committing changes in /etc after apt run

Package changes: -ansible 2.1.1.0-1~bpo8+1 -apt 1.0.9.8.3 +ansible 2.2.1.0-1~bpo8+1 +apt 1.0.9.8.4 -apt-transport-https 1.0.9.8.3 -apt-utils 1.0.9.8.3 +apt-transport-https 1.0.9.8.4 +apt-utils 1.0.9.8.4 -base-files 8+deb8u6 +base-files 8+deb8u7 -bash 4.3-11+b1 +bash 4.3-11+deb8u1 -bind9-host 1:9.9.5.dfsg-9+deb8u7 +bind9-host 1:9.9.5.dfsg-9+deb8u10 -ca-certificates 20141019+deb8u1 +ca-certificates 20141019+deb8u2 -curl 7.38.0-4+deb8u4 +curl 7.38.0-4+deb8u5 -dbus 1.8.20-0+deb8u1 -dbus-x11 1.8.20-0+deb8u1 +dbus 1.8.22-0+deb8u1 +dbus-x11 1.8.22-0+deb8u1 -dnsutils 1:9.9.5.dfsg-9+deb8u7 +dnsutils 1:9.9.5.dfsg-9+deb8u10 -e2fslibs 1.42.12-2 -e2fsprogs 1.42.12-2 -eject 2.1.5+deb1+cvs20081104-13.1 +e2fslibs 1.42.12-2+b1 +e2fsprogs 1.42.12-2+b1 +eject 2.1.5+deb1+cvs20081104-13.1+deb8u1 -file 1:5.22+15-2+deb8u2 +file 1:5.22+15-2+deb8u3 -firejail 0.9.42-1 +firejail 0.9.44.8-1 -gstreamer0.10-gconf 0.10.31-3+nmu4+b1 +gstreamer0.10-gconf 0.10.31-3+nmu4+deb8u2 -gstreamer0.10-plugins-good 0.10.31-3+nmu4+b1 +gstreamer0.10-plugins-good 0.10.31-3+nmu4+deb8u2 -imagemagick 8:6.8.9.9-5+deb8u5 -imagemagick-6.q16 8:6.8.9.9-5+deb8u5 -imagemagick-common 8:6.8.9.9-5+deb8u5 +imagemagick 8:6.8.9.9-5+deb8u8 +imagemagick-6.q16 8:6.8.9.9-5+deb8u8 +imagemagick-common 8:6.8.9.9-5+deb8u8 -irssi 0.8.17-1+deb8u1 +irssi 0.8.17-1+deb8u3 -jq 1.4-2.1 +jq 1.4-2.1+deb8u1 -libapt-inst1.5 1.0.9.8.3 +libapt-inst1.5 1.0.9.8.4 -libapt-pkg4.12 1.0.9.8.3 +libapt-pkg4.12 1.0.9.8.4 -libassuan0 2.4.3-1 +libassuan0 2.4.3-2 -libbind9-90 1:9.9.5.dfsg-9+deb8u7 +libbind9-90 1:9.9.5.dfsg-9+deb8u10 -libc-bin 2.19-18+deb8u6 -libc-dev-bin 2.19-18+deb8u6 -libc6 2.19-18+deb8u6 -libc6-dev 2.19-18+deb8u6 +libc-bin 2.19-18+deb8u7 +libc-dev-bin 2.19-18+deb8u7 +libc6 2.19-18+deb8u7 +libc6-dev 2.19-18+deb8u7 -libcairo-gobject2 1.14.0-2.1+deb8u1 -libcairo2 1.14.0-2.1+deb8u1 +libcairo-gobject2 1.14.0-2.1+deb8u2 +libcairo2 1.14.0-2.1+deb8u2 -libcomerr2 1.42.12-2 +libcomerr2 1.42.12-2+b1 -libcurl3 7.38.0-4+deb8u4 -libcurl3-gnutls 7.38.0-4+deb8u4 +libcurl3 7.38.0-4+deb8u5 +libcurl3-gnutls 7.38.0-4+deb8u5 -libdbus-1-3 1.8.20-0+deb8u1 +libdbus-1-3 1.8.22-0+deb8u1 -libdns-export100 1:9.9.5.dfsg-9+deb8u7 -libdns100 1:9.9.5.dfsg-9+deb8u7 +libdns-export100 1:9.9.5.dfsg-9+deb8u10 +libdns100 1:9.9.5.dfsg-9+deb8u10 -libevent-2.0-5 2.0.21-stable-2 -libevent-core-2.0-5 2.0.21-stable-2 -libevent-extra-2.0-5 2.0.21-stable-2 -libevent-openssl-2.0-5 2.0.21-stable-2 -libevent-pthreads-2.0-5 2.0.21-stable-2 +libevent-2.0-5 2.0.21-stable-2+deb8u1 +libevent-core-2.0-5 2.0.21-stable-2+deb8u1 +libevent-extra-2.0-5 2.0.21-stable-2+deb8u1 +libevent-openssl-2.0-5 2.0.21-stable-2+deb8u1 +libevent-pthreads-2.0-5 2.0.21-stable-2+deb8u1 -libgcrypt20 