Merge remote-tracking branch 'up/master' into master-riscv64

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>

0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch

@@ -0,0 +1,207 @@
+From 2cce22a4279d4f304e75b87b56b9eeb5cd313566 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 22 Dec 2018 11:11:04 +0100
+Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
+ services"
+
+This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
+---
+ units/systemd-coredump@.service.in        | 1 -
+ units/systemd-hostnamed.service.in        | 1 -
+ units/systemd-initctl.service.in          | 1 -
+ units/systemd-journal-gatewayd.service.in | 1 -
+ units/systemd-journal-remote.service.in   | 1 -
+ units/systemd-journal-upload.service.in   | 1 -
+ units/systemd-journald.service.in         | 1 -
+ units/systemd-localed.service.in          | 1 -
+ units/systemd-logind.service.in           | 1 -
+ units/systemd-machined.service.in         | 1 -
+ units/systemd-networkd.service.in         | 1 -
+ units/systemd-resolved.service.in         | 1 -
+ units/systemd-rfkill.service.in           | 1 -
+ units/systemd-timedated.service.in        | 1 -
+ units/systemd-timesyncd.service.in        | 1 -
+ 15 files changed, 15 deletions(-)
+
+diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
+index ffcb5f36ca..74dcf7fe06 100644
+--- a/units/systemd-coredump@.service.in
++++ b/units/systemd-coredump@.service.in
+@@ -22,7 +22,6 @@ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ Nice=9
+-NoNewPrivileges=yes
+ OOMScoreAdjust=500
+ PrivateDevices=yes
+ PrivateNetwork=yes
+diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
+index 9c925e80d9..696d4e2e60 100644
+--- a/units/systemd-hostnamed.service.in
++++ b/units/systemd-hostnamed.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
+index c276283908..f48d673d58 100644
+--- a/units/systemd-initctl.service.in
++++ b/units/systemd-initctl.service.in
+@@ -14,6 +14,5 @@ DefaultDependencies=no
+ 
+ [Service]
+ ExecStart=@rootlibexecdir@/systemd-initctl
+-NoNewPrivileges=yes
+ NotifyAccess=all
+ SystemCallArchitectures=native
+diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
+index ebc8bf9a25..5ef4ee0058 100644
+--- a/units/systemd-journal-gatewayd.service.in
++++ b/units/systemd-journal-gatewayd.service.in
+@@ -17,7 +17,6 @@ DynamicUser=yes
+ ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ ProtectControlGroups=yes
+diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
+index 29a99aaec1..ec1311da88 100644
+--- a/units/systemd-journal-remote.service.in
++++ b/units/systemd-journal-remote.service.in
+@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
+ LockPersonality=yes
+ LogsDirectory=journal/remote
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
+index 92cd4e5259..a15744e1e8 100644
+--- a/units/systemd-journal-upload.service.in
++++ b/units/systemd-journal-upload.service.in
+@@ -18,7 +18,6 @@ DynamicUser=yes
+ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index 4684f095c0..7b659d4b03 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ Restart=always
+ RestartSec=0
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
+index 01e0703d0e..7d40fb4897 100644
+--- a/units/systemd-localed.service.in
++++ b/units/systemd-localed.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
+index 38a7f269ac..6b362ccdca 100644
+--- a/units/systemd-logind.service.in
++++ b/units/systemd-logind.service.in
+@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ Restart=always
+ RestartSec=0
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
+index 9f1476814d..d90e71ae67 100644
+--- a/units/systemd-machined.service.in
++++ b/units/systemd-machined.service.in
+@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
+index 472ef045de..f23bf227fb 100644
+--- a/units/systemd-networkd.service.in
++++ b/units/systemd-networkd.service.in
+@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
+ ExecStart=!!@rootlibexecdir@/systemd-networkd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+ ProtectKernelModules=yes
+diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
+index 3144b70063..d08842f0d4 100644
+--- a/units/systemd-resolved.service.in
++++ b/units/systemd-resolved.service.in
+@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+ ExecStart=!!@rootlibexecdir@/systemd-resolved
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
+index 3abb958310..7447ed5b5b 100644
+--- a/units/systemd-rfkill.service.in
++++ b/units/systemd-rfkill.service.in
+@@ -18,7 +18,6 @@ Before=shutdown.target
+ 
+ [Service]
+ ExecStart=@rootlibexecdir@/systemd-rfkill
+-NoNewPrivileges=yes
+ StateDirectory=systemd/rfkill
+ TimeoutSec=30s
+ Type=notify
+diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
+index 6d53024195..1105f1a980 100644
+--- a/units/systemd-timedated.service.in
++++ b/units/systemd-timedated.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
+index 03ade45d08..8b99e92e01 100644
+--- a/units/systemd-timesyncd.service.in
++++ b/units/systemd-timesyncd.service.in
+@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
+ ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+-- 
+2.19.2
+

