Version 249.13

This reverts commit 4b8edcc3e2.

.editorconfig

@@ -1,11 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.{yml,yaml}]
-indent_size = 2

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -7,7 +7,3 @@
 /systemd-*.tar.xz
 /systemd-*.tar.gz
 /*.rpm
-/mkosi.output/
-/mkosi.cache/
-/mkosi.builddir/
-/mkosi.local.conf

.zuul.yaml

@@ -1,7 +1,5 @@
 - project:
     vars:
       install_repo_exclude:
-        - systemd-standalone-repart
-        - systemd-standalone-shutdown
-        - systemd-standalone-sysusers
         - systemd-standalone-tmpfiles
+        - systemd-standalone-sysuser

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -1,88 +0,0 @@
-From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 5 Nov 2025 17:52:16 +0100
-Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
-
-This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
-The unit are still needed for compat.
----
- units/meson.build | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
-diff --git a/units/meson.build b/units/meson.build
-index 2e04c4aa2b..46eaac4073 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -1,5 +1,7 @@
- # SPDX-License-Identifier: LGPL-2.1-or-later
- 
-+with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
-+
- units = [
-         { 'file' : 'basic.target' },
-         { 'file' : 'blockdev@.target' },
-@@ -49,7 +51,7 @@ units = [
-         },
-         {
-           'file' : 'graphical.target',
--          'symlinks' : ['default.target'],
-+          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
-         },
-         { 'file' : 'halt.target' },
-         {
-@@ -142,7 +144,10 @@ units = [
-           'conditions' : ['ENABLE_MACHINED'],
-         },
-         { 'file' : 'modprobe@.service' },
--        { 'file' : 'multi-user.target' },
-+        {
-+          'file' : 'multi-user.target',
-+          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
-+        },
-         {
-           'file' : 'systemd-mute-console.socket',
-           'symlinks' : ['sockets.target.wants/']
-@@ -155,7 +160,10 @@ units = [
-         { 'file' : 'nss-lookup.target' },
-         { 'file' : 'nss-user-lookup.target' },
-         { 'file' : 'paths.target' },
--        { 'file' : 'poweroff.target' },
-+        {
-+          'file' : 'poweroff.target',
-+          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
-+        },
-         { 'file' : 'printer.target' },
-         {
-           'file' : 'proc-sys-fs-binfmt_misc.automount',
-@@ -180,7 +188,7 @@ units = [
-         },
-         {
-           'file' : 'reboot.target',
--          'symlinks' : ['ctrl-alt-del.target'],
-+          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
-         },
-         {
-           'file' : 'remote-cryptsetup.target',
-@@ -200,7 +208,10 @@ units = [
-           'symlinks' : ['initrd-root-device.target.wants/'],
-         },
-         { 'file' : 'rescue.service.in' },
--        { 'file' : 'rescue.target' },
-+        {
-+          'file' : 'rescue.target',
-+          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
-+        },
-         { 'file' : 'rpcbind.target' },
-         { 'file' : 'serial-getty@.service.in' },
-         { 'file' : 'shutdown.target' },
-@@ -1001,4 +1012,10 @@ else
-                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
- endif
- 
-+if conf.get('HAVE_SYSV_COMPAT') == 1
-+        foreach i : [1, 2, 3, 4, 5]
-+                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
-+        endforeach
-+endif
-+
- subdir('user')

0001-rpm-don-t-specify-the-full-path-for-systemctl-and-ot.patch

@@ -0,0 +1,247 @@
+From aa56d0bbcef9c2f32845203b50df92492717fea6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Jul 2021 14:02:36 +0200
+Subject: [PATCH 1/6] rpm: don't specify the full path for systemctl and other
+ commands
+
+We can make things a bit simpler and more readable by not specifying the path.
+Since we didn't specify the full path for all commands (including those invoked
+recursively by anythign we invoke), this didn't really privide any security or
+robustness benefits. I guess that full paths were used because this style of
+rpm packagnig was popular in the past, with macros used for everything
+possible, with special macros for common commands like %{__ln} and %{__mkdir}.
+---
+ src/rpm/macros.systemd.in      | 24 ++++++++++++------------
+ src/rpm/triggers.systemd.in    | 18 +++++++++---------
+ src/rpm/triggers.systemd.sh.in | 18 +++++++++---------
+ 3 files changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in
+index 3a0169a85f..3129ab2d61 100644
+--- a/src/rpm/macros.systemd.in
++++ b/src/rpm/macros.systemd.in
+@@ -46,9 +46,9 @@ OrderWithRequires(postun): systemd \
+ 
+ %systemd_post() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_post}} \
+-if [ $1 -eq 1 ] && [ -x %{_bindir}/systemctl ]; then \
++if [ $1 -eq 1 ] && command -v systemctl >/dev/null; then \
+     # Initial installation \
+-    %{_bindir}/systemctl --no-reload preset %{?*} || : \
++    systemctl --no-reload preset %{?*} || : \
+ fi \
+ %{nil}
+ 
+@@ -56,21 +56,21 @@ fi \
+ 
+ %systemd_preun() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_preun}} \
+-if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \
++if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \
+     # Package removal, not upgrade \
+     if [ -d /run/systemd/system ]; then \
+-          %{_bindir}/systemctl --no-reload disable --now %{?*} || : \
++          systemctl --no-reload disable --now %{?*} || : \
+     else \
+-          %{_bindir}/systemctl --no-reload disable %{?*} || : \
++          systemctl --no-reload disable %{?*} || : \
+     fi \
+ fi \
+ %{nil}
+ 
+ %systemd_user_preun() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_preun}} \
+-if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \
++if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \
+     # Package removal, not upgrade \
+-    %{_bindir}/systemctl --global disable %{?*} || : \
++    systemctl --global disable %{?*} || : \
+ fi \
+ %{nil}
+ 
+@@ -84,10 +84,10 @@ fi \
+ 
+ %systemd_postun_with_restart() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \
+-if [ $1 -ge 1 ] && [ -x %{_bindir}/systemctl ]; then \
++if [ $1 -ge 1 ] && command -v systemctl >/dev/null; then \
+     # Package upgrade, not uninstall \
+     for unit in %{?*}; do \
+-         %{_bindir}/systemctl set-property $unit Markers=+needs-restart || : \
++        systemctl set-property $unit Markers=+needs-restart || : \
+     done \
+ fi \
+ %{nil}
+@@ -105,17 +105,17 @@ fi \
+ # Deprecated. Use %tmpfiles_create_package instead
+ %tmpfiles_create() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# tmpfiles_create}} \
+-[ -x %{_bindir}/systemd-tmpfiles ] && %{_bindir}/systemd-tmpfiles --create %{?*} || : \
++command -v systemd-tmpfiles >/dev/null && systemd-tmpfiles --create %{?*} || : \
+ %{nil}
+ 
+ # Deprecated. Use %sysusers_create_package instead
+ %sysusers_create() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# sysusers_create}} \
+-[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers %{?*} || : \
++command -v systemd-sysusers >/dev/null && systemd-sysusers %{?*} || : \
+ %{nil}
+ 
+ %sysusers_create_inline() \
+-[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \
++command -v systemd-sysusers >/dev/null && systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \
+ %{?*} \
+ SYSTEMD_INLINE_EOF\
+ %{nil}
+diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in
+index c10112fe54..483207e58c 100644
+--- a/src/rpm/triggers.systemd.in
++++ b/src/rpm/triggers.systemd.in
+@@ -16,14 +16,14 @@
+ if posix.access("/run/systemd/system") then
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
++        assert(posix.execp("systemctl", "daemon-reload"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+ 
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))
++        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+@@ -38,7 +38,7 @@ end
+ if posix.access("/run/systemd/system") then
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
++        assert(posix.execp("systemctl", "daemon-reload"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+@@ -49,7 +49,7 @@ end
+ if posix.access("/run/systemd/system") then
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))
++        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+@@ -61,7 +61,7 @@ end
+ -- will run before the tmpfiles file trigger.
+ pid = posix.fork()
+ if pid == 0 then
+-    assert(posix.exec("%{_bindir}/systemd-sysusers"))
++    assert(posix.execp("systemd-sysusers"))
+ elseif pid > 0 then
+     posix.wait(pid)
+ end
+@@ -71,7 +71,7 @@ end
+ -- installed or updated in {{UDEV_HWDB_DIR}}.
+ pid = posix.fork()
+ if pid == 0 then
+-    assert(posix.exec("%{_bindir}/systemd-hwdb", "update"))
++    assert(posix.execp("systemd-hwdb", "update"))
+ elseif pid > 0 then
+     posix.wait(pid)
+ end
+@@ -81,7 +81,7 @@ end
+ -- have been installed or updated in {{SYSTEMD_CATALOG_DIR}}.
+ pid = posix.fork()
+ if pid == 0 then
+-    assert(posix.exec("%{_bindir}/journalctl", "--update-catalog"))
++    assert(posix.execp("journalctl", "--update-catalog"))
+ elseif pid > 0 then
+     posix.wait(pid)
+ end
+@@ -105,7 +105,7 @@ end
+ if posix.access("/run/systemd/system") then
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/systemd-tmpfiles", "--create"))
++        assert(posix.execp("systemd-tmpfiles", "--create"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+@@ -117,7 +117,7 @@ end
+ if posix.access("/run/systemd/system") then
+     pid = posix.fork()
+     if pid == 0 then
+-        assert(posix.exec("%{_bindir}/udevadm", "control", "--reload"))
++        assert(posix.execp("udevadm", "control", "--reload"))
+     elseif pid > 0 then
+         posix.wait(pid)
+     end
+diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in
+index e746c316d3..f8c4514313 100644
+--- a/src/rpm/triggers.systemd.sh.in
++++ b/src/rpm/triggers.systemd.sh.in
+@@ -15,8 +15,8 @@
+ # installed, because other cases are covered by the *un scriptlets,
+ # so sometimes we will reload needlessly.
+ if test -d "/run/systemd/system"; then
+-  %{_bindir}/systemctl daemon-reload || :
+-  %{_bindir}/systemctl reload-or-restart --marked || :
++  systemctl daemon-reload || :
++  systemctl reload-or-restart --marked || :
+ fi
+ 
+ %transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+@@ -26,30 +26,30 @@ fi
+ # have been installed, but before %postun scripts in packages get
+ # executed.
+ if test -d "/run/systemd/system"; then
+-  %{_bindir}/systemctl daemon-reload || :
++  systemctl daemon-reload || :
+ fi
+ 
+ %transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ # We restart remaining services that should be restarted here.
+ if test -d "/run/systemd/system"; then
+-  %{_bindir}/systemctl reload-or-restart --marked || :
++  systemctl reload-or-restart --marked || :
+ fi
+ 
+ %transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}
+ # This script will process files installed in {{SYSUSERS_DIR}} to create
+ # specified users automatically. The priority is set such that it
+ # will run before the tmpfiles file trigger.
+-%{_bindir}/systemd-sysusers || :
++systemd-sysusers || :
+ 
+ %transfiletriggerin -P 1000700 udev -- {{UDEV_HWDB_DIR}}
+ # This script will automatically invoke hwdb update if files have been
+ # installed or updated in {{UDEV_HWDB_DIR}}.
+-%{_bindir}/systemd-hwdb update || :
++systemd-hwdb update || :
+ 
+ %transfiletriggerin -P 1000700 -- {{SYSTEMD_CATALOG_DIR}}
+ # This script will automatically invoke journal catalog update if files
+ # have been installed or updated in {{SYSTEMD_CATALOG_DIR}}.
+-%{_bindir}/journalctl --update-catalog || :
++journalctl --update-catalog || :
+ 
+ %transfiletriggerin -P 1000700 -- {{BINFMT_DIR}}
+ # This script will automatically apply binfmt rules if files have been
+@@ -65,14 +65,14 @@ fi
+ # tmpfiles automatically. The priority is set such that it will run
+ # after the sysusers file trigger, but before any other triggers.
+ if test -d "/run/systemd/system"; then
+-  %{_bindir}/systemd-tmpfiles --create || :
++  systemd-tmpfiles --create || :
+ fi
+ 
+ %transfiletriggerin -P 1000600 udev -- {{UDEV_RULES_DIR}}
+ # This script will automatically update udev with new rules if files
+ # have been installed or updated in {{UDEV_RULES_DIR}}.
+ if test -e /run/udev/control; then
+-  %{_bindir}/udevadm control --reload || :
++  udevadm control --reload || :
+ fi
+ 
+ %transfiletriggerin -P 1000500 -- {{SYSCTL_DIR}}

