Version 246.15

For unknown reasons, sd-bus has trouble connecting to the filtered
D-Bus system proxy exported by Flatpak and the connection to the
bus is closed during authentication. Don't mistake this for a remote
error - that was causing a hard failure rather than a fallback.

.editorconfig

@@ -1,11 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.{yml,yaml}]
-indent_size = 2

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,5 +1,4 @@
 *~
-/.mail.list
 /systemd-*/
 /.build-*.log
 /x86_64/
@@ -7,7 +6,3 @@
 /systemd-*.tar.xz
 /systemd-*.tar.gz
 /*.rpm
-/mkosi.output/
-/mkosi.cache/
-/mkosi.builddir/
-/mkosi.local.conf

.zuul.yaml

@@ -1,7 +0,0 @@
-- project:
-    vars:
-      install_repo_exclude:
-        - systemd-standalone-repart
-        - systemd-standalone-shutdown
-        - systemd-standalone-sysusers
-        - systemd-standalone-tmpfiles

0001-Do-not-assert-in-test_add_acls_for_user.patch

@@ -0,0 +1,42 @@
+From b177b0ef92d226a9f303aecbff0cf2e7293667b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 8 Aug 2020 09:21:37 +0200
+Subject: [PATCH] Do not assert in test_add_acls_for_user()
+
+This is failing on s390x with:
+/* test_add_acls_for_user */
+add_acls_for_user(3, 1000): Invalid argument
+Assertion 'r >= 0' failed at src/test/test-acl-util.c:46, function test_add_acls_for_user(). Aborting.
+---
+ src/test/test-acl-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
+index 9f0e594e67..a91d64ab0c 100644
+--- a/src/test/test-acl-util.c
++++ b/src/test/test-acl-util.c
+@@ -43,24 +43,20 @@ static void test_add_acls_for_user(void) {
+ 
+         r = add_acls_for_user(fd, uid);
+         log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);
+-        assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);
+         assert_se(system(cmd) == 0);
+ 
+         cmd = strjoina("getfacl -p ", fn);
+-        assert_se(system(cmd) == 0);
+ 
+         /* set the acls again */
+ 
+         r = add_acls_for_user(fd, uid);
+-        assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);
+         assert_se(system(cmd) == 0);
+ 
+         cmd = strjoina("getfacl -p ", fn);
+-        assert_se(system(cmd) == 0);
+ 
+         unlink(fn);
+ }

0001-Revert-test-path-increase-timeout.patch

@@ -0,0 +1,30 @@
+From a73d30081a13eaeffce87f997726a179ec44d817 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 31 Jul 2020 10:50:37 +0200
+Subject: [PATCH 1/4] Revert "test-path: increase timeout"
+
+This partially reverts commit 500727c220354b81b68ed6667d9a6f0fafe3ba19.
+
+I was confused by the error message: the test says it timed out, but that's
+because it's waiting for a failed unit to come back to life. There is no actual
+timeout.
+
+So let's keep the minor refactoring that was done, but revert to the old short
+timeout.
+---
+ src/test/test-path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-path.c b/src/test/test-path.c
+index 1075f31bc6..63b709c8da 100644
+--- a/src/test/test-path.c
++++ b/src/test/test-path.c
+@@ -82,7 +82,7 @@ static void check_states(Manager *m, Path *path, Service *service, PathState pat
+         assert_se(m);
+         assert_se(service);
+ 
+-        usec_t end = now(CLOCK_MONOTONIC) + 30 * USEC_PER_SEC;
++        usec_t end = now(CLOCK_MONOTONIC) + 2 * USEC_PER_SEC;
+ 
+         while (path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS ||
+                path->state != path_state || service->state != service_state) {

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -1,88 +0,0 @@
-From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 5 Nov 2025 17:52:16 +0100
-Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
-
-This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
-The unit are still needed for compat.
----
- units/meson.build | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
-diff --git a/units/meson.build b/units/meson.build
-index 2e04c4aa2b..46eaac4073 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -1,5 +1,7 @@
- # SPDX-License-Identifier: LGPL-2.1-or-later
- 
-+with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
-+
- units = [
-         { 'file' : 'basic.target' },
-         { 'file' : 'blockdev@.target' },
-@@ -49,7 +51,7 @@ units = [
-         },
-         {
-           'file' : 'graphical.target',
--          'symlinks' : ['default.target'],
-+          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
-         },
-         { 'file' : 'halt.target' },
-         {
-@@ -142,7 +144,10 @@ units = [
-           'conditions' : ['ENABLE_MACHINED'],
-         },
-         { 'file' : 'modprobe@.service' },
--        { 'file' : 'multi-user.target' },
-+        {
-+          'file' : 'multi-user.target',
-+          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
-+        },
-         {
-           'file' : 'systemd-mute-console.socket',
-           'symlinks' : ['sockets.target.wants/']
-@@ -155,7 +160,10 @@ units = [
-         { 'file' : 'nss-lookup.target' },
-         { 'file' : 'nss-user-lookup.target' },
-         { 'file' : 'paths.target' },
--        { 'file' : 'poweroff.target' },
-+        {
-+          'file' : 'poweroff.target',
-+          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
-+        },
-         { 'file' : 'printer.target' },
-         {
-           'file' : 'proc-sys-fs-binfmt_misc.automount',
-@@ -180,7 +188,7 @@ units = [
-         },
-         {
-           'file' : 'reboot.target',
--          'symlinks' : ['ctrl-alt-del.target'],
-+          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
-         },
-         {
-           'file' : 'remote-cryptsetup.target',
-@@ -200,7 +208,10 @@ units = [
-           'symlinks' : ['initrd-root-device.target.wants/'],
-         },
-         { 'file' : 'rescue.service.in' },
--        { 'file' : 'rescue.target' },
-+        {
-+          'file' : 'rescue.target',
-+          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
-+        },
-         { 'file' : 'rpcbind.target' },
-         { 'file' : 'serial-getty@.service.in' },
-         { 'file' : 'shutdown.target' },
-@@ -1001,4 +1012,10 @@ else
-                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
- endif
- 
-+if conf.get('HAVE_SYSV_COMPAT') == 1
-+        foreach i : [1, 2, 3, 4, 5]
-+                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
-+        endforeach
-+endif
-+
- subdir('user')

0001-test-acl-util-output-more-debug-info.patch

@@ -0,0 +1,46 @@
+From 8cad57ed62a642515670ba79dddb30193456e803 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 7 Aug 2020 18:54:37 +0200
+Subject: [PATCH] test-acl-util: output more debug info
+
+For some reason this failed in koji build on s390x:
+--- command ---
+16:12:46 PATH='/builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/kbd-model-map' /builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu/test-acl-util
+--- stdout ---
+-rw-r-----. 1 mockbuild mock 0 Aug  7 16:12 /tmp/test-empty.7RzmEc
+other::---
+--- stderr ---
+Assertion 'r >= 0' failed at src/test/test-acl-util.c:42, function test_add_acls_for_user(). Aborting.
+---
+ src/test/test-acl-util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
+index df879747f5..9f0e594e67 100644
+--- a/src/test/test-acl-util.c
++++ b/src/test/test-acl-util.c
+@@ -7,6 +7,7 @@
+ 
+ #include "acl-util.h"
+ #include "fd-util.h"
++#include "format-util.h"
+ #include "string-util.h"
+ #include "tmpfile-util.h"
+ #include "user-util.h"
+@@ -18,6 +19,8 @@ static void test_add_acls_for_user(void) {
+         uid_t uid;
+         int r;
+ 
++        log_info("/* %s */", __func__);
++
+         fd = mkostemp_safe(fn);
+         assert_se(fd >= 0);
+ 
+@@ -39,6 +42,7 @@ static void test_add_acls_for_user(void) {
+                 uid = getuid();
+ 
+         r = add_acls_for_user(fd, uid);
++        log_info_errno(r, "add_acls_for_user(%d, "UID_FMT"): %m", fd, uid);
+         assert_se(r >= 0);
+ 
+         cmd = strjoina("ls -l ", fn);