0003-Ignore-failure-to-setup-private-dev.patch

@@ -0,0 +1,46 @@
+From dbe7ff3240dd30240402632dfa9d95a71f425267 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 15 Jan 2019 10:34:10 +0100
+Subject: [PATCH] Ignore failure to setup private /dev
+
+This partially reverts 1beab8b0d0.
+---
+ src/core/namespace.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/namespace.c b/src/core/namespace.c
+index c2ca3e0334..6113b9a5ea 100644
+--- a/src/core/namespace.c
++++ b/src/core/namespace.c
+@@ -58,6 +58,7 @@ typedef struct MountEntry {
+         bool has_prefix:1;        /* Already is prefixed by the root dir? */
+         bool read_only:1;         /* Shall this mount point be read-only? */
+         bool applied:1;           /* Already applied */
++        bool xxx:1;
+         char *path_malloc;        /* Use this instead of 'path_const' if we had to allocate memory */
+         const char *source_const; /* The source path, for bind mounts */
+         char *source_malloc;
+@@ -1413,7 +1414,10 @@ int setup_namespace(
+                                 }
+ 
+                                 r = apply_mount(root, m);
+-                                if (r < 0)
++                                if (m->mode == PRIVATE_DEV && IN_SET(r, -EPERM, -EACCES)) {
++                                        m->xxx = true;
++                                        log_warning_errno(r, "Failed to prepare private /dev, ignoring: %m");
++                                } else if (r < 0)
+                                         goto finish;
+ 
+                                 m->applied = true;
+@@ -1433,6 +1437,8 @@ int setup_namespace(
+ 
+                 /* Second round, flip the ro bits if necessary. */
+                 for (m = mounts; m < mounts + n_mounts; ++m) {
++                        if (m->xxx)
++                                continue;
+                         r = make_read_only(m, blacklist, proc_self_mountinfo);
+                         if (r < 0)
+                                 goto finish;
+-- 
+2.19.2
+

0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

@@ -1,4 +1,4 @@
-From b727694500d24d19ac0d7c51c1eb67c281f2f301 Mon Sep 17 00:00:00 2001
+From 86aa208e639b119007332718aa4f453af2a061d0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Fri, 11 Mar 2016 17:06:17 -0500
 Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
@@ -18,11 +18,11 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085
  2 files changed, 4 insertions(+), 3 deletions(-)
 
 diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
-index a4cda0b5ef..68bca80777 100644
+index f4efddf8e5..3386e3bf67 100644
 --- a/src/resolve/resolved.c
 +++ b/src/resolve/resolved.c
-@@ -71,6 +71,10 @@ int main(int argc, char *argv[]) {
-         /* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
+@@ -45,6 +45,10 @@ static int run(int argc, char *argv[]) {
+         /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
           * privileges are already dropped. */
          if (getuid() == 0) {
 +                r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
@@ -46,3 +46,6 @@ index df8d42101c..928105ea8d 100644
  C /etc/nsswitch.conf - - - -
  m4_ifdef(`HAVE_PAM',
  C /etc/pam.d - - - -
+-- 
+2.19.2
+

