Add to patch to create userdb root directory with correct label

The upstream PR was closed with the intent to force the SELinux policy to be updated instead. While we're waiting for that to happen, include the patch here.
2025-09-04 13:56:28 +02:00 · 2025-09-04 13:56:28 +02:00 · 327e54e421
commit 327e54e421
parent 2289d65726
2 changed files with 46 additions and 0 deletions
--- a/38769.patch
+++ b/38769.patch
@ -0,0 +1,42 @@
+From e4e1e425394dcef01317c42b34c133768c26b765 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 30 Aug 2025 13:55:56 +0200
+Subject: [PATCH] core: create userdb root directory with correct label
+
+Set up the /run/systemd/userdb directory with the default SELinux context
+on creation.
+
+With version 257.7-1 on Debian the directory was automatically created with the
+correct label. Starting with version 258 (only tested with 258~rc3-1) it no
+longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
+
+[zjs: edited the patch to apply comments from review and update the description.]
+---
+ src/core/varlink.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/varlink.c b/src/core/varlink.c
+index 8c6b95e31d1d5..110b281842373 100644
+--- a/src/core/varlink.c
+++ b/src/core/varlink.c
+@@ -6,6 +6,7 @@
+ #include "errno-util.h"
+ #include "json-util.h"
+ #include "manager.h"
+#include "mkdir-label.h"
+ #include "path-util.h"
+ #include "pidref.h"
+ #include "string-util.h"
+@@ -424,7 +425,11 @@ static int manager_varlink_init_system(Manager *m) {
+                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
+                                 continue;
+ 
+-                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+                        r = mkdir_parents_label(address, 0755);
+                        if (r < 0)
+                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
+
+                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
+                         if (r < 0)
+                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
+                 }
--- a/systemd.spec
+++ b/systemd.spec
@ -143,6 +143,10 @@ Patch:          0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
 Patch:          https://github.com/systemd/systemd/pull/30846.patch

 Patch:          https://github.com/systemd/systemd/pull/38724.patch
+
+# userdb: create userdb root directory with correct label
+# We can drop this after SELinux policy is updated to handle the transition.
+Patch:          https://github.com/systemd/systemd/pull/38769.patch
 %endif

 %ifarch %{ix86} x86_64 aarch64 riscv64