1.7.3-2 -libgd3 2.1.0-5+deb8u7 +libgcrypt20 1.7.6-1 +libgd3 2.1.0-5+deb8u9 -libgme0 0.5.5-2 +libgme0 0.5.5-2+deb8u1 -libgnutls-deb0-28 3.3.8-6+deb8u3 -libgnutls-openssl27 3.3.8-6+deb8u3 +libgnutls-deb0-28 3.3.8-6+deb8u4 +libgnutls-openssl27 3.3.8-6+deb8u4 -libgpg-error0 1.24-1 +libgpg-error0 1.26-2 -libgstreamer-plugins-bad0.10-0 0.10.23-7.4 +libgstreamer-plugins-bad0.10-0 0.10.23-7.4+deb8u2 -libgudev-1.0-0 215-17+deb8u5 +libgudev-1.0-0 215-17+deb8u6 -libhogweed2 2.7.1-5+deb8u1 +libhogweed2 2.7.1-5+deb8u2 -libicu52 52.1-8+deb8u3 +libicu52 52.1-8+deb8u5 -libio-socket-ssl-perl 2.002-2+deb8u1 +libio-socket-ssl-perl 2.002-2+deb8u2 -libirs-export91 1:9.9.5.dfsg-9+deb8u7 -libisc-export95 1:9.9.5.dfsg-9+deb8u7 -libisc95 1:9.9.5.dfsg-9+deb8u7 -libisccc90 1:9.9.5.dfsg-9+deb8u7 -libisccfg-export90 1:9.9.5.dfsg-9+deb8u7 -libisccfg90 1:9.9.5.dfsg-9+deb8u7 +libirs-export91 1:9.9.5.dfsg-9+deb8u10 +libisc-export95 1:9.9.5.dfsg-9+deb8u10 +libisc95 1:9.9.5.dfsg-9+deb8u10 +libisccc90 1:9.9.5.dfsg-9+deb8u10 +libisccfg-export90 1:9.9.5.dfsg-9+deb8u10 +libisccfg90 1:9.9.5.dfsg-9+deb8u10 -libjasper1 1.900.1-debian1-2.4+deb8u1 +libjasper1 1.900.1-debian1-2.4+deb8u3 -libjbig2dec0 0.11+20120125-1 +libjbig2dec0 0.13-4~deb8u1 -liblcms2-2 2.6-3+b3 +liblcms2-2 2.6-3+deb8u1 -liblwres90 1:9.9.5.dfsg-9+deb8u7 +liblwres90 1:9.9.5.dfsg-9+deb8u10 -libmagic1 1:5.22+15-2+deb8u2 -libmagickcore-6.q16-2 8:6.8.9.9-5+deb8u5 -libmagickwand-6.q16-2 8:6.8.9.9-5+deb8u5 +libmagic1 1:5.22+15-2+deb8u3 +libmagickcore-6.q16-2 8:6.8.9.9-5+deb8u8 +libmagickwand-6.q16-2 8:6.8.9.9-5+deb8u8 -libnettle4 2.7.1-5+deb8u1 +libnettle4 2.7.1-5+deb8u2 -libnpth0 1.2-3 +libnpth0 1.3-1 -libnss-ldapd 0.9.4-3+deb8u1 +libnss-ldapd 0.9.4-3+deb8u2 -libpam-ldapd 0.9.4-3+deb8u1 -libpam-modules 1.1.8-3.1+deb8u1+b1 -libpam-modules-bin 1.1.8-3.1+deb8u1+b1 +libpam-ldapd 0.9.4-3+deb8u2 +libpam-modules 1.1.8-3.1+deb8u2 +libpam-modules-bin 1.1.8-3.1+deb8u2 -libpam-runtime 1.1.8-3.1+deb8u1 +libpam-runtime 1.1.8-3.1+deb8u2 -libpam-systemd 215-17+deb8u5 -libpam0g 1.1.8-3.1+deb8u1+b1 +libpam-systemd 215-17+deb8u6 +libpam0g 1.1.8-3.1+deb8u2 -libpcsclite1 1.8.13-1 +libpcsclite1 1.8.13-1+deb8u1 -libpng12-0 1.2.50-2+deb8u2 +libpng12-0 1.2.50-2+deb8u3 -librados2 0.80.7-2+deb8u1 +librados2 0.80.7-2+deb8u2 -librbd1 0.80.7-2+deb8u1 +librbd1 0.80.7-2+deb8u2 -libspice-server1 0.12.5-1+deb8u3 +libspice-server1 0.12.5-1+deb8u4 -libss2 1.42.12-2 +libss2 1.42.12-2+b1 -libssl-dev 1.0.1t-1+deb8u5 -libssl-doc 1.0.1t-1+deb8u5 -libssl1.0.0 1.0.1t-1+deb8u5 +libssl-dev 1.0.1t-1+deb8u6 +libssl-doc 1.0.1t-1+deb8u6 +libssl1.0.0 1.0.1t-1+deb8u6 -libsystemd0 215-17+deb8u5 +libsystemd0 215-17+deb8u6 -libtevent0 0.9.25-0+deb8u1 +libtevent0 0.9.28-0+deb8u1 -libtiff5 4.0.3-12.3+deb8u1 +libtiff5 