commit: e75e730b45c6310637c8b6511ea841944b643f3a
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Fri Sep 26 16:49:17 2025 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Fri Sep 26 17:01:08 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e75e730b
sys-apps/systemd: add 258
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
sys-apps/systemd/Manifest | 1 +
.../systemd/files/gentoo-journald-audit-r2.patch | 51 ++++++++++++++++++++++
.../{systemd-9999.ebuild => systemd-258.ebuild} | 28 +++++++-----
sys-apps/systemd/systemd-9999.ebuild | 28 +++++++-----
4 files changed, 84 insertions(+), 24 deletions(-)
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index 5bcfb53837e4..7e275bcaa29e 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -9,3 +9,4 @@ DIST systemd-257.6.tar.gz 16321562 BLAKE2B
cdd3bad6d2721bd7a7cc85bfd430db46ed44d
DIST systemd-257.7.tar.gz 16327096 BLAKE2B
59a28ce9b355b98f718f26489400640f3d732bbf73c00ea0571302dfc6dfb3585bf07ec56af06d74c5aa033b06a6220c3c839af6dba5ab7f8bde1aef4b58f0f6
SHA512
fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411
DIST systemd-257.8.tar.gz 16385060 BLAKE2B
c220bbb1ca3c6c411500bf3fd696e9a7f87de4061bb317f0f90a2719a48cbb2ae21a682e50fa16979c41560ee11f79698135fac4f494bf772c7b0a0bfcd0d8e7
SHA512
30331df5eb7a1556da8c017a0e6c07b8b99f0cb31da055c1b86c9b9e6fd7074f7c6746efa3e69711b73af48a15d61a84f35ad6e554d32a23441ba910398f7f65
DIST systemd-257.9.tar.gz 16401765 BLAKE2B
c3ad528d37b89de8f82548807e950b59aab43f875a533ad983169eb539594e5e8230b6b562caee5297dcec4572e27df0e53ebee04f79e85f429f47862031592e
SHA512
23b3d2764e0f990d8373068ccb41177793413bc193f7bd34e38b03d6fc3cd32d07c86e9dcbf07e32904075bb5eeca208f65beab04d628ac0e0b81ba87a975c1b
+DIST systemd-258.tar.gz 16976853 BLAKE2B
c63bc09bff11ba4cf6e87bef689250a6b354bf8f5bfb5af6d2a173fa1e1838aa457a8a7db66f7aad20dae25b7a0defddcb052d53f18a688a2dd6d5f323d4692a
SHA512
c488354da1c170ad02e10926f561d1985c3c3393fec878562f295ef764fdf3a1b2877c3b2549253f19bf23e357be6e443a50b937f60f4677f286d3402d611b85
diff --git a/sys-apps/systemd/files/gentoo-journald-audit-r2.patch
b/sys-apps/systemd/files/gentoo-journald-audit-r2.patch
new file mode 100644
index 000000000000..0b1b16e6969e
--- /dev/null
+++ b/sys-apps/systemd/files/gentoo-journald-audit-r2.patch
@@ -0,0 +1,51 @@
+From 7b9ee7375ca9a1521ff36dd9ceb8a26e59572a6e Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <[email protected]>
+Date: Wed, 17 Sep 2025 15:40:57 -0400
+Subject: [PATCH] journald: do not change the kernel audit setting by default
+
+Bug: https://bugs.gentoo.org/736910
+---
+ man/journald.conf.xml | 2 +-
+ src/journal/journald-config.c | 2 +-
+ src/journal/journald.conf | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/journald.conf.xml b/man/journald.conf.xml
+index 1a68ba8698..a9a77a51d1 100644
+--- a/man/journald.conf.xml
++++ b/man/journald.conf.xml
+@@ -482,7 +482,7 @@
+ kernel auditing on start-up. If disabled it will turn it off. If
unset it will neither enable nor
+ disable it, leaving the previous state unchanged. This means if
another tool turns on auditing even
+ if <command>systemd-journald</command> left it off, it will still
collect the generated
+- messages. Defaults to on in the default journal namespace, and unset
otherwise.</para>
++ messages.</para>
+
+ <para>Note that this option does not control whether
<command>systemd-journald</command> collects
+ generated audit records, it just controls whether it tells the kernel
to generate them. If you need
+diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c
+index dd2e29e296..4160fa2ab9 100644
+--- a/src/journal/journald-config.c
++++ b/src/journal/journald-config.c
+@@ -122,7 +122,7 @@ void manager_merge_configs(Manager *m) {
+ MERGE_NON_NEGATIVE(read_kmsg, !m->namespace);
+ /* By default, kernel auditing is enabled by the main namespace
instance, and not controlled by
+ * non-default namespace instances. */
+- MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true);
++ MERGE_NON_NEGATIVE(set_audit, -1);
+ MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC);
+
+ /* TODO: also merge them when comdline or credentials support to
configure them. */
+diff --git a/src/journal/journald.conf b/src/journal/journald.conf
+index 9a12ca7657..e42efbcf84 100644
+--- a/src/journal/journald.conf
++++ b/src/journal/journald.conf
+@@ -47,4 +47,4 @@
+ #MaxLevelSocket=debug
+ #LineMax=48K
+ #ReadKMsg=yes
+-#Audit=yes
++#Audit=
+--
+2.51.0
+
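Review bot: The comment kept as context above `MERGE_NON_NEGATIVE(set_audit, -1);` in the journald-config.c part still says kernel auditing is enabled by the main namespace instance, which stops being true once the default is -1 for every instance. The patch should reword it, for example `/* Gentoo: by default, leave the kernel audit setting untouched in all namespaces. */`. The man page part likewise deletes the "Defaults to on …" sentence without stating the new default, so adding `Defaults to unset.` would keep the behaviour documented. Because journald then no longer turns auditing on by itself, hosts that expect audit records in the journal have to set `Audit=yes` or enable auditing with another tool, which is worth stating in the patch description. manager_merge_configs continues outside the hunk.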
diff --git a/sys-apps/systemd/systemd-9999.ebuild
b/sys-apps/systemd/systemd-258.ebuild
similarity index 96%
copy from sys-apps/systemd/systemd-9999.ebuild
copy to sys-apps/systemd/systemd-258.ebuild
index 06bfb8de5b72..5034ed902a78 100644
--- a/sys-apps/systemd/systemd-9999.ebuild
+++ b/sys-apps/systemd/systemd-258.ebuild
@@ -34,16 +34,15 @@ LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
IUSE="
acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls
elfutils
- fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install
+kmod
- +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+ fido2 +gcrypt homed http idn importd iptables +kernel-install +kmod
+ +lz4 lzma pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify
vanilla xkb +zstd
"
REQUIRED_USE="
${PYTHON_REQUIRED_USE}
- dns-over-tls? ( || ( gnutls openssl ) )
- fido2? ( cryptsetup openssl )
- homed? ( cryptsetup pam openssl )
- importd? ( curl lzma || ( gcrypt openssl ) )
+ fido2? ( cryptsetup )
+ homed? ( cryptsetup pam )
+ importd? ( curl lzma )
pwquality? ( homed )
boot? ( kernel-install )
ukify? ( boot )
@@ -52,6 +51,8 @@ RESTRICT="!test? ( test )"
MINKV="4.15"
+OPENSSL_DEP=">=dev-libs/openssl-1.1.0:0="
+
COMMON_DEPEND="
>=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}]
sys-libs/libcap:0=[${MULTILIB_USEDEP}]
@@ -62,13 +63,18 @@ COMMON_DEPEND="
bpf? ( >=dev-libs/libbpf-1.4.0:0= )
cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
curl? ( >=net-misc/curl-7.32.0:0= )
+ dns-over-tls? ( ${OPENSSL_DEP} )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
- fido2? ( dev-libs/libfido2:0= )
+ fido2? (
+ ${OPENSSL_DEP}
+ dev-libs/libfido2:0=
+ )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
- gnutls? ( >=net-libs/gnutls-3.6.0:0= )
+ homed? ( ${OPENSSL_DEP} )
http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] )
idn? ( net-dns/libidn2:= )
importd? (
+ ${OPENSSL_DEP}
app-arch/bzip2:0=
sys-libs/zlib:0=
)
@@ -76,7 +82,6 @@ COMMON_DEPEND="
lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
iptables? ( net-firewall/iptables:0= )
- openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= )
pcre? ( dev-libs/libpcre2 )
@@ -105,6 +110,7 @@ RDEPEND="${COMMON_DEPEND}
>=acct-group/utmp-0-r1
>=acct-group/audio-0-r1
>=acct-group/cdrom-0-r1
+ acct-group/clock
>=acct-group/dialout-0-r1
>=acct-group/disk-0-r1
>=acct-group/input-0-r1
@@ -276,7 +282,7 @@ src_prepare() {
if ! use vanilla; then
PATCHES+=(
- "${FILESDIR}/gentoo-journald-audit-r1.patch"
+ "${FILESDIR}/gentoo-journald-audit-r2.patch"
)
fi
@@ -324,7 +330,6 @@ multilib_src_configure() {
$(meson_native_use_feature elfutils)
$(meson_native_use_feature fido2 libfido2)
$(meson_feature gcrypt)
- $(meson_native_use_feature gnutls)
$(meson_native_use_feature homed)
$(meson_native_use_feature http microhttpd)
$(meson_native_use_bool idn)
@@ -338,7 +343,6 @@ multilib_src_configure() {
$(meson_use test tests)
$(meson_feature zstd)
$(meson_native_use_feature iptables libiptc)
- $(meson_native_use_feature openssl)
$(meson_feature pam)
$(meson_native_use_feature pkcs11 p11kit)
$(meson_native_use_feature pcre pcre2)
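Review bot: After `$(meson_native_use_feature openssl)` is dropped here, no visible hunk passes an `openssl` option to meson, while `${OPENSSL_DEP}` is only pulled in under dns-over-tls, fido2, homed and importd. If upstream still treats `openssl` as a feature option that defaults to auto, a build with those four flags off could link against an installed OpenSSL with no dependency recorded for it. Consider setting the option explicitly from the same condition, e.g. `-Dopenssl=enabled` when `use dns-over-tls || use fido2 || use homed || use importd` is true and `-Dopenssl=disabled` otherwise. The rest of multilib_src_configure is outside the hunk, so this may already be handled there. The same applies to the identical hunk in systemd-9999.ebuild.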
diff --git a/sys-apps/systemd/systemd-9999.ebuild
b/sys-apps/systemd/systemd-9999.ebuild
index 06bfb8de5b72..5034ed902a78 100644
--- a/sys-apps/systemd/systemd-9999.ebuild
+++ b/sys-apps/systemd/systemd-9999.ebuild
@@ -34,16 +34,15 @@ LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
IUSE="
acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls
elfutils
- fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install
+kmod
- +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode
+ fido2 +gcrypt homed http idn importd iptables +kernel-install +kmod
+ +lz4 lzma pam pcre pkcs11 policykit pwquality qrcode
+resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify
vanilla xkb +zstd
"
REQUIRED_USE="
${PYTHON_REQUIRED_USE}
- dns-over-tls? ( || ( gnutls openssl ) )
- fido2? ( cryptsetup openssl )
- homed? ( cryptsetup pam openssl )
- importd? ( curl lzma || ( gcrypt openssl ) )
+ fido2? ( cryptsetup )
+ homed? ( cryptsetup pam )
+ importd? ( curl lzma )
pwquality? ( homed )
boot? ( kernel-install )
ukify? ( boot )
@@ -52,6 +51,8 @@ RESTRICT="!test? ( test )"
MINKV="4.15"
+OPENSSL_DEP=">=dev-libs/openssl-1.1.0:0="
+
COMMON_DEPEND="
>=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}]
sys-libs/libcap:0=[${MULTILIB_USEDEP}]
@@ -62,13 +63,18 @@ COMMON_DEPEND="
bpf? ( >=dev-libs/libbpf-1.4.0:0= )
cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= )
curl? ( >=net-misc/curl-7.32.0:0= )
+ dns-over-tls? ( ${OPENSSL_DEP} )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
- fido2? ( dev-libs/libfido2:0= )
+ fido2? (
+ ${OPENSSL_DEP}
+ dev-libs/libfido2:0=
+ )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
- gnutls? ( >=net-libs/gnutls-3.6.0:0= )
+ homed? ( ${OPENSSL_DEP} )
http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] )
idn? ( net-dns/libidn2:= )
importd? (
+ ${OPENSSL_DEP}
app-arch/bzip2:0=
sys-libs/zlib:0=
)
@@ -76,7 +82,6 @@ COMMON_DEPEND="
lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] )
lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] )
iptables? ( net-firewall/iptables:0= )
- openssl? ( >=dev-libs/openssl-1.1.0:0= )
pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] )
pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= )
pcre? ( dev-libs/libpcre2 )
@@ -105,6 +110,7 @@ RDEPEND="${COMMON_DEPEND}
>=acct-group/utmp-0-r1
>=acct-group/audio-0-r1
>=acct-group/cdrom-0-r1
+ acct-group/clock
>=acct-group/dialout-0-r1
>=acct-group/disk-0-r1
>=acct-group/input-0-r1
@@ -276,7 +282,7 @@ src_prepare() {
if ! use vanilla; then
PATCHES+=(
- "${FILESDIR}/gentoo-journald-audit-r1.patch"
+ "${FILESDIR}/gentoo-journald-audit-r2.patch"
)
fi
@@ -324,7 +330,6 @@ multilib_src_configure() {
$(meson_native_use_feature elfutils)
$(meson_native_use_feature fido2 libfido2)
$(meson_feature gcrypt)
- $(meson_native_use_feature gnutls)
$(meson_native_use_feature homed)
$(meson_native_use_feature http microhttpd)
$(meson_native_use_bool idn)
@@ -338,7 +343,6 @@ multilib_src_configure() {
$(meson_use test tests)
$(meson_feature zstd)
$(meson_native_use_feature iptables libiptc)
- $(meson_native_use_feature openssl)
$(meson_feature pam)
$(meson_native_use_feature pkcs11 p11kit)
$(meson_native_use_feature pcre pcre2)