0002-machined-continue-without-resolve.hook-socket.patch

@@ -1,32 +0,0 @@
-From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 26 Nov 2025 22:29:53 +0100
-Subject: [PATCH 3/3] machined: continue without resolve.hook socket
-
----
- src/machine/machined-varlink.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
-index f83cbb8562..0b30cd0531 100644
---- a/src/machine/machined-varlink.c
-+++ b/src/machine/machined-varlink.c
-@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
- 
-         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
--        if (r < 0)
--                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
--                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
-+        if (r < 0) {
-+                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
-+                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
-+                               r,
-+                               "Failed to bind to varlink socket %s%s: %m",
-+                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-+                               ignore ? ", ignoring" : "");
-+                return ignore ? 0 : r;
-+        }
- 
-         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
-         if (r < 0)

0002-test-path-more-debugging-information.patch

@@ -0,0 +1,78 @@
+From 4c38dcdc8d8f22dddc521faedad6a4f45fa81d63 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 14 Sep 2020 08:56:28 +0200
+Subject: [PATCH 2/4] test-path: more debugging information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Just to make it easier to grok what happens when test-path fails.
+Change printf→log_info so that output is interleaved and not split in two
+independent parts in log files.
+---
+ src/test/test-path.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/src/test/test-path.c b/src/test/test-path.c
+index 63b709c8da..84dcf5e37d 100644
+--- a/src/test/test-path.c
++++ b/src/test/test-path.c
+@@ -1,7 +1,6 @@
+ /* SPDX-License-Identifier: LGPL-2.1+ */
+ 
+ #include <stdbool.h>
+-#include <stdio.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ 
+@@ -78,32 +77,38 @@ static Service *service_for_path(Manager *m, Path *path, const char *service_nam
+         return SERVICE(service_unit);
+ }
+ 
+-static void check_states(Manager *m, Path *path, Service *service, PathState path_state, ServiceState service_state) {
++static void _check_states(unsigned line,
++                          Manager *m, Path *path, Service *service, PathState path_state, ServiceState service_state) {
+         assert_se(m);
+         assert_se(service);
+ 
+         usec_t end = now(CLOCK_MONOTONIC) + 2 * USEC_PER_SEC;
+ 
+-        while (path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS ||
+-               path->state != path_state || service->state != service_state) {
++        while (path->state != path_state || service->state != service_state ||
++               path->result != PATH_SUCCESS || service->result != SERVICE_SUCCESS) {
+ 
+                 assert_se(sd_event_run(m->event, 100 * USEC_PER_MSEC) >= 0);
+ 
+-                printf("%s: state = %s; result = %s \n",
+-                                UNIT(path)->id,
+-                                path_state_to_string(path->state),
+-                                path_result_to_string(path->result));
+-                printf("%s: state = %s; result = %s \n",
+-                                UNIT(service)->id,
+-                                service_state_to_string(service->state),
+-                                service_result_to_string(service->result));
++                usec_t n = now(CLOCK_MONOTONIC);
++                log_info("line %d: %s: state = %s; result = %s (left: %" PRIi64 ")",
++                         line,
++                         UNIT(path)->id,
++                         path_state_to_string(path->state),
++                         path_result_to_string(path->result),
++                         end - n);
++                log_info("line %d: %s: state = %s; result = %s",
++                         line,
++                         UNIT(service)->id,
++                         service_state_to_string(service->state),
++                         service_result_to_string(service->result));
+ 
+-                if (now(CLOCK_MONOTONIC) >= end) {
++                if (n >= end) {
+                         log_error("Test timeout when testing %s", UNIT(path)->id);
+                         exit(EXIT_FAILURE);
+                 }
+         }
+ }
++#define check_states(...) _check_states(__LINE__, __VA_ARGS__)
+ 
+ static void test_path_exists(Manager *m) {
+         const char *test_path = "/tmp/test-path_exists";

0003-test-path-do-not-fail-the-test-if-we-fail-to-start-s.patch

@@ -0,0 +1,245 @@
+From 67c6ff720796bc97f262ba93c6ea87da93b04a1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 31 Jul 2020 10:36:57 +0200
+Subject: [PATCH 3/4] test-path: do not fail the test if we fail to start some
+ service
+
+The test was failing because it couldn't start the service:
+
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+path-modified.path: state = waiting; result = success
+path-modified.service: state = failed; result = exit-code
+Failed to connect to system bus: No such file or directory
+-.slice: Failed to enable/disable controllers on cgroup /system.slice/kojid.service, ignoring: Permission denied
+path-modified.service: Failed to create cgroup /system.slice/kojid.service/path-modified.service: Permission denied
+path-modified.service: Failed to attach to cgroup /system.slice/kojid.service/path-modified.service: No such file or directory
+path-modified.service: Failed at step CGROUP spawning /bin/true: No such file or directory
+path-modified.service: Main process exited, code=exited, status=219/CGROUP
+path-modified.service: Failed with result 'exit-code'.
+Test timeout when testing path-modified.path
+
+In fact any of the services that we try to start may fail, especially
+considering that we're doing some rogue cgroup operations. See
+https://github.com/systemd/systemd/pull/16603#issuecomment-679133641.
+---
+ src/test/test-path.c | 88 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 61 insertions(+), 27 deletions(-)
+
+diff --git a/src/test/test-path.c b/src/test/test-path.c
+index 84dcf5e37d..d6c37b77e6 100644
+--- a/src/test/test-path.c
++++ b/src/test/test-path.c
+@@ -77,8 +77,8 @@ static Service *service_for_path(Manager *m, Path *path, const char *service_nam
+         return SERVICE(service_unit);
+ }
+ 
+-static void _check_states(unsigned line,
+-                          Manager *m, Path *path, Service *service, PathState path_state, ServiceState service_state) {
++static int _check_states(unsigned line,
++                         Manager *m, Path *path, Service *service, PathState path_state, ServiceState service_state) {
+         assert_se(m);
+         assert_se(service);
+ 
+@@ -102,11 +102,20 @@ static void _check_states(unsigned line,
+                          service_state_to_string(service->state),
+                          service_result_to_string(service->result));
+ 
++                if (service->state == SERVICE_FAILED)
++                        return log_notice_errno(SYNTHETIC_ERRNO(ECANCELED),
++                                                "Failed to start service %s, aborting test: %s/%s",
++                                                UNIT(service)->id,
++                                                service_state_to_string(service->state),
++                                                service_result_to_string(service->result));
++
+                 if (n >= end) {
+                         log_error("Test timeout when testing %s", UNIT(path)->id);
+                         exit(EXIT_FAILURE);
+                 }
+         }
++
++        return 0;
+ }
+ #define check_states(...) _check_states(__LINE__, __VA_ARGS__)
+ 
+@@ -124,18 +133,22 @@ static void test_path_exists(Manager *m) {
+         service = service_for_path(m, path, NULL);
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(touch(test_path) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         /* Service restarts if file still exists */
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL) == 0);
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(unit_stop(unit) >= 0);
+ }
+@@ -154,18 +167,22 @@ static void test_path_existsglob(Manager *m) {
+         service = service_for_path(m, path, NULL);
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(touch(test_path) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         /* Service restarts if file still exists */
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL) == 0);
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(unit_stop(unit) >= 0);
+ }
+@@ -185,23 +202,28 @@ static void test_path_changed(Manager *m) {
+         service = service_for_path(m, path, NULL);
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(touch(test_path) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         /* Service does not restart if file still exists */
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         f = fopen(test_path, "w");
+         assert_se(f);
+         fclose(f);
+ 
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         (void) rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL);
+         assert_se(unit_stop(unit) >= 0);
+@@ -222,23 +244,28 @@ static void test_path_modified(Manager *m) {
+         service = service_for_path(m, path, NULL);
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(touch(test_path) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         /* Service does not restart if file still exists */
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         f = fopen(test_path, "w");
+         assert_se(f);
+         fputs("test", f);
+ 
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         (void) rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL);
+         assert_se(unit_stop(unit) >= 0);
+@@ -258,14 +285,17 @@ static void test_path_unit(Manager *m) {
+         service = service_for_path(m, path, "path-mycustomunit.service");
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(touch(test_path) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL) == 0);
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(unit_stop(unit) >= 0);
+ }
+@@ -286,22 +316,26 @@ static void test_path_directorynotempty(Manager *m) {
+         assert_se(access(test_path, F_OK) < 0);
+ 
+         assert_se(unit_start(unit) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         /* MakeDirectory default to no */
+         assert_se(access(test_path, F_OK) < 0);
+ 
+         assert_se(mkdir_p(test_path, 0755) >= 0);
+         assert_se(touch(strjoina(test_path, "test_file")) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         /* Service restarts if directory is still not empty */
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING);
++        if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0)
++                return;
+ 
+         assert_se(rm_rf(test_path, REMOVE_ROOT|REMOVE_PHYSICAL) == 0);
+         assert_se(unit_stop(UNIT(service)) >= 0);
+-        check_states(m, path, service, PATH_WAITING, SERVICE_DEAD);
++        if (check_states(m, path, service, PATH_WAITING, SERVICE_DEAD) < 0)
++                return;
+ 
+         assert_se(unit_stop(unit) >= 0);
+ }