4.0.3-12.3+deb8u2 -libtre5 0.8.0-4 +libtre5 0.8.0-4+deb8u1 -libudev1 215-17+deb8u5 -libunbound2 1.5.9-1~bpo8+1 +libudev1 215-17+deb8u6 +libunbound2 1.6.0-2~bpo8+1 -libwbclient0 2:4.2.10+dfsg-0+deb8u3 +libwbclient0 2:4.2.14+dfsg-0+deb8u5 -libwmf0.2-7 0.2.8.4-10.3+deb8u1 +libwmf0.2-7 0.2.8.4-10.3+deb8u2 -libxen-4.4 4.4.1-9+deb8u7 -libxenstore3.0 4.4.1-9+deb8u7 +libxen-4.4 4.4.1-9+deb8u8 +libxenstore3.0 4.4.1-9+deb8u8 -libxml2 2.9.1+dfsg1-5+deb8u3 -libxml2-dev 2.9.1+dfsg1-5+deb8u3 +libxml2 2.9.1+dfsg1-5+deb8u4 +libxml2-dev 2.9.1+dfsg1-5+deb8u4 -libxpm4 1:3.5.11-1+b1 +libxpm4 1:3.5.12-0+deb8u1 -libxslt1-dev 1.1.28-2+deb8u1 -libxslt1.1 1.1.28-2+deb8u1 +libxslt1-dev 1.1.28-2+deb8u2 +libxslt1.1 1.1.28-2+deb8u2 -linux-image-3.16.0-4-amd64 3.16.36-1+deb8u2 +linux-image-3.16.0-4-amd64 3.16.39-1+deb8u2 -linux-libc-dev 3.16.36-1+deb8u2 +linux-libc-dev 3.16.39-1+deb8u2 -locales 2.19-18+deb8u6 -locales-all 2.19-18+deb8u6 +locales 2.19-18+deb8u7 +locales-all 2.19-18+deb8u7 -login 1:4.2-3+deb8u1 +login 1:4.2-3+deb8u3 -mat 0.5.2-3 +mat 0.5.2-3+deb8u1 -multiarch-support 2.19-18+deb8u6 +multiarch-support 2.19-18+deb8u7 -nscd 2.19-18+deb8u6 -nslcd 0.9.4-3+deb8u1 -nslcd-utils 0.9.4-3+deb8u1 +nscd 2.19-18+deb8u7 +nslcd 0.9.4-3+deb8u2 +nslcd-utils 0.9.4-3+deb8u2 -openntpd 20080406p-10 +openntpd 1:6.0p1-2~bpo80+1 -openssl 1.0.1t-1+deb8u5 +openssl 1.0.1t-1+deb8u6 -passwd 1:4.2-3+deb8u1 +passwd 1:4.2-3+deb8u3 -pidgin-data 2.11.0-0+deb8u1 +pidgin-data 2.11.0-0+deb8u2 -python-crypto 2.6.1-5+b2 +python-crypto 2.6.1-5+deb8u1 -python3-bottle 0.12.7-1 +python3-bottle 0.12.7-1+deb8u2 -python3-crypto 2.6.1-5+b2 +python3-crypto 2.6.1-5+deb8u1 -ruby2.1 2.1.5-2+deb8u2 +ruby2.1 2.1.5-2+deb8u3 -samba-libs 2:4.2.10+dfsg-0+deb8u3 +samba-libs 2:4.2.14+dfsg-0+deb8u5 -sed 4.2.2-4+b1 +sed 4.2.2-4+deb8u1 -systemd 215-17+deb8u5 -systemd-sysv 215-17+deb8u5 +systemd 215-17+deb8u6 +systemd-sysv 215-17+deb8u6 -tar 1.27.1-2+b1 +tar 1.27.1-2+deb8u1 -tor 0.2.8.9-1~d80.jessie+1 +tor 0.2.9.10-1~d80.jessie+1 -tzdata 2016f-0+deb8u1 -tzdata-java 2016f-0+deb8u1 +tzdata 2016j-0+deb8u1 +tzdata-java 2016j-0+deb8u1 -udev 215-17+deb8u5 +udev 215-17+deb8u6 -unbound 1.5.9-1~bpo8+1 -unbound-anchor 1.5.9-1~bpo8+1 +unbound 1.6.0-2~bpo8+1 +unbound-anchor 1.6.0-2~bpo8+1 -vim-common 2:7.4.488-7 -vim-nox 2:7.4.488-7 -vim-runtime 2:7.4.488-7 -vim-tiny 2:7.4.488-7 +vim-common 2:7.4.488-7+deb8u2 +vim-nox 2:7.4.488-7+deb8u2 +vim-runtime 2:7.4.488-7+deb8u2 +vim-tiny 2:7.4.488-7+deb8u2 -w3m 0.5.3-19 +w3m 0.5.3-19+deb8u1 -weechat 1.6-1 -weechat-core 1.6-1 -weechat-curses 1.6-1 -weechat-plugins 1.6-1 +weechat 1.7.1-1 +weechat-core 1.7.1-1 +weechat-curses 1.7.1-1 +weechat-plugins 1.7.1-1
hashbang · Apr 25, 2017 · a76ebb5 · a76ebb5
1 parent 9e27fbc
commit a76ebb5
Show file tree

