Version 256.17

- Fixes for systemd itself, systemd-networkd, systemd-ssh-generator,
  systemd-fstab-generator, bootctl, systemd-repart, systemd-vmspawn,
  the shared library code, udev rules, resolvectl, shell completions,
  documentation
- Update of the hardware database

.editorconfig

@@ -1,11 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.{yml,yaml}]
-indent_size = 2

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -7,7 +7,3 @@
 /systemd-*.tar.xz
 /systemd-*.tar.gz
 /*.rpm
-/mkosi.output/
-/mkosi.cache/
-/mkosi.builddir/
-/mkosi.local.conf

0001-Revert-units-drop-runlevel-0-6-.target.patch

@@ -1,88 +0,0 @@
-From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 5 Nov 2025 17:52:16 +0100
-Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
-
-This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
-The unit are still needed for compat.
----
- units/meson.build | 27 ++++++++++++++++++++++-----
- 1 file changed, 22 insertions(+), 5 deletions(-)
-
-diff --git a/units/meson.build b/units/meson.build
-index 2e04c4aa2b..46eaac4073 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -1,5 +1,7 @@
- # SPDX-License-Identifier: LGPL-2.1-or-later
- 
-+with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
-+
- units = [
-         { 'file' : 'basic.target' },
-         { 'file' : 'blockdev@.target' },
-@@ -49,7 +51,7 @@ units = [
-         },
-         {
-           'file' : 'graphical.target',
--          'symlinks' : ['default.target'],
-+          'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
-         },
-         { 'file' : 'halt.target' },
-         {
-@@ -142,7 +144,10 @@ units = [
-           'conditions' : ['ENABLE_MACHINED'],
-         },
-         { 'file' : 'modprobe@.service' },
--        { 'file' : 'multi-user.target' },
-+        {
-+          'file' : 'multi-user.target',
-+          'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
-+        },
-         {
-           'file' : 'systemd-mute-console.socket',
-           'symlinks' : ['sockets.target.wants/']
-@@ -155,7 +160,10 @@ units = [
-         { 'file' : 'nss-lookup.target' },
-         { 'file' : 'nss-user-lookup.target' },
-         { 'file' : 'paths.target' },
--        { 'file' : 'poweroff.target' },
-+        {
-+          'file' : 'poweroff.target',
-+          'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
-+        },
-         { 'file' : 'printer.target' },
-         {
-           'file' : 'proc-sys-fs-binfmt_misc.automount',
-@@ -180,7 +188,7 @@ units = [
-         },
-         {
-           'file' : 'reboot.target',
--          'symlinks' : ['ctrl-alt-del.target'],
-+          'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
-         },
-         {
-           'file' : 'remote-cryptsetup.target',
-@@ -200,7 +208,10 @@ units = [
-           'symlinks' : ['initrd-root-device.target.wants/'],
-         },
-         { 'file' : 'rescue.service.in' },
--        { 'file' : 'rescue.target' },
-+        {
-+          'file' : 'rescue.target',
-+          'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
-+        },
-         { 'file' : 'rpcbind.target' },
-         { 'file' : 'serial-getty@.service.in' },
-         { 'file' : 'shutdown.target' },
-@@ -1001,4 +1012,10 @@ else
-                             dbussessionservicedir / 'org.freedesktop.systemd1.service'))
- endif
- 
-+if conf.get('HAVE_SYSV_COMPAT') == 1
-+        foreach i : [1, 2, 3, 4, 5]
-+                install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
-+        endforeach
-+endif
-+
- subdir('user')