sources

@@ -1 +1 @@
-SHA512 (systemd-239.tar.gz) = fd44590dfd148504c5ed1e67521efce50d84b627b7fc77015fa95dfa76d7a42297c56cc89eff40181809732024b16d48f2a87038cf435e0c63bc2b95ecd86b0f
+SHA512 (systemd-f02b547.tar.gz) = a7d774ed00d572eb2d9313ff25a09c707112443020d173d4d350bdb9b269fcef519da8efc2d93b3b72f4ebdd3ff295716e2f640f8c1e679cb24b26e71fca56ee

split-files.py

@@ -18,6 +18,7 @@ def files(root):
 o_libs = open('.file-list-libs', 'w')
 o_udev = open('.file-list-udev', 'w')
 o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
 o_devel = open('.file-list-devel', 'w')
 o_container = open('.file-list-container', 'w')
 o_remote = open('.file-list-remote', 'w')
@@ -40,12 +41,15 @@ for file in files(buildroot):
                     /usr/lib/firewalld(/services|)$|
                     /usr/share/(locale|licenses|doc)|             # no $
                     /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
+                    /etc/(dnf|dnf/protected.d)$|
                     /usr/(src|lib/debug)|                         # no $
                     /var(/cache|/log|/lib|/run|)$
     ''', n, re.X):
         continue
     if '/security/pam_' in n:
         o = o_pam
+    elif 'rpm/macros' in n:
+        o = o_rpm_macros
     elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
         o = o_devel
     elif '/usr/lib/systemd/tests' in n:

systemd-user

@@ -4,9 +4,7 @@
 
 account  include system-auth
 
-m4_ifdef(`HAVE_SELINUX',
 session  required pam_selinux.so close
 session  required pam_selinux.so nottys open
-)m4_dnl
 session  required pam_loginuid.so
 session  include system-auth

systemd.spec

@@ -1,7 +1,7 @@
-#global gitcommit 4b650021751ccd404dcb329ef5e312c8a93f7ce2
-%{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})}
+%global commit f02b5472c6f0c41e5dc8dc2c84590866baf937ff
+%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
 
-#global stable 1
+%global stable 1
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
 # strip the automatically generated dep here and instead co-own the
@@ -13,21 +13,21 @@
 %global user_unit_dir %{pkgdir}/user
 
 Name:           systemd
-Url:            http://www.freedesktop.org/wiki/Software/systemd
-Version:        239
-Release:        3%{?gitcommit:.git%{gitcommitshort}}.0.riscv64%{?dist}
+Url:            https://www.freedesktop.org/wiki/Software/systemd
+Version:        240
+Release:        6%{?commit:.git%{shortcommit}}.0.riscv64%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
 
 # download tarballs with "spectool -g systemd.spec"
-%if %{defined gitcommit}
-Source0:        https://github.com/systemd/systemd%{?stable:-stable}/archive/%{?gitcommit}.tar.gz#/%{name}-%{gitcommitshort}.tar.gz
+%if %{defined commit}
+Source0:        https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 %else
-Source0:        https://github.com/systemd/systemd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source0:        https://github.com/systemd/systemd/archive/v%{version}/%{name}-%{version}.tar.gz
 %endif
 # This file must be available before %%prep.
-# It is generated during systemd build and can be found in src/core/.
+# It is generated during systemd build and can be found in build/src/core/.
 Source1:        triggers.systemd
 Source2:        split-files.py
 Source3:        purge-nobody-user
@@ -42,7 +42,7 @@ Source8:        systemd-journal-gatewayd.xml
 Source9:        20-yama-ptrace.conf
 Source10:       systemd-udev-trigger-no-reload.conf
 Source11:       20-grubby.install
-Source12:       https://raw.githubusercontent.com/systemd/systemd/1000522a60ceade446773c67031b47a566d4a70d/src/login/systemd-user.m4
+Source12:       systemd-user
 
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -50,10 +50,10 @@ i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|
 GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch
 %endif
 
-Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
-Patch0999:      glibc-statx.patch
+Patch0002:      0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
+Patch0003:      0003-Ignore-failure-to-setup-private-dev.patch
 
