Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2015-03-18 13:06:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2015-03-03 11:16:32.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2015-03-18 13:06:05.000000000 +0100 @@ -1,0 +2,23 @@ +Thu Mar 12 07:48:35 UTC 2015 - [email protected] + +- Instruct polkit to allow memebers of the 'libvirt' group to connect + to libvirt without providing any password (bnc#920804) +- Added polkit-10-virt.rules to fix bnc#920804 + +------------------------------------------------------------------- +Wed Mar 11 09:29:29 MDT 2015 - [email protected] + +- Change default setting of security_default_confined in + /etc/libvirt/qemu.conf instead of in code. Making the change in + code changes the default behavior for all users, even those that + have a custom security setup in their /etc/libvirt/qemu.conf. + Modified suse-qemu-conf.patch + bsc#921586 + +------------------------------------------------------------------- +Mon Mar 9 16:51:08 UTC 2015 - [email protected] + +- Fixed a number of QEMU apparmor abstraction problems. bsc#921355 + apparmor-fixes.patch + +------------------------------------------------------------------- New: ---- apparmor-fixes.patch polkit-10-virt.rules ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.yk6JgR/_old 2015-03-18 13:06:07.000000000 +0100 +++ /var/tmp/diff_new_pack.yk6JgR/_new 2015-03-18 13:06:07.000000000 +0100 @@ -363,6 +363,7 @@ %endif %if %{with_polkit} %if 0%{?suse_version} > 1110 +BuildRequires: polkit >= 0.9 BuildRequires: polkit-devel >= 0.9 %else BuildRequires: PolicyKit-devel >= 0.6 @@ -432,6 +433,7 @@ Source2: %{name}.keyring Source3: libvirtd.init Source4: libvirtd-relocation-server.fw +Source5: polkit-10-virt.rules Source99: baselibs.conf # Upstream patches # Patches pending upstream review 
@@ -441,6 +443,7 @@ Patch152: blockcopy-check-dst-identical-device.patch Patch153: libvirt-power8-models.patch Patch154: ppc64le-canonical-name.patch +Patch155: apparmor-fixes.patch # Our patches Patch200: libvirtd-defaults.patch Patch201: libvirtd-init-script.patch @@ -973,6 +976,7 @@ %patch152 -p1 %patch153 -p1 %patch154 -p1 +%patch155 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 @@ -1336,6 +1340,12 @@ ln -s %{_sysconfdir}/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sbindir}/rclibvirt-guests %endif mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests +%if %{with_polkit} + %if 0%{?suse_version} > 1110 +install -d $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/ +install %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules + %endif +%endif %fdupes -s $RPM_BUILD_ROOT %clean @@ -1502,6 +1512,7 @@ %if %{with_polkit} %if 0%{?suse_version} > 1110 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy +%{_sysconfdir}/polkit-1/rules.d/10-virt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif ++++++ apparmor-fixes.patch ++++++ Index: libvirt-1.2.13/examples/apparmor/libvirt-qemu =================================================================== --- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu +++ libvirt-1.2.13/examples/apparmor/libvirt-qemu @@ -59,6 +59,7 @@ # access to firmware's etc /usr/share/kvm/** r, /usr/share/qemu/** r, + /usr/share/qemu-kvm/** r, /usr/share/bochs/** r, /usr/share/openbios/** r, /usr/share/openhackware/** r, @@ -73,6 +74,7 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-kvm rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-i386 rmix, 
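Review bot: In the `@@ -1336,6 +1340,12 @@` hunk, `install %SOURCE5 ...` passes no `-m`, so the polkit rule file is installed with install's default mode 0755 although it is data, not an executable; use `install -m 0644 %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/rules.d/10-virt.rules`. The matching `%files` entry in the `@@ -1502,6 +1512,7 @@` hunk lists a file under `%{_sysconfdir}` without `%config`, so an administrator's edit that tightens the rule would be overwritten on package update. Either mark it `%config`, or ship the packaged rule under `%{_datadir}/polkit-1/rules.d/` and leave `/etc/polkit-1/rules.d/` for local overrides. The visible hunks do not show where the `libvirt` group is created or who is added to it; a comment next to `Source5` saying so would help, since the rule grants password-less management access.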
@@ -118,6 +120,12 @@ /bin/dd rmix, /bin/cat rmix, + # for restore + /bin/bash rmix, + + /run/nscd/passwd r, + /run/nscd/group r, + # for usb access /dev/bus/usb/ r, /etc/udev/udev.conf r, ++++++ polkit-10-virt.rules ++++++ polkit.addRule(function(action, subject) { if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("libvirt")) { return polkit.Result.YES; } }); ++++++ qemu-apparmor-screenshot.patch ++++++ --- /var/tmp/diff_new_pack.yk6JgR/_old 2015-03-18 13:06:07.000000000 +0100 +++ /var/tmp/diff_new_pack.yk6JgR/_new 2015-03-18 13:06:07.000000000 +0100 @@ -2,7 +2,7 @@ =================================================================== --- libvirt-1.2.13.orig/examples/apparmor/libvirt-qemu +++ libvirt-1.2.13/examples/apparmor/libvirt-qemu -@@ -124,6 +124,9 @@ +@@ -132,6 +132,9 @@ /sys/bus/ r, /sys/class/ r, ++++++ suse-qemu-conf.patch ++++++ --- /var/tmp/diff_new_pack.yk6JgR/_old 2015-03-18 13:06:07.000000000 +0100 +++ /var/tmp/diff_new_pack.yk6JgR/_new 2015-03-18 13:06:07.000000000 +0100 
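Review bot: The `/bin/bash rmix,` rule added under `# for restore` in the `@@ -118,6 +120,12 @@` hunk lets any process confined by this abstraction execute a shell under the inherited profile. That is a wider grant than the neighbouring `/bin/dd` and `/bin/cat` entries, and it applies to every guest that includes the abstraction, not only during a restore. The comment should name the code path that needs it so the rule can be narrowed or dropped later, e.g. `# for restore: <caller, placeholder> runs the save-image helper through a shell (bsc#921355)`; the caller is not visible in this hunk. The two `/run/nscd/` read rules have no comment; `# name-service cache lookups via nscd` would do.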
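Review bot: polkit-10-virt.rules returns `polkit.Result.YES` for `org.libvirt.unix.manage` without a comment on what that grants. Full management access to the system libvirtd is generally treated as root-equivalent on the host, so membership of the `libvirt` group becomes a privileged role. The file should open with a comment such as `// Members of group "libvirt" get password-less org.libvirt.unix.manage; treat group membership as root-equivalent.` The `subject.local && subject.active` conditions restrict the grant to active local sessions, so group members connecting through a remote login still fall through to the default policy; if that is intended, say so in the same comment. As a style point, compare with `action.id === "org.libvirt.unix.manage"`.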
@@ -2,16 +2,30 @@ =================================================================== --- libvirt-1.2.13.orig/src/qemu/qemu.conf +++ libvirt-1.2.13/src/qemu/qemu.conf -@@ -204,7 +204,7 @@ +@@ -201,11 +201,20 @@ + # isolation, but it cannot appear in a list of drivers. + # + #security_driver = "selinux" ++#security_driver = "apparmor" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests -# will be unconfined by default. Defaults to 1. +-#security_default_confined = 1 +# will be unconfined by default. Defaults to 0. - #security_default_confined = 1 ++# ++# SUSE Note: ++# Currently, Apparmor is the default security framework in SUSE ++# distros. If Apparmor is enabled on the host, libvirtd is ++# generously confined but users must opt-in to confine qemu ++# instances. Change this to a non-zero value to enable default ++# Apparmor confinement of qemu instances. ++# ++security_default_confined = 0 # If set to non-zero, then attempts to create unconfined -@@ -417,11 +417,22 @@ + # guests will be blocked. Defaults to 0. +@@ -417,11 +426,22 @@ #allow_disk_format_probing = 1 @@ -39,16 +53,3 @@ # #lock_manager = "lockd" -Index: libvirt-1.2.13/src/qemu/qemu_conf.c -=================================================================== ---- libvirt-1.2.13.orig/src/qemu/qemu_conf.c -+++ libvirt-1.2.13/src/qemu/qemu_conf.c -@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf - - cfg->clearEmulatorCapabilities = true; - -- cfg->securityDefaultConfined = true; -+ cfg->securityDefaultConfined = false; - cfg->securityRequireConfined = false; - - cfg->keepAliveInterval = 5; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
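Review bot: The retained comment line `# will be unconfined by default. Defaults to 0.` in the `@@ -2,16 +2,30 @@` hunk no longer matches the code now that the `qemu_conf.c` change is dropped from the patch. The built-in value goes back to `cfg->securityDefaultConfined = true`, and only the shipped `security_default_confined = 0` line makes guests unconfined; this assumes no other patch touches the code default. An administrator who comments that line out, or who keeps an older qemu.conf, gets confined guests, so the text should read `# will be unconfined by default. Defaults to 1.` and the SUSE note should say the packaged file overrides it to 0. The note should also state that with this setting QEMU processes run without an AppArmor profile unless a guest opts in, and point to `security_require_confined` for hosts that must refuse unconfined guests.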
