Accepting request 224371 from Virtualization

- Update to libvirt 1.2.2 - add LXC from native conversion tool - vbox: add support for v4.2.20+ and v4.3.4+ - CVE-2013-6456 (bnc#857490) - Many incremental improvements and bug fixes, see http://libvirt.org/news.html - Drop upstream patches: 37564b47-xend-parse-response.patch, 4f20084-fix-apparmor-install-patch.patch - Add local disable-virCgroupGetPercpuStats-test.patch to disable failing virCgroupGetPercpuStats test in 'make check' - daemon-qemu: Require qemu instead of kvm to align with recent changes to the qemu package structure - spec: fix dependencies of daemon-config-network and daemon-config-nwfilter subpackages. Influenced by upstream commits cf76c4b3 and dca5ce4c - Remove libvirtd, virtlockd, and libvirt-guests init scripts when using systemd bnc#863540 - Fix the path to libvirtd AppArmor template profile OBS-URL: https://build.opensuse.org/request/show/224371 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=139
2014-03-04 12:45:14 +00:00 · 2014-03-04 12:45:14 +00:00 · 62a2a24d7c
commit 62a2a24d7c
parent 7412a46feb 5016413cf6
20 changed files with 395 additions and 521 deletions
--- a/37564b47-xend-parse-response.patch
+++ b/37564b47-xend-parse-response.patch
@ -1,39 +0,0 @@
 commit 37564b471da7e9080284149f8350241afd448515
 Author: Jim Fehlig <jfehlig@suse.com>
 Date:   Tue Jan 28 18:15:48 2014 -0700
    xen: fix parsing xend http response
    Commit df36af58 broke parsing of http response from xend.  The prior
    use of atoi() would happily parse e.g. a string containing "200 OK\r\n",
    whereas virStrToLong_i() will fail when called with a NULL end_ptr.
    Change the calls to virStrToLong_i() to provide a non-NULL end_ptr.
 Index: libvirt-1.2.1/src/xen/xend_internal.c
 ===================================================================
 --- libvirt-1.2.1.orig/src/xen/xend_internal.c
 +++ libvirt-1.2.1/src/xen/xend_internal.c
@@ -282,6 +282,7 @@ xend_req(int fd, char **content)
     size_t buffer_size = 4096;
     int content_length = 0;
     int retcode = 0;
 +    char *end_ptr;
     if (VIR_ALLOC_N(buffer, buffer_size) < 0)
         return -1;
@@ -291,13 +292,13 @@ xend_req(int fd, char **content)
             break;
         if (istartswith(buffer, "Content-Length: ")) {
 -            if (virStrToLong_i(buffer + 16, NULL, 10, &content_length) < 0) {
 +            if (virStrToLong_i(buffer + 16, &end_ptr, 10, &content_length) < 0) {
                 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                                _("failed to parse Xend response content length"));
                 return -1;
             }
         } else if (istartswith(buffer, "HTTP/1.1 ")) {
 -            if (virStrToLong_i(buffer + 9, NULL, 10, &retcode) < 0) {
 +            if (virStrToLong_i(buffer + 9, &end_ptr, 10, &retcode) < 0) {
                 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                                _("failed to parse Xend response return code"));
                 return -1;
--- a/disable-virCgroupGetPercpuStats-test.patch
+++ b/disable-virCgroupGetPercpuStats-test.patch
@ -0,0 +1,91 @@
 Index: libvirt-1.2.2/tests/vircgrouptest.c
 ===================================================================
 --- libvirt-1.2.2.orig/tests/vircgrouptest.c
 +++ libvirt-1.2.2/tests/vircgrouptest.c
@@ -33,7 +33,6 @@
 # include "virlog.h"
 # include "virfile.h"
 # include "testutilslxc.h"
 -# include "nodeinfo.h"
 # define VIR_FROM_THIS VIR_FROM_NONE
@@ -531,68 +530,6 @@ static int testCgroupAvailable(const voi
     return 0;
 }
 -static int testCgroupGetPercpuStats(const void *args ATTRIBUTE_UNUSED)
 -{
 -    virCgroupPtr cgroup = NULL;
 -    size_t i;
 -    int rv, ret = -1;
 -    virTypedParameter params[2];
 -
 -    // TODO: mock nodeGetCPUCount() as well & check 2nd cpu, too
 -    unsigned long long expected[] = {
 -        1413142688153030ULL
 -    };
 -
 -    if ((rv = virCgroupNewPartition("/virtualmachines", true,
 -                                    (1 << VIR_CGROUP_CONTROLLER_CPU) |
 -                                    (1 << VIR_CGROUP_CONTROLLER_CPUACCT),
 -                                    &cgroup)) < 0) {
 -        fprintf(stderr, "Could not create /virtualmachines cgroup: %d\n", -rv);
 -        goto cleanup;
 -    }
 -
 -    if (nodeGetCPUCount() < 1) {
 -        fprintf(stderr, "Unexpected: nodeGetCPUCount() yields: %d\n", nodeGetCPUCount());
 -        goto cleanup;
 -    }
 -
 -    if ((rv = virCgroupGetPercpuStats(cgroup,
 -                                      params,
 -                                      2, 0, 1)) < 0) {
 -        fprintf(stderr, "Failed call to virCgroupGetPercpuStats for /virtualmachines cgroup: %d\n", -rv);
 -        goto cleanup;
 -    }
 -
 -    for (i = 0; i < ARRAY_CARDINALITY(expected); i++) {
 -        if (!STREQ(params[i].field, VIR_DOMAIN_CPU_STATS_CPUTIME)) {
 -            fprintf(stderr,
 -                    "Wrong parameter name value from virCgroupGetPercpuStats (is: %s)\n",
 -                    params[i].field);
 -            goto cleanup;
 -        }
 -
 -        if (params[i].type != VIR_TYPED_PARAM_ULLONG) {
 -            fprintf(stderr,
 -                    "Wrong parameter value type from virCgroupGetPercpuStats (is: %d)\n",
 -                    params[i].type);
 -            goto cleanup;
 -        }
 -
 -        if (params[i].value.ul != expected[i]) {
 -            fprintf(stderr,
 -                    "Wrong value from virCgroupGetMemoryUsage (expected %llu)\n",
 -                    params[i].value.ul);
 -            goto cleanup;
 -        }
 -    }
 -
 -    ret = 0;
 -
 -cleanup:
 -    virCgroupFree(&cgroup);
 -    return ret;
 -}
 -
 static int testCgroupGetMemoryUsage(const void *args ATTRIBUTE_UNUSED)
 {
     virCgroupPtr cgroup = NULL;
@@ -798,9 +735,6 @@ mymain(void)
     if (virtTestRun("virCgroupGetMemoryUsage works", testCgroupGetMemoryUsage, NULL) < 0)
         ret = -1;
 -    if (virtTestRun("virCgroupGetPercpuStats works", testCgroupGetPercpuStats, NULL) < 0)
 -        ret = -1;
 -
     setenv("VIR_CGROUP_MOCK_MODE", "allinone", 1);
     if (virtTestRun("New cgroup for self (allinone)", testCgroupNewForSelfAllInOne, NULL) < 0)
         ret = -1;
--- a/fix-pci-attach-xen-driver.patch
+++ b/fix-pci-attach-xen-driver.patch
@ -8,10 +8,10 @@ uses the 'device_configure' RPC.
 This patch changes the xend driver to always call 'device_configure' for
 PCI devices to be consistent with the usage in the xen tools.