-%global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
+Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
 
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
@@ -102,21 +102,24 @@ BuildRequires:  gnu-efi gnu-efi-devel
 %ifnarch riscv64
 BuildRequires:  libseccomp-devel
 %endif
-%if %{num_patches}
 BuildRequires:  git
-%endif
 BuildRequires:  meson >= 0.43
 BuildRequires:  gettext
+# We use RUNNING_ON_VALGRIND in tests, so the headers need to be available
+BuildRequires:  valgrind-devel
 
 Requires(post): coreutils
 Requires(post): sed
 Requires(post): acl
 Requires(post): grep
+# systemd-machine-id-setup requires libssl
+Requires(post): openssl-libs
 Requires(pre):  coreutils
 Requires(pre):  /usr/bin/getent
 Requires(pre):  /usr/sbin/groupadd
 Requires:       dbus >= 1.9.18
 Requires:       %{name}-pam = %{version}-%{release}
+Requires:       %{name}-rpm-macros = %{version}-%{release}
 Requires:       %{name}-libs = %{version}-%{release}
 Recommends:     diffutils
 Requires:       util-linux
@@ -147,10 +150,10 @@ implements an elaborate transactional dependency-based service control
 logic. systemd supports SysV and LSB init scripts and works as a
 replacement for sysvinit. Other parts of this package are a logging daemon,
 utilities to control basic system configuration like the hostname,
-date, locale, maintain a list of logged-in users and running
-containers and virtual machines, system accounts, runtime directories
-and settings, and daemons to manage simple network configuration,
-network time synchronization, log forwarding, and name resolution.
+date, locale, maintain a list of logged-in users, system accounts,
+runtime directories and settings, and daemons to manage simple network
+configuration, network time synchronization, log forwarding, and name
+resolution.
 
 %package libs
 Summary:        systemd libraries
@@ -177,6 +180,14 @@ Requires:       %{name} = %{version}-%{release}
 %description pam
 Systemd PAM module registers the session with systemd-logind.
 
+%package rpm-macros
+Summary:        Macros that define paths and scriptlets related to systemd
+BuildArch:      noarch
+
+%description rpm-macros
+Just the definitions of rpm macros. Use %%{?systemd_requires} in the
+binary packages that use any scriptlets from this package.
+
 %package devel
 Summary:        Development headers for systemd
 License:        LGPLv2+ and MIT
@@ -263,21 +274,7 @@ License:       LGPLv2+
 They can be useful to test systemd internals.
 
 %prep
-%setup -q %{?gitcommit:-n %{name}%{?stable:-stable}-%{gitcommit}}
-
-%if %{num_patches}
-    git init
-    git config user.email "systemd-maint@redhat.com"
-    git config user.name "Fedora systemd team"
-    git add .
-    git commit -a -q -m "%{version} baseline."
-
-    # Apply all the patches.
-    git am %{patches}
-%endif
-
-# Restore systemd-user pam config from before "removal of Fedora-specific bits"
-cp -p %{SOURCE12} src/login/
+%autosetup %{?commit:-n %{name}%{?stable:-stable}-%{commit}} -p1 -Sgit
 
 %build
 %define ntpvendor %(source /etc/os-release; echo ${ID})
@@ -338,11 +335,6 @@ CONFIGURE_OPTS=(
 %meson "${CONFIGURE_OPTS[@]}"
 %meson_build
 
-if diff %{SOURCE1} %{_vpath_builddir}/triggers.systemd; then
-   echo -e "\n\n\nWARNING: triggers.systemd in Source1 is different!"
-   echo -e "      cp %{_vpath_builddir}/triggers.systemd %{SOURCE1}\n\n\n"
-fi
-
 %install
 %meson_install
 
