diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/sos-bz1767356-interim-sysroot-forbidden-paths.patch b/SOURCES/sos-bz1767356-interim-sysroot-forbidden-paths.patch
new file mode 100644
index 0000000..5a0fd80
--- /dev/null
+++ b/SOURCES/sos-bz1767356-interim-sysroot-forbidden-paths.patch
@@ -0,0 +1,354 @@
+From 9a0ab16793a8388b2c3d3909fd3a087c5b6296d4 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Fri, 1 Nov 2019 12:13:23 -0400
+Subject: [PATCH 01/10] [Plugin] remove invalid {strip/join}_sysroot()
+
+Do not strip the sysroot path prefix when calling _do_copy_path()
+for a symlink target and do not add the sysroot prefix when
+testing for a forbidden path.
+
+Related: #1842
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/__init__.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sos/plugins/__init__.py b/sos/plugins/__init__.py
+index e75ec82e..4f1b73ce 100644
+--- a/sos/plugins/__init__.py
++++ b/sos/plugins/__init__.py
+@@ -731,7 +731,7 @@ class Plugin(object):
+
+ # skip recursive copying of symlink pointing to itself.
+ if (absdest != srcpath):
+- self._do_copy_path(self.strip_sysroot(absdest))
++ self._do_copy_path(absdest)
+ else:
+ self._log_debug("link '%s' points to itself, skipping target..."
+ % linkdest)
+@@ -758,8 +758,6 @@ class Plugin(object):
+ return None
+
+ def _is_forbidden_path(self, path):
+- if self.use_sysroot():
+- path = self.join_sysroot(path)
+ return _path_in_path_list(path, self.forbidden_paths)
+
+ def _copy_node(self, path, st):
+--
+2.21.0
+
+
+From aeeebf126fc9fdb0fd8c3b01418bef742bce78c3 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Fri, 1 Nov 2019 12:22:51 -0400
+Subject: [PATCH 02/10] [Plugin] fix destination paths in _do_copy_path()
+
+The path used to copy special device nodes and directories in
+_do_copy_path() should be the destination path in the archive
+(without sysroot prefix), and not the source path in the host
+file system that includes this prefix.
+
+Related: #1842
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/__init__.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sos/plugins/__init__.py b/sos/plugins/__init__.py
+index 4f1b73ce..60fbeaf7 100644
+--- a/sos/plugins/__init__.py
++++ b/sos/plugins/__init__.py
+@@ -651,9 +651,13 @@ class Plugin(object):
+ self._copy_symlink(srcpath)
+ return
+ else:
+- if stat.S_ISDIR(st.st_mode) and os.access(srcpath, os.R_OK):
+- self._copy_dir(srcpath)
+- return
++ if stat.S_ISDIR(st.st_mode) and os.access(srcpath, os.R_OK):
++ # copy empty directory
++ if not os.listdir(srcpath):
++ self.archive.add_dir(dest)
++ return
++ self._copy_dir(dest)
++ return
+
+ # handle special nodes (block, char, fifo, socket)
+ if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
+@@ -808,7 +808,7 @@ class Plugin(object):
+ ntype = _node_type(st)
+ self._log_debug("creating %s node at archive:'%s'"
+ % (ntype, dest))
+- self._copy_node(srcpath, st)
++ self._copy_node(dest, st)
+ return
+
+ # if we get here, it's definitely a regular file (not a symlink or dir)
+--
+2.21.0
+
+
+From 05f3d5bda8f548459fabcd38f2d087d6ecef98a2 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Fri, 1 Nov 2019 12:25:09 -0400
+Subject: [PATCH 03/10] [kernel] remove trailing directory globs in forbidden
+ paths
+
+Since the forbidden path test now uses an exact match the trailing
+globs ("/some/directory/path/to/exclude/*") used to exclude trace
+related directories from collection lead to a failure to properly
+blacklist these files:
+
+The glob is expanded, for e.g.:
+
+ "/sys/kernel/debug/tracing/per_cpu/*"
+
+Expands to unclude a 'cpuN' sub-directory for each CPU present on
+the machine. These expanded paths are then added to the forbidden
+paths list for the plugin:
+
+ /sys/kernel/debug/tracing/per_cpu/cpu0
+ /sys/kernel/debug/tracing/per_cpu/cpu1
+ ...
+
+When an attempt is made to collect the entire "per_cpu" directory
+a check is made for the full "/sys/kernel/debug/tracing/per_cpu"
+path against each entry in the forbidden paths list. Since this is
+a prefix of the actual paths stored no match is returned and the
+collection is permitted.
+
+Remove the trailing globs from these directory paths and prevent
+any collection of the directories they reference by the plugin.