0001-tmpfiles-make-purge-hard-to-mis-use.patch

@@ -0,0 +1,88 @@
+From 1e788a7fb535a37a8268aa7dc5130f670eb72a6b Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Tue, 23 Jul 2024 13:14:05 +0200
+Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use
+
+Follow-up for https://github.com/systemd/systemd/pull/33383.
+---
+ src/tmpfiles/tmpfiles.c           | 17 +++++++++++++++++
+ test/units/TEST-22-TMPFILES.18.sh |  4 ++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 8cc8c1ccd6..14048545db 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) {
+                 ARG_IMAGE_POLICY,
+                 ARG_REPLACE,
+                 ARG_DRY_RUN,
++                ARG_DESTROY_DATA,
+                 ARG_NO_PAGER,
+         };
+ 
+@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) {
+                 { "replace",        required_argument,   NULL, ARG_REPLACE        },
+                 { "dry-run",        no_argument,         NULL, ARG_DRY_RUN        },
+                 { "no-pager",       no_argument,         NULL, ARG_NO_PAGER       },
++
++                /* This is not documented on purpose.
++                 * If you think --purge should be allowed without jumping through hoops,
++                 * consider opening a bug report with the description of the use case.
++                 */
++                { "destroy-data",   no_argument,         NULL, ARG_DESTROY_DATA   },
++
+                 {}
+         };
+ 
+         int c, r;
++        bool destroy_data = false;
+ 
+         assert(argc >= 0);
+         assert(argv);
+@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) {
+                         arg_dry_run = true;
+                         break;
+ 
++                case ARG_DESTROY_DATA:
++                        destroy_data = true;
++                        break;
++
+                 case ARG_NO_PAGER:
+                         arg_pager_flags |= PAGER_DISABLE;
+                         break;
+@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) {
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Refusing --purge without specification of a configuration file.");
+ 
++        if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data)
++                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
++                                       "Refusing --purge without --destroy-data.");
++
+         if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Option --replace= is not supported with --cat-config/--tldr.");
+diff --git a/test/units/TEST-22-TMPFILES.18.sh b/test/units/TEST-22-TMPFILES.18.sh
+index 5d24197c81..de23bbb95f 100755
+--- a/test/units/TEST-22-TMPFILES.18.sh
++++ b/test/units/TEST-22-TMPFILES.18.sh
+@@ -21,7 +21,7 @@ systemd-tmpfiles --purge --dry-run - <<<"$c"
+ test -f /tmp/somedir/somefile
+ grep -q baz /tmp/somedir/somefile
+ 
+-systemd-tmpfiles --purge - <<<"$c"
++systemd-tmpfiles --purge --destroy-data - <<<"$c"
+ test ! -f /tmp/somedir/somefile
+ test ! -d /tmp/somedir/
+ 
+@@ -29,6 +29,6 @@ systemd-tmpfiles --create --purge --dry-run - <<<"$c"
+ test ! -f /tmp/somedir/somefile
+ test ! -d /tmp/somedir/
+ 
+-systemd-tmpfiles --create --purge - <<<"$c"
++systemd-tmpfiles --create --destroy-data --purge - <<<"$c"
+ test -f /tmp/somedir/somefile
+ grep -q baz /tmp/somedir/somefile
+-- 
+2.45.2
+

0002-machined-continue-without-resolve.hook-socket.patch

@@ -1,32 +0,0 @@
-From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 26 Nov 2025 22:29:53 +0100
-Subject: [PATCH 3/3] machined: continue without resolve.hook socket
-
----
- src/machine/machined-varlink.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
-index f83cbb8562..0b30cd0531 100644
---- a/src/machine/machined-varlink.c
-+++ b/src/machine/machined-varlink.c
-@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
- 
-         r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-                                              0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
--        if (r < 0)
--                return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
--                                       VARLINK_PATH_MACHINED_RESOLVE_HOOK);
-+        if (r < 0) {
-+                bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
-+                log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
-+                               r,
-+                               "Failed to bind to varlink socket %s%s: %m",
-+                               VARLINK_PATH_MACHINED_RESOLVE_HOOK,
-+                               ignore ? ", ignoring" : "");
-+                return ignore ? 0 : r;
-+        }
- 
-         r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
-         if (r < 0)