-Index: libvirt-1.2.1/src/xen/xend_internal.c
+Index: libvirt-1.2.2/src/xen/xend_internal.c
 ===================================================================
--- libvirt-1.2.1.orig/src/xen/xend_internal.c
+--- libvirt-1.2.2.orig/src/xen/xend_internal.c
-+++ libvirt-1.2.1/src/xen/xend_internal.c
+++ libvirt-1.2.2/src/xen/xend_internal.c
@@ -2217,6 +2217,7 @@ xenDaemonAttachDeviceFlags(virConnectPtr
     virBuffer buf = VIR_BUFFER_INITIALIZER;
     char class[8], ref[80];
--- a/ia64-clone.patch
+++ b/ia64-clone.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/src/lxc/lxc_container.c
+Index: libvirt-1.2.2/src/lxc/lxc_container.c
 ===================================================================
--- libvirt-1.2.1.orig/src/lxc/lxc_container.c
+--- libvirt-1.2.2.orig/src/lxc/lxc_container.c
-+++ libvirt-1.2.1/src/lxc/lxc_container.c
+++ libvirt-1.2.2/src/lxc/lxc_container.c
@@ -162,12 +162,19 @@ int lxcContainerHasReboot(void)
     VIR_FREE(buf);
     cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
--- a/install-apparmor-profiles.patch
+++ b/install-apparmor-profiles.patch
@ -1,8 +1,8 @@
-Index: libvirt-1.2.1/examples/apparmor/Makefile.am
+Index: libvirt-1.2.2/examples/apparmor/Makefile.am
 ===================================================================
--- libvirt-1.2.1.orig/examples/apparmor/Makefile.am
+--- libvirt-1.2.2.orig/examples/apparmor/Makefile.am
-+++ libvirt-1.2.1/examples/apparmor/Makefile.am
+++ libvirt-1.2.2/examples/apparmor/Makefile.am
-@@ -14,13 +14,32 @@
+@@ -14,13 +14,25 @@
 ## License along with this library.  If not, see
 ## <http://www.gnu.org/licenses/>.
@ -13,18 +13,11 @@ Index: libvirt-1.2.1/examples/apparmor/Makefile.am
 -	usr.sbin.libvirtd
 +EXTRA_DIST=				        \
 +	TEMPLATE			        \
-+	libvirt-qemu.in				\
+	libvirt-qemu			        \
 +	usr.lib.libvirt.virt-aa-helper.in	\
 +	usr.sbin.libvirtd.in
 if WITH_APPARMOR_PROFILES
 +
 +libvirt-qemu: libvirt-qemu.in
 +	sed                                     \
 +	    -e 's![@]libdir[@]!$(libdir)!g'     \
 +	    < $< > $@-t
 +	mv $@-t $@
 +
 +usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in
 +	sed                                     \
 +	    -e 's![@]libdir[@]!$(libdir)!g'     \
@ -40,12 +33,12 @@ Index: libvirt-1.2.1/examples/apparmor/Makefile.am
 apparmordir = $(sysconfdir)/apparmor.d/
 apparmor_DATA = \
 	usr.lib.libvirt.virt-aa-helper \
-Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+Index: libvirt-1.2.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
 ===================================================================
 --- /dev/null
-+++ libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ libvirt-1.2.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,48 @@
-+# Last Modified: Fri Aug 19 11:21:48 2011
+# Last Modified: Mon Apr  5 15:10:27 2010
 +#include <tunables/global>
 +
 +@libdir@/libvirt/virt-aa-helper {
@ -58,8 +51,9 @@ Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
 +  # needed for when disk is on a network filesystem
 +  network inet,
 +
 +  @{PROC}/[0-9]** r,
 +  deny @{PROC}/[0-9]*/mounts r,
 +  @{PROC}/[0-9]*/net/psched r,
 +  owner @{PROC}/[0-9]*/status r,
 +  @{PROC}/filesystems r,
 +
 +  # for hostdev
@ -83,14 +77,91 @@ Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
 +  @{HOME}/** r,
 +  /var/lib/libvirt/images/ r,
 +  /var/lib/libvirt/images/** r,
-+  /var/lib/kvm/images/ r,
+  /{media,mnt,opt,srv}/** r,
-+  /var/lib/kvm/images/** r,
+
 +  /**.img r,
 +  /**.qcow{,2} r,
 +  /**.qed r,
 +  /**.vmdk r,
 +  /**.[iI][sS][oO] r,
 +  /**/disk{,.*} r,
 +}
-Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+Index: libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd.in
 ===================================================================
--- libvirt-1.2.1.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+--- /dev/null
 +++ libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,66 @@
 +# Last Modified: Mon Apr  5 15:03:58 2010
 +#include <tunables/global>
 +@{LIBVIRT}="libvirt"
 +
 +/usr/sbin/libvirtd {
 +  #include <abstractions/base>
 +  #include <abstractions/dbus>
 +
 +  capability kill,
 +  capability net_admin,
 +  capability net_raw,
 +  capability setgid,
 +  capability sys_admin,
 +  capability sys_module,
 +  capability sys_ptrace,
 +  capability sys_pacct,
 +  capability sys_nice,
 +  capability sys_chroot,
 +  capability setuid,
 +  capability dac_override,
 +  capability dac_read_search,
 +  capability fowner,
 +  capability chown,
 +  capability setpcap,
 +  capability mknod,
 +  capability fsetid,
 +  capability audit_write,
 +  capability ipc_lock,
 +
 +  network inet stream,
 +  network inet dgram,
 +  network inet6 stream,
 +  network inet6 dgram,
 +  network packet dgram,
 +
 +  # Very lenient profile for libvirtd since we want to first focus on confining
 +  # the guests. Guests will have a very restricted profile.
 +  / r,
 +  /** rwmkl,
 +
 +  /bin/* PUx,
 +  /sbin/* PUx,
 +  /usr/bin/* PUx,
 +  /usr/sbin/* PUx,
 +  /lib/udev/scsi_id PUx,
 +  /usr/lib/xen/bin/* Ux,
 +  /usr/lib64/xen/bin/* Ux,
 +  /usr/lib/polkit-1/polkit-agent-helper Px,
 +
 +  # force the use of virt-aa-helper
 +  audit deny /sbin/apparmor_parser rwxl,
 +  audit deny /etc/apparmor.d/libvirt/** wxl,
 +  audit deny /sys/kernel/security/apparmor/features rwxl,
 +  audit deny /sys/kernel/security/apparmor/matching rwxl,
 +  audit deny /sys/kernel/security/apparmor/.* rwxl,
 +  /sys/kernel/security/apparmor/profiles r,
 +  @libdir@/libvirt/* PUxr,
 +  /etc/libvirt/hooks/** rmix,
 +  /etc/xen/scripts/** rmix,
 +  @libdir@/libvirt/libvirt_parthelper Ux,
 +  @libdir@/libvirt/libvirt_iohelper Ux,
 +
 +  # allow changing to our UUID-based named profiles
 +  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 +
 +}
 Index: libvirt-1.2.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 ===================================================================
 --- libvirt-1.2.2.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ /dev/null
-@@ -1,38 +0,0 @@
+@@ -1,48 +0,0 @@
 -# Last Modified: Mon Apr  5 15:10:27 2010
 -#include <tunables/global>
 -
@ -105,6 +176,8 @@ Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 -  network inet,
 -
 -  deny @{PROC}/[0-9]*/mounts r,
 -  @{PROC}/[0-9]*/net/psched r,
 -  owner @{PROC}/[0-9]*/status r,
 -  @{PROC}/filesystems r,
 -
 -  # for hostdev
@ -128,18 +201,27 @@ Index: libvirt-1.2.1/examples/apparmor/usr.lib.libvirt.virt-aa-helper
 -  @{HOME}/** r,
 -  /var/lib/libvirt/images/ r,
 -  /var/lib/libvirt/images/** r,
 -  /{media,mnt,opt,srv}/** r,
 -
 -  /**.img r,
 -  /**.qcow{,2} r,
 -  /**.qed r,
 -  /**.vmdk r,
 -  /**.[iI][sS][oO] r,
 -  /**/disk{,.*} r,
 -}
-Index: libvirt-1.2.1/examples/apparmor/usr.sbin.libvirtd
+Index: libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd
 ===================================================================
--- libvirt-1.2.1.orig/examples/apparmor/usr.sbin.libvirtd
+--- libvirt-1.2.2.orig/examples/apparmor/usr.sbin.libvirtd
 +++ /dev/null
-@@ -1,52 +0,0 @@
+@@ -1,60 +0,0 @@
 -# Last Modified: Mon Apr  5 15:03:58 2010
 -#include <tunables/global>
 -@{LIBVIRT}="libvirt"
 -
 -/usr/sbin/libvirtd {
 -  #include <abstractions/base>
 -  #include <abstractions/dbus>
 -
 -  capability kill,
 -  capability net_admin,
@ -158,20 +240,25 @@ Index: libvirt-1.2.1/examples/apparmor/usr.sbin.libvirtd
 -  capability setpcap,
 -  capability mknod,
 -  capability fsetid,
 -  capability audit_write,
 -
 -  network inet stream,
 -  network inet dgram,
 -  network inet6 stream,
 -  network inet6 dgram,
 -  network packet dgram,
 -
 -  # Very lenient profile for libvirtd since we want to first focus on confining
 -  # the guests. Guests will have a very restricted profile.