0002-machined-continue-without-resolve.hook-socket.patch

@@ -1,32 +0,0 @@
-From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 26 Nov 2025 22:29:53 +0100
-Subject: [PATCH 3/3] machined: continue without resolve.hook socket
-
----
- src/machine/machined-varlink.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
-index f83cbb8562..0b30cd0531 100644
---- a/src/machine/machined-varlink.c
-+++ b/src/machine/machined-varlink.c
-@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
- 
-         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
--        if (r < 0)
--                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
--                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
-+        if (r < 0) {
-+                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
-+                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
-+                               r,
-+                               "Failed to bind to varlink socket %s%s: %m",
-+                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-+                               ignore ? ", ignoring" : "");
-+                return ignore ? 0 : r;
-+        }
- 
-         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
-         if (r < 0)

0002-rpm-use-a-helper-script-to-actually-invoke-systemctl.patch

@@ -0,0 +1,332 @@
+From bbfbe1c31046d53640ebb4ef4e4820614fd0864e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 22 Jul 2021 11:22:33 +0200
+Subject: [PATCH 2/6] rpm: use a helper script to actually invoke systemctl
+ commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of embedding the commands to invoke directly in the macros,
+let's use a helper script as indirection. This has a couple of advantages:
+
+- the macro language is awkward, we need to suffix most commands by "|| :"
+  and "\", which is easy to get wrong. In the new scheme, the macro becomes
+  a single simple command.
+- in the script we can use normal syntax highlighting, shellcheck, etc.
+- it's also easier to test the invoked commands by invoking the helper
+  manually.
+- most importantly, the logic is contained in the helper, i.e. we can
+  update systemd rpm and everything uses the new helper. Before, we would
+  have to rebuild all packages to update the macro definition.
+
+This raises the question whether it makes sense to use the lua scriptlets when
+the real work is done in a bash script. I think it's OK: we still have the
+efficient lua scripts that do the short scripts, and we use a single shared
+implementation in bash to do the more complex stuff.
+
+The meson version is raised to 0.47 because that's needed for install_mode.
+We were planning to raise the required version anyway…
+---
+ README                           |  2 +-
+ meson.build                      |  3 +-
+ src/rpm/macros.systemd.in        | 30 ++++++++--------
+ src/rpm/meson.build              | 13 ++++---
+ src/rpm/systemd-update-helper.in | 60 ++++++++++++++++++++++++++++++++
+ src/rpm/triggers.systemd.in      | 43 ++++++++---------------
+ src/rpm/triggers.systemd.sh.in   | 13 ++-----
+ 7 files changed, 105 insertions(+), 59 deletions(-)
+ create mode 100755 src/rpm/systemd-update-helper.in
+
+diff --git a/README b/README
+index 9e5bcab830..2b759e7f5a 100644
+--- a/README
++++ b/README
+@@ -195,7 +195,7 @@ REQUIREMENTS:
+         python-jinja2
+         python-lxml (optional, required to build the indices)
+         python >= 3.5
+-        meson >= 0.46 (>= 0.49 is required to build position-independent executables)
++        meson >= 0.47 (>= 0.49 is required to build position-independent executables)
+         ninja
+         gcc, awk, sed, grep, and similar tools
+         clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
+diff --git a/meson.build b/meson.build
+index ece21fbd10..5962371e49 100644
+--- a/meson.build
++++ b/meson.build
+@@ -10,7 +10,7 @@ project('systemd', 'c',
+                 'localstatedir=/var',
+                 'warning_level=2',
+         ],
+-        meson_version : '>= 0.46',
++        meson_version : '>= 0.47',
+        )
+ 
+ libsystemd_version = '0.32.0'
+@@ -253,6 +253,7 @@ conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH',               join_paths(rootlib
+ conf.set_quoted('SYSTEMD_STDIO_BRIDGE_BINARY_PATH',           join_paths(bindir, 'systemd-stdio-bridge'))
+ conf.set_quoted('SYSTEMD_TEST_DATA',                          join_paths(testsdir, 'testdata'))
+ conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', join_paths(rootbindir, 'systemd-tty-ask-password-agent'))
++conf.set_quoted('SYSTEMD_UPDATE_HELPER_PATH',                 join_paths(rootlibexecdir, 'systemd-update-helper'))
+ conf.set_quoted('SYSTEMD_USERWORK_PATH',                      join_paths(rootlibexecdir, 'systemd-userwork'))
+ conf.set_quoted('SYSTEMD_VERITYSETUP_PATH',                   join_paths(rootlibexecdir, 'systemd-veritysetup'))
+ conf.set_quoted('SYSTEM_CONFIG_UNIT_DIR',                     join_paths(pkgsysconfdir, 'system'))
+diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in
+index 3129ab2d61..bbdf036da7 100644
+--- a/src/rpm/macros.systemd.in
++++ b/src/rpm/macros.systemd.in
+@@ -46,31 +46,33 @@ OrderWithRequires(postun): systemd \
+ 
+ %systemd_post() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_post}} \
+-if [ $1 -eq 1 ] && command -v systemctl >/dev/null; then \
++if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+     # Initial installation \
+-    systemctl --no-reload preset %{?*} || : \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} install-system-units %{?*} || : \
+ fi \
+ %{nil}
+ 
+-%systemd_user_post() %{expand:%systemd_post \\--global %%{?*}}
++%systemd_user_post() \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_post}} \
++if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++    # Initial installation \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} install-user-units %{?*} || : \
++fi \
++%{nil}
+ 
+ %systemd_preun() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_preun}} \
+-if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \
++if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+     # Package removal, not upgrade \
+-    if [ -d /run/systemd/system ]; then \
+-          systemctl --no-reload disable --now %{?*} || : \
+-    else \
+-          systemctl --no-reload disable %{?*} || : \
+-    fi \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} remove-system-units %{?*} || : \
+ fi \
+ %{nil}
+ 
+ %systemd_user_preun() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_preun}} \
+-if [ $1 -eq 0 ] && command -v systemctl >/dev/null; then \
++if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+     # Package removal, not upgrade \
+-    systemctl --global disable %{?*} || : \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} remove-user-units %{?*} || : \
+ fi \
+ %{nil}
+ 
+@@ -84,11 +86,9 @@ fi \
+ 
+ %systemd_postun_with_restart() \
+ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \
+-if [ $1 -ge 1 ] && command -v systemctl >/dev/null; then \
++if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+     # Package upgrade, not uninstall \
+-    for unit in %{?*}; do \
+-        systemctl set-property $unit Markers=+needs-restart || : \
+-    done \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-system-units %{?*} || : \
+ fi \
+ %{nil}
+ 
+diff --git a/src/rpm/meson.build b/src/rpm/meson.build
+index fc72fee73c..2ad3308cc1 100644
+--- a/src/rpm/meson.build
++++ b/src/rpm/meson.build
+@@ -1,9 +1,13 @@
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+ in_files = [
+-        ['macros.systemd',      rpmmacrosdir != 'no'],
+-        ['triggers.systemd',    false],
+-        ['triggers.systemd.sh', false]]
++        ['macros.systemd',        rpmmacrosdir != 'no', rpmmacrosdir],
++
++        # we conditionalize on rpmmacrosdir, but install into rootlibexecdir
++        ['systemd-update-helper', rpmmacrosdir != 'no', rootlibexecdir, 'rwxr-xr-x'],
++
++        ['triggers.systemd',      false],
++        ['triggers.systemd.sh',   false]]
+ 
+ # The last two don't get installed anywhere, one of them needs to included in
+ # the rpm spec file definition instead.
+@@ -17,6 +21,7 @@ foreach tuple : in_files
+                 command : [meson_render_jinja2, config_h, '@INPUT@'],
+                 capture : true,
+                 install : tuple[1],
+-                install_dir : rpmmacrosdir,
++                install_dir : tuple.length() > 2 ? tuple[2] : '',
++                install_mode : tuple.length() > 3 ? tuple[3] : false,
+                 build_by_default : true)
+ endforeach
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+new file mode 100755
+index 0000000000..9fa49fa131
+--- /dev/null
++++ b/src/rpm/systemd-update-helper.in
+@@ -0,0 +1,60 @@
++#!/bin/bash
++set -eu
++set -o pipefail
++
++command="${1:?}"
++shift
++
++command -v systemctl >/dev/null || exit 0
++
++case "$command" in
++    install-system-units)
++        systemctl --no-reload preset "$@"
++        ;;
++
++    install-user-units)
++        systemctl --no-reload preset --global "$@"
++        ;;
++
++    remove-system-units)
++        if [ -d /run/systemd/system ]; then
++            systemctl --no-reload disable --now "$@"
++        else
++            systemctl --no-reload disable "$@"
++        fi
++        ;;
++
++    remove-user-units)
++        systemctl --global disable "$@"
++        ;;
++
++    mark-restart-system-units)
++        [ -d /run/systemd/system ] || exit 0
++
++        for unit in "$@"; do
++            systemctl set-property "$unit" Markers=+needs-restart || :
++        done
++        ;;
++
++    system-reload-restart|system-reload|system-restart)
++        if [ -n "$*" ]; then
++            echo "Unexpected arguments for '$command': $*"
++            exit 2
++        fi
++
++        [ -d /run/systemd/system ] || exit 0
++
++        if [[ "$command" =~ reload ]]; then
++            systemctl daemon-reload
++        fi
++
++        if [[ "$command" =~ restart ]]; then
++            systemctl reload-or-restart --marked
++        fi
++        ;;
++
++    *)
++        echo "Unknown verb '$command'"
++        exit 3
++        ;;
++esac
+diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in
+index 483207e58c..f56c80c7ca 100644
+--- a/src/rpm/triggers.systemd.in
++++ b/src/rpm/triggers.systemd.in
+@@ -13,20 +13,11 @@
+ -- upgraded. We care about the case where a package is initially
+ -- installed, because other cases are covered by the *un scriptlets,
+ -- so sometimes we will reload needlessly.
+-if posix.access("/run/systemd/system") then
+-    pid = posix.fork()
+-    if pid == 0 then
+-        assert(posix.execp("systemctl", "daemon-reload"))
+-    elseif pid > 0 then
+-        posix.wait(pid)
+-    end
+-
+-    pid = posix.fork()
+-    if pid == 0 then
+-        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))
+-    elseif pid > 0 then
+-        posix.wait(pid)
+-    end
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload-restart"))
++elseif pid > 0 then
++    posix.wait(pid)
+ end
+ 
+ %transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+@@ -35,24 +26,20 @@ end
+ -- On upgrade, we need to run daemon-reload after any new unit files
+ -- have been installed, but before %postun scripts in packages get
+ -- executed.
+-if posix.access("/run/systemd/system") then
+-    pid = posix.fork()
+-    if pid == 0 then
+-        assert(posix.execp("systemctl", "daemon-reload"))
+-    elseif pid > 0 then
+-        posix.wait(pid)
+-    end
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload"))
++elseif pid > 0 then
++    posix.wait(pid)
+ end
+ 
+ %transfiletriggerpostun -P 10000 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ -- We restart remaining services that should be restarted here.
+-if posix.access("/run/systemd/system") then
+-    pid = posix.fork()
+-    if pid == 0 then
+-        assert(posix.execp("systemctl", "reload-or-restart", "--marked"))
+-    elseif pid > 0 then
+-        posix.wait(pid)
+-    end
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-restart"))
++elseif pid > 0 then
++    posix.wait(pid)
+ end
+ 
+ %transfiletriggerin -P 100700 -p <lua> -- {{SYSUSERS_DIR}}
+diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in
+index f8c4514313..3b35a4b5c6 100644
+--- a/src/rpm/triggers.systemd.sh.in
++++ b/src/rpm/triggers.systemd.sh.in
+@@ -14,10 +14,7 @@
+ # upgraded. We care about the case where a package is initially
+ # installed, because other cases are covered by the *un scriptlets,
+ # so sometimes we will reload needlessly.
+-if test -d "/run/systemd/system"; then
+-  systemctl daemon-reload || :
+-  systemctl reload-or-restart --marked || :
+-fi
++{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload-restart || :
+ 
+ %transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ # On removal, we need to run daemon-reload after any units have been
+@@ -25,15 +22,11 @@ fi
+ # On upgrade, we need to run daemon-reload after any new unit files
+ # have been installed, but before %postun scripts in packages get
+ # executed.
+-if test -d "/run/systemd/system"; then
+-  systemctl daemon-reload || :
+-fi
++{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload || :
+ 
+ %transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ # We restart remaining services that should be restarted here.
+-if test -d "/run/systemd/system"; then
+-  systemctl reload-or-restart --marked || :
+-fi
++{{SYSTEMD_UPDATE_HELPER_PATH}} system-restart || :
+ 
+ %transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}
+ # This script will process files installed in {{SYSUSERS_DIR}} to create