0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch

@@ -1,112 +0,0 @@
-From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
-From: Nick Rosbrook <enr0n@ubuntu.com>
-Date: Fri, 19 Dec 2025 11:01:49 -0500
-Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
-
-The primary motivation for this is to allow users of ukify to build
-UKI-like objects, without having them later be detected as a UKI by
-tools like kernel-install and bootctl.
-
-The common code used by these tools to determine if a PE binary is a UKI
-checks that both .osrel and .linux sections are present. Hence, adding
-a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
----
- man/ukify.xml                |  5 ++++-
- src/ukify/test/test_ukify.py | 15 +++++++++++----
- src/ukify/ukify.py           | 10 +++++++++-
- 3 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/man/ukify.xml b/man/ukify.xml
-index 829761642d..7462c5c92f 100644
---- a/man/ukify.xml
-+++ b/man/ukify.xml
-@@ -365,7 +365,10 @@
-           <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
-           may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
-           <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
--          will be picked up from the host system.</para>
-+          will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
-+          is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
-+          to not be recognized as a UKI by other tools like <command>kernel-install</command>
-+          and <command>bootctl</command>).</para>
- 
-           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
-         </varlistentry>
-diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
-index f75ef0c891..224a38569f 100755
---- a/src/ukify/test/test_ukify.py
-+++ b/src/ukify/test/test_ukify.py
-@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
- 
-     shutil.rmtree(tmp_path)
- 
--def test_inspect(kernel_initrd, tmp_path, capsys):
-+def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
-     if kernel_initrd is None:
-         pytest.skip('linux+initrd not found')
-     if not shutil.which('sbsign'):
-@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     output = f'{tmp_path}/signed2.efi'
-     uname_arg='1.2.3'
--    osrel_arg='Linux'
-+    osrel_arg='Linux' if osrel else ''
-     cmdline_arg='ARG1 ARG2 ARG3'
- 
-     args = [
-@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     text = capsys.readouterr().out
- 
--    expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
--    assert expected_osrel in text
-+    if osrel:
-+        expected_osrel = f'.osrel:\n  size: {len(osrel_arg)}'
-+        assert expected_osrel in text
-+    else:
-+        assert '.osrel:' not in text
-+
-     expected_cmdline = f'.cmdline:\n  size: {len(cmdline_arg)}'
-     assert expected_cmdline in text
-     expected_uname = f'.uname:\n  size: {len(uname_arg)}'
-@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
- 
-     shutil.rmtree(tmp_path)
- 
-+def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
-+    test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
-+
- @pytest.mark.skipif(not slow_tests, reason='slow')
- def test_pcr_signing(kernel_initrd, tmp_path):
-     if kernel_initrd is None:
-diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
-index c98f8e2a5d..b7542c7eca 100755
---- a/src/ukify/ukify.py
-+++ b/src/ukify/ukify.py
-@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
-         '.profile',
-     }
- 
-+    if not opts.os_release:
-+        to_import.remove('.osrel')
-+
-     for profile in opts.join_profiles:
-         pe = pefile.PE(profile, fast_load=True)
-         prev_len = len(uki.sections)
-@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
- 
-     opts.os_release = resolve_at_path(opts.os_release)
- 
--    if not opts.os_release and opts.linux:
-+    if opts.os_release == '':
-+        # If --os-release= with an empty string was passed, treat that as
-+        # explicitly disabling the .osrel section, and do not fallback to the
-+        # system's os-release files.
-+        pass
-+    elif opts.os_release is None and opts.linux:
-         p = Path('/etc/os-release')
-         if not p.exists():
-             p = Path('/usr/lib/os-release')
--- 
-2.52.0
-

0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch

@@ -1,51 +0,0 @@
-From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <johannes.goede@oss.qualcomm.com>
-Date: Mon, 12 Jan 2026 14:56:36 +0100
-Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
-
-When n_all_initrds == 0, then all_initrds is unmodified from its initial
-value of:
-
-	_cleanup_free_ struct iovec *all_initrds = NULL;
-
-and in the else block of the "if (n_all_initrds > 1)" the NULL is
-dereferenced:
-
-		final_initrd = all_initrds[0];
-
-Leading to the stub crashing due to a NULL pointer deref.
-
-Fix this by initializing final_initrd to all 0s and only
-running the else block if (n_all_initrds == 1).
----
- src/boot/stub.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/boot/stub.c b/src/boot/stub.c
-index 06ecbc7d18..65950262c6 100644
---- a/src/boot/stub.c
-+++ b/src/boot/stub.c
-@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-         /* Combine the initrds into one */
-         _cleanup_pages_ Pages initrd_pages = {};
--        struct iovec final_initrd;
-+        struct iovec final_initrd = {};
-         if (n_all_initrds > 1) {
--                /* There will always be a base initrd, if this counter is higher, we need to combine them */
-+                /* If there is more then 1 initrd we need to combine them */
-                 err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
-                 if (err != EFI_SUCCESS)
-                         return err;
-@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
- 
-                 /* Given these might be large let's free them explicitly before we pass control to Linux */
-                 initrds_free(&initrds);
--        } else
-+        } else if (n_all_initrds == 1)
-                 final_initrd = all_initrds[0];
- 
-         struct iovec kernel = IOVEC_MAKE(
--- 
-2.52.0
-

30846.patch

@@ -1,4 +1,4 @@
-From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
+From 9e3d6b193d79ce447cd329617ada941f331570a9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Tue, 9 Jan 2024 11:28:04 +0100
 Subject: [PATCH] journal: again create user journals for users with high uids
@@ -39,18 +39,17 @@ revert the change to fix user systems.
 