 -  / r,
 -  /** rwmkl,
 -
-  /bin/* Ux,
+-  /bin/* PUx,
-  /sbin/* Ux,
+-  /sbin/* PUx,
-  /usr/bin/* Ux,
+-  /usr/bin/* PUx,
-  /usr/sbin/* Ux,
+-  /usr/sbin/* PUx,
 -  /lib/udev/scsi_id PUx,
 -  /usr/lib/xen-common/bin/xen-toolstack PUx,
 -
 -  # force the use of virt-aa-helper
 -  audit deny /sbin/apparmor_parser rwxl,
@ -181,346 +268,10 @@ Index: libvirt-1.2.1/examples/apparmor/usr.sbin.libvirtd
 -  audit deny /sys/kernel/security/apparmor/.* rwxl,
 -  /sys/kernel/security/apparmor/profiles r,
 -  /usr/lib/libvirt/* PUxr,
 -  /etc/libvirt/hooks/** rmix,
 -  /etc/xen/scripts/** rmix,
 -
 -  # allow changing to our UUID-based named profiles
 -  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 -
 -}
 Index: libvirt-1.2.1/examples/apparmor/usr.sbin.libvirtd.in
 ===================================================================
 --- /dev/null
 +++ libvirt-1.2.1/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,62 @@
 +# Last Modified: Fri Aug 19 11:20:36 2011
 +#include <tunables/global>
 +@{LIBVIRT}="libvirt"
 +
 +/usr/sbin/libvirtd {
 +  #include <abstractions/base>
 +
 +  capability kill,
 +  capability net_admin,
 +  capability net_raw,
 +  capability setgid,
 +  capability sys_admin,
 +  capability sys_module,
 +  capability sys_ptrace,
 +  capability sys_pacct,
 +  capability sys_nice,
 +  capability sys_chroot,
 +  capability setuid,
 +  capability dac_override,
 +  capability dac_read_search,
 +  capability fowner,
 +  capability chown,
 +  capability setpcap,
 +  capability mknod,
 +  capability fsetid,
 +  capability ipc_lock,
 +
 +  network inet stream,
 +  network inet dgram,
 +  network inet6 stream,
 +  network inet6 dgram,
 +  network packet dgram,
 +
 +  # Very lenient profile for libvirtd since we want to first focus on confining
 +  # the guests. Guests will have a very restricted profile.
 +  /** rwmkl,
 +
 +  /bin/* Ux,
 +  /sbin/* Ux,
 +  /usr/bin/* Ux,
 +  /usr/sbin/* Ux,
 +  /usr/lib/xen/bin/* Ux,
 +  /usr/lib64/xen/bin/* Ux,
 +  /usr/lib/PolicyKit/polkit-read-auth-helper Px,
 +
 +  # force the use of virt-aa-helper
 +  audit deny /sbin/apparmor_parser rwxl,
 +  audit deny /etc/apparmor.d/libvirt/** wxl,
 +  audit deny /sys/kernel/security/apparmor/features rwxl,
 +  audit deny /sys/kernel/security/apparmor/matching rwxl,
 +  audit deny /sys/kernel/security/apparmor/.* rwxl,
 +  /sys/kernel/security/apparmor/profiles r,
 +  /etc/libvirt/hooks/* rix,
 +  /etc/xen/scripts/* rix,
 +  @libdir@/libvirt/* Pxr,
 +  @libdir@/libvirt/libvirt_parthelper Ux,
 +  @libdir@/libvirt/libvirt_iohelper Ux,
 +
 +  # allow changing to our UUID-based named profiles
 +  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
 +
 +}
 Index: libvirt-1.2.1/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-1.2.1.orig/examples/apparmor/libvirt-qemu
 +++ /dev/null
@@ -1,129 +0,0 @@
 -# Last Modified: Fri Mar 9 14:43:22 2012
 -
 -  #include <abstractions/base>
 -  #include <abstractions/consoles>
 -  #include <abstractions/nameservice>
 -
 -  # required for reading disk images
 -  capability dac_override,
 -  capability dac_read_search,
 -  capability chown,
 -
 -  network inet stream,
 -  network inet6 stream,
 -
 -  /dev/net/tun rw,
 -  /dev/kvm rw,
 -  /dev/ptmx rw,
 -  /dev/kqemu rw,
 -  @{PROC}/*/status r,
 -
 -  # For hostdev access. The actual devices will be added dynamically
 -  /sys/bus/usb/devices/ r,
 -  /sys/devices/*/*/usb[0-9]*/** r,
 -
 -  # WARNING: this gives the guest direct access to host hardware and specific
 -  # portions of shared memory. This is required for sound using ALSA with kvm,
 -  # but may constitute a security risk. If your environment does not require
 -  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
 -  # the rules for files in /dev.
 -  /{dev,run}/shm r,
 -  /{dev,run}/shmpulse-shm* r,
 -  /{dev,run}/shmpulse-shm* rwk,
 -  /dev/snd/* rw,
 -  capability ipc_lock,
 -  # 'kill' is not required for sound and is a security risk. Do not enable
 -  # unless you absolutely need it.
 -  deny capability kill,
 -
 -  # Uncomment the following if you need access to /dev/fb*
 -  #/dev/fb* rw,
 -
 -  /etc/pulse/client.conf r,
 -  @{HOME}/.pulse-cookie rwk,
 -  owner /root/.pulse-cookie rwk,
 -  owner /root/.pulse/ rw,
 -  owner /root/.pulse/* rw,
 -  /usr/share/alsa/** r,
 -  owner /tmp/pulse-*/ rw,
 -  owner /tmp/pulse-*/* rw,
 -  /var/lib/dbus/machine-id r,
 -
 -  # access to firmware's etc
 -  /usr/share/kvm/** r,
 -  /usr/share/qemu/** r,
 -  /usr/share/bochs/** r,
 -  /usr/share/openbios/** r,
 -  /usr/share/openhackware/** r,
 -  /usr/share/proll/** r,
 -  /usr/share/vgabios/** r,
 -  /usr/share/seabios/** r,
 -
 -  # access PKI infrastructure
 -  /etc/pki/libvirt-vnc/** r,
 -
 -  # the various binaries
 -  /usr/bin/kvm rmix,
 -  /usr/bin/qemu rmix,
 -  /usr/bin/qemu-system-arm rmix,
 -  /usr/bin/qemu-system-cris rmix,
 -  /usr/bin/qemu-system-i386 rmix,
 -  /usr/bin/qemu-system-m68k rmix,
 -  /usr/bin/qemu-system-microblaze rmix,
 -  /usr/bin/qemu-system-microblazeel rmix,
 -  /usr/bin/qemu-system-mips rmix,
 -  /usr/bin/qemu-system-mips64 rmix,
 -  /usr/bin/qemu-system-mips64el rmix,
 -  /usr/bin/qemu-system-mipsel rmix,
 -  /usr/bin/qemu-system-ppc rmix,
 -  /usr/bin/qemu-system-ppc64 rmix,
 -  /usr/bin/qemu-system-ppcemb rmix,
 -  /usr/bin/qemu-system-sh4 rmix,
 -  /usr/bin/qemu-system-sh4eb rmix,
 -  /usr/bin/qemu-system-sparc rmix,
 -  /usr/bin/qemu-system-sparc64 rmix,
 -  /usr/bin/qemu-system-x86_64 rmix,
 -  /usr/bin/qemu-alpha rmix,
 -  /usr/bin/qemu-arm rmix,
 -  /usr/bin/qemu-armeb rmix,
 -  /usr/bin/qemu-cris rmix,
 -  /usr/bin/qemu-i386 rmix,
 -  /usr/bin/qemu-m68k rmix,
 -  /usr/bin/qemu-microblaze rmix,
 -  /usr/bin/qemu-microblazeel rmix,
 -  /usr/bin/qemu-mips rmix,
 -  /usr/bin/qemu-mipsel rmix,
 -  /usr/bin/qemu-ppc rmix,
 -  /usr/bin/qemu-ppc64 rmix,
 -  /usr/bin/qemu-ppc64abi32 rmix,
 -  /usr/bin/qemu-sh4 rmix,
 -  /usr/bin/qemu-sh4eb rmix,
 -  /usr/bin/qemu-sparc rmix,
 -  /usr/bin/qemu-sparc64 rmix,
 -  /usr/bin/qemu-sparc32plus rmix,
 -  /usr/bin/qemu-sparc64 rmix,
 -  /usr/bin/qemu-x86_64 rmix,
 -
 -  # for save and resume
 -  /bin/dash rmix,
 -  /bin/dd rmix,
 -  /bin/cat rmix,
 -
 -  /usr/libexec/qemu-bridge-helper Cx,
 -  # child profile for bridge helper process
 -  profile /usr/libexec/qemu-bridge-helper {
 -   #include <abstractions/base>
 -
 -   capability setuid,
 -   capability setgid,
 -   capability setpcap,
 -   capability net_admin,
 -
 -   network inet stream,
 -
 -   /dev/net/tun rw,
 -   /etc/qemu/** r,
 -   owner @{PROC}/*/status r,
 -
 -   /usr/libexec/qemu-bridge-helper rmix,
 -  }
 Index: libvirt-1.2.1/examples/apparmor/libvirt-qemu.in
 ===================================================================
 --- /dev/null
 +++ libvirt-1.2.1/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,132 @@
 +# Last Modified: Fri Mar 9 14:43:22 2012
 +
 +  #include <abstractions/base>
 +  #include <abstractions/consoles>
 +  #include <abstractions/nameservice>
 +
 +  # required for reading disk images
 +  capability dac_override,
 +  capability dac_read_search,
 +  capability chown,
 +  capability setgid,
 +
 +  network inet stream,
 +  network inet6 stream,
 +
 +  /dev/net/tun rw,
 +  /dev/kvm rw,
 +  /dev/ptmx rw,
 +  /dev/kqemu rw,
 +  @{PROC}/*/status r,
 +
 +  # For hostdev access. The actual devices will be added dynamically
 +  /sys/bus/usb/devices/ r,
 +  /sys/devices/*/*/usb[0-9]*/** r,
 +
 +  # WARNING: this gives the guest direct access to host hardware and specific
 +  # portions of shared memory. This is required for sound using ALSA with kvm,
 +  # but may constitute a security risk. If your environment does not require
 +  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
 +  # the rules for files in /dev.