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -1,112 +0,0 @@
-From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
-From: Nick Rosbrook <enr0n@ubuntu.com>
-Date: Fri, 19 Dec 2025 11:01:49 -0500
-Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
-
-The primary motivation for this is to allow users of ukify to build
-UKI-like objects, without having them later be detected as a UKI by
-tools like kernel-install and bootctl.
-
-The common code used by these tools to determine if a PE binary is a UKI
-checks that both .osrel and .linux sections are present. Hence, adding
-a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
----
- man/ukify.xml                |  5 ++++-
- src/ukify/test/test_ukify.py | 15 +++++++++++----
- src/ukify/ukify.py           | 10 +++++++++-
- 3 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/man/ukify.xml b/man/ukify.xml
-index 829761642d..7462c5c92f 100644
---- a/man/ukify.xml
-+++ b/man/ukify.xml
-@@ -365,7 +365,10 @@
-           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
-           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
-           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
--          will be picked up from the host system.</para>
-+          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
-+          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
-+          to not be recognized as a UKI by other tools like <command>kernel-install</command>
-+          and <command>bootctl</command>).</para>
- 
-           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
-         </varlistentry>
-diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
-index f75ef0c891..224a38569f 100755
---- a/src/ukify/test/test_ukify.py
-+++ b/src/ukify/test/test_ukify.py
-@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
- 
-     shutil.rmtree(tmp_path)
- 
--def test_inspect(kernel_initrd, tmp_path, capsys):
-+def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
-     if kernel_initrd is None:
-         pytest.skip('linux+initrd not found')
-     if not shutil.which('sbsign'):
-@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     output = f'{tmp_path}/signed2.efi'
-     uname_arg='1.2.3'
--    osrel_arg='Linux'
-+    osrel_arg='Linux' if osrel else ''
-     cmdline_arg='ARG1 ARG2 ARG3'
- 
-     args = [
-@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     text = capsys.readouterr().out
- 
--    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
--    assert expected_osrel in text
-+    if osrel:
-+        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
-+        assert expected_osrel in text
-+    else:
-+        assert '.osrel:' not in text
-+
-     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
-     assert expected_cmdline in text
-     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
-@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     shutil.rmtree(tmp_path)
- 
-+def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
-+    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
-+
- @pytest.mark.skipif(not slow_tests, reason='slow')
- def test_pcr_signing(kernel_initrd, tmp_path):
-     if kernel_initrd is None:
-diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
-index c98f8e2a5d..b7542c7eca 100755
---- a/src/ukify/ukify.py
-+++ b/src/ukify/ukify.py
-@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
-         '.profile',
-     }
- 
-+    if not opts.os_release:
-+        to_import.remove('.osrel')
-+
-     for profile in opts.join_profiles:
-         pe = pefile.PE(profile, fast_load=True)
-         prev_len = len(uki.sections)
-@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
- 
-     opts.os_release = resolve_at_path(opts.os_release)
- 
--    if not opts.os_release and opts.linux:
-+    if opts.os_release == '':
-+        # If --os-release= with an empty string was passed, treat that as
-+        # explicitly disabling the .osrel section, and do not fallback to the
-+        # system's os-release files.
-+        pass
-+    elif opts.os_release is None and opts.linux:
-         p = Path('/etc/os-release')
-         if not p.exists():
-             p = Path('/usr/lib/os-release')
--- 
-2.52.0
-

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -1,51 +0,0 @@
-From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <johannes.goede@oss.qualcomm.com>
-Date: Mon, 12 Jan 2026 14:56:36 +0100
-Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
-
-When n_all_initrds == 0, then all_initrds is unmodified from its initial
-value of:
-
-	_cleanup_free_ struct iovec *all_initrds = NULL;
-
-and in the else block of the "if (n_all_initrds > 1)" the NULL is
-dereferenced:
-
-		final_initrd = all_initrds[0];
-
-Leading to the stub crashing due to a NULL pointer deref.
-
-Fix this by initializing final_initrd to all 0s and only
-running the else block if (n_all_initrds == 1).
----
- src/boot/stub.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/boot/stub.c b/src/boot/stub.c
-index 06ecbc7d18..65950262c6 100644
---- a/src/boot/stub.c
-+++ b/src/boot/stub.c
-@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-         /* Combine the initrds into one */
-         _cleanup_pages_ Pages initrd_pages = {};
--        struct iovec final_initrd;
-+        struct iovec final_initrd = {};
-         if (n_all_initrds > 1) {
--                /* There will always be a base initrd, if this counter is higher, we need to combine them */
-+                /* If there is more then 1 initrd we need to combine them */
-                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
-                 if (err != EFI_SUCCESS)
-                         return err;
-@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-                 /* Given these might be large let's free them explicitly before we pass control to Linux */
-                 initrds_free(&initrds);
--        } else
-+        } else if (n_all_initrds == 1)
-                 final_initrd = all_initrds[0];
- 
-         struct iovec kernel = IOVEC_MAKE(
--- 
-2.52.0
-

10-map-count.conf

@@ -1,3 +0,0 @@
-# Increase the number of virtual memory areas that one process may request
-# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
-vm.max_map_count=1048576

10-oomd-defaults.conf

@@ -1,2 +0,0 @@
-[OOM]
-DefaultMemoryPressureDurationSec=20s

10-oomd-per-slice-defaults.conf

@@ -1,3 +0,0 @@
-[Slice]
-ManagedOOMMemoryPressure=kill
-ManagedOOMMemoryPressureLimit=80%

10-timeout-abort.conf

@@ -1,14 +0,0 @@
-# This file is part of the systemd package.
-# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
-#
-# To facilitate debugging when a service fails to stop cleanly,
-# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
-# the time allotted. This will cause the service to be terminated with SIGABRT
-# and a coredump to be generated.
-#
-# To undo this configuration change, create a mask file:
-#   sudo mkdir -p /etc/systemd/system/service.d
-#   sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
-
-[Service]
-TimeoutStopFailureMode=abort

20-grubby.install

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+if [[ ! -x /sbin/new-kernel-pkg ]]; then
+    exit 0
+fi
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+KERNEL_DIR="${KERNEL_IMAGE%/*}"
+[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
+case "$COMMAND" in
+    add)
+        if [[ "${KERNEL_DIR}" != "/boot" ]]; then
+            for i in \
+                "$KERNEL_IMAGE" \
+                    "$KERNEL_DIR"/System.map \
+                    "$KERNEL_DIR"/config \
+                    "$KERNEL_DIR"/zImage.stub \
+                    "$KERNEL_DIR"/dtb \
+                ; do
+                [[ -e "$i" ]] || continue
+                cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
+                command -v restorecon &>/dev/null && \
+                    restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
+            done
+            # hmac is .vmlinuz-<version>.hmac so needs a special treatment
+            i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
+            if [[ -e "$i" ]]; then
+                cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+                command -v restorecon &>/dev/null && \
+                    restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+            fi
+        fi
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
+        ;;
+    remove)
+        /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
+        ;;
+    *)
+        ;;
+esac
+
+# skip other installation plugins, if we can't find a boot loader spec conforming setup
+if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
+    exit 77
+fi