0003-rpm-call-needs-restart-in-parallel.patch

@@ -0,0 +1,30 @@
+From bc587d08416e3517b82b764798866154caa11085 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 22 Jul 2021 11:28:36 +0200
+Subject: [PATCH 3/6] rpm: call +needs-restart in parallel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some rpms install a bunch of units… It seems nicer to invoke them all in
+parallel. In particular, timeouts in systemctl also run in parallel, so if
+there's some communication mishap, we will wait less.
+---
+ src/rpm/systemd-update-helper.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+index 9fa49fa131..f3c75b75fa 100755
+--- a/src/rpm/systemd-update-helper.in
++++ b/src/rpm/systemd-update-helper.in
+@@ -32,8 +32,9 @@ case "$command" in
+         [ -d /run/systemd/system ] || exit 0
+ 
+         for unit in "$@"; do
+-            systemctl set-property "$unit" Markers=+needs-restart || :
++            systemctl set-property "$unit" Markers=+needs-restart &
+         done
++        wait
+         ;;
+ 
+     system-reload-restart|system-reload|system-restart)

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -1,112 +0,0 @@
-From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
-From: Nick Rosbrook <enr0n@ubuntu.com>
-Date: Fri, 19 Dec 2025 11:01:49 -0500
-Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
-
-The primary motivation for this is to allow users of ukify to build
-UKI-like objects, without having them later be detected as a UKI by
-tools like kernel-install and bootctl.
-
-The common code used by these tools to determine if a PE binary is a UKI
-checks that both .osrel and .linux sections are present. Hence, adding
-a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
----
- man/ukify.xml                |  5 ++++-
- src/ukify/test/test_ukify.py | 15 +++++++++++----
- src/ukify/ukify.py           | 10 +++++++++-
- 3 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/man/ukify.xml b/man/ukify.xml
-index 829761642d..7462c5c92f 100644
---- a/man/ukify.xml
-+++ b/man/ukify.xml
-@@ -365,7 +365,10 @@
-           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
-           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
-           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
--          will be picked up from the host system.</para>
-+          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
-+          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
-+          to not be recognized as a UKI by other tools like <command>kernel-install</command>
-+          and <command>bootctl</command>).</para>
- 
-           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
-         </varlistentry>
-diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
-index f75ef0c891..224a38569f 100755
---- a/src/ukify/test/test_ukify.py
-+++ b/src/ukify/test/test_ukify.py
-@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
- 
-     shutil.rmtree(tmp_path)
- 
--def test_inspect(kernel_initrd, tmp_path, capsys):
-+def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
-     if kernel_initrd is None:
-         pytest.skip('linux+initrd not found')
-     if not shutil.which('sbsign'):
-@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     output = f'{tmp_path}/signed2.efi'
-     uname_arg='1.2.3'
--    osrel_arg='Linux'
-+    osrel_arg='Linux' if osrel else ''
-     cmdline_arg='ARG1 ARG2 ARG3'
- 
-     args = [
-@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     text = capsys.readouterr().out
- 
--    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
--    assert expected_osrel in text
-+    if osrel:
-+        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
-+        assert expected_osrel in text
-+    else:
-+        assert '.osrel:' not in text
-+
-     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
-     assert expected_cmdline in text
-     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
-@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     shutil.rmtree(tmp_path)
- 
-+def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
-+    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
-+
- @pytest.mark.skipif(not slow_tests, reason='slow')
- def test_pcr_signing(kernel_initrd, tmp_path):
-     if kernel_initrd is None:
-diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
-index c98f8e2a5d..b7542c7eca 100755
---- a/src/ukify/ukify.py
-+++ b/src/ukify/ukify.py
-@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
-         '.profile',
-     }
- 
-+    if not opts.os_release:
-+        to_import.remove('.osrel')
-+
-     for profile in opts.join_profiles:
-         pe = pefile.PE(profile, fast_load=True)
-         prev_len = len(uki.sections)
-@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
- 
-     opts.os_release = resolve_at_path(opts.os_release)
- 
--    if not opts.os_release and opts.linux:
-+    if opts.os_release == '':
-+        # If --os-release= with an empty string was passed, treat that as
-+        # explicitly disabling the .osrel section, and do not fallback to the
-+        # system's os-release files.
-+        pass
-+    elif opts.os_release is None and opts.linux:
-         p = Path('/etc/os-release')
-         if not p.exists():
-             p = Path('/usr/lib/os-release')
--- 
-2.52.0
-