Hide file tree

Showing 56 changed files with 389 additions and 556 deletions.
diff --git a/.etckeeper b/.etckeeper
@@ -63,8 +63,10 @@ maybe chmod 0755 'apparmor.d/force-complain'
 maybe chmod 0755 'apparmor.d/local'
 maybe chmod 0644 'apparmor.d/local/system_tor'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.sssd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.unbound'
 maybe chmod 0644 'apparmor.d/system_tor'
 maybe chmod 0644 'apparmor.d/usr.sbin.sssd'
+maybe chmod 0644 'apparmor.d/usr.sbin.unbound'
 maybe chmod 0755 'apt'
 maybe chmod 0755 'apt/apt.conf.d'
 maybe chmod 0644 'apt/apt.conf.d/00CDMountPoint'
@@ -311,8 +313,8 @@ maybe chmod 0644 'emacs/site-start.d/50python-docutils.el'
 maybe chmod 0644 'emacs/site-start.d/50silversearcher-ag-el.el'
 maybe chmod 0644 'emacs/site-start.el'
 maybe chmod 0644 'environment'
-maybe chmod 0755 'etckeeper'
 maybe chmod 0700 '.etckeeper'
+maybe chmod 0755 'etckeeper'
 maybe chmod 0755 'etckeeper/commit.d'
 maybe chmod 0755 'etckeeper/commit.d/10vcs-test'
 maybe chmod 0755 'etckeeper/commit.d/30bzr-add'

diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
@@ -13,8 +13,8 @@
 
 #inventory      = /etc/ansible/hosts
 #library        = /usr/share/my_modules/
-#remote_tmp     = $HOME/.ansible/tmp
-#local_tmp      = $HOME/.ansible/tmp
+#remote_tmp     = ~/.ansible/tmp
+#local_tmp      = ~/.ansible/tmp
 #forks          = 5
 #poll_interval  = 15
 #sudo_user      = root
@@ -23,7 +23,7 @@
 #transport      = smart
 #remote_port    = 22
 #module_lang    = C
-#module_set_locale = True
+#module_set_locale = False
 