 +  /{dev,run}/shm r,
 +  /{dev,run}/shmpulse-shm* r,
 +  /{dev,run}/shmpulse-shm* rwk,
 +  /dev/snd/* rw,
 +  capability ipc_lock,
 +  # 'kill' is not required for sound and is a security risk. Do not enable
 +  # unless you absolutely need it.
 +  deny capability kill,
 +
 +  # Uncomment the following if you need access to /dev/fb*
 +  #/dev/fb* rw,
 +
 +  /etc/pulse/client.conf r,
 +  @{HOME}/.pulse-cookie rwk,
 +  owner /root/.pulse-cookie rwk,
 +  owner /root/.pulse/ rw,
 +  owner /root/.pulse/* rw,
 +  /usr/share/alsa/** r,
 +  owner /tmp/pulse-*/ rw,
 +  owner /tmp/pulse-*/* rw,
 +  /var/lib/dbus/machine-id r,
 +
 +  # access to firmware's etc
 +  /usr/share/kvm/** r,
 +  /usr/share/qemu/** r,
 +  /usr/share/qemu-kvm/** r,
 +  /usr/share/bochs/** r,
 +  /usr/share/openbios/** r,
 +  /usr/share/openhackware/** r,
 +  /usr/share/proll/** r,
 +  /usr/share/vgabios/** r,
 +  /usr/share/seabios/** r,
 +
 +  # access PKI infrastructure
 +  /etc/pki/libvirt-vnc/** r,
 +
 +  # the various binaries
 +  /usr/bin/kvm rmix,
 +  /usr/bin/qemu rmix,
 +  /usr/bin/qemu-kvm rmix,
 +  /usr/bin/qemu-system-arm rmix,
 +  /usr/bin/qemu-system-cris rmix,
 +  /usr/bin/qemu-system-i386 rmix,
 +  /usr/bin/qemu-system-m68k rmix,
 +  /usr/bin/qemu-system-microblaze rmix,
 +  /usr/bin/qemu-system-microblazeel rmix,
 +  /usr/bin/qemu-system-mips rmix,
 +  /usr/bin/qemu-system-mips64 rmix,
 +  /usr/bin/qemu-system-mips64el rmix,
 +  /usr/bin/qemu-system-mipsel rmix,
 +  /usr/bin/qemu-system-ppc rmix,
 +  /usr/bin/qemu-system-ppc64 rmix,
 +  /usr/bin/qemu-system-ppcemb rmix,
 +  /usr/bin/qemu-system-sh4 rmix,
 +  /usr/bin/qemu-system-sh4eb rmix,
 +  /usr/bin/qemu-system-sparc rmix,
 +  /usr/bin/qemu-system-sparc64 rmix,
 +  /usr/bin/qemu-system-x86_64 rmix,
 +  /usr/bin/qemu-alpha rmix,
 +  /usr/bin/qemu-arm rmix,
 +  /usr/bin/qemu-armeb rmix,
 +  /usr/bin/qemu-cris rmix,
 +  /usr/bin/qemu-i386 rmix,
 +  /usr/bin/qemu-m68k rmix,
 +  /usr/bin/qemu-microblaze rmix,
 +  /usr/bin/qemu-microblazeel rmix,
 +  /usr/bin/qemu-mips rmix,
 +  /usr/bin/qemu-mipsel rmix,
 +  /usr/bin/qemu-ppc rmix,
 +  /usr/bin/qemu-ppc64 rmix,
 +  /usr/bin/qemu-ppc64abi32 rmix,
 +  /usr/bin/qemu-sh4 rmix,
 +  /usr/bin/qemu-sh4eb rmix,
 +  /usr/bin/qemu-sparc rmix,
 +  /usr/bin/qemu-sparc64 rmix,
 +  /usr/bin/qemu-sparc32plus rmix,
 +  /usr/bin/qemu-sparc64 rmix,
 +  /usr/bin/qemu-x86_64 rmix,
 +
 +  # for save and resume
 +  /bin/dash rmix,
 +  /bin/dd rmix,
 +  /bin/cat rmix,
 +
 +  @libdir@/qemu-bridge-helper Cx,
 +  # child profile for bridge helper process
 +  profile @libdir@/qemu-bridge-helper {
 +   #include <abstractions/base>
 +
 +   capability setuid,
 +   capability setgid,
 +   capability setpcap,
 +   capability net_admin,
 +
 +   network inet stream,
 +
 +   /dev/net/tun rw,
 +   /etc/qemu/** r,
 +   owner @{PROC}/*/status r,
 +
 +   @libdir@/qemu-bridge-helper rmix,
 +  }
--- a/libvirt-1.2.1.tar.bz2
+++ b/libvirt-1.2.1.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:8234f08f12d77e5172f9f8430e9a5bb3370266bc46c9b7f5cad85c3ef2c6293b
 size 19585562
--- a/libvirt-1.2.2.tar.bz2
+++ b/libvirt-1.2.2.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:237074ec79c2de75c79c05dfaa074543ae5fd75261e7e1f9fc4b8a424bf96692
