Adjust patches

0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch was added exactly
a year ago because selinux policy needed to be updated. I think we can drop the
patch now.

Also drop part of 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch:
the service runs as unprivileged user, so the creation cannot succeed. The other
part of the patch is kept.

0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch

@@ -1,178 +0,0 @@
-From 69860269011435e30e45713e44ba5adeaea8b546 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 3 Apr 2019 10:56:14 +0200
-Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
- services"
-
-This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
----
- units/systemd-coredump@.service.in      | 1 -
- units/systemd-hostnamed.service.in      | 1 -
- units/systemd-initctl.service.in        | 1 -
- units/systemd-journal-remote.service.in | 1 -
- units/systemd-journald.service.in       | 1 -
- units/systemd-localed.service.in        | 1 -
- units/systemd-logind.service.in         | 1 -
- units/systemd-machined.service.in       | 1 -
- units/systemd-networkd.service.in       | 1 -
- units/systemd-resolved.service.in       | 1 -
- units/systemd-rfkill.service.in         | 1 -
- units/systemd-timedated.service.in      | 1 -
- units/systemd-timesyncd.service.in      | 1 -
- 13 files changed, 13 deletions(-)
-
-diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
-index 951faa62a1..c3997d17d0 100644
---- a/units/systemd-coredump@.service.in
-+++ b/units/systemd-coredump@.service.in
-@@ -22,7 +22,6 @@ IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- Nice=9
--NoNewPrivileges=yes
- OOMScoreAdjust=500
- PrivateDevices=yes
- PrivateNetwork=yes
-diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
-index 1365d749ca..c0d4b02418 100644
---- a/units/systemd-hostnamed.service.in
-+++ b/units/systemd-hostnamed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
-index c276283908..f48d673d58 100644
---- a/units/systemd-initctl.service.in
-+++ b/units/systemd-initctl.service.in
-@@ -14,6 +14,5 @@ DefaultDependencies=no
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-initctl
--NoNewPrivileges=yes
- NotifyAccess=all
- SystemCallArchitectures=native
-diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
-index 6181d15d77..11f7aefcce 100644
---- a/units/systemd-journal-remote.service.in
-+++ b/units/systemd-journal-remote.service.in
-@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
- LockPersonality=yes
- LogsDirectory=journal/remote
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index 303d5a4826..f0eb094cf4 100644
---- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -24,7 +24,6 @@ FileDescriptorStoreMax=4224
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- Restart=always
- RestartSec=0
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
-diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
-index 10ecff5184..f1578bd626 100644
---- a/units/systemd-localed.service.in
-+++ b/units/systemd-localed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
-index ccbe631586..81fbee6fb6 100644
---- a/units/systemd-logind.service.in
-+++ b/units/systemd-logind.service.in
-@@ -35,7 +35,6 @@ FileDescriptorStoreMax=512
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
-index fa344d487d..b8ca60ddcc 100644
---- a/units/systemd-machined.service.in
-+++ b/units/systemd-machined.service.in
-@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- ProtectHostname=yes
- ProtectKernelLogs=yes
- RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
-index 01931665a4..0531fcbf12 100644
---- a/units/systemd-networkd.service.in
-+++ b/units/systemd-networkd.service.in
-@@ -25,7 +25,6 @@ DeviceAllow=char-* rw
- ExecStart=!!@rootlibexecdir@/systemd-networkd
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- ProtectControlGroups=yes
- ProtectHome=yes
- ProtectKernelModules=yes
-diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
-index f73697832c..4b8aa68f07 100644
---- a/units/systemd-resolved.service.in
-+++ b/units/systemd-resolved.service.in
-@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
- ExecStart=!!@rootlibexecdir@/systemd-resolved
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
-diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
-index 3abb958310..7447ed5b5b 100644
---- a/units/systemd-rfkill.service.in
-+++ b/units/systemd-rfkill.service.in
-@@ -18,7 +18,6 @@ Before=shutdown.target
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-rfkill
--NoNewPrivileges=yes
- StateDirectory=systemd/rfkill
- TimeoutSec=30s
- Type=notify
-diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
-index 87859f4aef..337067244e 100644
---- a/units/systemd-timedated.service.in
-+++ b/units/systemd-timedated.service.in
-@@ -20,7 +20,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
-index f0486a70ab..bb1ce55977 100644
---- a/units/systemd-timesyncd.service.in
-+++ b/units/systemd-timesyncd.service.in
-@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
- ExecStart=!!@rootlibexecdir@/systemd-timesyncd
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes

0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

@@ -3,10 +3,7 @@ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Fri, 11 Mar 2016 17:06:17 -0500
 Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
 
-If the symlink doesn't exists, and we are being started, let's
+If the symlink exists, do nothing. In particular, if it is a broken symlink,
-create it to provie name resolution.
-
-If it exists, do nothing. In particular, if it is a broken symlink,
 we cannot really know if the administator configured it to point to
 a location used by some service that hasn't started yet, so we
 don't touch it in that case either.
@@ -17,21 +14,6 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085
  tmpfiles.d/etc.conf.m4 | 3 ---
  2 files changed, 4 insertions(+), 3 deletions(-)
 
-diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
-index 2ca9fbdc72..3c8a9ff12a 100644
---- a/src/resolve/resolved.c
-+++ b/src/resolve/resolved.c
-@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) {
-         /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
-          * privileges are already dropped. */
-         if (getuid() == 0) {
-+                r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
-+                if (r < 0 && errno != EEXIST)
-+                        log_warning_errno(errno,
-+                                          "Could not create /etc/resolv.conf symlink: %m");
- 
-                 /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
-                 r = drop_privileges(uid, gid,
 diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
 index f82e0b82ce..66a777bdb2 100644
 --- a/tmpfiles.d/etc.conf.m4

systemd.spec

@@ -59,8 +59,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0001:      https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch
 
-Patch0002:      0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
-
 Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
 
 %ifarch %{ix86} x86_64 aarch64
@@ -714,6 +712,7 @@ fi
 * Sun Dec 15 2019  <zbyszek@nano-f31> - 244.1-1
 - Update to latest stable batch (systemd-networkd fixups, better
   support for seccomp on s390x, minor cleanups to documentation).
+- Drop patch to revert addition of NoNewPrivileges to systemd units
 
 * Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244-1
 - Update to latest version. Just minor bugs fixed since the pre-release.