26494.patch

@@ -1,30 +0,0 @@
-From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Mon, 20 Feb 2023 12:00:30 +0900
-Subject: [PATCH] core/manager: run generators directly when we are in initrd
-
-Some initrd system write files at ourside of /run, /etc, or other
-allowed places. This is a kind of workaround, but in most cases, such
-sandboxing is not necessary as the filesystem is on ramfs when we are in
-initrd.
-
-Fixes #26488.
----
- src/core/manager.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/core/manager.c b/src/core/manager.c
-index 7b394794b0d4..306477c6e6c2 100644
---- a/src/core/manager.c
-+++ b/src/core/manager.c
-@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
-         /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
-          * we are the user manager, let's just execute the generators directly. We might not have the
-          * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
--         */
--        if (MANAGER_IS_USER(m)) {
-+         * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
-+        if (MANAGER_IS_USER(m) || in_initrd()) {
-                 r = manager_execute_generators(m, paths, /* remount_ro= */ false);
-                 goto finish;
-         }

30846.patch

@@ -1,56 +0,0 @@
-From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 9 Jan 2024 11:28:04 +0100
-Subject: [PATCH] journal: again create user journals for users with high uids
-
-This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
-'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
-in an additional check of uid_is_container(uid). The problem is that that change
-is not backwards-compatible at all and very hard for users to handle.
-There is no common agreement on mappings of high-range uids. Systemd declares
-ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
-but this is only a recent change and various sites allocated those ranges
-in a different way, in particular FreeIPA uses (used?) uids from this range
-for human users. On big sites with lots of users changing uids is obviously a
-hard problem. We generally assume that uids cannot be "freed" and/or changed
-and/or reused safely, so we shouldn't demand the same from others.
-
-This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
-SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
-huge problems for existing systems with were created with a different
-definition and couldn't be easily updated. For that case, we added a
-configuration time switch and we now parse /etc/login.defs to actually use the
-value that is appropriate for the local system.
-
-Unfortunately, login.defs doesn't have a concept of container allocation ranges
-(and we don't have code to parse and use those nonexistent names either), so we
-can't tell users to adjust logind.defs to work around the changed definition.
-
-login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
-because they are used to define where the add allocations for subuids, which is
-generally a much smaller range. Maybe we should talk with other folks about
-the appropriate allocation ranges and define some new settings in login.defs.
-But this would require discussion and coordination with other projects first.
-
-Actualy, it seems that this change was needed at all. The code in the container
-does not log to the outside journal. It talks to its own journald, which does
-journal splitting using its internal logic based on shifted uids. So let's
-revert the change to fix user systems.
-
-Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
----
- src/basic/uid-classification.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
-index 203ce2c68a..2eb384395d 100644
---- a/src/basic/uid-classification.c
-+++ b/src/basic/uid-classification.c
-@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
- 
-         /* Returns true if the specified UID shall get its data stored in the system journal. */
- 
--        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
-+        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
-+
- }

38769.patch

@@ -1,42 +0,0 @@
-From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Sat, 30 Aug 2025 13:55:56 +0200
-Subject: [PATCH] core: create userdb root directory with correct label
-
-Set up the /run/systemd/userdb directory with the default SELinux context
-on creation.
-
-With version 257.7-1 on Debian the directory was automatically created with the
-correct label. Starting with version 258 (only tested with 258~rc3-1) it no
-longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
-
-[zjs: edited the patch to apply comments from review and update the description.]
----
- src/core/varlink.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/varlink.c b/src/core/varlink.c
-index 99f12c59e5..71a8ffd0e5 100644
---- a/src/core/varlink.c
-+++ b/src/core/varlink.c
-@@ -5,6 +5,7 @@
- #include "constants.h"
- #include "errno-util.h"
- #include "manager.h"
-+#include "mkdir-label.h"
- #include "path-util.h"
- #include "pidref.h"
- #include "string-util.h"
-@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
-                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
-                                 continue;
- 
--                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
-+                        r = mkdir_parents_label(address, 0755);
-+                        if (r < 0)
-+                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
-+
-+                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
-                         if (r < 0)
-                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
-                 }

60-block-scheduler.rules

@@ -1,5 +0,0 @@
-# do not edit this file, it will be overwritten on update
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
-  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
-  ATTR{queue/scheduler}="bfq"

98-default-mac-none.link

@@ -1,20 +0,0 @@
-# SPDX-License-Identifier: MIT-0
-#
-# This config file is installed as part of systemd.
-# It may be freely copied and edited (following the MIT No Attribution license).
-#
-# To make local modifications, one of the following methods may be used:
-# 1. add a drop-in file that extends this file by creating the
-#    /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
-#    new .conf file there.
-# 2. copy this file into /etc/systemd/network or one of the other paths checked
-#    by systemd-udevd and edit it there.
-# This file should not be edited in place, because it'll be overwritten on upgrades.
-
-[Match]
-Kind=bridge bond team
-
-[Link]
-NamePolicy=keep kernel database onboard slot path
-AlternativeNamesPolicy=database onboard slot path
-MACAddressPolicy=none

README.build-in-place.md

@@ -1,14 +0,0 @@
-# Building systemd rpms for local development using rpmbuild --build-in-place
-
-This approach is based on filbranden's [git-rpmbuild](https://github.com/filbranden/git-rpmbuild)
-and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
-
-```
-git clone https://github.com/systemd/systemd
-fedpkg clone systemd fedora-systemd
-cd systemd
-rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with upstream ../fedora-systemd/systemd.spec
-sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
-```
-
-`--without lto` and `--without tests` may be useful to speed up the build.

f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch

@@ -0,0 +1,129 @@
+From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 14 Sep 2020 17:58:03 +0200
+Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1803070
+
+I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
+than the one we get from /proc/self/fdinfo/. This only matters when both statx and
+name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
+
+(gdb) !uname -r
+5.6.19-200.fc31.ppc64le
+
+(gdb) !cat /proc/self/mountinfo
+697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
+701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
+702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
+703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
+704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
+705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
+706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
+722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
+725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
+614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
+615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+
+The test process does
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
+openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
+read(open("/proc/self/fdinfo/4", ...)) which gives
+"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
+
+and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
+
+We could either drop the fallback path (and fail name_to_handle_at() is not
+avaliable) or ignore the error in the test. Not sure what is better. I think
+this issue only occurs sometimes and with older kernels, so probably continuing
+with the current flaky implementation is better than ripping out the fallback.
+
+Another strace:
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
+) = 28
+name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
+) = 20
+name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
+) = 30
+name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
+) = 23
+name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
+openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
+openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
+read(5</proc/20/fdinfo/4>, "", 1024)    = 0
+close(5</proc/20/fdinfo/4>)             = 0
+close(4</proc/filesystems>)             = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
+) = 42
+writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
+) = 39
+writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
+) = 109
+rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
+rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
+getpid()                                = 20
+gettid()                                = 20
+tgkill(20, 20, SIGABRT)                 = 0
+rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
+--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
++++ killed by SIGABRT (core dumped) +++
+---
+ src/test/test-mountpoint-util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
+index 30b00ae4d8b..ffe5144b04a 100644
+--- a/src/test/test-mountpoint-util.c
++++ b/src/test/test-mountpoint-util.c
+@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
+                 /* The ids don't match? If so, then there are two mounts on the same path, let's check if
+                  * that's really the case */
+                 char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
+-                log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
+-                assert_se(path_equal(p, t));
++                log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
++
++                if (!path_equal(p, t))
++                        /* Apparent kernel bug in /proc/self/fdinfo */
++                        log_warning("Bad mount id given for %s: %d, should be %d",
++                                    p, mnt_id2, mnt_id);
+         }
+ }
+ 

libabigail.abignore

@@ -1,3 +0,0 @@
-[suppress_file]
-# Those shared objects are private to systemd
-file_name_regexp=libsystemd-(shared|core)-.*.so

libsystemd-shared.abignore

@@ -0,0 +1,3 @@
+[suppress_file]
+# This shared object is private to systemd
+file_name_regexp=libsystemd-shared-.*.so

macros.sysusers

@@ -2,9 +2,9 @@
 #
 # Turn a sysusers.d file into macros specified by
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-#
-# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
-# those macros are not needed anymore.
 