 size 20497389
--- a/libvirt-guests-init-script.patch
+++ b/libvirt-guests-init-script.patch
@ -1,9 +1,9 @@
 Adjust libvirt-guests init files to conform to SUSE standards
-Index: libvirt-1.2.1/tools/libvirt-guests.init.in
+Index: libvirt-1.2.2/tools/libvirt-guests.init.in
 ===================================================================
--- libvirt-1.2.1.orig/tools/libvirt-guests.init.in
+--- libvirt-1.2.2.orig/tools/libvirt-guests.init.in
-+++ libvirt-1.2.1/tools/libvirt-guests.init.in
+++ libvirt-1.2.2/tools/libvirt-guests.init.in
@@ -3,15 +3,15 @@
 # the following is the LSB init header
 #
@ -28,10 +28,10 @@ Index: libvirt-1.2.1/tools/libvirt-guests.init.in
 ### END INIT INFO
 # the following is chkconfig init header
-Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
+Index: libvirt-1.2.2/tools/libvirt-guests.sh.in
 ===================================================================
--- libvirt-1.2.1.orig/tools/libvirt-guests.sh.in
+--- libvirt-1.2.2.orig/tools/libvirt-guests.sh.in
-+++ libvirt-1.2.1/tools/libvirt-guests.sh.in
+++ libvirt-1.2.2/tools/libvirt-guests.sh.in
@@ -16,14 +16,13 @@
 # License along with this library.  If not, see
 # <http://www.gnu.org/licenses/>.
@ -50,7 +50,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
 # Source gettext library.
 # Make sure this file is recognized as having translations: _("dummy")
 . "@bindir@"/gettext.sh
-@@ -42,9 +41,11 @@ test -f "$sysconfdir"/sysconfig/libvirt-
+@@ -44,9 +43,11 @@ test -f "$sysconfdir"/sysconfig/libvirt-
     . "$sysconfdir"/sysconfig/libvirt-guests
 LISTFILE="$localstatedir"/lib/libvirt/libvirt-guests
@ -65,7 +65,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
 # retval COMMAND ARGUMENTS...
 # run command with arguments and convert non-zero return value to 1 and set
-@@ -52,7 +53,7 @@ RETVAL=0
+@@ -54,7 +55,7 @@ RETVAL=0
 retval() {
     "$@"
     if [ $? -ne 0 ]; then
@ -74,7 +74,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
         return 1
     else
         return 0
-@@ -81,6 +82,25 @@ run_virsh_c() {
+@@ -83,6 +84,25 @@ run_virsh_c() {
     ( export LC_ALL=C; run_virsh "$@" )
 }
@ -100,7 +100,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
 # test_connect URI
 # check if URI is reachable
 test_connect()
-@@ -107,7 +127,7 @@ list_guests() {
+@@ -114,7 +134,7 @@ list_guests() {
     list=$(run_virsh_c "$uri" list --uuid $persistent)
     if [ $? -ne 0 ]; then
@ -109,7 +109,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
         return 1
     fi
-@@ -133,7 +153,7 @@ guest_is_on() {
+@@ -140,7 +160,7 @@ guest_is_on() {
     guest_running=false
     id=$(run_virsh "$uri" domid "$uuid")
     if [ $? -ne 0 ]; then
@ -118,7 +118,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
         return 1
     fi
-@@ -181,6 +201,12 @@ start() {
+@@ -188,6 +208,12 @@ start() {
         test_connect "$uri" || continue
@ -131,7 +131,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
         eval_gettext "Resuming guests on \$uri URI..."; echo
         for guest in $list; do
             name=$(guest_name "$uri" "$guest")
-@@ -394,7 +420,7 @@ shutdown_guests_parallel()
+@@ -401,7 +427,7 @@ shutdown_guests_parallel()
             timeout=$(($timeout - 1))
             if [ $timeout -le 0 ]; then
                 eval_gettext "Timeout expired while shutting down domains"; echo
@ -140,7 +140,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
                 return
             fi
         else
-@@ -422,7 +448,7 @@ stop() {
+@@ -429,7 +455,7 @@ stop() {
         if [ $SHUTDOWN_TIMEOUT -lt 0 ]; then
             gettext "SHUTDOWN_TIMEOUT must be equal or greater than 0"
             echo
@ -149,7 +149,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
             return
         fi
     fi
-@@ -470,14 +496,14 @@ stop() {
+@@ -477,14 +503,14 @@ stop() {
                 if [ $? -ne 0 ]; then
                     eval_gettext "Failed to list persistent guests on \$uri"
                     echo
@ -166,7 +166,7 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
                 set +f
                 return
             fi
-@@ -536,14 +562,13 @@ gueststatus() {
+@@ -543,14 +569,13 @@ gueststatus() {
 rh_status() {
     if [ -f "$LISTFILE" ]; then
         gettext "stopped, with saved guests"; echo
@ -183,16 +183,16 @@ Index: libvirt-1.2.1/tools/libvirt-guests.sh.in
         fi
     fi
 }
-@@ -588,4 +613,4 @@ case "$1" in
+@@ -595,4 +620,4 @@ case "$1" in
         usage
         ;;
 esac
 -exit $RETVAL
 +rc_exit
-Index: libvirt-1.2.1/tools/libvirt-guests.sysconf
+Index: libvirt-1.2.2/tools/libvirt-guests.sysconf
 ===================================================================
--- libvirt-1.2.1.orig/tools/libvirt-guests.sysconf
+--- libvirt-1.2.2.orig/tools/libvirt-guests.sysconf
-+++ libvirt-1.2.1/tools/libvirt-guests.sysconf
+++ libvirt-1.2.2/tools/libvirt-guests.sysconf
@@ -1,19 +1,29 @@
 +## Path: System/Virtualization/libvirt-guests
 +
--- a/libvirt-suse-netcontrol.patch
+++ b/libvirt-suse-netcontrol.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/configure.ac
+Index: libvirt-1.2.2/configure.ac
 ===================================================================
--- libvirt-1.2.1.orig/configure.ac
+--- libvirt-1.2.2.orig/configure.ac
-+++ libvirt-1.2.1/configure.ac
+++ libvirt-1.2.2/configure.ac
@@ -231,6 +231,7 @@ LIBVIRT_CHECK_FUSE
 LIBVIRT_CHECK_GLUSTER
 LIBVIRT_CHECK_HAL
@ -10,7 +10,7 @@ Index: libvirt-1.2.1/configure.ac
 LIBVIRT_CHECK_NUMACTL
 LIBVIRT_CHECK_OPENWSMAN
 LIBVIRT_CHECK_PCIACCESS
-@@ -2337,11 +2338,12 @@ if test "$with_libvirtd" = "no" ; then
+@@ -2368,11 +2369,12 @@ if test "$with_libvirtd" = "no" ; then
   with_interface=no
 fi
@ -26,7 +26,7 @@ Index: libvirt-1.2.1/configure.ac
 esac
 if test "$with_interface" = "yes" ; then
-@@ -2656,6 +2658,7 @@ LIBVIRT_RESULT_FUSE
+@@ -2766,6 +2768,7 @@ LIBVIRT_RESULT_FUSE
 LIBVIRT_RESULT_GLUSTER
 LIBVIRT_RESULT_HAL
 LIBVIRT_RESULT_NETCF
@ -34,11 +34,11 @@ Index: libvirt-1.2.1/configure.ac
 LIBVIRT_RESULT_NUMACTL
 LIBVIRT_RESULT_OPENWSMAN
 LIBVIRT_RESULT_PCIACCESS
-Index: libvirt-1.2.1/src/Makefile.am
+Index: libvirt-1.2.2/src/Makefile.am
 ===================================================================
--- libvirt-1.2.1.orig/src/Makefile.am
+--- libvirt-1.2.2.orig/src/Makefile.am
-+++ libvirt-1.2.1/src/Makefile.am
+++ libvirt-1.2.2/src/Makefile.am
-@@ -790,6 +790,10 @@ if WITH_NETCF
+@@ -801,6 +801,10 @@ if WITH_NETCF
 INTERFACE_DRIVER_SOURCES +=					\
 		interface/interface_backend_netcf.c
 endif WITH_NETCF
@ -49,7 +49,7 @@ Index: libvirt-1.2.1/src/Makefile.am
 if WITH_UDEV
 INTERFACE_DRIVER_SOURCES +=					\
 		interface/interface_backend_udev.c
-@@ -1355,10 +1359,15 @@ if WITH_NETCF
+@@ -1386,10 +1390,15 @@ if WITH_NETCF
 libvirt_driver_interface_la_CFLAGS += $(NETCF_CFLAGS)
 libvirt_driver_interface_la_LIBADD += $(NETCF_LIBS)
 else ! WITH_NETCF
@ -65,11 +65,11 @@ Index: libvirt-1.2.1/src/Makefile.am
 endif ! WITH_NETCF
 if WITH_DRIVER_MODULES
 libvirt_driver_interface_la_LIBADD += ../gnulib/lib/libgnu.la
-Index: libvirt-1.2.1/tools/virsh.c
+Index: libvirt-1.2.2/tools/virsh.c
 ===================================================================
