Fix previous patch and revert the change that requires selinux policy update

0001-test-json-check-absolute-and-relative-difference-in-.patch

@@ -1,4 +1,4 @@
-From 034967a2a644c8cdbf855f0079299b71b6a1f435 Mon Sep 17 00:00:00 2001
+From 847364f5123f108884f8c59fb05d7ff941693dfb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Fri, 21 Dec 2018 22:49:53 +0100
 Subject: [PATCH] test-json: check absolute and relative difference in floating
@@ -17,7 +17,7 @@ Let's do the usual-style test for absolute and relative differences.
  1 file changed, 7 insertions(+), 9 deletions(-)
 
 diff --git a/src/test/test-json.c b/src/test/test-json.c
-index 5aa4d19dbe..e6ec9bfba8 100644
+index 5aa4d19dbe..cd6269f798 100644
 --- a/src/test/test-json.c
 +++ b/src/test/test-json.c
 @@ -1,9 +1,6 @@
@@ -42,11 +42,11 @@ index 5aa4d19dbe..e6ec9bfba8 100644
 -                                assert_se(fabsl(d - v.real) < 0.001L);
 +                        /* Valgrind doesn't support long double calculations and automatically downgrades to 80bit:
 +                         * http://www.valgrind.org/docs/manual/manual-core.html#manual-core.limits.
-+                         * Some architectures might now support long double either.
++                         * Some architectures might not support long double either.
 +                         */
 +
-+                        assert_se(fabsl(d - v.real) < 1e-15 ||
++                        assert_se(fabsl(d - v.real) < 1e-10 ||
-+                                  fabsl(d - v.real) / v.real < 1e-15);
++                                  fabsl((d - v.real) / v.real) < 1e-10);
  
                  } else if (t == JSON_TOKEN_INTEGER) {
                          intmax_t i;

0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch

@@ -0,0 +1,207 @@
+From 2cce22a4279d4f304e75b87b56b9eeb5cd313566 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 22 Dec 2018 11:11:04 +0100
+Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
+ services"
+
+This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
+---
+ units/systemd-coredump@.service.in        | 1 -
+ units/systemd-hostnamed.service.in        | 1 -
+ units/systemd-initctl.service.in          | 1 -
+ units/systemd-journal-gatewayd.service.in | 1 -
+ units/systemd-journal-remote.service.in   | 1 -
+ units/systemd-journal-upload.service.in   | 1 -
+ units/systemd-journald.service.in         | 1 -
+ units/systemd-localed.service.in          | 1 -
+ units/systemd-logind.service.in           | 1 -
+ units/systemd-machined.service.in         | 1 -
+ units/systemd-networkd.service.in         | 1 -
+ units/systemd-resolved.service.in         | 1 -
+ units/systemd-rfkill.service.in           | 1 -
+ units/systemd-timedated.service.in        | 1 -
+ units/systemd-timesyncd.service.in        | 1 -
+ 15 files changed, 15 deletions(-)
+
+diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
+index ffcb5f36ca..74dcf7fe06 100644
+--- a/units/systemd-coredump@.service.in
++++ b/units/systemd-coredump@.service.in
+@@ -22,7 +22,6 @@ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ Nice=9
+-NoNewPrivileges=yes
+ OOMScoreAdjust=500
+ PrivateDevices=yes
+ PrivateNetwork=yes
+diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
+index 9c925e80d9..696d4e2e60 100644
+--- a/units/systemd-hostnamed.service.in
++++ b/units/systemd-hostnamed.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
+index c276283908..f48d673d58 100644
+--- a/units/systemd-initctl.service.in
++++ b/units/systemd-initctl.service.in
+@@ -14,6 +14,5 @@ DefaultDependencies=no
+ 
+ [Service]
+ ExecStart=@rootlibexecdir@/systemd-initctl
+-NoNewPrivileges=yes
+ NotifyAccess=all
+ SystemCallArchitectures=native
+diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
+index ebc8bf9a25..5ef4ee0058 100644
+--- a/units/systemd-journal-gatewayd.service.in
++++ b/units/systemd-journal-gatewayd.service.in
+@@ -17,7 +17,6 @@ DynamicUser=yes
+ ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ ProtectControlGroups=yes
+diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
+index 29a99aaec1..ec1311da88 100644
+--- a/units/systemd-journal-remote.service.in
++++ b/units/systemd-journal-remote.service.in
+@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
+ LockPersonality=yes
+ LogsDirectory=journal/remote
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
+index 92cd4e5259..a15744e1e8 100644
+--- a/units/systemd-journal-upload.service.in
++++ b/units/systemd-journal-upload.service.in
+@@ -18,7 +18,6 @@ DynamicUser=yes
+ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index 4684f095c0..7b659d4b03 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ Restart=always
+ RestartSec=0
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
+index 01e0703d0e..7d40fb4897 100644
+--- a/units/systemd-localed.service.in
++++ b/units/systemd-localed.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
+index 38a7f269ac..6b362ccdca 100644
+--- a/units/systemd-logind.service.in
++++ b/units/systemd-logind.service.in
+@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ Restart=always
+ RestartSec=0
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
+index 9f1476814d..d90e71ae67 100644
+--- a/units/systemd-machined.service.in
++++ b/units/systemd-machined.service.in
+@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
+index 472ef045de..f23bf227fb 100644
+--- a/units/systemd-networkd.service.in
++++ b/units/systemd-networkd.service.in
+@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
+ ExecStart=!!@rootlibexecdir@/systemd-networkd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+ ProtectKernelModules=yes
+diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
+index 3144b70063..d08842f0d4 100644
+--- a/units/systemd-resolved.service.in
++++ b/units/systemd-resolved.service.in
+@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+ ExecStart=!!@rootlibexecdir@/systemd-resolved
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
+index 3abb958310..7447ed5b5b 100644
+--- a/units/systemd-rfkill.service.in
++++ b/units/systemd-rfkill.service.in
+@@ -18,7 +18,6 @@ Before=shutdown.target
+ 
+ [Service]
+ ExecStart=@rootlibexecdir@/systemd-rfkill
+-NoNewPrivileges=yes
+ StateDirectory=systemd/rfkill
+ TimeoutSec=30s
+ Type=notify
+diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
+index 6d53024195..1105f1a980 100644
+--- a/units/systemd-timedated.service.in
++++ b/units/systemd-timedated.service.in
+@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
+index 03ade45d08..8b99e92e01 100644
+--- a/units/systemd-timesyncd.service.in
++++ b/units/systemd-timesyncd.service.in
+@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
+ ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+-NoNewPrivileges=yes
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+-- 
+2.19.2
+

systemd.spec

@@ -51,6 +51,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 %endif
 
 Patch0001:      0001-test-json-check-absolute-and-relative-difference-in-.patch
+Patch0002:      0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
 
 Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch