- Change default setting of security_default_confined in

/etc/libvirt/qemu.conf instead of in code. Making the change in code changes the default behavior for all users, even those that have a custom security setup in their /etc/libvirt/qemu.conf. Modified suse-qemu-conf.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=442
2015-03-11 15:35:20 +00:00 · 2015-03-11 15:35:20 +00:00 · 168a353639
commit 168a353639
parent 7eedb34aa2
3 changed files with 27 additions and 17 deletions
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com
+
+- Change default setting of security_default_confined in
+  /etc/libvirt/qemu.conf instead of in code.  Making the change in
+  code changes the default behavior for all users, even those that
+  have a custom security setup in their /etc/libvirt/qemu.conf.
+  Modified suse-qemu-conf.patch
+
 -------------------------------------------------------------------
 Mon Mar  9 16:51:08 UTC 2015 - cbosdonnat@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
--- a/suse-qemu-conf.patch
+++ b/suse-qemu-conf.patch
@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 ===================================================================
 --- libvirt-1.2.13.orig/src/qemu/qemu.conf
 +++ libvirt-1.2.13/src/qemu/qemu.conf
-@@ -204,7 +204,7 @@
+@@ -201,11 +201,20 @@
+ # isolation, but it cannot appear in a list of drivers.
+ #
+ #security_driver = "selinux"
+#security_driver = "apparmor"
 
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
 -# will be unconfined by default. Defaults to 1.
+-#security_default_confined = 1
 +# will be unconfined by default. Defaults to 0.
- #security_default_confined = 1
+#
+# SUSE Note:
+# Currently, Apparmor is the default security framework in SUSE
+# distros.  If Apparmor is enabled on the host, libvirtd is
+# generously confined but users must opt-in to confine qemu
+# instances.  Change this to a non-zero value to enable default
+# Apparmor confinement of qemu instances.
+#
+security_default_confined = 0
 
 # If set to non-zero, then attempts to create unconfined
-@@ -417,11 +417,22 @@
+ # guests will be blocked. Defaults to 0.
+@@ -417,11 +426,22 @@
 #allow_disk_format_probing = 1
 
 
@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 #
 #lock_manager = "lockd"
 
-Index: libvirt-1.2.13/src/qemu/qemu_conf.c
-===================================================================
--- libvirt-1.2.13.orig/src/qemu/qemu_conf.c
-+++ libvirt-1.2.13/src/qemu/qemu_conf.c
-@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
- 
-     cfg->clearEmulatorCapabilities = true;
- 
-    cfg->securityDefaultConfined = true;
-+    cfg->securityDefaultConfined = false;
-     cfg->securityRequireConfined = false;
- 
-     cfg->keepAliveInterval = 5;