 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
 ---
- src/basic/uid-classification.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ src/basic/uid-classification.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
-index 203ce2c68a..2eb384395d 100644
+index e2d2cebc6de27..2c8b06c0d3088 100644
 --- a/src/basic/uid-classification.c
 +++ b/src/basic/uid-classification.c
-@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
+@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
  
          /* Returns true if the specified UID shall get its data stored in the system journal. */
  
--        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
-+        return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
-+
+-        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
++        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
  }

33738.patch

@@ -0,0 +1,37 @@
+From 69c5d6bea7cc2168a2a483d232aa9a77202173f0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 16 Jul 2024 17:46:09 +0200
+Subject: [PATCH] rules: Add uaccess tag to /dev/udmabuf
+
+In some cases userspace may need to create dmabuffers from userspace
+on such example is the software ISP part of libcamera which needs to
+allocate dma-buffers for the output of the software ISP.
+
+At first the plan was to allow console users access to /dev/dma_heap/*,
+this was discussed with various kernel folks here:
+https://lore.kernel.org/all/bb372250-e8b8-4458-bc99-dd8365b06991@redhat.com/
+
+Giving console users access to the dma_heap's was deemed a bad idea
+because memory allocated this way is not accounted in cgroup limits.
+
+Giving access to /dev/udmabuf OTOH was deemed acceptable so that
+is what this patch adds.
+
+Resolves: #32662
+---
+ rules.d/70-uaccess.rules.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rules.d/70-uaccess.rules.in b/rules.d/70-uaccess.rules.in
+index b82ce04a39d38..e683bb1114461 100644
+--- a/rules.d/70-uaccess.rules.in
++++ b/rules.d/70-uaccess.rules.in
+@@ -34,6 +34,8 @@ SUBSYSTEM=="sound", TAG+="uaccess", \
+ SUBSYSTEM=="video4linux", TAG+="uaccess"
+ SUBSYSTEM=="dvb", TAG+="uaccess"
+ SUBSYSTEM=="media", TAG+="uaccess"
++# libcamera software ISP used with some cams requires udmabuf access
++KERNEL=="udmabuf", TAG+="uaccess"
+ 
+ # industrial cameras, some webcams, camcorders, set-top boxes, TV sets, audio devices, and more
+ SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_MIDI}=="1", TAG+="uaccess"

38769.patch

@@ -1,42 +0,0 @@
-From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Sat, 30 Aug 2025 13:55:56 +0200
-Subject: [PATCH] core: create userdb root directory with correct label
-
-Set up the /run/systemd/userdb directory with the default SELinux context
-on creation.
-
-With version 257.7-1 on Debian the directory was automatically created with the
-correct label. Starting with version 258 (only tested with 258~rc3-1) it no
-longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
-
-[zjs: edited the patch to apply comments from review and update the description.]
----
- src/core/varlink.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/varlink.c b/src/core/varlink.c
-index 99f12c59e5..71a8ffd0e5 100644
---- a/src/core/varlink.c
-+++ b/src/core/varlink.c
-@@ -5,6 +5,7 @@
- #include "constants.h"
- #include "errno-util.h"
- #include "manager.h"
-+#include "mkdir-label.h"
- #include "path-util.h"
- #include "pidref.h"
- #include "string-util.h"
-@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
-                         if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
-                                 continue;
- 
--                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
-+                        r = mkdir_parents_label(address, 0755);
-+                        if (r < 0)
-+                                log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
-+
-+                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
-                         if (r < 0)
-                                 return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
-                 }

changelog

@@ -1,97 +1,72 @@
-* Sun Jan 12 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-6
-- Rebuilt for the bin-sbin merge (2nd attempt)
+* Thu May 29 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.15-1
+- Version 256.15
+- Fix for local information disclosure in systemd-coredump (CVE-2025-4598)
+- Various other fixes
 
-* Fri Jan 10 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-4
-- Revert use of PrivateTmp=disconnected (rhbz#2334015,
-  https://github.com/coreos/fedora-coreos-tracker/issues/1857)
+* Thu May 15 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.13-1
+- Version 256.13
+- Various small fixes in multiple components
 
-* Wed Jan 08 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.2-1
-- Version 257.2
+* Fri Mar 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.12-1
+- Version 256.12
+- Fixes for systemd itself, sd-boot, systemd-resolved, systemd-id128,
+  systemd-networkd, systemd-logind, systemd-tmpfiles, systemd-vmspawn,
+  systemd-userdb, udev, ukify, systemctl, homectl, fido2 code,
+  virtualization detection, internal shared library, shell completions,
+  documentation.
+- Hardware database is updated
+- Adds new DNSSEC anchor key for systemd-resolved
+- Adds new Fedora keys for systemd-importd
+- Adds a Georgian mapping to the keymap list
+
+* Fri Mar 07 2025 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.11-4
+- Make sure we pull in libbpf >= 2:1.4.7 if libbpf is installed
+
+* Fri Mar 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.11-2
+- Move some files into subpackages
+- systemd-ac-power is moved to systemd-udev
+- portablectl and importctl are moved to systemd-container (rhbz#2345551)
+
+* Wed Jan 08 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.11-1
+- Version 256.11
 - Fixes for assertion crashes and memory access issues in pid1 and systemd-
   machined, and other fixes for systemd-repart, systemd-resolved, systemd-
-  stdio-bridge, systemctl, journalctl, sd-device, hibernation, and the
-  hardware database.
+  stdio-bridge, sd-device, hibernation, and the hardware database.
 