0004-rpm-restart-user-services-at-the-end-of-the-transact.patch

@@ -0,0 +1,254 @@
+From eb458aa5f37496059540e1db47f8b4f1c69ef206 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Jul 2021 14:37:57 +0200
+Subject: [PATCH 4/6] rpm: restart user services at the end of the transaction
+
+This closes an important gap: so far we would reexecute the system manager and
+restart system services that were configured to do so, but we wouldn't do the
+same for user managers or user services.
+
+The scheme used for user managers is very similar to the system one, except
+that there can be multiple user managers running, so we query the system
+manager to get a list of them, and then tell each one to do the equivalent
+operations: daemon-reload, disable --now, set-property Markers=+needs-restart,
+reload-or-restart --marked.
+
+The total time that can be spend on this is bounded: we execute the commands in
+parallel over user managers and units, and additionally set SYSTEMD_BUS_TIMEOUT
+to a lower value (15 s by default). User managers should not have too many
+units running, and they should be able to do all those operations very
+quickly (<< 1s). The final restart operation may take longer, but it's done
+asynchronously, so we only wait for the queuing to happen.
+
+The advantage of doing this synchronously is that we can wait for each step to
+happen, and for example daemon-reloads can finish before we execute the service
+restarts, etc. We can also order various steps wrt. to the phases in the rpm
+transaction.
+
+When this was initially proposed, we discussed a more relaxed scheme with bus
+property notifications. Such an approach would be more complex because a bunch
+of infrastructure would have to be added to system manager to propagate
+appropriate notifications to the user managers, and then the user managers
+would have to wait for them. Instead, now there is no new code in the managers,
+all new functionality is contained in src/rpm/. The ability to call 'systemctl
+--user user@' makes this approach very easy. Also, it would be very hard to
+order the user manager steps and the rpm transaction steps.
+
+Note: 'systemctl --user disable' is only called for a user managers that are
+running. I don't see a nice way around this, and it shouldn't matter too much:
+we'll just leave a dangling symlink in the case where the user enabled the
+service manually.
+
+A follow-up for https://bugzilla.redhat.com/show_bug.cgi?id=1792468 and
+fa97d2fcf64e0558054bee673f734f523373b146.
+---
+ meson.build                      |  1 +
+ meson_options.txt                |  2 ++
+ src/rpm/macros.systemd.in        |  6 +++-
+ src/rpm/systemd-update-helper.in | 47 ++++++++++++++++++++++++++++++++
+ src/rpm/triggers.systemd.in      | 28 ++++++++++++++++++-
+ src/rpm/triggers.systemd.sh.in   | 13 ++++++++-
+ 6 files changed, 94 insertions(+), 3 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 5962371e49..e185c27750 100644
+--- a/meson.build
++++ b/meson.build
+@@ -270,6 +270,7 @@ conf.set_quoted('TMPFILES_DIR',                               tmpfilesdir)
+ conf.set_quoted('UDEVLIBEXECDIR',                             udevlibexecdir)
+ conf.set_quoted('UDEV_HWDB_DIR',                              udevhwdbdir)
+ conf.set_quoted('UDEV_RULES_DIR',                             udevrulesdir)
++conf.set_quoted('UPDATE_HELPER_USER_TIMEOUT',                 get_option('update-helper-user-timeout'))
+ conf.set_quoted('USER_CONFIG_UNIT_DIR',                       join_paths(pkgsysconfdir, 'user'))
+ conf.set_quoted('USER_DATA_UNIT_DIR',                         userunitdir)
+ conf.set_quoted('USER_ENV_GENERATOR_DIR',                     userenvgeneratordir)
+diff --git a/meson_options.txt b/meson_options.txt
+index 2f0f4e7b8f..43b815e433 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -182,6 +182,8 @@ option('xinitrcdir', type : 'string', value : '',
+        description : 'directory for xinitrc files')
+ option('rpmmacrosdir', type : 'string', value : 'lib/rpm/macros.d',
+        description : 'directory for rpm macros ["no" disables]')
++option('update-helper-user-timeout', type : 'string', value : '15s',
++       description : 'how long to wait for user manager operations')
+ option('pamlibdir', type : 'string',
+        description : 'directory for PAM modules')
+ option('pamconfdir', type : 'string',
+diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in
+index bbdf036da7..caa2e45595 100644
+--- a/src/rpm/macros.systemd.in
++++ b/src/rpm/macros.systemd.in
+@@ -93,7 +93,11 @@ fi \
+ %{nil}
+ 
+ %systemd_user_postun_with_restart() \
+-%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_postun_with_restart}} \
++if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++    # Package upgrade, not uninstall \
++    {{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-user-units %{?*} || : \
++fi \
+ %{nil}
+ 
+ %udev_hwdb_update() %{nil}
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+index f3c75b75fa..f3466ab3c0 100755
+--- a/src/rpm/systemd-update-helper.in
++++ b/src/rpm/systemd-update-helper.in
+@@ -26,6 +26,15 @@ case "$command" in
+ 
+     remove-user-units)
+         systemctl --global disable "$@"
++
++        [ -d /run/systemd/system ] || exit 0
++
++        users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
++        for user in $users; do
++            SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                    systemctl --user -M "$user@" disable --now "$@" &
++        done
++        wait
+         ;;
+ 
+     mark-restart-system-units)
+@@ -37,6 +46,17 @@ case "$command" in
+         wait
+         ;;
+ 
++    mark-restart-user-units)
++        [ -d /run/systemd/system ] || exit 0
++
++        users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
++        for user in $users; do
++            SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                    systemctl --user -M "$user@" set-property "$unit" Markers=+needs-restart &
++        done
++        wait
++        ;;
++
+     system-reload-restart|system-reload|system-restart)
+         if [ -n "$*" ]; then
+             echo "Unexpected arguments for '$command': $*"
+@@ -54,6 +74,33 @@ case "$command" in
+         fi
+         ;;
+ 
++    user-reload-restart|user-reload|user-restart)
++        if [ -n "$*" ]; then
++            echo "Unexpected arguments for '$command': $*"
++            exit 2
++        fi
++
++        [ -d /run/systemd/system ] || exit 0
++
++        users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
++
++        if [[ "$command" =~ reload ]]; then
++            for user in $users; do
++                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                        systemctl --user -M "$user@" daemon-reload &
++            done
++            wait
++        fi
++
++        if [[ "$command" =~ restart ]]; then
++            for user in $users; do
++                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                        systemctl --user -M "$user@" reload-or-restart --marked &
++            done
++            wait
++        fi
++        ;;
++
+     *)
+         echo "Unknown verb '$command'"
+         exit 3
+diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in
+index f56c80c7ca..4755cdafe8 100644
+--- a/src/rpm/triggers.systemd.in
++++ b/src/rpm/triggers.systemd.in
+@@ -20,6 +20,14 @@ elseif pid > 0 then
+     posix.wait(pid)
+ end
+ 
++%transfiletriggerin -P 900899 -p <lua> -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-reload-restart"))
++elseif pid > 0 then
++    posix.wait(pid)
++end
++
+ %transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ -- On removal, we need to run daemon-reload after any units have been
+ -- removed.
+@@ -33,8 +41,17 @@ elseif pid > 0 then
+     posix.wait(pid)
+ end
+ 
++%transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
++-- Execute daemon-reload in user managers.
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-reload"))
++elseif pid > 0 then
++    posix.wait(pid)
++end
++
+ %transfiletriggerpostun -P 10000 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+--- We restart remaining services that should be restarted here.
++-- We restart remaining system services that should be restarted here.
+ pid = posix.fork()
+ if pid == 0 then
+     assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-restart"))
+@@ -42,6 +59,15 @@ elseif pid > 0 then
+     posix.wait(pid)
+ end
+ 
++%transfiletriggerpostun -P 9999 -p <lua> -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
++-- We restart remaining user services that should be restarted here.
++pid = posix.fork()
++if pid == 0 then
++    assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-restart"))
++elseif pid > 0 then
++    posix.wait(pid)
++end
++
+ %transfiletriggerin -P 100700 -p <lua> -- {{SYSUSERS_DIR}}
+ -- This script will process files installed in {{SYSUSERS_DIR}} to create
+ -- specified users automatically. The priority is set such that it
+diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in
+index 3b35a4b5c6..8c301f5ed9 100644
+--- a/src/rpm/triggers.systemd.sh.in
++++ b/src/rpm/triggers.systemd.sh.in
+@@ -16,6 +16,9 @@
+ # so sometimes we will reload needlessly.
+ {{SYSTEMD_UPDATE_HELPER_PATH}} system-reload-restart || :
+ 
++%transfiletriggerin -P 900899 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
++{{SYSTEMD_UPDATE_HELPER_PATH}} user-reload-restart || :
++
+ %transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+ # On removal, we need to run daemon-reload after any units have been
+ # removed.
+@@ -24,10 +27,18 @@
+ # executed.
+ {{SYSTEMD_UPDATE_HELPER_PATH}} system-reload || :
+ 
++%transfiletriggerpostun -P 1000099 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
++# Execute daemon-reload in user managers.
++{{SYSTEMD_UPDATE_HELPER_PATH}} user-reload || :
++
+ %transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
+-# We restart remaining services that should be restarted here.
++# We restart remaining system services that should be restarted here.
+ {{SYSTEMD_UPDATE_HELPER_PATH}} system-restart || :
+ 
++%transfiletriggerpostun -P  9999 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
++# We restart remaining user services that should be restarted here.
++{{SYSTEMD_UPDATE_HELPER_PATH}} user-restart || :
++
+ %transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}
+ # This script will process files installed in {{SYSUSERS_DIR}} to create
+ # specified users automatically. The priority is set such that it