+
+Related: #1842
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/kernel.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sos/plugins/kernel.py b/sos/plugins/kernel.py
+index 88b14689..5c852143 100644
+--- a/sos/plugins/kernel.py
++++ b/sos/plugins/kernel.py
+@@ -89,9 +89,9 @@ class Kernel(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+ self.add_forbidden_path([
+ '/sys/kernel/debug/tracing/trace_pipe',
+ '/sys/kernel/debug/tracing/README',
+- '/sys/kernel/debug/tracing/trace_stat/*',
+- '/sys/kernel/debug/tracing/per_cpu/*',
+- '/sys/kernel/debug/tracing/events/*',
++ '/sys/kernel/debug/tracing/trace_stat',
++ '/sys/kernel/debug/tracing/per_cpu',
++ '/sys/kernel/debug/tracing/events',
+ '/sys/kernel/debug/tracing/free_buffer',
+ '/sys/kernel/debug/tracing/trace_marker',
+ '/sys/kernel/debug/tracing/trace_marker_raw',
+--
+2.21.0
+
+
+From 801c71b33dcfeaa980baa9f377b721bdd26aa5e8 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Fri, 1 Nov 2019 16:53:29 +0000
+Subject: [PATCH 04/10] [tests] fix test_copy_dir_forbidden_path
+
+Rather than call just Plugin.setup() and Plugin._do_copy_path(),
+add an add_copy_spec() call to the mock plugin setup() method,
+and invoke copying by calling the Plugin.collect() method.
+
+Related: #1845
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ tests/plugin_tests.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/plugin_tests.py b/tests/plugin_tests.py
+index b8760429..6522fe14 100644
+--- a/tests/plugin_tests.py
++++ b/tests/plugin_tests.py
+@@ -81,6 +81,7 @@ class ForbiddenMockPlugin(Plugin):
+ plugin_name = "forbidden"
+
+ def setup(self):
++ self.add_copy_spec("tests")
+ self.add_forbidden_path("tests")
+
+
+@@ -235,7 +236,7 @@ class PluginTests(unittest.TestCase):
+ })
+ p.archive = MockArchive()
+ p.setup()
+- p._do_copy_path("tests")
++ p.collect()
+ self.assertEquals(p.archive.m, {})
+
+
+--
+2.21.0
+
+
+From c4182ebd52af523261d2e7ef75affbb88eaf31fb Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Mon, 4 Nov 2019 10:45:15 +0000
+Subject: [PATCH 05/10] [Plugin] use correct source path when copying
+ directories
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sos/plugins/__init__.py b/sos/plugins/__init__.py
+index 60fbeaf7..240fe9f1 100644
+--- a/sos/plugins/__init__.py
++++ b/sos/plugins/__init__.py
+@@ -656,7 +656,7 @@ class Plugin(object):
+ if not os.listdir(srcpath):
+ self.archive.add_dir(dest)
+ return
+- self._copy_dir(dest)
++ self._copy_dir(srcpath)
+ return
+
+ # handle special nodes (block, char, fifo, socket)
+--
+2.21.0
+
+
+From 68f4d7cc7adde00171af842b5bc808f41d888a87 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Mon, 4 Nov 2019 10:48:01 +0000
+Subject: [PATCH 06/10] [Plugin] improve _copy_dir() variable naming
+
+Directory entries found in _copy_dir() may be either files or
+sub-directories: reflect this in the names of local variables.
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/__init__.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sos/plugins/__init__.py b/sos/plugins/__init__.py
+index 240fe9f1..1a1464c1 100644
+--- a/sos/plugins/__init__.py
++++ b/sos/plugins/__init__.py
+@@ -738,10 +738,11 @@ class Plugin(object):
+
+ def _copy_dir(self, srcpath):
+ try:
+- for afile in os.listdir(srcpath):
++ for name in os.listdir(srcpath):
+ self._log_debug("recursively adding '%s' from '%s'"
+- % (afile, srcpath))
+- self._do_copy_path(os.path.join(srcpath, afile), dest=None)
++ % (name, srcpath))
++ path = os.path.join(srcpath, name)
++ self._do_copy_path(path)
+ except OSError as e:
+ if e.errno == errno.ELOOP:
+ msg = "Too many levels of symbolic links copying"
+--
+2.21.0
+
+
+From ad3adef07c32aee5bdd438706c6c1d4590ff8297 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Mon, 4 Nov 2019 14:13:00 +0000
+Subject: [PATCH 07/10] [ceph] fix directory blacklist style
+
+Plugins must use 'path/to/exclude' rather than 'path/to/exclude/*'
+in order to omit a directory and all its content from the report.