--- libvirt-1.2.1.orig/tools/virsh.c
+--- libvirt-1.2.2.orig/tools/virsh.c
-+++ libvirt-1.2.1/tools/virsh.c
+++ libvirt-1.2.2/tools/virsh.c
-@@ -3029,6 +3029,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
+@@ -3209,6 +3209,8 @@ vshShowVersion(vshControl *ctl ATTRIBUTE
     vshPrint(ctl, " Interface");
 # if defined(WITH_NETCF)
     vshPrint(ctl, " netcf");
@ -78,10 +78,10 @@ Index: libvirt-1.2.1/tools/virsh.c
 # elif defined(WITH_UDEV)
     vshPrint(ctl, " udev");
 # endif
-Index: libvirt-1.2.1/src/interface/interface_backend_netcf.c
+Index: libvirt-1.2.2/src/interface/interface_backend_netcf.c
 ===================================================================
--- libvirt-1.2.1.orig/src/interface/interface_backend_netcf.c
+--- libvirt-1.2.2.orig/src/interface/interface_backend_netcf.c
-+++ libvirt-1.2.1/src/interface/interface_backend_netcf.c
+++ libvirt-1.2.2/src/interface/interface_backend_netcf.c
@@ -23,7 +23,12 @@
 #include <config.h>
@ -165,10 +165,10 @@ Index: libvirt-1.2.1/src/interface/interface_backend_netcf.c
     return 0;
 }
-Index: libvirt-1.2.1/src/interface/interface_driver.c
+Index: libvirt-1.2.2/src/interface/interface_driver.c
 ===================================================================
--- libvirt-1.2.1.orig/src/interface/interface_driver.c
+--- libvirt-1.2.2.orig/src/interface/interface_driver.c
-+++ libvirt-1.2.1/src/interface/interface_driver.c
+++ libvirt-1.2.2/src/interface/interface_driver.c
@@ -28,8 +28,15 @@ interfaceRegister(void) {
     if (netcfIfaceRegister() == 0)
         return 0;
@ -186,10 +186,10 @@ Index: libvirt-1.2.1/src/interface/interface_driver.c
     if (udevIfaceRegister() == 0)
         return 0;
 #endif /* WITH_UDEV */
-Index: libvirt-1.2.1/m4/virt-netcontrol.m4
+Index: libvirt-1.2.2/m4/virt-netcontrol.m4
 ===================================================================
 --- /dev/null
-+++ libvirt-1.2.1/m4/virt-netcontrol.m4
+++ libvirt-1.2.2/m4/virt-netcontrol.m4
@@ -0,0 +1,35 @@
 +dnl The libnetcontrol library
 +dnl
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,42 @@
 -------------------------------------------------------------------
 Sun Mar  2 20:32:21 MST 2014 - jfehlig@suse.com
 - Update to libvirt 1.2.2
  - add LXC from native conversion tool
  - vbox: add support for v4.2.20+ and v4.3.4+
  - CVE-2013-6456 (bnc#857490)
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Drop upstream patches: 37564b47-xend-parse-response.patch,
    4f20084-fix-apparmor-install-patch.patch
  - Add local disable-virCgroupGetPercpuStats-test.patch to disable
    failing virCgroupGetPercpuStats test in 'make check'
 -------------------------------------------------------------------
 Mon Feb 24 16:40:31 MST 2014 - jfehlig@suse.com
 - daemon-qemu: Require qemu instead of kvm to align with
  recent changes to the qemu package structure
 -------------------------------------------------------------------
 Fri Feb 14 14:51:52 MST 2014 - jfehlig@suse.com
 - spec: fix dependencies of daemon-config-network and
  daemon-config-nwfilter subpackages.  Influenced by upstream
  commits cf76c4b3 and dca5ce4c 
 -------------------------------------------------------------------
 Fri Feb 14 14:37:42 MST 2014 - jfehlig@suse.com
 - Remove libvirtd, virtlockd, and libvirt-guests init scripts when
  using systemd
  bnc#863540  
 -------------------------------------------------------------------
 Wed Feb 12 15:58:18 UTC 2014 - cbosdonnat@suse.com
 - Fix the path to libvirtd AppArmor template profile
 -------------------------------------------------------------------
 Wed Jan 29 14:50:27 MST 2014 - jfehlig@suse.com
--- a/libvirt.spec
+++ b/libvirt.spec
@ -90,6 +90,7 @@
 %define with_numad         0%{!?_without_numad:0}
 %define with_firewalld     0%{!?_without_firewalld:0}
 %define with_libssh2       0%{!?_without_libssh2:0}
 %define with_systemd_daemon 0%{!?_without_systemd_daemon:0}
 # Non-server/HV driver defaults which are always enabled
 %define with_sasl          0%{!?_without_sasl:1}
@ -144,6 +145,7 @@
 # Support systemd on 12.1 and later
 %if 0%{?suse_version} >= 1210
 %define with_systemd       0%{!?_without_systemd:1}
 %define with_systemd_daemon 1
 %endif
 # libcapng is used to manage capabilities in 11.3 or newer.
@ -233,7 +235,7 @@
 Name:           libvirt
 Url:            http://libvirt.org/
-Version:        1.2.1
+Version:        1.2.2
 Release:        0
 Summary:        Library providing a simple virtualization API
 License:        LGPL-2.1+
@ -286,9 +288,14 @@ BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gettext-tools
 BuildRequires:  libtool
 # Needed for virkmodtest in 'make check'
 BuildRequires:  modutils
 %if %{with_systemd}
 BuildRequires:  systemd
 %endif
 %if %{with_systemd_daemon}
 BuildRequires:  systemd-devel
 %endif
 %if %{with_xen} || %{with_libxl}
 BuildRequires:  xen-devel
 %endif
@ -421,7 +428,6 @@ Source1:        libvirtd.init
 Source2:        libvirtd-relocation-server.fw
 Source99:       baselibs.conf
 # Upstream patches
 Patch0:         37564b47-xend-parse-response.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       ia64-clone.patch
@ -436,6 +442,8 @@ Patch204:       suse-qemu-conf.patch
 Patch205:       fix-pci-attach-xen-driver.patch
 Patch206:       support-managed-pci-xen-driver.patch
 Patch207:       systemd-service-xen.patch
 # Disable failing virCgroupGetPercpuStats unit test
 Patch208:       disable-virCgroupGetPercpuStats-test.patch
 %if %{with_apparmor}
 Patch250:       install-apparmor-profiles.patch
 %endif
@ -518,11 +526,15 @@ of recent versions of Linux. Requires a hypervisor specific sub-RPM
 for specific drivers.
 %if %{with_network}
 %package daemon-config-network
 Summary:        Default configuration files for the libvirtd daemon
 Group:          Development/Libraries/C and C++
 Requires:       libvirt-daemon = %{version}-%{release}
 %if %{with_driver_modules}
 Requires:       libvirt-daemon-driver-network = %{version}-%{release}
 %endif
 %description daemon-config-network
 Default configuration files for setting up NAT based networking
@ -535,6 +547,9 @@ Summary:        Network filter configuration files for the libvirtd
 Group:          Development/Libraries/C and C++
 Requires:       libvirt-daemon = %{version}-%{release}
 %if %{with_driver_modules}
 Requires:       libvirt-daemon-driver-nwfilter = %{version}-%{release}
 %endif
 %description daemon-config-nwfilter
 Network filter configuration files for the libvirt daemon, used for
@ -755,7 +770,7 @@ Requires:       libvirt-daemon-driver-qemu = %{version}-%{release}
 Requires:       libvirt-daemon-driver-secret = %{version}-%{release}
 Requires:       libvirt-daemon-driver-storage = %{version}-%{release}
 %endif
-Requires:       kvm
+Requires:       qemu
 %description daemon-qemu
 Server side daemon and driver required to manage the virtualization
@ -929,7 +944,6 @@ namespaces.
 %prep
 %setup -q
 %patch0 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
@ -942,6 +956,7 @@ namespaces.
 %patch205 -p1
 %patch206 -p1
 %patch207 -p1
 %patch208 -p1
 %if %{with_apparmor}
 %patch250 -p1
 %endif
@ -1089,6 +1104,9 @@ namespaces.
