authorNicolas Iooss2016-12-18 20:02:16 +0100
committerNicolas Iooss2016-12-18 20:02:16 +0100
commit94484d635ee6b5fe337e581f139de317f792ebff (patch)
treefd5f90f6aea23413d09f63f03e09310e176cbf03
parentc18a356669a37eb81bdd9b56f77a7ee8d1ae08c3 (diff)
downloadaur-94484d635ee6b5fe337e581f139de317f792ebff.tar.gz
systemd-selinux 232-6 update
-rw-r--r--.SRCINFO14
-rw-r--r--0001-nspawn-don-t-hide-bind-tmp-mounts.patch26
-rw-r--r--PKGBUILD22
-rw-r--r--systemd-user.pam5
4 files changed, 56 insertions, 11 deletions
diff --git a/.SRCINFO b/.SRCINFO
index e9ac5b1027af..6adc0257091f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = systemd-selinux
pkgver = 232
- pkgrel = 4
+ pkgrel = 6
url = https://www.github.com/systemd/systemd
arch = i686
arch = x86_64
@@ -37,9 +37,11 @@ pkgbase = systemd-selinux
source = arch.conf
source = loader.conf
source = splash-arch.bmp::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/splash-arch.bmp?h=packages/systemd&id=e43ddb71a5b1ab56e898347a63e54c5d5d07728a
+ source = systemd-user.pam
source = udev-hwdb.hook
source = 0001-disable-RestrictAddressFamilies-on-i686.patch
source = 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
+ source = 0001-nspawn-don-t-hide-bind-tmp-mounts.patch
validpgpkeys = 63CDA1E5D3FC22B998D20DD6327F26951A015CC4
sha512sums = SKIP
sha512sums = f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73
@@ -48,9 +50,11 @@ pkgbase = systemd-selinux
sha512sums = 61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648
sha512sums = c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5
sha512sums = 5a1d78b5170da5abe3d18fdf9f2c3a4d78f15ba7d1ee9ec2708c4c9c2e28973469bc19386f70b3cf32ffafbe4fcc4303e5ebbd6d5187a1df3314ae0965b25e75
+ sha512sums = b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19
sha512sums = 888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862
sha512sums = 89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f
sha512sums = b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219
+ sha512sums = 68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35
pkgname = systemd-selinux
pkgdesc = system and service manager with SELinux support
@@ -84,7 +88,7 @@ pkgname = systemd-selinux
provides = nss-myhostname
provides = systemd-tools=232
provides = udev=232
- provides = systemd=232-4
+ provides = systemd=232-6
conflicts = nss-myhostname
conflicts = systemd-tools
conflicts = udev
@@ -116,15 +120,15 @@ pkgname = libsystemd-selinux
depends = xz
provides = libsystemd.so
provides = libudev.so
- provides = libsystemd=232-4
+ provides = libsystemd=232-6
conflicts = libsystemd
pkgname = systemd-sysvcompat-selinux
pkgdesc = sysvinit compat for systemd with SELinux support
license = GPL2
depends = systemd-selinux
- provides = systemd-sysvcompat=232-4
- provides = selinux-systemd-sysvcompat=232-4
+ provides = systemd-sysvcompat=232-6
+ provides = selinux-systemd-sysvcompat=232-6
conflicts = sysvinit
conflicts = systemd-sysvcompat
conflicts = selinux-systemd-sysvcompat
diff --git a/0001-nspawn-don-t-hide-bind-tmp-mounts.patch b/0001-nspawn-don-t-hide-bind-tmp-mounts.patch
new file mode 100644
index 000000000000..a5336ece5730
--- /dev/null
+++ b/0001-nspawn-don-t-hide-bind-tmp-mounts.patch
@@ -0,0 +1,26 @@
+From 7ec42a45410cb27140292d85ebb0e4b6dcea5555 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 7 Dec 2016 13:45:48 -0500
+Subject: [PATCH] nspawn: don't hide --bind=/tmp/* mounts
+
+This is a v232-applicable version of upstream c9fd987279a462e.
+---
+ src/nspawn/nspawn-mount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 115de64..2dabe2a 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -382,7 +382,7 @@ int mount_all(const char *dest,
+ { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
+ { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
+- { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, true, false },
++ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
+ #ifdef HAVE_SELINUX
+ { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
+ { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
+--
+2.10.2
+
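Review bot: The only change in the `/tmp` row is the second of three positional booleans, and neither the patch description nor the table line says which field that is or why flipping it stops `--bind=/tmp/*` mounts from being hidden. If it is the user-namespace flag of the v232 mount table (presumably `in_userns`; the struct definition is outside this hunk), the description should say so, for example `Mount the /tmp tmpfs in the first mount pass so that later --bind=/tmp/... mounts are not covered by it.` The same row carries only `MS_STRICTATIME`, while the `/dev/shm` and `/run` rows above it add `MS_NOSUID|MS_NODEV`. That predates this patch, but it is worth confirming it is intended for a world-writable mount inside a container. `mount_all` starts and ends outside the hunk.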
diff --git a/PKGBUILD b/PKGBUILD
index 41282d5fee77..8f733d50c30a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@
pkgbase=systemd-selinux
pkgname=('systemd-selinux' 'libsystemd-selinux' 'systemd-sysvcompat-selinux')
pkgver=232
-pkgrel=4
+pkgrel=6
arch=('i686' 'x86_64')
url="https://www.github.com/systemd/systemd"
groups=('selinux')
@@ -26,9 +26,11 @@ source=("git+https://github.com/systemd/systemd.git#tag=v$pkgver"
'arch.conf'
'loader.conf'
'splash-arch.bmp::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/splash-arch.bmp?h=packages/systemd&id=e43ddb71a5b1ab56e898347a63e54c5d5d07728a'
+ 'systemd-user.pam'
'udev-hwdb.hook'
'0001-disable-RestrictAddressFamilies-on-i686.patch'
- '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch')
+ '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch'
+ '0001-nspawn-don-t-hide-bind-tmp-mounts.patch')
sha512sums=('SKIP'
'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73'
'52af734947a768758d5eb3f18e31a1cfec6699eca6fa10e40b90c7f11991509186c0a696e3490af3eaba80064ea4cb93e041579abf05addf072d294300aa4b28'
@@ -36,9 +38,11 @@ sha512sums=('SKIP'
'61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648'
'c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5'
'5a1d78b5170da5abe3d18fdf9f2c3a4d78f15ba7d1ee9ec2708c4c9c2e28973469bc19386f70b3cf32ffafbe4fcc4303e5ebbd6d5187a1df3314ae0965b25e75'
+ 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19'
'888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
'89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
- 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219')
+ 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219'
+ '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35')
validpgpkeys=(
'63CDA1E5D3FC22B998D20DD6327F26951A015CC4' # Lennart Poettering
)
@@ -48,6 +52,9 @@ _backports=(
'abd67ce74858491565cde157c7b08fda43d3279c' # basic/virt: fix userns check on CONFIG_USER_NS=n kernel (#4651)
'4318abe8d26e969ebdb97744a63ab900233a0185' # build-sys: do not install ctrl-alt-del.target symlink twice
'd112eae7da77899be245ab52aa1747d4675549f1' # device: Avoid calling unit_free(NULL) in device setup logic (#4748)
+ 'cfed63f60dd7412c199652825ed172c319b02b3c' # nspawn: fix exit code for --help and --version (#4609)
+ '3099caf2b5bb9498b1d0227c40926435ca81f26f' # journal: make sure to initially populate the space info cache (#4807)
+ '3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717)
)
_validate_tag() {
@@ -86,6 +93,9 @@ prepare() {
git cherry-pick -n "${_backports[@]}"
fi
+ # https://github.com/systemd/systemd/issues/4789
+ patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch
+
# these patches aren't upstream, but they make v232 more useable.
# https://github.com/systemd/systemd/issues/4575
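Review bot: The added `patch -Np1 <../0001-nspawn-don-t-hide-bind-tmp-mounts.patch` reaches the patch through a path relative to whatever directory `prepare()` is in at that point, which this hunk does not show. Anchoring it to the source directory makes it independent of earlier `cd` calls: `patch -Np1 -i "$srcdir/0001-nspawn-don-t-hide-bind-tmp-mounts.patch"`. The `install -Dm644 systemd-user.pam …` line added to `package_systemd-selinux()` has the same issue, while its neighbours already use `"$srcdir/…"`. Writing it as `install -Dm644 "$srcdir/systemd-user.pam" "$pkgdir/etc/pam.d/systemd-user"` would match them. `prepare()` starts and ends outside the hunk.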
@@ -188,9 +198,6 @@ package_systemd-selinux() {
# we'll create this on installation
rmdir "$pkgdir/var/log/journal/remote"
- # fix pam file
- sed 's|system-auth|system-login|g' -i "$pkgdir/etc/pam.d/systemd-user"
-
# ship default policy to leave services disabled
echo 'disable *' >"$pkgdir"/usr/lib/systemd/system-preset/99-default.preset
@@ -206,6 +213,9 @@ package_systemd-selinux() {
install -Dm644 "$srcdir/splash-arch.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-arch.bmp
install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook"
+
+ # overwrite the systemd-user PAM configuration with our own
+ install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user"
}
package_libsystemd-selinux() {
diff --git a/systemd-user.pam b/systemd-user.pam
new file mode 100644
index 000000000000..83f762696e0e
--- /dev/null
+++ b/systemd-user.pam
@@ -0,0 +1,5 @@
+# Used by systemd --user instances.
+
+account include system-login
+session required pam_loginuid.so
+session include system-login
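Review bot: This static file has no `pam_selinux.so` session lines, yet the PKGBUILD now installs it over the `/etc/pam.d/systemd-user` produced by the build instead of sed-editing that file. As far as I recall, upstream's template emits `pam_selinux.so` close/open lines when systemd is built with SELinux, so for this SELinux package the `systemd --user` session may lose its context setup. If that is the case, add `session required pam_selinux.so close` before `pam_loginuid.so` and `session required pam_selinux.so nottys open` after it. If the SELinux variant of `system-login` already runs `pam_selinux`, a comment in this file saying so would be enough. A full replacement also drops any future upstream change to this PAM file silently, so it should be re-checked against upstream on each version bump.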