From ec17372ebcabc692b9b69d189e5ce830d6a0078b Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Mon, 1 Apr 2013 17:22:27 -0400
Subject: [PATCH] Rebased to version 0.10.2.4

Fix 'Cannot parse sensitivity level in s0' error (bz #902103)
Fix updating NIC that has boot order set (bz #906446)
Fix virsh list for vmware ESX (bz #910702)
Fix libxl disk backend default (bz #912488)
---
...virt_tcg_t-context-for-TCG-based-gue.patch | 129 ------------------
libvirt.spec | 27 ++--
sources | 2 +-
3 files changed, 20 insertions(+), 138 deletions(-)
delete mode 100644 0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
diff --git a/0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch b/0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
deleted file mode 100644
index a5e683b..0000000
--- a/0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 95ea6a38bd9a3ca8393c7d738df8bab0ca554439 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange"
-Date: Wed, 12 Dec 2012 11:47:19 +0000
-Subject: [PATCH] Support custom 'svirt_tcg_t' context for TCG based guests
-
-The current SELinux policy only works for KVM guests, since
-TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
-boolean to turn this on globally, but that is unpleasant for users.
-This changes libvirt to automatically use a new 'svirt_tcg_t'
-context for TCG based guests. This obsoletes the previous
-boolean tunable and makes things 'just work(tm)'
-
-Since we can't assume we run with new enough policy, I also
-make us log a warning message (once only) if we find the policy
-lacks support. In this case we fallback to the normal label and
-expect users to set the boolean tunable
-
-Signed-off-by: Daniel P. Berrange
-(cherry picked from commit 77d3a8097480e388f1ce3129fe530f235b05f93b)
----
- src/security/security_selinux.c | 48 +++++++++++++++++++++++++++++++++++++----
- 1 file changed, 44 insertions(+), 4 deletions(-)
-
-diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
-index 2720266..b9f5a7b 100644
---- a/src/security/security_selinux.c
-+++ b/src/security/security_selinux.c
-@@ -58,6 +58,7 @@ typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;
-
- struct _virSecuritySELinuxData {
- char *domain_context;
-+ char *alt_domain_context;
- char *file_context;
- char *content_context;
- virHashTablePtr mcs;
-@@ -475,8 +476,23 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
- }
-
- ptr = strchrnul(data->domain_context, '\n');
-- if (ptr)
-+ if (ptr && *ptr == '\n') {
- *ptr = '\0';
-+ ptr++;
-+ if (*ptr != '\0') {
-+ data->alt_domain_context = strdup(ptr);
-+ if (!data->alt_domain_context) {
-+ virReportOOMError();
-+ goto error;
-+ }
-+ ptr = strchrnul(data->alt_domain_context, '\n');
-+ if (ptr && *ptr == '\n')
-+ *ptr = '\0';
-+ }
-+ }
-+ VIR_DEBUG("Loaded domain context '%s', alt domain context '%s'",
-+ data->domain_context, NULLSTR(data->alt_domain_context));
-+
-
- if (virFileReadAll(selinux_virtual_image_context_path(), 2*MAX_CONTEXT, &(data->file_context)) < 0) {
- virReportSystemError(errno,
-@@ -498,6 +514,9 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
- *ptr = '\0';
- }
-
-+ VIR_DEBUG("Loaded file context '%s', content context '%s'",
-+ data->file_context, data->content_context);
-+
- if (!(data->mcs = virHashCreate(10, NULL)))
- goto error;
-
-@@ -508,6 +527,7 @@ error:
- selabel_close(data->label_handle);
- #endif
- VIR_FREE(data->domain_context);
-+ VIR_FREE(data->alt_domain_context);
- VIR_FREE(data->file_context);
- VIR_FREE(data->content_context);
- virHashFree(data->mcs);
-@@ -538,6 +558,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
- const char *range;
- virSecurityLabelDefPtr seclabel;
- virSecuritySELinuxDataPtr data;
-+ const char *baselabel;
-
- if (mgr == NULL) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
-@@ -600,10 +621,28 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
- if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
- goto cleanup;
-
-+ baselabel = seclabel->baselabel;
-+ if (!baselabel) {
-+ if (def->virtType == VIR_DOMAIN_VIRT_QEMU) {
-+ if (data->alt_domain_context == NULL) {
-+ static bool warned = false;
-+ if (!warned) {
-+ VIR_WARN("SELinux policy does not define a domain type for QEMU TCG. "
-+ "Guest startup may be denied due to missing 'execmem' privilege "
-+ "unless the 'virt_use_execmem' policy boolean is enabled");
-+ warned = true;
-+ }
-+ baselabel = data->domain_context;
-+ } else {
-+ baselabel = data->alt_domain_context;
-+ }
-+ } else {
-+ baselabel = data->domain_context;
-+ }
-+ }
-+
- seclabel->label =
-- virSecuritySELinuxGenNewContext(seclabel->baselabel ?
-- seclabel->baselabel :
-- data->domain_context, mcs, false);
-+ virSecuritySELinuxGenNewContext(baselabel, mcs, false);
- if (!seclabel->label) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot generate selinux context for %s"), mcs);
-@@ -758,6 +797,7 @@ virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
- virHashFree(data->mcs);
-
- VIR_FREE(data->domain_context);
-+ VIR_FREE(data->alt_domain_context);
- VIR_FREE(data->file_context);
- VIR_FREE(data->content_context);
-
---
-1.8.1
-
diff --git a/libvirt.spec b/libvirt.spec
index 8634fad..257d58e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -334,7 +334,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 0.10.2.3
+Version: 0.10.2.4
 Release: 1%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
@@ -345,18 +345,16 @@ URL: http://libvirt.org/
 %define mainturl stable_updates/
 %endif
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
-# Fix qemu -> qemu-system-i386 (RHBZ#857026).
+
+# Fix qemu -> qemu-system-i386 (bz #857026).
 # keep: This patch is Fedora-specific and not upstream.
 Patch1: 0001-Use-qemu-system-i386-as-binary-instead-of-qemu.patch
-# Cleanly save session VMs on logout/shutdown (bz 872254)
+# Cleanly save session VMs on logout/shutdown (bz #872254)
 # keep: Fixed upstream, but using patches not suitable for stable
 Patch2: libvirt-dbus.patch
-# Cleanly save session VMs on logout/shutdown (bz 872254)
+# Cleanly save session VMs on logout/shutdown (bz #872254)
 # keep: Fixed upstream, but using patches not suitable for stable
 Patch3: libvirt-save-with-session.patch
-# Fix selinux denials when launching non-kvm qemu guests (bz 885837)
-# keep: missed stable release
-Patch4: 0002-Support-custom-svirt_tcg_t-context-for-TCG-based-gue.patch
 %if %{with_libvirtd}
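Review bot: Dropping `Patch4` in the `@@ -345,18 +345,16 @@` hunk (and `%patch4 -p1` in `%prep`) removes the svirt_tcg_t SELinux change for TCG guests (bz 885837), but neither the commit message nor the new `%changelog` entry says that the 0.10.2.4 tarball contains upstream commit 77d3a8097480e388f1ce3129fe530f235b05f93b. The old comment `# keep: missed stable release` suggests the change was expected in a later stable release, so the removal is probably correct, but it should be confirmed against the 0.10.2.4 source. If the change is absent, non-KVM qemu guests would presumably fall back to the base domain label and be denied `execmem` again unless the `virt_use_execmem` boolean is enabled. Once verified, I would record it in the changelog, for example `- Drop svirt_tcg_t patch, included in 0.10.2.4 (bz #885837)`.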
@@ -1075,10 +1073,16 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q
+
+# Fix qemu -> qemu-system-i386 (bz #857026).
+# keep: This patch is Fedora-specific and not upstream.
 %patch1 -p1
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
 %patch2 -p1
+# Cleanly save session VMs on logout/shutdown (bz #872254)
+# keep: Fixed upstream, but using patches not suitable for stable
 %patch3 -p1
-%patch4 -p1
 %build
 %if ! %{with_xen}
@@ -1954,6 +1958,13 @@ fi
 %endif
 %changelog
+* Mon Apr 01 2013 Cole Robinson - 0.10.2.4-1
+- Rebased to version 0.10.2.4
+- Fix 'Cannot parse sensitivity level in s0' error (bz #902103)
+- Fix updating NIC that has boot order set (bz #906446)
+- Fix virsh list for vmware ESX (bz #910702)
+- Fix libxl disk backend default (bz #912488)
+
 * Mon Jan 28 2013 Cole Robinson - 0.10.2.3-1
 - Rebased to version 0.10.2.3
 - Fix libxl driver to build against xen 4.2 (bz #870689)
diff --git a/sources b/sources
index 1fcce42..e68e652 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8ffff74a7e6674c782fec06c94c3381b libvirt-0.10.2.3.tar.gz
+11d9f42c831751bec5ef8e5d87dc2bba libvirt-0.10.2.4.tar.gz