-%sysusers_requires_compat %nil
-%sysusers_create_compat() %nil
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}

macros.sysusers.compat

@@ -1,10 +0,0 @@
-# RPM macros for packages creating system accounts
-#
-# Turn a sysusers.d file into macros specified by
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-
-%sysusers_requires_compat Requires(pre): shadow-utils
-
-%sysusers_create_compat() \
-%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
-%{nil}

owner-check.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-set -e
-
-verb="$1"
-
-[ "$verb" = "-s" ] && do_send=1 || do_send=
-
-[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; }
-
-header=
-from=systemd-maint@fedoraproject.org
-time='2 years ago'
-# time='1 day ago'
-port=587
-
-for user in "$@"; do
-    echo "checking $user…"
-
-    p=$(git log -1 --all --author "$user")
-    if [ -z "$p" ]; then
-	echo "No commits from $user, check spelling"
-	exit 1
-    fi
-
-    t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l)
-    if [ $t != 0 ]; then
-	echo "$t commits in the last two years, OK"
-	echo
-	continue
-    fi
-
-    echo "$p" | head -n6
-    echo ".. adding to list"
-
-    if [ -z "$header" ]; then
-	echo '$USER$;$EMAIL$' >.mail.list
-	header=done
-    fi
-
-    echo "$user;$user@fedoraproject.org" >>.mail.list
-    echo
-done
-
-[ -z "$header" ] && exit 0
-[ -n "$do_send" ] || exit 0
-
-echo "Sending mails…"
-set -x
-massmail -F "$from" \
-	 -C "$from" \
-	 -S 'write access to the fedora systemd package' \
-	 -z "$server" -u "$login" -P "$port" \
-	 .mail.list <owner-check.template

owner-check.template

@@ -1,20 +0,0 @@
-Dear $USER$,
-
-the automation to check activity in the systemd dist-git repo [1]
-determined that you haven't done any commits in the last two years.
-
-To decrease the potential for unauthorized access, such checks will be
-executed periodically. Not-used accounts with write access to the repo
-will be downgraded to "ticket" (no write privileges).
-
-If you want to retain access, please reply to this mail.
-Otherwise, in two weeks, your access mode will be changed to "ticket".
-Even without write access, anyone can open a pull request in pagure,
-so write access is not necessary to contribute to the package.
-Obviously such changes not permanent, so even if your access mode is
-downgraded, it can easily be restored later on.
-
-Yours friendly,
-./owner-check.sh
-
-[1] https://src.fedoraproject.org/rpms/systemd

plans/run-integration-tests.sh

@@ -1,127 +0,0 @@
-#!/bin/bash
-
-set -eux
-set -o pipefail
-
-# Switch SELinux to permissive if possible, since the tests don't set proper contexts
-setenforce 0 || true
-
-echo "CPU and Memory information:"
-lscpu
-lsmem
-
-echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
-
-# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
-sysctl fs.inotify.max_user_watches=65536 || true
-sysctl fs.inotify.max_user_instances=1024 || true
-
-if [[ -n "${KOJI_TASK_ID:-}" ]]; then
-    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
-elif [[ -n "${CBS_TASK_ID:-}" ]]; then
-    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
-elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
-    COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
-    COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
-    copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
-    mv "$COPR_CHROOT"/* .
-else
-    echo "Not running within packit and no CBS/koji task ID provided"
-    exit 1
-fi
-
-PACKAGEDIR="$PWD"
-
-# This will match both the regular and the debuginfo rpm so make sure we select only the
-# non-debuginfo rpm.
-RPMS=(systemd-tests-*.rpm)
-rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
-pushd usr/lib/systemd/tests
-mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
-
-# Now prepare mkosi at the same version required by the systemd repo.
-git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
-git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
-
-export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
-
-# shellcheck source=/dev/null
-. /etc/os-release || . /usr/lib/os-release
-
-tee mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Distribution=${MKOSI_DISTRIBUTION:-$ID}
-Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-
-[Content]
-PackageDirectories=$PACKAGEDIR
-SELinuxRelabel=yes
-
-[Build]
-ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
-ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-ToolsTreePackageDirectories=$PACKAGEDIR
-Environment=NO_BUILD=1
-WithTests=yes
-EOF
-
-if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Repositories=$MKOSI_REPOSITORIES
-
-[Build]
-ToolsTreeRepositories=$MKOSI_REPOSITORIES
-EOF
-fi
-
-if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Runtime]
-KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
-EOF
-fi
-
-# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
-modprobe kvm || true
-if [[ ! -e /dev/kvm ]]; then
-    export TEST_NO_QEMU=1
-fi
-
-NPROC="$(nproc)"
-if [[ "$NPROC" -ge 10 ]]; then
-    export TEST_JOURNAL_USE_TMP=1
-    NPROC="$((NPROC / 3))"
-else
-    NPROC="$((NPROC - 1))"
-fi
-
-# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
-# for now.
-export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
-
-mkosi genkey
-mkosi summary
-mkosi -f box -- true
-mkosi box -- meson setup build integration-tests/standalone
-mkosi -f
-if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
-    MAX_LINES=(--max-lines 300)
-else
-    MAX_LINES=()
-fi
-mkosi box -- \
-    meson test \
-        -C build \
-        --setup=integration \
-        --print-errorlogs \
-        --no-stdsplit \
-        --num-processes "$NPROC" \
-        "${MAX_LINES[@]}" && EC=0 || EC=$?
-
-[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
-[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
-
-popd
-
-exit "$EC"

plans/upstream.fmf

@@ -1,22 +0,0 @@
-summary: systemd upstream test suite
-provision:
-  hardware:
-    virtualization:
-      is-supported: true
-prepare:
-  - name: install-dependencies
-    how: install
-    package:
-      - coreutils
-      - distribution-gpg-keys
-      - dnf
-      - git-core
-      - koji
-      - centos-packager
-      - copr-cli
-    exclude:
-      - systemd-standalone-.*
-execute:
-    how: tmt
-    script: exec plans/run-integration-tests.sh
-    duration: 2h

purge-nobody-user

@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi

rpminspect.yaml

@@ -1,24 +0,0 @@
- # Disable badfuncs check that has tons of false positives.
-badfuncs:
-  allowed:
-    /usr/lib/systemd/tests/unit-tests/*:
-       - inet_addr
-       - inet_aton
-    /usr/bin/networkctl:
-       - inet_addr
-       - inet_aton
-
-# don't report changed content of compiled files
-# that is expected with every update
-changedfiles:
-  exclude_path: .*
-
-# completely disable inspections:
-inspections:
-  # we know about our patches, no need to report anything
-  patches: off
-
-  # this inspection uses `udevadm` which comes from this package
-  # disable so we do not check udev rules with a possibly outdated version
-  # of the command
-  udevrules: off

sources

@@ -1 +1 @@
-SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
+SHA512 (systemd-246.15.tar.gz) = 71c8afb9de149b9f4b2f63c7a84e2ce2d897e90570692eaa75d8c99c345ad6cfc9717f93844ff1f582f65b7bdbb1166de1d4574cf6f4329edda8920a6c6bf536