-* Tue Jan 07 2025 Yu Watanabe <watanabe.yu+github@gmail.com> - 257.1-7
-- Replace 'udevadm hwdb' with systemd-hwdb
+* Sat Jan 04 2025 Orion Poplawski <orion@nwra.com> - 256.10-2
+- Disable unmerged-bin taint for F41 (rhbz#2334525)
 
-* Tue Jan 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.1-6
-- Rename source .abignore file
+* Sat Dec 21 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.10-1
+- Version 256.10
+- Fixes for man pages, shell completion, logging, systemd-networkd,
+  systemd-resolved, systemctl edit.
 
-* Fri Dec 20 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 257.1-2
-- Re-enable upstream behaviour of systemd-tmpfiles --purge
-
-* Fri Dec 20 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.1-1
-- Version 257.1
-- A bunch of post-release fixes, incl. for systemd-resolved, tpm2 support,
-  systemd-networkd, systemd-logind, journalct.
-- Should fix rhbz#2325780.
-
-* Sun Dec 15 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257-3
-- Add patch for test-time-util
-
-* Sun Dec 15 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257-2
-- sysusers: support new ! line flag for creating fully locked accounts
-
-* Tue Dec 10 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257-1
-- Version 257
-- A bunch of small fixes in various components: systemd itself, systemd-
-  cryptenroll, sd-varlink, sd-boot, documentation, tests
-- Includes an update of the hardware database
-
-* Thu Dec 05 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-5
-- Enable slow tests during build
-
-* Tue Dec 03 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-3
+* Tue Dec 03 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.9-3
 - Recommend qemu-kvm-core instead of qemu-kvm (rhbz#2329979)
 
-* Fri Nov 29 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 257~rc3-2
-- Update tmpfiles --destroy-data patch
-
-* Wed Nov 27 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc3-1
-- Version 257~rc3
-- A bunch of small fixes here and there: virtualization detection, udev,
-  systemd-networked, pid1.
-- Includes a hardware database update.
-
-* Tue Nov 26 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-4
-- Make systemd-network-generator co-owned by -udev and -networkd
-  (rhbz#2328723)
-
-* Tue Nov 19 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-3
-- Pull in qemu from systemd-container
-
-* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-2
-- Change sysusers u! lines to u because we don't have support in rpm
-
-* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc2-1
-- Version 257~rc2
-- Changes in systemd-measure, systemd-networkd, documentation, systemd-
-  sysupdated, systemd-sbsign, systemd-boot, systemd-stub, systemd-nspawn,
-  run0, ukify
-- Hardware database update
-
-* Fri Nov 15 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc1-3
-- Disable freezing of user sessions (rhbz#2321268)
-
-* Thu Nov 07 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257~rc1-1
-- Version 257~rc1
-
-* Thu Nov 07 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.7-7
-- Use %%posttrans instead of %%postun to restart services
-
-* Thu Nov 07 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 256.7-6
-- Disable OpenSSL v3 ENGINE on RHEL
-
-* Tue Nov 05 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.7-4
-- Backport user manager reexec changes
-
-* Tue Nov 05 2024 David Tardon <dtardon@redhat.com> - 256.7-3
+* Fri Nov 29 2024 David Tardon <dtardon@redhat.com> - 256.9-2
 - Use %%systemd_preun in systemd-resolved
 
-* Thu Oct 24 2024 Yu Watanabe <watanabe.yu+github@gmail.com> - 256.7-2
-- test_sysusers_defined: support new ! line flag for creating fully locked
-  accounts
+* Fri Nov 29 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.9-1
+- Version 256.9
+- Resolves rhbz#2329211
+
+* Tue Nov 19 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.8-2
+- Pull in qemu from systemd-container
+
+* Thu Nov 14 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.8-1
+- Version 256.8
+- Improvements to logging, documentation, systemd, systemd-repart, systemd-
+  networkd, systemd-network-generator, systemd-nspawn, systemd-resolved,
+  systemd-run, systemd-dissect, systemd-pcrlock, systemd-logind, systemd-
+  bsod, udev, ukify
+- Resolves #2323323: system will boot to cgroup v2 automatically unless
+  overriden
+- Resolves #2321268: freezing of user processes is disabled
+- Hardware database is updated
+
+* Thu Nov 14 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.7-2
+- Disable freezing of user sessions (rhbz#2321268)
 