@@ -404,21 +396,23 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/private
 mkdir -p %{buildroot}%{_localstatedir}/log/private
 mkdir -p %{buildroot}%{_localstatedir}/cache/private
 mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload
-mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/timesync
+mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/timesync
 ln -s ../private/systemd/journal-upload %{buildroot}%{_localstatedir}/lib/systemd/journal-upload
-ln -s ../private/systemd/timesync %{buildroot}%{_localstatedir}/lib/systemd/timesync
 mkdir -p %{buildroot}%{_localstatedir}/log/journal
 touch %{buildroot}%{_localstatedir}/lib/systemd/catalog/database
 touch %{buildroot}%{_sysconfdir}/udev/hwdb.bin
 touch %{buildroot}%{_localstatedir}/lib/systemd/random-seed
-touch %{buildroot}%{_localstatedir}/lib/private/systemd/timesync/clock
+touch %{buildroot}%{_localstatedir}/lib/systemd/timesync/clock
 touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state
 
 # Install yum protection fragment
-install -Dm0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/yum/protected.d/systemd.conf
+install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf
 
 install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8}
 
+# Restore systemd-user pam config from before "removal of Fedora-specific bits"
+install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12}
+
 # Install additional docs
 # https://bugzilla.redhat.com/show_bug.cgi?id=1234951
 install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9}
@@ -426,10 +420,19 @@ install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9}
 # https://bugzilla.redhat.com/show_bug.cgi?id=1378974
 install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10}
 
+# A temporary work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1663040
+mkdir -p %{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/
+cat >%{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/disable-privatedevices.conf <<EOF
+[Service]
+PrivateDevices=no
+EOF
+
 install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11}
 
 install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
 
+sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
+
 %find_lang %{name}
 
 # Split files in build root into rpms. See split-files.py for the
@@ -450,13 +453,13 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %config(noreplace) /etc/locale.conf
 %ghost %config(noreplace) /etc/machine-id
 %ghost %config(noreplace) /etc/machine-info
-%ghost %dir /var/cache/private
-%ghost %dir /var/lib/private
+%ghost %attr(0700,root,root) %dir /var/cache/private
+%ghost %attr(0700,root,root) %dir /var/lib/private
 %ghost %dir /var/lib/private/systemd
 %ghost %dir /var/lib/private/systemd/journal-upload
 %ghost /var/lib/private/systemd/journal-upload/state
-%ghost %dir /var/lib/private/systemd/timesync
-%ghost /var/lib/private/systemd/timesync/clock
+%ghost %dir /var/lib/systemd/timesync
+%ghost /var/lib/systemd/timesync/clock
 %ghost %dir /var/lib/systemd/backlight
 %ghost /var/lib/systemd/catalog/database
 %ghost %dir /var/lib/systemd/coredump
@@ -464,10 +467,9 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %dir /var/lib/systemd/linger
 %ghost /var/lib/systemd/random-seed
 %ghost %dir /var/lib/systemd/rfkill
-%ghost /var/lib/systemd/timesync
 %ghost %dir /var/log/journal
 %ghost %dir /var/log/journal/remote
-%ghost %dir /var/log/private
+%ghost %attr(0700,root,root) %dir /var/log/private
 EOF
 
 %check
@@ -502,9 +504,10 @@ systemctl daemon-reexec &>/dev/null || :
 journalctl --update-catalog &>/dev/null || :
 systemd-tmpfiles --create &>/dev/null || :
 
-if [ $1 -eq 1 ] ; then
-     # create /var/log/journal only on initial installation
-     mkdir -p %{_localstatedir}/log/journal
+# create /var/log/journal only on initial installation,
+# and only if it's writable (it won't be in rpm-ostree).
+if [ $1 -eq 1 ] && [ -w %{_localstatedir} ]; then
+    mkdir -p %{_localstatedir}/log/journal
 fi
 
 # Make sure new journal files will be owned by the "systemd-journal" group
@@ -514,34 +517,15 @@ chmod g+s /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /
 # Apply ACL to the journal directory
 setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :
 