 %if %{with_firewalld}
 %define _with_firewalld --with-firewalld
 %endif
 %if ! %{with_systemd_daemon}
 %define _without_systemd_daemon --without-systemd-daemon
 %endif
 %if %{with_selinux}
 %define with_selinux_mount --with-selinux-mount="/sys/fs/selinux"
@ -1143,6 +1161,7 @@ export CFLAGS="$RPM_OPT_FLAGS"
           %{?_without_dtrace} \
           %{?_without_driver_modules} \
           %{?_with_firewalld} \
           %{?_without_systemd_daemon} \
           --libexecdir=%{_libdir}/%{name} \
           --with-qemu-user=%{qemu_user} \
           --with-qemu-group=%{qemu_group} \
@ -1256,22 +1275,32 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
 %if %{with_libvirtd}
 # Currently using our own libvirtd init script
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/libvirtd
 %if ! %{with_systemd}
 install %SOURCE1 $RPM_BUILD_ROOT%{_sysconfdir}/init.d/libvirtd
 ln -s /etc/init.d/libvirtd $RPM_BUILD_ROOT%{_sbindir}/rclibvirtd
 %endif
 mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirtd $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd
 rm -f $RPM_BUILD_ROOT/usr/lib/sysctl.d/libvirtd.conf
 # For other services, use the in-tree scripts
 %if %{with_systemd}
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/virtlockd
 %else
 mv $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/virtlockd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/virtlockd
 ln -s /etc/init.d/virtlockd $RPM_BUILD_ROOT%{_sbindir}/rcvirtlockd
 %endif
 mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/virtlockd $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.virtlockd
 #install firewall definitions format is described here:
 #/usr/share/SuSEfirewall2/services/TEMPLATE
 mkdir -p $RPM_BUILD_ROOT/%{_fwdefdir}
 install -m 644 %{S:2} $RPM_BUILD_ROOT/%{_fwdefdir}/libvirtd-relocation-server
 %endif
 %if %{with_systemd}
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/libvirt-guests
 %else
 mv $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sysconfdir}/init.d/libvirt-guests
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 ln -s %{_sysconfdir}/init.d/libvirt-guests $RPM_BUILD_ROOT%{_sbindir}/rclibvirt-guests
 %endif
 mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirt-guests $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests
 %fdupes -s $RPM_BUILD_ROOT
@ -1315,32 +1344,31 @@ fi
 %service_add_post libvirtd.service
 %service_add_post virtlockd.service virtlockd.socket
 %endif
 %if 0%{?sles_version}
 %{fillup_and_insserv -y -n libvirtd libvirtd}
 %else # ! sles
 %{fillup_only -n libvirtd}
 %endif
 %{fillup_only -n virtlockd}
 %preun daemon
 %if %{with_systemd}
 %service_del_preun libvirtd.service
 %service_del_preun virtlockd.service virtlockd.socket
-%endif
+%else
 %stop_on_removal libvirtd
 %stop_on_removal virtlockd
 %endif
 %postun daemon
 /sbin/ldconfig
 %if %{with_systemd}
 %service_del_postun libvirtd.service
 %service_del_postun virtlockd.service virtlockd.socket
-%endif
+%else
 %restart_on_update libvirtd
 %restart_on_update virtlockd
 %endif
 %insserv_cleanup
 %if %{with_network}
 %post daemon-config-network
 # Install the default network if one doesn't exist
 if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
@ -1362,8 +1390,9 @@ fi
 %preun client
 %if %{with_systemd}
 %service_del_preun libvirt-guests.service
-%endif
+%else
 %stop_on_removal libvirt-guests
 %endif
 if [ $1 = 0 ]; then
    rm -f /var/lib/libvirt/libvirt-guests
 fi
@ -1388,15 +1417,16 @@ fi
 %dir %{_libdir}/%{name}
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/
 %{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd
 %config /etc/init.d/libvirtd
 %{_sbindir}/rclibvirtd
 %{_localstatedir}/adm/fillup-templates/sysconfig.virtlockd
 %config /etc/init.d/virtlockd
 %{_sbindir}/rcvirtlockd
 %if %{with_systemd}
 %{_unitdir}/libvirtd.service
 %{_unitdir}/virtlockd.service
 %{_unitdir}/virtlockd.socket
 %else
 %config /etc/init.d/libvirtd
 %{_sbindir}/rclibvirtd
 %config /etc/init.d/virtlockd
 %{_sbindir}/rcvirtlockd
 %endif
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
@ -1435,11 +1465,11 @@ fi
 %if %{with_apparmor}
 %dir %{_sysconfdir}/apparmor.d
 %dir %{_sysconfdir}/apparmor.d/abstractions
-%dir %{_sysconfdir}/apparmor.d/libvirtd
+%dir %{_sysconfdir}/apparmor.d/libvirt
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.libvirtd
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.lib.libvirt.virt-aa-helper
 %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/libvirt-qemu
-%config(noreplace) %{_sysconfdir}/apparmor.d/libvirtd/TEMPLATE
+%config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE
 %{_libdir}/%{name}/virt-aa-helper
 %endif
 %config %{_fwdefdir}/libvirtd-relocation-server
@ -1490,6 +1520,7 @@ fi
 %endif # ! %{with_driver_modules}
 %if %{with_network}
 %files daemon-config-network
 %defattr(-, root, root)
 %doc %{_docdir}/%{name}/libvirt-daemon-config-network.README
@ -1683,10 +1714,11 @@ fi
 %{_libdir}/lib*.so.*
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt-guests.sh
 %{_localstatedir}/adm/fillup-templates/sysconfig.libvirt-guests
 %config /etc/init.d/libvirt-guests
 %{_sbindir}/rclibvirt-guests
 %if %{with_systemd}
 %{_unitdir}/libvirt-guests.service
 %else
 %config /etc/init.d/libvirt-guests
 %{_sbindir}/rclibvirt-guests
 %endif
 %dir %{_datadir}/libvirt/
--- a/libvirtd-defaults.patch
+++ b/libvirtd-defaults.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/daemon/libvirtd.conf