 * Fri Oct 11 2024 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 256.7-1
 - Version 256.7
@@ -110,6 +85,9 @@
 * Wed Aug 28 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-5
 - Do not use patch to modify systemd-user pam config file
 
+* Wed Aug 28 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-4
+- Drop %%upstream conditionalization for patches
+
 * Tue Aug 27 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 256.5-3
 - Only make python3-pillow Recommends on Fedora
 

macros.sysusers

@@ -2,9 +2,9 @@
 #
 # Turn a sysusers.d file into macros specified by
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-#
-# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
-# those macros are not needed anymore.
 
-%sysusers_requires_compat %nil
-%sysusers_create_compat() %nil
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}

macros.sysusers.compat

@@ -1,10 +0,0 @@
-# RPM macros for packages creating system accounts
-#
-# Turn a sysusers.d file into macros specified by
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
-
-%sysusers_requires_compat Requires(pre): shadow-utils
-
-%sysusers_create_compat() \
-%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
-%{nil}

plans/run-integration-tests.sh

@@ -1,127 +0,0 @@
-#!/bin/bash
-
-set -eux
-set -o pipefail
-
-# Switch SELinux to permissive if possible, since the tests don't set proper contexts
-setenforce 0 || true
-
-echo "CPU and Memory information:"
-lscpu
-lsmem
-
-echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
-
-# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
-sysctl fs.inotify.max_user_watches=65536 || true
-sysctl fs.inotify.max_user_instances=1024 || true
-
-if [[ -n "${KOJI_TASK_ID:-}" ]]; then
-    koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
-elif [[ -n "${CBS_TASK_ID:-}" ]]; then
-    cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
-elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
-    COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
-    COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
-    copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
-    mv "$COPR_CHROOT"/* .
-else
-    echo "Not running within packit and no CBS/koji task ID provided"
-    exit 1
-fi
-
-PACKAGEDIR="$PWD"
-
-# This will match both the regular and the debuginfo rpm so make sure we select only the
-# non-debuginfo rpm.
-RPMS=(systemd-tests-*.rpm)
-rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
-pushd usr/lib/systemd/tests
-mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
-
-# Now prepare mkosi at the same version required by the systemd repo.
-git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
-git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
-
-export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
-
-# shellcheck source=/dev/null
-. /etc/os-release || . /usr/lib/os-release
-
-tee mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Distribution=${MKOSI_DISTRIBUTION:-$ID}
-Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-
-[Content]
-PackageDirectories=$PACKAGEDIR
-SELinuxRelabel=yes
-
-[Build]
-ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
-ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
-ToolsTreePackageDirectories=$PACKAGEDIR
-Environment=NO_BUILD=1
-WithTests=yes
-EOF
-
-if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Distribution]
-Repositories=$MKOSI_REPOSITORIES
-
-[Build]
-ToolsTreeRepositories=$MKOSI_REPOSITORIES
-EOF
-fi
-
-if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
-    tee --append mkosi/mkosi.local.conf <<EOF
-[Runtime]
-KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
-EOF
-fi
-
-# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
-modprobe kvm || true
-if [[ ! -e /dev/kvm ]]; then
-    export TEST_NO_QEMU=1
-fi
-
-NPROC="$(nproc)"
-if [[ "$NPROC" -ge 10 ]]; then
-    export TEST_JOURNAL_USE_TMP=1
-    NPROC="$((NPROC / 3))"
-else
-    NPROC="$((NPROC - 1))"
-fi
-
-# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
-# for now.
-export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
-
-mkosi genkey
-mkosi summary
-mkosi -f box -- true
-mkosi box -- meson setup build integration-tests/standalone
-mkosi -f
-if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
-    MAX_LINES=(--max-lines 300)
-else
-    MAX_LINES=()
-fi
-mkosi box -- \
-    meson test \
-        -C build \
-        --setup=integration \
-        --print-errorlogs \
-        --no-stdsplit \
-        --num-processes "$NPROC" \
-        "${MAX_LINES[@]}" && EC=0 || EC=$?
-
-[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
-[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
-
-popd
-
-exit "$EC"