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -1,51 +0,0 @@
-From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <johannes.goede@oss.qualcomm.com>
-Date: Mon, 12 Jan 2026 14:56:36 +0100
-Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
-
-When n_all_initrds == 0, then all_initrds is unmodified from its initial
-value of:
-
-	_cleanup_free_ struct iovec *all_initrds = NULL;
-
-and in the else block of the "if (n_all_initrds > 1)" the NULL is
-dereferenced:
-
-		final_initrd = all_initrds[0];
-
-Leading to the stub crashing due to a NULL pointer deref.
-
-Fix this by initializing final_initrd to all 0s and only
-running the else block if (n_all_initrds == 1).
----
- src/boot/stub.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/boot/stub.c b/src/boot/stub.c
-index 06ecbc7d18..65950262c6 100644
---- a/src/boot/stub.c
-+++ b/src/boot/stub.c
-@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-         /* Combine the initrds into one */
-         _cleanup_pages_ Pages initrd_pages = {};
--        struct iovec final_initrd;
-+        struct iovec final_initrd = {};
-         if (n_all_initrds > 1) {
--                /* There will always be a base initrd, if this counter is higher, we need to combine them */
-+                /* If there is more then 1 initrd we need to combine them */
-                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
-                 if (err != EFI_SUCCESS)
-                         return err;
-@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-                 /* Given these might be large let's free them explicitly before we pass control to Linux */
-                 initrds_free(&initrds);
--        } else
-+        } else if (n_all_initrds == 1)
-                 final_initrd = all_initrds[0];
- 
-         struct iovec kernel = IOVEC_MAKE(
--- 
-2.52.0
-

0005-update-helper-also-add-user-reexec-verb.patch

@@ -0,0 +1,42 @@
+From 50336a7d0c584c1731c656e991a317029ed45f84 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 23 Jul 2021 15:35:23 +0200
+Subject: [PATCH 5/6] update-helper: also add "user-reexec" verb
+
+This is not called from the systemd.triggers or systemd.macros files. Instead,
+it would be called from the scriptlets in systemd rpm package itself, at the
+place where we call systemctl daemon-reexec.
+
+See https://github.com/systemd/systemd/pull/20289#issuecomment-885622200 .
+---
+ src/rpm/systemd-update-helper.in | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+index f3466ab3c0..0c6675a9db 100755
+--- a/src/rpm/systemd-update-helper.in
++++ b/src/rpm/systemd-update-helper.in
+@@ -74,7 +74,7 @@ case "$command" in
+         fi
+         ;;
+ 
+-    user-reload-restart|user-reload|user-restart)
++    user-reload-restart|user-reload|user-restart|user-reexec)
+         if [ -n "$*" ]; then
+             echo "Unexpected arguments for '$command': $*"
+             exit 2
+@@ -84,6 +84,14 @@ case "$command" in
+ 
+         users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
+ 
++        if [[ "$command" =~ reexec ]]; then
++            for user in $users; do
++                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                        systemctl --user -M "$user@" daemon-reexec &
++            done
++            wait
++        fi
++
+         if [[ "$command" =~ reload ]]; then
+             for user in $users; do
+                 SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \

0006-update-helper-add-missing-loop-over-user-units.patch

@@ -0,0 +1,30 @@
+From 107f3e397937eb6a45054e22bd79c142fae19cd4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 4 Nov 2021 09:49:18 +0100
+Subject: [PATCH 6/6] update-helper: add missing loop over user units
+
+Noticed by Luca.
+
+shellcheck doens't catch this, and somehow it was missed in review
+and testing ;(
+---
+ src/rpm/systemd-update-helper.in | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in
+index 0c6675a9db..47d6663e07 100755
+--- a/src/rpm/systemd-update-helper.in
++++ b/src/rpm/systemd-update-helper.in
+@@ -51,8 +51,10 @@ case "$command" in
+ 
+         users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
+         for user in $users; do
+-            SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
+-                    systemctl --user -M "$user@" set-property "$unit" Markers=+needs-restart &
++            for unit in "$@"; do
++                SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
++                        systemctl --user -M "$user@" set-property "$unit" Markers=+needs-restart &
++            done
+         done
+         wait
+         ;;

10-map-count.conf

@@ -1,3 +0,0 @@
-# Increase the number of virtual memory areas that one process may request
-# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
-vm.max_map_count=1048576

10-oomd-per-slice-defaults.conf

@@ -1,3 +0,0 @@
-[Slice]
-ManagedOOMMemoryPressure=kill
-ManagedOOMMemoryPressureLimit=80%

10-oomd-root-slice-defaults.conf

@@ -0,0 +1,2 @@
+[Slice]
+ManagedOOMSwap=kill

10-oomd-user-service-defaults.conf

@@ -0,0 +1,3 @@
+[Service]
+ManagedOOMMemoryPressure=kill
+ManagedOOMMemoryPressureLimit=50%

10-timeout-abort.conf

@@ -1,14 +0,0 @@
-# This file is part of the systemd package.
-# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
-#
-# To facilitate debugging when a service fails to stop cleanly,
-# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
-# the time allotted. This will cause the service to be terminated with SIGABRT
-# and a coredump to be generated.
-#
-# To undo this configuration change, create a mask file:
-#   sudo mkdir -p /etc/systemd/system/service.d
-#   sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
-
-[Service]
-TimeoutStopFailureMode=abort

20-grubby.install

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+if [[ ! -x /sbin/new-kernel-pkg ]]; then
+    exit 0
+fi
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+KERNEL_DIR="${KERNEL_IMAGE%/*}"
+[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
+case "$COMMAND" in
+    add)
+        if [[ "${KERNEL_DIR}" != "/boot" ]]; then
+            for i in \
+                "$KERNEL_IMAGE" \
+                    "$KERNEL_DIR"/System.map \
+                    "$KERNEL_DIR"/config \
+                    "$KERNEL_DIR"/zImage.stub \
+                    "$KERNEL_DIR"/dtb \
+                ; do
+                [[ -e "$i" ]] || continue
+                cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
+                command -v restorecon &>/dev/null && \
+                    restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
+            done
+            # hmac is .vmlinuz-<version>.hmac so needs a special treatment
+            i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
+            if [[ -e "$i" ]]; then
+                cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+                command -v restorecon &>/dev/null && \
+                    restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+            fi
+        fi
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
+        /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
+        ;;
+    remove)
+        /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
+        ;;
+    *)
+        ;;
+esac
+
+# skip other installation plugins, if we can't find a boot loader spec conforming setup
+if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
+    exit 77
+fi

26494.patch

@@ -1,30 +0,0 @@
-From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Mon, 20 Feb 2023 12:00:30 +0900
-Subject: [PATCH] core/manager: run generators directly when we are in initrd
-
-Some initrd system write files at ourside of /run, /etc, or other
-allowed places. This is a kind of workaround, but in most cases, such
-sandboxing is not necessary as the filesystem is on ramfs when we are in
-initrd.
-
-Fixes #26488.
----
- src/core/manager.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/core/manager.c b/src/core/manager.c
-index 7b394794b0d4..306477c6e6c2 100644
---- a/src/core/manager.c
-+++ b/src/core/manager.c
-@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
-         /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
-          * we are the user manager, let's just execute the generators directly. We might not have the
-          * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
--         */
--        if (MANAGER_IS_USER(m)) {
-+         * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
-+        if (MANAGER_IS_USER(m) || in_initrd()) {
-                 r = manager_execute_generators(m, paths, /* remount_ro= */ false);
-                 goto finish;
-         }

30846.patch

@@ -1,56 +0,0 @@
-From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 9 Jan 2024 11:28:04 +0100
-Subject: [PATCH] journal: again create user journals for users with high uids
-
-This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
-'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
-in an additional check of uid_is_container(uid). The problem is that that change
-is not backwards-compatible at all and very hard for users to handle.
-There is no common agreement on mappings of high-range uids. Systemd declares
-ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
-but this is only a recent change and various sites allocated those ranges
-in a different way, in particular FreeIPA uses (used?) uids from this range
-for human users. On big sites with lots of users changing uids is obviously a
-hard problem. We generally assume that uids cannot be "freed" and/or changed
-and/or reused safely, so we shouldn't demand the same from others.
-
-This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
-SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
-huge problems for existing systems with were created with a different
-definition and couldn't be easily updated. For that case, we added a
-configuration time switch and we now parse /etc/login.defs to actually use the
-value that is appropriate for the local system.
-
-Unfortunately, login.defs doesn't have a concept of container allocation ranges
-(and we don't have code to parse and use those nonexistent names either), so we
-can't tell users to adjust logind.defs to work around the changed definition.
-
-login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
-because they are used to define where the add allocations for subuids, which is
-generally a much smaller range. Maybe we should talk with other folks about
-the appropriate allocation ranges and define some new settings in login.defs.
-But this would require discussion and coordination with other projects first.
-
-Actualy, it seems that this change was needed at all. The code in the container
-does not log to the outside journal. It talks to its own journald, which does
-journal splitting using its internal logic based on shifted uids. So let's
-revert the change to fix user systems.
-
-Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
----
- src/basic/uid-classification.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
-index 203ce2c68a..2eb384395d 100644
---- a/src/basic/uid-classification.c
-+++ b/src/basic/uid-classification.c
-@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
- 
-         /* Returns true if the specified UID shall get its data stored in the system journal. */
- 
--        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
-+        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
-+
- }

38769.patch

@@ -1,42 +0,0 @@
-From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Sat, 30 Aug 2025 13:55:56 +0200
-Subject: [PATCH] core: create userdb root directory with correct label
-
-Set up the /run/systemd/userdb directory with the default SELinux context
-on creation.
-
-With version 257.7-1 on Debian the directory was automatically created with the
-correct label. Starting with version 258 (only tested with 258~rc3-1) it no
-longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
-
-[zjs: edited the patch to apply comments from review and update the description.]
----
- src/core/varlink.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/varlink.c b/src/core/varlink.c
-index 99f12c59e5..71a8ffd0e5 100644
---- a/src/core/varlink.c
-+++ b/src/core/varlink.c
-@@ -5,6 +5,7 @@
- #include "constants.h"
- #include "errno-util.h"
- #include "manager.h"
-+#include "mkdir-label.h"
- #include "path-util.h"
- #include "pidref.h"
- #include "string-util.h"
-@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
-                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
-                                 continue;
- 
--                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
-+                        r = mkdir_parents_label(address, 0755);
-+                        if (r < 0)
-+                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
-+
-+                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
-                         if (r < 0)
-                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
-                 }