split-files.py

@@ -1,47 +1,8 @@
 import re, sys, os, collections
 
 buildroot = sys.argv[1]
-no_bootloader = '--no-bootloader' in sys.argv
-
-known_files = '''
-%ghost %config(noreplace) /etc/crypttab
-%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
-/etc/inittab
-# This directory is owned by openssh-server, but we don't want to introduce
-# a dependency. So let's copy the config and co-own the directory.
-%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
-%ghost %config(noreplace) /etc/vconsole.conf
-%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
-%ghost %attr(0664,root,root) %verify(not group) /run/utmp
-%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
-%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
-%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
-%ghost %config(noreplace) /etc/hostname
-%ghost %config(noreplace) /etc/localtime
-%ghost %config(noreplace) /etc/locale.conf
-%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
-%ghost %config(noreplace) /etc/machine-info
-%ghost %attr(0700,root,root) %dir /var/cache/private
-%ghost %attr(0700,root,root) %dir /var/lib/private
-%ghost %dir /var/lib/private/systemd
-%ghost %dir /var/lib/private/systemd/journal-upload
-%ghost /var/lib/private/systemd/journal-upload/state
-%ghost %dir /var/lib/systemd/timesync
-%ghost /var/lib/systemd/timesync/clock
-%ghost %dir /var/lib/systemd/backlight
-%ghost /var/lib/systemd/catalog/database
-%ghost %dir /var/lib/systemd/coredump
-%ghost /var/lib/systemd/journal-upload
-%ghost %dir /var/lib/systemd/linger
-%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
-%ghost %dir /var/lib/systemd/rfkill
-%ghost %dir %verify(not mode group) /var/log/journal
-%ghost %dir /var/log/journal/remote
-%ghost %attr(0700,root,root) %dir /var/log/private
-'''
-
-known_files = {line.split()[-1]:line for line in known_files.splitlines()
-               if line and not line.startswith('#')}
+known_files = sys.stdin.read().splitlines()
+known_files = {line.split()[-1]:line for line in known_files}
 
 def files(root):
     os.chdir(root)
@@ -54,31 +15,18 @@ def files(root):
             if file.is_dir() and not file.is_symlink():
                 todo.append(file)
 
-outputs = {suffix: open(f'.file-list-{suffix}', 'w')
-           for suffix in (
-                   'shared',
-                   'libs',
-                   'udev',
-                   'ukify',
-                   'boot',
-                   'pam',
-                   'rpm-macros',
-                   'sysusers',
-                   'devel',
-                   'container',
-                   'networkd',
-                   'networkd-defaults',
-                   'oomd-defaults',
-                   'remote',
-                   'resolve',
-                   'tests',
-                   'standalone-repart',
-                   'standalone-tmpfiles',
-                   'standalone-sysusers',
-                   'standalone-shutdown',
-                   'main',
-           )}
-
+o_libs = open('.file-list-libs', 'w')
+o_udev = open('.file-list-udev', 'w')
+o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
+o_devel = open('.file-list-devel', 'w')
+o_container = open('.file-list-container', 'w')
+o_networkd = open('.file-list-networkd', 'w')
+o_remote = open('.file-list-remote', 'w')
+o_tests = open('.file-list-tests', 'w')
+o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
+o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
+o_rest = open('.file-list-rest', 'w')
 for file in files(buildroot):
     n = file.path[1:]
     if re.match(r'''/usr/(share|include)$|
@@ -102,197 +50,94 @@ for file in files(buildroot):
                     /var(/cache|/log|/lib|/run|)$
     ''', n, re.X):
         continue
-
-    if n.endswith('.standalone'):
-        if 'repart' in n:
-            o = outputs['standalone-repart']
-        elif 'tmpfiles' in n:
-            o = outputs['standalone-tmpfiles']
-        elif 'sysusers' in n:
-            o = outputs['standalone-sysusers']
-        elif 'shutdown' in n:
-            o = outputs['standalone-shutdown']
-        else:
-            assert False, 'Found .standalone not belonging to known packages'
-
-    elif '/security/pam_' in n or '/man8/pam_' in n:
-        o = outputs['pam']
+    if '/security/pam_' in n or '/man8/pam_' in n:
+        o = o_pam
     elif '/rpm/' in n:
-        o = outputs['rpm-macros']
+        o = o_rpm_macros
     elif '/usr/lib/systemd/tests' in n:
-        o = outputs['tests']
-    elif 'ukify' in n and '/man/' not in n:
-        o = outputs['ukify']
-    elif re.search(r'/libsystemd-core-.*\.so$', n):
-        o = outputs['main']
-    elif re.search(r'/libsystemd-shared-.*\.so$', n):
-        o = outputs['shared']
-    elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
-        o = outputs['udev']
-    elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
-        o = outputs['devel']
+        o = o_tests
+    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
+        o = o_devel
     elif re.search(r'''journal-(remote|gateway|upload)|
                        systemd-remote\.conf|
                        /usr/share/systemd/gatewayd|
                        /var/log/journal/remote
     ''', n, re.X):
-        o = outputs['remote']
-
-    # Just the binary, the dir, and the man page.
-    elif re.search(r'''systemd-sysusers$|
-                       sysusers\.d$|
-                       man/.*sysusers\.d\.5|
-                       man/.*systemd-sysusers\.8
-    ''', n, re.X):
-        o = outputs['sysusers']
-
+        o = o_remote
     elif re.search(r'''mymachines|
                        machinectl|
-                       mount.ddi|
-                       importctl|
-                       portablectl|
                        systemd-nspawn|
-                       systemd\.nspawn|
-                       systemd-vmspawn|
-                       systemd-dissect|
-                       import-pubring|
-                       systemd-machined|
-                       systemd-import|
-                       systemd-export|
-                       systemd-pull|
-                       systemd-mountfsd|
-                       systemd-mountwork|
-                       systemd-nsresource|
+                       import-pubring.gpg|
+                       systemd-(machined|import|pull)|
                        /machine.slice|
                        /machines.target|
                        var-lib-machines.mount|
                        org.freedesktop.(import|machine)1
     ''', n, re.X):
-        o = outputs['container']
-
-    # .network.example files go into systemd-networkd, and the matching files
-    # without .example go into systemd-networkd-defaults
-    elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
-          and os.path.exists(f'./{n}.example')):
-        o = outputs['networkd-defaults']
-
-    # Files that are "consumed" by systemd-networkd go into the -networkd
-    # subpackage. As a special case, network-generator is co-owned also by
-    # the -udev subpackage because systemd-udevd reads .link files.
-    elif re.search(r'''/usr/lib/systemd/network/.*\.network|
+        o = o_container
+    elif re.search(r'''/usr/lib/systemd/network/80-|
                        networkd|
                        networkctl|
-                       org.freedesktop.network1|
-                       sysusers\.d/systemd-network.conf|
-                       tmpfiles\.d/systemd-network.conf|
-                       systemd\.network|
-                       systemd\.netdev
+                       org.freedesktop.network1
     ''', n, re.X):
-        o = outputs['networkd']
-    elif 'network-generator' in n:
-        o = (outputs['networkd'], outputs['udev'])
-
+        o = o_networkd
     elif '.so.' in n:
-        o = outputs['libs']
-
-    elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
-        o = outputs['oomd-defaults']
-
+        o = o_libs
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
-                       ac-power|
                        bootctl|
-                       boot-update|
+                       sd-boot|systemd-boot\.|loader.conf|
                        bless-boot|
                        boot-system-token|
-                       bsod|
                        kernel-install|
-                       installkernel|
                        vconsole|
                        backlight|
                        rfkill|
                        random-seed|
                        modules-load|
                        timesync|
-                       crypttab|
-                       cryptenroll|
                        cryptsetup|
                        kmod|
                        quota|
                        pstore|
                        sleep|suspend|hibernate|
                        systemd-tmpfiles-setup-dev|
-                       network/98-default-mac-none.link|
                        network/99-default.link|
                        growfs|makefs|makeswap|mkswap|
                        fsck|
                        repart|
                        gpt-auto|
                        volatile-root|
-                       veritysetup|
-                       integritysetup|
-                       integritytab|
+                       verity-setup|
                        remount-fs|
-                       /initrd|
-                       systemd[.-]pcr|
-                       /pcrlock\.d|
-                       systemd-measure|
                        /boot$|
+                       /boot/efi|
                        /kernel/|
                        /kernel$|
-                       /modprobe.d|
-                       binfmt|
-                       sysctl|
-                       coredump|
-                       homed|home1|
-                       sysupdate|updatctl|
-                       oomd|
-                       portabled|portable1
-    ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
-                       # they can be used to interact with remote daemons. Also, the user could be
-                       # confused if those user-facing binaries are not available.
-        o = outputs['udev']
-
-    elif re.search(r'''/boot/efi|
-                       /usr/lib/systemd/boot|
-                       sd-boot|systemd-boot\.|loader.conf
+                       /modprobe.d
     ''', n, re.X):
-        o = outputs['boot']
-
-    elif re.search(r'''resolved|resolve1|
-                       systemd-resolve|
-                       resolvconf|
-                       systemd\.(positive|negative)
-    ''', n, re.X):     # resolvectl and nss-resolve are in the main package.
-        o = outputs['resolve']
-
+        o = o_udev
+    elif n.endswith('.standalone'):
+        if 'tmpfiles' in n:
+            o = o_standalone_tmpfiles
+        elif 'sysusers' in n:
+            o = o_standalone_sysusers
+        else:
+            assert False, 'Found .standalone not belonging to known packages'
     else:
-        o = outputs['main']
+        o = o_rest
 