 # plays will gather facts by default, which contain information about
 # the remote system.
@@ -45,6 +45,13 @@
 # A minimal set of facts is always gathered.
 #gather_subset = all
 
+# some hardware related facts are collected
+# with a maximum timeout of 10 seconds. This
+# option lets you increase or decrease that
+# timeout to something more suitable for the
+# environment. 
+# gather_timeout = 10
+
 # additional paths to search for roles in, colon separated
 #roles_path    = /etc/ansible/roles
 
@@ -63,6 +70,9 @@
 #task_includes_static = True
 #handler_includes_static = True
 
+# Controls if a missing handler for a notification event is an error or a warning
+#error_on_missing_handler = True
+
 # change this for alternative sudo implementations
 #sudo_exe = sudo
 
@@ -114,8 +124,9 @@
 # templates indicates to users editing templates files will be replaced.
 # replacing {file}, {host} and {uid} and strftime codes with proper values.
 #ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
-# This short version is better used in templates as it won't flag the file as changed every run.
-#ansible_managed = Ansible managed: {file} on {host}
+# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
+# in some situations so the default is a static string:
+#ansible_managed = Ansible managed
 
 # by default, ansible-playbook will display "Skipping [host]" if it determines a task
 # should not be run on a host.  Set this to "False" if you don't want to see these "Skipping"
@@ -160,9 +171,11 @@
 
 # set plugin path directories here, separate with colons
 #action_plugins     = /usr/share/ansible/plugins/action
+#cache_plugins      = /usr/share/ansible/plugins/cache
 #callback_plugins   = /usr/share/ansible/plugins/callback
 #connection_plugins = /usr/share/ansible/plugins/connection
 #lookup_plugins     = /usr/share/ansible/plugins/lookup
+#inventory_plugins  = /usr/share/ansible/plugins/inventory
 #vars_plugins       = /usr/share/ansible/plugins/vars
 #filter_plugins     = /usr/share/ansible/plugins/filter
 #test_plugins       = /usr/share/ansible/plugins/test
@@ -217,7 +230,7 @@
 # when looping. Instead of calling the module once per with_ item, the
 # module is called once with all items at once. Currently this only works
 # under limited circumstances, and only with parameters named 'name'.
-#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper
+#squash_actions = apk,apt,dnf,homebrew,package,pacman,pkgng,yum,zypper
 
 # prevents logging of task data, off by default
 #no_log = False
@@ -273,8 +286,8 @@
 
 # ssh arguments to use
 # Leaving off ControlPersist will result in poor performance, so use
-# paramiko on older platforms rather than removing it
-#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+# paramiko on older platforms rather than removing it, -C controls compression use
+#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
 
 # The path to use for the ControlPath sockets. This defaults to
 # "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
@@ -297,9 +310,11 @@
 #
 #pipelining = False
 
-# if True, make ansible use scp if the connection type is ssh
-# (default is sftp)
-#scp_if_ssh = True
+# Control the mechanism for transfering files
+#   * smart = try sftp and then try scp [default]
+#   * True = use scp only
+#   * False = use sftp only
+#scp_if_ssh = smart
 
 # if False, sftp will not use batch mode to transfer files. This may cause some
 # types of file transfer failures impossible to catch however, and should