-# Stop-gap until rsyslog.rpm does this on its own. (This is supposed
-# to fail when the link already exists)
-ln -s /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service &>/dev/null || :
-
-# Remove spurious /etc/fstab entries from very old installations
-# https://bugzilla.redhat.com/show_bug.cgi?id=1009023
-if [ -e /etc/fstab ]; then
-   grep -v -E -q '^(devpts|tmpfs|sysfs|proc)' /etc/fstab || \
-         sed -i.rpm.bak -r '/^devpts\s+\/dev\/pts\s+devpts\s+defaults\s+/d; /^tmpfs\s+\/dev\/shm\s+tmpfs\s+defaults\s+/d; /^sysfs\s+\/sys\s+sysfs\s+defaults\s+/d; /^proc\s+\/proc\s+proc\s+defaults\s+/d' /etc/fstab || :
-fi
-
-# Services we install by default, and which are controlled by presets.
+# We reset the enablement of all services upon initial installation
+# https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23
+# This will fix up enablement of any preset services that got installed
+# before systemd due to rpm ordering problems:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1647172
 if [ $1 -eq 1 ] ; then
-        systemctl preset --quiet \
-                remote-fs.target \
-                getty@.service \
-                serial-getty@.service \
-                console-getty.service \
-                debug-shell.service \
-                systemd-networkd.service \
-                systemd-networkd-wait-online.service \
-                systemd-resolved.service \
-                >/dev/null || :
+        systemctl preset-all &>/dev/null || :
 fi
 
-# remove obsolete systemd-readahead file
-rm -f /.readahead &>/dev/null || :
-
 %preun
 if [ $1 -eq 0 ] ; then
         systemctl disable --quiet \
@@ -563,36 +547,33 @@ fi
 %post libs
 %{?ldconfig}
 
-if [ -f /etc/nsswitch.conf ] ; then
-        # sed-fu to add myhostanme to hosts line
-        grep -v -E -q '^hosts:.* myhostname' /etc/nsswitch.conf &&
+function mod_nss() {
+    if [ -f "$1" ] ; then
+        # sed-fu to add myhostname to hosts line
+        grep -E -q '^hosts:.* myhostname' "$1" ||
         sed -i.bak -e '
                 /^hosts:/ !b
                 /\<myhostname\>/ b
                 s/[[:blank:]]*$/ myhostname/
-                ' /etc/nsswitch.conf &>/dev/null || :
-
-        # remove mymachines from passwd and group lines of /etc/nsswitch.conf
-        # https://bugzilla.redhat.com/show_bug.cgi?id=1284325
-        # https://meetbot.fedoraproject.org/fedora-meeting/2015-11-25/fesco.2015-11-25-18.00.html
-        # To avoid the removal, e.g. add a space at the end of the line.
-        grep -E -q '^(passwd|group):.* mymachines$' /etc/nsswitch.conf &&
-        sed -i.bak -r -e '
-                s/^(passwd:.*) mymachines$/\1/;
-                s/^(group:.*) mymachines$/\1/;
-                ' /etc/nsswitch.conf &>/dev/null || :
-
-        # Add [!UNAVAIL=return] after resolve
-        grep -E -q '^hosts:.*resolve[[:space:]]*($|[[:alpha:]])' /etc/nsswitch.conf &&
-        sed -i.bak -e '
-                /^hosts:/ { s/resolve/& [!UNAVAIL=return]/}
-                ' /etc/nsswitch.conf &>/dev/null || :
+                ' "$1" &>/dev/null || :
 
         # Add nss-systemd to passwd and group
-        grep -E -q '^(passwd|group):.* systemd' /etc/nsswitch.conf ||
+        grep -E -q '^(passwd|group):.* systemd' "$1" ||
         sed -i.bak -r -e '
                 s/^(passwd|group):(.*)/\1: \2 systemd/
-                ' /etc/nsswitch.conf &>/dev/null || :
+                ' "$1" &>/dev/null || :
+    fi
+}
+
+FILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
+if [ "$FILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
+        mod_nss "/etc/authselect/user-nsswitch.conf"
+        authselect apply-changes &> /dev/null || :
+else
+        mod_nss "$FILE"
+        # also apply the same changes to user-nsswitch.conf to affect
+        # possible future authselect configuration
+        mod_nss "/etc/authselect/user-nsswitch.conf"
 fi
 