plans/upstream.fmf

@@ -1,22 +0,0 @@
-summary: systemd upstream test suite
-provision:
-  hardware:
-    virtualization:
-      is-supported: true
-prepare:
-  - name: install-dependencies
-    how: install
-    package:
-      - coreutils
-      - distribution-gpg-keys
-      - dnf
-      - git-core
-      - koji
-      - centos-packager
-      - copr-cli
-    exclude:
-      - systemd-standalone-.*
-execute:
-    how: tmt
-    script: exec plans/run-integration-tests.sh
-    duration: 2h

purge-nobody-user

@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi

sources

@@ -1 +1 @@
-SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
+SHA512 (systemd-256.17.tar.gz) = c0f5d82f1220c69e8dc136e796ed9594bd9357450320c077a4c36151585508dfef58e16452ee64af7c32b90861a22996e9d567d76d71c15ce2136f96194f2be2

split-files.py

@@ -7,6 +7,7 @@ known_files = '''
 %ghost %config(noreplace) /etc/crypttab
 %ghost %attr(0444,root,root) /etc/udev/hwdb.bin
 /etc/inittab
+/usr/lib/systemd/purge-nobody-user
 # This directory is owned by openssh-server, but we don't want to introduce
 # a dependency. So let's copy the config and co-own the directory.
 %dir %attr(0700,root,root) /etc/ssh/sshd_config.d
@@ -56,14 +57,12 @@ def files(root):
 
 outputs = {suffix: open(f'.file-list-{suffix}', 'w')
            for suffix in (
-                   'shared',
                    'libs',
                    'udev',
                    'ukify',
                    'boot',
                    'pam',
                    'rpm-macros',
-                   'sysusers',
                    'devel',
                    'container',
                    'networkd',
@@ -121,15 +120,13 @@ for file in files(buildroot):
         o = outputs['rpm-macros']
     elif '/usr/lib/systemd/tests' in n:
         o = outputs['tests']
-    elif 'ukify' in n and '/man/' not in n:
+    elif 'ukify' in n:
         o = outputs['ukify']
-    elif re.search(r'/libsystemd-core-.*\.so$', n):
+    elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n):
         o = outputs['main']
-    elif re.search(r'/libsystemd-shared-.*\.so$', n):
-        o = outputs['shared']
     elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
         o = outputs['udev']
-    elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
+    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n):
         o = outputs['devel']
     elif re.search(r'''journal-(remote|gateway|upload)|
                        systemd-remote\.conf|
@@ -138,24 +135,15 @@ for file in files(buildroot):
     ''', n, re.X):
         o = outputs['remote']
 
-    # Just the binary, the dir, and the man page.
-    elif re.search(r'''systemd-sysusers$|
-                       sysusers\.d$|
-                       man/.*sysusers\.d\.5|
-                       man/.*systemd-sysusers\.8
-    ''', n, re.X):
-        o = outputs['sysusers']
-
     elif re.search(r'''mymachines|
                        machinectl|
-                       mount.ddi|
                        importctl|
                        portablectl|
                        systemd-nspawn|
                        systemd\.nspawn|
                        systemd-vmspawn|
                        systemd-dissect|
-                       import-pubring|
+                       import-pubring.gpg|
                        systemd-machined|
                        systemd-import|
                        systemd-export|
@@ -176,9 +164,6 @@ for file in files(buildroot):
           and os.path.exists(f'./{n}.example')):
         o = outputs['networkd-defaults']
 
-    # Files that are "consumed" by systemd-networkd go into the -networkd
-    # subpackage. As a special case, network-generator is co-owned also by
-    # the -udev subpackage because systemd-udevd reads .link files.
     elif re.search(r'''/usr/lib/systemd/network/.*\.network|
                        networkd|
                        networkctl|
@@ -189,8 +174,6 @@ for file in files(buildroot):
                        systemd\.netdev
     ''', n, re.X):
         o = outputs['networkd']
-    elif 'network-generator' in n:
-        o = (outputs['networkd'], outputs['udev'])
 
     elif '.so.' in n:
         o = outputs['libs']
@@ -234,8 +217,7 @@ for file in files(buildroot):
                        integritytab|
                        remount-fs|
                        /initrd|
-                       systemd[.-]pcr|
-                       /pcrlock\.d|
+                       systemd-pcr|
                        systemd-measure|
                        /boot$|
                        /kernel/|
@@ -245,7 +227,6 @@ for file in files(buildroot):
                        sysctl|
                        coredump|
                        homed|home1|
-                       sysupdate|updatctl|
                        oomd|
                        portabled|portable1
     ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
@@ -271,13 +252,13 @@ for file in files(buildroot):
 
     if n in known_files:
         prefix = known_files[n].split()[:-1]
-    elif file.is_dir(follow_symlinks=False):
+    elif file.is_dir() and not file.is_symlink():
         prefix = ['%dir']
     elif 'README' in n:
         prefix = ['%doc']
     elif n.startswith('/etc'):
         prefix = ['%config(noreplace)']
-        if not file.is_symlink() and file.stat().st_size == 0:
+        if file.stat().st_size == 0:
             prefix += ['%ghost']
     else:
         prefix = []
@@ -285,10 +266,7 @@ for file in files(buildroot):
 
     suffix = '*' if '/man/' in n else ''
 