diff --git a/apparmor.d/local/usr.sbin.unbound b/apparmor.d/local/usr.sbin.unbound
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.unbound.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor.d/usr.sbin.unbound b/apparmor.d/usr.sbin.unbound
@@ -0,0 +1,45 @@
+# Author: Simon Deziel
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/sbin/unbound {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+
+  # needlessly chown'ing the PID
+  deny capability chown,
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+
+  # root trust anchor
+  owner /var/lib/unbound/root.key* rw,
+
+  # root hints from dns-data-root
+  /usr/share/dns/root.* r,
+
+  # non-chrooted paths
+  /etc/unbound/** r,
+  owner /etc/unbound/*.key* rw,
+  audit deny /etc/unbound/unbound_control.{key,pem} rw,
+  audit deny /etc/unbound/unbound_server.key w,
+
+  # chrooted paths
+  /var/lib/unbound/** r,
+  owner /var/lib/unbound/**/*.key* rw,
+  audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
+  audit deny /var/lib/unbound/**/unbound_server.key w,
+
+  /usr/sbin/unbound mr,
+
+  /{,var/}run/{unbound/,}unbound.pid rw,
+
+  # Unix control socket
+  /{,var/}run/unbound.ctl rw,
+
+  #include <local/usr.sbin.unbound>
+}
diff --git a/ca-certificates.conf b/ca-certificates.conf
@@ -32,7 +32,7 @@ mozilla/Buypass_Class_2_CA_1.crt
 mozilla/Buypass_Class_2_Root_CA.crt
 !mozilla/Buypass_Class_3_CA_1.crt
 mozilla/Buypass_Class_3_Root_CA.crt
-mozilla/CA_Disig.crt
+!mozilla/CA_Disig.crt
 mozilla/CA_Disig_Root_R1.crt
 mozilla/CA_Disig_Root_R2.crt
 mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
@@ -102,10 +102,10 @@ mozilla/Juur-SK.crt
 mozilla/Microsec_e-Szigno_Root_CA_2009.crt
 mozilla/Microsec_e-Szigno_Root_CA.crt
 mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
-mozilla/NetLock_Business_=Class_B=_Root.crt
-mozilla/NetLock_Express_=Class_C=_Root.crt
-mozilla/NetLock_Notary_=Class_A=_Root.crt
-mozilla/NetLock_Qualified_=Class_QA=_Root.crt
+!mozilla/NetLock_Business_=Class_B=_Root.crt
+!mozilla/NetLock_Express_=Class_C=_Root.crt
+!mozilla/NetLock_Notary_=Class_A=_Root.crt
+!mozilla/NetLock_Qualified_=Class_QA=_Root.crt
 mozilla/Network_Solutions_Certificate_Authority.crt
 mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
 mozilla/PSCProcert.crt
@@ -124,9 +124,9 @@ mozilla/Security_Communication_EV_RootCA1.crt
 mozilla/Security_Communication_RootCA2.crt
 mozilla/Security_Communication_Root_CA.crt
 !mozilla/SG_TRUST_SERVICES_RACINE.crt
-mozilla/Sonera_Class_1_Root_CA.crt
+!mozilla/Sonera_Class_1_Root_CA.crt
 mozilla/Sonera_Class_2_Root_CA.crt
-mozilla/Staat_der_Nederlanden_Root_CA.crt
+!mozilla/Staat_der_Nederlanden_Root_CA.crt
 mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
 mozilla/Starfield_Class_2_CA.crt
 mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
@@ -164,13 +164,13 @@ mozilla/TWCA_Root_Certification_Authority.crt
 mozilla/UTN_USERFirst_Email_Root_CA.crt
 mozilla/UTN_USERFirst_Hardware_Root_CA.crt
 mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
-mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
+!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
 mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
 mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
 mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
-mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
 mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
-mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
 mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
 mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
 mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
@@ -201,3 +201,13 @@ mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
 mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
 mozilla/USERTrust_ECC_Certification_Authority.crt
 mozilla/USERTrust_RSA_Certification_Authority.crt
+mozilla/Certplus_Root_CA_G1.crt
+mozilla/Certplus_Root_CA_G2.crt
+mozilla/Certum_Trusted_Network_CA_2.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
+mozilla/ISRG_Root_X1.crt
+mozilla/OpenTrust_Root_CA_G1.crt
+mozilla/OpenTrust_Root_CA_G2.crt
+mozilla/OpenTrust_Root_CA_G3.crt
+mozilla/SZAFIR_ROOT_CA2.crt
diff --git a/firejail/7z.profile b/firejail/7z.profile
@@ -1,14 +1,9 @@
 # 7zip crompression tool profile
 quiet
 ignore noroot
-
 include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
-
 tracelog
 net none
 shell none
 private-dev
 nosound
-no3d
diff --git a/firejail/cherrytree.profile b/firejail/cherrytree.profile
@@ -9,10 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 nosound
 seccomp
 protocol unix,inet,inet6,netlink
 tracelog
+
+
diff --git a/firejail/chromium.profile b/firejail/chromium.profile
@@ -18,11 +18,10 @@ whitelist ~/.cache/chromium
 mkdir ~/.pki
 whitelist ~/.pki
 
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 

diff --git a/firejail/claws-mail.profile b/firejail/claws-mail.profile
@@ -1,4 +1,5 @@
 # claws-mail profile
+
 noblacklist ~/.claws-mail
 noblacklist ~/.signature
 noblacklist ~/.gnupg

diff --git a/firejail/cpio.profile b/firejail/cpio.profile
@@ -16,7 +16,6 @@ shell none
 tracelog
 net none
 nosound
-no3d
 
-blacklist /tmp/.X11-unix
+