diff --git a/libvirt.changes b/libvirt.changes
index eeb3339..f08bf68 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com
+
+- Change default setting of security_default_confined in
+ /etc/libvirt/qemu.conf instead of in code. Making the change in
+ code changes the default behavior for all users, even those that
+ have a custom security setup in their /etc/libvirt/qemu.conf.
+ Modified suse-qemu-conf.patch
+
 -------------------------------------------------------------------
 Mon Mar 9 16:51:08 UTC 2015 - cbosdonnat@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index dec842d..aa89a51 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/suse-qemu-conf.patch b/suse-qemu-conf.patch
index 85da369..89eadd4 100644
--- a/suse-qemu-conf.patch
+++ b/suse-qemu-conf.patch
@@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 ===================================================================
 --- libvirt-1.2.13.orig/src/qemu/qemu.conf
 +++ libvirt-1.2.13/src/qemu/qemu.conf
-@@ -204,7 +204,7 @@
+@@ -201,11 +201,20 @@
+ # isolation, but it cannot appear in a list of drivers.
+ #
+ #security_driver = "selinux"
++#security_driver = "apparmor"
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
 -# will be unconfined by default. Defaults to 1.
+-#security_default_confined = 1
 +# will be unconfined by default. Defaults to 0.
- #security_default_confined = 1
++#
++# SUSE Note:
++# Currently, Apparmor is the default security framework in SUSE
++# distros. If Apparmor is enabled on the host, libvirtd is
++# generously confined but users must opt-in to confine qemu
++# instances. Change this to a non-zero value to enable default
++# Apparmor confinement of qemu instances.
++#
++security_default_confined = 0
 # If set to non-zero, then attempts to create unconfined
-@@ -417,11 +417,22 @@
+ # guests will be blocked. Defaults to 0.
+@@ -417,11 +426,22 @@
 #allow_disk_format_probing = 1
@@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 #
 #lock_manager = "lockd"
-Index: libvirt-1.2.13/src/qemu/qemu_conf.c
-===================================================================
---- libvirt-1.2.13.orig/src/qemu/qemu_conf.c
-+++ libvirt-1.2.13/src/qemu/qemu_conf.c
-@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
-
- cfg->clearEmulatorCapabilities = true;
-
-- cfg->securityDefaultConfined = true;
-+ cfg->securityDefaultConfined = false;
- cfg->securityRequireConfined = false;
-
- cfg->keepAliveInterval = 5;
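Review bot: The packaged qemu.conf keeps the rewritten description line `# will be unconfined by default. Defaults to 0.` while the second hunk on this line drops the qemu_conf.c change, so libvirtd's built-in default is back to 1 and that comment no longer describes it; an administrator who later comments out `security_default_confined = 0` expecting unconfined guests gets confined ones instead. The new SUSE Note block is the right place to make the override explicit: add `++# The built-in libvirtd default is 1; this distro file explicitly overrides it to 0.` after the `++# SUSE Note:` line, and consider restoring the upstream wording `Defaults to 1.` on the description line so it keeps describing the daemon rather than this file. Because the uncommented `security_default_confined = 0` means guests get no AppArmor profile unless a domain opts in, the note could also name the per-domain `<seclabel>` element as the opt-in path alongside the host-wide value. The trailing hunk removing the qemu_conf.c part of the patch is a pure deletion and needs no separate note.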