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/ceph.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sos/plugins/ceph.py b/sos/plugins/ceph.py
+index 6e340c69..43284bc8 100644
+--- a/sos/plugins/ceph.py
++++ b/sos/plugins/ceph.py
+@@ -103,8 +103,8 @@ class Ceph(Plugin, RedHatPlugin, UbuntuPlugin):
+ "/var/lib/ceph/*keyring*",
+ "/var/lib/ceph/*/*keyring*",
+ "/var/lib/ceph/*/*/*keyring*",
+- "/var/lib/ceph/osd/*",
+- "/var/lib/ceph/mon/*",
++ "/var/lib/ceph/osd",
++ "/var/lib/ceph/mon",
+ # Excludes temporary ceph-osd mount location like
+ # /var/lib/ceph/tmp/mnt.XXXX from sos collection.
+ "/var/lib/ceph/tmp/*mnt*",
+--
+2.21.0
+
+
+From 4d1576b04d35902ce44d26d6a5b2219e6f9c175a Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Mon, 4 Nov 2019 14:15:55 +0000
+Subject: [PATCH 09/10] [openstack_octavia] fix directory blacklist style
+
+Plugins must use 'path/to/exclude' rather than 'path/to/exclude/*'
+in order to omit a directory and all its content from the report.
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/openstack_octavia.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sos/plugins/openstack_octavia.py b/sos/plugins/openstack_octavia.py
+index b97c83fa..ccdcd4c9 100644
+--- a/sos/plugins/openstack_octavia.py
++++ b/sos/plugins/openstack_octavia.py
+@@ -30,7 +30,7 @@ class OpenStackOctavia(Plugin):
+ ])
+
+ # don't collect certificates
+- self.add_forbidden_path("/etc/octavia/certs/")
++ self.add_forbidden_path("/etc/octavia/certs")
+
+ # logs
+ if self.get_option("all_logs"):
+--
+2.21.0
+
+
+From 1fd194191a56c51052f0c24ddeb3bbf9088ae0ca Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr@redhat.com>
+Date: Mon, 4 Nov 2019 14:16:13 +0000
+Subject: [PATCH 10/10] [vdsm] fix directory blacklist style
+
+Plugins must use 'path/to/exclude' rather than 'path/to/exclude/*'
+in order to omit a directory and all its content from the report.
+
+Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
+---
+ sos/plugins/vdsm.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sos/plugins/vdsm.py b/sos/plugins/vdsm.py
+index b2a1ca58..69672643 100644
+--- a/sos/plugins/vdsm.py
++++ b/sos/plugins/vdsm.py
+@@ -60,9 +60,9 @@ class Vdsm(Plugin, RedHatPlugin):
+ plugin_name = 'vdsm'
+
+ def setup(self):
+- self.add_forbidden_path('/etc/pki/vdsm/keys/*')
++ self.add_forbidden_path('/etc/pki/vdsm/keys')
+ self.add_forbidden_path('/etc/pki/vdsm/libvirt-spice/*-key.*')
+- self.add_forbidden_path('/etc/pki/libvirt/private/*')
++ self.add_forbidden_path('/etc/pki/libvirt/private')
+
+ self.add_cmd_output('service vdsmd status')
+ self.add_cmd_output('service supervdsmd status')
+
+--
+2.21.0
+
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index b60ccd2..572feec 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -5,7 +5,7 @@
Summary: A set of tools to gather troubleshooting information from a system
Name: sos
Version: 3.7
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Applications/System
Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
Source1: sos-audit-%{auditversion}.tgz
@@ -39,6 +39,7 @@ Patch16: sos-bz1733469-timeouted-plugin-stop-further-collection.patch
Patch17: sos-bz1665929-nvme-config.patch
Patch18: sos-bz1745017-openvswitch-enable-by-openvswitch2.patch
Patch19: sos-bz1756094-kernel-no-trace-by-default.patch
+Patch20: sos-bz1767356-interim-sysroot-forbidden-paths.patch
%description
Sos is a set of tools that gathers information about system
@@ -67,6 +68,7 @@ support technicians and developers.
%patch17 -p1
%patch18 -p1
%patch19 -p1
+%patch20 -p1
%setup -T -D -a1 -q
%build
@@ -119,8 +121,9 @@ of the system. Currently storage and filesystem commands are audited.
%ghost /etc/audit/rules.d/40-sos-storage.rules
%changelog
-* Tue Nov 05 2019 CentOS Sources <bugs@centos.org> - 3.7-5.el8.centos
-- Apply debranding changes
+* Mon Nov 04 2019 Pavel Moravec <pmoravec@redhat.com> = 3.7-6
+- [Plugin, kernel] interim sysroot fixes
+ Resolves: bz1767356
* Wed Oct 02 2019 Pavel Moravec <pmoravec@redhat.com> = 3.7-5
- [kernel] Don't collect trace file by default