+Index: libvirt-1.2.2/daemon/libvirtd.conf
 ===================================================================
--- libvirt-1.2.1.orig/daemon/libvirtd.conf
+--- libvirt-1.2.2.orig/daemon/libvirtd.conf
-+++ libvirt-1.2.1/daemon/libvirtd.conf
+++ libvirt-1.2.2/daemon/libvirtd.conf
@@ -18,8 +18,8 @@
 # It is necessary to setup a CA and issue server certificates before
 # using this capability.
@ -13,10 +13,10 @@ Index: libvirt-1.2.1/daemon/libvirtd.conf
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
-Index: libvirt-1.2.1/daemon/libvirtd-config.c
+Index: libvirt-1.2.2/daemon/libvirtd-config.c
 ===================================================================
--- libvirt-1.2.1.orig/daemon/libvirtd-config.c
+--- libvirt-1.2.2.orig/daemon/libvirtd-config.c
-+++ libvirt-1.2.1/daemon/libvirtd-config.c
+++ libvirt-1.2.2/daemon/libvirtd-config.c
@@ -222,7 +222,7 @@ daemonConfigNew(bool privileged ATTRIBUT
     if (VIR_ALLOC(data) < 0)
         return NULL;
--- a/libvirtd-init-script.patch
+++ b/libvirtd-init-script.patch
@ -1,9 +1,9 @@
 Adjust libvirtd sysconfig file to conform to SUSE standards
-Index: libvirt-1.2.1/daemon/libvirtd.sysconf
+Index: libvirt-1.2.2/daemon/libvirtd.sysconf
 ===================================================================
--- libvirt-1.2.1.orig/daemon/libvirtd.sysconf
+--- libvirt-1.2.2.orig/daemon/libvirtd.sysconf
-+++ libvirt-1.2.1/daemon/libvirtd.sysconf
+++ libvirt-1.2.2/daemon/libvirtd.sysconf
@@ -1,16 +1,25 @@
 +## Path: System/Virtualization/libvirt
 +
--- a/libxl-hvm-vnc.patch
+++ b/libxl-hvm-vnc.patch
@ -1,8 +1,8 @@
-Index: libvirt-1.2.1/src/libxl/libxl_conf.c
+Index: libvirt-1.2.2/src/libxl/libxl_conf.c
 ===================================================================
--- libvirt-1.2.1.orig/src/libxl/libxl_conf.c
+--- libvirt-1.2.2.orig/src/libxl/libxl_conf.c
-+++ libvirt-1.2.1/src/libxl/libxl_conf.c
+++ libvirt-1.2.2/src/libxl/libxl_conf.c
-@@ -561,6 +561,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
+@@ -565,6 +565,30 @@ libxlMakeChrdevStr(virDomainChrDefPtr de
 }
 static int
@ -33,7 +33,7 @@ Index: libvirt-1.2.1/src/libxl/libxl_conf.c
 libxlMakeDomBuildInfo(virDomainObjPtr vm, libxl_domain_config *d_config)
 {
     virDomainDefPtr def = vm->def;
-@@ -1189,6 +1213,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
+@@ -1195,6 +1219,9 @@ libxlBuildDomainConfig(libxlDriverPrivat
     if (libxlMakeVfbList(driver, def, d_config) < 0)
         return -1;
--- a/support-managed-pci-xen-driver.patch
+++ b/support-managed-pci-xen-driver.patch
@ -8,11 +8,11 @@ Subject: [PATCH] support managed pci devices in xen driver
 src/xenxs/xen_xm.c   |   28 +++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 15 deletions(-)
-Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
+Index: libvirt-1.2.2/src/xenxs/xen_sxpr.c
 ===================================================================
--- libvirt-1.2.1.orig/src/xenxs/xen_sxpr.c
+--- libvirt-1.2.2.orig/src/xenxs/xen_sxpr.c
-+++ libvirt-1.2.1/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.2/src/xenxs/xen_sxpr.c
-@@ -996,6 +996,7 @@ xenParseSxprPCI(virDomainDefPtr def,
+@@ -998,6 +998,7 @@ xenParseSxprPCI(virDomainDefPtr def,
         int busID;
         int slotID;
         int funcID;
@ -20,7 +20,7 @@ Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
         node = cur->u.s.car;
         if (!sexpr_lookup(node, "dev"))
-@@ -1043,11 +1044,13 @@ xenParseSxprPCI(virDomainDefPtr def,
+@@ -1045,11 +1046,13 @@ xenParseSxprPCI(virDomainDefPtr def,
             goto error;
         }
@ -35,7 +35,7 @@ Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
         dev->source.subsys.type = VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI;
         dev->source.subsys.u.pci.addr.domain = domainID;
         dev->source.subsys.u.pci.addr.bus = busID;
-@@ -1991,11 +1994,15 @@ static void
+@@ -1993,11 +1996,15 @@ static void
 xenFormatSxprPCI(virDomainHostdevDefPtr def,
                  virBufferPtr buf)
 {
@ -52,7 +52,7 @@ Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
 }
-@@ -2014,12 +2021,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
+@@ -2016,12 +2023,6 @@ xenFormatSxprOnePCI(virDomainHostdevDefP
                     virBufferPtr buf,
                     int detach)
 {
@ -65,7 +65,7 @@ Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
     virBufferAddLit(buf, "(pci ");
     xenFormatSxprPCI(def, buf);
     if (detach)
-@@ -2074,12 +2075,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
+@@ -2076,12 +2077,6 @@ xenFormatSxprAllPCI(virDomainDefPtr def,
     for (i = 0; i < def->nhostdevs; i++) {
         if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
             def->hostdevs[i]->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) {
@ -78,10 +78,10 @@ Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
             xenFormatSxprPCI(def->hostdevs[i], buf);
         }
     }
-Index: libvirt-1.2.1/src/xenxs/xen_xm.c
+Index: libvirt-1.2.2/src/xenxs/xen_xm.c
 ===================================================================
--- libvirt-1.2.1.orig/src/xenxs/xen_xm.c
+--- libvirt-1.2.2.orig/src/xenxs/xen_xm.c
-+++ libvirt-1.2.1/src/xenxs/xen_xm.c
+++ libvirt-1.2.2/src/xenxs/xen_xm.c
@@ -802,6 +802,8 @@ xenParseXM(virConfPtr conf, int xendConf
             int busID;
             int slotID;
--- a/suse-qemu-conf.patch
+++ b/suse-qemu-conf.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/src/qemu/qemu.conf
+Index: libvirt-1.2.2/src/qemu/qemu.conf
 ===================================================================
--- libvirt-1.2.1.orig/src/qemu/qemu.conf
+--- libvirt-1.2.2.orig/src/qemu/qemu.conf
-+++ libvirt-1.2.1/src/qemu/qemu.conf
+++ libvirt-1.2.2/src/qemu/qemu.conf
@@ -200,7 +200,16 @@
 # a special value; security_driver can be set to that value in
 # isolation, but it cannot appear in a list of drivers.
--- a/systemd-service-xen.patch
+++ b/systemd-service-xen.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/daemon/libvirtd.service.in
+Index: libvirt-1.2.2/daemon/libvirtd.service.in
 ===================================================================
--- libvirt-1.2.1.orig/daemon/libvirtd.service.in
+--- libvirt-1.2.2.orig/daemon/libvirtd.service.in
-+++ libvirt-1.2.1/daemon/libvirtd.service.in
+++ libvirt-1.2.2/daemon/libvirtd.service.in
@@ -9,6 +9,8 @@ Before=libvirt-guests.service
 After=network.target
 After=dbus.service
--- a/virtlockd-init-script.patch
+++ b/virtlockd-init-script.patch
@ -1,9 +1,9 @@
 Adjust virtlockd init files to conform to SUSE standards
-Index: libvirt-1.2.1/src/locking/virtlockd.sysconf
+Index: libvirt-1.2.2/src/locking/virtlockd.sysconf
 ===================================================================
--- libvirt-1.2.1.orig/src/locking/virtlockd.sysconf
+--- libvirt-1.2.2.orig/src/locking/virtlockd.sysconf
-+++ libvirt-1.2.1/src/locking/virtlockd.sysconf
+++ libvirt-1.2.2/src/locking/virtlockd.sysconf
@@ -1,3 +1,7 @@
 +## Path: System/Virtualization/virtlockd
 +
@ -12,10 +12,10 @@ Index: libvirt-1.2.1/src/locking/virtlockd.sysconf
 #
 # Pass extra arguments to virtlockd
 #VIRTLOCKD_ARGS=
-Index: libvirt-1.2.1/src/locking/virtlockd.init.in
+Index: libvirt-1.2.2/src/locking/virtlockd.init.in
 ===================================================================
--- libvirt-1.2.1.orig/src/locking/virtlockd.init.in
+--- libvirt-1.2.2.orig/src/locking/virtlockd.init.in
-+++ libvirt-1.2.1/src/locking/virtlockd.init.in
+++ libvirt-1.2.2/src/locking/virtlockd.init.in
@@ -4,12 +4,14 @@
 # http://www.linux-foundation.org/spec//booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV
 #
--- a/xen-name-for-devid.patch
+++ b/xen-name-for-devid.patch
@ -14,10 +14,10 @@
    is inactive.  We obviously can't search xenstore when the domain is
    inactive.
-Index: libvirt-1.2.1/src/xen/xend_internal.c
+Index: libvirt-1.2.2/src/xen/xend_internal.c
 ===================================================================
--- libvirt-1.2.1.orig/src/xen/xend_internal.c
+--- libvirt-1.2.2.orig/src/xen/xend_internal.c
-+++ libvirt-1.2.1/src/xen/xend_internal.c
+++ libvirt-1.2.2/src/xen/xend_internal.c
@@ -70,7 +70,7 @@
 #define XEND_RCV_BUF_MAX_LEN (256 * 1024)
--- a/xen-pv-cdrom.patch
+++ b/xen-pv-cdrom.patch
@ -1,7 +1,7 @@
-Index: libvirt-1.2.1/src/xenxs/xen_sxpr.c
+Index: libvirt-1.2.2/src/xenxs/xen_sxpr.c
 ===================================================================
--- libvirt-1.2.1.orig/src/xenxs/xen_sxpr.c
+--- libvirt-1.2.2.orig/src/xenxs/xen_sxpr.c
-+++ libvirt-1.2.1/src/xenxs/xen_sxpr.c
+++ libvirt-1.2.2/src/xenxs/xen_sxpr.c
@@ -330,7 +330,7 @@ error:
 static int
 xenParseSxprDisks(virDomainDefPtr def,