-rw-r--r--.SRCINFO40
-rw-r--r--0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch62
-rw-r--r--0001-disable-RestrictAddressFamilies-on-i686.patch30
-rw-r--r--PKGBUILD83
-rw-r--r--initcpio-install-systemd2
5 files changed, 178 insertions, 39 deletions
diff --git a/.SRCINFO b/.SRCINFO
index d7ff58426f51..e9ac5b1027af 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = systemd-selinux
- pkgver = 231
+ pkgver = 232
pkgrel = 4
- url = http://www.freedesktop.org/wiki/Software/systemd
+ url = https://www.github.com/systemd/systemd
arch = i686
arch = x86_64
groups = selinux
@@ -30,8 +30,7 @@ pkgbase = systemd-selinux
makedepends = git
makedepends = libselinux
options = strip
- options = debug
- source = git://github.com/systemd/systemd.git#tag=v231
+ source = git+https://github.com/systemd/systemd.git#tag=v232
source = initcpio-hook-udev
source = initcpio-install-systemd
source = initcpio-install-udev
@@ -39,14 +38,19 @@ pkgbase = systemd-selinux
source = loader.conf
source = splash-arch.bmp::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/splash-arch.bmp?h=packages/systemd&id=e43ddb71a5b1ab56e898347a63e54c5d5d07728a
source = udev-hwdb.hook
- md5sums = SKIP
- md5sums = 90ea67a7bb237502094914622a39e281
- md5sums = 55ea7d81c02d090b65c42a88f1a5a21a
- md5sums = 1b3aa3a0551b08af9305d33f85b5c2fc
- md5sums = 20ead378f5d6df4b2a3e670301510a7d
- md5sums = ddaef54f68f6c86c6c07835fc668f62a
- md5sums = 1e2f9a8b0fa32022bf0a8f39123e5f4e
- md5sums = a475a5ed8f03fb0f6b58b4684998d05c
+ source = 0001-disable-RestrictAddressFamilies-on-i686.patch
+ source = 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
+ validpgpkeys = 63CDA1E5D3FC22B998D20DD6327F26951A015CC4
+ sha512sums = SKIP
+ sha512sums = f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73
+ sha512sums = 52af734947a768758d5eb3f18e31a1cfec6699eca6fa10e40b90c7f11991509186c0a696e3490af3eaba80064ea4cb93e041579abf05addf072d294300aa4b28
+ sha512sums = fec639de0d99967ed3e67289eff5ff78fff0c5829d350e73bed536a8391f1daa1d118d72dbdc1f480ffd33fc22b72f4817d0973bd09ec7f182fd26ad87b24355
+ sha512sums = 61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648
+ sha512sums = c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5
+ sha512sums = 5a1d78b5170da5abe3d18fdf9f2c3a4d78f15ba7d1ee9ec2708c4c9c2e28973469bc19386f70b3cf32ffafbe4fcc4303e5ebbd6d5187a1df3314ae0965b25e75
+ sha512sums = 888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862
+ sha512sums = 89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f
+ sha512sums = b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219
pkgname = systemd-selinux
pkgdesc = system and service manager with SELinux support
@@ -78,9 +82,9 @@ pkgname = systemd-selinux
optdepends = systemd-sysvcompat: symlink package to provide sysvinit binaries
optdepends = polkit: allow administration as unprivileged user
provides = nss-myhostname
- provides = systemd-tools=231
- provides = udev=231
- provides = systemd=231-4
+ provides = systemd-tools=232
+ provides = udev=232
+ provides = systemd=232-4
conflicts = nss-myhostname
conflicts = systemd-tools
conflicts = udev
@@ -112,15 +116,15 @@ pkgname = libsystemd-selinux
depends = xz
provides = libsystemd.so
provides = libudev.so
- provides = libsystemd=231-4
+ provides = libsystemd=232-4
conflicts = libsystemd
pkgname = systemd-sysvcompat-selinux
pkgdesc = sysvinit compat for systemd with SELinux support
license = GPL2
depends = systemd-selinux
- provides = systemd-sysvcompat=231-4
- provides = selinux-systemd-sysvcompat=231-4
+ provides = systemd-sysvcompat=232-4
+ provides = selinux-systemd-sysvcompat=232-4
conflicts = sysvinit
conflicts = systemd-sysvcompat
conflicts = selinux-systemd-sysvcompat
diff --git a/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch b/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
new file mode 100644
index 000000000000..5d47d01a463c
--- /dev/null
+++ b/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
@@ -0,0 +1,62 @@
+From 481712d9ee88395042f0640f272c1f87142bc0a8 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 9 Nov 2016 11:14:03 -0500
+Subject: [PATCH] Revert "nspawn: try to bind mount resolved's resolv.conf
+ snippet into the container"
+
+This reverts commit 3539724c26a1b2b00c4eb3c004b635a4b8647de6.
+---
+ src/nspawn/nspawn.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index c8b18bc..93df7c6 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -1309,35 +1309,24 @@ static int setup_resolv_conf(const char *dest) {
+ /* Fix resolv.conf, if possible */
+ where = prefix_roota(dest, "/etc/resolv.conf");
+
+- if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
+- /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
+- * container, so that the container can use the host's resolver. Given that network namespacing is
+- * disabled it's only natural of the container also uses the host's resolver. It also has the big
+- * advantage that the container will be able to follow the host's DNS server configuration changes
+- * transparently. */
+-
+- r = mount_verbose(LOG_WARNING, "/usr/lib/systemd/resolv.conf", where, NULL, MS_BIND, NULL);
+- if (r >= 0)
+- return mount_verbose(LOG_ERR, NULL, where, NULL,
+- MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
+- }
+-
+- /* If that didn't work, let's copy the file */
+ r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
+ if (r < 0) {
+- /* If the file already exists as symlink, let's suppress the warning, under the assumption that
+- * resolved or something similar runs inside and the symlink points there.
++ /* If the file already exists as symlink, let's
++ * suppress the warning, under the assumption that
++ * resolved or something similar runs inside and the
++ * symlink points there.
+ *
+- * If the disk image is read-only, there's also no point in complaining.
++ * If the disk image is read-only, there's also no
++ * point in complaining.
+ */
+ log_full_errno(IN_SET(r, -ELOOP, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
+- "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where);
++ "Failed to copy /etc/resolv.conf to %s: %m", where);
+ return 0;
+ }
+
+ r = userns_lchown(where, 0, 0);
+ if (r < 0)
+- log_warning_errno(r, "Failed to chown /etc/resolv.conf, ignoring: %m");
++ log_warning_errno(r, "Failed to chown /etc/resolv.conf: %m");
+
+ return 0;
+ }
+--
+2.10.2
+
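Review bot: The patch description stops at the `This reverts commit 3539724c26a1b2b00c4eb3c004b635a4b8647de6.` line and never says why the bind-mount path is being reverted; the rationale exists only as two issue links in the PKGBUILD comments. Because this file is shipped with the package and is likely to be read on its own, the description should carry the same references, e.g. `See https://github.com/systemd/systemd/issues/4595 and https://github.com/systemd/systemd/issues/3826.` after the revert line. Note that the revert also restores the shorter log strings (`"Failed to copy /etc/resolv.conf to %s: %m"`), so the two ", ignoring" message changes are part of the revert and not an independent edit.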
diff --git a/0001-disable-RestrictAddressFamilies-on-i686.patch b/0001-disable-RestrictAddressFamilies-on-i686.patch
new file mode 100644
index 000000000000..27e6f4fb0819
--- /dev/null
+++ b/0001-disable-RestrictAddressFamilies-on-i686.patch
@@ -0,0 +1,30 @@
+From ff59e06f9423af0532aaeedf931474823f764875 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 9 Nov 2016 08:00:26 -0500
+Subject: [PATCH] disable RestrictAddressFamilies on i686
+
+Shit's broke, yo.
+
+https://github.com/systemd/systemd/issues/4575
+---
+ src/core/execute.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index f666f7c..7d09154 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1254,6 +1254,10 @@ static int apply_address_families(const Unit* u, const ExecContext *c) {
+ Iterator i;
+ int r;
+
++#if defined(__i386__)
++ return 0;
++#endif
++
+ assert(c);
+
+ if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
+--
+2.10.2
+
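Review bot: The added `#if defined(__i386__) return 0;` at the top of `apply_address_families` silently disables `RestrictAddressFamilies=` for every unit on i686, so a unit that asks for the sandbox runs without it and neither the journal nor the unit status shows that the restriction was dropped. The early return also sits before `assert(c)`, so the argument check is bypassed on that architecture. Moving the block after the assert and emitting one warning there, e.g. `log_unit_warning(u, "RestrictAddressFamilies= is not enforced on i686, ignoring.");`, would make the degraded state visible to operators; the unit logging helpers appear to be what the surrounding code uses, but confirm the exact name against execute.c. A comment next to the `#if` naming the tracking issue, `/* disabled until https://github.com/systemd/systemd/issues/4575 is resolved */`, would also keep the reason with the code instead of only in the patch header. The function body continues outside the embedded hunk.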
diff --git a/PKGBUILD b/PKGBUILD
index e4401aca40e3..41282d5fee77 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,51 +6,95 @@
pkgbase=systemd-selinux
pkgname=('systemd-selinux' 'libsystemd-selinux' 'systemd-sysvcompat-selinux')
-pkgver=231
+pkgver=232
pkgrel=4
arch=('i686' 'x86_64')
-url="http://www.freedesktop.org/wiki/Software/systemd"
+url="https://www.github.com/systemd/systemd"
groups=('selinux')
makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam-selinux' 'libelf'
'intltool' 'iptables' 'kmod' 'libcap' 'libidn' 'libgcrypt'
'libmicrohttpd' 'libxslt' 'util-linux' 'linux-api-headers'
'python-lxml' 'quota-tools' 'shadow-selinux' 'gnu-efi-libs' 'git'
'libselinux')
-options=('strip' 'debug')
+options=('strip')
# Retrieve the splash-arch.bmp image from systemd package sources, as this
# file is too big to fit in the AUR.
-source=("git://github.com/systemd/systemd.git#tag=v$pkgver"
+source=("git+https://github.com/systemd/systemd.git#tag=v$pkgver"
'initcpio-hook-udev'
'initcpio-install-systemd'
'initcpio-install-udev'
'arch.conf'
'loader.conf'
'splash-arch.bmp::https://projects.archlinux.org/svntogit/packages.git/plain/trunk/splash-arch.bmp?h=packages/systemd&id=e43ddb71a5b1ab56e898347a63e54c5d5d07728a'
- 'udev-hwdb.hook')
-md5sums=('SKIP'
- '90ea67a7bb237502094914622a39e281'
- '55ea7d81c02d090b65c42a88f1a5a21a'
- '1b3aa3a0551b08af9305d33f85b5c2fc'
- '20ead378f5d6df4b2a3e670301510a7d'
- 'ddaef54f68f6c86c6c07835fc668f62a'
- '1e2f9a8b0fa32022bf0a8f39123e5f4e'
- 'a475a5ed8f03fb0f6b58b4684998d05c')
+ 'udev-hwdb.hook'
+ '0001-disable-RestrictAddressFamilies-on-i686.patch'
+ '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch')
+sha512sums=('SKIP'
+ 'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73'
+ '52af734947a768758d5eb3f18e31a1cfec6699eca6fa10e40b90c7f11991509186c0a696e3490af3eaba80064ea4cb93e041579abf05addf072d294300aa4b28'
+ 'fec639de0d99967ed3e67289eff5ff78fff0c5829d350e73bed536a8391f1daa1d118d72dbdc1f480ffd33fc22b72f4817d0973bd09ec7f182fd26ad87b24355'
+ '61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648'
+ 'c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5'
+ '5a1d78b5170da5abe3d18fdf9f2c3a4d78f15ba7d1ee9ec2708c4c9c2e28973469bc19386f70b3cf32ffafbe4fcc4303e5ebbd6d5187a1df3314ae0965b25e75'
+ '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
+ '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
+ 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219')
+validpgpkeys=(
+ '63CDA1E5D3FC22B998D20DD6327F26951A015CC4' # Lennart Poettering
+)
_backports=(
- '531ac2b2349da02acc9c382849758e07eb92b020' # If the notification message length is 0, ignore the message
- '8523bf7dd514a3a2c6114b7b8fb8f308b4f09fc4' # pid1: process zero-length notification messages again
- '9987750e7a4c62e0eb8473603150596ba7c3a015' # pid1: don't return any error in manager_dispatch_notify_fd()
- 'bd64d82c1c0e3fe2a5f9b3dd9132d62834f50b2d' # Revert "pid1: reconnect to the console before being re-executed"
- 'bd5b9f0a12dd9c1947b11534e99c395ddf44caa9' # systemctl: suppress errors with "show" for nonexistent units and properties
+ '843d5baf6aad6c53fc00ea8d95d83209a4f92de1' # core: don't use the unified hierarchy for the systemd cgroup yet (#4628)
+ 'abd67ce74858491565cde157c7b08fda43d3279c' # basic/virt: fix userns check on CONFIG_USER_NS=n kernel (#4651)
+ '4318abe8d26e969ebdb97744a63ab900233a0185' # build-sys: do not install ctrl-alt-del.target symlink twice
+ 'd112eae7da77899be245ab52aa1747d4675549f1' # device: Avoid calling unit_free(NULL) in device setup logic (#4748)
)
+_validate_tag() {
+ local success fingerprint trusted status tag=v$pkgver
+
+ parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1)
+
+ if (( ! success )); then
+ error 'failed to validate tag %s\n' "$tag"
+ return 1
+ fi
+
+ if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then
+ error 'unknown or untrusted public key: %s\n' "$fingerprint"
+ return 1
+ fi
+
+ case $status in
+ 'expired')
+ warning 'the signature has expired'
+ ;;
+ 'expiredkey')
+ warning 'the key has expired'
+ ;;
+ esac
+
+ return 0
+}
+
prepare() {
cd "${pkgbase/-selinux}"
+ _validate_tag || return
+
if (( ${#_backports[*]} > 0 )); then
git cherry-pick -n "${_backports[@]}"
fi
+ # these patches aren't upstream, but they make v232 more useable.
+
+ # https://github.com/systemd/systemd/issues/4575
+ patch -Np1 <../0001-disable-RestrictAddressFamilies-on-i686.patch
+
+ # https://github.com/systemd/systemd/issues/4595
+ # https://github.com/systemd/systemd/issues/3826
+ patch -Np1 <../0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
+
./autogen.sh
}
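Review bot: `_validate_tag` accepts a tag signed by any key the build user's keyring marks as trusted, because the test on the `if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then` line only rejects a fingerprint outside `validpgpkeys` when the key is also untrusted; if the intent is to pin the release key, the condition should be `if ! in_array "$fingerprint" "${validpgpkeys[@]}"; then`. This appears to mirror makepkg's own `validpgpkeys` handling, so if the lenience is deliberate a one-line comment above the test saying so would stop the next reader from tightening it by accident. `parse_gpg_statusfile`, `in_array`, `error` and `warning` are makepkg internals rather than documented PKGBUILD interface, so a comment such as `# relies on libmakepkg helpers; revisit if makepkg changes them` above the function would flag that coupling. With the git source checksummed as `'SKIP'`, this tag check is the only integrity control on the upstream code, which is worth stating in the comment as well.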
@@ -172,8 +216,7 @@ package_libsystemd-selinux() {
"${pkgname/-selinux}=${pkgver}-${pkgrel}")
conflicts=("${pkgname/-selinux}")
- # TODO(dreisner): for v232, this should be install-rootlibLTLIBRARIES.
- make -C "${pkgbase/-selinux}" DESTDIR="$pkgdir" install-libLTLIBRARIES
+ make -C "${pkgbase/-selinux}" DESTDIR="$pkgdir" install-rootlibLTLIBRARIES
}
package_systemd-sysvcompat-selinux() {
diff --git a/initcpio-install-systemd b/initcpio-install-systemd
index 59c16b7ef63a..f6d0afdb8285 100644
--- a/initcpio-install-systemd
+++ b/initcpio-install-systemd
@@ -185,7 +185,7 @@ EOF
help() {
cat <<HELPEOF
This will install a basic systemd setup in your initramfs, and is meant to
-replace the 'base', 'usr', 'udev' and 'timestamp' hooks. Other hooks with runtime
+replace the 'base', 'usr', 'udev' and 'resume' hooks. Other hooks with runtime
components will need to be ported, and will not work as intended. You also may
wish to still include the 'base' hook (before this hook) to ensure that a
rescue shell exists on your initramfs.