From f377b012f246a3d0e79a186959b9731f4c26d40a Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Feb 02 2023 12:08:38 +0000
Subject: Revert patch that causes selinux avcs
---
diff --git a/0001-Revert-units-allow-systemd-userdbd-to-change-process.patch b/0001-Revert-units-allow-systemd-userdbd-to-change-process.patch
new file mode 100644
index 0000000..8d1db4a
--- /dev/null
+++ b/0001-Revert-units-allow-systemd-userdbd-to-change-process.patch
@@ -0,0 +1,28 @@
+From cc89389775b230e51d6e7a7e3e65f8a1928dbf2b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 2 Feb 2023 13:03:32 +0100
+Subject: [PATCH] Revert "units: allow systemd-userdbd to change process name"
+
+This reverts commit 9357d2342981a8b4fcfa2d170b7749c27d364fdd.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2166509
+---
+ units/systemd-userdbd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
+index b57661100c..84dea04f55 100644
+--- a/units/systemd-userdbd.service.in
++++ b/units/systemd-userdbd.service.in
+@@ -16,7 +16,7 @@ Before=sysinit.target
+ DefaultDependencies=no
+
+ [Service]
+-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
++CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+ ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd
+ IPAddressDeny=any
+ LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
+--
+2.39.1
+
diff --git a/systemd.spec b/systemd.spec
index 9af8bb5..80d6316 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -92,6 +92,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # than in the next section. Packit CI will drop any patches in this range before
 # applying upstream pull requests.
+Patch0001: 0001-Revert-units-allow-systemd-userdbd-to-change-process.patch
 # This is a downstream-only patch, but we don't want it in packit builds.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
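Review bot: `Patch0001` in the systemd.spec hunk is added without a comment saying why the revert is carried or when it can be dropped, and it sits in the range that, per the comment directly above it, Packit CI drops before applying upstream pull requests. If that placement is intended, Packit builds would presumably still ship `systemd-userdbd.service` with `CAP_SYS_RESOURCE` in `CapabilityBoundingSet=` and could keep producing the SELinux AVCs the commit title refers to; if it is not, the line may belong with the downstream-only patches below. Either way I would put a line such as `# Revert until the SELinux AVCs are resolved: https://bugzilla.redhat.com/show_bug.cgi?id=2166509` above it, so the narrower bounding set is not lost by accident on the next rebase. The embedded patch message would also benefit from one sentence stating the reason, since it currently gives only the reverted hash and the bug link.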