 # check if nobody or nfsnobody is defined
@@ -615,10 +596,22 @@ fi
 
 %global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service
 
+%pre udev
+getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || :
+getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || :
+
 %post udev
 # Move old stuff around in /var/lib
 mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null
 mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null
+if [ -L %{_localstatedir}/lib/systemd/timesync ]; then
+    rm %{_localstatedir}/lib/systemd/timesync
+    mv %{_localstatedir}/lib/private/systemd/timesync %{_localstatedir}/lib/systemd/timesync
+fi
+if [ -f %{_localstatedir}/lib/systemd/clock ] ; then
+    mkdir -p %{_localstatedir}/lib/systemd/timesync
+    mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/.
+fi
 
 udevadm hwdb --update &>/dev/null
 %systemd_post %udev_services
@@ -631,12 +624,6 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null &&
 
 %preun udev
 %systemd_preun %udev_services
-if [ $1 -eq 1 ] ; then
-    if [ -f %{_localstatedir}/lib/systemd/clock ] ; then
-        mkdir -p %{_localstatedir}/lib/private/systemd/timesync
-        mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/private/systemd/timesync/.
-    fi
-fi
 
 %postun udev
 # Only restart systemd-udev, to run the upgraded dameon.
@@ -699,6 +686,8 @@ fi
 
 %files pam -f .file-list-pam
 
+%files rpm-macros -f .file-list-rpm-macros
+
 %files devel -f .file-list-devel
 
 %files udev -f .file-list-udev
@@ -710,9 +699,110 @@ fi
 %files tests -f .file-list-tests
 
 %changelog
-* Wed Aug 01 2018 David Abdurachmanov <david.abdurachmanov@gmail.com> - 239-3.0.riscv64
+* Wed Jan 16 2019 David Abdurachmanov <david.abdurachmanov@gmail.com> - 240-6.0.riscv64
 - Disable libseccomp on riscv64 (RISC-V) until it's ported upstream
 