     if n in known_files:
-        prefix = known_files[n].split()[:-1]
-    elif file.is_dir(follow_symlinks=False):
-        prefix = ['%dir']
-    elif 'README' in n:
-        prefix = ['%doc']
+        prefix = ' '.join(known_files[n].split()[:-1])
+        if prefix:
+            prefix += ' '
+    elif file.is_dir() and not file.is_symlink():
+        prefix = '%dir '
     elif n.startswith('/etc'):
-        prefix = ['%config(noreplace)']
-        if not file.is_symlink() and file.stat().st_size == 0:
-            prefix += ['%ghost']
+        prefix = '%config(noreplace) '
     else:
-        prefix = []
-    prefix = ' '.join(prefix + ['']) if prefix else ''
+        prefix = ''
 
     suffix = '*' if '/man/' in n else ''
 
-    if not isinstance(o, tuple):
-        o = (o,)
-    for file in o:
-        print(f'{prefix}{n}{suffix}', file=file)
-
-if [print(f'ERROR: no file names were written to {o.name}')
-    for name, o in outputs.items()
-    if (o.tell() == 0 and
-        not (no_bootloader and name == 'boot'))
-    ]:
-    sys.exit(1)
+    print(f'{prefix}{n}{suffix}', file=o)

systemd-user

@@ -1,14 +1,10 @@
+# This file is part of systemd.
+#
 # Used by systemd --user instances.
 
--account sufficient pam_systemd_home.so
-account  sufficient pam_unix.so no_pass_expiry
-account  include    system-auth
+account  include system-auth
 
-session  required   pam_selinux.so close
-session  required   pam_selinux.so nottys open
-session  required   pam_loginuid.so
-session  optional   pam_keyinit.so force revoke
-session  required   pam_namespace.so
--session optional   pam_systemd_home.so
-session  optional   pam_umask.so silent
-session  include    system-auth
+session  required pam_selinux.so close
+session  required pam_selinux.so nottys open
+session  required pam_loginuid.so
+session  include system-auth

sysusers.generate-pre.sh

@@ -1,96 +1,79 @@
 #!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*-
 
 # This script turns sysuser.d files into scriptlets mandated by Fedora
 # packaging guidelines. The general idea is to define users using the
 # declarative syntax but to turn this into traditional scriptlets.
 
 user() {
-	user="$1"
-	uid="$2"
-	desc="$3"
-	group="$4"
-	home="$5"
-	shell="$6"
+    user="$1"
+    uid="$2"
+    desc="$3"
+    group="$4"
+    home="$5"
+    shell="$6"
 
-	[ "$desc" = '-' ] && desc=
-	{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
-	{ [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
+[ "$desc" = '-' ] && desc=
+[ "$home" = '-' -o "$home" = '' ] && home=/
+[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin
 
-	if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
-		cat <<-EOF
-		getent passwd '$user' >/dev/null || \\
-		    useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		EOF
-	else
-		cat <<-EOF
-		if ! getent passwd ${user@Q} >/dev/null; then
-		    if ! getent passwd ${uid@Q} >/dev/null; then
-		        useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		    else
-		        useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		    fi
-		fi
+if [ "$uid" = '-' -o "$uid" = '' ]; then
+    cat <<EOF
+getent passwd '$user' >/dev/null || \\
+    useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user'
+EOF
+else
+    cat <<EOF
+if ! getent passwd '$user' >/dev/null ; then
+    if ! getent passwd '$uid' >/dev/null ; then
+        useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    else
+        useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    fi
+fi
 
-		EOF
-	fi
+EOF
+fi
 }
 
 group() {
-	group="$1"
-	gid="$2"
-
-	if [ "$gid" = '-' ]; then
-		cat <<-EOF
-		getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || :
-		EOF
-	else
-		cat <<-EOF
-		getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || :
-		EOF
-	fi
-}
-
-usermod() {
-	user="$1"
-	group="$2"
-
-	cat <<-EOF
-	if getent group ${group@Q} >/dev/null; then
-	    usermod -a -G ${group@Q} '$user' || :
-	fi
-	EOF
+    group="$1"
+    gid="$2"
+if [ "$gid" = '-' ]; then
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -r '$group'
+EOF
+else
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group'
+EOF
+fi
 }
 
 parse() {
-	while read -r line || [ -n "$line" ] ; do
-		{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
-		line="${line## *}"
-		[ -z "$line" ] && continue
-		eval "arr=( $line )"
-		case "${arr[0]}" in
-			('u'|'u!')
-				if [[ "${arr[2]}" == *":"* ]]; then
-					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
-				else
-					group "${arr[1]}" "${arr[2]}"
-					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
-				fi
-				;;
-			('g')
-				group "${arr[1]}" "${arr[2]}"
-				;;
-			('m')
-				group "${arr[2]}" "-"
-				user "${arr[1]}" "-" "" "${arr[1]}" "" ""
-				usermod "${arr[1]}" "${arr[2]}"
-				;;
-		esac
-	done
+    while read line || [ "$line" ]; do
+        [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        eval arr=( $line )
+        case "${arr[0]}" in
+            ('u')
+                group "${arr[1]}" "${arr[2]}"
+                user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+                # TODO: user:group support
+                ;;
+            ('g')
+                group "${arr[1]}" "${arr[2]}"
+                ;;
+            ('m')
+                group "${arr[2]}" "-"
+                user "${arr[1]}" "-" "" "${arr[2]}"
+                ;;
+        esac
+    done
 }
 
 for fn in "$@"; do
-	[ -e "$fn" ] || continue
-	echo "# generated from $(basename "$fn")"
-	parse <"$fn"
+    [ -e "$fn" ] || continue
+    echo "# generated from $(basename $fn)"
+    parse < "$fn"
 done