60-block-scheduler.rules

@@ -1,5 +0,0 @@
-# do not edit this file, it will be overwritten on update
-
-ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
-  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
-  ATTR{queue/scheduler}="bfq"

98-default-mac-none.link

@@ -1,20 +0,0 @@
-# SPDX-License-Identifier: MIT-0
-#
-# This config file is installed as part of systemd.
-# It may be freely copied and edited (following the MIT No Attribution license).
-#
-# To make local modifications, one of the following methods may be used:
-# 1. add a drop-in file that extends this file by creating the
-#    /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
-#    new .conf file there.
-# 2. copy this file into /etc/systemd/network or one of the other paths checked
-#    by systemd-udevd and edit it there.
-# This file should not be edited in place, because it'll be overwritten on upgrades.
-
-[Match]
-Kind=bridge bond team
-
-[Link]
-NamePolicy=keep kernel database onboard slot path
-AlternativeNamesPolicy=database onboard slot path
-MACAddressPolicy=none

README.build-in-place

@@ -0,0 +1,14 @@
+== Building systemd rpms for local development using rpmbuild --build-in-place ==
+
+This approach is based on https://github.com/filbranden/git-rpmbuild
+and filbranden's talk during ASG2019 [https://www.youtube.com/watch?v=fVM1kJrymRM].
+
+```
+git clone https://github.com/systemd/systemd
+fedpkg clone systemd fedora-systemd
+cd systemd
+rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with inplace ../systemd.spec
+sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
+```
+
+`--without lto` and `--without tests` may be useful to speed up the build.

README.build-in-place.md

@@ -1,14 +0,0 @@
-# Building systemd rpms for local development using rpmbuild --build-in-place
-
-This approach is based on filbranden's [git-rpmbuild](https://github.com/filbranden/git-rpmbuild)
-and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
-
-```
-git clone https://github.com/systemd/systemd
-fedpkg clone systemd fedora-systemd
-cd systemd
-rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with upstream ../fedora-systemd/systemd.spec
-sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
-```
-
-`--without lto` and `--without tests` may be useful to speed up the build.

f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch

@@ -0,0 +1,129 @@
+From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 14 Sep 2020 17:58:03 +0200
+Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1803070
+
+I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
+than the one we get from /proc/self/fdinfo/. This only matters when both statx and
+name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
+
+(gdb) !uname -r
+5.6.19-200.fc31.ppc64le
+
+(gdb) !cat /proc/self/mountinfo
+697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
+701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
+702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
+703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
+704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
+705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
+706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
+722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
+725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
+614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
+615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+
+The test process does
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
+openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
+read(open("/proc/self/fdinfo/4", ...)) which gives
+"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
+
+and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
+
+We could either drop the fallback path (and fail name_to_handle_at() is not
+avaliable) or ignore the error in the test. Not sure what is better. I think
+this issue only occurs sometimes and with older kernels, so probably continuing
+with the current flaky implementation is better than ripping out the fallback.
+
+Another strace:
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
+) = 28
+name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
+) = 20
+name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
+) = 30
+name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
+) = 23
+name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
+openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
+openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
+read(5</proc/20/fdinfo/4>, "", 1024)    = 0
+close(5</proc/20/fdinfo/4>)             = 0
+close(4</proc/filesystems>)             = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
+) = 42
+writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
+) = 39
+writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
+) = 109
+rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
+rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
+getpid()                                = 20
+gettid()                                = 20
+tgkill(20, 20, SIGABRT)                 = 0
+rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
+--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
++++ killed by SIGABRT (core dumped) +++
+---
+ src/test/test-mountpoint-util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
+index 30b00ae4d8b..ffe5144b04a 100644
+--- a/src/test/test-mountpoint-util.c
++++ b/src/test/test-mountpoint-util.c
+@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
+                 /* The ids don't match? If so, then there are two mounts on the same path, let's check if
+                  * that's really the case */
+                 char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
+-                log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
+-                assert_se(path_equal(p, t));
++                log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
++
++                if (!path_equal(p, t))
++                        /* Apparent kernel bug in /proc/self/fdinfo */
++                        log_warning("Bad mount id given for %s: %d, should be %d",
++                                    p, mnt_id2, mnt_id);
+         }
+ }
+ 

libabigail.abignore

@@ -1,3 +0,0 @@
-[suppress_file]
-# Those shared objects are private to systemd
-file_name_regexp=libsystemd-(shared|core)-.*.so

libsystemd-shared.abignore

@@ -0,0 +1,3 @@
+[suppress_file]
+# This shared object is private to systemd
+file_name_regexp=libsystemd-shared-.*.so

macros.sysusers

@@ -2,9 +2,9 @@
 #
 # Turn a sysusers.d file into macros specified by
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-#
-# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
-# those macros are not needed anymore.
 
-%sysusers_requires_compat %nil
-%sysusers_create_compat() %nil
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}

macros.sysusers.compat

@@ -1,10 +0,0 @@
-# RPM macros for packages creating system accounts
-#
-# Turn a sysusers.d file into macros specified by
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-
-%sysusers_requires_compat Requires(pre): shadow-utils
-
-%sysusers_create_compat() \
-%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
-%{nil}

plans/run-integration-tests.sh

@@ -1,127 +0,0 @@
-#!/bin/bash
-
-set -eux
-set -o pipefail
-
-# Switch SELinux to permissive if possible, since the tests don't set proper contexts
-setenforce 0 || true
-
-echo "CPU and Memory information:"
-lscpu
-lsmem
-
-echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
-
-# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
-sysctl fs.inotify.max_user_watches=65536 || true
-sysctl fs.inotify.max_user_instances=1024 || true
-
-if [[ -n "${KOJI_TASK_ID:-}" ]]; then
-    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
-elif [[ -n "${CBS_TASK_ID:-}" ]]; then
-    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
-elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
-    COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
-    COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
-    copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
-    mv "$COPR_CHROOT"/* .
-else
-    echo "Not running within packit and no CBS/koji task ID provided"
-    exit 1
-fi
-
-PACKAGEDIR="$PWD"
-
-# This will match both the regular and the debuginfo rpm so make sure we select only the
-# non-debuginfo rpm.
-RPMS=(systemd-tests-*.rpm)
-rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
-pushd usr/lib/systemd/tests
-mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
-
-# Now prepare mkosi at the same version required by the systemd repo.
-git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
-git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
-
-export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
-
-# shellcheck source=/dev/null
-. /etc/os-release || . /usr/lib/os-release
-
-tee mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Distribution=${MKOSI_DISTRIBUTION:-$ID}
-Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-
-[Content]
-PackageDirectories=$PACKAGEDIR
-SELinuxRelabel=yes
-
-[Build]
-ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
-ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-ToolsTreePackageDirectories=$PACKAGEDIR
-Environment=NO_BUILD=1
-WithTests=yes
-EOF
-
-if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Repositories=$MKOSI_REPOSITORIES
-
-[Build]
-ToolsTreeRepositories=$MKOSI_REPOSITORIES
-EOF
-fi
-
-if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Runtime]
-KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
-EOF
-fi
-
-# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
-modprobe kvm || true
-if [[ ! -e /dev/kvm ]]; then
-    export TEST_NO_QEMU=1
-fi
-
-NPROC="$(nproc)"
-if [[ "$NPROC" -ge 10 ]]; then
-    export TEST_JOURNAL_USE_TMP=1
-    NPROC="$((NPROC / 3))"
-else
-    NPROC="$((NPROC - 1))"
-fi
-
-# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
-# for now.
-export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
-
-mkosi genkey
-mkosi summary
-mkosi -f box -- true
-mkosi box -- meson setup build integration-tests/standalone
-mkosi -f
-if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
-    MAX_LINES=(--max-lines 300)
-else
-    MAX_LINES=()
-fi
-mkosi box -- \
-    meson test \
-        -C build \
-        --setup=integration \
-        --print-errorlogs \
-        --no-stdsplit \
-        --num-processes "$NPROC" \
-        "${MAX_LINES[@]}" && EC=0 || EC=$?
-
-[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
-[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
-
-popd
-
-exit "$EC"

plans/upstream.fmf

@@ -1,22 +0,0 @@
-summary: systemd upstream test suite
-provision:
-  hardware:
-    virtualization:
-      is-supported: true
-prepare:
-  - name: install-dependencies
-    how: install
-    package:
-      - coreutils
-      - distribution-gpg-keys
-      - dnf
-      - git-core
-      - koji
-      - centos-packager
-      - copr-cli
-    exclude:
-      - systemd-standalone-.*
-execute:
-    how: tmt
-    script: exec plans/run-integration-tests.sh
-    duration: 2h

purge-nobody-user

@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi

rpminspect.yaml

@@ -1,24 +1,13 @@
  # Disable badfuncs check that has tons of false positives.
 badfuncs:
-  allowed:
-    /usr/lib/systemd/tests/unit-tests/*:
-       - inet_addr
-       - inet_aton
-    /usr/bin/networkctl:
-       - inet_addr
-       - inet_aton
+  exclude_path: .*
 
 # don't report changed content of compiled files
 # that is expected with every update
 changedfiles:
   exclude_path: .*
 
