From: ssalley@likewise.com (Scott Salley) Date: Fri, 05 Mar 2010 18:05:47 -0800 Subject: [refpolicy] [PATCH 1/1] Likewise policy Message-ID: <4B91B87B.9010001@likewise.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Resubmitting Likewise policy with suggested changes. Signed-off-by: Scott Salley --- policy/modules/services/likewise.fc | 65 ++++++++ policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++ policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++ policy/modules/system/authlogin.if | 4 + 4 files changed, 586 insertions(+), 0 deletions(-) create mode 100644 policy/modules/services/likewise.fc create mode 100644 policy/modules/services/likewise.if create mode 100644 policy/modules/services/likewise.te diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc new file mode 100644 index 0000000..d065e58 --- /dev/null +++ b/policy/modules/services/likewise.fc 
@@ -0,0 +1,65 @@
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..9294528
--- /dev/null
+++ b/policy/modules/services/likewise.if
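Review bot: `/var/lib/likewise-open/krb5-affinity.conf` is labeled `netlogond_var_lib_t` while the .te in this patch declares `likewise_krb5_affinity_t` (and `likewise_pstore_lock_t`) that no .fc entry or rule ever uses; either label the affinity file with the dedicated type or drop the unused declarations. Several patterns leave the dot unescaped (`krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat`, `/var/run/lsassd.pid`, `likewise-krb5-ad.conf`) while neighbouring entries use `\.`, so they match more than intended; `/var/run/lsassd\.pid` is the consistent form. The spaced `, s0)` on a handful of entries is cosmetic but differs from the rest of the file. `lsasd\.err` may be a typo for the lsassd log file name — confirm against what the daemon actually writes.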
@@ -0,0 +1,231 @@
+## Likewise policy.
+
+########################################
+##
+## Execute daemon in the likewise domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_initrc_domtrans',`
+ gen_require(`
+ type likewise_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+')
+
+########################################
+##
+## Connect to dcerpcd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_dcerpcd',`
+ gen_require(`
+ type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+')
+
+########################################
+##
+## Connect to eventlogd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_eventlogd',`
+ gen_require(`
+ type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+')
+
+########################################
+##
+## Connect to lsassd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
+
+########################################
+##
+## Connect to lwiod.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lwiod',`
+ gen_require(`
+ type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+')
+
+########################################
+##
+## Connect to netlogond.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_netlogond',`
+ gen_require(`
+ type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+')
+
+########################################
+##
+## Connect to lwregd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lwregd',`
+ gen_require(`
+ type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+')
+
+########################################
+##
+## Manage /etc/likewise-open.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_manage_etc_files',`
+ gen_require(`
+ type likewise_etc_t;
+ ')
+
+ allow $1 likewise_etc_t:dir search_dir_perms;
+ manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
+')
+
+########################################
+##
+## Grant likewise daemons a common set of rules
+##
+##
+##
+## Domain of daemon process.
+##
+##
+##
+##
+## Type of daemon executable files.
+##
+##
+##
+##
+## Type of pid file created by daemon.
+##
+##
+##
+##
+## Type of daemon communication socket.
+##
+##
+##
+##
+## Files managed by the daemon.
+##
+##
+interface(`likewise_daemon',`
+ gen_require(`
+ type likewise_etc_t, likewise_var_lib_t;
+ ')
+
+ # Mark $1 as domain and $2 as an entrypoint into that domain.
+ init_daemon_domain($1, $2)
+
+ # Mark $3 as a pid file and allow it to be creat/read/write by $1
+ files_pid_file($3)
+ manage_files_pattern($1, $3, $3)
+ files_pid_filetrans($1, $3, file)
+
+ # Mark $4 as a socket for client access
+ files_type($4)
+ filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
+ manage_sock_files_pattern($1,likewise_var_lib_t,$4)
+ manage_files_pattern($1,$4,$4)
+
+ # Mark $5 as files, privately managed under /var/lib/likewise-open
+ files_type($5)
+ allow $1 likewise_var_lib_t:dir setattr;
+ allow $1 $5:file manage_file_perms;
+ allow $1 $5:dir manage_dir_perms;
+ allow $1 $5:sock_file manage_sock_file_perms;
+
+ filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
+
+ allow $1 self:process { signal_perms getsched setsched };
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ # Read /etc
+ files_read_etc_files($1)
+
+ # Permit use of syslog
+ logging_send_syslog_msg($1)
+
+ # Permit use of locale
+ miscfiles_read_localization($1)
+
+ # Permit use of dev random/urandom
+ dev_read_urand($1)
+ dev_read_rand($1)
+')
+
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..c4f2e19
--- /dev/null
+++ b/policy/modules/services/likewise.te
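Review bot: The six `likewise_stream_connect_*` interfaces call `files_search_pids($1)`, but the sockets they connect to live under `/var/lib/likewise-open` (labeled `likewise_var_lib_t` in the .fc), so the caller needs `files_search_var_lib($1)` to traverse to the socket directory and the pids search grants nothing useful; this applies to all six and, through the `auth_use_nsswitch` change in authlogin.if, to every domain that reaches lsassd that way. In `likewise_daemon`, `allow $1 self:tcp_socket create_stream_socket_perms;` and `allow $1 self:udp_socket create_socket_perms;` hand network sockets to every daemon, including `lwregd_t`, which has no network rules in the .te; moving those two lines to the individual daemon blocks that bind or connect keeps the shared interface at least privilege. `manage_files_pattern($1,$4,$4)` on the socket type is presumably a leftover, since `$4` only ever labels sock_files in this patch. The `likewise_daemon` header also lacks the `#` line that closes the doc block on every other interface before `interface(`.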
@@ -0,0 +1,286 @@
+
+policy_module(likewise, 1.0.0)
+
+#################################
+#
+# Declarations
+#
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+type likewise_krb5_affinity_t;
+files_type(likewise_krb5_affinity_t)
+
+#################################
+#
+# Declarations for dcerpcd
+#
+type dcerpcd_t;
+type dcerpcd_exec_t;
+type dcerpcd_var_run_t;
+type dcerpcd_var_socket_t;
+type dcerpcd_var_lib_t;
+
+#################################
+#
+# Declarations for eventlogd
+#
+type eventlogd_t;
+type eventlogd_exec_t;
+type eventlogd_var_run_t;
+type eventlogd_var_socket_t;
+type eventlogd_var_lib_t;
+
+#################################
+#
+# Declarations for lsassd
+#
+type lsassd_t;
+type lsassd_exec_t;
+type lsassd_var_run_t;
+type lsassd_var_socket_t;
+type lsassd_var_lib_t;
+
+#################################
+#
+# Declarations for lwiod
+#
+type lwiod_t;
+type lwiod_exec_t;
+type lwiod_var_run_t;
+type lwiod_var_socket_t;
+type lwiod_var_lib_t;
+
+#################################
+#
+# Declarations for lwregd
+#
+type lwregd_t;
+type lwregd_exec_t;
+type lwregd_var_run_t;
+type lwregd_var_socket_t;
+type lwregd_var_lib_t;
+
+#################################
+#
+# Declarations for lwsmd
+#
+type lwsmd_t;
+type lwsmd_exec_t;
+type lwsmd_var_run_t;
+type lwsmd_var_socket_t;
+type lwsmd_var_lib_t;
+
+#################################
+#
+# Declarations for netlogond
+#
+type netlogond_t;
+type netlogond_exec_t;
+type netlogond_var_run_t;
+type netlogond_var_socket_t;
+type netlogond_var_lib_t;
+
+#################################
+#
+# Declarations for srvsvcd
+#
+type srvsvcd_t;
+type srvsvcd_exec_t;
+type srvsvcd_var_run_t;
+type srvsvcd_var_socket_t;
+type srvsvcd_var_lib_t;
+
+#################################
+#
+# Likewise DCE/RPC service local policy
+#
+
+likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_reserved_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_reserved_port(dcerpcd_t)
+
+likewise_stream_connect_lwregd(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
+
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_tcp_bind_reserved_port(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_reserved_port(eventlogd_t)
+
+likewise_stream_connect_lwregd(eventlogd_t)
+likewise_stream_connect_dcerpcd(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+# Because lsassd calls access(), we need these two. It would be nice not to.
+corecmd_exec_bin(lsassd_t);
+corecmd_exec_shell(lsassd_t);
+
+kerberos_use(lsassd_t)
+
+corenet_tcp_connect_reserved_port(lsassd_t)
+corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+files_manage_generic_tmp_dirs(lsassd_t)
+files_manage_generic_tmp_files(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+
+likewise_stream_connect_lwregd(lsassd_t)
+likewise_stream_connect_netlogond(lsassd_t)
+likewise_stream_connect_lwiod(lsassd_t)
+likewise_stream_connect_eventlogd(lsassd_t)
+likewise_stream_connect_dcerpcd(lsassd_t)
+
+likewise_manage_etc_files(lsassd_t)
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
+
+kerberos_rw_config(lwiod_t)
+kerberos_use(lwiod_t)
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+sysnet_read_config(lwiod_t)
+
+likewise_stream_connect_lwregd(lwiod_t)
+likewise_stream_connect_lsassd(lwiod_t)
+
+#################################
+#
+# Likewise Registry server local policy
+#
+
+likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
+
+corenet_tcp_bind_generic_node(lwsmd_t)
+corenet_tcp_bind_reserved_port(lwsmd_t)
+corenet_tcp_bind_smbd_port(lwsmd_t)
+corenet_udp_bind_generic_node(lwsmd_t)
+corenet_udp_bind_reserved_port(lwsmd_t)
+likewise_manage_etc_files(lwsmd_t)
+
+likewise_stream_connect_lwiod(lwsmd_t)
+likewise_stream_connect_lwregd(lwsmd_t)
+
+# When lwsmd starts the daemons, transition to their context:
+domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
+domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
+domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
+domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
+domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
+domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
+domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
+
+allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
+allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
+allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
+allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
+allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
+allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
+allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
+
+allow netlogond_t self:capability {dac_override};
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+likewise_stream_connect_lwregd(netlogond_t)
+likewise_manage_etc_files(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t) + +corenet_tcp_bind_generic_node(srvsvcd_t) +corenet_tcp_bind_reserved_port(srvsvcd_t) + +kerberos_use(srvsvcd_t) + +allow srvsvcd_t likewise_etc_t:dir search_dir_perms; + +likewise_stream_connect_lwregd(srvsvcd_t) +likewise_stream_connect_dcerpcd(srvsvcd_t) +likewise_stream_connect_lwiod(srvsvcd_t) + + diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index b193dd8..41d6517 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',` ') optional_policy(` + likewise_stream_connect_lsassd($1) + ') + + optional_policy(` nis_use_ypbind($1) ') -- 1.7.0.1.147.g6d84b
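Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` in the lsassd block passes a domain where the interface takes a role as its second argument; the value that fits the rest of this block is `seutil_run_semanage(lsassd_t, system_r)`, matching `userdom_manage_home_role(system_r, lsassd_t)` two lines below. Beyond the argument, letting the authentication daemon run semanage means a compromise of `lsassd_t` can rewrite the policy store, which together with `files_manage_etc_files`, `corecmd_exec_shell`, `domain_obj_id_change_exemption` and the `sys_time` capability makes it by far the most privileged domain in the module; the commit message does not say which of these lsassd actually exercises, and since `likewise_manage_etc_files(lsassd_t)` already covers its own configuration, the generic `files_manage_etc_files`/`files_manage_etc_symlinks` pair deserves a justifying comment or removal. `corecmd_exec_bin(lsassd_t);` and `corecmd_exec_shell(lsassd_t);` carry stray trailing semicolons that no other interface call in the file has. `lwsmd_t` is granted `corenet_tcp_bind_smbd_port` although `lwiod_t` appears to be the only SMB server here — confirm the service manager really binds the smbd port before keeping it.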