- Change default setting of security_default_confined in

/etc/libvirt/qemu.conf instead of in code. Making the change in code changes the default behavior for all users, even those that have a custom security setup in their /etc/libvirt/qemu.conf. Modified suse-qemu-conf.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=442
2015-03-11 15:35:20 +00:00 · 2015-03-11 15:35:20 +00:00 · 168a353639
commit 168a353639
parent 7eedb34aa2
3 changed files with 27 additions and 17 deletions
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Wed Mar 11 09:29:29 MDT 2015 - jfehlig@suse.com
 - Change default setting of security_default_confined in
  /etc/libvirt/qemu.conf instead of in code.  Making the change in
  code changes the default behavior for all users, even those that
  have a custom security setup in their /etc/libvirt/qemu.conf.
  Modified suse-qemu-conf.patch
 -------------------------------------------------------------------
 Mon Mar  9 16:51:08 UTC 2015 - cbosdonnat@suse.com
--- a/libvirt.spec
+++ b/libvirt.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libvirt
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
--- a/suse-qemu-conf.patch
+++ b/suse-qemu-conf.patch
@ -2,16 +2,30 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 ===================================================================
 --- libvirt-1.2.13.orig/src/qemu/qemu.conf
 +++ libvirt-1.2.13/src/qemu/qemu.conf
-@@ -204,7 +204,7 @@
+@@ -201,11 +201,20 @@
 # isolation, but it cannot appear in a list of drivers.
 #
 #security_driver = "selinux"
 +#security_driver = "apparmor"
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
 -# will be unconfined by default. Defaults to 1.
 -#security_default_confined = 1
 +# will be unconfined by default. Defaults to 0.
- #security_default_confined = 1
+#
 +# SUSE Note:
 +# Currently, Apparmor is the default security framework in SUSE
 +# distros.  If Apparmor is enabled on the host, libvirtd is
 +# generously confined but users must opt-in to confine qemu
 +# instances.  Change this to a non-zero value to enable default
 +# Apparmor confinement of qemu instances.
 +#
 +security_default_confined = 0
 # If set to non-zero, then attempts to create unconfined
-@@ -417,11 +417,22 @@
+ # guests will be blocked. Defaults to 0.
@@ -417,11 +426,22 @@
 #allow_disk_format_probing = 1
@ -39,16 +53,3 @@ Index: libvirt-1.2.13/src/qemu/qemu.conf
 #
 #lock_manager = "lockd"
 Index: libvirt-1.2.13/src/qemu/qemu_conf.c
 ===================================================================
 --- libvirt-1.2.13.orig/src/qemu/qemu_conf.c
 +++ libvirt-1.2.13/src/qemu/qemu_conf.c
@@ -293,7 +293,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
     cfg->clearEmulatorCapabilities = true;
 -    cfg->securityDefaultConfined = true;
 +    cfg->securityDefaultConfined = false;
     cfg->securityRequireConfined = false;
     cfg->keepAliveInterval = 5;