-# completely disable inspections:
+# completely disabled inspections:
 inspections:
   # we know about our patches, no need to report anything
   patches: off
-
-  # this inspection uses `udevadm` which comes from this package
-  # disable so we do not check udev rules with a possibly outdated version
-  # of the command
-  udevrules: off

sources

@@ -1 +1 @@
-SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
+SHA512 (systemd-249.13.tar.gz) = eca374a66cc6a3439e83495e11d96f885c68508f340332cd750558f9fde3e6f31775e98caf085be53c7ef1ac8cf01ba7f84641112e5c978c4670e053cca305b0

split-files.py

@@ -1,47 +1,8 @@
 import re, sys, os, collections
 
 buildroot = sys.argv[1]
-no_bootloader = '--no-bootloader' in sys.argv
-
-known_files = '''
-%ghost %config(noreplace) /etc/crypttab
-%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
-/etc/inittab
-# This directory is owned by openssh-server, but we don't want to introduce
-# a dependency. So let's copy the config and co-own the directory.
-%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
-%ghost %config(noreplace) /etc/vconsole.conf
-%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
-%ghost %attr(0664,root,root) %verify(not group) /run/utmp
-%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
-%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
-%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
-%ghost %config(noreplace) /etc/hostname
-%ghost %config(noreplace) /etc/localtime
-%ghost %config(noreplace) /etc/locale.conf
-%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
-%ghost %config(noreplace) /etc/machine-info
-%ghost %attr(0700,root,root) %dir /var/cache/private
-%ghost %attr(0700,root,root) %dir /var/lib/private
-%ghost %dir /var/lib/private/systemd
-%ghost %dir /var/lib/private/systemd/journal-upload
-%ghost /var/lib/private/systemd/journal-upload/state
-%ghost %dir /var/lib/systemd/timesync
-%ghost /var/lib/systemd/timesync/clock
-%ghost %dir /var/lib/systemd/backlight
-%ghost /var/lib/systemd/catalog/database
-%ghost %dir /var/lib/systemd/coredump
-%ghost /var/lib/systemd/journal-upload
-%ghost %dir /var/lib/systemd/linger
-%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
-%ghost %dir /var/lib/systemd/rfkill
-%ghost %dir %verify(not mode group) /var/log/journal
-%ghost %dir /var/log/journal/remote
-%ghost %attr(0700,root,root) %dir /var/log/private
-'''
-
-known_files = {line.split()[-1]:line for line in known_files.splitlines()
-               if line and not line.startswith('#')}
+known_files = sys.stdin.read().splitlines()
+known_files = {line.split()[-1]:line for line in known_files}
 
 def files(root):
     os.chdir(root)
@@ -54,31 +15,20 @@ def files(root):
             if file.is_dir() and not file.is_symlink():
                 todo.append(file)
 
-outputs = {suffix: open(f'.file-list-{suffix}', 'w')
-           for suffix in (
-                   'shared',
-                   'libs',
-                   'udev',
-                   'ukify',
-                   'boot',
-                   'pam',
-                   'rpm-macros',
-                   'sysusers',
-                   'devel',
-                   'container',
-                   'networkd',
-                   'networkd-defaults',
-                   'oomd-defaults',
-                   'remote',
-                   'resolve',
-                   'tests',
-                   'standalone-repart',
-                   'standalone-tmpfiles',
-                   'standalone-sysusers',
-                   'standalone-shutdown',
-                   'main',
-           )}
-
+o_libs = open('.file-list-libs', 'w')
+o_udev = open('.file-list-udev', 'w')
+o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
+o_devel = open('.file-list-devel', 'w')
+o_container = open('.file-list-container', 'w')
+o_networkd = open('.file-list-networkd', 'w')
+o_oomd_defaults = open('.file-list-oomd-defaults', 'w')
+o_remote = open('.file-list-remote', 'w')
+o_resolve = open('.file-list-resolve', 'w')
+o_tests = open('.file-list-tests', 'w')
+o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
+o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
+o_rest = open('.file-list-rest', 'w')
 for file in files(buildroot):
     n = file.path[1:]
     if re.match(r'''/usr/(share|include)$|
@@ -102,112 +52,47 @@ for file in files(buildroot):
                     /var(/cache|/log|/lib|/run|)$
     ''', n, re.X):
         continue
-
-    if n.endswith('.standalone'):
-        if 'repart' in n:
-            o = outputs['standalone-repart']
-        elif 'tmpfiles' in n:
-            o = outputs['standalone-tmpfiles']
-        elif 'sysusers' in n:
-            o = outputs['standalone-sysusers']
-        elif 'shutdown' in n:
-            o = outputs['standalone-shutdown']
-        else:
-            assert False, 'Found .standalone not belonging to known packages'
-
-    elif '/security/pam_' in n or '/man8/pam_' in n:
-        o = outputs['pam']
+    if '/security/pam_' in n or '/man8/pam_' in n:
+        o = o_pam
     elif '/rpm/' in n:
-        o = outputs['rpm-macros']
+        o = o_rpm_macros
     elif '/usr/lib/systemd/tests' in n:
-        o = outputs['tests']
-    elif 'ukify' in n and '/man/' not in n:
-        o = outputs['ukify']
-    elif re.search(r'/libsystemd-core-.*\.so$', n):
-        o = outputs['main']
-    elif re.search(r'/libsystemd-shared-.*\.so$', n):
-        o = outputs['shared']
-    elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
-        o = outputs['udev']
-    elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
-        o = outputs['devel']
+        o = o_tests
+    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
+        o = o_devel
     elif re.search(r'''journal-(remote|gateway|upload)|
                        systemd-remote\.conf|
                        /usr/share/systemd/gatewayd|
                        /var/log/journal/remote
     ''', n, re.X):
-        o = outputs['remote']
-
-    # Just the binary, the dir, and the man page.
-    elif re.search(r'''systemd-sysusers$|
-                       sysusers\.d$|
-                       man/.*sysusers\.d\.5|
-                       man/.*systemd-sysusers\.8
-    ''', n, re.X):
-        o = outputs['sysusers']
-
+        o = o_remote
     elif re.search(r'''mymachines|
                        machinectl|
-                       mount.ddi|
-                       importctl|
-                       portablectl|
                        systemd-nspawn|
-                       systemd\.nspawn|
-                       systemd-vmspawn|
-                       systemd-dissect|
-                       import-pubring|
-                       systemd-machined|
-                       systemd-import|
-                       systemd-export|
-                       systemd-pull|
-                       systemd-mountfsd|
-                       systemd-mountwork|
-                       systemd-nsresource|
+                       import-pubring.gpg|
+                       systemd-(machined|import|pull)|
                        /machine.slice|
                        /machines.target|
                        var-lib-machines.mount|
                        org.freedesktop.(import|machine)1
     ''', n, re.X):
-        o = outputs['container']
-
-    # .network.example files go into systemd-networkd, and the matching files
-    # without .example go into systemd-networkd-defaults
-    elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
-          and os.path.exists(f'./{n}.example')):
-        o = outputs['networkd-defaults']
-
-    # Files that are "consumed" by systemd-networkd go into the -networkd
-    # subpackage. As a special case, network-generator is co-owned also by
-    # the -udev subpackage because systemd-udevd reads .link files.
-    elif re.search(r'''/usr/lib/systemd/network/.*\.network|
+        o = o_container
+    elif re.search(r'''/usr/lib/systemd/network/80-|
                        networkd|
                        networkctl|
-                       org.freedesktop.network1|
-                       sysusers\.d/systemd-network.conf|
-                       tmpfiles\.d/systemd-network.conf|
-                       systemd\.network|
-                       systemd\.netdev
+                       org.freedesktop.network1
     ''', n, re.X):
-        o = outputs['networkd']
-    elif 'network-generator' in n:
-        o = (outputs['networkd'], outputs['udev'])
-
+        o = o_networkd
     elif '.so.' in n:
-        o = outputs['libs']
-
-    elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
-        o = outputs['oomd-defaults']
+        o = o_libs
 
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
-                       ac-power|
                        bootctl|
-                       boot-update|
+                       sd-boot|systemd-boot\.|loader.conf|
                        bless-boot|
                        boot-system-token|
-                       bsod|
                        kernel-install|
-                       installkernel|
                        vconsole|
                        backlight|
                        rfkill|
@@ -215,14 +100,12 @@ for file in files(buildroot):
                        modules-load|
                        timesync|
                        crypttab|
-                       cryptenroll|
                        cryptsetup|
                        kmod|
                        quota|
                        pstore|
                        sleep|suspend|hibernate|
                        systemd-tmpfiles-setup-dev|
-                       network/98-default-mac-none.link|
                        network/99-default.link|
                        growfs|makefs|makeswap|mkswap|
                        fsck|
@@ -233,11 +116,8 @@ for file in files(buildroot):
                        integritysetup|
                        integritytab|
                        remount-fs|
-                       /initrd|
-                       systemd[.-]pcr|
-                       /pcrlock\.d|
-                       systemd-measure|
                        /boot$|
+                       /boot/efi|
                        /kernel/|
                        /kernel$|
                        /modprobe.d|
@@ -245,54 +125,46 @@ for file in files(buildroot):
                        sysctl|
                        coredump|
                        homed|home1|
-                       sysupdate|updatctl|
-                       oomd|
                        portabled|portable1
     ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
                        # they can be used to interact with remote daemons. Also, the user could be
                        # confused if those user-facing binaries are not available.
-        o = outputs['udev']
-
-    elif re.search(r'''/boot/efi|
-                       /usr/lib/systemd/boot|
-                       sd-boot|systemd-boot\.|loader.conf
-    ''', n, re.X):
-        o = outputs['boot']
+        o = o_udev
 
     elif re.search(r'''resolved|resolve1|
                        systemd-resolve|
                        resolvconf|
                        systemd\.(positive|negative)
     ''', n, re.X):     # resolvectl and nss-resolve are in the main package.
-        o = outputs['resolve']
+        o = o_resolve
+
+    elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
+        o = o_oomd_defaults
+
+    elif n.endswith('.standalone'):
+        if 'tmpfiles' in n:
+            o = o_standalone_tmpfiles
+        elif 'sysusers' in n:
+            o = o_standalone_sysusers
+        else:
+            assert False, 'Found .standalone not belonging to known packages'
 
     else:
-        o = outputs['main']
+        o = o_rest
 
     if n in known_files:
-        prefix = known_files[n].split()[:-1]
-    elif file.is_dir(follow_symlinks=False):
-        prefix = ['%dir']
+        prefix = ' '.join(known_files[n].split()[:-1])
+        if prefix:
+            prefix += ' '
+    elif file.is_dir() and not file.is_symlink():
+        prefix = '%dir '
     elif 'README' in n:
-        prefix = ['%doc']
+        prefix = '%doc '
     elif n.startswith('/etc'):
-        prefix = ['%config(noreplace)']
-        if not file.is_symlink() and file.stat().st_size == 0:
-            prefix += ['%ghost']
+        prefix = '%config(noreplace) '
     else:
-        prefix = []
-    prefix = ' '.join(prefix + ['']) if prefix else ''
+        prefix = ''
 
     suffix = '*' if '/man/' in n else ''
 
-    if not isinstance(o, tuple):
-        o = (o,)
-    for file in o:
-        print(f'{prefix}{n}{suffix}', file=file)
-
-if [print(f'ERROR: no file names were written to {o.name}')
-    for name, o in outputs.items()
-    if (o.tell() == 0 and
-        not (no_bootloader and name == 'boot'))
-    ]:
-    sys.exit(1)
+    print(f'{prefix}{n}{suffix}', file=o)

systemd-user

@@ -1,14 +1,10 @@
+# This file is part of systemd.
+#
 # Used by systemd --user instances.
 