-    if not isinstance(o, tuple):
-        o = (o,)
-    for file in o:
-        print(f'{prefix}{n}{suffix}', file=file)
+    print(f'{prefix}{n}{suffix}', file=o)
 
 if [print(f'ERROR: no file names were written to {o.name}')
     for name, o in outputs.items()

systemd-unmerged-bin.patch

@@ -0,0 +1,16 @@
+diff -up systemd-256.10/src/core/taint.c.unmerged-bin systemd-256.10/src/core/taint.c
+--- systemd-256.10/src/core/taint.c.unmerged-bin	2024-12-20 12:47:26.000000000 -0700
++++ systemd-256.10/src/core/taint.c	2025-01-04 12:12:51.478892350 -0700
+@@ -45,10 +45,10 @@ char* taint_string(void) {
+                 stage[n++] = "unmerged-usr";
+ 
+         /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
+-         * too. */
++         * too.
+         if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
+                 stage[n++] = "unmerged-bin";
+-
++         */
+         if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
+                 stage[n++] = "var-run-bad";
+ 

sysusers.generate-pre.sh

@@ -69,7 +69,7 @@ parse() {
 		[ -z "$line" ] && continue
 		eval "arr=( $line )"
 		case "${arr[0]}" in
-			('u'|'u!')
+			('u')
 				if [[ "${arr[2]}" == *":"* ]]; then
 					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
 				else

sysusers.prov

@@ -42,7 +42,7 @@ parse() {
         [ -z "$line" ] && continue
         set -- $line
         case "$1" in
-            ('u'|'u!')
+            ('u')
                 process_u "$2" "$3"
                 ;;
             ('g')

test_sysusers_defined.py

@@ -1,6 +1,5 @@
 #!/usr/bin/python
 
-import os
 import sys
 
 def parse_sysusers_file(filename):
@@ -12,7 +11,7 @@ def parse_sysusers_file(filename):
             continue
         words = line.split()
         match words[0]:
-            case 'u'|'u!':
+            case 'u':
                 users.add(words[1])
             case 'g':
                 groups.add(words[1])
@@ -22,18 +21,14 @@ def parse_sysusers_file(filename):
                 assert False
     return users, groups
 
-setup_users, setup_groups = set(), set()
+setup_users, setup_groups = parse_sysusers_file(sys.argv[1])
+setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2])
+setup_users |= setup_users2
+setup_groups |= setup_groups2
 
-for arg in sys.argv[1:-1]:
-    users, groups = parse_sysusers_file(arg)
-    setup_users |= users
-    setup_groups |= groups
+basic_users, basic_groups = parse_sysusers_file(sys.argv[3])
 
-basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
-
-ignored = set(os.getenv('IGNORED', '').split())
-
-if d := basic_users - setup_users - ignored:
+if d := basic_users - setup_users:
     exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups - ignored:
+if d := basic_groups - setup_groups:
     exit(f'We have new groups: {d}')

tests/tests-reboot.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            result=pass
+            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
+            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
+            grep -q '<no matches>' /tmp/avc.log || result=fail
+            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
+            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/test.log
+          - /tmp/avc.log
+          - /tmp/results.yml

triggers.systemd

@@ -9,17 +9,17 @@
 #
 # Minimum rpm version supported: 4.14.0
 
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
 
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
 /usr/lib/systemd/systemd-update-helper user-reload-restart || :
 
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +27,35 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
 
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
 # Execute daemon-reload in user managers.
 /usr/lib/systemd/systemd-update-helper user-reload || :
 
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
 
-%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
+%transfiletriggerpostun -P  9999 -- /usr/lib/systemd/user /etc/systemd/user
 # We restart remaining user services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper user-restart || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
 systemd-sysusers || :
 
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
 systemd-hwdb update || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
 journalctl --update-catalog || :
 
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then
   /usr/lib/systemd/systemd-binfmt || :
 fi
 
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,12 +72,14 @@ if test -d "/run/systemd/system"; then
   systemd-tmpfiles --create || :
 fi
 
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
+if test -e /run/udev/control; then
+  udevadm control --reload || :
+fi
 
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then