+* Tue Jan 15 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-6.gitf02b547
+- Add a work-around for #1663040
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org>
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-4.gitf02b547
+- Add a work-around for selinux issue on live images (#1663040)
+
+* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-3.gitf02b547
+- systemd-journald and systemd-journal-remote reject entries which
+  contain too many fields (CVE-2018-16865, #1664973) and set limits on the
+  process' command line length (CVE-2018-16864, #1664972)
+- $DBUS_SESSION_BUS_ADDRESS is again exported by pam_systemd (#1662857)
+- A fix for systemd-udevd crash (#1662303)
+
+* Sat Dec 22 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-2
+- Add two more patches that revert recent udev changes
+
+* Fri Dec 21 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 240-1
+- Update to latest release
+  See https://github.com/systemd/systemd/blob/master/NEWS for the list of changes.
+
+* Mon Dec 17 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-10.git9f3aed1
+- Hibernation checks for resume= are rescinded (#1645870)
+- Various patches:
+  - memory issues in logind, networkd, journald (#1653068), sd-device, etc.
+  - Adaptations for newer meson, lz4, kernel
+  - Fixes for misleading bugs in documentation
+- net.ipv4.conf.all.rp_filter is changed from 1 to 2
+
+* Thu Nov 29 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+- Adjust scriptlets to modify /etc/authselect/user-nsswitch.conf
+  (see https://github.com/pbrezina/authselect/issues/77)
+- Drop old scriptlets for nsswitch.conf modifications for nss-mymachines and nss-resolve
+
+* Sun Nov 18 2018 Alejandro Domínguez Muñoz <adomu@net-c.com>
+- Remove link creation for rsyslog.service
+
+* Thu Nov  8 2018 Adam Williamson <awilliam@redhat.com> - 239-9.git9f3aed1
+- Go back to using systemctl preset-all in %post (#1647172, #1118740)
+
+* Mon Nov  5 2018 Adam Williamson <awilliam@redhat.com> - 239-8.git9f3aed1
+- Requires(post) openssl-libs to fix live image build machine-id issue
+  See: https://pagure.io/dusty/failed-composes/issue/960
+
+* Mon Nov  5 2018 Yu Watanabe <watanabe.yu@gmail.com>
+- Set proper attributes to private directories
+
+* Fri Nov  2 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-7.git9f3aed1
+- Split out the rpm macros into systemd-rpm-macros subpackage (#1645298)
+
+* Sun Oct 28 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-6.git9f3aed1
+- Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076)
+- Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071)
+- Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067)
+- The DHCP server is started only when link is UP
+- DHCPv6 prefix delegation is improved
+- Downgrade logging of various messages and add loging in other places
+- Many many fixes in error handling and minor memory leaks and such
+- Fix typos and omissions in documentation
+- Typo in %%_environmnentdir rpm macro is fixed (with backwards compatiblity preserved)
+- Matching by MACAddress= in systemd-networkd is fixed
+- Creation of user runtime directories is improved, and the user
+  manager is only stopped after 10 s after the user logs out (#1642460 and other bugs)
+- systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0
+- Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression.
+- "systemctl --wait start" exits immediately if no valid units are named
+- zram devices are not considered as candidates for hibernation
+- ECN is not requested for both in- and out-going connections (the sysctl overide for net.ipv4.tcp_ecn is removed)
+- Various smaller improvements to unit ordering and dependencies
+- generators are now called with the manager's environment
+- Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues
+- The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where
+  the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents.
+- Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user
+  threads are used by bpfilter.
+- "noresume" can be used on the kernel command line to force normal boot even if a hibernation images is present
+- Hibernation is not advertised if resume= is not present on the kernenl command line
+- Hibernation/Suspend/... modes can be disabled using AllowSuspend=,
+  AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep=
+- LOGO= and DOCUMENTATION_URL= are documented for the os-release file
+- The hashmap mempool is now only used internally in systemd, and is disabled for external users of the systemd libraries
+- Additional state is serialized/deserialized when logind is restarted, fixing the handling of user objects
+- Catalog entries for the journal are improved (#1639482)
+- If suspend fails, the post-suspend hooks are still called.
+- Various build issues on less-common architectures are fixed
+
+* Wed Oct  3 2018 Jan Synáček <jsynacek@redhat.com> - 239-5
+- Fix meson using -Ddebug, which results in FTBFS
+- Fix line_begins() to accept word matching full string (#1631840)
+
+* Mon Sep 10 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 239-4
+- Move /etc/yum/protected.d/systemd.conf to /etc/dnf/ (#1626969)
+
+* Wed Jul 18 2018 Terje Rosten <terje.rosten@ntnu.no> - 239-3
+- Ignore return value from systemd-binfmt in scriptlet (#1565425)
+
+* Sun Jul 15 2018 Filipe Brandenburger <filbranden@gmail.com>
+- Override systemd-user PAM config in install and not prep
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org>
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
@@ -1199,7 +1289,8 @@ Resolves: rhbz#1299019
 * Thu May 21 2015 Lennart Poettering <lpoetter@redhat.com> - 220-1
 - New upstream release
 - Drop /etc/mtab hack, as that's apparently fixed in mock now (#1116158)
-- Remove ghosting for %%{_sysconfdir}/systemd/system/runlevel*.target, these targets are not configurable anymore in systemd upstream
+- Remove ghosting for /etc/systemd/system/runlevel*.target, these
+  targets are not configurable anymore in systemd upstream
 - Drop work-around for #1002806, since this is solved upstream now
 
 * Wed May 20 2015 Dennis Gilmore <dennis@ausil.us> - 219-15

triggers.systemd

@@ -105,5 +105,7 @@ fi
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d /run/systemd/system; then
-  /usr/lib/systemd/systemd-binfmt
+  # systemd-binfmt might fail if binfmt_misc kernel module is not loaded
+  # during install
+  /usr/lib/systemd/systemd-binfmt || :
 fi