sysusers.prov

@@ -1,40 +1,5 @@
 #!/bin/bash
 
-process_u() {
-    if [ ! -z "${2##*[!0-9]*}" ]; then
-        # Single shared static ID.
-        echo "user($1) = $2"
-        echo "group($1) = $2"
-    elif [[ $2 == *:* ]]; then
-        # UID:<group>.
-        uid=$(echo $2 | cut -d':' -f1 -)
-        group=$(echo $2 | cut -d':' -f2 -)
-        if [ ! -z "${group##*[!0-9]*}" ]; then
-            # UID:GID.
-            echo "user($1) = ${uid}"
-            echo "group($1) = ${group}"
-        else
-            # UID:<groupname>.
-            echo "user($1) = ${uid}"
-            echo "group(${group})"
-        fi
-    else
-        # Dynamic (or something else uninteresting).
-        echo "user($1)"
-        echo "group($1)"
-    fi
-}
-
-process_g() {
-    if [ ! -z "${2##*[!0-9]*}" ]; then
-        # Static GID.
-        echo "group($1) = $2"
-    else
-        # Dynamic (or something else uninteresting).
-        echo "group($1)"
-    fi
-}
-
 parse() {
     while read line; do
         [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
@@ -42,11 +7,13 @@ parse() {
         [ -z "$line" ] && continue
         set -- $line
         case "$1" in
-            ('u'|'u!')
-                process_u "$2" "$3"
+            ('u')
+                echo "user($2)"
+                echo "group($2)"
+                # TODO: user:group support
                 ;;
             ('g')
-                process_g "$2" "$3"
+                echo "group($2)"
                 ;;
             ('m')
                 echo "user($2)"

test_sysusers_defined.py

@@ -1,39 +0,0 @@
-#!/usr/bin/python
-
-import os
-import sys
-
-def parse_sysusers_file(filename):
-    users, groups = set(), set()
-
-    for line in open(filename):
-        line = line.strip()
-        if not line or line.startswith('#'):
-            continue
-        words = line.split()
-        match words[0]:
-            case 'u'|'u!':
-                users.add(words[1])
-            case 'g':
-                groups.add(words[1])
-            case 'm'|'r':
-                continue
-            case _:
-                assert False
-    return users, groups
-
-setup_users, setup_groups = set(), set()
-
-for arg in sys.argv[1:-1]:
-    users, groups = parse_sysusers_file(arg)
-    setup_users |= users
-    setup_groups |= groups
-
-basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
-
-ignored = set(os.getenv('IGNORED', '').split())
-
-if d := basic_users - setup_users - ignored:
-    exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups - ignored:
-    exit(f'We have new groups: {d}')

tests/tests-reboot.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            result=pass
+            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
+            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
+            grep -q '<no matches>' /tmp/avc.log || result=fail
+            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
+            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/test.log
+          - /tmp/avc.log
+          - /tmp/results.yml

triggers.systemd

@@ -1,85 +1,111 @@
 #  -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
-#  SPDX-License-Identifier: LGPL-2.1-or-later
+#  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
 #
+#  Copyright 2015 Zbigniew Jędrzejewski-Szmek
 #  Copyright 2018 Neal Gompa
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+#  systemd is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 
 # The contents of this are an example to be copied into systemd.spec.
 #
-# Minimum rpm version supported: 4.14.0
+# Minimum rpm version supported: 4.13.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
-/usr/lib/systemd/systemd-update-helper system-reload-restart || :
+if test -d /run/systemd/system; then
+  %{_bindir}/systemctl daemon-reload
+fi
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
-/usr/lib/systemd/systemd-update-helper user-reload-restart || :
-
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system
 # On removal, we need to run daemon-reload after any units have been
-# removed.
+# removed. %transfiletriggerpostun would be ideal, but it does not get
+# executed for some reason.
 # On upgrade, we need to run daemon-reload after any new unit files
 # have been installed, but before %postun scripts in packages get
-# executed.
-/usr/lib/systemd/systemd-update-helper system-reload || :
+# executed. %transfiletriggerun gets the right list of files
+# but it is invoked too early (before changes happen).
+# %filetriggerpostun happens at the right time, but it fires for
+# every package.
+# To execute the reload at the right time, we create a state
+# file in %transfiletriggerun and execute the daemon-reload in
+# the first %filetriggerpostun.
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
-# Execute daemon-reload in user managers.
-/usr/lib/systemd/systemd-update-helper user-reload || :
+if test -d "/run/systemd/system"; then
+    mkdir -p "%{_localstatedir}/lib/rpm-state/systemd"
+    touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"
+fi
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
-# We restart remaining system services that should be restarted here.
-/usr/lib/systemd/systemd-update-helper system-restart || :
+%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then
+    rm -rf "%{_localstatedir}/lib/rpm-state/systemd"
+    %{_bindir}/systemctl daemon-reload
+fi
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
-# We restart remaining user services that should be restarted here.
-/usr/lib/systemd/systemd-update-helper user-restart || :
-
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
+%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
-systemd-sysusers || :
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-sysusers || :
+fi
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
+%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
+# This script will process files installed in /usr/lib/tmpfiles.d to create
+# tmpfiles automatically. The priority is set such that it will run
+# after the sysusers file trigger, but before any other triggers.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-tmpfiles --create || :
+fi
+
+%transfiletriggerin udev -- /usr/lib/udev/hwdb.d
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
-systemd-hwdb update || :
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-hwdb update || :
+fi
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
+%transfiletriggerin -- /usr/lib/systemd/catalog
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
-journalctl --update-catalog || :
+if test -d /run/systemd/system; then
+  %{_bindir}/journalctl --update-catalog || :
+fi
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
+%transfiletriggerin udev -- /usr/lib/udev/rules.d
+# This script will automatically update udev with new rules if files
+# have been installed or updated in /usr/lib/udev/rules.d.
+if test -e /run/udev/control; then
+  %{_bindir}/udevadm control --reload || :
+fi
+
+%transfiletriggerin -- /usr/lib/sysctl.d
+# This script will automatically apply sysctl rules if files have been
+# installed or updated in /usr/lib/sysctl.d.
+if test -d /run/systemd/system; then
+  /usr/lib/systemd/systemd-sysctl || :
+fi
+
+%transfiletriggerin -- /usr/lib/binfmt.d
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
-if test -d "/run/systemd/system"; then
+if test -d /run/systemd/system; then
   # systemd-binfmt might fail if binfmt_misc kernel module is not loaded
   # during install
   /usr/lib/systemd/systemd-binfmt || :
 fi
-
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
-# This script will process files installed in /usr/lib/tmpfiles.d to create
-# tmpfiles automatically. The priority is set such that it will run
-# after the sysusers file trigger, but before any other triggers.
-if test -d "/run/systemd/system"; then
-  systemd-tmpfiles --create || :
-fi
-
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
-# This script will automatically update udev with new rules if files
-# have been installed or updated in /usr/lib/udev/rules.d.
-/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
-
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
-# This script will automatically apply sysctl rules if files have been
-# installed or updated in /usr/lib/sysctl.d.
-if test -d "/run/systemd/system"; then
-  /usr/lib/systemd/systemd-sysctl || :
-fi

use-bfq-scheduler.patch

@@ -0,0 +1,41 @@
+From 223ea50950f97ed4e67311dfcffed7ffc27a7cd3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Aug 2019 15:57:42 +0200
+Subject: [PATCH] udev: use bfq as the default scheduler
+
+As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
+Test results are that bfq seems to behave better and more consistently on
+typical hardware. The kernel does not have a configuration option to set
+the default scheduler, and it currently needs to be set by userspace.
+
+See the bug for more discussion and links.
+---
+ rules.d/60-block-scheduler.rules | 5 +++++
+ rules.d/meson.build              | 1 +
+ 2 files changed, 6 insertions(+)
+ create mode 100644 rules.d/60-block-scheduler.rules
+
+diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
+new file mode 100644
+index 0000000000..480b941761
+--- /dev/null
++++ b/rules.d/60-block-scheduler.rules
+@@ -0,0 +1,6 @@
++# do not edit this file, it will be overwritten on update
++
++ACTION=="add", SUBSYSTEM=="block", \
++  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
++  ENV{DEVTYPE}=="disk", \
++  ATTR{queue/scheduler}="bfq"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index ca4445d774..38d6aa6970 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -3,6 +3,7 @@
+ rules = files('''
+         60-autosuspend.rules
+         60-block.rules
++        60-block-scheduler.rules
+         60-cdrom_id.rules
+         60-drm.rules
+         60-evdev.rules

yum-protect-systemd.conf

@@ -0,0 +1,2 @@
+systemd
+systemd-udev