >= 3.0.13 Requires: ncurses -Requires: coreutils Requires: gdbm Requires: bzip2-libs %global __requires_exclude ^(/usr/bin/python|python\\(abi\\) = 2\\.7)$ 
@@ -248,9 +247,13 @@ make test %{_libdir}/python2.7/test/* %changelog -* Fri Apr 02 2021 Thomas Crain - 2.7.18-7 +* Fri Apr 02 2021 Thomas Crain - 2.7.18-8 - Merge the following releases from dev to 1.0 spec - joschmit@microsoft.com, 2.7.18-4: Turn off byte compilation since it requires this package to already be built and present. +- JOSLOBO 7/26/21 (Dash roll to resolve merge conflict) + +* Tue Mar 23 2021 Daniel Burgener 2.7.18-7 +- Remove coreutils dependency to remove circular dependency with libselinux * Mon Mar 01 2021 Thomas Crain - 2.7.18-6 - Add backported patch for CVE-2021-23336 diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index a1ee36ae8a..5016927b5f 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -3,7 +3,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.7.10 -Release: 1%{?dist} +Release: 3%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Mariner @@ -50,7 +50,6 @@ code. It is incompatible with Python 2.x releases. Summary: The libraries for python runtime Group: Applications/System Requires: bzip2-libs -Requires: coreutils Requires: expat >= 2.1.0 Requires: libffi >= 3.0.13 Requires: ncurses @@ -153,7 +152,8 @@ export OPT="%{optflags} %{openssl_flags}" --enable-shared \ --with-system-expat \ --with-system-ffi \ - --with-dbmliborder=gdbm:ndbm + --with-dbmliborder=gdbm:ndbm \ + --with-ensurepip=yes make %{?_smp_mflags} %install 
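Review bot: The added `--with-ensurepip=yes` configure option in python3.spec has no comment, and neither new changelog entry (3.7.10-2, 3.7.10-3) mentions it, although it decides where the installed pip and setuptools come from. With ensurepip enabled, `make install` installs the pip and setuptools wheels bundled in the CPython source tarball, so their versions follow the Python release rather than a separately tracked package. That is worth confirming as intended, since the older changelog entries mention pip and setuptools subpackages. I would add a spec comment above the configure call, e.g. `# ensurepip installs the pip/setuptools wheels bundled with CPython; <reason>`, and a matching changelog line. The configure invocation starts above this hunk, so its other options are not visible here.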
@@ -273,7 +273,13 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python3.7/test/* %changelog -* Fri Apr 27 2021 Thomas Crain - 3.7.10-1 +* Fri May 07 2021 Daniel Burgener 3.7.10-3 +- Remove coreutils dependency to remove circular dependency with libselinux + +* Wed Apr 28 2021 Andrew Phelps - 3.7.10-2 +- Add patch to fix test_ssl tests. + +* Tue Apr 27 2021 Thomas Crain - 3.7.10-1 - Merge the following releases from 1.0 to dev branch - thcrain@microsoft.com, 3.7.9-1: Update to 3.7.9, the latest security release for 3.7 - thcrain@microsoft.com, 3.7.9-2: Patch CVE-2020-27619 
@@ -304,142 +310,142 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ - pathfix.py spec changes imported from Fedora 32 (license: MIT) - Provide python3dist(setuptools). -* Thu Oct 15 2020 Joe Schmitt 3.7.7-5 -- Add OPENSSL_NO_COMP flag to configuration. +* Thu Oct 15 2020 Joe Schmitt 3.7.7-5 +- Add OPENSSL_NO_COMP flag to configuration. -* Mon Sep 28 2020 Joe Schmitt 3.7.7-4 -- Comment out check section to avoid unmet dependencies. +* Mon Sep 28 2020 Joe Schmitt 3.7.7-4 +- Comment out check section to avoid unmet dependencies. -* Mon Sep 28 2020 Ruying Chen 3.7.7-3 -- Add Requires for python3-xml and python3-setuptools in python3-devel. +* Mon Sep 28 2020 Ruying Chen 3.7.7-3 +- Add Requires for python3-xml and python3-setuptools in python3-devel. -* Mon Jul 06 2020 Henry Beberman 3.7.7-2 -- Add BuildRequires for iana-etc and tzdata for check section. +* Mon Jul 06 2020 Henry Beberman 3.7.7-2 +- Add BuildRequires for iana-etc and tzdata for check section. -* Wed Jun 10 2020 Paul Monson 3.7.7-1 -- Update to Python 3.7.7 to fix CVEs +* Wed Jun 10 2020 Paul Monson 3.7.7-1 +- Update to Python 3.7.7 to fix CVEs -* Thu May 21 2020 Suresh Babu Chalamalasetty 3.7.3-10 -- Fix CVE-2019-16056. +* Thu May 21 2020 Suresh Babu Chalamalasetty 3.7.3-10 +- Fix CVE-2019-16056. -* Wed May 20 2020 Nicolas Ontiveros 3.7.3-9 -- Fix CVE-2020-8492. +* Wed May 20 2020 Nicolas Ontiveros 3.7.3-9 +- Fix CVE-2020-8492. -* Wed May 20 2020 Paul Monson 3.7.3-8 -- Fix variable use. +* Wed May 20 2020 Paul Monson 3.7.3-8 +- Fix variable use. -* Sat May 09 00:20:54 PST 2020 Nick Samson - 3.7.3-7 -- Added %%license line automatically +* Sat May 09 2020 Nick Samson - 3.7.3-7 +- Added %%license line automatically -* Wed May 06 2020 Paul Monson 3.7.3-6 -- Replace unsupported TLS methods with a patch. +* Wed May 06 2020 Paul Monson 3.7.3-6 +- Replace unsupported TLS methods with a patch. -* Thu Apr 09 2020 Nicolas Ontiveros 3.7.3-5 -- Remove toybox and only use coreutils for requires. 
+* Thu Apr 09 2020 Nicolas Ontiveros 3.7.3-5 +- Remove toybox and only use coreutils for requires. -* Mon Nov 25 2019 Andrew Phelps 3.7.3-4 -- Remove duplicate libpython3.so from devel package +* Mon Nov 25 2019 Andrew Phelps 3.7.3-4 +- Remove duplicate libpython3.so from devel package -* Tue Sep 03 2019 Mateusz Malisz 3.7.3-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 3.7.3-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Jun 17 2019 Tapas Kundu 3.7.3-2 -- Fix for CVE-2019-10160 +* Mon Jun 17 2019 Tapas Kundu 3.7.3-2 +- Fix for CVE-2019-10160 -* Mon Jun 10 2019 Tapas Kundu 3.7.3-1 -- Update to Python 3.7.3 release +* Mon Jun 10 2019 Tapas Kundu 3.7.3-1 +- Update to Python 3.7.3 release -* Thu May 23 2019 Tapas Kundu 3.7.0-6 -- Fix for CVE-2019-5010 -- Fix for CVE-2019-9740 +* Thu May 23 2019 Tapas Kundu 3.7.0-6 +- Fix for CVE-2019-5010 +- Fix for CVE-2019-9740 -* Tue Mar 12 2019 Tapas Kundu 3.7.0-5 -- Fix for CVE-2019-9636 +* Tue Mar 12 2019 Tapas Kundu 3.7.0-5 +- Fix for CVE-2019-9636 -* Mon Feb 11 2019 Taps Kundu 3.7.0-4 -- Fix for CVE-2018-20406 +* Mon Feb 11 2019 Taps Kundu 3.7.0-4 +- Fix for CVE-2018-20406 -* Fri Dec 21 2018 Tapas Kundu 3.7.0-3 -- Fix for CVE-2018-14647 +* Fri Dec 21 2018 Tapas Kundu 3.7.0-3 +- Fix for CVE-2018-14647 -* Tue Dec 04 2018 Tapas Kundu 3.7.0-2 -- Excluded windows installer from python3 libs packaging. +* Tue Dec 04 2018 Tapas Kundu 3.7.0-2 +- Excluded windows installer from python3 libs packaging. 
-* Wed Sep 26 2018 Tapas Kundu 3.7.0-1 -- Updated to version 3.7.0 +* Wed Sep 26 2018 Tapas Kundu 3.7.0-1 +- Updated to version 3.7.0 -* Mon Sep 18 2017 Alexey Makhalov 3.6.1-9 -- Requires coreutils or toybox -- Requires bzip2-libs +* Mon Sep 18 2017 Alexey Makhalov 3.6.1-9 +- Requires coreutils or toybox +- Requires bzip2-libs -* Fri Sep 15 2017 Bo Gan 3.6.1-8 -- Remove devpts mount in check +* Fri Sep 15 2017 Bo Gan 3.6.1-8 +- Remove devpts mount in check -* Mon Aug 28 2017 Dheeraj Shetty 3.6.1-7 -- Add pty for tests to pass +* Mon Aug 28 2017 Dheeraj Shetty 3.6.1-7 +- Add pty for tests to pass -* Wed Jul 12 2017 Xiaolin Li 3.6.1-6 -- Add python3-test package. +* Wed Jul 12 2017 Xiaolin Li 3.6.1-6 +- Add python3-test package. -* Fri Jun 30 2017 Dheeraj Shetty 3.6.1-5 -- Remove the imaplib tests. +* Fri Jun 30 2017 Dheeraj Shetty 3.6.1-5 +- Remove the imaplib tests. -* Mon Jun 05 2017 Xiaolin Li 3.6.1-4 -- Added pip, setuptools, xml, and curses sub packages. +* Mon Jun 05 2017 Xiaolin Li 3.6.1-4 +- Added pip, setuptools, xml, and curses sub packages. -* Sun Jun 04 2017 Bo Gan 3.6.1-3 -- Fix symlink and script +* Sun Jun 04 2017 Bo Gan 3.6.1-3 +- Fix symlink and script -* Wed May 10 2017 Harish Udaiya Kumar 3.6.1-2 -- Exclude idle3. +* Wed May 10 2017 Harish Udaiya Kumar 3.6.1-2 +- Exclude idle3. -* Wed Apr 26 2017 Siju Maliakkal 3.6.1-1 -- Updating to latest +* Wed Apr 26 2017 Siju Maliakkal 3.6.1-1 +- Updating to latest -* Fri Apr 14 2017 Alexey Makhalov 3.5.3-3 -- Python3-devel requires expat-devel. +* Fri Apr 14 2017 Alexey Makhalov 3.5.3-3 +- Python3-devel requires expat-devel. -* Thu Mar 23 2017 Xiaolin Li 3.5.3-2 -- Provides /bin/python3. +* Thu Mar 23 2017 Xiaolin Li 3.5.3-2 +- Provides /bin/python3. -* Tue Feb 28 2017 Xiaolin Li 3.5.3-1 -- Updated to version 3.5.3. +* Tue Feb 28 2017 Xiaolin Li 3.5.3-1 +- Updated to version 3.5.3. 
-* Fri Jan 20 2017 Dheeraj Shetty 3.5.1-10 -- Added patch to support Photon OS +* Fri Jan 20 2017 Dheeraj Shetty 3.5.1-10 +- Added patch to support Photon OS -* Tue Dec 20 2016 Xiaolin Li 3.5.1-9 -- Move easy_install-3.5 to devel subpackage. +* Tue Dec 20 2016 Xiaolin Li 3.5.1-9 +- Move easy_install-3.5 to devel subpackage. -* Wed Nov 16 2016 Alexey Makhalov 3.5.1-8 -- Use sqlite-{devel,libs} +* Wed Nov 16 2016 Alexey Makhalov 3.5.1-8 +- Use sqlite-{devel,libs} -* Thu Oct 27 2016 Anish Swaminathan 3.5.1-7 -- Patch for CVE-2016-5636 +* Thu Oct 27 2016 Anish Swaminathan 3.5.1-7 +- Patch for CVE-2016-5636 -* Mon Oct 10 2016 ChangLee 3.5.1-6 -- Modified %check +* Mon Oct 10 2016 ChangLee 3.5.1-6 +- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 3.5.1-5 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 3.5.1-5 +- GA - Bump release of all rpms -* Wed May 04 2016 Anish Swaminathan 3.5.1-4 -- Edit scriptlets. +* Wed May 04 2016 Anish Swaminathan 3.5.1-4 +- Edit scriptlets. -* Wed Apr 13 2016 Priyesh Padmavilasom 3.5.1-3 -- update python to require python-libs +* Wed Apr 13 2016 Priyesh Padmavilasom 3.5.1-3 +- update python to require python-libs -* Thu Apr 07 2016 Mahmoud Bassiouny 3.5.1-2 -- Providing python3 binaries instead of the minor versions. +* Thu Apr 07 2016 Mahmoud Bassiouny 3.5.1-2 +- Providing python3 binaries instead of the minor versions. -* Tue Feb 23 2016 Harish Udaiya Kumar 3.5.1-1 -- Updated to version 3.5.1 +* Tue Feb 23 2016 Harish Udaiya Kumar 3.5.1-1 +- Updated to version 3.5.1 -* Wed Dec 09 2015 Anish Swaminathan 3.4.3-3 -- Edit post script. +* Wed Dec 09 2015 Anish Swaminathan 3.4.3-3 +- Edit post script. -* Mon Aug 17 2015 Vinay Kulkarni 3.4.3-2 -- Remove python.o file, and minor cleanups. +* Mon Aug 17 2015 Vinay Kulkarni 3.4.3-2 +- Remove python.o file, and minor cleanups. -* Wed Jul 1 2015 Vinay Kulkarni 3.4.3 -- Add Python3 package to Photon. 
+* Wed Jul 1 2015 Vinay Kulkarni 3.4.3 +- Add Python3 package to Photon. diff --git a/SPECS/pytz/pytz.spec b/SPECS/pytz/pytz.spec index e6ecb3fa17..a98278137b 100644 --- a/SPECS/pytz/pytz.spec +++ b/SPECS/pytz/pytz.spec @@ -87,7 +87,7 @@ popd %{python3_sitelib}/* %changelog -* Sat May 09 00:20:48 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin 2018.5-4 diff --git a/SPECS/binutils/CVE-2020-35496.nopatch b/SPECS/qemu-kvm/CVE-2020-27661.nopatch similarity index 100% rename from SPECS/binutils/CVE-2020-35496.nopatch rename to SPECS/qemu-kvm/CVE-2020-27661.nopatch diff --git a/SPECS/qemu-kvm/CVE-2021-20181.patch b/SPECS/qemu-kvm/CVE-2021-20181.patch new file mode 100644 index 0000000000..1fa69ebb67 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2021-20181.patch @@ -0,0 +1,29 @@ +CVE-2021-20181 patch adapted from QEMU patch by Greg Kurz + +Taken from upstream https://git.qemu.org/?p=qemu.git;a=commit;h=89fbea8737e8f7b954745a1ffc4238d377055305 + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 94df440..6026b51 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + { + int err; + V9fsState *s = pdu->s; +- V9fsFidState *fidp, head_fid; ++ V9fsFidState *fidp; + +- head_fid.next = s->fid_list; ++again: + for (fidp = s->fid_list; fidp; fidp = fidp->next) { + if (fidp->path.size != path->size) { + continue; +@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + * switched to the worker thread + */ + if (err == 0) { +- fidp = &head_fid; ++ goto again; + } + } + } diff --git a/SPECS/qemu-kvm/CVE-2021-20221.patch b/SPECS/qemu-kvm/CVE-2021-20221.patch new file mode 100644 index 0000000000..4cfb1b54b5 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2021-20221.patch 
@@ -0,0 +1,13 @@ +diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c +index c33b1c8c4bc7c422c7fa28746b66f18ef56e9d60..a994b1f0245042ca603a2eb386b7f17cfa810682 100644 +--- a/hw/intc/arm_gic.c ++++ b/hw/intc/arm_gic.c +@@ -1477,7 +1477,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, + int target_cpu; + + cpu = gic_get_current_cpu(s); +- irq = value & 0x3ff; ++ irq = value & 0xf; + switch ((value >> 24) & 3) { + case 0: + mask = (value >> 16) & ALL_CPU_MASK; diff --git a/SPECS/qemu-kvm/CVE-2021-3527.patch b/SPECS/qemu-kvm/CVE-2021-3527.patch new file mode 100644 index 0000000000..71ecdae577 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2021-3527.patch 
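Review bot: CVE-2021-20221.patch is added as a bare diff with no header, so nothing in the file says which upstream change it was taken from or who backported it. The sibling patches in this commit do carry that information (CVE-2021-20181.patch has a `Taken from upstream ...` line, CVE-2021-3527.patch a `Backported from upstream commits ...` line). That is what lets a later reviewer check the one-line mask change `irq = value & 0xf;` in `gic_dist_writel` against the original fix. I would add a short header before the `diff --git` line, e.g. `CVE-2021-20221: taken from upstream QEMU commit <UPSTREAM_COMMIT_URL>`. The body of `gic_dist_writel` extends beyond the hunk, so how `irq` is used afterwards is not visible here.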
@@ -0,0 +1,99 @@ +Backported from upstream commits by Gerd Hoffmann +https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html + +Signed-off-by: Nicolas Ontiveros +--- a/hw/usb/dev-hid.c 2019-12-12 10:20:47.000000000 -0800 ++++ b/hw/usb/dev-hid.c 2021-06-18 10:24:36.926202610 -0700 +@@ -667,7 +667,7 @@ + { + USBHIDState *us = USB_HID(dev); + HIDState *hs = &us->hid; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + int len = 0; + + switch (p->pid) { + +--- a/hw/usb/dev-wacom.c 2019-12-12 10:20:47.000000000 -0800 ++++ b/hw/usb/dev-wacom.c 2021-06-18 10:25:31.758748961 -0700 +@@ -306,7 +306,7 @@ + static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) + { + USBWacomState *s = (USBWacomState *) dev; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + int len = 0; + + switch (p->pid) { + +--- a/hw/usb/redirect.c 2019-12-12 10:20:47.000000000 -0800 ++++ b/hw/usb/redirect.c 2021-06-18 10:30:00.137462057 -0700 +@@ -607,7 +607,7 @@ + .endpoint = ep, + .length = p->iov.size + }; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, +@@ -805,7 +805,7 @@ + usbredirparser_send_bulk_packet(dev->parser, p->id, + &bulk_packet, NULL, 0); + } else { +- uint8_t buf[size]; ++ g_autofree uint8_t *buf = g_malloc(size); + usb_packet_copy(p, buf, size); + usbredir_log_data(dev, "bulk data out:", buf, size); + usbredirparser_send_bulk_packet(dev->parser, p->id, +@@ -910,7 +910,7 @@ + USBPacket *p, uint8_t ep) + { + struct usb_redir_interrupt_packet_header interrupt_packet; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + + DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, + p->iov.size, p->id); + +--- a/hw/usb/dev-mtp.c 2019-12-12 10:20:47.000000000 -0800 ++++ 
b/hw/usb/dev-mtp.c 2021-06-18 10:32:03.890772495 -0700 +@@ -906,7 +906,8 @@ + MTPObject *o) + { + MTPData *d = usb_mtp_data_alloc(c); +- uint32_t i = 0, handles[o->nchildren]; ++ uint32_t i = 0; ++ g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren); + MTPObject *iter; + + trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path); + +--- a/hw/usb/hcd-xhci.c 2019-12-12 10:20:47.000000000 -0800 ++++ b/hw/usb/hcd-xhci.c 2021-06-18 10:35:58.137218301 -0700 +@@ -1616,6 +1616,11 @@ + usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid, + xfer->trbs[0].addr, false, xfer->int_req); + usb_packet_map(&xfer->packet, &xfer->sgl); ++ if (xfer->packet.iov.size > ep->max_packet_size) { ++ usb_packet_unmap(&xfer->packet, &xfer->sgl); ++ qemu_sglist_destroy(&xfer->sgl); ++ return -1; ++ } + DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n", + xfer->packet.pid, ep->dev->addr, ep->nr); + return 0; + +--- a/hw/usb/combined-packet.c 2019-12-12 10:20:47.000000000 -0800 ++++ b/hw/usb/combined-packet.c 2021-06-18 10:37:22.794093862 -0700 +@@ -171,7 +171,9 @@ + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { diff --git a/SPECS/qemu-kvm/CVE-2021-3546.patch b/SPECS/qemu-kvm/CVE-2021-3546.patch new file mode 100644 index 0000000000..bb04b9af76 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2021-3546.patch 
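Review bot: The guard added in hw/usb/hcd-xhci.c, `if (xfer->packet.iov.size > ep->max_packet_size)`, compares the size of the whole mapped transfer with the size of a single packet, which looks stricter than intended. The combined-packet.c part of this same patch tests `p->iov.size % ep->max_packet_size`, which suggests a transfer may legitimately span several packets, so this check may reject valid guest I/O rather than only oversized requests. Please confirm that this hunk matches what was finally merged upstream before shipping it. Separately, the `g_malloc(p->iov.size)` replacements move the buffers off the stack but leave their size driven by the packet, so the effective upper bound still rests on the xhci check and the 1 MiB combined-packet limit. The enclosing functions start and end outside the inner hunks.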
@@ -0,0 +1,32 @@ +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang +Reviewed-by: Prasad J Pandit +Signed-off-by: Li Qiang +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index a16a311d80..7172104b19 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.25.1 \ No newline at end of file diff --git a/SPECS/qemu-kvm/qemu-kvm.spec b/SPECS/qemu-kvm/qemu-kvm.spec index db71a36969..8d86dee43b 100644 --- a/SPECS/qemu-kvm/qemu-kvm.spec +++ b/SPECS/qemu-kvm/qemu-kvm.spec @@ -1,7 +1,7 @@ Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 29%{?dist} +Release: 34%{?dist} License: GPLv2 AND GPLv2+ AND CC-BY AND BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -50,6 +50,12 @@ Patch31: CVE-2021-20255.patch Patch32: CVE-2021-3416.patch Patch33: CVE-2021-3392.patch Patch34: CVE-2021-3409.patch +Patch35: CVE-2021-20181.patch +Patch36: CVE-2021-20221.patch +Patch37: CVE-2021-3527.patch +Patch38: CVE-2020-27661.nopatch +Patch39: CVE-2021-3546.patch + BuildRequires: alsa-lib-devel BuildRequires: glib-devel BuildRequires: pixman-devel 
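Review bot: `Patch38: CVE-2020-27661.nopatch` is added with no comment saying why this CVE needs no patch, and the file arrives as a 100% rename of a binutils .nopatch, so its content cannot be specific to this CVE either. Anyone auditing CVE status for qemu-kvm 4.2.0 has only the changelog line `Mark CVE-2020-27661 as nopatch` to go on. I would put the rationale next to the declaration, e.g. `# CVE-2020-27661: not applicable to 4.2.0 - <reason, e.g. affected code not present>`. The rename also removes SPECS/binutils/CVE-2020-35496.nopatch, so it is worth confirming that the binutils spec no longer references that file.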
@@ -109,6 +115,13 @@ This package provides a command line tool for manipulating disk images. %patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch39 -p1 + +# Remove invalid flag exposed by binutils 2.36.1 +sed -i "/LDFLAGS_NOPIE/d" configure %build @@ -205,6 +218,22 @@ fi %{_bindir}/qemu-nbd %changelog +* Tue Jul 06 2021 Henry Li - 4.2.0-34 +- Patch CVE-2021-3546 + +* Tue Jun 22 2021 Suresh Babu Chalamalasetty - 4.2.0-33 +- Mark CVE-2020-27661 as nopatch + +* Thu Jun 17 2021 Nicolas Ontiveros - 4.2.0-32 +- Patch CVE-2021-20221 +- Patch CVE-2021-3527 + +* Mon Jun 07 2021 Henry Beberman - 4.2.0-31 +- Patch CVE-2021-20181 + +* Tue May 11 2021 Andrew Phelps - 4.2.0-30 +- Remove LDFLAGS_NOPIE to compile with binutils 2.36.1 + * Wed Apr 07 2021 Neha Agarwal - 4.2.0-29 - Patch CVE-2021-3392 and CVE-2021-3409. @@ -289,7 +318,7 @@ fi * Thu May 21 2020 Suresh Babu Chalamalasetty - 4.2.0-8 - Fix CVE-2020-1711 and CVE-2020-7211. -* Sat May 09 00:20:51 PST 2020 Nick Samson - 4.2.0-7 +* Sat May 09 2020 Nick Samson - 4.2.0-7 - Added %%license line automatically * Fri May 1 2020 Emre Girgin - 4.2.0-6 diff --git a/SPECS/ragel/ragel.signatures.json b/SPECS/ragel/ragel.signatures.json new file mode 100644 index 0000000000..2f63bb087e --- /dev/null +++ b/SPECS/ragel/ragel.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "ragel-7.0.0.12.tar.gz": "3999ef97fb108b39d11d9b96986f5e05c74bd95de8dd474301d86c5aca887a74" + } +} \ No newline at end of file diff --git a/SPECS/ragel/ragel.spec b/SPECS/ragel/ragel.spec new file mode 100644 index 0000000000..f2203b9291 --- /dev/null +++ b/SPECS/ragel/ragel.spec 
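Review bot: `sed -i "/LDFLAGS_NOPIE/d" configure` deletes every line of configure that mentions LDFLAGS_NOPIE and exits successfully even when nothing matches, so the workaround can silently go stale or remove more than the one flag. A guard such as `grep -q LDFLAGS_NOPIE configure` before the sed would make the build fail loudly when the pattern disappears. The comment should also say which build outputs used the flag, because the hunk does not show whether dropping it changes how any shipped binary is linked. `%patch38` is skipped on purpose; a one-line comment like `# Patch38 is a .nopatch marker and is not applied` would make the numbering gap obvious.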
@@ -0,0 +1,231 @@ +Name: ragel +Version: 7.0.0.12 +Release: 5%{?dist} +Summary: Finite state machine compiler +# aapl/ is the LGPLv2+ +License: MIT AND LGPLv2+ +Group: Development/Libraries +Vendor: Microsoft Corporation +Distribution: Mariner +URL: http://www.colm.net/open-source/%{name}/ +Source0: https://www.colm.net/files/%{name}/%{name}-%{version}.tar.gz + +BuildRequires: gcc +BuildRequires: libstdc++ +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: make +BuildRequires: colm-devel = 0.13.0.7 + +%description +Ragel compiles executable finite state machines from regular languages. +Ragel targets C, C++ and ASM. Ragel state machines can not only recognize +byte sequences as regular expression machines do, but can also execute code +at arbitrary points in the recognition of a regular language. Code embedding +is done using inline operators that do not disrupt the regular language syntax. + +%package devel +Summary: Development libraries header files for %{name} +Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description devel +%{summary}. 
+ +%prep +%autosetup +# Do not pollute with docs +sed -i -e "/dist_doc_DATA/d" Makefile.am + +%build +autoreconf -vfi +%configure --disable-static +%make_build + +%install +%make_install +find %{buildroot}%{_libdir} -type f -name '*.la' -print -delete +install -p -m 0644 -D %{name}.vim %{buildroot}%{_datadir}/vim/vimfiles/syntax/%{name}.vim + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%license COPYING +%doc CREDITS ChangeLog +%{_bindir}/%{name} +%{_bindir}/%{name}-* +%{_mandir}/man1/%{name}.1* +%{_libdir}/libfsm.so.* +%{_libdir}/libragel.so.* +%{_datarootdir}/%{name}.lm +%dir %{_datadir}/vim +%dir %{_datadir}/vim/vimfiles +%dir %{_datadir}/vim/vimfiles/syntax +%{_datadir}/vim/vimfiles/syntax/%{name}.vim + +%files devel +%{_libdir}/libfsm.so +%{_libdir}/libragel.so +%{_includedir}/%{name}/ + +%changelog +* Sat Jul 10 2021 Henry Li - 7.0.0.12-5 +- Remove Provides bundled(aapl) + +* Fri Jul 02 2021 Suresh Babu Chalamalasetty - 7.0.0.12-4 +- Initial CBL-Mariner import from Fedora 32 (license: MIT) +- License verified + +* Thu Jan 30 2020 Fedora Release Engineering - 7.0.0.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sun Jul 28 2019 Christian Glombek - 7.0.0.12-2 +- Explicitly require colm 0.13.07 for the build + +* Sun Jul 28 2019 Christian Glombek - 7.0.0.12-1 +- Updated to version 7.0.0.12 + +* Fri Jul 26 2019 Fedora Release Engineering - 7.0.0.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 7.0.0.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 7.0.0.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jul 06 2018 Christian Glombek - 7.0.0.11-1 +- Update to 7.0.0.11 + +* Fri Feb 09 2018 Fedora Release Engineering - 7.0.0.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Dec 11 2017 Jason Taylor - 
7.0.0.10-1 +- Upstream bugfix release +- Updated spec to reflect MIT license + +* Thu Aug 03 2017 Fedora Release Engineering - 7.0.0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 7.0.0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 7.0.0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Oct 07 2016 Igor Gnatenko - 7.0.0.9-1 +- Fix FTBFS +- Update to 7.0.0.9 +- Trivial fixes in spec + +* Thu Feb 04 2016 Fedora Release Engineering - 6.8-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 6.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat May 02 2015 Kalev Lember - 6.8-4 +- Rebuilt for GCC 5 C++11 ABI change + +* Sun Aug 17 2014 Fedora Release Engineering - 6.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 6.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Sep 08 2013 Jeremy Hinegardner - 6.8-1 +- Update to upstream 6.8 + +* Sun Aug 04 2013 Fedora Release Engineering - 6.6-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 6.6-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Aug 1 2012 Mamoru Tasaka - 6.6-6 +- Fix build with gcc47 +- Pass fedora cflags correctly + +* Sat Jul 21 2012 Fedora Release Engineering - 6.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering - 6.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Feb 09 2011 Fedora Release Engineering - 6.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Aug 24 2010 Adam Tkac - 6.6-2 
+- rebuild to ensure F14 has higher NVR than F13 + +* Thu Feb 18 2010 Jeremy Hinegardner - 6.6-0 +- update to 6.6 +- remove patch, fix applied upstream + +* Sun Aug 02 2009 Jeremy Hinegardner - 6.5-2 +- fix build process + +* Sun Aug 02 2009 Jeremy Hinegardner - 6.5-1 +- Update to 6.5 + +* Sun Jul 26 2009 Fedora Release Engineering - 6.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Apr 14 2009 Jeremy Hinegardner 6.4-3 +- remove main.cpp patch for testing + +* Sat Apr 11 2009 Jeremy Hinegardner 6.4-2 +- add patch for main.cpp + +* Sat Apr 11 2009 Jeremy Hinegardner 6.4-1 +- Update to 6.4 + +* Wed Feb 25 2009 Fedora Release Engineering - 6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Aug 30 2008 Jeremy Hinegardner - 6.3-1 +- update to 6.3 + +* Mon May 12 2008 Jeremy Hinegardner - 6.2-1 +- update to 6.2 + +* Mon Apr 14 2008 Jeremy Hinegardner - 6.1-1 +- update to 6.1 + +* Tue Feb 19 2008 Fedora Release Engineering - 6.0-2 +- Autorebuild for GCC 4.3 + +* Sat Jan 19 2008 Jeremy Hinegardner - 6.0-1 +- update to 6.0 + +* Sun Jan 06 2008 Jeremy Hinegardner - 5.25-1 +- update to 5.25 + +* Tue Sep 18 2007 Jeremy Hinegardner - 5.24-1 +- update to 5.24 +- update License tag + +* Wed Aug 29 2007 Fedora Release Engineering - 5.23-2 +- Rebuild for selinux ppc32 issue. 
+ +* Tue Jul 24 2007 Jeremy Hinegardner - 5.23-1 +- update to 5.23 +- removed ragel-rlcodegen-replace.patch - it was applied upstream + +* Mon Jun 18 2007 Jeremy Hinegardner - 5.22-1 +- update to 5.22 +- remove ragel-Makefile-in.patch - it was applied upstream +- update ragel-rlcodegen-replace.patch to apply cleanly + +* Sat Mar 24 2007 Jeremy Hinegardner - 5.19-4 +- further replacement of rlcodegen +- rework patches + +* Fri Mar 23 2007 Jeremy Hinegardner - 5.19-3 +- replace RPM_BUILD_ROOT in spec file with buildroot macro +- cleanup rpmlint errors for the src.rpm +- add ragel(1) man page patch + +* Tue Mar 20 2007 Jeremy Hinegardner - 5.19-1 +- Creation of spec file diff --git a/SPECS/rdma-core/rdma-core.spec b/SPECS/rdma-core/rdma-core.spec index 7f982904dd..de98c8357a 100644 --- a/SPECS/rdma-core/rdma-core.spec +++ b/SPECS/rdma-core/rdma-core.spec @@ -6,7 +6,7 @@ Name: rdma-core Version: 31.0 Release: 2%{?dist} URL: https://github.com/linux-rdma/rdma-core -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner # Almost everything is licensed under the OFA dual GPLv2, 2 Clause BSD license @@ -617,7 +617,7 @@ fi %changelog * Fri Aug 21 2020 Thomas Crain - 31.0-2 -- Initial CBL-Mariner import from Fedora 33 (license: MIT) +- Initial CBL-Mariner import from Fedora 33 (license: MIT). License verified. * Wed Aug 19 2020 Honggang Li - 31.0-1 - Rebase to upstream release v31.0 diff --git a/SPECS/re2/re2-soname.patch b/SPECS/re2/re2-soname.patch new file mode 100644 index 0000000000..5fce1630c5 --- /dev/null +++ b/SPECS/re2/re2-soname.patch 
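Review bot: The spec declares no `Provides: bundled(aapl)` although the `# aapl/ is the LGPLv2+` comment indicates that the tarball ships a bundled copy of aapl, and the newest changelog entry says the declaration was removed deliberately. Without it the bundled library is invisible to dependency and CVE tooling; if the Provides had to go for tooling reasons, keep at least a comment naming the bundled component and its version. The spec also has no `%check` section, so the package build runs no tests. `URL:` uses `http://` while `Source0` already uses `https://`, which is a one-word fix.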
@@ -0,0 +1,12 @@
+diff -up re2-2019-08-01/Makefile.soname re2-2019-08-01/Makefile
+--- re2-2019-08-01/Makefile.soname 2019-08-09 16:17:57.364309804 -0500
++++ re2-2019-08-01/Makefile 2019-08-09 16:07:04.674225074 -0500
+@@ -44,7 +44,7 @@ endif
+
+ # ABI version
+ # http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
+-SONAME=0
++SONAME=0a
+
+ # To rebuild the Tables generated by Perl and Python scripts (requires Internet
+ # access for Unicode data), uncomment the following line:
diff --git a/SPECS/re2/re2.signatures.json b/SPECS/re2/re2.signatures.json
new file mode 100644
index 0000000000..d2102fe898
--- /dev/null
+++ b/SPECS/re2/re2.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "re2-2019-08-01.tar.gz": "38bc0426ee15b5ed67957017fd18201965df0721327be13f60496f2b356e3e01"
+ }
+}
diff --git a/SPECS/re2/re2.spec b/SPECS/re2/re2.spec
new file mode 100644
index 0000000000..ca7ba3a5bc
--- /dev/null
+++ b/SPECS/re2/re2.spec
@@ -0,0 +1,179 @@ +%global longver 2019-08-01 +%global shortver %(echo %{longver}|sed 's|-||g') +Summary: C++ fast alternative to backtracking RE engines +Name: re2 +Version: %{shortver} +Release: 9%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +URL: http://github.com/google/%{name}/ +Source0: %{name}-%{longver}.tar.gz +# downstream patch to change soname .0 => .0a +# This is in response to symbol changes in recent release per +# https://bugzilla.redhat.com/show_bug.cgi?id=1672014#c10 +# TODO: poke upstream on their policy/intentions regarding maintaining +# stable ABI, or at least get them to bump soname appropriately so we +# won't have to handle it ourselves downsream via this patch indefinitely. +Patch1: re2-soname.patch +BuildRequires: gcc +BuildRequires: make + +%description +RE2 is a C++ library providing a fast, safe, thread-friendly alternative to +backtracking regular expression engines like those used in PCRE, Perl, and +Python. + +Backtracking engines are typically full of features and convenient syntactic +sugar but can be forced into taking exponential amounts of time on even small +inputs. + +In contrast, RE2 uses automata theory to guarantee that regular expression +searches run in time linear in the size of the input, at the expense of some +missing features (e.g back references and generalized assertions). + +%package devel +Summary: C++ header files and library symbolic links for %{name} +Requires: %{name} = %{version} + +%description devel +This package contains the C++ header files and symbolic links to the shared +libraries for %{name}. If you would like to develop programs using %{name}, +you will need to install %{name}-devel. 
+ +%prep +%setup -q -n %{name}-%{longver} + +%patch1 -p1 -b .soname + +%build +# The -pthread flag issue has been submitted upstream: +# http://groups.google.com/forum/?fromgroups=#!topic/re2-dev/bkUDtO5l6Lo +# The RPM macro for the linker flags does not exist on EPEL +%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro} +CXXFLAGS="${CXXFLAGS:-%{optflags}} -pthread" +LDFLAGS="${LDFLAGS:-%{__global_ldflags}} -pthread" + +%make_build \ + CXXFLAGS="$CXXFLAGS"\ + LDFLAGS="$LDFLAGS" \ + includedir=%{_includedir}\ + libdir=%{_libdir} + +%install +%make_install \ + INSTALL="install -p"\ + includedir=%{_includedir}\ + libdir=%{_libdir} + +# Suppress the static library +rm -fv %{buildroot}%{_libdir}/libre2.a + +%check +%make_build shared-test + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + +%files +%license LICENSE +%doc AUTHORS CONTRIBUTORS README +%{_libdir}/libre2.so.0a* + +%files devel +%{_includedir}/re2/ +%{_libdir}/libre2.so +%{_libdir}/pkgconfig/re2.pc + +%changelog +* Thu Jun 03 2021 Suresh Babu Chalamalasetty - 1:20190801-9 +- Initial CBL-Mariner import from Fedora 35 (license: MIT) +- License verified + +* Tue Mar 30 2021 Jonathan Wakely - 1:20190801-8 +- Rebuilt for removed libstdc++ symbol (#1937698) + +* Wed Jan 27 2021 Fedora Release Engineering - 1:20190801-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Aug 26 2020 Jeff Law - 1:20190801-6 +- No longer force C++11 + +* Wed Jul 29 2020 Fedora Release Engineering - 1:20190801-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jan 30 2020 Fedora Release Engineering - 1:20190801-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Aug 14 2019 Rex Dieter - 1:20190801-3 +- -devel: use epoch in versioned dep + +* Wed Aug 14 2019 Rex Dieter - 1:20190801-2 +- bump soname +- tighten %%files, track soname explicitly +- use %%make_build %%make_install macros +- Epoch:1 for upgrade path (from f29) + +* Sat Aug 03 2019 
Lukas Vrabec - 20190801-1 +- update to 20190801 + +* Fri Jul 26 2019 Fedora Release Engineering - 20160401-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 20160401-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 20160401-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 20160401-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 20160401-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 20160401-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 20160401-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Apr 29 2016 Tom Callaway - 20160401-2 +- hardcode -std=c++11 for older compilers + +* Fri Apr 29 2016 Tom Callaway - 20160401-1 +- update to 20160401 + +* Thu Feb 04 2016 Fedora Release Engineering - 20131024-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 20131024-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Apr 15 2015 Petr Pisar - 20131024-4 +- Rebuild owing to C++ ABI change in GCC-5 (bug #1195351) + +* Sun Aug 17 2014 Fedora Release Engineering - 20131024-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 20131024-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Nov 11 2013 Tom Callaway - 20131024-1 +- update to 20131024 +- fix symbols export to stop test from failing + +* Sun Aug 04 2013 Fedora Release Engineering - 20130115-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 
+ +* Sun Feb 17 2013 Denis Arnaud 20130115-2 +- Took into account the feedback from review request (#868578). + +* Sun Feb 10 2013 Denis Arnaud 20130115-1 +- The download source comes now directly from the project. + +* Thu Oct 25 2012 Denis Arnaud 0.0.0-2 +- Took into account review request (#868578) feedback. + +* Sat Oct 20 2012 Denis Arnaud 0.0.0-1 +- RPM release for Fedora 18 diff --git a/SPECS/readline/readline.spec b/SPECS/readline/readline.spec index d0c7b106f0..fe40a21c5e 100644 --- a/SPECS/readline/readline.spec +++ b/SPECS/readline/readline.spec 
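Review bot: `Source0: %{name}-%{longver}.tar.gz` is a bare file name, so the spec does not record where the tarball pinned in re2.signatures.json came from, and the hash cannot be checked against upstream from the spec alone. A full URL keeps that link, for example `Source0: https://github.com/google/%{name}/archive/%{longver}.tar.gz#/%{name}-%{longver}.tar.gz` (verify the exact archive path before use). The changelog versions carry an epoch (`1:20190801-9`) but the spec defines no `Epoch:`, which should be reconciled one way or the other. In the -devel subpackage, `Requires: %{name} = %{version}` omits the release, so headers are not tied to the exact library build; `Requires: %{name} = %{version}-%{release}` is tighter.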
@@ -98,27 +98,32 @@ make %{?_smp_mflags} check %{_mandir}/man3/readline.3.gz %changelog -* Fri Feb 05 2021 Joe Schmitt - 7.0-5 -- Replace incorrect %%{_lib} usage with %%{_libdir} - * Sat May 09 2020 Nick Samson - 7.0-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 7.0-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Sun Jun 04 2017 Bo Gan 7.0-2 -- Fix dependency -* Fri Jan 13 2017 Dheeraj Shetty 7.0-1 -- Updated to version 7.0 -* Wed Nov 16 2016 Alexey Makhalov 6.3-6 -- Move docs and man to the devel package -* Mon Oct 04 2016 ChangLee 6.3-5 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 6.3-4 -- GA - Bump release of all rpms -* Wed Jun 3 2015 Divya Thaluru 6.3-3 -- Adding ncurses to run time require package -* Mon May 18 2015 Touseef Liaqat 6.3-2 -- Update according to UsrMove. -* Wed Oct 22 2014 Divya Thaluru 6.3-1 -- Initial build. First version +* Tue Sep 03 2019 Mateusz Malisz 7.0-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Sun Jun 04 2017 Bo Gan 7.0-2 +- Fix dependency + +* Fri Jan 13 2017 Dheeraj Shetty 7.0-1 +- Updated to version 7.0 + +* Wed Nov 16 2016 Alexey Makhalov 6.3-6 +- Move docs and man to the devel package + +* Mon Oct 04 2016 ChangLee 6.3-5 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom 6.3-4 +- GA - Bump release of all rpms + +* Wed Jun 3 2015 Divya Thaluru 6.3-3 +- Adding ncurses to run time require package + +* Mon May 18 2015 Touseef Liaqat 6.3-2 +- Update according to UsrMove. + +* Wed Oct 22 2014 Divya Thaluru 6.3-1 +- Initial build. First version diff --git a/SPECS/rpcbind/rpcbind.spec b/SPECS/rpcbind/rpcbind.spec index cea1f0232f..900f8f3715 100644 --- a/SPECS/rpcbind/rpcbind.spec +++ b/SPECS/rpcbind/rpcbind.spec @@ -93,7 +93,7 @@ fi rm -rf %{buildroot}/* %changelog -* Sat May 09 00:20:40 PST 2020 Nick Samson - 1.2.5-3 +* Sat May 09 2020 Nick Samson - 1.2.5-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.2.5-2 
diff --git a/SPECS/rpcsvc-proto/rpcsvc-proto.spec b/SPECS/rpcsvc-proto/rpcsvc-proto.spec index d5284f6895..ff0da72629 100644 --- a/SPECS/rpcsvc-proto/rpcsvc-proto.spec +++ b/SPECS/rpcsvc-proto/rpcsvc-proto.spec @@ -43,11 +43,11 @@ make install DESTDIR=%{buildroot} %{_includedir}/rpcsvc/* %changelog -* Mon Sep 28 2020 Ruying Chen 1.4-4 -- Explicit provides rpcgen -* Sat May 09 2020 Nick Samson 1.4-3 -- Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.4-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Sat May 09 2020 Nick Samson - 1.4-3 +- Added %%license line automatically + +* Tue Sep 03 2019 Mateusz Malisz 1.4-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + * Fri Sep 21 2018 Alexey Makhalov 1.4-1 - Initial version diff --git a/SPECS/rpm/CVE-2021-20266.patch b/SPECS/rpm/CVE-2021-20266.patch new file mode 100644 index 0000000000..4041e849a5 --- /dev/null +++ b/SPECS/rpm/CVE-2021-20266.patch 
@@ -0,0 +1,104 @@ +From 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef Mon Sep 17 00:00:00 2001 +From: Demi Marie Obenour +Date: Mon, 8 Feb 2021 16:05:01 -0500 +Subject: [PATCH] hdrblobInit() needs bounds checks too + +Users can pass untrusted data to hdrblobInit() and it must be robust +against this. + +Modified to fit CBL-Mariner. +--- + lib/header.c | 48 +++++++++++++++++++++++++++++++----------------- + 1 file changed, 31 insertions(+), 17 deletions(-) + +diff --git a/lib/header.c b/lib/header.c +index ea39e679f4..ebba9c2b09 100644 +--- a/lib/header.c ++++ b/lib/header.c +@@ -11,6 +11,7 @@ + #include "system.h" + #include + #include ++#include + #include + #include + #include "lib/header_internal.h" +@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob) + return NULL; + } + ++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl, ++ char **emsg) { ++ uint32_t il_max = HEADER_TAGS_MAX; ++ uint32_t dl_max = HEADER_DATA_MAX; ++ if (regionTag == RPMTAG_HEADERSIGNATURES) { ++ il_max = 32; ++ dl_max = 64 * 1024 * 1024; ++ } ++ if (hdrchkRange(il_max, il)) { ++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il); ++ return RPMRC_FAIL; ++ } ++ if (hdrchkRange(dl_max, dl)) { ++ rasprintf(emsg, _("hdr data: BAD, no. 
of bytes(%" PRIu32 ") out of range"), dl); ++ return RPMRC_FAIL; ++ } ++ return RPMRC_OK; ++} ++ + rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg) + { + int32_t block[4]; +@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl + size_t nb; + rpmRC rc = RPMRC_FAIL; /* assume failure */ + int xx; +- int32_t il_max = HEADER_TAGS_MAX; +- int32_t dl_max = HEADER_DATA_MAX; +- +- if (regionTag == RPMTAG_HEADERSIGNATURES) { +- il_max = 32; +- dl_max = 8192; +- } + + memset(block, 0, sizeof(block)); + if ((xx = Freadall(fd, bs, blen)) != blen) { +@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl + goto exit; + } + il = ntohl(block[2]); +- if (hdrchkRange(il_max, il)) { +- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il); +- goto exit; +- } + dl = ntohl(block[3]); +- if (hdrchkRange(dl_max, dl)) { +- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl); ++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg)) + goto exit; +- } + + nb = (il * sizeof(struct entryInfo_s)) + dl; + uc = sizeof(il) + sizeof(dl) + nb; +@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc, + struct hdrblob_s *blob, char **emsg) + { + rpmRC rc = RPMRC_FAIL; +- + memset(blob, 0, sizeof(*blob)); ++ if (uc && uc < 8) { ++ rasprintf(emsg, _("hdr length: BAD")); ++ goto exit; ++ } ++ + blob->ei = (int32_t *) uh; /* discards const */ +- blob->il = ntohl(blob->ei[0]); +- blob->dl = ntohl(blob->ei[1]); ++ blob->il = ntohl((uint32_t)(blob->ei[0])); ++ blob->dl = ntohl((uint32_t)(blob->ei[1])); ++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK) ++ goto exit; ++ + blob->pe = (entryInfo) &(blob->ei[2]); + blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) + + (blob->il * sizeof(*blob->pe)) + blob->dl; 
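Review bot: The backport relaxes one bound while adding others: the block removed from hdrblobRead() capped signature-header data at `dl_max = 8192`, but the new hdrblobVerifyLengths() sets `dl_max = 64 * 1024 * 1024` for RPMTAG_HEADERSIGNATURES. That raises the accepted size of untrusted signature data by several orders of magnitude for this rpm version, and the header's "Modified to fit CBL-Mariner" does not mention it. Unless larger signature headers are required, keep the previous value in the helper, `dl_max = 8192;`, or document why the larger limit is safe here. Note also that `if (uc && uc < 8)` skips the length check when uc is 0, after which `blob->ei[0]` and `blob->ei[1]` are still read, so callers passing 0 must guarantee at least 8 readable bytes. Both function bodies continue outside the inner hunks.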
diff --git a/SPECS/rpm/rpm.spec b/SPECS/rpm/rpm.spec index 76886b4756..c3b7456468 100644 --- a/SPECS/rpm/rpm.spec +++ b/SPECS/rpm/rpm.spec @@ -21,6 +21,7 @@ BuildRequires: file-devel BuildRequires: libarchive-devel BuildRequires: libcap-devel BuildRequires: libdb-devel +BuildRequires: libselinux-devel BuildRequires: lua-devel BuildRequires: nss-devel BuildRequires: popt-devel @@ -30,6 +31,7 @@ BuildRequires: zstd-devel Requires: bash Requires: libarchive Requires: libdb +Requires: libselinux Requires: lua Requires: rpm-libs = %{version}-%{release} @@ -122,7 +124,8 @@ sed -i 's/extra_link_args/library_dirs/g' python/setup.py.in --with-cap \ --with-lua \ --disable-silent-rules \ - --with-external-db + --with-external-db \ + --with-selinux make %{?_smp_mflags} pushd python @@ -300,7 +303,7 @@ popd * Wed May 20 2020 Henry Beberman - 4.14.2-7 - Add BuildRequires and Requires for zstd support. -* Sat May 09 00:20:45 PST 2020 Nick Samson - 4.14.2-6 +* Sat May 09 2020 Nick Samson - 4.14.2-6 - Added %%license line automatically * Wed May 06 2020 Emre Girgin - 4.14.2-5 diff --git a/SPECS/rrdtool/rrdtool.spec b/SPECS/rrdtool/rrdtool.spec index d25a43bc02..6850335ed1 100644 --- a/SPECS/rrdtool/rrdtool.spec +++ b/SPECS/rrdtool/rrdtool.spec 
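Review bot: None of the rpm.spec hunks here (`@@ -21,6`, `@@ -30,6`, `@@ -122,7`) adds a `PatchN:` declaration or a `%patch` step for the CVE-2021-20266.patch introduced just above, and `Release` is not bumped. If the spec does not already reference the patch in lines outside these hunks, the fix sits in the tree but is never applied to the build. The same hunks enable `--with-selinux` and add a runtime `Requires: libselinux` with no new changelog entry, so that behaviour change is not traceable from the package history. I would add `Patch<N>: CVE-2021-20266.patch` with a free patch number, bump Release, and add a changelog entry covering both changes.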
@@ -165,20 +165,20 @@ rm -rf %{buildroot}%{_libdir}/python2.7 * Mon Jan 11 2021 Ruying Chen - 1.7.0-6 - Build with lua, python3, and ruby support. -* Sat May 09 00:21:18 PST 2020 Nick Samson - 1.7.0-5 +* Sat May 09 2020 Nick Samson - 1.7.0-5 - Added %%license line automatically -* Thu Apr 30 2020 Nicolas Ontiveros 1.7.0-4 -- Rename freetype2-devel to freetype-devel. +* Thu Apr 30 2020 Nicolas Ontiveros 1.7.0-4 +- Rename freetype2-devel to freetype-devel. -* Mon Apr 13 2020 Jon Slobodzian 1.7.0-3 -- Verified license. Removed sha1. Fixed Source0 URL and URL. +* Mon Apr 13 2020 Jon Slobodzian 1.7.0-3 +- Verified license. Removed sha1. Fixed Source0 URL and URL. -* Tue Sep 03 2019 Mateusz Malisz 1.7.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.7.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Keerthana K 1.7.0-1 -- Updated to version 1.7.0 +* Mon Sep 10 2018 Keerthana K 1.7.0-1 +- Updated to version 1.7.0 -* Wed Apr 5 2017 Dheeraj Shetty 1.6.0-1 -- Initial version +* Wed Apr 5 2017 Dheeraj Shetty 1.6.0-1 +- Initial version diff --git a/SPECS/rsync/rsync.spec b/SPECS/rsync/rsync.spec index 4788594c63..3ac3d9192f 100644 --- a/SPECS/rsync/rsync.spec +++ b/SPECS/rsync/rsync.spec @@ -58,7 +58,7 @@ make %{?_smp_mflags} check %{_libdir}/systemd/system/rsyncd.service %{_sysconfdir}/rsyncd.conf %changelog -* Sat May 09 00:20:50 PST 2020 Nick Samson - 3.1.3-5 +* Sat May 09 2020 Nick Samson - 3.1.3-5 - Added %%license line automatically * Wed Apr 22 2020 Nicolas Ontiveros 3.1.3-4 diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index b6b65011a3..5c93da8164 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -174,7 +174,7 @@ sudo -u test make test TESTS="-v" %{_bindir}/* %{_includedir}/* %{_libdir}/*.so -%{_libdir}/*.so.* +%{_libdir}/*.so.2.7* %{_libdir}/pkgconfig/*.pc %{_libdir}/ruby/* %{_datadir}/ri/* 
@@ -226,7 +226,7 @@ sudo -u test make test TESTS="-v" * Thu Oct 15 2020 Emre Girgin - 2.6.6-1 - Upgrade to 2.6.6 to resolve CVEs. -* Sat May 09 00:20:42 PST 2020 Nick Samson - 2.6.3-3 +* Sat May 09 2020 Nick Samson - 2.6.3-3 - Added %%license line automatically * Wed May 06 2020 Pawel Winogrodzki - 2.6.3-2 diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index 6cc0988400..81c28ced71 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -145,7 +145,7 @@ rm %{buildroot}%{_docdir}/%{name}/*.old * Thu May 28 2020 Chris Co - 1.39.0-5 - Update source checkout and prep steps -* Sat May 09 00:20:39 PST 2020 Nick Samson - 1.39.0-4 +* Sat May 09 2020 Nick Samson - 1.39.0-4 - Added %%license line automatically * Mon May 4 2020 Nicolas Guibourge - 1.39.0-3 diff --git a/SPECS/scons/scons.spec b/SPECS/scons/scons.spec index e9ce9928f6..19214d8611 100644 --- a/SPECS/scons/scons.spec +++ b/SPECS/scons/scons.spec @@ -45,7 +45,7 @@ rm -rf %{buildroot} %{_datadir}/* %changelog -* Sat May 09 00:21:02 PST 2020 Nick Samson - 3.0.1-4 +* Sat May 09 2020 Nick Samson - 3.0.1-4 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 3.0.1-3 diff --git a/SPECS/secilc/Allow-setting-arguments-to-xmlto-via-environmental-var.patch b/SPECS/secilc/Allow-setting-arguments-to-xmlto-via-environmental-var.patch new file mode 100644 index 0000000000..a233d1eee8 --- /dev/null +++ b/SPECS/secilc/Allow-setting-arguments-to-xmlto-via-environmental-var.patch 
@@ -0,0 +1,30 @@ +From 170281f8d756f561b2ffe612e0076b6bfff5f482 Mon Sep 17 00:00:00 2001 +From: Daniel Burgener +Date: Fri, 28 Aug 2020 13:32:31 +0000 +Subject: [PATCH] Allow setting arguments to xmlto via environmental variable. + +This will allow us to control xmlto behavior from the spec file +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile.original b/Makefile +index d4a1c35..c4fd438 100644 +--- a/Makefile.original ++++ b/Makefile +@@ -40,10 +40,10 @@ $(SECIL2CONF): $(SECIL2CONF_OBJS) + man: $(SECILC_MANPAGE) $(SECIL2CONF_MANPAGE) + + $(SECILC_MANPAGE): $(SECILC_MANPAGE).xml +- $(XMLTO) man $(SECILC_MANPAGE).xml ++ $(XMLTO) $(XMLARGS) man $(SECILC_MANPAGE).xml + + $(SECIL2CONF_MANPAGE): $(SECIL2CONF_MANPAGE).xml +- $(XMLTO) man $(SECIL2CONF_MANPAGE).xml ++ $(XMLTO) $(XMLARGS) man $(SECIL2CONF_MANPAGE).xml + + install: all man + -mkdir -p $(DESTDIR)$(BINDIR) +-- +2.17.1 + diff --git a/SPECS/secilc/secilc.signatures.json b/SPECS/secilc/secilc.signatures.json new file mode 100644 index 0000000000..ec6737a3d9 --- /dev/null +++ b/SPECS/secilc/secilc.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "secilc-3.2.tar.gz": "5f6e6528a281b29ac5e558babffc3d8aab682fd8df8977daff5f266a50292cc3" + } +} \ No newline at end of file diff --git a/SPECS/secilc/secilc.spec b/SPECS/secilc/secilc.spec new file mode 100644 index 0000000000..63fd18fef1 --- /dev/null +++ b/SPECS/secilc/secilc.spec 
@@ -0,0 +1,155 @@ +%global libsepolver %{version}-1 +Summary: The SELinux CIL Compiler +Name: secilc +Version: 3.2 +Release: 1%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/SELinuxProject/selinux/wiki +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: Allow-setting-arguments-to-xmlto-via-environmental-var.patch +BuildRequires: flex +BuildRequires: gcc +BuildRequires: libsepol-devel >= %{libsepolver} +BuildRequires: xmlto + +%description +The SELinux CIL Compiler is a compiler that converts the CIL language as +described on the CIL design wiki into a kernel binary policy file. +Please see the CIL Design Wiki at: +http://github.com/SELinuxProject/cil/wiki/ +for more information about the goals and features on the CIL language. + +%prep +%autosetup -p1 + +%build +%{set_build_flags} +# xmlto wants to access a network resource for validation, so skip it +%make_build LIBSEPOL_STATIC=%{_libdir}/libsepol.a XMLARGS="--skip-validation" CFLAGS="%{build_cflags} -fno-semantic-interposition" + +%install +%make_install SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" + +%files +%license COPYING +%{_bindir}/secilc +%{_bindir}/secil2conf +%{_mandir}/man8/secilc.8.gz +%{_mandir}/man8/secil2conf.8.gz + +%changelog +* Fri Aug 13 2021 Thomas Crain - 3.2-1 +- Upgrade to latest upstream version and rebase patch +- Add -fno-semantic-interposition to CFLAGS as recommended by upstream +- Update source URL to new format +- Lint spec +- License verified + +* Fri Oct 09 2020 Thomas Crain - 2.9-4 +- Add missing %libsepolver definition + +* Thu Aug 27 2020 Daniel Burgener - 2.9-3 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Fri Jul 26 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Mar 19 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* 
Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Sat Feb 02 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Sat Jul 14 2018 Fedora Release Engineering - 2.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri May 25 2018 Petr Lautrbach - 2.8-1 +- SELinux userspace 2.8 release + +* Tue May 15 2018 Petr Lautrbach - 2.8-0.rc3.1 +- SELinux userspace 2.8-rc3 release candidate + +* Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 +- SELinux userspace 2.8-rc1 release candidate + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-5 +- build: follow standard semantics for DESTDIR and PREFIX +- Describe multiple-decls in secilc.8.xml + +* Fri Feb 09 2018 Fedora Release Engineering - 2.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-3 +- Rebuild with libsepol-2.7-3 + +* Fri Oct 20 2017 Petr Lautrbach - 2.7-2 +- Fixed bad reference in roleattribute +- cil: Add ability to redeclare types[attributes] + +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 + +* Thu Aug 03 2017 Fedora Release Engineering - 2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Feb 15 2017 Petr Lautrbach - 2.6-1 +- Update to upstream release 2016-10-14 + +* Sat Feb 11 2017 Fedora Release Engineering - 2.5-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Oct 04 2016 Petr Lautrbach 2.5-6 +- Rebuilt with libsepol-2.5-10 + +* Mon Aug 01 2016 Petr Lautrbach 2.5-5 +- Rebuilt with libsepol-2.5-9 + +* Thu Jun 23 2016 Petr Lautrbach - 2.5-4 +- Rebuilt with libsepol-2.5-7 + +* Wed May 11 2016 Petr Lautrbach - 2.5-3 
+- Rebuilt with libsepol-2.5-6 + +* Fri Apr 08 2016 - 2.5-2 +- Add documentation and test rule for portcon dccp protocol + +* Tue Feb 23 2016 Petr Lautrbach 2.5-1 +- Update to upstream release 2016-02-23 + +* Sun Feb 21 2016 Petr Lautrbach 2.5-0.1.rc1 +- Update to upstream rc1 release 2016-01-07 + +* Thu Feb 04 2016 Fedora Release Engineering - 2.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Sep 01 2015 Marcin Juszkiewicz - 2.4-6 +- tell make where libsepol.a is to fix FTBFS on non-x86 64-bit archs - rhbz#1249522 + +* Wed Jul 29 2015 Petr Lautrbach 2.4-5 +- secilc-doc do not need the base package +- Fedora package review https://bugzilla.redhat.com/show_bug.cgi?id=1245270 + +* Thu Jul 23 2015 Petr Lautrbach 2.4-4 +- add license file + +* Wed Jul 22 2015 Petr Lautrbach 2.4-3 +- remove unnecessary dependencies +- don't build libsepol + +* Tue Jul 21 2015 Petr Lautrbach 2.4-2 +- make secilc-doc package noarch + +* Tue Jul 21 2015 Petr Lautrbach 2.4-1 +- initial build based on libsepol-2.4 sources diff --git a/SPECS/sed/sed.spec b/SPECS/sed/sed.spec index b5b5b011c8..da3c3d3fd7 100644 --- a/SPECS/sed/sed.spec +++ b/SPECS/sed/sed.spec @@ -52,7 +52,7 @@ make check %defattr(-,root,root) %changelog -* Sat May 09 00:21:19 PST 2020 Nick Samson - 4.5-3 +* Sat May 09 2020 Nick Samson - 4.5-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 4.5-2 diff --git a/SPECS/selinux-policy/Makefile.devel b/SPECS/selinux-policy/Makefile.devel new file mode 100644 index 0000000000..b1c6bfe71f --- /dev/null +++ b/SPECS/selinux-policy/Makefile.devel 
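Review bot: In secilc.spec's `%install`, the overrides `SBINDIR="%{buildroot}%{_sbindir}"` and `LIBDIR="%{buildroot}%{_libdir}"` already contain the buildroot, while `%make_install` normally passes `DESTDIR=%{buildroot}` as well. The Makefile context in the accompanying patch installs under `$(DESTDIR)$(BINDIR)`, and `%files` lists both binaries in `%{_bindir}`. If the 3.2 Makefile reads neither variable, the overrides are dead and the line can be plain `%make_install`. If it does read them, they should be the unprefixed `%{_sbindir}` and `%{_libdir}` so the buildroot is not applied twice. The new spec also has no `%check` section; if the upstream Makefile has a test target, a `%check` that runs it would confirm the compiler works against the libsepol it was built with (target name to be confirmed against the tarball).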
@@ -0,0 +1,22 @@ +# installation paths +SHAREDIR := /usr/share/selinux + +AWK ?= gawk +NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)) + +ifeq ($(MLSENABLED),) + MLSENABLED := 1 +endif + +ifeq ($(MLSENABLED),1) + NTYPE = mcs +endif + +ifeq ($(NAME),mls) + NTYPE = mls +endif + +TYPE ?= $(NTYPE) + +HEADERDIR := $(SHAREDIR)/devel/include +include $(HEADERDIR)/Makefile diff --git a/SPECS/selinux-policy/selinux-policy.signatures.json b/SPECS/selinux-policy/selinux-policy.signatures.json new file mode 100644 index 0000000000..4d196c3e9b --- /dev/null +++ b/SPECS/selinux-policy/selinux-policy.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "refpolicy-2.20200818.tar.bz2": "1488f9b94060de28addbcb29fb8437ee0d75cba15e11280dd9dfa3e09986f57b", + "Makefile.devel": "cd065e896d7eb11e238a05b9102359ea370ec75b27785a81935c985899ed2df6" + } +} diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec new file mode 100644 index 0000000000..05b4bfc4a0 --- /dev/null +++ b/SPECS/selinux-policy/selinux-policy.spec 
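Review bot: `TYPE` can end up empty in Makefile.devel, because `NTYPE` is assigned only when `MLSENABLED` is `1` or `NAME` is `mls`. A caller that sets `MLSENABLED=0` with any other policy name therefore reaches `TYPE ?= $(NTYPE)` with nothing defined. `NAME` is likewise empty when `/etc/selinux/config` is missing or has no `SELINUXTYPE=` line, since the `$(shell …)` result is used unchecked. The included `$(HEADERDIR)/Makefile` is outside this diff, so how it treats an empty `TYPE` or `NAME` should be confirmed; a module silently built for the wrong policy type is easy to miss. Consider a default ahead of the conditionals, `NTYPE ?= standard`, and an `ifeq ($(NAME),)` guard that stops with `$(error …)` before the `include`.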
@@ -0,0 +1,14032 @@ +# upstream does not currently have a build tag for mariner customizations +# Work item to refine Mariner-specific policy customizations: +# https://microsoft.visualstudio.com/OS/_workitems/edit/29662332 +%define distro redhat +%define polyinstatiate n +%define monolithic n +%define POLICYVER 33 +%define POLICYCOREUTILSVER 3.2 +%define CHECKPOLICYVER 3.2 +Summary: SELinux policy +Name: selinux-policy +Version: 2.20200818 +Release: 2%{?dist} +License: GPLv2 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/SELinuxProject/refpolicy +Source0: %{url}/releases/download/RELEASE_2_20200818/refpolicy-%{version}.tar.bz2 +Source1: Makefile.devel +BuildRequires: bzip2 +BuildRequires: checkpolicy >= %{CHECKPOLICYVER} +BuildRequires: m4 +BuildRequires: policycoreutils-devel >= %{POLICYCOREUTILSVER} +BuildRequires: python3 +BuildRequires: python3-xml +Requires(pre): coreutils +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +BuildArch: noarch + +%description +SELinux policy describes security properties of system components, to be +enforced by the kernel when running with SELinux enabled. 
+ +%files +%license COPYING +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/packages +%dir %{_sysconfdir}/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%ghost %{_sysconfdir}/sysconfig/selinux +%{_datadir}/selinux/refpolicy +%dir %{_sysconfdir}/selinux/refpolicy +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/refpolicy/seusers +%dir %{_sysconfdir}/selinux/refpolicy/logins +%dir %{_sharedstatedir}/selinux/refpolicy/active +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/refpolicy/semanage.read.LOCK +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/refpolicy/semanage.trans.LOCK +%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/refpolicy/active/modules +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/refpolicy/active/modules/100/base +%dir %{_sysconfdir}/selinux/refpolicy/policy/ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/refpolicy/policy/policy.%{POLICYVER} +%dir %{_sysconfdir}/selinux/refpolicy/contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/customizable_types +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/securetty_types +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/dbus_contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/x_contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/default_contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/virtual_domain_context +%config %{_sysconfdir}/selinux/refpolicy/contexts/virtual_image_context +%config %{_sysconfdir}/selinux/refpolicy/contexts/lxc_contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/sepgsql_contexts +%config %{_sysconfdir}/selinux/refpolicy/contexts/openrc_contexts +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/default_type +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/failsafe_context +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/initrc_context +%config(noreplace) 
%{_sysconfdir}/selinux/refpolicy/contexts/removable_context +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/userhelper_context +%dir %{_sysconfdir}/selinux/refpolicy/contexts/files +%verify(not md5 size mtime) %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts +%ghost %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.bin +%verify(not md5 size mtime) %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.homedirs +%ghost %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.homedirs.bin +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.local +%ghost %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.local.bin +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.subs +%{_sysconfdir}/selinux/refpolicy/contexts/files/file_contexts.subs_dist +%config %{_sysconfdir}/selinux/refpolicy/contexts/files/media +%dir %{_sysconfdir}/selinux/refpolicy/contexts/users +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/root +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/guest_u +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/xguest_u +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/user_u +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/staff_u +%config(noreplace) %{_sysconfdir}/selinux/refpolicy/contexts/users/unconfined_u +%{_sharedstatedir}/selinux/refpolicy/active/commit_num +%{_sharedstatedir}/selinux/refpolicy/active/users_extra +%{_sharedstatedir}/selinux/refpolicy/active/homedir_template +%{_sharedstatedir}/selinux/refpolicy/active/seusers +%{_sharedstatedir}/selinux/refpolicy/active/file_contexts +%{_sharedstatedir}/selinux/refpolicy/active/policy.kern +%ghost %{_sharedstatedir}/selinux/refpolicy/active/policy.linked +%ghost %{_sharedstatedir}/selinux/refpolicy/active/seusers.linked +%ghost %{_sharedstatedir}/selinux/refpolicy/active/users_extra.linked 
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/refpolicy/active/file_contexts.homedirs +%ghost %{_sharedstatedir}/selinux/refpolicy/active/modules/100/* + +%package devel +Summary: SELinux policy devel +Requires: %{_bindir}/make +Requires: checkpolicy >= %{CHECKPOLICYVER} +Requires: m4 +Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} + +%description devel +SELinux policy development and man page package + +%files devel +%dir %{_usr}/share/selinux/devel +%dir %{_usr}/share/selinux/devel/include +%{_usr}/share/selinux/devel/include/* +%{_usr}/share/selinux/devel/Makefile +%{_usr}/share/selinux/devel/example.* +%{_usr}/share/selinux/devel/policy.* +%ghost %{_sharedstatedir}/sepolgen/interface_info + +%post devel +selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null +exit 0 + +%package doc +Summary: SELinux policy documentation +Requires: selinux-policy = %{version}-%{release} +Requires(pre): selinux-policy = %{version}-%{release} + +%description doc +SELinux policy documentation package + +%files doc +%{_mandir}/man*/* +%{_mandir}/ru/*/* +%doc %{_usr}/share/doc/%{name} + +%define makeCmds() \ +%make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ +%make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf +%define installCmds() \ +%make_build UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \ +%make_build validate UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \ +make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ +make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} 
DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +make UNK_PERMS=%{4} NAME=%{1} TYPE=%{2} DISTRO=%{distro} UBAC=n DIRECT_INITRC=%{3} MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \ +mkdir -p %{buildroot}/%{_sysconfdir}/selinux/%{1}/logins \ +touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.subs \ +install -m0644 config/appconfig-%{2}/securetty_types %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/securetty_types \ +install -m0644 config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files \ +touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts.local.bin \ +rm -f %{buildroot}/%{_usr}/share/selinux/%{1}/*pp* \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%{1}/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%{1}/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%{1}/active/*.linked \ +%{nil} + +%define relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts; \ +%{_sbindir}/selinuxenabled; \ +if [ $? = 0 -a "${SELINUXTYPE}" = %{1} -a -f ${FILE_CONTEXT}.pre ]; then \ + /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ +fi; \ +if /sbin/restorecon -e /run/media -R /root %{_var}/log %{_var}/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \ + continue; \ +fi; + +%define preInstall() \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . 
%{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%{1}/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %{1} -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%{1}/.rebuild; \ +fi; + +%define postInstall() \ +. %{_sysconfdir}/selinux/config; \ +if [ -e %{_sysconfdir}/selinux/%{2}/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%{2}/.rebuild; \ + %{_sbindir}/semodule -B -n -s %{2}; \ +fi; \ +[ "${SELINUXTYPE}" == "%{2}" ] && selinuxenabled && load_policy; \ +if [ %{1} -eq 1 ]; then \ + /sbin/restorecon -R /root %{_var}/log /run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \ +else \ +%relabel %{2} \ +fi; + +%prep +%setup -q -n refpolicy + +%install +# Build policy +mkdir -p %{buildroot}%{_sysconfdir}/selinux +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +touch %{buildroot}%{_sysconfdir}/selinux/config +touch %{buildroot}%{_sysconfdir}/sysconfig/selinux +mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ +mkdir -p %{buildroot}%{_bindir} + +# Always create policy module package directories +mkdir -p %{buildroot}%{_usr}/share/selinux/refpolicy +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{refpolicy,modules}/ + +mkdir -p %{buildroot}%{_usr}/share/selinux/packages + +# Install devel +make clean +%makeCmds refpolicy mcs n allow +%installCmds refpolicy mcs n allow + +# remove leftovers when save-previous=true (semanage.conf) is used +rm -rf %{buildroot}%{_sharedstatedir}/selinux/refpolicy/previous + +mkdir -p %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} +make UNK_PERMS=allow NAME=refpolicy TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs +make UNK_PERMS=allow NAME=refpolicy TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 
MCS_CATS=1024 install-headers +mkdir %{buildroot}%{_usr}/share/selinux/devel/ +mv %{buildroot}%{_usr}/share/selinux/refpolicy/include %{buildroot}%{_usr}/share/selinux/devel/include +install -m 644 %{SOURCE1} %{buildroot}%{_usr}/share/selinux/devel/Makefile +install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ + +%post +if [ ! -s %{_sysconfdir}/selinux/config ]; then +# Permissive by default. Enforcing support will be added in a later phase +echo " +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=permissive +# SELINUXTYPE= defines the policy to load +# Currently the only supported option is refpolicy +SELINUXTYPE=refpolicy + +" > %{_sysconfdir}/selinux/config + + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux + restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : +else + . %{_sysconfdir}/selinux/config +fi +%postInstall $1 repolicy +exit 0 + +%postun +if [ $1 = 0 ]; then + setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi +fi +exit 0 + +%pre +%preInstall refpolicy + +%triggerin -- pcre +selinuxenabled && semodule -nB +exit 0 + +%changelog +* Fri Aug 13 2021 Thomas Crain - 2.20200818-2 +- Update versions on checkpolicy, policycoreutils dependencies + +* Mon Aug 31 2020 Daniel Burgener - 2.20200818-1 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- Heavy modifications to build from upstream reference policy rather than from fedora selinux policy. 
+ Fedora's policy and versioning tracks their policy fork specificially, whereas this tracks the upstream + policy that Fedora's policy is based on. +- License verified + +* Wed Oct 09 2019 Lukas Vrabec - 3.14.4-37 +- Remove duplicate file context for /usr//bin/nova-api-metadata +- Introduce new bolean httpd_use_opencryptoki +- Allow setroubleshoot_fixit_t to read random_device_t +- Label /etc/named direcotory as named_conf_t BZ(1759495) +- Allow dkim to execute sendmail +- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files +- Update aide_t domain to allow this tool to analyze also /dev filesystem +- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634) +- Allow avahi_t to send msg to xdm_t +- Update dev_manage_sysfs() to support managing also lnk files BZ(1759019) +- Allow systemd_logind_t domain to read blk_files in domain removable_device_t +- Add new interface udev_getattr_rules_chr_files() + +* Fri Oct 04 2019 Lukas Vrabec - 3.14.4-36 +- Update aide_t domain to allow this tool to analyze also /dev filesystem +- Allow bitlbee_t domain map files in /usr +- Allow stratisd to getattr of fixed disk device nodes +- Add net_broadcast capability to openvswitch_t domain BZ(1716044) +- Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. 
BZ(1756973) +- Allow cobblerd_t domain search apache configuration dirs +- Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) +- Label /var/log/collectd.log as collectd_log_t +- Allow boltd_t domain to manage sysfs files and dirs BZ(1754360) +- Add fowner capability to the pcp_pmlogger_t domain BZ(1754767) +- networkmanager: allow NetworkManager_t to create bluetooth_socket +- Fix ipa_custodia_stream_connect interface +- Add new interface udev_getattr_rules_chr_files() +- Make dbus-broker service working on s390x arch +- Add new interface dev_mounton_all_device_nodes() +- Add new interface dev_create_all_files() +- Allow systemd(init_t) to load kernel modules +- Allow ldconfig_t domain to manage initrc_tmp_t objects +- Add new interface init_write_initrc_tmp_pipes() +- Add new interface init_manage_script_tmp_files() +- Allow xdm_t setpcap capability in user namespace BZ(1756790) +- Allow xdm_t domain to user netlink_route sockets BZ(1756791) +- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245) +- Allow sudo userdomain to run rpm related commands +- Add sys_admin capability for ipsec_t domain +- Allow systemd_modules_load_t domain to read systemd pid files +- Add new interface init_read_pid_files() +- Allow systemd labeled as init_t domain to manage faillog_t objects +- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc +- Make ipa_custodia policy active +- Make stratisd policy active + +* Fri Sep 20 2019 Lukas Vrabec - 3.14.4-35 +- Fix ipa_custodia_stream_connect interface +- Allow systemd_modules_load_t domain to read systemd pid files +- Add new interface init_read_pid_files() +- Allow systemd labeled as init_t domain to manage faillog_t objects +- Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc + +* Fri Sep 20 2019 Lukas Vrabec - 3.14.4-34 +- Run ipa-custodia as ipa_custodia_t +- Update webalizer_t SELinux policy +- 
Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598) +- Allow rhsmcertd_t domain to read rtas_errd lock files +- Add new interface rtas_errd_read_lock() +- Update allow rules set for nrpe_t domain +- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if +- Allow avahi_t to send msg to lpr_t +- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label +- Allow dlm_controld_t domain to read random device +- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) +- Allow gssproxy_t domain read state of all processes on system +- Make ipa_custodia policy active +- Make stratisd policy active +- Introduce xdm_manage_bootloader booelan +- Add new macro systemd_timedated_status to systemd.if to get timedated service status +- Allow xdm_t domain to read sssd pid files BZ(1753240) + +* Fri Sep 13 2019 Lukas Vrabec - 3.14.4-33 +- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) +- Allow gssproxy_t domain read state of all processes on system +- Update travis-CI file +- Fix syntax erros in keepalived policy +- Add sys_admin capability for keepalived_t labeled processes +- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. +- Create new type ipmievd_helper_t domain for loading kernel modules. 
+- Run stratisd service as stratisd_t +- Fix abrt_upload_watch_t in abrt policy +- Update keepalived policy +- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types +- Revert "Create admin_crontab_t and admin_crontab_tmp_t types" +- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix" +- Allow amanda_t to manage its var lib files and read random_device_t +- Create admin_crontab_t and admin_crontab_tmp_t types +- Add setgid and setuid capabilities to keepalived_t domain +- Update cron_role() template to accept third parameter with SELinux domain prefix +- Allow psad_t domain to create tcp diag sockets BZ(1750324) +- Allow systemd to mount fwupd_cache_t BZ(1750288) +- Allow chronyc_t domain to append to all non_security files +- Update zebra SELinux policy to make it work also with frr service +- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024) +- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763) +- Label /var/run/mysql as mysqld_var_run_t +- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. +- Update timedatex policy to manage localization +- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces +- Update gnome_dontaudit_read_config +- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. 
BZ(1748997) +- Update travis-CI file +- Allow systemd labeled as init_t domain to remount rootfs filesystem +- Add interface files_remount_rootfs() +- Dontaudit sys_admin capability for iptables_t SELinux domain +- Allow userdomains to dbus chat with policykit daemon +- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces +- New interface files_append_non_security_files() +- Label 2618/tcp and 2618/udp as priority_e_com_port_t +- Label 2616/tcp and 2616/udp as appswitch_emp_port_t +- Label 2615/tcp and 2615/udp as firepower_port_t +- Label 2610/tcp and 2610/udp as versa_tek_port_t +- Label 2613/tcp and 2613/udp as smntubootstrap_port_t +- Label 3784/tcp and 3784/udp as bfd_control_port_t +- Remove rule allowing all processes to stream connect to unconfined domains + +* Wed Sep 04 2019 Lukas Vrabec - 3.14.4-32 +- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket +- Dontaudit sandbox web types to setattr lib_t dirs +- Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369) +- Allow haproxy_t domain to read network state of system +- Allow processes labeled as keepalived_t domain to get process group +- Introduce dbusd_unit_file_type +- Allow pesign_t domain to read/write named cache files. +- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. +- Allow httpd_t domain to read/write named_cache_t files +- Add new interface bind_rw_cache() +- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. +- Update cpucontrol_t SELinux policy +- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t +- Run lldpd service as lldpad_t. +- Allow spamd_update_t domain to create unix dgram sockets. 
+- Update dbus role template for confined users to allow login into x session +- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t +- Fix typo in networkmanager_append_log() interface +- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label +- Allow login user type to use systemd user session +- Allow xdm_t domain to start dbusd services. +- Introduce new type xdm_unit_file_t +- Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute +- Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632) +- Allow ipsec_t domain to read/write named cache files +- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label +- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus +- Label udp 8125 port as statsd_port_t + +* Tue Aug 13 2019 Lukas Vrabec - 3.14.4-31 +- Update timedatex policy BZ(1734197) + +* Tue Aug 13 2019 Lukas Vrabec - 3.14.4-30 +- cockpit: Allow cockpit-session to read cockpit-tls state +- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) +- Allow named_t domain to read/write samba_var_t files BZ(1738794) +- Dontaudit abrt_t domain to read root_t files +- Allow ipa_dnskey_t domain to read kerberos keytab +- Allow mongod_t domain to read cgroup_t files BZ(1739357) +- Update ibacm_t policy +- Allow systemd to relabel all files on system. +- Revert "Add new boolean systemd_can_relabel" +- Allow xdm_t domain to read kernel sysctl BZ(1740385) +- Add sys_admin capability for xdm_t in user namespace. BZ(1740386) +- Allow dbus communications with resolved for DNS lookups +- Add new boolean systemd_can_relabel +- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp +- Label '/var/usrlocal/(.*/)?sbin(/.*)?' 
as bin_t +- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs +- Run lvmdbusd service as lvm_t + +* Wed Aug 07 2019 Lukas Vrabec - 3.14.4-29 +- Allow dlm_controld_t domain setgid capability +- Fix SELinux modules not installing in chroots. +Resolves: rhbz#1665643 + +* Tue Aug 06 2019 Lukas Vrabec - 3.14.4-28 +- Allow systemd to create and bindmount dirs. BZ(1734831) + +* Mon Aug 05 2019 Lukas Vrabec - 3.14.4-27 +- Allow tlp domain run tlp in trace mode BZ(1737106) +- Make timedatex_t domain system dbus bus client BZ(1737239) +- Allow cgdcbxd_t domain to list cgroup dirs +- Allow systemd to create and bindmount dirs. BZ(1734831) + +* Tue Jul 30 2019 Lukas Vrabec - 3.14.4-26 +- New policy for rrdcached +- Allow dhcpd_t domain to read network sysctls. +- Allow nut services to communicate with unconfined domains +- Allow virt_domain to Support ecryptfs home dirs. +- Allow domain transition lsmd_t to sensord_t +- Allow httpd_t to signull mailman_cgi_t process +- Make rrdcached policy active +- Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542 +- Allow machinectl to run pull-tar BZ(1724247) + +* Fri Jul 26 2019 Lukas Vrabec - 3.14.4-25 +- Allow spamd_update_t domain to read network state of system BZ(1733172) +- Allow dlm_controld_t domain to transition to the lvm_t +- Allow sandbox_web_client_t domain to do sys_chroot in user namespace +- Allow virtlockd process read virtlockd.conf file +- Add more permissions for session dbus types to make working dbus broker with systemd user sessions +- Allow sssd_t domain to read gnome config and named cache files +- Allow brltty to request to load kernel module +- Add svnserve_tmp_t label forl svnserve temp files to system private tmp +- Allow sssd_t domain to read kernel net sysctls BZ(1732185) +- Run timedatex service as timedatex_t +- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool +- Allow cyrus work with PrivateTmp +- Make 
cgdcbxd_t domain working with SELinux enforcing.
+- Make working wireshark execute byt confined users staff_t and sysadm_t
+- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
+- Allow svnserve_t domain to read system state
+- allow named_t to map named_cache_t files
+- Label user cron spool file with user_cron_spool_t
+- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
+- Allow lograte_t domain to manage collect_rw_content files and dirs
+- Add interface collectd_manage_rw_content()
+- Allow ifconfig_t domain to manage vmware logs
+- Remove system_r role from staff_u user.
+- Make new timedatex policy module active
+- Add systemd_private_tmp_type attribute
+- Allow systemd to load kernel modules during boot process.
+- Allow sysadm_t and staff_t domains to read wireshark shared memory
+- Label /usr/libexec/utempter/utempter as utemper_exec_t
+- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
+- Allow sysadm_t domain to create netlink selinux sockets
+- Make cgdcbxd active in Fedora upstream sources
+
+* Wed Jul 17 2019 Lukas Vrabec - 3.14.4-24
+- Label user cron spool file with user_cron_spool_t
+- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
+- Allow lograte_t domain to manage collect_rw_content files and dirs
+- Add interface collectd_manage_rw_content()
+- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
+- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
+- Allow mysqld_t domain to manage cluster pid files
+- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
+- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
+- Allow dkim-milter to send e-mails BZ(1716937)
+- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
+- Update svnserve_t policy to make working svnserve hooks
+- Allow varnishlog_t domain to check for presence of varnishd_t domains
+- Update sandboxX policy to make working firefox inside SELinux sandbox
+- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
+- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
+- Allow gssd_t domain to list tmpfs_t dirs
+- Allow mdadm_t domain to read tmpfs_t files
+- Allow sbd_t domain to check presence of processes labeled as cluster_t
+- Dontaudit httpd_sys_script_t to read systemd unit files
+- Allow blkmapd_t domain to read nvme devices
+- Update cpucontrol_t domain to make working microcode service
+- Allow domain transition from logwatch_t do postfix_postqueue_t
+- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
+- Allow httpd_sys_script_t domain to mmap httpcontent
+- Allow sbd_t to manage cgroups_t files
+- Update wireshark policy to make working tshar labeled as wireshark_t
+- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
+- Allow sysadm_t domain to create netlink selinux sockets
+- Make cgdcbxd active in Fedora upstream sources
+- Allow sysadm_t domain to dbus chat with rtkit daemon
+- Allow x_userdomains to nnp domain transition to thumb_t domain
+- Allow unconfined_domain_type to setattr own process lnk files.
+- Add interface files_write_generic_pid_sockets()
+- Dontaudit writing to user home dirs by gnome-keyring-daemon
+- Allow staff and admin domains to setpcap in user namespace
+- Allow staff and sysadm to use lockdev
+- Allow staff and sysadm users to run iotop.
+- Dontaudit traceroute_t domain require sys_admin capability
+- Dontaudit dbus chat between kernel_t and init_t
+- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
+
+* Wed Jul 10 2019 Lukas Vrabec - 3.14.4-23
+- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
+- Fix all interfaces which cannot by compiled because of typos
+- Allow X userdomains to mmap user_fonts_cache_t dirs
+
+* Mon Jul 08 2019 Lukas Vrabec - 3.14.4-22
+- Label /var/kerberos/krb5 as krb5_keytab_t
+- Allow glusterd_t domain to setpgid
+- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
+- Allow sbd_t domain to manage cgroup dirs
+- Allow opafm_t domain to modify scheduling information of another process.
+- Allow wireshark_t domain to create netlink netfilter sockets
+- Allow gpg_agent_t domain to use nsswitch
+- Allow httpd script types to mmap httpd rw content
+- Allow dkim_milter_t domain to execute shell BZ(17116937)
+- Allow sbd_t domain to use nsswitch
+- Allow rhsmcertd_t domain to send signull to all domains
+- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
+- Dontaudit blueman to read state of all domains on system BZ(1722696)
+- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
+- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
+- Replace "-" by "_" in types names
+- Change condor_domain declaration in condor_systemctl
+- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
+- Allow auditd_t domain to send signals to audisp_remote_t domain
+- Allow systemd labeled as init_t domain to read/write faillog_t.
BZ(1723132)
+- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
+- Add interface kernel_relabelfrom_usermodehelper()
+- Dontaudit unpriv_userdomain to manage boot_t files
+- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
+- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
+- Allow associate efivarfs_t on sysfs_t
+
+* Tue Jun 18 2019 Lukas Vrabec - 3.14.4-21
+- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
+- cockpit: Support split-out TLS proxy
+- Allow dkim_milter_t to use shell BZ(1716937)
+- Create explicit fc rule for mailman executable BZ(1666004)
+- Update interface networkmanager_manage_pid_files() to allow manage also dirs
+- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
+- Add new interface bind_map_dnssec_keys()
+- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
+- Allow redis_t domain to read public sssd files
+- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
+- Allow confined users to login via cockpit
+- Allow nfsd_t domain to do chroot becasue of new version of nfsd
+- Add gpg_agent_roles to system_r roles
+- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
+- Allow rhsmcertd_t domain to manage rpm cache
+- Allow sbd_t domain to read tmpfs_t symlinks
+- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
+- Allow kadmind_t domain to read home config data
+- Allow sbd_t domain to readwrite cgroups
+- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
+- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
+- Allow certmonger_t domain to manage named cache files/dirs
+- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
+- Allow crack_t domain read /et/passwd files
+- Label fontconfig cache and config files and directories BZ(1659905)
+- Allow dhcpc_t domain to manage network manager pid files
+- Label /usr/sbin/nft as iptables_exec_t
+- Allow userdomain
attribute to manage cockpit_ws_t stream sockets
+- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
+- Add interface ssh_agent_signal()
+
+* Thu May 30 2019 Lukas Vrabec - 3.14.4-20
+- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
+- Allow spamd_update_t to exec itsef
+- Fix broken logwatch SELinux module
+- Allow logwatch_mail_t to manage logwatch cache files/dirs
+- Update wireshark_t domain to use several sockets
+- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
+
+* Mon May 27 2019 Lukas Vrabec - 3.14.4-19
+- Fix bind_read_cache() interface to allow only read perms to caller domains
+- [speech-dispatcher.if] m4 macro names can not have - in them
+- Grant varnishlog_t access to varnishd_etc_t
+- Allow nrpe_t domain to read process state of systemd_logind_t
+- Allow mongod_t domain to connect on https port BZ(1711922)
+- Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets
+- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
+- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
+- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
+- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
+- Make boinc_var_lib_t mountpoint BZ(1711682)
+- Allow wireshark_t domain to create fifo temp files
+- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
+- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains.
BZ(1677484)
+- Fix typo in gpg SELinux module
+- Update gpg policy to make ti working with confined users
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+- Add dac_override capability to namespace_init_t domain
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+- Allow nrpe_t domain to be dbus cliennt
+- Add interface sssd_signull()
+- Build in parallel on Travis
+- Fix parallel build of the policy
+- Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t"
+- Add interface systemd_logind_read_state()
+- Fix find commands in Makefiles
+- Allow systemd-timesyncd to read network state BZ(1694272)
+- Update userdomains to allow confined users to create gpg keys
+- Allow associate all filesystem_types with fs_t
+- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
+- Allow init_t to manage session_dbusd_tmp_t dirs
+- Allow systemd_gpt_generator_t to read/write to clearance
+- Allow su_domain_type to getattr to /dev/gpmctl
+- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
+
+* Fri May 17 2019 Lukas Vrabec - 3.14.4-18
+- Fix typo in gpg SELinux module
+- Update gpg policy to make ti working with confined users
+- Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
+- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
+- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
+- Add dac_override capability to namespace_init_t
domain
+- Label /usr/sbin/corosync-qdevice as cluster_exec_t
+- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
+- Label /usr/libexec/dnf-utils as debuginfo_exec_t
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+- Allow nrpe_t domain to be dbus cliennt
+- Add interface sssd_signull()
+- Label /usr/bin/tshark as wireshark_exec_t
+- Update userdomains to allow confined users to create gpg keys
+- Allow associate all filesystem_types with fs_t
+- Dontaudit syslogd_t using kill in unamespaces BZ(1711122)
+- Allow init_t to manage session_dbusd_tmp_t dirs
+- Allow systemd_gpt_generator_t to read/write to clearance
+- Allow su_domain_type to getattr to /dev/gpmctl
+- Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
+
+* Fri May 17 2019 Lukas Vrabec - 3.14.4-17
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+- Allow nrpe_t domain to be dbus cliennt
+- Add interface sssd_signull()
+- Label /usr/bin/tshark as wireshark_exec_t
+- Fix typo in dbus_role_template()
+- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
+- Allow userdomains dbus domain to execute dbus broker.
BZ(1710113)
+- Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572)
+- Allow virt domains to access xserver devices BZ(1705685)
+- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
+- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
+- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
+- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
+- Allow gpsd_t domain to read udev db BZ(1709025)
+- Add sys_ptrace capaiblity for namespace_init_t domain
+- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
+- Allow rhsmcertd_t domain to read rpm cache files
+- Label /efi same as /boot/efi boot_t BZ(1571962)
+- Allow transition from udev_t to tlp_t BZ(1705246)
+- Remove initrc_exec_t for /usr/sbin/apachectl file
+
+* Fri May 03 2019 Lukas Vrabec - 3.14.4-16
+- Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
+
+* Thu May 02 2019 Lukas Vrabec - 3.14.4-15
+- Allow iscsid_t domain to mmap modules_dep_t files
+- Allow ngaios to use chown capability
+- Dontaudit gpg_domain to create netlink_audit sockets
+- Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type.
BZ(1704251)
+- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
+- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
+- Update domain_can_mmap_files() boolean to allow also mmap lnk files
+- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
+
+* Fri Apr 26 2019 Lukas Vrabec - 3.14.4-14
+- Allow transition from cockpit_session to unpriv user domains
+
+* Thu Apr 25 2019 Lukas Vrabec - 3.14.4-13
+- Introduce deny_bluetooth boolean
+- Allow greylist_milter_t to read network system state BZ(1702672)
+- Allow freeipmi domains to mmap freeipmi_var_cache_t files
+- Allow rhsmcertd_t and rpm_t domains to chat over dbus
+- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
+- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
+- Add new interface boltd_dbus_chat()
+- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
+- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
+- Allow cockpit_ws_t domain to set limits BZ(1701703)
+- Update Nagios policy when sudo is used
+- Deamon rhsmcertd is able to install certs for docker again
+- Introduce deny_bluetooth boolean
+- Don't allow a container to connect to random services
+- Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
+- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
+- Allow unconfined_t to use bpf tools
+- Allow x_userdomains to communicate with boltd daemon over dbus
+
+* Fri Apr 19 2019 Lukas Vrabec - 3.14.4-12
+- Fix typo in cups SELinux policy
+- Allow iscsid_t to read modules deps BZ(1700245)
+- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
+- Allow httpd_rotatelogs_t to execute generic binaries
+- Update system_dbus policy because of dbus-broker-20-2
+- Allow httpd_t doman to read/write /dev/zero device BZ(1700758)
+- Allow tlp_t domain to read module deps files BZ(1699459)
+- Add file context for /usr/lib/dotnet/dotnet
+- Update dev_rw_zero() interface by adding map permission
+- Allow bounded transition for executing init scripts
+
+* Fri Apr 12 2019 Lukas Vrabec - 3.14.4-11
+- Allow mongod_t domain to lsearch in cgroups BZ(1698743)
+- Allow rngd communication with pcscd BZ(1679217)
+- Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)
+- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t.
+- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service + +* Tue Apr 09 2019 Lukas Vrabec - 3.14.4-10 +- Allow systemd_modules_load to read modules_dep_t files +- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667) + +* Mon Apr 08 2019 Lukas Vrabec - 3.14.4-9 +- Merge #18 `Add check for config file consistency` +- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943) +- Fix typo in rhsmcertd SELinux module +- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files +- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t +- Allow unconfined users to use vsock unlabeled sockets +- Add interface kernel_rw_unlabeled_vsock_socket() +- Allow unconfined users to use smc unlabeled sockets +- Add interface kernel_rw_unlabeled_smc_socket +- Allow systemd_resolved_t domain to read system network state BZ(1697039) +- Allow systemd to mounton kernel sysctls BZ(1696201) +- Add interface kernel_mounton_kernel_sysctl() BZ(1696201) +- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201 + +* Fri Apr 05 2019 Lukas Vrabec - 3.14.4-8 +- Allow systemd to mounton several systemd direstory to increase security of systemd +Resolves: rhbz#1696201 + +* Wed Apr 03 2019 Lukas Vrabec - 3.14.4-7 +- Allow fontconfig file transition for xguest_u user +- Add gnome_filetrans_fontconfig_home_content interface +- Add permissions needed by systemd's machinectl shell/login +- Update SELinux policy for xen services +- Add dac_override capability for kdumpctl_t process domain +- Allow chronyd_t domain to exec shell +- Fix varnisncsa typo +- Allow init start freenx-server BZ(1678025) +- Create logrotate_use_fusefs boolean +- Add tcpd_wrapped_domain for telnetd BZ(1676940) +- Allow tcpd bind to services ports BZ(1676940) +- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label 
mysqld_var_run_t
+- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
+- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
+- Allow esmtp access .esmtprc BZ(1691149)
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide
+- Allow tlp_t domain to read nvme block devices BZ(1692154)
+- Add support for smart card authentication in cockpit BZ(1690444)
+- Add permissions needed by systemd's machinectl shell/login
+- Allow kmod_t domain to mmap modules_dep_t files.
+- Allow systemd_machined_t dac_override capability BZ(1670787)
+- Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files
+- Allow unconfined_domain_type to use bpf tools BZ(1694115)
+- Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)"
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
+- Allow unconfined_domain_type to use bpf tools BZ(1694115)
+- Allow init_t read mnt_t symlinks BZ(1637070)
+- Update dev_filetrans_all_named_dev() interface
+- Allow xdm_t domain to execmod temp files BZ(1686675)
+- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
+- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
+- Allow confined users labeled as staff_t to run iptables.
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
+- Allow xdm_t domain to create own tmp files BZ(1686675)
+- Add miscfiles_dontaudit_map_generic_certs interface.
+
+* Sat Mar 23 2019 Lukas Vrabec - 3.14.4-6
+- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
+- Allow fail2ban execute journalctl BZ(1689034)
+- Update sudodomains to make working confined users run sudo/su
+- Introduce new boolean unconfined_dyntrans_all.
+- Allow iptables_t domain to read NetworkManager state BZ(1690881) + +* Tue Mar 19 2019 Lukas Vrabec - 3.14.4-5 +- Update xen SELinux module +- Improve labeling for PCP plugins +- Allow varnishd_t domain to read sysfs_t files +- Update vmtools policy +- Allow virt_qemu_ga_t domain to read udev_var_run_t files +- Update nagios_run_sudo boolean with few allow rules related to accessing sssd +- Update file context for modutils rhbz#1689975 +- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293 +- Grant permissions for onloadfs files of all classes. +- Allow all domains to send dbus msgs to vmtools_unconfined_t processes +- Label /dev/pkey as crypt_device_t +- Allow sudodomains to write to systemd_logind_sessions_t pipes. +- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. + +* Tue Mar 12 2019 Lukas Vrabec - 3.14.4-4 +- Update vmtools policy +- Allow virt_qemu_ga_t domain to read udev_var_run_t files +- Update nagios_run_sudo boolean with few allow rules related to accessing sssd +- Update travis CI to install selinux-policy dependencies without checking for gpg check +- Allow journalctl_t domain to mmap syslogd_var_run_t files +- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046 +- Allow sbd_t domain to bypass permission checks for sending signals +- Allow sbd_t domain read/write all sysctls +- Allow kpatch_t domain to communicate with policykit_t domsin over dbus +- Allow boltd_t to stream connect to sytem dbus +- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820) +- Allow all domains to send dbus msgs to vmtools_unconfined_t processes +- Label /dev/pkey as crypt_device_t +- Allow sudodomains to write to systemd_logind_sessions_t pipes. +- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. 
+- Allow ifconfig_t domain to read /dev/random BZ(1687516) +- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660 +- Update travis CI to install selinux-policy dependencies without checking for gpg check +- Label /usr/sbin/nodm as xdm_exec_t same as other display managers +- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin +- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221 +- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process. + +* Wed Feb 27 2019 Lukas Vrabec - 3.14.4-3 +- Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts. +Resolves: rhbz#1683365 + +* Tue Feb 26 2019 Lukas Vrabec - 3.14.4-2 +- Merge insmod_t, depmod_t and update_modules_t do kmod_t + +* Mon Feb 25 2019 Lukas Vrabec - 3.14.4-1 +- Allow openvpn_t domain to set capability BZ(1680276) +- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on +- Allow chronyd_t domain to send data over dgram socket +- Add rolekit_dgram_send() interface +- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? 
and /var/run/motd as pam_var_run_t + +* Thu Feb 14 2019 Lukas Vrabec - 3.14.3-22 +- Allow dovecot_t domain to connect to mysql db +- Add dac_override capability for sbd_t SELinux domain +- Add dac_override capability for spamd_update_t domain +- Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface + +* Tue Feb 12 2019 Lukas Vrabec - 3.14.3-21 +- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243 +- Allow ddclient_t to setcap Resolves: rhbz#1674298 +- Add dac_override capability to vpnc_t domain +- Add dac_override capability to spamd_t domain +- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run +- Allow read network state of system for processes labeled as ibacm_t +- Allow ibacm_t domain to send dgram sockets to kernel processes +- Allow dovecot_t to connect to MySQL UNIX socket +- Fix CI for use on forks +- Fix typo bug in sensord policy +- Update ibacm_t policy after testing lastest version of this component +- Allow sensord_t domain to mmap own log files +- Allow virt_doamin to read/write dev device +- Add dac_override capability for ipa_helper_t +- Update policy with multiple allow rules to make working installing VM in MLS policy +- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - 
Allow systemd-journald to receive messages including a memfd + +* Sat Feb 02 2019 Lukas Vrabec - 3.14.3-20 +- Allow sensord_t domain to use nsswitch and execute shell +- Allow opafm_t domain to execute lib_t files +- Allow opafm_t domain to manage kdump_crash_t files and dirs +- Allow virt domains to read/write cephfs filesystems +- Allow virtual machine to write to fixed_disk_device_t +- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585 +- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t +- Allow vhostmd_t read libvirt configuration files +- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains +- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u + +* Tue Jan 29 2019 Lukas Vrabec - 3.14.3-19 +- Add new xdp_socket class +- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains +- Allow boltd_t domain to read cache_home_t files BZ(1669911) +- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912) +- Allow gpg_agent_t to create own tmpfs dirs and sockets +- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572) +- Add multiple interfaces for vpnc interface file +- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702) +- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). 
See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp). +- Allow gssd_t domain to manage kernel keyrings of every domain. +- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain." +- Allow plymouthd_t search efivarfs directory BZ(1664143) + +* Tue Jan 15 2019 Lukas Vrabec - 3.14.3-18 +- Allow plymouthd_t search efivarfs directory BZ(1664143) +- Allow arpwatch send e-mail notifications BZ(1657327) +- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t +- Allow gssd_t domain to read/write kernel keyrings of every domain. +- Allow systemd_timedated_t domain nnp_transition BZ(1666222) +- Add the fs_search_efivarfs_dir interface +- Create tangd_port_t with default label tcp/7406 +- Add interface domain_rw_all_domains_keyrings() +- Some of the selinux-policy macros doesn't work in chroots/initial installs. 
BZ(1665643)
+
+* Fri Jan 11 2019 Lukas Vrabec - 3.14.3-17
+- Allow staff_t domain to read read_binfmt_misc filesystem
+- Add interface fs_read_binfmt_misc()
+- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
+
+* Fri Jan 11 2019 Lukas Vrabec - 3.14.3-16
+- Allow sensord_t to execute own binary files
+- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
+- Allow virtd_lxc_t domains use BPF BZ(1662613)
+- Allow openvpn_t domain to read systemd state BZ(1661065)
+- Dontaudit ptrace all domains for blueman_t BZ(1653671)
+- Used correct renamed interface for imapd_t domain
+- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
+- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
+- Add dac_override capability to spamd_t domain BZ(1645667)
+- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
+- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
+- Specify recipients that will be notified about build CI results.
+- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
+- Add dac_override capability for snapperd_t domain BZ(1619356)
+- Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain.
+- Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
+- Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio
+- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
+- Add new interface: rpm_script_signal()
+- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
+- Make workin: systemd-run --system --pty bash BZ(1647162)
+- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
+- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
+- Specify recipients that will be notified about build CI results.
+- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
+- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
+- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
+- Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
+
+* Sun Dec 16 2018 Lukas Vrabec - 3.14.3-15
+- Add macro-expander script to selinux-policy-devel package
+
+* Thu Dec 06 2018 Lukas Vrabec - 3.14.3-14
+- Remove all ganesha bits from gluster and rpc policy
+- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
+- Add dac_override capability to ssad_t domains
+- Allow pesign_t domain to read gnome home configs
+- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
+- Allow rngd_t domains read kernel state
+- Allow certmonger_t domains to read bind cache
+- Allow ypbind_t domain to stream connect to sssd
+- Allow rngd_t domain to setsched
+- Allow sanlock_t domain to read/write sysfs_t files
+- Add dac_override capability to postfix_local_t domain
+- Allow ypbind_t to search sssd_var_lib_t dirs
+- Allow virt_qemu_ga_t domain to write to user_tmp_t files
+- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
+- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
+- Add new interface sssd_signal()
+- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
+- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
+- Add sys_resource capability to the systemd_passwd_agent_t domain
+- Allow ipsec_t domains to read bind cache
+- kernel/files.fc: Label /run/motd as etc_t
+- Allow systemd to stream connect to userdomain processes
+- Label /var/lib/private/systemd/ as init_var_lib_t
+- Allow initrc_t domain to create new socket labeled as init_T
+- Allow
audisp_remote_t domain remote logging client to read local audit events from relevant socket.
+- Add tracefs_t type to mountpoint attribute
+- Allow useradd_t and groupadd_t domains to send signals to sssd_t
+- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
+- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
+
+* Wed Nov 07 2018 Lukas Vrabec - 3.14.3-13
+- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
+- Add dac_override capability to mdadm_t domain
+- Create ibacm_tmpfs_t type for the ibacm policy
+- Dontaudit capability sys_admin for dhcpd_t domain
+- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
+- Allow abrt_t domain to mmap generic tmp_t files
+- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
+- Allow sandbox_xserver_t domain write to user_tmp_t files
+- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
+- Add interface files_map_generic_tmp_files()
+- Add dac_override capability to the syslogd_t domain
+- Create systemd_timedated_var_run_t label
+- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
+- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
+
+* Sun Nov 04 2018 Lukas Vrabec - 3.14.3-12
+- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
+- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
+- Add dac_override capability to postgrey_t domain BZ(1638954)
+- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
+- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
+- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
+- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t 
files BZ(1630675)
+- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
+
+* Sun Nov 04 2018 Lukas Vrabec - 3.14.3-11
+- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
+- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
+- Add dac_override capability to ftpd_t domain
+- Allow gpg_t to create own tmpfs dirs and sockets
+- Allow rhsmcertd_t domain to relabel cert_t files
+- Add SELinux policy for kpatch
+- Allow nova_t domain to use pam
+- sysstat: grant sysstat_t the search_dir_perms set
+- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
+- Allow systemd_logind_t to read fixed dist device BZ(1645631)
+- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
+- Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981)
+- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
+- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
+- Allow X display manager to check status and reload services which are part of x_domain attribute
+- Add interface miscfiles_relabel_generic_cert()
+- Make kpatch policy active
+- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
+- Dontaudit sys_admin capability for netutils_t domain
+- Label tcp and udp ports 2611 as qpasa_agent_port_t
+
+* Tue Oct 16 2018 Lukas Vrabec - 3.14.3-10
+- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
+
+* Mon Oct 15 2018 Lukas Vrabec - 3.14.3-9
+- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
+- Add interface cron_system_spool_entrypoint()
+- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
+- Add interfaces for boltd SELinux module
+- Add dac_override capability to modemmanager_t domain BZ(1636608)
+- Allow 
systemd to mount boltd_var_run_t dirs BZ(1636823)
+- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
+
+* Sat Oct 13 2018 Lukas Vrabec - 3.14.3-8
+- ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
+
+* Sat Oct 13 2018 Lukas Vrabec - 3.14.3-7
+- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
+
+* Tue Oct 09 2018 Lukas Vrabec - 3.14.3-6
+- Allow boltd_t to be activated by init socket activation
+- Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803)
+- Update SELinux policy for libreswan based on the latest rebase 3.26
+- Fix typo in init_named_socket_activation interface
+
+* Thu Oct 04 2018 Lukas Vrabec - 3.14.3-5
+- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
+- Fix typo in boltd.te policy
+- Allow fail2ban_t domain to mmap journal
+- Add kill capability to named_t domain
+- Allow neutron domain to read/write /var/run/utmp
+- Create boltd_var_run_t type for boltd pid files
+- Allow tomcat_domain to read /dev/random
+- Allow neutron_t domain to use pam
+- Add the port used by nsca (Nagios Service Check Acceptor)
+
+* Mon Sep 24 2018 Lukas Vrabec - 3.14.3-4
+- Update sources to include SELinux policy for containers
+
+* Thu Sep 20 2018 Lukas Vrabec - 3.14.3-3
+- Allow certmonger to manage cockpit_var_run_t pid files
+- Allow cockpit_ws_t domain to manage cockpit services
+- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
+- Add interface apache_read_tmp_dirs()
+- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
+- Add interface apcupsd_read_power_files()
+- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
+- Allow dac_override capability to amanda_t domain
+- Allow geoclue_t domain to get attributes of fs_t filesystems
+- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
+- 
Allow cockpit_t domain to read systemd state
+- Allow abrt_t domain to write to usr_t files
+- Allow cockpit to create motd file in /var/run/cockpit
+- Label /usr/sbin/pcsd as cluster_exec_t
+- Allow pesign_t domain to getattr all fs
+- Allow tomcat servers to manage usr_t files
+- Dontaudit tomcat serves to append to /dev/random device
+- Allow dirsrvadmin_script_t domain to read httpd tmp files
+- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
+- Fix path where are sources for CI
+- Revert "Allow firewalld_t domain to read random device"
+- Add travis CI for selinux-policy-contrib repo
+- Allow postfix domains to mmap system db files
+- Allow geoclue_t domain to execute own tmp files
+- Update ibacm_read_pid_files interface to allow also reading link files
+- Allow zebra_t domain to create packet_sockets
+- Allow opafm_t domain to list sysfs
+- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
+- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
+- Allow chronyd_t domain to read virt_var_lib_t files
+- Allow systemd to read apcupsd power files
+- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Allow systemd_resolved_t domain to bind on udp howl port
+- Add new boolean use_virtualbox Resolves: rhbz#1510478
+- Allow sshd_t domain to read cockpit pid files
+- Allow syslogd_t domain to manage cert_t files
+- Fix path where are sources for CI
+- Add travis.yml to to create CI for selinux-policy sources
+- Allow getattr as part of files_mounton_kernel_symbol_table.
+- Fix typo "aduit" -> "audit"
+- Revert "Add new interface dev_map_userio()"
+- Add new interface dev_map_userio()
+- Allow systemd to read ibacm pid files
+
+* Thu Sep 06 2018 Lukas Vrabec - 3.14.3-2
+- Allow tomcat services create link file in /tmp
+- Label /etc/shorewall6 as shorewall_etc_t
+- Allow winbind_t domain kill in user namespaces
+- Allow firewalld_t domain to read random device
+- Allow abrt_t domain to do execmem
+- Allow geoclue_t domain to execute own var_lib_t files
+- Allow openfortivpn_t domain to read system network state
+- Allow dnsmasq_t domain to read networkmanager lib files
+- sssd: Allow to limit capabilities using libcap
+- sssd: Remove unnecessary capability
+- sssd: Do not audit usage of lib nss_systemd.so
+- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
+- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
+- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
+- Allow exim_t domain to mmap bin files
+- Allow mysqld_t domain to executed with nnp transition
+- Allow svirt_t domain to mmap svirt_image_t block files
+- Add caps dac_read_search and dav_override to pesign_t domain
+- Allow iscsid_t domain to mmap userio chr files
+- Add read interfaces for mysqld_log_t that was added in commit df832bf
+- Allow boltd_t to dbus chat with xdm_t
+- Conntrackd need to load kernel module to work
+- Allow mysqld sys_nice capability
+- Update boltd policy based on SELinux denials from rhbz#1607974
+- Allow systemd to create symlinks in for /var/lib
+- Add comment to show that template call also allows changing shells
+- Document userdom_change_password_template() behaviour
+- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
+- Fix typo in logging SELinux module
+- Allow usertype to mmap user_tmp_type files
+- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch 
fixing this issue
+- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
+- Add boolean: domain_can_mmap_files.
+- Allow ipsec_t domian to mmap own tmp files
+- Add .gitignore file
+- Add execute_no_trans permission to mmap_exec_file_perms pattern
+- Allow sudodomain to search caller domain proc info
+- Allow audisp_remote_t domain to read auditd_etc_t
+- netlabel: Remove unnecessary sssd nsswitch related macros
+- Allow to use sss module in auth_use_nsswitch
+- Limit communication with init_t over dbus
+- Add actual modules.conf to the git repo
+- Add few interfaces to optional block
+- Allow sysadm_t and staff_t domain to manage systemd unit files
+- Add interface dev_map_userio_dev()
+
+* Tue Aug 28 2018 Lukas Vrabec - 3.14.3-1
+- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
+- Add interface devicekit_mounton_var_lib()
+- Allow httpd_t domain to mmap tmp files
+- Allow tcsd_t domain to have dac_override capability
+- Allow cupsd_t to rename cupsd_etc_t files
+- Allow iptables_t domain to create rawip sockets
+- Allow amanda_t domain to mmap own tmpfs files
+- Allow fcoemon_t domain to write to sysfs_t dirs
+- Allow dovecot_auth_t domain to have dac_override capability
+- Allow geoclue_t domain to mmap own tmp files
+- Allow chronyc_t domain to read network state
+- Allow apcupsd_t domain to execute itself
+- Allow modemmanager_t domain to stream connect to sssd
+- Allow chonyc_t domain to rw userdomain pipes
+- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
+- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
+- Allow nagios_script_t domain to mmap nagios_spool_t files
+- Allow geoclue_t domain to mmap geoclue_var_lib_t files
+- Allow geoclue_t domain to map generic certs
+- Update munin_manage_var_lib_files to allow manage also dirs
+- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
+- Fix typo in virt 
SELinux policy module
+- Allow virtd_t domain to create netlink_socket
+- Allow rpm_t domain to write to audit
+- Allow nagios_script_t domain to mmap nagios_etc_t files
+- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
+- Allow kdumpctl_t domain to getattr fixed disk device in mls
+- Fix typo in stapserver policy
+- Dontaudit abrt_t domain to write to usr_t dirs
+- Revert "Allow rpcbind to bind on all unreserved udp ports"
+- Allow rpcbind to bind on all unreserved udp ports
+- Allow virtlogd to execute itself
+- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
+- Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs
+- Allos systemd to socket activate ibacm service
+- Allow dirsrv_t domain to mmap user_t files
+- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
+- Allow kdumpctl to write to files on all levels
+- Allow httpd_t domain to mmap httpd_config_t files
+- Allow sanlock_t domain to connectto to unix_stream_socket
+- Revert "Add same context for symlink as binary"
+- Allow mysql execute rsync
+- Update nfsd_t policy because of ganesha features
+- Allow conman to getattr devpts_t
+- Allow tomcat_domain to connect to smtp ports
+- Allow tomcat_t domain to mmap tomcat_var_lib_t files
+- Allow nagios_t domain to mmap nagios_log_t files
+- Allow kpropd_t domain to mmap krb5kdc_principal_t files
+- Allow kdumpctl_t domain to read fixed disk storage
+- Fix issue with aliases in apache interface file
+- Add same context for symlink as binary
+- Allow boltd_t to send logs to journal
+- Allow colord_use_nfs to allow colord also mmap nfs_t files
+- Allow mysqld_safe_t do execute itself
+- Allow smbd_t domain to chat via dbus with avahi daemon
+- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
+- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
+- Add alias 
httpd__script_t to _script_t to make sepolicy generate working
+- Allow dhcpc_t domain to read /dev/random
+- Allow systemd to mounton kernel system table
+- Allow systemd to mounton device_var_lib_t dirs
+- Label also chr_file /dev/mtd.* devices as fixed_disk_device_t
+- Allow syslogd_t domain to create netlink generic sockets
+- Label /dev/tpmrm[0-9]* as tpm_device_t
+- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
+- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
+- Allow insmod_t domain to read iptables pid files
+- Allow systemd to mounton /etc
+- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
+- Allow xserver_t domain to start using systemd socket activation
+- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature
+- Associate several proc labels to fs_t
+- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run
+- Fix typo in syslogd policy
+- Update syslogd policy to make working elasticsearch
+- Label tcp and udp ports 9200 as wap_wsp_port
+- Allow few domains to rw inherited kdumpctl tmp pipes
+- label /var/lib/pgsql/data/log as postgresql_log_t
+- Allow sysadm_t domain to accept socket
+- Allow systemd to manage passwd_file_t
+
+* Fri Aug 10 2018 Lukas Vrabec - 3.14.2-32
+- Fix issue with aliases in apache interface file
+- Add same context for symlink as binary
+- Allow boltd_t to send logs to journal
+- Allow colord_use_nfs to allow colord also mmap nfs_t files
+- Allow mysqld_safe_t do execute itself
+- Allow smbd_t domain to chat via dbus with avahi daemon
+- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
+- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
+- Add alias httpd__script_t to _script_t to make sepolicy generate working
+- Allow gpg_t domain to mmap gpg_agent_tmp_t files
+- label 
/var/lib/pgsql/data/log as postgresql_log_t
+- Allow sysadm_t domain to accept socket
+- Allow systemd to manage passwd_file_t
+- Allow sshd_t domain to mmap user_tmp_t files
+
+* Tue Aug 07 2018 Lukas Vrabec - 3.14.2-31
+- Allow kprop_t domain to read network state
+- Add support boltd policy
+- Allow kpropd domain to exec itself
+- Allow pdns_t to bind on tcp transproxy port
+- Add support for opafm service
+- Allow hsqldb_t domain to read cgroup files
+- Allow rngd_t domain to read generic certs
+- Allow innd_t domain to mmap own var_lib_t files
+- Update screen_role_temaplate interface
+- Allow chronyd_t domain to mmap own tmpfs files
+- Allow sblim_sfcbd_t domain to mmap own tmpfs files
+- Allow systemd to mounont boltd lib dirs
+- Allow sysadm_t domain to create rawip sockets
+- Allow sysadm_t domain to listen on socket
+- Update sudo_role_template() to allow caller domain also setattr generic ptys
+- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
+
+* Sun Jul 29 2018 Lukas Vrabec - 3.14.2-30
+- Allow sblim_sfcbd_t domain to mmap own tmpfs files
+- Allow nfsd_t domain to read krb5 keytab files
+- Allow nfsd_t domain to manage fadm pid files
+- Allow virt_domain to create icmp sockets BZ(1609142)
+- Dontaudit oracleasm_t domain to request sys_admin capability
+- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
+
+* Wed Jul 25 2018 Lukas Vrabec - 3.14.2-29
+- Allow aide to mmap all files
+- Revert "Allow firewalld to create rawip sockets"
+- Revert "Allow firewalld_t do read iptables_var_run_t files"
+- Allow svirt_tcg_t domain to read system state of virtd_t domains
+- Update rhcs contexts to reflects the latest fenced changes
+- Allow httpd_t domain to rw user_tmp_t files
+- Fix typo in openct policy
+- Allow winbind_t domian to connect to all ephemeral ports
+- Allow firewalld_t do read iptables_var_run_t files
+- Allow abrt_t domain to mmap data_home files
+- Allow glusterd_t domain to 
mmap user_tmp_t files
+- Allow mongodb_t domain to mmap own var_lib_t files
+- Allow firewalld to read kernel usermodehelper state
+- Allow modemmanager_t to read sssd public files
+- Allow openct_t domain to mmap own var_run_t files
+- Allow nnp transition for devicekit daemons
+- Allow firewalld to create rawip sockets
+- Allow firewalld to getattr proc filesystem
+- Dontaudit sys_admin capability for pcscd_t domain
+- Revert "Allow pcsd_t domain sys_admin capability"
+- Allow fetchmail_t domain to stream connect to sssd
+- Allow pcsd_t domain sys_admin capability
+- Allow cupsd_t to create cupsd_etc_t dirs
+- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
+- Allow mongodb_t domain to read system network state BZ(1599230)
+- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
+- Allow iscsid_t domain to mmap sysfs_t files
+- Allow httpd_t domain to mmap own cache files
+- Add sys_resource capability to nslcd_t domain
+- Fixed typo in logging_audisp_domain interface
+- Add interface files_mmap_all_files()
+- Add interface iptables_read_var_run()
+- Allow systemd to mounton init_var_run_t files
+- Update policy rules for auditd_t based on changes in audit version 3
+- Allow systemd_tmpfiles_t do mmap system db files
+- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
+- Improve domain_transition_pattern to allow mmap entrypoint bin file.
+- Don't setup unlabeled_t as an entry_type
+- Allow unconfined_service_t to transition to container_runtime_t
+
+* Wed Jul 18 2018 Lukas Vrabec - 3.14.2-28
+- Allow cupsd_t domain to mmap cupsd_etc_t files
+- Allow kadmind_t domain to mmap krb5kdc_principal_t
+- Allow virtlogd_t domain to read virt_etc_t link files
+- Allow dirsrv_t domain to read crack db
+- Dontaudit pegasus_t to require sys_admin capability
+- Allow mysqld_t domain to exec mysqld_exec_t binary files
+- Allow abrt_t odmain to read rhsmcertd lib files
+- Allow winbind_t domain to request kernel module loads
+- Allow tomcat_domain to read cgroup_t files
+- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
+- Allow innd_t domain to mmap news_spool_t files
+- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
+- Allow fenced_t domain to reboot
+- Allow amanda_t domain to read network system state
+- Allow abrt_t domain to read rhsmcertd logs
+- Fix typo in radius policy
+- Update zoneminder policy to reflect latest features in zoneminder BZ(1592555)
+- Label /usr/bin/esmtp-wrapper as sendmail_exec_t
+- Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files
+- Dontaudit thumb to read mmap_min_addr
+- Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904)
+- Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443)
+- Allow collectd_t domain to use ecryptfs files BZ(1592640)
+- Dontaudit mmap home type files for abrt_t domain
+- Allow fprintd_t domain creating own tmp files BZ(1590686)
+- Allow collectd_t domain to bind on bacula_port_t BZ(1590830)
+- Allow fail2ban_t domain to getpgid BZ(1591421)
+- Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808)
+- Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap
+- Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458)
+- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
+- Allow radiusd_t domain to mmap 
radius_etc_rw_t files
+- Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729)
+- Add dac_read_search capability to thumb_t domain
+- Add dac_override capability to cups_pdf_t domain BZ(1594271)
+- Add net_admin capability to connntrackd_t domain BZ(1594221)
+- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
+- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
+- Allow motion_t to mmap video devices BZ(1590446)
+- Add dac_override capability to mpd_t domain BZ(1585358)
+- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
+- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
+- Allow sssd_t domain to write to general cert files BZ(1589339)
+- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
+- Allow cockpit_session_t to read kernel network state BZ(1596941)
+- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
+- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
+- Allow chronyc_t domain to use nscd shm
+- Label /var/lib/tomcats dir as tomcat_var_lib_t
+- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
+- Add ibacm policy
+- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
+- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t
+- Dontaudit syslogd to watching top llevel dirs when imfile module is enabled
+- Allow userdomain sudo domains to use generic ptys
+- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
+- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)
+- Remove duplicated userdom_delete_user_home_content_files
+- Merge pull request #216 from rhatdan/resolved
+- Allow load_policy_t domain to read/write to systemd sockets BZ(1582812)
+- Add new interface init_prog_run_bpf()
+- Allow unconfined and sysadm users to use bpftool BZ(1591440)
+- 
Label /run/cockpit/motd as etc_t BZ(1584167)
+- Allow systemd_machined_t domain to sendto syslogd_t over unix dgram sockets
+- Add interface userdom_dontaudit_mmap_user_home_content_files()
+- Allow systemd to listen bluetooth sockets BZ(1592223)
+- Allow systemd to remove user_home_t files BZ(1418463)
+- Allow xdm_t domain to mmap and read cert_t files BZ(1553761)
+- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)
+- Allow systemd to delete user temp files BZ(1595189)
+- Allow systemd to mounton core kernel interface
+- Add dac_override capability to ipsec_t domain BZ(1589534)
+- Allow systemd domain to mmap lvm config files BZ(1594584)
+- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
+- Allows systemd to get attribues of core kernel interface BZ(1596928)
+- Allow systemd_modules_load_t to access unabeled infiniband pkeys
+- Add systemd_dbus_chat_resolved interface
+- Allow init_t domain to create netlink rdma sockets for ibacm policy
+- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
+- Allow lvm_t domain to write files to all mls levels
+- Add to su_role_template allow rule for creating netlink_selinux sockets
+
+* Sat Jul 14 2018 Fedora Release Engineering - 3.14.2-27
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 27 2018 Lukas Vrabec - 3.14.2-26
+- Allow psad domain to setrlimit.
Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
+- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
+- Allow abrt_t domain to write to rhsmcertd pid files
+- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control
+- Add vhostmd_t domain to read/write to svirt images
+- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
+- Allow sssd_t and slpad_t domains to mmap generic certs
+- Allow chronyc_t domain use inherited user ttys
+- Allow stapserver_t domain to mmap own tmp files
+- Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain
+- Merge pull request #60 from vmojzis/rawhide
+- Allow tangd_t domain stream connect to sssd
+- Allow oddjob_t domain to chat with systemd via dbus
+- Allow freeipmi domains to mmap sysfs files
+- Fix typo in logwatch interface file
+- Allow sysadm_t and staff_t domains to use sudo io logging
+- Allow sysadm_t domain create sctp sockets
+- Allow traceroute_t domain to exec bin_t binaries
+- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
+- Add new interface dev_map_sysfs()
+
+* Thu Jun 14 2018 Lukas Vrabec - 3.14.2-25
+- Merge pull request #60 from vmojzis/rawhide
+- Allow tangd_t domain stream connect to sssd
+- Allow oddjob_t domain to chat with systemd via dbus
+- Allow freeipmi domains to mmap sysfs files
+- Fix typo in logwatch interface file
+- Allow spamd_t to manage logwatch_cache_t files/dirs
+- Allow dnsmasw_t domain to create own tmp files and manage mnt files
+- Allow fail2ban_client_t to inherit rlimit information from parent process
+- Allow nscd_t to read kernel sysctls
+- Label /var/log/conman.d as conman_log_t
+- Add dac_override capability to tor_t domain
+- Allow certmonger_t to readwrite to user_tmp_t dirs
+- Allow abrt_upload_watch_t 
domain to read general certs
+- Allow chornyd_t read phc2sys_t shared memory
+- Add several allow rules for pesign policy:
+- Add setgid and setuid capabilities to mysqlfd_safe_t domain
+- Add tomcat_can_network_connect_db boolean
+- Update virt_use_sanlock() boolean to read sanlock state
+- Add sanlock_read_state() interface
+- Allow zoneminder_t to getattr of fs_t
+- Allow rhsmcertd_t domain to send signull to postgresql_t domain
+- Add log file type to collectd and allow corresponding access
+- Allow policykit_t domain to dbus chat with dhcpc_t
+- Allow traceroute_t domain to exec bin_t binaries
+- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
+- Add new interface dev_map_sysfs()
+- Allow sshd_keygen_t to execute plymouthd
+- Allow systemd_networkd_t create and relabel tun sockets
+- Add new interface postgresql_signull()
+
+* Tue Jun 12 2018 Lukas Vrabec - 3.14.2-24
+- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
+- Allow ntop_t domain to create/map various sockets/files.
+- Enable the dictd to communicate via D-bus.
+- Allow inetd_child process to chat via dbus with abrt
+- Allow zabbix_agent_t domain to connect to redis_port_t
+- Allow rhsmcertd_t domain to read xenfs_t files
+- Allow zabbix_agent_t to run zabbix scripts
+- Fix openvswith SELinux module
+- Fix wrong path in tlp context file BZ(1586329)
+- Update brltty SELinux module
+- Allow rabbitmq_t domain to create own tmp files/dirs
+- Allow policykit_t mmap policykit_auth_exec_t files
+- Allow ipmievd_t domain to read general certs
+- Add sys_ptrace capability to pcp_pmie_t domain
+- Allow squid domain to exec ldconfig
+- Update gpg SELinux policy module
+- Allow mailman_domain to read system network state
+- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
+- Allow antivirus_domain to read all domain system state
+- Allow targetd_t domain to red gconf_home_t files/dirs
+- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
+- Add interface nagios_unconfined_signull()
+- Fix typos in zabbix.te file
+- Add missing requires
+- Allow tomcat domain sends email
+- Fix typo in sge policy
+- Merge pull request #214 from wrabcak/fb-dhcpc
+- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
+- Allow confined users get AFS tokens
+- Allow sysadm_t domain to chat via dbus
+- Associate sysctl_kernel_t type with filesystem attribute
+- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
+- Fix typo in netutils.te file
+
+* Wed Jun 06 2018 Lukas Vrabec - 3.14.2-23
+- Add dac_override capability to sendmail_t domian
+
+* Wed Jun 06 2018 Lukas Vrabec - 3.14.2-22
+- Fix typo in authconfig policy
+- Update ctdb domain to support gNFS setup
+- Allow authconfig_t dbus chat with policykit
+- Allow lircd_t domain to read system state
+- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
+- Typo in uuidd policy
+- Allow tangd_t domain read certs
+- Allow vpnc_t domain to read 
configfs_t files/dirs BZ(1583107)
+- Allow vpnc_t domain to read generic certs BZ(1583100)
+- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
+- Allow NetworkManager_ssh_t domain to be system dbud client
+- Allow virt_qemu_ga_t read utmp
+- Add capability dac_override to system_mail_t domain
+- Update uuidd policy to reflect last changes from base branch
+- Add cap dac_override to procmail_t domain
+- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
+- Add new interface dbus_read_pid_sock_files()
+- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
+- Allow fsdaemon_t do send emails BZ(1582701)
+- Allow firewalld_t domain to request kernel module BZ(1573501)
+- Allow chronyd_t domain to send send msg via dgram socket BZ(1584757)
+- Add sys_admin capability to fprint_t SELinux domain
+- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
+- Allow cachefiles_kernel_t domain to have capability dac_override
+- Update policy for ypserv_t domain
+- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
+- Allow cyrus to have dac_override capability
+- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
+- Fix homedir polyinstantion under mls
+- Fixed typo in init.if file
+- Allow systemd to remove generic tmpt files BZ(1583144)
+- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
+- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
+- Fix typo in authlogin SELinux security module
+- Allod nsswitch_domain attribute to be system dbusd client BZ(1584632)
+- Allow audisp_t domain to mmap audisp_exec_t binary
+- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
+- Label tcp/udp ports 2612 as qpasa_agetn_port_t
+
+* Sat May 26 2018 Lukas Vrabec - 3.14.2-21
+- Add dac_override to exim policy 
BZ(1574303)
+- Fix typo in conntrackd.fc file
+- Allow sssd_t to kill sssd_selinux_manager_t
+- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
+- Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp
+- Allow policykit_auth_t to read udev db files BZ(1574419)
+- Allow varnishd_t do be dbus client BZ(1582251)
+- Allow cyrus_t domain to mmap own pid files BZ(1582183)
+- Allow user_mail_t domain to mmap etc_aliases_t files
+- Allow gkeyringd domains to run ssh agents
+- Allow gpg_pinentry_t domain read ssh state
+- Allow sysadm_u use xdm
+- Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495)
+- Add interface ssh_read_state()
+- Fix typo in sysnetwork.if file
+
+* Thu May 24 2018 Lukas Vrabec - 3.14.2-20
+- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
+- Allow mailman_mail_t domain to search for apache configs
+- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
+- Improve procmail_domtrans() to allow mmaping procmail_exec_t
+- Allow ptrace arbitrary processes
+- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
+- Allow certmonger to geattr of filesystems BZ(1578755)
+- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
+- Allow noatsecure permission for all domain transitions from systemd.
+- Allow systemd to read tangd db files
+- Fix typo in ssh.if file
+- Allow xdm_t domain to mmap xserver_misc_device_t files
+- Allow xdm_t domain to execute systemd-coredump binary
+- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
+- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
+- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
+- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
+- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
+- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
+- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
+
+* Tue May 22 2018 Lukas Vrabec - 3.14.2-19
+- Increase dependency versions of policycoreutils and checkpolicy packages
+
+* Mon May 21 2018 Lukas Vrabec - 3.14.2-18
+- Disable secure mode environment cleansing for dirsrv_t
+- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
+
+* Mon May 21 2018 Lukas Vrabec - 3.14.2-17
+- Add dac_override capability to remote_login_t domain
+- Allow chrome_sandbox_t to mmap tmp files
+- Update ulogd SELinux security policy
+- Allow rhsmcertd_t domain send signull to apache processes
+- Allow systemd socket activation for modemmanager
+- Allow geoclue to dbus chat with systemd
+- Fix file contexts on conntrackd policy
+- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
+- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
+- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
+- Allow nscd_t domain to be system dbusd client
+- Allow abrt_t domain to read sysctl
+- Add dac_read_search capability for tangd
+- Allow systemd socket activation for rshd domain
+- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
+- Allow kdump_t domain to map /boot files
+- Allow conntrackd_t domain to send msgs to syslog
+- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
+- Allow swnserve_t domain to stream connect to sasl domain
+- Allow smbcontrol_t to create dirs with samba_var_t label
+- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
+- Allow tangd to read public sssd files BZ(1509054)
+- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
+- Allow ctdb_t domain modify ctdb_exec_t files
+- Allow firewalld_t domain to create netlink_netfilter sockets
+- Allow radiusd_t domain to read network sysctls
+- Allow pegasus_t domain to mount tracefs_t filesystem
+- Allow create systemd to mount pid files
+- Add files_map_boot_files() interface
+- Remove execstack,execmem and execheap from domain fsadm_t to increase security.
BZ(1579760)
+- Fix typo xserver SELinux module
+- Allow systemd to mmap files with var_log_t label
+- Allow x_userdomains read/write to xserver session
+
+* Mon Apr 30 2018 Lukas Vrabec - 3.14.2-16
+- Allow systemd to mmap files with var_log_t label
+- Allow x_userdomains read/write to xserver session
+
+* Sat Apr 28 2018 Lukas Vrabec - 3.14.2-15
+- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
+
+* Fri Apr 27 2018 Lukas Vrabec - 3.14.2-14
+- Add dac_override capability to mailman_mail_t domain
+- Add dac_override capability to radvd_t domain
+- Update openvswitch policy
+- Add dac_override capability to oddjob_homedir_t domain
+- Allow slapd_t domain to mmap slapd_var_run_t files
+- Rename tang policy to tangd
+- Allow virtd_t domain to relabel virt_var_lib_t files
+- Allow logrotate_t domain to stop services via systemd
+- Add tang policy
+- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
+- Allow snapperd_t daemon to create unlabeled dirs.
+- Make httpd_var_run_t mountpoint
+- Allow hsqldb_t domain to mmap own temp files
+- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t.
Created aliasses to make it consistence
+- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
+- Add new Boolean tomcat_use_execmem
+- Allow nfsd_t domain to read/write sysctl fs files
+- Allow conman to read system state
+- Allow brltty_t domain to be dbusd system client
+- Allow zebra_t domain to bind on babel udp port
+- Allow freeipmi domain to read sysfs_t files
+- Allow targetd_t domain mmap lvm config files
+- Allow abrt_t domain to manage kdump crash files
+- Add capability dac_override to antivirus domain
+- Allow svirt_t domain mmap svirt_image_t files BZ(1514538)
+- Allow ftpd_t domain to chat with systemd
+- Allow systemd init named socket activation for uuidd policy
+- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
+- Allow l2tpd domain to stream connect to sssd BZ(1568160)
+- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
+- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
+- Allow certwatch to manage cert files BZ(1561418)
+- Merge pull request #53 from tmzullinger/rawhide
+- Merge pull request #52 from thetra0/rawhide
+- Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748)
+- Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files
+- Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851)
+- Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096)
+- Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on.
+- Allow pppd_t domain creating pppox sockets BZ(1566271)
+- Allow abrt to map var_lib_t files
+- Allow chronyc to read system state BZ(1565217)
+- Allow keepalived_t domain to chat with systemd via dbus
+- Allow git to mmap git_(sys|user)_content_t files BZ(1518027)
+- Allow netutils_t domain to create bluetooth sockets
+- Allow traceroute to bind on generic sctp node
+- Allow traceroute to search network sysctls
+- Allow systemd to use virtio console
+- Label /dev/op_panel and /dev/opal-prd as opal_device_t
+- Label /run/ebtables.lock as iptables_var_run_t
+- Allow udev_t domain to manage udev_rules_t char files.
+- Assign babel_port_t label to udp port 6696
+- Add new interface lvm_map_config
+- Merge pull request #212 from stlaz/patch-1
+- Allow local_login_t reads of udev_var_run_t context
+- Associate sysctl_crypto_t fs with fs_t BZ(1569313)
+- Label /dev/vhost-vsock char device as vhost_device_t
+- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels
+- Allow x userdomain to mmap xserver_tmpfs_t files
+- Allow sysadm_t to mount tracefs_t
+- Allow unconfined user all perms under bpf class BZ(1565738)
+- Allow SELinux users (except guest and xguest) to using bluetooth sockets
+- Add new interface files_map_var_lib_files()
+- Allow user_t and staff_t domains create netlink tcpdiag sockets
+- Allow systemd-networkd to read sysctl_t files
+- Allow systemd_networkd_t to read/write tun tap devices
+- refpolicy: Update for kernel sctp support
+
+* Thu Apr 12 2018 Lukas Vrabec - 3.14.2-13
+- refpolicy: Update for kernel sctp support
+- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
+- Allow antivirus domain to be client for system dbus BZ(1562457)
+- Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383)
+- Add new boolean: colord_use_nfs() BZ(1562818)
+- Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317)
+- Allow colord_t to mmap gconf_home_t files
+- Add new boolean redis_enable_notify()
+- Label
/var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
+- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
+- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
+
+* Sat Apr 07 2018 Lukas Vrabec - 3.14.2-12
+- Add new boolean redis_enable_notify()
+- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
+- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
+- Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab
+- Add dac_override and dac_read_search capability to hypervvssd_t domain
+- Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t
+- Allow samba to create /tmp/host_0 as krb5_host_rcache_t
+- Add dac_override capability to fsdaemon_t BZ(1564143)
+- Allow abrt_t domain to map dos files BZ(1564193)
+- Add dac_override capability to automount_t domain
+- Allow keepalived_t domain to connect to system dbus bus
+- Allow nfsd_t to read nvme block devices BZ(1562554)
+- Allow lircd_t domain to execute bin_t files BZ(1562835)
+- Allow l2tpd_t domain to read sssd public files BZ(1563355)
+- Allow logrotate_t domain to do dac_override BZ(1539327)
+- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
+- Add capability sys_resource to systemd_sysctl_t domain
+- Label all /dev/rbd* devices as fixed_disk_device_t
+- Allow xdm_t domain to mmap xserver_log_t files BZ(1564469)
+- Allow local_login_t domain to rread udev db
+- Allow systemd_gpt_generator_t to read /dev/random device
+- add definition of bpf class and systemd perms
+
+* Thu Mar 29 2018 Lukas Vrabec - 3.14.2-11
+- Allow accountsd_t domain to dac override BZ(1561304)
+- Allow cockpit_ws_t domain to read system state BZ(1561053)
+- Allow postfix_map_t domain to use inherited user ptys BZ(1561295)
+- Allow abrt_dump_oops_t domain dac override BZ(1561467)
+- Allow l2tpd_t domain to run stream connect for sssd_t
BZ(1561755)
+- Allow crontab domains to do dac override
+- Allow snapperd_t domain to unmount fs_t filesystems
+- Allow pcp processes to read fixed_disk devices BZ(1560816)
+- Allow unconfined and confined users to use dccp sockets
+- Allow systemd to manage bpf dirs/files
+- Allow traceroute_t to create dccp_sockets
+
+* Mon Mar 26 2018 Lukas Vrabec - 3.14.2-10
+- Fedora Atomic host using for temp files /sysroot/tmp patch, we should label same as /tmp adding file context equivalence BZ(1559531)
+
+* Sun Mar 25 2018 Lukas Vrabec - 3.14.2-9
+- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
+- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
+- Allow nagios to mmap nagios config files BZ(1559683)
+- Fixing Ganesha module
+- Fix typo in NetworkManager module
+- Fix bug in gssproxy SELinux module
+- Allow abrt_t domain to mmap container_file_t files BZ(1525573)
+- Allow networkmanager to be run ssh client BZ(1558441)
+- Allow pcp domains to do dc override BZ(1557913)
+- Dontaudit pcp_pmie_t to reaquest lost kernel module
+- Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955)
+- Allow httpd_t to read httpd_log_t dirs BZ(1554912)
+- Allow fail2ban_t to read system network state BZ(1557752)
+- Allow dac override capability to mandb_t domain BZ(1529399)
+- Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681)
+- Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369)
+- Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439)
+- Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359)
+- Allow snapperd to relabel snapperd_data_t
+- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
+- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
+- Allow insmod_t to load modules BZ(1544189)
+- Allow systemd_rfkill_t domain sys_admin capability
BZ(1557595)
+- Allow systemd_networkd_t to read/write tun tap devices
+- Add shell_exec_t file as domain entry for init_t
+- Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862)
+- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347)
+- Improve userdom_mmap_user_home_content_files
+- Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414)
+- Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module
+- Allow semanage_t domain mmap usr_t files
+- Add new boolean: ssh_use_tcpd()
+
+* Wed Mar 21 2018 Lukas Vrabec - 3.14.2-8
+- Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets
+- Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled
+- Allow semanage_t domain mmap usr_t files
+- Add new boolean: ssh_use_tcpd()
+
+* Tue Mar 20 2018 Lukas Vrabec - 3.14.2-7
+- Update screen_role_template() to allow also creating sockets in HOMEDIR/screen/
+- Allow newrole_t dacoverride capability
+- Allow traceroute_t domain to mmap packet sockets
+- Allow netutils_t domain to mmap usmmon device
+- Allow netutils_t domain to use mmap on packet_sockets
+- Allow traceroute to create icmp packets
+- Allos sysadm_t domain to create tipc sockets
+- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
+
+* Thu Mar 15 2018 Lukas Vrabec - 3.14.2-6
+- Allow rpcd_t domain dac override
+- Allow rpm domain to mmap rpm_var_lib_t files
+- Allow arpwatch domain to create bluetooth sockets
+- Allow secadm_t domain to mmap audit config and log files
+- Update init_abstract_socket_activation() to allow also creating tcp sockets
+- getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain.
+- Add SELinux support for systemd-importd
+- Create new type bpf_t and label /sys/fs/bpf with this type
+
+* Mon Mar 12 2018 Lukas Vrabec - 3.14.2-5
+- Allow bluetooth_t domain to create alg_socket BZ(1554410)
+- Allow tor_t domain to execute bin_t files BZ(1496274)
+- Allow iscsid_t domain to mmap kernel modules BZ(1553759)
+- Update minidlna SELinux policy BZ(1554087)
+- Allow motion_t domain to read sysfs_t files BZ(1554142)
+- Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738)
+- Allow l2tp_t domain to read ipsec config files BZ(1545348)
+- Allow colord_t to mmap home user files BZ(1551033)
+- Dontaudit httpd_t creating kobject uevent sockets BZ(1552536)
+- Allow ipmievd_t to mmap kernel modules BZ(1552535)
+- Allow boinc_t domain to read cgroup files BZ(1468381)
+- Backport allow rules from refpolicy upstream repo
+- Allow gpg_t domain to bind on all unereserved udp ports
+- Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164)
+- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
+- Allow xdm_t domain to sys_ptrace BZ(1554150)
+- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
+- Update ipsec_read_config() interface
+- Fix broken sysadm SELinux module
+- Allow ipsec_t to search for bind cache BZ(1542746)
+- Allow staff_t to send sigkill to mount_t domain BZ(1544272)
+- Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545)
+- Label ip6tables.init as iptables_exec_t BZ(1551463)
+- Allow hostname_t to use usb ttys BZ(1542903)
+- Add fsetid capability to updpwd_t domain BZ(1543375)
+- Allow systemd machined send signal to all domains BZ(1372644)
+- Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876)
+- Allow sysadm_t to create netlink generic sockets BZ(1547874)
+- Allow passwd_t domain chroot
+- Dontaudit confined unpriviliged users setuid capability
+
+* Tue Mar 06 2018 Lukas Vrabec - 3.14.2-4
+- Allow
l2tpd_t domain to create pppox sockets
+- Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251)
+- Add interface abrt_map_cache()
+- Update gnome_manage_home_config() to allow also map permission BZ(1544270)
+- Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770)
+- Dontaudit kernel bug when several services requesting load kernel module
+- Allow traceroute and unconfined domains creating sctp sockets
+- Add interface corenet_sctp_bind_generic_node()
+- Allow ping_t domain to create icmp sockets
+- Allow staff_t to mmap abrt_var_cache_t BZ(1544273)
+- Fix typo bug in dev_map_framebuffer() interface BZ(1551842)
+- Dontaudit kernel bug when several services requesting load kernel module
+
+* Mon Mar 05 2018 Lukas Vrabec - 3.14.2-3
+- Allow vdagent_t domain search cgroup dirs BZ(1541564)
+- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
+- Allow bluetooth domain creating bluetooth sockets BZ(1551577)
+- pki_log_t should be log_file
+- Allow gpgdomain to unix_stream socket connectto
+- Make working gpg agent in gpg_agent_t domain
+- Dontaudit thumb_t to rw lvm pipes BZ(154997)
+- Allow start cups_lpd via systemd socket activation BZ(1532015)
+- Improve screen_role_template Resolves: rhbz#1534111
+- Dontaudit modemmanager to setpgid. BZ(1520482)
+- Dontaudit kernel bug when systemd requesting load kernel module BZ(1547227)
+- Allow systemd-networkd to create netlink generic sockets BZ(1551578)
+- refpolicy: Define getrlimit permission for class process
+- refpolicy: Define smc_socket security class
+- Allow transition from sysadm role into mdadm_t domain.
+- ssh_t trying to communicate with gpg agent not sshd_t
+- Allow sshd_t communicate with gpg_agent_t
+- Allow initrc domains to mmap binaries with direct_init_entry attribute BZ(1545643)
+- Revert "Allow systemd_rfkill_t domain to reguest kernel load module BZ(1543650)"
+- Revert "Allow systemd to request load kernel module BZ(1547227)"
+- Allow systemd to write to all pidfile socketes because of SocketActivation unit option ListenStream= BZ(1543576)
+- Add interface lvm_dontaudit_rw_pipes() BZ(154997)
+- Add interfaces for systemd socket activation
+- Allow systemd-resolved to create stub-resolv.conf with right label net_conf_t BZ(1547098)
+
+* Thu Feb 22 2018 Lukas Vrabec - 3.14.2-2
+- refpolicy: Define extended_socket_class policy capability and socket classes
+- Make bluetooth_var_lib_t as mountpoint BZ(1547416)
+- Allow systemd to request load kernel module BZ(1547227)
+- Allow ipsec_t domain to read l2tpd pid files
+- Allow sysadm to read/write trace filesystem BZ(1547875)
+- Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)
+
+* Wed Feb 21 2018 Lukas Vrabec - 3.14.2-1
+- Rebuild for current rawhide (fc29)
+
+* Tue Feb 20 2018 Lukas Vrabec - 3.14.1-9
+- Fix broken cups Security Module
+- Allow dnsmasq_t domain dbus chat with unconfined users.
BZ(1532079)
+- Allow geoclue to connect to tcp nmea port BZ(1362118)
+- Allow pcp_pmcd_t to read mock lib files BZ(1536152)
+- Allow abrt_t domain to mmap passwd file BZ(1540666)
+- Allow gpsd_t domain to get session id of another process BZ(1540584)
+- Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405)
+- Allow cluster_t dbus chat with systemd BZ(1540163)
+- Add interface raid_stream_connect()
+- Allow nscd_t to mmap nscd_var_run_t files BZ(1536689)
+- Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911)
+- Make cups_pdf_t domain system dbusd client BZ(1532043)
+- Allow logrotate to read auditd_log_t files BZ(1525017)
+- Improve snapperd SELinux policy BZ(1514272)
+- Allow virt_domain to read virt_image_t files BZ(1312572)
+- Allow openvswitch_t stream connect svirt_t
+- Update dbus_dontaudit_stream_connect_system_dbusd() interface
+- Allow openvswitch domain to manage svirt_tmp_t sock files
+- Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210)
+- Merge pull request #50 from dodys/pkcs
+- Label tcp and udp ports 10110 as nmea_port_t BZ(1362118)
+- Allow systemd to access rfkill lib dirs BZ(1539733)
+- Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044)
+- Allow vxfs filesystem to use SELinux labels
+- Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231)
+- Allow few services to dbus chat with snapperd BZ(1514272)
+- Allow systemd to relabel system unit symlink to systemd_unit_file_t.
BZ(1535180)
+- Fix logging as staff_u into Fedora 27
+- Fix broken systemd_tmpfiles_run() interface
+
+* Fri Feb 09 2018 Igor Gnatenko - 3.14.1-8
+- Escape macros in %%changelog
+
+* Thu Feb 08 2018 Lukas Vrabec - 3.14.1-7
+- Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t
+- Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600)
+- Allow keepalived_t domain getattr proc filesystem
+- Allow init_t to create UNIX sockets for unconfined services (BZ1543049)
+- Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t
+- Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
+
+* Tue Feb 06 2018 Lukas Vrabec - 3.14.1-6
+- Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets
+- Add new interface ppp_filetrans_named_content()
+- Allow keepalived_t read sysctl_net_t files
+- Allow puppetmaster_t domtran to puppetagent_t
+- Allow kdump_t domain to read kernel ring buffer
+- Allow boinc_t to mmap boinc tmpfs files BZ(1540816)
+- Merge pull request #47 from masatake/keepalived-signal
+- Allow keepalived_t create and write a file under /tmp
+- Allow ipsec_t domain to exec ifconfig_exec_t binaries.
+- Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock
+- Allow updpwd_t domain to create files in /etc with shadow_t label
+
+* Tue Jan 30 2018 Lukas Vrabec - 3.14.1-5
+- Allow opendnssec daemon to execute ods-signer BZ(1537971)
+
+* Tue Jan 30 2018 Lukas Vrabec - 3.14.1-4
+- rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems)
+- Update dbus_role_template() BZ(1536218)
+- Allow lldpad_t domain to mmap own tmpfs files BZ(1534119)
+- Allow blueman_t dbus chat with policykit_t BZ(1470501)
+- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110)
+- Allow postfix_master_t and postfix_local_t to connect to system dbus.
BZ(1530275)
+- Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471)
+- Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636)
+- Allow jetty_t domain to mmap own temp files BZ(1534628)
+- Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624)
+- Consistently label usr_t for kernel/initrd in /usr
+- kernel/files.fc: Label /usr/lib/sysimage as usr_t
+- Allow iptables sysctl load list support with SELinux enforced
+- Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
+
+* Fri Jan 19 2018 Lukas Vrabec - 3.14.1-3
+- Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide
+- Allow virt_domains to acces infiniband pkeys.
+- Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180)
+- Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t
+- Allow audisp_remote_t domain write to files on all levels
+
+* Mon Jan 15 2018 Lukas Vrabec - 3.14.1-2
+- Allow aide to mmap usr_t files BZ(1534182)
+- Allow ypserv_t domain to connect to tcp ports BZ(1534245)
+- Allow vmtools_t domain creating vmware_log_t files
+- Allow openvswitch_t domain to acces infiniband devices
+- Allow dirsrv_t domain to create tmp link files
+- Allow pcp_pmie_t domain to exec itself. BZ(153326)
+- Update openvswitch SELinux module
+- Allow virtd_t to create also sock_files with label virt_var_run_t
+- Allow chronyc_t domain to manage chronyd_keys_t files.
+- Allow logwatch to exec journal binaries BZ(1403463)
+- Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864)
+- Update logging_read_all_logs to allow mmap all logfiles BZ(1403463)
+- Add Label systemd_unit_file_t for /var/run/systemd/units/
+
+* Mon Jan 08 2018 Lukas Vrabec - 3.14.1-1
+- Removed big SELinux policy patches against tresys refpolicy and use tarballs from fedora-selinux github organisation
+
+* Mon Jan 08 2018 Lukas Vrabec - 3.13.1-310
+- Use python3 package in BuildRequires to ensure python version 3 will be used for compiling SELinux policy
+
+* Fri Jan 05 2018 Lukas Vrabec - 3.13.1-309
+- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
+- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
+- Allow certmonger domain to create temp files BZ(1530795)
+- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
+- Allow fsdaemon_t to read nvme devices BZ(1530018)
+- Dontaudit fsdaemon_t to write to admin homedir.
BZ(153030)
+- Update munin plugin policy BZ(1528471)
+- Allow sendmail_t domain to be system dbusd client BZ(1478735)
+- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
+- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
+- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
+- Allow thumb_t to mmap non security files BZ(1517393)
+- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
+- Fix broken sysnet_filetrans_named_content() interface
+- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
+- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
+- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
+- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
+- Add interface files_map_non_security_files()
+
+* Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308
+- Make working SELinux sandbox with Wayland. BZ(1474082)
+- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)
+- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723)
+- Allow collectd to connect to lmtp_port_t BZ(1304029)
+- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776)
+- Allow thumb_t to mmap removable_t files. BZ(1522724)
+- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
+- Add interface fs_mmap_removable_files()
+
+* Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307
+- Allow crond_t to read pcp lib files BZ(1525420)
+- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
+- Allow certwatch_t to mmap generic certs. BZ(1527173)
+- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
+- Add interface userdom_map_user_home_files()
+- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content.
BZ(1527202)
+- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
+- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
+
+* Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306
+- Allow thumb_t domain to dosfs_t BZ(1517720)
+- Allow gssd_t to read realmd_var_lib_t files BZ(1521125)
+- Allow domain transition from logrotate_t to chronyc_t BZ(1436013)
+- Allow git_script_t to mmap git_sys_content_t BZ(1517541)
+- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803)
+- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642)
+- Allow colord_t to mmap xdm pid files BZ(1518382)
+- Allow arpwatch to mmap usbmon device BZ(152456)
+- Allow mandb_t to read public sssd files BZ(1514093)
+- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659)
+- Allow qpid to map files.
+- Allow plymouthd_t to mmap firamebuf device BZ(1517405)
+- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611)
+- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449)
+- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816)
+- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282)
+- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048)
+- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899)
+- Update samba_manage_var_files() interface by adding map permission. BZ(1517125)
+- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395)
+- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)
+- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956)
+- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019)
+- Add interface fs_map_dos_files()
+- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files.
BZ(1519729)
+- Add interface xserver_map_xdm_pid() BZ(1518382)
+- Add new interface dev_map_usbmon_dev() BZ(1524256)
+- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137)
+- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810)
+- Fix typo in filesystem.if
+- Add interface dev_map_framebuffer()
+- Allow chkpwd command to mmap /etc/shadow BZ(1513704)
+- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529)
+- Allow thumb_t domain to mmap fusefs_t files BZ(1517517)
+- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125)
+- Add interface fs_map_cifs_files()
+- Merge pull request #207 from rhatdan/labels
+- Merge pull request #208 from rhatdan/logdir
+- Allow domains that manage logfiles to man logdirs
+
+* Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305
+- Make ganesha nfs server
+
+* Tue Nov 21 2017 Lukas Vrabec - 3.13.1-304
+- Add interface raid_relabel_mdadm_var_run_content()
+- Fix iscsi SELinux module
+- Allow spamc_t domain to read home mail content BZ(1414366)
+- Allow sendmail_t to list postfix config dirs BZ(1514868)
+- Allow dovecot_t domain to mmap mail content in homedirs BZ(1513153)
+- Allow iscsid_t domain to requesting loading kernel modules BZ(1448877)
+- Allow svirt_t domain to mmap svirt_tmpfs_t files BZ(1515304)
+- Allow cupsd_t domain to localization BZ(1514350)
+- Allow antivirus_t nnp domain transition because of systemd security features.
BZ(1514451)
+- Allow tlp_t domain transition to systemd_rfkill_t domain BZ(1416301)
+- Allow abrt_t domain to mmap fusefs_t files BZ(1515169)
+- Allow memcached_t domain nnp_transition becuase of systemd security features BZ(1514867)
+- Allow httpd_t domain to mmap all httpd content type BZ(1514866)
+- Allow mandb_t to read /etc/passwd BZ(1514903)
+- Allow mandb_t domain to mmap files with label mandb_cache_t BZ(1514093)
+- Allow abrt_t domain to mmap files with label syslogd_var_run_t BZ(1514975)
+- Allow nnp transition for systemd-networkd daemon to run in proper SELinux domain BZ(1507263)
+- Allow systemd to read/write to mount_var_run_t files BZ(1515373)
+- Allow systemd to relabel mdadm_var_run_t sock files BZ(1515373)
+- Allow home managers to mmap nfs_t files BZ(1514372)
+- Add interface fs_mmap_nfs_files()
+- Allow systemd-mount to create new directory for mountpoint BZ(1514880)
+- Allow getty to use usbttys
+- Add interface systemd_rfkill_domtrans()
+- Allow syslogd_t to mmap files with label syslogd_var_lib_t BZ(1513403)
+- Add interface fs_mmap_fusefs_files()
+- Allow ipsec_t domain to mmap files with label ipsec_key_file_t BZ(1514251)
+
+* Thu Nov 16 2017 Lukas Vrabec - 3.13.1-303
+- Allow pcp_pmlogger to send logs to journal BZ(1512367)
+- Merge pull request #40 from lslebodn/kcm_kerberos
+- Allow services to use kerberos KCM BZ(1512128)
+- Allow system_mail_t domain to be system_dbus_client BZ(1512476)
+- Allow aide domain to stream connect to sssd_t BZ(1512500)
+- Allow squid_t domain to mmap files with label squid_tmpfs_t BZ(1498809)
+- Allow nsd_t domain to mmap files with labels nsd_tmp_t and nsd_zone_t BZ(1511269)
+- Include cupsd_config_t domain into cups_execmem boolean.
BZ(1417584)
+- Allow samba_net_t domain to mmap samba_var_t files BZ(1512227)
+- Allow lircd_t domain to execute shell BZ(1512787)
+- Allow thumb_t domain to setattr on cache_home_t dirs BZ(1487814)
+- Allow redis to creating tmp files with own label BZ(1513518)
+- Create new interface thumb_nnp_domtrans allowing domaintransition with NoNewPrivs. This interface added to thumb_run() BZ(1509502)
+- Allow httpd_t to mmap httpd_tmp_t files BZ(1502303)
+- Add map permission to samba_rw_var_files interface. BZ(1513908)
+- Allow cluster_t domain creating bundles directory with label var_log_t instead of cluster_var_log_t
+- Add dac_read_search and dac_override capabilities to ganesha
+- Allow ldap_t domain to manage also slapd_tmp_t lnk files
+- Allow snapperd_t domain to relabeling from snapperd_data_t BZ(1510584)
+- Add dac_override capability to dhcpd_t doamin BZ(1510030)
+- Allow snapperd_t to remove old snaps BZ(1510862)
+- Allow chkpwd_t domain to mmap system_db_t files and be dbus system client BZ(1513704)
+- Allow xdm_t send signull to all xserver unconfined types BZ(1499390)
+- Allow fs associate for sysctl_vm_t BZ(1447301)
+- Label /etc/init.d/vboxdrv as bin_t to run virtualbox as unconfined_service_t BZ(1451479)
+- Allow xdm_t domain to read usermodehelper_t state BZ(1412609)
+- Allow dhcpc_t domain to stream connect to userdomain domains BZ(1511948)
+- Allow systemd to mmap kernel modules BZ(1513399)
+- Allow userdomains to mmap fifo_files BZ(1512242)
+- Merge pull request #205 from rhatdan/labels
+- Add map permission to init_domtrans() interface BZ(1513832)
+- Allow xdm_t domain to mmap and execute files in xdm_var_run_t BZ(1513883)
+- Unconfined domains, need to create content with the correct labels
+- Container runtimes are running iptables within a different user namespace
+- Add interface files_rmdir_all_dirs()
+
+* Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302
+- Allow jabber domains to connect to postgresql ports
+- Dontaudit slapd_t to block suspend
system
+- Allow spamc_t to stream connect to cyrys.
+- Allow passenger to connect to mysqld_port_t
+- Allow ipmievd to use nsswitch
+- Allow chronyc_t domain to use user_ptys
+- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst
+- Fix typo bug in tlp module
+- Allow userdomain gkeyringd domain to create stream socket with userdomain
+
+* Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301
+- Merge pull request #37 from milosmalik/rawhide
+- Allow mozilla_plugin_t domain to dbus chat with devicekit
+- Dontaudit leaked logwatch pipes
+- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
+- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
+- Allow chronyd daemon to execute chronyc. BZ(1507478)
+- Allow pdns to read network system state BZ(1507244)
+- Allow gssproxy to read network system state Resolves: rhbz#1507191
+- Allow nfsd_t domain to read configfs_t files/dirs
+- Allow tgtd_t domain to read generic certs
+- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
+- Allow dirsrv_snmp_t to use inherited user ptys and read system state
+- Allow glusterd_t domain to create own tmpfs dirs/files
+- Allow keepalived stream connect to snmp
+
+* Thu Oct 26 2017 Lukas Vrabec - 3.13.1-300
+- Allow zabbix_t domain to change its resource limits
+- Add new boolean nagios_use_nfs
+- Allow system_mail_t to search network sysctls
+- Hide all allow rules with ptrace inside deny_ptrace boolean
+- Allow nagios_script_t to read nagios_spool_t files
+- Allow sbd_t to create own sbd_tmpfs_t dirs/files
+- Allow firewalld and networkmanager to chat with hypervkvp via dbus
+- Allow dmidecode to read rhsmcert_log_t files
+- Allow mail system to connect mariadb sockets.
+- Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
+- Make user account setup in gnome-initial-setup working in Workstation Live system. 
 BZ(1499170)
+- Allow iptables_t to run setfiles to restore context on system
+- Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)
+
+* Tue Oct 24 2017 Lukas Vrabec - 3.13.1-299
+- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
+- Allow chronyd_t do request kernel module and block_suspend capability
+- Allow system_cronjob_t to create /var/lib/letsencrypt dir with right label
+- Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)
+- Allow dnssec_trigger_t domain to execute binaries with dnssec_trigeer_exec_t BZ(1487912)
+- Allow l2tpd_t domain to send SIGKILL to ipsec_mgmt_t domains BZ(1505220)
+- Allow thumb_t creating thumb_home_t files in user_home_dir_t direcotry BZ(1474110)
+- Allow httpd_t also read httpd_user_content_type dirs when httpd_enable_homedirs is enables
+- Allow svnserve to use kerberos
+- Allow conman to use ptmx. Add conman_use_nfs boolean
+- Allow nnp transition for amavis and tmpreaper SELinux domains
+- Allow chronyd_t to mmap chronyc_exec_t binary files
+- Add dac_read_search capability to openvswitch_t domain
+- Allow svnserve to manage own svnserve_log_t files/dirs
+- Allow keepalived_t to search network sysctls
+- Allow puppetagent_t domain dbus chat with rhsmcertd_t domain
+- Add kill capability to openvswitch_t domain
+- Label also compressed logs in /var/log for different services
+- Allow inetd_child_t and system_cronjob_t to run chronyc.
+- Allow chrony to create netlink route sockets
+- Add SELinux support for chronyc
+- Add support for running certbot(letsencrypt) in crontab
+- Allow nnp trasintion for unconfined_service_t
+- Allow unpriv user domains and unconfined_service_t to use chronyc
+
+* Sun Oct 22 2017 Lukas Vrabec - 3.13.1-298
+- Drop *.lst files from file list
+- Ship file_contexts.homedirs in store
+- Allow proper transition when systems starting pdns to pdns_t domain. 
 BZ(1305522)
+- Allow haproxy daemon to reexec itself. BZ(1447800)
+- Allow conmand to use usb ttys.
+- Allow systemd_machined to read mock lib files. BZ(1504493)
+- Allow systemd_resolved_t to dbusd chat with NetworkManager_t BZ(1505081)
+
+* Fri Oct 20 2017 Lukas Vrabec - 3.13.1-297
+- Fix typo in virt file contexts file
+- allow ipa_dnskey_t to read /proc/net/unix file
+- Allow openvswitch to run setfiles in setfiles_t domain.
+- Allow openvswitch_t domain to read process data of neutron_t domains
+- Fix typo in ipa_cert_filetrans_named_content() interface
+- Fix typo bug in summary of xguest SELinux module
+- Allow virtual machine with svirt_t label to stream connect to openvswitch.
+- Label qemu-pr-helper script as virt_exec_t so this script won't run as unconfined_service_t
+
+* Tue Oct 17 2017 Lukas Vrabec - 3.13.1-296
+- Merge pull request #19 from RodrigoQuesadaDev/snapper-fix-1
+- Allow httpd_t domain to mmap httpd_user_content_t files. BZ(1494852)
+- Add nnp transition rule for services using NoNewPrivileges systemd feature
+- Add map permission into dev_rw_infiniband_dev() interface to allow caller domain mmap infiniband chr device BZ(1500923)
+- Add init_nnp_daemon_domain interface
+- Allow nnp transition capability
+- Merge pull request #204 from konradwilk/rhbz1484908
+- Label postgresql-check-db-dir as postgresql_exec_t
+
+* Tue Oct 10 2017 Lukas Vrabec - 3.13.1-295
+- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
+- Allow fail2ban_t domain to mmap journals. BZ(1500089)
+- Add dac_override to abrt_t domain BZ(1499860)
+- Allow pppd domain to mmap own pid files BZ(1498587)
+- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)
+- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules
+- Allow systemd to read sysfs sym links. 
 BZ(1499327)
+- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)
+- Make systemd_networkd_var_run as mountpoint BZ(1499862)
+- Allow noatsecure for java-based unconfined services. BZ(1358476)
+- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)
+
+* Mon Oct 09 2017 Lukas Vrabec - 3.13.1-294
+- Allow cloud-init to create content in /var/run/cloud-init
+- Dontaudit VM to read gnome-boxes process data BZ(1415975)
+- Allow winbind_t domain mmap samba_var_t files
+- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
+- Update dev_rw_xserver_misc() interface to allo source domains to mmap xserver devices BZ(1334035)
+- Add dac_override capability to groupadd_t domain BZ(1497091)
+- Allow unconfined_service_t to start containers
+
+* Sun Oct 08 2017 Petr Lautrbach - 3.13.1-293
+- Drop policyhelp utility BZ(1498429)
+
+* Tue Oct 03 2017 Lukas Vrabec - 3.13.1-292
+- Allow cupsd_t to execute ld_so_cache_t BZ(1478602)
+- Allow firewalld_t domain to change object identity because of relabeling after using firewall-cmd BZ(1469806)
+- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
+- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin. BZ(1487531)
+- Add unix_stream_socket recvfrom perm for init_t domain BZ(1496318)
+- Allow systemd to maange sysfs BZ(1471361)
+
+* Tue Oct 03 2017 Lukas Vrabec - 3.13.1-291
+- Switch default value of SELinux boolean httpd_graceful_shutdown to off.
+
+* Fri Sep 29 2017 Lukas Vrabec - 3.13.1-290
+- Allow virtlogd_t domain to write inhibit systemd pipes. 
+- Add dac_override capability to openvpn_t domain
+- Add dac_override capability to xdm_t domain
+- Allow dac_override to groupadd_t domain BZ(1497081)
+- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
+
+* Wed Sep 27 2017 Lukas Vrabec - 3.13.1-289
+- Allow tlp_t domain stream connect to sssd_t domain
+- Add missing dac_override capability
+- Add systemd_tmpfiles_t dac_override capability
+
+* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288
+- Remove all unnecessary dac_override capability in SELinux modules
+
+* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287
+- Allow init noatsecure httpd_t
+- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
+- Allow unconfined_t domain to create new users with proper SELinux lables
+- Allow init noatsecure httpd_t
+- Label tcp port 3269 as ldap_port_t
+
+* Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286
+- Add new boolean tomcat_read_rpm_db()
+- Allow tomcat to connect on mysqld tcp ports
+- Add new interface apache_delete_tmp()
+- Add interface fprintd_exec()
+- Add interface fprintd_mounton_var_lib()
+- Allow mozilla plugin to mmap video devices BZ(1492580)
+- Add ctdbd_t domain sys_source capability and allow setrlimit
+- Allow systemd-logind to use ypbind
+- Allow systemd to remove apache tmp files
+- Allow ldconfig domain to mmap ldconfig cache files
+- Allow systemd to exec fprintd BZ(1491808)
+- Allow systemd to mounton fprintd lib dir
+
+* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-285
+- Allow svirt_t read userdomain state
+
+* Thu Sep 14 2017 Lukas Vrabec - 3.13.1-284
+- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
+- Allow automount domain to manage mount pid files
+- Allow stunnel_t domain setsched
+- Add keepalived domain setpgid capability
+- Merge pull request #24 from teg/rawhide
+- Merge pull request #28 from lslebodn/revert_1e8403055
+- Allow sysctl_irq_t assciate with proc_t
+- Enable cgourp sec labeling
+- Allow sshd_t domain to send signull to xdm_t 
processes
+
+* Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283
+- Allow passwd_t domain mmap /etc/shadow and /etc/passwd
+- Allow pulseaudio_t domain to map user tmp files
+- Allow mozilla plugin to mmap mozilla tmpfs files
+
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282
+- Add new bunch of map rules
+- Merge pull request #25 from NetworkManager/nm-ovs
+- Make working webadm_t userdomain
+- Allow redis domain to execute shell scripts.
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+- Allow dmidecode read rhsmcertd lock files
+- Add new interface rhsmcertd_rw_lock_files()
+- Add new bunch of map rules
+- Merge pull request #199 from mscherer/add_conntrackd
+- Add support labeling for vmci and vsock device
+- Add userdom_dontaudit_manage_admin_files() interface
+
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281
+- Allow domains reading raw memory also use mmap.
+
+* Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280
+- Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404)
+- Fix denials during ipa-server-install process on F27+
+- Allow httpd_t to mmap cert_t
+- Add few rules to make tlp_t domain working in enforcing mode
+- Allow cloud_init_t to dbus chat with systemd_timedated_t
+- Allow logrotate_t to write to kmsg
+- Add capability kill to rhsmcertd_t
+- Allow winbind to manage smbd_tmp_t files
+- Allow groupadd_t domain to dbus chat with systemd.BZ(1488404)
+- Add interface miscfiles_map_generic_certs()
+
+* Tue Sep 05 2017 Lukas Vrabec - 3.13.1-279
+- Allow abrt_dump_oops_t to read sssd_public_t files
+- Allow cockpit_ws_t to mmap usr_t files
+- Allow systemd to read/write dri devices.
+
+* Thu Aug 31 2017 Lukas Vrabec - 3.13.1-278
+- Add couple rules related to map permissions
+- Allow ddclient use nsswitch BZ(1456241)
+- Allow thumb_t domain getattr fixed_disk device. 
 BZ(1379137)
+- Add interface dbus_manage_session_tmp_dirs()
+- Dontaudit useradd_t sys_ptrace BZ(1480121)
+- Allow ipsec_t can exec ipsec_exec_t
+- Allow systemd_logind_t to mamange session_dbusd_tmp_t dirs
+
+* Mon Aug 28 2017 Lukas Vrabec - 3.13.1-277
+- Allow cupsd_t to execute ld_so_cache
+- Add cgroup_seclabel policycap.
+- Allow xdm_t to read systemd hwdb
+- Add new interface systemd_hwdb_mmap_config()
+- Allow auditd_t domain to mmap conf files labeled as auditd_etc_t BZ(1485050)
+
+* Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276
+- Allow couple map rules
+
+* Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275
+- Make confined users working
+- Allow ipmievd_t domain to load kernel modules
+- Allow logrotate to reload transient systemd unit
+
+* Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274
+- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
+- Allow nscd_t domain to search network sysctls
+- Allow iscsid_t domain to read mount pid files
+- Allow ksmtuned_t domain manage sysfs_t files/dirs
+- Allow keepalived_t domain domtrans into iptables_t
+- Allow rshd_t domain reads net sysctls
+- Allow systemd to create syslog netlink audit socket
+- Allow ifconfig_t domain unmount fs_t
+- Label /dev/gpiochip* devices as gpio_device_t
+
+* Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273
+- Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
+- Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects. 
+- Label /var/run/agetty.reload as getty_var_run_t
+- Add missing filecontext for sln binary
+- Allow systemd to read/write to event_device_t BZ(1471401)
+
+* Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272
+- Allow sssd_t domain to map sssd_var_lib_t files
+- allow map permission where needed
+- contrib: allow map permission where needed
+- Allow syslogd_t to map syslogd_var_run_t files
+- allow map permission where needed
+
+* Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271
+- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
+- Label /usr/libexec/sudo/sesh as shell_exec_t
+
+* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-270
+- refpolicy: Infiniband pkeys and endport
+
+* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269
+- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524)
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+- refpolicy: Define and allow map permission
+- init: Add NoNewPerms support for systemd.
+- Add nnp_nosuid_transition policycap and related class/perm definitions.
+
+* Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268
+- Update for SELinux userspace release 20170804 / 2.7
+- Omit precompiled regular expressions from file_contexts.bin files
+
+* Mon Aug 07 2017 Lukas Vrabec - 3.13.1-267
+- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy
+
+* Thu Jul 27 2017 Fedora Release Engineering - 3.13.1-266
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265
+- Allow llpdad send dgram to libvirt
+- Allow abrt_t domain dac_read_search capability
+- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476)
+- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036)
+- Dontaudit xdm_t to setattr lib_t dirs. 
 BZ(#1458518)
+
+* Mon Jul 17 2017 Lukas Vrabec - 3.13.1-264
+- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)
+
+* Tue Jul 11 2017 Lukas Vrabec - 3.13.1-263
+- Add new boolean gluster_use_execmem
+
+* Mon Jul 10 2017 Lukas Vrabec - 3.13.1-262
+- Allow cluster_t and glusterd_t domains to dbus chat with ganesha service
+- Allow iptables to read container runtime files
+
+* Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261
+- Allow boinc_t nsswitch
+- Dontaudit firewalld to write to lib_t dirs
+- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
+- Allow thumb_t domain to allow create dgram sockets
+- Disable mysqld_safe_t secure mode environment cleansing
+- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
+- Allow dirsrv domain setrlimit
+- Dontaudit staff_t user read admin_home_t files.
+- Add interface lvm_manage_metadata
+- Add permission open to files_read_inherited_tmp_files() interface
+
+* Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260
+- Allow sssd_t to read realmd lib files.
+- Fix init interface file. init_var_run_t is type not attribute
+
+* Mon Jun 19 2017 Lukas Vrabec - 3.13.1-258
+- Allow rpcbind_t to execute systemd_tmpfiles_exec_t binary files.
+- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
+- Allow qemu to authenticate SPICE connections with SASL GSSAPI when SSSD is in use
+- Fix dbus_dontaudit_stream_connect_system_dbusd() interface to require TYPE rather than ATTRIBUTE for systemd_dbusd_t.
+- Allow httpd_t to read realmd_var_lib_t files
+- Allow unconfined_t user all user namespace capabilties. 
+- Add interface systemd_tmpfiles_exec()
+- Add interface libs_dontaudit_setattr_lib_files()
+- Dontaudit xdm_t domain to setattr on lib_t dirs
+- Allow sysadm_r role to jump into dirsrv_t
+
+* Thu Jun 08 2017 Lukas Vrabec - 3.13.1-257
+- Merge pull request #10 from mscherer/fix_tor_dac
+- Merge pull request #9 from rhatdan/rawhide
+- Merge pull request #13 from vinzent/allow_zabbix_t_to_kill_zabbix_script_t
+- Allow kdumpgui to read removable disk device
+- Allow systemd_dbusd_t domain read/write to nvme devices
+- Allow udisks2 domain to read removable devices BZ(1443981)
+- Allow virtlogd_t to execute itself
+- Allow keepalived to read/write usermodehelper state
+- Allow named_t to bind on udp 4321 port
+- Fix interface tlp_manage_pid_files()
+- Allow collectd domain read lvm config files. BZ(1459097)
+- Merge branch 'rawhide' of github.com:wrabcak/selinux-policy-contrib into rawhide
+- Allow samba_manage_home_dirs boolean to manage user content
+- Merge pull request #14 from lemenkov/rabbitmq_systemd_notify
+- Allow pki_tomcat_t execute ldconfig.
+- Merge pull request #191 from rhatdan/udev
+- Allow systemd_modules_load_t to load modules
+
+* Mon Jun 05 2017 Lukas Vrabec - 3.13.1-256
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow keepalived domain connect to squid tcp port
+- Allow krb5kdc_t domain read realmd lib files.
+- Allow tomcat to connect on all unreserved ports
+- Allow ganesha to connect to all rpc ports
+- Update ganesha with few allow rules
+- Update rpc_read_nfs_state_data() interface to allow read also lnk_files.
+- virt_use_glusterd boolean should be in optional block
+- Add new boolean virt_use_glusterd
+- Add capability sys_boot for sbd_t domain Allow sbd_t domain to create rpc sysctls.
+- Allow ganesha_t domain to manage glusterd_var_run_t pid files. 
+- Create new interface: glusterd_read_lib_files() Allow ganesha read glusterd lib files. Allow ganesha read network sysctls
+- Add few allow rules to ganesha module
+- Allow condor_master_t to read sysctls.
+- Add dac_override cap to ctdbd_t domain
+- Add ganesha_use_fusefs boolean.
+- Allow httpd_t reading kerberos kdc config files
+- Allow tomcat_t domain connect to ibm_dt_2 tcp port.
+- Allow stream connect to initrc_t domains
+- Add pki_exec_common_files() interface
+- Allow dnsmasq_t domain to read systemd-resolved pid files.
+- Allow tomcat domain name_bind on tcp bctp_port_t
+- Allow smbd_t domain generate debugging files under /var/run/gluster. These files are created through the libgfapi.so library that provides integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
+- Allow condor_master_t write to sysctl_net_t
+- Allow nagios check disk plugin read /sys/kernel/config/
+- Allow pcp_pmie_t domain execute systemctl binary
+- Allow nagios to connect to stream sockets. Allow nagios start httpd via systemctl
+- xdm_t should view kernel keys
+- Hide broken symptoms when machine is configured with network bounding.
+- Label 8750 tcp/udp port as dey_keyneg_port_t
+- Label tcp/udp port 1792 as ibm_dt_2_port_t
+- Add interface fs_read_configfs_dirs()
+- Add interface fs_read_configfs_files()
+- Fix systemd_resolved_read_pid interface
+- Add interface systemd_resolved_read_pid()
+- Allow sshd_net_t domain read/write into crypto devices
+- Label 8999 tcp/udp as bctp_port_t
+
+* Thu May 18 2017 Lukas Vrabec - 3.13.1-255
+- Dontaudit net_admin capability for domains postfix_master_t and postfix_qmgr_t
+- Add interface pki_manage_common_files()
+- Allow rngd domain read sysfs_t
+- Allow tomcat_t domain to manage pki_common_t files and dirs
+- Merge pull request #3 from rhatdan/devicekit
+- Merge pull request #12 from lslebodn/sssd_sockets_fc
+- Allow certmonger reads httpd_config_t files
+- Allow keepalived_t domain creating netlink_netfilter_socket. 
+- Use stricter fc rules for sssd sockets in /var/run
+- Allow tomcat domain read rpm_var_lib_t files Allow tomcat domain exec rpm_exec_t files Allow tomcat domain name connect on oracle_port_t Allow tomcat domain read cobbler_var_lib_t files.
+- Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/
+- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
+- ejabberd small fixes
+- Update targetd policy to accommodate changes in the service
+- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
+- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
+- Dontaudit net_admin capability for useradd_t domain
+- Allow systemd_localed_t and systemd_timedated_t create files in /etc with label locate_t BZ(1443723)
+- Make able deply overcloud via neutron_t to label nsfs as fs_t
+- Add fs_manage_configfs_lnk_files() interface
+
+* Mon May 15 2017 Lukas Vrabec - 3.13.1-254
+- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit
+- ejabberd small fixes
+- Update targetd policy to accommodate changes in the service
+- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls
+- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit
+- Allow glusterd_t domain start ganesha service
+- Made few cosmetic changes in sssd SELinux module
+- Merge pull request #11 from lslebodn/sssd_kcm
+- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. 
+- Allow keepalived_t domain read usermodehelper_t
+- Allow radius domain stream connec to postgresql
+- Merge pull request #8 from bowlofeggs/142-rawhide
+- Add fs_manage_configfs_lnk_files() interface
+
+* Fri May 12 2017 Lukas Vrabec - 3.13.1-253
+- auth_use_nsswitch can call only domain not attribute
+- Dontaudit net_admin cap for winbind_t
+- Allow tlp_t domain to stream connect to system bus
+- Allow tomcat_t domain read pki_common_t files
+- Add interface pki_read_common_files()
+- Fix broken cermonger module
+- Fix broken apache module
+- Allow hypervkvp_t domain execute hostname
+- Dontaudit sssd_selinux_manager_t use of net_admin capability
+- Allow tomcat_t stream connect to pki_common_t
+- Dontaudit xguest_t's attempts to listen to its tcp_socket
+- Allow sssd_selinux_manager_t to ioctl init_t sockets
+- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type.
+- Allow pki_tomcat_t domain read /etc/passwd.
+- Allow tomcat_t domain read ipa_tmp_t files
+- Label new path for ipa-otpd
+- Allow radiusd_t domain stream connect to postgresql_t
+- Allow rhsmcertd_t to execute hostname_exec_t binaries.
+- Allow virtlogd to append nfs_t files when virt_use_nfs=1
+- Allow httpd_t domain read also httpd_user_content_type lnk_files.
+- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t
+- Dontaudit _gkeyringd_t stream connect to system_dbusd_t
+- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t
+- Add interface ipa_filetrans_named_content()
+- Allow tomcat use nsswitch
+- Allow certmonger_t start/status generic services
+- Allow dirsrv read cgroup files.
+- Allow ganesha_t domain read/write infiniband devices.
+- Allow sendmail_t domain sysctl_net_t files
+- Allow targetd_t domain read network state and getattr on loop_control_device_t
+- Allow condor_schedd_t domain send mails.
+- Allow ntpd to creating sockets. 
 BZ(1434395)
+- Alow certmonger to create own systemd unit files.
+- Add kill namespace capability to xdm_t domain
+- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization."
+- Revert "Allow _su_t to create netlink_selinux_socket"
+- Allow _su_t to create netlink_selinux_socket
+- Allow unconfined_t to module_load any file
+- Allow staff to systemctl virt server when staff_use_svirt=1
+- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context
+- Allow netutils setpcap capability
+- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124)
+
+* Thu Apr 20 2017 Michael Scherer - 3.13.1-252
+- fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade
+
+* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-251
+- Fix abrt module to reflect all changes in abrt release
+
+* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250
+- Allow tlp_t domain to ioctl removable devices BZ(1436830)
+- Allow tlp_t domain domtrans into mount_t BZ(1442571)
+- Allow lircd_t to read/write to sysfs BZ(1442443)
+- Fix policy to reflect all changes in new IPA release
+- Allow virtlogd_t to creating tmp files with virt_tmp_t labels.
+- Allow sbd_t to read/write fixed disk devices
+- Add sys_ptrace capability to radiusd_t domain
+- Allow cockpit_session_t domain connects to ssh tcp ports.
+- Update tomcat policy to make working ipa install process
+- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t
+- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383
+- Update pki interfaces and tomcat module
+- Allow sendmail to search network sysctls
+- Add interface gssd_noatsecure()
+- Add interface gssproxy_noatsecure()
+- Allow chronyd_t net_admin capability to allow support HW timestamping.
+- Update tomcat policy. 
+- Allow certmonger to start haproxy service
+- Fix init Module
+- Make groupadd_t domain as system bus client BZ(1416963)
+- Make useradd_t domain as system bus client BZ(1442572)
+- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090)
+- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
+- Allow init noatsecure for gssd and gssproxy
+- Allow staff user to read fwupd_cache_t files
+- Remove typo bugs
+- Remove /proc <> from fedora policy, it's no longer necessary
+
+* Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249
+- Merge pull request #4 from lslebodn/sssd_socket_activated
+- Remove /proc <> from fedora policy, it's no longer necessary
+- Allow iptables get list of kernel modules
+- Allow unconfined_domain_type to enable/disable transient unit
+- Add interfaces init_enable_transient_unit() and init_disable_transient_unit
+- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
+- Label sysroot dir under ostree as root_t
+
+* Mon Mar 27 2017 Adam Williamson - 3.13.1-248
+- Put tomcat_t back in unconfined domains for now. BZ(1436434)
+
+* Tue Mar 21 2017 Lukas Vrabec - 3.13.1-247
+- Make fwupd_var_lib_t type mountpoint. BZ(1429341)
+- Remove tomcat_t domain from unconfined domains
+- Create new boolean: sanlock_enable_home_dirs()
+- Allow mdadm_t domain to read/write nvme_device_t
+- Remove httpd_user_*_content_t domains from user_home_type attribute. This tighten httpd policy and acces to user data will be more strinct, and also fix mutual influente between httpd_enable_homedirs and httpd_read_user_content
+- Add interface dev_rw_nvme
+- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. BZ(1433555)
+
+* Sat Mar 18 2017 Lukas Vrabec - 3.13.1-246
+- Label all files containing hostname substring in /etc/ created by systemd_hostnamed_t as hostname_etc_t. 
 BZ(1433555)
+
+* Fri Mar 17 2017 Lukas Vrabec - 3.13.1-245
+- Allow vdagent domain to getattr cgroup filesystem
+- Allow abrt_dump_oops_t stream connect to sssd_t domain
+- Allow cyrus stream connect to gssproxy
+- Label /usr/libexec/cockpit-ssh as cockpit_session_exec_t and allow few rules
+- Allow colord_t to read systemd hwdb.bin file
+- Allow dirsrv_t to create /var/lock/dirsrv labeled as dirsrc_var_lock_t
+- Allow certmonger to manage /etc/krb5kdc_conf_t
+- Allow kdumpctl to getenforce
+- Allow ptp4l wake_alarm capability
+- Allow ganesha to chat with unconfined domains via dbus
+- Add nmbd_t capability2 block_suspend
+- Add domain transition from sosreport_t to iptables_t
+- Dontaudit init_t to mounton modules_object_t
+- Add interface files_dontaudit_mounton_modules_object
+- Allow xdm_t to execute files labeled as xdm_var_lib_t
+- Make mtrr_device_t mountpoint.
+- Fix path to /usr/lib64/erlang/erts-5.10.4/bin/epmd
+
+* Tue Mar 07 2017 Lukas Vrabec - 3.13.1-244
+- Update fwupd policy
+- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
+- Update ganesha policy
+- Allow chronyd to read adjtime
+- Merge pull request #194 from hogarthj/certbot_policy
+- get the correct cert_t context on certbot certificates bz#1289778
+- Label /dev/ss0 as gpfs_device_t
+
+* Thu Mar 02 2017 Lukas Vrabec - 3.13.1-243
+- Allow abrt_t to send mails.
+
+* Mon Feb 27 2017 Lukas Vrabec - 3.13.1-242
+- Add radius_use_jit boolean
+- Allow nfsd_t domain to create sysctls_rpc_t files
+- add the policy required for nextcloud
+- Allow can_load_kernmodule to load kernel modules. 
 BZ(1426741)
+- Create kernel_create_rpc_sysctls() interface
+
+* Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241
+- Remove ganesha from gluster module and create own module for ganesha
+- FIx label for /usr/lib/libGLdispatch.so.0.0.0
+
+* Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240
+- Dontaudit xdm_t wake_alarm capability2
+- Allow systemd_initctl_t to create and connect unix_dgram sockets
+- Allow ifconfig_t to mount/unmount nsfs_t filesystem
+- Add interfaces allowing mount/unmount nsfs_t filesystem
+- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
+
+* Mon Feb 13 2017 Lukas Vrabec - 3.13.1-239
+- Allow syslog client to connect to kernel socket. BZ(1419946)
+
+* Thu Feb 09 2017 Lukas Vrabec - 3.13.1-238
+- Allow shiftfs to use xattr SELinux labels
+- Fix ssh_server_template by add sshd_t to require section.
+
+* Wed Feb 08 2017 Lukas Vrabec - 3.13.1-237
+- Merge pull request #187 from rhatdan/container-selinux
+- Allow rhsmcertd domain signull kernel.
+- Allow container-selinux to handle all policy for container processes
+- Fix label for nagios plugins in nagios file conxtext file
+- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
+- Add SELinux support for systemd-initctl daemon
+- Add SELinux support for systemd-bootchart
+- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
+- Add module_load permission to can_load_kernmodule
+- Add module_load permission to class system
+- Add the validate_trans access vector to the security class
+- Restore connecto permssions for init_t
+
+* Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236
+- Allow kdumpgui domain to read nvme device
+- Add amanda_tmpfs_t label. BZ(1243752)
+- Fix typo in sssd interface file
+- Allow sssd_t domain setpgid BZ(1411437)
+- Allow ifconfig_t domain read nsfs_t
+- Allow ping_t domain to load kernel modules. 
+- Allow systemd to send user information back to pid1. BZ(1412750)
+- rawhide-base: Fix wrong type/attribute flavors in require blocks
+
+* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235
+- Allow libvirt daemon to create /var/chace/libvirt dir.
+- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)
+- F26 Wide change: Coredumps enabled by default. Allowing inherits process limits to enable coredumps.BZ(1341829)
+
+* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234
+- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017)
+- Tighten security on containe types
+- Make working cracklib_password_check for MariaDB service
+- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505)
+
+* Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233
+-Allow thumb domain sendto via dgram sockets. BZ(1398813)
+- Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)
+- Allow cobbler domain to create netlink_audit sockets BZ(1384600)
+- Allow networkmanager to manage networkmanager_var_lib_t lnk files BZ(1408626)
+- Add dhcpd_t domain fowner capability BZ(1409963)
+- Allow thumb to create netlink_kobject_uevent sockets. BZ(1410942)
+- Fix broken interfaces
+- Allow setfiles_t domain rw inherited kdumpctl tmp pipes BZ(1356456)
+- Allow user_t run systemctl --user BZ(1401625)
+
+* Fri Jan 06 2017 Lukas Vrabec - 3.13.1-232
+- Add tlp_var_lib_t label for /var/lib/tlp directory BZ(1409977)
+- Allow tlp_t domain to read proc_net_t BZ(1403487)
+- Merge pull request #179 from rhatdan/virt1
+- Allow tlp_t domain to read/write cpu microcode BZ(1403103)
+- Allow virt domain to use interited virtlogd domains fifo_file
+- Fixes for containers
+- Allow glusterd_t to bind on glusterd_port_t udp ports.
+- Update ctdbd_t policy to reflect all changes. 
+- Allow ctdbd_t domain transition to rpcd_t
+
+* Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231
+- Allow pptp_t to read /dev/random BZ(1404248)
+- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t
+- Allow systemd to stop glusterd_t domains.
+- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
+- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323)
+- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs."
+
+* Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230
+- Label /usr/bin/rpcbind as rpcbind_exec_t
+- Dontaudit mozilla plugin rawip socket creation. BZ(1275961)
+- Merge pull request #174 from rhatdan/netlink
+
+* Wed Dec 07 2016 Lukas Vrabec - 3.13.1-229
+- Label /usr/bin/rpcbind as rpcbind_exec_t. Label /usr/lib/systemd/systemd/rpcbind.service
+- Allot tlp domain to create unix_dgram sockets BZ(1401233)
+- Allow antivirus domain to create lnk_files in /tmp
+- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
+- Allow svnserve_t domain to read /dev/random BZ(1401827)
+- Allow lircd to use nsswitch. BZ(1401375)
+- Allow hostname_t domain to manage cluster_tmp_t files
+
+* Mon Dec 05 2016 Lukas Vrabec - 3.13.1-228
+- Fix some boolean descriptions.
+- Add fwupd_dbus_chat() interface
+- Allow tgtd_t domain wake_alarm
+- Merge pull request #172 from vinzent/allow_puppetagent_timedated
+- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
+- Allow systemd_machined_t to start unit files labeled as init_var_run_t
+- Add init_manage_config_transient_files() interface
+- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
+- Allow systemd to raise rlimit to all domains.BZ(1365435)
+- Add interface domain_setrlimit_all_domains() interface
+- Allow staff_t user to chat with fwupd_t domain via dbus
+- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
+- Allow systemd-networkd to read network state BZ(1400016)
+- Allow systemd-resolved bind to dns port. BZ(1400023)
+- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
+- Add interface fs_dontaudit_getattr_nsfs_files()
+- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
+
+* Tue Nov 29 2016 Lukas Vrabec - 3.13.1-227
+- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
+- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
+- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
+- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
+- Merge pull request #171 from t-woerner/rawhide-contrib
+- Allow firewalld to getattr open search read modules_object_t:dir
+- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
+- Add interface fs_dontaudit_getattr_nsfs_files()
+- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
+- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
+
+* Wed Nov 16 2016 Lukas Vrabec - 3.13.1-226
+- Adding policy for tlp
+- Add interface dev_manage_sysfs()
+- Allow ifconfig domain to manage tlp pid files.
+
+* Wed Nov 09 2016 Lukas Vrabec - 3.13.1-225
+- Allow systemd_logind_t domain to communicate with devicekit_t domain via dbus bz(1393373)
+
+* Tue Nov 08 2016 Lukas Vrabec - 3.13.1-224
+- Allow watching netflix using Firefox
+
+* Mon Nov 07 2016 Lukas Vrabec - 3.13.1-223
+- nmbd_t needs net_admin capability like smbd
+- Add interface chronyd_manage_pid() Allow logrotate to manage chrony pids
+- Add wake_alarm capability2 to openct_t domain
+- Allow abrt_t to getattr on nsfs_t files.
+- Add cupsd_t domain wake_alarm capability.
+- Allow sblim_reposd_t domain to read cert_f files.
+- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
+- Revert "Allow abrt_dump_oops_t to drop capabilities. bz(1391040)"
+- Allow isnsd_t to accept tcp connections
+
+* Wed Nov 02 2016 Lukas Vrabec - 3.13.1-222
+- Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
+- Add named_t domain net_raw capability bz(1389240)
+- Allow geoclue to read system info. bz(1389320)
+- Make openfortivpn_t as init_deamon_domain. bz(1159899)
+- Allow nfsd domain to create nfsd_unit_file_t files. bz(1382487)
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Add interace lldpad_relabel_tmpfs
+- Merge pull request #155 from rhatdan/sandbox_nfs
+- Add pscsd_t wake_alarm capability2
+- Allow sandbox domains to mount fuse file systems
+- Add boolean to allow sandbox domains to mount nfs
+- Allow hypervvssd_t to read all dirs.
+- Allow isnsd_t to connect to isns_port_t
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Allow GlusterFS with RDMA transport to be started correctly. It requires ipc_lock capability together with rw permission on rdma_cm device.
+- Make tor_var_lib_t and tor_var_log_t as mountpoints.
+- Allow systemd-rfkill to write to /proc/kmsg bz(1388669)
+- Allow init_t to relabel /dev/shm/lldpad.state
+- Merge pull request #168 from rhatdan/docker
+- Label tcp 51954 as isns_port_t
+- Lots of new domains like OCID and RKT are user container processes
+
+* Mon Oct 17 2016 Miroslav Grepl - 3.13.1-221
+- Add container_file_t into contexts/customizable_types.
+
+* Sun Oct 16 2016 Lukas Vrabec - 3.13.1-220
+- Disable container_runtime_typebounds() due to typebounds issues which can not be resolved during build.
+- Disable unconfined_typebounds in sandbox.te due to entrypoint check which exceed for sandbox domains unconfined_t domain.
+- Disable unconfined_typebounds due to entrypoint check which exceed for sandbox domains unconfined_t domain.
+- Merge pull request #167 from rhatdan/container
+- Add transition rules for sandbox domains
+- container_typebounds() should be part of sandbox domain template
+- Fix broken container_* interfaces
+- unconfined_typebounds() should be part of sandbox domain template
+- Fixed unrecognized characters at sandboxX module
+- unconfined_typebounds() should be part of sandbox domain template
+- svirt_file_type is atribute no type.
+- Merge pull request #166 from rhatdan/container
+- Allow users to transition from unconfined_t to container types
+- Add dbus_stream_connect_system_dbusd() interface.
+- Merge pull request #152 from rhatdan/network_filetrans
+- Fix typo in filesystem module
+- Allow nss_plugin to resolve host names via the systemd-resolved. BZ(1383473)
+
+* Mon Oct 10 2016 Lukas Vrabec - 3.13.1-219
+- Dontaudit leaked file descriptors for thumb. BZ(1383071)
+- Fix typo in cobbler SELinux module
+- Merge pull request #165 from rhatdan/container
+- Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
+- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
+- Rename svirt_lxc_net_t to container_t
+- Rename docker.pp to container.pp, causes change in interface name
+- Allow httpd_t domain to list inotify filesystem.
+- Fix couple AVC to start roundup properly
+- Allow dovecot_t send signull to dovecot_deliver_t
+- Add sys_ptrace capability to pegasus domain
+- Allow firewalld to stream connect to NetworkManager. BZ(1380954)
+- rename docker intefaces to container
+- Merge pull request #164 from rhatdan/docker-base
+- Rename docker.pp to container.pp, causes change in interface name
+- Allow gvfs to read /dev/nvme* devices BZ(1380951)
+
+* Wed Oct 05 2016 Colin Walters - 3.13.1-218
+- Revert addition of systemd service for factory reset, since it is
+ basically worse than what we had before.
BZ(1290659)
+
+* Fri Sep 30 2016 Lukas Vrabec 3.13.1-216
+- Allow devicekit to chat with policykit via DBUS. BZ(1377113)
+- Add interface virt_rw_stream_sockets_svirt() BZ(1379314)
+- Allow xdm_t to read mount pid files. BZ(1377113)
+- Allow staff to rw svirt unix stream sockets. BZ(1379314)
+- Allow staff_t to read tmpfs files BZ(1378446)
+
+* Fri Sep 23 2016 Lukas Vrabec 3.13.1-215
+- Make tor_var_run_t as mountpoint. BZ(1368621)
+- Fix typo in ftpd SELinux module.
+- Allow cockpit-session to reset expired passwords BZ(1374262)
+- Allow ftp daemon to manage apache_user_content
+- Label /etc/sysconfig/oracleasm as oracleasm_conf_t
+- Allow oracleasm to rw inherited fixed disk device
+- Allow collectd to connect on unix_stream_socket
+- Add abrt_dump_oops_t kill user namespace capability. BZ(1376868)
+- Dontaudit systemd is mounting unlabeled dirs BZ(1367292)
+- Add interface files_dontaudit_mounton_isid()
+
+* Thu Sep 15 2016 Lukas Vrabec 3.13.1-214
+- Allow attach usb device to virtual machine BZ(1276873)
+- Dontaudit mozilla_plugin to sys_ptrace
+- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636)
+- Fix typo
+- Allow geoclue to send msgs to syslog. BZ(1371818)
+- Allow abrt to read rpm_tmp_t dirs
+- Add interface rpm_read_tmp_files()
+- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux
+- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain.
+- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service
+- Revert "label /var/lib/kubelet as svirt_sandbox_file_t"
+- Remove file context for /var/lib/kubelet.
This filecontext is part of docker now
+- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm
+- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t
+- Allow mdadm_t to getattr all device nodes
+- Dontaudit gkeyringd_domain to connect to system_dbusd_t
+- Add interface dbus_dontaudit_stream_connect_system_dbusd()
+- Allow guest-set-user-passwd to set users password.
+- Allow domains using kerberos to read also kerberos config dirs
+- Allow add new interface to new namespace BZ(1375124)
+- Allow systemd to relalbel files stored in /run/systemd/inaccessible/
+- Add interface fs_getattr_tmpfs_blk_file()
+- Dontaudit domain to create any file in /proc. This is kernel bug.
+- Improve regexp for power_unit_file_t files. To catch just systemd power unit files.
+- Add new interface fs_getattr_oracleasmfs_fs()
+- Add interface fs_manage_oracleasm()
+- Label /dev/kfd as hsa_device_t
+- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs
+
+* Fri Sep 02 2016 Lukas Vrabec 3.13.1-213
+- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module
+- Label /usr/bin/pappet as puppetagent_exec_t
+- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label
+- Allow run sulogin_t in range mls_systemlow-mls_systemhigh.
+
+* Wed Aug 31 2016 Lukas Vrabec 3.13.1-212
+- udisk2 module is part of devicekit module now
+- Fix file context for /etc/pki/pki-tomcat/ca/
+- new interface oddjob_mkhomedir_entrypoint()
+- Allow mdadm to get attributes from all devices.
+- Label /etc/puppetlabs as puppet_etc_t.
+- quota: allow init to run quota tools
+- Add new domain ipa_ods_exporter_t BZ(1366640)
+- Create new interface opendnssec_stream_connect()
+- Allow VirtualBox to manage udev rules.
+- Allow systemd_resolved to send dbus msgs to userdomains
+- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t
+- Label all files in /dev/oracleasmfs/ as oracleasmfs_t
+
+* Thu Aug 25 2016 Lukas Vrabec 3.13.1-211
+- Add new domain ipa_ods_exporter_t BZ(1366640)
+- Create new interface opendnssec_stream_connect()
+- Allow systemd-machined to communicate to lxc container using dbus
+- Dontaudit accountsd domain creating dirs in /root
+- Add new policy for Disk Manager called udisks2
+- Dontaudit firewalld wants write to /root
+- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t
+- Allow certmonger to manage all systemd unit files
+- Allow ipa_helper_t stream connect to dirsrv_t domain
+- Update oracleasm SELinux module
+- label /var/lib/kubelet as svirt_sandbox_file_t
+- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280)
+- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness
+- Add new userdom_dontaudit_manage_admin_dir() interface
+- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type
+
+* Tue Aug 23 2016 Lukas Vrabec 3.13.1-210
+- Add few interfaces to cloudform.if file
+- Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module
+- Allow krb5kdc_t to read krb4kdc_conf_t dirs.
+- Update networkmanager_filetrans_named_content() interface to allow source domain to create also temad dir in /var/run.
+- Make confined users working again
+- Fix hypervkvp module
+- Allow ipmievd domain to create lock files in /var/lock/subsys/
+- Update policy for ipmievd daemon. Contain: Allowing reading sysfs, passwd,kernel modules Execuring bin_t,insmod_t
+- A new version of cloud-init that supports the effort to provision RHEL Atomic on Microsoft Azure requires some a new rules that allows dhclient/dhclient hooks to call cloud-init.
+- Allow systemd to stop systemd-machined daemon. This allows stop virtual machines.
+- Label /usr/libexec/iptables/iptables.init as iptables_exec_t Allow iptables creating lock file in /var/lock/subsys/
+
+* Tue Aug 16 2016 Lukas Vrabec 3.13.1-209
+- Fix lsm SELinux module
+- Dontaudit firewalld to create dirs in /root/ BZ(1340611)
+- Label /run/corosync-qdevice and /run/corosync-qnetd as corosync_var_run_t
+- Allow fprintd and cluster domains to cummunicate via dbus BZ(1355774)
+- Allow cupsd_config_t domain to read cupsd_var_run_t sock_file. BZ(1361299)
+- Add sys_admin capability to sbd domain
+- Allow vdagent to comunnicate with systemd-logind via dbus
+- Allow lsmd_plugin_t domain to create fixed_disk device.
+- Allow opendnssec domain to create and manage own tmp dirs/files
+- Allow opendnssec domain to read system state
+- Allow systemd_logind stop system init_t
+- Add interface init_stop()
+- Add interface userdom_dontaudit_create_admin_dir()
+- Label /var/run/storaged as lvm_var_run_t.
+- Allow unconfineduser to run ipa_helper_t.
+
+* Fri Aug 12 2016 Lukas Vrabec 3.13.1-208
+- Allow cups_config_t domain also mange sock_files. BZ(1361299)
+- Add wake_alarm capability to fprintd domain BZ(1362430)
+- Allow firewalld_t to relabel net_conf_t files. BZ(1365178)
+- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802)
+- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333)
+- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173)
+- Dontaudit mock to write to generic certs.
+- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t
+- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain"
+- Merge pull request #144 from rhatdan/modemmanager
+- Allow modemmanager to write to systemd inhibit pipes
+- Label corosync-qnetd and corosync-qdevice as corosync_t domain
+- Allow ipa_helper to read network state
+- Label oddjob_reqiest as oddjob_exec_t
+- Add interface oddjob_run()
+- Allow modemmanager chat with systemd_logind via dbus
+- Allow NetworkManager chat with puppetagent via dbus
+- Allow NetworkManager chat with kdumpctl via dbus
+- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls.
+- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t
+- Allow rasdaemon to use tracefs filesystem
+- Fix typo bug in dirsrv policy
+- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd.
+- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t
+- Allow dirsrv to read dirsrv_share_t content
+- Allow virtlogd_t to append svirt_image_t files.
+- Allow hypervkvp domain to read hugetlbfs dir/files.
+- Allow mdadm daemon to read nvme_device_t blk files
+- Allow systemd_resolved to connect on system bus. BZ(1366334)
+- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344)
+- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625)
+- label tcp/udp port 853 as dns_port_t. BZ(1365609)
+- Merge pull request #145 from rhatdan/init
+- systemd is doing a gettattr on blk and chr devices in /run
+- Allow selinuxusers and unconfineduser to run oddjob_request
+- Allow sshd server to acces to Crypto Express 4 (CEX4) devices.
+- Fix typo in device interfaces
+- Add interfaces for managing ipmi devices
+- Add interfaces to allow mounting/umounting tracefs filesystem
+- Add interfaces to allow rw tracefs filesystem
+- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base
+- Merge pull request #138 from rhatdan/userns
+- Allow iptables to creating netlink generic sockets.
+- Fix filecontext for systemd shared lib.
+
+* Thu Aug 04 2016 Lukas Vrabec 3.13.1-207
+- Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t
+
+* Tue Aug 02 2016 Lukas Vrabec 3.13.1-206
+- collectd: update policy for 5.5
+- Allow puppet_t transtition to shorewall_t
+- Grant certmonger "chown" capability
+- Boinc updates from Russell Coker.
+- Allow sshd setcap capability. This is needed due to latest changes in sshd.
+- Revert "Allow sshd setcap capability. This is needed due to latest changes in sshd"
+- Revert "Fix typo in ssh policy"
+- Get attributes of generic ptys, from Russell Coker.
+
+* Fri Jul 29 2016 Lukas Vrabec 3.13.1-205
+- Dontaudit mock_build_t can list all ptys.
+- Allow ftpd_t to mamange userhome data without any boolean.
+- Add logrotate permissions for creating netlink selinux sockets.
+- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
+- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654)
+- Allow systemd gpt generator to run fstools BZ(1353585)
+- Label /usr/lib/systemd/libsystemd-shared-231.so as lib_t. BZ(1360716)
+- Allow gnome-keyring also manage user_tmp_t sockets.
+- Allow systemd to mounton /etc filesystem. BZ(1341753)
+
+* Tue Jul 26 2016 Lukas Vrabec 3.13.1-204
+- Allow lsmd_plugin_t to exec ldconfig.
+- Allow vnstatd domain to read /sys/class/net/ files
+- Remove duplicate allow rules in spamassassin SELinux module
+- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs
+- Allow ipa_dnskey domain to search cache dirs
+- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file
+- Allow ipa-dnskey read system state.
+- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245
+- Add interface to write to nsfs inodes
+- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721)
+- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf
+- sysadmin should be allowed to use docker.
+
+* Mon Jul 18 2016 Lukas Vrabec 3.13.1-203
+- Allow hypervkvp domain to run restorecon.
+- Allow firewalld to manage net_conf_t files
+- Remove double graphite-web context declaration
+- Fix typo in rhsmcertd SELinux policy
+- Allow logrotate read logs inside containers.
+- Allow sssd to getattr on fs_t
+- Allow opendnssec domain to manage bind chace files
+- Allow systemd to get status of systemd-logind daemon
+- Label more ndctl devices not just ndctl0
+
+* Wed Jul 13 2016 Lukas Vrabec 3.13.1-202
+- Allow systemd_logind_t to start init_t BZ(1355861)
+- Add init_start() interface
+- Allow sysadm user to run systemd-tmpfiles
+- Add interface systemd_tmpfiles_run
+
+* Mon Jul 11 2016 Lukas Vrabec 3.13.1-201
+- Allow lttng tools to block suspending
+- Allow creation of vpnaas in openstack
+- remove rules with compromised_kernel permission
+- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100)
+- Allow virtual machines to rw infiniband devices.
Resolves: rhbz#1210263
+- Update makefile to support snapperd_contexts file
+- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission
+- Remove duplicate declaration of class service
+- Fix typo in access_vectors file
+- Merge branch 'rawhide-base-modules-load' into rawhide-base
+- Add new policy for systemd-modules-load
+- Add systemd access vectors.
+- Revert "Revert "Revert "Missed this version of exec_all"""
+- Revert "Revert "Missed this version of exec_all""
+- Revert "Missed this version of exec_all"
+- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644.
+- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48.
+- Revert "Allow xserver to compromise_kernel access"BZ(1351624)
+- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624)
+- Revert "add ptrace_child access to process" (BZ1351624)
+- Add user namespace capability object classes.
+- Allow udev to manage systemd-hwdb files
+- Add interface systemd_hwdb_manage_config()
+- Fix paths to infiniband devices. This allows use more then two infiniband interfaces.
+- corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+- iptables: add fcontext for nftables
+
+* Tue Jul 05 2016 Lukas Vrabec 3.13.1-200
+- Fix typo in brltty policy
+- Add new SELinux module sbd
+- Allow pcp dmcache metrics collection
+- Allow pkcs_slotd_t to create dir in /var/lock Add label pkcs_slotd_log_t
+- Allow openvpn to create sock files labeled as openvpn_var_run_t
+- Allow hypervkvp daemon to getattr on all filesystem types.
+- Allow firewalld to create net_conf_t files
+- Allow mock to use lvm
+- Allow mirromanager creating log files in /tmp
+- Allow vmtools_t to transition to rpm_script domain
+- Allow nsd daemon to manage nsd_conf_t dirs and files
+- Allow cluster to create dirs in /var/run labeled as cluster_var_run_t
+- Allow sssd read also sssd_conf_t dirs
+- Allow opensm daemon to rw infiniband_mgmt_device_t
+- Allow krb5kdc_t to communicate with sssd
+- Allow prosody to bind on prosody ports
+- Add dac_override caps for fail2ban-client Resolves: rhbz#1316678
+- dontaudit read access for svirt_t on the file /var/db/nscd/group Resolves: rhbz#1301637
+- Allow inetd child process to communicate via dbus with systemd-logind Resolves: rhbz#1333726
+- Add label for brltty log file Resolves: rhbz#1328818
+- Allow snort_t to communicate with sssd Resolves: rhbz#1284908
+- Add interface lttng_sessiond_tmpfs_t()
+- Dontaudit su_role_template interface to getattr /proc/kcore Dontaudit su_role_template interface to getattr /dev/initctl
+- Add interface lvm_getattr_exec_files()
+- Make label for new infiniband_mgmt deivices
+- Add prosody ports Resolves: rhbz#1304664
+
+* Tue Jun 28 2016 Lukas Vrabec 3.13.1-199
+- Label /var/lib/softhsm as named_cache_t. Allow named_t to manage named_cache_t dirs.
+- Allow glusterd daemon to get systemd status
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Merge pull request #135 from rhatdan/rawip_socket
+- Allow logrotate dbus-chat with system_logind daemon
+- Allow pcp_pmlogger to read kernel network state Allow pcp_pmcd to read cron pid files
+- Add interface cron_read_pid_files()
+- Allow pcp_pmlogger to create unix dgram sockets
+- Add interface dirsrv_run()
+- Remove non-existing jabberd_spool_t() interface and add new jabbertd_var_spool_t.
+- Remove non-existing interface salk_resetd_systemctl() and replace it with sanlock_systemctl_sanlk_resetd()
+- Create label for openhpid log files.
+- Container processes need to be able to listen on rawip sockets
+- Label /var/lib/ganglia as httpd_var_lib_t
+- Allow firewalld_t to create entries in net_conf_t dirs.
+- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
+- Label /etc/dhcp/scripts dir as bin_t
+- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
+
+* Wed Jun 22 2016 Lukas Vrabec 3.13.1-198
+- Allow firewalld_t to create entries in net_conf_t dirs.
+- Allow journalctl to read syslogd_var_run_t files. This allows to staff_t and sysadm_t to read journals
+- Allow rhsmcertd connect to port tcp 9090
+- Label for /bin/mail(x) was removed but /usr/bin/mail(x) not. This path is also needed to remove.
+- Label /usr/libexec/mimedefang-wrapper as spamd_exec_t.
+- Add new boolean spamd_update_can_network.
+- Add proper label for /var/log/proftpd.log
+- Allow rhsmcertd connect to tcp netport_port_t
+- Fix SELinux context for /usr/share/mirrormanager/server/mirrormanager to Label all binaries under dir as mirrormanager_exec_t.
+- Allow prosody to bind to fac_restore tcp port.
+- Fix SELinux context for usr/share/mirrormanager/server/mirrormanager
+- Allow ninfod to read raw packets
+- Fix broken hostapd policy
+- Allow hostapd to create netlink_generic sockets. BZ(1343683)
+- Merge pull request #133 from vinzent/allow_puppet_transition_to_shorewall
+- Allow pegasus get attributes from qemu binary files.
+- Allow tuned to use policykit. This change is required by cockpit.
+- Allow conman_t to read dir with conman_unconfined_script_t binary files.
+- Allow pegasus to read /proc/sysinfo.
+- Allow puppet_t transtition to shorewall_t
+- Allow conman to kill conman_unconfined_script.
+- Allow sysadm_role to run journalctl_t domain. This allows sysadm user to read journals.
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-base' into rawhide-base
+- Allow systemd to execute all init daemon executables.
+- Add init_exec_notrans_direct_init_entry() interface.
+- Label tcp ports:16379, 26379 as redis_port_t
+- Allow systemd to relabel /var and /var/lib directories during boot.
+- Add files_relabel_var_dirs() and files_relabel_var_dirs() interfaces.
+- Add files_relabelto_var_lib_dirs() interface.
+- Label tcp and udp port 5582 as fac_restore_port_t
+- Allow sysadm_t user to run postgresql-setup.
+- Allow sysadm_t user to dbus chat with oddjob_t. This allows confined admin run oddjob mkhomedirfor script.
+- Allow systemd-resolved to connect to llmnr tcp port. BZ(1344849)
+- Allow passwd_t also manage user_tmp_t dirs, this change is needed by gnome-keyringd
+
+* Thu Jun 16 2016 Lukas Vrabec 3.13.1-197
+- Allow conman to kill conman_unconfined_script.
+- Make conman_unconfined_script_t as init_system_domain.
+- Allow init dbus chat with apmd.
+- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
+- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
+- Allow collectd_t to stream connect to postgresql.
+- Allow mysqld_safe to inherit rlimit information from mysqld
+- Allow ip netns to mounton root fs and unmount proc_t fs.
+- Allow sysadm_t to run newaliases command.
+
+* Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
+- Allow svirt_sandbox_domains to r/w onload sockets
+- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
+- Add interface sysnet_filetrans_named_net_conf()
+- Rawhide fails to boot, systemd-logind needs to config transient config files
+- User Namespace is requires create on process domains
+
+* Wed Jun 08 2016 Lukas Vrabec 3.13.1-195
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+
+* Tue Jun 07 2016 Lukas Vrabec 3.13.1-194
+- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
+- Add nrpe_dontaudit_write_pipes()
+- Merge pull request #129 from rhatdan/onload
+- Add support for onloadfs
+- Merge pull request #127 from rhatdan/device-node
+- Additional access required for unconfined domains
+- Dontaudit ping attempts to write to nrpe unnamed pipes
+- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952)
+
+* Mon May 30 2016 Lukas Vrabec 3.13.1-193
+- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
+- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
+- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
+- Allow ipa_dnskey_t search httpd config files.
+- Dontaudit certmonger to write to etc_runtime_t
+- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
+- Add interface ipa_delete_tmp()
+- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
+- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
+
+* Wed May 25 2016 Lukas Vrabec 3.13.1-192
+- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
+- Add SELinux policy for opendnssec service. BZ(1333106)
+
+* Tue May 24 2016 Lukas Vrabec 3.13.1-191
+- Label /usr/share/ovirt-guest-agent/ovirt-guest-agent.py as rhev_agentd_exec_t
+- Allow dnssec_trigger_t to create lnk_file labeled as dnssec_trigger_var_run_t.
BZ(1335954)
+- Allow ganesha-ha.sh script running under unconfined_t domain communicate with glusterd_t domains via dbus.
+- Allow ganesha daemon labeled as glusterd_t create /var/lib/nfs/ganesha dir labeled as var_lib_nfs_t.
+- Merge pull request #122 from NetworkManager/th/nm-dnsmasq-dbus
+- Merge pull request #125 from rhatdan/typebounds
+- Typebounds user domains
+- Allow systemd_resolved_t to check if ipv6 is disabled.
+- systemd added a new directory for unit files /run/systemd/transient. It should be labelled system_u:object_r:systemd_unit_file_t:s0, the same as /run/systemd/system, PID 1 will write units there. Resolves: #120
+- Label /dev/xen/privcmd as xen_device_t. BZ(1334115)
+
+* Mon May 16 2016 Lukas Vrabec 3.13.1-190
+- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
+- Allow zabbix to connect to postgresql port
+- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
+- Allow systemd to read efivarfs. Resolve: #121
+
+* Tue May 10 2016 Lukas Vrabec 3.13.1-189
+- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
+
+* Mon May 09 2016 Lukas Vrabec 3.13.1-188
+- Label tcp port 8181 as intermapper_port_t.
+- Label /usr/libexec/storaged/storaged as lvm_exec_t to run storaged daemon in lvm_t SELinux domain. BZ(1333588)
+- Label tcp/udp port 2024 as xinuexpansion4_port_t
+- Label tcp port 7002 as afs_pt_port_t Label tcp/udp port 2023 as xinuexpansion3_port_t
+
+* Thu May 05 2016 Lukas Vrabec 3.13.1-187
+- Allow stunnel create log files. BZ(1333033)
+- Label dev/shm/squid-cf__metadata.shm as squid_tmpfs_t. BZ(1331574)
+- Allow stunnel sys_nice capability. Stunnel sched_* syscalls in some cases. BZ(1332287)
+- Label /usr/bin/ganesha.nfsd as glusterd_exec_t to run ganesha as glusterd_t.
Allow glusterd_t stream connect to rpbind_t. Allow cluster_t to create symlink /var/lib/nfs labeled as var_lib_nfs_t. Add interface rpc_filetrans_var_lib_nfs_content() Add new boolean: rpcd_use_fusefs to allow rpcd daemon use fusefs.
+- Allow systemd-user-sessions daemon to mamange systemd_logind_var_run_t pid files. BZ(1331980)
+- Modify kernel_steam_connect() interface by adding getattr permission. BZ(1331927)
+- Label /usr/sbin/xrdp* files as bin_t BZ(1258453)
+- Allow rpm-ostree domain transition to install_t domain from init_t. rhbz#1330318
+
+* Fri Apr 29 2016 Lukas Vrabec 3.13.1-186
+- Allow snapperd sys_admin capability Allow snapperd to set scheduler. BZ(1323732)
+- Label named-pkcs11 binary as named_exec_t. BZ(1331316)
+- Revert "Add new permissions stop/start to class system. rhbz#1324453"
+- Fix typo in module compilation message
+
+* Wed Apr 27 2016 Lukas Vrabec 3.13.1-185
+- Allow runnig php7 in fpm mode. From selinux-policy side, we need to allow httpd to read/write hugetlbfs.
+- Allow openvswitch daemons to run under openvswitch Linux user instead of root. This change needs allow set capabilities: chwon, setgid, setuid, setpcap. BZ(1330895)
+- Allow KDM to get status about power services. This change allow kdm to be able do shutdown BZ(1330970)
+- Add mls support for some db classes
+
+* Tue Apr 26 2016 Lukas Vrabec 3.13.1-184
+- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits.
+- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448
+- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732
+- Make virt_use_pcscd boolean off by default.
+- Create boolean to allow virtual machine use smartcards. rhbz#1029297
+- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754
+- Allow mongod log to syslog.
+- Allow nsd daemon to create log file in /var/log as nsd_log_t
+- unlabeled_t can not be an entrypoint.
+- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909
+- Add new permissions stop/start to class system. rhbz#1324453
+
+* Mon Apr 18 2016 Lukas Vrabec 3.13.1-183
+- Allow modemmanager to talk to logind
+- Dontaudit tor daemon needs net_admin capability. rhbz#1311788
+- Allow GDM write to event devices. This rule is needed for GDM, because other display managers runs the X server as root, GDM instead runs the X server as the unprivileged user, within the user session. rhbz#1232042
+- Xorg now writes content in users homedir.
+
+* Fri Apr 08 2016 Lukas Vrabec 3.13.1-182
+- rename several contrib modules according to their filenames
+- Add interface gnome_filetrans_cert_home_content()
+- By default container domains should not be allowed to create devices
+- Allow unconfined_t to create ~/.local/share/networkmanagement/certificates/ as home_cert_t instead of data_home_t.
+- Allow systemd_resolved_t to read /etc/passwd file. Allow systemd_resolved_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used
+- Allow systemd gpt generator to read removable devices. BZ(1323458)
+- Allow systemd_gpt_generator_t sys_rawio capability. This access is needed to allow systemd gpt generator various device commands BZ(1323454)
+
+* Fri Apr 01 2016 Lukas Vrabec 3.13.1-181
+- Label /usr/libexec/rpm-ostreed as rpm_exec_t. BZ(1309075)
+- /bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail. In this case we need to label /bin/mailx as bin_t. BZ(1323224)
+- Label all run tgtd files, not just socket files.
+- Allow prosody to stream connect to sasl. This will allow using cyrus authentication in prosody.
+- Allow prosody to listen on port 5000 for mod_proxy65. BZ(1322815)
+- Allow targetd to read/write to /dev/mapper/control device. BZ(1241415)
+- Label /etc/selinux/(minimum|mls|targeted)/active/ as semanage_store_t.
+- Allow systemd_resolved to read systemd_networkd run files. BZ(1322921)
+- New cgroup2 file system in Rawhide
+
+* Wed Mar 30 2016 Lukas Vrabec 3.13.1-180
+- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
+- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
+- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
+- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
+- Allow bitlee to create bitlee_var_t dirs.
+- Allow CIM provider to read sssd public files.
+- Fix some broken interfaces in distro policy.
+- Allow power button to shutdown the laptop.
+- Allow lsm plugins to create named fixed disks. rhbz#1238066
+- Allow hyperv domains to rw hyperv devices. rhbz#1241636
+- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
+- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
+- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
+- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
+- Label nagios scripts as httpd_sys_script_exec_t.
+- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
+- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
+- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
+- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
+- Dontaudit logrotate to setrlimit itself. rhbz#1309604
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
+- Allow pcp_pmie and pcp_pmlogger to read all domains state.
+- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
+- Merge pull request #115 from rhatdan/nvidea
+- Label all nvidia binaries as xserver_exec_t
+- Add new systemd_hwdb_read_config() interface. rhbz#1316514
+- Add back corecmd_read_all_executables() interface.
+- Call files_type() instead of file_type() for unlabeled_t.
+- Add files_entrypoint_all_mountpoint() interface.
+- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
+- Add corecmd_entrypoint_all_executables() interface.
+- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
+- Add neverallow assertion for unlabaled_t to increase policy security.
+- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
+- Label 8952 tcp port as nsd_control.
+- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
+
+* Wed Mar 16 2016 Lukas Vrabec 3.13.1-179
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
+- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
+- Allow pcp_pmie and pcp_pmlogger to read all domains state.
+- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
+- Merge pull request #108 from rhatdan/rkt
+- Merge pull request #109 from rhatdan/virt_sandbox
+- Add new interface to define virt_sandbox_network domains
+- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
+- Fix typo in drbd policy
+- Remove declaration of empty booleans in virt policy.
+- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
+- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
+- Additional rules to make rkt work in enforcing mode
+- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
+- Allow ipsec to use pam. rhbz#1317988
+- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
+- Allow setrans daemon to read /proc/meminfo.
+- Merge pull request #107 from rhatdan/rkt-base
+- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
+- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
+
+* Thu Mar 10 2016 Lukas Vrabec 3.13.1-178
+- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
+- Add support systemd-resolved.
+
+* Tue Mar 08 2016 Lukas Vrabec 3.13.1-177
+- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
+- Allow sending dbus msgs between firewalld and system_cronjob domains.
+- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
+- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
+- Add support for systemd-gpt-auto-generator. rhbz#1314968
+- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
+- Add support for systemd-hwdb daemon. rhbz#1306243
+
+* Thu Mar 03 2016 Lukas Vrabec 3.13.1-176
+- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
+- Merge pull request #105 from rhatdan/NO_NEW_PRIV
+- Fix new rkt policy
+- Remove some redundant rules.
+- Fix cosmetic issues in interface file.
+- Merge pull request #100 from rhatdan/rawhide-contrib
+- Add interface fs_setattr_cifs_dirs().
+- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE +- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) +-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. + This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, + file_contexts is parsed in selabel_open(). +Resolves: rhbz#1314372 + +* Fri Feb 26 2016 Lukas Vrabec 3.13.1-175 +- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) +- Add policy for rkt services + +* Fri Feb 26 2016 Lukas Vrabec 3.13.1-174 +- Revert "Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019" +- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/ rhbz#1285019 + +* Fri Feb 26 2016 Lukas Vrabec 3.13.1-173 +- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 +- Allow keepalived to create netlink generic sockets. rhbz#1311756 +- Allow modemmanager to read /etc/passwd file. +- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. +- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 +- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 +- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 +- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319 + +* Thu Feb 25 2016 Lukas Vrabec 3.13.1-172 +- Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. +- Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. 
Resolves: rhbz#1291033 +- Allow collectd setgid capability Resolves:#1310896 +- Allow adcli running as sssd_t to write krb5.keytab file. +- Allow abrt-hook-ccpp to getattr on all executables. BZ(1284304) +- Allow kexec to read kernel module files in /usr/lib/modules. +- Add httpd_log_t for /var/log/graphite-web rhbz#1306981 +- Remove redudant rules and fix _admin interface. +- Add SELinux policy for LTTng 2.x central tracing registry session daemon. +- Allow create mongodb unix dgram sockets. rhbz#1306819 +- Support for InnoDB Tablespace Encryption. +- Dontaudit leaded file descriptors from firewalld +- Add port for rkt services +- Add support for the default lttng-sessiond port - tcp/5345. This port is used by LTTng 2.x central tracing registry session daemon. + +* Thu Feb 11 2016 Lukas Vrabec 3.13.1-171 +- Allow setroubleshoot_fixit_t to use temporary files + +* Wed Feb 10 2016 Lukas Vrabec 3.13.1-170 +- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334 +- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426 +- Create new type fwupd_cert_t Label /etc/pki/(fwupd|fwupd-metadata) dirs as fwupd_cert_t Allow fwupd_t domain to read fwupd_cert_t files|lnk_files rhbz#1303533 +- Add interface to dontaudit leaked files from firewalld +- fwupd needs to dbus chat with policykit +- Allow fwupd domain transition to gpg domain. Fwupd signing firmware updates by gpg. rhbz#1303531 +- Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967 +- Allow prelink_cron_system_t domain set resource limits. BZ(1190364) +- Allow pppd_t domain to create sockfiles in /var/run labeled as pppd_var_run_t label. BZ(1302666) +- Fix wrong name for openqa_websockets tcp port. +- Allow run sshd-keygen on second boot if first boot fails after some reason and content is not syncedon the disk. These changes are reflecting this commit in sshd. 
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/commit/?id=af94f46861844cbd6ba4162115039bebcc8f78ba rhbz#1299106 +- Add interface ssh_getattr_server_keys() interface. rhbz#1299106 +- Added Label openqa for tcp port (9526) Added Label openqa-websockets for tcp port (9527) rhbz#1277312 +- Add interface fs_getattr_nsfs_files() +- Add interface xserver_exec(). +- Revert "Allow all domains some process flags."BZ(1190364) + +* Wed Feb 03 2016 Lukas Vrabec 3.13.1-169 +- Allow openvswitch domain capability sys_rawio. +- Revert "Allow NetworkManager create dhcpc pid files. BZ(1229755)" +- Allow openvswitch to manage hugetlfs files and dirs. +- Allow NetworkManager create dhcpc pid files. BZ(1229755) +- Allow apcupsd to read kernel network state. BZ(1282003) +- Label /sys/kernel/debug/tracing filesystem +- Add fs_manage_hugetlbfs_files() interface. +- Add sysnet_filetrans_dhcpc_pid() interface. + +* Wed Jan 20 2016 Lukas Vrabec 3.13.1-168 +- Label virtlogd binary as virtd_exec_t. BZ(1291940) +- Allow iptables to read nsfs files. BZ(1296826) + +* Mon Jan 18 2016 Lukas Vrabec 3.13.1-167 +- Add fwupd policy for daemon to allow session software to update device firmware +- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930) +- Allow systemd services to use PrivateNetwork feature +- Add a type and genfscon for nsfs. +- Fix SELinux context for rsyslog unit file. BZ(1284173) + +* Wed Jan 13 2016 Lukas Vrabec 3.13.1-166 +- Allow logrotate to systemctl rsyslog service. BZ(1284173) +- Allow condor_master_t domain capability chown. BZ(1297048) +- Allow chronyd to be dbus bus client. BZ(1297129) +- Allow openvswitch read/write hugetlb filesystem. +- Revert "Allow openvswitch read/write hugetlb filesystem." +- Allow smbcontrol domain to send sigchld to ctdbd domain. +- Allow openvswitch read/write hugetlb filesystem. 
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Label /var/log/ipareplica-conncheck.log file as ipa_log_t Allow ipa_helper_t domain to manage logs labeledas ipa_log_t Allow ipa_helper_t to connect on http and kerberos_passwd ports. BZ(1289930) +- Allow keepalived to connect to 3306/tcp port - mysqld_port_t. +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib +- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib +- Merge pull request #86 from rhatdan/rawhide-contrib +- Label some new nsd binaries as nsd_exec_t Allow nsd domain net_admin cap. Create label nsd_tmp_t for nsd tmp files/dirs BZ (1293146) +- Added interface logging_systemctl_syslogd +- Label rsyslog unit file +- Added policy for systemd-coredump service. Added domain transition from kernel_t to systemd_coredump_t. Allow syslogd_t domain to read/write tmpfs systemd-coredump files. Make new domain uconfined for now. + +* Wed Jan 06 2016 Lukas Vrabec 3.13.1-165 +- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) +- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." +- Allow arping running as netutils_t sys_module capability for removing tap devices. +- Add userdom_connectto_stream() interface. +- Allow systemd-logind to read /run/utmp. BZ(#1278662) +- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085) +- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices." +- Allow arping running as netutils_t sys_module capability for removing tap devices. +- Add userdom_connectto_stream() interface. +- Allow systemd-logind to read /run/utmp. BZ(#1278662) + +* Tue Dec 15 2015 Lukas Vrabec 3.13.1-164 +- Allow firewalld to create firewalld_var_run_t directory. 
BZ(1291243) +- Add interface firewalld_read_pid_files() +- Allow iptables to read firewalld pid files. BZ(1291243) +- Allow the user cronjobs to run in their userdomain +- Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1288111) +- Merge pull request #81 from rhatdan/rawhide-base +- New access needed by systemd domains + +* Wed Dec 09 2015 Lukas Vrabec 3.13.1-163 +- Allow whack executed by sysadm SELinux user to access /var/run/pluto/pluto.ctl. It fixes "ipsec auto --status" executed by sysadm_t. +- Add ipsec_read_pid() interface + +* Mon Dec 07 2015 Miroslav Grepl 3.13.1-162 +- Label /usr/sbin/lvmlockd binary file as lvm_exec_t. BZ(1287739) +- Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182) +- Update init policy to have userdom_noatsecure_login_userdomain() and userdom_sigchld_login_userdomain() called for init_t. +- init_t domain should be running without unconfined_domain attribute. +- Add a new SELinux policy for /usr/lib/systemd/systemd-rfkill. +- Update userdom_transition_login_userdomain() to have "sigchld" and "noatsecure" permissions. +- systemd needs to access /dev/rfkill on early boot. +- Allow dspam to read /etc/passwd + +* Mon Nov 30 2015 Lukas Vrabec 3.13.1-161 +- Set default value as true in boolean mozilla_plugin_can_network_connect. BZ(1286177) + +* Tue Nov 24 2015 Lukas Vrabec 3.13.1-160 +- Allow apcupsd sending mails about battery state. BZ(1274018) +- Allow pcp_pmcd_t domain transition to lvm_t. BZ(1277779) +- Merge pull request #68 from rhatdan/rawhide-contrib +- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048). #1248785 +- Allow systemd-networkd to bind dhcpd ports if DHCP=yes in *.network conf file. BZ(#1280092) +- systemd-tmpfiles performs operations on System V IPC objects which requires sys_admin capability. 
BZ(#1279269) + +* Fri Nov 20 2015 Miroslav Grepl 3.13.1-159 +- Allow antivirus_t to bind to all unreserved ports. Clamd binds to random unassigned port (by default in range 1024-2048) +- Allow abrt-hook-ccpp to change SELinux user identity for created objects. +- Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern. +- Allow setuid/setgid capabilities for abrt-hook-ccpp. +- Add default labeling for /etc/Pegasus/cimserver_current.conf. It is a correct patch instead of the current /etc/Pegasus/pegasus_current.conf. +- Allow fenced node dbus msg when using foghorn witch configured foghorn, snmpd, and snmptrapd. +- cockpit has grown content in /var/run directory +- Add support for /dev/mptctl device used to check RAID status. +- Allow systemd-hostnamed to communicate with dhcp via dbus. +- systemd-logind remove all IPC objects owned by a user on a logout. This covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments. +- Add userdom_destroy_unpriv_user_shared_mem() interface. +- Label /var/run/systemd/shutdown directory as systemd_logind_var_run_t to allow systemd-logind to access it if shutdown is invoked. +- Access needed by systemd-machine to manage docker containers +- Allow systemd-logind to read /run/utmp when shutdown is invoked. + +* Tue Nov 10 2015 Miroslav Grepl 3.13.1-158 +- Merge pull request #48 from lkundrak/contrib-openfortivpn +- unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets. + +* Mon Nov 09 2015 Miroslav Grepl 3.13.1-157 +- The ABRT coredump handler has code to emulate default core file creation The handler runs in a separate process with abrt_dump_oops_t SELinux process type. abrt-hook-ccpp also saves the core dump file in the very same way as kernel does and a user can specify CWD location for a coredump. 
abrt-hook-ccpp has been made as a SELinux aware apps to create this coredumps with correct labeling and with this commit the policy rules have been updated to allow access all non security files on a system. +- Since /dev/log is a symlink, we need to allow relabelto also symlink. This commit update logging_relabel_devlog_dev() interface to allow it. +- systemd-user has pam_selinux support and needs to able to compute user security context if init_t is not unconfined domain. + +* Tue Oct 27 2015 Lukas Vrabec 3.13.1-156 +- Allow fail2ban-client to execute ldconfig. #1268715 +- Add interface virt_sandbox_domain() +- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift. +-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets(). +- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets(). +- Remove auth_login_pgm_domain(init_t) which has been added by accident. +- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files. +- Add interface auth_use_nsswitch() to systemd_domain_template. +- Revert "auth_use_nsswitch can be used with attribute systemd_domain." +- auth_use_nsswitch can be used with attribute systemd_domain. +- ipsec: fix stringSwan charon-nm +- docker is communicating with systemd-machined +- Add missing systemd_dbus_chat_machined, needed by docker + +* Tue Oct 20 2015 Lukas Vrabec 3.13.1-155 +- Build including docker selinux interfaces. + +* Tue Oct 20 2015 Lukas Vrabec 3.13.1-154 +- Allow winbindd to send signull to kernel. 
BZ(#1269193) +- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib +- Fixes for chrony version 2.2 BZ(#1259636) + * Allow chrony chown capability + * Allow sendto dgram_sockets to itself and to unconfined_t domains. +- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib +- Add boolean allowing mysqld to connect to http port. #1262125 +- Merge pull request #52 from 1dot75cm/rawhide-base +- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877) +- Fix attribute in corenetwork.if.in + +* Tue Oct 13 2015 Lukas Vrabec 3.13.1-153 +- Allow abrt_t to read sysctl_net_t files. BZ(#1194280) +- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib +- Add abrt_stub interface. +- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972) +- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633) +- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217) +- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200). +- Add samba_manage_var_dirs() interface. +- Allow pcp_pmlogger to exec bin_t BZ(#1258698) +- Allow spamd to read system network state. BZ(1260234) +- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882) +- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201) +- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916) +- Add fs_read_xenfs_files() interface. +- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly. +- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850) + +* Thu Oct 08 2015 Lukas Vrabec 3.13.1-152 +- Allow pcp_pmlogger to read system state. BZ(1258699) +- Allow cupsd to connect on socket. BZ(1258089) +- Allow named to bind on ephemeral ports. BZ(#1259766) +- Allow iscsid create netlink iscsid sockets. 
+- We need allow connect to xserver for all sandbox_x domain because we have one type for all sandbox processes.
+- Allow NetworkManager_t and policykit_t read access to systemd-machined pid files. #1255305
+- Add missing labeling for /usr/libexec/abrt-hook-ccpp as a part of #1245477 and #1242467 bugs.
+- Allow search dirs in sysfs types in kernel_read_security_state.
+- Fix kernel_read_security_state interface that source domain of this interface can search sysctl_fs_t dirs.
+
+* Fri Oct 02 2015 Lukas Vrabec 3.13.1-151
+- Update modules_filetrans_named_content() to make sure we don't get modules_dep labeling by filename transitions.
+- Remove /usr/lib/modules/[^/]+/modules\..+ labeling
+- Add modutils_read_module_deps_files() which is called from files_read_kernel_modules() for module deps which are still labeled as modules_dep_t.
+- Remove modules_dep_t labeling for kernel module deps. depmod is a symlink to kmod which is labeled as insmod_exec_t which handles modules_object_t and there is no transition to modules_dep_t. Also some of these module deps are placed by cpio during install/update of kernel package.
+
+* Fri Oct 02 2015 Lukas Vrabec 3.13.1-150
+- Allow acpid to attempt to connect to the Linux kernel via generic netlink socket.
+- Clean up pkcs11proxyd policy.
+- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
+- Revert "depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t."
+- depmod is a symlink to insmod so it runs as insmod_t. It causes that dep kernel modules files are not created with the correct labeling modules_dep_t. This fix adds filenamtrans rules for insmod_t.
+- Update files_read_kernel_modules() to contain modutils_read_module_deps() calling because module deps labeling has been updated and it allows to avoid regressions.
+- Update modules_filetrans_named_content() interface to cover more modules.* files.
+- New policy for systemd-machined. #1255305
+- In Rawhide/F24, we added pam_selinux.so support for systemd-users to have user sessions running under correct SELinux labeling. It also supports another new feature with systemd+dbus and we have sessions dbuses running with the correct labeling - unconfined_dbus_t for example.
+- Allow systemd-logind read access to efivarfs - Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables). #1244973, #1267207 (partial solution)
+- Merge pull request #42 from vmojzis/rawhide-base
+- Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables)
+
+* Tue Sep 29 2015 Lukas Vrabec 3.13.1-149
+- Add few rules related to new policy for pkcs11proxyd
+- Added new policy for pkcs11proxyd daemon
+- We need to require sandbox_web_type attribute in sandbox_x_domain_template().
+- Dontaudit abrt_t to rw lvm_lock_t dir.
+- Allow abrt_d domain to write to kernel msg device.
+- Add interface lvm_dontaudit_rw_lock_dir()
+- Merge pull request #35 from lkundrak/lr-libreswan
+
+* Tue Sep 22 2015 Lukas Vrabec 3.13.1-148
+- Update config.tgz to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
+- Added support for permissive domains
+- Allow rpcbind_t domain to change file owner and group
+- rpm-ostree has a daemon mode now and need to speak to polkit/logind for authorization. BZ(#1264988)
+- Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)
+- Allow smbcontrol to create a socket in /var/samba which uses for a communication with smbd, nmbd and winbind.
+- Revert "Add apache_read_pid_files() interface"
+- Allow dirsrv-admin read httpd pid files.
+- Add apache_read_pid_files() interface
+- Add label for dirsrv-admin unit file.
+- Allow qpid daemon to connect on amqp tcp port.
+- Allow dirsrvadmin-script read /etc/passwd file Allow dirsrvadmin-script exec systemctl +- Add labels for afs binaries: dafileserver, davolserver, salvageserver, dasalvager +- Add lsmd_plugin_t sys_admin capability, Allow lsmd_plugin_t getattr from sysfs filesystem. +- Allow rhsmcertd_t send signull to unconfined_service_t domains. +- Revert "Allow pcp to read docker lib files." +- Label /usr/libexec/dbus-1/dbus-daemon-launch-helper as dbusd_exec_t to have systemd dbus services running in the correct domain instead of unconfined_service_t if unconfined.pp module is enabled. BZ(#1262993) +- Allow pcp to read docker lib files. +- Revert "init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so" +- Add login_userdomain attribute also for unconfined_t. +- Add userdom_login_userdomain() interface. +- Label /etc/ipa/nssdb dir as cert_t +- init_t needs to be login_pgm domain because of systemd-users + pam_selinux.so +- Add interface unconfined_server_signull() to allow domains send signull to unconfined_service_t +- Call userdom_transition_login_userdomain() instead of userdom_transition() in init.te related to pam_selinux.so+systemd-users. +- Add userdom_transition_login_userdomain() interface +- Allow user domains with login_userdomain to have entrypoint access on init_exec. It is needed by pam_selinux.so call in systemd-users. BZ(#1263350) +- Add init_entrypoint_exec() interface. +- Allow init_t to have transition allow rule for userdomain if pam_selinux.so is used in /etc/pam.d/systemd-user. It ensures that systemd user sessions will run with correct userdomain types instead of init_t. BZ(#1263350) + +* Mon Sep 14 2015 Lukas Vrabec 3.13.1-147 +- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272) +- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling. 
+- Dontaudit fenced search gnome config +- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180) +- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t. +- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon +- Fix labeling for fence_scsi_check script +- Allow openhpid to read system state Aloow openhpid to connect to tcp http port. +- Allow openhpid to read snmp var lib files. +- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe +- Fix regexp in chronyd.fc file +- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175) +- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. +- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t +- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl + +* Tue Sep 01 2015 Lukas Vrabec 3.13.1-146 +- Allow passenger to getattr filesystem xattr +- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc." +- Label mdadm.conf.anackbak as mdadm_conf_t file. +- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765) +- Allow dnssec-trigger to exec pidof. BZ(#1256737) +- Allow blueman to create own tmp files in /tmp. (#1234647) +- Add new audit_read access vector in capability2 class +- Add "binder" security class and access vectors +- Update netlink socket classes. +- Allow getty to read network state. BZ(#1255177) +- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t. + +* Sun Aug 30 2015 Lukas Vrabec 3.13.1-145 +- Allow watchdog execute fenced python script. +- Added inferface watchdog_unconfined_exec_read_lnk_files() +- Allow pmweb daemon to exec shell. 
BZ(1256127) +- Allow pmweb daemon to read system state. BZ(#1256128) +- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t. +- Revert "Revert default_range change in targeted policy" +- Allow dhcpc_t domain transition to chronyd_t + +* Mon Aug 24 2015 Lukas Vrabec 3.13.1-144 +- Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) +- Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764) +- Add interface dnssec_trigger_sigkill +- Allow smsd use usb ttys. BZ(#1250536) +- Fix postfix_spool_maildrop_t,postfix_spool_flush_t contexts in postfix.fc file. +- Revert default_range change in targeted policy +- Allow systemd-sysctl cap. sys_ptrace BZ(1253926) + +* Fri Aug 21 2015 Miroslav Grepl 3.13.1-143 +- Add ipmievd policy creaed by vmojzis@redhat.com +- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled. +- Allow NetworkManager to write audit log messages +- Add new policy for ipmievd (ipmitool). +- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block. +- Allow sandbox domain to be also /dev/mem writer +- Fix neverallow assertion for sys_module capability for openvswitch. +- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t. +- Fix neverallow assertion for sys_module capability. +- Add more attributes for sandbox domains to avoid neverallow assertion issues. +- Add neverallow asserition fixes related to storage. +- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS +- Allow openhpid_t to read system state. +- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. +- Added labels for files provided by rh-nginx18 collection +- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. 
Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
+- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
+- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
+- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
+- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
+- Add dev_raw_memory_writer() interface
+- Add auth_reader_shadow() and auth_writer_shadow() interfaces
+- Add dev_raw_memory_reader() interface.
+- Add storage_rw_inherited_scsi_generic() interface.
+- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
+- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
+- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
+
+* Tue Aug 18 2015 Lukas Vrabec 3.13.1-142
+- Allow samba_net_t to manage samba_var_t sock files.
+- Allow httpd daemon to manage httpd_var_lib_t lnk_files.
+- Allow collectd stream connect to pdns.(BZ #1191044)
+- Add interface pdns_stream_connect()
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Allow chronyd exec systemctl
+- Merge pull request #30 from vmojzis/rawhide-contrib
+- Hsqldb policy upgrade -Allow sock_file management
+- Add inteface chronyd_signal Allow timemaster_t send generic signals to chronyd_t.
+- Hsqldb policy upgrade.
-Disallow hsqldb_tmp_t link_file management
+- Hsqldb policy upgrade: -Remove tmp link_file transition -Add policy summary -Remove redundant parameter for "hsqldb_admin" interface
+- Label /var/run/chrony-helper dir as chronyd_var_run_t.
+- Allow lldpad_t to getattr tmpfs_t. Label /dev/shm/lldpad.* as lldapd_tmpfs_t
+- Fix label on /var/tmp/kiprop_0
+- Add mountpoint dontaudit access check in rhsmcertd policy.
+- Allow pcp_domain to manage pcp_var_lib_t lnk_files.
+- Allow chronyd to execute mkdir command.
+- Allow chronyd_t to read dhcpc state.
+- Label /usr/libexec/chrony-helper as chronyd_exec_t
+- Allow openhpid liboa_soap plugin to read resolv.conf file.
+- Allow openhpid liboa_soap plugin to read generic certs.
+- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
+- Allow logrotate to reload services.
+- Allow apcupsd_t to read /sys/devices
+- Allow kpropd to connect to kropd tcp port.
+- Allow systemd_networkd to send logs to syslog.
+- Added interface fs_dontaudit_write_configfs_dirs
+- Allow audisp client to read system state.
+- Label /var/run/xtables.lock as iptables_var_run_t.
+- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
+- Add interface to read/write watchdog device.
+- Add transition rule for iptables_var_lib_t
+
+* Mon Aug 10 2015 Lukas Vrabec 3.13.1-141
+- Allow chronyd to execute mkdir command.
+- Allow chronyd_t to read dhcpc state.
+- Label /usr/libexec/chrony-helper as chronyd_exec_t
+- Allow openhpid liboa_soap plugin to read resolv.conf file.
+- Allow openhpid liboa_soap plugin to read generic certs.
+- Allow openhpid use libwatchdog plugin. (Allow openhpid_t rw watchdog device)
+- Allow logrotate to reload services.
+- Allow apcupsd_t to read /sys/devices
+- Allow kpropd to connect to kropd tcp port.
+- Allow lsmd also setuid capability. Some commands need to executed under root privs. Other commands are executed under unprivileged user.
+- Allow snapperd to pass data (one way only) via pipe negotiated over dbus.
+- Add snapper_read_inherited_pipe() interface.
+- Add missing ";" in kerberos.te
+- Add support for /var/lib/kdcproxy and label it as krb5kdc_var_lib_t. It needs to be accessible by useradd_t.
+- Add support for /etc/sanlock which is writable by sanlock daemon.
+- Allow mdadm to access /dev/random and add support to create own files/dirs as mdadm_tmpfs_t.
+- Add labels for /dev/memory_bandwith and /dev/vhci. Thanks ssekidde
+- Add interface to read/write watchdog device.
+- Add transition rule for iptables_var_lib_t
+- Allow useradd add homedir located in /var/lib/kdcproxy in ipa-server RPM scriplet.
+- Revert "Allow grubby to manage and create /run/blkid with correct labeling"
+- Allow grubby to manage and create /run/blkid with correct labeling
+- Add fstools_filetrans_named_content_fsadm() and call it for named_filetrans_domain domains. We need to be sure that /run/blkid is created with correct labeling.
+- arping running as netutils_t needs to access /etc/ld.so.cache in MLS.
+- Allow sysadm to execute systemd-sysctl in the sysadm_t domain. It is needed for ifup command in MLS mode.
+- Add systemd_exec_sysctl() and systemd_domtrans_sysctl() interfaces.
+- Allow udev, lvm and fsadm to access systemd-cat in /var/tmp/dracut if 'dracut -fv' is executed in MLS.
+- Allow admin SELinu users to communicate with kernel_t. It is needed to access /run/systemd/journal/stdout if 'dracut -vf' is executed. We allow it for other SELinux users.
+- depmod runs as insmod_t and it needs to manage user tmp files which was allowed for depmod_t. It is needed by dracut command for SELinux restrictive policy (confined users, MLS).
+
+* Wed Aug 05 2015 Miroslav Grepl 3.13.1-140
+- firewalld needs to relabel own config files. BZ(#1250537)
+- Allow rhsmcertd to send signull to unconfined_service
+- Allow lsm_plugin_t to rw raw_fixed_disk.
+- Allow lsm_plugin_t to read sysfs, read hwdata, rw to scsi_generic_device
+- Allow openhpid to use libsnmp_bc plugin (allow read snmp lib files).
+
+* Tue Aug 04 2015 Lukas Vrabec 3.13.1-139
+- Add header for sslh.if file
+- Fix sslh_admin() interface
+- Clean up sslh.if
+- Fix typo in pdns.if
+- Allow qpid to create lnk_files in qpid_var_lib_t.
+- Allow httpd_suexec_t to read and write Apache stream sockets
+- Merge pull request #21 from hogarthj/rawhide-contrib
+- Allow virt_qemu_ga_t domtrans to passwd_t.
+- use read and manage files_patterns and the description for the admin interface
+- Merge pull request #17 from rubenk/pdns-policy
+- Allow redis to read kernel parameters.
+- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500)
+- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343)
+- Allow bumblebee to seng kill signal to xserver
+- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes.
+- Allow drbd to get attributes from filesystems.
+- Allow drbd to read configuration options used when loading modules.
+- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface
+- Added Booleans: pcp_read_generic_logs.
+- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs.
+- Allow glusterd to communicate with cluster domains over stream socket.
+- fix copy paste error with writing the admin interface
+- fix up the regex in sslh.fc, add sslh_admin() interface
+- adding selinux policy files for sslh
+- Remove diplicate sftpd_write_ssh_home boolean rule.
+- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs."
+- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
+- Allow glusterd to manage nfsd and rpcd services.
+- Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode.
+- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp
+- kdbusfs should not be accessible for now.
+- Add support for /sys/fs/kdbus and allow login_pgm domain to access it.
+- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds).
+- Label /usr/sbin/chpasswd as passwd_exec_t.
+- Allow audisp_remote_t to read/write user domain pty.
+- Allow audisp_remote_t to start power unit files domain to allow halt system.
+
+* Mon Jul 20 2015 Lukas Vrabec 3.13.1-138
+- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.
+- Prepare selinux-policy package for SELinux store migration
+- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
+- Allow glusterd to manage nfsd and rpcd services.
+- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs.
+- Add samba_manage_winbind_pid() interface
+- Allow networkmanager to communicate via dbus with systemd_hostanmed.
+- Allow stream connect logrotate to prosody.
+- Add prosody_stream_connect() interface.
+- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
+- Allow prosody to create own tmp files/dirs.
+- Allow keepalived request kernel load module
+- kadmind should not read generic files in /usr
+- Allow kadmind_t access to /etc/krb5.keytab
+- Add more fixes to kerberos.te
+- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
+- Add lsmd_t to nsswitch_domain.
+- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
+- Add fixes to pegasus_openlmi_domain
+- Allow Glance Scrubber to connect to commplex_main port
+- Allow RabbitMQ to connect to amqp port
+- Allow isnsd read access on the file /proc/net/unix
+- Allow qpidd access to /proc//net/psched
+- Allow openshift_initrc_t to communicate with firewalld over dbus.
+- Allow ctdbd_t send signull to samba_unconfined_net_t.
+- Add samba_signull_unconfined_net()
+- Add samba_signull_winbind()
+- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
+- Fix ctdb policy
+- Label /var/db/ as system_db_t.
+
+* Wed Jul 15 2015 Lukas Vrabec 3.13.1-137
+- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
+- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
+
+* Tue Jul 14 2015 Lukas Vrabec 3.13.1-136
+- Add samba_unconfined_script_exec_t to samba_admin header.
+- Add jabberd_lock_t label to jabberd_admin header.
+- Add rpm_var_run_t label to rpm_admin header.
+- Make all interfaces related to openshift_cache_t as deprecated.
+- Remove non exits nfsd_ro_t label.
+- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
+- Fix *_admin intefaces where body is not consistent with header.
+- Allow networkmanager read rfcomm port.
+- Fix nova_domain_template interface, Fix typo bugs in nova policy
+- Create nova sublabels.
+- Merge all nova_* labels under one nova_t.
+- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
+- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
+- Fix label openstack-nova-metadata-api binary file
+- Allow nova_t to bind on geneve tcp port, and all udp ports
+- Label swift-container-reconciler binary as swift_t.
+- Allow glusterd to execute showmount in the showmount domain.
+- Allow NetworkManager_t send signull to dnssec_trigger_t.
+- Add support for openstack-nova-* packages.
+- Allow audisp-remote searching devpts.
+- Label 6080 tcp port as geneve
+
+* Thu Jul 09 2015 Lukas Vrabec 3.13.1-135
+- Update mta_filetrans_named_content() interface to cover more db files.
+- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
+- Allow pcp domains to connect to own process using unix_stream_socket.
+- Typo in abrt.te
+- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
+- Add nagios_domtrans_unconfined_plugins() interface.
+- Add nagios_domtrans_unconfined_plugins() interface.
+- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
+- Add support for oddjob based helper in FreeIPA. BZ(1238165)
+- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
+- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
+- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
+- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
+- nrpe needs kill capability to make gluster moniterd nodes working.
+- Revert "Dontaudit ctbd_t sending signull to smbd_t."
+- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
+- Allow prosody connect to postgresql port.
+- Fix logging_syslogd_run_nagios_plugins calling in logging.te
+- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
+- Add support for oddjob based helper in FreeIPA. BZ(1238165)
+- Add new interfaces
+- Add fs_fusefs_entry_type() interface.
+
+* Thu Jul 02 2015 Lukas Vrabec 3.13.1-134
+- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists.
BZ(1224879)
+- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
+- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
+- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
+- nrpe needs kill capability to make gluster moniterd nodes working.
+- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
+- Allow prosody connect to postgresql port.
+- Add new interfaces
+- Add fs_fusefs_entry_type() interface.
+
+* Tue Jun 30 2015 Lukas Vrabec 3.13.1-133
+- Cleanup permissive domains.
+
+* Mon Jun 29 2015 Lukas Vrabec 3.13.1-132
+- Rename xodbc-connect port to xodbc_connect
+- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
+- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
+- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
+- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
+- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
+- Dontaudit chrome to read passwd file. BZ(1204307)
+- Allow firewalld exec ldconfig. BZ(1232748)
+- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
+- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
+- Allow NetworkManager write to sysfs. BZ(1234086)
+- Fix bogus line in logrotate.fc.
+- Add dontaudit interface for kdumpctl_tmp_t
+- Rename xodbc-connect port to xodbc_connect
+- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
+- Label tcp port 6640 as ovsdb port. BZ (1179809)
+
+* Tue Jun 23 2015 Lukas Vrabec 3.13.1-131
+- Allow NetworkManager write to sysfs. BZ(1234086)
+- Fix bogus line in logrotate.fc.
+- Add dontaudit interface for kdumpctl_tmp_t
+- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
+- Add postgresql support for systemd unit files.
+- Fix missing bracket
+- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
+- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
+
+* Thu Jun 18 2015 Miroslav Grepl 3.13.1-130
+- Allow glusterd to interact with gluster tools running in a user domain
+- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
+- Call rpm_transition_script() from rpm_run() interface.
+- Allow radvd has setuid and it requires dac_override. BZ(1224403)
+- Add glusterd_manage_lib_files() interface.
+- Allow samba_t net_admin capability to make CIFS mount working.
+- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
+- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
+- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
+- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
+- Allow nagios to generate charts.
+- Allow glusterd to send generic signals to systemd_passwd_agent processes.
+- Allow glusterd to run init scripts.
+- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
+- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
+- Allow samba-net to access /var/lib/ctdbd dirs/files.
+- Allow glusterd to send a signal to smbd.
+- Make ctdbd as home manager to access also FUSE.
+- Allow glusterd to use geo-replication gluster tool.
+- Allow glusterd to execute ssh-keygen.
+- Allow glusterd to interact with cluster services.
+- Add rhcs_dbus_chat_cluster()
+- systemd-logind accesses /dev/shm. BZ(1230443)
+- Label gluster python hooks also as bin_t.
+- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
+- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
+
+* Tue Jun 09 2015 Miroslav Grepl 3.13.1-129
+- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)
+
+* Tue Jun 09 2015 Miroslav Grepl 3.13.1-128
+- Add ipsec_rw_inherited_pipes() interface.
+- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket.
+- Label /usr/libexec/Xorg.wrap as xserver_exec_t.
+- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
+- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
+- Remove optional else block for dhcp ping (needed by CIL)
+- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
+- Access required to run with unconfine.pp disabled
+- Fix selinux_search_fs() interface.
+- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists.
+- Add seutil_search_config() interface.
+- Make ssh-keygen as nsswitch domain to access SSSD.
+- Label ctdb events scripts as bin_t.
+- Add support for /usr/sbin/lvmpolld.
+- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.
+- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules.
+- Allow login_pgm domains to access kernel keyring for nsswitch domains.
+- Allow hypervkvp to read /dev/urandom and read addition states/config files.
+- Add cgdcbxd policy.
+- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
+- Add labeling for pacemaker.log.
+- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
+- Allow lsmd plugin to connect to tcp/5989 by default.
+- Allow lsmd plugin to connect to tcp/5988 by default.
+- Allow setuid/setgid for selinux_child.
+- Allow radiusd to connect to radsec ports.
+- ALlow bind to read/write inherited ipsec pipes.
+- Allow fowner capability for sssd because of selinux_child handling.
+- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
+- Allow cluster domain to dbus chat with systemd-logind.
+- Allow tmpreaper_t to manage ntp log content
+- Allow openvswitch_t to communicate with sssd.
+- Allow isnsd_t to communicate with sssd.
+- Allow rwho_t to communicate with sssd.
+- Allow pkcs_slotd_t to communicate with sssd.
+- Add httpd_var_lib_t label for roundcubemail
+- Allow puppetagent_t to transfer firewalld messages over dbus.
+- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
+- Update rules related to glusterd_brick_t.
+- Allow glusterd to execute lvm tools in the lvm_t target domain.
+- Allow glusterd to execute xfs_growfs in the target domain.
+- Allow sysctl to have running under hypervkvp_t domain.
+- Allow smartdnotify to use user terminals.
+- Allow pcp domains to create root.socket in /var/lip/pcp directroy.
+- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain.
+- Allow rpcbind to create rpcbind.xdr as a temporary file.
+- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings.
+- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag.
+- rsync server can be setup to send mail
+- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again.
+- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
+- Fix samba_load_libgfapi decl in samba.te.
+- Fix typo in nagios_run_sudo() boolean.
+- remove duplicate declaration from hypervkvp.te.
+- Move ctdd_domtrans() from ctdbd to gluster.
+- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
+- Glusterd wants to manage samba config files if they are setup together.
+- ALlow NM to do access check on /sys.
+- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
+- Allow NetworkManager nm-dispacher to read links.
+- Allow gluster hooks scripts to transition to ctdbd_t.
+- Allow glusterd to read/write samba config files.
+- Update mysqld rules related to mysqld log files.
+- Add fixes for hypervkvp realed to ifdown/ifup scripts.
+- Update netlink_route_socket for ptp4l.
+- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
+- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
+- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
+- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
+- Allow glusterd to read /dev/random.
+- Update nagios_run_sudo boolean to allow run chkpwd.
+- Allow docker and container tools to control caps, don't rely on SELinux for now. Since there is no easy way for SELinux modification of policy as far as caps. docker run --cap-add will work now
+- Allow sosreport to dbus chat with NM.
+- Allow anaconda to run iscsid in own domain. BZ(1220948).
+- Allow rhsmcetd to use the ypbind service to access NIS services.
+- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
+- Allow ctdb to create rawip socket.
+- Allow ctdbd to bind smbd port.
+- Make ctdbd as userdom_home_reader.
+- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
+- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
+- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
+- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
+- Add glusterd_filetrans_named_pid() interface.
+- Allow antivirus_t to read system state info.
+- Dontaudit use console for chrome-sandbox.
+- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot.
+- Clamd needs to have fsetid capability.
+- Allow cinder-backup to dbus chat with systemd-logind.
+- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
+- Allow gssd to access kernel keyring for login_pgm domains.
+- Add more fixes related to timemaster+ntp+ptp4l.
+- Allow docker sandbox domains to search all mountpoiunts
+- update winbind_t rules to allow IPC for winbind.
+- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
+- Allow inet_gethost called by couchdb to access /proc/net/unix.
+- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so
+- Label /usr/bin/yum-deprecated as rpm_exec_t.
+
+* Tue May 05 2015 Lukas Vrabec 3.13.1-127
+- Add missing typealiases in apache_content_template() for script domain/executable.
+- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
+- Add support for new cobbler dir locations:
+- Add support for iprdbg logging files in /var/log.
+- Add relabel_user_home_dirs for use by docker_t
+
+* Thu Apr 30 2015 Lukas Vrabec 3.13.1-126
+- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
+- Add nagios_read_lib() interface.
+- Additional fix for mongod_unit_file_t in mongodb.te.
+- Fix decl of mongod_unit_file to mongod_unit_file_t.
+- Fix mongodb unit file declaration.
+- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
+- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
+- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
+- Allow sys_ptrace cap for sblim-gatherd caused by ps.
+- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
+- Add support for mongod/mongos systemd unit files.
+- Allow dnssec-trigger to send sigchld to networkmanager
+- add interface networkmanager_sigchld
+- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
+- Remove duplicate specification for /etc/localtime.
+- Add default labeling for /etc/localtime symlink.
+
+* Mon Apr 20 2015 Lukas Vrabec 3.13.1-125
+- Define ipa_var_run_t type
+- Allow certmonger to manage renewal.lock. BZ(1213256)
+- Add ipa_manage_pid_files interface.
+- Add rules for netlink_socket in iotop.
+- Allow iotop netlink socket.
+- cloudinit and rhsmcertd need to communicate with dbus
+- Allow apcupsd to use USBttys. BZ(1210960)
+- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
+- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
+- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
+
+* Wed Apr 15 2015 Lukas Vrabec 3.13.1-124
+- Add more restriction on entrypoint for unconfined domains.
+
+* Tue Apr 14 2015 Lukas Vrabec 3.13.1-123
+- Allow abrtd to list home config. BZ(1199658)
+- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
+- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
+- Allow mock_t to use ptmx. BZ(1181333)
+- Allow dnssec_trigger_t to stream connect to networkmanager.
+- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
+- Fix labeling for keystone CGI scripts.
+
+* Tue Apr 07 2015 Lukas Vrabec 3.13.1-122
+- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
+- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
+- Allow mongod to work with configured SSSD.
+- Add collectd net_raw capability. BZ(1194169)
+- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
+- Allow dhcpd kill capability.
+- Make rwhod as nsswitch domain.
+- Add support for new fence agent fence_mpath which is executed by fence_node.
+- Fix cloudform policy.(m4 is case sensitive)
+- Allow networkmanager and cloud_init_t to dbus chat
+- Allow lsmd plugin to run with configured SSSD.
+- Allow bacula access to tape devices.
+- Allow sblim domain to read sysctls..
+- Allow timemaster send a signal to ntpd.
+- Allow mysqld_t to use pam.It is needed by MariDB if auth_apm.so auth plugin is used.
+- two 'l' is enough.
+- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
+- Allow polkit to dbus chat with xserver. (1207478)
+- Add lvm_stream_connect() interface.
+- Set label of /sys/kernel/debug
+
+* Mon Mar 30 2015 Lukas Vrabec 3.13.1-121
+- Allow kmscon to read system state. BZ (1206871)
+- Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
+- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
+
+* Mon Mar 23 2015 Lukas Vrabec 3.13.1-120
+- Allow mysqld_t to use pam. BZ(1196104)
+- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
+- Allow fetchmail to read mail_spool_t. BZ(1200552)
+- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
+- Allow all domains some process flags.
+- Merge branch 'rawhide-base' of github.com:selinux-policy/selinux-policy into rawhide-base
+- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide. Eventually will need this in RHEL
+
+* Wed Mar 18 2015 Lukas Vrabec 3.13.1-119
+- build without docker
+
+* Mon Mar 16 2015 Lukas Vrabec 3.13.1-118
+- docker watches for content in the /etc directory
+- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
+- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
+- Allow docker to communicate with openvswitch
+- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
+- Allow docker to relablefrom/to sockets and docker_log_t
+- Allow journald to set loginuid. BZ(1190498)
+- Add cap. sys_admin for passwd_t.
BZ(1185191)
+- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
+
+* Mon Mar 09 2015 Lukas Vrabec 3.13.1-117
+- Allow spamc read spamd_etc_t files. BZ(1199339).
+- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
+- Allow abrt_watch_log_t read passwd file. BZ(1197396)
+- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
+- Allow cups to read colord_var_lib_t files. BZ(1199765)
+
+* Fri Mar 06 2015 Lukas Vrabec 3.13.1-116
+- Turn on rolekit in F23
+
+* Thu Mar 05 2015 Lukas Vrabec 3.13.1-115
+- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
+- Add gluster_exec_lib interface.
+- Allow l2tpd to manage NetworkManager pid files
+- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327)
+- Allow cyrus bind tcp berknet port. BZ(1198347)
+- Add nsswitch domain for more serviecs.
+- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
+- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
+- Make munin yum plugin as unconfined by default.
+- Allow bitlbee connections to the system DBUS.
+- Allow system apache scripts to send log messages.
+- Allow denyhosts execute iptables. BZ(1197371)
+- Allow brltty rw event device. BZ(1190349)
+- Allow cupsd config to execute ldconfig. BZ(1196608)
+- xdm_t now needs to manage user ttys
+- Allow ping_t read urand. BZ(1181831)
+- Add support for tcp/2005 port.
+- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
+- In F23 we are running xserver as the user, need this to allow confined users to us X
+
+* Wed Feb 25 2015 Lukas Vrabec 3.13.1-114
+- Fix source filepath for moving html files.
+
+* Mon Feb 23 2015 Lukas Vrabec 3.13.1-113
+- Xserver needs to be transitioned to from confined users
+- Added logging_syslogd_pid_filetrans
+- xdm_t now talks to hostnamed
+- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service.
BZ(1193102)
+- Additional fix for labeleling /dev/log correctly.
+- cups chats with network manager
+- Allow parent domains to read/write fifo files in mozilla plugin
+- Allow spc_t to transition to svirt domains
+- Cleanup spc_t
+- docker needs more control over spc_t
+- pcp domains are executed out of cron
+
+* Mon Feb 16 2015 Lukas Vrabec 3.13.1-112
+- Allow audisp to connect to system DBUS for service.
+- Label /dev/log correctly.
+- Add interface init_read_var_lib_files().
+- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
+
+* Tue Feb 10 2015 Lukas Vrabec 3.13.1-111
+- Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
+- Remove automatcically running filetrans_named_content form sysnet_manage_config
+- Allow syslogd/journal to read netlink audit socket
+- Allow brltty ioctl on usb_device_t. BZ(1190349)
+- Make sure NetworkManager configures resolv.conf correctly
+
+* Thu Feb 05 2015 Lukas Vrabec 3.13.1-110
+- Allow cockpit_session_t to create tmp files
+- apmd needs sys_resource when shutting down the machine
+- Fix path label to resolv.conf under NetworkManager
+
+* Wed Feb 04 2015 Lukas Vrabec 3.13.1-109
+- Allow search all pid dirs when managing net_conf_t files.
+
+* Wed Feb 04 2015 Lukas Vrabec 3.13.1-108
+- Fix labels, improve sysnet_manage_config interface.
+- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
+- Dontaudit network connections related to thumb_t.
BZ(1187981)
+- Remove sysnet_filetrans_named_content from fail2ban
+
+* Mon Feb 02 2015 Lukas Vrabec 3.13.1-107
+- Fix labels on new location of resolv.conf
+- syslog is not writing to the audit socket
+- seunshare is doing getattr on unix_stream_sockets leaked into it
+- Allow sshd_t to manage gssd keyring
+- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
+- Posgresql listens on port 9898 when running PCP (pgpool Control Port)
+- Allow svirt sandbox domains to read /proc/mtrr
+- Allow polipo_deamon connect to all ephemeral ports. BZ(1187723)
+- Allow dovecot domains to use sys_resouce
+- Allow sshd_t to manage gssd keyring
+- gpg_pinentry_t needs more access in f22
+
+* Thu Jan 29 2015 Lukas Vrabec 3.13.1-106
+- Allow docker to attach to the sandbox and user domains tun devices
+- Allow pingd to read /dev/urandom. BZ(1181831)
+- Allow virtd to list all mountpoints
+- Allow sblim-sfcb to search images
+- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
+- Call correct macro in virt_read_content().
+- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
+- Allow docker_t to changes it rlimit
+- Allow neutron to read rpm DB.
+- Allow radius to connect/bind radsec ports
+- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
+- Add devicekit_read_log_files().
+- Allow virt_qemu_ga to dbus chat with rpm.
+- Allow netutils chown capability to make tcpdump working with -w.
+- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
+- journald now reads the netlink audit socket
+- Add auditing support for ipsec.
+
+* Thu Jan 29 2015 Lukas Vrabec 3.13.1-105
+- Bump release
+
+* Thu Jan 15 2015 Lukas Vrabec 3.13.1-104
+- remove duplicate filename transition rules.
+- Call proper interface in sosreport.te.
+- Allow fetchmail to manage its keyring
+- Allow mail munin to create udp_sockets
+- Allow couchdb to sendto kernel unix domain sockets
+
+* Sat Jan 3 2015 Dan Walsh 3.13.1-103
+- Add /etc/selinux/targeted/contexts/openssh_contexts
+
+* Mon Dec 15 2014 Lukas Vrabec 3.13.1-101
+- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
+- Allow virt_qemu_ga_t to execute kmod.
+- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean
+- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.
+- Add support for /usr/share/vdsm/daemonAdapter.
+- Docker has a new config/key file it writes to /etc/docker
+- Allow bacula to connect also to postgresql.
+
+* Thu Dec 11 2014 Lukas Vrabec 3.13.1-100
+- Allow admin SELinux users mounting / as private within a new mount namespace as root in MLS.
+- Fix miscfiles_manage_generic_cert_files() to allow manage link files
+- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
+- Add support for /var/run/gluster.
+- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
+
+* Tue Dec 02 2014 Lukas Vrabec 3.13.1-99
+- Add files_dontaudit_list_security_dirs() interface.
+- Added seutil_dontaudit_access_check_semanage_module_store interface.
+- Allow docker to create /root/.docker
+- Allow rlogind to use also rlogin ports
+- dontaudit list security dirs for samba domain
+- Dontaudit couchdb to list /var
+
+* Sat Nov 29 2014 Lukas Vrabec 3.13.1-98
+- Update to have all _systemctl() interface also init_reload_services()
+- Dontaudit access check on SELinux module store for sssd.
+- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
+
+* Fri Nov 28 2014 Lukas Vrabec 3.13.1-97
+- Allow reading of symlinks in /etc/puppet
+- Added TAGS to gitignore
+- I guess there can be content under /var/lib/lockdown #1167502
+- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
+- Allow keystone to send a generic signal to own process.
+- Allow radius to bind tcp/1812 radius port.
+- Dontaudit list user_tmp files for system_mail_t
+- label virt-who as virtd_exec_t
+- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
+- Add virt_signull() interface
+- Add missing alias for _content_rw_t
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Allow spamd to access razor-agent.log
+- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
+- Allow .snapshots to be created in other directories, on all mountpoints
+- Label tcp port 5280 as ejabberd port. BZ(1059930)
+- Make /usr/bin/vncserver running as unconfined_service_t
+- Label /etc/docker/certs.d as cert_t
+- Allow all systemd domains to search file systems
+
+* Thu Nov 20 2014 Lukas Vrabec 3.13.1-96
+- Allow NetworkManager stream connect on openvpn. BZ(1165110)
+
+* Wed Nov 19 2014 Lukas Vrabec 3.13.1-95
+- Allow networkmanager manage also openvpn sock pid files.
+
+* Wed Nov 19 2014 Lukas Vrabec 3.13.1-94
+- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
+- Allow sendmail to create dead.letter. BZ(1165443)
+- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
+- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
+- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
+- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
+
+* Fri Nov 14 2014 Lukas Vrabec 3.13.1-93
+- Allow bumblebee to use nsswitch. BZ(1155339)
+- Allow openvpn to stream connect to networkmanager. BZ(1164182)
+- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
+- Allow cpuplug rw virtual memory sysctl.
BZ (1077831)
+- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
+
+* Mon Nov 10 2014 Lukas Vrabec 3.13.1-92
+- Add kdump_rw_inherited_kdumpctl_tmp_pipes()
+- Added fixes related to linuxptp. BZ (1149693)
+- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424
+- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
+- Fix seutil_dontaudit_access_check_load_policy()
+- Add dontaudit interfaces for audit_access in seutil
+- Label /etc/strongimcv as ipsec_conf_file_t.
+
+* Fri Nov 07 2014 Lukas Vrabec 3.13.1-91
+- Added interface userdom_dontaudit_manage_user_home_dirs
+- Fix unconfined_server_dbus_chat() interface.
+- Add unconfined_server_dbus_chat() inteface.
+- Allow login domains to create kernel keyring with different level.
+- Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
+- Make tuned as unconfined domain.
+- Added support for linuxptp policy. BZ(1149693)
+- make zoneminder as dbus client by default.
+- Allow bluetooth read/write uhid devices. BZ (1161169)
+- Add fixes for hypervkvp daemon
+- Allow guest to connect to libvirt using unix_stream_socket.
+- Allow all bus client domains to dbus chat with unconfined_service_t.
+- Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
+- Make opensm as nsswitch domain to make it working with sssd.
+- Allow brctl to read meminfo.
+- Allow winbind-helper to execute ntlm_auth in the caller domain.
+- Make plymouthd as nsswitch domain to make it working with sssd.
+- Make drbd as nsswitch domain to make it working with sssd.
+- Make conman as nsswitch domain to make ipmitool.exp runing as conman_t working.
+- Add support for /var/lib/sntp directory.
+
+* Mon Nov 03 2014 Lukas Vrabec 3.13.1-90
+- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
+- Add 15672 as amqp_port_t
+- Allow wine domains to read user homedir content
+- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
+- Allow winbind to read usermodehelper
+- Allow telepathy domains to execute shells and bin_t
+- Allow gpgdomains to create netlink_kobject_uevent_sockets
+- Allow abrt to read software raid state. BZ (1157770)
+- Fix rhcs_signull_haproxy() interface.
+- Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
+- Allow snapperd to dbus chat with system cron jobs.
+- Allow nslcd to read /dev/urandom.
+- Allow dovecot to create user's home directory when they log into IMAP.
+- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
+- Allow wine domains to read user homedir content
+- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
+
+* Wed Oct 29 2014 Lukas Vrabec 3.13.1-89
+- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
+- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
+- Allow rabbitmq to read nfs state data. BZ(1122412)
+- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
+- Add rolekit policy
+- ALlow rolekit domtrans to sssd_t.
+- Add kerberos_tmp_filetrans_kadmin() interface.
+- rolekit should be noaudit.
+- Add rolekit_manage_keys().
+- Need to label rpmnew file correctly
+- Allow modemmanger to connectto itself
+
+* Tue Oct 21 2014 Lukas Vrabec 3.13.1-88
+- Allow couchdb read sysctl_fs_t files. BZ(1154327)
+- Allow osad to connect to jabber client port. BZ (1154242)
+- Allow mon_statd to send syslog msgs. BZ (1077821
+- Allow apcupsd to get attributes of filesystems with xattrs
+
+* Fri Oct 17 2014 Miroslav Grepl 3.13.1-87
+- Allow systemd-networkd to be running as dhcp client.
+- Label /usr/bin/cockpit-bridge as shell_exec_t.
+- Add label for /var/run/systemd/resolve/resolv.conf.
+- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
+- Allow systemd-networkd to be running as dhcp client.
+- Label /usr/bin/cockpit-bridge as shell_exec_t.
+- Add label for /var/run/systemd/resolve/resolv.conf.
+- ALlow listen and accept on tcp socket for init_t in MLS. Previously it was for xinetd_t.
+
+* Tue Oct 14 2014 Lukas Vrabec 3.13.1-86
+- Dontaudit aicuu to search home config dir. BZ (#1104076)
+- couchdb is using erlang so it needs execmem privs
+- ALlow sanlock to send a signal to virtd_t.
+- Allow mondogdb to 'accept' accesses on the tcp_socket port.
+- Make sosreport as unconfined domain.
+- Allow nova-console to connect to mem_cache port.
+- Allow mandb to getattr on file systems
+- Allow read antivirus domain all kernel sysctls.
+- Allow lmsd_plugin to read passwd file. BZ(1093733)
+- Label /usr/share/corosync/corosync as cluster_exec_t.
+- ALlow sensord to getattr on sysfs.
+- automount policy is non-base module so it needs to be called in optional block.
+- Add auth_use_nsswitch for portreserve to make it working with sssd.
+- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
+- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd.
+- Allow openvpn to access /sys/fs/cgroup dir.
+- Allow nova-scheduler to read certs
+- Add support for /var/lib/swiftdirectory.
+- Allow neutron connections to system dbus.
+- Allow mongodb to manage own log files.
+- Allow opensm_t to read/write /dev/infiniband/umad1.
+- Added policy for mon_statd and mon_procd services. BZ (1077821)
+- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
+- Allow dnssec_trigger_t to execute unbound-control in own domain.
+- Allow all RHCS services to read system state.
+- Added monitor device
+- Add interfaces for /dev/infiniband
+- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
+- Add files_dontaudit_search_security_files()
+- Add selinuxuser_udp_server boolean
+- ALlow syslogd_t to create /var/log/cron with correct labeling
+- Add support for /etc/.updated and /var/.updated
+- Allow iptables read fail2ban logs. BZ (1147709)
+- ALlow ldconfig to read proc//net/sockstat.
+
+* Mon Oct 06 2014 Lukas Vrabec 3.13.1-85
+- Allow nova domains to getattr on all filesystems.
+- ALlow zebra for user/group look-ups.
+- Allow lsmd to search own plguins.
+- Allow sssd to read selinux config to add SELinux user mapping.
+- Allow swift to connect to all ephemeral ports by default.
+- Allow NetworkManager to create Bluetooth SDP sockets
+- Allow keepalived manage snmp var lib sock files. BZ(1102228)
+- Added policy for blrtty. BZ(1083162)
+- Allow rhsmcertd manage rpm db. BZ(#1134173)
+- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173)
+- Label /usr/libexec/rhsmd as rhsmcertd_exec_t
+- Fix broken interfaces
+- Added sendmail_domtrans_unconfined interface
+- Added support for cpuplug. BZ (#1077831)
+- Fix bug in drbd policy, BZ (#1134883)
+- Make keystone_cgi_script_t domain. BZ (#1138424)
+- fix dev_getattr_generic_usb_dev interface
+- Label 4101 tcp port as brlp port
+- Allow libreswan to connect to VPN via NM-libreswan.
+- Add userdom_manage_user_tmpfs_files interface
+
+* Tue Sep 30 2014 Lukas Vrabec 3.13.1-84
+- Allow all domains to read fonts
+- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
+- Allow pki-tomcat to change SELinux object identity.
+- Allow radious to connect to apache ports to do OCSP check
+- Allow git cgi scripts to create content in /tmp
+- Allow cockpit-session to do GSSAPI logins.
+
+* Mon Sep 22 2014 Lukas Vrabec 3.13.1-83
+- Make sure /run/systemd/generator and system is labeled correctly on creation.
+- Additional access required by usbmuxd
+- Allow sensord read in /proc BZ(#1143799)
+
+* Thu Sep 18 2014 Miroslav Grepl 3.13.1-82
+- Allow du running in logwatch_t read hwdata.
+- Allow sys_admin capability for antivirus domians.
+- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
+- Add support for pnp4nagios.
+- Add missing labeling for /var/lib/cockpit.
+- Label resolv.conf as docker_share_t under docker so we can read within a container
+- Remove labeling for rabbitmqctl
+- setfscreate in pki.te is not capability class.
+- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
+- Allow wine domains to create cache dirs.
+- Allow newaliases to systemd inhibit pipes.
+- Add fixes for pki-tomcat scriptlet handling.
+- Allow user domains to manage all gnome home content
+- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
+- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
+
+* Thu Sep 11 2014 Lukas Vrabec 3.13.1-81
+- Label /usr/lib/erlang/erts.*/bin files as bin_t
+- Added changes related to rabbitmq daemon.
+- Fix labeling in couchdb policy
+- Allow rabbitmq bind on epmd port
+- Clean up rabbitmq policy
+- fix domtrans_rabbitmq interface
+- Added rabbitmq_beam_t and rabbitmq_epmd_t alias
+- Allow couchdb to getattr
+- Allow couchdb write to couchdb_conf files
+- Allow couchdb to create dgram_sockets
+- Added support for ejabberd
+
+* Wed Sep 10 2014 Lukas Vrabec 3.13.1-80
+- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
+- Since docker will now label volumes we can tighten the security of docker
+
+* Wed Sep 10 2014 Lukas Vrabec 3.13.1-79
+- Re-arange openshift_net_read_t rules.
+- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide
+- Allow jockey_t to use tmpfs files
+- Allow pppd to create sock_files in /var/run
+- Allow geoclue to stream connect to smart card service
+- Allow docker to read all of /proc
+- ALlow passeneger to read/write apache stream socket.
+- Dontaudit read init state for svirt_t.
+- Label /usr/sbin/unbound-control as named_exec_t (#1130510)
+- Add support for /var/lbi/cockpit directory.
+- Add support for ~/. speech-dispatcher.
+- Allow nmbd to read /proc/sys/kernel/core_pattern.
+- aLlow wine domains to create wine_home symlinks.
+- Allow policykit_auth_t access check and read usr config files.
+- Dontaudit access check on home_root_t for policykit-auth.
+- hv_vss_daemon wants to list /boot
+- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent
+- Fix label for /usr/bin/courier/bin/sendmail
+- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain.
+- Allow unconfined_r to access unconfined_service_t.
+- Add label for ~/.local/share/fonts
+- Add init_dontaudit_read_state() interface.
+- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it.
+- Allow udev_t mounton udev_var_run_t dirs #(1128618)
+- Add files_dontaudit_access_check_home_dir() inteface.
+
+* Tue Sep 02 2014 Lukas Vrabec 3.13.1-78
+- Allow unconfined_service_t to dbus chat with all dbus domains
+- Assign rabbitmq port. BZ#1135523
+- Add new interface to allow creation of file with lib_t type
+- Allow init to read all config files
+- We want to remove openshift_t domains ability to look at /proc/net
+- I guess lockdown is a file not a directory
+- Label /var/bacula/ as bacula_store_t
+- Allow rhsmcertd to seng signull to sosreport.
+- Allow sending of snmp trap messages by radiusd.
+- remove redundant rule fron nova.te.
+- Add auth_use_nsswitch() for ctdbd.
+- call nova_vncproxy_t instead of vncproxy.
+- Allow nova-vncproxy to use varnishd port.
+- Fix rhnsd_manage_config() to allow manage also symlinks.
+- Allow bacula to create dirs/files in /tmp
+- Allow nova-api to use nsswitch.
+- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface.
+- Allow usbmuxd connect to itself by stream socket. (#1135945)
+- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft
+- Allow nswrapper_32_64.nppdf.so to be created with the proper label
+- Assign rabbitmq port. BZ#1135523
+- Dontaudit leaks of file descriptors from domains that transition to thumb_t
+- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource
+- Allow unconfined_service_t to dbus chat with all dbus domains
+- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way)
+- Allow avahi_t communicate with pcp_pmproxy_t over dbus.
+
+* Thu Aug 28 2014 Lukas Vrabec 3.13.1-77
+- Allow aide to read random number generator
+- Allow pppd to connect to http port. (#1128947)
+- sssd needs to be able write krb5.conf.
+- Labeli initial-setup as install_exec_t.
+- Allow domains to are allowed to mounton proc to mount on files as well as dirs
+
+* Tue Aug 26 2014 Lukas Vrabec 3.13.1-76
+- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
+- Add a port definition for shellinaboxd
+- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
+- Allow thumb_t to read/write video devices
+- fail2ban 0.9 reads the journal by default.
+- Allow sandbox net domains to bind to rawip socket
+
+* Fri Aug 22 2014 Lukas Vrabec 3.13.1-75
+- Allow haproxy to read /dev/random and /dev/urandom.
+- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.
+- geoclue needs to connect to http and http_cache ports
+- Allow passenger to use unix_stream_sockets leaked into it, from httpd
+- Add SELinux policy for highly-available key value store for shared configuration.
+- drbd executes modinfo.
+- Add glance_api_can_network boolean since glance-api uses huge range port.
+- Fix glance_api_can_network() definition.
+- Allow smoltclient to connect on http_cache port. (#982199)
+- Allow userdomains to stream connect to pcscd for smart cards
+- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)
+- Added MLS fixes to support labeled socket activation which is going to be done by systemd
+- Add kernel_signull() interface.
+- sulogin_t executes plymouth commands
+- lvm needs to be able to accept connections on stream generic sockets
+
+* Thu Aug 21 2014 Kevin Fenzi - 3.13.1-74
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Lukas Vrabec 3.13.1-73
+- Allow ssytemd_logind_t to list tmpfs directories
+- Allow lvm_t to create undefined sockets
+- Allow passwd_t to read/write stream sockets
+- Allow docker lots more access.
+- Fix label for ports
+- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
+- Label tcp port 4194 as kubernetes port.
+- Additional access required for passenger_t
+- sandbox domains should be allowed to use libraries which require execmod
+- Allow qpid to read passwd files BZ (#1130086)
+- Remove cockpit port, it is now going to use websm port
+- Add getattr to the list of access to dontaudit on unix_stream_sockets
+- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
+
+* Tue Aug 12 2014 Lukas Vrabec 3.13.1-72
+- docker needs to be able to look at everything in /dev
+- Allow all processes to send themselves signals
+- Allow sysadm_t to create netlink_tcpdiag socket
+- sysadm_t should be allowed to communicate with networkmanager
+- These are required for bluejeans to work on a unconfined.pp disabled machine
+- docker needs setfcap
+- Allow svirt domains to manage chr files and blk files for mknod commands
+- Allow fail2ban to read audit logs
+- Allow cachefilesd_t to send itself signals
+- Allow smokeping cgi script to send syslog messages
+- Allow svirt sandbox domains to relabel content
+- Since apache content can be placed anywhere, we should just allow apache to search through any directory
+- These are required for bluejeans to work on a unconfined.pp disabled machin
+
+* Mon Aug 4 2014 Miroslav Grepl 3.13.1-71
+- shell_exec_t should not be in cockip.fc
+
+* Mon Aug 4 2014 Miroslav Grepl 3.13.1-70
+- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
+- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
+- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
+- Dontaudit write access on generic cert files. We don't audit also access check.
+- Add support for arptables.
+- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
+
+* Mon Aug 4 2014 Tom Callaway 3.13.1-69
+- fix license handling
+
+* Thu Jul 31 2014 Miroslav Grepl 3.13.1-68
+- Add new mozilla_plugin_bind_unreserved_ports boolean to allow mozilla plugin to use tcp/udp unreserved ports. There is a lot of plugins which binds ports without SELinux port type. We want to allow users to use these plugins properly using this boolean. (#1109681)
+- Allow smokeping cgi scripts to accept connection on httpd stream socket.
+- docker does a getattr on all file systems
+- Label all abort-dump programs
+- Allow alsa to create lock file to see if it fixes.
+- Add support for zabbix external scripts for which zabbix_script_t domain has been created. This domain is unconfined by default and user needs to run "semodule -d unconfined" to make system running without unconfined domains. The default location of these scripts is /usr/lib/zabbix/externalscripts. If a user change DATADIR in CONFIG_EXTERNALSCRIPTS then he needs to set labeling for this new location.
+- Add interface for journalctl_exec
+- Add labels also for glusterd sockets.
+- Change virt.te to match default docker capabilies
+- Add additional booleans for turning on mknod or all caps.
+- Also add interface to allow users to write policy that matches docker defaults
+- for capabilies.
+- Label dhcpd6 unit file.
+- Add support also for dhcp IPv6 services.
+- Added support for dhcrelay service
+- Additional access for bluejeans
+- docker needs more access, need back port to RHEL7
+- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
+- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
+- Allow bacula manage bacula_log_t dirs
+- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
+- Fix mistakes keystone and quantum
+- Label neutron var run dir
+- Label keystone var run dir
+- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
+- Dontaudit attempts to access check cert dirs/files for sssd.
+- Allow sensord to send a signal.
+- Allow certmonger to stream connect to dirsrv to make ipa-server-install working.
+- Label zabbix_var_lib_t directories
+- Label conmans pid file as conman_var_run_t
+- Label also /var/run/glusterd.socket file as gluster_var_run_t
+- Fix policy for pkcsslotd from opencryptoki
+- Update cockpik policy from cockpit usptream.
+- Allow certmonger to exec ldconfig to make ipa-server-install working.
+- Added support for Naemon policy
+- Allow keepalived manage snmp files
+- Add setpgid process to mip6d
+- remove duplicate rule
+- Allow postfix_smtpd to stream connect to antivirus
+- Dontaudit list /tmp for icecast
+- Allow zabbix domains to access /proc//net/dev.
+
+* Wed Jul 23 2014 Lukas Vrabec 3.13.1-67
+- Allow zabbix domains to access /proc//net/dev.
+- Dontaudit list /tmp for icecast (#894387)
+- Allow postfix_smtpd to stream connect to antivirus (#1105889)
+- Add setpgid process to mip6d
+- Allow keepalived manage snmp files(#1053450)
+- Added support for Naemon policy (#1120789).
+- Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110)
+- Update cockpik policy from cockpit usptream.
+
+* Mon Jul 21 2014 Miroslav Grepl 3.13.1-66
+- Revert labeling back to /var/run/systemd/initctl/fifo
+- geoclue dbus chats with modemmanger
+- Bluejeans wants to connect to port 5000
+- geoclue dbus chats with modemmange
+
+* Fri Jul 18 2014 Lukas Vrabec 3.13.1-65
+- Allow sysadm to dbus chat with systemd
+- Add logging_dontaudit_search_audit_logs()
+- Add new files_read_all_mountpoint_symlinks()
+- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
+- Allow ndc to read random and urandom device (#1110397)
+- Allow zabbix to read system network state
+- Allow fprintd to execute usr_t/bin_t
+- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t
+- Add glance_use_execmem boolean to have glance configured to use Ceph/rbd
+- Dontaudit search audit logs for fail2ban
+- Allow mailserver_domain domains to create mail home content with right labeling
+- Dontaudit svirt_sandbox_domain doing access checks on /proc
+- Fix files_pid_filetrans() calling in nut.te to reflect allow rules.
+- Use nut_domain attribute for files_pid_filetrans() for nut domains.
+- Allow sandbox domains read all mountpoint symlinks to make symlinked homedirs
+- Fix nut domains only have type transition on dirs in /run/nut directory.
+- Allow net_admin/net_raw capabilities for haproxy_t. haproxy uses setsockopt()
+- Clean up osad policy. Remove additional interfaces/rules
+
+* Mon Jul 14 2014 Lukas Vrabec 3.13.1-64
+- Allow systemd domains to check lvm status
+- Allow getty to execute plymouth.#1112870
+- Allow sshd to send signal to chkpwd_t
+- initrctl fifo file has been renamed
+- Set proper labeling on /var/run/sddm
+- Fix labeling for cloud-init logs
+- Allow kexec to read kallsyms
+- Add rhcs_stream_connect_haproxy interface, Allow neutron stream connect to rhcs
+- Add fsetid caps for mandb. #1116165
+- Allow all nut domains to read /dev/(u)?random.
+- Allow deltacloudd_t to read network state BZ #1116940
+- Add support for KVM virtual machines to use NUMA pre-placement
+- Allow utilize winbind for authentication to AD
+- Allow chrome sandbox to use udp_sockets leaked in by its parent
+- Allow gfs_controld_t to getattr on all file systems
+- Allow logrotate to manage virt_cache
+- varnishd needs to have fsetid capability
+- Allow dovecot domains to send signal perms to themselves
+- Allow apache to manage pid sock files
+- Allow nut_upsmon_t to create sock_file in /run dir
+- Add capability sys_ptrace to stapserver
+- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof
+- Added support for vdsm
+
+* Fri Jul 4 2014 Miroslav Grepl 3.13.1-63
+- If I can create a socket I need to be able to set the attributes
+- Add tcp/8775 port as neutron port
+- Add additional ports for swift ports
+- Added changes to fedora from bug bz#1082183
+- Add support for tcp/6200 port
+- Allow collectd getattr access to configfs_t dir Fixes Bug 1115040
+- Update neutron_manage_lib_files() interface
+- Allow glustered to connect to ephemeral ports
+- Allow apache to search ipa lib files by default
+-
Allow neutron to domtrans to haproxy
+- Add rhcs_domtrans_haproxy()
+- Add support for openstack-glance-* unit files
+- Add initial support for /usr/bin/glance-scrubber
+- Allow swift to connect to keystone and memcache ports.
+- Fix labeling for /usr/lib/systemd/system/openstack-cinder-backup
+- Add policies for openstack-cinder
+- Add support for /usr/bin/nova-conductor
+- Add neutron_can_network boolean
+- Allow neutron to connet to neutron port
+- Allow glance domain to use syslog
+- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
+
+* Wed Jun 25 2014 Miroslav Grepl 3.13.1-62
+- Allow swift to use tcp/6200 swift port
+- ALlow swift to search apache configs
+- Remove duplicate .fc entry for Grilo plugin bookmarks
+- Remove duplicate .fc entry for telepathy-gabble
+- Additional allow rules for docker sandbox processes
+- Allow keepalived connect to agentx port
+- Allow neutron-ns-metadata to connectto own unix stream socket
+- Add support for tcp/6200 port
+- Remove ability for confined users to run xinit
+- New tool for managing wireless /usr/sbin/iw
+
+* Fri Jun 20 2014 Miroslav Grepl 3.13.1-61
+- Add back MLS policy
+
+* Thu Jun 19 2014 Miroslav Grepl 3.13.1-60
+- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
+
+* Tue Jun 17 2014 Miroslav Grepl 3.13.1-59
+- Allow system_bus_types to use stream_sockets inherited from system_dbusd
+- Allow journalctl to call getpw
+- New access needed by dbus to talk to kernel stream
+- Label sm-notifypid files correctly
+- contrib: Add KMSCon policy module
+
+* Wed Jun 11 2014 Miroslav Grepl 3.13.1-58
+- Add mozilla_plugin_use_bluejeans boolean
+- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
+
+* Mon Jun 9 2014 Miroslav Grepl 3.13.1-57
+- Allow staff_t to communicate and run docker
+- Fix *_ecryptfs_home_dirs booleans
+- Allow ldconfig_t to read/write inherited user tmp pipes
+- Allow storaged to dbus chat with
lvm_t
+- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t.
+- Use proper calling in ssh.te for userdom_home_manager attribute
+- Use userdom_home_manager_type() also for ssh_keygen_t
+- Allow locate to list directories without labels
+- Allow bitlbee to use tcp/7778 port
+- /etc/cron.daily/logrotate to execute fail2ban-client.
+- Allow keepalives to connect to SNMP port. Support to do SNMP stuff
+- Allow staff_t to communicate and run docker
+- Dontaudit search mgrepl/.local for cobblerd_t
+- Allow neutron to execute kmod in insmod_t
+- Allow neutron to execute udevadm in udev_t
+- Allow also fowner cap for varnishd
+- Allow keepalived to execute bin_t/shell_exec_t
+- rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy
+- Add cups_execmem boolean
+- Allow gear to manage gear service
+- New requires for gear to use systemctl and init var_run_t
+- Allow cups to execute its rw_etc_t files, for brothers printers
+- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs.
+- Allow swift to execute bin_t
+- Allow swift to bind http_cache
+
+* Sun Jun 08 2014 Fedora Release Engineering - 3.13.1-56
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 27 2014 Miroslav Grepl 3.13.1-55
+- Add decl for cockip port
+- Allow sysadm_t to read all kernel proc
+- Allow logrotate to execute all executables
+- Allow lircd_t to use tty_device_t for use withmythtv
+- Make sure all zabbix files direcories in /var/log have the correct label
+- Allow bittlebee to create directories and files in /var/log with the correct label
+- Label /var/log/horizon as an apache log
+- Add squid directory in /var/run
+- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label
+- Wronly labeled avahi_var_lib_t as a pid file
+- Fix labels on rabbitmq_var_run_t on file/dir creation
+- Allow neutron to create sock files
+- Allow postfix domains to getattr on all file systems
+- Label swift-proxy-server as swift_exec_t
+- Tighten SELinux capabilities to match docker capabilities
+- Add fixes for squid which is configured to run with more than one worker.
+- Allow cockpit to bind to its port
+
+* Tue May 20 2014 Miroslav Grepl 3.13.1-54
+- geard seems to do a lot of relabeling
+- Allow system_mail_t to append to munin_var_lib_t
+- Allow mozilla_plugin to read alsa_rw_ content
+- Allow asterisk to connect to the apache ports
+- Dontaudit attempts to read fixed disk
+- Dontaudit search gconf_home_t
+- Allow rsync to create swift_server.lock with swift.log labeling
+- Add labeling for swift lock files
+- Use swift_virt_lock in swift.te
+- Allow openwsman to getattr on sblim_sfcbd executable
+- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
+- Allow openwsman_t to read/write sblim-sfcb shared mem
+- Allow openwsman to stream connec to sblim-sfcbd
+- Allow openwsman to create tmpfs files/dirs
+- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t
+- Allow sblim_sfcbd to execute shell
+- Allow swift to create lock file
+- Allow openwsman to use tcp/80
+- Allow neutron to create also dirs in /tmp
+- Allow seunshare domains to getattr on all executables
+- Allow ssh-keygen to create temporary files/dirs needed by OpenStack
+- Allow named_filetrans_domain to create /run/netns
+- Allow ifconfig to create /run/netns
+
+* Tue May 13 2014 Miroslav Grepl 3.13.1-53
+- Add missing dyntransition for sandbox_x_domain
+
+* Wed May 7 2014 Miroslav Grepl 3.13.1-52
+- More rules for gears and openshift
+- Added iotop policy. Thanks William Brown
+- Allow spamc to read .pyzor located in /var/spool/spampd
+- Allow spamc to create home content with correct labeling
+- Allow logwatch_mail_t to create dead.letter with correct labelign
+- Add labeling for min-cloud-agent
+- Allow geoclue to read unix in proc.
+- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
+- add support for min-cloud-agent
+- Allow ulogd to request the kernel to load a module
+- remove unconfined_domain for openwsman_t
+- Add openwsman_tmp_t rules
+- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
+- Allow nova-scheduler to read passwd file
+- Allow neutron execute arping in neutron_t
+- Dontaudit logrotate executing systemctl command attempting to net_admin
+- Allow mozilla plugins to use /dev/sr0
+- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
+- Any app that executes systemctl will attempt a net_admin
+- Fix path to mmap_min_addr
+
+* Wed May 7 2014 Miroslav Grepl 3.13.1-51
+- Add gear fixes from dwalsh
+
+* Tue May 6 2014 Miroslav Grepl 3.13.1-50
+- selinux_unconfined_type should not be able to set booleans if the securemode is set
+- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
+
+* Mon May 5 2014 Miroslav Grepl 3.13.1-49
+- Fix labeling for /root/\.yubico
+- userdom_search_admin_dir() calling needs to be optional in kernel.te
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
+- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
+- Bootloader wants to look at init state
+- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
+- init reads kdbump etc files
+- Add support for tcp/9697
+- Fix labeling for /var/run/user//gvfs
+- Add support for us_cli ports
+- fix sysnet_use_ldap
+- Allow mysql to execute ifconfig if Red Hat OpenStack
+- ALlow stap-server to get attr on all fs
+- Fix mail_pool_t to mail_spool_t
+- Dontaudit leaked xserver_misc_device_t into plugins
+- Need to allow sssd_t to manage kernel keyrings in login programs since they don't get labeled with user domains
+- Add new labeling for /var/spool/smtpd
+- Allow httpd_t to kill passenger
+- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
+- Allow nova-scheduler to read passwd/utmp files
+- Additional rules required by openstack, needs backport to F20 and RHEL7
+- Additional access required by docker
+- ALlow motion to use tcp/8082 port
+
+* Fri Apr 25 2014 Miroslav Grepl 3.13.1-48
+- Fix virt_use_samba boolean
+- Looks like all domains that use dbus libraries are now reading /dev/urand
+- Add glance_use_fusefs() boolean
+- Allow tgtd to read /proc/net/psched
+- Additional access required for gear management of openshift directories
+- Allow sys_ptrace for mock-build
+- Fix mock_read_lib_files() interface
+- Allow mock-build to write all inherited ttys and ptys
+- Allow spamd to create razor home dirs with correct labeling
+- Clean up sysnet_use_ldap()
+- systemd calling needs to be optional
+- Allow init_t to setattr/relabelfrom dhcp state files
+
+* Wed Apr 23 2014 Miroslav Grepl 3.13.1-47
+- mongod should not be a part of cloudforms.pp
+- Fix labeling in snapper.fc
+- Allow docker to read unconfined_t process state
+- geoclue dbus chats with NetworkManager
+- Add cockpit policy
+- Add interface to allow tools to check the processes state of bind/named
+- Allow myslqd to use the tram port for Galera/MariaDB
+
+* Fri Apr 18 2014 Miroslav Grepl 3.13.1-46
+- Allow init_t to setattr/relabelfrom dhcp state files
+- Allow dmesg to read hwdata and memory dev
+- Allow strongswan to create ipsec.secrets with correct labeling in /etc/strongswan
+- Dontaudit antivirus domains read access on all security files by default
+- Add missing alias for old amavis_etc_t type
+- Additional fixes for instack overcloud
+- Allow block_suspend cap for haproxy
+- Allow OpenStack to read mysqld_db links and connect to MySQL
+- Remove dup filename rules in gnome.te
+- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
+- Add labeling for /lib/systemd/system/thttpd.service
+- Allow iscsid to handle own unit files
+- Add iscsi_systemctl()
+- Allow mongod also create sock_file with correct labeling in /run
+- Allow aiccu stream connect to pcscd
+- Allow rabbitmq_beam to connect to httpd port
+- Allow httpd to send signull to apache script domains and don't audit leaks
+- Fix labeling in drbd.fc
+- Allow sssd to connect to the smbd port for handing logins using active directory, needs back port for rhel7
+- Allow all freeipmi domains to read/write ipmi devices
+- Allow rabbitmq_epmd to manage rabbit_var_log_t files
+- Allow sblim_sfcbd to use also pegasus-https port
+- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
+- Add httpd_run_preupgrade boolean
+- Add interfaces to access preupgrade_data_t
+- Add preupgrade policy
+- Add labeling for puppet helper scripts
+
+* Tue Apr 8 2014 Miroslav Grepl 3.13.1-45
+Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
+
+* Tue Apr 8 2014 Miroslav Grepl 3.13.1-44
+- Change hsperfdata_root to have as user_tmp_t
+- Allow rsyslog low-level network access
+- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
+- Allow conman to resolve DNS and use user ptys
+- update pegasus_openlmi_admin_t policy
+- nslcd wants chown capability
+- Dontaudit exec insmod in boinc policy
+
+* Fri Apr 4 2014 Miroslav Grepl 3.13.1-43
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Add additional fixes for yubikeys based on william@firstyear.id.au
+- Allow init_t run /sbin/augenrules
+- Remove dup decl for dev_unmount_sysfs_fs
+- Allow unpriv SELinux user to use sandbox
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Add dbus_filetrans_named_content_system()
+- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit sandbox_t getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+
+* Tue Apr 1 2014 Miroslav Grepl 3.13.1-42
+- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
+
+* Thu Mar 27 2014 Miroslav Grepl 3.13.1-41
+- Turn on gear_port_t
+- Add gear policy and remove permissive domains.
+- Add labels for ostree
+- Add SELinux awareness for NM
+- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
+
+* Wed Mar 26 2014 Miroslav Grepl 3.13.1-40
+- update storage_filetrans_all_named_dev for sg* devices
+- Allow auditctl_t to getattr on all removeable devices
+- Allow nsswitch_domains to stream connect to nmbd
+- Allow rasdaemon to rw /dev/cpu//msr
+- fix /var/log/pki file spec
+- make bacula_t as auth_nsswitch domain
+- Allow certmonger to manage ipa lib files
+- Add support for /var/lib/ipa
+
+* Tue Mar 25 2014 Miroslav Grepl 3.13.1-39
+- Manage_service_perms should include enable and disable, need backport to RHEL7
+- Allow also unpriv user to run vmtools
+- Allow secadm to read /dev/urandom and meminfo
+- Add userdom_tmp_role for secadm_t
+- Allow postgresql to read network state
+- Add a new file context for /var/named/chroot/run directory
+- Add booleans to allow docker processes to use nfs and samba
+- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
+- Allow puppet stream connect to mysql
+- Fixed some rules related to puppet policy
+- Allow vmware-user-sui to use user ttys
+- Allow talk 2 users logged via console too
+- Additional avcs for docker when running tests
+- allow anaconda to dbus chat with systemd-localed
+- clean up rhcs.te
+- remove dup rules from haproxy.te
+- Add fixes for haproxy based on bperkins@redhat.com
+- Allow cmirrord to make dmsetup working
+- Allow NM to execute arping
+- Allow users to send messages through talk
+- update rtas_errd policy
+- Add support for /var/spool/rhsm/debug
+- Make virt_sandbox_use_audit as True by default
+- Allow svirt_sandbox_domains to ptrace themselves
+- Allow snmpd to getattr on removeable and fixed disks
+- Allow docker containers to manage /var/lib/docker content
+
+* Mon Mar 17 2014 Miroslav Grepl 3.13.1-38
+- Label sddm as xdm_exec_t to make KDE working again
+- Allow postgresql to read network state
+- Allow java running as pki_tomcat to read network sysctls
+- Fix cgroup.te to allow cgred to read cgconfig_etc_t
+- Allow beam.smp to use ephemeral ports
+- Allow winbind to use the nis to authenticate passwords
+
+* Mon Mar 17 2014 Miroslav Grepl 3.13.1-37
+- Allow collectd to talk to libvirt
+- Allow chrome_sandbox to use leaked unix_stream_sockets
+- Dontaudit leaks of sockets into chrome_sandbox_t
+- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
+- Run vmtools as unconfined domains
+- Allow snort to manage its log files
+- Allow systemd_cronjob_t to be entered via bin_t
+- Allow procman to list doveconf_etc_t
+- allow keyring daemon to create content in tmpfs directories
+- Add proper labelling for icedtea-web
+- vpnc is creating content in networkmanager var run directory
+- unconfined_service should be allowed to transition to rpm_script_t
+- Allow couchdb to listen on port 6984
+- Dontaudit attempts by unpriv user domain to write to /run/mount directory, caused by running mount command
+- Allow systemd-logind to setup user tmpfs directories
+- Add additional fixes for systemd_networkd_t
+- Allow systemd-logind to manage user_tmpfs_t
+- Allow systemd-logind to mount /run/user/1000 to get gdm working
+
+* Fri Mar 14 2014 Miroslav Grepl 3.13.1-36
+- Add additional fixes for systemd_networkd_t
+- Allow systemd-logind to manage user_tmpfs_t
+- Allow systemd-logind to mount /run/user/1000 to get gdm working
+- Dontaudit attempts to setsched on the kernel_t threads
+- Allow munin mail plugins to read network systcl
+- Fix git_system_enable_homedirs boolean
+- Make cimtest script 03_defineVS.py of ComputerSystem group working
+- Make abrt-java-connector working
+- Allow net_admin cap for fence_virtd running as fenced_t
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+
+* Thu Mar 13 2014 Miroslav Grepl 3.13.1-35
+- sshd to read network sysctls
+- Allow vmtools_helper_t to execute bin_t
+- Add support for /usr/share/joomla
+- /var/lib/containers should be labeled as openshift content for now
+- Allow docker domains to talk to the login programs, to allow a process to login into the container
+
+* Wed Mar 12 2014 Miroslav Grepl 3.13.1-34
+- Add install_t for anaconda
+
+* Wed Mar 12 2014 Miroslav Grepl 3.13.1-33
+- Allow init_t to stream connect to ipsec
+- Add /usr/lib/systemd/systemd-networkd policy
+- Add sysnet_manage_config_dirs()
+- Add support for /var/run/systemd/network and labeled it as net_conf_t
+- Allow unpriv SELinux users to dbus chat with firewalld
+- Add lvm_write_metadata()
+- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
+- Add support for /dev/vmcp and /dev/sclp
+- Add docker_connect_any boolean
+- Fix zabbix policy
+- Allow zabbix to send system log msgs
+- Allow pegasus_openlmi_storage_t to write lvm metadata
+- Updated pcp_bind_all_unreserved_ports
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+
+* Mon Mar 10 2014 Miroslav Grepl 3.13.1-32
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+- Fix label on irclogs in the homedir
+
+* Fri Mar 7 2014 Miroslav Grepl 3.13.1-31
+- Modify xdm_write_home to allow create files/links in /root with xdm_home_t
+- Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights
+- Add xserver_dbus_chat() interface
+- Add sysnet_filetrans_named_content_ifconfig() interface
+- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
+- Turn on cron_userdomain_transition by default for now. Until we get a fix for #1063503
+- Allow lscpu running as rhsmcertd_t to read sysinfo
+- Allow virt domains to read network state
+- Added pcp rules
+- Allow ctdbd to connect own ports
+- Fix samba_export_all_rw booleanto cover also non security dirs
+- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
+- Allow neutron to create /run/netns with correct labeling
+- Allow to run ip cmd in neutron_t domain
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+
+* Tue Mar 4 2014 Miroslav Grepl 3.13.1-30
+- Allow block_suspend cap2 for systemd-logind and rw dri device
+- Add labeling for /usr/libexec/nm-libreswan-service
+- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
+- Add xserver_rw_xdm_keys()
+- Allow rpm_script_t to dbus chat also with systemd-located
+- Fix ipa_stream_connect_otpd()
+- update lpd_manage_spool() interface
+- Allow krb5kdc to stream connect to ipa-otpd
+- Add ipa_stream_connect_otpd() interface
+- Allow vpnc to unlink NM pids
+- Add networkmanager_delete_pid_files()
+- Allow munin plugins to access unconfined plugins
+- update abrt_filetrans_named_content to cover /var/spool/debug
+- Label /var/spool/debug as abrt_var_cache_t
+- Allow rhsmcertd to connect to squid port
+- Make docker_transition_unconfined as optional boolean
+- Allow certmonger to list home dirs
+
+* Fri Feb 28 2014 Miroslav Grepl 3.13.1-29
+- Make docker as permissive domain
+
+* Thu Feb 27 2014 Miroslav Grepl 3.13.1-28
+- Allow bumblebeed to send signal to insmod
+- Dontaudit attempts by crond_t net_admin caused by journald
+- Allow the docker daemon to mounton tty_device_t
+- Add addtional snapper fixes to allo relabel file_t
+- Allow setattr for all mountpoints
+- Allow snapperd to write all dirs
+- Add support for /etc/sysconfig/snapper
+- Allow mozilla_plugin to getsession
+- Add labeling for thttpd
+- Allow sosreport to execute grub2-probe
+- Allow NM to manage hostname config file
+- Allow systemd_timedated_t to dbus chat with rpm_script_t
+- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
+- Add lsmd_plugin_connect_any boolea
+- Add support for ipset
+- Add support for /dev/sclp_line0
+- Add modutils_signal_insmod()
+- Add files_relabelto_all_mountpoints() interface
+- Allow the docker daemon to mounton tty_device_t
+- Allow all systemd domains to read /proc/1
+- Login programs talking to journald are attempting to net_admin, add dontaudit
+- init is not gettar on processes as shutdown time
+- Add systemd_hostnamed_manage_config() interface
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Add lvm_read_metadata()
+
+* Mon Feb 24 2014 Miroslav Grepl 3.13.1-27
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Treat usermodehelper_t as a sysctl_type
+- xdm communicates with geo
+- Add lvm_read_metadata()
+- Allow rabbitmq_beam to connect to jabber_interserver_port
+- Allow logwatch_mail_t to transition to qmail_inject and queueu
+- Added new rules to pcp policy
+- Allow vmtools_helper_t to change role to system_r
+- Allow NM to dbus chat with vmtools
+
+* Fri Feb 21 2014 Miroslav Grepl 3.13.1-26
+- Add labeling for /usr/sbin/amavi
+- Colin asked for this program to be treated as cloud-init
+- Allow ftp services to manage xferlog_t
+- Fix vmtools policy to allow user roles to access vmtools_helper_t
+- Allow block_suspend cap2 for ipa-otpd
+- Allow certmonger to search home content
+- Allow pkcsslotd to read users state
+- Allow exim to use pam stack to check passwords
+- Add labeling for /usr/sbin/amavi
+- Colin asked for this program to be treated as cloud-init
+- Allow ftp services to manage xferlog_t
+- Fix vmtools policy to allow user roles to access vmtools_helper_t
+- Allow block_suspend cap2 for ipa-otpd
+- Allow certmonger to search home content
+- Allow pkcsslotd to read users state
+- Allow exim to use pam stack to check passwords
+
+* Tue Feb 18 2014 Miroslav Grepl 3.13.1-25
+- Add lvm_read_metadata()
+- Allow auditadm to search /var/log/audit dir
+- Add lvm_read_metadata() interface
+- Allow confined users to run vmtools helpers
+- Fix userdom_common_user_template()
+- Generic systemd unit scripts do write check on /
+- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
+- Add additional fixes needed for init_t and setup script running in generic unit files
+- Allow general users to create packet_sockets
+- added connlcli port
+- Add init_manage_transient_unit() interface
+- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
+- Fix userdomain.te to require passwd class
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- Dontauit leaks of var_t into ifconfig_t
+- Allow domains that transition to ssh_t to manipulate its keyring
+- Define oracleasm_t as a device node
+- Change to handle /root as a symbolic link for os-tree
+- Allow sysadm_t to create packet_socket, also move some rules to attributes
+- Add label for openvswitch port
+- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
+- Allow postfix_local to read .forward in pcp lib files
+- Allow pegasus_openlmi_storage_t to read lvm metadata
+- Add additional fixes for pegasus_openlmi_storage_t
+- Allow bumblebee to manage debugfs
+- Make bumblebee as unconfined domain
+- Allow snmp to read etc_aliases_t
+- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
+- Allow pegasus_openlmi_storage_t to read /proc/1/environ
+- Dontaudit read gconf files for cupsd_config_t
+- make vmtools as unconfined domain
+- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
+- Allow collectd_t to use a mysql database
+- Allow ipa-otpd to perform DNS name resolution
+- Added new policy for keepalived
+- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
+- Add additional fixes new pscs-lite+polkit support
+- Add labeling for /run/krb5kdc
+- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
+- Allow pcscd to read users proc info
+- Dontaudit smbd_t sending out random signuls
+- Add boolean to allow openshift domains to use nfs
+- Allow w3c_validator to create content in /tmp
+- zabbix_agent uses nsswitch
+- Allow procmail and dovecot to work together to deliver mail
+- Allow spamd to execute files in homedir if boolean turned on
+- Allow openvswitch to listen on port 6634
+- Add net_admin capability in collectd policy
+- Fixed snapperd policy
+- Fixed bugsfor pcp policy
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Add kerberos_keytab_domain attribute
+- Fix snapperd_conf_t def
+
+* Fri Feb 14 2014 Miroslav Grepl 3.13.1-24
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- systemd_tmpfiles_t needs to _setcheckreqprot
+- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
+- Fixed snapperd policy
+- Fixed broken interfaces
+- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
+- Fixed bugsfor pcp policy
+- pcscd seems to be using policy kit and looking at domains proc data that transition to it
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Allow ABRT to read puppet certs
+- Allow virtd_lxc_t to specify the label of a socket
+- New version of docker requires more access
+
+* Mon Feb 10 2014 Miroslav Grepl 3.13.1-23
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
+* Wed Feb 5 2014 Miroslav Grepl 3.13.1-22
+- Fix /dev/vfio/vfio labeling
+
+* Wed Feb 5 2014 Miroslav Grepl 3.13.1-21
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+- Add support for dey_sapi port
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- drbdadm executes drbdmeta
+- Added osad policy
+- Allow postfix to deliver to procmail
+- Allow vmtools to execute /usr/bin/lsb_release
+- Allow geoclue to read /etc/passwd
+- Allow docker to write system net ctrls
+- Add support for rhnsd unit file
+- Add dbus_chat_session_bus() interface
+- Add dbus_stream_connect_session_bus() interface
+- Fix pcp.te
+- Fix logrotate_use_nfs boolean
+- Add lot of pcp fixes found in RHEL7
+- fix labeling for pmie for pcp pkg
+- Change thumb_t to be allowed to chat/connect with session bus type
+- Add logrotate_use_nfs boolean
+- Allow setroubleshootd to read rpc sysctl
+
+* Thu Jan 30 2014 Miroslav Grepl 3.13.1-20
+- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
+- Allow geoclue to create temporary files/dirs in /tmp
+- Add httpd_dontaudit_search_dirs boolean
+- Add support for winbind.service
+- ALlow also fail2ban-client to read apache logs
+- Allow vmtools to getattr on all fs
+
+* Tue Jan 28 2014 Miroslav Grepl 3.13.1-19
+- Add net_admin also for systemd_passwd_agent_t
+- Allow Associate usermodehelper_t to sysfs filesystem
+- Allow gdm to create /var/gdm with correct labeling
+- Allow domains to append rkhunterl lib files. #1057982
+- Allow systemd_tmpfiles_t net_admin to communicate with journald
+- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
+- Adding a new service script to enable setcheckreqprot
+- Add interface to getattr on an isid_type for any type of file
+- Allow initrc_t domtrans to authconfig if unconfined is enabled
+- Add labeling for snapper.log
+- Allow tumbler to execute dbusd-daemon in thumb_t
+- Add dbus_exec_dbusd()
+- Add snapperd_data_t type
+- Add additional fixes for snapperd
+- FIx bad calling in samba.te
+- Allow smbd to create tmpfs
+- Allow rhsmcertd-worker send signull to rpm process
+- Allow net_admin capability and send system log msgs
+- Allow lldpad send dgram to NM
+- Add networkmanager_dgram_send()
+- rkhunter_var_lib_t is correct type
+- Allow openlmi-storage to read removable devices
+- Allow system cron jobs to manage rkhunter lib files
+- Add rkhunter_manage_lib_files()
+- Fix ftpd_use_fusefs boolean to allow manage also symlinks
+- Allow smbcontrob block_suspend cap2
+- Allow slpd to read network and system state info
+- Allow NM domtrans to iscsid_t if iscsiadm is executed
+- Allow slapd to send a signal itself
+- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
+- Fix plymouthd_create_log() interface +- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package +- Allow postfix and cyrus-imapd to work out of box +- Remove logwatch_can_sendmail which is no longer used +- Allow fcoemon to talk with unpriv user domain using unix_stream_socket +- snapperd is D-Bus service +- Allow OpenLMI PowerManagement to call 'systemctl --force reboot' + +* Fri Jan 24 2014 Miroslav Grepl 3.13.1-18 +- Add haproxy_connect_any boolean +- Allow haproxy also to use http cache port by default +- Fix /usr/lib/firefox/plugin-container decl +- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications +- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t +- Fix type in docker.te +- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory +- Adding a new service script to enable setcheckreqprot +- Add interface to getattr on an isid_type for any type of file +- Allow initrc_t domtrans to authconfig if unconfined is enabled +type in docker.te +- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container + +* Thu Jan 23 2014 Miroslav Grepl 3.13.1-17 +- init calling needs to be optional in domain.te +- Allow docker and mount on devpts chr_file +- Allow docker to transition to unconfined_t if boolean set +- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t +- Fix type in docker.te +- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container +- Allow docker to use the network and build images +- Allow docker to read selinux files for labeling, and mount on devpts chr_file +- Allow domains that transition to svirt_sandbox to send it signals +- Allow docker to transition to unconfined_t if boolean set + +* Wed Jan 22 2014 Miroslav Grepl 3.13.1-16 +- New access needed to allow docker + lxc +SELinux to work together +- Allow apache to write to the owncloud data directory in /var/www/html... 
+- Cleanup sandbox X AVC's
+- Allow consolekit to create log dir
+- Add support for icinga CGI scripts
+- Add support for icinga
+- Allow kdumpctl_t to create kdump lock file
+- Allow kdump to create lnk lock file
+- Allow ABRT write core_pattern
+- Allwo ABRT to read core_pattern
+- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
+- Allow nscd_t block_suspen capability
+- Allow unconfined domain types to manage own transient unit file
+- Allow systemd domains to handle transient init unit files
+- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
+- Add/fix interfaces for usermodehelper_t
+- Add interfaces to handle transient
+- Fixes for new usermodehelper and proc_securit_t types, added to increase security on /proc and /sys file systems
+
+* Mon Jan 20 2014 Miroslav Grepl 3.13.1-15
+- Add cron unconfined role support for uncofined SELinux user
+- Call kernel_rw_usermodehelper_state() in init.te
+- Call corenet_udp_bind_all_ports() in milter.te
+- Allow fence_virtd to connect to zented port
+- Fix header for mirrormanager_admin()
+- Allow dkim-milter to bind udp ports
+- Allow milter domains to send signull itself
+- Allow block_suspend for yum running as mock_t
+- Allow beam.smp to manage couchdb files
+- Add couchdb_manage_files()
+- Add labeling for /var/log/php_errors.log
+- Allow bumblebee to stream connect to xserver
+- Allow bumblebee to send a signal to xserver
+- gnome-thumbnail to stream connect to bumblebee
+- Fix calling usermodehelper to use _state in interface name
+- Allow xkbcomp running as bumblebee_t to execute bin_t
+- Allow logrotate to read squid.conf
+- Additional rules to get docker and lxc to play well with SELinux
+- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
+- Make rpm_transition_script accept a role
+- Added new policy for pcp
+- Allow bumbleed to connect to xserver port
+- Allow pegasus_openlmi_storage_t to read hwdata
+
+* Fri Jan 17 2014 Miroslav Grepl 3.13.1-14
+- Make rpm_transition_script accept a role
+- Clean up pcp.te
+- Added new policy for pcp
+- Allow bumbleed to connect to xserver port
+- Added support for named-sdb in bind policy
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow pegasus_openlmi_storage_t to read hwdata
+- Fix rhcs_rw_cluster_tmpfs()
+- Allow fenced_t to bind on zented udp port
+- Fix mirrormanager_read_lib_files()
+- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files
+- Dontaudit read/write to init stream socket for lsmd_plugin_t
+- Allow automount to read nfs link files
+- Allow lsm plugins to read/write lsmd stream socket
+- Allow svirt_lxc domains to umount dockersocket filesytem
+- Allow gnome keyring domains to create gnome config dirs
+- Allow rpm scritplets to create /run/gather with correct labeling
+- Add sblim_filetrans_named_content() interface
+- Allow ctdb to create sock files in /var/run/ctdb
+- Add also labeling for /var/run/ctdb
+- Add missing labeling for /var/lib/ctdb
+- ALlow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
+- Dontaudit hypervkvp to search homedirs
+- Dontaudit hypervkvp to search admin homedirs
+- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
+- Dontaudit xguest_t to read ABRT conf files
+- Add abrt_dontaudit_read_config()
+- Allow namespace-init to getattr on fs
+- Add thumb_role() also for xguest
+- Add filename transitions to create .spamassassin with correct labeling
+- Allow apache domain to read mirrormanager pid files
+- Allow domains to read/write shm and sem owned by mozilla_plugin_t
+- Allow alsactl to send a generic signal to kernel_t
+- Allow plymouthd to read run/udev/queue.bin
+- Allow sys_chroot for NM required by iodine service
+- Change glusterd to allow mounton all non security
+- Labeled ~/.nv/GLCache as being gstreamer output
+- Restrict the ability to set usermodehelpers and proc security settings.
+- Limit the ability to write to the files that configure kernel i
+- usermodehelpers and security-sensitive proc settings to the init domain. i
+- Permissive domains can also continue to set these values.
+- The current list is not exhaustive, just an initial set.
+- Not all of these files will exist on all kernels/devices.
+- Controlling access to certain kernel usermodehelpers, e.g. cgroup
+- release_agent, will require kernel changes to support and cannot be
+- addressed here.
+- Ideas come from Stephen Smalley and seandroid
+- Make rpm_transition_script accept a role
+- Make rpm_transition_script accept a role
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow init_t to work on transitient and snapshot unit files
+- Add logging_manage_syslog_config()
+- Update sysnet_dns_name_resolve() to allow connect to dnssec port
+
+* Mon Jan 13 2014 Miroslav Grepl 3.13.1-13
+- Remove file_t from the system and realias it with unlabeled_t
+
+* Thu Jan 9 2014 Miroslav Grepl 3.13.1-12
+- Add gluster fixes
+- Remove ability to transition to unconfined_t from confined domains
+- Additional allow rules to get libvirt-lxc containers working with docker
+
+* Mon Jan 6 2014 Miroslav Grepl 3.13.1-11
+- passwd to create gnome-keyring passwd socket
+- systemd_systemctl needs sys_admin capability
+- Allow cobbler to search dhcp_etc_t directory
+- Allow sytemd_tmpfiles_t to delete all directories
+- allow sshd to write to all process levels in order to change passwd when running at a level
+- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
+- Allow apcuspd_t to status and start the power unit file
+- Allow udev to manage kdump unit file
+- Added new interface modutils_dontaudit_exec_insmod
+- Add labeling for /var/lib/servicelog/servicelog.db-journal
+- Allow init_t to create tmpfs_t lnk_file
+- Add label for ~/.cvsignore
+- Allow fprintd_t to send syslog messages
+- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix
to connect to smtp port
+- Allow mozilla plugin to chat with policykit, needed for spice
+- Allow gssprozy to change user and gid, as well as read user keyrings
+- Allow sandbox apps to attempt to set and get capabilties
+- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
+- allow modemmanger to read /dev/urand
+- Allow polipo to connect to http_cache_ports
+- Allow cron jobs to manage apache var lib content
+- Allow yppassword to manage the passwd_file_t
+- Allow showall_t to send itself signals
+- Allow cobbler to restart dhcpc, dnsmasq and bind services
+- Allow rsync_t to manage all non auth files
+- Allow certmonger to manage home cert files
+- Allow user_mail_domains to write certain files to the /root and ~/ directories
+- Allow apcuspd_t to status and start the power unit file
+- Allow cgroupdrulesengd to create content in cgoups directories
+- Add new access for mythtv
+- Allow irc_t to execute shell and bin-t files:
+- Allow smbd_t to signull cluster
+- Allow sssd to read systemd_login_var_run_t
+- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
+- Add label for /var/spool/cron.aquota.user
+- Allow sandbox_x domains to use work with the mozilla plugin semaphore
+- Added new policy for speech-dispatcher
+- Added dontaudit rule for insmod_exec_t in rasdaemon policy
+- Updated rasdaemon policy
+- Allow virt_domains to read cert files
+- Allow system_mail_t to transition to postfix_postdrop_t
+- Clean up mirrormanager policy
+- Allow subscription-manager running as sosreport_t to manage rhsmcertd
+- Remove ability to do mount/sys_admin by default in virt_sandbox domains
+- New rules required to run docker images within libivrt
+- Fixed bumblebee_admin() and mip6d_admin()
+- Add log support for sensord
+- Add label for ~/.cvsignore
+- Change mirrormanager to be run by cron
+- Add mirrormanager policy
+- Additional fixes for docker.te
+-
Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
+- Add tftp_write_rw_content/tftp_read_rw_content interfaces
+- Allow amanda to do backups over UDP
+
+* Fri Dec 13 2013 Miroslav Grepl 3.13.1-10
+- Allow freeipmi_ipmidetectd_t to use freeipmi port
+- Update freeipmi_domain_template()
+- Allow journalctl running as ABRT to read /run/log/journal
+- Allow NM to read dispatcher.d directory
+- Update freeipmi policy
+- Type transitions with a filename not allowed inside conditionals
+- Allow tor to bind to hplip port
+- Make new type to texlive files in homedir
+- Allow zabbix_agent to transition to dmidecode
+- Add rules for docker
+- Allow sosreport to send signull to unconfined_t
+- Add virt_noatsecure and virt_rlimitinh interfaces
+- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
+- Add sysadm_u_default_contexts
+- Add logging_read_syslog_pid()
+- Fix userdom_manage_home_texlive() interface
+- Make new type to texlive files in homedir
+- Add filename transitions for /run and /lock links
+- Allow virtd to inherit rlimit information
+
+* Mon Dec 9 2013 Miroslav Grepl 3.13.1-9
+- DRM master and input event devices are used by the TakeDevice API
+- Clean up bumblebee policy
+- Update pegasus_openlmi_storage_t policy
+- opensm policy clean up
+- openwsman policy clean up
+- ninfod policy clean up
+- Allow conman to connect to freeipmi services and clean up conman policy
+- Allow conmand just bind on 7890 port
+- Add freeipmi_stream_connect() interface
+- Allow logwatch read madm.conf to support RAID setup
+- Add raid_read_conf_files() interface
+- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
+- add rpm_named_filetrans_log_files() interface
+- Added policy for conmand
+- Allow dkim-milter to create files/dirs in /tmp
+- update freeipmi policy
+- Add policy for freeipmi services
+- Added rdisc_admin and rdisc_systemctl interfaces
+- Fix aliases in pegasus.te
+-
Allow chrome sandbox to read generic cache files in homedir
+- Dontaudit mandb searching all mountpoints
+- Make sure wine domains create .wine with the correct label
+- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
+- Allow windbind the kill capability
+- DRM master and input event devices are used by the TakeDevice API
+- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
+- Added support for default conman port
+- Add interfaces for ipmi devices
+- Make sure wine domains create .wine with the correct label
+- Allow manage dirs in kernel_manage_debugfs interface.
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+- Fix userdom_confined_admin_template()
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Fix files_filetrans_system_db_named_files() interface
+- Allow sulogin to getattr on /proc/kcore
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+- Allow mount to manage mount_var_run_t files/dirs
+
+* Tue Dec 3 2013 Miroslav Grepl 3.13.1-8
+- Add back fixes for gnome_role_template()
+- Label /usr/sbin/htcacheclean as httpd_exec_t
+- Add missing alias for pegasus_openlmi_service_exec_t
+- Added support for rdisc unit file
+- Added new policy for ninfod
+- Added new policy for openwsman
+- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
+- Allow runuser running as logrotate connections to system DBUS
+- Add connectto perm for NM unix stream socket
+- Allow watchdog to be executed from cron
+- Allow cloud_init to transition to rpm_script_t
+- Allow lsmd_plugin_t send system log messages
+- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t
+- Added new capabilities for mip6d
policy
+- Label bcache devices as fixed_disk_device_t
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+
+* Tue Nov 26 2013 Miroslav Grepl 3.13.1-7
+- Add lsmd_plugin_t for lsm plugins
+- Allow dovecot-deliver to search mountpoints
+- Add labeling for /etc/mdadm.conf
+- Allow opelmi admin providers to dbus chat with init_t
+- Allow sblim domain to read /dev/urandom and /dev/random
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Allow sulogin to getattr on /proc/kcore
+
+* Tue Nov 26 2013 Miroslav Grepl 3.13.1-6
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+- Allow mount to manage mount_var_run_t files/dirs
+- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
+- Make sure boot.log is created with the correct label
+- call logging_relabel_all_log_dirs() in systemd.te
+- Allow systemd_tmpfiles to relabel log directories
+- Allow staff_t to run frequency command
+- Allow staff_t to read xserver_log file
+- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
+- Label hsperfdata_root as tmp_t
+- Add plymouthd_create_log()
+- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
+- Allow sssd to request the kernel loads modules
+- Allow gpg_agent to use ssh-add
+- Allow gpg_agent to use ssh-add
+- Dontaudit access check on /root for myslqd_safe_t
+- Add glusterd_brick_t files type
+- Allow ctdb to getattr on al filesystems
+- Allow abrt to stream connect to syslog
+- Allow dnsmasq to list dnsmasq.d directory
+- Watchdog opens the raw socket
+- Allow watchdog to read network state info
+- Dontaudit access check on lvm lock dir
+- Allow sosreport to send signull to setroubleshootd
+- Add setroubleshoot_signull() interface
+- Fix ldap_read_certs() interface
+- Allow sosreport all signal perms
+- Allow sosreport to run systemctl
+- Allow sosreport to dbus chat with rpm
+- Allow zabbix_agentd to read all domain state
+- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
+- Allow smoltclient to execute ldconfig
+- Allow sosreport to request the kernel to load a module
+- Clean up rtas.if
+- Clean up docker.if
+- drop /var/lib/glpi/files labeling in cron.fc
+- Added new policy for rasdaemon
+- Add apache labeling for glpi
+- Allow pegasus to transition to dmidecode
+- Make sure boot.log is created with the correct label
+- Fix typo in openshift.te
+- remove dup bumblebee_systemctl()
+- Allow watchdog to read /etc/passwd
+- Allow condor domains to read/write condor_master udp_socket
+- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift
+- Add back file_pid_filetrans for /var/run/dlm_controld
+- Allow smbd_t to use inherited tmpfs content
+- Allow mcelog to use the /dev/cpu device
+- sosreport runs rpcinfo
+- sosreport runs subscription-manager
+- Allow setpgid for sosreport
+- Allow browser plugins to connect to bumblebee
+- New policy for bumblebee and freqset
+- Add new policy for mip6d daemon
+- Add new policy for opensm daemon
+
+* Mon Nov 18 2013
Miroslav Grepl 3.13.1-5
+- Add back /dev/shm labeling
+
+* Mon Nov 18 2013 Miroslav Grepl 3.13.1-4
+- Fix gnome_role_template() interface
+
+* Thu Nov 14 2013 Miroslav Grepl 3.13.1-3
+- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
+
+* Thu Nov 14 2013 Dan Walsh 3.13.1-2
+- Fix config.tgz to include lxc_contexts and systemd_contexts
+
+* Wed Nov 13 2013 Miroslav Grepl 3.13.1-1
+- Update to upstream
+
+* Tue Nov 12 2013 Miroslav Grepl 3.12.1-100
+- Fix passenger_stream_connect interface
+- setroubleshoot_fixit wants to read network state
+- Allow procmail_t to connect to dovecot stream sockets
+- Allow cimprovagt service providers to read network states
+- Add labeling for /var/run/mariadb
+- pwauth uses lastlog() to update system's lastlog
+- Allow account provider to read login records
+- Add support for texlive2013
+- More fixes for user config files to make crond_t running in userdomain
+- Add back disable/reload/enable permissions for system class
+- Fix manage_service_perms macro
+- Allow passwd_t to connect to gnome keyring to change password
+- Update mls config files to have cronjobs in the user domains
+- Remove access checks that systemd does not actually do
+
+* Fri Nov 8 2013 Miroslav Grepl 3.12.1-99
+- Add support for yubikey in homedir
+- Add support for upd/3052 port
+- Allow apcupsd to use PowerChute Network Shutdown
+- Allow lsmd to execute various lsmplugins
+- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
+- Update gluster_export_all_rw boolean to allow relabel all base file types
+- Allow x86_energy_perf tool to modify the MSR
+- Fix /var/lib/dspam/data labeling
+
+* Wed Nov 6 2013 Miroslav Grepl 3.12.1-98
+- Add files_relabel_base_file_types() interface
+- Allow netlabel-config to read passwd
+- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
+- Allow x86_energy_perf tool to modify the MSR
+- Fix /var/lib/dspam/data
labeling
+- Allow pegasus to domtrans to mount_t
+- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
+- Add support for unconfined watchdog scripts
+- Allow watchdog to manage own log files
+
+* Wed Nov 6 2013 Miroslav Grepl 3.12.1-97
+- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
+- Label /etc/yum.repos.d as system_conf_t
+- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
+- Allow dac_override for sysadm_screen_t
+- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
+- Allow netlabel-config to read meminfo
+- Add interface to allow docker to mounton file_t
+- Add new interface to exec unlabeled files
+- Allow lvm to use docker semaphores
+- Setup transitons for .xsessions-errors.old
+- Change labels of files in /var/lib/*/.ssh to transition properly
+- Allow staff_t and user_t to look at logs using journalctl
+- pluto wants to manage own log file
+- Allow pluto running as ipsec_t to create pluto.log
+- Fix alias decl in corenetwork.te.in
+- Add support for fuse.glusterfs
+- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
+- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
+- Additional access for docker
+- Added more rules to sblim policy
+- Fix kdumpgui_run_bootloader boolean
+- Allow dspam to connect to lmtp port
+- Included sfcbd service into sblim policy
+- rhsmcertd wants to manaage /etc/pki/consumer dir
+- Add kdumpgui_run_bootloader boolean
+- Add support for /var/cache/watchdog
+- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
+- Fixes for handling libvirt containes
+- Dontaudit attempts by mysql_safe to write content into /
+- Dontaudit attempts by system_mail to modify network config
+- Allow dspam to bind to lmtp ports
+- Add new policy to allow staff_t and user_t to look at logs using journalctl
+- Allow apache cgi scripts to list sysfs
+- Dontaudit attempts to write/delete user_tmp_t files
+- Allow all antivirus domains to manage also own log dirs
+- Allow pegasus_openlmi_services_t to stream connect to sssd_t
+
+* Fri Nov 1 2013 Miroslav Grepl 3.12.1-96
+- Add missing permission checks for nscd
+
+* Wed Oct 30 2013 Miroslav Grepl 3.12.1-95
+- Fix alias decl in corenetwork.te.in
+- Add support for fuse.glusterfs
+- Add file transition rules for content created by f5link
+- Rename quantum_port information to neutron
+- Allow all antivirus domains to manage also own log dirs
+- Rename quantum_port information to neutron
+- Allow pegasus_openlmi_services_t to stream connect to sssd_t
+
+* Mon Oct 28 2013 Miroslav Grepl 3.12.1-94
+- Allow sysadm_t to read login information
+- Allow systemd_tmpfiles to setattr on var_log_t directories
+- Udpdate Makefile to include systemd_contexts
+- Add systemd_contexts
+- Add fs_exec_hugetlbfs_files() interface
+- Add daemons_enable_cluster_mode boolean
+- Fix rsync_filetrans_named_content()
+- Add rhcs_read_cluster_pid_files() interface
+- Update rhcs.if with additional interfaces from RHEL6
+- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
+- Allow glusterd_t to mounton glusterd_tmp_t
+- Allow glusterd to unmout al filesystems
+- Allow xenstored to
read virt config
+- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct label
+- Allow mozilla_plugin_t to mmap hugepages as an executable
+
+* Thu Oct 24 2013 Miroslav Grepl 3.12.1-93
+- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
+
+* Tue Oct 22 2013 Miroslav Grepl 3.12.1-92
+- Allow sshd_t to read openshift content, needs backport to RHEL6.5
+- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
+- Make sur kdump lock is created with correct label if kdumpctl is executed
+- gnome interface calls should always be made within an optional_block
+- Allow syslogd_t to connect to the syslog_tls port
+- Add labeling for /var/run/charon.ctl socket
+- Add kdump_filetrans_named_content()
+- Allo setpgid for fenced_t
+- Allow setpgid and r/w cluster tmpfs for fenced_t
+- gnome calls should always be within optional blocks
+- wicd.pid should be labeled as networkmanager_var_run_t
+- Allow sys_resource for lldpad
+
+* Thu Oct 17 2013 Miroslav Grepl 3.12.1-91
+- Add rtas policy
+
+* Thu Oct 17 2013 Miroslav Grepl 3.12.1-90
+- Allow mailserver_domains to manage and transition to mailman data
+- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv and cp commands
+- Allow mailserver_domains to manage and transition to mailman data
+- Allow svirt_domains to read sysctl_net_t
+- Allow thumb_t to use tmpfs inherited from the user
+- Allow mozilla_plugin to bind to the vnc port if running with spice
+- Add new attribute to discover confined_admins and assign confined admin to it
+- Fix zabbix to handle attributes in interfaces
+- Fix zabbix to read system states for all zabbix domains
+- Fix piranha_domain_template()
+- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
+- Allow lldpad sys_rouserce cap due to #986870
+- Allow dovecot-auth to read nologin
+- Allow openlmi-networking to read /proc/net/dev
+- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
+- Add zabbix_domain attribute for zabbix domains to treat them together
+- Add labels for zabbix-poxy-* (#1018221)
+- Update openlmi-storage policy to reflect #1015067
+- Back port piranha tmpfs fixes from RHEL6
+- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
+- Add postfix_rw_spool_maildrop_files interface
+- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
+- Fix typo in userdom_admin_user_template()
+- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
+- Add new attribute to discover confined_admins
+- Fix labeling for /etc/strongswan/ipsec.d
+- systemd_logind seems to pass fd to anyone who dbus communicates with it
+- Dontaudit leaked write descriptor to dmesg
+
+* Mon Oct 14 2013 Miroslav Grepl 3.12.1-89
+- Fix gnome_read_generic_data_home_files()
+- allow openshift_cgroup_t to read/write inherited openshift file types
+- Remove httpd_cobbler_content * from cobbler_admin interface
+- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within a container
+- Allow httpd_t to read also git sys content symlinks
+- Allow init_t to read gnome home data
+- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
+- Allow virsh to execute systemctl
+- Fix for nagios_services plugins
+- add type defintion for ctdbd_var_t
+- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
+- Allow net_admin/netlink_socket all hyperv_domain domains
+- Add labeling for zarafa-search.log and zarafa-search.pid
+- Fix hypervkvp.te
+- Fix nscd_shm_use()
+- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv.
Also add hyperv_domain attribute to treat these HyperV services.
+- Add hypervkvp_unit_file_t type
+- Fix logging policy
+- Allow syslog to bind to tls ports
+- Update labeling for /dev/cdc-wdm
+- Allow to su_domain to read init states
+- Allow init_t to read gnome home data
+- Make sure if systemd_logind creates nologin file with the correct label
+- Clean up ipsec.te
+
+* Tue Oct 8 2013 Miroslav Grepl 3.12.1-88
+- Add auth_exec_chkpwd interface
+- Fix port definition for ctdb ports
+- Allow systemd domains to read /dev/urand
+- Dontaudit attempts for mozilla_plugin to append to /dev/random
+- Add label for /var/run/charon.*
+- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion service
+- Fix for nagios_services plugins
+- Fix some bugs in zoneminder policy
+- add type defintion for ctdbd_var_t
+- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
+- Allow net_admin/netlink_socket all hyperv_domain domains
+- Add labeling for zarafa-search.log and zarafa-search.pid
+- glusterd binds to random unreserved ports
+- Additional allow rules found by testing glusterfs
+- apcupsd needs to send a message to all users on the system so needs to look them up
+- Fix the label on ~/.juniper_networks
+- Dontaudit attempts for mozilla_plugin to append to /dev/random
+- Allow polipo_daemon to connect to flash ports
+- Allow gssproxy_t to create replay caches
+- Fix nscd_shm_use()
+- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
+- Add hypervkvp_unit_file_t type
+
+* Fri Oct 4 2013 Miroslav Grepl 3.12.1-87
+- init reload from systemd_localed_t
+- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
+- Allow systemd_localed_t to ask systemd to reload the locale.
+- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
+- Allow readahead to read /dev/urand
+- Fix lots of avcs about tuned
+- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
+- Allow tuned to inderact with hugepages
+- Allow condor domains to list etc rw dirs
+
+* Fri Oct 4 2013 Miroslav Grepl 3.12.1-86
+- Fix nscd_shm_use()
+- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.
+- Add hypervkvp_unit_file_t type
+- Add additional fixes forpegasus_openlmi_account_t
+- Allow mdadm to read /dev/urand
+- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it
+- Add label/rules for /etc/mdadm.conf
+- Allow pegasus_openlmi_storage_t to transition to fsadm_t
+- Fixes for interface definition problems
+- Dontaudit dovecot-deliver to gettatr on all fs dirs
+- Allow domains to search data_home_t directories
+- Allow cobblerd to connect to mysql
+- Allow mdadm to r/w kdump lock files
+- Add support for kdump lock files
+- Label zarafa-search as zarafa-indexer
+- Openshift cgroup wants to read /etc/passwd
+- Add new sandbox domains for kvm
+- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
+- Fix labeling for /usr/lib/systemd/system/lvm2.*
+- Add labeling for /usr/lib/systemd/system/lvm2.*
+- Fix typos to get a new build.
We should not cover filename trans rules to prevent duplicate rules
+- Add sshd_keygen_t policy for sshd-keygen
+- Fix alsa_home_filetrans interface name and definition
+- Allow chown for ssh_keygen_t
+- Add fs_dontaudit_getattr_all_dirs()
+- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys
+- Fix up patch to allow systemd to manage home content
+- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled
+- Allow getty to exec hostname to get info
+- Add systemd_home_t for ~/.local/share/systemd directory
+
+* Wed Oct 2 2013 Miroslav Grepl 3.12.1-85
+- Fix lxc labeling in config.tgz
+
+* Mon Sep 30 2013 Miroslav Grepl 3.12.1-84
+- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
+- Allow tuned to search all file system directories
+- Allow alsa_t to sys_nice, to get top performance for sound management
+- Add support for MySQL/PostgreSQL for amavis
+- Allow openvpn_t to manage openvpn_var_log_t files.
+- Allow dirsrv_t to create tmpfs_t directories
+- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
+- Dontaudit leaked unix_stream_sockets into gnome keyring
+- Allow telepathy domains to inhibit pipes on telepathy domains
+- Allow cloud-init to domtrans to rpm
+- Allow abrt daemon to manage abrt-watch tmp files
+- Allow abrt-upload-watcher to search /var/spool directory
+- Allow nsswitch domains to manage own process key
+- Fix labeling for mgetty.* logs
+- Allow systemd to dbus chat with upower
+- Allow ipsec to send signull to itself
+- Allow setgid cap for ipsec_t
+- Match upstream labeling
+
+* Wed Sep 25 2013 Miroslav Grepl 3.12.1-83
+- Do not build sanbox pkg on MLS
+
+* Wed Sep 25 2013 Miroslav Grepl 3.12.1-82
+- wine_tmp is no longer needed
+- Allow setroubleshoot to look at /proc
+- Allow telepathy domains to dbus with systemd logind
+- Fix handling of fifo files of rpm
+- Allow mozilla_plugin to transition to itself
+- Allow certwatch to write to cert_t directories
+- New abrt application
+- Allow NetworkManager to set the kernel scheduler
+- Make wine_domain shared by all wine domains
+- Allow mdadm_t to read images labeled svirt_image_t
+- Allow amanda to read /dev/urand
+- ALlow my_print_default to read /dev/urand
+- Allow mdadm to write to kdumpctl fifo files
+- Allow nslcd to send signull to itself
+- Allow yppasswd to read /dev/urandom
+- Fix zarafa_setrlimit
+- Add support for /var/lib/php/wsdlcache
+- Add zarafa_setrlimit boolean
+- Allow fetchmail to send mails
+- Add additional alias for user_tmp_t because wine_tmp_t is no longer used
+- More handling of ther kernel keyring required by kerberos
+- New privs needed for init_t when running without transition to initrc_t over bin_t, and without unconfined domain installed
+
+* Thu Sep 19 2013 Miroslav Grepl 3.12.1-81
+- Dontaudit attempts by sosreport to read shadow_t
+- Allow browser sandbox plugins to connect to cups to print
+- Add new label mpd_home_t
+- Label /srv/www/logs as httpd_log_t
+- Add support for /var/lib/php/wsdlcache
+- Add zarafa_setrlimit boolean
+- Allow fetchmail to send mails
+- Add labels for apache logs under miq package
+- Allow irc_t to use tcp sockets
+- fix labels in puppet.if
+- Allow tcsd to read utmp file
+- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
+- Define svirt_socket_t as a domain_type
+- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
+- Fix label on pam_krb5 helper apps
+
+* Thu Sep 12 2013 Miroslav Grepl 3.12.1-80
+- Allow ldconfig to write to kdumpctl fifo files
+- allow neutron to connect to amqp ports
+- Allow kdump_manage_crash to list the kdump_crash_t directory
+- Allow glance-api to connect to amqp port
+- Allow virt_qemu_ga_t to read meminfo
+- Add antivirus_home_t type for antivirus date in HOMEDIRS
+- Allow mpd setcap which is needed by pulseaudio
+- Allow smbcontrol to create content in /var/lib/samba
+- Allow mozilla_exec_t to be used as a entrypoint to
mozilla_domtrans_spec
+- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
+- amanda_exec_t needs to be executable file
+- Allow block_suspend cap for samba-net
+- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
+- Allow init_t to run crash utility
+- Treat usr_t just like bin_t for transitions and executions
+- Add port definition of pka_ca to port 829 for openshift
+- Allow selinux_store to use symlinks
+
+* Mon Sep 9 2013 Miroslav Grepl 3.12.1-79
+- Allow block_suspend cap for samba-net
+- Allow t-mission-control to manage gabble cache files
+- Allow nslcd to read /sys/devices/system/cpu
+- Allow selinux_store to use symlinks
+
+* Mon Sep 9 2013 Miroslav Grepl 3.12.1-78
+- Allow xdm_t to transition to itself
+- Call neutron interfaces instead of quantum
+- Allow init to change targed role to make uncofined services (xrdp which now has own systemd unit file) working. We want them to have in unconfined_t
+- Make sure directories in /run get created with the correct label
+- Make sure /root/.pki gets created with the right label
+- try to remove labeling for motion from zoneminder_exec_t to bin_t
+- Allow inetd_t to execute shell scripts
+- Allow cloud-init to read all domainstate
+- Fix to use quantum port
+- Add interface netowrkmanager_initrc_domtrans
+- Fix boinc_execmem
+- Allow t-mission-control to read gabble cache home
+- Add labeling for ~/.cache/telepathy/avatars/gabble
+- Allow memcache to read sysfs data
+- Cleanup antivirus policy and add additional fixes
+- Add boolean boinc_enable_execstack
+- Add support for couchdb in rabbitmq policy
+- Add interface couchdb_search_pid_dirs
+- Allow firewalld to read NM state
+- Allow systemd running as git_systemd to bind git port
+- Fix mozilla_plugin_rw_tmpfs_files()
+
+* Thu Sep 5 2013 Miroslav Grepl 3.12.1-77
+- Split out rlogin ports from inetd
+- Treat files labeld as usr_t like bin_t when it comes to transitions
+- Allow staff_t to read login config
+- Allow ipsec_t to read
.google authenticator data
+- Allow systemd running as git_systemd to bind git port
+- Fix mozilla_plugin_rw_tmpfs_files()
+- Call the correct interface - corenet_udp_bind_ktalkd_port()
+- Allow all domains that can read gnome_config to read kde config
+- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
+- Allow mdadm to getattr any file system
+- Allow a confined domain to executes mozilla_exec_t via dbus
+- Allow cupsd_lpd_t to bind to the printer port
+- Dontaudit attempts to bind to ports < 1024 when nis is turned on
+- Allow apache domain to connect to gssproxy socket
+- Allow rlogind to bind to the rlogin_port
+- Allow telnetd to bind to the telnetd_port
+- Allow ktalkd to bind to the ktalkd_port
+- Allow cvs to bind to the cvs_port
+
+* Wed Sep 4 2013 Miroslav Grepl 3.12.1-76
+- Cleanup related to init_domain()+inetd_domain fixes
+- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
+- svirt domains neeed to create kobject_uevint_sockets
+- Lots of new access required for sosreport
+- Allow tgtd_t to connect to isns ports
+- Allow init_t to transition to all inetd domains:
+- openct needs to be able to create netlink_object_uevent_sockets
+- Dontaudit leaks into ldconfig_t
+- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
+- Move kernel_stream_connect into all Xwindow using users
+- Dontaudit inherited lock files in ifconfig o dhcpc_t
+
+* Tue Sep 3 2013 Miroslav Grepl 3.12.1-75
+- Also sock_file trans rule is needed in lsm
+- Fix labeling for fetchmail pid files/dirs
+- Add additional fixes for abrt-upload-watch
+- Fix polipo.te
+- Fix transition rules in asterisk policy
+- Add fowner capability to networkmanager policy
+- Allow polipo to connect to tor ports
+- Cleanup lsmd.if
+- Cleanup openhpid policy
+- Fix kdump_read_crash() interface
+- Make more domains as init domain
+- Fix cupsd.te
+- Fix requires in rpm_rw_script_inherited_pipes
+- Fix interfaces
in lsm.if +- Allow munin service plugins to manage own tmpfs files/dirs +- Allow virtd_t also relabel unix stream sockets for virt_image_type +- Make ktalk as init domain +- Fix to define ktalkd_unit_file_t correctly +- Fix ktalk.fc +- Add systemd support for talk-server +- Allow glusterd to create sock_file in /run +- Allow xdm_t to delete gkeyringd_tmp_t files on logout +- Add fixes for hypervkvp policy +- Add logwatch_can_sendmail boolean +- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb +- Allow xdm_t to delete gkeyringd_tmp_t files on logout + +* Thu Aug 29 2013 Miroslav Grepl 3.12.1-74 +- Add selinux-policy-sandbox pkg + +* Tue Aug 27 2013 Miroslav Grepl 3.12.1-73 +0 +- Allow rhsmcertd to read init state +- Allow fsetid for pkcsslotd +- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service +- Allow fetchmail to create own pid with correct labeling +- Fix rhcs_domain_template() +- Allow roles which can run mock to read mock lib files to view results +- Allow rpcbind to use nsswitch +- Fix lsm.if summary +- Fix collectd_t can read /etc/passwd file +- Label systemd unit files under dracut correctly +- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh +- Add support for .Xauthority-n +- Label umount.crypt as lvm_exec_t +- Allow syslogd to search psad lib files +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files + +* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72 +- Add policy for lsmd +- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory +- Update condor_master rules to allow read system state info and allow logging +- Add labeling for /etc/condor and allow condor domain to write it (bug) +- Allow condor domains to manage own logs +- Allow 
glusterd to read domains state
+- Fix initial hypervkvp policy
+- Add policy for hypervkvpd
+- Fix redis.if summary
+
+* Wed Aug 21 2013 Miroslav Grepl 3.12.1-71
+- Allow boinc to connect to @/tmp/.X11-unix/X0
+- Allow beam.smp to connect to tcp/5984
+- Allow named to manage own log files
+- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
+- Add virt_transition_userdomain boolean decl
+- Allow httpd_t to sendto unix_dgram sockets on its children
+- Allow nova domains to execute ifconfig
+- bluetooth wants to create fifo_files in /tmp
+- exim needs to be able to manage mailman data
+- Allow sysstat to getattr on all file systems
+- Looks like bluetoothd has moved
+- Allow collectd to send ping packets
+- Allow svirt_lxc domains to getpgid
+- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
+- Allow frpintd_t to read /dev/urandom
+- Allow asterisk_t to create sock_file in /var/run
+- Allow usbmuxd to use netlink_kobject
+- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
+- More cleanup of svirt_lxc policy
+- virtd_lxc_t now talks to dbus
+- Dontaudit leaked ptmx_t
+- Allow processes to use inherited fifo files
+- Allow openvpn_t to connect to squid ports
+- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
+- Allow ssh_t to use /dev/ptmx
+- Make sure /run/pluto dir is created with correct labeling
+- Allow syslog to run shell and bin_t commands
+- Allow ip to relabel tun_sockets
+- Allow mount to create directories in files under /run
+- Allow processes to use inherited fifo files
+- Allow user roles to connect to the journal socket
+
+* Thu Aug 8 2013 Miroslav Grepl 3.12.1-70
+- selinux_set_enforce_mode needs to be used with type
+- Add append to the dontaudit for unix_stream_socket of xdm_t leak
+- Allow xdm_t to create symlinks in log direcotries
+- Allow login programs to read afs config
+- Label 10933 as a
pop port, for dovecot
+- New policy to allow selinux_server.py to run as semanage_t as a dbus service
+- Add fixes to make netlabelctl working on MLS
+- AVCs required for running sepolicy gui as staff_t
+- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
+- New dbus server to be used with new gui
+- After modifying some files in /etc/mail, I saw this needed on the next boot
+- Loading a vm from /usr/tmp with virt-manager
+- Clean up oracleasm policy for Fedora
+- Add oracleasm policy written by rlopez@redhat.com
+- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
+- Add label for /var/crash
+- Allow fenced to domtrans to sanclok_t
+- Allow nagios to manage nagios spool files
+- Make tfptd as home_manager
+- Allow kdump to read kcore on MLS system
+- Allow mysqld-safe sys_nice/sys_resource caps
+- Allow apache to search automount tmp dirs if http_use_nfs is enabled
+- Allow crond to transition to named_t, for use with unbound
+- Allow crond to look at named_conf_t, for unbound
+- Allow mozilla_plugin_t to transition its home content
+- Allow dovecot_domain to read all system and network state
+- Allow httpd_user_script_t to call getpw
+- Allow semanage to read pid files
+- Dontaudit leaked file descriptors from user domain into thumb
+- Make PAM authentication working if it is enabled in ejabberd
+- Add fixes for rabbit to fix ##992920,#992931
+- Allow glusterd to mount filesystems
+- Loading a vm from /usr/tmp with virt-manager
+- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
+- Add fix for pand service
+- shorewall touches own log
+- Allow nrpe to list /var
+- Mozilla_plugin_roles can not be passed into lpd_run_lpr
+- Allow afs domains to read afs_config files
+- Allow login programs to read afs config
+- Allow virt_domain to read virt_var_run_t symlinks
+- Allow smokeping to send its process signals
+- Allow fetchmail to setuid
+- Add
kdump_manage_crash() interface
+- Allow abrt domain to write abrt.socket
+
+* Wed Jul 31 2013 Miroslav Grepl 3.12.1-69
+- Add more aliases in pegasus.te
+- Add more fixes for *_admin interfaces
+- Add interface fixes
+- Allow nscd to stream connect to nmbd
+- Allow gnupg apps to write to pcscd socket
+- Add more fixes for openlmi provides. Fix naming and support for additionals
+- Allow fetchmail to resolve host names
+- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
+- Add labeling for cmpiLMI_Fan-cimprovagt
+- Allow net_admin for glusterd
+- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
+- Add pegasus_openlmi_system_t
+- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
+- Fix corecmd_exec_chroot()
+- Fix logging_relabel_syslog_pid_socket interface
+- Fix typo in unconfineduser.te
+- Allow system_r to access unconfined_dbusd_t to run hp_chec
+
+* Tue Jul 30 2013 Miroslav Grepl 3.12.1-68
+- Allow xdm_t to act as a dbus client to itsel
+- Allow fetchmail to resolve host names
+- Allow gnupg apps to write to pcscd socket
+- Add labeling for cmpiLMI_Fan-cimprovagt
+- Allow net_admin for glusterd
+- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
+- Add pegasus_openlmi_system_t
+- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
+-httpd_t does access_check on certs
+
+* Fri Jul 26 2013 Miroslav Grepl 3.12.1-67
+- Add support for cmpiLMI_Service-cimprovagt
+- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
+- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
+- Add support for pycmpiLMI_Storage-cimprovagt
+- Add support for cmpiLMI_Networking-cimprovagt
+- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
+- Allow virtual machines and containers to run as user doains, needed for virt-sandbox
+- Allow buglist.cgi to read cpu info
+
+* Mon Jul 22
2013 Miroslav Grepl 3.12.1-66
+- Allow systemd-tmpfile to handle tmp content in print spool dir
+- Allow systemd-sysctl to send system log messages
+- Add support for RTP media ports and fmpro-internal
+- Make auditd working if audit is configured to perform SINGLE action on disk error
+- Add interfaces to handle systemd units
+- Make systemd-notify working if pcsd is used
+- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
+- Instead of having all unconfined domains get all of the named transition rules,
+- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
+- Add definition for the salt ports
+- Allow xdm_t to create link files in xdm_var_run_t
+- Dontaudit reads of blk files or chr files leaked into ldconfig_t
+- Allow sys_chroot for useradd_t
+- Allow net_raw cap for ipsec_t
+- Allow sysadm_t to reload services
+- Add additional fixes to make strongswan working with a simple conf
+- Allow sysadm_t to enable/disable init_t services
+- Add additional glusterd perms
+- Allow apache to read lnk files in the /mnt directory
+- Allow glusterd to ask the kernel to load a module
+- Fix description of ftpd_use_fusefs boolean
+- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
+- Allow glusterds to request load a kernel module
+- Allow boinc to stream connect to xserver_t
+- Allow sblim domains to read /etc/passwd
+- Allow mdadm to read usb devices
+- Allow collectd to use ping plugin
+- Make foghorn working with SNMP
+- Allow sssd to read ldap certs
+- Allow haproxy to connect to RTP media ports
+- Add additional trans rules for aide_db
+- Add labeling for /usr/lib/pcsd/pcsd
+- Add labeling for /var/log/pcsd
+- Add support for pcs which is a corosync and pacemaker configuration tool
+
+* Wed Jul 17 2013 Miroslav Grepl 3.12.1-65
+- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
+- Add labeling for
/usr/libexec/kde4/polkit-kde-authentication-agent-1
+- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
+- consolekit needs to be able to shut down system
+- Move around interfaces
+- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
+- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
+- Allow gconf-defaults-m to read /etc/passwd
+- Fix pki_rw_tomcat_cert() interface to support lnk_files
+
+* Fri Jul 12 2013 Miroslav Grepl 3.12.1-64
+- Add support for gluster ports
+- Make sure that all keys located in /etc/ssh/ are labeled correctly
+- Make sure apcuspd lock files get created with the correct label
+- Use getcap in gluster.te
+- Fix gluster policy
+- add additional fixes to allow beam.smp to interact with couchdb files
+- Additional fix for #974149
+- Allow gluster to user gluster ports
+- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
+- Allow tgtd working when accessing to the passthrough device
+- Fix labeling for mdadm unit files
+
+* Thu Jul 11 2013 Miroslav Grepl 3.12.1-63
+- Add mdadm fixes
+
+* Tue Jul 9 2013 Miroslav Grepl 3.12.1-62
+- Fix definition of sandbox.disabled to sandbox.pp.disabled
+
+* Mon Jul 8 2013 Miroslav Grepl 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
+* Mon Jul 8 2013 Miroslav Grepl 3.12.1-60
+- Allow nsd_t to read /dev/urand
+- Allow mdadm_t to read framebuffer
+- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
+- Allow mozilla_plugin_config_t to create tmp files
+- Cleanup openvswitch policy
+- Allow mozilla plugin to getattr on all executables
+- Allow l2tpd_t to create fifo_files in /var/run
+- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
+- Allow mdadm to connecto its own unix_stream_socket
+- FIXME: nagios changed locations to /log/nagios which is wrong.
But we need to have this workaround for now.
+- Allow apache to access smokeping pid files
+- Allow rabbitmq_beam_t to getattr on all filesystems
+- Add systemd support for iodined
+- Allow nup_upsdrvctl_t to execute its entrypoint
+- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
+- add labeling for ~/.cache/libvirt-sandbox
+- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
+- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
+- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
+- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs.
+- Allow staff to getsched all domains, required to run htop
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
+* Wed Jul 3 2013 Miroslav Grepl 3.12.1-59
+- Add prosody policy written by Michael Scherer
+- Allow nagios plugins to read /sys info
+- ntpd needs to manage own log files
+- Add support for HOME_DIR/.IBMERS
+- Allow iptables commands to read firewalld config
+- Allow consolekit_t to read utmp
+- Fix filename transitions on .razor directory
+- Add additional fixes to make DSPAM with LDA working
+- Allow snort to read /etc/passwd
+- Allow fail2ban to communicate with firewalld over dbus
+- Dontaudit openshift_cgreoup_file_t read/write leaked dev
+- Allow nfsd to use mountd port
+- Call th proper interface
+- Allow openvswitch to read sys and execute plymouth
+- Allow tmpwatch to read /var/spool/cups/tmp
+- Add support for /usr/libexec/telepathy-rakia
+- Add systemd support for zoneminder
+- Allow mysql to create files/directories under /var/log/mysql
+- Allow zoneminder apache scripts to rw zoneminder tmpfs
+- Allow httpd to manage zoneminder lib files
+- Add zoneminder_run_sudo boolean to allow to start
zoneminder
+- Allow zoneminder to send mails
+- gssproxy_t sock_file can be under /var/lib
+- Allow web domains to connect to whois port.
+- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
+- We really need to add an interface to corenet to define what a web_client_domain is and
+- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
+- Add labeling for cmpiLMI_LogicalFile-cimprovagt
+- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
+- Update policy rules for pegasus_openlmi_logicalfile_t
+- Add initial types for logicalfile/unconfined OpenLMI providers
+- mailmanctl needs to read own log
+- Allow logwatch manage own lock files
+- Allow nrpe to read meminfo
+- Allow httpd to read certs located in pki-ca
+- Add pki_read_tomcat_cert() interface
+- Add support for nagios openshift plugins
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
+* Fri Jun 28 2013 Miroslav Grepl 3.12.1-58
+- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
+- Allow bootloader to manage generic log files
+- Allow ftp to bind to port 989
+- Fix label of new gear directory
+- Add support for new directory /var/lib/openshift/gears/
+- Add openshift_manage_lib_dirs()
+- allow virtd domains to manage setrans_var_run_t
+- Allow useradd to manage all openshift content
+- Add support so that mozilla_plugin_t can use dri devices
+- Allow chronyd to change the scheduler
+- Allow apmd to shut downthe system
+- Devicekit_disk_t needs to manage /etc/fstab
+
+* Wed Jun 26 2013 Miroslav Grepl 3.12.1-57
+- Make DSPAM to act as a LDA working
+- Allow ntop to create netlink socket
+- Allow policykit to send a signal to policykit-auth
+- Allow stapserver to dbus chat with avahi/systemd-logind
+- Fix labeling on haproxy unit file
+- Clean up haproxy policy
+- A new policy for haproxy and placed it to rhcs.te
+- Add support for ldirectord and treat it with cluster_t
+- Make sure anaconda log dir is created with var_log_t
+
+* Mon Jun 24 2013 Miroslav Grepl 3.12.1-56
+- Allow lvm_t to create default targets for filesystem handling
+- Fix labeling for razor-lightdm binaries
+- Allow insmod_t to read any file labeled var_lib_t
+- Add policy for pesign
+- Activate policy for cmpiLMI_Account-cimprovagt
+- Allow isnsd syscall=listen
+- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
+- Allow ctdbd to use udp/4379
+- gatherd wants sys_nice and setsched
+- Add support for texlive2012
+- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
+- Allow cobbler to execute apache with domain transition
+
+* Fri Jun 21 2013 Miroslav Grepl 3.12.1-55
+- condor_collector uses tcp/9000
+- Label /usr/sbin/virtlockd as virtd_exec_t for now
+- Allow cobbler to execute ldconfig
+- Allow NM to execute ssh
+- Allow mdadm to read /dev/crash
+- Allow antivirus domains to connect to snmp port
+- Make amavisd-snmp working correctly
+- Allow nfsd_t to mounton nfsd_fs_t
+- Add initial snapper policy
+- We still
need to have consolekit policy
+- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow dirsrv to read network state
+- Fix pki_read_tomcat_lib_files
+- Add labeling for /usr/libexec/nm-ssh-service
+- Add label cert_t for /var/lib/ipa/pki-ca/publish
+- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
+- Allow nfsd_t to mounton nfsd_fs_t
+- Dontaudit sandbox apps attempting to open user_devpts_t
+- Allow passwd_t to change role to system_r from unconfined_r
+
+* Wed Jun 19 2013 Miroslav Grepl 3.12.1-54
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow ntop to read usbmon devices
+- Add labeling for new polcykit authorizor
+- Dontaudit access checks from fail2ban_client
+- Don't audit access checks by sandbox xserver on xdb var_lib
+- Allow apps that connect to xdm stream to conenct to xdm_dbusd_t stream
+- Fix labeling for all /usr/bim/razor-lightdm-* binaries
+- Add filename trans for /dev/md126p1
+
+* Tue Jun 18 2013 Miroslav Grepl 3.12.1-53
+- Make vdagent able to request loading kernel module
+- Add support for cloud-init make it as unconfined domain
+- Allow snmpd to run smartctl in fsadm_t domain
+- remove duplicate openshift_search_lib() interface
+- Allow mysqld to search openshift lib files
+- Allow openshift cgroup to interact with passedin file descriptors
+- Allow colord to list directories inthe users homedir
+- aide executes prelink to check files
+- Make sure cupsd_t creates content in /etc/cups with the correct label
+- Lest dontaudit apache read all domains, so passenger will not cause this avc
+- Allow gssd to connect to gssproxy
+- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS
+- Allow systemd-tmpfiles to relabel also lock files
+- Allow useradd to add homdir in /var/lib/openshift
+- Allow setfiles and semanage to write output to /run/files
+
+* Fri Jun
14 2013 Miroslav Grepl 3.12.1-52
+- Add labeling for /dev/tgt
+- Dontaudit leak fd from firewalld for modprobe
+- Allow runuser running as rpm_script_t to create netlink_audit socket
+- Allow mdadm to read BIOS non-volatile RAM
+
+* Thu Jun 13 2013 Miroslav Grepl 3.12.1-51
+- accountservice watches when accounts come and go in wtmp
+- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket
+- Add httpd_use_sasl boolean
+- Allow net_admin for tuned_t
+- iscsid needs sys_module to auto-load kernel modules
+- Allow blueman to read bluetooth conf
+- Add nova_manage_lib_files() interface
+- Fix mplayer_filetrans_home_content()
+- Add mplayer_filetrans_home_content()
+- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t
+- Revert "Allow thumb_t to append inherited xdm stream socket"
+- Add iscsi_filetrans_named_content() interface
+- Allow to create .mplayer with the correct labeling for unconfined
+- Allow iscsiadmin to create lock file with the correct labeling
+
+* Tue Jun 11 2013 Miroslav Grepl 3.12.1-50
+- Allow wine to manage wine home content
+- Make amanda working with socket actiovation
+- Add labeling for /usr/sbin/iscsiadm
+- Add support for /var/run/gssproxy.sock
+- dnsmasq_t needs to read sysctl_net_t
+
+* Fri Jun 7 2013 Miroslav Grepl 3.12.1-49
+- Fix courier_domain_template() interface
+- Allow blueman to write ip_forward
+- Allow mongodb to connect to mongodb port
+- Allow mongodb to connect to mongodb port
+- Allow java to bind jobss_debug port
+- Fixes for *_admin interfaces
+- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality
+- Need to assign attribute for courier_domain to all courier_domains
+- Fail2ban reads /etc/passwd
+- postfix_virtual will create new files in postfix_spool_t
+- abrt triggers sys_ptrace by running pidof
+- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it
+- Add passenger fixes needed by foreman
+- Remove dup interfaces
+- Add additional
interfaces for quantum
+- Add new interfaces for dnsmasq
+- Allow passenger to read localization and send signull to itself
+- Allow dnsmasq to stream connect to quantum
+- Add quantum_stream_connect()
+- Make sure that mcollective starts the service with the correct labeling
+- Add labels for ~/.manpath
+- Dontaudit attempts by svirt_t to getpw* calls
+- sandbox domains are trying to look at parent process data
+- Allow courior auth to create its pid file in /var/spool/courier subdir
+- Add fixes for beam to have it working with couchdb
+- Add labeling for /run/nm-xl2tpd.con
+- Allow apache to stream connect to thin
+- Add systemd support for amand
+- Make public types usable for fs mount points
+- Call correct mandb interface in domain.te
+- Allow iptables to r/w quantum inherited pipes and send sigchld
+- Allow ifconfig domtrans to iptables and execute ldconfig
+- Add labels for ~/.manpath
+- Allow systemd to read iscsi lib files
+- seunshare is trying to look at parent process data
+
+* Mon Jun 3 2013 Miroslav Grepl 3.12.1-48
+- Fix openshift_search_lib
+- Add support for abrt-uefioops-oops
+- Allow colord to getattr any file system
+- Allow chrome processes to look at each other
+- Allow sys_ptrace for abrt_t
+- Add new policy for gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- openshift_net_type is interface not template
+- Dontaudit pppd to search gnome config
+- Update openshift_search_lib() interface
+- Add fs_list_pstorefs()
+- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
+- Better labels for raspberry pi devices
+- Allow init to create devpts_t directory
+- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
+- Allow sysadm_t to build kernels
+- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
+- Allow userdomains to stream connect to gssproxy
+- Dontaudit leaked file descriptor writes from firewalld
+- Allow xserver
to read /dev/urandom
+- Add additional fixes for ipsec-mgmt
+- Make SSHing into an Openshift Enterprise Node working
+
+* Wed May 29 2013 Miroslav Grepl 3.12.1-47
+- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime
+- with the proper label.
+- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files
+- Allow systemd-timedated to create adjtime
+- Add clock_create_adjtime()
+- Additional fix ifconfing for #966106
+- Allow kernel_t to create boot.log with correct labeling
+- Remove unconfined_mplayer for which we don't have rules
+- Rename interfaces
+- Add userdom_manage_user_home_files/dirs interfaces
+- Fix files_dontaudit_read_all_non_security_files
+- Fix ipsec_manage_key_file()
+- Fix ipsec_filetrans_key_file()
+- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
+- Fix labeling for ipse.secrets
+- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
+- Add files_dontaudit_read_all_non_security_files() interface
+- /var/log/syslog-ng should be labeled var_log_t
+- Make ifconfig_var_run_t a mountpoint
+- Add transition from ifconfig to dnsmasq
+- Allow ifconfig to execute bin_t/shell_exec_t
+- We want to have hwdb.bin labeled as etc_t
+- update logging_filetrans_named_content() interface
+- Allow systemd_timedate_t to manage /etc/adjtime
+- Allow NM to send signals to l2tpd
+- Update antivirus_can_scan_system boolean
+- Allow devicekit_disk_t to sys_config_tty
+- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories
+- Make printing from vmware working
+- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes
+- Add virt_qemu_ga_data_t for qemu-ga
+- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both
+- Fix typo in virt.te
+- Add virt_qemu_ga_unconfined_t for hook scripts
+- Make sure NetworkManager files get created with the correct label
+- Add
mozilla_plugin_use_gps boolean
+- Fix cyrus to have support for net-snmp
+- Additional fixes for dnsmasq and quantum for #966106
+- Add plymouthd_create_log()
+- remove httpd_use_oddjob for which we don't have rules
+- Add missing rules for httpd_can_network_connect_cobbler
+- Add missing cluster_use_execmem boolean
+- Call userdom_manage_all_user_home_type_files/dirs
+- Additional fix for ftp_home_dir
+- Fix ftp_home_dir boolean
+- Allow squit to recv/send client squid packet
+- Fix nut.te to have nut_domain attribute
+- Add support for ejabberd; TODO: revisit jabberd and rabbit policy
+- Fix amanda policy
+- Add more fixes for domains which use libusb
+- Make domains which use libusb working correctly
+- Allow l2tpd to create ipsec key files with correct labeling and manage them
+- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
+- Allow rabbitmq-beam to bind generic node
+- Allow l2tpd to read ipse-mgmt pid files
+- more fixes for l2tpd, NM and pppd from #967072
+
+* Wed May 22 2013 Miroslav Grepl 3.12.1-46
+- Dontaudit to getattr on dirs for dovecot-deliver
+- Allow raiudusd server connect to postgresql socket
+- Add kerberos support for radiusd
+- Allow saslauthd to connect to ldap port
+- Allow postfix to manage postfix_private_t files
+- Add chronyd support for #965457
+- Fix labeling for HOME_DIR/\.icedtea
+- CHange squid and snmpd to be allowed also write own logs
+- Fix labeling for /usr/libexec/qemu-ga
+- Allow virtd_t to use virt_lock_t
+- Allow also sealert to read the policy from the kernel
+- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content
+- Dontaudit listing of users homedir by sendmail Seems like a leak
+- Allow passenger to transition to puppet master
+- Allow apache to connect to mythtv
+- Add definition for mythtv ports
+
+* Fri May 17 2013 Miroslav Grepl 3.12.1-45
+- Add additional fixes for #948073 bug
+- Allow sge_execd_t to also connect to sge ports
+- Allow openshift_cron_t to
manage openshift_var_lib_t sym links
+- Allow openshift_cron_t to manage openshift_var_lib_t sym links
+- Allow sge_execd to bind sge ports. Allow kill capability and reads cgroup files
+- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
+- Add networkmanager_stream_connect()
+- Make gnome-abrt wokring with staff_t
+- Fix openshift_manage_lib_files() interface
+- mdadm runs ps command which seems to getattr on random log files
+- Allow mozilla_plugin_t to create pulseaudit_home_t directories
+- Allow qemu-ga to shutdown virtual hosts
+- Add labelling for cupsd-browsed
+- Add web browser plugins to connect to aol ports
+- Allow nm-dhcp-helper to stream connect to NM
+- Add port definition for sge ports
+
+* Mon May 13 2013 Miroslav Grepl 3.12.1-44
+- Make sure users and unconfined domains create .hushlogin with the correct label
+- Allow pegaus to chat with realmd over DBus
+- Allow cobblerd to read network state
+- Allow boicn-client to stat on /dev/input/mice
+- Allow certwatch to read net_config_t when it executes apache
+- Allow readahead to create /run/systemd and then create its own directory with the correct label
+
+* Mon May 13 2013 Miroslav Grepl 3.12.1-43
+- Transition directories and files when in a user_tmp_t directory
+- Change certwatch to domtrans to apache instead of just execute
+- Allow virsh_t to read xen lib files
+- update policy rules for pegasus_openlmi_account_t
+- Add support for svnserve_tmp_t
+- Activate account openlmi policy
+- pegasus_openlmi_domain_template needs also require pegasus_t
+- One more fix for policykit.te
+- Call fs_list_cgroups_dirs() in policykit.te
+- Allow nagios service plugin to read mysql config files
+- Add labeling for /var/svn
+- Fix chrome.te
+- Fix pegasus_openlmi_domain_template() interfaces
+- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks
+- Fix location of google-chrome data
+- Add support for chome_sandbox to store content in
the homedir
+- Allow policykit to watch for changes in cgroups file system
+- Add boolean to allow mozilla_plugin_t to use spice
+- Allow collectd to bind to udp port
+- Allow collected_t to read all of /proc
+- Should use netlink socket_perms
+- Should use netlink socket_perms
+- Allow glance domains to connect to apache ports
+- Allow apcupsd_t to manage its log files
+- Allow chrome objects to rw_inherited unix_stream_socket from callers
+- Allow staff_t to execute virtd_exec_t for running vms
+- nfsd_t needs to bind mountd port to make nfs-mountd.service working
+- Allow unbound net_admin capability because of setsockopt syscall
+- Fix fs_list_cgroup_dirs()
+- Label /usr/lib/nagios/plugins/utils.pm as bin_t
+- Remove uplicate definition of fs_read_cgroup_files()
+- Remove duplicate definition of fs_read_cgroup_files()
+- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd
+- Additional interfaces needed to list and read cgroups config
+- Add port definition for collectd port
+- Add labels for /dev/ptp*
+- Allow staff_t to execute virtd_exec_t for running vms
+
+* Mon May 6 2013 Miroslav Grepl 3.12.1-42
+- Allow samba-net to also read realmd tmp files
+- Allow NUT to use serial ports
+- realmd can be started by systemctl now
+
+* Mon May 6 2013 Miroslav Grepl 3.12.1-41
+- Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly
+- Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t
+- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
+- Allow virsh to read xen lock file
+- Allow qemu-ga to create files in /run with proper labeling
+- Allow glusterd to connect to own socket in /tmp
+- Allow glance-api to connect to http port to make glance image-create working
+- Allow keystonte_t to execute rpm
+
+* Fri May 3 2013 Miroslav Grepl 3.12.1-40
+- Fix realmd cache interfaces
+
+* Fri May 3 2013 Miroslav Grepl 3.12.1-39
+- Allow tcpd to execute leafnode
+- Allow
samba-net to read realmd cache files
+- Dontaudit sys_tty_config for alsactl
+- Fix allow rules for postfix_var_run
+- Allow cobblerd to read /etc/passwd
+- Allow pegasus to read exports
+- Allow systemd-timedate to read xdm state
+- Allow mout to stream connect to rpcbind
+- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
+
+* Tue Apr 30 2013 Miroslav Grepl 3.12.1-38
+- Allow thumbnails to share memory with apps which run thumbnails
+- Allow postfix-postqueue block_suspend
+- Add lib interfaces for smsd
+- Add support for nginx
+- Allow s2s running as jabberd_t to connect to jabber_interserver_port_t
+- Allow pki apache domain to create own tmp files and execute httpd_suexec
+- Allow procmail to manger user tmp files/dirs/lnk_files
+- Add virt_stream_connect_svirt() interface
+- Allow dovecot-auth to execute bin_t
+- Allow iscsid to request that kernel load a kernel module
+- Add labeling support for /var/lib/mod_security
+- Allow iw running as tuned_t to create netlink socket
+- Dontaudit sys_tty_config for thumb_t
+- Add labeling for nm-l2tp-service
+- Allow httpd running as certwatch_t to open tcp socket
+- Allow useradd to manager smsd lib files
+- Allow useradd_t to add homedirs in /var/lib
+- Fix typo in userdomain.te
+- Cleanup userdom_read_home_certs
+- Implement userdom_home_reader_certs_type to allow read certs also on encrypt /home with ecryptfs_t
+- Allow staff to stream connect to svirt_t to make gnome-boxes working
+
+* Fri Apr 26 2013 Miroslav Grepl 3.12.1-37
+- Allow lvm to create its own unit files
+- Label /var/lib/sepolgen as selinux_config_t
+- Add filetrans rules for tw devices
+- Add transition from cupsd_config_t to cupsd_t
+
+* Wed Apr 24 2013 Miroslav Grepl 3.12.1-36
+- Add filetrans rules for tw devices
+- Cleanup bad transition lines
+
+* Tue Apr 23 2013 Miroslav Grepl 3.12.1-35
+- Fix lockdev_manage_files()
+- Allow setroubleshootd to read var_lib_t to make email_alert working
+- Add lockdev_manage_files()
+- Call proper interface in virt.te
+- Allow gkeyring_domain to create /var/run/UID/config/dbus file
+- system dbus seems to be blocking suspend
+- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Allow mpd getattr on file system directories
+- Make sure realmd creates content with the correct label
+- Allow systemd-tty-ask to write kmsg
+- Allow mgetty to use lockdev library for device locking
+- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Make sure init.fc files are labeled correctly at creation
+- File name trans vconsole.conf
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
+* Thu Apr 18 2013 Miroslav Grepl 3.12.1-34
+- Allow certmonger to dbus communicate with realmd
+- Make realmd working
+
+* Thu Apr 18 2013 Miroslav Grepl 3.12.1-33
+- Fix mozilla specification of homedir content
+- Allow certmonger to read network state
+- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
+- Label all nagios plugin as unconfined by default
+- Add httpd_serve_cobbler_files()
+- Allow mdadm to read /dev/sr0 and create tmp files
+- Allow certwatch to send mails
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
+* Wed Apr 17 2013 Miroslav Grepl 3.12.1-32
+- Allow realmd to run ipa, really needs to be an unconfined_domain
+- Allow sandbox domains to use inherted terminals
+- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
+- Add label for new alsa pid
+- Alsa now uses a pid file and needs to setsched
+- Fix oracleasmfs_t definition
+- Add support for sshd_unit_file_t
+- Add oracleasmfs_t
+- Allow unlabeled_t files to be stored on unlabeled_t filesystems
+
+* Tue Apr 16 2013 Miroslav Grepl 3.12.1-31
+- Fix description of deny_ptrace boolean
+- Remove allow for execmod lib_t for now
+- Allow quantum to connect to keystone port
+- Allow nova-console to talk with mysql over unix stream socket
+- Allow dirsrv to stream connect to uuidd
+- thumb_t needs to be able to create ~/.cache if it does not exist
+- virtd needs to be able to sys_ptrace when starting and stoping containers
+
+* Mon Apr 15 2013 Miroslav Grepl 3.12.1-30
+- Allow alsa_t signal_perms, we probaly should search for any app that can execute something without transition and give it signal_perms...
+- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
+- Fix deny_ptrace boolean, certain ptrace leaked into the system
+- Allow winbind to manage kerberos_rcache_host
+- Allow spamd to create spamd_var_lib_t directories
+- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs
+- Add mising nslcd_dontaudit_write_sock_file() interface
+- one more fix
+- Fix pki_read_tomcat_lib_files() interface
+- Allow certmonger to read pki-tomcat lib files
+- Allow certwatch to execute bin_t
+- Allow snmp to manage /var/lib/net-snmp files
+- Call snmp_manage_var_lib_files(fogorn_t) instead of snmp_manage_var_dirs
+- Fix vmware_role() interface
+- Fix cobbler_manage_lib_files() interface
+- Allow nagios check disk plugins to execute bin_t
+- Allow quantum to transition to openvswitch_t
+- Allow postdrop to stream connect to postfix-master
+- Allow quantum to stream connect to openvswitch
+- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
+- Allow daemon to send dgrams to initrc_t
+- Allow kdm to start the power service to initiate a reboot or poweroff
+
+* Thu Apr 11 2013 Miroslav Grepl
3.12.1-29
+- Add mising nslcd_dontaudit_write_sock_file() interface
+- one more fix
+- Fix pki_read_tomcat_lib_files() interface
+- Allow certmonger to read pki-tomcat lib files
+- Allow certwatch to execute bin_t
+- Allow snmp to manage /var/lib/net-snmp files
+- Don't audit attempts to write to stream socket of nscld by thumbnailers
+- Allow git_system_t to read network state
+- Allow pegasas to execute mount command
+- Fix desc for drdb_admin
+- Fix condor_amin()
+- Interface fixes for uptime, vdagent, vnstatd
+- Fix labeling for moodle in /var/www/moodle/data
+- Add interface fixes
+- Allow bugzilla to read certs
+- /var/www/moodle needs to be writable by apache
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Fix namespace_init_t to create content with proper labels, and allow it to manage all user content
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Fix sys_nice for cups_domain
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow sched_setscheduler for cupsd_t
+- Add missing context for /usr/sbin/snmpd
+- Kernel_t needs mac_admin in order to support labeled NFS
+- Fix systemd_dontaudit_dbus_chat() interface
+- Add interface to dontaudit attempts to send dbus messages to systemd domains, for xguest
+- Allow consolehelper domain to write Xauth files in /root
+- Add port definition for osapi_compute port
+- Allow unconfined to create /etc/hostname with correct labeling
+- Add systemd_filetrans_named_hostname() interface
+
+* Mon Apr 8 2013 Dan Walsh 3.12.1-28
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow
sched_setscheduler for cupsd_t +- Add missing context for /usr/sbin/snmpd +- Allow consolehelper more access discovered by Tom London +- Allow fsdaemon to send signull to all domain +- Add port definition for osapi_compute port +- Allow unconfined to create /etc/hostname with correct labeling +- Add systemd_filetrans_named_hostname() interface + +* Sat Apr 6 2013 Dan Walsh 3.12.1-27 +- Fix file_contexts.subs to label /run/lock correctly + +* Fri Apr 5 2013 Miroslav Grepl 3.12.1-26 +- Try to label on controlC devices up to 30 correctly +- Add mount_rw_pid_files() interface +- Add additional mount/umount interfaces needed by mock +- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk +- Fix tabs +- Allow initrc_domain to search rgmanager lib files +- Add more fixes which make mock working together with confined users + * Allow mock_t to manage rpm files + * Allow mock_t to read rpm log files + * Allow mock to setattr on tmpfs, devpts + * Allow mount/umount filesystems +- Add rpm_read_log() interface +- yum-cron runs rpm from within it. +- Allow tuned to transition to dmidecode +- Allow firewalld to do net_admin +- Allow mock to unmont tmpfs_t +- Fix virt_sigkill() interface +- Add additional fixes for mock. Mainly caused by mount running in mock_t +- Allow mock to write sysfs_t and mount pid files +- Add mailman_domain to mailman_template() +- Allow openvswitch to execute shell +- Allow qpidd to use kerberos +- Allow mailman to use fusefs, needs back port to RHEL6 +- Allow apache and its scripts to use anon_inodefs +- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7 +- Realmd needs to connect to samba ports, needs back port to F18 also +- Allow colord to read /run/initial-setup- +- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock +- Add virt_kill() interface +- Add rgmanager_search_lib() interface +- Allow wdmd to getattr on all filesystems. 
Back ported from RHEL6
+
+* Tue Apr 2 2013 Miroslav Grepl 3.12.1-25
+- Allow realmd to create tmp files
+- FIx ircssi_home_t type to irssi_home_t
+- Allow adcli running as realmd_t to connect to ldap port
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Make openshift_initrc_t an lxc_domain
+- Allow gssd to manage user_tmp_t files
+- Fix handling of irclogs in users homedir
+- Fix labeling for drupal an wp-content in subdirs of /var/www/html
+- Allow abrt to read utmp_t file
+- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6
+- fix labeling for (oo|rhc)-restorer-wrapper.sh
+- firewalld needs to be able to write to network sysctls
+- Fix mozilla_plugin_dontaudit_rw_sem() interface
+- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
+- Add mozilla_plugin_dontaudit_rw_sem() interface
+- Allow svirt_lxc_t to transition to openshift domains
+- Allow condor domains block_suspend and dac_override caps
+- Allow condor_master to read passd
+- Allow condor_master to read system state
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Lots of access required by lvm_t to created encrypted usb device
+- Allow xdm_t to dbus communicate with systemd_localed_t
+- Label strongswan content as ipsec_exec_mgmt_t for now
+- Allow users to dbus chat with systemd_localed
+- Fix handling of .xsession-errors in xserver.if, so kde will work
+- Might be a bug but we are seeing avc's about people status on init_t:service
+- Make sure we label content under /var/run/lock as <>
+- Allow daemon and systemprocesses to search init_var_run_t directory
+- Add boolean to allow xdm to write xauth data to the home directory
+- Allow mount to write keys for the unconfined domain
+- Add unconfined_write_keys() interface
+
+* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24
+- Add labeling for /usr/share/pki
+- Allow programs that read var_run_t symlinks also read
var_t symlinks
+- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
+- Fix labeling for /etc/dhcp directory
+- add missing systemd_stub_unit_file() interface
+- Add files_stub_var() interface
+- Add lables for cert_t directories
+- Make localectl set-x11-keymap working at all
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow thumb_t to execute user home content
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow certwatch to execut /usr/bin/httpd
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow openshift_cron_t to look at quota
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Add ftpd_use_fusefs boolean
+- Allow dirsrvadmin_t to signal itself
+
+* Wed Mar 20 2013 Miroslav Grepl 3.12.1-23
+- Allow localectl to read /etc/X11/xorg.conf.d directory
+- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
+- Allow mount to transition to systemd_passwd_agent
+- Make sure abrt directories are labeled correctly
+- Allow commands that are going to read mount pid files to search mount_var_run_t
+- label /usr/bin/repoquery as rpm_exec_t
+- Allow automount to block suspend
+- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
+- Allow virt domains to setrlimit and read file_context
+
+* Mon Mar 18 2013 Miroslav Grepl 3.12.1-22
+- Allow nagios to manage nagios spool files
+- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
+- Add swift_alias.* policy files which contain typealiases for swift types
+- Add support for /run/lock/opencryptoki
+- Allow pkcsslotd chown capability
+- Allow pkcsslotd to read passwd
+- Add rsync_stub() interface
+- Allow systemd_timedate also manage gnome config homedirs
+- Label
/usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
+- Fix filetrans rules for kdm creates .xsession-errors
+- Allow sytemd_tmpfiles to create wtmp file
+- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t
+- Allow systemd to list all file system directories
+- Add some basic stub interfaces which will be used in PRODUCT policies
+
+* Wed Mar 13 2013 Miroslav Grepl 3.12.1-21
+- Fix log transition rule for cluster domains
+- Start to group all cluster log together
+- Dont use filename transition for POkemon Advanced Adventure until a new checkpolicy update
+- cups uses usbtty_device_t devices
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Allow domains to transiton using httpd_exec_t
+- Allow svirt domains to manage kernel key rings
+- Allow setroubleshoot to execute ldconfig
+- Allow firewalld to read generate gnome data
+- Allow bluetooth to read machine-info
+- Allow boinc domain to send signal to itself
+- Fix gnome_filetrans_home_content() interface
+- Allow mozilla_plugins to list apache modules, for use with gxine
+- Fix labels for POkemon in the users homedir
+- Allow xguest to read mdstat
+- Dontaudit virt_domains getattr on /dev/*
+- These fixes were all required to build a MLS virtual Machine with single level desktops
+- Need to back port this to RHEL6 for openshift
+- Add tcp/8891 as milter port
+- Allow nsswitch domains to read sssd_var_lib_t files
+- Allow ping to read network state.
+- Fix typo
+- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
+
+* Fri Mar 8 2013 Miroslav Grepl 3.12.1-20
+- Adopt swift changes from lhh@redhat.com
+- Add rhcs_manage_cluster_pid_files() interface
+- Allow screen domains to configure tty and setup sock_file in ~/.screen directory
+- ALlow setroubleshoot to read default_context_t, needed to backport to F18
+- Label /etc/owncloud as being an apache writable directory
+- Allow sshd to stream connect to an lxc domain
+
+* Thu Mar 7 2013 Miroslav Grepl 3.12.1-19
+- Allow postgresql to manage rgmanager pid files
+- Allow postgresql to read ccs data
+- Allow systemd_domain to send dbus messages to policykit
+- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
+- All systemd domains that create content are reading the file_context file and setfscreate
+- Systemd domains need to search through init_var_run_t
+- Allow sshd to communicate with libvirt to set containers labels
+- Add interface to manage pid files
+- Allow NetworkManger_t to read /etc/hostname
+- Dontaudit leaked locked files into openshift_domains
+- Add fixes for oo-cgroup-read - it nows creates tmp files
+- Allow gluster to manage all directories as well as files
+- Dontaudit chrome_sandbox_nacl_t using user terminals
+- Allow sysstat to manage its own log files
+- Allow virtual machines to setrlimit and send itself signals.
+- Add labeling for /var/run/hplip
+
+* Mon Mar 4 2013 Miroslav Grepl 3.12.1-18
+- Fix POSTIN scriptlet
+
+* Fri Mar 1 2013 Miroslav Grepl 3.12.1-17
+- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp
+
+* Wed Feb 27 2013 Miroslav Grepl 3.12.1-16
+- Fix authconfig.py labeling
+- Make any domains that write homedir content do it correctly
+- Allow glusterd to read/write anyhwere on the file system by default
+- Be a little more liberal with the rsync log files
+- Fix iscsi_admin interface
+- Allow iscsid_t to read /dev/urand
+- Fix up iscsi domain for use with unit files
+- Add filename transition support for spamassassin policy
+- Allow web plugins to use badly formated libraries
+- Allow nmbd_t to create samba_var_t directories
+- Add filename transition support for spamassassin policy
+- Add filename transition support for tvtime
+- Fix alsa_home_filetrans_alsa_home() interface
+- Move all userdom_filetrans_home_content() calling out of booleans
+- Allow logrotote to getattr on all file sytems
+- Remove duplicate userdom_filetrans_home_content() calling
+- Allow kadmind to read /etc/passwd
+- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
+- Allow antivirus domain to manage antivirus db links
+- Allow logrotate to read /sys
+- Allow mandb to setattr on man dirs
+- Remove mozilla_plugin_enable_homedirs boolean
+- Fix ftp_home_dir boolean
+- homedir mozilla filetrans has been moved to userdom_home_manager
+- homedir telepathy filetrans has been moved to userdom_home_manager
+- Remove gnome_home_dir_filetrans() from gnome_role_gkeyringd()
+- Might want to eventually write a daemon on fusefsd.
+- Add policy fixes for sshd [net] child from plautrba@redhat.com
+- Tor uses a new port
+- Remove bin_t for authconfig.py
+- Fix so only one call to userdom_home_file_trans
+- Allow home_manager_types to create content with the correctl label
+- Fix all domains that write data into the homedir to do it with the correct label
+- Change the postgresql to use proper boolean names, which is causing httpd_t to
+- not get access to postgresql_var_run_t
+- Hostname needs to send syslog messages
+- Localectl needs to be able to send dbus signals to users
+- Make sure userdom_filetrans_type will create files/dirs with user_home_t labeling by default
+- Allow user_home_manger domains to create spam* homedir content with correct labeling
+- Allow user_home_manger domains to create HOMEDIR/.tvtime with correct labeling
+- Add missing miscfiles_setattr_man_pages() interface and for now comment some rules for userdom_filetrans_type to make build process working
+- Declare userdom_filetrans_type attribute
+- userdom_manage_home_role() needs to be called withoout usertype attribute because of userdom_filetrans_type attribute
+- fusefsd is mounding a fuse file system on /run/user/UID/gvfs
+
+* Thu Feb 21 2013 Miroslav Grepl 3.12.1-15
+- Man pages are now generated in the build process
+- Allow cgred to list inotifyfs filesystem
+
+* Wed Feb 20 2013 Miroslav Grepl 3.12.1-14
+- Allow gluster to get attrs on all fs
+- New access required for virt-sandbox
+- Allow dnsmasq to execute bin_t
+- Allow dnsmasq to create content in /var/run/NetworkManager
+- Fix openshift_initrc_signal() interface
+- Dontaudit openshift domains doing getattr on other domains
+- Allow consolehelper domain to communicate with session bus
+- Mock should not be transitioning to any other domains, we should keep mock_t as mock_t
+- Update virt_qemu_ga_t policy
+- Allow authconfig running from realmd to restart oddjob service
+- Add systemd support for oddjob
+- Add initial policy for realmd_consolehelper_t which
if for authconfig executed by realmd
+- Add labeling for gnashpluginrc
+- Allow chrome_nacl to execute /dev/zero
+- Allow condor domains to read /proc
+- mozilla_plugin_t will getattr on /core if firefox crashes
+- Allow condor domains to read /etc/passwd
+- Allow dnsmasq to execute shell scripts, openstack requires this access
+- Fix glusterd labeling
+- Allow virtd_t to interact with the socket type
+- Allow nmbd_t to override dac if you turned on sharing all files
+- Allow tuned to created kobject_uevent socket
+- Allow guest user to run fusermount
+- Allow openshift to read /proc and locale
+- Allow realmd to dbus chat with rpm
+- Add new interface for virt
+- Remove depracated interfaces
+- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket
+- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
+- Remove some more unconfined_t process transitions, that I don't believe are necessary
+- Stop transitioning uncofnined_t to checkpc
+- dmraid creates /var/lock/dmraid
+- Allow systemd_localed to creatre unix_dgram_sockets
+- Allow systemd_localed to write kernel messages.
+- Also cleanup systemd definition a little.
+- Fix userdom_restricted_xwindows_user_template() interface
+- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
+- User accounts need to dbus chat with accountsd daemon
+- Gnome requires all users to be able to read /proc/1/
+
+* Thu Feb 14 2013 Miroslav Grepl 3.12.1-13
+- virsh now does a setexeccon call
+- Additional rules required by openshift domains
+- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
+- Allow spamd_update_t to search spamc_home_t
+- Avcs discovered by mounting an isci device under /mnt
+- Allow lspci running as logrotate to read pci.ids
+- Additional fix for networkmanager_read_pid_files()
+- Fix networkmanager_read_pid_files() interface
+- Allow all svirt domains to connect to svirt_socket_t
+- Allow virsh to set SELinux context for a process.
+- Allow tuned to create netlink_kobject_uevent_socket
+- Allow systemd-timestamp to set SELinux context
+- Add support for /var/lib/systemd/linger
+- Fix ssh_sysadm_login to be working on MLS as expected
+
+* Mon Feb 11 2013 Miroslav Grepl 3.12.1-12
+- Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
+- Add missing files_rw_inherited_tmp_files interface
+- Add additional interface for ecryptfs
+- ALlow nova-cert to connect to postgresql
+- Allow keystone to connect to postgresql
+- Allow all cups domains to getattr on filesystems
+- Allow pppd to send signull
+- Allow tuned to execute ldconfig
+- Allow gpg to read fips_enabled
+- Add additional fixes for ecryptfs
+- Allow httpd to work with posgresql
+- Allow keystone getsched and setsched
+
+* Fri Feb 8 2013 Miroslav Grepl 3.12.1-11
+- Allow gpg to read fips_enabled
+- Add support for /var/cache/realmd
+- Add support for /usr/sbin/blazer_usb and systemd support for nut
+- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
+- bitlbee wants to read own log file
+- Allow glance domain to send a signal itself
+- Allow xend_t to
request that the kernel load a kernel module
+- Allow pacemaker to execute heartbeat lib files
+- cleanup new swift policy
+
+* Tue Feb 5 2013 Miroslav Grepl 3.12.1-10
+- Fix smartmontools
+- Fix userdom_restricted_xwindows_user_template() interface
+- Add xserver_xdm_ioctl_log() interface
+- Allow Xusers to ioctl lxdm.log to make lxdm working
+- Add MLS fixes to make MLS boot/log-in working
+- Add mls_socket_write_all_levels() also for syslogd
+- fsck.xfs needs to read passwd
+- Fix ntp_filetrans_named_content calling in init.te
+- Allow postgresql to create pg_log dir
+- Allow sshd to read rsync_data_t to make rsync working
+- Change ntp.conf to be labeled net_conf_t
+- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
+- Allow xdm_t to execute gstreamer home content
+- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
+- New policy for openstack swift domains
+- More access required for openshift_cron_t
+- Use cupsd_log_t instead of cupsd_var_log_t
+- rpm_script_roles should be used in rpm_run
+- Fix rpm_run() interface
+- Fix openshift_initrc_run()
+- Fix sssd_dontaudit_stream_connect() interface
+- Fix sssd_dontaudit_stream_connect() interface
+- Allow LDA's job to deliver mail to the mailbox
+- dontaudit block_suspend for mozilla_plugin_t
+- Allow l2tpd_t to all signal perms
+- Allow uuidgen to read /dev/random
+- Allow mozilla-plugin-config to read power_supply info
+- Implement cups_domain attribute for cups domains
+- We now need access to user terminals since we start by executing a command outside the tty
+- We now need access to user terminals since we start by executing a command outside the tty
+- svirt lxc containers want to execute userhelper apps, need these changes to allow this to happen
+- Add containment of openshift cron jobs
+- Allow system cron jobs to create tmp directories
+- Make userhelp_conf_t a config file
+- Change rpm to use rpm_script_roles
+- More fixes for rsync to make
rsync wokring
+- Allow logwatch to domtrans to mdadm
+- Allow pacemaker to domtrans to ifconfig
+- Allow pacemaker to setattr on corosync.log
+- Add pacemaker_use_execmem for memcheck-amd64 command
+- Allow block_suspend capability
+- Allow create fifo_file in /tmp with pacemaker_tmp_t
+- Allow systat to getattr on fixed disk
+- Relabel /etc/ntp.conf to be net_conf_t
+- ntp_admin should create files in /etc with the correct label
+- Add interface to create ntp_conf_t files in /etc
+- Add additional labeling for quantum
+- Allow quantum to execute dnsmasq with transition
+
+* Wed Jan 30 2013 Miroslav Grepl 3.12.1-9
+- boinc_cliean wants also execmem as boinc projecs have
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow sa-update to search admin home for /root/.spamassassin
+- Allow antivirus domain to read net sysctl
+- Dontaudit attempts from thumb_t to connect to ssd
+- Dontaudit attempts by readahead to read sock_files
+- Dontaudit attempts by readahead to read sock_files
+- Create tmpfs file while running as wine as user_tmpfs_t
+- Dontaudit attempts by readahead to read sock_files
+- libmpg ships badly created librarie
+
+* Mon Jan 28 2013 Miroslav Grepl 3.12.1-8
+- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
+- Allow confined users to read systemd_logind seat information
+- libmpg ships badly created libraries
+- Add support for strongswan.service
+- Add labeling for strongswan
+- Allow l2tpd_t to read network manager content in /run directory
+- Allow rsync to getattr any file in rsync_data_t
+- Add labeling and filename transition for .grl-podcasts
+
+* Fri Jan 25 2013 Miroslav Grepl 3.12.1-7
+- mount.glusterfs executes glusterfsd binary
+- Allow systemd_hostnamed_t to stream connect to systemd
+- Dontaudit any user doing a access check
+- Allow obex-data-server to request the kernel to load a module
+- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
+- Allow gpg-agent to read
/proc/sys/crypto/fips_enabled +- Add new types for antivirus.pp policy module +- Allow gnomesystemmm_t caps because of ioprio_set +- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t +- Allow gnomesystemmm_t caps because of ioprio_set +- Allow NM rawip socket +- files_relabel_non_security_files can not be used with boolean +- Add interface to thumb_t dbus_chat to allow it to read remote process state +- ALlow logrotate to domtrans to mdadm_t +- kde gnomeclock wants to write content to /tmp + +* Wed Jan 23 2013 Miroslav Grepl 3.12.1-6 +- kde gnomeclock wants to write content to /tmp +- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde +- Allow blueman_t to rwx zero_device_t, for some kind of jre +- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre +- Ftp full access should be allowed to create directories as well as files +- Add boolean to allow rsync_full_acces, so that an rsync server can write all +- over the local machine +- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 +- Add missing vpnc_roles type line +- Allow stapserver to write content in /tmp +- Allow gnome keyring to create keyrings dir in ~/.local/share +- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on +- Add interface to colord_t dbus_chat to allow it to read remote process state +- Allow colord_t to read cupsd_t state +- Add mate-thumbnail-font as thumnailer +- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. +- Allow qpidd to list /tmp. Needed by ssl +- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 +- - Added systemd support for ksmtuned +- Added booleans + ksmtuned_use_nfs + ksmtuned_use_cifs +- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. 
Would like to clean this up but for now we will allow
+- Looks like qpidd_t needs to read /dev/random
+- Lots of probing avc's caused by execugting gpg from staff_t
+- Dontaudit senmail triggering a net_admin avc
+- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port
+- Logwatch does access check on mdadm binary
+- Add raid_access_check_mdadm() iterface
+
+* Wed Jan 16 2013 Miroslav Grepl 3.12.1-5
+- Fix systemd_manage_unit_symlinks() interface
+- Call systemd_manage_unit_symlinks(() which is correct interface
+- Add filename transition for opasswd
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow sytstemd-timedated to get status of init_t
+- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_t
+- colord needs to communicate with systemd and systemd_logind, also remove duplicate rules
+- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
+- Allow gpg_t to manage all gnome files
+- Stop using pcscd_read_pub_files
+- New rules for xguest, dontaudit attempts to dbus chat
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- Allow firewalld to create its mmap files in tmpfs and tmp directories
+- run unbound-chkconf as named_t, so it can read dnssec
+- Colord is reading xdm process state, probably reads state of any apps that sends dbus message
+- Allow mdadm_t to change the kernel scheduler
+- mythtv policy
+- Update mandb_admin() interface
+- Allow dsspam to listen on own tpc_socket
+- seutil_filetrans_named_content needs to be optional
+- Allow sysadm_t to execute content in his homedir
+- Add attach_queue to tun_socket, new patch from Paul Moore
+- Change most of selinux configuration types to security_file_type.
+- Add filename transition rules for selinux configuration
+- ssh into a box with -X -Y requires ssh_use_ptys
+- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
+- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated
+- New allow rules found by Tom London for systemd_hostnamed
+
+* Mon Jan 14 2013 Miroslav Grepl 3.12.1-4
+- Allow systemd-tmpfiles to relabel lpd spool files
+- Ad labeling for texlive bash scripts
+- Add xserver_filetrans_fonts_cache_home_content() interface
+- Remove duplicate rules from *.te
+- Add support for /var/lock/man-db.lock
+- Add support for /var/tmp/abrt(/.*)?
+- Add additional labeling for munin cgi scripts
+- Allow httpd_t to read munin conf files
+- Allow certwatch to read meminfo
+- Fix nscd_dontaudit_write_sock_file() interfac
+- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
+- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
+
+* Fri Jan 11 2013 Miroslav Grepl 3.12.1-3
+- Allow gnomeclock to talk to puppet over dbus
+- Allow numad access discovered by Dominic
+- Add support for HOME_DIR/.maildir
+- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
+- Allow udev to relabel udev_var_run_t lnk_files
+- New bin_t file in mcelog
+
+* Thu Jan 10 2013 Miroslav Grepl 3.12.1-2
+- Remove all mcs overrides and replace with t1 != mcs_constrained_types
+- Add attribute_role for iptables
+- mcs_process_set_categories needs to be called for type
+- Implement additional role_attribute statements
+- Sodo domain is attempting to get the additributes of proc_kcore_t
+- Unbound uses port 8953
+- Allow svirt_t images to compromise_kernel when using pci-passthrough
+- Add label for dns lib files
+- Bluetooth aquires a dbus name
+- Remove redundant files_read_usr_file calling
+- Remove redundant files_read_etc_file calling
+- Fix mozilla_run_plugin()
+- Add role_attribute support for more domains
+
+* Wed Jan 9 2013 Miroslav Grepl 3.12.1-1
+- Mass merge with upstream
+
+* Sat Jan 5 2013 Dan Walsh 3.11.1-69.1
+- Bump the policy version to 28 to match selinux userspace
+- Rebuild versus latest libsepol
+
+* Wed Jan 2 2013 Miroslav Grepl 3.11.1-69
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Add labeling for /var/named/chroot/etc/localtim
+
+* Thu Dec 27 2012 Miroslav Grepl 3.11.1-68
+- Allow setroubleshoot_fixit to execute rpm
+- zoneminder needs to connect to httpd ports where remote cameras are listening
+- Allow firewalld to execute content created in /run directory
+- Allow svirt_t to read generic certs
+- Dontaudit leaked ps content to mozilla plugin
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- init scripts are creating systemd_unit_file_t directories
+
+* Fri Dec 21 2012 Miroslav Grepl 3.11.1-67
+- systemd_logind_t is looking at all files under /run/user/apache
+- Allow systemd to manage all user tmp files
+- Add labeling for /var/named/chroot/etc/localtime
+- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
+- Keystone is now using a differnt port
+- Allow xdm_t to use usbmuxd daemon to control sound
+- Allow passwd daemon to execute gnome_exec_keyringd
+- Fix
chrome_sandbox policy
+- Add labeling for /var/run/checkquorum-timer
+- More fixes for the dspam domain, needs back port to RHEL6
+- More fixes for the dspam domain, needs back port to RHEL6
+- sssd needs to connect to kerberos password port if a user changes his password
+- Lots of fixes from RHEL testing of dspam web
+- Allow chrome and mozilla_plugin to create msgq and semaphores
+- Fixes for dspam cgi scripts
+- Fixes for dspam cgi scripts
+- Allow confine users to ptrace screen
+- Backport virt_qemu_ga_t changes from RHEL
+- Fix labeling for dspam.cgi needed for RHEL6
+- We need to back port this policy to RHEL6, for lxc domains
+- Dontaudit attempts to set sys_resource of logrotate
+- Allow corosync to read/write wdmd's tmpfs files
+- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
+- Allow cron jobs to read bind config for unbound
+- libvirt needs to inhibit systemd
+- kdumpctl needs to delete boot_t files
+- Fix duplicate gnome_config_filetrans
+- virtd_lxc_t is using /dev/fuse
+- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
+- apcupsd can be setup to listen to snmp trafic
+- Allow transition from kdumpgui to kdumpctl
+- Add fixes for munin CGI scripts
+- Allow deltacloud to connect to openstack at the keystone port
+- Allow domains that transition to svirt domains to be able to signal them
+- Fix file context of gstreamer in .cache directory
+- libvirt is communicating with logind
+- NetworkManager writes to the systemd inhibit pipe
+
+* Mon Dec 17 2012 Miroslav Grepl 3.11.1-66
+- Allow munin disk plugins to get attributes of all directories
+- Allow munin disk plugins to get attributes of all directorie
+- Allow logwatch to get attributes of all directories
+- Fix networkmanager_manage_lib() interface
+- Fix gnome_manage_config() to allow to manage sock_file
+- Fix virtual_domain_context
+- Add support for dynamic DNS for DHCPv6
+
+* Sat Dec 15 2012 Miroslav Grepl
3.11.1-65
+- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch
+- Add additional labeling for /var/www/openshift/broker
+- Fix rhev policy
+- Allow openshift_initrc domain to dbus chat with systemd_logind
+- Allow httpd to getattr passenger log file if run_stickshift
+- Allow consolehelper-gtk to connect to xserver
+- Add labeling for the tmp-inst directory defined in pam_namespace.conf
+- Add lvm_metadata_t labeling for /etc/multipath
+
+* Fri Dec 14 2012 Miroslav Grepl 3.11.1-64
+- consoletype is no longer used
+
+* Wed Dec 12 2012 Miroslav Grepl 3.11.1-63
+- Add label for efivarfs
+- Allow certmonger to send signal to itself
+- Allow plugin-config to read own process status
+- Add more fixes for pacemaker
+- apache/drupal can run clamscan on uploaded content
+- Allow chrome_sandbox_nacl_t to read pid 1 content
+
+* Tue Dec 11 2012 Miroslav Grepl 3.11.1-62
+- Fix MCS Constraints to control ingres and egres controls on the network.
+- Change name of svirt_nokvm_t to svirt_tcg_t
+- Allow tuned to request the kernel to load kernel modules
+
+* Mon Dec 10 2012 Miroslav Grepl 3.11.1-61
+- Label /var/lib/pgsql/.ssh as ssh_home_t
+- Add labeling for /usr/bin/pg_ctl
+- Allow systemd-logind to manage keyring user tmp dirs
+- Add support for 7389/tcp port
+- gems seems to be placed in lots of places
+- Since xdm is running a full session, it seems to be trying to execute lots of executables via dbus
+- Add back tcp/8123 port as http_cache port
+- Add ovirt-guest-agent\.pid labeling
+- Allow xend to run scsi_id
+- Allow rhsmcertd-worker to read "physical_package_id"
+- Allow pki_tomcat to connect to ldap port
+- Allow lpr to read /usr/share/fonts
+- Allow open file from CD/DVD drive on domU
+- Allow munin services plugins to talk to SSSD
+- Allow all samba domains to create samba directory in var_t directories
+- Take away svirt_t ability to use nsswitch
+- Dontaudit attempts by openshift to read apache logs
+- Allow apache to create as well as
append _ra_content_t
+- Dontaudit sendmail_t reading a leaked file descriptor
+- Add interface to have admin transition /etc/prelink.cache to the proper label
+- Add sntp support to ntp policy
+- Allow firewalld to dbus chat with devicekit_power
+- Allow tuned to call lsblk
+- Allow tor to read /proc/sys/kernel/random/uuid
+- Add tor_can_network_relay boolean
+
+* Wed Dec 5 2012 Miroslav Grepl 3.11.1-60
+- Add openshift_initrc_signal() interface
+- Fix typos
+- dspam port is treat as spamd_port_t
+- Allow setroubleshoot to getattr on all executables
+- Allow tuned to execute profiles scripts in /etc/tuned
+- Allow apache to create directories to store its log files
+- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t
+- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6
+- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM
+- Add filename transition for /etc/tuned/active_profile
+- Allow condor_master to send mails
+- Allow condor_master to read submit.cf
+- Allow condor_master to create /tmp files/dirs
+- Allow condor_mater to send sigkill to other condor domains
+- Allow condor_procd sigkill capability
+- tuned-adm wants to talk with tuned daemon
+- Allow kadmind and krb5kdc to also list sssd_public_t
+- Allow accountsd to dbus chat with init
+- Fix git_read_generic_system_content_files() interface
+- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
+- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
+- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t
+- dspam wants to search /var/spool for opendkim data
+- Revert "Add support for tcp/10026 port as dspam_port_t"
+- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6
+- Allow all application domains to use fifo_files passed in from
userdomains, also allow them to write to tmp_files inherited from userdomain
+- Allow systemd_tmpfiles_t to setattr on mandb_cache_t
+
+* Sat Dec 1 2012 Miroslav Grepl 3.11.1-59
+- consolekit.pp was not removed from the postinstall script
+
+* Fri Nov 30 2012 Miroslav Grepl 3.11.1-58
+- Add back consolekit policy
+- Silence bootloader trying to use inherited tty
+- Silence xdm_dbusd_t trying to execute telepathy apps
+- Fix shutdown avcs when machine has unconfined.pp disabled
+- The host and a virtual machine can share the same printer on a usb device
+- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob
+- Allow abrt_watch_log_t to execute bin_t
+- Allow chrome sandbox to write content in ~/.config/chromium
+- Dontaudit setattr on fontconfig dir for thumb_t
+- Allow lircd to request the kernel to load module
+- Make rsync as userdom_home_manager
+- Allow rsync to search automount filesystem
+- Add fixes for pacemaker
+
+* Wed Nov 28 2012 Miroslav Grepl 3.11.1-57
+- Add support for 4567/tcp port
+- Random fixes from Tuomo Soini
+- xdm wants to get init status
+- Allow programs to run in fips_mode
+- Add interface to allow the reading of all blk device nodes
+- Allow init to relabel rpcbind sock_file
+- Fix labeling for lastlog and faillog related to logrotate
+- ALlow aeolus_configserver to use TRAM port
+- Add fixes for aeolus_configserver
+- Allow snmpd to connect to snmp port
+- Allow spamd_update to create spamd_var_lib_t directories
+- Allow domains that can read sssd_public_t files to also list the directory
+- Remove miscfiles_read_localization, this is defined for all domains
+
+* Mon Nov 26 2012 Miroslav Grepl 3.11.1-56
+- Allow syslogd to request the kernel to load a module
+- Allow syslogd_t to read the network state information
+- Allow xdm_dbusd_t connect to the system DBUS
+- Add support for 7389/tcp port
+- Allow domains to read/write all inherited sockets
+- Allow staff_t to read kmsg
+- Add awstats_purge_apache_log
boolean
+- Allow ksysguardproces to read /.config/Trolltech.conf
+- Allow passenger to create and append puppet log files
+- Add puppet_append_log and puppet_create_log interfaces
+- Add puppet_manage_log() interface
+- Allow tomcat domain to search tomcat_var_lib_t
+- Allow pki_tomcat_t to connect to pki_ca ports
+- Allow pegasus_t to have net_admin capability
+- Allow pegasus_t to write /sys/class/net//flags
+- Allow mailserver_delivery to manage mail_home_rw_t lnk_files
+- Allow fetchmail to create log files
+- Allow gnomeclock to manage home config in .kde
+- Allow bittlebee to read kernel sysctls
+- Allow logrotate to list /root
+
+* Mon Nov 19 2012 Miroslav Grepl 3.11.1-55
+- Fix userhelper_console_role_template()
+- Allow enabling Network Access Point service using blueman
+- Make vmware_host_t as unconfined domain
+- Allow authenticate users in webaccess via squid, using mysql as backend
+- Allow gathers to get various metrics on mounted file systems
+- Allow firewalld to read /etc/hosts
+- Fix cron_admin_role() to make sysadm cronjobs running in the sysadm_t instead of cronjob_t
+- Allow kdumpgui to read/write to zipl.conf
+- Commands needed to get mock to build from staff_t in enforcing mode
+- Allow mdadm_t to manage cgroup files
+- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
+- dontaudit ifconfig_t looking at fifo_files that are leaked to it
+- Add lableing for Quest Authentication System
+
+* Thu Nov 15 2012 Miroslav Grepl 3.11.1-54
+- Fix filetrans interface definitions
+- Dontaudit xdm_t to getattr on BOINC lib files
+- Add systemd_reload_all_services() interface
+- Dontaudit write access on /var/lib/net-snmp/mib_indexes
+- Only stop mcsuntrustedproc from relableing files
+- Allow accountsd to dbus chat with gdm
+- Allow realmd to getattr on all fs
+- Allow logrotate to reload all services
+- Add systemd unit file for radiusd
+- Allow winbind to create samba pid dir
+- Add labeling for /var/nmbd/unexpected
+- Allow
chrome and mozilla plugin to connect to msnp ports
+
+* Mon Nov 12 2012 Miroslav Grepl 3.11.1-53
+- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
+- Dontaudit setfiles reading /dev/random
+- On initial boot gnomeclock is going to need to be set buy gdm
+- Fix tftp_read_content() interface
+- Random apps looking at kernel file systems
+- Testing virt with lxc requiers additional access for virsh_t
+- New allow rules requied for latest libvirt, libvirt talks directly to journald,lxc setup tool needs compromize_kernel,and we need ipc_lock in the container
+- Allow MPD to read /dev/radnom
+- Allow sandbox_web_type to read logind files which needs to read pulseaudio
+- Allow mozilla plugins to read /dev/hpet
+- Add labeling for /var/lib/zarafa-webap
+- Allow BOINC client to use an HTTP proxy for all connections
+- Allow rhsmertd to domain transition to dmidecod
+- Allow setroubleshootd to send D-Bus msg to ABRT
+
+* Thu Nov 8 2012 Miroslav Grepl 3.11.1-52
+- Define usbtty_device_t as a term_tty
+- Allow svnserve to accept a connection
+- Allow xend manage default virt_image_t type
+- Allow prelink_cron_system_t to overide user componant when executing cp
+- Add labeling for z-push
+- Gnomeclock sets the realtime clock
+- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
+- Allow lxc domains to use /dev/random and /dev/urandom
+
+* Wed Nov 7 2012 Miroslav Grepl 3.11.1-51
+- Add port defintion for tcp/9000
+- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd
+- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory
+- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API
+- Allow shorewall_t to create netlink_socket
+- Allow krb5admind to block suspend
+- Fix labels on /var/run/dlm_controld /var/log/dlm_controld
+- Allow krb5kdc to block suspend
+- gnomessytemmm_t needs to read /etc/passwd
+- Allow cgred to read all sysctls
+
+* Tue Nov 6 2012 Miroslav Grepl
3.11.1-50
+- Allow all domains to read /proc/sys/vm/overcommit_memory
+- Make proc_numa_t an MLS Trusted Object
+- Add /proc/numactl support for confined users
+- Allow ssh_t to connect to any port > 1023
+- Add openvswitch domain
+- Pulseaudio tries to create directories in gnome_home_t directories
+- New ypbind pkg wants to search /var/run which is caused by sd_notify
+- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
+- Allow sanlock to read /dev/random
+- Treat php-fpm with httpd_t
+- Allow domains that can read named_conf_t to be able to list the directories
+- Allow winbind to create sock files in /var/run/samba
+
+* Thu Nov 1 2012 Miroslav Grepl 3.11.1-49
+- Add smsd policy
+- Add support for OpenShift sbin labelin
+- Add boolean to allow virt to use rawip
+- Allow mozilla_plugin to read all file systems with noxattrs support
+- Allow kerberos to write on anon_inodefs fs
+- Additional access required by fenced
+- Add filename transitions for passwd.lock/group.lock
+- UPdate man pages
+- Create coolkey directory in /var/cache with the correct label
+
+* Tue Oct 30 2012 Miroslav Grepl 3.11.1-48
+- Fix label on /etc/group.lock
+- Allow gnomeclock to create lnk_file in /etc
+- label /root/.pki as a home_cert_t
+- Add interface to make sure rpcbind.sock is created with the correct label
+- Add definition for new directory /var/lib/os-probe and bootloader wants to read udev rules
+- opendkim should be a part of milter
+- Allow libvirt to set the kernel sched algorythm
+- Allow mongod to read sysfs_t
+- Add authconfig policy
+- Remove calls to miscfiles_read_localization all domains get this
+- Allow virsh_t to read /root/.pki/ content
+- Add label for log directory under /var/www/stickshift
+
+* Mon Oct 29 2012 Miroslav Grepl 3.11.1-47
+- Allow getty to setattr on usb ttys
+- Allow sshd to search all directories for sshd_home_t content
+- Allow staff domains to send dbus messages to kdumpgui
+- Fix labels on /etc/.pwd.lock and friends to
be passwd_file_t
+- Dontaudit setfiles reading urand
+- Add files_dontaudit_list_tmp() for domains to which we added sys_nice/setsched
+- Allow staff_gkeyringd_t to read /home/$USER/.local/share/keyrings dir
+- Allow systemd-timedated to read /dev/urandom
+- Allow entropyd_t to read proc_t (meminfo)
+- Add unconfined munin plugin
+- Fix networkmanager_read_conf() interface
+- Allow blueman to list /tmp which is needed by sys_nic/setsched
+- Fix label of /etc/mail/aliasesdb-stamp
+- numad is searching cgroups
+- realmd is communicating with networkmanager using dbus
+- Lots of fixes to try to get kdump to work
+
+* Fri Oct 26 2012 Miroslav Grepl 3.11.1-46
+- Allow loging programs to dbus chat with realmd
+- Make apache_content_template calling as optional
+- realmd is using policy kit
+
+* Fri Oct 26 2012 Miroslav Grepl 3.11.1-45
+- Add new selinuxuser_use_ssh_chroot boolean
+- dbus needs to be able to read/write inherited fixed disk device_t passed through it
+- Cleanup netutils process allow rule
+- Dontaudit leaked fifo files from openshift to ping
+- sanlock needs to read mnt_t lnk files
+- Fail2ban needs to setsched and sys_nice
+
+* Wed Oct 24 2012 Miroslav Grepl 3.11.1-44
+- Change default label of all files in /var/run/rpcbind
+- Allow sandbox domains (java) to read hugetlbfs_t
+- Allow awstats cgi content to create tmp files and read apache log files
+- Allow setuid/setgid for cupsd-config
+- Allow setsched/sys_nice pro cupsd-config
+- Fix /etc/localtime sym link to be labeled locale_t
+- Allow sshd to search postgresql db t since this is a homedir
+- Allow xwindows users to chat with realmd
+- Allow unconfined domains to configure all files and null_device_t service
+
+* Tue Oct 23 2012 Miroslav Grepl 3.11.1-43
+- Adopt pki-selinux policy
+
+* Mon Oct 22 2012 Miroslav Grepl 3.11.1-42
+- pki is leaking which we dontaudit until a pki code fix
+- Allow setcap for arping
+- Update man pages
+- Add labeling for /usr/sbin/mcollectived
+- pki fixes
+- Allow
smokeping to execute fping in the netutils_t domain
+
+* Fri Oct 19 2012 Miroslav Grepl 3.11.1-41
+- Allow mount to relabelfrom unlabeled file systems
+- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working
+- Add label to get bin files under libreoffice labeled correctly
+- Fix interface to allow executing of base_ro_file_type
+- Add fixes for realmd
+- Update pki policy
+- Add tftp_homedir boolean
+- Allow blueman sched_setscheduler
+- openshift user domains wants to r/w ssh tcp sockets
+
+* Wed Oct 17 2012 Miroslav Grepl 3.11.1-40
+- Additional requirements for disable unconfined module when booting
+- Fix label of systemd script files
+- semanage can use -F /dev/stdin to get input
+- syslog now uses kerberos keytabs
+- Allow xserver to compromise_kernel access
+- Allow nfsd to write to mount_var_run_t when running the mount command
+- Add filename transition rule for bin_t directories
+- Allow files to read usr_t lnk_files
+- dhcpc wants chown
+- Add support for new openshift labeling
+- Clean up for tunable+optional statements
+- Add labeling for /usr/sbin/mkhomedir_helper
+- Allow antivirus domain to managa amavis spool files
+- Allow rpcbind_t to read passwd
+- Allow pyzor running as spamc to manage amavis spool
+
+* Tue Oct 16 2012 Miroslav Grepl 3.11.1-39
+- Add interfaces to read kernel_t proc info
+- Missed this version of exec_all
+- Allow anyone who can load a kernel module to compromise kernel
+- Add oddjob_dbus_chat to openshift apache policy
+- Allow chrome_sandbox_nacl_t to send signals to itself
+- Add unit file support to usbmuxd_t
+- Allow all openshift domains to read sysfs info
+- Allow openshift domains to getattr on all domains
+
+* Fri Oct 12 2012 Miroslav Grepl 3.11.1-38
+- MLS fixes from Dan
+- Fix name of capability2 secure_firmware->compromise_kerne
+
+* Thu Oct 11 2012 Miroslav Grepl 3.11.1-37
+- Allow xdm to search all file systems
+- Add interface to allow the config of all
files
+- Add rngd policy
+- Remove kgpg as a gpg_exec_t type
+- Allow plymouthd to block suspend
+- Allow systemd_dbus to config any file
+- Allow system_dbus_t to configure all services
+- Allow freshclam_t to read usr_files
+- varnishd requires execmem to load modules
+
+* Thu Oct 11 2012 Miroslav Grepl 3.11.1-36
+- Allow semanage to verify types
+- Allow sudo domain to execute user home files
+- Allow session_bus_type to transition to user_tmpfs_t
+- Add dontaudit caused by yum updates
+- Implement pki policy but not activated
+
+* Wed Oct 10 2012 Miroslav Grepl 3.11.1-35
+- tuned wants to getattr on all filesystems
+- tuned needs also setsched. The build is needed for test day
+
+* Wed Oct 10 2012 Miroslav Grepl 3.11.1-34
+- Add policy for qemu-qa
+- Allow razor to write own config files
+- Add an initial antivirus policy to collect all antivirus program
+- Allow qdisk to read usr_t
+- Add additional caps for vmware_host
+- Allow tmpfiles_t to setattr on mandb_cache_t
+- Dontaudit leaked files into mozilla_plugin_config_t
+- Allow wdmd to getattr on tmpfs
+- Allow realmd to use /dev/random
+- allow containers to send audit messages
+- Allow root mount any file via loop device with enforcing mls policy
+- Allow tmpfiles_t to setattr on mandb_cache_t
+- Allow tmpfiles_t to setattr on mandb_cache_t
+- Make userdom_dontaudit_write_all_ not allow open
+- Allow init scripts to read all unit files
+- Add support for saphostctrl ports
+
+* Mon Oct 8 2012 Miroslav Grepl 3.11.1-33
+- Add kernel_read_system_state to sandbox_client_t
+- Add some of the missing access to kdumpgui
+- Allow systemd_dbusd_t to status the init system
+- Allow vmnet-natd to request the kernel to load a module
+- Allow gsf-office-thum to append .cache/gdm/session.log
+- realmd wants to read .config/dconf/user
+- Firewalld wants sys_nice/setsched
+- Allow tmpreaper to delete mandb cache files
+- Firewalld wants sys_nice/setsched
+- Allow firewalld to perform a DNS name resolution
+- Allown winbind
to read /usr/share/samba/codepages/lowcase.dat
+- Add support for HTTPProxy* in /etc/freshclam.conf
+- Fix authlogin_yubike boolean
+- Extend smbd_selinux man page to include samba booleans
+- Allow dhcpc to execute consoletype
+- Allow ping to use inherited tmp files created in init scripts
+- On full relabel with unconfined domain disabled, initrc was running some chcon's
+- Allow people who delete man pages to delete mandb cache files
+
+* Thu Oct 4 2012 Miroslav Grepl 3.11.1-32
+- Add missing permissive domains
+
+* Thu Oct 4 2012 Miroslav Grepl 3.11.1-31
+- Add new mandb policy
+- ALlow systemd-tmpfiles_t to relabel mandb_cache_t
+- Allow logrotate to start all unit files
+
+* Thu Oct 4 2012 Miroslav Grepl 3.11.1-30
+- Add fixes for ctbd
+- Allow nmbd to stream connect to ctbd
+- Make cglear_t as nsswitch_domain
+- Fix bogus in interfaces
+- Allow openshift to read/write postfix public pipe
+- Add postfix_manage_spool_maildrop_files() interface
+- stickshift paths have been renamed to openshift
+- gnome-settings-daemon wants to write to /run/systemd/inhibit/ pipes
+- Update man pages, adding ENTRYPOINTS
+
+* Tue Oct 2 2012 Miroslav Grepl 3.11.1-29
+- Add mei_device_t
+- Make sure gpg content in homedir created with correct label
+- Allow dmesg to write to abrt cache files
+- automount wants to search virtual memory sysctls
+- Add support for hplip logs stored in /var/log/hp/tmp
+- Add labeling for /etc/owncloud/config.php
+- Allow setroubleshoot to send analysys to syslogd-journal
+- Allow virsh_t to interact with new fenced daemon
+- Allow gpg to write to /etc/mail/spamassassiin directories
+- Make dovecot_deliver_t a mail server delivery type
+- Add label for /var/tmp/DNS25
+
+* Thu Sep 27 2012 Miroslav Grepl 3.11.1-28
+- Fixes for tomcat_domain template interface
+
+* Thu Sep 27 2012 Miroslav Grepl 3.11.1-27
+- Remove init_systemd and init_upstart boolean, Move init_daemon_domain and init_system_domain to use attributes
+- Add attribute to all base os
types. Allow all domains to read all ro base OS types
+
+* Wed Sep 26 2012 Miroslav Grepl 3.11.1-26
+- Additional unit files to be defined as power unit files
+- Fix more boolean names
+
+* Tue Sep 25 2012 Miroslav Grepl 3.11.1-25
+- Fix boolean name so subs will continue to work
+
+* Tue Sep 25 2012 Miroslav Grepl 3.11.1-24
+- dbus needs to start getty unit files
+- Add interface to allow system_dbusd_t to start the poweroff service
+- xdm wants to exec telepathy apps
+- Allow users to send messages to systemdlogind
+- Additional rules needed for systemd and other boot apps
+- systemd wants to list /home and /boot
+- Allow gkeyringd to write dbus/conf file
+- realmd needs to read /dev/urand
+- Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded
+
+* Thu Sep 20 2012 Miroslav Grepl 3.11.1-23
+- Fixes to safe more rules
+- Re-write tomcat_domain_template()
+- Fix passenger labeling
+- Allow all domains to read man pages
+- Add ephemeral_port_t to the 'generic' port interfaces
+- Fix the names of postgresql booleans
+
+* Tue Sep 18 2012 Miroslav Grepl 3.11.1-22
+- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer
+- Move netlable_peer check out of booleans
+- Remove call to recvfrom_netlabel for kerberos call
+- Remove use of attributes when calling syslog call
+- Move -miscfiles_read_localization to domain.te to save hundreds of allow rules
+- Allow all domains to read locale files.
This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface
+- Allow rndc to block suspend
+- tuned needs to modify the schedule of the kernel
+- Allow svirt_t domains to read alsa configuration files
+- ighten security on irc domains and make sure they label content in homedir correctly
+- Add filetrans_home_content for irc files
+- Dontaudit all getattr access for devices and filesystems for sandbox domains
+- Allow stapserver to search cgroups directories
+- Allow all postfix domains to talk to spamd
+
+* Mon Sep 17 2012 Miroslav Grepl 3.11.1-21
+- Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check
+- Change pam_t to pam_timestamp_t
+- Add dovecot_domain attribute and allow this attribute block_suspend capability2
+- Add sanlock_use_fusefs boolean
+- numad wants send/recieve msg
+- Allow rhnsd to send syslog msgs
+- Make piranha-pulse as initrc domain
+- Update openshift instances to dontaudit setattr until the kernel is fixed.
+
+* Fri Sep 14 2012 Miroslav Grepl 3.11.1-20
+- Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd
+- Remove pam_selinux.8 which conflicts with man page owned by the pam package
+- Allow glance-api to talk to mysql
+- ABRT wants to read Xorg.0.log if if it detects problem with Xorg
+- Fix gstreamer filename trans.
interface
+
+* Thu Sep 13 2012 Miroslav Grepl 3.11.1-19
+- Man page fixes by Dan Walsh
+
+* Tue Sep 11 2012 Miroslav Grepl 3.11.1-18
+- Allow postalias to read postfix config files
+- Allow man2html to read man pages
+- Allow rhev-agentd to search all mountpoints
+- Allow rhsmcertd to read /dev/random
+- Add tgtd_stream_connect() interface
+- Add cyrus_write_data() interface
+- Dontaudit attempts by sandboxX clients connectiing to the xserver_port_t
+- Add port definition for tcp/81 as http_port_t
+- Fix /dev/twa labeling
+- Allow systemd to read modules config
+
+* Mon Sep 10 2012 Miroslav Grepl 3.11.1-17
+- Merge openshift policy
+- Allow xauth to read /dev/urandom
+- systemd needs to relabel content in /run/systemd directories
+- Files unconfined should be able to perform all services on all files
+- Puppet tmp file can be leaked to all domains
+- Dontaudit rhsmcertd-worker to search /root/.local
+- Allow chown capability for zarafa domains
+- Allow system cronjobs to runcon into openshift domains
+- Allow virt_bridgehelper_t to manage content in the svirt_home_t labeled directories
+
+* Fri Sep 7 2012 Miroslav Grepl 3.11.1-16
+- nmbd wants to create /var/nmbd
+- Stop transitioning out of anaconda and firstboot, just causes AVC messages
+- Allow clamscan to read /etc files
+- Allow bcfg2 to bind cyphesis port
+- heartbeat should be run as rgmanager_t instead of corosync_t
+- Add labeling for /etc/openldap/certs
+- Add labeling for /opt/sartest directory
+- Make crontab_t as userdom home reader
+- Allow tmpreaper to list admin_home dir
+- Add defition for imap_0 replay cache file
+- Add support for gitolite3
+- Allow virsh_t to send syslog messages
+- allow domains that can read samba content to be able to list the directories also
+- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd
+- Separate out sandbox from sandboxX policy so we can disable it by default
+- Run dmeventd as lvm_t
+- Mounting on any directory requires setattr and write
permissions
+- Fix use_nfs_home_dirs() boolean
+- New labels for pam_krb5
+- Allow init and initrc domains to sys_ptrace since this is needed to look at processes not owned by uid 0
+- Add realmd_dbus_chat to allow all apps that use nsswitch to talk to realmd
+
+* Fri Aug 31 2012 Dan Walsh 3.11.1-15
+- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs
+- Allow domains that can read etc_t to read etc_runtime_t
+- Allow all domains to use inherited tmpfiles
+
+* Wed Aug 29 2012 Miroslav Grepl 3.11.1-14
+- Allow realmd to read resolv.conf
+- Add pegasus_cache_t type
+- Label /usr/sbin/fence_virtd as virsh_exec_t
+- Add policy for pkcsslotd
+- Add support for cpglockd
+- Allow polkit-agent-helper to read system-auth-ac
+- telepathy-idle wants to read gschemas.compiled
+- Allow plymouthd to getattr on fs_t
+- Add slpd policy
+- Allow ksysguardproces to read/write config_usr_t
+
+* Sat Aug 25 2012 Dan Walsh 3.11.1-13
+- Fix labeling substitution so rpm will label /lib/systemd content correctly
+
+* Fri Aug 24 2012 Miroslav Grepl 3.11.1-12
+- Add file name transitions for ttyACM0
+- spice-vdagent(d)'s are going to log over to syslog
+- Add sensord policy
+- Add more fixes for passenger policy related to puppet
+- Allow wdmd to create wdmd_tmpfs_t
+- Fix labeling for /var/run/cachefilesd\.pid
+- Add thumb_tmpfs_t files type
+
+* Mon Aug 20 2012 Miroslav Grepl 3.11.1-11
+- Allow svirt domains to manage the network since this is containerized
+- Allow svirt_lxc_net_t to send audit messages
+
+* Mon Aug 20 2012 Miroslav Grepl 3.11.1-10
+- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...."
working
+- Allow dlm_controld to execute dlm_stonith labeled as bin_t
+- Allow GFS2 working on F17
+- Abrt needs to execute dmesg
+- Allow jockey to list the contents of modeprobe.d
+- Add policy for lightsquid as squid_cron_t
+- Mailscanner is creating files and directories in /tmp
+- dmesg is now reading /dev/kmsg
+- Allow xserver to communicate with secure_firmware
+- Allow fsadm tools (fsck) to read /run/mount contnet
+- Allow sysadm types to read /dev/kmsg
+-
+
+* Thu Aug 16 2012 Dan Walsh 3.11.1-9
+- Allow postfix, sssd, rpcd to block_suspend
+- udev seems to need secure_firmware capability
+- Allow virtd to send dbus messages to firewalld so it can configure the firewall
+
+* Thu Aug 16 2012 Dan Walsh 3.11.1-8
+- Fix labeling of content in /run created by virsh_t
+- Allow condor domains to read kernel sysctls
+- Allow condor_master to connect to amqp
+- Allow thumb drives to create shared memory and semaphores
+- Allow abrt to read mozilla_plugin config files
+- Add labels for lightsquid
+- Default files in /opt and /usr that end in .cgi as httpd_sys_script_t, allow
+- dovecot_auth_t uses ldap for user auth
+- Allow domains that can read dhcp_etc_t to read lnk_files
+- Add more then one watchdog device
+- Allow useradd_t to manage etc_t files so it can rename it and edit them
+- Fix invalid class dir should be fifo_file
+- Move /run/blkid to fsadm and make sure labeling is correct
+
+* Tue Aug 14 2012 Dan Walsh 3.11.1-7
+- Fix bogus regex found by eparis
+- Fix manage run interface since lvm needs more access
+- syslogd is searching cgroups directory
+- Fixes to allow virt-sandbox-service to manage lxc var run content
+
+* Mon Aug 13 2012 Dan Walsh 3.11.1-6
+- Fix Boolean settings
+- Add new libjavascriptcoregtk as textrel_shlib_t
+- Allow xdm_t to create xdm_home_t directories
+- Additional access required for systemd
+- Dontaudit mozilla_plugin attempts to ipc_lock
+- Allow tmpreaper to delete unlabeled files
+- Eliminate screen_tmp_t and allow it to
manage user_tmp_t
+- Dontaudit mozilla_plugin_config_t to append to leaked file descriptors
+- Allow web plugins to connect to the asterisk ports
+- Condor will recreate the lock directory if it does not exist
+- Oddjob mkhomedir needs to connectto user processes
+- Make oddjob_mkhomedir_t a userdom home manager
+
+* Thu Aug 9 2012 Miroslav Grepl 3.11.1-5
+- Put placeholder back in place for proper numbering of capabilities
+- Systemd also configures init scripts
+
+* Thu Aug 9 2012 Miroslav Grepl 3.11.1-4
+- Fix ecryptfs interfaces
+- Bootloader seems to be trolling around /dev/shm and /dev
+- init wants to create /etc/systemd/system-update.target.wants
+- Fix systemd_filetrans call to move it out of tunable
+- Fix up policy to work with systemd userspace manager
+- Add secure_firmware capability and remove bogus epolwakeup
+- Call seutil_*_login_config interfaces where should be needed
+- Allow rhsmcertd to send signal to itself
+- Allow thin domains to send signal to itself
+- Allow Chrome_ChildIO to read dosfs_t
+
+* Tue Aug 7 2012 Miroslav Grepl 3.11.1-3
+- Add role rules for realmd, sambagui
+
+* Tue Aug 7 2012 Miroslav Grepl 3.11.1-2
+- Add new type selinux_login_config_t for /etc/selinux//logins/
+- Additional fixes for seutil_manage_module_store()
+- dbus_system_domain() should be used with optional_policy
+- Fix svirt to be allowed to use fusefs file system
+- Allow login programs to read /run/ data created by systemd_login
+- sssd wants to write /etc/selinux//logins/ for SELinux PAM module
+- Fix svirt to be allowed to use fusefs file system
+- Allow piranha domain to use nsswitch
+- Sanlock needs to send Kill Signals to non root processes
+- Pulseaudio wants to execute /run/user/PID/.orc
+
+* Fri Aug 3 2012 Miroslav Grepl 3.11.1-1
+- Fix saslauthd when it tries to read /etc/shadow
+- Label gnome-boxes as a virt homedir
+- Need to allow svirt_t ability to getattr on nfs_t file systems
+- Update sanlock policy to solve all AVC's
+- Change confined users
can optionally manage virt content
+- Handle new directories under ~/.cache
+- Add block suspend to appropriate domains
+- More rules required for containers
+- Allow login programs to read /run/ data created by systemd_logind
+- Allow staff users to run svirt_t processes
+
+* Thu Aug 2 2012 Miroslav Grepl 3.11.1-0
+- Update to upstream
+
+* Mon Jul 30 2012 Miroslav Grepl 3.11.0-15
+- More fixes for systemd to make rawhide booting from Dan Walsh
+
+* Mon Jul 30 2012 Miroslav Grepl 3.11.0-14
+- Add systemd fixes to make rawhide booting
+
+* Fri Jul 27 2012 Miroslav Grepl 3.11.0-13
+- Add systemd_logind_inhibit_var_run_t attribute
+- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
+- Add interface for mysqld to dontaudit signull to all processes
+- Label new /var/run/journal directory correctly
+- Allow users to inhibit suspend via systemd
+- Add new type for the /var/run/inhibit directory
+- Add interface to send signull to systemd_login so avahi can send them
+- Allow systemd_passwd to send syslog messages
+- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
+- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
+- Allow smbd to read cluster config
+- Add additional labeling for passenger
+- Allow dbus to inhibit suspend via systemd
+- Allow avahi to send signull to systemd_login
+
+* Mon Jul 23 2012 Miroslav Grepl 3.11.0-12
+- Add interface to dontaudit getattr access on sysctls
+- Allow sshd to execute /bin/login
+- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
+- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
+- Fix semanage to work with unconfined domain disabled on F18
+- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
+- Virt seems to be using lock files
+- Dovecot seems to be searching directories of every mountpoint
+- Allow jockey to read random/urandom, execute shell and
install third-party drivers
+- Add aditional params to allow cachedfiles to manage its content
+- gpg agent needs to read /dev/random
+- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
+- Add a bunch of dontaudit rules to quiet svirt_lxc domains
+- Additional perms needed to run svirt_lxc domains
+- Allow cgclear to read cgconfig
+- Allow sys_ptrace capability for snmp
+- Allow freshclam to read /proc
+- Allow procmail to manage /home/user/Maildir content
+- Allow NM to execute wpa_cli
+- Allow amavis to read clamd system state
+- Regenerate man pages
+
+* Sat Jul 21 2012 Fedora Release Engineering - 3.11.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Miroslav Grepl 3.11.0-10
+- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit
+- Allow xend_t to read the /etc/passwd file
+
+* Wed Jul 11 2012 Miroslav Grepl 3.11.0-9
+- Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
+- Add
init_access_check() interface
+- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
+- Allow tcpdump to create a netlink_socket
+- Label newusers like useradd
+- Change xdm log files to be labeled xdm_log_t
+- Allow sshd_t with privsep to work in MLS
+- Allow freshclam to update databases thru HTTP proxy
+- Allow s-m-config to access check on systemd
+- Allow abrt to read public files by default
+- Fix amavis_create_pid_files() interface
+- Add labeling and filename transition for dbomatic.log
+- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
+- Allow amavisd to execute fsav
+- Allow tuned to use sys_admin and sys_nice capabilities
+- Add php-fpm policy from Bryan
+- Add labeling for aeolus-configserver-thinwrapper
+- Allow thin domains to execute shell
+- Fix gnome_role_gkeyringd() interface description
+- Lot of interface fixes
+- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
+- Allow OpenMPI job to use kerberos
+- Make deltacloudd_t as nsswitch_domain
+- Allow xend_t to run lsscsi
+- Allow qemu-dm running as xend_t to create tun_socket
+- Add labeling for /opt/brother/Printers(.*/)?inf
+- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
+- Fix clamscan_can_scan_system boolean
+- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
+
+* Tue Jul 3 2012 Miroslav Grepl 3.11.0-8
+- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
+- Fixes for passenger running within openshift.
+- Add labeling for all tomcat6 dirs
+- Add support for tomcat6
+- Allow cobblerd to read /etc/passwd
+- Allow jockey to read sysfs and and execute binaries with bin_t
+- Allow thum to use user terminals
+- Allow cgclear to read cgconfig config files
+- Fix bcf2g.fc
+- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
+- Allow dbomatic to execute ruby
+- abrt_watch_log should be abrt_domain
+- Allow mozilla_plugin to connect to gatekeeper port
+
+* Wed Jun 27 2012 Miroslav Grepl 3.11.0-7
+- add ptrace_child access to process
+- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
+- Allow boinc domains to manage boinc_lib_t lnk_files
+- Add support for boinc-client.service unit file
+- Add support for boinc.log
+- Allow mozilla_plugin execmod on mozilla home files if allow_ex
+- Allow dovecot_deliver_t to read dovecot_var_run_t
+- Allow ldconfig and insmod to manage kdumpctl tmp files
+- Move thin policy out from cloudform.pp and add a new thin poli
+- pacemaker needs to communicate with corosync streams
+- abrt is now started on demand by dbus
+- Allow certmonger to talk directly to Dogtag servers
+- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
+- Allow mozila_plugin to execute gstreamer home files
+- Allow useradd to delete all file types stored in the users hom
+- rhsmcertd reads the rpm database
+- Add support for lightdm
+
+* Mon Jun 25 2012 Miroslav Grepl 3.11.0-6
+- Add tomcat policy
+- Remove pyzor/razor policy
+- rhsmcertd reads the rpm database
+- Dontaudit thumb to setattr on xdm_tmp dir
+- Allow wicd to execute ldconfig in the networkmanager_t domain
+- Add /var/run/cherokee\.pid labeling
+- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
+- Allow postfix-master to r/w pipes other postfix domains
+- Allow snort to create netlink_socket
+- Add kdumpctl policy
+- Allow firstboot to create tmp_t files/directories
+- /usr/bin/paster should
not be labeled as piranha_exec_t
+- remove initrc_domain from tomcat
+- Allow ddclient to read /etc/passwd
+- Allow useradd to delete all file types stored in the users homedir
+- Allow ldconfig and insmod to manage kdumpctl tmp files
+- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
+- Transition xauth files within firstboot_tmp_t
+- Fix labeling of /run/media to match /media
+- Label all lxdm.log as xserver_log_t
+- Add port definition for mxi port
+- Allow local_login_t to execute tmux
+
+* Tue Jun 19 2012 Miroslav Grepl 3.11.0-5
+- apcupsd needs to read /etc/passwd
+- Sanlock allso sends sigkill
+- Allow glance_registry to connect to the mysqld port
+- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
+- Allow firefox plugins/flash to connect to port 1234
+- Allow mozilla plugins to delete user_tmp_t files
+- Add transition name rule for printers.conf.O
+- Allow virt_lxc_t to read urand
+- Allow systemd_loigind to list gstreamer_home_dirs
+- Fix labeling for /usr/bin
+- Fixes for cloudform services
+ * support FIPS
+- Allow polipo to work as web caching
+- Allow chfn to execute tmux
+
+* Fri Jun 15 2012 Miroslav Grepl 3.11.0-4
+- Add support for ecryptfs
+ * ecryptfs does not support xattr
+ * we need labeling for HOMEDIR
+- Add policy for (u)mount.ecryptfs*
+- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
+- Allow dovecot to manage Maildir content, fix transitions to Maildir
+- Allow postfix_local to transition to dovecot_deliver
+- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
+- Cleanup interface definitions
+- Allow apmd to change with the logind daemon
+- Changes required for sanlock in rhel6
+- Label /run/user/apache as httpd_tmp_t
+- Allow thumb to use lib_t as execmod if boolean turned on
+- Allow squid to create the squid directory in /var with the correct labe
+- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com)
+- Allow
virtd to exec xend_exec_t without transition
+- Allow virtd_lxc_t to unmount all file systems
+
+* Tue Jun 12 2012 Miroslav Grepl 3.11.0-3
+- PolicyKit path has changed
+- Allow httpd connect to dirsrv socket
+- Allow tuned to write generic kernel sysctls
+- Dontaudit logwatch to gettr on /dev/dm-2
+- Allow policykit-auth to manage kerberos files
+- Make condor_startd and rgmanager as initrc domain
+- Allow virsh to read /etc/passwd
+- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
+- xdm now needs to execute xsession_exec_t
+- Need labels for /var/lib/gdm
+- Fix files_filetrans_named_content() interface
+- Add new attribute - initrc_domain
+- Allow systemd_logind_t to signal, signull, sigkill all processes
+- Add filetrans rules for etc_runtime files
+
+* Sat Jun 9 2012 Miroslav Grepl 3.11.0-2
+- Rename boolean names to remove allow_
+
+* Thu Jun 7 2012 Miroslav Grepl 3.11.0-1
+- Mass merge with upstream
+ * new policy topology to include contrib policy modules
+ * we have now two base policy patches
+
+* Wed May 30 2012 Miroslav Grepl 3.10.0-128
+- Fix description of authlogin_nsswitch_use_ldap
+- Fix transition rule for rhsmcertd_t needed for RHEL7
+- Allow useradd to list nfs state data
+- Allow openvpn to manage its log file and directory
+- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
+- Allow thumb to use nvidia devices
+- Allow local_login to create user_tmp_t files for kerberos
+- Pulseaudio needs to read systemd_login /var/run content
+- virt should only transition named system_conf_t config files
+- Allow munin to execute its plugins
+- Allow nagios system plugin to read /etc/passwd
+- Allow plugin to connect to soundd port
+- Fix httpd_passwd to be able to ask passwords
+- Radius servers can use ldap for backing store
+- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
+- Allow systemd_logind to list the contents of gnome keyring
+- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
+- Add policy for isns-utils
+
+* Mon May 28 2012 Miroslav Grepl 3.10.0-127
+- Add policy for subversion daemon
+- Allow boinc to read passwd
+- Allow pads to read kernel network state
+- Fix man2html interface for sepolgen-ifgen
+- Remove extra /usr/lib/systemd/system/smb
+- Remove all /lib/systemd and replace with /usr/lib/systemd
+- Add policy for man2html
+- Fix the label of kerberos_home_t to krb5_home_t
+- Allow mozilla plugins to use Citrix
+- Allow tuned to read /proc/sys/kernel/nmi_watchdog
+- Allow tune /sys options via systemd's tmpfiles.d "w" type
+
+* Wed May 23 2012 Miroslav Grepl 3.10.0-126
+- Dontaudit lpr_t to read/write leaked mozilla tmp files
+- Add file name transition for .grl-podcasts directory
+- Allow corosync to read user tmp files
+- Allow fenced to create snmp lib dirs/files
+- More fixes for sge policy
+- Allow mozilla_plugin_t to execute any application
+- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
+- Allow mongod to read system state information
+- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
+- Allow polipo to manage polipo_cache dirs
+- Add jabbar_client port to mozilla_plugin_t
+- Cleanup procmail policy
+- system bus will pass around open file descriptors on files that do not have labels on them
+- Allow l2tpd_t to read system state
+- Allow tuned to run ls /dev
+- Allow sudo domains to read usr_t files
+- Add label to machine-id
+- Fix corecmd_read_bin_symlinks cut and paste error
+
+* Wed May 16 2012 Miroslav Grepl 3.10.0-125
+- Fix pulseaudio port definition
+- Add labeling for condor_starter
+- Allow chfn_t to creat user_tmp_files
+- Allow chfn_t to execute bin_t
+- Allow prelink_cron_system_t to getpw calls
+- Allow sudo domains to manage kerberos rcache files
+-
Allow user_mail_domains to work with courie
+- Port definitions necessary for running jboss apps within openshift
+- Add support for openstack-nova-metadata-api
+- Add support for nova-console*
+- Add support for openstack-nova-xvpvncproxy
+- Fixes to make privsep+SELinux working if we try to use chage to change passwd
+- Fix auth_role() interface
+- Allow numad to read sysfs
+- Allow matahari-rpcd to execute shell
+- Add label for ~/.spicec
+- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
+- Devicekit_disk wants to read the logind sessions file when writing a cd
+- Add fixes for condor to make condor jobs working correctly
+- Change label of /var/log/rpmpkgs to cron_log_t
+- Access requires to allow systemd-tmpfiles --create to work.
+- Fix obex to be a user application started by the session bus.
+- Add additional filename trans rules for kerberos
+- Fix /var/run/heartbeat labeling
+- Allow apps that are managing rcache to file trans correctly
+- Allow openvpn to authenticate against ldap server
+- Containers need to listen to network starting and stopping events
+
+* Wed May 9 2012 Miroslav Grepl 3.10.0-124
+- Make systemd unit files less specific
+
+* Tue May 8 2012 Miroslav Grepl 3.10.0-123
+- Fix zarafa labeling
+- Allow guest_t to fix labeling
+- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
+- add lxc_contexts
+- Allow accountsd to read /proc
+- Allow restorecond to getattr on all file sytems
+- tmpwatch now calls getpw
+- Allow apache daemon to transition to pwauth domain
+- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
+- The obex socket seems to be a stream socket
+- dd label for /var/run/nologin
+
+* Mon May 7 2012 Miroslav Grepl 3.10.0-122
+- Allow jetty running as httpd_t to read hugetlbfs files
+- Allow sys_nice and setsched for rhsmcertd
+- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
+- Allow setfiles to append
to xdm_tmp_t
+- Add labeling for /export as a usr_t directory
+- Add labels for .grl files created by gstreamer
+
+* Fri May 4 2012 Miroslav Grepl 3.10.0-121
+- Add labeling for /usr/share/jetty/bin/jetty.sh
+- Add jetty policy which contains file type definitios
+- Allow jockey to use its own fifo_file and make this the default for all domains
+- Allow mozilla_plugins to use spice (vnc_port/couchdb)
+- asterisk wants to read the network state
+- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
+- Allow mozilla_plugin_t to create ~/.pki directory and content
+
+* Wed May 2 2012 Miroslav Grepl 3.10.0-120
+- Add clamscan_can_scan_system boolean
+- Allow mysqld to read kernel network state
+- Allow sshd to read/write condor lib files
+- Allow sshd to read/write condor-startd tcp socket
+- Fix description on httpd_graceful_shutdown
+- Allow glance_registry to communicate with mysql
+- dbus_system_domain is using systemd to lauch applications
+- add interfaces to allow domains to send kill signals to user mail agents
+- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
+- Lots of new access required for secure containers
+- Corosync needs sys_admin capability
+- ALlow colord to create shm
+- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
+- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
+- Add new interface to allow domains to list msyql_db directories, needed for libra
+- shutdown has to be allowed to delete etc_runtime_t
+- Fail2ban needs to read /etc/passwd
+- Allow ldconfig to create /var/cache/ldconfig
+- Allow tgtd to read hardware state information
+- Allow collectd to create packet socket
+- Allow chronyd to send signal to itself
+- Allow collectd to read /dev/random
+- Allow collectd to send signal to itself
+- firewalld needs to execute restorecon
+- Allow restorecon and other login domains to execute
restorecon
+
+* Tue Apr 24 2012 Miroslav Grepl 3.10.0-119
+- Allow logrotate to getattr on systemd unit files
+- Add support for tor systemd unit file
+- Allow apmd to create /var/run/pm-utils with the correct label
+- Allow l2tpd to send sigkill to pppd
+- Allow pppd to stream connect to l2tpd
+- Add label for scripts in /etc/gdm/
+- Allow systemd_logind_t to ignore mcs constraints on sigkill
+- Fix files_filetrans_system_conf_named_files() interface
+- Add labels for /usr/share/wordpress/wp-includes/*.php
+- Allow cobbler to get SELinux mode and booleans
+
+* Mon Apr 23 2012 Miroslav Grepl 3.10.0-118
+- Add unconfined_execmem_exec_t as an alias to bin_t
+- Allow fenced to read snmp var lib files, also allow it to read usr_t
+- ontaudit access checks on all executables from mozilla_plugin
+- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
+- Allow systemd_tmpfiles_t to getattr all pipes and sockets
+- Allow glance-registry to send system log messages
+- semanage needs to manage mock lib files/dirs
+
+* Sun Apr 22 2012 Miroslav Grepl 3.10.0-117
+- Add policy for abrt-watch-log
+- Add definitions for jboss_messaging ports
+- Allow systemd_tmpfiles to manage printer devices
+- Allow oddjob to use nsswitch
+- Fix labeling of log files for postgresql
+- Allow mozilla_plugin_t to execmem and execstack by default
+- Allow firewalld to execute shell
+- Fix /etc/wicd content files to get created with the correct label
+- Allow mcelog to exec shell
+- Add ~/.orc as a gstreamer_home_t
+- /var/spool/postfix/lib64 should be labeled lib_t
+- mpreaper should be able to list all file system labeled directories
+- Add support for apache to use openstack
+- Add labeling for /etc/zipl.conf and zipl binary
+- Turn on allow_execstack and turn off telepathy transition for final release
+
+* Mon Apr 16 2012 Miroslav Grepl 3.10.0-116
+- More access required for virt_qmf_t
+- Additional assess required for
systemd-logind to support multi-seat
+- Allow mozilla_plugin to setrlimit
+- Revert changes to fuse file system to stop deadlock
+
+* Mon Apr 16 2012 Miroslav Grepl 3.10.0-115
+- Allow condor domains to connect to ephemeral ports
+- More fixes for condor policy
+- Allow keystone to stream connect to mysqld
+- Allow mozilla_plugin_t to read generic USB device to support GPS devices
+- Allow thum to file name transition gstreamer home content
+- Allow thum to read all non security files
+- Allow glance_api_t to connect to ephemeral ports
+- Allow nagios plugins to read /dev/urandom
+- Allow syslogd to search postfix spool to support postfix chroot env
+- Fix labeling for /var/spool/postfix/dev
+- Allow wdmd chown
+- Label .esd_auth as pulseaudio_home_t
+- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
+
+* Fri Apr 13 2012 Miroslav Grepl 3.10.0-114
+- Add support for clamd+systemd
+- Allow fresclam to execute systemctl to handle clamd
+- Change labeling for /usr/sbin/rpc.ypasswd.env
+ - Allow yppaswd_t to execute yppaswd_exec_t
+ - Allow yppaswd_t to read /etc/passwd
+- Gnomekeyring socket has been moved to /run/user/USER/
+- Allow samba-net to connect to ldap port
+- Allow signal for vhostmd
+- allow mozilla_plugin_t to read user_home_t socket
+- New access required for secure Linux Containers
+- zfs now supports xattrs
+- Allow quantum to execute sudo and list sysfs
+- Allow init to dbus chat with the firewalld
+- Allow zebra to read /etc/passwd
+
+* Tue Apr 10 2012 Miroslav Grepl 3.10.0-113
+- Allow svirt_t to create content in the users homedir under ~/.libvirt
+- Fix label on /var/lib/heartbeat
+- Allow systemd_logind_t to send kill signals to all processes started by a user
+- Fuse now supports Xattr Support
+
+* Tue Apr 10 2012 Miroslav Grepl 3.10.0-112
+- upowered needs to setsched on the kernel
+- Allow mpd_t to manage log files
+- Allow xdm_t to create /var/run/systemd/multi-session-x
+- Add rules for
missedfont.log to be used by thumb.fc
+- Additional access required for virt_qmf_t
+- Allow dhclient to dbus chat with the firewalld
+- Add label for lvmetad
+- Allow systemd_logind_t to remove userdomain sock_files
+- Allow cups to execute usr_t files
+- Fix labeling on nvidia shared libraries
+- wdmd_t needs access to sssd and /etc/passwd
+- Add boolean to allow ftp servers to run in passive mode
+- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
+- Fix using httpd_use_fusefs
+- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
+
+* Fri Apr 6 2012 Miroslav Grepl 3.10.0-111
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
+- /etc/auto.* should be labeled bin_t
+- Add httpd_use_fusefs boolean
+- Add fixes for heartbeat
+- Allow sshd_t to signal processes that it transitions to
+- Add condor policy
+- Allow svirt to create monitors in ~/.libvirt
+- Allow dovecot to domtrans sendmail to handle sieve scripts
+- Lot of fixes for cfengine
+
+* Tue Apr 3 2012 Miroslav Grepl 3.10.0-110
+- /var/run/postmaster.* labeling is no longer needed
+- Alllow drbdadmin to read /dev/urandom
+- l2tpd_t seems to use ptmx
+- group+ and passwd+ should be labeled as /etc/passwd
+- Zarafa-indexer is a socket
+
+* Fri Mar 30 2012 Miroslav Grepl 3.10.0-109
+- Ensure lastlog is labeled correctly
+- Allow accountsd to read /proc data about gdm
+- Add fixes for tuned
+- Add bcfg2 fixes which were discovered during RHEL6 testing
+- More fixes for gnome-keyring socket being moved
+- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
+- Fix description for files_dontaudit_read_security_files() interface
+
+* Wed Mar 28 2012 Miroslav Grepl 3.10.0-108
+- Add new policy and man page for bcfg2
+- cgconfig needs to use getpw calls
+- Allow domains
that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
+- gnome-keyring wants to create a directory in cache_home_t
+- sanlock calls getpw
+
+* Wed Mar 28 2012 Miroslav Grepl 3.10.0-107
+- Add numad policy and numad man page
+- Add fixes for interface bugs discovered by SEWatch
+- Add /tmp support for squid
+- Add fix for #799102
+ * change default labeling for /var/run/slapd.* sockets
+- Make thumb_t as userdom_home_reader
+- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
+- Allow smbspool running as cups_t to stream connect to nmbd
+- accounts needs to be able to execute passwd on behalf of users
+- Allow systemd_tmpfiles_t to delete boot flags
+- Allow dnssec_trigger to connect to apache ports
+- Allow gnome keyring to create sock_files in ~/.cache
+- google_authenticator is using .google_authenticator
+- sandbox running from within firefox is exposing more leaks
+- Dontaudit thumb to read/write /dev/card0
+- Dontaudit getattr on init_exec_t for gnomeclock_t
+- Allow certmonger to do a transition to certmonger_unconfined_t
+- Allow dhcpc setsched which is caused by nmcli
+- Add rpm_exec_t for /usr/sbin/bcfg2
+- system cronjobs are sending dbus messages to systemd_logind
+- Thumnailers read /dev/urand
+
+* Thu Mar 22 2012 Miroslav Grepl 3.10.0-106
+- Allow auditctl getcap
+- Allow vdagent to use libsystemd-login
+- Allow abrt-dump-oops to search /etc/abrt
+- Got these avc's while trying to print a boarding pass from firefox
+- Devicekit is now putting the media directory under /run/media
+- Allow thumbnailers to create content in ~/.thumbails directory
+- Add support for proL2TPd by Dominick Grift
+- Allow all domains to call getcap
+- wdmd seems to get a random chown capability check that it does not need
+- Allow vhostmd to read kernel sysctls
+
+* Wed Mar 21 2012 Miroslav Grepl 3.10.0-105
+- Allow chronyd to read unix
+- Allow hpfax to read /etc/passwd
+- Add support matahari vios-proxy-* apps and add virtd_exec_t
label for them
+- Allow rpcd to read quota_db_t
+- Update to man pages to match latest policy
+- Fix bug in jockey interface for sepolgen-ifgen
+- Add initial svirt_prot_exec_t policy
+
+* Mon Mar 19 2012 Miroslav Grepl 3.10.0-104
+- More fixes for systemd from Dan Walsh
+
+* Mon Mar 19 2012 Miroslav Grepl 3.10.0-103
+- Add a new type for /etc/firewalld and allow firewalld to write to this directory
+- Add definition for ~/Maildir, and allow mail deliver domains to write there
+- Allow polipo to run from a cron job
+- Allow rtkit to schedule wine processes
+- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
+- Allow users domains to send signals to consolehelper domains
+
+* Fri Mar 16 2012 Miroslav Grepl 3.10.0-102
+- More fixes for boinc policy
+- Allow polipo domain to create its own cache dir and pid file
+- Add systemctl support to httpd domain
+- Add systemctl support to polipo, allow NetworkManager to manage the service
+- Add policy for jockey-backend
+- Add support for motion daemon which is now covered by zoneminder policy
+- Allow colord to read/write motion tmpfs
+- Allow vnstat to search through var_lib_t directories
+- Stop transitioning to quota_t, from init an sysadm_t
+
+* Wed Mar 14 2012 Miroslav Grepl 3.10.0-101
+- Add svirt_lxc_file_t as a customizable type
+
+* Wed Mar 14 2012 Miroslav Grepl 3.10.0-100
+- Add additional fixes for icmp nagios plugin
+- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
+- Add certmonger_unconfined_exec_t
+- Make sure tap22 device is created with the correct label
+- Allow staff users to read systemd unit files
+- Merge in previously built policy
+- Arpwatch needs to be able to start netlink sockets in order to start
+- Allow cgred_t to sys_ptrace to look at other DAC Processes
+
+* Mon Mar 12 2012 Miroslav Grepl 3.10.0-99
+- Back port some of the access that was allowed in nsplugin_t
+- Add definitiona for
couchdb ports
+- Allow nagios to use inherited users ttys
+- Add git support for mock
+- Allow inetd to use rdate port
+- Add own type for rdate port
+- Allow samba to act as a portmapper
+- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
+- New fixes needed for samba4
+- Allow apps that use lib_t to read lib_t symlinks
+
+* Fri Mar 9 2012 Miroslav Grepl 3.10.0-98
+- Add policy for nove-cert
+- Add labeling for nova-openstack systemd unit files
+- Add policy for keystoke
+
+* Thu Mar 8 2012 Miroslav Grepl 3.10.0-97
+- Fix man pages fro domains
+- Add man pages for SELinux users and roles
+- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
+- Add policy for matahari-rpcd
+- nfsd executes mount command on restart
+- Matahari domains execute renice and setsched
+- Dontaudit leaked tty in mozilla_plugin_config
+- mailman is changing to a per instance naming
+- Add 7600 and 4447 as jboss_management ports
+- Add fixes for nagios event handlers
+- Label httpd.event as httpd_exec_t, it is an apache daemon
+
+* Mon Mar 5 2012 Miroslav Grepl 3.10.0-96
+- Add labeling for /var/spool/postfix/dev/log
+- NM reads sysctl.conf
+- Iscsi log file context specification fix
+- Allow mozilla plugins to send dbus messages to user domains that transition to it
+- Allow mysql to read the passwd file
+- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
+- Allow deltacloud to read kernel sysctl
+- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
+- Allow postgresql_t to connectto itself
+- Add login_userdomain attribute for users which can log in using terminal
+
+* Tue Feb 28 2012 Miroslav Grepl 3.10.0-95
+- Allow sysadm_u to reach system_r by default #784011
+- Allow nagios plugins to use inherited user terminals
+- Razor labeling is not used no longer
+- Add systemd support for matahari
+- Add port_types to man page, move booleans to the top, fix some english
+- Add support for matahari-sysconfig-console
+- Clean up matahari.fc
+- Fix matahari_admin() interfac
+- Add labels for/etc/ssh/ssh_host_*.pub keys
+
+* Mon Feb 27 2012 Miroslav Grepl 3.10.0-94
+- Allow ksysguardproces to send system log msgs
+- Allow boinc setpgid and signull
+- Allow xdm_t to sys_ptrace to run pidof command
+- Allow smtpd_t to manage spool files/directories and symbolic links
+- Add labeling for jetty
+- Needed changes to get unbound/dnssec to work with openswan
+
+* Thu Feb 23 2012 Miroslav Grepl 3.10.0-93
+- Add user_fonts_t alias xfs_tmp_t
+- Since depmod now runs as insmod_t we need to write to kernel_object_t
+- Allow firewalld to dbus chat with networkmanager
+- Allow qpidd to connect to matahari ports
+- policykit needs to read /proc for uses not owned by it
+- Allow systemctl apps to connecto the init stream
+
+* Wed Feb 22 2012 Miroslav Grepl 3.10.0-92
+- Turn on deny_ptrace boolean
+
+* Tue Feb 21 2012 Miroslav Grepl 3.10.0-91
+- Remove pam_selinux.8 man page. There was a conflict.
+
+* Tue Feb 21 2012 Miroslav Grepl 3.10.0-90
+- Add proxy class and read access for gssd_proxy
+- Separate out the sharing public content booleans
+- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate
+- Add label transition for gstream-0.10 and 12
+- Add booleans to allow rsync to share nfs and cifs file sytems
+- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
+- Fix filename transitions for cups files
+- Allow denyhosts to read "unix"
+- Add file name transition for locale.conf.new
+- Allow boinc projects to gconf config files
+- sssd needs to be able to increase the socket limit under certain loads
+- sge_execd needs to read /etc/passwd
+- Allow denyhost to check network state
+- NetworkManager needs to read sessions data
+- Allow denyhost to check network state
+- Allow xen to search virt images directories
+- Add label for /dev/megaraid_sas_ioctl_node
+- Add autogenerated man pages
+
+* Thu Feb 16 2012 Miroslav
Grepl 3.10.0-89
+- Allow boinc project to getattr on fs
+- Allow init to execute initrc_state_t
+- rhev-agent package was rename to ovirt-guest-agent
+- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
+- sytemd writes content to /run/initramfs and executes it on shutdown
+- kdump_t needs to read /etc/mtab, should be back ported to F16
+- udev needs to load kernel modules in early system boot
+
+* Tue Feb 14 2012 Miroslav Grepl 3.10.0-88
+- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
+- Add additional systemd interfaces which are needed fro *_admin interfaces
+- Fix bind_admin() interface
+
+* Mon Feb 13 2012 Miroslav Grepl 3.10.0-87
+- Allow firewalld to read urand
+- Alias java, execmem_mono to bin_t to allow third parties
+- Add label for kmod
+- /etc/redhat-lsb contains binaries
+- Add boolean to allow gitosis to send mail
+- Add filename transition also for "event20"
+- Allow systemd_tmpfiles_t to delete all file types
+- Allow collectd to ipc_lock
+
+* Fri Feb 10 2012 Miroslav Grepl 3.10.0-86
+- make consoletype_exec optional, so we can remove consoletype policy
+- remove unconfined_permisive.patch
+- Allow openvpn_t to inherit user home content and tmp content
+- Fix dnssec-trigger labeling
+- Turn on obex policy for staff_t
+- Pem files should not be secret
+- Add lots of rules to fix AVC's when playing with containers
+- Fix policy for dnssec
+- Label ask-passwd directories correctly for systemd
+
+* Thu Feb 9 2012 Miroslav Grepl 3.10.0-85
+- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
+- fuse file system is now being mounted in /run/user
+- systemd_logind is sending signals to processes that are dbus messaging with it
+- Add support for winshadow port and allow iscsid to connect to this port
+- httpd should be allowed to bind to the http_port_t udp socket
+- zarafa_var_lib_t can be a lnk_file
+- A couple of new .xsession-errors files
+- Seems
like user space and login programs need to read logind_sessions_files
+- Devicekit disk seems to be being launched by systemd
+- Cleanup handling of setfiles so most of rules in te file
+- Correct port number for dnssec
+- logcheck has the home dir set to its cache
+
+* Tue Feb 7 2012 Miroslav Grepl 3.10.0-84
+- Add policy for grindengine MPI jobs
+
+* Mon Feb 6 2012 Miroslav Grepl 3.10.0-83
+- Add new sysadm_secadm.pp module
+ * contains secadm definition for sysadm_t
+- Move user_mail_domain access out of the interface into the te file
+- Allow httpd_t to create httpd_var_lib_t directories as well as files
+- Allow snmpd to connect to the ricci_modcluster stream
+- Allow firewalld to read /etc/passwd
+- Add auth_use_nsswitch for colord
+- Allow smartd to read network state
+- smartdnotify needs to read /etc/group
+
+* Fri Feb 3 2012 Miroslav Grepl 3.10.0-82
+- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
+- lxdm startup scripts should be labeled bin_t, so confined users will work
+- mcstransd now creates a pid, needs back port to F16
+- qpidd should be allowed to connect to the amqp port
+- Label devices 010-029 as usb devices
+- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
+- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
+- Add initial Obex policy
+- Add logging_syslogd_use_tty boolean
+- Add polipo_connect_all_unreserved bolean
+- Allow zabbix to connect to ftp port
+- Allow systemd-logind to be able to switch VTs
+- Allow apache to communicate with memcached through a sock_file
+
+* Tue Jan 31 2012 Dan Walsh 3.10.0-81.2
+- Fix file_context.subs_dist for now to work with pre usrmove
+
+* Mon Jan 30 2012 Miroslav Grepl 3.10.0-81
+- More /usr move fixes
+
+* Thu Jan 26 2012 Miroslav Grepl 3.10.0-80
+- Add zabbix_can_network boolean
+- Add httpd_can_connect_zabbix boolean
+- Prepare file context labeling for usrmove functions
+- Allow system cronjobs to read kernel network
state
+- Add support for selinux_avcstat munin plugin
+- Treat hearbeat with corosync policy
+- Allow corosync to read and write to qpidd shared mem
+- mozilla_plugin is trying to run pulseaudio
+- Fixes for new sshd patch for running priv sep domains as the users context
+- Turn off dontaudit rules when turning on allow_ypbind
+- udev now reads /etc/modules.d directory
+
+* Tue Jan 24 2012 Miroslav Grepl 3.10.0-79
+- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out
+- Cups exchanges dbus messages with init
+- udisk2 needs to send syslog messages
+- certwatch needs to read /etc/passwd
+
+* Mon Jan 23 2012 Miroslav Grepl 3.10.0-78
+- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
+
+* Mon Jan 23 2012 Miroslav Grepl 3.10.0-77
+- Treat Bip with bitlbee policy
+ * Bip is an IRC proxy
+- Add port definition for interwise port
+- Add support for ipa_memcached socket
+- systemd_jounald needs to getattr on all processes
+- mdadmin fixes
+ * uses getpw
+- amavisd calls getpwnam()
+- denyhosts calls getpwall()
+
+* Fri Jan 20 2012 Miroslav Grepl 3.10.0-76
+- Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
+- bluetooth says they do not use /tmp and want to remove the type
+- Allow init to transition to colord
+- Mongod needs to read /proc/sys/vm/zone_reclaim_mode
+- Allow postfix_smtpd_t to connect to spamd
+- Add boolean to allow ftp to connect to all ports > 1023
+- Allow sendmain to write to inherited dovecot tmp files
+- setroubleshoot needs to be able to execute rpm to see what version of packages
+
+* Mon Jan 16 2012 Miroslav Grepl 3.10.0-75
+- Merge systemd patch
+- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
+- Allow deltacloudd dac_override, setuid, setgid caps
+- Allow aisexec to execute shell
+- Add use_nfs_home_dirs boolean for ssh-keygen
+
+* Fri Jan 13 2012 Dan Walsh 3.10.0-74.2
+- Fixes to make rawhide boot in enforcing mode with latest systemd
changes
+
+* Wed Jan 11 2012 Miroslav Grepl 3.10.0-74
+- Add labeling for /var/run/systemd/journal/syslog
+- libvirt sends signals to ifconfig
+- Allow domains that read logind session files to list them
+
+* Wed Jan 11 2012 Miroslav Grepl 3.10.0-73
+- Fixed destined form libvirt-sandbox
+- Allow apps that list sysfs to also read sympolicy links in this filesystem
+- Add ubac_constrained rules for chrome_sandbox
+- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
+- Allow postgresql to be executed by the caller
+- Standardize interfaces of daemons
+- Add new labeling for mm-handler
+- Allow all matahari domains to read network state and etc_runtime_t files
+
+* Wed Jan 4 2012 Miroslav Grepl 3.10.0-72
+- New fix for seunshare, requires seunshare_domains to be able to mounton /
+- Allow systemctl running as logrotate_t to connect to private systemd socket
+- Allow tmpwatch to read meminfo
+- Allow rpc.svcgssd to read supported_krb5_enctype
+- Allow zarafa domains to read /dev/random and /dev/urandom
+- Allow snmpd to read dev_snmp6
+- Allow procmail to talk with cyrus
+- Add fixes for check_disk and check_nagios plugins
+
+* Tue Dec 20 2011 Miroslav Grepl 3.10.0-71
+- default trans rules for Rawhide policy
+- Make sure sound_devices controlC* are labeled correctly on creation
+- sssd now needs sys_admin
+- Allow snmp to read all proc_type
+- Allow to setup users homedir with quota.group
+
+* Mon Dec 19 2011 Miroslav Grepl 3.10.0-70
+- Add httpd_can_connect_ldap() interface
+- apcupsd_t needs to use seriel ports connected to usb devices
+- Kde puts procmail mail directory under ~/.local/share
+- nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now
+- Add labeling for /sbin/iscsiuio
+
+* Wed Dec 14 2011 Miroslav Grepl 3.10.0-69
+- Add label for /var/lib/iscan/interpreter
+- Dont audit writes to leaked file descriptors or redirected output for nacl
+- NetworkManager needs to write to
/sys/class/net/ib*/mode
+
+* Tue Dec 13 2011 Miroslav Grepl 3.10.0-68
+- Allow abrt to request the kernel to load a module
+- Make sure mozilla content is labeled correctly
+- Allow tgtd to read system state
+- More fixes for boinc
+ * allow to resolve dns name
+ * re-write boinc policy to use boinc_domain attribute
+- Allow munin services plugins to use NSCD services
+
+* Thu Dec 8 2011 Miroslav Grepl 3.10.0-67
+- Allow mozilla_plugin_t to manage mozilla_home_t
+- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
+- Add label for tumblerd
+
+* Wed Dec 7 2011 Miroslav Grepl 3.10.0-66
+- Fixes for xguest package
+
+* Tue Dec 6 2011 Miroslav Grepl 3.10.0-65
+- Fixes related to /bin, /sbin
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contexts
+- More fixes for rhev_agentd_t consolehelper policy
+
+* Thu Dec 1 2011 Miroslav Grepl 3.10.0-64
+- Use fs_use_xattr for squashf
+- Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
+
+* Tue Nov 29 2011 Miroslav Grepl 3.10.0-63
+- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
+- Allow all postfix domains to use the fifo_file
+- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
+-
Allow apmd_t to read grub.cfg
+- Let firewallgui read the selinux config
+- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
+- Fix devicekit_manage_pid_files() interface
+- Allow squid to check the network state
+- Dontaudit colord getattr on file systems
+- Allow ping domains to read zabbix_tmp_t files
+
+* Wed Nov 23 2011 Miroslav Grepl 3.10.0-59
+- Allow mcelog_t to create dir and file in /var/run and label it correctly
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file systems
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
+
+* Wed Nov 16 2011 Miroslav Grepl 3.10.0-58
+- Add ssh_dontaudit_search_home_dir
+- Changes to allow namespace_init_t to work
+- Add interface to allow exec of mongod, add port definition for mongod port, 27017
+- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
+- Allow spamd and clamd to steam connect to each other
+- Add policy label for passwd.OLD
+- More fixes for postfix and postfix maildro
+- Add ftp support for mozilla plugins
+- Useradd now needs to manage policy since it calls libsemanage
+- Fix devicekit_manage_log_files() interface
+- Allow colord to execute ifconfig
+- Allow accountsd to read /sys
+- Allow mysqld-safe to execute shell
+- Allow openct to stream connect to pcscd
+- Add label for /var/run/nm-dns-dnsmasq\.conf
+- Allow networkmanager to chat with virtd_t
+
+* Fri Nov 11 2011 Dan Walsh 3.10.0-57
+- Pulseaudio changes
+- Merge patches
+
+* Thu Nov 10 2011 Dan Walsh 3.10.0-56
+- Merge patches back into git repository.
+
+* Tue Nov 8 2011 Dan Walsh 3.10.0-55.2
+- Remove allow_execmem boolean and replace with deny_execmem boolean
+
+* Tue Nov 8 2011 Dan Walsh 3.10.0-55.1
+- Turn back on allow_execmem boolean
+
+* Mon Nov 7 2011 Miroslav Grepl 3.10.0-55
+- Add more MCS fixes to make sandbox working
+- Make faillog MLS trusted to make sudo_$1_t working
+- Allow sandbox_web_client_t to read passwd_file_t
+- Add .mailrc file context
+- Remove execheap from openoffice domain
+- Allow chrome_sandbox_nacl_t to read cpu_info
+- Allow virtd to relabel generic usb which is need if USB device
+- Fixes for virt.if interfaces to consider chr_file as image file type
+
+* Fri Nov 4 2011 Dan Walsh 3.10.0-54.1
+- Remove Open Office policy
+- Remove execmem policy
+
+* Fri Nov 4 2011 Miroslav Grepl 3.10.0-54
+- MCS fixes
+- quota fixes
+
+* Thu Nov 3 2011 Dan Walsh 3.10.0-53.1
+- Remove transitions to consoletype
+
+* Tue Nov 1 2011 Miroslav Grepl 3.10.0-53
+- Make nvidia* to be labeled correctly
+- Fix abrt_manage_cache() interface
+- Make filetrans rules optional so base policy will build
+- Dontaudit chkpwd_t access to inherited TTYS
+- Make sure postfix content gets created with the correct label
+- Allow gnomeclock to read cgroup
+- Fixes for cloudform policy
+
+* Thu Oct 27 2011 Miroslav Grepl 3.10.0-52
+- Check in fixed for Chrome nacl support
+
+* Thu Oct 27 2011 Miroslav Grepl 3.10.0-51
+- Begin removing qemu_t domain, we really no longer need this domain.
+- systemd_passwd needs dac_overide to communicate with users TTY's
+- Allow svirt_lxc domains to send kill signals within their container
+
+* Thu Oct 27 2011 Dan Walsh 3.10.0-50.2
+- Remove qemu.pp again without causing a crash
+
+* Wed Oct 26 2011 Dan Walsh 3.10.0-50.1
+- Remove qemu.pp, everything should use svirt_t or stay in its current domain
+
+* Wed Oct 26 2011 Miroslav Grepl 3.10.0-50
+- Allow policykit to talk to the systemd via dbus
+- Move chrome_sandbox_nacl_t to permissive domains
+- Additional rules for chrome_sandbox_nacl
+
+* Tue Oct 25 2011 Miroslav Grepl 3.10.0-49
+- Change bootstrap name to nacl
+- Chrome still needs execmem
+- Missing role for chrome_sandbox_bootstrap
+- Add boolean to remove execmem and execstack from virtual machines
+- Dontaudit xdm_t doing an access_check on etc_t directories
+
+* Mon Oct 24 2011 Miroslav Grepl 3.10.0-48
+- Allow named to connect to dirsrv by default
+- add ldapmap1_0 as a krb5_host_rcache_t file
+- Google chrome developers asked me to add bootstrap policy for nacl stuff
+- Allow rhev_agentd_t to getattr on mountpoints
+- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
+
+* Mon Oct 24 2011 Miroslav Grepl 3.10.0-47
+- Fixes for cloudform policies which need to connect to random ports
+- Make sure if an admin creates modules content it creates them with the correct label
+- Add port 8953 as a dns port used by unbound
+- Fix file name transition for alsa and confined users
+
+* Fri Oct 21 2011 Dan Walsh 3.10.0-46.1
+- Turn on mock_t and thumb_t for unconfined domains
+
+* Fri Oct 21 2011 Miroslav Grepl 3.10.0-46
+- Policy update should not modify local contexts
+
+* Thu Oct 20 2011 Dan Walsh 3.10.0-45.1
+- Remove ada policy
+
+* Thu Oct 20 2011 Miroslav Grepl 3.10.0-45
+- Remove tzdata policy
+- Add labeling for udev
+- Add cloudform policy
+- Fixes for bootloader policy
+
+* Wed Oct 19 2011 Miroslav Grepl 3.10.0-43
+- Add policies for nova openstack
+
+* Tue Oct 18 2011 Miroslav Grepl 3.10.0-42
+- Add fixes for nova-stack policy
+
+* Tue Oct 18 2011 Miroslav Grepl 3.10.0-41
+- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
+- Allow init process to setrlimit on itself
+- Take away transition rules for users executing ssh-keygen
+- Allow setroubleshoot_fixit_t to read /dev/urand
+- Allow sshd to relbale tunnel sockets
+- Allow fail2ban domtrans to shorewall in the same way as with iptables
+- Add support for lnk files in the /var/lib/sssd directory
+- Allow system mail to connect to courier-authdaemon over an unix stream socket
+
+* Mon Oct 17 2011 Dan Walsh 3.10.0-40.2
+- Add passwd_file_t for /etc/ptmptmp
+
+* Fri Oct 14 2011 Miroslav Grepl 3.10.0-40
+- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
+- Make corosync to be able to relabelto cluster lib fies
+- Allow samba domains to search /var/run/nmbd
+- Allow dirsrv to use pam
+- Allow thumb to call getuid
+- chrome less likely to get mmap_zero bug so removing dontaudit
+- gimp help-browser has built in javascript
+- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
+- Re-write glance policy
+
+* Thu Oct 13 2011 Dan Walsh 3.10.0-39.3
+- Move dontaudit sys_ptrace line from permissive.te to domain.te
+- Remove policy for hal, it no longer exists
+
+* Wed Oct 12 2011 Dan Walsh 3.10.0-39.2
+- Don't check md5 size or mtime on certain config files
+
+* Tue Oct 11 2011 Dan Walsh 3.10.0-39.1
+- Remove allow_ptrace and replace it with deny_ptrace, which will remove all
+ptrace from the system
+- Remove 2000 dontaudit rules between confined domains on transition
+and replace with single
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+* Mon Oct 10 2011 Miroslav Grepl 3.10.0-39
+- Fixes for bootloader policy
+- $1_gkeyringd_t needs to read $HOME/%%USER/.local/share/keystore
+- Allow nsplugin to read /usr/share/config
+- Allow sa-update to update
rules
+- Add use_fusefs_home_dirs for chroot ssh option
+- Fixes for grub2
+- Update systemd_exec_systemctl() interface
+- Allow gpg to read the mail spool
+- More fixes for sa-update running out of cron job
+- Allow ipsec_mgmt_t to read hardware state information
+- Allow pptp_t to connect to unreserved_port_t
+- Dontaudit getattr on initctl in /dev from chfn
+- Dontaudit getattr on kernel_core from chfn
+- Add systemd_list_unit_dirs to systemd_exec_systemctl call
+- Fixes for collectd policy
+- CHange sysadm_t to create content as user_tmp_t under /tmp
+
+* Thu Oct 6 2011 Dan Walsh 3.10.0-38.1
+- Shrink size of policy through use of attributes for userdomain and apache
+
+* Wed Oct 5 2011 Miroslav Grepl 3.10.0-38
+- Allow virsh to read xenstored pid file
+- Backport corenetwork fixes from upstream
+- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
+- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
+- allow thumb to read generic data home files (mime.type)
+
+* Wed Oct 5 2011 Miroslav Grepl 3.10.0-37
+- Allow nmbd to manage sock file in /var/run/nmbd
+- ricci_modservice send syslog msgs
+- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
+- Allow systemd_logind_t to manage /run/USER/dconf/user
+
+* Tue Oct 4 2011 Dan Walsh 3.10.0-36.1
+- Fix missing patch from F16
+
+* Mon Oct 3 2011 Miroslav Grepl 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 30 2011 Dan Walsh 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 30 2011 Dan Walsh 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
+* Fri Sep 30 2011 Dan Walsh 3.10.0-34.4
+- Fixes caused by the labeling of /etc/passwd
+- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
+
+* Thu Sep 29 2011 Miroslav Grepl 3.10.0-34.3
+- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
+
+* Mon Sep 26 2011 Dan Walsh 3.10.0-34.2
+- Add label for /etc/passwd
+
+* Mon Sep 26 2011 Dan Walsh 3.10.0-34.1
+- Change unconfined_domains to permissive for Rawhide
+- Add definition for the ephemeral_ports
+
+* Mon Sep 26 2011 Miroslav Grepl 3.10.0-34
+- Make mta_role() active
+- Allow asterisk to connect to jabber client port
+- Allow procmail to read utmp
+- Add NIS support for systemd_logind_t
+- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t
+- Fix systemd_manage_unit_dirs() interface
+- Allow ssh_t to manage directories passed into it
+- init needs to be able to create and delete unit file directories
+- Fix typo in apache_exec_sys_script
+- Add ability for logrotate to transition to awstat domain
+
+* Fri Sep 23 2011 Miroslav Grepl 3.10.0-33
+- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
+
+* Wed Sep 21 2011 Dan Walsh 3.10.0-31.1
+- Add definition for ephemeral ports
+- Define user_tty_device_t as a customizable_type
+
+* Tue Sep 20 2011 Miroslav Grepl 3.10.0-31
+- Needs to require a new version of checkpolicy
+- Interface fixes
+
+* Fri Sep 16 2011 Miroslav Grepl 3.10.0-29
+- Allow sanlock to manage virt lib files
+- Add virt_use_sanlock booelan
+- ksmtuned is trying to resolve uids
+- Make sure .gvfs is labeled user_home_t in the users home directory
+- Sanlock sends kill signals and needs the kill capability
+- Allow mockbuild to work on nfs homedirs
+- Fix kerberos_manage_host_rcache() interface
+- Allow exim to read system state
+
+* Tue Sep 13 2011 Miroslav Grepl 3.10.0-28
+- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
+- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
+
+* Tue Sep 13 2011 Miroslav Grepl 3.10.0-27
+- Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
+
+* Fri Sep 9 2011 Miroslav Grepl 3.10.0-26
+- removing unconfined_notrans_t no longer necessary
+- Clean up handling of secure_mode_insmod and secure_mode_policyload
+- Remove unconfined_mount_t
+
+* Tue Sep 6 2011 Miroslav Grepl 3.10.0-25
+- Add exim_exec_t label for /usr/sbin/exim_tidydb
+- Call init_dontaudit_rw_stream_socket() interface in mta policy
+- sssd need to search /var/cache/krb5rcache directory
+- Allow corosync to relabel own tmp files
+- Allow zarafa domains to send system log messages
+- Allow ssh to do tunneling
+-
Allow initrc scripts to sendto init_t unix_stream_socket
+- Changes to make sure dmsmasq and virt directories are labeled correctly
+- Changes needed to allow sysadm_t to manage systemd unit files
+- init is passing file descriptors to dbus and on to system daemons
+- Allow sulogin additional access Reported by dgrift and Jeremy Miller
+- Steve Grubb believes that wireshark does not need this access
+- Fix /var/run/initramfs to stop restorecon from looking at
+- pki needs another port
+- Add more labels for cluster scripts
+- Allow apps that manage cgroup_files to manage cgroup link files
+- Fix label on nfs-utils scripts directories
+- Allow gatherd to read /dev/rand and /dev/urand
+
+* Wed Aug 31 2011 Miroslav Grepl 3.10.0-24
+- pki needs another port
+- Add more labels for cluster scripts
+- Fix label on nfs-utils scripts directories
+- Fixes for cluster
+- Allow gatherd to read /dev/rand and /dev/urand
+- abrt leaks fifo files
+
+* Tue Aug 30 2011 Miroslav Grepl 3.10.0-23
+- Add glance policy
+- Allow mdadm setsched
+- /var/run/initramfs should not be relabeled with a restorecon run
+- memcache can be setup to override sys_resource
+- Allow httpd_t to read tetex data
+- Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
+
+* Mon Aug 29 2011 Miroslav Grepl 3.10.0-22
+- Allow Postfix to deliver to Dovecot LMTP socket
+- Ignore bogus sys_module for lldpad
+- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
+- systemd_logind_t sets the attributes on usb devices
+- Allow hddtemp_t to read etc_t files
+- Add permissivedomains module
+- Move all permissive domains calls to permissivedomain.te
+- Allow pegasis to send kill signals to other UIDs
+
+* Wed Aug 24 2011 Miroslav Grepl 3.10.0-21
+- Allow insmod_t to use fds leaked from devicekit
+- dontaudit getattr between insmod_t and init_t unix_stream_sockets
+- Change sysctl unit file interfaces to use systemctl
+- Add support for chronyd unit file
+- Allow mozilla_plugin to read gnome_usr_config
+- Add policy for new gpsd
+- Allow cups to create kerberos rhost cache files
+- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
+
+* Tue Aug 23 2011 Dan Walsh 3.10.0-20
+- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten
+
+* Tue Aug 23 2011 Miroslav Grepl 3.10.0-19
+- Add policy for sa-update being run out of cron jobs
+- Add create perms to postgresql_manage_db
+- ntpd using a gps has to be able to read/write generic tty_device_t
+- If you disable unconfined and unconfineduser, rpm needs more privs to manage /dev
+- fix spec file
+- Remove qemu_domtrans_unconfined() interface
+- Make passenger working together with puppet
+- Add init_dontaudit_rw_stream_socket interface
+- Fixes for wordpress
+
+* Thu Aug 11 2011 Miroslav Grepl 3.10.0-18
+- Turn on allow_domain_fd_use boolean on F16
+- Allow syslog to manage all log files
+- Add use_fusefs_home_dirs boolean for chrome
+- Make vdagent working with confined users
+- Add abrt_handle_event_t domain for ABRT event scripts
+- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
+- Allow httpd_git_script_t to
read passwd data
+- Allow openvpn to set its process priority when the nice parameter is used
+
+* Wed Aug 10 2011 Miroslav Grepl 3.10.0-17
+- livecd fixes
+- spec file fixes
+
+* Thu Aug 4 2011 Miroslav Grepl 3.10.0-16
+- fetchmail can use kerberos
+- ksmtuned reads in shell programs
+- gnome_systemctl_t reads the process state of ntp
+- dnsmasq_t asks the kernel to load multiple kernel modules
+- Add rules for domains executing systemctl
+- Bogus text within fc file
+
+* Wed Aug 3 2011 Miroslav Grepl 3.10.0-14
+- Add cfengine policy
+
+* Tue Aug 2 2011 Miroslav Grepl 3.10.0-13
+- Add abrt_domain attribute
+- Allow corosync to manage cluster lib files
+- Allow corosync to connect to the system DBUS
+
+* Mon Aug 1 2011 Miroslav Grepl 3.10.0-12
+- Add sblim, uuidd policies
+- Allow kernel_t dyntrasition to init_t
+
+* Fri Jul 29 2011 Miroslav Grepl 3.10.0-11
+- init_t need setexec
+- More fixes of rules which cause an explosion in rules by Dan Walsh
+
+* Tue Jul 26 2011 Miroslav Grepl 3.10.0-10
+- Allow rcsmcertd to perform DNS name resolution
+- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
+- Allow tmux to run as screen
+- New policy for collectd
+- Allow gkeyring_t to interact with all user apps
+- Add rules to allow firstboot to run on machines with the unconfined.pp module removed
+
+* Sat Jul 23 2011 Miroslav Grepl 3.10.0-9
+- Allow systemd_logind to send dbus messages with users
+- allow accountsd to read wtmp file
+- Allow dhcpd to get and set capabilities
+
+* Fri Jul 22 2011 Miroslav Grepl 3.10.0-8
+- Fix oracledb_port definition
+- Allow mount to mounton the selinux file system
+- Allow users to list /var directories
+
+* Thu Jul 21 2011 Miroslav Grepl 3.10.0-7
+- systemd fixes
+
+* Tue Jul 19 2011 Miroslav Grepl 3.10.0-6
+- Add initial policy for abrt_dump_oops_t
+- xtables-multi wants to getattr of the proc fs
+- Smoltclient is connecting to abrt
+- Dontaudit leaked file descriptors to postdrop
+- Allow abrt_dump_oops to look
at kernel sysctls
+- Abrt_dump_oops_t reads kernel ring buffer
+- Allow mysqld to request the kernel to load modules
+- systemd-login needs fowner
+- Allow postfix_cleanup_t to searh maildrop
+
+* Mon Jul 18 2011 Miroslav Grepl 3.10.0-5
+- Initial systemd_logind policy
+- Add policy for systemd_logger and additional proivs for systemd_logind
+- More fixes for systemd policies
+
+* Thu Jul 14 2011 Miroslav Grepl 3.10.0-4
+- Allow setsched for virsh
+- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories
+- iptables: the various /sbin/ip6?tables.* are now symlinks for
+/sbin/xtables-multi
+
+* Tue Jul 12 2011 Miroslav Grepl 3.10.0-3
+- A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit
+- Allow colord to interact with the users through the tmpfs file system
+- Since we changed the label on deferred, we need to allow postfix_qmgr_t to be able to create maildrop_t files
+- Add label for /var/log/mcelog
+- Allow asterisk to read /dev/random if it uses TLS
+- Allow colord to read ini files which are labeled as bin_t
+- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
+- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first.
+- Also lists /var and /var/spool directories
+- Add openl2tpd to l2tpd policy
+- qpidd is reading the sysfs file
+
+* Thu Jun 30 2011 Miroslav Grepl 3.10.0-2
+- Change usbmuxd_t to dontaudit attempts to read chr_file
+- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains
+- Allow pppd to search /var/lock dir
+- Add rhsmcertd policy
+
+* Mon Jun 27 2011 Miroslav Grepl 3.10.0-1
+- Update to upstream
+
+* Mon Jun 27 2011 Miroslav Grepl 3.9.16-30
+- More fixes
+ * http://git.fedorahosted.org/git/?p=selinux-policy.git
+
+* Thu Jun 16 2011 Dan Walsh 3.9.16-29.1
+- Fix spec file to not report Verify errors
+
+* Thu Jun 16 2011 Miroslav Grepl 3.9.16-29
+- Add dspam policy
+- Add lldpad policy
+- dovecot auth wants to search statfs #713555
+- Allow systemd passwd apps to read init fifo_file
+- Allow prelink to use inherited terminals
+- Run cherokee in the httpd_t domain
+- Allow mcs constraints on node connections
+- Implement pyicqt policy
+- Fixes for zarafa policy
+- Allow cobblerd to send syslog messages
+
+* Wed Jun 8 2011 Dan Walsh 3.9.16-28.1
+- Add policy.26 to the payload
+- Remove olpc stuff
+- Remove policygentool
+
+* Wed Jun 8 2011 Miroslav Grepl 3.9.16-27
+- Fixes for zabbix
+- init script needs to be able to manage sanlock_var_run_...
+- Allow sandlock and wdmd to create /var/run directories...
+- mixclip.so has been compiled correctly
+- Fix passenger policy module name
+
+* Tue Jun 7 2011 Miroslav Grepl 3.9.16-26
+- Add mailscanner policy from dgrift
+- Allow chrome to optionally be transitioned to
+- Zabbix needs these rules when starting the zabbix_server_mysql
+- Implement a type for freedesktop openicc standard (~/.local/share/icc)
+- Allow system_dbusd_t to read inherited icc_data_home_t files.
+- Allow colord_t to read icc_data_home_t content.
#706975
+- Label stuff under /usr/lib/debug as if it was labeled under /
+
+* Thu Jun 2 2011 Miroslav Grepl 3.9.16-25
+- Fixes for sanlock policy
+- Fixes for colord policy
+- Other fixes
+ * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
+
+* Thu May 26 2011 Miroslav Grepl 3.9.16-24
+- Add rhev policy module to modules-targeted.conf
+
+* Tue May 24 2011 Miroslav Grepl 3.9.16-23
+- Lot of fixes
+ * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
+
+* Thu May 19 2011 Miroslav Grepl 3.9.16-22
+- Allow logrotate to execute systemctl
+- Allow nsplugin_t to getattr on gpmctl
+- Fix dev_getattr_all_chr_files() interface
+- Allow shorewall to use inherited terms
+- Allow userhelper to getattr all chr_file devices
+- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
+- Fix labeling for ABRT Retrace Server
+
+* Mon May 9 2011 Miroslav Grepl 3.9.16-21
+- Dontaudit sys_module for ifconfig
+- Make telepathy and gkeyringd daemon working with confined users
+- colord wants to read files in users homedir
+- Remote login should be creating user_tmp_t not its own tmp files
+
+* Thu May 5 2011 Miroslav Grepl 3.9.16-20
+- Fix label for /usr/share/munin/plugins/munin_* plugins
+- Add support for zarafa-indexer
+- Fix boolean description
+- Allow colord to getattr on /proc/scsi/scsi
+- Add label for /lib/upstart/init
+- Colord needs to list /mnt
+
+* Tue May 3 2011 Miroslav Grepl 3.9.16-19
+- Forard port changes from F15 for telepathy
+- NetworkManager should be allowed to use /dev/rfkill
+- Fix dontaudit messages to say Domain to not audit
+- Allow telepathy domains to read/write gnome_cache files
+- Allow telepathy domains to call getpw
+- Fixes for colord and vnstatd policy
+
+* Wed Apr 27 2011 Miroslav Grepl 3.9.16-18
+- Allow init_t getcap and setcap
+- Allow namespace_init_t to use nsswitch
+- aisexec will execute corosync
+- colord tries to read files off noxattr file systems
+- Allow init_t getcap and setcap
+
+* Thu Apr
21 2011 Miroslav Grepl 3.9.16-17
+- Add support for ABRT retrace server
+- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners
+- Allow telepath_msn_t to read /proc/PARENT/cmdline
+- ftpd needs kill capability
+- Allow telepath_msn_t to connect to sip port
+- keyring daemon does not work on nfs homedirs
+- Allow $1_sudo_t to read default SELinux context
+- Add label for tgtd sock file in /var/run/
+- Add apache_exec_rotatelogs interface
+- allow all zaraha domains to signal themselves, server writes to /tmp
+- Allow syslog to read the process state
+- Add label for /usr/lib/chromium-browser/chrome
+- Remove the telepathy transition from unconfined_t
+- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts
+- Allow initrc_t domain to manage abrt pid files
+- Add support for AEOLUS project
+- Virt_admin should be allowed to manage images and processes
+- Allow plymountd to send signals to init
+- Change labeling of fping6
+
+* Tue Apr 19 2011 Dan Walsh 3.9.16-16.1
+- Add filename transitions
+
+* Tue Apr 19 2011 Miroslav Grepl 3.9.16-16
+- Fixes for zarafa policy
+- Add support for AEOLUS project
+- Change labeling of fping6
+- Allow plymountd to send signals to init
+- Allow initrc_t domain to manage abrt pid files
+- Virt_admin should be allowed to manage images and processes
+
+* Fri Apr 15 2011 Miroslav Grepl 3.9.16-15
+- xdm_t needs getsession for switch user
+- Every app that used to exec init is now execing systemdctl
+- Allow squid to manage krb5_host_rcache_t files
+- Allow foghorn to connect to agentx port - Fixes for colord policy
+
+* Mon Apr 11 2011 Miroslav Grepl 3.9.16-14
+- Add Dan's patch to remove 64 bit variants
+- Allow colord to use unix_dgram_socket
+- Allow apps that search pids to read /var/run if it is a lnk_file
+- iscsid_t creates its own directory
+- Allow init to list var_lock_t dir
+- apm needs to verify user accounts auth_use_nsswitch
+- Add labeling for systemd unit
files
+- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added
+- Add label for matahari-broker.pid file
+- We want to remove untrustedmcsprocess from ability to read /proc/pid
+- Fixes for matahari policy
+- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
+- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
+
+* Tue Apr 5 2011 Miroslav Grepl 3.9.16-13
+- Fix typo
+
+* Mon Apr 4 2011 Miroslav Grepl 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
+* Mon Apr 4 2011 Miroslav Grepl 3.9.16-11
+- Fix label for /var/run/udev to udev_var_run_t
+- Mock needs to be able to read network state
+
+* Fri Apr 1 2011 Miroslav Grepl 3.9.16-10
+- Add file_contexts.subs to handle /run and /run/lock
+- Add other fixes relating to /run changes from F15 policy
+
+* Fri Mar 25 2011 Miroslav Grepl 3.9.16-7
+- Allow $1_sudo_t and $1_su_t open access to user terminals
+- Allow initrc_t to use generic terminals
+- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
+-systemd is going to be useing /run and /run/lock for early bootup files.
+- Fix some comments in rlogin.if
+- Add policy for KDE backlighthelper
+- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
+- sssd wants to read .k5login file in users homedir
+- setroubleshoot reads executables to see if they have TEXTREL
+- Add /var/spool/audit support for new version of audit
+- Remove kerberos_connect_524() interface calling
+- Combine kerberos_master_port_t and kerberos_port_t
+- systemd has setup /dev/kmsg as stderr for apps it executes
+- Need these access so that init can impersonate sockets on unix_dgram_socket
+
+* Wed Mar 23 2011 Miroslav Grepl 3.9.16-6
+- Remove some unconfined domains
+- Remove permissive domains
+- Add policy-term.patch from Dan
+
+* Thu Mar 17 2011 Miroslav Grepl 3.9.16-5
+- Fix multiple specification for boot.log
+- devicekit leaks file descriptors to setfiles_t
+- Change all all_nodes to generic_node and all_if to generic_if
+- Should not use deprecated interface
+- Switch from using all_nodes to generic_node and from all_if to generic_if
+- Add support for xfce4-notifyd
+- Fix file context to show several labels as SystemHigh
+- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
+- Add etc_runtime_t label for /etc/securetty
+- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
+- login.krb needs to be able to write user_tmp_t
+- dirsrv needs to bind to port 7390 for dogtag
+- Fix a bug in gpg policy
+- gpg sends audit messages
+- Allow qpid to manage matahari files
+
+* Tue Mar 15 2011 Miroslav Grepl 3.9.16-4
+- Initial policy for matahari
+- Add dev_read_watchdog
+- Allow clamd to connect clamd port
+- Add support for kcmdatetimehelper
+- Allow shutdown to setrlimit and sys_nice
+- Allow systemd_passwd to talk to /dev/log before udev or syslog is running
+- Purge chr_file and blk files on /tmp
+- Fixes for pads
+- Fixes for piranha-pulse
+- gpg_t needs to be able to encyprt anything owned by the user
+
+* Thu Mar 10 2011 Miroslav Grepl 3.9.16-3
+- mozilla_plugin_tmp_t needs
to be treated as user tmp files
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
+
+* Thu Mar 10 2011 Miroslav Grepl 3.9.16-2
+- Add policykit fixes from Tim Waugh
+- dontaudit sandbox domains sandbox_file_t:dir mounton
+- Add new dontaudit rules for sysadm_dbusd_t
+- Change label for /var/run/faillock
+ * other fixes which relate with this change
+
+* Tue Mar 8 2011 Miroslav Grepl 3.9.16-1
+- Update to upstream
+- Fixes for telepathy
+- Add port defition for ssdp port
+- add policy for /bin/systemd-notify from Dan
+- Mount command requires users read mount_var_run_t
+- colord needs to read konject_uevent_socket
+- User domains connect to the gkeyring socket
+- Add colord policy and allow user_t and staff_t to dbus chat with it
+- Add lvm_exec_t label for kpartx
+- Dontaudit reading the mail_spool_t link from sandbox -X
+- systemd is creating sockets in avahi_var_run and system_dbusd_var_run
+
+* Tue Mar 1 2011 Miroslav Grepl 3.9.15-5
+- gpg_t needs to talk to gnome-keyring
+- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
+- enforce MCS labeling on nodes
+- Allow arpwatch to read meminfo
+- Allow gnomeclock to send itself signals
+- init relabels /dev/.udev files on boot
+- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_exec_t
+- nautilus checks access on /media directory before mounting usb sticks, dontaudit access_check on mnt_t
+- dnsmasq can run as a dbus service, needs acquire service
+- mysql_admin should be allowed to connect to mysql service
+- virt creates monitor sockets in the users home dir
+
+* Mon Feb 21 2011 Miroslav Grepl 3.9.15-2
+- Allow usbhid-ups to read hardware state information
+- systemd-tmpfiles has moved
+- Allo cgroup to
sys_tty_config
+- For some reason prelink is attempting to read gconf settings
+- Add allow_daemons_use_tcp_wrapper boolean
+- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
+- Add label for char devices /dev/dasd*
+- Fix for apache_role
+- Allow amavis to talk to nslcd
+- allow all sandbox to read selinux poilcy config files
+- Allow cluster domains to use the system bus and send each other dbus messages
+
+* Wed Feb 16 2011 Miroslav Grepl 3.9.15-1
+- Update to upstream
+
+* Wed Feb 09 2011 Fedora Release Engineering - 3.9.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 8 2011 Dan Walsh 3.9.14-1
+- Update to ref policy
+- cgred needs chown capability
+- Add /dev/crash crash_dev_t
+- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
+
+* Tue Feb 8 2011 Miroslav Grepl 3.9.13-10
+- New labeling for postfmulti #675654
+- dontaudit xdm_t listing noxattr file systems
+- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
+- shutdown is passed stdout to a xdm_log_t file
+- smartd creates a fixed disk device
+- dovecot_etc_t contains a lnk_file that domains need to read
+- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
+
+* Thu Feb 3 2011 Miroslav Grepl 3.9.13-9
+- syslog_t needs syslog capability
+- dirsrv needs to be able to create /var/lib/snmp
+- Fix labeling for dirsrv
+- Fix for dirsrv policy missing manage_dirs_pattern
+- corosync needs to delete clvm_tmpfs_t files
+- qdiskd needs to list hugetlbfs
+- Move setsched to sandbox_x_domain, so firefox can run without network access
+- Allow hddtemp to read removable devices
+- Adding syslog and read_policy permissions to policy
+ * syslog
+ Allow unconfined, sysadm_t, secadm_t, logadm_t
+ * read_policy
+ allow unconfined, sysadm_t, secadm_t, staff_t on Targeted
+ allow sysadm_t (optionally), secadm_t on MLS
+- mdadm application will
write into /sys/.../uevent whenever arrays are
+assembled or disassembled.
+
+* Tue Feb 1 2011 Dan Walsh 3.9.13-8
+- Add tcsd policy
+
+* Tue Feb 1 2011 Miroslav Grepl 3.9.13-7
+- ricci_modclusterd_t needs to bind to rpc ports 500-1023
+- Allow dbus to use setrlimit to increase resoueces
+- Mozilla_plugin is leaking to sandbox
+- Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control
+- Allow awstats to read squid logs
+- seunshare needs to manage tmp_t
+- apcupsd cgi scripts have a new directory
+
+* Thu Jan 27 2011 Miroslav Grepl 3.9.13-6
+- Fix xserver_dontaudit_read_xdm_pid
+- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
+- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
+ * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
+- Allow readahead to manage readahead pid dirs
+- Allow readahead to read all mcs levels
+- Allow mozilla_plugin_t to use nfs or samba homedirs
+
+* Tue Jan 25 2011 Miroslav Grepl 3.9.13-5
+- Allow nagios plugin to read /proc/meminfo
+- Fix for mozilla_plugin
+- Allow samba_net_t to create /etc/keytab
+- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t
+- nslcd can read user credentials
+- Allow nsplugin to delete mozilla_plugin_tmpfs_t
+- abrt tries to create dir in rpm_var_lib_t
+- virt relabels fifo_files
+- sshd needs to manage content in fusefs homedir
+- mock manages link files in cache dir
+
+* Fri Jan 21 2011 Miroslav Grepl 3.9.13-4
+- nslcd needs setsched and to read /usr/tmp
+- Invalid call in likewise policy ends up creating a bogus role
+- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
+- Allow screen to create screen_home_t in /root
+- dirsrv sends syslog messages
+- pinentry reads stuff in .kde directory
+- Add labels for .kde directory in homedir
+- Treat irpinit, iprupdate, iprdump services with raid policy
+
+* Wed Jan 19
2011 Miroslav Grepl 3.9.13-3
+- NetworkManager wants to read consolekit_var_run_t
+- Allow readahead to create /dev/.systemd/readahead
+- Remove permissive domains
+- Allow newrole to run namespace_init
+
+* Tue Jan 18 2011 Miroslav Grepl 3.9.13-2
+- Add sepgsql_contexts file
+
+* Mon Jan 17 2011 Miroslav Grepl 3.9.13-1
+- Update to upstream
+
+* Mon Jan 17 2011 Miroslav Grepl 3.9.12-8
+- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
+- Add puppetmaster_use_db boolean
+- Fixes for zarafa policy
+- Fixes for gnomeclock poliy
+- Fix systemd-tmpfiles to use auth_use_nsswitch
+
+* Fri Jan 14 2011 Miroslav Grepl 3.9.12-7
+- gnomeclock executes a shell
+- Update for screen policy to handle pipe in homedir
+- Fixes for polyinstatiated homedir
+- Fixes for namespace policy and other fixes related to polyinstantiation
+- Add namespace policy
+- Allow dovecot-deliver transition to sendmail which is needed by sieve scripts
+- Fixes for init, psad policy which relate with confined users
+- Do not audit bootloader attempts to read devicekit pid files
+- Allow nagios service plugins to read /proc
+
+* Tue Jan 11 2011 Miroslav Grepl 3.9.12-6
+- Add firewalld policy
+- Allow vmware_host to read samba config
+- Kernel wants to read /proc Fix duplicate grub def in cobbler
+- Chrony sends mail, executes shell, uses fifo_file and reads /proc
+- devicekitdisk getattr all file systems
+- sambd daemon writes wtmp file
+- libvirt transitions to dmidecode
+
+* Wed Jan 5 2011 Miroslav Grepl 3.9.12-5
+- Add initial policy for system-setup-keyboard which is now daemon
+- Label /var/lock/subsys/shorewall as shorewall_lock_t
+- Allow users to communicate with the gpg_agent_t
+- Dontaudit mozilla_plugin_t using the inherited terminal
+- Allow sambagui to read files in /usr
+- webalizer manages squid log files
+- Allow unconfined domains to bind ports to raw_ip_sockets
+- Allow abrt to manage rpm logs when running yum
+- Need labels for
/var/run/bittlebee
+- Label .ssh under amanda
+- Remove unused genrequires for virt_domain_template
+- Allow virt_domain to use fd inherited from virtd_t
+- Allow iptables to read shorewall config
+
+* Tue Dec 28 2010 Dan Walsh 3.9.12-4
+- Gnome apps list config_home_t
+- mpd creates lnk files in homedir
+- apache leaks write to mail apps on tmp files
+- /var/stockmaniac/templates_cache contains log files
+- Abrt list the connects of mount_tmp_t dirs
+- passwd agent reads files under /dev and reads utmp file
+- squid apache script connects to the squid port
+- fix name of plymouth log file
+- teamviewer is a wine app
+- allow dmesg to read system state
+- Stop labeling files under /var/lib/mock so restorecon will not go into this
+- nsplugin needs to read network state for google talk
+
+* Thu Dec 23 2010 Dan Walsh 3.9.12-3
+- Allow xdm and syslog to use /var/log/boot.log
+- Allow users to communicate with mozilla_plugin and kill it
+- Add labeling for ipv6 and dhcp
+
+* Tue Dec 21 2010 Dan Walsh 3.9.12-2
+- New labels for ghc http content
+- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
+- pm-suspend now creates log file for append access so we remove devicekit_wri
+- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
+- Fixes for greylist_milter policy
+
+* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1
+- Update to upstream
+- Fixes for systemd policy
+- Fixes for passenger policy
+- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
+- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
+- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
+- Dontaudit (xdm_t) gok attempting to list contents of /var/account
+- Telepathy domains need to read urand
+- Need interface to getattr all file classes in a mock library for setroubleshoot
+
+* Wed Dec 15 2010 Dan Walsh 3.9.11-2
+- Update selinux policy to handle new /usr/share/sandbox/start script
+
+* Wed Dec 15 2010 Miroslav
Grepl 3.9.11-1
+- Update to upstream
+- Fix version of policy in spec file
+
+* Tue Dec 14 2010 Miroslav Grepl 3.9.10-13
+- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
+- remove per sandbox domains devpts types
+- Allow dkim-milter sending signal to itself
+
+* Mon Dec 13 2010 Dan Walsh 3.9.10-12
+- Allow domains that transition to ping or traceroute, kill them
+- Allow user_t to conditionally transition to ping_t and traceroute_t
+- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
+
+* Mon Dec 13 2010 Miroslav Grepl 3.9.10-11
+- Turn on systemd policy
+- mozilla_plugin needs to read certs in the homedir.
+- Dontaudit leaked file descriptors from devicekit
+- Fix ircssi to use auth_use_nsswitch
+- Change to use interface without param in corenet to disable unlabelednet packets
+- Allow init to relabel sockets and fifo files in /dev
+- certmonger needs dac* capabilities to manage cert files not owned by root
+- dovecot needs fsetid to change group membership on mail
+- plymouthd removes /var/log/boot.log
+- systemd is creating symlinks in /dev
+- Change label on /etc/httpd/alias to be all cert_t
+
+* Fri Dec 10 2010 Miroslav Grepl 3.9.10-10
+- Fixes for clamscan and boinc policy
+- Add boinc_project_t setpgid
+- Allow alsa to create tmp files in /tmp
+
+* Tue Dec 7 2010 Miroslav Grepl 3.9.10-9
+- Push fixes to allow disabling of unlabeled_t packet access
+- Enable unlabelednet policy
+
+* Tue Dec 7 2010 Miroslav Grepl 3.9.10-8
+- Fixes for lvm to work with systemd
+
+* Mon Dec 6 2010 Miroslav Grepl 3.9.10-7
+- Fix the label for wicd log
+- plymouthd creates force-display-on-active-vt file
+- Allow avahi to request the kernel to load a module
+- Dontaudit hal leaks
+- Fix gnome_manage_data interface
+- Add new interface corenet_packet to define a type as being an packet_type.
+- Removed general access to packet_type from icecast and squid.
+- Allow mpd to read alsa config
+- Fix the label for wicd log
+- Add systemd policy
+
+* Fri Dec 3 2010 Miroslav Grepl 3.9.10-6
+- Fix gnome_manage_data interface
+- Dontaudit sys_ptrace capability for iscsid
+- Fixes for nagios plugin policy
+
+* Thu Dec 2 2010 Miroslav Grepl 3.9.10-5
+- Fix cron to run ranged when started by init
+- Fix devicekit to use log files
+- Dontaudit use of devicekit_var_run_t for fstools
+- Allow init to setattr on logfile directories
+- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t
+
+* Tue Nov 30 2010 Dan Walsh 3.9.10-4
+- Fix up handling of dnsmasq_t creating /var/run/libvirt/network
+- Turn on sshd_forward_ports boolean by default
+- Allow sysadmin to dbus chat with rpm
+- Add interface for rw_tpm_dev
+- Allow cron to execute bin
+- fsadm needs to write sysfs
+- Dontaudit consoletype reading /var/run/pm-utils
+- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
+- certmonger needs to manage dirsrv data
+- /var/run/pm-utils should be labeled as devicekit_var_run_t
+
+* Tue Nov 30 2010 Miroslav Grepl 3.9.10-3
+- fixes to allow /var/run and /var/lock as tmpfs
+- Allow chrome sandbox to connect to web ports
+- Allow dovecot to listem on lmtp and sieve ports
+- Allov ddclient to search sysctl_net_t
+- Transition back to original domain if you execute the shell
+
+* Thu Nov 25 2010 Miroslav Grepl 3.9.10-2
+- Remove duplicate declaration
+
+* Thu Nov 25 2010 Miroslav Grepl 3.9.10-1
+- Update to upstream
+- Cleanup for sandbox
+- Add attribute to be able to select sandbox types
+
+* Mon Nov 22 2010 Miroslav Grepl 3.9.9-4
+- Allow ddclient to fix file mode bits of ddclient conf file
+- init leaks file descriptors to daemons
+- Add labels for /etc/lirc/ and
+- Allow amavis_t to exec shell
+- Add label for gssd_tmp_t for /var/tmp/nfs_0
+
+* Thu Nov 18 2010 Dan Walsh 3.9.9-3
+- Put back in lircd_etc_t so policy will install
+
+* Thu Nov 18 2010 Miroslav Grepl 3.9.9-2
+- Turn on allow_postfix_local_write_mail_spool
+- Allow initrc_t to transition to shutdown_t
+- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
+- Allow wm to send signull to all applications and receive them from users
+- lircd patch from field
+- Login programs have to read /etc/samba
+- New programs under /lib/systemd
+- Abrt needs to read config files
+
+* Tue Nov 16 2010 Miroslav Grepl 3.9.9-1
+- Update to upstream
+- Dontaudit leaked sockets from userdomains to user domains
+- Fixes for mcelog to handle scripts
+- Apply patch from Ruben Kerkhof
+- Allow syslog to search spool dirs
+
+* Mon Nov 15 2010 Miroslav Grepl 3.9.8-7
+- Allow nagios plugins to read usr files
+- Allow mysqld-safe to send system log messages
+- Fixes fpr ddclient policy
+- Fix sasl_admin interface
+- Allow apache to search zarafa config
+- Allow munin plugins to search /var/lib directory
+- Allow gpsd to read sysfs_t
+- Fix labels on /etc/mcelog/triggers to bin_t
+
+* Fri Nov 12 2010 Dan Walsh 3.9.8-6
+- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
+- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
+- Fix xserver interface
+- Fix definition of /var/run/lxdm
+
+* Fri Nov 12 2010 Miroslav Grepl 3.9.8-5
+- Turn on mediawiki policy
+- kdump leaks kdump_etc_t to ifconfig, add dontaudit
+- uux needs to transition to uucpd_t
+- More init fixes relabels man,faillog
+- Remove maxima defs in libraries.fc
+- insmod needs to be able to create tmpfs_t files
+- ping needs setcap
+
+* Wed Nov 10 2010 Miroslav Grepl 3.9.8-4
+- Allow groupd transition to fenced domain when executes fence_node
+- Fixes for rchs policy
+- Allow mpd to be able to read samba/nfs files
+
+* Tue Nov 9 2010 Dan Walsh 3.9.8-3
+- Fix up corecommands.fc to match upstream
+- Make sure /lib/systemd/* is labeled init_exec_t
+- mount wants to setattr on all mountpoints
+- dovecot auth wants to read dovecot etc files
+- nscd daemon looks at the exe file of the comunicating daemon
+-
openvpn wants to read utmp file
+- postfix apps now set sys_nice and lower limits
+- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
+- Also resolves nsswitch
+- Fix labels on /etc/hosts.*
+- Cleanup to make upsteam patch work
+- allow abrt to read etc_runtime_t
+
+* Fri Nov 5 2010 Dan Walsh 3.9.8-2
+- Add conflicts for dirsrv package
+
+* Fri Nov 5 2010 Dan Walsh 3.9.8-1
+- Update to upstream
+- Add vlock policy
+
+* Wed Nov 3 2010 Dan Walsh 3.9.7-10
+- Fix sandbox to work on nfs homedirs
+- Allow cdrecord to setrlimit
+- Allow mozilla_plugin to read xauth
+- Change label on systemd-logger to syslogd_exec_t
+- Install dirsrv policy from dirsrv package
+
+* Tue Nov 2 2010 Dan Walsh 3.9.7-9
+- Add virt_home_t, allow init to setattr on xserver_tmp_t and relabel it
+- Udev needs to stream connect to init and kernel
+- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
+
+* Mon Nov 1 2010 Dan Walsh 3.9.7-8
+- Allow NetworkManager to read openvpn_etc_t
+- Dontaudit hplip to write of /usr dirs
+- Allow system_mail_t to create /root/dead.letter as mail_home_t
+- Add vdagent policy for spice agent daemon
+
+* Thu Oct 28 2010 Dan Walsh 3.9.7-7
+- Dontaudit sandbox sending sigkill to all user domains
+- Add policy for rssh_chroot_helper
+- Add missing flask definitions
+- Allow udev to relabelto removable_t
+- Fix label on /var/log/wicd.log
+- Transition to initrc_t from init when executing bin_t
+- Add audit_access permissions to file
+- Make removable_t a device_node
+- Fix label on /lib/systemd/*
+
+* Fri Oct 22 2010 Dan Walsh 3.9.7-6
+- Fixes for systemd to manage /var/run
+- Dontaudit leaks by firstboot
+
+* Tue Oct 19 2010 Dan Walsh 3.9.7-5
+- Allow chome to create netlink_route_socket
+- Add additional MATHLAB file context
+- Define nsplugin as an application_domain
+- Dontaudit sending signals from sandboxed domains to other domains
+- systemd requires init to build
/tmp /var/auth and /var/lock dirs
+- mount wants to read devicekit_power /proc/ entries
+- mpd wants to connect to soundd port
+- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
+- Treat lib_t and textrel_shlib_t directories the same
+- Allow mount read access on virtual images
+
+* Fri Oct 15 2010 Dan Walsh 3.9.7-4
+- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
+- Allow devicekit_power to domtrans to mount
+- Allow dhcp to bind to udp ports > 1024 to do named stuff
+- Allow ssh_t to exec ssh_exec_t
+- Remove telepathy_butterfly_rw_tmp_files(), dev_read_printk() interfaces which are nolonger used
+- Fix clamav_append_log() intefaces
+- Fix 'psad_rw_fifo_file' interface
+
+* Fri Oct 15 2010 Dan Walsh 3.9.7-3
+- Allow cobblerd to list cobler appache content
+
+* Fri Oct 15 2010 Dan Walsh 3.9.7-2
+- Fixup for the latest version of upowed
+- Dontaudit sandbox sending SIGNULL to desktop apps
+
+* Wed Oct 13 2010 Dan Walsh 3.9.7-1
+- Update to upstream
+
+* Tue Oct 12 2010 Dan Walsh 3.9.6-3
+-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
+- dovecot-auth_t needs ipc_lock
+- gpm needs to use the user terminal
+- Allow system_mail_t to append ~/dead.letter
+- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
+- Add pid file to vnstatd
+- Allow mount to communicate with gfs_controld
+- Dontaudit hal leaks in setfiles
+
+* Fri Oct 8 2010 Dan Walsh 3.9.6-2
+- Lots of fixes for systemd
+- systemd now executes readahead and tmpwatch type scripts
+- Needs to manage random seed
+
+* Thu Oct 7 2010 Dan Walsh 3.9.6-1
+- Allow smbd to use sys_admin
+- Remove duplicate file context for tcfmgr
+- Update to upstream
+
+* Wed Oct 6 2010 Dan Walsh 3.9.5-11
+- Fix fusefs handling
+- Do not allow sandbox to manage nsplugin_rw_t
+- Allow mozilla_plugin_t to connecto its parent
+- Allow init_t to connect to plymouthd running as kernel_t
+- Add mediawiki policy
+-
dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
+- Disable transition from dbus_session_domain to telepathy for F14
+- Allow boinc_project to use shm
+- Allow certmonger to search through directories that contain certs
+- Allow fail2ban the DAC Override so it can read log files owned by non root users
+
+* Mon Oct 4 2010 Dan Walsh 3.9.5-10
+- Start adding support for use_fusefs_home_dirs
+- Add /var/lib/syslog directory file context
+- Add /etc/localtime as locale file context
+
+* Thu Sep 30 2010 Dan Walsh 3.9.5-9
+- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
+- Turn off iptables from unconfined user
+- Allow sudo to send signals to any domains the user could have transitioned to.
+- Passwd in single user mode needs to talk to console_device_t
+- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
+- locate tried to read a symbolic link, will dontaudit
+- New labels for telepathy-sunshine content in homedir
+- Google is storing other binaries under /opt/google/talkplugin
+- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
+- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
+- modemmanger and bluetooth send dbus messages to devicekit_power
+- Samba needs to getquota on filesystems labeld samba_share_t
+
+* Wed Sep 29 2010 Dan Walsh 3.9.5-8
+- Dontaudit attempts by xdm_t to write to bin_t for kdm
+- Allow initrc_t to manage system_conf_t
+
+* Mon Sep 27 2010 Dan Walsh 3.9.5-7
+- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
+- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
+- Allow confined users to read xdm_etc_t files
+- Allow xdm_t to transition to xauth_t for lxdm program
+
+* Sun Sep 26 2010 Dan Walsh 3.9.5-6
+- Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
+- Allow clamd to send signals to itself
+- Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm.
+- Allow haze to connect to yahoo chat and messenger port tcp:5050.
+Bz #637339
+- Allow guest to run ps command on its processes by allowing it to read /proc
+- Allow firewallgui to sys_rawio which seems to be required to setup masqerading
+- Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba.
+- Add label for /var/log/slim.log
+
+* Fri Sep 24 2010 Dan Walsh 3.9.5-5
+- Pull in cleanups from dgrift
+- Allow mozilla_plugin_t to execute mozilla_home_t
+- Allow rpc.quota to do quotamod
+
+* Thu Sep 23 2010 Dan Walsh 3.9.5-4
+- Cleanup policy via dgrift
+- Allow dovecot_deliver to append to inherited log files
+- Lots of fixes for consolehelper
+
+* Wed Sep 22 2010 Dan Walsh 3.9.5-3
+- Fix up Xguest policy
+
+* Thu Sep 16 2010 Dan Walsh 3.9.5-2
+- Add vnstat policy
+- allow libvirt to send audit messages
+- Allow chrome-sandbox to search nfs_t
+
+* Thu Sep 16 2010 Dan Walsh 3.9.5-1
+- Update to upstream
+
+* Wed Sep 15 2010 Dan Walsh 3.9.4-3
+- Add the ability to send audit messages to confined admin policies
+- Remove permissive domain from cmirrord and dontaudit sys_tty_config
+- Split out unconfined_domain() calls from other unconfined_ calls so we can d
+- virt needs to be able to read processes to clearance for MLS
+
+* Tue Sep 14 2010 Dan Walsh 3.9.4-2
+- Allow all domains that can use cgroups to search tmpfs_t directory
+- Allow init to send audit messages
+
+* Thu Sep 9 2010 Dan Walsh 3.9.4-1
+- Update to upstream
+
+* Thu Sep 9 2010 Dan
Walsh 3.9.3-4 +- Allow mdadm_t to create files and sock files in /dev/md/ + +* Thu Sep 9 2010 Dan Walsh 3.9.3-3 +- Add policy for ajaxterm + +* Wed Sep 8 2010 Dan Walsh 3.9.3-2 +- Handle /var/db/sudo +- Allow pulseaudio to read alsa config +- Allow init to send initrc_t dbus messages + +* Tue Sep 7 2010 Dan Walsh 3.9.3-1 +Allow iptables to read shorewall tmp files +Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr +intd +label vlc as an execmem_exec_t +Lots of fixes for mozilla_plugin to run google vidio chat +Allow telepath_msn to execute ldconfig and its own tmp files +Fix labels on hugepages +Allow mdadm to read files on /dev +Remove permissive domains and change back to unconfined +Allow freshclam to execute shell and bin_t +Allow devicekit_power to transition to dhcpc +Add boolean to allow icecast to connect to any port + +* Tue Aug 31 2010 Dan Walsh 3.9.2-1 +- Merge upstream fix of mmap_zero +- Allow mount to write files in debugfs_t +- Allow corosync to communicate with clvmd via tmpfs +- Allow certmaster to read usr_t files +- Allow dbus system services to search cgroup_t +- Define rlogind_t as a login pgm + +* Tue Aug 31 2010 Dan Walsh 3.9.1-3 +- Allow mdadm_t to read/write hugetlbfs + +* Tue Aug 31 2010 Dan Walsh 3.9.1-2 +- Dominic Grift Cleanup +- Miroslav Grepl policy for jabberd +- Various fixes for mount/livecd and prelink + +* Mon Aug 30 2010 Dan Walsh 3.9.1-1 +- Merge with upstream + +* Thu Aug 26 2010 Dan Walsh 3.9.0-2 +- More access needed for devicekit +- Add dbadm policy + +* Thu Aug 26 2010 Dan Walsh 3.9.0-1 +- Merge with upstream + +* Tue Aug 24 2010 Dan Walsh 3.8.8-21 +- Allow seunshare to fowner + +* Tue Aug 24 2010 Dan Walsh 3.8.8-20 +- Allow cron to look at user_cron_spool links +- Lots of fixes for mozilla_plugin_t +- Add sysv file system +- Turn unconfined domains to permissive to find additional avcs + +* Mon Aug 23 2010 Dan Walsh 3.8.8-19 +- Update policy for mozilla_plugin_t + +* Mon Aug 23 2010 Dan 
Walsh 3.8.8-18
+- Allow clamscan to read proc_t
+- Allow mount_t to write to debufs_t dir
+- Dontaudit mount_t trying to write to security_t dir
+
+* Thu Aug 19 2010 Dan Walsh 3.8.8-17
+- Allow clamscan_t execmem if clamd_use_jit set
+- Add policy for firefox plugin-container
+
+* Wed Aug 18 2010 Dan Walsh 3.8.8-16
+- Fix /root/.forward definition
+
+* Tue Aug 17 2010 Dan Walsh 3.8.8-15
+- label dead.letter as mail_home_t
+
+* Fri Aug 13 2010 Dan Walsh 3.8.8-14
+- Allow login programs to search /cgroups
+
+* Thu Aug 12 2010 Dan Walsh 3.8.8-13
+- Fix cert handling
+
+* Tue Aug 10 2010 Dan Walsh 3.8.8-12
+- Fix devicekit_power bug
+- Allow policykit_auth_t more access.
+
+* Thu Aug 5 2010 Dan Walsh 3.8.8-11
+- Fix nis calls to allow bind to ports 512-1024
+- Fix smartmon
+
+* Wed Aug 4 2010 Dan Walsh 3.8.8-10
+- Allow pcscd to read sysfs
+- systemd fixes
+- Fix wine_mmap_zero_ignore boolean
+
+* Tue Aug 3 2010 Dan Walsh 3.8.8-9
+- Apply Miroslav munin patch
+- Turn back on allow_execmem and allow_execmod booleans
+
+* Tue Jul 27 2010 Dan Walsh 3.8.8-8
+- Merge in fixes from dgrift repository
+
+* Tue Jul 27 2010 Dan Walsh 3.8.8-7
+- Update boinc policy
+- Fix sysstat policy to allow sys_admin
+- Change failsafe_context to unconfined_r:unconfined_t:s0
+
+* Mon Jul 26 2010 Dan Walsh 3.8.8-6
+- New paths for upstart
+
+* Mon Jul 26 2010 Dan Walsh 3.8.8-5
+- New permissions for syslog
+- New labels for /lib/upstart
+
+* Fri Jul 23 2010 Dan Walsh 3.8.8-4
+- Add mojomojo policy
+
+* Thu Jul 22 2010 Dan Walsh 3.8.8-3
+- Allow systemd to setsockcon on sockets to immitate other services
+
+* Wed Jul 21 2010 Dan Walsh 3.8.8-2
+- Remove debugfs label
+
+* Tue Jul 20 2010 Dan Walsh 3.8.8-1
+- Update to latest policy
+
+* Wed Jul 14 2010 Dan Walsh 3.8.7-3
+- Fix eclipse labeling from IBMSupportAssasstant packageing
+
+* Wed Jul 14 2010 Dan Walsh 3.8.7-2
+- Make boot with systemd in enforcing mode
+
+* Wed Jul 14 2010 Dan Walsh 3.8.7-1
+- Update to upstream
+
+* Mon Jul 12 2010
Dan Walsh 3.8.6-3
+- Add boolean to turn off port forwarding in sshd.
+
+* Fri Jul 9 2010 Miroslav Grepl 3.8.6-2
+- Add support for ebtables
+- Fixes for rhcs and corosync policy
+
+* Tue Jun 22 2010 Dan Walsh 3.8.6-1
+-Update to upstream
+
+* Mon Jun 21 2010 Dan Walsh 3.8.5-1
+-Update to upstream
+
+* Thu Jun 17 2010 Dan Walsh 3.8.4-1
+-Update to upstream
+
+* Wed Jun 16 2010 Dan Walsh 3.8.3-4
+- Add Zarafa policy
+
+* Wed Jun 9 2010 Dan Walsh 3.8.3-3
+- Cleanup of aiccu policy
+- initial mock policy
+
+* Wed Jun 9 2010 Dan Walsh 3.8.3-2
+- Lots of random fixes
+
+* Tue Jun 8 2010 Dan Walsh 3.8.3-1
+- Update to upstream
+
+* Fri Jun 4 2010 Dan Walsh 3.8.2-1
+- Update to upstream
+- Allow prelink script to signal itself
+- Cobbler fixes
+
+* Wed Jun 2 2010 Dan Walsh 3.8.1-5
+- Add xdm_var_run_t to xserver_stream_connect_xdm
+- Add cmorrord and mpd policy from Miroslav Grepl
+
+* Tue Jun 1 2010 Dan Walsh 3.8.1-4
+- Fix sshd creation of krb cc files for users to be user_tmp_t
+
+* Thu May 27 2010 Dan Walsh 3.8.1-3
+- Fixes for accountsdialog
+- Fixes for boinc
+
+* Thu May 27 2010 Dan Walsh 3.8.1-2
+- Fix label on /var/lib/dokwiki
+- Change permissive domains to enforcing
+- Fix libvirt policy to allow it to run on mls
+
+* Tue May 25 2010 Dan Walsh 3.8.1-1
+- Update to upstream
+
+* Tue May 25 2010 Dan Walsh 3.7.19-22
+- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
+- Fix /var/run/abrtd.lock label
+
+* Mon May 24 2010 Dan Walsh 3.7.19-21
+- Allow login programs to read krb5_home_t
+Resolves: 594833
+- Add obsoletes for cachefilesfd-selinux package
+Resolves: #575084
+
+* Thu May 20 2010 Dan Walsh 3.7.19-20
+- Allow mount to r/w abrt fifo file
+- Allow svirt_t to getattr on hugetlbfs
+- Allow abrt to create a directory under /var/spool
+
+* Wed May 19 2010 Dan Walsh 3.7.19-19
+- Add labels for /sys
+- Allow sshd to getattr on shutdown
+- Fixes for munin
+- Allow sssd to use the kernel key ring
+- Allow tor to send syslog
messages +- Allow iptabels to read usr files +- allow policykit to read all domains state + +* Thu May 13 2010 Dan Walsh 3.7.19-17 +- Fix path for /var/spool/abrt +- Allow nfs_t as an entrypoint for http_sys_script_t +- Add policy for piranha +- Lots of fixes for sosreport + +* Wed May 12 2010 Dan Walsh 3.7.19-16 +- Allow xm_t to read network state and get and set capabilities +- Allow policykit to getattr all processes +- Allow denyhosts to connect to tcp port 9911 +- Allow pyranha to use raw ip sockets and ptrace itself +- Allow unconfined_execmem_t and gconfsd mechanism to dbus +- Allow staff to kill ping process +- Add additional MLS rules + +* Mon May 10 2010 Dan Walsh 3.7.19-15 +- Allow gdm to edit ~/.gconf dir +Resolves: #590677 +- Allow dovecot to create directories in /var/lib/dovecot +Partially resolves 590224 +- Allow avahi to dbus chat with NetworkManager +- Fix cobbler labels +- Dontaudit iceauth_t leaks +- fix /var/lib/lxdm file context +- Allow aiccu to use tun tap devices +- Dontaudit shutdown using xserver.log + +* Fri May 7 2010 Dan Walsh 3.7.19-14 +- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ +- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory +- Add dontaudit interface for bluetooth dbus +- Add chronyd_read_keys, append_keys for initrc_t +- Add log support for ksmtuned +Resolves: #586663 + +* Thu May 6 2010 Dan Walsh 3.7.19-13 +- Allow boinc to send mail + +* Wed May 5 2010 Dan Walsh 3.7.19-12 +- Allow initrc_t to remove dhcpc_state_t +- Fix label on sa-update.cron +- Allow dhcpc to restart chrony initrc +- Don't allow sandbox to send signals to its parent processes +- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t +Resolves: #589136 + +* Mon May 3 2010 Dan Walsh 3.7.19-11 +- Fix location of oddjob_mkhomedir +Resolves: #587385 +- fix labeling on /root/.shosts and ~/.shosts +- Allow ipsec_mgmt_t to manage net_conf_t +Resolves: #586760 + +* Fri Apr 30 2010 Dan Walsh 3.7.19-10 +- 
Dontaudit sandbox trying to connect to netlink sockets
+Resolves: #587609
+- Add policy for piranha
+
+* Thu Apr 29 2010 Dan Walsh 3.7.19-9
+- Fixups for xguest policy
+- Fixes for running sandbox firefox
+
+* Wed Apr 28 2010 Dan Walsh 3.7.19-8
+- Allow ksmtuned to use terminals
+Resolves: #586663
+- Allow lircd to write to generic usb devices
+
+* Tue Apr 27 2010 Dan Walsh 3.7.19-7
+- Allow sandbox_xserver to connectto unconfined stream
+Resolves: #585171
+
+* Mon Apr 26 2010 Dan Walsh 3.7.19-6
+- Allow initrc_t to read slapd_db_t
+Resolves: #585476
+- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
+Resolves: #585963
+
+* Thu Apr 22 2010 Dan Walsh 3.7.19-5
+- Allow rlogind_t to search /root for .rhosts
+Resolves: #582760
+- Fix path for cached_var_t
+- Fix prelink paths /var/lib/prelink
+- Allow confined users to direct_dri
+- Allow mls lvm/cryptosetup to work
+
+* Wed Apr 21 2010 Dan Walsh 3.7.19-4
+- Allow virtd_t to manage firewall/iptables config
+Resolves: #573585
+
+* Tue Apr 20 2010 Dan Walsh 3.7.19-3
+- Fix label on /root/.rhosts
+Resolves: #582760
+- Add labels for Picasa
+- Allow openvpn to read home certs
+- Allow plymouthd_t to use tty_device_t
+- Run ncftool as iptables_t
+- Allow mount to unmount unlabeled_t
+- Dontaudit hal leaks
+
+* Wed Apr 14 2010 Dan Walsh 3.7.19-2
+- Allow livecd to transition to mount
+
+* Tue Apr 13 2010 Dan Walsh 3.7.19-1
+- Update to upstream
+- Allow abrt to delete sosreport
+Resolves: #579998
+- Allow snmp to setuid and gid
+Resolves: #582155
+- Allow smartd to use generic scsi devices
+Resolves: #582145
+
+* Tue Apr 13 2010 Dan Walsh 3.7.18-3
+- Allow ipsec_t to create /etc/resolv.conf with the correct label
+- Fix reserved port destination
+- Allow autofs to transition to showmount
+- Stop crashing tuned
+
+* Mon Apr 12 2010 Dan Walsh 3.7.18-2
+- Add telepathysofiasip policy
+
+* Mon Apr 5 2010 Dan Walsh 3.7.18-1
+- Update to upstream
+- Fix label for /opt/google/chrome/chrome-sandbox
+- Allow
modemmanager to dbus with policykit + +* Mon Apr 5 2010 Dan Walsh 3.7.17-6 +- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) +- Allow accountsd to read shadow file +- Allow apache to send audit messages when using pam +- Allow asterisk to bind and connect to sip tcp ports +- Fixes for dovecot 2.0 +- Allow initrc_t to setattr on milter directories +- Add procmail_home_t for .procmailrc file + +* Thu Apr 1 2010 Dan Walsh 3.7.17-5 +- Fixes for labels during install from livecd + +* Thu Apr 1 2010 Dan Walsh 3.7.17-4 +- Fix /cgroup file context +- Fix broken afs use of unlabled_t +- Allow getty to use the console for s390 + +* Wed Mar 31 2010 Dan Walsh 3.7.17-3 +- Fix cgroup handling adding policy for /cgroup +- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set + +* Tue Mar 30 2010 Dan Walsh 3.7.17-2 +- Merge patches from dgrift + +* Mon Mar 29 2010 Dan Walsh 3.7.17-1 +- Update upstream +- Allow abrt to write to the /proc under any process + +* Fri Mar 26 2010 Dan Walsh 3.7.16-2 + - Fix ~/.fontconfig label +- Add /root/.cert label +- Allow reading of the fixed_file_disk_t:lnk_file if you can read file +- Allow qemu_exec_t as an entrypoint to svirt_t + +* Tue Mar 23 2010 Dan Walsh 3.7.16-1 +- Update to upstream +- Allow tmpreaper to delete sandbox sock files +- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems +- Fixes for gitosis +- No transition on livecd to passwd or chfn +- Fixes for denyhosts + +* Tue Mar 23 2010 Dan Walsh 3.7.15-4 +- Add label for /var/lib/upower +- Allow logrotate to run sssd +- dontaudit readahead on tmpfs blk files +- Allow tmpreaper to setattr on sandbox files +- Allow confined users to execute dos files +- Allow sysadm_t to kill processes running within its clearance +- Add accountsd policy +- Fixes for corosync policy +- Fixes from crontab policy +- Allow svirt to manage svirt_image_t chr files +- Fixes for qdisk policy +- Fixes for sssd policy +- Fixes for newrole 
policy
+
+* Thu Mar 18 2010 Dan Walsh 3.7.15-3
+- make libvirt work on an MLS platform
+
+* Thu Mar 18 2010 Dan Walsh 3.7.15-2
+- Add qpidd policy
+
+* Thu Mar 18 2010 Dan Walsh 3.7.15-1
+- Update to upstream
+
+* Tue Mar 16 2010 Dan Walsh 3.7.14-5
+- Allow boinc to read kernel sysctl
+- Fix snmp port definitions
+- Allow apache to read anon_inodefs
+
+* Sun Mar 14 2010 Dan Walsh 3.7.14-4
+- Allow shutdown dac_override
+
+* Sat Mar 13 2010 Dan Walsh 3.7.14-3
+- Add device_t as a file system
+- Fix sysfs association
+
+* Fri Mar 12 2010 Dan Walsh 3.7.14-2
+- Dontaudit ipsec_mgmt sys_ptrace
+- Allow at to mail its spool files
+- Allow nsplugin to search in .pulse directory
+
+* Fri Mar 12 2010 Dan Walsh 3.7.14-1
+- Update to upstream
+
+* Fri Mar 12 2010 Dan Walsh 3.7.13-4
+- Allow users to dbus chat with xdm
+- Allow users to r/w wireless_device_t
+- Dontaudit reading of process states by ipsec_mgmt
+
+* Thu Mar 11 2010 Dan Walsh 3.7.13-3
+- Fix openoffice from unconfined_t
+
+* Wed Mar 10 2010 Dan Walsh 3.7.13-2
+- Add shutdown policy so consolekit can shutdown system
+
+* Tue Mar 9 2010 Dan Walsh 3.7.13-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh 3.7.12-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh 3.7.11-1
+- Update to upstream - These are merges of my patches
+- Remove 389 labeling conflicts
+- Add MLS fixes found in RHEL6 testing
+- Allow pulseaudio to run as a service
+- Add label for mssql and allow apache to connect to this database port if boolean set
+- Dontaudit searches of debugfs mount point
+- Allow policykit_auth to send signals to itself
+- Allow modcluster to call getpwnam
+- Allow swat to signal winbind
+- Allow usbmux to run as a system role
+- Allow svirt to create and use devpts
+
+* Mon Mar 1 2010 Dan Walsh 3.7.10-5
+- Add MLS fixes found in RHEL6 testing
+- Allow domains to append to rpm_tmp_t
+- Add cachefilesfd policy
+- Dontaudit leaks when transitioning
+
+* Wed Feb 24 2010 Dan Walsh 3.7.10-4
+- Change allow_execstack and
allow_execmem booleans to on
+- dontaudit acct using console
+- Add label for fping
+- Allow tmpreaper to delete sandbox_file_t
+- Fix wine dontaudit mmap_zero
+- Allow abrt to read var_t symlinks
+
+* Tue Feb 23 2010 Dan Walsh 3.7.10-3
+- Additional policy for rgmanager
+
+* Mon Feb 22 2010 Dan Walsh 3.7.10-2
+- Allow sshd to setattr on pseudo terms
+
+* Mon Feb 22 2010 Dan Walsh 3.7.10-1
+- Update to upstream
+
+* Thu Feb 18 2010 Dan Walsh 3.7.9-4
+- Allow policykit to send itself signals
+
+* Wed Feb 17 2010 Dan Walsh 3.7.9-3
+- Fix duplicate cobbler definition
+
+* Wed Feb 17 2010 Dan Walsh 3.7.9-2
+- Fix file context of /var/lib/avahi-autoipd
+
+* Fri Feb 12 2010 Dan Walsh 3.7.9-1
+- Merge with upstream
+
+* Thu Feb 11 2010 Dan Walsh 3.7.8-11
+- Allow sandbox to work with MLS
+
+* Tue Feb 9 2010 Dan Walsh 3.7.8-9
+- Make Chrome work with staff user
+
+* Thu Feb 4 2010 Dan Walsh 3.7.8-8
+- Add icecast policy
+- Cleanup spec file
+
+* Wed Feb 3 2010 Dan Walsh 3.7.8-7
+- Add mcelog policy
+
+* Mon Feb 1 2010 Dan Walsh 3.7.8-6
+- Lots of fixes found in F12
+
+* Thu Jan 28 2010 Dan Walsh 3.7.8-5
+- Fix rpm_dontaudit_leaks
+
+* Wed Jan 27 2010 Dan Walsh 3.7.8-4
+- Add getsched to hald_t
+- Add file context for Fedora/Redhat Directory Server
+
+* Mon Jan 25 2010 Dan Walsh 3.7.8-3
+- Allow abrt_helper to getattr on all filesystems
+- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
+
+* Thu Jan 21 2010 Dan Walsh 3.7.8-2
+- Add gstreamer_home_t for ~/.gstreamer
+
+* Mon Jan 18 2010 Dan Walsh 3.7.8-1
+- Update to upstream
+
+* Fri Jan 15 2010 Dan Walsh 3.7.7-3
+- Fix git
+
+* Thu Jan 7 2010 Dan Walsh 3.7.7-2
+- Turn on puppet policy
+- Update to dgrift git policy
+
+* Thu Jan 7 2010 Dan Walsh 3.7.7-1
+- Move users file to selection by spec file.
+- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
+
+* Thu Jan 7 2010 Dan Walsh 3.7.6-1
+- Update to upstream
+
+* Wed Jan 6 2010 Dan Walsh 3.7.5-8
+- Remove most of the permissive domains from F12.
+
+* Tue Jan 5 2010 Dan Walsh 3.7.5-7
+- Add cobbler policy from dgrift
+
+* Mon Jan 4 2010 Dan Walsh 3.7.5-6
+- add usbmon device
+- Add allow rulse for devicekit_disk
+
+* Wed Dec 30 2009 Dan Walsh 3.7.5-5
+- Lots of fixes found in F12, fixes from Tom London
+
+* Wed Dec 23 2009 Dan Walsh 3.7.5-4
+- Cleanups from dgrift
+
+* Tue Dec 22 2009 Dan Walsh 3.7.5-3
+- Add back xserver_manage_home_fonts
+
+* Mon Dec 21 2009 Dan Walsh 3.7.5-2
+- Dontaudit sandbox trying to read nscd and sssd
+
+* Fri Dec 18 2009 Dan Walsh 3.7.5-1
+- Update to upstream
+
+* Thu Dec 17 2009 Dan Walsh 3.7.4-4
+- Rename udisks-daemon back to devicekit_disk_t policy
+
+* Wed Dec 16 2009 Dan Walsh 3.7.4-3
+- Fixes for abrt calls
+
+* Fri Dec 11 2009 Dan Walsh 3.7.4-2
+- Add tgtd policy
+
+* Fri Dec 4 2009 Dan Walsh 3.7.4-1
+- Update to upstream release
+
+* Mon Nov 16 2009 Dan Walsh 3.7.3-1
+- Add asterisk policy back in
+- Update to upstream release 2.20091117
+
+* Mon Nov 16 2009 Dan Walsh 3.7.1-1
+- Update to upstream release 2.20091117
+
+* Mon Nov 16 2009 Dan Walsh 3.6.33-2
+- Fixup nut policy
+
+* Thu Nov 12 2009 Dan Walsh 3.6.33-1
+- Update to upstream
+
+* Thu Oct 1 2009 Dan Walsh 3.6.32-17
+- Allow vpnc request the kernel to load modules
+
+* Wed Sep 30 2009 Dan Walsh 3.6.32-16
+- Fix minimum policy installs
+- Allow udev and rpcbind to request the kernel to load modules
+
+* Wed Sep 30 2009 Dan Walsh 3.6.32-15
+- Add plymouth policy
+- Allow local_login to sys_admin
+
+* Tue Sep 29 2009 Dan Walsh 3.6.32-13
+- Allow cupsd_config to read user tmp
+- Allow snmpd_t to signal itself
+- Allow sysstat_t to makedir in sysstat_log_t
+
+* Fri Sep 25 2009 Dan Walsh 3.6.32-12
+- Update rhcs policy
+
+* Thu Sep 24 2009 Dan Walsh 3.6.32-11
+- Allow users to exec restorecond
+
+* Tue Sep 22 2009 Dan Walsh 3.6.32-10
+- Allow sendmail to request kernel modules load
+
+* Mon Sep 21 2009 Dan Walsh 3.6.32-9
+- Fix all kernel_request_load_module domains
+
+* Mon Sep 21 2009 Dan Walsh 3.6.32-8
+- Fix all
kernel_request_load_module domains
+
+* Sun Sep 20 2009 Dan Walsh 3.6.32-7
+- Remove allow_exec* booleans for confined users. Only available for unconfined_t
+
+* Fri Sep 18 2009 Dan Walsh 3.6.32-6
+- More fixes for sandbox_web_t
+
+* Fri Sep 18 2009 Dan Walsh 3.6.32-5
+- Allow sshd to create .ssh directory and content
+
+* Fri Sep 18 2009 Dan Walsh 3.6.32-4
+- Fix request_module line to module_request
+
+* Fri Sep 18 2009 Dan Walsh 3.6.32-3
+- Fix sandbox policy to allow it to run under firefox.
+- Dont audit leaks.
+
+* Thu Sep 17 2009 Dan Walsh 3.6.32-2
+- Fixes for sandbox
+
+* Wed Sep 16 2009 Dan Walsh 3.6.32-1
+- Update to upstream
+- Dontaudit nsplugin search /root
+- Dontaudit nsplugin sys_nice
+
+* Tue Sep 15 2009 Dan Walsh 3.6.31-5
+- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
+- Remove policycoreutils-python requirement except for minimum
+
+* Mon Sep 14 2009 Dan Walsh 3.6.31-4
+- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
+- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
+
+* Thu Sep 10 2009 Dan Walsh 3.6.31-3
+- Add wordpress/wp-content/uploads label
+- Fixes for sandbox when run from staff_t
+
+* Thu Sep 10 2009 Dan Walsh 3.6.31-2
+- Update to upstream
+- Fixes for devicekit_disk
+
+* Tue Sep 8 2009 Dan Walsh 3.6.30-6
+- More fixes
+
+* Tue Sep 8 2009 Dan Walsh 3.6.30-5
+- Lots of fixes for initrc and other unconfined domains
+
+* Fri Sep 4 2009 Dan Walsh 3.6.30-4
+- Allow xserver to use netlink_kobject_uevent_socket
+
+* Thu Sep 3 2009 Dan Walsh 3.6.30-3
+- Fixes for sandbox
+
+* Mon Aug 31 2009 Dan Walsh 3.6.30-2
+- Dontaudit setroubleshootfix looking at /root directory
+
+* Mon Aug 31 2009 Dan Walsh 3.6.30-1
+- Update to upsteam
+
+* Mon Aug 31 2009 Dan Walsh 3.6.29-2
+- Allow gssd to send signals to users
+- Fix duplicate label for apache content
+
+* Fri Aug 28 2009 Dan Walsh 3.6.29-1
+- Update to upstream
+
+* Fri Aug 28 2009 Dan Walsh 3.6.28-9
+- Remove polkit_auth on upgrades
+
+* Wed Aug 26 2009 Dan Walsh 3.6.28-8
+- Add back in unconfined.pp and unconfineduser.pp
+- Add Sandbox unshare
+
+* Tue Aug 25 2009 Dan Walsh 3.6.28-7
+- Fixes for cdrecord, mdadm, and others
+
+* Sat Aug 22 2009 Dan Walsh 3.6.28-6
+- Add capability setting to dhcpc and gpm
+
+* Sat Aug 22 2009 Dan Walsh 3.6.28-5
+- Allow cronjobs to read exim_spool_t
+
+* Fri Aug 21 2009 Dan Walsh 3.6.28-4
+- Add ABRT policy
+
+* Thu Aug 20 2009 Dan Walsh 3.6.28-3
+- Fix system-config-services policy
+
+* Wed Aug 19 2009 Dan Walsh 3.6.28-2
+- Allow libvirt to change user componant of virt_domain
+
+* Tue Aug 18 2009 Dan Walsh 3.6.28-1
+- Allow cupsd_config_t to be started by dbus
+- Add smoltclient policy
+
+* Fri Aug 14 2009 Dan Walsh 3.6.27-1
+- Add policycoreutils-python to pre install
+
+* Thu Aug 13 2009 Dan Walsh 3.6.26-11
+- Make all unconfined_domains permissive so we can see what AVC's happen
+
+* Mon Aug 10 2009 Dan Walsh 3.6.26-10
+- Add pt_chown policy
+
+* Mon Aug 10 2009 Dan Walsh 3.6.26-9
+- Add kdump policy for Miroslav Grepl
+- Turn off execstack
boolean
+
+* Fri Aug 7 2009 Bill Nottingham 3.6.26-8
+- Turn on execstack on a temporary basis (#512845)
+
+* Thu Aug 6 2009 Dan Walsh 3.6.26-7
+- Allow nsplugin to connecto the session bus
+- Allow samba_net to write to coolkey data
+
+* Wed Aug 5 2009 Dan Walsh 3.6.26-6
+- Allow devicekit_disk to list inotify
+
+* Wed Aug 5 2009 Dan Walsh 3.6.26-5
+- Allow svirt images to create sock_file in svirt_var_run_t
+
+* Tue Aug 4 2009 Dan Walsh 3.6.26-4
+- Allow exim to getattr on mountpoints
+- Fixes for pulseaudio
+
+* Fri Jul 31 2009 Dan Walsh 3.6.26-3
+- Allow svirt_t to stream_connect to virtd_t
+
+* Fri Jul 31 2009 Dan Walsh 3.6.26-2
+- Allod hald_dccm_t to create sock_files in /tmp
+
+* Thu Jul 30 2009 Dan Walsh 3.6.26-1
+- More fixes from upstream
+
+* Tue Jul 28 2009 Dan Walsh 3.6.25-1
+- Fix polkit label
+- Remove hidebrokensymptoms for nss_ldap fix
+- Add modemmanager policy
+- Lots of merges from upstream
+- Begin removing textrel_shlib_t labels, from fixed libraries
+
+* Tue Jul 28 2009 Dan Walsh 3.6.24-1
+- Update to upstream
+
+* Mon Jul 27 2009 Dan Walsh 3.6.23-2
+- Allow certmaster to override dac permissions
+
+* Thu Jul 23 2009 Dan Walsh 3.6.23-1
+- Update to upstream
+
+* Tue Jul 21 2009 Dan Walsh 3.6.22-3
+- Fix context for VirtualBox
+
+* Tue Jul 14 2009 Dan Walsh 3.6.22-1
+- Update to upstream
+
+* Fri Jul 10 2009 Dan Walsh 3.6.21-4
+- Allow clamscan read amavis spool files
+
+* Wed Jul 8 2009 Dan Walsh 3.6.21-3
+- Fixes for xguest
+
+* Tue Jul 7 2009 Tom "spot" Callaway 3.6.21-2
+- fix multiple directory ownership of mandirs
+
+* Wed Jul 1 2009 Dan Walsh 3.6.21-1
+- Update to upstream
+
+* Tue Jun 30 2009 Dan Walsh 3.6.20-2
+- Add rules for rtkit-daemon
+
+* Thu Jun 25 2009 Dan Walsh 3.6.20-1
+- Update to upstream
+- Fix nlscd_stream_connect
+
+* Thu Jun 25 2009 Dan Walsh 3.6.19-5
+- Add rtkit policy
+
+* Wed Jun 24 2009 Dan Walsh 3.6.19-4
+- Allow rpcd_t to stream connect to rpcbind
+
+* Tue Jun 23 2009 Dan Walsh 3.6.19-3
+- Allow kpropd to
create tmp files + +* Tue Jun 23 2009 Dan Walsh 3.6.19-2 +- Fix last duplicate /var/log/rpmpkgs + +* Mon Jun 22 2009 Dan Walsh 3.6.19-1 +- Update to upstream + * add sssd + +* Sat Jun 20 2009 Dan Walsh 3.6.18-1 +- Update to upstream + * cleanup + +* Fri Jun 19 2009 Dan Walsh 3.6.17-1 +- Update to upstream +- Additional mail ports +- Add virt_use_usb boolean for svirt + +* Thu Jun 18 2009 Dan Walsh 3.6.16-4 +- Fix mcs rules to include chr_file and blk_file + +* Tue Jun 16 2009 Dan Walsh 3.6.16-3 +- Add label for udev-acl + +* Mon Jun 15 2009 Dan Walsh 3.6.16-2 +- Additional rules for consolekit/udev, privoxy and various other fixes + +* Fri Jun 12 2009 Dan Walsh 3.6.16-1 +- New version for upstream + +* Thu Jun 11 2009 Dan Walsh 3.6.14-3 +- Allow NetworkManager to read inotifyfs + +* Wed Jun 10 2009 Dan Walsh 3.6.14-2 +- Allow setroubleshoot to run mlocate + +* Mon Jun 8 2009 Dan Walsh 3.6.14-1 +- Update to upstream + +* Tue Jun 2 2009 Dan Walsh 3.6.13-3 +- Add fish as a shell +- Allow fprintd to list usbfs_t +- Allow consolekit to search mountpoints +- Add proper labeling for shorewall + +* Tue May 26 2009 Dan Walsh 3.6.13-2 +- New log file for vmware +- Allow xdm to setattr on user_tmp_t + +* Thu May 21 2009 Dan Walsh 3.6.13-1 +- Upgrade to upstream + +* Wed May 20 2009 Dan Walsh 3.6.12-39 +- Allow fprintd to access sys_ptrace +- Add sandbox policy + +* Mon May 18 2009 Dan Walsh 3.6.12-38 +- Add varnishd policy + +* Thu May 14 2009 Dan Walsh 3.6.12-37 +- Fixes for kpropd + +* Tue May 12 2009 Dan Walsh 3.6.12-36 +- Allow brctl to r/w tun_tap_device_t + +* Mon May 11 2009 Dan Walsh 3.6.12-35 +- Add /usr/share/selinux/packages + +* Mon May 11 2009 Dan Walsh 3.6.12-34 +- Allow rpcd_t to send signals to kernel threads + +* Fri May 8 2009 Dan Walsh 3.6.12-33 +- Fix upgrade for F10 to F11 + +* Thu May 7 2009 Dan Walsh 3.6.12-31 +- Add policy for /var/lib/fprint + +* Tue May 5 2009 Dan Walsh 3.6.12-30 +-Remove duplicate line + +* Tue May 5 2009 Dan Walsh 3.6.12-29 +- 
Allow svirt to manage pci and other sysfs device data
+
+* Mon May 4 2009 Dan Walsh 3.6.12-28
+- Fix package selection handling
+
+* Fri May 1 2009 Dan Walsh 3.6.12-27
+- Fix /sbin/ip6tables-save context
+- Allod udev to transition to mount
+- Fix loading of mls policy file
+
+* Thu Apr 30 2009 Dan Walsh 3.6.12-26
+- Add shorewall policy
+
+* Wed Apr 29 2009 Dan Walsh 3.6.12-25
+- Additional rules for fprintd and sssd
+
+* Tue Apr 28 2009 Dan Walsh 3.6.12-24
+- Allow nsplugin to unix_read unix_write sem for unconfined_java
+
+* Tue Apr 28 2009 Dan Walsh 3.6.12-23
+- Fix uml files to be owned by users
+
+* Tue Apr 28 2009 Dan Walsh 3.6.12-22
+- Fix Upgrade path to install unconfineduser.pp when unocnfined package is 3.0.0 or less
+
+* Mon Apr 27 2009 Dan Walsh 3.6.12-21
+- Allow confined users to manage virt_content_t, since this is home dir content
+- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
+
+* Mon Apr 27 2009 Dan Walsh 3.6.12-20
+- Fix labeling on /var/lib/misc/prelink*
+- Allow xserver to rw_shm_perms with all x_clients
+- Allow prelink to execute files in the users home directory
+
+* Fri Apr 24 2009 Dan Walsh 3.6.12-19
+- Allow initrc_t to delete dev_null
+- Allow readahead to configure auditing
+- Fix milter policy
+- Add /var/lib/readahead
+
+* Fri Apr 24 2009 Dan Walsh 3.6.12-16
+- Update to latest milter code from Paul Howarth
+
+* Thu Apr 23 2009 Dan Walsh 3.6.12-15
+- Additional perms for readahead
+
+* Thu Apr 23 2009 Dan Walsh 3.6.12-14
+- Allow pulseaudio to acquire_svc on session bus
+- Fix readahead labeling
+
+* Thu Apr 23 2009 Dan Walsh 3.6.12-13
+- Allow sysadm_t to run rpm directly
+- libvirt needs fowner
+
+* Wed Apr 22 2009 Dan Walsh 3.6.12-12
+- Allow sshd to read var_lib symlinks for freenx
+
+* Tue Apr 21 2009 Dan Walsh 3.6.12-11
+- Allow nsplugin unix_read and write on users shm and sem
+- Allow sysadm_t to execute su
+
+* Tue Apr 21 2009 Dan Walsh 3.6.12-10
+- Dontaudit attempts to getattr
user_tmpfs_t by lvm
+- Allow nfs to share removable media
+
+* Mon Apr 20 2009 Dan Walsh 3.6.12-9
+- Add ability to run postdrop from confined users
+
+* Sat Apr 18 2009 Dan Walsh 3.6.12-8
+- Fixes for podsleuth
+
+* Fri Apr 17 2009 Dan Walsh 3.6.12-7
+- Turn off nsplugin transition
+- Remove Konsole leaked file descriptors for release
+
+* Fri Apr 17 2009 Dan Walsh 3.6.12-6
+- Allow cupsd_t to create link files in print_spool_t
+- Fix iscsi_stream_connect typo
+- Fix labeling on /etc/acpi/actions
+- Don't reinstall unconfine and unconfineuser on upgrade if they are not installed
+
+* Tue Apr 14 2009 Dan Walsh 3.6.12-5
+- Allow audioentroy to read etc files
+
+* Mon Apr 13 2009 Dan Walsh 3.6.12-4
+- Add fail2ban_var_lib_t
+- Fixes for devicekit_power_t
+
+* Thu Apr 9 2009 Dan Walsh 3.6.12-3
+- Separate out the ucnonfined user from the unconfined.pp package
+
+* Wed Apr 8 2009 Dan Walsh 3.6.12-2
+- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
+
+* Tue Apr 7 2009 Dan Walsh 3.6.12-1
+- Upgrade to latest upstream
+- Allow devicekit_disk sys_rawio
+
+* Mon Apr 6 2009 Dan Walsh 3.6.11-1
+- Dontaudit binds to ports < 1024 for named
+- Upgrade to latest upstream
+
+* Fri Apr 3 2009 Dan Walsh 3.6.10-9
+- Allow podsleuth to use tmpfs files
+
+* Fri Apr 3 2009 Dan Walsh 3.6.10-8
+- Add customizable_types for svirt
+
+* Fri Apr 3 2009 Dan Walsh 3.6.10-7
+- Allow setroubelshoot exec* privs to prevent crash from bad libraries
+- add cpufreqselector
+
+* Thu Apr 2 2009 Dan Walsh 3.6.10-6
+- Dontaudit listing of /root directory for cron system jobs
+
+* Mon Mar 30 2009 Dan Walsh 3.6.10-5
+- Fix missing ld.so.cache label
+
+* Fri Mar 27 2009 Dan Walsh 3.6.10-4
+- Add label for ~/.forward and /root/.forward
+
+* Thu Mar 26 2009 Dan Walsh 3.6.10-3
+- Fixes for svirt
+
+* Thu Mar 19 2009 Dan Walsh 3.6.10-2
+- Fixes to allow svirt read iso files in homedir
+
+* Thu Mar 19 2009 Dan Walsh 3.6.10-1
+- Add xenner and wine fixes from mgrepl
+
+* Wed Mar 18 2009 Dan
Walsh 3.6.9-4
+- Allow mdadm to read/write mls override
+
+* Tue Mar 17 2009 Dan Walsh 3.6.9-3
+- Change to svirt to only access svirt_image_t
+
+* Thu Mar 12 2009 Dan Walsh 3.6.9-2
+- Fix libvirt policy
+
+* Thu Mar 12 2009 Dan Walsh 3.6.9-1
+- Upgrade to latest upstream
+
+* Tue Mar 10 2009 Dan Walsh 3.6.8-4
+- Fixes for iscsid and sssd
+- More cleanups for upgrade from F10 to Rawhide.
+
+* Mon Mar 9 2009 Dan Walsh 3.6.8-3
+- Add pulseaudio, sssd policy
+- Allow networkmanager to exec udevadm
+
+* Sat Mar 7 2009 Dan Walsh 3.6.8-2
+- Add pulseaudio context
+
+* Thu Mar 5 2009 Dan Walsh 3.6.8-1
+- Upgrade to latest patches
+
+* Wed Mar 4 2009 Dan Walsh 3.6.7-2
+- Fixes for libvirt
+
+* Mon Mar 2 2009 Dan Walsh 3.6.7-1
+- Update to Latest upstream
+
+* Sat Feb 28 2009 Dan Walsh 3.6.6-9
+- Fix setrans.conf to show SystemLow for s0
+
+* Fri Feb 27 2009 Dan Walsh 3.6.6-8
+- Further confinement of qemu images via svirt
+
+* Wed Feb 25 2009 Fedora Release Engineering - 3.6.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 19 2009 Dan Walsh 3.6.6-6
+- Allow NetworkManager to manage /etc/NetworkManager/system-connections
+
+* Wed Feb 18 2009 Dan Walsh 3.6.6-5
+- add virtual_image_context and virtual_domain_context files
+
+* Tue Feb 17 2009 Dan Walsh 3.6.6-4
+- Allow rpcd_t to send signal to mount_t
+- Allow libvirtd to run ranged
+
+* Tue Feb 17 2009 Dan Walsh 3.6.6-3
+- Fix sysnet/net_conf_t
+
+* Tue Feb 17 2009 Dan Walsh 3.6.6-2
+- Fix squidGuard labeling
+
+* Wed Feb 11 2009 Dan Walsh 3.6.6-1
+- Re-add corenet_in_generic_if(unlabeled_t)
+
+* Wed Feb 11 2009 Dan Walsh 3.6.5-3
+
+* Tue Feb 10 2009 Dan Walsh 3.6.5-2
+- Add git web policy
+
+* Mon Feb 9 2009 Dan Walsh 3.6.5-1
+- Add setrans contains from upstream
+
+* Mon Feb 9 2009 Dan Walsh 3.6.4-6
+- Do transitions outside of the booleans
+
+* Sun Feb 8 2009 Dan Walsh 3.6.4-5
+- Allow xdm to create user_tmp_t sockets for switch user to work
+
+* Thu Feb 5 2009 Dan Walsh 3.6.4-4
+- Fix
staff_t domain
+
+* Thu Feb 5 2009 Dan Walsh 3.6.4-3
+- Grab remainder of network_peer_controls patch
+
+* Wed Feb 4 2009 Dan Walsh 3.6.4-2
+- More fixes for devicekit
+
+* Tue Feb 3 2009 Dan Walsh 3.6.4-1
+- Upgrade to latest upstream
+
+* Mon Feb 2 2009 Dan Walsh 3.6.3-13
+- Add boolean to disallow unconfined_t login
+
+* Fri Jan 30 2009 Dan Walsh 3.6.3-12
+- Add back transition from xguest to mozilla
+
+* Fri Jan 30 2009 Dan Walsh 3.6.3-11
+- Add virt_content_ro_t and labeling for isos directory
+
+* Tue Jan 27 2009 Dan Walsh 3.6.3-10
+- Fixes for wicd daemon
+
+* Mon Jan 26 2009 Dan Walsh 3.6.3-9
+- More mls/rpm fixes
+
+* Fri Jan 23 2009 Dan Walsh 3.6.3-8
+- Add policy to make dbus/nm-applet work
+
+* Thu Jan 22 2009 Dan Walsh 3.6.3-7
+- Remove polgen-ifgen from post and add trigger to policycoreutils-python
+
+* Wed Jan 21 2009 Dan Walsh 3.6.3-6
+- Add wm policy
+- Make mls work in graphics mode
+
+* Tue Jan 20 2009 Dan Walsh 3.6.3-3
+- Fixed for DeviceKit
+
+* Mon Jan 19 2009 Dan Walsh 3.6.3-2
+- Add devicekit policy
+
+* Mon Jan 19 2009 Dan Walsh 3.6.3-1
+- Update to upstream
+
+* Thu Jan 15 2009 Dan Walsh 3.6.2-5
+- Define openoffice as an x_domain
+
+* Mon Jan 12 2009 Dan Walsh 3.6.2-4
+- Fixes for reading xserver_tmp_t
+
+* Thu Jan 8 2009 Dan Walsh 3.6.2-3
+- Allow cups_pdf_t write to nfs_t
+
+* Tue Jan 6 2009 Dan Walsh 3.6.2-2
+- Remove audio_entropy policy
+
+* Mon Jan 5 2009 Dan Walsh 3.6.2-1
+- Update to upstream
+
+* Sun Jan 4 2009 Dan Walsh 3.6.1-15
+- Allow hal_acl_t to getattr/setattr fixed_disk
+
+* Sat Dec 27 2008 Dan Walsh 3.6.1-14
+- Change userdom_read_all_users_state to include reading symbolic links in /proc
+
+* Mon Dec 22 2008 Dan Walsh 3.6.1-13
+- Fix dbus reading /proc information
+
+* Thu Dec 18 2008 Dan Walsh 3.6.1-12
+- Add missing alias for home directory content
+
+* Wed Dec 17 2008 Dan Walsh 3.6.1-11
+- Fixes for IBM java location
+
+* Thu Dec 11 2008 Dan Walsh 3.6.1-10
+- Allow unconfined_r unconfined_java_t
+
+* Tue Dec 9 2008
Dan Walsh 3.6.1-9
+- Add cron_role back to user domains
+
+* Mon Dec 8 2008 Dan Walsh 3.6.1-8
+- Fix sudo setting of user keys
+
+* Thu Dec 4 2008 Dan Walsh 3.6.1-7
+- Allow iptables to talk to terminals
+- Fixes for policy kit
+- lots of fixes for booting.
+
+* Wed Dec 3 2008 Dan Walsh 3.6.1-4
+- Cleanup policy
+
+* Mon Dec 01 2008 Ignacio Vazquez-Abrams - 3.6.1-2
+- Rebuild for Python 2.6
+
+* Fri Nov 7 2008 Dan Walsh 3.5.13-19
+- Fix labeling on /var/spool/rsyslog
+
+* Thu Nov 6 2008 Dan Walsh 3.5.13-18
+- Allow postgresl to bind to udp nodes
+
+* Wed Nov 5 2008 Dan Walsh 3.5.13-17
+- Allow lvm to dbus chat with hal
+- Allow rlogind to read nfs_t
+
+* Wed Nov 5 2008 Dan Walsh 3.5.13-16
+- Fix cyphesis file context
+
+* Tue Nov 4 2008 Dan Walsh 3.5.13-15
+- Allow hal/pm-utils to look at /var/run/video.rom
+- Add ulogd policy
+
+* Tue Nov 4 2008 Dan Walsh 3.5.13-14
+- Additional fixes for cyphesis
+- Fix certmaster file context
+- Add policy for system-config-samba
+- Allow hal to read /var/run/video.rom
+
+* Mon Nov 3 2008 Dan Walsh 3.5.13-13
+- Allow dhcpc to restart ypbind
+- Fixup labeling in /var/run
+
+* Thu Oct 30 2008 Dan Walsh 3.5.13-12
+- Add certmaster policy
+
+* Wed Oct 29 2008 Dan Walsh 3.5.13-11
+- Fix confined users
+- Allow xguest to read/write xguest_dbusd_t
+
+* Mon Oct 27 2008 Dan Walsh 3.5.13-9
+- Allow openoffice execstack/execmem privs
+
+* Fri Oct 24 2008 Dan Walsh 3.5.13-8
+- Allow mozilla to run with unconfined_execmem_t
+
+* Thu Oct 23 2008 Dan Walsh 3.5.13-7
+- Dontaudit domains trying to write to .xsession-errors
+
+* Thu Oct 23 2008 Dan Walsh 3.5.13-6
+- Allow nsplugin to look at autofs_t directory
+
+* Wed Oct 22 2008 Dan Walsh 3.5.13-5
+- Allow kerneloops to create tmp files
+
+* Wed Oct 22 2008 Dan Walsh 3.5.13-4
+- More alias for fastcgi
+
+* Tue Oct 21 2008 Dan Walsh 3.5.13-3
+- Remove mod_fcgid-selinux package
+
+* Mon Oct 20 2008 Dan Walsh 3.5.13-2
+- Fix dovecot access
+
+* Fri Oct 17 2008 Dan Walsh 3.5.13-1
+- Policy cleanup
+
+* Thu Oct 16 2008 Dan Walsh 3.5.12-3
+- Remove Multiple spec
+- Add include
+- Fix makefile to not call per_role_expansion
+
+* Wed Oct 15 2008 Dan Walsh 3.5.12-2
+- Fix labeling of libGL
+
+* Fri Oct 10 2008 Dan Walsh 3.5.12-1
+- Update to upstream
+
+* Wed Oct 8 2008 Dan Walsh 3.5.11-1
+- Update to upstream policy
+
+* Mon Oct 6 2008 Dan Walsh 3.5.10-3
+- Fixes for confined xwindows and xdm_t
+
+* Fri Oct 3 2008 Dan Walsh 3.5.10-2
+- Allow confined users and xdm to exec wm
+- Allow nsplugin to talk to fifo files on nfs
+
+* Fri Oct 3 2008 Dan Walsh 3.5.10-1
+- Allow NetworkManager to transition to avahi and iptables
+- Allow domains to search other domains keys, coverup kernel bug
+
+* Wed Oct 1 2008 Dan Walsh 3.5.9-4
+- Fix labeling for oracle
+
+* Wed Oct 1 2008 Dan Walsh 3.5.9-3
+- Allow nsplugin to comminicate with xdm_tmp_t sock_file
+
+* Mon Sep 29 2008 Dan Walsh 3.5.9-2
+- Change all user tmpfs_t files to be labeled user_tmpfs_t
+- Allow radiusd to create sock_files
+
+* Wed Sep 24 2008 Dan Walsh 3.5.9-1
+- Upgrade to upstream
+
+* Tue Sep 23 2008 Dan Walsh 3.5.8-7
+- Allow confined users to login with dbus
+
+* Mon Sep 22 2008 Dan Walsh 3.5.8-6
+- Fix transition to nsplugin
+
+* Mon Sep 22 2008 Dan Walsh 3.5.8-5
+- Add file context for /dev/mspblk.*
+
+* Sun Sep 21 2008 Dan Walsh 3.5.8-4
+- Fix transition to nsplugin
+'
+
+* Thu Sep 18 2008 Dan Walsh 3.5.8-3
+- Fix labeling on new pm*log
+- Allow ssh to bind to all nodes
+
+* Thu Sep 11 2008 Dan Walsh 3.5.8-1
+- Merge upstream changes
+- Add Xavier Toth patches
+
+* Wed Sep 10 2008 Dan Walsh 3.5.7-2
+- Add qemu_cache_t for /var/cache/libvirt
+
+* Fri Sep 5 2008 Dan Walsh 3.5.7-1
+- Remove gamin policy
+
+* Thu Sep 4 2008 Dan Walsh 3.5.6-2
+- Add tinyxs-max file system support
+
+* Wed Sep 3 2008 Dan Walsh 3.5.6-1
+- Update to upstream
+- New handling of init scripts
+
+* Fri Aug 29 2008 Dan Walsh 3.5.5-4
+- Allow pcsd to dbus
+- Add memcache policy
+
+* Fri Aug 29 2008 Dan Walsh 3.5.5-3
+- Allow audit
dispatcher to kill his children
+
+* Tue Aug 26 2008 Dan Walsh 3.5.5-2
+- Update to upstream
+- Fix crontab use by unconfined user
+
+* Tue Aug 12 2008 Dan Walsh 3.5.4-2
+- Allow ifconfig_t to read dhcpc_state_t
+
+* Mon Aug 11 2008 Dan Walsh 3.5.4-1
+- Update to upstream
+
+* Thu Aug 7 2008 Dan Walsh 3.5.3-1
+- Update to upstream
+
+* Sat Aug 2 2008 Dan Walsh 3.5.2-2
+- Allow system-config-selinux to work with policykit
+
+* Fri Jul 25 2008 Dan Walsh 3.5.1-5
+- Fix novel labeling
+
+* Fri Jul 25 2008 Dan Walsh 3.5.1-4
+- Consolodate pyzor,spamassassin, razor into one security domain
+- Fix xdm requiring additional perms.
+
+* Fri Jul 25 2008 Dan Walsh 3.5.1-3
+- Fixes for logrotate, alsa
+
+* Thu Jul 24 2008 Dan Walsh 3.5.1-2
+- Eliminate vbetool duplicate entry
+
+* Wed Jul 16 2008 Dan Walsh 3.5.1-1
+- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t
+- Change dhclient to be able to red networkmanager_var_run
+
+* Tue Jul 15 2008 Dan Walsh 3.5.0-1
+- Update to latest refpolicy
+- Fix libsemanage initial install bug
+
+* Wed Jul 9 2008 Dan Walsh 3.4.2-14
+- Add inotify support to nscd
+
+* Tue Jul 8 2008 Dan Walsh 3.4.2-13
+- Allow unconfined_t to setfcap
+
+* Mon Jul 7 2008 Dan Walsh 3.4.2-12
+- Allow amanda to read tape
+- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
+- Add support for netware file systems
+
+* Thu Jul 3 2008 Dan Walsh 3.4.2-11
+- Allow ypbind apps to net_bind_service
+
+* Wed Jul 2 2008 Dan Walsh 3.4.2-10
+- Allow all system domains and application domains to append to any log file
+
+* Sun Jun 29 2008 Dan Walsh 3.4.2-9
+- Allow gdm to read rpm database
+- Allow nsplugin to read mplayer config files
+
+* Thu Jun 26 2008 Dan Walsh 3.4.2-8
+- Allow vpnc to run ifconfig
+
+* Tue Jun 24 2008 Dan Walsh 3.4.2-7
+- Allow confined users to use postgres
+- Allow system_mail_t to exec other mail clients
+- Label mogrel_rails as an apache server
+
+* Mon Jun 23 2008 Dan Walsh 3.4.2-6
+- Apply unconfined_execmem_exec_t to haskell
programs
+
+* Sun Jun 22 2008 Dan Walsh 3.4.2-5
+- Fix prelude file context
+
+* Fri Jun 13 2008 Dan Walsh 3.4.2-4
+- allow hplip to talk dbus
+- Fix context on ~/.local dir
+
+* Thu Jun 12 2008 Dan Walsh 3.4.2-3
+- Prevent applications from reading x_device
+
+* Thu Jun 12 2008 Dan Walsh 3.4.2-2
+- Add /var/lib/selinux context
+
+* Wed Jun 11 2008 Dan Walsh 3.4.2-1
+- Update to upstream
+
+* Wed Jun 4 2008 Dan Walsh 3.4.1-5
+- Add livecd policy
+
+* Wed Jun 4 2008 Dan Walsh 3.4.1-3
+- Dontaudit search of admin_home for init_system_domain
+- Rewrite of xace interfaces
+- Lots of new fs_list_inotify
+- Allow livecd to transition to setfiles_mac
+
+* Fri May 9 2008 Dan Walsh 3.4.1-2
+- Begin XAce integration
+
+* Fri May 9 2008 Dan Walsh 3.4.1-1
+- Merge Upstream
+
+* Wed May 7 2008 Dan Walsh 3.3.1-48
+- Allow amanada to create data files
+
+* Wed May 7 2008 Dan Walsh 3.3.1-47
+- Fix initial install, semanage setup
+
+* Tue May 6 2008 Dan Walsh 3.3.1-46
+- Allow system_r for httpd_unconfined_script_t
+
+* Wed Apr 30 2008 Dan Walsh 3.3.1-45
+- Remove dmesg boolean
+- Allow user domains to read/write game data
+
+* Mon Apr 28 2008 Dan Walsh 3.3.1-44
+- Change unconfined_t to transition to unconfined_mono_t when running mono
+- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work
+
+* Mon Apr 28 2008 Dan Walsh 3.3.1-43
+- Remove old booleans from targeted-booleans.conf file
+
+* Fri Apr 25 2008 Dan Walsh 3.3.1-42
+- Add boolean to mmap_zero
+- allow tor setgid
+- Allow gnomeclock to set clock
+
+* Thu Apr 24 2008 Dan Walsh 3.3.1-41
+- Don't run crontab from unconfined_t
+
+* Wed Apr 23 2008 Dan Walsh 3.3.1-39
+- Change etc files to config files to allow users to read them
+
+* Fri Apr 18 2008 Dan Walsh 3.3.1-37
+- Lots of fixes for confined domains on NFS_t homedir
+
+* Mon Apr 14 2008 Dan Walsh 3.3.1-36
+- dontaudit mrtg reading /proc
+- Allow iscsi to signal itself
+- Allow gnomeclock sys_ptrace
+
+* Thu Apr 10 2008 Dan Walsh
3.3.1-33
+- Allow dhcpd to read kernel network state
+
+* Thu Apr 10 2008 Dan Walsh 3.3.1-32
+- Label /var/run/gdm correctly
+- Fix unconfined_u user creation
+
+* Tue Apr 8 2008 Dan Walsh 3.3.1-31
+- Allow transition from initrc_t to getty_t
+
+* Tue Apr 8 2008 Dan Walsh 3.3.1-30
+- Allow passwd to communicate with user sockets to change gnome-keyring
+
+* Sat Apr 5 2008 Dan Walsh 3.3.1-29
+- Fix initial install
+
+* Fri Apr 4 2008 Dan Walsh 3.3.1-28
+- Allow radvd to use fifo_file
+- dontaudit setfiles reading links
+- allow semanage sys_resource
+- add allow_httpd_mod_auth_ntlm_winbind boolean
+- Allow privhome apps including dovecot read on nfs and cifs home
+dirs if the boolean is set
+
+* Tue Apr 1 2008 Dan Walsh 3.3.1-27
+- Allow nsplugin to read /etc/mozpluggerrc, user_fonts
+- Allow syslog to manage innd logs.
+- Allow procmail to ioctl spamd_exec_t
+
+* Sat Mar 29 2008 Dan Walsh 3.3.1-26
+- Allow initrc_t to dbus chat with consolekit.
+
+* Thu Mar 27 2008 Dan Walsh 3.3.1-25
+- Additional access for nsplugin
+- Allow xdm setcap/getcap until pulseaudio is fixed
+
+* Tue Mar 25 2008 Dan Walsh 3.3.1-24
+- Allow mount to mkdir on tmpfs
+- Allow ifconfig to search debugfs
+
+* Fri Mar 21 2008 Dan Walsh 3.3.1-23
+- Fix file context for MATLAB
+- Fixes for xace
+
+* Tue Mar 18 2008 Dan Walsh 3.3.1-22
+- Allow stunnel to transition to inetd children domains
+- Make unconfined_dbusd_t an unconfined domain
+
+* Mon Mar 17 2008 Dan Walsh 3.3.1-21
+- Fixes for qemu/virtd
+
+* Fri Mar 14 2008 Dan Walsh 3.3.1-20
+- Fix bug in mozilla policy to allow xguest transition
+- This will fix the
+libsemanage.dbase_llist_query: could not find record value
+libsemanage.dbase_llist_query: could not query record value (No such file or
+directory)
+ bug in xguest
+
+* Fri Mar 14 2008 Dan Walsh 3.3.1-19
+- Allow nsplugin to run acroread
+
+* Thu Mar 13 2008 Dan Walsh 3.3.1-18
+- Add cups_pdf policy
+- Add openoffice policy to run in xguest
+
+* Thu Mar 13 2008 Dan Walsh 3.3.1-17
+-
prewika needs to contact mysql
+- Allow syslog to read system_map files
+
+* Wed Mar 12 2008 Dan Walsh 3.3.1-16
+- Change init_t to an unconfined_domain
+
+* Tue Mar 11 2008 Dan Walsh 3.3.1-15
+- Allow init to transition to initrc_t on shell exec.
+- Fix init to be able to sendto init_t.
+- Allow syslog to connect to mysql
+- Allow lvm to manage its own fifo_files
+- Allow bugzilla to use ldap
+- More mls fixes
+
+* Tue Mar 11 2008 Bill Nottingham 3.3.1-14
+- fixes for init policy (#436988)
+- fix build
+
+* Mon Mar 10 2008 Dan Walsh 3.3.1-13
+- Additional changes for MLS policy
+
+* Thu Mar 6 2008 Dan Walsh 3.3.1-12
+- Fix initrc_context generation for MLS
+
+* Mon Mar 3 2008 Dan Walsh 3.3.1-11
+- Fixes for libvirt
+
+* Mon Mar 3 2008 Dan Walsh 3.3.1-10
+- Allow bitlebee to read locale_t
+
+* Fri Feb 29 2008 Dan Walsh 3.3.1-9
+- More xselinux rules
+
+* Thu Feb 28 2008 Dan Walsh 3.3.1-8
+- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t
+
+* Wed Feb 27 2008 Dan Walsh 3.3.1-6
+- Prepare policy for beta release
+- Change some of the system domains back to unconfined
+- Turn on some of the booleans
+
+* Tue Feb 26 2008 Dan Walsh 3.3.1-5
+- Allow nsplugin_config execstack/execmem
+- Allow nsplugin_t to read alsa config
+- Change apache to use user content
+
+* Tue Feb 26 2008 Dan Walsh 3.3.1-4
+- Add cyphesis policy
+
+* Tue Feb 26 2008 Dan Walsh 3.3.1-2
+- Fix Makefile.devel to build mls modules
+- Fix qemu to be more specific on labeling
+
+* Tue Feb 26 2008 Dan Walsh 3.3.1-1
+- Update to upstream fixes
+
+* Fri Feb 22 2008 Dan Walsh 3.3.0-2
+- Allow staff to mounton user_home_t
+
+* Fri Feb 22 2008 Dan Walsh 3.3.0-1
+- Add xace support
+
+* Thu Feb 21 2008 Dan Walsh 3.2.9-2
+- Add fusectl file system
+
+* Wed Feb 20 2008 Dan Walsh 3.2.9-1
+- Fixes from yum-cron
+- Update to latest upstream
+
+* Tue Feb 19 2008 Dan Walsh 3.2.8-2
+- Fix userdom_list_user_files
+
+* Fri Feb 15 2008 Dan Walsh 3.2.8-1
+- Merge with upstream
+
+* Thu Feb 7 2008 Dan Walsh 3.2.7-6
+-
Allow udev to send audit messages
+
+* Thu Feb 7 2008 Dan Walsh 3.2.7-5
+- Add additional login users interfaces
+ - userdom_admin_login_user_template(staff)
+
+* Thu Feb 7 2008 Dan Walsh 3.2.7-3
+- More fixes for polkit
+
+* Thu Feb 7 2008 Dan Walsh 3.2.7-2
+- Eliminate transition from unconfined_t to qemu by default
+- Fixes for gpg
+
+* Tue Feb 5 2008 Dan Walsh 3.2.7-1
+- Update to upstream
+
+* Tue Feb 5 2008 Dan Walsh 3.2.6-7
+- Fixes for staff_t
+
+* Tue Feb 5 2008 Dan Walsh 3.2.6-6
+- Add policy for kerneloops
+- Add policy for gnomeclock
+
+* Mon Feb 4 2008 Dan Walsh 3.2.6-5
+- Fixes for libvirt
+
+* Sun Feb 3 2008 Dan Walsh 3.2.6-4
+- Fixes for nsplugin
+
+* Sat Feb 2 2008 Dan Walsh 3.2.6-3
+- More fixes for qemu
+
+* Sat Feb 2 2008 Dan Walsh 3.2.6-2
+- Additional ports for vnc and allow qemu and libvirt to search all directories
+
+* Fri Feb 1 2008 Dan Walsh 3.2.6-1
+- Update to upstream
+- Add libvirt policy
+- add qemu policy
+
+* Fri Feb 1 2008 Dan Walsh 3.2.5-25
+- Allow fail2ban to create a socket in /var/run
+
+* Wed Jan 30 2008 Dan Walsh 3.2.5-24
+- Allow allow_httpd_mod_auth_pam to work
+
+* Wed Jan 30 2008 Dan Walsh 3.2.5-22
+- Add audisp policy and prelude
+
+* Mon Jan 28 2008 Dan Walsh 3.2.5-21
+- Allow all user roles to executae samba net command
+
+* Fri Jan 25 2008 Dan Walsh 3.2.5-20
+- Allow usertypes to read/write noxattr file systems
+
+* Thu Jan 24 2008 Dan Walsh 3.2.5-19
+- Fix nsplugin to allow flashplugin to work in enforcing mode
+
+* Wed Jan 23 2008 Dan Walsh 3.2.5-18
+- Allow pam_selinux_permit to kill all processes
+
+* Mon Jan 21 2008 Dan Walsh 3.2.5-17
+- Allow ptrace or user processes by users of same type
+- Add boolean for transition to nsplugin
+
+* Mon Jan 21 2008 Dan Walsh 3.2.5-16
+- Allow nsplugin sys_nice, getsched, setsched
+
+* Mon Jan 21 2008 Dan Walsh 3.2.5-15
+- Allow login programs to talk dbus to oddjob
+
+* Thu Jan 17 2008 Dan Walsh 3.2.5-14
+- Add procmail_log support
+- Lots of fixes for munin
+
+* Tue Jan 15
2008 Dan Walsh 3.2.5-13
+- Allow setroubleshoot to read policy config and send audit messages
+
+* Mon Jan 14 2008 Dan Walsh 3.2.5-12
+- Allow users to execute all files in homedir, if boolean set
+- Allow mount to read samba config
+
+* Sun Jan 13 2008 Dan Walsh 3.2.5-11
+- Fixes for xguest to run java plugin
+
+* Mon Jan 7 2008 Dan Walsh 3.2.5-10
+- dontaudit pam_t and dbusd writing to user_home_t
+
+* Mon Jan 7 2008 Dan Walsh 3.2.5-9
+- Update gpg to allow reading of inotify
+
+* Wed Jan 2 2008 Dan Walsh 3.2.5-8
+- Change user and staff roles to work correctly with varied perms
+
+* Mon Dec 31 2007 Dan Walsh 3.2.5-7
+- Fix munin log,
+- Eliminate duplicate mozilla file context
+- fix wpa_supplicant spec
+
+* Mon Dec 24 2007 Dan Walsh 3.2.5-6
+- Fix role transition from unconfined_r to system_r when running rpm
+- Allow unconfined_domains to communicate with user dbus instances
+
+* Sat Dec 22 2007 Dan Walsh 3.2.5-5
+- Fixes for xguest
+
+* Thu Dec 20 2007 Dan Walsh 3.2.5-4
+- Let all uncofined domains communicate with dbus unconfined
+
+* Thu Dec 20 2007 Dan Walsh 3.2.5-3
+- Run rpm in system_r
+
+* Wed Dec 19 2007 Dan Walsh 3.2.5-2
+- Zero out customizable types
+
+* Wed Dec 19 2007 Dan Walsh 3.2.5-1
+- Fix definiton of admin_home_t
+
+* Wed Dec 19 2007 Dan Walsh 3.2.4-5
+- Fix munin file context
+
+* Tue Dec 18 2007 Dan Walsh 3.2.4-4
+- Allow cron to run unconfined apps
+
+* Mon Dec 17 2007 Dan Walsh 3.2.4-3
+- Modify default login to unconfined_u
+
+* Thu Dec 13 2007 Dan Walsh 3.2.4-1
+- Dontaudit dbus user client search of /root
+
+* Wed Dec 12 2007 Dan Walsh 3.2.4-1
+- Update to upstream
+
+* Tue Dec 11 2007 Dan Walsh 3.2.3-2
+- Fixes for polkit
+- Allow xserver to ptrace
+
+* Tue Dec 11 2007 Dan Walsh 3.2.3-1
+- Add polkit policy
+- Symplify userdom context, remove automatic per_role changes
+
+* Tue Dec 4 2007 Dan Walsh 3.2.2-1
+- Update to upstream
+- Allow httpd_sys_script_t to search users homedirs
+
+* Mon Dec 3 2007 Dan Walsh 3.2.1-3
+- Allow
rpm_script to transition to unconfined_execmem_t
+
+* Fri Nov 30 2007 Dan Walsh 3.2.1-1
+- Remove user based home directory separation
+
+* Wed Nov 28 2007 Dan Walsh 3.1.2-2
+- Remove user specific crond_t
+
+* Mon Nov 19 2007 Dan Walsh 3.1.2-1
+- Merge with upstream
+- Allow xsever to read hwdata_t
+- Allow login programs to setkeycreate
+
+* Sat Nov 10 2007 Dan Walsh 3.1.1-1
+- Update to upstream
+
+* Mon Oct 22 2007 Dan Walsh 3.1.0-1
+- Update to upstream
+
+* Mon Oct 22 2007 Dan Walsh 3.0.8-30
+- Allow XServer to read /proc/self/cmdline
+- Fix unconfined cron jobs
+- Allow fetchmail to transition to procmail
+- Fixes for hald_mac
+- Allow system_mail to transition to exim
+- Allow tftpd to upload files
+- Allow xdm to manage unconfined_tmp
+- Allow udef to read alsa config
+- Fix xguest to be able to connect to sound port
+
+* Fri Oct 19 2007 Dan Walsh 3.0.8-28
+- Fixes for hald_mac
+- Treat unconfined_home_dir_t as a home dir
+- dontaudit rhgb writes to fonts and root
+
+* Fri Oct 19 2007 Dan Walsh 3.0.8-27
+- Fix dnsmasq
+- Allow rshd full login privs
+
+* Thu Oct 18 2007 Dan Walsh 3.0.8-26
+- Allow rshd to connect to ports > 1023
+
+* Thu Oct 18 2007 Dan Walsh 3.0.8-25
+- Fix vpn to bind to port 4500
+- Allow ssh to create shm
+- Add Kismet policy
+
+* Tue Oct 16 2007 Dan Walsh 3.0.8-24
+- Allow rpm to chat with networkmanager
+
+* Mon Oct 15 2007 Dan Walsh 3.0.8-23
+- Fixes for ipsec and exim mail
+- Change default to unconfined user
+
+* Fri Oct 12 2007 Dan Walsh 3.0.8-22
+- Pass the UNK_PERMS param to makefile
+- Fix gdm location
+
+* Wed Oct 10 2007 Dan Walsh 3.0.8-21
+- Make alsa work
+
+* Tue Oct 9 2007 Dan Walsh 3.0.8-20
+- Fixes for consolekit and startx sessions
+
+* Mon Oct 8 2007 Dan Walsh 3.0.8-19
+- Dontaudit consoletype talking to unconfined_t
+
+* Thu Oct 4 2007 Dan Walsh 3.0.8-18
+- Remove homedir_template
+
+* Tue Oct 2 2007 Dan Walsh 3.0.8-17
+- Check asound.state
+
+* Mon Oct 1 2007 Dan Walsh 3.0.8-16
+- Fix exim policy
+
+* Thu Sep 27
2007 Dan Walsh 3.0.8-15
+- Allow tmpreadper to read man_t
+- Allow racoon to bind to all nodes
+- Fixes for finger print reader
+
+* Tue Sep 25 2007 Dan Walsh 3.0.8-14
+- Allow xdm to talk to input device (fingerprint reader)
+- Allow octave to run as java
+
+* Tue Sep 25 2007 Dan Walsh 3.0.8-13
+- Allow login programs to set ioctl on /proc
+
+* Mon Sep 24 2007 Dan Walsh 3.0.8-12
+- Allow nsswitch apps to read samba_var_t
+
+* Mon Sep 24 2007 Dan Walsh 3.0.8-11
+- Fix maxima
+
+* Mon Sep 24 2007 Dan Walsh 3.0.8-10
+- Eliminate rpm_t:fifo_file avcs
+- Fix dbus path for helper app
+
+* Sat Sep 22 2007 Dan Walsh 3.0.8-9
+- Fix service start stop terminal avc's
+
+* Fri Sep 21 2007 Dan Walsh 3.0.8-8
+- Allow also to search var_lib
+- New context for dbus launcher
+
+* Fri Sep 21 2007 Dan Walsh 3.0.8-7
+- Allow cupsd_config_t to read/write usb_device_t
+- Support for finger print reader,
+- Many fixes for clvmd
+- dbus starting networkmanager
+
+* Thu Sep 20 2007 Dan Walsh 3.0.8-5
+- Fix java and mono to run in xguest account
+
+* Wed Sep 19 2007 Dan Walsh 3.0.8-4
+- Fix to add xguest account when inititial install
+- Allow mono, java, wine to run in userdomains
+
+* Wed Sep 19 2007 Dan Walsh 3.0.8-3
+- Allow xserver to search devpts_t
+- Dontaudit ldconfig output to homedir
+
+* Tue Sep 18 2007 Dan Walsh 3.0.8-2
+- Remove hplip_etc_t change back to etc_t.
+
+* Mon Sep 17 2007 Dan Walsh 3.0.8-1
+- Allow cron to search nfs and samba homedirs
+
+* Tue Sep 11 2007 Dan Walsh 3.0.7-10
+- Allow NetworkManager to dbus chat with yum-updated
+
+* Tue Sep 11 2007 Dan Walsh 3.0.7-9
+- Allow xfs to bind to port 7100
+
+* Mon Sep 10 2007 Dan Walsh 3.0.7-8
+- Allow newalias/sendmail dac_override
+- Allow bind to bind to all udp ports
+
+* Fri Sep 7 2007 Dan Walsh 3.0.7-7
+- Turn off direct transition
+
+* Fri Sep 7 2007 Dan Walsh 3.0.7-6
+- Allow wine to run in system role
+
+* Thu Sep 6 2007 Dan Walsh 3.0.7-5
+- Fix java labeling
+
+* Thu Sep 6 2007 Dan Walsh 3.0.7-4
+- Define user_home_type as home_type
+
+* Tue Aug 28 2007 Dan Walsh 3.0.7-3
+- Allow sendmail to create etc_aliases_t
+
+* Tue Aug 28 2007 Dan Walsh 3.0.7-2
+- Allow login programs to read symlinks on homedirs
+
+* Mon Aug 27 2007 Dan Walsh 3.0.7-1
+- Update an readd modules
+
+* Fri Aug 24 2007 Dan Walsh 3.0.6-3
+- Cleanup spec file
+
+* Fri Aug 24 2007 Dan Walsh 3.0.6-2
+- Allow xserver to be started by unconfined process and talk to tty
+
+* Wed Aug 22 2007 Dan Walsh 3.0.6-1
+- Upgrade to upstream to grab postgressql changes
+
+* Tue Aug 21 2007 Dan Walsh 3.0.5-11
+- Add setransd for mls policy
+
+* Mon Aug 20 2007 Dan Walsh 3.0.5-10
+- Add ldconfig_cache_t
+
+* Sat Aug 18 2007 Dan Walsh 3.0.5-9
+- Allow sshd to write to proc_t for afs login
+
+* Sat Aug 18 2007 Dan Walsh 3.0.5-8
+- Allow xserver access to urand
+
+* Tue Aug 14 2007 Dan Walsh 3.0.5-7
+- allow dovecot to search mountpoints
+
+* Sat Aug 11 2007 Dan Walsh 3.0.5-6
+- Fix Makefile for building policy modules
+
+* Fri Aug 10 2007 Dan Walsh 3.0.5-5
+- Fix dhcpc startup of service
+
+* Fri Aug 10 2007 Dan Walsh 3.0.5-4
+- Fix dbus chat to not happen for xguest and guest users
+
+* Mon Aug 6 2007 Dan Walsh 3.0.5-3
+- Fix nagios cgi
+- allow squid to communicate with winbind
+
+* Mon Aug 6 2007 Dan Walsh 3.0.5-2
+- Fixes for ldconfig
+
+* Thu Aug 2 2007 Dan Walsh 3.0.5-1
+- Update from upstream
+
+* Wed
Aug 1 2007 Dan Walsh 3.0.4-6
+- Add nasd support
+
+* Wed Aug 1 2007 Dan Walsh 3.0.4-5
+- Fix new usb devices and dmfm
+
+* Mon Jul 30 2007 Dan Walsh 3.0.4-4
+- Eliminate mount_ntfs_t policy, merge into mount_t
+
+* Mon Jul 30 2007 Dan Walsh 3.0.4-3
+- Allow xserver to write to ramfs mounted by rhgb
+
+* Tue Jul 24 2007 Dan Walsh 3.0.4-2
+- Add context for dbus machine id
+
+* Tue Jul 24 2007 Dan Walsh 3.0.4-1
+- Update with latest changes from upstream
+
+* Tue Jul 24 2007 Dan Walsh 3.0.3-6
+- Fix prelink to handle execmod
+
+* Mon Jul 23 2007 Dan Walsh 3.0.3-5
+- Add ntpd_key_t to handle secret data
+
+* Fri Jul 20 2007 Dan Walsh 3.0.3-4
+- Add anon_inodefs
+- Allow unpriv user exec pam_exec_t
+- Fix trigger
+
+* Fri Jul 20 2007 Dan Walsh 3.0.3-3
+- Allow cups to use generic usb
+- fix inetd to be able to run random apps (git)
+
+* Thu Jul 19 2007 Dan Walsh 3.0.3-2
+- Add proper contexts for rsyslogd
+
+* Thu Jul 19 2007 Dan Walsh 3.0.3-1
+- Fixes for xguest policy
+
+* Tue Jul 17 2007 Dan Walsh 3.0.2-9
+- Allow execution of gconf
+
+* Sat Jul 14 2007 Dan Walsh 3.0.2-8
+- Fix moilscanner update problem
+
+* Thu Jul 12 2007 Dan Walsh 3.0.2-7
+- Begin adding policy to separate setsebool from semanage
+- Fix xserver.if definition to not break sepolgen.if
+
+* Wed Jul 11 2007 Dan Walsh 3.0.2-5
+- Add new devices
+
+* Tue Jul 10 2007 Dan Walsh 3.0.2-4
+- Add brctl policy
+
+* Fri Jul 6 2007 Dan Walsh 3.0.2-3
+- Fix root login to include system_r
+
+* Fri Jul 6 2007 Dan Walsh 3.0.2-2
+- Allow prelink to read kernel sysctls
+
+* Mon Jul 2 2007 Dan Walsh 3.0.1-5
+- Default to user_u:system_r:unconfined_t
+
+* Sun Jul 1 2007 Dan Walsh 3.0.1-4
+- fix squid
+- Fix rpm running as uid
+
+* Tue Jun 26 2007 Dan Walsh 3.0.1-3
+- Fix syslog declaration
+
+* Tue Jun 26 2007 Dan Walsh 3.0.1-2
+- Allow avahi to access inotify
+- Remove a lot of bogus security_t:filesystem avcs
+
+* Fri May 25 2007 Dan Walsh 3.0.1-1
+- Remove ifdef strict policy from upstream
+
+* Fri May 18 2007 Dan
Walsh 2.6.5-3
+- Remove ifdef strict to allow user_u to login
+
+* Fri May 18 2007 Dan Walsh 2.6.5-2
+- Fix for amands
+- Allow semanage to read pp files
+- Allow rhgb to read xdm_xserver_tmp
+
+* Fri May 18 2007 Dan Walsh 2.6.4-7
+- Allow kerberos servers to use ldap for backing store
+
+* Thu May 17 2007 Dan Walsh 2.6.4-6
+- allow alsactl to read kernel state
+
+* Wed May 16 2007 Dan Walsh 2.6.4-5
+- More fixes for alsactl
+- Transition from hal and modutils
+- Fixes for suspend resume.
+ - insmod domtrans to alsactl
+ - insmod writes to hal log
+
+* Wed May 16 2007 Dan Walsh 2.6.4-2
+- Allow unconfined_t to transition to NetworkManager_t
+- Fix netlabel policy
+
+* Mon May 14 2007 Dan Walsh 2.6.4-1
+- Update to latest from upstream
+
+* Fri May 4 2007 Dan Walsh 2.6.3-1
+- Update to latest from upstream
+
+* Mon Apr 30 2007 Dan Walsh 2.6.2-1
+- Update to latest from upstream
+
+* Fri Apr 27 2007 Dan Walsh 2.6.1-4
+- Allow pcscd_t to send itself signals
+
+* Wed Apr 25 2007 Dan Walsh 2.6.1-2
+- Fixes for unix_update
+- Fix logwatch to be able to search all dirs
+
+* Mon Apr 23 2007 Dan Walsh 2.6.1-1
+- Upstream bumped the version
+
+* Thu Apr 19 2007 Dan Walsh 2.5.12-12
+- Allow consolekit to syslog
+- Allow ntfs to work with hal
+
+* Thu Apr 19 2007 Dan Walsh 2.5.12-11
+- Allow iptables to read etc_runtime_t
+
+* Thu Apr 19 2007 Dan Walsh 2.5.12-10
+- MLS Fixes
+
+* Wed Apr 18 2007 Dan Walsh 2.5.12-8
+- Fix path of /etc/lvm/cache directory
+- Fixes for alsactl and pppd_t
+- Fixes for consolekit
+
+* Tue Apr 17 2007 Dan Walsh 2.5.12-5
+- Allow insmod_t to mount kvmfs_t filesystems
+
+* Tue Apr 17 2007 Dan Walsh 2.5.12-4
+- Rwho policy
+- Fixes for consolekit
+
+* Fri Apr 13 2007 Dan Walsh 2.5.12-3
+- fixes for fusefs
+
+* Thu Apr 12 2007 Dan Walsh 2.5.12-2
+- Fix samba_net to allow it to view samba_var_t
+
+* Tue Apr 10 2007 Dan Walsh 2.5.12-1
+- Update to upstream
+
+* Tue Apr 10 2007 Dan Walsh 2.5.11-8
+- Fix Sonypic backlight
+- Allow snmp to look at
squid_conf_t
+
+* Mon Apr 9 2007 Dan Walsh 2.5.11-7
+- Fixes for pyzor, cyrus, consoletype on everything installs
+
+* Mon Apr 9 2007 Dan Walsh 2.5.11-6
+- Fix hald_acl_t to be able to getattr/setattr on usb devices
+- Dontaudit write to unconfined_pipes for load_policy
+
+* Thu Apr 5 2007 Dan Walsh 2.5.11-5
+- Allow bluetooth to read inotifyfs
+
+* Wed Apr 4 2007 Dan Walsh 2.5.11-4
+- Fixes for samba domain controller.
+- Allow ConsoleKit to look at ttys
+
+* Tue Apr 3 2007 Dan Walsh 2.5.11-3
+- Fix interface call
+
+* Tue Apr 3 2007 Dan Walsh 2.5.11-2
+- Allow syslog-ng to read /var
+- Allow locate to getattr on all filesystems
+- nscd needs setcap
+
+* Mon Mar 26 2007 Dan Walsh 2.5.11-1
+- Update to upstream
+
+* Fri Mar 23 2007 Dan Walsh 2.5.10-2
+- Allow samba to run groupadd
+
+* Thu Mar 22 2007 Dan Walsh 2.5.10-1
+- Update to upstream
+
+* Thu Mar 22 2007 Dan Walsh 2.5.9-6
+- Allow mdadm to access generic scsi devices
+
+* Wed Mar 21 2007 Dan Walsh 2.5.9-5
+- Fix labeling on udev.tbl dirs
+
+* Tue Mar 20 2007 Dan Walsh 2.5.9-4
+- Fixes for logwatch
+
+* Tue Mar 20 2007 Dan Walsh 2.5.9-3
+- Add fusermount and mount_ntfs policy
+
+* Tue Mar 20 2007 Dan Walsh 2.5.9-2
+- Update to upstream
+- Allow saslauthd to use kerberos keytabs
+
+* Mon Mar 19 2007 Dan Walsh 2.5.8-8
+- Fixes for samba_var_t
+
+* Mon Mar 19 2007 Dan Walsh 2.5.8-7
+- Allow networkmanager to setpgid
+- Fixes for hal_acl_t
+
+* Mon Mar 19 2007 Dan Walsh 2.5.8-6
+- Remove disable_trans booleans
+- hald_acl_t needs to talk to nscd
+
+* Thu Mar 15 2007 Dan Walsh 2.5.8-5
+- Fix prelink to be able to manage usr dirs.
+
+* Tue Mar 13 2007 Dan Walsh 2.5.8-4
+- Allow insmod to launch init scripts
+
+* Tue Mar 13 2007 Dan Walsh 2.5.8-3
+- Remove setsebool policy
+
+* Mon Mar 12 2007 Dan Walsh 2.5.8-2
+- Fix handling of unlabled_t packets
+
+* Thu Mar 8 2007 Dan Walsh 2.5.8-1
+- More of my patches from upstream
+
+* Thu Mar 1 2007 Dan Walsh 2.5.7-1
+- Update to latest from upstream
+- Add fail2ban policy
+
+* Wed Feb 28 2007 Dan Walsh 2.5.6-1
+- Update to remove security_t:filesystem getattr problems
+
+* Fri Feb 23 2007 Dan Walsh 2.5.5-2
+- Policy for consolekit
+
+* Fri Feb 23 2007 Dan Walsh 2.5.5-1
+- Update to latest from upstream
+
+* Wed Feb 21 2007 Dan Walsh 2.5.4-2
+- Revert Nemiver change
+- Set sudo as a corecmd so prelink will work, remove sudoedit mapping, since this will not work, it does not transition.
+- Allow samba to execute useradd
+
+* Tue Feb 20 2007 Dan Walsh 2.5.4-1
+- Upgrade to the latest from upstream
+
+* Thu Feb 15 2007 Dan Walsh 2.5.3-3
+- Add sepolgen support
+- Add bugzilla policy
+
+* Wed Feb 14 2007 Dan Walsh 2.5.3-2
+- Fix file context for nemiver
+
+* Sun Feb 11 2007 Dan Walsh 2.5.3-1
+- Remove include sym link
+
+* Mon Feb 5 2007 Dan Walsh 2.5.2-6
+- Allow mozilla, evolution and thunderbird to read dev_random.
+Resolves: #227002 +- Allow spamd to connect to smtp port +Resolves: #227184 +- Fixes to make ypxfr work +Resolves: #227237 + +* Sun Feb 4 2007 Dan Walsh 2.5.2-5 +- Fix ssh_agent to be marked as an executable +- Allow Hal to rw sound device + +* Thu Feb 1 2007 Dan Walsh 2.5.2-4 +- Fix spamassisin so crond can update spam files +- Fixes to allow kpasswd to work +- Fixes for bluetooth + +* Fri Jan 26 2007 Dan Walsh 2.5.2-3 +- Remove some targeted diffs in file context file + +* Thu Jan 25 2007 Dan Walsh 2.5.2-2 +- Fix squid cachemgr labeling + +* Thu Jan 25 2007 Dan Walsh 2.5.2-1 +- Add ability to generate webadm_t policy +- Lots of new interfaces for httpd +- Allow sshd to login as unconfined_t + +* Mon Jan 22 2007 Dan Walsh 2.5.1-5 +- Continue fixing, additional user domains + +* Wed Jan 10 2007 Dan Walsh 2.5.1-4 +- Begin adding user confinement to targeted policy + +* Wed Jan 10 2007 Dan Walsh 2.5.1-2 +- Fixes for prelink, ktalkd, netlabel + +* Mon Jan 8 2007 Dan Walsh 2.5.1-1 +- Allow prelink when run from rpm to create tmp files +Resolves: #221865 +- Remove file_context for exportfs +Resolves: #221181 +- Allow spamassassin to create ~/.spamassissin +Resolves: #203290 +- Allow ssh access to the krb tickets +- Allow sshd to change passwd +- Stop newrole -l from working on non securetty +Resolves: #200110 +- Fixes to run prelink in MLS machine +Resolves: #221233 +- Allow spamassassin to read var_lib_t dir +Resolves: #219234 + +* Fri Dec 29 2006 Dan Walsh 2.4.6-20 +- fix mplayer to work under strict policy +- Allow iptables to use nscd +Resolves: #220794 + +* Thu Dec 28 2006 Dan Walsh 2.4.6-19 +- Add gconf policy and make it work with strict + +* Sat Dec 23 2006 Dan Walsh 2.4.6-18 +- Many fixes for strict policy and by extension mls. + +* Fri Dec 22 2006 Dan Walsh 2.4.6-17 +- Fix to allow ftp to bind to ports > 1024 +Resolves: #219349 + +* Tue Dec 19 2006 Dan Walsh 2.4.6-16 +- Allow semanage to exec it self. 
Label genhomedircon as semanage_exec_t +Resolves: #219421 +- Allow sysadm_lpr_t to manage other print spool jobs +Resolves: #220080 + +* Mon Dec 18 2006 Dan Walsh 2.4.6-15 +- allow automount to setgid +Resolves: #219999 + +* Thu Dec 14 2006 Dan Walsh 2.4.6-14 +- Allow cron to polyinstatiate +- Fix creation of boot flags +Resolves: #207433 + +* Thu Dec 14 2006 Dan Walsh 2.4.6-13 +- Fixes for irqbalance +Resolves: #219606 + +* Thu Dec 14 2006 Dan Walsh 2.4.6-12 +- Fix vixie-cron to work on mls +Resolves: #207433 + +* Wed Dec 13 2006 Dan Walsh 2.4.6-11 +Resolves: #218978 + +* Tue Dec 12 2006 Dan Walsh 2.4.6-10 +- Allow initrc to create files in /var directories +Resolves: #219227 + +* Fri Dec 8 2006 Dan Walsh 2.4.6-9 +- More fixes for MLS +Resolves: #181566 + +* Wed Dec 6 2006 Dan Walsh 2.4.6-8 +- More Fixes polyinstatiation +Resolves: #216184 + +* Wed Dec 6 2006 Dan Walsh 2.4.6-7 +- More Fixes polyinstatiation +- Fix handling of keyrings +Resolves: #216184 + +* Mon Dec 4 2006 Dan Walsh 2.4.6-6 +- Fix polyinstatiation +- Fix pcscd handling of terminal +Resolves: #218149 +Resolves: #218350 + +* Fri Dec 1 2006 Dan Walsh 2.4.6-5 +- More fixes for quota +Resolves: #212957 + +* Fri Dec 1 2006 Dan Walsh 2.4.6-4 +- ncsd needs to use avahi sockets +Resolves: #217640 +Resolves: #218014 + +* Thu Nov 30 2006 Dan Walsh 2.4.6-3 +- Allow login programs to polyinstatiate homedirs +Resolves: #216184 +- Allow quotacheck to create database files +Resolves: #212957 + +* Tue Nov 28 2006 Dan Walsh 2.4.6-1 +- Dontaudit appending hal_var_lib files +Resolves: #217452 +Resolves: #217571 +Resolves: #217611 +Resolves: #217640 +Resolves: #217725 + +* Tue Nov 21 2006 Dan Walsh 2.4.5-4 +- Fix context for helix players file_context #216942 + +* Mon Nov 20 2006 Dan Walsh 2.4.5-3 +- Fix load_policy to be able to mls_write_down so it can talk to the terminal + +* Mon Nov 20 2006 Dan Walsh 2.4.5-2 +- Fixes for hwclock, clamav, ftp + +* Wed Nov 15 2006 Dan Walsh 2.4.5-1 +- Move to upstream version which 
accepted my patches + +* Wed Nov 15 2006 Dan Walsh 2.4.4-2 +- Fixes for nvidia driver + +* Tue Nov 14 2006 Dan Walsh 2.4.4-2 +- Allow semanage to signal mcstrans + +* Tue Nov 14 2006 Dan Walsh 2.4.4-1 +- Update to upstream + +* Mon Nov 13 2006 Dan Walsh 2.4.3-13 +- Allow modstorage to edit /etc/fstab file + +* Mon Nov 13 2006 Dan Walsh 2.4.3-12 +- Fix for qemu, /dev/ + +* Mon Nov 13 2006 Dan Walsh 2.4.3-11 +- Fix path to realplayer.bin + +* Fri Nov 10 2006 Dan Walsh 2.4.3-10 +- Allow xen to connect to xen port + +* Fri Nov 10 2006 Dan Walsh 2.4.3-9 +- Allow cups to search samba_etc_t directory +- Allow xend_t to list auto_mountpoints + +* Thu Nov 9 2006 Dan Walsh 2.4.3-8 +- Allow xen to search automount + +* Thu Nov 9 2006 Dan Walsh 2.4.3-7 +- Fix spec of jre files + +* Wed Nov 8 2006 Dan Walsh 2.4.3-6 +- Fix unconfined access to shadow file + +* Wed Nov 8 2006 Dan Walsh 2.4.3-5 +- Allow xend to create files in xen_image_t directories + +* Wed Nov 8 2006 Dan Walsh 2.4.3-4 +- Fixes for /var/lib/hal + +* Tue Nov 7 2006 Dan Walsh 2.4.3-3 +- Remove ability for sysadm_t to look at audit.log + +* Tue Nov 7 2006 Dan Walsh 2.4.3-2 +- Fix rpc_port_types +- Add aide policy for mls + +* Mon Nov 6 2006 Dan Walsh 2.4.3-1 +- Merge with upstream + +* Fri Nov 3 2006 Dan Walsh 2.4.2-8 +- Lots of fixes for ricci + +* Fri Nov 3 2006 Dan Walsh 2.4.2-7 +- Allow xen to read/write fixed devices with a boolean +- Allow apache to search /var/log + +* Thu Nov 2 2006 James Antill 2.4.2-6 +- Fix policygentool specfile problem. +- Allow apache to send signals to it's logging helpers. 
+- Resolves: rhbz#212731 + +* Wed Nov 1 2006 Dan Walsh 2.4.2-5 +- Add perms for swat + +* Tue Oct 31 2006 Dan Walsh 2.4.2-4 +- Add perms for swat + +* Mon Oct 30 2006 Dan Walsh 2.4.2-3 +- Allow daemons to dump core files to / + +* Fri Oct 27 2006 Dan Walsh 2.4.2-2 +- Fixes for ricci + +* Fri Oct 27 2006 Dan Walsh 2.4.2-1 +- Allow mount.nfs to work + +* Fri Oct 27 2006 Dan Walsh 2.4.1-5 +- Allow ricci-modstorage to look at lvm_etc_t + +* Mon Oct 23 2006 Dan Walsh 2.4.1-4 +- Fixes for ricci using saslauthd + +* Mon Oct 23 2006 Dan Walsh 2.4.1-3 +- Allow mountpoint on home_dir_t and home_t + +* Mon Oct 23 2006 Dan Walsh 2.4.1-2 +- Update xen to read nfs files + +* Mon Oct 23 2006 Dan Walsh 2.4-4 +- Allow noxattrfs to associate with other noxattrfs + +* Mon Oct 23 2006 Dan Walsh 2.4-3 +- Allow hal to use power_device_t + +* Fri Oct 20 2006 Dan Walsh 2.4-2 +- Allow procemail to look at autofs_t +- Allow xen_image_t to work as a fixed device + +* Thu Oct 19 2006 Dan Walsh 2.4-1 +- Refupdate from upstream + +* Thu Oct 19 2006 Dan Walsh 2.3.19-4 +- Add lots of fixes for mls cups + +* Wed Oct 18 2006 Dan Walsh 2.3.19-3 +- Lots of fixes for ricci + +* Mon Oct 16 2006 Dan Walsh 2.3.19-2 +- Fix number of cats + +* Mon Oct 16 2006 Dan Walsh 2.3.19-1 +- Update to upstream + +* Thu Oct 12 2006 James Antill 2.3.18-10 +- More iSCSI changes for #209854 + +* Tue Oct 10 2006 James Antill 2.3.18-9 +- Test ISCSI fixes for #209854 + +* Sun Oct 8 2006 Dan Walsh 2.3.18-8 +- allow semodule to rmdir selinux_config_t dir + +* Fri Oct 6 2006 Dan Walsh 2.3.18-7 +- Fix boot_runtime_t problem on ppc. Should not be creating these files. 
+ +* Thu Oct 5 2006 Dan Walsh 2.3.18-6 +- Fix context mounts on reboot +- Fix ccs creation of directory in /var/log + +* Thu Oct 5 2006 Dan Walsh 2.3.18-5 +- Update for tallylog + +* Thu Oct 5 2006 Dan Walsh 2.3.18-4 +- Allow xend to rewrite dhcp conf files +- Allow mgetty sys_admin capability + +* Wed Oct 4 2006 Dan Walsh 2.3.18-3 +- Make xentapctrl work + +* Tue Oct 3 2006 Dan Walsh 2.3.18-2 +- Don't transition unconfined_t to bootloader_t +- Fix label in /dev/xen/blktap + +* Tue Oct 3 2006 Dan Walsh 2.3.18-1 +- Patch for labeled networking + +* Mon Oct 2 2006 Dan Walsh 2.3.17-2 +- Fix crond handling for mls + +* Fri Sep 29 2006 Dan Walsh 2.3.17-1 +- Update to upstream + +* Fri Sep 29 2006 Dan Walsh 2.3.16-9 +- Remove bluetooth-helper transition +- Add selinux_validate for semanage +- Require new version of libsemanage + +* Fri Sep 29 2006 Dan Walsh 2.3.16-8 +- Fix prelink + +* Fri Sep 29 2006 Dan Walsh 2.3.16-7 +- Fix rhgb + +* Thu Sep 28 2006 Dan Walsh 2.3.16-6 +- Fix setrans handling on MLS and useradd + +* Wed Sep 27 2006 Dan Walsh 2.3.16-5 +- Support for fuse +- fix vigr + +* Wed Sep 27 2006 Dan Walsh 2.3.16-4 +- Fix dovecot, amanda +- Fix mls + +* Mon Sep 25 2006 Dan Walsh 2.3.16-2 +- Allow java execheap for itanium + +* Mon Sep 25 2006 Dan Walsh 2.3.16-1 +- Update with upstream + +* Mon Sep 25 2006 Dan Walsh 2.3.15-2 +- mls fixes + +* Fri Sep 22 2006 Dan Walsh 2.3.15-1 +- Update from upstream + +* Fri Sep 22 2006 Dan Walsh 2.3.14-8 +- More fixes for mls +- Revert change on automount transition to mount + +* Wed Sep 20 2006 Dan Walsh 2.3.14-7 +- Fix cron jobs to run under the correct context + +* Tue Sep 19 2006 Dan Walsh 2.3.14-6 +- Fixes to make pppd work + +* Mon Sep 18 2006 Dan Walsh 2.3.14-4 +- Multiple policy fixes +- Change max categories to 1023 + +* Sat Sep 16 2006 Dan Walsh 2.3.14-3 +- Fix transition on mcstransd + +* Fri Sep 15 2006 Dan Walsh 2.3.14-2 +- Add /dev/em8300 defs + +* Fri Sep 15 2006 Dan Walsh 2.3.14-1 +- Upgrade to upstream + +* Thu 
Sep 14 2006 Dan Walsh 2.3.13-6 +- Fix ppp connections from network manager + +* Wed Sep 13 2006 Dan Walsh 2.3.13-5 +- Add tty access to all domains boolean +- Fix gnome-pty-helper context for ia64 + +* Mon Sep 11 2006 Dan Walsh 2.3.13-4 +- Fixed typealias of firstboot_rw_t + +* Thu Sep 7 2006 Dan Walsh 2.3.13-3 +- Fix location of xel log files +- Fix handling of sysadm_r -> rpm_exec_t + +* Thu Sep 7 2006 Dan Walsh 2.3.13-2 +- Fixes for autofs, lp + +* Wed Sep 6 2006 Dan Walsh 2.3.13-1 +- Update from upstream + +* Tue Sep 5 2006 Dan Walsh 2.3.12-2 +- Fixup for test6 + +* Tue Sep 5 2006 Dan Walsh 2.3.12-1 +- Update to upstream + +* Fri Sep 1 2006 Dan Walsh 2.3.11-1 +- Update to upstream + +* Fri Sep 1 2006 Dan Walsh 2.3.10-7 +- Fix suspend to disk problems + +* Thu Aug 31 2006 Dan Walsh 2.3.10-6 +- Lots of fixes for restarting daemons at the console. + +* Wed Aug 30 2006 Dan Walsh 2.3.10-3 +- Fix audit line +- Fix requires line + +* Tue Aug 29 2006 Dan Walsh 2.3.10-1 +- Upgrade to upstream + +* Mon Aug 28 2006 Dan Walsh 2.3.9-6 +- Fix install problems + +* Fri Aug 25 2006 Dan Walsh 2.3.9-5 +- Allow setroubleshoot to getattr on all dirs to gather RPM data + +* Thu Aug 24 2006 Dan Walsh 2.3.9-4 +- Set /usr/lib/ia32el/ia32x_loader to unconfined_execmem_exec_t for ia32 platform +- Fix spec for /dev/adsp + +* Thu Aug 24 2006 Dan Walsh 2.3.9-3 +- Fix xen tty devices + +* Thu Aug 24 2006 Dan Walsh 2.3.9-2 +- Fixes for setroubleshoot + +* Wed Aug 23 2006 Dan Walsh 2.3.9-1 +- Update to upstream + +* Tue Aug 22 2006 Dan Walsh 2.3.8-2 +- Fixes for stunnel and postgresql +- Update from upstream + +* Sat Aug 12 2006 Dan Walsh 2.3.7-1 +- Update from upstream +- More java fixes + +* Fri Aug 11 2006 Dan Walsh 2.3.6-4 +- Change allow_execstack to default to on, for RHEL5 Beta. + This is required because of a Java compiler problem. 
+ Hope to turn off for next beta + +* Thu Aug 10 2006 Dan Walsh 2.3.6-3 +- Misc fixes + +* Wed Aug 9 2006 Dan Walsh 2.3.6-2 +- More fixes for strict policy + +* Tue Aug 8 2006 Dan Walsh 2.3.6-1 +- Quiet down anaconda audit messages + +* Mon Aug 7 2006 Dan Walsh 2.3.5-1 +- Fix setroubleshootd + +* Thu Aug 3 2006 Dan Walsh 2.3.4-1 +- Update to the latest from upstream + +* Thu Aug 3 2006 Dan Walsh 2.3.3-20 +- More fixes for xen + +* Thu Aug 3 2006 Dan Walsh 2.3.3-19 +- Fix anaconda transitions + +* Wed Aug 2 2006 Dan Walsh 2.3.3-18 +- yet more xen rules + +* Tue Aug 1 2006 Dan Walsh 2.3.3-17 +- more xen rules + +* Mon Jul 31 2006 Dan Walsh 2.3.3-16 +- Fixes for Samba + +* Sat Jul 29 2006 Dan Walsh 2.3.3-15 +- Fixes for xen + +* Fri Jul 28 2006 Dan Walsh 2.3.3-14 +- Allow setroubleshootd to send mail + +* Wed Jul 26 2006 Dan Walsh 2.3.3-13 +- Add nagios policy + +* Wed Jul 26 2006 Dan Walsh 2.3.3-12 +- fixes for setroubleshoot + +* Wed Jul 26 2006 Dan Walsh 2.3.3-11 +- Added Paul Howarth patch to only load policy packages shipped + with this package +- Allow pidof from initrc to ptrace higher level domains +- Allow firstboot to communicate with hal via dbus + +* Mon Jul 24 2006 Dan Walsh 2.3.3-10 +- Add policy for /var/run/ldapi + +* Sat Jul 22 2006 Dan Walsh 2.3.3-9 +- Fix setroubleshoot policy + +* Fri Jul 21 2006 Dan Walsh 2.3.3-8 +- Fixes for mls use of ssh +- named has a new conf file + +* Fri Jul 21 2006 Dan Walsh 2.3.3-7 +- Fixes to make setroubleshoot work + +* Wed Jul 19 2006 Dan Walsh 2.3.3-6 +- Cups needs to be able to read domain state off of printer client + +* Wed Jul 19 2006 Dan Walsh 2.3.3-5 +- add boolean to allow zebra to write config files + +* Tue Jul 18 2006 Dan Walsh 2.3.3-4 +- setroubleshootd fixes + +* Mon Jul 17 2006 Dan Walsh 2.3.3-3 +- Allow prelink to read bin_t symlink +- allow xfs to read random devices +- Change gfs to support xattr + +* Mon Jul 17 2006 Dan Walsh 2.3.3-2 +- Remove spamassassin_can_network boolean + +* Fri Jul 14 2006 Dan 
Walsh 2.3.3-1 +- Update to upstream +- Fix lpr domain for mls + +* Fri Jul 14 2006 Dan Walsh 2.3.2-4 +- Add setroubleshoot policy + +* Fri Jul 7 2006 Dan Walsh 2.3.2-3 +- Turn off auditallow on setting booleans + +* Fri Jul 7 2006 Dan Walsh 2.3.2-2 +- Multiple fixes + +* Fri Jul 7 2006 Dan Walsh 2.3.2-1 +- Update to upstream + +* Thu Jun 22 2006 Dan Walsh 2.3.1-1 +- Update to upstream +- Add new class for kernel key ring + +* Wed Jun 21 2006 Dan Walsh 2.2.49-1 +- Update to upstream + +* Tue Jun 20 2006 Dan Walsh 2.2.48-1 +- Update to upstream + +* Tue Jun 20 2006 Dan Walsh 2.2.47-5 +- Break out selinux-devel package + +* Fri Jun 16 2006 Dan Walsh 2.2.47-4 +- Add ibmasmfs + +* Thu Jun 15 2006 Dan Walsh 2.2.47-3 +- Fix policygentool gen_requires + +* Tue Jun 13 2006 Dan Walsh 2.2.47-1 +- Update from Upstream + +* Tue Jun 13 2006 Dan Walsh 2.2.46-2 +- Fix spec of realplay + +* Tue Jun 13 2006 Dan Walsh 2.2.46-1 +- Update to upstream + +* Mon Jun 12 2006 Dan Walsh 2.2.45-3 +- Fix semanage + +* Mon Jun 12 2006 Dan Walsh 2.2.45-2 +- Allow useradd to create_home_dir in MLS environment + +* Thu Jun 8 2006 Dan Walsh 2.2.45-1 +- Update from upstream + +* Tue Jun 6 2006 Dan Walsh 2.2.44-1 +- Update from upstream + +* Tue Jun 6 2006 Dan Walsh 2.2.43-4 +- Add oprofilefs + +* Sun May 28 2006 Dan Walsh 2.2.43-3 +- Fix for hplip and Picasus + +* Sat May 27 2006 Dan Walsh 2.2.43-2 +- Update to upstream + +* Fri May 26 2006 Dan Walsh 2.2.43-1 +- Update to upstream + +* Fri May 26 2006 Dan Walsh 2.2.42-4 +- fixes for spamd + +* Wed May 24 2006 Dan Walsh 2.2.42-3 +- fixes for java, openldap and webalizer + +* Mon May 22 2006 Dan Walsh 2.2.42-2 +- Xen fixes + +* Thu May 18 2006 Dan Walsh 2.2.42-1 +- Upgrade to upstream + +* Thu May 18 2006 Dan Walsh 2.2.41-1 +- allow hal to read boot_t files +- Upgrade to upstream + +* Wed May 17 2006 Dan Walsh 2.2.40-2 +- allow hal to read boot_t files + +* Tue May 16 2006 Dan Walsh 2.2.40-1 +- Update from upstream + +* Mon May 15 2006 Dan Walsh 
2.2.39-2 +- Fixes for amavis + +* Mon May 15 2006 Dan Walsh 2.2.39-1 +- Update from upstream + +* Fri May 12 2006 Dan Walsh 2.2.38-6 +- Allow auditctl to search all directories + +* Thu May 11 2006 Dan Walsh 2.2.38-5 +- Add acquire service for mono. + +* Thu May 11 2006 Dan Walsh 2.2.38-4 +- Turn off allow_execmem boolean +- Allow ftp dac_override when allowed to access users homedirs + +* Wed May 10 2006 Dan Walsh 2.2.38-3 +- Clean up spec file +- Transition from unconfined_t to prelink_t + +* Mon May 8 2006 Dan Walsh 2.2.38-2 +- Allow execution of cvs command + +* Fri May 5 2006 Dan Walsh 2.2.38-1 +- Update to upstream + +* Wed May 3 2006 Dan Walsh 2.2.37-1 +- Update to upstream + +* Mon May 1 2006 Dan Walsh 2.2.36-2 +- Fix libjvm spec + +* Tue Apr 25 2006 Dan Walsh 2.2.36-1 +- Update to upstream + +* Tue Apr 25 2006 James Antill 2.2.35-2 +- Add xm policy +- Fix policygentool + +* Mon Apr 24 2006 Dan Walsh 2.2.35-1 +- Update to upstream +- Fix postun to only disable selinux on full removal of the packages + +* Fri Apr 21 2006 Dan Walsh 2.2.34-3 +- Allow mono to chat with unconfined + +* Thu Apr 20 2006 Dan Walsh 2.2.34-2 +- Allow procmail to sendmail +- Allow nfs to share dosfs + +* Thu Apr 20 2006 Dan Walsh 2.2.34-1 +- Update to latest from upstream +- Allow selinux-policy to be removed and kernel not to crash + +* Tue Apr 18 2006 Dan Walsh 2.2.33-1 +- Update to latest from upstream +- Add James Antill patch for xen +- Many fixes for pegasus + +* Sat Apr 15 2006 Dan Walsh 2.2.32-2 +- Add unconfined_mount_t +- Allow privoxy to connect to httpd_cache +- fix cups labeleing on /var/cache/cups + +* Fri Apr 14 2006 Dan Walsh 2.2.32-1 +- Update to latest from upstream + +* Fri Apr 14 2006 Dan Walsh 2.2.31-1 +- Update to latest from upstream +- Allow mono and unconfined to talk to initrc_t dbus objects + +* Tue Apr 11 2006 Dan Walsh 2.2.30-2 +- Change libraries.fc to stop shlib_t form overriding texrel_shlib_t + +* Tue Apr 11 2006 Dan Walsh 2.2.30-1 +- Fix samba 
creating dirs in homedir +- Fix NFS so its booleans would work + +* Mon Apr 10 2006 Dan Walsh 2.2.29-6 +- Allow secadm_t ability to relabel all files +- Allow ftp to search xferlog_t directories +- Allow mysql to communicate with ldap +- Allow rsync to bind to rsync_port_t + +* Mon Apr 10 2006 Russell Coker 2.2.29-5 +- Fixed mailman with Postfix #183928 +- Allowed semanage to create file_context files. +- Allowed amanda_t to access inetd_t TCP sockets and allowed amanda_recover_t + to bind to reserved ports. #149030 +- Don't allow devpts_t to be associated with tmp_t. +- Allow hald_t to stat all mountpoints. +- Added boolean samba_share_nfs to allow smbd_t full access to NFS mounts. + #169947 +- Make mount run in mount_t domain from unconfined_t to prevent mislabeling of + /etc/mtab. +- Changed the file_contexts to not have a regex before the first ^/[a-z]/ + whenever possible, makes restorecon slightly faster. +- Correct the label of /etc/named.caching-nameserver.conf +- Now label /usr/src/kernels/.+/lib(/.*)? as usr_t instead of + /usr/src(/.*)?/lib(/.*)? - I don't think we need anything else under /usr/src + hit by this. +- Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed + xenstored_t rw access to the xen device node. 
+ +* Tue Apr 4 2006 Dan Walsh 2.2.29-4 +- More textrel_shlib_t file path fixes +- Add ada support + +* Mon Apr 3 2006 Dan Walsh 2.2.29-3 +- Get auditctl working in MLS policy + +* Mon Apr 3 2006 Dan Walsh 2.2.29-2 +- Add mono dbus support +- Lots of file_context fixes for textrel_shlib_t in FC5 +- Turn off execmem auditallow since they are filling log files + +* Fri Mar 31 2006 Dan Walsh 2.2.29-1 +- Update to upstream + +* Thu Mar 30 2006 Dan Walsh 2.2.28-3 +- Allow automount and dbus to read cert files + +* Thu Mar 30 2006 Dan Walsh 2.2.28-2 +- Fix ftp policy +- Fix secadm running of auditctl + +* Mon Mar 27 2006 Dan Walsh 2.2.28-1 +- Update to upstream + +* Wed Mar 22 2006 Dan Walsh 2.2.27-1 +- Update to upstream + +* Wed Mar 22 2006 Dan Walsh 2.2.25-3 +- Fix policyhelp + +* Wed Mar 22 2006 Dan Walsh 2.2.25-2 +- Fix pam_console handling of usb_device +- dontaudit logwatch reading /mnt dir + +* Fri Mar 17 2006 Dan Walsh 2.2.24-1 +- Update to upstream + +* Wed Mar 15 2006 Dan Walsh 2.2.23-19 +- Get transition rules to create policy.20 at SystemHigh + +* Tue Mar 14 2006 Dan Walsh 2.2.23-18 +- Allow secadmin to shutdown system +- Allow sendmail to exec newalias + +* Tue Mar 14 2006 Dan Walsh 2.2.23-17 +- MLS Fixes + dmidecode needs mls_file_read_up +- add ypxfr_t +- run init needs access to nscd +- udev needs setuid +- another xen log file +- Dontaudit mount getattr proc_kcore_t + +* Tue Mar 14 2006 Karsten Hopp 2.2.23-16 +- fix buildroot usage (#185391) + +* Thu Mar 9 2006 Dan Walsh 2.2.23-15 +- Get rid of mount/fsdisk scan of /dev messages +- Additional fixes for suspend/resume + +* Thu Mar 9 2006 Dan Walsh 2.2.23-14 +- Fake make to rebuild enableaudit.pp + +* Thu Mar 9 2006 Dan Walsh 2.2.23-13 +- Get xen networking running. 
+ +* Thu Mar 9 2006 Dan Walsh 2.2.23-12 +- Fixes for Xen +- enableaudit should not be the same as base.pp +- Allow ps to work for all process + +* Thu Mar 9 2006 Jeremy Katz - 2.2.23-11 +- more xen policy fixups + +* Wed Mar 8 2006 Jeremy Katz - 2.2.23-10 +- more xen fixage (#184393) + +* Wed Mar 8 2006 Dan Walsh 2.2.23-9 +- Fix blkid specification +- Allow postfix to execute mailman_que + +* Wed Mar 8 2006 Dan Walsh 2.2.23-8 +- Blkid changes +- Allow udev access to usb_device_t +- Fix post script to create targeted policy config file + +* Wed Mar 8 2006 Dan Walsh 2.2.23-7 +- Allow lvm tools to create drevice dir + +* Tue Mar 7 2006 Dan Walsh 2.2.23-5 +- Add Xen support + +* Mon Mar 6 2006 Dan Walsh 2.2.23-4 +- Fixes for cups +- Make cryptosetup work with hal + +* Sun Mar 5 2006 Dan Walsh 2.2.23-3 +- Load Policy needs translock + +* Sat Mar 4 2006 Dan Walsh 2.2.23-2 +- Fix cups html interface + +* Sat Mar 4 2006 Dan Walsh 2.2.23-1 +- Add hal changes suggested by Jeremy +- add policyhelp to point at policy html pages + +* Mon Feb 27 2006 Dan Walsh 2.2.22-2 +- Additional fixes for nvidia and cups + +* Mon Feb 27 2006 Dan Walsh 2.2.22-1 +- Update to upstream +- Merged my latest fixes +- Fix cups policy to handle unix domain sockets + +* Sat Feb 25 2006 Dan Walsh 2.2.21-9 +- NSCD socket is in nscd_var_run_t needs to be able to search dir + +* Fri Feb 24 2006 Dan Walsh 2.2.21-8 +- Fixes Apache interface file + +* Fri Feb 24 2006 Dan Walsh 2.2.21-7 +- Fixes for new version of cups + +* Fri Feb 24 2006 Dan Walsh 2.2.21-6 +- Turn off polyinstatiate util after FC5 + +* Fri Feb 24 2006 Dan Walsh 2.2.21-5 +- Fix problem with privoxy talking to Tor + +* Thu Feb 23 2006 Dan Walsh 2.2.21-4 +- Turn on polyinstatiation + +* Thu Feb 23 2006 Dan Walsh 2.2.21-3 +- Don't transition from unconfined_t to fsadm_t + +* Thu Feb 23 2006 Dan Walsh 2.2.21-2 +- Fix policy update model. 
+ +* Thu Feb 23 2006 Dan Walsh 2.2.21-1 +- Update to upstream + +* Wed Feb 22 2006 Dan Walsh 2.2.20-1 +- Fix load_policy to work on MLS +- Fix cron_rw_system_pipes for postfix_postdrop_t +- Allow audotmount to run showmount + +* Tue Feb 21 2006 Dan Walsh 2.2.19-2 +- Fix swapon +- allow httpd_sys_script_t to be entered via a shell +- Allow httpd_sys_script_t to read eventpolfs + +* Tue Feb 21 2006 Dan Walsh 2.2.19-1 +- Update from upstream + +* Tue Feb 21 2006 Dan Walsh 2.2.18-2 +- allow cron to read apache files + +* Tue Feb 21 2006 Dan Walsh 2.2.18-1 +- Fix vpnc policy to work from NetworkManager + +* Mon Feb 20 2006 Dan Walsh 2.2.17-2 +- Update to upstream +- Fix semoudle polcy + +* Thu Feb 16 2006 Dan Walsh 2.2.16-1 +- Update to upstream +- fix sysconfig/selinux link + +* Wed Feb 15 2006 Dan Walsh 2.2.15-4 +- Add router port for zebra +- Add imaze port for spamd +- Fixes for amanda and java + +* Tue Feb 14 2006 Dan Walsh 2.2.15-3 +- Fix bluetooth handling of usb devices +- Fix spamd reading of ~/ +- fix nvidia spec + +* Tue Feb 14 2006 Dan Walsh 2.2.15-1 +- Update to upsteam + +* Mon Feb 13 2006 Dan Walsh 2.2.14-2 +- Add users_extra files + +* Fri Feb 10 2006 Dan Walsh 2.2.14-1 +- Update to upstream + +* Fri Feb 10 2006 Dan Walsh 2.2.13-1 +- Add semodule policy + +* Tue Feb 7 2006 Dan Walsh 2.2.12-1 +- Update from upstream + +* Mon Feb 6 2006 Dan Walsh 2.2.11-2 +- Fix for spamd to use razor port + +* Fri Feb 3 2006 Dan Walsh 2.2.11-1 +- Fixes for mcs +- Turn on mount and fsadm for unconfined_t + +* Wed Feb 1 2006 Dan Walsh 2.2.10-1 +- Fixes for the -devel package + +* Wed Feb 1 2006 Dan Walsh 2.2.9-2 +- Fix for spamd to use ldap + +* Fri Jan 27 2006 Dan Walsh 2.2.9-1 +- Update to upstream + +* Fri Jan 27 2006 Dan Walsh 2.2.8-2 +- Update to upstream +- Fix rhgb, and other Xorg startups + +* Thu Jan 26 2006 Dan Walsh 2.2.7-1 +- Update to upstream + +* Thu Jan 26 2006 Dan Walsh 2.2.6-3 +- Separate out role of secadm for mls + +* Thu Jan 26 2006 Dan Walsh 2.2.6-2 +- 
Add inotifyfs handling + +* Thu Jan 26 2006 Dan Walsh 2.2.6-1 +- Update to upstream +- Put back in changes for pup/zen + +* Tue Jan 24 2006 Dan Walsh 2.2.5-1 +- Many changes for MLS +- Turn on strict policy + +* Mon Jan 23 2006 Dan Walsh 2.2.4-1 +- Update to upstream + +* Wed Jan 18 2006 Dan Walsh 2.2.3-1 +- Update to upstream +- Fixes for booting and logging in on MLS machine + +* Wed Jan 18 2006 Dan Walsh 2.2.2-1 +- Update to upstream +- Turn off execheap execstack for unconfined users +- Add mono/wine policy to allow execheap and execstack for them +- Add execheap for Xdm policy + +* Wed Jan 18 2006 Dan Walsh 2.2.1-1 +- Update to upstream +- Fixes to fetchmail, + +* Tue Jan 17 2006 Dan Walsh 2.1.13-1 +- Update to upstream + +* Tue Jan 17 2006 Dan Walsh 2.1.12-3 +- Fix for procmail/spamassasin +- Update to upstream +- Add rules to allow rpcd to work with unlabeled_networks. + +* Sat Jan 14 2006 Dan Walsh 2.1.11-1 +- Update to upstream +- Fix ftp Man page + +* Fri Jan 13 2006 Dan Walsh 2.1.10-1 +- Update to upstream + +* Wed Jan 11 2006 Jeremy Katz - 2.1.9-2 +- fix pup transitions (#177262) +- fix xen disks (#177599) + +* Tue Jan 10 2006 Dan Walsh 2.1.9-1 +- Update to upstream + +* Tue Jan 10 2006 Dan Walsh 2.1.8-3 +- More Fixes for hal and readahead + +* Mon Jan 9 2006 Dan Walsh 2.1.8-2 +- Fixes for hal and readahead + +* Mon Jan 9 2006 Dan Walsh 2.1.8-1 +- Update to upstream +- Apply + +* Fri Jan 6 2006 Dan Walsh 2.1.7-4 +- Add wine and fix hal problems + +* Thu Jan 5 2006 Dan Walsh 2.1.7-3 +- Handle new location of hal scripts + +* Thu Jan 5 2006 Dan Walsh 2.1.7-2 +- Allow su to read /etc/mtab + +* Wed Jan 4 2006 Dan Walsh 2.1.7-1 +- Update to upstream + +* Tue Jan 3 2006 Dan Walsh 2.1.6-24 +- Fix "libsemanage.parse_module_headers: Data did not represent a module." 
problem + +* Tue Jan 3 2006 Dan Walsh 2.1.6-23 +- Allow load_policy to read /etc/mtab + +* Mon Jan 2 2006 Dan Walsh 2.1.6-22 +- Fix dovecot to allow dovecot_auth to look at /tmp + +* Mon Jan 2 2006 Dan Walsh 2.1.6-21 +- Allow restorecon to read unlabeled_t directories in order to fix labeling. + +* Fri Dec 30 2005 Dan Walsh 2.1.6-20 +- Add Logwatch policy + +* Wed Dec 28 2005 Dan Walsh 2.1.6-18 +- Fix /dev/ub[a-z] file context + +* Tue Dec 27 2005 Dan Walsh 2.1.6-17 +- Fix library specification +- Give kudzu execmem privs + +* Thu Dec 22 2005 Dan Walsh 2.1.6-16 +- Fix hostname in targeted policy + +* Wed Dec 21 2005 Dan Walsh 2.1.6-15 +- Fix passwd command on mls + +* Wed Dec 21 2005 Dan Walsh 2.1.6-14 +- Lots of fixes to make mls policy work + +* Tue Dec 20 2005 Dan Walsh 2.1.6-13 +- Add dri libs to textrel_shlib_t +- Add system_r role for java +- Add unconfined_exec_t for vncserver +- Allow slapd to use kerberos + +* Mon Dec 19 2005 Dan Walsh 2.1.6-11 +- Add man pages + +* Fri Dec 16 2005 Dan Walsh 2.1.6-10 +- Add enableaudit.pp + +* Fri Dec 16 2005 Dan Walsh 2.1.6-9 +- Fix mls policy + +* Fri Dec 16 2005 Dan Walsh 2.1.6-8 +- Update mls file from old version + +* Thu Dec 15 2005 Dan Walsh 2.1.6-5 +- Add sids back in +- Rebuild with update checkpolicy + +* Thu Dec 15 2005 Dan Walsh 2.1.6-4 +- Fixes to allow automount to use portmap +- Fixes to start kernel in s0-s15:c0.c255 + +* Wed Dec 14 2005 Dan Walsh 2.1.6-3 +- Add java unconfined/execmem policy + +* Wed Dec 14 2005 Dan Walsh 2.1.6-2 +- Add file context for /var/cvs +- Dontaudit webalizer search of homedir + +* Tue Dec 13 2005 Dan Walsh 2.1.6-1 +- Update from upstream + +* Tue Dec 13 2005 Dan Walsh 2.1.4-2 +- Clean up spec +- range_transition crond to SystemHigh + +* Mon Dec 12 2005 Dan Walsh 2.1.4-1 +- Fixes for hal +- Update to upstream + +* Mon Dec 12 2005 Dan Walsh 2.1.3-1 +- Turn back on execmem since we need it for java, firefox, ooffice +- Allow gpm to stream socket to itself + +* Mon Dec 12 2005 Jeremy 
Katz - 2.1.2-3 +- fix requirements to be on the actual packages so that policy can get + created properly at install time + +* Sun Dec 11 2005 Dan Walsh 2.1.2-2 +- Allow unconfined_t to execmod texrel_shlib_t + +* Sat Dec 10 2005 Dan Walsh 2.1.2-1 +- Update to upstream +- Turn off allow_execmem and allow_execmod booleans +- Add tcpd and automount policies + +* Fri Dec 9 2005 Dan Walsh 2.1.1-3 +- Add two new httpd booleans, turned off by default + * httpd_can_network_relay + * httpd_can_network_connect_db + +* Fri Dec 9 2005 Dan Walsh 2.1.1-2 +- Add ghost for policy.20 + +* Thu Dec 8 2005 Dan Walsh 2.1.1-1 +- Update to upstream +- Turn off boolean allow_execstack + +* Thu Dec 8 2005 Dan Walsh 2.1.0-3 +- Change setrans-mls to use new libsetrans +- Add default_context rule for xdm + +* Thu Dec 8 2005 Dan Walsh 2.1.0-2. +- Change Requires to PreReg for requiring of policycoreutils on install + +* Wed Dec 7 2005 Dan Walsh 2.1.0-1. +- New upstream release + +* Wed Dec 7 2005 Dan Walsh 2.0.11-2. +Add xdm policy + +* Tue Dec 6 2005 Dan Walsh 2.0.11-1. +Update from upstream + +* Fri Dec 2 2005 Dan Walsh 2.0.9-1. +Update from upstream + +* Fri Dec 2 2005 Dan Walsh 2.0.8-1. +Update from upstream + +* Fri Dec 2 2005 Dan Walsh 2.0.7-3 +- Also trigger to rebuild policy for versions up to 2.0.7. + +* Tue Nov 29 2005 Dan Walsh 2.0.7-2 +- No longer installing policy.20 file, anaconda handles the building of the app. 
+
+* Tue Nov 29 2005 Dan Walsh 2.0.6-2
+- Fixes for dovecot and saslauthd
+
+* Wed Nov 23 2005 Dan Walsh 2.0.5-4
+- Cleanup pegasus and named
+- Fix spec file
+- Fix up passwd changing applications
+
+* Tue Nov 22 2005 Dan Walsh 2.0.5-1
+-Update to latest from upstream
+
+* Tue Nov 22 2005 Dan Walsh 2.0.4-1
+- Add rules for pegasus and avahi
+
+* Mon Nov 21 2005 Dan Walsh 2.0.2-2
+- Start building MLS Policy
+
+* Fri Nov 18 2005 Dan Walsh 2.0.2-1
+- Update to upstream
+
+* Wed Nov 9 2005 Dan Walsh 2.0.1-2
+- Turn on bash
+
+* Wed Nov 9 2005 Dan Walsh 2.0.1-1
+- Initial version
diff --git a/SPECS/setools/setools.signatures.json b/SPECS/setools/setools.signatures.json
new file mode 100644
index 0000000000..b85d94944a
--- /dev/null
+++ b/SPECS/setools/setools.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "setools-4.4.0.tar.bz2": "f3786677e40b7f16a226f48f233dcf835e700739614a7dbed2ff61cc9607814e"
+ }
+}
diff --git a/SPECS/setools/setools.spec b/SPECS/setools/setools.spec
new file mode 100644
index 0000000000..e60b24c0d6
--- /dev/null
+++ b/SPECS/setools/setools.spec
@@ -0,0 +1,192 @@ +%global libselinux_ver 3.2-1 +%global libsepol_ver 3.2-1 +Summary: Policy analysis tools for SELinux +Name: setools +Version: 4.4.0 +Release: 1%{?dist} +# binaries are GPL and libraries are LGPL. See COPYING. +License: GPLv2 AND LGPLv2+ +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/SELinuxProject/setools +Source0: https://github.com/SELinuxProject/setools/releases/download/%{version}/%{name}-%{version}.tar.bz2 +BuildRequires: bison +BuildRequires: flex +BuildRequires: gcc +BuildRequires: git +BuildRequires: glibc-devel +BuildRequires: libselinux-devel >= %{libselinux_ver} +BuildRequires: libsepol-devel >= %{libsepol_ver} +BuildRequires: python3-Cython +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-xml +BuildRequires: qt5-qtbase-devel +BuildRequires: swig + +%description +SETools is a collection of graphical tools, command-line tools, and +Python modules designed to facilitate SELinux policy analysis. + +%package console +Summary: Policy analysis command-line tools for SELinux +License: GPLv2 +Requires: libselinux >= %{libselinux_ver} +Requires: %{name}-python3 = %{version}-%{release} + +%description console +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following console tools: + + sediff Compare two policies to find differences. + seinfo List policy components. + sesearch Search rules (allow, type_transition, etc.) + +%package python3 +Summary: Policy analysis tools for SELinux +License: GPLv2 AND LGPLv2+ +Requires: python3-setuptools +Recommends: libselinux-python3 +Provides: python3-%{name} = %{version}-%{release} +Obsoletes: %{name}-libs < 4.0.0 + +%description python3 +SETools is a collection of graphical tools, command-line tools, and +Python 3 modules designed to facilitate SELinux policy analysis. 
+ +%prep +%autosetup -n %{name} + +%build +%python3 setup.py build_ext +%python3 setup.py build + +%install +%py3_install + +# Remove unpackaged files. These are tools for which the dependencies +# are not yet available on mariner (python3-networkx) +rm -rf %{buildroot}%{_bindir}/sedta +rm -rf %{buildroot}%{_bindir}/seinfoflow +rm -rf %{buildroot}%{_mandir}/{,ru/}man1/sedta* +rm -rf %{buildroot}%{_mandir}/{,ru/}man1/seinfoflow* +rm -rf %{buildroot}%{_bindir}/apol +rm -rf %{buildroot}%{python3_sitearch}/setoolsgui +rm -rf %{buildroot}%{_mandir}/{,ru/}man1/apol* + +%files console +%license COPYING COPYING.GPL COPYING.LGPL +%{_bindir}/sechecker +%{_bindir}/sediff +%{_bindir}/seinfo +%{_bindir}/sesearch +%{_mandir}/man1/sechecker* +%{_mandir}/man1/sediff* +%{_mandir}/ru/man1/sediff* +%{_mandir}/man1/seinfo* +%{_mandir}/ru/man1/seinfo* +%{_mandir}/man1/sesearch* +%{_mandir}/ru/man1/sesearch* + +%files python3 +%license COPYING COPYING.GPL COPYING.LGPL +%{python3_sitearch}/setools +%{python3_sitearch}/setools-* + +%changelog +* Fri Aug 13 2021 Thomas Crain - 4.4.0-1 +- Upgrade to latest upstream +- Update version of libselinux/libsepol dependencies +- Add python3-setools provides to python3 subpackage +- Lint spec +- License verified + +* Tue Sep 01 2020 Daniel Burgener - 4.2.2-2 +- Initial CBL-Mariner import from Fedora 31 (license: MIT) +- License verified + +* Mon Jul 08 2019 Vit Mojzis - 4.2.2-1 +- SETools 4.2.2 release + +* Mon May 13 2019 Vit Mojzis - 4.2.1-3 +- Use %set_build_flags instead of %optflags + +* Mon May 06 2019 Vit Mojzis - 4.2.1-2 +- SELinuxPolicy: Create a map of aliases on policy load (#1672631) + +* Tue Mar 26 2019 Petr Lautrbach - 4.2.1-1 +- SETools 4.2.1 release (#1581761, #1595582) + +* Wed Nov 14 2018 Vit Mojzis - 4.2.0-1 +- Update source to SETools 4.2.0 release + +* Mon Oct 01 2018 Vit Mojzis - 4.2.0-0.3.rc +- Update upstream source to 4.2.0-rc + +* Wed Sep 19 2018 Vit Mojzis - 4.2.0-0.2.beta +- Require userspace release 2.8 +- setools-gui 
requires python3-setools +- Add Requires for python[23]-setuptools - no longer required (just recommended) by python[23] (#1623371) +- Drop python2 subpackage (4.2.0 no longer supports python2) + +* Wed Aug 29 2018 Vit Mojzis - 4.1.1-13 +- Add Requires for python[23]-setuptools - no longer required (just recommended) + by python[23] (#1623371) + +* Wed Aug 22 2018 Petr Lautrbach - 4.1.1-12.1 +- Fix SCTP patch - https://github.com/SELinuxProject/setools/issues/9 + +* Sat Jul 14 2018 Fedora Release Engineering - 4.1.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro HronÄok - 4.1.1-10 +- Rebuilt for Python 3.7 + +* Thu Jun 14 2018 Petr Lautrbach - 4.1.1-9 +- Move gui python files to -gui subpackage + +* Thu Apr 26 2018 Vit Mojzis - 4.1.1-8 +- Add support for SCTP protocol (#1568333) + +* Thu Apr 19 2018 Iryna Shcherbina - 4.1.1-7 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 4.1.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Sep 04 2017 Petr Lautrbach - 4.1.1-5 +- setools-python2 requires python2-enum34 + +* Sun Aug 20 2017 Zbigniew JÄ™drzejewski-Szmek - 4.1.1-4 +- Add Provides for the old name without %%_isa + +* Thu Aug 10 2017 Zbigniew JÄ™drzejewski-Szmek - 4.1.1-3 +- Python 2 binary package renamed to python2-setools + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 +- Python 3 binary package renamed to python3-setools + +* Thu Aug 10 2017 Petr Lautrbach - 4.1.1-2 +- bswap_* macros are defined in byteswap.h + +* Mon Aug 07 2017 Petr Lautrbach - 4.1.1-1 +- New upstream release + +* Thu Aug 03 2017 Fedora Release Engineering - 4.1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 4.1.0-4 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon May 22 2017 Petr Lautrbach - 4.1.0-3 +- setools-python{,3} packages should have a weak dependency on libselinux-python{,3} + (#1447747) + +* Thu Feb 23 2017 Petr Lautrbach - 4.1.0-2 +- Move python networkx dependency to -gui and -console-analyses +- Ship sedta and seinfoflow in setools-console-analyses + +* Wed Feb 15 2017 Petr Lautrbach - 4.1.0-1 +- New upstream release. diff --git a/SPECS/sg3_utils/sg3_utils.spec b/SPECS/sg3_utils/sg3_utils.spec index e910e79aac..25b4b83d8b 100644 --- a/SPECS/sg3_utils/sg3_utils.spec +++ b/SPECS/sg3_utils/sg3_utils.spec @@ -61,20 +61,20 @@ install -m 755 scripts/rescan-scsi-bus.sh %{buildroot}/%{_bindir} * Sat May 09 2020 Nick Samson - 1.44-2 - Added %%license line automatically -* Wed Mar 18 2020 Henry Beberman 1.44-1 -- Update to 1.44. Removed ctr patch (fixed upstream). Fix URL. Fix Source0 URL. License verified. +* Wed Mar 18 2020 Henry Beberman 1.44-1 +- Update to 1.44. Removed ctr patch (fixed upstream). Fix URL. Fix Source0 URL. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.43-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.43-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Alexey Makhalov 1.43-2 -- Fix compilation issue against glibc-2.28 +* Mon Sep 10 2018 Alexey Makhalov 1.43-2 +- Fix compilation issue against glibc-2.28 -* Tue Oct 03 2017 Vinay Kulkarni 1.43-1 -- Update to v1.43 +* Tue Oct 03 2017 Vinay Kulkarni 1.43-1 +- Update to v1.43 -* Tue May 24 2016 Priyesh Padmavilasom 1.42-2 -- GA - Bump release of all rpms +* Tue May 24 2016 Priyesh Padmavilasom 1.42-2 +- GA - Bump release of all rpms * Thu Apr 14 2016 Kumar Kaushik 1.42-1 - Initial build. First version diff --git a/SPECS/sgml-common/sgml-common.spec b/SPECS/sgml-common/sgml-common.spec index 7cd15083d4..c24558f933 100644 --- a/SPECS/sgml-common/sgml-common.spec +++ b/SPECS/sgml-common/sgml-common.spec 
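Review bot: The new setools spec has no `%check` section, so nothing exercises the built Python modules or the console tools before they are packaged. If the release tarball ships upstream's test suite (not visible in this hunk), add `%check` followed by `%python3 setup.py test`, or leave a one-line comment saying why tests are skipped. Separately, the imported changelog entry `- Use %set_build_flags instead of %optflags` carries unescaped macros. Other entries in the same changelog escape theirs as `%%_isa`, so these should read `%%set_build_flags` and `%%optflags`.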
@@ -12,7 +12,7 @@ BuildArch: noarch #page you could get complete ISO 8879 listing as was on the #old page - only part of it is included in sgml-common package. URL: http://www.w3.org/2003/entities/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: ftp://sources.redhat.com/pub/docbook-tools/new-trials/SOURCES/%{name}-%{version}.tgz # Following 4 from openjade/pubtext - same maintainer as in SGML-common, so up2date: @@ -68,15 +68,15 @@ done %configure %install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR="$RPM_BUILD_ROOT" htmldir='%{_datadir}/doc' INSTALL='install -p' -mkdir $RPM_BUILD_ROOT%{_sysconfdir}/xml -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sgml/docbook -mkdir -p $RPM_BUILD_ROOT%{_datadir}/sgml/docbook +rm -rf %{buildroot} +make install DESTDIR="%{buildroot}" htmldir='%{_datadir}/doc' INSTALL='install -p' +mkdir %{buildroot}%{_sysconfdir}/xml +mkdir -p %{buildroot}%{_sysconfdir}/sgml/docbook +mkdir -p %{buildroot}%{_datadir}/sgml/docbook # Touch SGML catalog -touch $RPM_BUILD_ROOT%{_sysconfdir}/sgml/catalog +touch %{buildroot}%{_sysconfdir}/sgml/catalog # Create an empty XML catalog. -XMLCATALOG=$RPM_BUILD_ROOT%{_sysconfdir}/xml/catalog +XMLCATALOG=%{buildroot}%{_sysconfdir}/xml/catalog %{_bindir}/xmlcatalog --noout --create $XMLCATALOG # ...and add xml.xsd in it for type in system uri ; do 
@@ -117,23 +117,23 @@ done # Also create the common DocBook catalog %{_bindir}/xmlcatalog --noout --create \ - $RPM_BUILD_ROOT%{_sysconfdir}/sgml/docbook/xmlcatalog + %{buildroot}%{_sysconfdir}/sgml/docbook/xmlcatalog ln -sf %{_sysconfdir}/sgml/docbook/xmlcatalog\ - $RPM_BUILD_ROOT%{_datadir}/sgml/docbook/xmlcatalog + %{buildroot}%{_datadir}/sgml/docbook/xmlcatalog -rm -f $RPM_BUILD_ROOT%{_datadir}/sgml/xml.dcl +rm -f %{buildroot}%{_datadir}/sgml/xml.dcl install -p -m0644 %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} \ - $RPM_BUILD_ROOT%{_datadir}/sgml -rm -rf $RPM_BUILD_ROOT%{_datadir}/xml/* + %{buildroot}%{_datadir}/sgml +rm -rf %{buildroot}%{_datadir}/xml/* install -p -m0644 %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} \ - $RPM_BUILD_ROOT%{_datadir}/xml -mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 -mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 -install -p -m0644 %{SOURCE9} $RPM_BUILD_ROOT%{_mandir}/man1 -install -p -m0644 %{SOURCE10} $RPM_BUILD_ROOT%{_mandir}/man5 + %{buildroot}%{_datadir}/xml +mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 +install -p -m0644 %{SOURCE9} %{buildroot}%{_mandir}/man1 +install -p -m0644 %{SOURCE10} %{buildroot}%{_mandir}/man5 # remove installed doc file and prepare installation with %%doc -rm $RPM_BUILD_ROOT%{_datadir}/doc/*.html +rm %{buildroot}%{_datadir}/doc/*.html rm -rf __dist_doc/html/ mkdir -p __dist_doc/html/ cp -p doc/HTML/*.html __dist_doc/html/ diff --git a/SPECS/shadow-utils/chkname-allowcase.patch b/SPECS/shadow-utils/chkname-allowcase.patch index 547c9d4c21..17c39b3f91 100644 --- a/SPECS/shadow-utils/chkname-allowcase.patch +++ b/SPECS/shadow-utils/chkname-allowcase.patch 
@@ -1,8 +1,8 @@ ---- a/libmisc/chkname.c 2014-05-08 01:43:11.000000000 -0700 -+++ b/libmisc/chkname.c 2017-04-27 11:47:16.789145415 -0700 -@@ -52,15 +52,17 @@ - * User/group names must match [a-z_][a-z0-9_-]*[$] +--- a/libmisc/chkname.c.orig 2021-08-13 16:07:31.746379418 -0500 ++++ b/libmisc/chkname.c 2021-08-13 16:08:17.156379789 -0500 +@@ -59,15 +59,17 @@ */ + if (('\0' == *name) || - !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { + !((('a' <= *name) && ('z' >= *name)) || ('_' == *name) || (('A' <= *name) && ('Z' >= *name)))) { diff --git a/SPECS/shadow-utils/libsubid-pam-link.patch b/SPECS/shadow-utils/libsubid-pam-link.patch new file mode 100644 index 0000000000..58d75f101c --- /dev/null +++ b/SPECS/shadow-utils/libsubid-pam-link.patch @@ -0,0 +1,25 @@ +From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao +Date: Fri, 23 Jul 2021 14:38:08 +0800 +Subject: [PATCH] libsubid: link to PAM libraries + +libsubid.so links to libmisc.a, which contains several routines referring to +PAM functions. +--- + libsubid/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index 189165b0..83051560 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -16,7 +16,8 @@ MISCLIBS = \ + $(LIBCRYPT) \ + $(LIBACL) \ + $(LIBATTR) \ +- $(LIBTCB) ++ $(LIBTCB) \ ++ $(LIBPAM) + + libsubid_la_LIBADD = \ + $(top_srcdir)/lib/libshadow.la \ diff --git a/SPECS/shadow-utils/login-defs b/SPECS/shadow-utils/login-defs new file mode 100644 index 0000000000..e864aefc46 --- /dev/null +++ b/SPECS/shadow-utils/login-defs 
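Review bot: The rebased chkname patch still has no description header, so nothing in the file records why the first-character check now also accepts `A`-`Z`. That is wider than the rule quoted in the context comment this rebase drops (`[a-z_][a-z0-9_-]*[$]`). Add a short header above the `---` line, for example `Allow upper-case letters in user and group names (presumably a distribution-specific relaxation; confirm and state the reason).` The old-side path is now `a/libmisc/chkname.c.orig`; naming it `a/libmisc/chkname.c` would keep both sides pointing at the same file under `%patch0 -p1`. The inner hunk of the patch continues beyond the lines shown here.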
@@ -0,0 +1,400 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id$ +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +# FAIL_DELAY 3 + +# +# Enable logging and display of /var/log/faillog login(1) failure info. +# +# FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable logging and display of /var/log/lastlog login(1) time info. +# +# LASTLOG_ENAB yes + +# +# Enable checking and display of mailbox status upon login. +# +# Disable if the shell startup files already check for mail +# ("mailx -e" or equivalent). +# +# MAIL_CHECK_ENAB yes + +# +# Enable additional checks upon password changes. +# +# OBSCURE_CHECKS_ENAB yes + +# +# Enable checking of time restrictions specified in /etc/porttime. +# +# PORTTIME_CHECKS_ENAB yes + +# +# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field. +# +# QUOTAS_ENAB yes + +# +# Enable "syslog" logging of su(1) activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1). +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# from these devices. +# +# CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su(1) activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +# MOTD_FILE /etc/motd +#MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +# +# If defined, this file will be output before each login(1) prompt. 
+# +#ISSUE_FILE /etc/issue + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format similar to "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login(1) failures will be logged here in a utmp format. +# last(1), when invoked as lastb(1), will read /var/log/btmp, so... +# +# FTMP_FILE /var/log/btmp + +# +# If defined, name of file whose presence will inhibit non-root +# logins. The content of this file should be a message indicating +# why logins are inhibited. +# +# NOLOGINS_FILE /etc/nologin + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then ps(1) will display the +# command as "-su". If not defined, then ps(1) will display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# If defined, either a TZ environment parameter spec or the +# fully-rooted pathname of a file containing such a spec. +# +#ENV_TZ TZ=CST6CDT +#ENV_TZ /etc/tzname + +# +# If defined, an HZ environment parameter spec. +# +# for Linux/x86 +# ENV_HZ HZ=100 +# For Linux/Alpha... +#ENV_HZ HZ=1024 + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. 
+# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# ULIMIT Default "ulimit" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# The ULIMIT is used only if the system supports it. +# (now it works with setrlimit too; ulimit is in 512-byte units) +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +#ULIMIT 2097152 + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. 
+# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +# PASS_MIN_LEN 5 +PASS_WARN_AGE 7 + +# +# If "yes", the user must be listed as a member of the first gid 0 group +# in /etc/group (called "root" on most Linux systems) to be able to "su" +# to uid 0 accounts. If the group doesn't exist or is empty, no one +# will be able to "su" to uid 0. +# +# SU_WHEEL_ONLY no + +# +# If compiled with cracklib support, sets the path to the dictionaries +# +# CRACKLIB_DICTPATH /usr/share/cracklib/pw_dict + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 101 +SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd(8) +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 101 +SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login(1) retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login(1) +# +LOGIN_TIMEOUT 60 + +# +# Maximum number of attempts to change password if rejected (too easy) +# +# PASS_CHANGE_TRIES 5 + +# +# Warn about weak passwords (but still allow them) if you are root. +# +# PASS_ALWAYS_WARN yes + +# +# Number of significant characters in the password for crypt(). +# Default is 8, don't change unless your crypt() is better. +# Ignored if MD5_CRYPT_ENAB set to "yes". +# +#PASS_MAX_LEN 8 + +# +# Require password before chfn(1)/chsh(1) can make any changes. +# +# CHFN_AUTH yes + +# +# Which fields may be changed by regular users using chfn(1) - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Password prompt (%s will be replaced by user name). 
+# +# XXX - it doesn't work correctly yet, for now leave it commented out +# to use the default which is just "Password: ". +#LOGIN_STRING "%s's Password: " + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +# This variable is deprecated. You should use ENCRYPT_METHOD instead. +# +#MD5_CRYPT_ENAB no + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to MD5, MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +# ENCRYPT_METHOD SHA512 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be within the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. 
+# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +# +# List of groups to add to the user's supplementary group set +# when logging in from the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in from the console. +# How to do it is left as an exercise for the reader... +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If this file exists and is readable, login environment will be +# read from it. Every line should be in the form name=value. +# +# ENVIRON_FILE /etc/environment + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel(8) to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-zero number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permits to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd(8) should create home directories for users by default (non +# system users only). +# This option is overridden with the -M or -m flags on the useradd(8) +# command-line. +# +#CREATE_HOME yes + +# +# Force use shadow, even if shadow passwd & shadow group files are +# missing. +# +#FORCE_SHADOW yes 
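Review bot: `ENCRYPT_METHOD` ships commented out (`# ENCRYPT_METHOD SHA512`), and the file's own text gives DES as the default when it is unset. The hash algorithm used for new passwords therefore depends entirely on the PAM password stack (presumably the `system-password` source), which this file does not show. Either ship `ENCRYPT_METHOD SHA512` uncommented, in line with the file's advice to keep the value consistent with the PAM modules, or add a comment such as `# Hash algorithm is selected by the PAM password stack; keep both in sync.` The commented `SHA_CRYPT_MIN_ROUNDS`/`SHA_CRYPT_MAX_ROUNDS` lines likewise leave the round count at the libc default of 5000 stated above them.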
diff --git a/SPECS/shadow-utils/shadow-utils.signatures.json b/SPECS/shadow-utils/shadow-utils.signatures.json index 6003d6fac1..d8646ef59b 100644 --- a/SPECS/shadow-utils/shadow-utils.signatures.json +++ b/SPECS/shadow-utils/shadow-utils.signatures.json @@ -3,14 +3,16 @@ "chage": "7c150a795713d1b3a47a93f835bf415c281e9053405299c6320cd7cb5af40c48", "chpasswd": "50f35a317009f0a24a0d579c23f7296a87734ecd6ce5d5f7fa8e2ebee7acd4c4", "login": "ea50ed3eb831f405d65bdef2f01aee9f8899f7e689a4c6c9f420ca1f670ac6ce", + "login-defs": "ed6b875273ed7e817db4315bac451847a415768ed0f0df948cf8e06c0a3fec8b", "other": "461e53f138a8e5d1ed20033f8d9363c56f2187ce2a0551d57860140da40e1697", "passwd": "9a5ed6eb156b0bafc462056ec22f0ee8d2a2c7507af79d41f8a71c268806c4c6", - "shadow-4.6.tar.xz": "0998c8d84242a231ab0acb7f8613927ff5bcff095f8aa6b79478893a03f05583", + "shadow-4.9.tar.xz": "feec1f2ce9c1b62798afd35a7d1b04cefdfa3a0a30ff3e75d6965ba8978c9144", "sshd": "85b5c5146c920146d1c0ada62b9bfeefec797023bff7c486f034a6f6faad0202", "su": "c7f5f066e5e021deae9dd72cc897240cfdef869da33148f19c8d5e13f5bd0510", "system-account": "a8295e4780b323cac83ca08c65c8cd47ca26e516d64ed857fd3f4ac1f1a8ccc4", "system-auth": "da912d0b5fe0ee9d70403ca88402974f2c24b6dfeb2c8adc037c72297a859590", "system-password": "f3e1667d6e5d7129cfe062e17ce9fc86ea94979bc8fecd592234e7d22c9ddc43", - "system-session": "6f23e44b3af0ac754494aee8a6ce4f3a203020dbff7a6ea5de3b75bad3b2f6ab" + "system-session": "6f23e44b3af0ac754494aee8a6ce4f3a203020dbff7a6ea5de3b75bad3b2f6ab", + "useradd-default": "b239b5620f0c23ef901ea19172e60e38322abbe366e04c94d03ca08f5b936125" } } \ No newline at end of file diff --git a/SPECS/shadow-utils/shadow-utils.spec b/SPECS/shadow-utils/shadow-utils.spec index 799da74890..4c61ee472f 100644 --- a/SPECS/shadow-utils/shadow-utils.spec +++ b/SPECS/shadow-utils/shadow-utils.spec 
@@ -1,13 +1,13 @@ Summary: Programs for handling passwords in a secure way Name: shadow-utils -Version: 4.6 -Release: 11%{?dist} +Version: 4.9 +Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/System URL: https://github.com/shadow-maint/shadow/ -Source0: https://github.com/shadow-maint/shadow/releases/download/4.6/shadow-%{version}.tar.xz +Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz Source1: chage Source2: chpasswd Source3: login @@ -19,22 +19,49 @@ Source8: system-account Source9: system-auth Source10: system-password Source11: system-session -Patch1: chkname-allowcase.patch +Source12: useradd-default +Source13: login-defs +Patch0: chkname-allowcase.patch +Patch1: libsubid-pam-link.patch BuildRequires: cracklib BuildRequires: cracklib-devel +BuildRequires: libselinux-devel +BuildRequires: libsemanage-devel BuildRequires: pam-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool Requires: cracklib Requires: pam Provides: /sbin/nologin Provides: passwd = %{version}-%{release} +Requires: libselinux +Requires: libsemanage %description The Shadow package contains programs for handling passwords in a secure way. +%package subid +Summary: A library to manage subordinate uid and gid ranges + +%description subid +Utility library that provides a way to manage subid ranges. + +%package subid-devel +Summary: Libraries and headers for libsubid +Requires: %{name}-subid = %{version}-%{release} + +%description subid-devel +Libraries and headers for libsubid + %prep %setup -q -n shadow-%{version} +%patch0 -p1 %patch1 -p1 + +autoreconf -fiv + sed -i 's/groups$(EXEEXT) //' src/Makefile.in find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \ 
@@ -44,21 +71,23 @@ sed -i 's@DICTPATH.*@DICTPATH\t/usr/share/cracklib/pw_dict@' \ etc/login.defs %build -%configure --sysconfdir=%{_sysconfdir} --with-libpam \ - --with-libcrack --with-group-name-max-length=32 -make %{?_smp_mflags} +%configure \ + --sysconfdir=%{_sysconfdir} \ + --with-libpam \ + --with-libcrack \ + --with-group-name-max-length=32 \ + --with-selinux \ + --enable-man +%make_build %install -make DESTDIR=%{buildroot} install +%make_install install -vdm 755 %{buildroot}/bin +install -vdm755 %{buildroot}%{_sysconfdir}/default mv -v %{buildroot}%{_bindir}/passwd %{buildroot}/bin -sed -i 's/yes/no/' %{buildroot}%{_sysconfdir}/default/useradd +install -vm644 %{SOURCE12} %{buildroot}%{_sysconfdir}/default/useradd +install -vm644 %{SOURCE13} %{buildroot}%{_sysconfdir}/login.defs ln -s useradd %{buildroot}%{_sbindir}/adduser -# Use group id 100(users) by default -sed -i 's/GROUP.*/GROUP=100/' %{buildroot}%{_sysconfdir}/default/useradd -# Disable usergroups. Use "users" group by default (see /etc/default/useradd) -# for all nonroot users. -sed -i 's/USERGROUPS_ENAB.*/USERGROUPS_ENAB no/' %{buildroot}%{_sysconfdir}/login.defs cp etc/{limits,login.access} %{buildroot}%{_sysconfdir} for FUNCTION in FAIL_DELAY \ FAILLOG_ENAB \ @@ -99,10 +128,12 @@ do sed -i "s/chage/$PROGRAM/" %{buildroot}%{_sysconfdir}/pam.d/${PROGRAM} done +find %{buildroot} -type f -name "*.la" -delete -print + %find_lang shadow %check -make %{?_smp_mflags} check +%make_build check %post %{_sbindir}/pwconv 
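Review bot: With `install -vm644 %{SOURCE13} %{buildroot}%{_sysconfdir}/login.defs`, the packaged file is now the static `login-defs` source. The `%prep` edits to `etc/login.defs` that remain as context in this and the preceding hunk (the `ENCRYPT_METHOD SHA512` and `DICTPATH` `sed` lines) therefore no longer reach the installed configuration. Left in place, they suggest SHA512 is selected at build time, while the shipped file has that line commented out. Remove those `sed` lines, or carry the settings in `login-defs` itself and add a comment above the `install` line such as `# login.defs is shipped verbatim from Source13; edit that file, not etc/login.defs`. The `%prep` section begins outside this hunk.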
@@ -141,110 +172,139 @@ make %{?_smp_mflags} check %exclude %{_mandir}/zh_TW %config(noreplace) %{_sysconfdir}/pam.d/* +%files subid +%{_libdir}/libsubid.so.3* + +%files subid-devel +%{_includedir}/shadow/subid.h +%{_libdir}/libsubid.so + %changelog -* Fri Mar 26 2021 Thomas Crain - 4.6-11 +* Fri Aug 13 2021 Thomas Crain - 4.9-1 +- Upgrade to latest upstream version and rebase chkname patch +- Add upstream patch to deal with libsubid build failure when linking to pam +- Add %%{_sysconfdir}/login.defs and %{_syconfdir}/default/useradd to sources +- since they are not auto-generated during packaging +- Create %%{name}-subid and %%{name}-subid-devel subpackages + +* Thu Jul 29 2021 Jon Slobodzian - 4.6-15 +- Dash Rolled for Merge from 1.0 branch + +* Tue Jun 15 2021 Daniel Burgener - 4.6-14 +- Fix issue with undocumented libselinux and libsemanage requirements + +* Wed May 26 2021 Daniel Burgener - 4.6-13 +- Add SELinux support + +* Thu May 20 2021 Thomas Crain - 4.6-12 +- Enable usergroups for useradd + +* Fri Mar 26 2021 Thomas Crain 4.6-11 - Merge the following releases from 1.0 to dev branch - schalam@microsoft.com, 4.6-9: Remove PASS_MAX_DAYS customized value 90 to set default value - lihl@microsoft.com, 4.6-10: Add sym link to adduser from useradd and create the file for adduser +* Mon Mar 01 2021 Henry Li - 4.6-10 +- Add sym link to adduser from useradd and create the file for adduser + * Fri Dec 11 2020 Joe Schmitt - 4.6-10 - Provide passwd. * Tue Nov 03 2020 Joe Schmitt - 4.6-9 - Provide /sbin/nologin. -* Sat May 09 00:20:53 PST 2020 Nick Samson - 4.6-8 +* Sat May 09 2020 Nick Samson - 4.6-8 - Added %%license line automatically -* Tue Apr 28 2020 Emre Girgin 4.6-7 -- Renaming Linux-PAM to pam +* Tue Apr 28 2020 Emre Girgin - 4.6-7 +- Renaming Linux-PAM to pam -* Mon Apr 14 2020 Emre Girgin 4.6-6 -- Consolidate all subpackages as one and rename it to shadow-utils. -- Update the URL. 
+* Tue Apr 14 2020 Emre Girgin - 4.6-6 +- Consolidate all subpackages as one and rename it to shadow-utils. +- Update the URL. -* Thu Apr 09 2020 Nicolas Ontiveros 4.6-5 -- Remove toybox and only use shadow-tools for requires. +* Thu Apr 09 2020 Nicolas Ontiveros - 4.6-5 +- Remove toybox and only use shadow-tools for requires. -* Tue Sep 03 2019 Mateusz Malisz 4.6-4 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz - 4.6-4 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Oct 24 2018 Michelle Wang 4.6-3 -- Add su and login into shadow-tool. +* Wed Oct 24 2018 Michelle Wang - 4.6-3 +- Add su and login into shadow-tool. -* Tue Oct 2 2018 Michelle Wang 4.6-2 -- Add conflict toybox for shadow-tools. +* Tue Oct 2 2018 Michelle Wang - 4.6-2 +- Add conflict toybox for shadow-tools. -* Wed Sep 19 2018 Srinidhi Rao 4.6-1 -- Upgrading the version to 4.6. +* Wed Sep 19 2018 Srinidhi Rao - 4.6-1 +- Upgrading the version to 4.6. -* Mon Jul 30 2018 Tapas Kundu 4.2.1-16 -- Added fix for CVE-2018-7169. +* Mon Jul 30 2018 Tapas Kundu - 4.2.1-16 +- Added fix for CVE-2018-7169. -* Fri Apr 20 2018 Alexey Makhalov 4.2.1-15 -- Move pam.d config file to here for better tracking. -- Add pam_loginuid module as optional in a session. +* Fri Apr 20 2018 Alexey Makhalov - 4.2.1-15 +- Move pam.d config file to here for better tracking. +- Add pam_loginuid module as optional in a session. -* Tue Oct 10 2017 Alexey Makhalov 4.2.1-14 -- Added -tools subpackage. -- Main package requires -tools or toybox. +* Tue Oct 10 2017 Alexey Makhalov - 4.2.1-14 +- Added -tools subpackage. +- Main package requires -tools or toybox. -* Tue Aug 15 2017 Anish Swaminathan 4.2.1-13 -- Added fix for CVE-2017-12424, CVE-2016-6252. +* Tue Aug 15 2017 Anish Swaminathan - 4.2.1-13 +- Added fix for CVE-2017-12424, CVE-2016-6252. -* Thu Apr 27 2017 Divya Thaluru 4.2.1-12 -- Allow '.' in username. +* Thu Apr 27 2017 Divya Thaluru - 4.2.1-12 +- Allow '.' 
in username. -* Wed Dec 07 2016 Xiaolin Li 4.2.1-11 -- BuildRequires Linux-PAM-devel. +* Wed Dec 07 2016 Xiaolin Li - 4.2.1-11 +- BuildRequires Linux-PAM-devel. -* Wed Nov 23 2016 Alexey Makhalov 4.2.1-10 -- Added -lang subpackage. +* Wed Nov 23 2016 Alexey Makhalov - 4.2.1-10 +- Added -lang subpackage. -* Tue Oct 04 2016 ChangLee 4.2.1-9 -- Modified %check. +* Tue Oct 04 2016 ChangLee - 4.2.1-9 +- Modified %check. -* Tue Jun 21 2016 Divya Thaluru 4.2.1-8 -- Added logic to not replace pam.d conf files in upgrade scenario. +* Tue Jun 21 2016 Divya Thaluru - 4.2.1-8 +- Added logic to not replace pam.d conf files in upgrade scenario. -* Fri May 27 2016 Divya Thaluru 4.2.1-7 -- Adding pam_cracklib module as requisite to pam password configuration. +* Fri May 27 2016 Divya Thaluru - 4.2.1-7 +- Adding pam_cracklib module as requisite to pam password configuration. -* Wed May 25 2016 Divya Thaluru 4.2.1-6 -- Modifying pam_systemd module as optional in a session. +* Wed May 25 2016 Divya Thaluru - 4.2.1-6 +- Modifying pam_systemd module as optional in a session. -* Tue May 24 2016 Priyesh Padmavilasom 4.2.1-5 -- GA Bump release of all rpms. +* Tue May 24 2016 Priyesh Padmavilasom - 4.2.1-5 +- GA Bump release of all rpms. -* Mon May 2 2016 Xiaolin Li 4.2.1-4 -- Enabling pam_systemd module in a session. +* Mon May 2 2016 Xiaolin Li - 4.2.1-4 +- Enabling pam_systemd module in a session. -* Fri Apr 29 2016 Divya Thaluru 4.2.1-3 -- Setting password aging limits to 90 days. +* Fri Apr 29 2016 Divya Thaluru - 4.2.1-3 +- Setting password aging limits to 90 days. -* Wed Apr 27 2016 Divya Thaluru 4.2.1-3 -- Setting password aging limits to 365 days. +* Wed Apr 27 2016 Divya Thaluru - 4.2.1-3 +- Setting password aging limits to 365 days. -* Wed Mar 23 2016 Divya Thaluru 4.2.1-2 -- Enabling pam_limits module in a session. +* Wed Mar 23 2016 Divya Thaluru - 4.2.1-2 +- Enabling pam_limits module in a session. -* Tue Jan 12 2016 Anish Swaminathan 4.2.1-1 -- Update version. 
+* Tue Jan 12 2016 Anish Swaminathan - 4.2.1-1 +- Update version. -* Wed Dec 2 2015 Divya Thaluru 4.1.5.1-6 -- Fixed PAM Configuration file for passwd. +* Wed Dec 2 2015 Divya Thaluru - 4.1.5.1-6 +- Fixed PAM Configuration file for passwd. -* Mon Oct 26 2015 Sharath George 4.1.5.1-5 -- Allow mixed case in username. +* Mon Oct 26 2015 Sharath George - 4.1.5.1-5 +- Allow mixed case in username. -* Mon Jun 29 2015 Divya Thaluru 4.1.5.1-4 -- Fixed PAM Configuration file for chpasswd. +* Mon Jun 29 2015 Divya Thaluru - 4.1.5.1-4 +- Fixed PAM Configuration file for chpasswd. -* Tue Jun 16 2015 Alexey Makhalov 4.1.5.1-3 -- Use group id 100(users) by default. +* Tue Jun 16 2015 Alexey Makhalov - 4.1.5.1-3 +- Use group id 100(users) by default. -* Wed May 27 2015 Divya Thaluru 4.1.5.1-2 -- Adding PAM support. +* Wed May 27 2015 Divya Thaluru - 4.1.5.1-2 +- Adding PAM support. -* Wed Nov 5 2014 Divya Thaluru 4.1.5.1-1 -- Initial build First version. +* Wed Nov 5 2014 Divya Thaluru - 4.1.5.1-1 +- Initial build First version. diff --git a/SPECS/shadow-utils/useradd-default b/SPECS/shadow-utils/useradd-default new file mode 100644 index 0000000000..b601bc9c6a --- /dev/null +++ b/SPECS/shadow-utils/useradd-default @@ -0,0 +1,8 @@ +# useradd defaults file +GROUP=100 +HOME=/home +INACTIVE=-1 +EXPIRE= +SHELL=/bin/bash +SKEL=/etc/skel +CREATE_MAIL_SPOOL=no \ No newline at end of file diff --git a/SPECS/slang/slang.spec b/SPECS/slang/slang.spec index 0d0406d9d8..af751bbf79 100644 --- a/SPECS/slang/slang.spec +++ b/SPECS/slang/slang.spec @@ -62,7 +62,7 @@ make check %{_libdir}/pkgconfig/*.pc %changelog -* Sat May 09 00:21:27 PST 2020 Nick Samson - 2.3.2-3 +* Sat May 09 2020 Nick Samson - 2.3.2-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.3.2-2 diff --git a/SPECS/snappy/snappy.spec b/SPECS/snappy/snappy.spec index 2c7296e7a6..0410e07944 100644 --- a/SPECS/snappy/snappy.spec +++ b/SPECS/snappy/snappy.spec 
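Review bot: The new `SPECS/shadow-utils/useradd-default` file states the account-ageing defaults without any comment: `INACTIVE=-1` and an empty `EXPIRE=` mean new accounts get no inactivity lock and no expiry date unless the administrator sets them. Because this static file now replaces the `sed` edits the spec used to make, a header comment should record which values are deliberate distribution policy, for example `# INACTIVE=-1 / EXPIRE= : no inactivity lock or expiry by default`. `GROUP=100` is also kept while the changelog says usergroups were enabled in 4.6-12, so a comment should say when it still applies (presumably only when no per-user group is created). The file also ends without a trailing newline.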
@@ -66,7 +66,7 @@ make test %{_lib64dir}/libsnappy.so %changelog -* Sat May 09 00:21:08 PST 2020 Nick Samson - 1.1.7-5 +* Sat May 09 2020 Nick Samson - 1.1.7-5 - Added %%license line automatically * Fri Apr 10 2020 Nick Samson 1.1.7-4 diff --git a/SPECS/socat/socat.spec b/SPECS/socat/socat.spec index 1fa068e3f1..071e3b85b2 100644 --- a/SPECS/socat/socat.spec +++ b/SPECS/socat/socat.spec @@ -39,7 +39,7 @@ rm -rf %{buildroot}/* %{_mandir}/man1/* %changelog -* Sat May 09 00:21:12 PST 2020 Nick Samson - 1.7.3.4-2 +* Sat May 09 2020 Nick Samson - 1.7.3.4-2 - Added %%license line automatically * Tue Mar 24 2020 Henry Beberman 1.7.3.4-1 diff --git a/SPECS/sos/sos.signatures.json b/SPECS/sos/sos.signatures.json new file mode 100644 index 0000000000..b3d926b1c6 --- /dev/null +++ b/SPECS/sos/sos.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "sos-4.1.tar.gz": "5edc75a655a43a1b21d8d1cec3371d4d188157501ccf60984a9e189e205444ec" + } +} \ No newline at end of file diff --git a/SPECS/sos/sos.spec b/SPECS/sos/sos.spec new file mode 100644 index 0000000000..006750ee75 --- /dev/null +++ b/SPECS/sos/sos.spec 
@@ -0,0 +1,643 @@ +%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} +Summary: A set of tools to gather troubleshooting information from a system +Name: sos +Version: 4.1 +Release: 3%{?dist} +License: GPLv2+ +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/sosreport/sos +#Source0: https://github.com/sosreport/sos/archive/%%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +BuildRequires: gettext +BuildRequires: python3-devel +BuildRequires: python3-setuptools +Requires: bzip2 +Requires: python3 +Requires: python3-libxml2 +Requires: python3-pexpect +Requires: python3-rpm +Requires: tar +Requires: xz +BuildArch: noarch + +%description +Sos is a set of tools that gathers information about system +hardware and configuration. The information can then be used for +diagnostic purposes and debugging. Sos is commonly used to help +support technicians and developers. + +%prep +%autosetup -n %{name}-%{version} + +%build +python3 setup.py build + +%install +python3 setup.py install --skip-build --prefix=%{_prefix} --root=%{buildroot} --install-scripts=%{_sbindir} + +# Remove doubly-packaged documentation files +rm -rf %{buildroot}%{_datadir}/licenses/sos +rm -rf %{buildroot}%{_datadir}/doc/sos + +install -d -m 755 %{buildroot}%{_sysconfdir}/%{name} +install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/cleaner +install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/presets.d +install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/groups.d +install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/extras.d +install -m 644 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf + +rm -rf %{buildroot}%{_prefix}/config/ + +%find_lang %{name} || echo 0 + +%files -f %{name}.lang +%license LICENSE +%doc AUTHORS README.md +%{_sbindir}/sos +%{_sbindir}/sosreport +%{_sbindir}/sos-collector +%dir %{_sysconfdir}/sos/cleaner +%dir %{_sysconfdir}/sos/presets.d +%dir 
%{_sysconfdir}/sos/extras.d +%dir %{_sysconfdir}/sos/groups.d +%{python3_sitelib}/* +%{_mandir}/man1/* +%{_mandir}/man5/* + +%config(noreplace) %{_sysconfdir}/sos/sos.conf + +%changelog +* Wed May 12 2021 Thomas Crain - 4.1-3 +- Fix build break due to doubly-packaged license/doc files + +* Mon May 10 2021 Thomas Crain - 4.1-2 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- Linted spec to Mariner style +- License verified + +* Wed Mar 10 2021 Sandro Bonazzola - 4.1-1 +- Update to 4.1 (#1933183) + +* Wed Jan 27 2021 Fedora Release Engineering - 4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Sep 24 2020 Sandro Bonazzola - 4.0-2 +- Fixes BZ#1882015 + +* Mon Sep 14 2020 Sandro Bonazzola - 4.0-1 +- Update to 4.0 (#1869464) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.9.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 26 2020 Miro HronÄok - 3.9.1-2 +- Rebuilt for Python 3.9 + +* Fri Mar 27 2020 Sandro Bonazzola - 3.9.1-1 +- Update to 3.9.1 (#1803339) + +* Thu Jan 30 2020 Fedora Release Engineering - 3.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Aug 29 2019 Sandro Bonazzola - 3.8-1 +- Update to 3.8 (#1747060) +- Conflicts with vdsm <= 4.30.17 (#1706060) + +* Mon Aug 19 2019 Miro HronÄok - 3.7-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 3.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Mar 28 2019 Sandro Bonazzola - 3.7-1 +- Rebase on upstream 3.7 +- Resolves: BZ#1693419 + +* Sun Feb 03 2019 Fedora Release Engineering - 3.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jun 25 2018 Sandro Bonazzola - 3.6-3 +- Rebuilt for Python 3.7 + +* Mon Jun 25 2018 Sandro Bonazzola - 3.6-2 +- Upstream re-tagged the source package + 
+* Mon Jun 25 2018 Sandro Bonazzola - 3.6-1 +- Rebase on upstream 3.6 +- Added python3-six build requirement +- Resolves: BZ#1594443 + +* Tue Jun 19 2018 Miro HronÄok - 3.5.1-2 +- Rebuilt for Python 3.7 + +* Tue May 29 2018 Sandro Bonazzola - 3.5.1-1 +- Rebase on upstream 3.5.1 +- Resolves: BZ#1583580 + +* Fri Feb 09 2018 Fedora Release Engineering - 3.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Nov 14 2017 Sandro Bonazzola - 3.5-1 +- Rebase on upstream 3.5 +- Resolves: BZ#1513030 + +* Thu Jul 27 2017 Fedora Release Engineering - 3.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Mar 29 2017 Sandro Bonazzola - 3.4-1 +- Rebase on upstream 3.4 +- Resolves: BZ#1436969 +- Resolves: BZ#1427445 + +* Thu Feb 23 2017 Sandro Bonazzola - 3.3-1 +- Rebase on upstream 3.3 +- Resolves: BZ#1411314 + +* Sat Feb 11 2017 Fedora Release Engineering - 3.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro HronÄok - 3.2-5 +- Rebuild for Python 3.6 + +* Tue Jul 19 2016 Fedora Release Engineering - 3.2-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Fri Feb 05 2016 Fedora Release Engineering - 3.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Dec 16 2015 Bryn M. 
Reeves = 3.2-2 +- [sosreport] ensure private temporary directory is removed +- [global] sync rawhide package with upstream +- [ceph] collect /var/lib/ceph and /var/run/ceph +- [sosreport] prepare report in a private subdirectory (CVE-2015-7529) +- [docker] collect journald logs for docker unit +- [sosreport] fix command-line report defaults +- [openstack_neutron] obfuscate server_auth in restproxy.ini +- [memory] collect swapon --show output in bytes +- [sosreport] fix command-line report defaults (proper patch ordering) +- [sapnw] call self methods properly +- [openvswitch] capture the logs, db and OVS bridges details +- [logs] fix reference to missing 'rsyslog_conf' variable +- [sapnw] Add check if saphostctrl is not present, dont use Set +- [Plugin] fix handling of symlinks in non-sysroot environments +- [openstack] Ensure openstack passwords and secrets are obfuscated +- [plugin] pass stderr through _collect_cmd_output +- [kubernetes,plugin] Support running sos inside a container +- [openstack] New Openstack Trove (DBaaS) plugin +- [services] Add more diagnostics to applications +- [openstack_neutron] Obscure passwords and secrets +- [ceph] add calamari and ragos logs and configs +- [iprconfig] enable plugin for ppc64* architectures +- [general] verify --profile contains valid plugins only +- [kernel,mpt,memory] additional kernel-related diagnostics +- [cluster] enable crm_report password scrubbing +- [sosreport] fix command-line report defaults +- [virsh] add new plugin, add listing of qemu +- [sap*,vhostmd] new plugins for SAP +- [cluster] crm_report fails to run because dir already exists +- [foreman] Skip collection of generic resources +- [apache] Added collection of conf.modules.d dir for httpd 2.4 +- [pcp] collect /etc/pcp.conf +- [puppet] adding new plugin for puppet +- [block] Don't use parted human readable output +- [general] Better handling --name and --ticket-number in +- [networking] additional ip, firewall and traffic shaping +- [infiniband] add 
opensm and infiniband-diags support +- [plugins/rabbitmq] Added cluster_status command output +- [networking] re-add 'ip addr' with a root symlink +- [kimchi] add new plugin +- [iprconfig] add plugin for IBM Power RAID adapters +- [ovirt] Collect engine tunables and domain information. +- [activemq] Honour all_logs and get config on RHEL +- [cluster] Add luci to packages for standalone luci servers +- [hpasm] hpasmcli commands hang under timeout +- [mysql] Collect log file +- [chrony] add chrony plugin +- [openstack_sahara] redact secrets from sahara configuration +- [openstack_sahara] add new openstack_sahara plugin +- [openstack_neutron] neutron configuration and logs files not captured +- [ovirt] remove ovirt-engine setup answer file password leak +- [networking] network plugin fails if NetworkManager is disabled +- [cluster] crm_report fails to run because dir already exists +- [mysql] improve handling of dbuser, dbpass and MYSQL_PWD +- [mysql] test for boolean values in dbuser and dbpass +- [plugin] limit path names to PC_NAME_MAX +- [squid] collect files from /var/log/squid +- [sosreport] log plugin exceptions to a file +- [ctdb] fix collection of /etc/sysconfig/ctdb +- [sosreport] fix silent exception handling +- [sosreport] do not make logging calls after OSError +- [sosreport] catch OSError exceptions in SoSReport.execute() +- [anaconda] make useradd password regex tolerant of whitespace +- [mysql] fix handling of mysql.dbpass option +- [navicli] catch exceptions if stdin is unreadable +- [docs] update man page for new options +- [sosreport] make all utf-8 handling user errors=ignore +- [kpatch] do not attempt to collect data if kpatch is not installed +- [archive] drop support for Zip archives +- [sosreport] fix archive permissions regression +- [tomcat] add support for tomcat7 and default log size limits +- [mysql] obtain database password from the environment +- [corosync] add postprocessing for corosync-objctl output +- [ovirt_hosted_engine] fix 
exception when force-enabled +- [yum] call rhsm-debug with --no-subscriptions +- [powerpc] allow PowerPC plugin to run on ppc64le +- [package] add Obsoletes for sos-plugins-openstack +- [pam] add pam_tally2 and faillock support +- [postgresql] obtain db password from the environment +- [pcp] add Performance Co-Pilot plugin +- [nfsserver] collect /etc/exports.d +- [sosreport] handle --compression-type correctly +- [anaconda] redact passwords in kickstart configurations +- [haproxy] add new plugin +- [keepalived] add new plugin +- [lvm2] set locking_type=0 when calling lvm commands +- [tuned] add new plugin +- [cgroups] collect /etc/sysconfig/cgred +- [plugins] ensure doc text is always displayed for plugins +- [sosreport] fix the distribution version API call +- [docker] add new plugin +- [openstack_*] include broken-out openstack plugins +- [mysql] support MariaDB +- [openstack] do not collect /var/lib/nova +- [grub2] collect grub.cfg on UEFI systems +- [sosreport] handle out-of-space errors gracefully +- [firewalld] new plugin +- [networking] collect NetworkManager status +- [kpatch] new plugin +- [global] update to upstream 3.2 release +- [foreman] add new plugin + +* Tue Nov 10 2015 Fedora Release Engineering - 3.2-0.4.a +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Fri Jul 17 2015 Miro HronÄok - 3.2-0.3.a +- Use Python 3 (#1014595) +- Use setup.py instead of make +- Remove some deprecated statements + +* Fri Jun 19 2015 Fedora Release Engineering - 3.2-0.2.a +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Jun 17 2014 Bryn M. Reeves = 3.2-0.1.a +- Make source URL handling compliant with packaging guidelines +- Update to new upstream pre-release sos-3.2-alpha1 + +* Sun Jun 08 2014 Fedora Release Engineering - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Apr 01 2014 Bryn M. 
Reeves = 3.1-1 +- Update to new upstream release sos-3.1 +- Add collection of grub configuration for UEFI systems +- Raise a TypeError if add_copy_specs() is called with a string +- Add tests for Plugin.add_copy_spec()/add_copy_specs() +- Update Plugin tests to treat copy_paths as a set +- Use a set for Plugin.copy_paths +- Remove references to 'sub' parameter from plugin tests +- Remove 'sub' parameter from Plugin.add_copy_spec*() +- Drop RedHatPlugin from procenv +- Update plugin_tests.py to match new method names +- Remove obsolete checksum reference from utilities_tests.py +- Refactor Plugin.collect() pathway +- Fix x86 arch detection in processor plugin +- Pythonify Plugin._path_in_pathlist() +- Clean up package checks in processor plugin +- Replace self.policy().pkg_by_name() us in Logs plugin +- Convert infiniband to package list +- Dead code removal: PluginException +- Dead code removal: sos.plugins.common_prefix() +- Add vim tags to all python source files +- Dead code removal: utilities.checksum() +- Dead code removal: DirTree +- Dead code removal: sos_relative_path() +- Remove --profile support +- Fix plugin_test exception on six.PY2 +- Call rhsm-debug with the --sos switch +- Do not collect isos in cobbler plugin +- Match plugins against policies +- Update policy_tests.py for validate_plugin change +- Rename validatePlugin to validate_plugin +- Fix broken binary detection in satellite plugin +- Clean up get_cmd_path/make_cmd_path/make_cmd_dirs mess +- Add tuned plugin +- Update systemd support +- Fix remaining use of obsolete 'get_cmd_dir()' in plugins +- Add PowerNV specific debug data +- powerpc: Move VPD related tool under common code +- Remove the rhevm plugin. 
+- Replace package check with file check in anacron +- Scrub ldap_default_authtok password in sssd plugin +- Eliminate hard-coded /var/log/sa paths in sar plugin +- Remove useless check_enabled() from sar plugin +- Improve error message when cluster.crm_from is invalid +- Fix command output substitution exception +- Add distupgrade plugin +- Fix gluster volume name extraction +- Ensure unused fds are closed when calling subprocesses via Popen +- Pass --no-archive to rhsm-debug script +- postgresql: allow use TCP socket +- postgresql: added license and copyright +- postgresql: add logs about errors / warnings +- postgresql: minor fixes +- Include geo-replication status in gluster plugin +- Make get_cmd_output_now() behaviour match 2.2 +- Add rhsm-debug collection to yum plugin +- Always treat rhevm vdsmlogs option as string +- Fix verbose file logging +- Fix get_option() use in cluster plugin +- Fix cluster postproc regression +- Ensure superclass postproc method is called in ldap plugin +- Remove obsolete diagnostics code from ldap plugin +- Fix cluster module crm_report support + +* Thu Mar 20 2014 Bryn M. Reeves = 3.0-23 +- Call rhsm-debug with the --sos switch + +* Mon Mar 03 2014 Bryn M. Reeves +- Fix package check in anacron plugin + +* Wed Feb 12 2014 Bryn M. Reeves +- Remove obsolete rhel_version() usage from yum plugin + +* Tue Feb 11 2014 Bryn M. Reeves +- Prevent unhandled exception during command output substitution + +* Mon Feb 10 2014 Bryn M. Reeves +- Fix generation of volume names in gluster plugin +- Add distupgrade plugin + +* Tue Feb 04 2014 Bryn M. Reeves +- Prevent file descriptor leaks when using Popen +- Disable zip archive creation when running rhsm-debug +- Include volume geo-replication status in gluster plugin + +* Mon Feb 03 2014 Bryn M. 
Reeves +- Fix get_option use in cluster plugin +- Fix debug logging to file when given '-v' +- Always treat rhevm plugin's vdsmlogs option as a string +- Run the rhsm-debug script from yum plugin + +* Fri Jan 31 2014 Bryn M. Reeves +- Add new plugin to collect OpenHPI configuration +- Fix cluster plugin crm_report support +- Fix file postprocessing in ldap plugin +- Remove collection of anaconda-ks.cfg from general plugin + +* Fri Jan 24 2014 Bryn M. Reeves +- Remove debug statements from logs plugin +- Make ethernet interface detection more robust +- Fix specifying multiple plugin options on the command line +- Make log and message levels match previous versions +- Log a warning message when external commands time out +- Remove --upload command line option +- Update sos UI text to match upstream + +* Fri Dec 27 2013 Daniel Mach +- Mass rebuild 2013-12-27 + +* Thu Nov 14 2013 Bryn M. Reeves +- Fix regressions introduced with --build option + +* Tue Nov 12 2013 Bryn M. Reeves +- Fix typo in yum plug-in add_forbidden_paths +- Add krb5 plug-in and drop collection of krb5.keytab + +* Fri Nov 8 2013 Bryn M. Reeves +- Add nfs client plug-in +- Fix traceback when sar module force-enabled + +* Thu Nov 7 2013 Bryn M. Reeves +- Restore --build command line option +- Collect saved vmcore-dmesg.txt files +- Normalize temporary directory paths + +* Tue Nov 5 2013 Bryn M. Reeves +- Add domainname output to NIS plug-in +- Collect /var/log/squid in squid plug-in +- Collect mountstats and mountinfo in filesys plug-in +- Add PowerPC plug-in from upstream + +* Thu Oct 31 2013 Bryn M. Reeves +- Remove version checks in gluster plug-in +- Check for usable temporary directory +- Fix --alloptions command line option +- Fix configuration fail regression + +* Wed Oct 30 2013 Bryn M. 
Reeves +- Include /etc/yaboot.conf in boot plug-in +- Fix collection of brctl output in networking plug-in +- Verify limited set of RPM packages by default +- Do not strip newlines from command output +- Limit default sar data collection + +* Thu Oct 3 2013 Bryn M. Reeves +- Do not attempt to read RPC pseudo files in networking plug-in +- Restrict wbinfo collection to the current domain +- Add obfuscation of luci secrets to cluster plug-in +- Add XFS plug-in +- Fix policy class handling of --tmp-dir +- Do not set batch mode if stdin is not a TTY +- Attempt to continue when reading bad input in interactive mode + +* Wed Aug 14 2013 Bryn M. Reeves +- Add crm_report support to cluster plug-in +- Fix rhel_version() usage in cluster and s390 plug-ins +- Strip trailing newline from command output + +* Mon Jun 10 2013 Bryn M. Reeves +- Silence 'could not run' messages at default verbosity +- New upstream release + +* Thu May 23 2013 Bryn M. Reeves +- Always invoke tar with '-f-' option + +* Mon Jan 21 2013 Bryn M. Reeves +- Fix interactive mode regression when --ticket unspecified + +* Fri Jan 18 2013 Bryn M. Reeves +- Fix propagation of --ticket parameter in interactive mode + +* Thu Jan 17 2013 Bryn M. Reeves +- Revert OpenStack patch + +* Wed Jan 9 2013 Bryn M. Reeves +- Report --name and --ticket values as defaults +- Fix device-mapper command execution logging +- Fix data collection and rename PostreSQL module to pgsql + +* Fri Oct 19 2012 Bryn M. Reeves +- Add support for content delivery hosts to RHUI module + +* Thu Oct 18 2012 Bryn M. Reeves +- Add Red Hat Update Infrastructure module +- Collect /proc/iomem in hardware module +- Collect subscription-manager output in general module +- Collect rhsm log files in general module +- Fix exception in gluster module on non-gluster systems +- Fix exception in psql module when dbname is not given + +* Wed Oct 17 2012 Bryn M. 
Reeves +- Collect /proc/pagetypeinfo in memory module +- Strip trailing newline from command output +- Add sanlock module +- Do not collect archived accounting files in psacct module +- Call spacewalk-debug from rhn module to collect satellite data + +* Mon Oct 15 2012 Bryn M. Reeves +- Avoid calling volume status when collecting gluster statedumps +- Use a default report name if --name is empty +- Quote tilde characters passed to shell in RPM module +- Collect KDC and named configuration in ipa module +- Sanitize hostname characters before using as report path +- Collect /etc/multipath in device-mapper module +- New plug-in for PostgreSQL +- Add OpenStack module +- Avoid deprecated sysctls in /proc/sys/net +- Fix error logging when calling external programs +- Use ip instead of ifconfig to generate network interface lists + +* Wed May 23 2012 Bryn M. Reeves +- Collect the swift configuration directory in gluster module +- Update IPA module and related plug-ins + +* Fri May 18 2012 Bryn M. Reeves +- Collect mcelog files in the hardware module + +* Wed May 02 2012 Bryn M. Reeves +- Add nfs statedump collection to gluster module + +* Tue May 01 2012 Bryn M. Reeves +- Use wildcard to match possible libvirt log paths + +* Mon Apr 23 2012 Bryn M. Reeves +- Add forbidden paths for new location of gluster private keys + +* Fri Mar 9 2012 Bryn M. Reeves +- Fix katello and aeolus command string syntax +- Remove stray hunk from gluster module patch + +* Thu Mar 8 2012 Bryn M. Reeves +- Correct aeolus debug invocation in CloudForms module +- Update gluster module for gluster-3.3 +- Add additional command output to gluster module +- Add support for collecting gluster configuration and logs + +* Wed Mar 7 2012 Bryn M. 
Reeves +- Collect additional diagnostic information for realtime systems +- Improve sanitization of RHN user and case number in report name +- Fix verbose output and debug logging +- Add basic support for CloudForms data collection +- Add support for Subscription Asset Manager diagnostics + +* Tue Mar 6 2012 Bryn M. Reeves +- Collect fence_virt.conf in cluster module +- Fix collection of /proc/net directory tree +- Gather output of cpufreq-info when present +- Fix brctl showstp output when bridges contain multiple interfaces +- Add /etc/modprobe.d to kernel module +- Ensure relative symlink targets are correctly handled when copying +- Fix satellite and proxy package detection in rhn plugin +- Collect stderr output from external commands +- Collect /proc/cgroups in the cgroups module + Resolve: bz784874 +- Collect /proc/irq in the kernel module +- Fix installed-rpms formatting for long package names +- Add symbolic links for truncated log files +- Collect non-standard syslog and rsyslog log files +- Use correct paths for tomcat6 in RHN module +- Obscure root password if present in anacond-ks.cfg +- Do not accept embedded forward slashes in RHN usernames +- Add new sunrpc module to collect rpcinfo for gluster systems + +* Tue Nov 1 2011 Bryn M. Reeves +- Do not collect subscription manager keys in general plugin + +* Fri Sep 23 2011 Bryn M. Reeves +- Fix execution of RHN hardware.py from hardware plugin +- Fix hardware plugin to support new lsusb path + +* Fri Sep 09 2011 Bryn M. Reeves +- Fix brctl collection when a bridge contains no interfaces +- Fix up2dateclient path in hardware plugin + +* Mon Aug 15 2011 Bryn M. Reeves +- Collect brctl show and showstp output +- Collect nslcd.conf in ldap plugin + +* Sun Aug 14 2011 Bryn M. 
Reeves +- Truncate files that exceed specified size limit +- Add support for collecting Red Hat Subscrition Manager configuration +- Collect /etc/init on systems using upstart +- Don't strip whitespace from output of external programs +- Collect ipv6 neighbour table in network module +- Collect basic cgroups configuration data + +* Sat Aug 13 2011 Bryn M. Reeves +- Fix collection of data from LVM2 reporting tools in devicemapper plugin +- Add /proc/vmmemctl collection to vmware plugin + +* Fri Aug 12 2011 Bryn M. Reeves +- Collect yum repository list by default +- Add basic Infiniband plugin +- Add plugin for scsi-target-utils iSCSI target +- Fix autofs plugin LC_ALL usage +- Fix collection of lsusb and add collection of -t and -v outputs +- Extend data collection by qpidd plugin +- Add ethtool pause, coalesce and ring (-a, -c, -g) options to network plugin + +* Thu Apr 07 2011 Bryn M. Reeves +- Use sha256 for report digest when operating in FIPS mode + +* Tue Apr 05 2011 Bryn M. Reeves +- Fix parted and dumpe2fs output on s390 + +* Fri Feb 25 2011 Bryn M. Reeves +- Fix collection of chkconfig output in startup.py +- Collect /etc/dhcp in dhcp.py plugin +- Collect dmsetup ls --tree output in devicemapper.py +- Collect lsblk output in filesys.py + +* Thu Feb 24 2011 Bryn M. Reeves +- Fix collection of logs and config files in sssd.py +- Add support for collecting entitlement certificates in rhn.py + +* Thu Feb 03 2011 Bryn M. 
Reeves +- Fix cluster plugin dlm lockdump for el6 +- Add sssd plugin to collect configuration and logs +- Collect /etc/anacrontab in system plugin +- Correct handling of redhat-release for el6 + +* Thu Jul 29 2010 Adam Stokes + +* Thu Jun 10 2010 Adam Stokes + +* Wed Apr 28 2010 Adam Stokes + +* Mon Apr 12 2010 Adam Stokes + +* Tue Mar 30 2010 Adam Stokes +- fix setup.py to autocompile translations and man pages +- rebase 1.9 + +* Fri Mar 19 2010 Adam Stokes +- updated translations + +* Thu Mar 04 2010 Adam Stokes +- version bump 1.9 +- replaced compression utility with xz +- strip threading/multiprocessing +- simplified progress indicator +- pylint update +- put global vars in class container +- unittests +- simple profiling +- make use of xgettext as pygettext is deprecated + +* Mon Jan 18 2010 Adam Stokes +- more sanitizing options for log files +- rhbz fixes from RHEL version merged into trunk +- progressbar update diff --git a/SPECS/sshpass/sshpass.spec b/SPECS/sshpass/sshpass.spec index 83683c029a..450a9063ac 100644 --- a/SPECS/sshpass/sshpass.spec +++ b/SPECS/sshpass/sshpass.spec @@ -35,7 +35,7 @@ rm -rf %{buildroot}/* %{_mandir}/man1 %changelog -* Sat May 09 00:21:39 PST 2020 Nick Samson - 1.06-3 +* Sat May 09 2020 Nick Samson - 1.06-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.06-2 diff --git a/SPECS/syslinux/syslinux.spec b/SPECS/syslinux/syslinux.spec index d717c09eae..c39f58dd31 100644 --- a/SPECS/syslinux/syslinux.spec +++ b/SPECS/syslinux/syslinux.spec @@ -68,7 +68,7 @@ rm %{buildroot}/%{_bindir}/sha1pass %changelog * Thu Jun 11 2020 Henry Beberman 6.04-9 - Disable hardened ldflags to fix build. -* Sat May 09 00:20:51 PST 2020 Nick Samson - 6.04-8 +* Sat May 09 2020 Nick Samson - 6.04-8 - Added %%license line automatically * Mon May 04 2020 Emre Girgin 6.04-7 - Replace BuildArch with ExclusiveArch 
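Review bot: A `%check` section is missing from the new `sos.spec`, although the pull-request template changed in this same commit asks for package tests to be added to new SPEC files; if the upstream tests cannot run in the build environment, a short comment saying so would record that decision. Separately, `%find_lang %{name} || echo 0` hides a failure of the translation scan, after which `%files -f %{name}.lang` depends on a file that may not have been written; I would drop the `|| echo 0` so the build stops at the real cause. `Source0` is a bare file name with the upstream URL only in a comment, so the tarball's origin rests entirely on the hash in `sos.signatures.json`; a comment stating how the archive was obtained would make later verification easier.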
diff --git a/SPECS/systemd/CVE-2021-33910.patch b/SPECS/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e3b4e13926
--- /dev/null
+++ b/SPECS/systemd/CVE-2021-33910.patch
@@ -0,0 +1,64 @@
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+--- + src/basic/unit-name.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c +index 284a773483..a22763443f 100644 +--- a/src/basic/unit-name.c ++++ b/src/basic/unit-name.c +@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { + } + + int unit_name_path_escape(const char *f, char **ret) { +- char *p, *s; ++ _cleanup_free_ char *p = NULL; ++ char *s; + + assert(f); + assert(ret); + +- p = strdupa(f); ++ p = strdup(f); + if (!p) + return -ENOMEM; + +@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { + if (!path_is_normalized(p)) + return -EINVAL; + +- /* Truncate trailing slashes */ ++ /* Truncate trailing slashes and skip leading slashes */ + delete_trailing_chars(p, "/"); +- +- /* Truncate leading slashes */ +- p = skip_leading_chars(p, "/"); +- +- s = unit_name_escape(p); ++ s = unit_name_escape(skip_leading_chars(p, "/")); + } + if (!s) + return -ENOMEM; +-- +GitLab + diff --git a/SPECS/systemd/systemd-bootstrap.spec b/SPECS/systemd/systemd-bootstrap.spec index c4e8ce81f6..3c5fa9e991 100644 --- a/SPECS/systemd/systemd-bootstrap.spec +++ b/SPECS/systemd/systemd-bootstrap.spec @@ -1,7 +1,7 @@ Summary: Bootstrap version of systemd. Workaround for systemd circular dependency. Name: systemd-bootstrap Version: 239 -Release: 34%{?dist} +Release: 35%{?dist} License: LGPLv2+ AND GPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -41,6 +41,7 @@ Patch22: CVE-2020-13776.patch # DoT is only enabled when systemd is build against gnutls. # Furthermore, strict mode DoT is not supported before v243. Patch23: CVE-2018-21029.nopatch +Patch24: CVE-2021-33910.patch BuildRequires: docbook-dtd-xml BuildRequires: docbook-style-xsl BuildRequires: gettext 
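Review bot: The vendored patch is labelled `[PATCH 1/2]` in its subject line, but only this one part of the series is added under SPECS/systemd, and neither the patch header nor the spec changelog says why the second part is left out. If the omission is deliberate, record it next to the patch declaration, for example `# CVE-2021-33910.patch is part 1/2 of the upstream series; part 2/2 intentionally not carried`, so a later audit does not read the fix as partial. The hunk offsets and `index 284a773483..a22763443f` are upstream's, so it is also worth confirming that the patch applies to the 239 sources without fuzz.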
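Review bot: `Patch24: CVE-2021-33910.patch` is declared in this hunk and again in the matching systemd.spec hunk, but no hunk in either spec touches `%prep`. If `%prep` applies patches one by one with `%patchN` lines rather than through `%autosetup`, the new patch is never applied and the package would be released as 239-35 with the CVE still open; in that case add `%patch24 -p1` after the existing patch lines. The `%prep` section is outside the visible hunks, so this needs checking against the full spec files.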
@@ -56,7 +57,6 @@ BuildRequires: lz4-devel BuildRequires: meson BuildRequires: pam-devel BuildRequires: perl-XML-Parser -BuildRequires: shadow-utils BuildRequires: util-linux-devel >= 2.30 BuildRequires: xz-devel Requires: filesystem >= 1.1 @@ -242,12 +242,18 @@ rm -rf %{buildroot}/* %{_mandir}/man3/* %changelog -* Fri Apr 02 2021 Thomas Crain - 239-34 +* Tue Jul 20 2021 Neha Agarwal 239-35 +- CVE-2021-33910 fix + +* Fri Apr 02 2021 Thomas Crain - 239-34 (from dev branch) - Merge the following releases from dev to 1.0 spec - v-ruyche@microsoft.com, 239-30: Configure to support merged /usr. - joschmit@microsoft.com, 239-31: Replace incorrect %%{_lib} usage with %%{_libdir} - Turn off dependency generators +* Tue Mar 23 2021 Daniel Burgener 239-34 (from 1.0 branch) +- Remove build dependency on shadow-utils to break circular dependency + * Thu Mar 11 2021 Chris Co - 239-33 - Disallow unprivileged BPF scripts by default. Additional mitigation for CVE-2021-20194 diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index 2d42280cfd..50b52e4474 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -1,7 +1,7 @@ Summary: Systemd-239 Name: systemd Version: 239 -Release: 40%{?dist} +Release: 41%{?dist} License: LGPLv2+ AND GPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -41,6 +41,7 @@ Patch22: CVE-2020-13776.patch # DoT is only enabled when systemd is build against gnutls. # Furthermore, strict mode DoT is not supported before v243. Patch23: CVE-2018-21029.nopatch +Patch24: CVE-2021-33910.patch #Portablectl patches for --now --enable and --no-block flags support Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch 
@@ -60,12 +61,12 @@ BuildRequires: kbd BuildRequires: kmod-devel BuildRequires: libcap-devel BuildRequires: libgcrypt-devel +BuildRequires: libselinux-devel BuildRequires: libxslt BuildRequires: lz4-devel BuildRequires: meson BuildRequires: pam-devel BuildRequires: perl-XML-Parser -BuildRequires: shadow-utils BuildRequires: util-linux-devel >= 2.30 BuildRequires: xz-devel Requires: %{name}-rpm-macros = %{version}-%{release} @@ -154,6 +155,7 @@ meson --prefix %{_prefix} \ -Ddbussystemservicedir=%{_datadir}/dbus-1/system-services \ -Dsysvinit-path=%{_sysconfdir}/rc.d/init.d \ -Drc-local=%{_sysconfdir}/rc.d/rc.local \ + -Dselinux=true \ $PWD build && cd build && %ninja_build @@ -186,6 +188,9 @@ install -dm 0755 %{buildroot}/%{_sysconfdir}/systemd/network install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/systemd/network %find_lang %{name} ../%{name}.lang +%check +meson test -C build + %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -284,6 +289,10 @@ rm -rf %{buildroot}/* %files lang -f %{name}.lang %changelog +* Wed Aug 18 2021 Jon Slobodzian - 239-41 +- Merge from 1.0 to dev branch +- nehaagarwal@microsoft.com, 2.39-38: CVE-2021-33910 fix + * Wed Jul 28 2021 Henry Li - 239-40 - Enable building systemd-sysusers - Ship systemd-sysusers and related conf files from systemd package @@ -305,6 +314,10 @@ rm -rf %{buildroot}/* * Mon Apr 26 2021 Henry Li - 239-38 - Provides system-setup-keyboard. +* Tue Mar 23 2021 Daniel Burgener 239-37 (on 1.0 branch) +- Enable SELinux support +- Remove unused BuildRequires shadow-utils + * Fri Feb 05 2021 Joe Schmitt - 239-37 - Replace incorrect %%{_lib} usage with %%{_libdir} diff --git a/SPECS/systemtap/systemtap.spec b/SPECS/systemtap/systemtap.spec index 90dba9b8de..801c7b8067 100644 --- a/SPECS/systemtap/systemtap.spec +++ b/SPECS/systemtap/systemtap.spec 
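Review bot: The new `%check` section runs `meson test -C build` with no options, so a failing test reports little more than its name in the package build log. As far as this diff shows, this section is the only automated verification that the CVE-2021-33910 backport leaves unit-name handling working, so failures should be diagnosable from the log: `meson test -C build --print-errorlogs`. Some systemd tests may depend on facilities a build chroot lacks; that cannot be judged from the hunk and should be confirmed with a RUN_CHECK=y build.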
@@ -361,60 +361,61 @@ fi %{_mandir}/man8/systemtap-service.8* %changelog -* Mon Sep 28 2020 Joe Schmitt 4.1-6 -- Explicitly use python3 during build. -- Use lib macros for paths. -* Sat May 09 00:20:54 PST 2020 Nick Samson - 4.1-5 +* Mon Sep 28 2020 Joe Schmitt 4.1-6 +- Explicitly use python3 during build. +- Use lib macros for paths. + +* Sat May 09 2020 Nick Samson - 4.1-5 - Added %%license line automatically -* Tue Apr 28 2020 Emre Girgin 4.1-4 -- Renaming linux to kernel -* Fri Apr 17 2020 Emre Girgin 4.1-3 -- Rename shadow to shadow-utils. -* Thu Apr 09 2020 Nicolas Ontiveros 4.1-2 -- Remove toybox and only use coreutils for requires. -* Wed Mar 18 2020 Henry Beberman 4.1-1 -- Update to 4.1. License verified. -* Tue Sep 03 2019 Mateusz Malisz 4.0-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Jan 10 2019 Alexey Makhalov 4.0-2 -- Added BuildRequires python2-devel -* Tue Dec 04 2018 Keerthana K 4.0-1 -- Updated to version 4.0 -* Mon Sep 10 2018 Keerthana K 3.3-1 -- Updated to version 3.3 -* Tue Jan 23 2018 Divya Thaluru 3.2-1 -- Updated to version 3.2 -* Thu Dec 28 2017 Divya Thaluru 3.1-5 -- Fixed the log file directory structure -* Mon Sep 18 2017 Alexey Makhalov 3.1-4 -- Remove shadow from requires and use explicit tools for post actions -* Mon Sep 18 2017 Alexey Makhalov 3.1-3 -- Requires coreutils or toybox -* Thu Aug 10 2017 Alexey Makhalov 3.1-2 -- systemtap-sdt-devel requires systemtap -* Tue Apr 11 2017 Vinay Kulkarni 3.1-1 -- Update to version 3.1 -* Mon Nov 21 2016 Priyesh Padmavilasom 3.0-4 -- add shadow to requires -* Wed Nov 16 2016 Alexey Makhalov 3.0-3 -- Use sqlite-{devel,libs} -* Tue Oct 04 2016 ChangLee 3.0-2 -- Modified %check -* Fri Jul 22 2016 Divya Thaluru 3.0-1 -- Updated version to 3.0 -- Removing patch to enable kernel (fix is present in upstream) -* Tue May 24 2016 Priyesh Padmavilasom 2.9-5 -- GA - Bump release of all rpms -* Mon May 23 2016 Harish Udaiya KUmar 2.9-4 -- Added the patch to enable kernel building 
with Kernel 4.4 -* Fri May 20 2016 Harish Udaiya Kumar 2.9-3 -- Fixed the stap-prep script to be compatible with Photon -* Wed May 4 2016 Priyesh Padmavilasom 2.9-2 -- Fix for upgrade issues -* Wed Dec 16 2015 Harish Udaiya Kumar 2.9-1 -- Updated version to 2.9 -* Fri Dec 11 2015 Xiaolin Li 2.7-2 -- Move dtrace to the main package. -* Wed Nov 18 2015 Anish Swaminathan 2.7-1 -- Initial build. First version +* Tue Apr 28 2020 Emre Girgin 4.1-4 +- Renaming linux to kernel +* Fri Apr 17 2020 Emre Girgin 4.1-3 +- Rename shadow to shadow-utils. +* Thu Apr 09 2020 Nicolas Ontiveros 4.1-2 +- Remove toybox and only use coreutils for requires. +* Wed Mar 18 2020 Henry Beberman 4.1-1 +- Update to 4.1. License verified. +* Tue Sep 03 2019 Mateusz Malisz 4.0-3 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Thu Jan 10 2019 Alexey Makhalov 4.0-2 +- Added BuildRequires python2-devel +* Tue Dec 04 2018 Keerthana K 4.0-1 +- Updated to version 4.0 +* Mon Sep 10 2018 Keerthana K 3.3-1 +- Updated to version 3.3 +* Tue Jan 23 2018 Divya Thaluru 3.2-1 +- Updated to version 3.2 +* Thu Dec 28 2017 Divya Thaluru 3.1-5 +- Fixed the log file directory structure +* Mon Sep 18 2017 Alexey Makhalov 3.1-4 +- Remove shadow from requires and use explicit tools for post actions +* Mon Sep 18 2017 Alexey Makhalov 3.1-3 +- Requires coreutils or toybox +* Thu Aug 10 2017 Alexey Makhalov 3.1-2 +- systemtap-sdt-devel requires systemtap +* Tue Apr 11 2017 Vinay Kulkarni 3.1-1 +- Update to version 3.1 +* Mon Nov 21 2016 Priyesh Padmavilasom 3.0-4 +- add shadow to requires +* Wed Nov 16 2016 Alexey Makhalov 3.0-3 +- Use sqlite-{devel,libs} +* Tue Oct 04 2016 ChangLee 3.0-2 +- Modified %check +* Fri Jul 22 2016 Divya Thaluru 3.0-1 +- Updated version to 3.0 +- Removing patch to enable kernel (fix is present in upstream) +* Tue May 24 2016 Priyesh Padmavilasom 2.9-5 +- GA - Bump release of all rpms +* Mon May 23 2016 Harish Udaiya KUmar 2.9-4 +- Added the patch to enable kernel building with 
Kernel 4.4 +* Fri May 20 2016 Harish Udaiya Kumar 2.9-3 +- Fixed the stap-prep script to be compatible with Photon +* Wed May 4 2016 Priyesh Padmavilasom 2.9-2 +- Fix for upgrade issues +* Wed Dec 16 2015 Harish Udaiya Kumar 2.9-1 +- Updated version to 2.9 +* Fri Dec 11 2015 Xiaolin Li 2.7-2 +- Move dtrace to the main package. +* Wed Nov 18 2015 Anish Swaminathan 2.7-1 +- Initial build. First version diff --git a/SPECS/tboot/no_error_packed_member.patch b/SPECS/tboot/no_error_packed_member.patch deleted file mode 100644 index fe8f14bd5a..0000000000 --- a/SPECS/tboot/no_error_packed_member.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tboot-1.9.7/Config.mk 2020-03-24 22:12:28.096834349 +0000 -+++ tboot-1.9.7/Config.mk 2020-03-24 22:12:51.324779226 +0000 -@@ -43,7 +43,7 @@ - -Wextra -Winit-self -Wswitch-default -Wunused-parameter \ - -Wwrite-strings \ - $(call cc-option,$(CC),-Wlogical-op,) \ -- -Wno-missing-field-initializers -+ -Wno-missing-field-initializers -Wno-address-of-packed-member - - AS = as - LD = ld diff --git a/SPECS/tboot/tboot.signatures.json b/SPECS/tboot/tboot.signatures.json index 68cd0eecbb..af1de344a5 100644 --- a/SPECS/tboot/tboot.signatures.json +++ b/SPECS/tboot/tboot.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "tboot-1.9.7.tar.gz": "7cfd83e37e3c010a92d6bbf0fe3697736c6cb7397395699642f50b2e3eb2ebab" + "tboot-1.9.12.tar.gz": "007212deacab8eb159d71449766f9b2e0523439f1c4fd64d1932eb38cb60e053" } } \ No newline at end of file diff --git a/SPECS/tboot/tboot.spec b/SPECS/tboot/tboot.spec index 8c289e1d83..619d90fc44 100644 --- a/SPECS/tboot/tboot.spec +++ b/SPECS/tboot/tboot.spec 
@@ -1,18 +1,17 @@ -Summary: Trusted pre-kernel module and tools. -Name: tboot -Version: 1.9.7 -Release: 7%{?dist} -License: BSD -URL: https://sourceforge.net/projects/tboot/ -Group: System Environment/Security +Summary: Trusted pre-kernel module and tools. +Name: tboot +Version: 1.9.12 +Release: 1%{?dist} +License: BSD Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz -ExclusiveArch: x86_64 -BuildRequires: trousers-devel -Requires: libtspi +Group: System Environment/Security +URL: https://sourceforge.net/projects/tboot/ +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +BuildRequires: trousers-devel +Requires: libtspi +ExclusiveArch: x86_64 -Patch0: no_error_packed_member.patch %description Trusted Boot (tboot) is an open source, pre- kernel/VMM module that uses Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured @@ -20,10 +19,9 @@ and verified launch of an OS kernel/VMM. %prep %setup -q -%patch0 -p1 %build -CFLAGS="%{optflags}" +CFLAGS="%{optflags} -Wno-error=implicit-fallthrough= " export CFLAGS make debug=y %{?_smp_mflags} @@ -40,9 +38,10 @@ make debug=y DESTDIR=%{buildroot} install %exclude %{_sysconfdir} %changelog -* Sat May 09 00:20:59 PST 2020 Nick Samson - 1.9.7-7 -- Added %%license line automatically - +* Tue May 11 2021 Andrew Phelps 1.9.12-1 +- Update to version 1.9.12 for binutils 2.36.1 compatibility +* Sat May 09 2020 Nick Samson 1.9.7-7 +- Added %%license line automatically * Mon May 04 2020 Emre Girgin 1.9.7-6 - Replace BuildArch with ExclusiveArch * Tue Mar 24 2020 Henry Beberman 1.9.7-5 diff --git a/SPECS/tcl/tcl.spec b/SPECS/tcl/tcl.spec index 38cac94009..5953d19dbc 100644 --- a/SPECS/tcl/tcl.spec +++ b/SPECS/tcl/tcl.spec 
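Review bot: The rewritten `Source0:` line in the first tboot.spec hunk still fetches the tarball over plain `http://`, which leaves the hash in tboot.signatures.json as the control that protects the download. For a measured-launch component it is better to fetch over TLS as well: `Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz`. The `URL:` line in the same hunk already uses https.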
@@ -99,7 +99,7 @@ make test %changelog -* Sat May 09 00:20:55 PST 2020 Nick Samson - 8.6.8-3 +* Sat May 09 2020 Nick Samson - 8.6.8-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 8.6.8-2 diff --git a/SPECS/tcpdump/tcpdump.spec b/SPECS/tcpdump/tcpdump.spec index 1508234174..e647b9e13d 100644 --- a/SPECS/tcpdump/tcpdump.spec +++ b/SPECS/tcpdump/tcpdump.spec @@ -42,7 +42,7 @@ make %{?_smp_mflags} check - Patch CVE-2020-8037 - Lint to Mariner style -* Sat May 09 00:21:40 PST 2020 Nick Samson - 4.9.3-2 +* Sat May 09 2020 Nick Samson - 4.9.3-2 - Added %%license line automatically * Tue Apr 21 2020 Emre Girgin - 4.9.3-1 diff --git a/SPECS/tdnf/tdnf.spec b/SPECS/tdnf/tdnf.spec index 0e4c9be0ee..cb1c74e8f1 100644 --- a/SPECS/tdnf/tdnf.spec +++ b/SPECS/tdnf/tdnf.spec @@ -226,7 +226,7 @@ find %{buildroot} -name '*.pyc' -delete - Upgrade to 2.1.0. - Add support for multiple gpgkeys in the .repo file. -* Sat May 09 00:21:26 PST 2020 Nick Samson +* Sat May 09 2020 Nick Samson - Added %%license line automatically * Tue Apr 07 2020 Nicolas Ontiveros - 2.0.0-16 diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 71c8a7de42..b0797f804e 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.14.5 -Release: 5%{?dist} +Release: 7%{?dist} License: MIT Group: Development/Tools Vendor: Microsoft Corporation @@ -80,6 +80,10 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Tue Jun 08 2021 Henry Beberman 1.14.5-7 +- Increment release to force republishing using golang 1.15.13. +* Mon Apr 26 2021 Nicolas Guibourge 1.14.5-6 +- Increment release to force republishing using golang 1.15.11. * Thu Dec 10 2020 Andrew Phelps 1.14.5-5 - Increment release to force republishing using golang 1.15. * Thu Oct 15 2020 Pawel Winogrodzki 1.14.5-4 
diff --git a/SPECS/texinfo/texinfo.spec b/SPECS/texinfo/texinfo.spec index 0344f2eb6d..aa13f42dca 100644 --- a/SPECS/texinfo/texinfo.spec +++ b/SPECS/texinfo/texinfo.spec 
@@ -58,41 +58,43 @@ rm -rf %{buildroot}%{_infodir} %{_libdir}/texinfo/* %changelog -* Mon Sep 28 2020 Ruying Chen 6.5-8 -- Provide info and texinfo-tex -* Sat May 09 2020 Nick Samson 6.5-7 -- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 6.5-6 -- Renaming perl-libintl to perl-libintl-perl -* Mon Apr 20 2020 Eric Li 6.5-5 -- Fix URL and Source0:, delete sha1. License verified. -* Wed Jan 22 2020 Henry Beberman 6.5-4 -- Add missing Requires for perl-libintl to ensure the package exists for iso installs. -* Tue Sep 03 2019 Mateusz Malisz 6.5-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Nov 02 2018 Anish Swaminathan 6.5-2 -- Fix texinfo issue with locales -- http://lists.gnu.org/archive/html/bug-texinfo/2018-06/msg00029.html -* Fri Sep 07 2018 Michelle Wang 6.5-1 -- Update version to 6.5. -* Fri May 05 2017 Xiaolin Li 6.3-3 -- Excluded pdftexi2dvi, texi2dvi, texi2pdf from package, -- because these commands depend on installation of tex. -* Tue Apr 18 2017 Robert Qi 6.3-2 -- Updated to version 6.3-2 due to perl build requires. -* Tue Mar 28 2017 Xiaolin Li 6.3-1 -- Updated to version 6.3. -* Mon Oct 04 2016 ChangLee 6.1-4 -- Modified %check -* Wed Jun 27 2016 Divya Thaluru 6.1-3 -- Removed packaging of debug files -* Tue May 24 2016 Priyesh Padmavilasom 6.1-2 -- GA - Bump release of all rpms -* Mon Feb 22 2016 Xiaolin Li 6.1-1 -- Updated to version 6.1 -* Tue Nov 10 2015 Xiaolin Li 5.2-3 -- Handled locale files with macro find_lang -* Wed Jun 3 2015 Divya Thaluru 5.2-2 -- Removing perl-libintl package from run-time required packages -* Wed Nov 5 2014 Divya Thaluru 5.2-1 -- Upgrade version +* Mon Sep 28 2020 Ruying Chen 6.5-8 +- Provide info and texinfo-tex + +* Sat May 09 2020 Nick Samson - 6.5-7 +- Added %%license line automatically + +* Thu Apr 30 2020 Emre Girgin 6.5-6 +- Renaming perl-libintl to perl-libintl-perl +* Mon Apr 20 2020 Eric Li 6.5-5 +- Fix URL and Source0:, delete sha1. License verified. 
+* Wed Jan 22 2020 Henry Beberman 6.5-4 +- Add missing Requires for perl-libintl to ensure the package exists for iso installs. +* Tue Sep 03 2019 Mateusz Malisz 6.5-3 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Fri Nov 02 2018 Anish Swaminathan 6.5-2 +- Fix texinfo issue with locales +- http://lists.gnu.org/archive/html/bug-texinfo/2018-06/msg00029.html +* Fri Sep 07 2018 Michelle Wang 6.5-1 +- Update version to 6.5. +* Fri May 05 2017 Xiaolin Li 6.3-3 +- Excluded pdftexi2dvi, texi2dvi, texi2pdf from package, +- because these commands depend on installation of tex. +* Tue Apr 18 2017 Robert Qi 6.3-2 +- Updated to version 6.3-2 due to perl build requires. +* Tue Mar 28 2017 Xiaolin Li 6.3-1 +- Updated to version 6.3. +* Mon Oct 04 2016 ChangLee 6.1-4 +- Modified %check +* Wed Jun 27 2016 Divya Thaluru 6.1-3 +- Removed packaging of debug files +* Tue May 24 2016 Priyesh Padmavilasom 6.1-2 +- GA - Bump release of all rpms +* Mon Feb 22 2016 Xiaolin Li 6.1-1 +- Updated to version 6.1 +* Tue Nov 10 2015 Xiaolin Li 5.2-3 +- Handled locale files with macro find_lang +* Wed Jun 3 2015 Divya Thaluru 5.2-2 +- Removing perl-libintl package from run-time required packages +* Wed Nov 5 2014 Divya Thaluru 5.2-1 +- Upgrade version diff --git a/SPECS/tmux/tmux.spec b/SPECS/tmux/tmux.spec index 2331d4470e..870661a3ea 100644 --- a/SPECS/tmux/tmux.spec +++ b/SPECS/tmux/tmux.spec @@ -33,7 +33,7 @@ make %{?_smp_mflags} check /usr/share/* %exclude /usr/src %changelog -* Sat May 09 00:20:46 PST 2020 Nick Samson - 2.7-3 +* Sat May 09 2020 Nick Samson - 2.7-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.7-2 diff --git a/SPECS/tpm2-tools/CVE-2021-3565.patch b/SPECS/tpm2-tools/CVE-2021-3565.patch new file mode 100644 index 0000000000..3afc288d0c --- /dev/null +++ b/SPECS/tpm2-tools/CVE-2021-3565.patch 
@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f207..f44326c8 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+ TPM2B_DATA enc_sensitive_key = {
+ .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+ };
+- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++ if(enc_sensitive_key.size < 16) {
++ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++ return tool_rc_general_error;
++ }
++
++ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++ if (ossl_rc != 1) {
++ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++ return tool_rc_general_error;
++ }
+
+ /*
+ * Calculate the object name.
+--
+2.26.3
+
diff --git a/SPECS/tpm2-tools/tpm2-tools.spec b/SPECS/tpm2-tools/tpm2-tools.spec
index 9bd32b9e23..ad3aed6485 100644
--- a/SPECS/tpm2-tools/tpm2-tools.spec
+++ b/SPECS/tpm2-tools/tpm2-tools.spec
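Review bot: The added guard rejects a wrapping key shorter than 16 bytes but not one larger than the buffer. `enc_sensitive_key.size` is computed from `parent_pub` (`keyBits.sym / 8`) and is then the length `RAND_bytes()` writes into the fixed-size `enc_sensitive_key.buffer`. Bound both ends in the same check: `if (enc_sensitive_key.size < 16 || enc_sensitive_key.size > sizeof(enc_sensitive_key.buffer)) {`. The hunk also calls `RAND_bytes()` and `ERR_error_string()` without adding an include, so confirm that tpm2_import.c in 4.2 already pulls in `<openssl/rand.h>` and `<openssl/err.h>`. `key_import()` starts and ends outside the hunk.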
@@ -1,13 +1,14 @@ Summary: The source repository for the TPM (Trusted Platform Module) 2 tools Name: tpm2-tools Version: 4.2 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD 3-Clause URL: https://github.com/tpm2-software/tpm2-tools Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Mariner Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2021-3565.patch BuildRequires: openssl-devel BuildRequires: curl-devel BuildRequires: tpm2-tss-devel >= 2.3.0 @@ -18,7 +19,7 @@ Requires: /bin/awk The source repository for the TPM (Trusted Platform Module) 2 tools %prep -%setup -q +%autosetup -p1 %build %configure \ --disable-static @@ -37,6 +38,9 @@ make DESTDIR=%{buildroot} install %{_datarootdir}/bash-completion/completions/tss2_* %changelog +* Tue Jun 22 2021 Suresh Babu Chalamalasetty 4.2-2 +- CVE-2021-3565 fix + * Tue Aug 25 2020 Daniel McIlvaney 4.2-1 - Update to 4.2. * Sat May 09 2020 Nick Samson 3.1.4-2 diff --git a/SPECS/traceroute/traceroute.spec b/SPECS/traceroute/traceroute.spec index 84e6435351..ad9a5bd5e6 100644 --- a/SPECS/traceroute/traceroute.spec +++ b/SPECS/traceroute/traceroute.spec @@ -52,7 +52,7 @@ rm -rf $RPM_BUILD_ROOT %changelog -* Sat May 09 00:21:24 PST 2020 Nick Samson - 2.1.0-5 +* Sat May 09 2020 Nick Samson - 2.1.0-5 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.1.0-4 diff --git a/SPECS/tree/tree.spec b/SPECS/tree/tree.spec index 97eb51fbcd..0ef40da59d 100644 --- a/SPECS/tree/tree.spec +++ b/SPECS/tree/tree.spec @@ -31,7 +31,7 @@ make install BINDIR=%{buildroot}%{_bindir} \ %{_mandir}/man1/* %changelog -* Sat May 09 00:21:03 PST 2020 Nick Samson - 1.7.0-3 +* Sat May 09 2020 Nick Samson - 1.7.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 1.7.0-2 diff --git a/SPECS/uclibc-ng/uclibc-ng.signatures.json b/SPECS/uclibc-ng/uclibc-ng.signatures.json index 5c996e4fd8..f735db6459 100644 
--- a/SPECS/uclibc-ng/uclibc-ng.signatures.json +++ b/SPECS/uclibc-ng/uclibc-ng.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "uClibc-ng-1.0.36.tar.xz": "010f40841669809422e01b47e7169d49c61bf3382f493c2571a8a96634ed300c", + "uClibc-ng-1.0.37.tar.xz": "b2b815d20645cf604b99728202bf3ecb62507ce39dfa647884b4453caf86212c", "uClibc.config": "5cd0bebdcc29597e6abdcfcbb0d7309633dd843b273b0baca718e6d5f2fb0f1f" } } \ No newline at end of file diff --git a/SPECS/uclibc-ng/uclibc-ng.spec b/SPECS/uclibc-ng/uclibc-ng.spec index cf08d097db..811eb624ce 100644 --- a/SPECS/uclibc-ng/uclibc-ng.spec +++ b/SPECS/uclibc-ng/uclibc-ng.spec @@ -3,7 +3,7 @@ %global debug_package %{nil} Summary: C library for embedded Linux Name: uclibc-ng -Version: 1.0.36 +Version: 1.0.37 Release: 1%{?dist} License: LGPLv2 Vendor: Microsoft Corporation @@ -81,6 +81,9 @@ rm -rf %{buildroot}/include/ %{_libdir}/uClibc %changelog +* Wed May 05 2021 Pawel Winogrodzki - 1.0.37-1 +- Updating to version 1.0.37 to fix CVE-2021-27419. + * Thu Oct 15 2020 Mateusz Malisz - 1.0.36-1 - Initial CBL-Mariner import from Fedora 32 (license: MIT) - License Verified diff --git a/SPECS/unixODBC/unixODBC.spec b/SPECS/unixODBC/unixODBC.spec index 8c95da4074..9d6c7cb04c 100644 --- a/SPECS/unixODBC/unixODBC.spec +++ b/SPECS/unixODBC/unixODBC.spec @@ -71,7 +71,7 @@ rm -rf %{buildroot}%{_datadir}/libtool %{_libdir}/pkgconfig %changelog -* Sat May 09 00:20:58 PST 2020 Nick Samson - 2.3.7-3 +* Sat May 09 2020 Nick Samson - 2.3.7-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.3.7-2 diff --git a/SPECS/userspace-rcu/userspace-rcu.spec b/SPECS/userspace-rcu/userspace-rcu.spec index b779deca96..16ad798038 100644 --- a/SPECS/userspace-rcu/userspace-rcu.spec +++ b/SPECS/userspace-rcu/userspace-rcu.spec 
@@ -61,25 +61,25 @@ make %{?_smp_mflags} check * Fri Feb 05 2021 Joe Schmitt - 0.10.1-5 - Replace incorrect %%{_lib} usage with %%{_libdir} -* Sat May 09 00:21:25 PST 2020 Nick Samson - 0.10.1-4 +* Sat May 09 2020 Nick Samson - 0.10.1-4 - Added %%license line automatically -* Tue Apr 07 2020 Joe Schmitt 0.10.1-3 -- Update URL. -- Update Source0 with valid URL. -- Remove sha1 macro. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 0.10.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Michelle Wang 0.10.1-1 -- Updated to version 0.10.1. -* Wed Apr 05 2017 Xiaolin Li 0.9.3-1 -- Updated to version 0.9.3. -* Wed Oct 05 2016 ChangLee 0.9.1-4 -- Modified %check -* Mon Jul 25 2016 Divya Thaluru 0.9.1-3 -- Added devel package and removed packaging of debug files -* Tue May 24 2016 Priyesh Padmavilasom 0.9.1-2 -- GA - Bump release of all rpms -* Tue Nov 24 2015 Xiaolin Li 2.7.0-1 -- Initial build. First version +* Tue Apr 07 2020 Joe Schmitt 0.10.1-3 +- Update URL. +- Update Source0 with valid URL. +- Remove sha1 macro. +- License verified. +* Tue Sep 03 2019 Mateusz Malisz 0.10.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Mon Sep 10 2018 Michelle Wang 0.10.1-1 +- Updated to version 0.10.1. +* Wed Apr 05 2017 Xiaolin Li 0.9.3-1 +- Updated to version 0.9.3. +* Wed Oct 05 2016 ChangLee 0.9.1-4 +- Modified %check +* Mon Jul 25 2016 Divya Thaluru 0.9.1-3 +- Added devel package and removed packaging of debug files +* Tue May 24 2016 Priyesh Padmavilasom 0.9.1-2 +- GA - Bump release of all rpms +* Tue Nov 24 2015 Xiaolin Li 2.7.0-1 +- Initial build. First version diff --git a/SPECS/utf8proc/utf8proc.spec b/SPECS/utf8proc/utf8proc.spec index 8495f5defa..b87a0f6693 100644 --- a/SPECS/utf8proc/utf8proc.spec +++ b/SPECS/utf8proc/utf8proc.spec 
@@ -58,7 +58,7 @@ make check %{_libdir}/libutf8proc.so %changelog -* Sat May 09 00:21:13 PST 2020 Nick Samson - 2.2.0-3 +* Sat May 09 2020 Nick Samson - 2.2.0-3 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.2.0-2 diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec index 78d84afbcb..1508ef3ff4 100644 --- a/SPECS/util-linux/util-linux.spec +++ b/SPECS/util-linux/util-linux.spec @@ -16,7 +16,9 @@ Provides: %{name}-ng = %{version}-%{release} %if %{with_check} BuildRequires: ncurses-term %endif - +BuildRequires: libselinux-devel +Requires: %{name}-libs = %{version}-%{release} +Conflicts: toybox %description Utilities for handling file systems, consoles, partitions, and messages. @@ -66,7 +68,8 @@ autoreconf -fi --disable-silent-rules \ --disable-static \ --disable-use-tty-group \ - --without-python + --without-python \ + --with-selinux make %{?_smp_mflags} %install @@ -121,6 +124,7 @@ rm -rf %{buildroot}/lib/systemd/system %{_mandir}/man3/* %changelog + * Mon Mar 15 2021 Henry Li - 2.36.1-3 - Provide util-linux-ng - Add files to util-linux-devel 
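Review bot: No hunk in util-linux.spec touches the `Release:` tag, although the `@@ -16,7 +16,9 @@` and `@@ -66,7 +68,8 @@` hunks change what the package contains and depends on (`BuildRequires: libselinux-devel`, `Requires: %{name}-libs = %{version}-%{release}`, `Conflicts: toybox`, `--with-selinux`). The only changelog entry added is back-dated to 2.32.1-4, below the current 2.36.1-3 entry. A rebuild would therefore publish different binaries under an existing version-release, and systems that already have that release installed would not be offered the SELinux-enabled build. Bump `Release:` and add a top changelog entry for the merge, as systemd.spec does in this same commit with 239-41.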
@@ -133,68 +137,71 @@ rm -rf %{buildroot}/lib/systemd/system - Upgrade to version 2.36.1. - Provide hardlink. -* Mon Sep 28 2020 Ruying Chen 2.32.1-4 -- Provide libmount-devel, libblkid-devel, libuuid-devel in util-linux-devel +* Mon Sep 28 2020 Ruying Chen 2.32.1-4 +- Provide libmount-devel, libblkid-devel, libuuid-devel in util-linux-devel -* Sat May 09 2020 Nick Samson 2.23.1-3 -- Added %%license line automatically +* Fri Sep 04 2020 Daniel Burgener 2.32.1-4 +- Enable SELinux support (Merged from Mariner 1.0 branch) -* Tue Apr 14 2020 Emre Girgin 2.32.1-2 -- Rename ncurses-terminfo to ncurses-term. +* Sat May 09 2020 Nick Samson 2.23.1-3 +- Added %%license line automatically -* Tue Mar 17 2020 Andrew Phelps 2.32.1-1 -- Update version to 2.32.1. License verified. +* Tue Apr 14 2020 Emre Girgin 2.32.1-2 +- Rename ncurses-terminfo to ncurses-term. -* Thu Feb 27 2020 Henry Beberman 2.32-4 -- Disable chfn, chsh, login, and su builds. These are provided by shadow. +* Tue Mar 17 2020 Andrew Phelps 2.32.1-1 +- Update version to 2.32.1. License verified. -* Tue Dec 03 2019 Andrew Phelps 2.32-3 -- Run autoconf to remake build system files +* Thu Feb 27 2020 Henry Beberman 2.32-4 +- Disable chfn, chsh, login, and su builds. These are provided by shadow. -* Tue Sep 03 2019 Mateusz Malisz 2.32-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Dec 03 2019 Andrew Phelps 2.32-3 +- Run autoconf to remake build system files -* Mon Apr 09 2018 Xiaolin Li 2.32-1 -- Update to version 2.32, fix CVE-2018-7738 +* Tue Sep 03 2019 Mateusz Malisz 2.32-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Dec 27 2017 Anish Swaminathan 2.31.1-1 -- Upgrade to version 2.31.1. +* Mon Apr 09 2018 Xiaolin Li 2.32-1 +- Update to version 2.32, fix CVE-2018-7738 -* Mon Oct 02 2017 Alexey Makhalov 2.29.2-5 -- Added conflicts toybox +* Wed Dec 27 2017 Anish Swaminathan 2.31.1-1 +- Upgrade to version 2.31.1. 
-* Fri Sep 15 2017 Bo Gan 2.29.2-4 -- Cleanup check +* Mon Oct 02 2017 Alexey Makhalov 2.29.2-5 +- Added conflicts toybox -* Mon Jul 31 2017 Xiaolin Li 2.29.2-3 -- Fixed rpm check errors. +* Fri Sep 15 2017 Bo Gan 2.29.2-4 +- Cleanup check -* Thu Apr 20 2017 Alexey Makhalov 2.29.2-2 -- Added -libs subpackage to strip docker image. +* Mon Jul 31 2017 Xiaolin Li 2.29.2-3 +- Fixed rpm check errors. -* Wed Apr 05 2017 Xiaolin Li 2.29.2-1 -- Updated to version 2.29.2. +* Thu Apr 20 2017 Alexey Makhalov 2.29.2-2 +- Added -libs subpackage to strip docker image. -* Wed Dec 07 2016 Xiaolin Li 2.27.1-5 -- Moved man3 to devel subpackage. +* Wed Apr 05 2017 Xiaolin Li 2.29.2-1 +- Updated to version 2.29.2. -* Thu Nov 17 2016 Alexey Makhalov 2.27.1-4 -- Disable use tty droup +* Wed Dec 07 2016 Xiaolin Li 2.27.1-5 +- Moved man3 to devel subpackage. -* Wed Oct 05 2016 ChangLee 2.27.1-3 -- Modified %check +* Thu Nov 17 2016 Alexey Makhalov 2.27.1-4 +- Disable use tty droup -* Tue May 24 2016 Priyesh Padmavilasom 2.27.1-2 -- GA - Bump release of all rpms +* Wed Oct 05 2016 ChangLee 2.27.1-3 +- Modified %check -* Fri Dec 11 2015 Anish Swaminathan 2.27.1-1 -- Upgrade version. +* Tue May 24 2016 Priyesh Padmavilasom 2.27.1-2 +- GA - Bump release of all rpms -* Tue Oct 6 2015 Xiaolin Li 2.24.1-3 -- Disable static, move header files, .so and config files to devel package. +* Fri Dec 11 2015 Anish Swaminathan 2.27.1-1 +- Upgrade version. -* Mon May 18 2015 Touseef Liaqat 2.24.1-2 -- Update according to UsrMove. +* Tue Oct 6 2015 Xiaolin Li 2.24.1-3 +- Disable static, move header files, .so and config files to devel package. -* Wed Nov 5 2014 Divya Thaluru 2.24.1-1 -- Initial build. First version +* Mon May 18 2015 Touseef Liaqat 2.24.1-2 +- Update according to UsrMove. + +* Wed Nov 5 2014 Divya Thaluru 2.24.1-1 +- Initial build. First version diff --git a/SPECS/valgrind/valgrind.spec b/SPECS/valgrind/valgrind.spec index d30d0056ad..c348a93027 100644 --- a/SPECS/valgrind/valgrind.spec 
+++ b/SPECS/valgrind/valgrind.spec @@ -52,23 +52,23 @@ make %{?_smp_mflags} -k check * Mon Jun 01 2020 Henry Beberman - 3.15.0-3 - Fix compilation by disabling -fstack-protector-strong -* Sat May 09 00:21:13 PST 2020 Nick Samson - 3.15.0-2 -- Added %%license line automaticall +* Sat May 09 00:21:13 PST 2020 Nick Samson - 3.15.0-2 +- Added %%license line automaticall -* Wed Mar 18 2020 Henry Beberman 3.15.0-1 -- Update to 3.15.0. Fix Source0 URL. Removed patch fixed upstream. License verified. +* Wed Mar 18 2020 Henry Beberman 3.15.0-1 +- Update to 3.15.0. Fix Source0 URL. Removed patch fixed upstream. License verified. -* Tue Sep 03 2019 Mateusz Malisz 3.13.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 3.13.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Sep 12 2018 Anish Swaminathan 3.13.0-1 -- Update to version 3.13.0 +* Wed Sep 12 2018 Anish Swaminathan 3.13.0-1 +- Update to version 3.13.0 -* Tue Sep 19 2017 Bo Gan 3.12.0-2 -- Fix make check issue +* Tue Sep 19 2017 Bo Gan 3.12.0-2 +- Fix make check issue -* Wed Apr 05 2017 Xiaolin Li 3.12.0-1 -- Updated to version 3.12.0. +* Wed Apr 05 2017 Xiaolin Li 3.12.0-1 +- Updated to version 3.12.0. -* Fri Aug 05 2016 Kumar Kaushik 3.11.0-1 -- Initial Build. +* Fri Aug 05 2016 Kumar Kaushik 3.11.0-1 +- Initial Build. diff --git a/SPECS/vsftpd/vsftpd.spec b/SPECS/vsftpd/vsftpd.spec index cac7a18a47..c365462de2 100644 --- a/SPECS/vsftpd/vsftpd.spec +++ b/SPECS/vsftpd/vsftpd.spec @@ -85,7 +85,7 @@ fi %{_datadir}/* %changelog -* Sat May 09 00:20:57 PST 2020 Nick Samson - 3.0.3-10 +* Sat May 09 2020 Nick Samson - 3.0.3-10 - Added %%license line automatically * Tue Apr 28 2020 Emre Girgin 3.0.3-9 diff --git a/SPECS/which/which.spec b/SPECS/which/which.spec index e52a89c252..154025719a 100644 --- a/SPECS/which/which.spec +++ b/SPECS/which/which.spec 
@@ -26,7 +26,7 @@ rm -rf %{buildroot}%{_infodir} %{_bindir}/* %{_mandir}/man1/* %changelog -* Sat May 09 00:21:25 PST 2020 Nick Samson - 2.21-7 +* Sat May 09 2020 Nick Samson - 2.21-7 - Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.21-6 diff --git a/SPECS/wpa_supplicant/wpa_supplicant.spec b/SPECS/wpa_supplicant/wpa_supplicant.spec index 3682e699fa..c9172bc75f 100644 --- a/SPECS/wpa_supplicant/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant/wpa_supplicant.spec @@ -112,7 +112,7 @@ EOF - Update version to 2.9. - Add patch for CVE-2019-16275. -* Sat May 09 00:20:37 PST 2020 Nick Samson - 2.7-4 +* Sat May 09 2020 Nick Samson - 2.7-4 - Added %%license line automatically * Fri Apr 17 2020 Nicolas Ontiveros - 2.7-3 diff --git a/SPECS/xfsprogs/xfsprogs.spec b/SPECS/xfsprogs/xfsprogs.spec index 0ccc6fff3a..38f836297a 100644 --- a/SPECS/xfsprogs/xfsprogs.spec +++ b/SPECS/xfsprogs/xfsprogs.spec @@ -87,7 +87,7 @@ rm -rf %{buildroot}/* %defattr(-,root,root) %changelog -* Sat May 09 00:21:13 PST 2020 Nick Samson - 5.0.0-2 +* Sat May 09 2020 Nick Samson - 5.0.0-2 - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 5.0.0-1 diff --git a/SPECS/xinetd/xinetd.spec b/SPECS/xinetd/xinetd.spec index eacbda2400..b8f54a20f4 100644 --- a/SPECS/xinetd/xinetd.spec +++ b/SPECS/xinetd/xinetd.spec @@ -71,7 +71,7 @@ rm -rf %{buildroot} %{_libdir}/systemd/system-preset/50-xinetd.preset %changelog -* Sat May 09 00:21:40 PST 2020 Nick Samson - 2.3.15-12 +* Sat May 09 2020 Nick Samson - 2.3.15-12 - Added %%license line automatically * Tue Apr 07 2020 Joe Schmitt 2.3.15-11 diff --git a/SPECS/xmlsec1/xmlsec1.spec b/SPECS/xmlsec1/xmlsec1.spec index e406283c2a..e796fe977a 100644 --- a/SPECS/xmlsec1/xmlsec1.spec +++ b/SPECS/xmlsec1/xmlsec1.spec 
@@ -108,15 +108,15 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} * Sat May 09 00:21:10 PST 2020 Nick Samson - 1.2.26-5 - Added %%license line automatically -* Fri Apr 24 2020 Pawel Winogrodzki 1.2.26-4 -- License verified. -- Fixed Source0 tag. +* Fri Apr 24 2020 Pawel Winogrodzki 1.2.26-4 +- License verified. +- Fixed Source0 tag. -* Tue Sep 03 2019 Mateusz Malisz 1.2.26-3 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Tue Sep 03 2019 Mateusz Malisz 1.2.26-3 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Sep 25 2018 Alexey Makhalov 1.2.26-2 -- Fix requires. +* Tue Sep 25 2018 Alexey Makhalov 1.2.26-2 +- Fix requires. -* Mon Jul 02 2018 Ankit Jain 1.2.26-1 -- Initial version +* Mon Jul 02 2018 Ankit Jain 1.2.26-1 +- Initial version diff --git a/SPECS/xmlstarlet/xmlstarlet.spec b/SPECS/xmlstarlet/xmlstarlet.spec index f5fa525604..1ed04ea890 100644 --- a/SPECS/xmlstarlet/xmlstarlet.spec +++ b/SPECS/xmlstarlet/xmlstarlet.spec @@ -6,7 +6,7 @@ Version: 1.6.1 Release: 16%{?dist} License: MIT URL: http://xmlstar.sourceforge.net/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner Source0: https://downloads.sourceforge.net/project/xmlstar/%{name}/%{version}/%{name}-%{version}.tar.gz @@ -43,9 +43,9 @@ make %{?_smp_mflags} %install rm -fr %{buildroot} -make install DESTDIR=$RPM_BUILD_ROOT +make install DESTDIR=%{buildroot} # Avoid name kludging in autotools -mv $RPM_BUILD_ROOT%{_bindir}/xml $RPM_BUILD_ROOT%{_bindir}/xmlstarlet +mv %{buildroot}%{_bindir}/xml %{buildroot}%{_bindir}/xmlstarlet %check @@ -62,6 +62,7 @@ make check %changelog * Fri Aug 21 2020 Thomas Crain - 1.6.1-16 * Initial CBL-Mariner import from Fedora 33 (license: MIT) +- License verified * Wed Jul 29 2020 Fedora Release Engineering - 1.6.1-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/xmlto/xmlto.spec b/SPECS/xmlto/xmlto.spec index 4946570ad0..1c5db23126 100644 
--- a/SPECS/xmlto/xmlto.spec +++ b/SPECS/xmlto/xmlto.spec @@ -48,7 +48,7 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck} %{_datadir}/xmlto/* %changelog -* Sat May 09 00:21:23 PST 2020 Nick Samson - 0.0.28-5 +* Sat May 09 2020 Nick Samson - 0.0.28-5 - Added %%license line automatically * Tue May 05 2020 Emre Girgin 0.0.28-4 diff --git a/SPECS/yajl/yajl.signatures.json b/SPECS/yajl/yajl.signatures.json index 62ea142dd9..2d04b728c3 100644 --- a/SPECS/yajl/yajl.signatures.json +++ b/SPECS/yajl/yajl.signatures.json @@ -2,4 +2,4 @@ "Signatures": { "yajl-2.1.0.tar.gz": "3fb73364a5a30efe615046d07e6db9d09fd2b41c763c5f7d3bfb121cd5c5ac5a" } -} \ No newline at end of file +} diff --git a/SPECS/yajl/yajl.spec b/SPECS/yajl/yajl.spec index 2969fdd923..0133f7c3ab 100644 --- a/SPECS/yajl/yajl.spec +++ b/SPECS/yajl/yajl.spec @@ -1,20 +1,28 @@ Summary: Yet Another JSON Library (YAJL) Name: yajl Version: 2.1.0 -Release: 15%{?dist} +Release: 17%{?dist} License: ISC Vendor: Microsoft Corporation Distribution: Mariner URL: http://lloyd.github.com/yajl/ -#Source0: https://github.com/lloyd/%%{name}/archive/refs/tags/%%{version}.tar.gz +# +# NB, upstream does not provide pre-built tar.gz downloads. Instead +# they make you use the 'on the fly' generated tar.gz from GITHub's +# web interface +# +# The Source0 for any version is obtained by a URL +# +# https://github.com/lloyd/yajl/releases/tag/2.1.0 +# Source0: %{name}-%{version}.tar.gz Patch1: %{name}-%{version}-pkgconfig-location.patch Patch2: %{name}-%{version}-pkgconfig-includedir.patch Patch3: %{name}-%{version}-test-location.patch Patch4: %{name}-%{version}-dynlink-binaries.patch - BuildRequires: cmake BuildRequires: gcc +BuildRequires: which %package devel Summary: Libraries, includes, etc to develop with YAJL 
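Review bot: The comment block added above `Source0` in the first yajl.spec hunk points at the release page (`https://github.com/lloyd/yajl/releases/tag/2.1.0`), not at the archive that was hashed. The SHA-256 pinned for `yajl-2.1.0.tar.gz` in yajl.signatures.json therefore cannot be re-checked from the spec alone. The comment itself says the tarball is generated on the fly by GitHub, so the exact archive URL is the one piece of provenance worth keeping. I would retain the removed line as a comment next to the explanation: `#Source0: https://github.com/lloyd/%%{name}/archive/refs/tags/%%{version}.tar.gz`. The hard-coded `2.1.0` in the comment URL will also go stale on the next version bump.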
@@ -78,10 +86,15 @@ cd test %{_libdir}/pkgconfig/yajl.pc %changelog -* Mon Jul 12 2021 Pawel Winogrodzki - 2.1.0-15 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). -- Using the '%%make_build' macro instead of 'make'. -- License verified. +* Thu Jun 03 2021 Suresh Babu Chalamalasetty - 2.1.0-17 +- Initial CBL-Mariner import from Fedora 34 (license: MIT) +- License verified + +* Thu Jan 28 2021 Fedora Release Engineering - 2.1.0-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 2.1.0-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Fri Jan 31 2020 Fedora Release Engineering - 2.1.0-14 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/SPECS/yasm/yasm.spec b/SPECS/yasm/yasm.spec index 3d2c39db96..835389ab8a 100644 --- a/SPECS/yasm/yasm.spec +++ b/SPECS/yasm/yasm.spec @@ -4,9 +4,9 @@ Version: 1.3.0 Release: 13%{?dist} License: BSD and (GPLv2+ or Artistic or LGPLv2+) and LGPLv2 URL: https://yasm.tortall.net/ -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://www.tortall.net/projects/%{name}/releases/%{name}-%{version}.tar.gz +Source0: https://www.tortall.net/projects/%{name}/releases/%{name}-%{version}.tar.gz Patch1: 0001-Update-elf-objfmt.c.patch BuildRequires: gcc @@ -76,6 +76,7 @@ make install DESTDIR=%{buildroot} %changelog * Fri Aug 21 2020 Thomas Crain 1.3.0-13 - Initial CBL-Mariner version imported from Fedora 33 (license: MIT) +- License verified * Wed Jul 29 2020 Fedora Release Engineering - 1.3.0-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/SPECS/zeromq/zeromq.signatures.json b/SPECS/zeromq/zeromq.signatures.json index 1ad8074056..30157d315d 100644 --- a/SPECS/zeromq/zeromq.signatures.json +++ b/SPECS/zeromq/zeromq.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "libzmq-4.3.2.tar.gz": "02ecc88466ae38cf2c8d79f09cfd2675ba299a439680b64ade733e26a349edeb" + "zeromq-4.3.4.tar.gz": "c593001a89f5a85dd2ddf564805deb860e02471171b3f204944857336295c3e5" } -} \ No newline at end of file +} diff --git a/SPECS/zeromq/zeromq.spec b/SPECS/zeromq/zeromq.spec index fb74d313ac..ea89579dee 100644 --- a/SPECS/zeromq/zeromq.spec +++ b/SPECS/zeromq/zeromq.spec @@ -1,13 +1,13 @@ Summary: library for fast, message-based applications Name: zeromq -Version: 4.3.2 -Release: 2%{?dist} -URL: https://www.zeromq.org +Version: 4.3.4 +Release: 1%{?dist} License: LGPLv3+ -Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://github.com/zeromq/libzmq/archive/v%{version}/libzmq-%{version}.tar.gz +Group: System Environment/Libraries +URL: https://www.zeromq.org +Source0: https://github.com/zeromq/libzmq/releases/download/v%{version}/zeromq-%{version}.tar.gz Requires: libstdc++ %description @@ -18,24 +18,27 @@ queues, multiple messaging patterns, message filtering (subscriptions), seamless access to multiple transport protocols and more. %package devel -Summary: Header and development files for zeromq -Requires: %{name} = %{version} +Summary: Header and development files for zeromq +Requires: %{name} = %{version} + %description devel It contains the libraries and header files to create applications %prep -%setup -q -n libzmq-%{version} +%autosetup -n zeromq-%{version} -p1 + %build ./autogen.sh ./configure \ --prefix=%{_prefix} \ --with-libsodium=no \ + --without-docs \ --disable-static make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install -find %{buildroot}%{_libdir} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print %check make check 
@@ -56,18 +59,26 @@ make check %{_includedir}/ %changelog -* Sat May 09 00:20:47 PST 2020 Nick Samson - 4.3.2-2 +* Thu Jun 03 2021 Nick Samson - 4.3.4-1 +- Upgraded to 4.3.4 to address CVE-2021-20236, updated URL + +* Sat May 09 2020 Nick Samson - 4.3.2-2 - Added %%license line automatically * Wed Mar 18 2020 Henry Beberman 4.3.2-1 - Update to 4.3.2. Source0 URL fixed. License verified. + * Tue Sep 03 2019 Mateusz Malisz 4.2.3-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Sep 13 2018 Siju Maliakkal 4.2.3-1 - Updated to latest version + * Fri Sep 15 2017 Bo Gan 4.1.4-3 - Remove devpts mount + * Mon Aug 07 2017 Chang Lee 4.1.4-2 - Fixed %check + * Thu Apr 13 2017 Dheeraj Shetty 4.1.4-1 - Initial build. First version diff --git a/SPECS/zsh/zsh.spec b/SPECS/zsh/zsh.spec index 1b20d91adb..6379006bfb 100644 --- a/SPECS/zsh/zsh.spec +++ b/SPECS/zsh/zsh.spec @@ -140,7 +140,7 @@ fi - Adding a patch to skip globbing test if ran as root. - Removing redundant 'sed' and 'chmod' commands in %%install. -* Sat May 09 00:20:44 PST 2020 Nick Samson - 5.8-3 +* Sat May 09 2020 Nick Samson - 5.8-3 - Added %%license line automatically * Thu Apr 30 2020 Emre Girgin - 5.8-2 diff --git a/SUPPORT.md b/SUPPORT.md new file mode 100644 index 0000000000..aba08d50a7 --- /dev/null +++ b/SUPPORT.md 
@@ -0,0 +1,17 @@ +# Support + +## How to file issues and get help + +This project uses [GitHub issues][gh-issue] to [track bugs][gh-bug] and [feature requests][gh-feature]. Please search the existing issues before filing new issues to avoid duplicates. For new topics, file your bug or feature request as a new issue. + +For questions about using this project, please look at the [Demo repo for CBL-Mariner][demo] and our [Contributor's Guide][contributor] if you want to work on CBL-Mariner. + +## Microsoft Support Policy + +Support for CBL-Mariner is limited to the resources listed above. + +[gh-issue]: https://github.com/microsoft/CBL-Mariner/issues/new/choose +[gh-bug]: https://github.com/microsoft/CBL-Mariner/issues/new?labels=bug +[gh-feature]: https://github.com/microsoft/CBL-Mariner/issues/new?labels=enhancement +[demo]: https://github.com/Microsoft/CBL-MarinerDemo +[contributor]: https://github.com/microsoft/CBL-Mariner/blob/main/CONTRIBUTING.md diff --git a/cgmanifest.json b/cgmanifest.json index 863ea08346..89230c2031 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -1,95 +1,5 @@ { "Registrations": [ - { - "component": { - "type": "other", - "other": { - "name": "CUnit", - "version": "2.1.3", - "downloadUrl": "https://downloads.sourceforge.net/CUnit/CUnit-2.1-3.tar.bz2" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "Cython", - "version": "0.29.13", - "downloadUrl": "https://github.com/cython/cython/archive/0.29.13.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "GSL", - "version": "2.0.0", - "downloadUrl": "https://github.com/microsoft/GSL/archive/v2.0.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "ModemManager", - "version": "1.10.4", - "downloadUrl": "https://www.freedesktop.org/software/ModemManager/ModemManager-1.10.4.tar.xz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "OpenIPMI", - "version": "2.0.25", - "downloadUrl": "https://sourceforge.net/projects/openipmi/files/latest/download/openipmi-2.0.25.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "PyPAM", - "version": "0.5.0", - "downloadUrl": "https://src.fedoraproject.org/repo/pkgs/PyPAM/PyPAM-0.5.0.tar.gz/f1e7c2c56421dda28a75ace59a3c8871/PyPAM-0.5.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "PyYAML", - "version": "3.13", - "downloadUrl": "https://pyyaml.org/download/pyyaml/PyYAML-3.13.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "R", - "version": "4.1.0", - "downloadUrl": "https://cran.r-project.org/src/base/R-4/R-4.1.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "WALinuxAgent", - "version": "2.2.52", - "downloadUrl": "https://github.com/Azure/WALinuxAgent/archive/v2.2.52.tar.gz" - } - } - }, { "component": { "type": "other", 
@@ -125,8 +35,8 @@ "type": "other", "other": { "name": "ansible", - "version": "2.9.12", - "downloadUrl": "https://releases.ansible.com/ansible/ansible-2.9.12.tar.gz" + "version": "2.9.18", + "downloadUrl": "https://releases.ansible.com/ansible/ansible-2.9.18.tar.gz" } } }, @@ -135,8 +45,8 @@ "type": "other", "other": { "name": "ant", - "version": "1.10.9", - "downloadUrl": "https://archive.apache.org/dist/ant/source/apache-ant-1.10.9-src.tar.xz" + "version": "1.10.11", + "downloadUrl": "https://archive.apache.org/dist/ant/source/apache-ant-1.10.11-src.tar.gz" } } }, @@ -190,6 +100,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "archivemount", + "version": "0.9.1", + "downloadUrl": "https://www.cybernoia.de/software/archivemount/archivemount-0.9.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -205,8 +125,8 @@ "type": "other", "other": { "name": "aspnetcore-runtime-3.1", - "version": "3.1.5", - "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/6827d794-a218-4352-b3b3-a19ec773c975/e3e53bc2f20df220a29c6e09f74d8a00/aspnetcore-runtime-3.1.5-linux-x64.tar.gz" + "version": "3.1.15", + "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/8aaf94dc-ce57-4d00-9d2d-70e8b760619e/2979ffe47a37c1aa5d931ee1953613f3/aspnetcore-runtime-3.1.15-linux-x64.tar.gz" } } }, @@ -290,6 +210,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "autoconf213", + "version": "2.13", + "downloadUrl": "ftp://prep.ai.mit.edu/pub/gnu/autoconf/autoconf-2.13.tar.gz" + } + } + }, { "component": { "type": "other", @@ -304,9 +234,9 @@ "component": { "type": "other", "other": { - "name": "autoconf213", - "version": "2.13", - "downloadUrl": "ftp://prep.ai.mit.edu/pub/gnu/autoconf/autoconf-2.13.tar.gz" + "name": "autoconf", + "version": "2.69", + "downloadUrl": "http://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.xz" } } }, 
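Review bot: The `autoconf` 2.69 entry added in the `@@ -304,9 +234,9 @@` hunk records a plaintext `http://ftp.gnu.org/...` downloadUrl, and the `autoconf213` entry re-added in the `@@ -290,6 +210,16 @@` hunk keeps `ftp://prep.ai.mit.edu/...`. If these URLs mirror what the build actually fetches, prefer the HTTPS form, e.g. `"downloadUrl": "https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.xz"`, so the recorded provenance does not rest on an unauthenticated transport. The per-package signature files presumably still pin the tarball hash, but none for autoconf is visible in this part of the diff. The `binutils` entry updated further down keeps an `http://ftp.gnu.org` URL as well.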
@@ -355,8 +285,8 @@ "type": "other", "other": { "name": "azure-iotedge", - "version": "1.1.0", - "downloadUrl": "https://github.com/Azure/iotedge/archive/1.1.0.tar.gz" + "version": "1.1.2", + "downloadUrl": "https://github.com/Azure/iotedge/archive/1.1.2.tar.gz" } } }, @@ -450,13 +380,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "bigreqsproto", + "version": "1.1.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/bigreqsproto-1.1.2.tar.bz2" + } + } + }, { "component": { "type": "other", "other": { "name": "bind", - "version": "9.16.3", - "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.3/bind-9.16.3.tar.xz" + "version": "9.16.15", + "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.15/bind-9.16.15.tar.xz" } } }, @@ -465,8 +405,8 @@ "type": "other", "other": { "name": "binutils", - "version": "2.32", - "downloadUrl": "http://ftp.gnu.org/gnu/binutils/binutils-2.32.tar.xz" + "version": "2.36.1", + "downloadUrl": "http://ftp.gnu.org/gnu/binutils/binutils-2.36.1.tar.xz" } } }, @@ -705,8 +645,8 @@ "type": "other", "other": { "name": "ceph", - "version": "15.2.4", - "downloadUrl": "https://download.ceph.com/tarballs/ceph-15.2.4.tar.gz" + "version": "16.2.0", + "downloadUrl": "https://download.ceph.com/tarballs/ceph-16.2.0.tar.gz" } } }, @@ -720,6 +660,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "checkpolicy", + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpolicy-3.2.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -850,6 +800,36 @@ } } }, +{ + "component": { + "type": "other", + "other": { + "name": "collectd", + "version": "5.12.0", + "downloadUrl": "https://github.com/collectd/collectd/releases/download/collectd-5.12.0/collectd-5.12.0.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "colm", + "version": "0.13.0.7", + "downloadUrl": "https://www.colm.net/files/colm/colm-0.13.0.7.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "compositeproto", + "version": "0.4.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/compositeproto-0.4.2.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -1000,6 +980,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "CUnit", + "version": "2.1.3", + "downloadUrl": "https://downloads.sourceforge.net/cunit/CUnit-2.1-3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "cups", + "version": "2.2.4", + "downloadUrl": "https://github.com/apple/cups/releases/download/v2.2.4/cups-2.2.4-source.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1020,6 +1020,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "Cython", + "version": "0.28.5", + "downloadUrl": "https://github.com/cython/cython/archive/0.28.5.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "damageproto", + "version": "1.2.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/damageproto-1.2.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -1070,6 +1090,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "device-mapper-multipath", + "version": "0.8.6", + "downloadUrl": "https://github.com/opensvc/multipath-tools/archive/refs/tags/0.8.6.tar.gz" + } + } + }, { "component": { "type": "other", 
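Review bot: The `Cython` entry added in the `@@ -1020,6 +1020,26 @@` hunk records version `0.28.5`, while the entry this commit removes from the top of cgmanifest.json recorded `0.29.13`. If moving the entry was meant to be a pure re-sort, the recorded version has been lowered by accident. Please confirm it against the `Version:` tag of the Cython spec, which is not visible in this part of the diff, because vulnerability matching against the manifest is only as accurate as the version it records. Separately, the `collectd` entry in the `@@ -850,6 +800,36 @@` hunk opens with an unindented `{`; indent it like the neighbouring entries.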
@@ -1120,6 +1150,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "dmxproto", + "version": "2.3.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/dmxproto-2.3.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -1195,8 +1235,8 @@ "type": "other", "other": { "name": "dotnet-runtime-3.1", - "version": "3.1.5", - "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/d00eaeea-6d7b-4e73-9d96-c0234ed3b665/0d25d9d1aeaebdeef01d15370d5cd22b/dotnet-runtime-3.1.5-linux-x64.tar.gz" + "version": "3.1.15", + "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/692284f9-e1e7-4b31-9191-cd8043441024/ac45c17d4327b1f992b7fe3956a99129/dotnet-runtime-3.1.15-linux-x64.tar.gz" } } }, @@ -1205,8 +1245,8 @@ "type": "other", "other": { "name": "dotnet-sdk-3.1", - "version": "3.1.105", - "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/37268c18-226d-436b-b13c-4b77b7f42140/17e8a85360206006a557d634d16713cd/dotnet-sdk-3.1.105-linux-x64.tar.gz" + "version": "3.1.115", + "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/cc86b0c8-9e72-4410-b3b0-2c5a8f90d8a4/426913359d4c524560e42c4f2ee18fa1/dotnet-sdk-3.1.115-linux-x64.tar.gz" } } }, @@ -1230,6 +1270,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "dri2proto", + "version": "2.8", + "downloadUrl": "https://www.x.org/pub/individual/proto/dri2proto-2.8.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "dri3proto", + "version": "1.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/dri3proto-1.0.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -1329,6 +1389,16 @@ "downloadUrl": "https://github.com/envoyproxy/envoy/archive/refs/tags/v1.14.4.tar.gz" } } + }, + { + "component": { + "type": "other", + "other": { + "name": "eppic", + "version": "e8844d3793471163ae4a56d8f95897be9e5bd554", + "downloadUrl": "https://github.com/lucchouina/eppic/archive/e8844d3793471163ae4a56d8f95897be9e5bd554/eppic-e8844d3.tar.gz" + } + } }, { "component": { @@ -1365,8 +1435,8 @@ "type": "other", "other": { "name": "etcd", - "version": "3.4.13", - "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.4.13.tar.gz" + "version": "3.4.3", + "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.4.3.tar.gz" } } }, @@ -1375,8 +1445,8 @@ "type": "other", "other": { "name": "etcd", - "version": "3.4.3", - "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.4.3.tar.gz" + "version": "3.4.13", + "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.4.13.tar.gz" } } }, @@ -1440,6 +1510,7 @@ } } }, + { "component": { "type": "other", @@ -1480,6 +1551,17 @@ } } }, + + { + "component": { + "type": "other", + "other": { + "name": "fixesproto", + "version": "5.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/fixesproto-5.0.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -1505,8 +1587,8 @@ "type": "other", "other": { "name": "fluent-bit", - "version": "1.4.1", - "downloadUrl": "https://github.com/fluent/fluent-bit/archive/v1.4.1.tar.gz" + "version": "1.5.2", + "downloadUrl": "https://github.com/fluent/fluent-bit/archive/v1.5.2.tar.gz" } } }, @@ -1520,6 +1602,7 @@ } } }, + { "component": { "type": "other", @@ -1530,6 +1613,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "fontsproto", + "version": "2.1.3", + "downloadUrl": "https://www.x.org/pub/individual/proto/fontsproto-2.1.3.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -1580,6 +1673,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "fuse-zip", + "version": "0.7.2", + "downloadUrl": "https://bitbucket.org/agalanin/fuse-zip/downloads/fuse-zip-0.7.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1710,6 +1813,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "glproto", + "version": "1.4.17", + "downloadUrl": "https://www.x.org/pub/individual/proto/glproto-1.4.17.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -1750,6 +1863,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "gnulib", + "version": "d271f868a8df9bbec29049d01e056481b7a1a263", + "downloadUrl": "https://git.savannah.gnu.org/cgit/gnulib.git/snapshot/gnulib-d271f868a8df9bbec29049d01e056481b7a1a263.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1805,8 +1928,18 @@ "type": "other", "other": { "name": "golang", - "version": "1.15.7", - "downloadUrl": "https://dl.google.com/go/go1.15.7.src.tar.gz" + "version": "1.15.13", + "downloadUrl": "https://dl.google.com/go/go1.15.13.src.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "golang-crypto", + "version": "c07d793c2f9aacf728fe68cbd7acd73adbd04159", + "downloadUrl": "https://github.com/golang/crypto/archive/golang-crypto-c07d793c2f9aacf728fe68cbd7acd73adbd04159.tar.gz" } } }, @@ -1820,6 +1953,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "golang-sys", + "version": "b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d", + "downloadUrl": "https://github.com/golang/sys/archive/golang-sys-b0526f3d87448f0401ea3f7f3a81aa9e6ab4804d.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -1904,9 +2047,9 @@ "component": { "type": "other", "other": { - "name": "gnulib", - "version": "d271f868a8df9bbec29049d01e056481b7a1a263", - "downloadUrl": "https://git.savannah.gnu.org/cgit/gnulib.git/snapshot/gnulib-d271f868a8df9bbec29049d01e056481b7a1a263.tar.gz" + "name": "GSL", + "version": "2.0.0", + "downloadUrl": "https://github.com/microsoft/GSL/archive/v2.0.0.tar.gz" } } }, @@ -2044,19 +2187,40 @@ "component": { "type": "other", "other": { - "name": "hwdata", - "version": "0.341", - "downloadUrl": "https://github.com/vcrhonek/hwdata/archive/v0.341.tar.gz" + "name": "http-parser", + "version": "2.8.1", + "downloadUrl": "https://github.com/nodejs/http-parser/archive/v2.8.1.tar.gz" } } }, + { + "component": { + "type": "other", + "other": { + "name": "hyperscan", + "version": "5.4.0", + "downloadUrl": "https://github.com/intel/hyperscan/archive/v5.4.0.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "hwdata", + "version": "0.341", + "downloadUrl": "https://github.com/vcrhonek/hwdata/archive/v0.341.tar.gz" + } + } + }, + { "component": { "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.28.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" + "version": "5.10.52.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.52.1.tar.gz" } } }, @@ -2110,6 +2274,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "inputproto", + "version": "2.3.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/inputproto-2.3.2.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -2360,6 +2534,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "kbproto", + "version": "1.0.7", + "downloadUrl": "https://www.x.org/pub/individual/proto/kbproto-1.0.7.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -2380,13 +2564,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "kernel", + "version": "5.10.52.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.52.1.tar.gz" + } + } + }, { "component": { "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.28.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" + "version": "5.10.52.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.52.1.tar.gz" } } }, @@ -2395,18 +2589,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.28.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kernel", - "version": "5.10.28.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" + "version": "5.10.52.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.52.1.tar.gz" } } }, 
@@ -2500,66 +2684,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.18.14", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.18.17", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.17-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.19.7", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.19.9", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.9-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.20.2", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.2-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.20.5", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.5-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, { "component": { "type": "other", @@ -2760,6 +2884,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libdmx", + "version": "1.1.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libdmx-1.1.3.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -2775,8 +2909,8 @@ "type": "other", "other": { "name": "libdnf", - "version": "0.39.1", - "downloadUrl": "https://github.com/rpm-software-management/libdnf/archive/0.39.1.tar.gz" + "version": "0.43.1", + "downloadUrl": "https://github.com/rpm-software-management/libdnf/archive/0.43.1.tar.gz" } } }, @@ -2840,6 +2974,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libfontenc", + "version": "1.1.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libfontenc-1.1.3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libFS", + "version": "1.0.7", + "downloadUrl": "https://www.x.org/pub/individual/lib/libFS-1.0.7.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -2890,13 +3044,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libICE", + "version": "1.0.9", + "downloadUrl": "https://www.x.org/pub/individual/lib/libICE-1.0.9.tar.bz2" + } + } + }, { "component": { "type": "other", "other": { "name": "libiothsm-std", - "version": "1.1.0", - "downloadUrl": "https://github.com/Azure/iotedge/archive/1.1.0.tar.gz" + "version": "1.1.2", + "downloadUrl": "https://github.com/Azure/iotedge/archive/1.1.2.tar.gz" } } }, @@ -3120,6 +3284,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libnvidia-container", + "version": "1.3.3", + "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.3.3.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -3245,8 +3419,18 @@ "type": "other", "other": { "name": "libselinux", - "version": "2.9", - "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz" + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/libselinux-3.2.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libsemanage", + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/libsemanage-3.2.tar.gz" } } }, @@ -3255,8 +3439,8 @@ "type": "other", "other": { "name": "libsepol", - "version": "3.1", - "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/20200710/libsepol-3.1.tar.gz" + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/libsepol-3.2.tar.gz" } } }, @@ -3280,6 +3464,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libSM", + "version": "1.2.2", + "downloadUrl": "https://www.x.org/pub/individual/lib/libSM-1.2.2.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -3435,8 +3629,48 @@ "type": "other", "other": { "name": "libwebp", - "version": "1.0.0", - "downloadUrl": "https://github.com/webmproject/libwebp/archive/v1.0.0.tar.gz" + "version": "1.0.3", + "downloadUrl": "https://github.com/webmproject/libwebp/archive/v1.0.3.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libX11", + "version": "1.6.5", + "downloadUrl": "https://www.x.org/pub/individual/lib/libX11-1.6.5.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXau", + "version": "1.0.8", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXau-1.0.8.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXaw", + "version": "1.0.13", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXaw-1.0.13.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libxcb", + "version": "1.12", + "downloadUrl": "https://xcb.freedesktop.org/dist/libxcb-1.12.tar.bz2" } } }, 
@@ -3450,6 +3684,226 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libXcursor", + "version": "1.1.14", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXcursor-1.1.14.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXdamage", + "version": "1.1.4", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXdamage-1.1.4.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXext", + "version": "1.3.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXext-1.3.3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXfixes", + "version": "5.0.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXfixes-5.0.3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXfont2", + "version": "2.0.1", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXfont2-2.0.1.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXft", + "version": "2.3.2", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXft-2.3.2.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXi", + "version": "1.7.9", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXi-1.7.9.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXinerama", + "version": "1.1.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXinerama-1.1.3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libxkbfile", + "version": "1.0.9", + "downloadUrl": "https://www.x.org/pub/individual/lib/libxkbfile-1.0.9.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXmu", + "version": "1.1.2", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXmu-1.1.2.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": 
"libXpm", + "version": "3.5.12", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXpm-3.5.12.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXrandr", + "version": "1.5.1", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXrandr-1.5.1.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXrender", + "version": "0.9.10", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXrender-0.9.10.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXres", + "version": "1.0.7", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXres-1.0.7.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXScrnSaver", + "version": "1.2.2", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXScrnSaver-1.2.2.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libxshmfence", + "version": "1.2", + "downloadUrl": "https://www.x.org/pub/individual/lib/libxshmfence-1.2.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXt", + "version": "1.1.5", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXt-1.1.5.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXtst", + "version": "1.2.3", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXtst-1.2.3.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXv", + "version": "1.0.11", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXv-1.0.11.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXvMC", + "version": "1.0.10", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXvMC-1.0.10.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXxf86dga", + "version": "1.1.4", + "downloadUrl": 
"https://www.x.org/pub/individual/lib/libXxf86dga-1.1.4.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libXxf86vm", + "version": "1.1.4", + "downloadUrl": "https://www.x.org/pub/individual/lib/libXxf86vm-1.1.4.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -3465,8 +3919,8 @@ "type": "other", "other": { "name": "libxml2", - "version": "2.9.10", - "downloadUrl": "ftp://xmlsoft.org/libxml2/libxml2-2.9.10.tar.gz" + "version": "2.9.12", + "downloadUrl": "ftp://xmlsoft.org/libxml2/libxml2-2.9.12.tar.gz" } } }, @@ -3485,8 +3939,18 @@ "type": "other", "other": { "name": "libyaml", - "version": "0.2.5", - "downloadUrl": "https://pyyaml.org/download/libyaml/yaml-0.2.5.tar.gz" + "version": "0.2.1", + "downloadUrl": "http://pyyaml.org/download/libyaml/yaml-0.2.1.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "libzip", + "version": "1.7.3", + "downloadUrl": "https://libzip.org/download/libzip-1.7.3.tar.xz" } } }, @@ -3565,8 +4029,18 @@ "type": "other", "other": { "name": "logrotate", - "version": "3.16.0", - "downloadUrl": "https://github.com/logrotate/logrotate//archive/3.16.0.tar.gz" + "version": "3.18.1", + "downloadUrl": "https://github.com/logrotate/logrotate/releases/download/3.18.1/logrotate-3.18.1.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "logrus", + "version": "1.8.1", + "downloadUrl": "https://github.com/sirupsen/logrus/archive/v1.8.1.tar.gz" } } }, @@ -3790,6 +4264,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "mcstrans", + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/mcstrans-3.2.tar.gz" + } + } + }, { "component": { "type": "other", 
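Review bot: In the libyaml hunk the new `downloadUrl` switches from `https://` to `http://` and the recorded version goes back from 0.2.5 to 0.2.1, so the entry now describes an older release fetched over an unauthenticated channel. If the spec really ships 0.2.1, keep the version but restore the scheme: `"downloadUrl": "https://pyyaml.org/download/libyaml/yaml-0.2.1.tar.gz"`; if the downgrade is a merge artefact, restore both removed lines. The same plain-HTTP scheme appears on added entries in later hunks (perl-common-sense, perl-CPAN-Meta-Check, perl-File-pushd, python2, PyYAML), and the libxml2 and tboot bumps keep their existing `ftp://` and `http://` URLs. Unless the build pins each archive by hash, which this diff does not show, those sources can be altered in transit and are worth moving to HTTPS locations in the same change.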
@@ -3875,8 +4359,18 @@ "type": "other", "other": { "name": "moby-runc", - "version": "1.0.0-rc10+azure", - "downloadUrl": "https://github.com/opencontainers/runc/releases/download/v1.0.0-rc10/runc.tar.xz" + "version": "1.0.0~rc95+azure", + "downloadUrl": "https://github.com/opencontainers/runc/releases/download/v1.0.0-rc95/runc.tar.xz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "ModemManager", + "version": "1.10.4", + "downloadUrl": "https://www.freedesktop.org/software/ModemManager/ModemManager-1.10.4.tar.xz" } } }, @@ -4085,8 +4579,8 @@ "type": "other", "other": { "name": "nginx", - "version": "1.16.1", - "downloadUrl": "https://nginx.org/download/nginx-1.16.1.tar.gz" + "version": "1.20.1", + "downloadUrl": "https://nginx.org/download/nginx-1.20.1.tar.gz" } } }, @@ -4124,9 +4618,9 @@ "component": { "type": "other", "other": { - "name": "nmi", - "version": "1.7.0", - "downloadUrl": "https://github.com/Azure/aad-pod-identity/archive/refs/tags/v1.7.0.tar.gz" + "name": "node-problem-detector", + "version": "0.8.8", + "downloadUrl": "https://github.com/kubernetes/node-problem-detector/archive/refs/tags/v0.8.8.tar.gz" } } }, @@ -4135,18 +4629,8 @@ "type": "other", "other": { "name": "nodejs", - "version": "8.11.4", - "downloadUrl": "https://nodejs.org/download/release/v8.11.4/node-v8.11.4.tar.xz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "nodejs", - "version": "9.11.2", - "downloadUrl": "https://nodejs.org/download/release/v9.11.2/node-v9.11.2.tar.xz" + "version": "14.17.2", + "downloadUrl": "https://nodejs.org/download/release/v14.17.2/node-v14.17.2.tar.xz" } } }, 
@@ -4250,6 +4734,36 @@ } } }, +{ + "component": { + "type": "other", + "other": { + "name": "nvidia-container-toolkit", + "version": "1.4.2", + "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.4.2.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "nvidia-docker2", + "version": "2.6.0", + "downloadUrl": "https://github.com/NVIDIA/nvidia-docker/archive/v2.6.0.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "nvidia-modprobe", + "version": "450.57", + "downloadUrl": "https://github.com/NVIDIA/nvidia-modprobe/archive/450.57.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4300,6 +4814,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "OpenIPMI", + "version": "2.0.25", + "downloadUrl": "https://sourceforge.net/projects/openipmi/files/latest/download/openipmi-2.0.25.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4360,6 +4884,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "open-vm-tools", + "version": "11.1.0", + "downloadUrl": "https://github.com/vmware/open-vm-tools/releases/download/stable-11.1.0/open-vm-tools-11.1.0-16036546.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4390,6 +4924,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "p7zip", + "version": "16.02", + "downloadUrl": "https://src.fedoraproject.org/repo/pkgs/p7zip/p7zip_16.02_src_all-norar.tar.bz2/7202a0bd2aa2935576c13314783d5e1d/p7zip_16.02_src_all-norar.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -4405,8 +4949,8 @@ "type": "other", "other": { "name": "pam", - "version": "1.3.1", - "downloadUrl": "https://github.com/linux-pam/linux-pam/releases/download/v1.3.1/Linux-PAM-1.3.1.tar.xz" + "version": "1.5.1", + "downloadUrl": "https://github.com/linux-pam/linux-pam/releases/download/v1.5.1/Linux-PAM-1.5.1.tar.xz" } } }, 
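Review bot: The OpenIPMI entry's `downloadUrl` goes through SourceForge's `files/latest/download/` path, which by its name presumably resolves to whatever the project currently publishes rather than to the 2.0.25 archive recorded in `version`. A manifest used for component tracking should point at an immutable, version-specific location, e.g. `"downloadUrl": "https://sourceforge.net/projects/openipmi/files/<RELEASE_DIR_PLACEHOLDER>/OpenIPMI-2.0.25.tar.gz"`, with the release directory filled in from the project's file listing. Otherwise the recorded version and the bytes actually fetched can drift apart without any change showing up in this file.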
@@ -4504,9 +5048,9 @@ "component": { "type": "other", "other": { - "name": "perl-Archive-Zip", - "version": "1.67", - "downloadUrl": "https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.67.tar.gz" + "name": "perl-App-cpanminus", + "version": "1.7044", + "downloadUrl": "https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7044.tar.gz" } } }, @@ -4514,9 +5058,9 @@ "component": { "type": "other", "other": { - "name": "perl-CGI", - "version": "4.40", - "downloadUrl": "https://cpan.metacpan.org/authors/id/L/LE/LEEJO/CGI-4.40.tar.gz" + "name": "perl-Archive-Zip", + "version": "1.67", + "downloadUrl": "https://cpan.metacpan.org/authors/id/P/PH/PHRED/Archive-Zip-1.67.tar.gz" } } }, @@ -4530,6 +5074,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-CGI", + "version": "4.40", + "downloadUrl": "https://cpan.metacpan.org/authors/id/L/LE/LEEJO/CGI-4.40.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "perl-common-sense", + "version": "3.74", + "downloadUrl": "http://search.cpan.org/CPAN/authors/id/M/ML/MLEHMANN/common-sense-3.74.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4540,6 +5104,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-CPAN-DistnameInfo", + "version": "0.12", + "downloadUrl": "https://cpan.metacpan.org/authors/id/G/GB/GBARR/CPAN-DistnameInfo-0.12.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "perl-CPAN-Meta-Check", + "version": "0.014", + "downloadUrl": "http://cpan.metacpan.org/authors/id/L/LE/LEONT/CPAN-Meta-Check-0.014.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4600,6 +5184,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-File-pushd", + "version": "1.016", + "downloadUrl": "http://cpan.metacpan.org/authors/id/D/DA/DAGOLDEN/File-pushd-1.016.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -4650,6 +5244,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-libintl-perl", + "version": "1.29", + "downloadUrl": "https://cpan.metacpan.org/authors/id/G/GU/GUIDO/libintl-perl-1.29.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4660,6 +5264,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-local-lib", + "version": "2.000024", + "downloadUrl": "https://cpan.metacpan.org/authors/id/H/HA/HAARG/local-lib-2.000024.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4670,6 +5284,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-Module-CPANfile", + "version": "1.1004", + "downloadUrl": "https://cpan.metacpan.org/authors/id/M/MI/MIYAGAWA/Module-CPANfile-1.1004.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4720,6 +5344,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-Parse-PMFile", + "version": "0.42", + "downloadUrl": "https://cpan.metacpan.org/authors/id/I/IS/ISHIGAKI/Parse-PMFile-0.42.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4730,6 +5364,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-Pod-Parser", + "version": "1.63", + "downloadUrl": "https://cpan.metacpan.org/authors/id/M/MA/MAREKR/Pod-Parser-1.63.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "perl-String-ShellQuote", + "version": "1.04", + "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RO/ROSCH/String-ShellQuote-1.04.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -4810,26 +5464,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "perl-common-sense", - "version": "3.74", - "downloadUrl": "http://search.cpan.org/CPAN/authors/id/M/ML/MLEHMANN/common-sense-3.74.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "perl-libintl-perl", - "version": "1.29", - "downloadUrl": "https://cpan.metacpan.org/authors/id/G/GU/GUIDO/libintl-perl-1.29.tar.gz" - } - } - }, { "component": { "type": "other", @@ -4890,6 +5524,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "policycoreutils", + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4915,8 +5559,8 @@ "type": "other", "other": { "name": "postgresql", - "version": "12.6", - "downloadUrl": "https://ftp.postgresql.org/pub/source/v12.6/postgresql-12.6.tar.bz2" + "version": "12.7", + "downloadUrl": "https://ftp.postgresql.org/pub/source/v12.7/postgresql-12.7.tar.bz2" } } }, @@ -4930,6 +5574,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "presentproto", + "version": "1.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/presentproto-1.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -5000,16 +5654,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "pyOpenSSL", - "version": "18.0.0", - "downloadUrl": "https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-18.0.0.tar.gz" - } - } - }, { "component": { "type": "other", @@ -5030,6 +5674,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "pyelftools", + "version": "0.27", + "downloadUrl": "https://github.com/eliben/pyelftools/archive/v0.27/pyelftools-0.27.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -5040,6 +5694,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "pyOpenSSL", + "version": "18.0.0", + "downloadUrl": "https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-18.0.0.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "PyPAM", + "version": "0.5.0", + "downloadUrl": "https://src.fedoraproject.org/repo/pkgs/PyPAM/PyPAM-0.5.0.tar.gz/f1e7c2c56421dda28a75ace59a3c8871/PyPAM-0.5.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5060,6 +5734,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python2", + "version": "2.7.18", + "downloadUrl": "http://www.python.org/ftp/python/2.7.18/Python-2.7.18.tar.xz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "python3", + "version": "3.7.10", + "downloadUrl": "https://www.python.org/ftp/python/3.7.10/Python-3.7.10.tar.xz" + } + } + }, { "component": { "type": "other", @@ -5070,6 +5764,17 @@ } } }, + + { + "component": { + "type": "other", + "other": { + "name": "python-asn1crypto", + "version": "0.24.0", + "downloadUrl": "https://files.pythonhosted.org/packages/fc/f1/8db7daa71f414ddabfa056c4ef792e1461ff655c2ae2928a2b675bfed6b4/asn1crypto-0.24.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -5080,16 +5785,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "python-asn1crypto", - "version": "0.24.0", - "downloadUrl": "https://files.pythonhosted.org/packages/fc/f1/8db7daa71f414ddabfa056c4ef792e1461ff655c2ae2928a2b675bfed6b4/asn1crypto-0.24.0.tar.gz" - } - } - }, { "component": { "type": "other", @@ -5771,6 +6466,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-pexpect", + "version": "4.8.0", + "downloadUrl": "https://github.com/pexpect/pexpect/archive/4.8.0/pexpect-4.8.0.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -5831,6 +6536,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-ptyprocess", + "version": "0.7.0", + "downloadUrl": "https://pypi.io/packages/source/p/ptyprocess/ptyprocess-0.7.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -6036,8 +6751,8 @@ "type": "other", "other": { "name": "python-rsa", - "version": "4.6", - "downloadUrl": "https://pypi.python.org/packages/source/r/rsa/rsa-4.6.tar.gz" + "version": "4.7.2", + "downloadUrl": "https://pypi.python.org/packages/source/r/rsa/rsa-4.7.2.tar.gz" } } }, @@ -6331,6 +7046,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "PyYAML", + "version": "3.13", + "downloadUrl": "http://pyyaml.org/download/pyyaml/PyYAML-3.13.tar.gz" + } + } + }, { "component": { "type": "other", @@ -6385,9 +7110,19 @@ "component": { "type": "other", "other": { - "name": "rapidjson", - "version": "1.0.2", - "downloadUrl": "https://github.com/Tencent/rapidjson/archive/v1.0.2.tar.gz" + "name": "ragel", + "version": "7.0.0.12", + "downloadUrl": "https://www.colm.net/files/ragel/ragel-7.0.0.12.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "randrproto", + "version": "1.5.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/randrproto-1.5.0.tar.bz2" } } }, @@ -6411,6 +7146,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "re2", + "version": "20190801", + "downloadUrl": "https://github.com/google/re2/archive/2019-08-01.tar.gz" + } + } + }, { "component": { "type": "other", @@ -6421,6 +7166,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "recordproto", + "version": "1.14.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/recordproto-1.14.2.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -6431,6 +7186,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "renderproto", + "version": "0.11.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/renderproto-0.11.1.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "resourceproto", + "version": "1.2.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/resourceproto-1.2.0.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -6521,16 +7296,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "ruby", - "version": "2.6.6", - "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.xz" - } - } - }, { "component": { "type": "other", @@ -6661,16 +7426,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-bundler", - "version": "1.16.4", - "downloadUrl": "https://rubygems.org/downloads/bundler-1.16.4.gem" - } - } - }, { "component": { "type": "other", @@ -7315,9 +8070,9 @@ "component": { "type": "other", "other": { - "name": "runc", - "version": "1.0.0.rc8", - "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.0.0-rc8.tar.gz" + "name": "runtime-spec", + "version": "1.0.2", + "downloadUrl": "https://github.com/opencontainers/runtime-spec/archive/v1.0.2.tar.gz" } } }, @@ -7351,6 +8106,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "scrnsaverproto", + "version": "1.2.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/scrnsaverproto-1.2.2.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "secilc", + "version": "3.2", + "downloadUrl": "https://github.com/SELinuxProject/selinux/releases/download/3.2/secilc-3.2.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -7361,6 +8136,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "selinux-policy", + "version": "2.20200818", + "downloadUrl": "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200818/refpolicy-2.20200818.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "setools", + "version": "4.4.0", + "downloadUrl": "https://github.com/SELinuxProject/setools/releases/download/4.4.0/setools-4.4.0.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -7377,7 +8172,7 @@ "other": { "name": "sgml-common", "version": "0.6.3", - "downloadUrl": "ftp://sources.redhat.com/pub/docbook-tools/new-trials/SOURCES/sgml-common-0.6.3.tgz" + "downloadUrl": "https://sourceware.org/ftp/docbook-tools/new-trials/SOURCES/sgml-common-0.6.3.tgz" } } }, @@ -7386,8 +8181,8 @@ "type": "other", "other": { "name": "shadow-utils", - "version": "4.6", - "downloadUrl": "https://github.com/shadow-maint/shadow/releases/download/4.6/shadow-4.6.tar.xz" + "version": "4.9", + "downloadUrl": "https://github.com/shadow-maint/shadow/releases/download/v4.9/shadow-4.9.tar.xz" } } }, @@ -7441,6 +8236,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "sos", + "version": "4.1", + "downloadUrl": "https://github.com/sosreport/sos/archive/4.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -7616,8 +8421,8 @@ "type": "other", "other": { "name": "tboot", - "version": "1.9.7", - "downloadUrl": "http://downloads.sourceforge.net/tboot/tboot-1.9.7.tar.gz" + "version": "1.9.12", + "downloadUrl": "http://downloads.sourceforge.net/tboot/tboot-1.9.12.tar.gz" } } }, @@ -7816,8 +8621,8 @@ "type": "other", "other": { "name": "uclibc-ng", - "version": "1.0.36", - "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.36/uClibc-ng-1.0.36.tar.xz" + "version": "1.0.37", + "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.37/uClibc-ng-1.0.37.tar.xz" } } }, 
@@ -7851,6 +8656,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "urfave-cli", + "version": "2.3.0", + "downloadUrl": "https://github.com/urfave/cli/archive/v2.3.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -7921,6 +8736,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "videoproto", + "version": "2.3.3", + "downloadUrl": "https://www.x.org/pub/individual/proto/videoproto-2.3.3.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -7961,6 +8786,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "WALinuxAgent", + "version": "2.2.54.2", + "downloadUrl": "https://github.com/Azure/WALinuxAgent/archive/refs/tags/v2.2.54.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -8011,6 +8846,26 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "xcb-proto", + "version": "1.12", + "downloadUrl": "https://xcb.freedesktop.org/dist/xcb-proto-1.12.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xcmiscproto", + "version": "1.2.2", + "downloadUrl": "https://www.x.org/pub/individual/proto/xcmiscproto-1.2.2.tar.bz2" + } + } + }, { "component": { "type": "other", 
@@ -8021,6 +8876,56 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "xextproto", + "version": "7.3.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/xextproto-7.3.0.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xf86bigfontproto", + "version": "1.2.0", + "downloadUrl": "https://www.x.org/pub/individual/proto/xf86bigfontproto-1.2.0.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xf86dgaproto", + "version": "2.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/xf86dgaproto-2.1.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xf86driproto", + "version": "2.1.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/xf86driproto-2.1.1.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xf86vidmodeproto", + "version": "2.3.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/xf86vidmodeproto-2.3.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -8031,6 +8936,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "xineramaproto", + "version": "1.2.1", + "downloadUrl": "https://www.x.org/pub/individual/proto/xineramaproto-1.2.1.tar.bz2" + } + } + }, { "component": { "type": "other", @@ -8075,9 +8990,19 @@ "component": { "type": "other", "other": { - "name": "xorg-x11-util-macros", - "version": "1.19.2", - "downloadUrl": "https://www.x.org/pub/individual/util/util-macros-1.19.2.tar.bz2" + "name": "xproto", + "version": "7.0.31", + "downloadUrl": "https://www.x.org/pub/individual/proto/xproto-7.0.31.tar.bz2" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "xtrans", + "version": "1.3.5", + "downloadUrl": "https://www.x.org/pub/individual/lib/xtrans-1.3.5.tar.bz2" } } }, 
@@ -8097,7 +9022,7 @@ "other": { "name": "yajl", "version": "2.1.0", - "downloadUrl": "https://github.com/lloyd/yajl/archive/refs/tags/2.1.0.tar.gz" + "downloadUrl": "https://github.com/lloyd/yajl/archive/2.1.0.tar.gz" } } }, @@ -8136,8 +9061,8 @@ "type": "other", "other": { "name": "zeromq", - "version": "4.3.2", - "downloadUrl": "https://github.com/zeromq/libzmq/archive/v4.3.2/libzmq-4.3.2.tar.gz" + "version": "4.3.4", + "downloadUrl": "https://github.com/zeromq/libzmq/releases/download/v4.3.4/zeromq-4.3.4.tar.gz" } } }, diff --git a/toolkit/Makefile b/toolkit/Makefile index 0ce58a0381..2af1c866b9 100644 --- a/toolkit/Makefile +++ b/toolkit/Makefile @@ -23,6 +23,7 @@ INCREMENTAL_TOOLCHAIN ?= n UPDATE_TOOLCHAIN_LIST ?= n REBUILD_PACKAGES ?= y DOWNLOAD_SRPMS ?= n +ALLOW_SRPM_DOWNLOAD_FAIL ?= n REBUILD_TOOLS ?= n RUN_CHECK ?= n USE_UPDATE_REPO ?= y @@ -43,6 +44,7 @@ CONCURRENT_PACKAGE_BUILDS ?= 0 NUM_OF_ANALYTICS_RESULTS ?= 10 CLEANUP_PACKAGE_BUILDS ?= y USE_PACKAGE_BUILD_CACHE ?= y +REBUILD_DEP_CHAINS ?= y # Folder defines toolkit_root := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))) diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md index cd443d8810..0869491919 100644 --- a/toolkit/docs/building/building.md +++ b/toolkit/docs/building/building.md @@ -6,7 +6,7 @@ - [Toolchain Stage](#toolchain-stage) - [Populate Toolchain](#populate-toolchain) - [Rebuild Toolchain](#rebuild-toolchain) - - [Package Stage](#package-stage) + - [Package Stage](#package-stage) - [Rebuild All Packages](#rebuild-all-packages) - [Rebuild Minimal Required Packages](#rebuild-minimal-required-packages) - [Image Stage](#image-stage) 
@@ -70,11 +70,11 @@ ## Overview -The following documentation describes how to fully build CBL-Mariner end-to-end as well as advanced techniques for performing toolchain, or package builds. Full builds of CBL-Mariner _**is not**_ generally needed. All CBL-Mariner packages are built signed and released to an RPM repository at [pacakages.microsoft.com](https://packages.microsoft.com/cbl-mariner/1.0/prod/) +The following documentation describes how to fully build CBL-Mariner end-to-end as well as advanced techniques for performing toolchain, or package builds. Full builds of CBL-Mariner _**is not**_ generally needed. All CBL-Mariner packages are built signed and released to an RPM repository at [pacakages.microsoft.com](https://packages.microsoft.com/cbl-mariner/1.0/prod/) However, to test-drive CBL-Mariner, building an ISO, VHD or VHDX _**is** currently_ required. There are two approaches. The fastest way to achieve this is through the [Quick Start Instructions](../quick_start/quickstart.md). This is recommended for anyone that just wants to run CBL-Mariner. The second, approach is to build a custom CBL-Mariner based image. This is recommended for developers that want to experiment with CBL-Mariner in a focused environment and is usually faster and easier than working with full CBL-Mariner builds. To work in a more focused environment, refer to the tutorial in the [CBL-MarinerDemo](https://github.com/microsoft/CBL-MarinerDemo) repository. -The CBL-Mariner build system consists of several phases and tools, but at a high level it can be viewed simply as 3 distinct build stages: +The CBL-Mariner build system consists of several phases and tools, but at a high level it can be viewed simply as 3 distinct build stages: - **Toolchain** This stage builds several compilers and tools needed in the subsequent package build stage. Building is serialized in this stage. 
@@ -117,7 +117,7 @@ Alternate branches are not generally buildable because community builds require The toolchain builds in two sub-phases. The first phase builds an initial _bootstrap_ toolchain which is then used to build the _final_ toolchain used in package building. In the first phase, the bootstrap toolchain downloads a series of source packages from upstream sources. The second phase downloads SRPMS from packages.microsoft.com. -For expediency, the toolchain may be populated from upstream binaries, or may be completely rebuilt. +For expediency, the toolchain may be populated from upstream binaries, or may be completely rebuilt. ### **Populate Toolchain** 
@@ -141,7 +141,7 @@ sudo make toolchain REBUILD_TOOLS=y REBUILD_TOOLCHAIN=y SOURCE_URL=https://cblma After the toolchain is built or populated, package building is possible. The CBL-Mariner ecosystem provides a significant number of packages, but most of those packages are not used in an image. When rebuilding packages, you can choose to build everything, or you can choose to build just what you need for a specific image. This can save significant time because only the subset of the CBL-Mariner packages needed for an image are built. -The CONFIG_FILE argument provides a quick way to declare what to build. To manually build **all** packages you can clear the configuration with `CONFIG_FILE=` and invoke the package build target. To build packages needed for a specific image, you must set the CONFIG_FILE= parameter to an image configuration file of your choice. The standard image configuration files are in the toolkit/imageconfigs folder. +The CONFIG_FILE argument provides a quick way to declare what to build. To manually build **all** packages you can clear the configuration with `CONFIG_FILE=` and invoke the package build target. To build packages needed for a specific image, you must set the CONFIG_FILE= parameter to an image configuration file of your choice. The standard image configuration files are in the toolkit/imageconfigs folder. Large parts of the package build stage are parallelized. Enable this by setting the `-j` flag for `make` to the number of parallel jobs to allow. (Recommend setting this value to the number of logical cores available on your system, or less) 
@@ -174,7 +174,7 @@ Note that the image build commands in [Build Images](#build-images) will **autom ## **Image Stage** -Different images and image formats can be produced from the build system. Images are assembled from a combination of _Image Configuration_ files and _Package list_ files. Each [Package List](https://github.com/microsoft/CBL-MarinerDemo#package-lists) file (in [toolkit/imageconfigs/packagelists](https://github.com/microsoft/CBL-Mariner/tree/1.0/toolkit/imageconfigs/packagelists)) describes a set of packages to install in an image. Each Image Configuration file defines the image output format and selects one or more Package Lists to include in the image. +Different images and image formats can be produced from the build system. Images are assembled from a combination of _Image Configuration_ files and _Package list_ files. Each [Package List](https://github.com/microsoft/CBL-MarinerDemo#package-lists) file (in [toolkit/imageconfigs/packagelists](https://github.com/microsoft/CBL-Mariner/tree/1.0/toolkit/imageconfigs/packagelists)) describes a set of packages to install in an image. Each Image Configuration file defines the image output format and selects one or more Package Lists to include in the image. All images are generated in the `out/images` folder. 
@@ -379,7 +379,13 @@ If that is not desired all remote sources can be disabled by clearing the follow #### `REPO_LIST=...` -> List of RPM repositories to pull packages from. These packages are used to satisfy dependencies during the build process, and to compose a final image. Locally available packages are always prioritized. The repos are prioritized based on the order they appear in the list: Repos earlier in the list are higher priority. +> List of RPM repositories to pull packages from. These packages are used to satisfy dependencies during the build process, and to compose a final image. Locally available packages are always prioritized. The repos are prioritized based on the order they appear in the list: repos earlier in the list are higher priority. CBL-Mariner provides a set of pre-populated RPM repositories accessible inside the toolkit folder under `toolkit/repos`: +> +> - `mariner-official-base.repo` and `mariner-official-update.repo` - default, always-on CBL-Mariner repositories. +> - `mariner-preview.repo` - CBL-Mariner repository containing pre-release versions of RPMs **subject to change without notice**. Using this .repo file is equivallent to adding the [`USE_PREVIEW_REPO=y`](#use_preview_repoy) argument to your build command. +> - `mariner-ui.repo` and `mariner-ui-preview.repo` - CBL-Mariner repository containing packages related to any UI components. The preview version serves the same purpose as the official preview repo. +> - `mariner-extras.repo` and `mariner-extras-preview.repo` - CBL-Mariner repository containing proprietory RPMs with sources not viewable to the public. The preview version serves the same purpose as the official preview repo. +> #### Build Enable/Disable Flags 
@@ -523,15 +529,17 @@ By default the build system will pull the highest possible version of external p ### Build Summaries -The build system supports this behavior through summary files, a JSON representation of packages consumed during a build. By referencing these summary files, the build system can consume the exact same version of external packages later on. +The build system supports this behavior through summary files, a JSON representation of packages consumed during a build. By referencing these summary files, the build system can consume the exact same version of packages later on. Since the summary files are regenerated every build, if you wish to reproduce a build, you should save the summary files to another location for future use. | Type of Build | Summary File Location | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- -| Package Build | `$(PKGBUILD_DIR)/graph_external_deps.json` | Generated every package build. Can be saved and used later with the `$(PACKAGE_CACHE_SUMMARY)` variable to reproduce a package build. -| Image Build | `$(IMAGEGEN_DIR)/{imagename}/image_deps.json` | Generated every image build. Can be saved and used later with the `$(IMAGE_CACHE_SUMMARY)` variable to reproduce an image build. -| Initrd Build | `$(IMAGEGEN_DIR)/iso_initrd/image_deps.json` | Generated every initrd and ISO build. Can be saved and used later with the `$(INITRD_CACHE_SUMMARY)` variable to reproduce an initrd build. +| Package Build | `$(PKGBUILD_DIR)/graph_external_deps.json` | Generated every package build. Can be saved and used later with the `PACKAGE_CACHE_SUMMARY` variable to reproduce a package build. Contains **only the external** packages required to build the local packages. +| Image Build | `$(IMAGEGEN_DIR)/{imagename}/image_deps.json` | Generated every image build. 
Can be saved and used later with the `IMAGE_CACHE_SUMMARY` variable to reproduce an image build. Contains **all (both external and local)** packages required to build the image. +| Initrd Build | `$(IMAGEGEN_DIR)/iso_initrd/image_deps.json` | Generated every initrd and ISO build. Can be saved and used later with the `INITRD_CACHE_SUMMARY` variable to reproduce an initrd build. Contains **all (both external and local)** packages required to build the image. However, unless you modified the initrd image packages JSON or have your own version of its PMC packages locally, all the required packages are external. + +**WARNING**: the `graph_external_deps.json` contains **ALL** external packages required to build your local spec files. If you depend on any external packages outside the core Mariner's PMC repository, you **MUST** make sure you still have access to them when attempting to reproduce a build. ### Building From Summaries 
@@ -540,7 +548,7 @@ To reproduce a build, there are four constraints: 1. The local SPEC files must be the same. That is, you cannot reproduce a build having modified any of the local SPEC files since when the summary files were generated. 2. What is being built must be the same. That is, if the summary files were generated from an image build then the reproduced build must be building the exact same image configuration. 3. The toolkit version must be the same. That is, if the summary files were generated from a `1.0` toolkit, then the reproduced build must be done using the `1.0` toolkit. -4. The builds must be from clean. Both the build that generated the summary files and the reproduced build must be done from a clean state, otherwise there may be leftover files that affect the summary files. +4. The builds must be from clean. Both the build that generated the summary files and the reproduced build must be done from a clean state, otherwise there may be leftover files that affect the summary files. The only exception is the mentioned case of using external packages not present in the PMC repository - in this case you'll need to pre-populate the local cache with these packages after cleaning your repository, but before running the build. If the above constraints are met then a build can be reproduced from summary files. 
@@ -573,7 +581,7 @@ To reproduce an ISO build, run the same make invocation as before, but set: | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- -| CONFIG_FILE | `$(RESOURCES_DIR)`/imageconfigs/core-efi/core-efi.json | Image config file to build. +| CONFIG_FILE | `$(RESOURCES_DIR)`/imageconfigs/core-efi/core-efi.json | [Image config file](https://github.com/microsoft/CBL-MarinerDemo#image-config-file) to build. | CONFIG_BASE_DIR | `$(dir $(CONFIG_FILE))` | Base directory on the **build machine** to search for any **relative** file paths mentioned inside the [image config file](https://github.com/microsoft/CBL-MarinerDemo#image-config-file). This has no effect on **absolute** file paths or file paths on the **built image**. | UNATTENDED_INSTALLER | | Create unattended ISO installer if set. Overrides all other installer options. | PACKAGE_BUILD_LIST | | Additional packages to build. The package will be skipped if the build system thinks it is already up-to-date. @@ -629,6 +637,7 @@ To reproduce an ISO build, run the same make invocation as before, but set: | CLEANUP_PACKAGE_BUILDS | y | Cleanup a package build's working directory when it finishes. Note that `build` directory will still be removed on a successful package build even when this is turned off. | USE_PACKAGE_BUILD_CACHE | y | Skip building a package if it and its dependencies are already built. | NUM_OF_ANALYTICS_RESULTS | 10 | The number of entries to print when using the `graphanalytics` tool. If set to 0 this will print all available results. +| REBUILD_DEP_CHAINS | y | Rebuild packages if their dependencies need to be built, even though the package has already been built. --- diff --git a/toolkit/docs/nvidia/mariner-nvidia.repo b/toolkit/docs/nvidia/mariner-nvidia.repo new file mode 100644 index 0000000000..33ba657e50 --- /dev/null 
+++ b/toolkit/docs/nvidia/mariner-nvidia.repo
@@ -0,0 +1,9 @@
+[mariner-official-nvidia]
+name=CBL-Mariner Official Nvidia $releasever $basearch
+baseurl=https://packages.microsoft.com/cbl-mariner/$releasever/prod/NVIDIA/$basearch/rpms
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
\ No newline at end of file
diff --git a/toolkit/docs/nvidia/nvidia.md b/toolkit/docs/nvidia/nvidia.md
new file mode 100644
index 0000000000..0ee5eb0a73
--- /dev/null
+++ b/toolkit/docs/nvidia/nvidia.md
@@ -0,0 +1,19 @@
+# Nvidia Repository Configuration
+
+## Overview
+The following documentation describes how to access CBL-Mariner packages from the NVIDIA RPM repository at [packages.microsoft.com](https://packages.microsoft.com/cbl-mariner/1.0/prod/NVIDIA/)
+
+## Licensing
+The software in the NVIDIA RPM repository is subject to the following:
+
+> NVIDIA Software. The software may include components developed and owned by NVIDIA Corporation or its licensors. The use of these components is governed by the NVIDIA end user license agreement located at [https://www.nvidia.com/content/DriverDownload-March2009/licence.php?lang=us](https://www.nvidia.com/content/DriverDownload-March2009/licence.php?lang=us).
+
+## Instructions
+The following instructions register the nvidia package store with the package manager.
+```ls
+# Navigate to the package manager configuration file directory
+cd /etc/yum.repos.d
+
+# Copy the configuration to your directory to register the NVIDIA RPM repository with your package manager
+sudo wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/toolkit/docs/nvidia/mariner-nvidia.repo
+```
diff --git a/toolkit/docs/quick_start/quickstart.md b/toolkit/docs/quick_start/quickstart.md
index 19f44a22bf..6908c341df 100644
--- a/toolkit/docs/quick_start/quickstart.md
+++ b/toolkit/docs/quick_start/quickstart.md
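Review bot: The `wget` URL in the Instructions block of nvidia.md appears to be missing its branch or tag segment: raw.githubusercontent.com paths take the form owner/repo/ref/path, so `microsoft/CBL-Mariner/toolkit/docs/...` would treat `toolkit` as the ref and most likely fail to resolve. Because the downloaded file is written into `/etc/yum.repos.d` as root and defines a package source, I would point it at a fixed release tag rather than a moving branch, e.g. `sudo wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/<release-tag>/toolkit/docs/nvidia/mariner-nvidia.repo`. The page should also say that the two key files named in `gpgkey=` of mariner-nvidia.repo must already be installed, since `gpgcheck=1` and `repo_gpgcheck=1` depend on them. The fence tag `ls` is not a language name; `bash` would highlight correctly.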
@@ -67,7 +67,7 @@ Copy your binary image(s) to your VM Host Machine using your preferred technique **[Gen2/VHDX Only] Fix Boot Options** 1. Right click your virtual machine from Hyper-V Manager 1. Select _Settings..._. -1. Select Security and disable _Enable Secure Boot_. +1. Select Security and under _Template:_ select _Microsoft UEFI Certificate Authority_. 1. Select the SCSI Controller from the Hardware panel. 1. Select DVD Drive and press Add. @@ -120,7 +120,7 @@ Copy your binary image(s) to your VM Host Machine using your preferred technique 1. Right click your virtual machine from Hyper-V Manager 1. Select _Settings..._ -1. Select Security and disable _Enable Secure Boot_. +1. Select Security and under _Template:_ select _Microsoft UEFI Certificate Authority_. 1. Select Firmware and adjust the boot order so DVD is first and Hard Drive is second. 1. Select _Apply_ to apply all changes. diff --git a/toolkit/docs/security/security-features.md b/toolkit/docs/security/security-features.md index 05a0d351b4..219441db0b 100644 --- a/toolkit/docs/security/security-features.md +++ b/toolkit/docs/security/security-features.md @@ -59,6 +59,7 @@ | | Password hashing | By default | SHA-512 | | Filesystem Capabilities | Available | [Capabilities](https://github.com/torvalds/linux/blob/master/Documentation/security/credentials.rst) and [chattr](https://sourceforge.net/p/e2fsprogs/code/ci/master/tree/misc/chattr.c) | | Tamper Resistant Logs | Available | [journalctl --verify](https://www.freedesktop.org/software/systemd/man/journalctl.html) +| | Kernel Lockdown | Integrity mode by default | [kernel lockdown](https://github.com/torvalds/linux/blob/master/security/lockdown/Kconfig) # References diff --git a/toolkit/imageconfigs/additionalconfigs/cloud-init.cfg b/toolkit/imageconfigs/additionalconfigs/cloud-init.cfg new file mode 100644 index 0000000000..531f338cc8 --- /dev/null +++ b/toolkit/imageconfigs/additionalconfigs/cloud-init.cfg 
@@ -0,0 +1,91 @@ +# The top level settings are used as module +# and system configuration. + +# A set of users which may be applied and/or used by various modules +# when a 'default' entry is found it will reference the 'default_user' +# from the distro configuration specified below +users: + - default + - name: root + lock-passwd: false + +# If this is set, 'root' will not be able to ssh in and they +# will get a message to login instead as the above $user (ubuntu) +disable_root: false + +#Vmware guest customization. +disable_vmware_customization: true + +# This will cause the set+update hostname module to not operate (if true) +preserve_hostname: false + +# datasources to check for cloud-config +datasource_list: [ + Azure, + NoCloud, + None + ] + +# Example datasource config +# datasource: +# Ec2: +# metadata_urls: [ 'blah.com' ] +# timeout: 5 # (defaults to 50 seconds) +# max_wait: 10 # (defaults to 120 seconds) + +# The modules that run in the 'init' stage +cloud_init_modules: + - bootcmd + - write-files + - growpart + - resizefs + - disk_setup + - mounts + - set_hostname + - update_hostname + - update_etc_hosts + - rsyslog + - users-groups + - ssh + +# The modules that run in the 'config' stage +cloud_config_modules: +# Emit the cloud config ready event +# this can be used by upstart jobs for 'start on cloud-config'. 
+ - ssh-import-id + - set-passwords + - package-update-upgrade-install + - runcmd + - yum-add-repo + +# The modules that run in the 'final' stage +cloud_final_modules: + - scripts-vendor + - scripts-per-once + - scripts-per-boot + - scripts-per-instance + - scripts-user + - ssh-authkey-fingerprints + - final-message + +# System and/or distro specific settings +# (not accessible to handlers/transforms) +system_info: + # This will affect which distro class gets used + distro: mariner + # Default user name + that default users groups (if added/used) + default_user: + name: mariner + lock_passwd: true + gecos: Mariner + groups: [sudo, docker] + sudo: ["ALL=(ALL) NOPASSWD:ALL"] + shell: /bin/bash + # Automatically discover the best ntp_client + ntp_client: auto + # Other config here will be given to the distro class and/or path classes + paths: + cloud_dir: /var/lib/cloud/ + templates_dir: /etc/cloud/templates/ + + ssh_svcname: sshd diff --git a/toolkit/imageconfigs/additionalconfigs/configure-image.sh b/toolkit/imageconfigs/additionalconfigs/configure-image.sh new file mode 100755 index 0000000000..896fed1675 --- /dev/null +++ b/toolkit/imageconfigs/additionalconfigs/configure-image.sh @@ -0,0 +1,2 @@ +echo Enabling service for Azure Serial Console +systemctl enable serial-getty@ttyS0.service diff --git a/toolkit/imageconfigs/marketplace-gen1.json b/toolkit/imageconfigs/marketplace-gen1.json new file mode 100644 index 0000000000..35636be9e3 --- /dev/null +++ b/toolkit/imageconfigs/marketplace-gen1.json 
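Review bot: The new cloud-init.cfg leaves the root account open: the `users:` list adds `- name: root` with `lock-passwd: false`, and `disable_root: false` is set, which by the file's own comment means root is permitted to SSH in. Both marketplace image configs in this commit copy this file to `/etc/cloud/cloud.cfg`, and the default `mariner` user already receives `ALL=(ALL) NOPASSWD:ALL`, so unless a specific provisioning path needs direct root login I would set `disable_root: true` and drop the root entry. The comment above `disable_root` still refers to `(ubuntu)` and should name the `mariner` default user. The key is spelled `lock-passwd` under `users:` but `lock_passwd` under `default_user`; using one spelling throughout would avoid depending on both being accepted.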
@@ -0,0 +1,66 @@ +{ + "Disks": [ + { + "PartitionTableType": "gpt", + "MaxSize": 1500, + "Artifacts": [ + { + "Name": "cblmariner-gen1", + "Type": "vhd" + } + ], + "Partitions": [ + { + "ID": "boot", + "Flags": [ + "grub" + ], + "Start": 1, + "End": 9, + "FsType": "fat32" + }, + { + "ID": "rootfs", + "Start": 9, + "End": 0, + "FsType": "ext4" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "Standard", + "BootType": "legacy", + "PartitionSettings": [ + { + "ID": "boot", + "MountPoint": "" + }, + { + "ID": "rootfs", + "MountPoint": "/" + } + ], + "PackageLists": [ + "packagelists/core-packages-image.json", + "packagelists/azurevm-packages.json" + ], + "AdditionalFiles": { + "additionalconfigs/cloud-init.cfg": "/etc/cloud/cloud.cfg" + }, + "PostInstallScripts": [ + { + "Path": "additionalconfigs/configure-image.sh" + } + ], + "KernelOptions": { + "default": "kernel" + }, + "KernelCommandLine": { + "ExtraCommandLine": "console=ttyS0" + }, + "Hostname": "cbl-mariner" + } + ] +} diff --git a/toolkit/imageconfigs/marketplace-gen2.json b/toolkit/imageconfigs/marketplace-gen2.json new file mode 100644 index 0000000000..93c28f4c22 --- /dev/null +++ b/toolkit/imageconfigs/marketplace-gen2.json 
@@ -0,0 +1,68 @@ +{ + "Disks": [ + { + "PartitionTableType": "gpt", + "MaxSize": 1500, + "Artifacts": [ + { + "Name": "cblmariner-gen2", + "Type": "vhd" + } + ], + "Partitions": [ + { + "ID": "boot", + "Flags": [ + "esp", + "boot" + ], + "Start": 1, + "End": 9, + "FsType": "fat32" + }, + { + "ID": "rootfs", + "Start": 9, + "End": 0, + "FsType": "ext4" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "Standard", + "BootType": "efi", + "PartitionSettings": [ + { + "ID": "boot", + "MountPoint": "/boot/efi", + "MountOptions" : "umask=0077" + }, + { + "ID": "rootfs", + "MountPoint": "/" + } + ], + "PackageLists": [ + "packagelists/core-packages-image.json", + "packagelists/azurevm-packages.json" + ], + "AdditionalFiles": { + "additionalconfigs/cloud-init.cfg": "/etc/cloud/cloud.cfg" + }, + "PostInstallScripts": [ + { + "Path": "additionalconfigs/configure-image.sh" + } + ], + "KernelOptions": { + "default": "kernel" + }, + "KernelCommandLine": { + "ExtraCommandLine": "console=ttyS0" + }, + "Hostname": "cbl-mariner" + } + ] +} diff --git a/toolkit/imageconfigs/packagelists/azurevm-packages.json b/toolkit/imageconfigs/packagelists/azurevm-packages.json new file mode 100644 index 0000000000..6a039f7360 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/azurevm-packages.json @@ -0,0 +1,10 @@ +{ + "packages": [ + "cloud-init", + "cloud-utils-growpart", + "dhcp-client", + "hyperv-daemons", + "openssh-server", + "WALinuxAgent" + ] +} diff --git a/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json index 15aff253e4..f72872a617 100644 --- a/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json +++ b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json @@ -3,6 +3,8 @@ "shim-unsigned", "grub2-efi-binary", "ca-certificates", + "cronie", + "logrotate", "core-packages-base-image", "initramfs" ], 
diff --git a/toolkit/imageconfigs/packagelists/core-packages-image.json b/toolkit/imageconfigs/packagelists/core-packages-image.json index 865b8595e2..6125487baa 100644 --- a/toolkit/imageconfigs/packagelists/core-packages-image.json +++ b/toolkit/imageconfigs/packagelists/core-packages-image.json @@ -3,6 +3,8 @@ "shim", "grub2-efi-binary", "ca-certificates", + "cronie", + "logrotate", "core-packages-base-image", "initramfs" ], diff --git a/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg b/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg index 98d8356b4b..49bd713f4b 100644 --- a/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg +++ b/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg @@ -4,6 +4,6 @@ set timeout=0 # but it is observed to be needed to boot on some hardware/SoCs. menuentry "CBL-Mariner" { search --label CDROM --set root - linux /isolinux/vmlinuz root=/dev/ram0 loglevel=3 mariner.media=CDROM + linux /isolinux/vmlinuz root=/dev/ram0 loglevel=3 mariner.media=CDROM lockdown=integrity initrd /isolinux/initrd.img } diff --git a/toolkit/resources/assets/meta-user-data/user-data b/toolkit/resources/assets/meta-user-data/user-data index 4d7c7d27cc..f5b6402000 100644 --- a/toolkit/resources/assets/meta-user-data/user-data +++ b/toolkit/resources/assets/meta-user-data/user-data @@ -20,4 +20,6 @@ packages: - openssh-server runcmd: - sudo systemctl start sshd + - sudo systemctl stop waagent || true + - sudo systemctl disable waagent || true \ No newline at end of file diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 0aac50bedd..225bd7279b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,19 +1,19 @@ filesystem-1.1-8.cm2.aarch64.rpm -kernel-headers-5.10.28.1-6.cm2.noarch.rpm -glibc-2.28-17.cm2.aarch64.rpm -glibc-devel-2.28-17.cm2.aarch64.rpm -glibc-i18n-2.28-17.cm2.aarch64.rpm -glibc-iconv-2.28-17.cm2.aarch64.rpm -glibc-lang-2.28-17.cm2.aarch64.rpm -glibc-nscd-2.28-17.cm2.aarch64.rpm -glibc-tools-2.28-17.cm2.aarch64.rpm +kernel-headers-5.10.52.1-1.cm2.noarch.rpm +glibc-2.28-18.cm2.aarch64.rpm +glibc-devel-2.28-18.cm2.aarch64.rpm +glibc-i18n-2.28-18.cm2.aarch64.rpm +glibc-iconv-2.28-18.cm2.aarch64.rpm +glibc-lang-2.28-18.cm2.aarch64.rpm +glibc-nscd-2.28-18.cm2.aarch64.rpm +glibc-tools-2.28-18.cm2.aarch64.rpm zlib-1.2.11-5.cm2.aarch64.rpm zlib-devel-1.2.11-5.cm2.aarch64.rpm file-5.38-2.cm2.aarch64.rpm file-devel-5.38-2.cm2.aarch64.rpm file-libs-5.38-2.cm2.aarch64.rpm -binutils-2.32-5.cm2.aarch64.rpm -binutils-devel-2.32-5.cm2.aarch64.rpm +binutils-2.36.1-1.cm2.aarch64.rpm +binutils-devel-2.36.1-1.cm2.aarch64.rpm gmp-6.1.2-5.cm2.aarch64.rpm gmp-devel-6.1.2-5.cm2.aarch64.rpm mpfr-4.0.1-3.cm2.aarch64.rpm @@ -39,8 +39,8 @@ ncurses-libs-6.2-4.cm2.aarch64.rpm ncurses-term-6.2-4.cm2.aarch64.rpm readline-7.0-5.cm2.aarch64.rpm readline-devel-7.0-5.cm2.aarch64.rpm -coreutils-8.30-8.cm2.aarch64.rpm -coreutils-lang-8.30-8.cm2.aarch64.rpm +coreutils-8.30-10.cm2.aarch64.rpm +coreutils-lang-8.30-10.cm2.aarch64.rpm bash-4.4.18-7.cm2.aarch64.rpm bash-devel-4.4.18-7.cm2.aarch64.rpm bash-lang-4.4.18-7.cm2.aarch64.rpm @@ -53,8 +53,8 @@ procps-ng-3.3.15-5.cm2.aarch64.rpm procps-ng-devel-3.3.15-5.cm2.aarch64.rpm procps-ng-lang-3.3.15-5.cm2.aarch64.rpm m4-1.4.18-4.cm2.aarch64.rpm -grep-3.1-4.cm2.aarch64.rpm -grep-lang-3.1-4.cm2.aarch64.rpm +grep-3.1-5.cm2.aarch64.rpm +grep-lang-3.1-5.cm2.aarch64.rpm diffutils-3.6-4.cm2.aarch64.rpm gawk-4.2.1-4.cm2.aarch64.rpm findutils-4.6.0-7.cm2.aarch64.rpm 
@@ -87,9 +87,9 @@ nspr-devel-4.21-2.cm2.aarch64.rpm sqlite-3.34.1-1.cm2.aarch64.rpm sqlite-devel-3.34.1-1.cm2.aarch64.rpm sqlite-libs-3.34.1-1.cm2.aarch64.rpm -nss-3.44-4.cm2.aarch64.rpm -nss-devel-3.44-4.cm2.aarch64.rpm -nss-libs-3.44-4.cm2.aarch64.rpm +nss-3.44-7.cm2.aarch64.rpm +nss-devel-3.44-7.cm2.aarch64.rpm +nss-libs-3.44-7.cm2.aarch64.rpm elfutils-0.176-4.cm2.aarch64.rpm elfutils-devel-0.176-4.cm2.aarch64.rpm elfutils-devel-static-0.176-4.cm2.aarch64.rpm @@ -164,14 +164,15 @@ perl-vars-1.05-463.cm2.noarch.rpm texinfo-6.5-8.cm2.aarch64.rpm autoconf-2.69-11.cm2.noarch.rpm automake-1.16.1-3.cm2.noarch.rpm -openssl-1.1.1k-2.cm2.aarch64.rpm -openssl-devel-1.1.1k-2.cm2.aarch64.rpm -openssl-libs-1.1.1k-2.cm2.aarch64.rpm -openssl-perl-1.1.1k-2.cm2.aarch64.rpm -openssl-static-1.1.1k-2.cm2.aarch64.rpm -openssl-debuginfo-1.1.1k-2.cm2.aarch64.rpm +openssl-1.1.1k-5.cm2.aarch64.rpm +openssl-devel-1.1.1k-5.cm2.aarch64.rpm +openssl-libs-1.1.1k-5.cm2.aarch64.rpm +openssl-perl-1.1.1k-5.cm2.aarch64.rpm +openssl-static-1.1.1k-5.cm2.aarch64.rpm +openssl-debuginfo-1.1.1k-5.cm2.aarch64.rpm libcap-2.26-2.cm2.aarch64.rpm libcap-devel-2.26-2.cm2.aarch64.rpm +libcap-ng-0.7.9-4.cm2.aarch64.rpm libdb-5.3.28-5.cm2.aarch64.rpm libdb-devel-5.3.28-5.cm2.aarch64.rpm libdb-docs-5.3.28-5.cm2.aarch64.rpm 
@@ -188,21 +189,21 @@ libsolv-0.7.7-4.cm2.aarch64.rpm libsolv-devel-0.7.7-4.cm2.aarch64.rpm libssh2-1.9.0-1.cm2.aarch64.rpm libssh2-devel-1.9.0-1.cm2.aarch64.rpm -curl-7.76.0-2.cm2.aarch64.rpm -curl-devel-7.76.0-2.cm2.aarch64.rpm -curl-libs-7.76.0-2.cm2.aarch64.rpm +curl-7.76.0-5.cm2.aarch64.rpm +curl-devel-7.76.0-5.cm2.aarch64.rpm +curl-libs-7.76.0-5.cm2.aarch64.rpm tdnf-2.1.0-7.cm2.aarch64.rpm tdnf-cli-libs-2.1.0-7.cm2.aarch64.rpm tdnf-devel-2.1.0-7.cm2.aarch64.rpm tdnf-plugin-repogpgcheck-2.1.0-7.cm2.aarch64.rpm createrepo_c-0.11.1-6.cm2.aarch64.rpm -libxml2-2.9.10-8.cm2.aarch64.rpm -libxml2-devel-2.9.10-8.cm2.aarch64.rpm -libsepol-3.1-1.cm2.aarch64.rpm -libselinux-2.9-6.cm2.aarch64.rpm +libxml2-2.9.12-2.cm2.aarch64.rpm +libxml2-devel-2.9.12-2.cm2.aarch64.rpm +libsepol-3.2-1.cm2.aarch64.rpm glib-2.60.1-5.cm2.aarch64.rpm libltdl-2.4.6-7.cm2.aarch64.rpm libltdl-devel-2.4.6-7.cm2.aarch64.rpm +pcre-8.44-3.cm2.aarch64.rpm pcre-libs-8.44-3.cm2.aarch64.rpm krb5-1.18-1.cm2.aarch64.rpm lua-5.3.5-11.cm2.aarch64.rpm @@ -211,7 +212,7 @@ mariner-rpm-macros-2.0-2.cm2.noarch.rpm mariner-check-macros-2.0-2.cm2.noarch.rpm libassuan-2.5.1-5.cm2.aarch64.rpm libgpg-error-1.32-5.cm2.aarch64.rpm -libgcrypt-1.8.7-1.cm2.aarch64.rpm +libgcrypt-1.8.7-2.cm2.aarch64.rpm libksba-1.3.5-4.cm2.aarch64.rpm npth-1.6-3.cm2.aarch64.rpm pinentry-1.1.0-3.cm2.aarch64.rpm 
@@ -224,15 +225,18 @@ libffi-devel-3.2.1-12.cm2.aarch64.rpm libtasn1-4.14-3.cm2.aarch64.rpm p11-kit-0.23.22-2.cm2.aarch64.rpm p11-kit-trust-0.23.22-2.cm2.aarch64.rpm -ca-certificates-shared-20200720-13.cm2.noarch.rpm -ca-certificates-tools-20200720-13.cm2.noarch.rpm -ca-certificates-base-20200720-13.cm2.noarch.rpm +ca-certificates-shared-20200720-15.cm2.noarch.rpm +ca-certificates-tools-20200720-15.cm2.noarch.rpm +ca-certificates-base-20200720-15.cm2.noarch.rpm dwz-0.13-4.cm2.aarch64.rpm unzip-6.0-19.cm2.aarch64.rpm -python3-3.7.10-1.cm2.aarch64.rpm -python3-devel-3.7.10-1.cm2.aarch64.rpm -python3-libs-3.7.10-1.cm2.aarch64.rpm -python3-setuptools-3.7.10-1.cm2.noarch.rpm -python3-xml-3.7.10-1.cm2.aarch64.rpm -systemd-rpm-macros-239-40.cm2.noarch.rpm +python3-3.7.10-3.cm2.aarch64.rpm +python3-audit-3.0-6.cm2.aarch64.rpm +python3-devel-3.7.10-3.cm2.aarch64.rpm +python3-libcap-ng-0.7.9-4.cm2.aarch64.rpm +python3-libs-3.7.10-3.cm2.aarch64.rpm +python3-setuptools-3.7.10-3.cm2.noarch.rpm +python3-xml-3.7.10-3.cm2.aarch64.rpm +systemd-rpm-macros-239-41.cm2.noarch.rpm which-2.21-7.cm2.aarch64.rpm +libselinux-3.2-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 7029226a94..4e5321ebe4 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,19 +1,19 @@ filesystem-1.1-8.cm2.x86_64.rpm -kernel-headers-5.10.28.1-6.cm2.noarch.rpm -glibc-2.28-17.cm2.x86_64.rpm -glibc-devel-2.28-17.cm2.x86_64.rpm -glibc-i18n-2.28-17.cm2.x86_64.rpm -glibc-iconv-2.28-17.cm2.x86_64.rpm -glibc-lang-2.28-17.cm2.x86_64.rpm -glibc-nscd-2.28-17.cm2.x86_64.rpm -glibc-tools-2.28-17.cm2.x86_64.rpm +kernel-headers-5.10.52.1-1.cm2.noarch.rpm +glibc-2.28-18.cm2.x86_64.rpm +glibc-devel-2.28-18.cm2.x86_64.rpm +glibc-i18n-2.28-18.cm2.x86_64.rpm +glibc-iconv-2.28-18.cm2.x86_64.rpm +glibc-lang-2.28-18.cm2.x86_64.rpm +glibc-nscd-2.28-18.cm2.x86_64.rpm +glibc-tools-2.28-18.cm2.x86_64.rpm zlib-1.2.11-5.cm2.x86_64.rpm zlib-devel-1.2.11-5.cm2.x86_64.rpm file-5.38-2.cm2.x86_64.rpm file-devel-5.38-2.cm2.x86_64.rpm file-libs-5.38-2.cm2.x86_64.rpm -binutils-2.32-5.cm2.x86_64.rpm -binutils-devel-2.32-5.cm2.x86_64.rpm +binutils-2.36.1-1.cm2.x86_64.rpm +binutils-devel-2.36.1-1.cm2.x86_64.rpm gmp-6.1.2-5.cm2.x86_64.rpm gmp-devel-6.1.2-5.cm2.x86_64.rpm mpfr-4.0.1-3.cm2.x86_64.rpm @@ -39,8 +39,8 @@ ncurses-libs-6.2-4.cm2.x86_64.rpm ncurses-term-6.2-4.cm2.x86_64.rpm readline-7.0-5.cm2.x86_64.rpm readline-devel-7.0-5.cm2.x86_64.rpm -coreutils-8.30-8.cm2.x86_64.rpm -coreutils-lang-8.30-8.cm2.x86_64.rpm +coreutils-8.30-10.cm2.x86_64.rpm +coreutils-lang-8.30-10.cm2.x86_64.rpm bash-4.4.18-7.cm2.x86_64.rpm bash-devel-4.4.18-7.cm2.x86_64.rpm bash-lang-4.4.18-7.cm2.x86_64.rpm @@ -53,8 +53,8 @@ procps-ng-3.3.15-5.cm2.x86_64.rpm procps-ng-devel-3.3.15-5.cm2.x86_64.rpm procps-ng-lang-3.3.15-5.cm2.x86_64.rpm m4-1.4.18-4.cm2.x86_64.rpm -grep-3.1-4.cm2.x86_64.rpm -grep-lang-3.1-4.cm2.x86_64.rpm +grep-3.1-5.cm2.x86_64.rpm +grep-lang-3.1-5.cm2.x86_64.rpm diffutils-3.6-4.cm2.x86_64.rpm gawk-4.2.1-4.cm2.x86_64.rpm findutils-4.6.0-7.cm2.x86_64.rpm 
@@ -87,9 +87,9 @@ nspr-devel-4.21-2.cm2.x86_64.rpm sqlite-3.34.1-1.cm2.x86_64.rpm sqlite-devel-3.34.1-1.cm2.x86_64.rpm sqlite-libs-3.34.1-1.cm2.x86_64.rpm -nss-3.44-4.cm2.x86_64.rpm -nss-devel-3.44-4.cm2.x86_64.rpm -nss-libs-3.44-4.cm2.x86_64.rpm +nss-3.44-7.cm2.x86_64.rpm +nss-devel-3.44-7.cm2.x86_64.rpm +nss-libs-3.44-7.cm2.x86_64.rpm elfutils-0.176-4.cm2.x86_64.rpm elfutils-devel-0.176-4.cm2.x86_64.rpm elfutils-devel-static-0.176-4.cm2.x86_64.rpm @@ -164,14 +164,15 @@ perl-vars-1.05-463.cm2.noarch.rpm texinfo-6.5-8.cm2.x86_64.rpm autoconf-2.69-11.cm2.noarch.rpm automake-1.16.1-3.cm2.noarch.rpm -openssl-1.1.1k-2.cm2.x86_64.rpm -openssl-devel-1.1.1k-2.cm2.x86_64.rpm -openssl-libs-1.1.1k-2.cm2.x86_64.rpm -openssl-perl-1.1.1k-2.cm2.x86_64.rpm -openssl-static-1.1.1k-2.cm2.x86_64.rpm -openssl-debuginfo-1.1.1k-2.cm2.x86_64.rpm +openssl-1.1.1k-5.cm2.x86_64.rpm +openssl-devel-1.1.1k-5.cm2.x86_64.rpm +openssl-libs-1.1.1k-5.cm2.x86_64.rpm +openssl-perl-1.1.1k-5.cm2.x86_64.rpm +openssl-static-1.1.1k-5.cm2.x86_64.rpm +openssl-debuginfo-1.1.1k-5.cm2.x86_64.rpm libcap-2.26-2.cm2.x86_64.rpm libcap-devel-2.26-2.cm2.x86_64.rpm +libcap-ng-0.7.9-4.cm2.x86_64.rpm libdb-5.3.28-5.cm2.x86_64.rpm libdb-devel-5.3.28-5.cm2.x86_64.rpm libdb-docs-5.3.28-5.cm2.x86_64.rpm 
@@ -188,21 +189,21 @@ libsolv-0.7.7-4.cm2.x86_64.rpm libsolv-devel-0.7.7-4.cm2.x86_64.rpm libssh2-1.9.0-1.cm2.x86_64.rpm libssh2-devel-1.9.0-1.cm2.x86_64.rpm -curl-7.76.0-2.cm2.x86_64.rpm -curl-devel-7.76.0-2.cm2.x86_64.rpm -curl-libs-7.76.0-2.cm2.x86_64.rpm +curl-7.76.0-5.cm2.x86_64.rpm +curl-devel-7.76.0-5.cm2.x86_64.rpm +curl-libs-7.76.0-5.cm2.x86_64.rpm tdnf-2.1.0-7.cm2.x86_64.rpm tdnf-cli-libs-2.1.0-7.cm2.x86_64.rpm tdnf-devel-2.1.0-7.cm2.x86_64.rpm tdnf-plugin-repogpgcheck-2.1.0-7.cm2.x86_64.rpm createrepo_c-0.11.1-6.cm2.x86_64.rpm -libxml2-2.9.10-8.cm2.x86_64.rpm -libxml2-devel-2.9.10-8.cm2.x86_64.rpm -libsepol-3.1-1.cm2.x86_64.rpm -libselinux-2.9-6.cm2.x86_64.rpm +libxml2-2.9.12-2.cm2.x86_64.rpm +libxml2-devel-2.9.12-2.cm2.x86_64.rpm +libsepol-3.2-1.cm2.x86_64.rpm glib-2.60.1-5.cm2.x86_64.rpm libltdl-2.4.6-7.cm2.x86_64.rpm libltdl-devel-2.4.6-7.cm2.x86_64.rpm +pcre-8.44-3.cm2.x86_64.rpm pcre-libs-8.44-3.cm2.x86_64.rpm krb5-1.18-1.cm2.x86_64.rpm lua-5.3.5-11.cm2.x86_64.rpm @@ -211,7 +212,7 @@ mariner-rpm-macros-2.0-2.cm2.noarch.rpm mariner-check-macros-2.0-2.cm2.noarch.rpm libassuan-2.5.1-5.cm2.x86_64.rpm libgpg-error-1.32-5.cm2.x86_64.rpm -libgcrypt-1.8.7-1.cm2.x86_64.rpm +libgcrypt-1.8.7-2.cm2.x86_64.rpm libksba-1.3.5-4.cm2.x86_64.rpm npth-1.6-3.cm2.x86_64.rpm pinentry-1.1.0-3.cm2.x86_64.rpm 
@@ -224,15 +225,18 @@ libffi-devel-3.2.1-12.cm2.x86_64.rpm libtasn1-4.14-3.cm2.x86_64.rpm p11-kit-0.23.22-2.cm2.x86_64.rpm p11-kit-trust-0.23.22-2.cm2.x86_64.rpm -ca-certificates-shared-20200720-13.cm2.noarch.rpm -ca-certificates-tools-20200720-13.cm2.noarch.rpm -ca-certificates-base-20200720-13.cm2.noarch.rpm +ca-certificates-shared-20200720-15.cm2.noarch.rpm +ca-certificates-tools-20200720-15.cm2.noarch.rpm +ca-certificates-base-20200720-15.cm2.noarch.rpm dwz-0.13-4.cm2.x86_64.rpm unzip-6.0-19.cm2.x86_64.rpm -python3-3.7.10-1.cm2.x86_64.rpm -python3-devel-3.7.10-1.cm2.x86_64.rpm -python3-libs-3.7.10-1.cm2.x86_64.rpm -python3-setuptools-3.7.10-1.cm2.noarch.rpm -python3-xml-3.7.10-1.cm2.x86_64.rpm -systemd-rpm-macros-239-40.cm2.noarch.rpm +python3-3.7.10-3.cm2.x86_64.rpm +python3-audit-3.0-6.cm2.x86_64.rpm +python3-devel-3.7.10-3.cm2.x86_64.rpm +python3-libcap-ng-0.7.9-4.cm2.x86_64.rpm +python3-libs-3.7.10-3.cm2.x86_64.rpm +python3-setuptools-3.7.10-3.cm2.noarch.rpm +python3-xml-3.7.10-3.cm2.x86_64.rpm +systemd-rpm-macros-239-41.cm2.noarch.rpm which-2.21-7.cm2.x86_64.rpm +libselinux-3.2-1.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 3623fb2f7b..8ed1abbf78 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -2,34 +2,38 @@ alsa-lib-1.2.2-2.cm2.aarch64.rpm alsa-lib-debuginfo-1.2.2-2.cm2.aarch64.rpm alsa-lib-devel-1.2.2-2.cm2.aarch64.rpm asciidoc-9.1.0-1.cm2.noarch.rpm +audit-3.0-6.cm2.aarch64.rpm +audit-debuginfo-3.0-6.cm2.aarch64.rpm +audit-devel-3.0-6.cm2.aarch64.rpm +audit-libs-3.0-6.cm2.aarch64.rpm autoconf-2.69-11.cm2.noarch.rpm automake-1.16.1-3.cm2.noarch.rpm bash-4.4.18-7.cm2.aarch64.rpm bash-debuginfo-4.4.18-7.cm2.aarch64.rpm bash-devel-4.4.18-7.cm2.aarch64.rpm bash-lang-4.4.18-7.cm2.aarch64.rpm -binutils-2.32-5.cm2.aarch64.rpm -binutils-debuginfo-2.32-5.cm2.aarch64.rpm -binutils-devel-2.32-5.cm2.aarch64.rpm +binutils-2.36.1-1.cm2.aarch64.rpm +binutils-debuginfo-2.36.1-1.cm2.aarch64.rpm +binutils-devel-2.36.1-1.cm2.aarch64.rpm bison-3.1-4.cm2.aarch64.rpm bison-debuginfo-3.1-4.cm2.aarch64.rpm bzip2-1.0.6-16.cm2.aarch64.rpm bzip2-debuginfo-1.0.6-16.cm2.aarch64.rpm bzip2-devel-1.0.6-16.cm2.aarch64.rpm bzip2-libs-1.0.6-16.cm2.aarch64.rpm -ca-certificates-20200720-13.cm2.noarch.rpm -ca-certificates-base-20200720-13.cm2.noarch.rpm -ca-certificates-legacy-20200720-13.cm2.noarch.rpm -ca-certificates-microsoft-20200720-13.cm2.noarch.rpm -ca-certificates-shared-20200720-13.cm2.noarch.rpm -ca-certificates-tools-20200720-13.cm2.noarch.rpm +ca-certificates-20200720-15.cm2.noarch.rpm +ca-certificates-base-20200720-15.cm2.noarch.rpm +ca-certificates-legacy-20200720-15.cm2.noarch.rpm +ca-certificates-microsoft-20200720-15.cm2.noarch.rpm +ca-certificates-shared-20200720-15.cm2.noarch.rpm +ca-certificates-tools-20200720-15.cm2.noarch.rpm check-0.12.0-5.cm2.aarch64.rpm check-debuginfo-0.12.0-5.cm2.aarch64.rpm cmake-3.17.3-5.cm2.aarch64.rpm cmake-debuginfo-3.17.3-5.cm2.aarch64.rpm -coreutils-8.30-8.cm2.aarch64.rpm -coreutils-debuginfo-8.30-8.cm2.aarch64.rpm -coreutils-lang-8.30-8.cm2.aarch64.rpm +coreutils-8.30-10.cm2.aarch64.rpm +coreutils-debuginfo-8.30-10.cm2.aarch64.rpm +coreutils-lang-8.30-10.cm2.aarch64.rpm cpio-2.13-2.cm2.aarch64.rpm cpio-debuginfo-2.13-2.cm2.aarch64.rpm 
cpio-lang-2.13-2.cm2.aarch64.rpm @@ -46,10 +50,12 @@ cryptsetup-debuginfo-2.3.3-2.cm2.aarch64.rpm cryptsetup-devel-2.3.3-2.cm2.aarch64.rpm cryptsetup-libs-2.3.3-2.cm2.aarch64.rpm cryptsetup-reencrypt-2.3.3-2.cm2.aarch64.rpm -curl-7.76.0-2.cm2.aarch64.rpm -curl-debuginfo-7.76.0-2.cm2.aarch64.rpm -curl-devel-7.76.0-2.cm2.aarch64.rpm -curl-libs-7.76.0-2.cm2.aarch64.rpm +curl-7.76.0-5.cm2.aarch64.rpm +curl-debuginfo-7.76.0-5.cm2.aarch64.rpm +curl-devel-7.76.0-5.cm2.aarch64.rpm +curl-libs-7.76.0-5.cm2.aarch64.rpm +cyrus-sasl-2.1.27-5.cm2.aarch64.rpm +cyrus-sasl-debuginfo-2.1.27-5.cm2.aarch64.rpm device-mapper-2.03.05-7.cm2.aarch64.rpm device-mapper-devel-2.03.05-7.cm2.aarch64.rpm device-mapper-event-2.03.05-7.cm2.aarch64.rpm @@ -87,6 +93,9 @@ filesystem-1.1-8.cm2.aarch64.rpm findutils-4.6.0-7.cm2.aarch64.rpm findutils-debuginfo-4.6.0-7.cm2.aarch64.rpm findutils-lang-4.6.0-7.cm2.aarch64.rpm +finger-0.17-4.cm2.aarch64.rpm +finger-debuginfo-0.17-4.cm2.aarch64.rpm +finger-server-0.17-4.cm2.aarch64.rpm flex-2.6.4-7.cm2.aarch64.rpm flex-debuginfo-2.6.4-7.cm2.aarch64.rpm flex-devel-2.6.4-7.cm2.aarch64.rpm @@ -113,13 +122,13 @@ glib-debuginfo-2.60.1-5.cm2.aarch64.rpm glib-devel-2.60.1-5.cm2.aarch64.rpm glib-doc-2.60.1-5.cm2.noarch.rpm glib-schemas-2.60.1-5.cm2.aarch64.rpm -glibc-2.28-17.cm2.aarch64.rpm -glibc-devel-2.28-17.cm2.aarch64.rpm -glibc-i18n-2.28-17.cm2.aarch64.rpm -glibc-iconv-2.28-17.cm2.aarch64.rpm -glibc-lang-2.28-17.cm2.aarch64.rpm -glibc-nscd-2.28-17.cm2.aarch64.rpm -glibc-tools-2.28-17.cm2.aarch64.rpm +glibc-2.28-18.cm2.aarch64.rpm +glibc-devel-2.28-18.cm2.aarch64.rpm +glibc-i18n-2.28-18.cm2.aarch64.rpm +glibc-iconv-2.28-18.cm2.aarch64.rpm +glibc-lang-2.28-18.cm2.aarch64.rpm +glibc-nscd-2.28-18.cm2.aarch64.rpm +glibc-tools-2.28-18.cm2.aarch64.rpm gmock-1.8.1-5.cm2.aarch64.rpm gmock-devel-1.8.1-5.cm2.aarch64.rpm gmock-static-1.8.1-5.cm2.aarch64.rpm 
@@ -128,14 +137,17 @@ gmp-debuginfo-6.1.2-5.cm2.aarch64.rpm gmp-devel-6.1.2-5.cm2.aarch64.rpm gnupg2-2.2.20-4.cm2.aarch64.rpm gnupg2-debuginfo-2.2.20-4.cm2.aarch64.rpm +golang-1.15.13-1.cm2.aarch64.rpm gperf-3.1-3.cm2.aarch64.rpm gperf-debuginfo-3.1-3.cm2.aarch64.rpm gpgme-1.13.1-7.cm2.aarch64.rpm gpgme-debuginfo-1.13.1-7.cm2.aarch64.rpm gpgme-devel-1.13.1-7.cm2.aarch64.rpm -grep-3.1-4.cm2.aarch64.rpm -grep-debuginfo-3.1-4.cm2.aarch64.rpm -grep-lang-3.1-4.cm2.aarch64.rpm +grep-3.1-5.cm2.aarch64.rpm +grep-debuginfo-3.1-5.cm2.aarch64.rpm +grep-lang-3.1-5.cm2.aarch64.rpm +groff-1.22.3-7.cm2.aarch64.rpm +groff-debuginfo-1.22.3-7.cm2.aarch64.rpm gtest-1.8.1-5.cm2.aarch64.rpm gtest-debuginfo-1.8.1-5.cm2.aarch64.rpm gtest-devel-1.8.1-5.cm2.aarch64.rpm @@ -151,7 +163,7 @@ json-c-debuginfo-0.14-3.cm2.aarch64.rpm json-c-devel-0.14-3.cm2.aarch64.rpm kbd-2.0.4-5.cm2.aarch64.rpm kbd-debuginfo-2.0.4-5.cm2.aarch64.rpm -kernel-headers-5.10.28.1-6.cm2.noarch.rpm +kernel-headers-5.10.52.1-1.cm2.noarch.rpm kmod-25-6.cm2.aarch64.rpm kmod-debuginfo-25-6.cm2.aarch64.rpm kmod-devel-25-6.cm2.aarch64.rpm @@ -170,6 +182,9 @@ libassuan-debuginfo-2.5.1-5.cm2.aarch64.rpm libcap-2.26-2.cm2.aarch64.rpm libcap-debuginfo-2.26-2.cm2.aarch64.rpm libcap-devel-2.26-2.cm2.aarch64.rpm +libcap-ng-0.7.9-4.cm2.aarch64.rpm +libcap-ng-debuginfo-0.7.9-4.cm2.aarch64.rpm +libcap-ng-devel-0.7.9-4.cm2.aarch64.rpm libdb-5.3.28-5.cm2.aarch64.rpm libdb-debuginfo-5.3.28-5.cm2.aarch64.rpm libdb-devel-5.3.28-5.cm2.aarch64.rpm 
@@ -181,9 +196,9 @@ libffi-devel-3.2.1-12.cm2.aarch64.rpm libgcc-9.1.0-11.cm2.aarch64.rpm libgcc-atomic-9.1.0-11.cm2.aarch64.rpm libgcc-devel-9.1.0-11.cm2.aarch64.rpm -libgcrypt-1.8.7-1.cm2.aarch64.rpm -libgcrypt-debuginfo-1.8.7-1.cm2.aarch64.rpm -libgcrypt-devel-1.8.7-1.cm2.aarch64.rpm +libgcrypt-1.8.7-2.cm2.aarch64.rpm +libgcrypt-debuginfo-1.8.7-2.cm2.aarch64.rpm +libgcrypt-devel-1.8.7-2.cm2.aarch64.rpm libgomp-9.1.0-11.cm2.aarch64.rpm libgomp-devel-9.1.0-11.cm2.aarch64.rpm libgpg-error-1.32-5.cm2.aarch64.rpm @@ -196,6 +211,9 @@ libltdl-2.4.6-7.cm2.aarch64.rpm libltdl-devel-2.4.6-7.cm2.aarch64.rpm libmpc-1.1.0-6.cm2.aarch64.rpm libmpc-debuginfo-1.1.0-6.cm2.aarch64.rpm +libnsl2-1.2.0-4.cm2.aarch64.rpm +libnsl2-debuginfo-1.2.0-4.cm2.aarch64.rpm +libnsl2-devel-1.2.0-4.cm2.aarch64.rpm libpipeline-1.5.0-4.cm2.aarch64.rpm libpipeline-debuginfo-1.5.0-4.cm2.aarch64.rpm libpipeline-devel-1.5.0-4.cm2.aarch64.rpm 
@@ -204,14 +222,18 @@ libpkgconf-devel-1.7.0-3.cm2.aarch64.rpm libpwquality-1.4.2-6.cm2.aarch64.rpm libpwquality-debuginfo-1.4.2-6.cm2.aarch64.rpm libpwquality-devel-1.4.2-6.cm2.aarch64.rpm -libselinux-2.9-6.cm2.aarch64.rpm -libselinux-debuginfo-2.9-6.cm2.aarch64.rpm -libselinux-devel-2.9-6.cm2.aarch64.rpm -libselinux-python3-2.9-6.cm2.aarch64.rpm -libselinux-utils-2.9-6.cm2.aarch64.rpm -libsepol-3.1-1.cm2.aarch64.rpm -libsepol-debuginfo-3.1-1.cm2.aarch64.rpm -libsepol-devel-3.1-1.cm2.aarch64.rpm +libselinux-3.2-1.cm2.aarch64.rpm +libselinux-debuginfo-3.2-1.cm2.aarch64.rpm +libselinux-devel-3.2-1.cm2.aarch64.rpm +libselinux-python3-3.2-1.cm2.aarch64.rpm +libselinux-utils-3.2-1.cm2.aarch64.rpm +libsemanage-3.2-1.cm2.aarch64.rpm +libsemanage-debuginfo-3.2-1.cm2.aarch64.rpm +libsemanage-devel-3.2-1.cm2.aarch64.rpm +libsemanage-python3-3.2-1.cm2.aarch64.rpm +libsepol-3.2-1.cm2.aarch64.rpm +libsepol-debuginfo-3.2-1.cm2.aarch64.rpm +libsepol-devel-3.2-1.cm2.aarch64.rpm libsolv-0.7.7-4.cm2.aarch64.rpm libsolv-debuginfo-0.7.7-4.cm2.aarch64.rpm libsolv-devel-0.7.7-4.cm2.aarch64.rpm @@ -224,11 +246,14 @@ libstdc++-devel-9.1.0-11.cm2.aarch64.rpm libtasn1-4.14-3.cm2.aarch64.rpm libtasn1-debuginfo-4.14-3.cm2.aarch64.rpm libtasn1-devel-4.14-3.cm2.aarch64.rpm +libtirpc-1.1.4-4.cm2.aarch64.rpm +libtirpc-debuginfo-1.1.4-4.cm2.aarch64.rpm +libtirpc-devel-1.1.4-4.cm2.aarch64.rpm libtool-2.4.6-7.cm2.aarch64.rpm libtool-debuginfo-2.4.6-7.cm2.aarch64.rpm -libxml2-2.9.10-8.cm2.aarch64.rpm -libxml2-debuginfo-2.9.10-8.cm2.aarch64.rpm -libxml2-devel-2.9.10-8.cm2.aarch64.rpm +libxml2-2.9.12-2.cm2.aarch64.rpm +libxml2-debuginfo-2.9.12-2.cm2.aarch64.rpm +libxml2-devel-2.9.12-2.cm2.aarch64.rpm libxslt-1.1.34-4.cm2.aarch64.rpm libxslt-debuginfo-1.1.34-4.cm2.aarch64.rpm libxslt-devel-1.1.34-4.cm2.aarch64.rpm 
@@ -253,6 +278,8 @@ mariner-release-2.0-1.cm2.noarch.rpm mariner-repos-2.0-1.cm2.noarch.rpm mariner-repos-extras-2.0-1.cm2.noarch.rpm mariner-repos-extras-preview-2.0-1.cm2.noarch.rpm +mariner-repos-microsoft-2.0-1.cm2.noarch.rpm +mariner-repos-microsoft-preview-2.0-1.cm2.noarch.rpm mariner-repos-preview-2.0-1.cm2.noarch.rpm mariner-repos-ui-2.0-1.cm2.noarch.rpm mariner-repos-ui-preview-2.0-1.cm2.noarch.rpm 
@@ -275,31 +302,33 @@ npth-devel-1.6-3.cm2.aarch64.rpm nspr-4.21-2.cm2.aarch64.rpm nspr-debuginfo-4.21-2.cm2.aarch64.rpm nspr-devel-4.21-2.cm2.aarch64.rpm -nss-3.44-4.cm2.aarch64.rpm -nss-debuginfo-3.44-4.cm2.aarch64.rpm -nss-devel-3.44-4.cm2.aarch64.rpm -nss-libs-3.44-4.cm2.aarch64.rpm +nss-3.44-7.cm2.aarch64.rpm +nss-debuginfo-3.44-7.cm2.aarch64.rpm +nss-devel-3.44-7.cm2.aarch64.rpm +nss-libs-3.44-7.cm2.aarch64.rpm openjdk8-1.8.0.292-1.cm2.aarch64.rpm openjdk8-debuginfo-1.8.0.292-1.cm2.aarch64.rpm openjdk8-doc-1.8.0.292-1.cm2.aarch64.rpm openjdk8-sample-1.8.0.292-1.cm2.aarch64.rpm openjdk8-src-1.8.0.292-1.cm2.aarch64.rpm openjre8-1.8.0.292-1.cm2.aarch64.rpm -openssl-1.1.1k-2.cm2.aarch64.rpm -openssl-debuginfo-1.1.1k-2.cm2.aarch64.rpm -openssl-devel-1.1.1k-2.cm2.aarch64.rpm -openssl-libs-1.1.1k-2.cm2.aarch64.rpm -openssl-perl-1.1.1k-2.cm2.aarch64.rpm -openssl-static-1.1.1k-2.cm2.aarch64.rpm +openldap-2.4.57-4.cm2.aarch64.rpm +openldap-debuginfo-2.4.57-4.cm2.aarch64.rpm +openssl-1.1.1k-5.cm2.aarch64.rpm +openssl-debuginfo-1.1.1k-5.cm2.aarch64.rpm +openssl-devel-1.1.1k-5.cm2.aarch64.rpm +openssl-libs-1.1.1k-5.cm2.aarch64.rpm +openssl-perl-1.1.1k-5.cm2.aarch64.rpm +openssl-static-1.1.1k-5.cm2.aarch64.rpm p11-kit-0.23.22-2.cm2.aarch64.rpm p11-kit-debuginfo-0.23.22-2.cm2.aarch64.rpm p11-kit-devel-0.23.22-2.cm2.aarch64.rpm p11-kit-server-0.23.22-2.cm2.aarch64.rpm p11-kit-trust-0.23.22-2.cm2.aarch64.rpm -pam-1.3.1-5.cm2.aarch64.rpm -pam-debuginfo-1.3.1-5.cm2.aarch64.rpm -pam-devel-1.3.1-5.cm2.aarch64.rpm -pam-lang-1.3.1-5.cm2.aarch64.rpm +pam-1.5.1-1.cm2.aarch64.rpm +pam-debuginfo-1.5.1-1.cm2.aarch64.rpm +pam-devel-1.5.1-1.cm2.aarch64.rpm +pam-lang-1.5.1-1.cm2.aarch64.rpm patch-2.7.6-7.cm2.aarch64.rpm patch-debuginfo-2.7.6-7.cm2.aarch64.rpm pcre-8.44-3.cm2.aarch64.rpm 
@@ -522,25 +551,30 @@ procps-ng-3.3.15-5.cm2.aarch64.rpm procps-ng-debuginfo-3.3.15-5.cm2.aarch64.rpm procps-ng-devel-3.3.15-5.cm2.aarch64.rpm procps-ng-lang-3.3.15-5.cm2.aarch64.rpm -python3-3.7.10-1.cm2.aarch64.rpm +python3-3.7.10-3.cm2.aarch64.rpm +python3-audit-3.0-6.cm2.aarch64.rpm python3-cracklib-2.9.7-3.cm2.aarch64.rpm -python3-curses-3.7.10-1.cm2.aarch64.rpm -python3-debuginfo-3.7.10-1.cm2.aarch64.rpm -python3-devel-3.7.10-1.cm2.aarch64.rpm +python3-curses-3.7.10-3.cm2.aarch64.rpm +python3-debuginfo-3.7.10-3.cm2.aarch64.rpm +python3-devel-3.7.10-3.cm2.aarch64.rpm python3-gpg-1.13.1-7.cm2.aarch64.rpm -python3-libs-3.7.10-1.cm2.aarch64.rpm -python3-libxml2-2.9.10-8.cm2.aarch64.rpm +python3-libcap-ng-0.7.9-4.cm2.aarch64.rpm +python3-libs-3.7.10-3.cm2.aarch64.rpm +python3-libxml2-2.9.12-2.cm2.aarch64.rpm python3-magic-5.38-2.cm2.noarch.rpm -python3-pip-3.7.10-1.cm2.noarch.rpm +python3-pip-3.7.10-3.cm2.noarch.rpm python3-pwquality-1.4.2-6.cm2.aarch64.rpm python3-rpm-4.14.2.1-4.cm2.aarch64.rpm -python3-setuptools-3.7.10-1.cm2.noarch.rpm -python3-test-3.7.10-1.cm2.aarch64.rpm -python3-tools-3.7.10-1.cm2.aarch64.rpm -python3-xml-3.7.10-1.cm2.aarch64.rpm +python3-setuptools-3.7.10-3.cm2.noarch.rpm +python3-test-3.7.10-3.cm2.aarch64.rpm +python3-tools-3.7.10-3.cm2.aarch64.rpm +python3-xml-3.7.10-3.cm2.aarch64.rpm readline-7.0-5.cm2.aarch64.rpm readline-debuginfo-7.0-5.cm2.aarch64.rpm readline-devel-7.0-5.cm2.aarch64.rpm +rpcsvc-proto-1.4-4.cm2.aarch64.rpm +rpcsvc-proto-debuginfo-1.4-4.cm2.aarch64.rpm +rpcsvc-proto-devel-1.4-4.cm2.aarch64.rpm rpm-4.14.2.1-4.cm2.aarch64.rpm rpm-build-4.14.2.1-4.cm2.aarch64.rpm rpm-build-libs-4.14.2.1-4.cm2.aarch64.rpm 
@@ -551,24 +585,29 @@ rpm-libs-4.14.2.1-4.cm2.aarch64.rpm sed-4.5-3.cm2.aarch64.rpm sed-debuginfo-4.5-3.cm2.aarch64.rpm sed-lang-4.5-3.cm2.aarch64.rpm -shadow-utils-4.6-11.cm2.aarch64.rpm -shadow-utils-debuginfo-4.6-11.cm2.aarch64.rpm +shadow-utils-4.9-1.cm2.aarch64.rpm +shadow-utils-debuginfo-4.9-1.cm2.aarch64.rpm +shadow-utils-subid-4.9-1.cm2.aarch64.rpm +shadow-utils-subid-devel-4.9-1.cm2.aarch64.rpm sqlite-3.34.1-1.cm2.aarch64.rpm sqlite-debuginfo-3.34.1-1.cm2.aarch64.rpm sqlite-devel-3.34.1-1.cm2.aarch64.rpm sqlite-libs-3.34.1-1.cm2.aarch64.rpm swig-4.0.2-2.cm2.aarch64.rpm swig-debuginfo-4.0.2-2.cm2.aarch64.rpm -systemd-239-40.cm2.aarch64.rpm -systemd-bootstrap-239-34.cm2.aarch64.rpm -systemd-bootstrap-debuginfo-239-34.cm2.aarch64.rpm -systemd-bootstrap-devel-239-34.cm2.aarch64.rpm -systemd-debuginfo-239-40.cm2.aarch64.rpm -systemd-devel-239-40.cm2.aarch64.rpm -systemd-lang-239-40.cm2.aarch64.rpm -systemd-rpm-macros-239-40.cm2.noarch.rpm +systemd-239-41.cm2.aarch64.rpm +systemd-bootstrap-239-35.cm2.aarch64.rpm +systemd-bootstrap-debuginfo-239-35.cm2.aarch64.rpm +systemd-bootstrap-devel-239-35.cm2.aarch64.rpm +systemd-debuginfo-239-41.cm2.aarch64.rpm +systemd-devel-239-41.cm2.aarch64.rpm +systemd-lang-239-41.cm2.aarch64.rpm +systemd-rpm-macros-239-41.cm2.noarch.rpm tar-1.32-2.cm2.aarch64.rpm tar-debuginfo-1.32-2.cm2.aarch64.rpm +tcp_wrappers-7.6-9.cm2.aarch64.rpm +tcp_wrappers-debuginfo-7.6-9.cm2.aarch64.rpm +tcp_wrappers-devel-7.6-9.cm2.aarch64.rpm tdnf-2.1.0-7.cm2.aarch64.rpm tdnf-cli-libs-2.1.0-7.cm2.aarch64.rpm tdnf-debuginfo-2.1.0-7.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 5a638adb00..3318ca4e6a 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -2,34 +2,38 @@ alsa-lib-1.2.2-2.cm2.x86_64.rpm alsa-lib-debuginfo-1.2.2-2.cm2.x86_64.rpm alsa-lib-devel-1.2.2-2.cm2.x86_64.rpm asciidoc-9.1.0-1.cm2.noarch.rpm +audit-3.0-6.cm2.x86_64.rpm +audit-debuginfo-3.0-6.cm2.x86_64.rpm +audit-devel-3.0-6.cm2.x86_64.rpm +audit-libs-3.0-6.cm2.x86_64.rpm autoconf-2.69-11.cm2.noarch.rpm automake-1.16.1-3.cm2.noarch.rpm bash-4.4.18-7.cm2.x86_64.rpm bash-debuginfo-4.4.18-7.cm2.x86_64.rpm bash-devel-4.4.18-7.cm2.x86_64.rpm bash-lang-4.4.18-7.cm2.x86_64.rpm -binutils-2.32-5.cm2.x86_64.rpm -binutils-debuginfo-2.32-5.cm2.x86_64.rpm -binutils-devel-2.32-5.cm2.x86_64.rpm +binutils-2.36.1-1.cm2.x86_64.rpm +binutils-debuginfo-2.36.1-1.cm2.x86_64.rpm +binutils-devel-2.36.1-1.cm2.x86_64.rpm bison-3.1-4.cm2.x86_64.rpm bison-debuginfo-3.1-4.cm2.x86_64.rpm bzip2-1.0.6-16.cm2.x86_64.rpm bzip2-debuginfo-1.0.6-16.cm2.x86_64.rpm bzip2-devel-1.0.6-16.cm2.x86_64.rpm bzip2-libs-1.0.6-16.cm2.x86_64.rpm -ca-certificates-20200720-13.cm2.noarch.rpm -ca-certificates-base-20200720-13.cm2.noarch.rpm -ca-certificates-legacy-20200720-13.cm2.noarch.rpm -ca-certificates-microsoft-20200720-13.cm2.noarch.rpm -ca-certificates-shared-20200720-13.cm2.noarch.rpm -ca-certificates-tools-20200720-13.cm2.noarch.rpm +ca-certificates-20200720-15.cm2.noarch.rpm +ca-certificates-base-20200720-15.cm2.noarch.rpm +ca-certificates-legacy-20200720-15.cm2.noarch.rpm +ca-certificates-microsoft-20200720-15.cm2.noarch.rpm +ca-certificates-shared-20200720-15.cm2.noarch.rpm +ca-certificates-tools-20200720-15.cm2.noarch.rpm check-0.12.0-5.cm2.x86_64.rpm check-debuginfo-0.12.0-5.cm2.x86_64.rpm cmake-3.17.3-5.cm2.x86_64.rpm cmake-debuginfo-3.17.3-5.cm2.x86_64.rpm -coreutils-8.30-8.cm2.x86_64.rpm -coreutils-debuginfo-8.30-8.cm2.x86_64.rpm -coreutils-lang-8.30-8.cm2.x86_64.rpm +coreutils-8.30-10.cm2.x86_64.rpm +coreutils-debuginfo-8.30-10.cm2.x86_64.rpm +coreutils-lang-8.30-10.cm2.x86_64.rpm cpio-2.13-2.cm2.x86_64.rpm cpio-debuginfo-2.13-2.cm2.x86_64.rpm cpio-lang-2.13-2.cm2.x86_64.rpm 
@@ -46,10 +50,12 @@ cryptsetup-debuginfo-2.3.3-2.cm2.x86_64.rpm cryptsetup-devel-2.3.3-2.cm2.x86_64.rpm cryptsetup-libs-2.3.3-2.cm2.x86_64.rpm cryptsetup-reencrypt-2.3.3-2.cm2.x86_64.rpm -curl-7.76.0-2.cm2.x86_64.rpm -curl-debuginfo-7.76.0-2.cm2.x86_64.rpm -curl-devel-7.76.0-2.cm2.x86_64.rpm -curl-libs-7.76.0-2.cm2.x86_64.rpm +curl-7.76.0-5.cm2.x86_64.rpm +curl-debuginfo-7.76.0-5.cm2.x86_64.rpm +curl-devel-7.76.0-5.cm2.x86_64.rpm +curl-libs-7.76.0-5.cm2.x86_64.rpm +cyrus-sasl-2.1.27-5.cm2.x86_64.rpm +cyrus-sasl-debuginfo-2.1.27-5.cm2.x86_64.rpm device-mapper-2.03.05-7.cm2.x86_64.rpm device-mapper-devel-2.03.05-7.cm2.x86_64.rpm device-mapper-event-2.03.05-7.cm2.x86_64.rpm @@ -87,6 +93,9 @@ filesystem-1.1-8.cm2.x86_64.rpm findutils-4.6.0-7.cm2.x86_64.rpm findutils-debuginfo-4.6.0-7.cm2.x86_64.rpm findutils-lang-4.6.0-7.cm2.x86_64.rpm +finger-0.17-4.cm2.x86_64.rpm +finger-debuginfo-0.17-4.cm2.x86_64.rpm +finger-server-0.17-4.cm2.x86_64.rpm flex-2.6.4-7.cm2.x86_64.rpm flex-debuginfo-2.6.4-7.cm2.x86_64.rpm flex-devel-2.6.4-7.cm2.x86_64.rpm @@ -113,13 +122,13 @@ glib-debuginfo-2.60.1-5.cm2.x86_64.rpm glib-devel-2.60.1-5.cm2.x86_64.rpm glib-doc-2.60.1-5.cm2.noarch.rpm glib-schemas-2.60.1-5.cm2.x86_64.rpm -glibc-2.28-17.cm2.x86_64.rpm -glibc-devel-2.28-17.cm2.x86_64.rpm -glibc-i18n-2.28-17.cm2.x86_64.rpm -glibc-iconv-2.28-17.cm2.x86_64.rpm -glibc-lang-2.28-17.cm2.x86_64.rpm -glibc-nscd-2.28-17.cm2.x86_64.rpm -glibc-tools-2.28-17.cm2.x86_64.rpm +glibc-2.28-18.cm2.x86_64.rpm +glibc-devel-2.28-18.cm2.x86_64.rpm +glibc-i18n-2.28-18.cm2.x86_64.rpm +glibc-iconv-2.28-18.cm2.x86_64.rpm +glibc-lang-2.28-18.cm2.x86_64.rpm +glibc-nscd-2.28-18.cm2.x86_64.rpm +glibc-tools-2.28-18.cm2.x86_64.rpm gmock-1.8.1-5.cm2.x86_64.rpm gmock-devel-1.8.1-5.cm2.x86_64.rpm gmock-static-1.8.1-5.cm2.x86_64.rpm 
@@ -128,14 +137,17 @@ gmp-debuginfo-6.1.2-5.cm2.x86_64.rpm gmp-devel-6.1.2-5.cm2.x86_64.rpm gnupg2-2.2.20-4.cm2.x86_64.rpm gnupg2-debuginfo-2.2.20-4.cm2.x86_64.rpm +golang-1.15.13-1.cm2.x86_64.rpm gperf-3.1-3.cm2.x86_64.rpm gperf-debuginfo-3.1-3.cm2.x86_64.rpm gpgme-1.13.1-7.cm2.x86_64.rpm gpgme-debuginfo-1.13.1-7.cm2.x86_64.rpm gpgme-devel-1.13.1-7.cm2.x86_64.rpm -grep-3.1-4.cm2.x86_64.rpm -grep-debuginfo-3.1-4.cm2.x86_64.rpm -grep-lang-3.1-4.cm2.x86_64.rpm +grep-3.1-5.cm2.x86_64.rpm +grep-debuginfo-3.1-5.cm2.x86_64.rpm +grep-lang-3.1-5.cm2.x86_64.rpm +groff-1.22.3-7.cm2.x86_64.rpm +groff-debuginfo-1.22.3-7.cm2.x86_64.rpm gtest-1.8.1-5.cm2.x86_64.rpm gtest-debuginfo-1.8.1-5.cm2.x86_64.rpm gtest-devel-1.8.1-5.cm2.x86_64.rpm @@ -151,7 +163,7 @@ json-c-debuginfo-0.14-3.cm2.x86_64.rpm json-c-devel-0.14-3.cm2.x86_64.rpm kbd-2.0.4-5.cm2.x86_64.rpm kbd-debuginfo-2.0.4-5.cm2.x86_64.rpm -kernel-headers-5.10.28.1-6.cm2.noarch.rpm +kernel-headers-5.10.52.1-1.cm2.noarch.rpm kmod-25-6.cm2.x86_64.rpm kmod-debuginfo-25-6.cm2.x86_64.rpm kmod-devel-25-6.cm2.x86_64.rpm @@ -170,6 +182,9 @@ libassuan-debuginfo-2.5.1-5.cm2.x86_64.rpm libcap-2.26-2.cm2.x86_64.rpm libcap-debuginfo-2.26-2.cm2.x86_64.rpm libcap-devel-2.26-2.cm2.x86_64.rpm +libcap-ng-0.7.9-4.cm2.x86_64.rpm +libcap-ng-debuginfo-0.7.9-4.cm2.x86_64.rpm +libcap-ng-devel-0.7.9-4.cm2.x86_64.rpm libdb-5.3.28-5.cm2.x86_64.rpm libdb-debuginfo-5.3.28-5.cm2.x86_64.rpm libdb-devel-5.3.28-5.cm2.x86_64.rpm @@ -181,9 +196,9 @@ libffi-devel-3.2.1-12.cm2.x86_64.rpm libgcc-9.1.0-11.cm2.x86_64.rpm libgcc-atomic-9.1.0-11.cm2.x86_64.rpm libgcc-devel-9.1.0-11.cm2.x86_64.rpm -libgcrypt-1.8.7-1.cm2.x86_64.rpm -libgcrypt-debuginfo-1.8.7-1.cm2.x86_64.rpm -libgcrypt-devel-1.8.7-1.cm2.x86_64.rpm +libgcrypt-1.8.7-2.cm2.x86_64.rpm +libgcrypt-debuginfo-1.8.7-2.cm2.x86_64.rpm +libgcrypt-devel-1.8.7-2.cm2.x86_64.rpm libgomp-9.1.0-11.cm2.x86_64.rpm libgomp-devel-9.1.0-11.cm2.x86_64.rpm libgpg-error-1.32-5.cm2.x86_64.rpm 
@@ -196,6 +211,9 @@ libltdl-2.4.6-7.cm2.x86_64.rpm libltdl-devel-2.4.6-7.cm2.x86_64.rpm libmpc-1.1.0-6.cm2.x86_64.rpm libmpc-debuginfo-1.1.0-6.cm2.x86_64.rpm +libnsl2-1.2.0-4.cm2.x86_64.rpm +libnsl2-debuginfo-1.2.0-4.cm2.x86_64.rpm +libnsl2-devel-1.2.0-4.cm2.x86_64.rpm libpipeline-1.5.0-4.cm2.x86_64.rpm libpipeline-debuginfo-1.5.0-4.cm2.x86_64.rpm libpipeline-devel-1.5.0-4.cm2.x86_64.rpm @@ -204,14 +222,18 @@ libpkgconf-devel-1.7.0-3.cm2.x86_64.rpm libpwquality-1.4.2-6.cm2.x86_64.rpm libpwquality-debuginfo-1.4.2-6.cm2.x86_64.rpm libpwquality-devel-1.4.2-6.cm2.x86_64.rpm -libselinux-2.9-6.cm2.x86_64.rpm -libselinux-debuginfo-2.9-6.cm2.x86_64.rpm -libselinux-devel-2.9-6.cm2.x86_64.rpm -libselinux-python3-2.9-6.cm2.x86_64.rpm -libselinux-utils-2.9-6.cm2.x86_64.rpm -libsepol-3.1-1.cm2.x86_64.rpm -libsepol-debuginfo-3.1-1.cm2.x86_64.rpm -libsepol-devel-3.1-1.cm2.x86_64.rpm +libselinux-3.2-1.cm2.x86_64.rpm +libselinux-debuginfo-3.2-1.cm2.x86_64.rpm +libselinux-devel-3.2-1.cm2.x86_64.rpm +libselinux-python3-3.2-1.cm2.x86_64.rpm +libselinux-utils-3.2-1.cm2.x86_64.rpm +libsemanage-3.2-1.cm2.x86_64.rpm +libsemanage-debuginfo-3.2-1.cm2.x86_64.rpm +libsemanage-devel-3.2-1.cm2.x86_64.rpm +libsemanage-python3-3.2-1.cm2.x86_64.rpm +libsepol-3.2-1.cm2.x86_64.rpm +libsepol-debuginfo-3.2-1.cm2.x86_64.rpm +libsepol-devel-3.2-1.cm2.x86_64.rpm libsolv-0.7.7-4.cm2.x86_64.rpm libsolv-debuginfo-0.7.7-4.cm2.x86_64.rpm libsolv-devel-0.7.7-4.cm2.x86_64.rpm 
@@ -224,11 +246,14 @@ libstdc++-devel-9.1.0-11.cm2.x86_64.rpm libtasn1-4.14-3.cm2.x86_64.rpm libtasn1-debuginfo-4.14-3.cm2.x86_64.rpm libtasn1-devel-4.14-3.cm2.x86_64.rpm +libtirpc-1.1.4-4.cm2.x86_64.rpm +libtirpc-debuginfo-1.1.4-4.cm2.x86_64.rpm +libtirpc-devel-1.1.4-4.cm2.x86_64.rpm libtool-2.4.6-7.cm2.x86_64.rpm libtool-debuginfo-2.4.6-7.cm2.x86_64.rpm -libxml2-2.9.10-8.cm2.x86_64.rpm -libxml2-debuginfo-2.9.10-8.cm2.x86_64.rpm -libxml2-devel-2.9.10-8.cm2.x86_64.rpm +libxml2-2.9.12-2.cm2.x86_64.rpm +libxml2-debuginfo-2.9.12-2.cm2.x86_64.rpm +libxml2-devel-2.9.12-2.cm2.x86_64.rpm libxslt-1.1.34-4.cm2.x86_64.rpm libxslt-debuginfo-1.1.34-4.cm2.x86_64.rpm libxslt-devel-1.1.34-4.cm2.x86_64.rpm @@ -253,6 +278,8 @@ mariner-release-2.0-1.cm2.noarch.rpm mariner-repos-2.0-1.cm2.noarch.rpm mariner-repos-extras-2.0-1.cm2.noarch.rpm mariner-repos-extras-preview-2.0-1.cm2.noarch.rpm +mariner-repos-microsoft-2.0-1.cm2.noarch.rpm +mariner-repos-microsoft-preview-2.0-1.cm2.noarch.rpm mariner-repos-preview-2.0-1.cm2.noarch.rpm mariner-repos-ui-2.0-1.cm2.noarch.rpm mariner-repos-ui-preview-2.0-1.cm2.noarch.rpm 
@@ -275,31 +302,33 @@ npth-devel-1.6-3.cm2.x86_64.rpm nspr-4.21-2.cm2.x86_64.rpm nspr-debuginfo-4.21-2.cm2.x86_64.rpm nspr-devel-4.21-2.cm2.x86_64.rpm -nss-3.44-4.cm2.x86_64.rpm -nss-debuginfo-3.44-4.cm2.x86_64.rpm -nss-devel-3.44-4.cm2.x86_64.rpm -nss-libs-3.44-4.cm2.x86_64.rpm +nss-3.44-7.cm2.x86_64.rpm +nss-debuginfo-3.44-7.cm2.x86_64.rpm +nss-devel-3.44-7.cm2.x86_64.rpm +nss-libs-3.44-7.cm2.x86_64.rpm openjdk8-1.8.0.292-1.cm2.x86_64.rpm openjdk8-debuginfo-1.8.0.292-1.cm2.x86_64.rpm openjdk8-doc-1.8.0.292-1.cm2.x86_64.rpm openjdk8-sample-1.8.0.292-1.cm2.x86_64.rpm openjdk8-src-1.8.0.292-1.cm2.x86_64.rpm openjre8-1.8.0.292-1.cm2.x86_64.rpm -openssl-1.1.1k-2.cm2.x86_64.rpm -openssl-debuginfo-1.1.1k-2.cm2.x86_64.rpm -openssl-devel-1.1.1k-2.cm2.x86_64.rpm -openssl-libs-1.1.1k-2.cm2.x86_64.rpm -openssl-perl-1.1.1k-2.cm2.x86_64.rpm -openssl-static-1.1.1k-2.cm2.x86_64.rpm +openldap-2.4.57-4.cm2.x86_64.rpm +openldap-debuginfo-2.4.57-4.cm2.x86_64.rpm +openssl-1.1.1k-5.cm2.x86_64.rpm +openssl-debuginfo-1.1.1k-5.cm2.x86_64.rpm +openssl-devel-1.1.1k-5.cm2.x86_64.rpm +openssl-libs-1.1.1k-5.cm2.x86_64.rpm +openssl-perl-1.1.1k-5.cm2.x86_64.rpm +openssl-static-1.1.1k-5.cm2.x86_64.rpm p11-kit-0.23.22-2.cm2.x86_64.rpm p11-kit-debuginfo-0.23.22-2.cm2.x86_64.rpm p11-kit-devel-0.23.22-2.cm2.x86_64.rpm p11-kit-server-0.23.22-2.cm2.x86_64.rpm p11-kit-trust-0.23.22-2.cm2.x86_64.rpm -pam-1.3.1-5.cm2.x86_64.rpm -pam-debuginfo-1.3.1-5.cm2.x86_64.rpm -pam-devel-1.3.1-5.cm2.x86_64.rpm -pam-lang-1.3.1-5.cm2.x86_64.rpm +pam-1.5.1-1.cm2.x86_64.rpm +pam-debuginfo-1.5.1-1.cm2.x86_64.rpm +pam-devel-1.5.1-1.cm2.x86_64.rpm +pam-lang-1.5.1-1.cm2.x86_64.rpm patch-2.7.6-7.cm2.x86_64.rpm patch-debuginfo-2.7.6-7.cm2.x86_64.rpm pcre-8.44-3.cm2.x86_64.rpm 
@@ -522,25 +551,30 @@ procps-ng-3.3.15-5.cm2.x86_64.rpm procps-ng-debuginfo-3.3.15-5.cm2.x86_64.rpm procps-ng-devel-3.3.15-5.cm2.x86_64.rpm procps-ng-lang-3.3.15-5.cm2.x86_64.rpm -python3-3.7.10-1.cm2.x86_64.rpm +python3-3.7.10-3.cm2.x86_64.rpm +python3-audit-3.0-6.cm2.x86_64.rpm python3-cracklib-2.9.7-3.cm2.x86_64.rpm -python3-curses-3.7.10-1.cm2.x86_64.rpm -python3-debuginfo-3.7.10-1.cm2.x86_64.rpm -python3-devel-3.7.10-1.cm2.x86_64.rpm +python3-curses-3.7.10-3.cm2.x86_64.rpm +python3-debuginfo-3.7.10-3.cm2.x86_64.rpm +python3-devel-3.7.10-3.cm2.x86_64.rpm python3-gpg-1.13.1-7.cm2.x86_64.rpm -python3-libs-3.7.10-1.cm2.x86_64.rpm -python3-libxml2-2.9.10-8.cm2.x86_64.rpm +python3-libcap-ng-0.7.9-4.cm2.x86_64.rpm +python3-libs-3.7.10-3.cm2.x86_64.rpm +python3-libxml2-2.9.12-2.cm2.x86_64.rpm python3-magic-5.38-2.cm2.noarch.rpm -python3-pip-3.7.10-1.cm2.noarch.rpm +python3-pip-3.7.10-3.cm2.noarch.rpm python3-pwquality-1.4.2-6.cm2.x86_64.rpm python3-rpm-4.14.2.1-4.cm2.x86_64.rpm -python3-setuptools-3.7.10-1.cm2.noarch.rpm -python3-test-3.7.10-1.cm2.x86_64.rpm -python3-tools-3.7.10-1.cm2.x86_64.rpm -python3-xml-3.7.10-1.cm2.x86_64.rpm +python3-setuptools-3.7.10-3.cm2.noarch.rpm +python3-test-3.7.10-3.cm2.x86_64.rpm +python3-tools-3.7.10-3.cm2.x86_64.rpm +python3-xml-3.7.10-3.cm2.x86_64.rpm readline-7.0-5.cm2.x86_64.rpm readline-debuginfo-7.0-5.cm2.x86_64.rpm readline-devel-7.0-5.cm2.x86_64.rpm +rpcsvc-proto-1.4-4.cm2.x86_64.rpm +rpcsvc-proto-debuginfo-1.4-4.cm2.x86_64.rpm +rpcsvc-proto-devel-1.4-4.cm2.x86_64.rpm rpm-4.14.2.1-4.cm2.x86_64.rpm rpm-build-4.14.2.1-4.cm2.x86_64.rpm rpm-build-libs-4.14.2.1-4.cm2.x86_64.rpm 
@@ -551,24 +585,29 @@ rpm-libs-4.14.2.1-4.cm2.x86_64.rpm sed-4.5-3.cm2.x86_64.rpm sed-debuginfo-4.5-3.cm2.x86_64.rpm sed-lang-4.5-3.cm2.x86_64.rpm -shadow-utils-4.6-11.cm2.x86_64.rpm -shadow-utils-debuginfo-4.6-11.cm2.x86_64.rpm +shadow-utils-4.9-1.cm2.x86_64.rpm +shadow-utils-debuginfo-4.9-1.cm2.x86_64.rpm +shadow-utils-subid-4.9-1.cm2.x86_64.rpm +shadow-utils-subid-devel-4.9-1.cm2.x86_64.rpm sqlite-3.34.1-1.cm2.x86_64.rpm sqlite-debuginfo-3.34.1-1.cm2.x86_64.rpm sqlite-devel-3.34.1-1.cm2.x86_64.rpm sqlite-libs-3.34.1-1.cm2.x86_64.rpm swig-4.0.2-2.cm2.x86_64.rpm swig-debuginfo-4.0.2-2.cm2.x86_64.rpm -systemd-239-40.cm2.x86_64.rpm -systemd-bootstrap-239-34.cm2.x86_64.rpm -systemd-bootstrap-debuginfo-239-34.cm2.x86_64.rpm -systemd-bootstrap-devel-239-34.cm2.x86_64.rpm -systemd-debuginfo-239-40.cm2.x86_64.rpm -systemd-devel-239-40.cm2.x86_64.rpm -systemd-lang-239-40.cm2.x86_64.rpm -systemd-rpm-macros-239-40.cm2.noarch.rpm +systemd-239-41.cm2.x86_64.rpm +systemd-bootstrap-239-35.cm2.x86_64.rpm +systemd-bootstrap-debuginfo-239-35.cm2.x86_64.rpm +systemd-bootstrap-devel-239-35.cm2.x86_64.rpm +systemd-debuginfo-239-41.cm2.x86_64.rpm +systemd-devel-239-41.cm2.x86_64.rpm +systemd-lang-239-41.cm2.x86_64.rpm +systemd-rpm-macros-239-41.cm2.noarch.rpm tar-1.32-2.cm2.x86_64.rpm tar-debuginfo-1.32-2.cm2.x86_64.rpm +tcp_wrappers-7.6-9.cm2.x86_64.rpm +tcp_wrappers-debuginfo-7.6-9.cm2.x86_64.rpm +tcp_wrappers-devel-7.6-9.cm2.x86_64.rpm tdnf-2.1.0-7.cm2.x86_64.rpm tdnf-cli-libs-2.1.0-7.cm2.x86_64.rpm tdnf-debuginfo-2.1.0-7.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/update_manifests.sh b/toolkit/resources/manifests/package/update_manifests.sh index c6856e8031..9fa7ce1439 100755 --- a/toolkit/resources/manifests/package/update_manifests.sh +++ b/toolkit/resources/manifests/package/update_manifests.sh 
@@ -45,6 +45,7 @@ remove_packages_for_pkggen_core () {
 sed -i '/ca-certificates-[0-9]/d' $TmpPkgGen
 sed -i '/ca-certificates-legacy/d' $TmpPkgGen
 sed -i '/ca-certificates-microsoft/d' $TmpPkgGen
+ sed -i '/cyrus-sasl/d' $TmpPkgGen
 sed -i '/libtasn1-d/d' $TmpPkgGen
 sed -i '/libpkgconf-devel/d' $TmpPkgGen
 sed -i '/lua-static/d' $TmpPkgGen
@@ -61,6 +62,7 @@ remove_packages_for_pkggen_core () {
 sed -i '/e2fsprogs-lang/d' $TmpPkgGen
 sed -i '/openj/d' $TmpPkgGen
 sed -i '/freetype2/d' $TmpPkgGen
+ sed -i '/finger-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/gfortran/d' $TmpPkgGen
 sed -i '/glib-devel/d' $TmpPkgGen
 sed -i '/glib-schemas/d' $TmpPkgGen
@@ -73,20 +75,19 @@ remove_packages_for_pkggen_core () {
 sed -i '/kmod/d' $TmpPkgGen
 sed -i '/krb5-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/libarchive/d' $TmpPkgGen
+ sed -i '/libcap-ng-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/libdb-utils/d' $TmpPkgGen
 sed -i '/libgpg-error-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/libgcrypt-[[:alpha:]]/d' $TmpPkgGen
- sed -i '/libselinux-devel/d' $TmpPkgGen
- sed -i '/libselinux-python3/d' $TmpPkgGen
- sed -i '/libselinux-utils/d' $TmpPkgGen
- sed -i '/libsepol-devel/d' $TmpPkgGen
+ sed -i '/libsemanage-[[:alpha:]]/d' $TmpPkgGen
+ sed -i '/libselinux-[[:alpha:]]/d' $TmpPkgGen
+ sed -i '/libsepol-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/libsolv-tools/d' $TmpPkgGen
 sed -i '/libxslt/d' $TmpPkgGen
 sed -i '/Linux-PAM/d' $TmpPkgGen
 sed -i '/lua-devel/d' $TmpPkgGen
- sed -ri '/mariner-repos-(extras|ui)/d' $TmpPkgGen
+ sed -ri '/mariner-repos-(extras|ui|microsoft)/d' $TmpPkgGen
 sed -i '/npth-[[:alpha:]]/d' $TmpPkgGen
- sed -i '/pcre-[0-9]/d' $TmpPkgGen
 sed -i '/pcre-devel/d' $TmpPkgGen
 sed -i '/perl-5/d' $TmpPkgGen
 sed -i '/perl-A/d' $TmpPkgGen
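Review bot: The added `sed -i '/cyrus-sasl/d' $TmpPkgGen` in the first hunk deletes every cyrus-sasl line from the temporary list, yet the last hunk of this file adds `grep "^cyrus-sasl-" $TmpPkgGen` to generate_pkggen_core. If both functions operate on the same `$TmpPkgGen` in that order (the call sequence is outside these hunks), the grep can never match, which fits the regenerated manifest earlier in this diff where no cyrus-sasl entry follows the `which-` line. Either drop the grep, or narrow the filter to `sed -i '/cyrus-sasl-[[:alpha:]]/d' $TmpPkgGen` as the neighbouring `finger-` and `libcap-ng-` lines do, so the base package survives. A grep with no match also returns 1, which would matter if the script runs with `set -e`; both function bodies start and end outside the hunks.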
@@ -200,6 +201,7 @@ remove_packages_for_pkggen_core () {
 sed -i '/python3-tools/d' $TmpPkgGen
 sed -i '/shadow/d' $TmpPkgGen
 sed -i '/tdnf-python/d' $TmpPkgGen
+ sed -i '/tcp_wrappers-[[:alpha:]]/d' $TmpPkgGen
 sed -i '/util-linux-lang/d' $TmpPkgGen
 sed -i '/wget/d' $TmpPkgGen
 sed -i '/XML-Parser/d' $TmpPkgGen
@@ -275,7 +277,6 @@ generate_pkggen_core () {
 grep "^createrepo_c-" $TmpPkgGen
 grep "^libxml2-" $TmpPkgGen
 grep "^libsepol-" $TmpPkgGen
- grep "^libselinux-" $TmpPkgGen
 grep "^glib-" $TmpPkgGen
 grep "^libltdl-" $TmpPkgGen
 grep "^pcre-" $TmpPkgGen
@@ -303,6 +304,8 @@ generate_pkggen_core () {
 grep "^python3-" $TmpPkgGen
 grep "^systemd-rpm-macros-" $TmpPkgGen
 grep "^which-" $TmpPkgGen
+ grep "^cyrus-sasl-" $TmpPkgGen
+ grep "^libselinux-" $TmpPkgGen
 } > "$1"
 }
diff --git a/toolkit/scripts/download-packages.sh b/toolkit/scripts/download-packages.sh
new file mode 100755
index 0000000000..a8d50190f7
--- /dev/null
+++ b/toolkit/scripts/download-packages.sh
@@ -0,0 +1,99 @@ +#!/bin/bash -e + +function get_packages { + # First argument is an URL to a directory containing packages + download_url="$1" + + # wget -nv -O - "$download_url" -- Download HTML of package directory and send to stdout (-nv reduces verbosity) + # | grep 'a href' -- Filter out lines that are not links (we're looking for links to rpms) + # | sed -E -e 's: space-separated list of directories in the RPM repository (passed with the -u) (e.g. "base update")' + echo '[OPTIONAL] -h -> print this help dialogue and exit' + echo '[MANDATORY] -t TYPE -> select which type of packages to download. Can provide more than one type, separated by space. The valid types are: x86_64 aarch64 srpms' + echo '[MANDATORY] -u URL -> URL to a root directory of a repository (e.g. https://packages.microsoft.com/cbl-mariner/1.0/prod/)' + echo '[OPTIONAL] -z -> create a tarball for each downloaded package type and clean up' +} + +repository_url= +packages_types= +directories= +tar_packages=0 + +while getopts "d:ht:u:z" OPTIONS; do + case ${OPTIONS} in + d ) directories="$OPTARG" ;; + h ) help; exit 0 ;; + t ) packages_types="$OPTARG" ;; + u ) repository_url=$OPTARG ;; + z ) tar_packages=1 ;; + ? ) echo -e "ERROR: INVALID OPTION.\n\n"; help; exit 1 ;; + esac +done + +if [[ -z "$directories" ]] || [[ -z "$packages_types" ]] || [[ -z "$repository_url" ]]; then + echo -e "ERROR: Arguments '-d', '-t' and '-u' are mandatory!\n\n" + help + exit 2 +fi + +# Remove trailing directory separator, if any +if [[ $repository_url =~ ^.+/$ ]]; then + echo "-- Removing trailing directory separator from $repository_url" + repository_url=`echo $repository_url | head -c -2` +fi + +# For benchmark purposes +before_run=$(date +%s) + +# Iterate over directories and types, downloading the files +for directory in $directories; do + echo "-- Downloading directory $directory..." + for package_type in $packages_types; do + echo "-- Downloading type $package_type for directory $directory..." 
+ + # If these are not srpms, there is additional directory to skip + appendix= + if [[ ! "$package_type" == "srpms" ]]; then + echo "-- Downloading RPMS - adding additional directory." + appendix="/rpms" + fi + + # Appendix contains the slash, if needed. + get_packages "$repository_url"/"$directory"/"$package_type""$appendix" + done +done + +if [[ 1 == $tar_packages ]]; then + make_tarball +fi + +echo "Total execution time:" +after_run=$(date +%s) +date -d@$((before_run - now)) -u +%H:%M:%S diff --git a/toolkit/scripts/filter-packages.sh b/toolkit/scripts/filter-packages.sh new file mode 100755 index 0000000000..ddbab17505 --- /dev/null +++ b/toolkit/scripts/filter-packages.sh 
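Review bot: The closing line of the script prints a wrong duration: `date -d@$((before_run - now)) -u +%H:%M:%S` references `now`, which is never assigned, while the `after_run` captured on the line above is unused. In bash arithmetic the unset name evaluates to 0, so the output is the start timestamp rendered as a time of day rather than the elapsed time. It should read `date -d@$((after_run - before_run)) -u +%H:%M:%S`.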
@@ -0,0 +1,76 @@ +#!/bin/bash -e + +function filter_packages { + # First argument is a path to the packages directory + rpms_directory="$1" + + # Used later + fields_cutoff=2 + if [[ $ignore_versions -eq 1 ]]; then + fields_cutoff=3 + fi + + duplicates_list=$(find "$rpms_directory" -name '*.rpm' -exec basename {} \; | # Find all the rpms leaving only file names + sort -V | # Sort to stack duplicates together. Sort like version numbers (-V) + rev | # Read backwards to inverse the order of the fields + cut -d'-' -f ${fields_cutoff}- | # Separate into fields by '-' skipping the first two (in case of ignore_versions - 3) + # (actually last - we're inversed) fields (filters out release and extension) + # in case of -i being passed, ignore versions as well. + rev | # Return to normal order + uniq -d | # Print only duplicates + awk '{print}' ORS=' ') # Join lines with space instead of newline + + remove_function="rm -v" + if [[ $pretend -eq 1 ]]; then + remove_function="echo Would remove: " + fi + + for duplicate in $duplicates_list; do + echo "Processing package '$duplicate'." + name_search="${duplicate}-[0-9]*" + + # and remove them (explicitly list removed items) + packages_to_remove=$(find "$rpms_directory" -name "$name_search" |# Find all the RPM files with the same name (different versions treated as different names without -i) + sort -V -r | # Read backwards and sort a version numbers (-V) and print in reverse(-r) to have the latest version at the top. + tail -n +2) # After the sort, the first path is of the latest version. Get a list of all the other RPMs (duplicates), starting line 2. + + for package in $packages_to_remove; do + $remove_function "$package" + done + + # Run a more advanced query again to work correctly when doing a -p run + echo "Left:" $(find "$rpms_directory" -name "$name_search" | sort -V -r | awk '{print}' ORS=' ' | cut -d' ' -f1 ) + echo #newline + done +} + +function help { + echo "Package filter. Filter out (remove) duplicate packages." 
+ echo "Usage:" + echo '[MANDATORY] -d DIR -> path to the directory which contains RPMS (this will) affect all subdirectories' + echo '[OPTIONAL] -h -> print this help dialogue and exit' + echo '[OPTIONAL] -i -> ignore version numbers when looking for the duplicates.' + echo '[OPTIONAL] -p -> pretend mode - just print the packages without removing them' +} + +directory= +pretend=0 +ignore_versions=0 + +while getopts "d:hpi" OPTIONS; do + case ${OPTIONS} in + d ) directory="$OPTARG" ;; + h ) help; exit 0 ;; + i ) ignore_versions=1 ;; + p ) pretend=1 ;; + ? ) echo -e "ERROR: INVALID OPTION.\n\n"; help; exit 1 ;; + esac +done + +if [[ -z "$directory" ]]; then + echo -e "ERROR: Argument '-d' is mandatory!\n\n" + help + exit 2 +fi + +filter_packages "$directory" diff --git a/toolkit/scripts/kubernertes-container/CreateContainerImages.sh b/toolkit/scripts/kubernertes-container/CreateContainerImages.sh deleted file mode 100755 index 2d92c3f2ea..0000000000 --- a/toolkit/scripts/kubernertes-container/CreateContainerImages.sh +++ /dev/null 
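Review bot: The removal query in filter_packages is broader than the duplicate detection: duplicates are computed from `find ... -name '*.rpm'`, but the paths handed to `rm -v` come from `find "$rpms_directory" -name "$name_search"` with `name_search="${duplicate}-[0-9]*"`, which has no `.rpm` suffix and no `-type f`. Any other file under the tree whose name starts with that prefix lands in the removal list, and the unquoted `for package in $packages_to_remove` splits paths that contain whitespace. Narrowing the query to `find "$rpms_directory" -type f -name "${duplicate}-[0-9]*.rpm"` and consuming it with `while IFS= read -r package` keeps deletion limited to what was counted as a duplicate.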
@@ -1,248 +0,0 @@ -#!/bin/bash -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. - -set -e - -SCRIPT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -ROOT_FOLDER="$(git rev-parse --show-toplevel)" - -BASE_IMAGE_NAME="cbl-mariner-base" -BASE_IMAGE_FULL_NAME="$BASE_IMAGE_NAME:1.0" -DISTROLESS_IMAGE_NAME="cbl-mariner-distroless" -DISTROLESS_IMAGE_FULL_NAME="$DISTROLESS_IMAGE_NAME:1.0" - -K8S_CONTAINER_PREFIX_BASE="k8s-container-base" -K8S_CONTAINER_PREFIX_DISTROLESS="k8s-container-distroless" - -# parse script parameters: -# -# -d -> distroless image tarball -# -b -> base image tarball -# -f -> folder where RPMs file are stored -# -o -> output folder -# -while getopts ":d:b:f:o:" OPTIONS; do - case ${OPTIONS} in - d ) - DISTROLESS_IMAGE_TARBALL=$OPTARG - echo "+++ DISTROLESS_IMAGE_TARBALL -> $DISTROLESS_IMAGE_TARBALL";; - b ) - BASE_IMAGE_TARBALL=$OPTARG - echo "+++ BASE_IMAGE_TARBALL -> $BASE_IMAGE_TARBALL";; - f ) - RPMS_FOLDER=$OPTARG - echo "+++ RPMS_FOLDER -> $RPMS_FOLDER";; - o ) - OUTPUT_FOLDER=$OPTARG - echo "+++ OUTPUT_FOLDER -> $OUTPUT_FOLDER";; - - \? ) - echo "Error - Invalid Option: -$OPTARG" 1>&2 - exit 1 - ;; - : ) - echo "Error - Invalid Option: -$OPTARG requires an argument" 1>&2 - exit 1 - ;; - esac -done - -if [[ (! -n $BASE_IMAGE_TARBALL) || \ - (! -f $BASE_IMAGE_TARBALL) ]]; then - echo "Error - NO base image tarball" - exit 1 -fi - -if [[ (! -n $DISTROLESS_IMAGE_TARBALL) || \ - (! -f $DISTROLESS_IMAGE_TARBALL) ]]; then - echo "Error - NO distroless image tarball" - exit 1 -fi - -if [[ (! -n $RPMS_FOLDER) || \ - (! -d $RPMS_FOLDER) ]]; then - echo "Error - NO RPMs folder" - exit 1 -fi - -if [[ (! -n $OUTPUT_FOLDER) || \ - (! 
-d $OUTPUT_FOLDER) ]]; then - echo "Error - NO output folder" - exit 1 -fi - -TEMPDIR=$(mktemp -d) - -function cleanup { - echo "+++ remove $TEMPDIR" - rm -rf $TEMPDIR - - echo "+++ cleanup docker containers" - BASE_CONTAINER_IDS=$(docker ps -a -f "name=$K8S_CONTAINER_PREFIX_BASE*" --format="{{.ID}}") - for CONTAINER_ID in $BASE_CONTAINER_IDS ; do - docker rm -f $CONTAINER_ID - done - - echo "+++ cleanup docker images" - K8S_DISTROLESS_IMAGE_IDS=$(docker images $K8S_CONTAINER_PREFIX_DISTROLESS* --format="{{.ID}}") - for K8S_IMAGE_ID in $K8S_DISTROLESS_IMAGE_IDS ; do - docker rmi -f $K8S_IMAGE_ID - done - - BASE_IMAGE_ID=$(docker images $BASE_IMAGE_NAME --format="{{.ID}}") - if [[ -n $BASE_IMAGE_ID ]]; then - docker rmi -f $BASE_IMAGE_ID - fi - - DISTROLESS_IMAGE_ID=$(docker images $DISTROLESS_IMAGE_NAME --format="{{.ID}}") - if [[ -n $DISTROLESS_IMAGE_ID ]]; then - docker rmi -f $DISTROLESS_IMAGE_ID - fi - - docker system prune -f -} -trap cleanup EXIT - -RPM_NAME="" -RPM_VERSION="" -RPM_REVISION="" - -function get_rpm_info { - # $1: rpm file name - RPM_FILE=$1 - - # get component name, version and revision from RPM file name - # file name pattern: 'component-name-x.y.z-r.cm1.arch.rpm' - # - component-name -> name of the component (can contain '-') - # - x.y.z -> version (cannot contain '-') - # - r -> revision number - # - cm1.arch.rpm -> RPM file extension (arch is the architecture: noarch, x86_64 or aarch64) - FILE_NAME=$(basename $RPM_FILE) - - OLDIFS=$IFS - IFS='-' - read -ra NAME_PARTS <<< $FILE_NAME - - RPM_NAME="" - for (( i=0; i<${#NAME_PARTS[@]}-2; i++ )); do - if [[ $i == 0 ]]; then - RPM_NAME="${NAME_PARTS[$i]}" - else - RPM_NAME="$RPM_NAME-${NAME_PARTS[$i]}" - fi - done - - RPM_VERSION=${NAME_PARTS[${#NAME_PARTS[@]}-2]} - IFS='.' 
- read -ra EXTENSION_PARTS <<< ${NAME_PARTS[${#NAME_PARTS[@]}-1]} - RPM_REVISION=${EXTENSION_PARTS[0]} - IFS=$OLDIFS -} - -function create_container_image_base { - # $1: kubernetes component name - # $2: rpm file name - K8S_COMPONENT=$1 - RPM_FILE=$2 - - get_rpm_info $RPM_FILE - - echo - echo "----------------------------------------------------------------------" - echo "+++ create base container for $K8S_COMPONENT version $RPM_VERSION-$RPM_REVISION" - echo "----------------------------------------------------------------------" - - K8S_CONTAINER_NAME="$K8S_CONTAINER_PREFIX_BASE-$K8S_COMPONENT-$RPM_VERSION" - K8S_IMAGE_NAME="$K8S_CONTAINER_NAME-$RPM_REVISION" - - cp $SCRIPT_FOLDER/InstallComponentsBase.sh $TEMPDIR - cp $ROOT_FOLDER/toolkit/resources/manifests/package/local.repo $TEMPDIR - - pushd $TEMPDIR - docker run \ - --name $K8S_CONTAINER_NAME \ - -v $RPMS_FOLDER:/upstream-cached-rpms \ - -v $TEMPDIR:/temp \ - -di $BASE_IMAGE_FULL_NAME /temp/InstallComponentsBase.sh -c $RPM_NAME-$RPM_VERSION -r /temp/local.repo - docker wait $K8S_CONTAINER_NAME - docker logs $K8S_CONTAINER_NAME - - echo "+++ export container $K8S_CONTAINER_NAME -> $K8S_IMAGE_NAME" - docker export -o "$OUTPUT_FOLDER/$K8S_IMAGE_NAME.tar.gz" $K8S_CONTAINER_NAME - popd - - # clean up temp folder - rm -rf $TEMPDIR/* -} - -function create_container_image_distroless { - # $1: kubernetes component name - # $2: rpm file name - K8S_COMPONENT=$1 - RPM_FILE=$2 - - get_rpm_info $RPM_FILE - - echo - echo "----------------------------------------------------------------------" - echo "+++ create distroless container for $K8S_COMPONENT version $RPM_VERSION-$RPM_REVISION" - echo "----------------------------------------------------------------------" - - FOLDERS_TO_INSTALL_DIR=folder-to-install - mkdir -p $TEMPDIR/$FOLDERS_TO_INSTALL_DIR - cp $SCRIPT_FOLDER/Dockerfile-Distroless $TEMPDIR/Dockerfile - cp $RPM_FILE $TEMPDIR/$FOLDERS_TO_INSTALL_DIR - - # expand RPM so folders it contains can be copied into the 
container - echo "+++ extract $RPM_FILE into $TEMPDIR/$FOLDERS_TO_INSTALL_DIR" - pushd $TEMPDIR/$FOLDERS_TO_INSTALL_DIR - rpm2cpio *.rpm | cpio -idm - rm *.rpm - popd - - K8S_IMAGE_BASE_NAME="$K8S_CONTAINER_PREFIX_DISTROLESS-$K8S_COMPONENT" - K8S_IMAGE_NAME_FULL="$K8S_IMAGE_BASE_NAME:$RPM_VERSION-$RPM_REVISION" - - pushd $TEMPDIR - docker image build -t $K8S_IMAGE_NAME_FULL . - TARBALL_FILE="$OUTPUT_FOLDER/$K8S_IMAGE_BASE_NAME-$RPM_VERSION-$RPM_REVISION.tar.gz" - echo "+++ save docker image to $TARBALL_FILE" - docker image save -o $TARBALL_FILE $K8S_IMAGE_NAME_FULL - popd - - # clean up temp folder - rm -rf $TEMPDIR/* -} - -# import base and distroless images -echo "+++ import container image $BASE_IMAGE_FULL_NAME" -cat $BASE_IMAGE_TARBALL | docker import - $BASE_IMAGE_FULL_NAME -echo "+++ import container image $DISTROLESS_IMAGE_FULL_NAME" -cat $DISTROLESS_IMAGE_TARBALL | docker import - $DISTROLESS_IMAGE_FULL_NAME - -cd $RPMS_FOLDER -DISTROLESS_COMPONENTS="kubernetes-kube-apiserver kubernetes-kube-controller-manager kubernetes-kube-scheduler kubernetes-pause etcd coredns flannel" -BASE_ONLY_COMPONENTS="kubernetes-kube-proxy" - -# create container based on cbl-mariner base -echo "======================================================================" -KUBERNETES_COMPONENTS="$DISTROLESS_COMPONENTS $BASE_ONLY_COMPONENTS" -echo "+++ create containers based on $BASE_IMAGE_FULL_NAME for $KUBERNETES_COMPONENTS" -for KUBERNETES_COMPONENT in $KUBERNETES_COMPONENTS ; do - for KUBERNETES_COMPONENT_RPM in $(find -name "$KUBERNETES_COMPONENT-[0-9]*") ; do - create_container_image_base $KUBERNETES_COMPONENT $KUBERNETES_COMPONENT_RPM - done -done - -echo - -# create container based on cbl-mariner distroless -echo "======================================================================" -KUBERNETES_COMPONENTS="$DISTROLESS_COMPONENTS" -echo "+++ create containers based on $DISTROLESS_IMAGE_FULL_NAME for $KUBERNETES_COMPONENTS" -for KUBERNETES_COMPONENT in $KUBERNETES_COMPONENTS ; 
do - for KUBERNETES_COMPONENT_RPM in $(find -name "$KUBERNETES_COMPONENT-[0-9]*") ; do - create_container_image_distroless $KUBERNETES_COMPONENT $KUBERNETES_COMPONENT_RPM - done -done diff --git a/toolkit/scripts/kubernertes-container/Dockerfile-Distroless b/toolkit/scripts/kubernertes-container/Dockerfile-Distroless deleted file mode 100644 index 44871eaf37..0000000000 --- a/toolkit/scripts/kubernertes-container/Dockerfile-Distroless +++ /dev/null @@ -1,8 +0,0 @@ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. - -# Use the cbl-mariner distroless container image as a parent image -FROM cbl-mariner-distroless:1.0 - -# copy files -COPY /folder-to-install/* / diff --git a/toolkit/scripts/kubernertes-container/InstallComponentsBase.sh b/toolkit/scripts/kubernertes-container/InstallComponentsBase.sh deleted file mode 100755 index 153b95adde..0000000000 --- a/toolkit/scripts/kubernertes-container/InstallComponentsBase.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. - -set -e - -# parse script parameters: -# -# -c -> component to install -# -r -> repo file -# -while getopts ":c:r:" OPTIONS; do - case ${OPTIONS} in - c ) COMPONENT=$OPTARG ;; - r ) REPO_FILE=$OPTARG ;; - - \? ) - echo " ---> Error - Invalid Option: -$OPTARG" 1>&2 - exit 1 - ;; - : ) - echo " ---> Error - Invalid Option: -$OPTARG requires an argument" 1>&2 - exit 1 - ;; - esac -done - -if [[ -f $REPO_FILE ]]; then - cp $REPO_FILE /etc/yum.repos.d -else - echo " ---> Error - no repo file" -fi - -echo " ---> install $COMPONENT" -tdnf -y install $COMPONENT - -FILE_NAME=$(basename $REPO_FILE) -rm /etc/yum.repos.d/$FILE_NAME diff --git a/toolkit/scripts/licenses/license_map.py b/toolkit/scripts/licenses/license_map.py index f49ddb449d..d8e80af101 100644 --- a/toolkit/scripts/licenses/license_map.py +++ b/toolkit/scripts/licenses/license_map.py 
@@ -7,6 +7,8 @@ from pathlib import Path import sys from types import SimpleNamespace +spec_dir_exceptions = { "kubernetes-1.18.14", "kubernetes-1.18.17", "kubernetes-1.19.7", "kubernetes-1.19.9", "kubernetes-1.20.2", "kubernetes-1.20.5" } + # Expected Schema: # class LicenseCollection: # header: str @@ -48,6 +50,7 @@ def get_missing_specs(spec_directories, license_collection): specs_not_in_json = specs_in_dir - specs_in_json specs_not_in_dir = specs_in_json - specs_in_dir + specs_not_in_dir -= spec_dir_exceptions return specs_not_in_json, specs_not_in_dir diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk index 628a73a8c6..ba386e8388 100644 --- a/toolkit/scripts/toolchain.mk +++ b/toolkit/scripts/toolchain.mk 
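Review bot: `spec_dir_exceptions` is added without a comment saying why these six versioned kubernetes names are exempt, and the subtraction `specs_not_in_dir -= spec_dir_exceptions` in get_missing_specs is unconditional. Once an entry is no longer needed the check keeps passing, so nothing prompts its removal. A short comment above the set, e.g. `# Names present in the license JSON that are allowed to have no matching spec directory; remove an entry when it no longer applies.`, would record the intent; the actual reason is not visible in this hunk and should be stated by the author. get_missing_specs starts and ends outside the second hunk.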
@@ -23,18 +23,17 @@ raw_toolchain = $(toolchain_build_dir)/toolchain_from_container.tar.gz final_toolchain = $(toolchain_build_dir)/toolchain_built_rpms_all.tar.gz toolchain_files = \ $(shell find $(SCRIPTS_DIR)/toolchain -name *.sh) \ - $(shell find $(SCRIPTS_DIR)/toolchain/SCRIPTS ) \ $(SCRIPTS_DIR)/toolchain/container/Dockerfile -toolchain_manifest = $(TOOLCHAIN_MANIFESTS_DIR)/toolchain_$(build_arch).txt +TOOLCHAIN_MANIFEST ?= $(TOOLCHAIN_MANIFESTS_DIR)/toolchain_$(build_arch).txt # Find the *.rpm corresponding to each of the entries in the manifest # regex operation: (.*\.([^\.]+)\.rpm) extracts *.().rpm" to determine # the exact path of the required rpm # Outputs: $(toolchain_rpms_dir)//..rpm sed_regex_full_path = 's`(.*\.([^\.]+)\.rpm)`$(toolchain_rpms_dir)/\2/\1`p' -toolchain_rpms := $(shell sed -nr $(sed_regex_full_path) < $(toolchain_manifest)) -toolchain_rpms_buildarch := $(shell grep $(build_arch) $(toolchain_manifest)) -toolchain_rpms_noarch := $(shell grep noarch $(toolchain_manifest)) +toolchain_rpms := $(shell sed -nr $(sed_regex_full_path) < $(TOOLCHAIN_MANIFEST)) +toolchain_rpms_buildarch := $(shell grep $(build_arch) $(TOOLCHAIN_MANIFEST)) +toolchain_rpms_noarch := $(shell grep noarch $(TOOLCHAIN_MANIFEST)) $(call create_folder,$(toolchain_build_dir)) $(call create_folder,$(toolchain_downloads_logs_dir)) @@ -173,7 +172,7 @@ ifeq ($(REBUILD_TOOLCHAIN),y) # The basic set of RPMs can always be produced by bootstrapping the toolchain. # Try to skip extracting individual RPMS if the toolchain step has already placed # them into the RPM folder. -$(toolchain_rpms): $(toolchain_manifest) | $(final_toolchain) +$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) | $(final_toolchain) @echo Extracting RPM $@ from toolchain && \ if [ ! -f $@ -o $(final_toolchain) -nt $@ ]; then \ mkdir -p $(dir $@) && \ 
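Review bot: `TOOLCHAIN_MANIFEST ?=` makes the manifest path caller-supplied, but the three `$(shell ...)` assignments below it interpolate it unquoted and do not check that the file exists. A path containing spaces or shell metacharacters is reinterpreted by the shell, and a missing or mistyped path leaves `toolchain_rpms` empty with only a shell message on stderr. Quoting the expansion, e.g. `$(shell sed -nr $(sed_regex_full_path) < "$(TOOLCHAIN_MANIFEST)")`, and guarding with `$(if $(wildcard $(TOOLCHAIN_MANIFEST)),,$(error TOOLCHAIN_MANIFEST not found: $(TOOLCHAIN_MANIFEST)))` would surface the problem at parse time. Any remaining `$(toolchain_manifest)` references outside the visible hunks would now expand to nothing and should be checked.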
@@ -193,7 +192,7 @@ $(STATUS_FLAGS_DIR)/toolchain_local_temp.flag: $(TOOLCHAIN_ARCHIVE) $(shell find touch $(BUILD_DIR)/toolchain_temp/* && \ touch $@ -$(toolchain_rpms): $(toolchain_manifest) $(toolchain_local_temp) +$(toolchain_rpms): $(TOOLCHAIN_MANIFEST) $(toolchain_local_temp) tempFile=$(toolchain_local_temp)/$(notdir $@) && \ if [ ! -f $@ -o $(TOOLCHAIN_ARCHIVE) -nt $@ ]; then \ echo Extracting RPM $@ from toolchain && \ @@ -205,7 +204,7 @@ $(toolchain_rpms): $(toolchain_manifest) $(toolchain_local_temp) else # Download from online package server $(toolchain_rpms): - @rpm_filename="$(notdir $@)" && \ + rpm_filename="$(notdir $@)" && \ rpm_dir="$(dir $@)" && \ log_file="$(toolchain_downloads_logs_dir)/$$rpm_filename.log" && \ echo "Downloading toolchain RPM: $$rpm_filename" | tee "$$log_file" && \ @@ -215,15 +214,14 @@ $(toolchain_rpms): wget $$url/$$rpm_filename \ $(if $(TLS_CERT),--certificate=$(TLS_CERT)) \ $(if $(TLS_KEY),--private-key=$(TLS_KEY)) \ - -a $$log_file \ - && \ + -a $$log_file && \ echo "Downloaded toolchain RPM: $$rpm_filename" >> $$log_file && \ break; \ done || { \ - echo "\nERROR: Failed to download toolchain package: $$rpm_filename." && \ - echo "ERROR: Last $(toolchain_log_tail_length) lines from log '$$log_file':\n" && \ - tail -n$(toolchain_log_tail_length) $$log_file | sed 's/^/\t/' && \ - $(call print_error,\nToolchain download failed. See above errors for more details.) \ - } + echo "\nERROR: Failed to download toolchain package: $$rpm_filename." && \ + echo "ERROR: Last $(toolchain_log_tail_length) lines from log '$$log_file':\n" && \ + tail -n$(toolchain_log_tail_length) $$log_file | sed 's/^/\t/' && \ + $(call print_error,\nToolchain download failed. See above errors for more details.) \ + } endif endif diff --git a/toolkit/scripts/toolchain/SCRIPTS/brp-strip-debug-symbols b/toolkit/scripts/toolchain/SCRIPTS/brp-strip-debug-symbols deleted file mode 100755 index 3c7c3cdc37..0000000000 
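Review bot: Dropping the `@` from `rpm_filename="$(notdir $@)" && \` in the download recipe makes make echo the whole multi-line command once per toolchain RPM. That echo includes the expanded `--certificate=$(TLS_CERT)` and `--private-key=$(TLS_KEY)` arguments shown in the following hunk, so the key file locations are written to build logs, while the existing `Downloading toolchain RPM` message already reports progress. If the change was made for debugging, restore `@rpm_filename="$(notdir $@)" && \`. The recipe begins and ends outside this hunk.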
--- a/toolkit/scripts/toolchain/SCRIPTS/brp-strip-debug-symbols +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -# If using normal root, avoid changing anything. -if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then - exit 0 -fi - -STRIP=${1:-strip} - -case `uname -a` in -Darwin*) exit 0 ;; -*) ;; -esac - -# Strip ELF binaries -for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \ - sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped/\1/p'`; do - $STRIP --strip-debug -g "$f" || : -done diff --git a/toolkit/scripts/toolchain/SCRIPTS/brp-strip-unneeded b/toolkit/scripts/toolchain/SCRIPTS/brp-strip-unneeded deleted file mode 100755 index a323675bbf..0000000000 --- a/toolkit/scripts/toolchain/SCRIPTS/brp-strip-unneeded +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -# If using normal root, avoid changing anything. -if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then - exit 0 -fi - -STRIP=${1:-strip} - -case `uname -a` in -Darwin*) exit 0 ;; -*) ;; -esac - -# Strip ELF binaries -for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \ - sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped/\1/p'`; do - $STRIP --strip-unneeded -g "$f" || : -done diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh index b3b0500018..596b570265 100755 --- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh +++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh @@ -201,6 +201,8 @@ cp -v $MARINER_TOOLCHAIN_MANIFESTS_DIR/macros.override $LFS/usr/lib/rpm/macros.d chmod +x $LFS/usr/lib/rpm/brp* cp /etc/resolv.conf $LFS/etc/ +chroot_and_print_installed_rpms + echo Building final list of toolchain RPMs build_rpm_in_chroot_no_install mariner-rpm-macros copy_rpm_subpackage mariner-check-macros 
@@ -226,7 +228,6 @@ build_rpm_in_chroot_no_install gettext build_rpm_in_chroot_no_install sqlite build_rpm_in_chroot_no_install nspr build_rpm_in_chroot_no_install expat -build_rpm_in_chroot_no_install grep build_rpm_in_chroot_no_install libffi build_rpm_in_chroot_no_install xz build_rpm_in_chroot_no_install zstd @@ -235,7 +236,6 @@ build_rpm_in_chroot_no_install m4 build_rpm_in_chroot_no_install libdb build_rpm_in_chroot_no_install libcap build_rpm_in_chroot_no_install popt -build_rpm_in_chroot_no_install util-linux build_rpm_in_chroot_no_install findutils build_rpm_in_chroot_no_install tar build_rpm_in_chroot_no_install gawk @@ -306,8 +306,6 @@ chroot_and_install_rpms alsa-lib build_rpm_in_chroot_no_install gperf chroot_and_install_rpms gperf -# Python2 needs to be installed for RPM and openjdk's dependencies to build - # Python3 needs to be installed for RPM to build build_rpm_in_chroot_no_install python3 rm -vf $FINISHED_RPM_DIR/python3*debuginfo*.rpm @@ -343,12 +341,13 @@ chroot_and_install_rpms openjdk8 cp -v $CHROOT_RPMS_DIR_ARCH/openjre8* $FINISHED_RPM_DIR chroot_and_install_rpms openjre8 +# PCRE needs to be installed (above) for grep to build with perl regexp support +build_rpm_in_chroot_no_install grep + # Lua needs to be installed for RPM to build build_rpm_in_chroot_no_install lua chroot_and_install_rpms lua -build_rpm_in_chroot_no_install rpm - # Build tdnf-2.1.0 build_rpm_in_chroot_no_install kmod build_rpm_in_chroot_no_install perl-XML-Parser @@ -397,10 +396,6 @@ build_rpm_in_chroot_no_install libxslt chroot_and_install_rpms pam build_rpm_in_chroot_no_install docbook-style-xsl -# shadow-utils needs the pam.d sources in the root of SOURCES_DIR -cp $SPECROOT/shadow-utils/pam.d/* $CHROOT_SOURCES_DIR -build_rpm_in_chroot_no_install shadow-utils - # gtest needs cmake chroot_and_install_rpms cmake build_rpm_in_chroot_no_install gtest 
@@ -426,6 +421,7 @@ build_rpm_in_chroot_no_install gtk-doc # p11-kit, libtasn1 and glib need gtk-doc chroot_and_install_rpms gtk-doc +build_rpm_in_chroot_no_install libtasn1 # ninja-build requires gtest chroot_and_install_rpms gtest @@ -479,19 +475,33 @@ build_rpm_in_chroot_no_install createrepo_c build_rpm_in_chroot_no_install libpwquality build_rpm_in_chroot_no_install json-c +build_rpm_in_chroot_no_install libsepol -# systemd-bootstrap requires libcap, xz, kbd, kmod, util-linux, shadow-utils +# libselinux requires libsepol +chroot_and_install_rpms libsepol +build_rpm_in_chroot_no_install libselinux +# util-linux, rpm, libsemanage and shadow-utils require libselinux +chroot_and_install_rpms libselinux +build_rpm_in_chroot_no_install util-linux +build_rpm_in_chroot_no_install rpm + +# rebuild pam with selinux support +build_rpm_in_chroot_no_install pam + +# systemd-bootstrap requires libcap, xz, kbd, kmod, util-linux, meson chroot_and_install_rpms libcap chroot_and_install_rpms lz4 chroot_and_install_rpms xz chroot_and_install_rpms kbd chroot_and_install_rpms kmod chroot_and_install_rpms util-linux -chroot_and_install_rpms shadow-utils +chroot_and_install_rpms meson build_rpm_in_chroot_no_install systemd-bootstrap build_rpm_in_chroot_no_install libaio -# lvm2 requires ncurses, systemd-bootstrap, libaio, +# lvm2 requires libselinux, libsepol, ncurses, systemd-bootstrap, libaio, +chroot_and_install_rpms libselinux +chroot_and_install_rpms libsepol chroot_and_install_rpms ncurses chroot_and_install_rpms systemd-bootstrap chroot_and_install_rpms libaio 
@@ -506,11 +516,58 @@ chroot_and_install_rpms libpwquality chroot_and_install_rpms json-c build_rpm_in_chroot_no_install cryptsetup -# systemd needs intltool, util-linux +# systemd needs intltool, gperf, util-linux chroot_and_install_rpms intltool +chroot_and_install_rpms gperf chroot_and_install_rpms cryptsetup build_rpm_in_chroot_no_install systemd -build_rpm_in_chroot_no_install libtasn1 + +build_rpm_in_chroot_no_install golang-1.15 +build_rpm_in_chroot_no_install groff + +# libtiprc needs krb5 +chroot_and_install_rpms krb5 +build_rpm_in_chroot_no_install libtirpc +build_rpm_in_chroot_no_install rpcsvc-proto + +# libnsl2 needs libtirpc and rpcsvc-proto +chroot_and_install_rpms libtirpc +chroot_and_install_rpms rpcsvc-proto +build_rpm_in_chroot_no_install libnsl2 + +build_rpm_in_chroot_no_install finger + +# tcp_wrappers needs libnsl2, finger +chroot_and_install_rpms libnsl2 +chroot_and_install_rpms finger +build_rpm_in_chroot_no_install tcp_wrappers + +build_rpm_in_chroot_no_install cyrus-sasl + +# openldap needs groff, cyrus-sasl +chroot_and_install_rpms groff +chroot_and_install_rpms cyrus-sasl +build_rpm_in_chroot_no_install openldap + +build_rpm_in_chroot_no_install libcap-ng + +# audit needs systemd, golang, openldap, tcp_wrappers and libcap-ng +chroot_and_install_rpms systemd +chroot_and_install_rpms golang +chroot_and_install_rpms openldap +chroot_and_install_rpms tcp_wrappers +chroot_and_install_rpms libcap-ng +build_rpm_in_chroot_no_install audit + +# libsemanage requires libaudit +chroot_and_install_rpms audit +build_rpm_in_chroot_no_install libsemanage + +# shadow-utils requires libsemanage +chroot_and_install_rpms libsemanage +# shadow-utils needs the pam.d sources in the root of SOURCES_DIR +cp $SPECROOT/shadow-utils/pam.d/* $CHROOT_SOURCES_DIR +build_rpm_in_chroot_no_install shadow-utils # p11-kit needs libtasn1 chroot_and_install_rpms libtasn1 
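Review bot: The comment `# libtiprc needs krb5` in the block added after the systemd build misspells the package built on the next line; it should read `# libtirpc needs krb5`. In the same block the spec is built with `build_rpm_in_chroot_no_install golang-1.15` but installed with `chroot_and_install_rpms golang`. Whether that name resolves depends on how chroot_and_install_rpms matches RPM files, which is defined outside the hunk, so a one-line comment stating which RPM name the golang-1.15 spec produces would save the next reader the lookup.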
diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 16a4992177..4e9a36e1c4 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -69,7 +69,7 @@ COPY [ "./toolchain-md5sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz -O kernel-5.10.28.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.52.1.tar.gz -O kernel-5.10.52.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN md5sum -c $LFS/tools/toolchain-md5sums && \ diff --git a/toolkit/scripts/toolchain/container/jdk8-build-raw.sh b/toolkit/scripts/toolchain/container/jdk8-build-raw.sh index 8781351272..fd89628ba0 100755 --- a/toolkit/scripts/toolchain/container/jdk8-build-raw.sh +++ b/toolkit/scripts/toolchain/container/jdk8-build-raw.sh 
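Review bot: The new kernel tarball line keeps `; exit 0`, so a failed or truncated fetch of `kernel-5.10.52.1.tar.gz` does not stop the build at this step, and the only gate on what was downloaded is the `md5sum -c $LFS/tools/toolchain-md5sums` call that follows. MD5 is not collision-resistant, so it catches corruption but is a weak pin for sources pulled over the network, and the first wget in this hunk also passes `--no-check-certificate`. Consider moving the list to SHA-256 and checking it with `sha256sum -c`; the checksum file is changed elsewhere in this commit, so the two would need to be updated together. The RUN instruction containing the md5sum call continues past the hunk.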
@@ -118,34 +118,34 @@ popd rm -rf libxcb-1.12 # freetype 2 -echo freetype-2.8 -tar xf freetype-2.8.tar.bz2 -pushd freetype-2.8 +echo freetype-2.9.1 +tar xf freetype-2.9.1.tar.gz +pushd freetype-2.9.1 sed -ri "s:.*(AUX_MODULES.*valid):\1:" modules.cfg sed -r "s:.*(#.*SUBPIXEL_RENDERING) .*:\1:" \ -i include/freetype/config/ftoption.h ./configure --prefix=/usr --disable-static make make install -install -v -m755 -d /usr/share/doc/freetype-2.8 -cp -v -R docs/* /usr/share/doc/freetype-2.8 +install -v -m755 -d /usr/share/doc/freetype-2.9.1 +cp -v -R docs/* /usr/share/doc/freetype-2.9.1 popd -rm -rf freetype-2.8 +rm -rf freetype-2.9.1 # fontconfig -echo fontconfig-2.12.4 -tar xf fontconfig-2.12.4.tar.bz2 -pushd fontconfig-2.12.4 +echo fontconfig-2.13.91 +tar xf fontconfig-2.13.91.tar.gz +pushd fontconfig-2.13.91 rm -f src/fcobjshash.h ./configure --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ --disable-docs \ - --docdir=/usr/share/doc/fontconfig-2.12.4 + --docdir=/usr/share/doc/fontconfig-2.13.91 make make install popd -rm -rf fontconfig-2.12.4 +rm -rf fontconfig-2.13.91 # Xorg Libraries echo Xorg Libraries diff --git a/toolkit/scripts/toolchain/container/toolchain-md5sums b/toolkit/scripts/toolchain/container/toolchain-md5sums index ef11745bf1..e2fdccfe5f 100644 --- a/toolkit/scripts/toolchain/container/toolchain-md5sums +++ b/toolkit/scripts/toolchain/container/toolchain-md5sums @@ -10,7 +10,7 @@ a42bce1f10e92be5f3f5c1c5c4798b06 aarch64-jdk8u181-b13-langtools.tar.bz2 53f38e7591fa57c3d2cee682be668e5b automake-1.16.1.tar.xz 518e2c187cc11a17040f0915dddce54e bash-4.4.18.tar.gz 1a05fb01fa1d5198894c931cf925c025 bigreqsproto-1.1.2.tar.bz2 -0d174cdaf85721c5723bf52355be41e6 binutils-2.32.tar.xz +628d490d976d8957279bbbff06cf29d4 binutils-2.36.1.tar.xz db7e431785ad96870bfa570a15cab079 bison-3.1.tar.xz 6a5ac7e89b791aae556de0f745916f7f bzip2-1.0.6-install_docs-1.patch 00b516f4704d4a7cb50a1d97e6e8e15b bzip2-1.0.6.tar.gz 
@@ -34,9 +34,9 @@ ca047ae951b40020ac831c28859161b2 expat-2.2.6.tar.bz2 9936aa8009438ce185bea2694a997fc1 findutils-4.6.0.tar.gz e7431ab84d37b2678af71e29355e101d fixesproto-5.0.tar.bz2 2882e3179748cc9f9c23ec593d6adc8d flex-2.6.4.tar.gz -29105662c7d319720e0088a0ac53f494 fontconfig-2.12.4.tar.bz2 +5470d817f54b7870eee23e045a0afc8b fontconfig-2.13.91.tar.gz 36934d00b00555eaacde9f091f392f97 fontsproto-2.1.3.tar.bz2 -2413ac3eaf508ada019c63959ea81a92 freetype-2.8.tar.bz2 +3adb0e35d3c100c456357345ccfa8056 freetype-2.9.1.tar.gz 95cf553f50ec9f386b5dfcd67f30180a gawk-4.2.1.tar.xz 6069ae3737cf02bf2cb44a391ef0e937 gcc-9.1.0.tar.xz 988dc82182121c7570e0cb8b4fcd5415 gdbm-1.18.1.tar.gz @@ -59,7 +59,7 @@ bc62e7df6f75357b6dd1ec34600dbeaf jdk8u212-b04-langtools.tar.bz2 d0272e7a6107c64dae62b80ca7ec65e2 jdk8u212-b04-nashorn.tar.bz2 befd51c2b53a442e1fa6644bba89a95a jdk8u212-b04.tar.bz2 94afc90c1f7bef4a27fdd59ece39c878 kbproto-1.0.7.tar.bz2 -e0c6f0946012317df6dc4a56b82410e3 kernel-5.10.28.1.tar.gz +a983fcd3083df9e3d28cc27b49d9bc2a kernel-5.10.52.1.tar.gz d953ed6b47694dadf0e6042f8f9ff451 libarchive-3.4.2.tar.gz 968ac4d42a1a71754313527be2ab5df3 libcap-2.26.tar.xz ba983eba5a9f05d152a0725b8e863151 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list index 4e3c24edd1..651158145b 100644 --- a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list +++ b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list @@ -1,6 +1,6 @@ http://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.xz http://ftp.gnu.org/gnu/automake/automake-1.16.1.tar.xz -https://ftp.gnu.org/gnu/binutils/binutils-2.32.tar.xz +https://ftp.gnu.org/gnu/binutils/binutils-2.36.1.tar.xz http://ftp.gnu.org/gnu/dejagnu/dejagnu-1.6.2.tar.gz https://prdownloads.sourceforge.net/e2fsprogs/e2fsprogs-1.45.6.tar.gz https://sourceware.org/ftp/elfutils/0.176/elfutils-0.176.tar.bz2 
@@ -97,8 +97,8 @@ https://www.x.org/pub/individual/lib/libdmx-1.1.3.tar.bz2 https://www.x.org/pub/individual/lib/libpciaccess-0.13.5.tar.bz2 https://www.x.org/pub/individual/lib/libxkbfile-1.0.9.tar.bz2 https://www.x.org/pub/individual/lib/libxshmfence-1.2.tar.bz2 -https://downloads.sourceforge.net/freetype/freetype-2.8.tar.bz2 -https://www.freedesktop.org/software/fontconfig/release/fontconfig-2.12.4.tar.bz2 +https://download.savannah.gnu.org/releases/freetype/freetype-2.9.1.tar.gz +https://www.freedesktop.org/software/fontconfig/release/fontconfig-2.13.91.tar.gz https://xcb.freedesktop.org/dist/libxcb-1.12.tar.bz2 https://xcb.freedesktop.org/dist/xcb-proto-1.12.tar.bz2 https://www.x.org/pub/individual/lib/libXau-1.0.8.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index e23137f416..bc990a6b2e 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -57,14 +57,14 @@ set -e # cd /sources -echo Linux-5.10.28.1 API Headers -tar xf kernel-5.10.28.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 +echo Linux-5.10.52.1 API Headers +tar xf kernel-5.10.52.1.tar.gz +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.52.1 make mrproper make headers cp -rv usr/include/* /usr/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.52.1 touch /logs/status_kernel_headers_complete echo 6.8. Man-pages-5.02 @@ -235,9 +235,9 @@ popd rm -rf m4-1.4.18 touch /logs/status_m4_complete -echo Binutils-2.32 -tar xf binutils-2.32.tar.xz -pushd binutils-2.32 +echo Binutils-2.36.1 +tar xf binutils-2.36.1.tar.xz +pushd binutils-2.36.1 sed -i '/@\tincremental_copy/d' gold/testsuite/Makefile.in mkdir -v build cd build 
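Review bot: The freetype tarball now comes from `download.savannah.gnu.org`, which normally redirects to a mirror, so the integrity of the fetched file rests on the checksum entry alone, and the matching entry added to `toolchain-md5sums` is MD5. MD5 is not collision-resistant, so it is a weak pin for toolchain sources; a SHA-256 list (checked with `sha256sum -c`, assuming the file is consumed by an `md5sum -c` style check today) would be a meaningful one. The same applies to the binutils, fontconfig and kernel entries added in the `toolchain-md5sums` hunks.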
@@ -251,11 +251,10 @@ cd build --with-system-zlib # --enable-install-libiberty # libiberty.a used to be in binutils. Now it is in GCC. -# --enable-install-libiberty make -j$(nproc) tooldir=/usr make tooldir=/usr install popd -rm -rf binutils-2.32 +rm -rf binutils-2.36.1 touch /logs/status_binutils_complete echo GMP-6.1.2 @@ -1072,6 +1071,7 @@ tar xf nss-3.44.tar.gz pushd nss-3.44 patch -Np1 -i ../nss-3.44-standalone-1.patch cd nss +export NSS_DISABLE_GTESTS=1 # Build with single processor due to errors seen with parallel make make -j1 BUILD_OPT=1 \ NSPR_INCLUDE_DIR=/usr/include/nspr \ diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 8df1b2accb..745e11b9fd 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -16,9 +16,9 @@ touch $LFS/logs/temptoolchain/status_temp_toolchain_build_started cat /home/lfs/.bashrc LFS_TGT=$(uname -m)-lfs-linux-gnu -echo Binutils-2.32 - Pass 1 -tar xf binutils-2.32.tar.xz -pushd binutils-2.32 +echo Binutils-2.36.1 - Pass 1 +tar xf binutils-2.36.1.tar.xz +pushd binutils-2.36.1 mkdir -v build cd build ../configure --prefix=/tools \ @@ -31,7 +31,7 @@ make -j$(nproc) mkdir -v /tools/lib && ln -sv lib /tools/lib64 make install popd -rm -rf binutils-2.32 +rm -rf binutils-2.36.1 touch $LFS/logs/temptoolchain/status_binutils_pass1_complete 
@@ -113,14 +113,14 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -echo Linux-5.10.28.1 API Headers -tar xf kernel-5.10.28.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 +echo Linux-5.10.52.1 API Headers +tar xf kernel-5.10.52.1.tar.gz +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.52.1 make mrproper make headers cp -rv usr/include/* /tools/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.52.1 touch $LFS/logs/temptoolchain/status_kernel_headers_complete @@ -182,9 +182,9 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_libstdc++_complete -echo Binutils-2.32 - Pass 2 -tar xf binutils-2.32.tar.xz -pushd binutils-2.32 +echo Binutils-2.36.1 - Pass 2 +tar xf binutils-2.36.1.tar.xz +pushd binutils-2.36.1 mkdir -v build cd build CC=$LFS_TGT-gcc \ @@ -202,7 +202,7 @@ make -C ld clean make -C ld LIB_PATH=/usr/lib:/lib cp -v ld/ld-new /tools/bin popd -rm -rf binutils-2.32 +rm -rf binutils-2.36.1 touch $LFS/logs/temptoolchain/status_binutils_pass2_complete diff --git a/toolkit/scripts/toolkit.mk b/toolkit/scripts/toolkit.mk index ce7aafd11d..926d96e9ff 100644 --- a/toolkit/scripts/toolkit.mk +++ b/toolkit/scripts/toolkit.mk @@ -12,11 +12,14 @@ toolkit_component_extra_files = \ $(PROJECT_ROOT)/LICENSES-AND-NOTICES/LICENSE.md \ $(toolkit_root)/.gitignore +mariner_repos_dir = $(SPECS_DIR)/mariner-repos + # Outputs toolkit_version = $(RELEASE_VERSION)-$(build_arch) toolkit_archive = $(OUT_DIR)/toolkit-$(toolkit_version).tar.gz toolkit_remove_archive = $(OUT_DIR)/toolkit-*.tar.gz toolkit_build_dir = $(BUILD_DIR)/toolkit +toolkit_repos_dir = $(toolkit_build_dir)/repos toolkit_tools_dir = $(toolkit_build_dir)/tools/toolkit_bins toolkit_release_file = $(toolkit_build_dir)/version.txt 
@@ -30,10 +33,15 @@ clean-package-toolkit: package-toolkit: go-tools rm -rf $(toolkit_build_dir) && \ mkdir -p $(toolkit_build_dir) && \ + mkdir -p $(toolkit_repos_dir) && \ mkdir -p $(toolkit_tools_dir) && \ cp -r $(toolkit_root)/* $(toolkit_build_dir) && \ + cp $(mariner_repos_dir)/*.repo $(toolkit_repos_dir) && \ cp $(toolkit_component_extra_files) $(toolkit_build_dir) && \ cp $(go_tool_targets) $(toolkit_tools_dir) && \ echo "$(toolkit_version)" > $(toolkit_release_file) && \ rm -rf $(toolkit_build_dir)/out && \ tar -I $(ARCHIVE_TOOL) -cvp -f $(toolkit_archive) -C $(toolkit_build_dir)/.. $(notdir $(toolkit_build_dir)) + +print-build-summary: + sed -E -n 's:^.+level=info msg="Built \(([^\)]+)\) -> \[(.+)\].+$:\1\t\2:gp' $(LOGS_DIR)/pkggen/rpmbuilding/* | tee $(LOGS_DIR)/pkggen/build-summary.csv diff --git a/toolkit/scripts/tools.mk b/toolkit/scripts/tools.mk index 1f0167f89d..fd8e2e87f4 100644 --- a/toolkit/scripts/tools.mk +++ b/toolkit/scripts/tools.mk @@ -125,7 +125,11 @@ clean-chroot-tools: rm -rf $(BUILD_DIR)/worker && \ rm -rf $(BUILD_DIR)/validatechroot -worker_chroot_manifest = $(TOOLCHAIN_MANIFESTS_DIR)/pkggen_core_$(build_arch).txt +# Worker chroot manifest is a file corresponding to the TOOLCHAIN_MANIFEST name. +toolchain_config_name=$(notdir $(TOOLCHAIN_MANIFEST)) +worker_manifest_name=$(shell echo "$(toolchain_config_name)" | sed -E 's:^toolchain:pkggen_core:' ) +worker_chroot_manifest = $(TOOLCHAIN_MANIFESTS_DIR)/$(worker_manifest_name) +#$(TOOLCHAIN_MANIFESTS_DIR)/pkggen_core_$(build_arch).txt # Find the *.rpm corresponding to each of the entries in the manifest # regex operation: (.*\.([^\.]+)\.rpm) extracts *.().rpm" to determine # the exact path of the required rpm diff --git a/toolkit/tools/imagegen/attendedinstaller/primitives/enumfield/enumfield.go b/toolkit/tools/imagegen/attendedinstaller/primitives/enumfield/enumfield.go new file mode 100644 index 0000000000..6dfcdde444 --- /dev/null 
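Review bot: In the tools.mk hunk, `worker_manifest_name` interpolates `$(toolchain_config_name)` into a double-quoted `$(shell echo ... | sed ...)` command, so shell metacharacters in the `TOOLCHAIN_MANIFEST` file name are interpreted by the shell. Make's built-in substitution does the same prefix rewrite without a subshell: `worker_manifest_name = $(patsubst toolchain%,pkggen_core%,$(toolchain_config_name))`. The commented-out old assignment left under the new one (`#$(TOOLCHAIN_MANIFESTS_DIR)/pkggen_core_$(build_arch).txt`) can be deleted.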
+++ b/toolkit/tools/imagegen/attendedinstaller/primitives/enumfield/enumfield.go 
@@ -0,0 +1,254 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package enumfield + +import ( + "math" + + "github.com/gdamore/tcell" + "github.com/rivo/tview" +) + +type EnumField struct { + *tview.Box + + // The label of the field + label string + + // Maximum width of the label, or 0 for label's length + labelWidth int + + // Options to choose from + options []string + + // Index of the currently selected option + selectedOption int + + // The label color. + labelColor tcell.Color + + // The label color when this item is selected. + labelColorActivated tcell.Color + + // The text color. + textColor tcell.Color + + // The text color when this item is selected. + textColorActivated tcell.Color + + // The background color. + backgroundColor tcell.Color + + // The background color when this item is selected. + backgroundColorActivated tcell.Color + + // A callback invoked when the user leaves this form item + onFinished func(tcell.Key) + + // A callback invoked when this primitive receives focus. + onFocus func() + + // A callback invoked when this primitive loses focus. + onBlur func() +} + +// NewEnumField returns a new navigation bar. +func NewEnumField(options []string) *EnumField { + return &EnumField{ + Box: tview.NewBox(), + backgroundColor: tview.Styles.PrimitiveBackgroundColor, + backgroundColorActivated: tview.Styles.ContrastBackgroundColor, + labelColor: tview.Styles.SecondaryTextColor, + labelColorActivated: tview.Styles.ContrastSecondaryTextColor, + textColor: tview.Styles.PrimaryTextColor, + textColorActivated: tview.Styles.PrimaryTextColor, + options: options, + } +} + +// SetLabelColor sets the color of button text. +func (n *EnumField) SetLabelColor(color tcell.Color) *EnumField { + n.labelColor = color + return n +} + +// SetLabelColorActivated sets the color of button text when the button is +// selected. 
+func (n *EnumField) SetLabelColorActivated(color tcell.Color) *EnumField { + n.labelColorActivated = color + return n +} + +// SetNavBackgroundColor sets the background color. +func (n *EnumField) SetFieldBackgroundColor(color tcell.Color) *EnumField { + n.backgroundColor = color + return n +} + +// SetBackgroundColorActivated sets the background color of the button text when +// the button is selected. +func (n *EnumField) SetBackgroundColorActivated(color tcell.Color) *EnumField { + n.backgroundColorActivated = color + return n +} + +// Draw renders this primitive onto the screen. +func (n *EnumField) Draw(screen tcell.Screen) { + + // Update dimensions + n.Box.Draw(screen) + + // Obtain dimensions + x, y, width, height := n.GetInnerRect() + rightLimit := x + width + if height < 1 || rightLimit <= x { + return + } + + // Draw label. + // Make sure labelWidth is not greater than n.labelWidth + labelWidth := rightLimit - x + if (n.labelWidth > 0) && (n.labelWidth < labelWidth) { + labelWidth = n.labelWidth + } + tview.Print(screen, n.label, x, y, labelWidth, tview.AlignLeft, n.labelColor) + // Always move to the edge to align input fields + x += n.labelWidth + + // Don't draw the option part if there are no options + if len(n.options) == 0 { + return + } + + // get as much space as needed or available + fieldWidth := math.MaxInt32 + if rightLimit-x < fieldWidth { + fieldWidth = rightLimit - x + } + + // Draw the background + var ( + fieldStyle tcell.Style + textColor tcell.Color + ) + + if n.HasFocus() { + fieldStyle = tcell.StyleDefault.Background(n.backgroundColorActivated) + textColor = n.textColorActivated + } else { + fieldStyle = tcell.StyleDefault.Background(n.backgroundColor) + textColor = n.textColor + } + + for index := 0; index < len(n.options[n.selectedOption]); index++ { + screen.SetContent(x+index, y, ' ', nil, fieldStyle) + } + + // Draw the text + text := n.options[n.selectedOption] + tview.Print(screen, tview.Escape(text), x, y, fieldWidth, 
tview.AlignLeft, textColor) +} + +// InputHandler returns the handler for this primitive. +func (n *EnumField) InputHandler() func(event *tcell.EventKey, setFocus func(p tview.Primitive)) { + return n.WrapInputHandler(func(event *tcell.EventKey, setFocus func(p tview.Primitive)) { + key := event.Key() + switch key { + case tcell.KeyLeft: + n.selectedOption-- + if n.selectedOption < 0 { + n.selectedOption = len(n.options) - 1 + } + case tcell.KeyRight: + n.selectedOption++ + if n.selectedOption == len(n.options) { + n.selectedOption = 0 + } + case tcell.KeyDown, tcell.KeyUp, tcell.KeyEnter, + tcell.KeyEscape, tcell.KeyTab, tcell.KeyBacktab: + n.onFinished(key) + } + }) +} + +// GetLabel returns the text to be displayed before the input area. +func (n *EnumField) GetLabel() string { + return n.label +} + +// GetFieldWidth obtains a screen width of the input area. A value of 0 means +// extend as much as possible. +func (n *EnumField) GetFieldWidth() int { + // Same as the text length + return 0 +} + +// SetFormAttributes sets attributes shared by all form items. Only bgColor is considered for bg colors. +func (n *EnumField) SetFormAttributes(labelWidth int, labelColor, bgColor, fieldTextColor, fieldBgColor tcell.Color) tview.FormItem { + n.labelWidth = labelWidth + n.labelColor = labelColor + n.textColor = fieldTextColor + n.backgroundColor = bgColor + + return n +} + +// SetFinishedFunc sets a callback invoked when the user leaves this form item. +func (n *EnumField) SetFinishedFunc(handler func(key tcell.Key)) tview.FormItem { + n.onFinished = handler + return n +} + +// SetOnFocusFunc sets a callback invoked when this primitive receives focus. +func (n *EnumField) SetOnFocusFunc(handler func()) *EnumField { + n.onFocus = handler + return n +} + +// SetOnBlurFunc sets a callback invoked when this primitive loses focus. 
+func (n *EnumField) SetOnBlurFunc(handler func()) *EnumField { + n.onBlur = handler + return n +} + +// Focus is called when this primitive receives focus. +func (n *EnumField) Focus(delegate func(p tview.Primitive)) { + if n.onFocus != nil { + n.onFocus() + } + + n.Box.Focus(delegate) +} + +// Blur is called when this primitive loses focus. +func (n *EnumField) Blur() { + if n.onBlur != nil { + n.onBlur() + } + n.Box.Blur() +} + +// GetText returns currently selected text +func (n *EnumField) GetText() string { + return n.options[n.selectedOption] +} + +// SetLabel sets label and returns the updated object. +func (n *EnumField) SetLabel(x string) *EnumField { + n.label = x + n.Box.SetTitle(n.label) + return n +} + +// SetLabelWidth sets the screen width of the label. A value of 0 will cause the +// primitive to use the width of the label string. +func (n *EnumField) SetLabelWidth(width int) *EnumField { + n.labelWidth = width + return n +} + +// GetLabelWidth returns width of the label field. +func (n *EnumField) GetLabelWidth() int { + return n.labelWidth +} diff --git a/toolkit/tools/imagegen/attendedinstaller/views/diskview/manualpartitionwidget/manualpartitionwidget.go b/toolkit/tools/imagegen/attendedinstaller/views/diskview/manualpartitionwidget/manualpartitionwidget.go index c4d98f8c23..937eadcfcb 100644 --- a/toolkit/tools/imagegen/attendedinstaller/views/diskview/manualpartitionwidget/manualpartitionwidget.go +++ b/toolkit/tools/imagegen/attendedinstaller/views/diskview/manualpartitionwidget/manualpartitionwidget.go @@ -7,6 +7,7 @@ import ( "fmt" "strings" + "microsoft.com/pkggen/imagegen/attendedinstaller/primitives/enumfield" "microsoft.com/pkggen/imagegen/attendedinstaller/primitives/navigationbar" "microsoft.com/pkggen/imagegen/attendedinstaller/uitext" "microsoft.com/pkggen/imagegen/attendedinstaller/uiutils" 
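Review bot: In enumfield.go, `InputHandler` calls `n.onFinished(key)` without a nil check, so an `EnumField` used before `SetFinishedFunc` panics on Enter, Tab or the up/down keys, while `Focus` and `Blur` do guard their callbacks; `if n.onFinished != nil { n.onFinished(key) }` would match them. `GetText` and the left/right cases index `n.options` with no empty-slice guard, although `Draw` has one: after `NewEnumField(nil)` a left key leaves `selectedOption` at -1 and `GetText` panics, so it should return `""` when `len(n.options) == 0`. Two doc comments are stale copies: `NewEnumField` is described as returning "a new navigation bar", and the comment on `SetFieldBackgroundColor` names `SetNavBackgroundColor`.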
@@ -80,10 +81,10 @@ type ManualPartitionWidget struct { addPartitionForm *tview.Form formFlex *tview.Flex formNavBar *navigationbar.NavigationBar - formatInput *tview.InputField + formatInput *enumfield.EnumField mountPointInput *tview.InputField nameInput *tview.InputField - sizeUnitInput *tview.InputField + sizeUnitInput *enumfield.EnumField sizeInput *tview.InputField formSpaceLeftText *tview.TextView @@ -129,13 +130,34 @@ func (mp *ManualPartitionWidget) Initialize(backButtonText string, sysConfig *co mp.addPartitionForm = tview.NewForm(). SetButtonsAlign(tview.AlignCenter) + // Calculate longest label size to align enum input fields + diskSizeLabelFull := fmt.Sprintf("%s %s", uitext.FormDiskSizeLabel, uitext.FormDiskSizeLabelMaxHelp) + var maxLabelWidth int + labels := []string{ + uitext.FormDiskFormatLabel, + uitext.FormDiskSizeUnitLabel, + uitext.FormDiskNameLabel, + uitext.FormDiskMountPointLabel, + diskSizeLabelFull, + } + for _, label := range labels { + labelLen := len(label) + if labelLen > maxLabelWidth { + maxLabelWidth = labelLen + } + } + mp.formatInput = mp.enumInputBox(validPartitionFormats). SetLabel(uitext.FormDiskFormatLabel). - SetFieldBackgroundColor(tcell.ColorWhite) + SetLabelWidth(maxLabelWidth). + SetFieldBackgroundColor(tcell.ColorWhite). + SetBackgroundColorActivated(tcell.ColorPurple) mp.sizeUnitInput = mp.enumInputBox(validSizeUnits). SetLabel(uitext.FormDiskSizeUnitLabel). - SetFieldBackgroundColor(tcell.ColorWhite) + SetLabelWidth(maxLabelWidth). + SetFieldBackgroundColor(tcell.ColorWhite). + SetBackgroundColorActivated(tcell.ColorPurple) mp.nameInput = tview.NewInputField(). SetLabel(uitext.FormDiskNameLabel). 
@@ -149,7 +171,7 @@ func (mp *ManualPartitionWidget) Initialize(backButtonText string, sysConfig *co SetFieldBackgroundColor(tcell.ColorWhite) mp.sizeInput = tview.NewInputField(). - SetLabel(fmt.Sprintf("%s %s", uitext.FormDiskSizeLabel, uitext.FormDiskSizeLabelMaxHelp)). + SetLabel(diskSizeLabelFull). SetAcceptanceFunc(mp.sizeInputValidation). SetFieldBackgroundColor(tcell.ColorWhite) @@ -660,38 +682,25 @@ func (mp *ManualPartitionWidget) onNextButton() { } } -// enumInputBox returns an input box that only allows values from elements to appear. -func (mp *ManualPartitionWidget) enumInputBox(elements []string) *tview.InputField { - field := tview.NewInputField() - index := 0 - // Initialize text with the first element - field.SetText(elements[index]) - +// enumInputBox returns an input box that only allows values +// from elements to appear and produces helpful error message for +// every unhandled input +func (mp *ManualPartitionWidget) enumInputBox(elements []string) *enumfield.EnumField { + field := enumfield.NewEnumField(elements) + // Add helpful message when user presses any key we do not process field.SetInputCapture(func(event *tcell.EventKey) *tcell.EventKey { key := event.Key() - // Override movement left/right. Leave navigation keys intact. Consume all other input. switch key { - case tcell.KeyLeft: - if index == 0 { - index = len(elements) - } - index-- - case tcell.KeyRight: - index++ - if index == len(elements) { - index = 0 - } case tcell.KeyEnter, tcell.KeyEscape, tcell.KeyDown, tcell.KeyTab, - tcell.KeyUp, tcell.KeyBacktab: + tcell.KeyUp, tcell.KeyBacktab, + tcell.KeyLeft, tcell.KeyRight: // Navigation keys - pass return event default: mp.formNavBar.SetUserFeedback(uitext.EnumNavigationFeedback, tview.Styles.TertiaryTextColor) return nil } - field.SetText(elements[index]) - return nil }) return field } 
diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index 1a828c685a..463631b00c 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -286,7 +286,9 @@ func umount(path string) (err error) { } // PackageNamesFromSingleSystemConfig goes through the packageslist field in the systemconfig and extracts the list of packages -// from each of the packagelists +// from each of the packagelists. +// NOTE: the package list contains the versions restrictions for the packages, if present, in the form "[package][condition][version]". +// Example: gcc=9.1.0 // - systemConfig is the systemconfig field from the config file // Since kernel is not part of the packagelist, it is added separately from KernelOptions. func PackageNamesFromSingleSystemConfig(systemConfig configuration.SystemConfig) (finalPkgList []string, err error) { @@ -354,9 +356,15 @@ func PackageNamesFromConfig(config configuration.Config) (packageList []*pkgjson packages := make([]*pkgjson.PackageVer, 0, len(packagesToInstall)) for _, pkg := range packagesToInstall { - packages = append(packages, &pkgjson.PackageVer{ - Name: pkg, - }) + var packageVer *pkgjson.PackageVer + + packageVer, err = pkgjson.PackagesListEntryToPackageVer(pkg) + if err != nil { + logger.Log.Errorf("Failed to parse packages list from system config \"%s\".", systemCfg.Name) + return + } + + packages = append(packages, packageVer) } packageList = append(packageList, packages...) @@ -696,7 +704,7 @@ func addMachineID(installChroot *safechroot.Chroot) (err error) { const ( machineIDFile = "/etc/machine-id" - machineIDFilePerms = 0644 + machineIDFilePerms = 0444 ) ReportAction("Configuring machine id") 
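Review bot: In the `PackageNamesFromConfig` hunk the parse failure is logged without the underlying error and then returned as well, so the log line and the caller's report each carry half of the message. Either drop the log or include the cause, e.g. `logger.Log.Errorf("Failed to parse packages list from system config \"%s\": %v", systemCfg.Name, err)`. The bare `return` also appears to hand back whatever `packageList` was accumulated from earlier system configs together with the error; the function starts outside this hunk, so that is inferred from the named results.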
@@ -1317,9 +1325,37 @@ func configureUserStartupCommand(installChroot *safechroot.Chroot, user configur } func provisionUserSSHCerts(installChroot *safechroot.Chroot, user configuration.User, homeDir string) (err error) { + var ( + pubKeyData []string + exists bool + ) const squashErrors = false + const authorizedKeysTempFilePerms = 0644 + const authorizedKeysTempFile = "/tmp/authorized_keys" userSSHKeyDir := filepath.Join(homeDir, ".ssh") + authorizedKeysFile := filepath.Join(homeDir, ".ssh/authorized_keys") + + exists, err = file.PathExists(authorizedKeysTempFile) + if err != nil { + logger.Log.Warnf("Error accessing %s file : %v", authorizedKeysTempFile, err) + return + } + if !exists { + logger.Log.Debugf("File %s does not exist. Creating file...", authorizedKeysTempFile) + err = file.Create(authorizedKeysTempFile, authorizedKeysTempFilePerms) + if err != nil { + logger.Log.Warnf("Failed to create %s file : %v", authorizedKeysTempFile, err) + return + } + } else { + err = os.Truncate(authorizedKeysTempFile, 0) + if err != nil { + logger.Log.Warnf("Failed to truncate %s file : %v", authorizedKeysTempFile, err) + return + } + } + defer os.Remove(authorizedKeysTempFile) for _, pubKey := range user.SSHPubKeyPaths { logger.Log.Infof("Adding ssh key (%s) to user (%s)", filepath.Base(pubKey), user.Name) 
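Review bot: The staging file is the fixed path `/tmp/authorized_keys` with mode 0644, and an existing file at that path is truncated and reused rather than rejected. Because the name is predictable and the directory is world-writable, a file or symlink placed there by another local account would be reused, which could change which keys are provisioned into the image or truncate an unrelated file, and two image builds running at once would share it. Create the file with `os.CreateTemp` (`ioutil.TempFile` on older Go), which picks an unpredictable name and opens it exclusively with mode 0600, and drop the two `authorizedKeysTempFile*` constants and the exists/create/truncate branch; the append loop in the next hunk (`@@ -1334,6 +1370,33 @@`) then writes to that name, and its log message should say `authorized_keys` rather than `authorized_users`. The function body continues outside this hunk.

```go
userSSHKeyDir := filepath.Join(homeDir, ".ssh")
authorizedKeysFile := filepath.Join(homeDir, ".ssh/authorized_keys")

// Unpredictable name, opened exclusively with mode 0600: an existing file or symlink is never reused.
tmpFile, err := os.CreateTemp("", "authorized_keys-*")
if err != nil {
	logger.Log.Warnf("Failed to create temporary authorized_keys file : %v", err)
	return
}
authorizedKeysTempFile := tmpFile.Name()
tmpFile.Close()
defer os.Remove(authorizedKeysTempFile)

// … unchanged: loop over user.SSHPubKeyPaths appending each key to authorizedKeysTempFile …
```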
@@ -1334,6 +1370,33 @@ func provisionUserSSHCerts(installChroot *safechroot.Chroot, user configuration. if err != nil { return } + + logger.Log.Infof("Adding ssh key (%s) to user (%s) .ssh/authorized_users", filepath.Base(pubKey), user.Name) + pubKeyData, err = file.ReadLines(pubKey) + if err != nil { + logger.Log.Warnf("Failed to read from SSHPubKey : %v", err) + return + } + + // Append to the tmp/authorized_users file + for _, sshkey := range pubKeyData { + sshkey += "\n" + err = file.Append(sshkey, authorizedKeysTempFile) + if err != nil { + logger.Log.Warnf("Failed to append to %s : %v", authorizedKeysTempFile, err) + return + } + } + } + + fileToCopy := safechroot.FileToCopy{ + Src: authorizedKeysTempFile, + Dest: authorizedKeysFile, + } + + err = installChroot.AddFiles(fileToCopy) + if err != nil { + return } if len(user.SSHPubKeyPaths) != 0 { diff --git a/toolkit/tools/internal/pkgjson/pkgjson.go b/toolkit/tools/internal/pkgjson/pkgjson.go index 91eb6cd7a9..8bbd1def33 100644 --- a/toolkit/tools/internal/pkgjson/pkgjson.go +++ b/toolkit/tools/internal/pkgjson/pkgjson.go @@ -5,6 +5,7 @@ package pkgjson import ( "fmt" + "regexp" "strings" "microsoft.com/pkggen/internal/versioncompare" 
@@ -13,14 +14,28 @@ import ( "microsoft.com/pkggen/internal/logger" ) -var knownConditions = map[string]bool{ - "": true, - "=": true, - "<": true, - "<=": true, - ">": true, - ">=": true, -} +const ( + packageWithVersionNameIndex = 1 + packageWithVersionConditionIndex = 2 + packageWithVersionVersionIndex = 3 + packageWithVersionExpectedMatches = 4 +) + +var ( + knownConditions = map[string]bool{ + "": true, + "=": true, + "<": true, + "<=": true, + ">": true, + ">=": true, + } + // Regular expression to correctly split a string with the package name and an optional version constraint. + // Examples: + // gcc -> "gcc" "" "" + // gcc=9.1.0 -> "gcc" "=" "1.9.0" + packageWithVersionRegex = regexp.MustCompile(`^\s*([^><=\s]+)\s*(?:((?:[<>]=)|(?:[<>=]))\s*([^<>=\s]+))?\s*$`) +) // PackageRepo contains an array of SRPMs and relational dependencies type PackageRepo struct { @@ -44,10 +59,6 @@ type PackageVerInterval struct { UpperInclusive bool // Does the upper bound actually include the indicated version (< vs <=) } -func (pkgVer *PackageVer) String() string { - return fmt.Sprintf("%s:C:'%s'V:'%s',C2:'%s'V2:'%s'", pkgVer.Name, pkgVer.Condition, pkgVer.Version, pkgVer.SCondition, pkgVer.SVersion) -} - // Package is a representation of a package with name and version information type Package struct { Provides *PackageVer `json:"Provides"` // Version information and name of package 
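Review bot: The example in the comment above `packageWithVersionRegex` is wrong: `gcc=9.1.0` is shown as splitting into `"gcc" "=" "1.9.0"`, but the third group would be `9.1.0`, so the line should read `// gcc=9.1.0 -> "gcc" "=" "9.1.0"`. The name and version groups are written as deny-lists (`[^><=\s]+`), so every other character, including `/`, `;` and quotes, is accepted in a package name. If these values later reach a command line or a file path (not visible in this hunk), an allow-list of the characters RPM names and versions actually use would be the safer pattern.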
@@ -233,6 +244,30 @@ func (pkgVer *PackageVer) validatedIntervals() error { return nil } +// String prints the contents of the given PackageVer struct. +func (pkgVer *PackageVer) String() string { + return fmt.Sprintf("%s:C:'%s'V:'%s',C2:'%s'V2:'%s'", pkgVer.Name, pkgVer.Condition, pkgVer.Version, pkgVer.SCondition, pkgVer.SVersion) +} + +// PackagesListEntryToPackageVer converts an entry from the packages list JSON into an instance of PackageVer. +// The entries may contain only the name of the package or also include a single package version constraint. +// Examples: +// - "gcc" +// - "gcc=9.1.0" +func PackagesListEntryToPackageVer(packageString string) (pkgVer *PackageVer, err error) { + matches := packageWithVersionRegex.FindStringSubmatch(packageString) + if len(matches) != packageWithVersionExpectedMatches { + err = fmt.Errorf("packages list entry \"%s\" does not match the '[name][optional_condition][optional_version]' format", packageString) + return + } + + return &PackageVer{ + Name: matches[packageWithVersionNameIndex], + Condition: matches[packageWithVersionConditionIndex], + Version: matches[packageWithVersionVersionIndex], + }, err +} + // String outputs an interval in interval notation func (interval *PackageVerInterval) String() (s string) { var ( diff --git a/toolkit/tools/internal/pkgjson/pkgjson_test.go b/toolkit/tools/internal/pkgjson/pkgjson_test.go index f3cc15b743..0d11997b7b 100644 --- a/toolkit/tools/internal/pkgjson/pkgjson_test.go +++ b/toolkit/tools/internal/pkgjson/pkgjson_test.go 
@@ -745,12 +745,100 @@ func TestShouldFailIntervalCreationUnkownFirstCondition(t *testing.T) { assert.Error(t, err) } +func TestShouldCorrectlyConvertPackageNameWithoutVersionConstraints(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, "", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithEqualsVersionConstraint(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel=9.1.0") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, "=", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithGreaterEqualsVersionConstraint(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel>=9.1.0") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, ">=", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithGreaterVersionConstraint(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel>9.1.0") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, ">", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithLesserEqualsVersionConstraint(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel<=9.1.0") + + assert.NoError(t, err) + assert.Equal(t, 
"gcc-devel", packageVer.Name) + assert.Equal(t, "<=", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithLesserVersionConstraint(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer("gcc-devel<9.1.0") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, "<", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldCorrectlyConvertPackageNameWithAllowedWhitespaces(t *testing.T) { + packageVer, err := PackagesListEntryToPackageVer(" gcc-devel\t\t< 9.1.0 ") + + assert.NoError(t, err) + assert.Equal(t, "gcc-devel", packageVer.Name) + assert.Equal(t, "<", packageVer.Condition) + assert.Equal(t, "", packageVer.SCondition) + assert.Equal(t, "", packageVer.SVersion) + assert.Equal(t, "9.1.0", packageVer.Version) +} + +func TestShouldFailToConvertPackageListEntryStartingWithInvalidCharacter(t *testing.T) { + _, err := PackagesListEntryToPackageVer("=gcc-devel") + + assert.Error(t, err) +} + func TestShouldFailIntervalCreationUnkownSecondCondition(t *testing.T) { packageVersion := &PackageVer{Version: "1", Condition: ">", SVersion: "2", SCondition: "?"} _, err := packageVersion.Interval() assert.Error(t, err) } +func TestShouldFailToConvertPackageListEntryWithIncompleteComparison(t *testing.T) { + _, err := PackagesListEntryToPackageVer("gcc-devel=") + + assert.Error(t, err) +} func TestShouldFailIntervalCreationFirstConditionWithoutVersion(t *testing.T) { packageVersion := &PackageVer{Version: "", Condition: ">", SVersion: "2", SCondition: ">"} 
@@ -758,6 +846,11 @@ func TestShouldFailIntervalCreationFirstConditionWithoutVersion(t *testing.T) { assert.Error(t, err) } +func TestShouldFailToConvertPackageListEntryWithInvalidComparison(t *testing.T) { + _, err := PackagesListEntryToPackageVer("gcc-devel=>9.1.0") + + assert.Error(t, err) +} func TestShouldFailIntervalCreationSecondConditionWithoutVersion(t *testing.T) { packageVersion := &PackageVer{Version: "1", Condition: ">", SVersion: "", SCondition: ">"} @@ -765,6 +858,11 @@ func TestShouldFailIntervalCreationSecondConditionWithoutVersion(t *testing.T) { assert.Error(t, err) } +func TestShouldFailToConvertPackageListEntryWithWhitespacesInComparison(t *testing.T) { + _, err := PackagesListEntryToPackageVer("gcc-devel< =9.1.0") + + assert.Error(t, err) +} func TestShouldFailIntervalCreationFirstConditionEmptySecondConditionWithoutVersion(t *testing.T) { packageVersion := &PackageVer{Version: "", Condition: "", SVersion: "", SCondition: ">"} @@ -772,6 +870,11 @@ func TestShouldFailIntervalCreationFirstConditionEmptySecondConditionWithoutVers assert.Error(t, err) } +func TestShouldFailToConvertPackageListEntryWithWhitespacesInName(t *testing.T) { + _, err := PackagesListEntryToPackageVer("gcc devel") + + assert.Error(t, err) +} func TestShouldFailIntervalCreationFirstConditionWithoutVersionSecondConditionEmpty(t *testing.T) { packageVersion := &PackageVer{Version: "", Condition: ">", SVersion: "", SCondition: ""} @@ -779,3 +882,8 @@ func TestShouldFailIntervalCreationFirstConditionWithoutVersionSecondConditionEm assert.Error(t, err) } +func TestShouldFailToConvertPackageListEntryWithWhitespacesInVersion(t *testing.T) { + _, err := PackagesListEntryToPackageVer("gcc-devel<9 1.0") + + assert.Error(t, err) +} diff --git a/toolkit/tools/pkgworker/pkgworker.go b/toolkit/tools/pkgworker/pkgworker.go index 006fe275fc..c6016e697a 100644 --- a/toolkit/tools/pkgworker/pkgworker.go +++ b/toolkit/tools/pkgworker/pkgworker.go 
@@ -11,6 +11,7 @@ import ( "path/filepath" "regexp" "strings" + "time" "gopkg.in/alecthomas/kingpin.v2" "microsoft.com/pkggen/internal/exe" @@ -102,6 +103,8 @@ func copySRPMToOutput(srpmFilePath, srpmOutputDirPath string) (err error) { func buildSRPMInChroot(chrootDir, rpmDirPath, workerTar, srpmFile, repoFile, rpmmacrosFile string, defines map[string]string, noCleanup, runCheck bool, packagesToInstall []string) (builtRPMs []string, err error) { const ( + buildHeartbeatTimeout = 30 * time.Minute + existingChrootDir = false squashErrors = false @@ -111,7 +114,26 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, workerTar, srpmFile, repoFile, rpm ) srpmBaseName := filepath.Base(srpmFile) - logger.Log.Infof("Building (%s)", srpmBaseName) + + quit := make(chan bool) + go func() { + logger.Log.Infof("Building (%s).", srpmBaseName) + + for { + select { + case <-quit: + if err == nil { + logger.Log.Infof("Built (%s) -> %v.", srpmBaseName, builtRPMs) + } + return + case <-time.After(buildHeartbeatTimeout): + logger.Log.Infof("Heartbeat: still building (%s).", srpmBaseName) + } + } + }() + defer func() { + quit <- true + }() // Create the chroot used to build the SRPM chroot := safechroot.NewChroot(chrootDir, existingChrootDir) @@ -136,18 +158,12 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, workerTar, srpmFile, repoFile, rpm err = chroot.Run(func() (err error) { return buildRPMFromSRPMInChroot(srpmFileInChroot, runCheck, defines, packagesToInstall) }) - if err != nil { return } rpmBuildOutputDir := filepath.Join(chroot.RootDir(), chrootRpmBuildRoot, rpmDirName) builtRPMs, err = moveBuiltRPMs(rpmBuildOutputDir, rpmDirPath) - if err != nil { - return - } - - logger.Log.Infof("Built (%s) -> %v", srpmBaseName, builtRPMs) return } diff --git a/toolkit/tools/srpmpacker/srpmpacker.go b/toolkit/tools/srpmpacker/srpmpacker.go index 0f0eb82450..932186ac4d 100644 --- a/toolkit/tools/srpmpacker/srpmpacker.go +++ b/toolkit/tools/srpmpacker/srpmpacker.go 
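Review bot: In hunk `@@ -111,7 +114,26 @@` the `Built (...) -> [...]` line is now written by the heartbeat goroutine after it receives from `quit`, so `buildSRPMInChroot` can return before the line is logged. If the process exits soon afterwards (the caller is not visible here) the line may be lost, and `print-build-summary` in toolkit.mk parses exactly that line. Logging the result in the deferred function and letting the goroutine only stop keeps the ordering deterministic; a `time.NewTicker` also avoids allocating a fresh 30-minute timer on every loop pass. The function starts before and continues after this hunk.

```go
srpmBaseName := filepath.Base(srpmFile)
logger.Log.Infof("Building (%s).", srpmBaseName)

quit := make(chan struct{})
go func() {
	ticker := time.NewTicker(buildHeartbeatTimeout)
	defer ticker.Stop()
	for {
		select {
		case <-quit:
			return
		case <-ticker.C:
			logger.Log.Infof("Heartbeat: still building (%s).", srpmBaseName)
		}
	}
}()
defer func() {
	close(quit)
	// Logged by the returning goroutine, so the line is written before the caller continues.
	if err == nil {
		logger.Log.Infof("Built (%s) -> %v.", srpmBaseName, builtRPMs)
	}
}()
// … unchanged: chroot creation and build …
```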
@@ -181,7 +181,26 @@ func main() { logger.PanicOnError(err) } +// removeDuplicateStrings will remove duplicate entries from a string slice +func removeDuplicateStrings(packList []string) (deduplicatedPackList []string) { + var ( + packListSet = make(map[string]struct{}) + exists = struct{}{} + ) + + for _, entry := range packList { + packListSet[entry] = exists + } + + for entry := range packListSet { + deduplicatedPackList = append(deduplicatedPackList, entry) + } + + return +} + // parsePackListFile will parse a list of packages to pack if one is specified. +// Duplicate list entries in the file will be removed. func parsePackListFile(packListFile string) (packList []string, err error) { if packListFile == "" { return @@ -205,6 +224,8 @@ func parsePackListFile(packListFile string) (packList []string, err error) { err = fmt.Errorf("cannot have empty pack list (%s)", packListFile) } + packList = removeDuplicateStrings(packList) + return }
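Review bot: `removeDuplicateStrings` rebuilds the list by ranging over a map, so the order of `packList` differs from run to run and no longer follows the pack list file. An order-preserving de-duplication costs the same and keeps the packing order and logs reproducible between builds. The helper is also called after the empty-list error has been set; returning early in that branch of `parsePackListFile` would avoid handing back a list together with an error.

```go
func removeDuplicateStrings(packList []string) (deduplicatedPackList []string) {
	seen := make(map[string]struct{}, len(packList))
	for _, entry := range packList {
		if _, found := seen[entry]; found {
			continue
		}
		seen[entry] = struct{}{}
		// First occurrence wins, so the file's order is kept.
		deduplicatedPackList = append(deduplicatedPackList, entry)
	}
	return
}
```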