--account sufficient pam_systemd_home.so
-account  sufficient pam_unix.so no_pass_expiry
-account  include    system-auth
+account  include system-auth
 
-session  required   pam_selinux.so close
-session  required   pam_selinux.so nottys open
-session  required   pam_loginuid.so
-session  optional   pam_keyinit.so force revoke
-session  required   pam_namespace.so
--session optional   pam_systemd_home.so
-session  optional   pam_umask.so silent
-session  include    system-auth
+session  required pam_selinux.so close
+session  required pam_selinux.so nottys open
+session  required pam_loginuid.so
+session  include system-auth

sysusers.generate-pre.sh

@@ -1,96 +1,79 @@
 #!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*-
 
 # This script turns sysuser.d files into scriptlets mandated by Fedora
 # packaging guidelines. The general idea is to define users using the
 # declarative syntax but to turn this into traditional scriptlets.
 
 user() {
-	user="$1"
-	uid="$2"
-	desc="$3"
-	group="$4"
-	home="$5"
-	shell="$6"
+    user="$1"
+    uid="$2"
+    desc="$3"
+    group="$4"
+    home="$5"
+    shell="$6"
 
-	[ "$desc" = '-' ] && desc=
-	{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
-	{ [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
+    [ "$desc" = '-' ] && desc=
+    { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
+    { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/sbin/nologin
 
-	if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
-		cat <<-EOF
-		getent passwd '$user' >/dev/null || \\
-		    useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		EOF
-	else
-		cat <<-EOF
-		if ! getent passwd ${user@Q} >/dev/null; then
-		    if ! getent passwd ${uid@Q} >/dev/null; then
-		        useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		    else
-		        useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
-		    fi
-		fi
+    if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
+        cat <<EOF
+getent passwd '$user' >/dev/null || \\
+    useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user'
+EOF
+    else
+        cat <<EOF
+if ! getent passwd '$user' >/dev/null ; then
+    if ! getent passwd '$uid' >/dev/null ; then
+        useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    else
+        useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    fi
+fi
 
-		EOF
-	fi
+EOF
+    fi
 }
 
 group() {
-	group="$1"
-	gid="$2"
-
-	if [ "$gid" = '-' ]; then
-		cat <<-EOF
-		getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || :
-		EOF
-	else
-		cat <<-EOF
-		getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || :
-		EOF
-	fi
-}
-
-usermod() {
-	user="$1"
-	group="$2"
-
-	cat <<-EOF
-	if getent group ${group@Q} >/dev/null; then
-	    usermod -a -G ${group@Q} '$user' || :
-	fi
+    group="$1"
+    gid="$2"
+    if [ "$gid" = '-' ]; then
+        cat <<-EOF
+	getent group '$group' >/dev/null || groupadd -r '$group'
 	EOF
+    else
+        cat <<-EOF
+	getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group'
+	EOF
+    fi
 }
 
 parse() {
-	while read -r line || [ -n "$line" ] ; do
-		{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
-		line="${line## *}"
-		[ -z "$line" ] && continue
-		eval "arr=( $line )"
-		case "${arr[0]}" in
-			('u'|'u!')
-				if [[ "${arr[2]}" == *":"* ]]; then
-					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
-				else
-					group "${arr[1]}" "${arr[2]}"
-					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
-				fi
-				;;
-			('g')
-				group "${arr[1]}" "${arr[2]}"
-				;;
-			('m')
-				group "${arr[2]}" "-"
-				user "${arr[1]}" "-" "" "${arr[1]}" "" ""
-				usermod "${arr[1]}" "${arr[2]}"
-				;;
-		esac
-	done
+    while read -r line || [ -n "$line" ] ; do
+        { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        eval "arr=( $line )"
+        case "${arr[0]}" in
+            ('u')
+                group "${arr[1]}" "${arr[2]}"
+                user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+                # TODO: user:group support
+                ;;
+            ('g')
+                group "${arr[1]}" "${arr[2]}"
+                ;;
+            ('m')
+                group "${arr[2]}" "-"
+                user "${arr[1]}" "-" "" "${arr[2]}"
+                ;;
+        esac
+    done
 }
 
 for fn in "$@"; do
-	[ -e "$fn" ] || continue
-	echo "# generated from $(basename "$fn")"
-	parse <"$fn"
+    [ -e "$fn" ] || continue
+    echo "# generated from $(basename "$fn")"
+    parse <"$fn"
 done

sysusers.prov

@@ -42,7 +42,7 @@ parse() {
         [ -z "$line" ] && continue
         set -- $line
         case "$1" in
-            ('u'|'u!')
+            ('u')
                 process_u "$2" "$3"
                 ;;
             ('g')

test_sysusers_defined.py

@@ -1,39 +0,0 @@
-#!/usr/bin/python
-
-import os
-import sys
-
-def parse_sysusers_file(filename):
-    users, groups = set(), set()
-
-    for line in open(filename):
-        line = line.strip()
-        if not line or line.startswith('#'):
-            continue
-        words = line.split()
-        match words[0]:
-            case 'u'|'u!':
-                users.add(words[1])
-            case 'g':
-                groups.add(words[1])
-            case 'm'|'r':
-                continue
-            case _:
-                assert False
-    return users, groups
-
-setup_users, setup_groups = set(), set()
-
-for arg in sys.argv[1:-1]:
-    users, groups = parse_sysusers_file(arg)
-    setup_users |= users
-    setup_groups |= groups
-
-basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
-
-ignored = set(os.getenv('IGNORED', '').split())
-
-if d := basic_users - setup_users - ignored:
-    exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups - ignored:
-    exit(f'We have new groups: {d}')

tests/tests-reboot.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            result=pass
+            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
+            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
+            grep -q '<no matches>' /tmp/avc.log || result=fail
+            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
+            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/test.log
+          - /tmp/avc.log
+          - /tmp/results.yml

triggers.systemd

@@ -9,17 +9,21 @@
 #
 # Minimum rpm version supported: 4.14.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
-/usr/lib/systemd/systemd-update-helper user-reload-restart || :
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
+if selinuxenabled &>/dev/null; then
+  /usr/lib/systemd/systemd-update-helper user-reload-restart 2>/dev/null || :
+else
+  /usr/lib/systemd/systemd-update-helper user-reload-restart || :
+fi
 
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +31,49 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
 # Execute daemon-reload in user managers.
-/usr/lib/systemd/systemd-update-helper user-reload || :
+if selinuxenabled &>/dev/null; then
+  /usr/lib/systemd/systemd-update-helper user-reload 2>/dev/null || :
+else
+  /usr/lib/systemd/systemd-update-helper user-reload || :
+fi
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
+%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
 # We restart remaining user services that should be restarted here.
-/usr/lib/systemd/systemd-update-helper user-restart || :
+if selinuxenabled &>/dev/null; then
+  /usr/lib/systemd/systemd-update-helper user-restart 2>/dev/null || :
+else
+  /usr/lib/systemd/systemd-update-helper user-restart || :
+fi
 
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
-systemd-sysusers || :
+if test -d "/run/systemd/system"; then
+  systemd-sysusers || :
+fi
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
-systemd-hwdb update || :
+if test -d "/run/systemd/system"; then
+  systemd-hwdb update || :
+fi
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
-journalctl --update-catalog || :
+if test -d "/run/systemd/system"; then
+  journalctl --update-catalog || :
+fi
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +82,7 @@ if test -d "/run/systemd/system"; then
   /usr/lib/systemd/systemd-binfmt || :
 fi
 
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,12 +90,14 @@ if test -d "/run/systemd/system"; then
   systemd-tmpfiles --create || :
 fi
 
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
+if test -e /run/udev/control; then
+  udevadm control --reload || :
+fi
 
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then

use-bfq-scheduler.patch

@@ -0,0 +1,41 @@
+From 223ea50950f97ed4e67311dfcffed7ffc27a7cd3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Aug 2019 15:57:42 +0200
+Subject: [PATCH] udev: use bfq as the default scheduler
+
+As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
+Test results are that bfq seems to behave better and more consistently on
+typical hardware. The kernel does not have a configuration option to set
+the default scheduler, and it currently needs to be set by userspace.
+
+See the bug for more discussion and links.
+---
+ rules.d/60-block-scheduler.rules | 5 +++++
+ rules.d/meson.build              | 1 +
+ 2 files changed, 6 insertions(+)
+ create mode 100644 rules.d/60-block-scheduler.rules
+
+diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
+new file mode 100644
+index 0000000000..480b941761
+--- /dev/null
++++ b/rules.d/60-block-scheduler.rules
+@@ -0,0 +1,6 @@
++# do not edit this file, it will be overwritten on update
++
++ACTION=="add", SUBSYSTEM=="block", \
++  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
++  ENV{DEVTYPE}=="disk", \
++  ATTR{queue/scheduler}="bfq"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index ca4445d774..38d6aa6970 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -3,6 +3,7 @@
+ rules = files('''
+         60-autosuspend.rules
+         60-block.rules
++        60-block-scheduler.rules
+         60-cdrom_id.rules
+         60-drm.rules
+         60-evdev.rules

yum-protect-systemd.conf

@@ -0,0 +1,2 @@
+systemd
+systemd-udev