[email protected] was missing a Before=network.target
ordering. Such an ordering is ...

Besides SELinux not supported on Debian here, default behaviour of
maintainer scripts there woul...

This broke due to an SELinux policy bug.

Move it together with related preset file that disables conflicting
pipewire.

That was the last...

Don't support SELinux in Debian yet.

* origin/pr/343: (53 commits)
Allow init_t and unconfined_service_t to transition to anything
...

dbus-send is used in qubes.Suspend{Pre,Post} services.

Fix typo, use correct variable.

The former is needed for SELinuxContext= in systemd unit files to work
for all domains. The lat...

Needed for block device export.

Otherwise the system will not boot.

It won't make the R4.2 release.

All scripts in init/ get installed, but relabel-root.sh is expected only
for SELinux, which isn'...

It probably does not work.

This file will always exist at runtime.

-i was being considered an argument for -e, but it isn't syntactically
correct.

which will happen if selinux-autorelabel.service (which now just runs
/bin/true) cannot be started.

This will trigger a relabel on the next reboot.

It breaks the Debian build.

They are noarch, so mark them as such.

It does not belong in the main package.

It is a worse user experience.

This reverts commit 4886bc6451dfb9f8b473e9d6aa3d708c0a1e241a.

If relabeling fails then so should boot.

Force it to pull in qubes-relabel-root.service instead of the default
selinux-autorelabel.servic...

The rest will be relabeled after reboot.

Otherwise it will fail if /.autorelabel doesn’t exist.

The label of PID 1 might be wrong. Also conflict with shutdown.target.

This replaces the standard service.

Otherwise the user could wind up with a broken system.

This is necessary to ensure that the system is properly labeled for the
next boot.

selinux-autorelabel.service is buggy and does a bunch of stuff that
makes no sense in Qubes OS. ...

If a volume is not persistent, then the next boot of the VM would need
to relabel it again. Ins...

Otherwise various mount points do not get relabeled, which causes
breakage.

This will be used by later autorelabel code.

This changes qubes-sysinit.sh to check for bad service names and for
errors. This ensures that ...

This might be a cause of OpenQA failures.

Needed by qrexec possibly?

This is probably a bug somewhere else.

This ensures correct labeling of volumes. systemd units are used to
ensure that SELinux being e...

Needed for rather obvious reasons.

Trivial performance win

I believe this is why qubesdb kept failing to start.

The scriptlet needs to handle the case where the file is empty, which
breaks sed. Also lock bot...

These needed to be added to qubes-misc.fc.

so /rw/usrlocal and /usr/local need to be handled separately.

It didn't uninstall the qubes-misc policy module, and it unconditionally
removed the substitutio...

Also avoid depending on a specific policy type

This uses RPM rich dependency syntax.

Another step towards making Qubes OS work with SELinux enforcing.

This avoids problems due to SELinux.

This sets up the needed file context substitutions. It also provides
polices for qfile-unpacker...

* origin/pr/391:
Add upgrades-status-notify and upgrades-installed-check to archlinux package

* origin/pr/354:
Declare each target (other than .PHONY) only once
makefile fix
simplify m...

* origin/pr/393:
qvm-template: fallback to other mirrors

* origin/pr/397:
Replace ImageMagick with GraphicsMagick

* origin/pr/399:
Add purging of no longer allowed connections from conntrack

Finally switch to R4.2 repositories.

This reverts commit cdc12084ef6cbd935ffee2803ed782b2175fc156.

Previously adding a firewall rule didn't close already established connections:
https://github.c...

Using GLib.spawn_async instead of subprocess.call or subprocess.Popen
This prevents Nautilus fro...

https://github.com/QubesOS/qubes-issues/issues/5009

The get_file_items method of Nautilus.MenuProvider no longer take the window argument.

https://g...

* origin/pr/371:
Cohere with debian guidance on using 3rd party repos

If download from a selected mirror failed to start at all (missing file,
connection error etc), ...

This avoids a pitfall: if commands are given for a target in more than
one place, all but the la...

This lets the harden-network-interfaces service control hardening.

This ensures that any Qubes-provided configuration can be overridden by
the user.

to ensure that errors are properly handled

This indicates a serious problem.

This is done via various sysctls.

* origin/pr/347:
Make qubes-sync-time.service oneshot
Better error message when 'date' fails...

'zenity --progress --auto-close' exits on reading a progress input of
100 or more. If the estima...

* origin/pr/384:
Use link scope for routes

* origin/pr/385:
prepare-suspend: do not disable virtual interfaces before suspend
prepare-s...

* qvm-template-resume:
qvm-template: resume failed downloads
qvm-template: move cleanup to '...