diff --git a/30c6aecc-apparmor-lib64.patch b/30c6aecc-apparmor-lib64.patch
new file mode 100644
index 0000000..ce7bd20
--- /dev/null
+++ b/30c6aecc-apparmor-lib64.patch
@@ -0,0 +1,73 @@
+From 30c6aecc449202e930249215c6514d6c13a46c83 Mon Sep 17 00:00:00 2001
+From: Cedric Bosdonnat
+Date: Mon, 15 Dec 2014 15:14:48 +0100
+Subject: [PATCH] Teach AppArmor, that /usr/lib64 may exist.
+
+The apparmor profiles forgot about /usr/lib64 folders, just add lib64
+as a possible alternative to lib in the paths
+---
+ examples/apparmor/libvirt-qemu | 2 +-
+ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
+ examples/apparmor/usr.sbin.libvirtd | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index c6de6dd..7aad391 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -111,7 +111,7 @@
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+- /usr/lib/qemu/block-curl.so mr,
++ /usr/{lib,lib64}/qemu/block-curl.so mr,
+
+ # for save and resume
+ /bin/dash rmix,
+diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+index bceaaff..b34fb35 100644
+--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -1,7 +1,7 @@
+ # Last Modified: Mon Apr 5 15:10:27 2010
+ #include
+
+-/usr/lib/libvirt/virt-aa-helper {
++profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include
+
+ # needed for searching directories
+@@ -20,7 +20,7 @@
+ /sys/devices/ r,
+ /sys/devices/** r,
+
+- /usr/lib/libvirt/virt-aa-helper mr,
++ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /sbin/apparmor_parser Ux,
+
+ /etc/apparmor.d/libvirt/* r,
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index 3011eff..7151052 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -44,7 +44,7 @@
+ /usr/bin/* PUx,
+ /usr/sbin/* PUx,
+ /lib/udev/scsi_id PUx,
+- /usr/lib/xen-common/bin/xen-toolstack PUx,
++  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+
+ # force the use of virt-aa-helper
+ audit deny /sbin/apparmor_parser rwxl,
+@@ -53,7 +53,7 @@
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+- /usr/lib/libvirt/* PUxr,
++ /usr/{lib,lib64}/libvirt/* PUxr,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+--
+2.1.2
+
diff --git a/install-apparmor-profiles.patch b/install-apparmor-profiles.patch
deleted file mode 100644
index 67c883e..0000000
--- a/install-apparmor-profiles.patch
+++ /dev/null
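Review bot: This patch is not a like-for-like replacement for install-apparmor-profiles.patch. The usr.sbin.libvirtd.in that the removed patch created also carried `network packet raw,`, `/usr/lib/xen/bin/* Ux,`, `/usr/lib64/xen/bin/* Ux,` and `/usr/lib/polkit-1/polkit-agent-helper Px,`, none of which appear in these hunks. The profile's `/** rwmkl` rule grants no execute permission, so unless the base 1.2.10 profile already has equivalents, a confined libvirtd may be denied those helpers on a Xen host; either carry them in a small follow-up patch or confirm they are no longer needed. Separately, the new header `profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {` renames the loaded profile from the binary path to `virt-aa-helper`, so anything that refers to the profile by its old name should be checked. The `/usr/{lib,lib64}/libvirt/* PUxr` rule also extends the `PUx` fallback to unconfined execution to every file directly under /usr/lib64/libvirt/, which is worth a one-line comment in the profile.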
@@ -1,583 +0,0 @@ -Index: libvirt-1.2.10/examples/apparmor/Makefile.am -=================================================================== ---- libvirt-1.2.10.orig/examples/apparmor/Makefile.am -+++ libvirt-1.2.10/examples/apparmor/Makefile.am -@@ -17,12 +17,30 @@ - EXTRA_DIST= \ - TEMPLATE.qemu \ - TEMPLATE.lxc \ -- libvirt-qemu \ -+ libvirt-qemu.in \ - libvirt-lxc \ -- usr.lib.libvirt.virt-aa-helper \ -- usr.sbin.libvirtd -+ usr.lib.libvirt.virt-aa-helper.in \ -+ usr.sbin.libvirtd.in - - if WITH_APPARMOR_PROFILES -+usr.lib.libvirt.virt-aa-helper: usr.lib.libvirt.virt-aa-helper.in -+ sed \ -+ -e 's![@]libdir[@]!$(libdir)!g' \ -+ < $< > $@-t -+ mv $@-t $@ -+ -+usr.sbin.libvirtd: usr.sbin.libvirtd.in -+ sed \ -+ -e 's![@]libdir[@]!$(libdir)!g' \ -+ < $< > $@-t -+ mv $@-t $@ -+ -+libvirt-qemu: libvirt-qemu.in -+ sed \ -+ -e 's![@]libdir[@]!$(libdir)!g' \ -+ < $< > $@-t -+ mv $@-t $@ -+ - apparmordir = $(sysconfdir)/apparmor.d/ - apparmor_DATA = \ - usr.lib.libvirt.virt-aa-helper \ -Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in -=================================================================== ---- /dev/null -+++ libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in -@@ -0,0 +1,48 @@ -+# Last Modified: Mon Apr 5 15:10:27 2010 -+#include -+ -+@libdir@/libvirt/virt-aa-helper { -+ #include -+ -+ # needed for searching directories -+ capability dac_override, -+ capability dac_read_search, -+ -+ # needed for when disk is on a network filesystem -+ network inet, -+ -+ deny @{PROC}/[0-9]*/mounts r, -+ @{PROC}/[0-9]*/net/psched r, -+ owner @{PROC}/[0-9]*/status r, -+ @{PROC}/filesystems r, -+ -+ # for hostdev -+ /sys/devices/ r, -+ /sys/devices/** r, -+ -+ @libdir@/libvirt/virt-aa-helper mr, -+ /sbin/apparmor_parser Ux, -+ -+ /etc/apparmor.d/libvirt/* r, -+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, -+ -+ # for backingstore -- allow access to non-hidden files in @{HOME} as well -+ # as 
storage pools -+ audit deny @{HOME}/.* mrwkl, -+ audit deny @{HOME}/.*/ rw, -+ audit deny @{HOME}/.*/** mrwkl, -+ audit deny @{HOME}/bin/ rw, -+ audit deny @{HOME}/bin/** mrwkl, -+ @{HOME}/ r, -+ @{HOME}/** r, -+ /var/lib/libvirt/images/ r, -+ /var/lib/libvirt/images/** r, -+ /{media,mnt,opt,srv}/** r, -+ -+ /**.img r, -+ /**.qcow{,2} r, -+ /**.qed r, -+ /**.vmdk r, -+ /**.[iI][sS][oO] r, -+ /**/disk{,.*} r, -+} -Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in -=================================================================== ---- /dev/null -+++ libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd.in -@@ -0,0 +1,68 @@ -+# Last Modified: Mon Apr 5 15:03:58 2010 -+#include -+@{LIBVIRT}="libvirt" -+ -+/usr/sbin/libvirtd { -+ #include -+ #include -+ -+ capability kill, -+ capability net_admin, -+ capability net_raw, -+ capability setgid, -+ capability sys_admin, -+ capability sys_module, -+ capability sys_ptrace, -+ capability sys_nice, -+ capability sys_chroot, -+ capability setuid, -+ capability dac_override, -+ capability dac_read_search, -+ capability fowner, -+ capability chown, -+ capability setpcap, -+ capability mknod, -+ capability fsetid, -+ capability audit_write, -+ -+ # Needed for vfio -+ capability sys_resource, -+ -+ network inet stream, -+ network inet dgram, -+ network inet6 stream, -+ network inet6 dgram, -+ network packet dgram, -+ network packet raw, -+ -+ # Very lenient profile for libvirtd since we want to first focus on confining -+ # the guests. Guests will have a very restricted profile. 
-+ / r, -+ /** rwmkl, -+ -+ /bin/* PUx, -+ /sbin/* PUx, -+ /usr/bin/* PUx, -+ /usr/sbin/* PUx, -+ /lib/udev/scsi_id PUx, -+ /usr/lib/xen/bin/* Ux, -+ /usr/lib64/xen/bin/* Ux, -+ /usr/lib/polkit-1/polkit-agent-helper Px, -+ -+ # force the use of virt-aa-helper -+ audit deny /sbin/apparmor_parser rwxl, -+ audit deny /etc/apparmor.d/libvirt/** wxl, -+ audit deny /sys/kernel/security/apparmor/features rwxl, -+ audit deny /sys/kernel/security/apparmor/matching rwxl, -+ audit deny /sys/kernel/security/apparmor/.* rwxl, -+ /sys/kernel/security/apparmor/profiles r, -+ @libdir@/libvirt/* PUxr, -+ /etc/libvirt/hooks/** rmix, -+ /etc/xen/scripts/** rmix, -+ @libdir@/libvirt/libvirt_parthelper Ux, -+ @libdir@/libvirt/libvirt_iohelper Ux, -+ -+ # allow changing to our UUID-based named profiles -+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, -+ -+} -Index: libvirt-1.2.10/examples/apparmor/usr.lib.libvirt.virt-aa-helper -=================================================================== ---- libvirt-1.2.10.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper -+++ /dev/null -@@ -1,48 +0,0 @@ --# Last Modified: Mon Apr 5 15:10:27 2010 --#include -- --/usr/lib/libvirt/virt-aa-helper { -- #include -- -- # needed for searching directories -- capability dac_override, -- capability dac_read_search, -- -- # needed for when disk is on a network filesystem -- network inet, -- -- deny @{PROC}/[0-9]*/mounts r, -- @{PROC}/[0-9]*/net/psched r, -- owner @{PROC}/[0-9]*/status r, -- @{PROC}/filesystems r, -- -- # for hostdev -- /sys/devices/ r, -- /sys/devices/** r, -- -- /usr/lib/libvirt/virt-aa-helper mr, -- /sbin/apparmor_parser Ux, -- -- /etc/apparmor.d/libvirt/* r, -- /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, -- -- # for backingstore -- allow access to non-hidden files in @{HOME} as well -- # as storage pools -- audit deny @{HOME}/.* mrwkl, -- audit deny @{HOME}/.*/ rw, -- audit deny @{HOME}/.*/** mrwkl, -- 
audit deny @{HOME}/bin/ rw, -- audit deny @{HOME}/bin/** mrwkl, -- @{HOME}/ r, -- @{HOME}/** r, -- /var/lib/libvirt/images/ r, -- /var/lib/libvirt/images/** r, -- /{media,mnt,opt,srv}/** r, -- -- /**.img r, -- /**.qcow{,2} r, -- /**.qed r, -- /**.vmdk r, -- /**.[iI][sS][oO] r, -- /**/disk{,.*} r, --} -Index: libvirt-1.2.10/examples/apparmor/usr.sbin.libvirtd -=================================================================== ---- libvirt-1.2.10.orig/examples/apparmor/usr.sbin.libvirtd -+++ /dev/null -@@ -1,63 +0,0 @@ --# Last Modified: Mon Apr 5 15:03:58 2010 --#include --@{LIBVIRT}="libvirt" -- --/usr/sbin/libvirtd { -- #include -- #include -- -- capability kill, -- capability net_admin, -- capability net_raw, -- capability setgid, -- capability sys_admin, -- capability sys_module, -- capability sys_ptrace, -- capability sys_nice, -- capability sys_chroot, -- capability setuid, -- capability dac_override, -- capability dac_read_search, -- capability fowner, -- capability chown, -- capability setpcap, -- capability mknod, -- capability fsetid, -- capability audit_write, -- -- # Needed for vfio -- capability sys_resource, -- -- network inet stream, -- network inet dgram, -- network inet6 stream, -- network inet6 dgram, -- network packet dgram, -- -- # Very lenient profile for libvirtd since we want to first focus on confining -- # the guests. Guests will have a very restricted profile. 
-- / r, -- /** rwmkl, -- -- /bin/* PUx, -- /sbin/* PUx, -- /usr/bin/* PUx, -- /usr/sbin/* PUx, -- /lib/udev/scsi_id PUx, -- /usr/lib/xen-common/bin/xen-toolstack PUx, -- -- # force the use of virt-aa-helper -- audit deny /sbin/apparmor_parser rwxl, -- audit deny /etc/apparmor.d/libvirt/** wxl, -- audit deny /sys/kernel/security/apparmor/features rwxl, -- audit deny /sys/kernel/security/apparmor/matching rwxl, -- audit deny /sys/kernel/security/apparmor/.* rwxl, -- /sys/kernel/security/apparmor/profiles r, -- /usr/lib/libvirt/* PUxr, -- /etc/libvirt/hooks/** rmix, -- /etc/xen/scripts/** rmix, -- -- # allow changing to our UUID-based named profiles -- change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, -- --} -Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu -=================================================================== ---- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu -+++ /dev/null -@@ -1,144 +0,0 @@ --# Last Modified: Wed Sep 3 21:52:03 2014 -- -- #include -- #include -- #include -- -- # required for reading disk images -- capability dac_override, -- capability dac_read_search, -- capability chown, -- -- # needed to drop privileges -- capability setgid, -- capability setuid, -- -- network inet stream, -- network inet6 stream, -- -- /dev/net/tun rw, -- /dev/kvm rw, -- /dev/ptmx rw, -- /dev/kqemu rw, -- @{PROC}/*/status r, -- @{PROC}/sys/kernel/cap_last_cap r, -- -- # For hostdev access. The actual devices will be added dynamically -- /sys/bus/usb/devices/ r, -- /sys/devices/**/usb[0-9]*/** r, -- -- # WARNING: this gives the guest direct access to host hardware and specific -- # portions of shared memory. This is required for sound using ALSA with kvm, -- # but may constitute a security risk. If your environment does not require -- # the use of sound in your VMs, feel free to comment out or prepend 'deny' to -- # the rules for files in /dev. 
-- /{dev,run}/shm r, -- /{dev,run}/shmpulse-shm* r, -- /{dev,run}/shmpulse-shm* rwk, -- /dev/snd/* rw, -- capability ipc_lock, -- # spice -- owner /{dev,run}/shm/spice.* rw, -- # 'kill' is not required for sound and is a security risk. Do not enable -- # unless you absolutely need it. -- deny capability kill, -- -- # Uncomment the following if you need access to /dev/fb* -- #/dev/fb* rw, -- -- /etc/pulse/client.conf r, -- @{HOME}/.pulse-cookie rwk, -- owner /root/.pulse-cookie rwk, -- owner /root/.pulse/ rw, -- owner /root/.pulse/* rw, -- /usr/share/alsa/** r, -- owner /tmp/pulse-*/ rw, -- owner /tmp/pulse-*/* rw, -- /var/lib/dbus/machine-id r, -- -- # access to firmware's etc -- /usr/share/kvm/** r, -- /usr/share/qemu/** r, -- /usr/share/bochs/** r, -- /usr/share/openbios/** r, -- /usr/share/openhackware/** r, -- /usr/share/proll/** r, -- /usr/share/vgabios/** r, -- /usr/share/seabios/** r, -- /usr/share/ovmf/** r, -- -- # access PKI infrastructure -- /etc/pki/libvirt-vnc/** r, -- -- # the various binaries -- /usr/bin/kvm rmix, -- /usr/bin/qemu rmix, -- /usr/bin/qemu-system-arm rmix, -- /usr/bin/qemu-system-cris rmix, -- /usr/bin/qemu-system-i386 rmix, -- /usr/bin/qemu-system-m68k rmix, -- /usr/bin/qemu-system-microblaze rmix, -- /usr/bin/qemu-system-microblazeel rmix, -- /usr/bin/qemu-system-mips rmix, -- /usr/bin/qemu-system-mips64 rmix, -- /usr/bin/qemu-system-mips64el rmix, -- /usr/bin/qemu-system-mipsel rmix, -- /usr/bin/qemu-system-ppc rmix, -- /usr/bin/qemu-system-ppc64 rmix, -- /usr/bin/qemu-system-ppcemb rmix, -- /usr/bin/qemu-system-sh4 rmix, -- /usr/bin/qemu-system-sh4eb rmix, -- /usr/bin/qemu-system-sparc rmix, -- /usr/bin/qemu-system-sparc64 rmix, -- /usr/bin/qemu-system-x86_64 rmix, -- /usr/bin/qemu-alpha rmix, -- /usr/bin/qemu-arm rmix, -- /usr/bin/qemu-armeb rmix, -- /usr/bin/qemu-cris rmix, -- /usr/bin/qemu-i386 rmix, -- /usr/bin/qemu-m68k rmix, -- /usr/bin/qemu-microblaze rmix, -- /usr/bin/qemu-microblazeel rmix, -- /usr/bin/qemu-mips rmix, -- 
/usr/bin/qemu-mipsel rmix, -- /usr/bin/qemu-ppc rmix, -- /usr/bin/qemu-ppc64 rmix, -- /usr/bin/qemu-ppc64abi32 rmix, -- /usr/bin/qemu-sh4 rmix, -- /usr/bin/qemu-sh4eb rmix, -- /usr/bin/qemu-sparc rmix, -- /usr/bin/qemu-sparc64 rmix, -- /usr/bin/qemu-sparc32plus rmix, -- /usr/bin/qemu-sparc64 rmix, -- /usr/bin/qemu-x86_64 rmix, -- /usr/lib/qemu/block-curl.so mr, -- -- # for save and resume -- /bin/dash rmix, -- /bin/dd rmix, -- /bin/cat rmix, -- -- # for usb access -- /dev/bus/usb/ r, -- /etc/udev/udev.conf r, -- /sys/bus/ r, -- /sys/class/ r, -- -- /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, -- # child profile for bridge helper process -- profile qemu_bridge_helper { -- #include -- -- capability setuid, -- capability setgid, -- capability setpcap, -- capability net_admin, -- -- network inet stream, -- -- /dev/net/tun rw, -- /etc/qemu/** r, -- owner @{PROC}/*/status r, -- -- /usr/{lib,libexec}/qemu-bridge-helper rmix, -- } -Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in -=================================================================== ---- /dev/null -+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in -@@ -0,0 +1,144 @@ -+# Last Modified: Wed Sep 3 21:52:03 2014 -+ -+ #include -+ #include -+ #include -+ -+ # required for reading disk images -+ capability dac_override, -+ capability dac_read_search, -+ capability chown, -+ -+ # needed to drop privileges -+ capability setgid, -+ capability setuid, -+ -+ network inet stream, -+ network inet6 stream, -+ -+ /dev/net/tun rw, -+ /dev/kvm rw, -+ /dev/ptmx rw, -+ /dev/kqemu rw, -+ @{PROC}/*/status r, -+ @{PROC}/sys/kernel/cap_last_cap r, -+ -+ # For hostdev access. The actual devices will be added dynamically -+ /sys/bus/usb/devices/ r, -+ /sys/devices/**/usb[0-9]*/** r, -+ -+ # WARNING: this gives the guest direct access to host hardware and specific -+ # portions of shared memory. This is required for sound using ALSA with kvm, -+ # but may constitute a security risk. 
If your environment does not require -+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to -+ # the rules for files in /dev. -+ /{dev,run}/shm r, -+ /{dev,run}/shmpulse-shm* r, -+ /{dev,run}/shmpulse-shm* rwk, -+ /dev/snd/* rw, -+ capability ipc_lock, -+ # spice -+ owner /{dev,run}/shm/spice.* rw, -+ # 'kill' is not required for sound and is a security risk. Do not enable -+ # unless you absolutely need it. -+ deny capability kill, -+ -+ # Uncomment the following if you need access to /dev/fb* -+ #/dev/fb* rw, -+ -+ /etc/pulse/client.conf r, -+ @{HOME}/.pulse-cookie rwk, -+ owner /root/.pulse-cookie rwk, -+ owner /root/.pulse/ rw, -+ owner /root/.pulse/* rw, -+ /usr/share/alsa/** r, -+ owner /tmp/pulse-*/ rw, -+ owner /tmp/pulse-*/* rw, -+ /var/lib/dbus/machine-id r, -+ -+ # access to firmware's etc -+ /usr/share/kvm/** r, -+ /usr/share/qemu/** r, -+ /usr/share/bochs/** r, -+ /usr/share/openbios/** r, -+ /usr/share/openhackware/** r, -+ /usr/share/proll/** r, -+ /usr/share/vgabios/** r, -+ /usr/share/seabios/** r, -+ /usr/share/ovmf/** r, -+ -+ # access PKI infrastructure -+ /etc/pki/libvirt-vnc/** r, -+ -+ # the various binaries -+ /usr/bin/kvm rmix, -+ /usr/bin/qemu rmix, -+ /usr/bin/qemu-system-arm rmix, -+ /usr/bin/qemu-system-cris rmix, -+ /usr/bin/qemu-system-i386 rmix, -+ /usr/bin/qemu-system-m68k rmix, -+ /usr/bin/qemu-system-microblaze rmix, -+ /usr/bin/qemu-system-microblazeel rmix, -+ /usr/bin/qemu-system-mips rmix, -+ /usr/bin/qemu-system-mips64 rmix, -+ /usr/bin/qemu-system-mips64el rmix, -+ /usr/bin/qemu-system-mipsel rmix, -+ /usr/bin/qemu-system-ppc rmix, -+ /usr/bin/qemu-system-ppc64 rmix, -+ /usr/bin/qemu-system-ppcemb rmix, -+ /usr/bin/qemu-system-sh4 rmix, -+ /usr/bin/qemu-system-sh4eb rmix, -+ /usr/bin/qemu-system-sparc rmix, -+ /usr/bin/qemu-system-sparc64 rmix, -+ /usr/bin/qemu-system-x86_64 rmix, -+ /usr/bin/qemu-alpha rmix, -+ /usr/bin/qemu-arm rmix, -+ /usr/bin/qemu-armeb rmix, -+ /usr/bin/qemu-cris rmix, -+ 
/usr/bin/qemu-i386 rmix, -+ /usr/bin/qemu-m68k rmix, -+ /usr/bin/qemu-microblaze rmix, -+ /usr/bin/qemu-microblazeel rmix, -+ /usr/bin/qemu-mips rmix, -+ /usr/bin/qemu-mipsel rmix, -+ /usr/bin/qemu-ppc rmix, -+ /usr/bin/qemu-ppc64 rmix, -+ /usr/bin/qemu-ppc64abi32 rmix, -+ /usr/bin/qemu-sh4 rmix, -+ /usr/bin/qemu-sh4eb rmix, -+ /usr/bin/qemu-sparc rmix, -+ /usr/bin/qemu-sparc64 rmix, -+ /usr/bin/qemu-sparc32plus rmix, -+ /usr/bin/qemu-sparc64 rmix, -+ /usr/bin/qemu-x86_64 rmix, -+ @libdir@/qemu/block-curl.so mr, -+ -+ # for save and resume -+ /bin/dash rmix, -+ /bin/dd rmix, -+ /bin/cat rmix, -+ -+ # for usb access -+ /dev/bus/usb/ r, -+ /etc/udev/udev.conf r, -+ /sys/bus/ r, -+ /sys/class/ r, -+ -+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, -+ # child profile for bridge helper process -+ profile qemu_bridge_helper { -+ #include -+ -+ capability setuid, -+ capability setgid, -+ capability setpcap, -+ capability net_admin, -+ -+ network inet stream, -+ -+ /dev/net/tun rw, -+ /etc/qemu/** r, -+ owner @{PROC}/*/status r, -+ -+ /usr/{lib,libexec}/qemu-bridge-helper rmix, -+ } diff --git a/libvirt.changes b/libvirt.changes index 8bcc3dc..24079ed 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jan 5 09:44:12 UTC 2015 - cbosdonnat@suse.com + +- Replaced hard to maintain install-apparmor-profiles.patch + by upstreamed 30c6aecc-apparmor-lib64.patch. +- Reformatted libvirt.spec and libvirtd.init to pass upstream make + syntax-check + ------------------------------------------------------------------- Sat Dec 27 22:08:00 UTC 2014 - Led diff --git a/libvirt.spec b/libvirt.spec index 29db81b..faaf86c 100644 --- a/libvirt.spec +++ b/libvirt.spec 
@@ -1,7 +1,7 @@ # # spec file for package libvirt # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,12 +21,12 @@ # Disable all server side drivers if client only build requested %if %{client_only} -%define server_drivers 0 + %define server_drivers 0 %else -%define server_drivers 1 + %define server_drivers 1 %endif -# Default build includes dlopen'd modules +# Always build with dlopen'd modules %define with_driver_modules 1 # Now set the defaults for all the important features, independent 
@@ -99,136 +99,136 @@ # Xen is available only on x86_64 %ifnarch x86_64 -%define with_xen 0 -%define with_libxl 0 + %define with_xen 0 + %define with_libxl 0 %endif # libxl is only compatible with Xen >= 4.2 (i.e. suse_version > 12.2) %if 0%{?suse_version} <= 1220 -%define with_libxl 0 + %define with_libxl 0 %endif # numactl only on x86_64 and ia64 %ifnarch x86_64 ia64 -%define with_numactl 0 + %define with_numactl 0 %endif # vbox is available only on i386 x86_64 %ifnarch %{ix86} x86_64 -%define with_vbox 0 + %define with_vbox 0 %endif # SLES doesn't contain OpenVZ, VBox, UML, ESX, VMWare, Citrix XenAPI, # or hyper-v %if 0%{?sles_version} -%define with_openvz 0 -%define with_vbox 0 -%define with_uml 0 -%define with_esx 0 -%define with_vmware 0 -%define with_xenapi 0 -%define with_hyperv 0 -%define with_parallels 0 + %define with_openvz 0 + %define with_vbox 0 + %define with_uml 0 + %define with_esx 0 + %define with_vmware 0 + %define with_xenapi 0 + %define with_hyperv 0 + %define with_parallels 0 %endif # Enable phyp driver for IBM Power systems %ifarch ppc64 -%define with_phyp 1 + %define with_phyp 1 %endif # LXC and selinux are not available on anything < 11.1 %if 0%{?suse_version} < 1110 -%define with_lxc 0 -%define with_selinux 0 + %define with_lxc 0 + %define with_selinux 0 %endif # Support systemd on 12.1 and later %if 0%{?suse_version} >= 1210 -%define with_systemd 0%{!?_without_systemd:1} -%define with_systemd_daemon 1 + %define with_systemd 0%{!?_without_systemd:1} + %define with_systemd_daemon 1 %endif # libcapng is used to manage capabilities in 11.3 or newer. # It is also used by lxc and needs to be enabled if lxc is enabled. %if 0%{?suse_version} >= 1130 || %{with_lxc} -%define with_capng 0%{!?_without_capng:1} + %define with_capng 0%{!?_without_capng:1} %endif %if 0%{?suse_version} >= 1230 -%define with_fuse 0%{!?_without_fuse:1} + %define with_fuse 0%{!?_without_fuse:1} %endif # interface requires netcontrol %if ! 
0%{?with_netcontrol} -%define with_interface 0 + %define with_interface 0 %endif # Support libssh2 in 12.3 and later %if 0%{?suse_version} >= 1230 -%define with_libssh2 0%{!?_without_libssh2:1} + %define with_libssh2 0%{!?_without_libssh2:1} %endif # Disable some drivers when building without libvirt daemon. # The logic is the same as in configure.ac %if ! %{with_libvirtd} -%define with_interface 0 -%define with_network 0 -%define with_qemu 0 -%define with_lxc 0 -%define with_uml 0 -%define with_vbox 0 -%define with_udev 0 -%define with_storage_fs 0 -%define with_storage_lvm 0 -%define with_storage_iscsi 0 -%define with_storage_mpath 0 -%define with_storage_rbd 0 -%define with_storage_sheepdog 0 -%define with_storage_gluster 0 -%define with_storage_disk 0 + %define with_interface 0 + %define with_network 0 + %define with_qemu 0 + %define with_lxc 0 + %define with_uml 0 + %define with_vbox 0 + %define with_udev 0 + %define with_storage_fs 0 + %define with_storage_lvm 0 + %define with_storage_iscsi 0 + %define with_storage_mpath 0 + %define with_storage_rbd 0 + %define with_storage_sheepdog 0 + %define with_storage_gluster 0 + %define with_storage_disk 0 %endif # Enable libpcap library %if %{with_qemu} || %{with_lxc} -%if 0%{?suse_version} >= 1140 -%define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}} -%define with_libpcap 0%{!?_without_libpcap:%{server_drivers}} -%define with_macvtap 0%{!?_without_macvtap:%{server_drivers}} -# numad is used to manage the CPU and memory placement dynamically. 
-# It is only available on x86, and openSUSE >= 13.1 -%if 0%{?suse_version} >= 1310 -%ifarch i386 i586 i686 x86_64 -%define with_numad 0%{!?_without_numad:%{server_drivers}} -%endif -%endif -# Force QEMU to run as qemu:qemu -%define qemu_user qemu -%define qemu_group qemu -%else -%define qemu_user root -%define qemu_group root -%endif + %if 0%{?suse_version} >= 1140 + %define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}} + %define with_libpcap 0%{!?_without_libpcap:%{server_drivers}} + %define with_macvtap 0%{!?_without_macvtap:%{server_drivers}} + # numad is used to manage the CPU and memory placement dynamically. + # It is only available on x86, and openSUSE >= 13.1 + %if 0%{?suse_version} >= 1310 + %ifarch i386 i586 i686 x86_64 + %define with_numad 0%{!?_without_numad:%{server_drivers}} + %endif + %endif + # Force QEMU to run as qemu:qemu + %define qemu_user qemu + %define qemu_group qemu + %else + %define qemu_user root + %define qemu_group root + %endif %endif %if %{with_macvtap} -%define with_libnl 1 + %define with_libnl 1 %endif # Pull in cgroups config system %if %{with_qemu} || %{with_lxc} -%define with_cgconfig 0%{!?_without_cgconfig:1} + %define with_cgconfig 0%{!?_without_cgconfig:1} %endif %if %{with_udev} -%define with_nodedev 1 + %define with_nodedev 1 %else -%define with_nodedev 0 + %define with_nodedev 0 %endif %if %{with_storage_fs} || %{with_storage_mpath} || %{with_storage_iscsi} || %{with_storage_lvm} || %{with_storage_disk} -%define with_storage 1 + %define with_storage 1 %else -%define with_storage 0 + %define with_storage 0 %endif %define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services 
@@ -243,42 +243,42 @@ Group: Development/Libraries/C and C++ %if %{with_libvirtd} Requires: libvirt-daemon = %{version}-%{release} -%if %{with_network} + %if %{with_network} Requires: libvirt-daemon-config-network = %{version}-%{release} -%endif -%if %{with_nwfilter} + %endif + %if %{with_nwfilter} Requires: libvirt-daemon-config-nwfilter = %{version}-%{release} -%endif -%if %{with_driver_modules} -%if %{with_libxl} + %endif + %if %{with_driver_modules} + %if %{with_libxl} Requires: libvirt-daemon-driver-libxl = %{version}-%{release} -%endif -%if %{with_lxc} + %endif + %if %{with_lxc} Requires: libvirt-daemon-driver-lxc = %{version}-%{release} -%endif -%if %{with_qemu} + %endif + %if %{with_qemu} Requires: libvirt-daemon-driver-qemu = %{version}-%{release} -%endif -%if %{with_uml} + %endif + %if %{with_uml} Requires: libvirt-daemon-driver-uml = %{version}-%{release} -%endif -%if %{with_xen} + %endif + %if %{with_xen} Requires: libvirt-daemon-driver-xen = %{version}-%{release} -%endif -%if %{with_vbox} + %endif + %if %{with_vbox} Requires: libvirt-daemon-driver-vbox = %{version}-%{release} -%endif -%if %{with_nwfilter} + %endif + %if %{with_nwfilter} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} -%endif -%if %{with_interface} + %endif + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} -%endif + %endif %endif Requires: libvirt-client = %{version}-%{release} 
@@ -330,15 +330,15 @@ BuildRequires: sanlock-devel >= 2.4 BuildRequires: libpcap-devel %endif %if %{with_libnl} -%if 0%{?suse_version} >= 1310 + %if 0%{?suse_version} >= 1310 BuildRequires: libnl3-devel -%else -%if 0%{?suse_version} >= 1210 + %else + %if 0%{?suse_version} >= 1210 BuildRequires: libnl-1_1-devel -%else + %else BuildRequires: libnl-devel -%endif -%endif + %endif + %endif %endif %if %{with_avahi} BuildRequires: libavahi-devel @@ -362,11 +362,11 @@ BuildRequires: ebtables BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} -%if 0%{?suse_version} > 1110 + %if 0%{?suse_version} > 1110 BuildRequires: polkit-devel >= 0.9 -%else + %else BuildRequires: PolicyKit-devel >= 0.6 -%endif + %endif %endif %if %{with_storage_fs} # For mount/umount in FS driver @@ -417,7 +417,7 @@ BuildRequires: libwsman-devel >= 2.2.3 BuildRequires: audit-devel %endif %if %{with_dtrace} -# we need /usr/sbin/dtrace +# we need /usr/sbin/dtrace BuildRequires: systemtap-sdt-devel %endif %if %{with_numad} @@ -434,6 +434,7 @@ Source3: libvirtd.init Source4: libvirtd-relocation-server.fw Source99: baselibs.conf # Upstream patches +Patch0: 30c6aecc-apparmor-lib64.patch # Patches pending upstream review # Need to go upstream Patch150: xen-name-for-devid.patch @@ -453,9 +454,8 @@ Patch207: systemd-service-xen.patch # Disable failing virCgroupGetPercpuStats unit test Patch208: disable-virCgroupGetPercpuStats-test.patch %if %{with_apparmor} -Patch250: install-apparmor-profiles.patch -Patch251: apparmor-no-mount.patch -Patch252: qemu-apparmor-screenshot.patch +Patch250: apparmor-no-mount.patch +Patch251: qemu-apparmor-screenshot.patch %endif %if %{with_netcontrol} Patch300: libvirt-suse-netcontrol.patch 
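Review bot: The renumbering in the `%if %{with_apparmor}` block (`apparmor-no-mount.patch` 251 to 250, `qemu-apparmor-screenshot.patch` 252 to 251) and the new unconditional `Patch0` only work if `%prep` changes in step: it needs `%patch0 -p1` added, the old `%patch252` line dropped, and the remaining two application lines still matching their patches. `%prep` is outside the lines shown here, so this could not be checked. Applying `Patch0` outside the apparmor conditional looks harmless, since the patch only touches examples/apparmor/, but a short comment above it would match how `Patch208` is annotated, e.g. `# 30c6aecc: AppArmor profiles accept /usr/lib64`.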
@@ -504,70 +504,70 @@ Requires: modutils Requires: bridge-utils Requires: iproute Requires: logrotate -%if %{with_apparmor} + %if %{with_apparmor} Requires: apparmor-parser -%endif + %endif -%if %{with_udev} + %if %{with_udev} Requires: udev >= 145 -%endif -%if %{with_polkit} -%if 0%{?suse_version} > 1110 + %endif + %if %{with_polkit} + %if 0%{?suse_version} > 1110 Recommends: polkit >= 0.93 -%else + %else Recommends: PolicyKit >= 0.6 -%endif -%ifarch i386 i586 i686 x86_64 ia64 + %endif + %ifarch i386 i586 i686 x86_64 ia64 # For virConnectGetSysinfo Requires: dmidecode -%endif -%endif -%if %{with_systemd} + %endif + %endif + %if %{with_systemd} # For service management %{?systemd_requires} -%endif -%if %{with_numad} + %endif + %if %{with_numad} Requires: numad -%endif + %endif %description daemon Server side daemon required to manage the virtualization capabilities of recent versions of Linux. Requires a hypervisor specific sub-RPM for specific drivers. -%if %{with_network} + %if %{with_network} %package daemon-config-network Summary: Default configuration files for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} + %if %{with_driver_modules} Requires: libvirt-daemon-driver-network = %{version}-%{release} -%endif + %endif %description daemon-config-network Default configuration files for setting up NAT based networking -%endif + %endif -%if %{with_nwfilter} + %if %{with_nwfilter} %package daemon-config-nwfilter Summary: Network filter configuration files for the libvirtd Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} + %if %{with_driver_modules} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} -%endif + %endif %description daemon-config-nwfilter Network filter configuration files for the libvirt daemon, used for cleaning guest network traffic. 
-%endif + %endif -%if %{with_driver_modules} -%if %{with_network} + %if %{with_driver_modules} + %if %{with_network} %package daemon-driver-network Summary: Network driver plugin for the libvirtd daemon @@ -582,9 +582,9 @@ Requires: radvd The network driver plugin for the libvirtd daemon, providing an implementation of the virtual network APIs using the Linux bridge capabilities. -%endif + %endif -%if %{with_nwfilter} + %if %{with_nwfilter} %package daemon-driver-nwfilter Summary: A nwfilter driver plugin for the libvirtd daemon @@ -598,9 +598,9 @@ Requires: libvirt-daemon = %{version}-%{release} The nwfilter driver plugin for the libvirtd daemon, providing an implementation of the firewall APIs using the ebtables, iptables and ip6tables capabilities -%endif + %endif -%if %{with_nodedev} + %if %{with_nodedev} %package daemon-driver-nodedev Summary: Nodedev driver plugin for the libvirtd daemon @@ -611,9 +611,9 @@ Requires: libvirt-daemon = %{version}-%{release} The nodedev driver plugin for the libvirtd daemon, providing an implementation of the node device APIs using the udev capabilities. -%endif + %endif -%if %{with_interface} + %if %{with_interface} %package daemon-driver-interface Summary: Interface driver plugin for the libvirtd daemon @@ -624,7 +624,7 @@ Requires: libvirt-daemon = %{version}-%{release} The interface driver plugin for the libvirtd daemon, providing an implementation of the network interface APIs using the netcontrol library -%endif + %endif %package daemon-driver-secret Summary: Secret driver plugin for the libvirtd daemon 
@@ -635,46 +635,46 @@ Requires: libvirt-daemon = %{version}-%{release} The secret driver plugin for the libvirtd daemon, providing an implementation of the secret key APIs. -%if %{with_storage} + %if %{with_storage} %package daemon-driver-storage Summary: Storage driver plugin for the libvirtd daemon Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_storage_fs} + %if %{with_storage_fs} Requires: nfs-utils # For mkfs Requires: util-linux -%endif -%if %{with_qemu} + %endif + %if %{with_qemu} # From QEMU RPMs Requires: /usr/bin/qemu-img -%endif -%if %{with_storage_lvm} + %endif + %if %{with_storage_lvm} # For LVM drivers Requires: lvm2 -%endif -%if %{with_storage_iscsi} + %endif + %if %{with_storage_iscsi} # For ISCSI driver Requires: open-iscsi -%endif -%if %{with_storage_disk} + %endif + %if %{with_storage_disk} # For disk driver Requires: device-mapper Requires: parted -%endif -%if %{with_storage_mpath} + %endif + %if %{with_storage_mpath} # For multipath support Requires: device-mapper -%endif + %endif %description daemon-driver-storage The storage driver plugin for the libvirtd daemon, providing an implementation of the storage APIs using LVM, iSCSI, parted and more. -%endif + %endif -%if %{with_qemu} + %if %{with_qemu} %package daemon-driver-qemu Summary: Qemu driver plugin for the libvirtd daemon @@ -687,17 +687,17 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: bzip2 Requires: gzip Requires: xz -%if 0%{?suse_version} > 1210 + %if 0%{?suse_version} > 1210 Requires: lzop -%endif + %endif Requires: qemu %description daemon-driver-qemu The qemu driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using QEMU. -%endif + %endif -%if %{with_lxc} + %if %{with_lxc} %package daemon-driver-lxc Summary: LXC driver plugin for the libvirtd daemon 
@@ -710,9 +710,9 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} The LXC driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using the Linux kernel -%endif + %endif -%if %{with_uml} + %if %{with_uml} %package daemon-driver-uml Summary: Uml driver plugin for the libvirtd daemon @@ -723,9 +723,9 @@ Requires: libvirt-daemon = %{version}-%{release} The UML driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using User Mode Linux -%endif + %endif -%if %{with_xen} + %if %{with_xen} %package daemon-driver-xen Summary: Xen driver plugin for the libvirtd daemon @@ -735,9 +735,9 @@ Requires: libvirt-daemon = %{version}-%{release} %description daemon-driver-xen The Xen driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using Xen. -%endif + %endif -%if %{with_vbox} + %if %{with_vbox} %package daemon-driver-vbox Summary: VirtualBox driver plugin for the libvirtd daemon @@ -748,9 +748,9 @@ Requires: libvirt-daemon = %{version}-%{release} The vbox driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using VirtualBox -%endif + %endif -%if %{with_libxl} + %if %{with_libxl} %package daemon-driver-libxl Summary: Libxl driver plugin for the libvirtd daemon 
@@ -760,134 +760,134 @@ Requires: libvirt-daemon = %{version}-%{release} %description daemon-driver-libxl The Libxl driver plugin for the libvirtd daemon, providing an implementation of the hypervisor driver APIs using libxl. -%endif -%endif # with_driver_modules + %endif + %endif # with_driver_modules -%if %{with_qemu} + %if %{with_qemu} %package daemon-qemu Summary: Server side daemon & driver required to run QEMU guests Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} -%if %{with_interface} + %if %{with_driver_modules} + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-qemu = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} -%endif + %endif %description daemon-qemu Server side daemon and driver required to manage the virtualization capabilities of the QEMU emulators -%endif + %endif -%if %{with_lxc} + %if %{with_lxc} %package daemon-lxc Summary: Server side daemon & driver required to run LXC guests Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} -%if %{with_interface} + %if %{with_driver_modules} + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-lxc = %{version}-%{release} Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = 
%{version}-%{release} -%endif + %endif %description daemon-lxc Server side daemon and driver required to manage the virtualization capabilities of LXC -%endif + %endif -%if %{with_uml} + %if %{with_uml} %package daemon-uml Summary: Server side daemon & driver required to run UML guests Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} -%if %{with_interface} + %if %{with_driver_modules} + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} Requires: libvirt-daemon-driver-uml = %{version}-%{release} -%endif + %endif %description daemon-uml Server side daemon and driver required to manage the virtualization capabilities of UML -%endif + %endif -%if %{with_xen} || %{with_libxl} + %if %{with_xen} || %{with_libxl} %package daemon-xen Summary: Server side daemon & driver required to run XEN guests Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} -%if %{with_xen} + %if %{with_driver_modules} + %if %{with_xen} Requires: libvirt-daemon-driver-xen = %{version}-%{release} -%endif -%if %{with_libxl} + %endif + %if %{with_libxl} Requires: libvirt-daemon-driver-libxl = %{version}-%{release} -%endif -%if %{with_interface} + %endif + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = 
%{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} -%endif + %endif Requires: xen %description daemon-xen Server side daemon and driver required to manage the virtualization capabilities of XEN -%endif + %endif -%if %{with_vbox} + %if %{with_vbox} %package daemon-vbox Summary: Server side daemon & driver required to run VirtualBox guests Group: Development/Libraries/C and C++ Requires: libvirt-daemon = %{version}-%{release} -%if %{with_driver_modules} -%if %{with_interface} + %if %{with_driver_modules} + %if %{with_interface} Requires: libvirt-daemon-driver-interface = %{version}-%{release} -%endif + %endif Requires: libvirt-daemon-driver-network = %{version}-%{release} Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} Requires: libvirt-daemon-driver-storage = %{version}-%{release} Requires: libvirt-daemon-driver-vbox = %{version}-%{release} -%endif + %endif Requires: virtualbox %description daemon-vbox Server side daemon and driver required to manage the virtualization capabilities of VirtualBox -%endif + %endif %endif # with_libvirtd %package client @@ -965,6 +965,7 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %prep %setup -q +%patch0 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 @@ -982,7 +983,6 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %if %{with_apparmor} %patch250 -p1 %patch251 -p1 -%patch252 -p1 %endif %if %{with_netcontrol} %patch300 -p1 
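Review bot: The AppArmor patch set changes in `%prep` without any record of why. `%patch0 -p1` is added unconditionally right after `%setup -q`, and `%patch252 -p1` is dropped from the `%if %{with_apparmor}` block, with no comment on either line. The `%check` section in a later hunk still adds `virt-aa-helper-test` to the skip list ("temporarily disable failing virt-aa-helper-test"), so if patch0 touches the AppArmor profiles or the helper, which is not visible from these hunks, a regression there would not fail the build. I would add a comment above `%patch0 -p1` in the form `# upstream <commit-id>: <subject>` with the real values filled in, plus a line saying why patch252 is no longer needed. The skip should either be removed or carry a bug reference so it does not become permanent. Both `%prep` hunks cut through the section, so the matching Patch declarations are outside this view.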
@@ -990,150 +990,150 @@ Provides a dissector for the libvirt RPC protocol to help debugging it. %build %if ! %{with_xen} -%define _without_xen --without-xen + %define _without_xen --without-xen %endif %if ! %{with_qemu} -%define _without_qemu --without-qemu + %define _without_qemu --without-qemu %endif %if ! %{with_openvz} -%define _without_openvz --without-openvz + %define _without_openvz --without-openvz %endif %if ! %{with_lxc} -%define _without_lxc --without-lxc + %define _without_lxc --without-lxc %endif %if ! %{with_vbox} -%define _without_vbox --without-vbox + %define _without_vbox --without-vbox %endif %if ! %{with_xenapi} -%define _without_xenapi --without-xenapi + %define _without_xenapi --without-xenapi %endif %if ! %{with_uml} -%define _without_uml --without-uml + %define _without_uml --without-uml %endif %if ! %{with_phyp} -%define _without_phyp --without-phyp + %define _without_phyp --without-phyp %endif %if ! %{with_esx} -%define _without_esx --without-esx + %define _without_esx --without-esx %endif %if ! %{with_vmware} -%define _without_vmware --without-vmware + %define _without_vmware --without-vmware %endif %if ! %{with_hyperv} -%define _without_hyperv --without-hyperv + %define _without_hyperv --without-hyperv %endif %if ! %{with_parallels} -%define _without_parallels --without-parallels + %define _without_parallels --without-parallels %endif %if ! %{with_libxl} -%define _without_libxl --without-libxl + %define _without_libxl --without-libxl %endif %if ! %{with_libvirtd} -%define _without_libvirtd --without-libvirtd + %define _without_libvirtd --without-libvirtd %endif %if ! %{with_storage_fs} -%define _without_storage_fs --without-storage-fs + %define _without_storage_fs --without-storage-fs %endif %if ! %{with_storage_lvm} -%define _without_storage_lvm --without-storage-lvm + %define _without_storage_lvm --without-storage-lvm %endif %if ! 
%{with_storage_iscsi} -%define _without_storage_iscsi --without-storage-iscsi + %define _without_storage_iscsi --without-storage-iscsi %endif %if ! %{with_storage_disk} -%define _without_storage_disk --without-storage-disk + %define _without_storage_disk --without-storage-disk %endif %if ! %{with_storage_mpath} -%define _without_storage_mpath --without-storage-mpath + %define _without_storage_mpath --without-storage-mpath %endif %if ! %{with_storage_rbd} -%define _without_storage_rbd --without-storage-rbd + %define _without_storage_rbd --without-storage-rbd %endif %if ! %{with_storage_sheepdog} -%define _without_storage_sheepdog --without-storage-sheepdog + %define _without_storage_sheepdog --without-storage-sheepdog %endif %if ! %{with_storage_gluster} -%define _without_storage_gluster --without-storage-gluster + %define _without_storage_gluster --without-storage-gluster %endif %if ! %{with_numactl} -%define _without_numactl --without-numactl + %define _without_numactl --without-numactl %endif %if ! %{with_numad} -%define _without_numad --without-numad + %define _without_numad --without-numad %endif %if ! %{with_selinux} -%define _without_selinux --without-selinux + %define _without_selinux --without-selinux %endif %if ! %{with_apparmor} -%define _without_apparmor --without-apparmor + %define _without_apparmor --without-apparmor %else -%define _with_apparmor_profiles --with-apparmor-profiles + %define _with_apparmor_profiles --with-apparmor-profiles %endif %if ! %{with_capng} -%define _without_capng --without-capng + %define _without_capng --without-capng %endif %if ! %{with_fuse} -%define _without_fuse --without-fuse + %define _without_fuse --without-fuse %endif %if ! %{with_netcf} -%define _without_netcf --without-netcf + %define _without_netcf --without-netcf %endif %if ! %{with_netcontrol} -%define _without_netcontrol --without-netcontrol + %define _without_netcontrol --without-netcontrol %endif %if ! 
%{with_udev} -%define _without_udev --without-udev + %define _without_udev --without-udev %endif %if ! %{with_yajl} -%define _without_yajl --without-yajl + %define _without_yajl --without-yajl %endif %if ! %{with_macvtap} -%define _without_macvtap --without-macvtap + %define _without_macvtap --without-macvtap %endif %if ! %{with_polkit} -%define _without_polkit --without-polkit + %define _without_polkit --without-polkit %endif %if ! %{with_audit} -%define _without_audit --without-audit + %define _without_audit --without-audit %endif %if ! %{with_dtrace} -%define _without_dtrace --without-dtrace + %define _without_dtrace --without-dtrace %endif %if ! %{with_interface} -%define _without_interface --without-interface + %define _without_interface --without-interface %endif %if ! %{with_network} -%define _without_network --without-network + %define _without_network --without-network %endif %if ! %{with_sasl} -%define _without_sasl --without-sasl + %define _without_sasl --without-sasl %endif %if ! %{with_avahi} -%define _without_avahi --without-avahi + %define _without_avahi --without-avahi %endif %if ! %{with_libpcap} -%define _without_libpcap --without-libpcap + %define _without_libpcap --without-libpcap %endif %if ! %{with_sanlock} -%define _without_sanlock --without-sanlock + %define _without_sanlock --without-sanlock %endif %if %{with_systemd} -%define init_scripts --with-init_script=systemd+redhat + %define init_scripts --with-init_script=systemd+redhat %else -%define init_scripts --with-init_script=redhat + %define init_scripts --with-init_script=redhat %endif %if ! %{with_driver_modules} -%define _without_driver_modules --without-driver-modules + %define _without_driver_modules --without-driver-modules %endif %if %{with_firewalld} -%define _with_firewalld --with-firewalld + %define _with_firewalld --with-firewalld %endif %if ! 
%{with_systemd_daemon} -%define _without_systemd_daemon --without-systemd-daemon + %define _without_systemd_daemon --without-systemd-daemon %endif %if %{with_selinux} -%define with_selinux_mount --with-selinux-mount="/sys/fs/selinux" + %define with_selinux_mount --with-selinux-mount="/sys/fs/selinux" %endif autoreconf -f -i @@ -1300,22 +1300,22 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates %if %{with_libvirtd} # Currently using our own libvirtd init script rm -f $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/libvirtd -%if %{with_systemd} + %if %{with_systemd} ln -s %{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rclibvirtd -%else + %else install %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/init.d/libvirtd ln -s /etc/init.d/libvirtd $RPM_BUILD_ROOT%{_sbindir}/rclibvirtd -%endif + %endif mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/libvirtd $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd rm -f $RPM_BUILD_ROOT/usr/lib/sysctl.d/libvirtd.conf # For other services, use the in-tree scripts -%if %{with_systemd} + %if %{with_systemd} rm -f $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/virtlockd ln -s %{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rcvirtlockd -%else + %else mv $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/virtlockd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/virtlockd ln -s /etc/init.d/virtlockd $RPM_BUILD_ROOT%{_sbindir}/rcvirtlockd -%endif + %endif mv $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/virtlockd $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.virtlockd #install firewall definitions format is described here: #/usr/share/SuSEfirewall2/services/TEMPLATE 
@@ -1345,13 +1345,13 @@ make # These tests don't current work in a mock build root # virnetsockettest: needs unsupported linux-user syscalls EXTRA="" -%if 0%{?qemu_user_space_build:1} + %if 0%{?qemu_user_space_build:1} EXTRA="$EXTRA virnetsockettest" -%endif + %endif # virportallocatortest fails on aarch64 due to unsupported IPV6_V6ONLY flag -%ifarch aarch64 + %ifarch aarch64 EXTRA="$EXTRA virportallocatortest" -%endif + %endif # temporarily disable failing virt-aa-helper-test EXTRA="$EXTRA virt-aa-helper-test" for i in nodeinfotest seclabeltest $EXTRA @@ -1371,43 +1371,43 @@ fi %if %{with_libvirtd} %pre daemon -%if %{with_systemd} + %if %{with_systemd} %service_add_pre libvirtd.service %service_add_pre virtlockd.service virtlockd.socket -%endif + %endif %{_bindir}/getent group libvirt >/dev/null || \ %{_sbindir}/groupadd -r libvirt 2>/dev/null %post daemon /sbin/ldconfig -%if %{with_systemd} + %if %{with_systemd} %service_add_post libvirtd.service libvirtd.socket %service_add_post virtlockd.service virtlockd.socket -%endif + %endif %{fillup_only -n libvirtd} %{fillup_only -n virtlockd} %preun daemon -%if %{with_systemd} + %if %{with_systemd} %service_del_preun libvirtd.service libvirtd.socket %service_del_preun virtlockd.service virtlockd.socket -%else + %else %stop_on_removal libvirtd %stop_on_removal virtlockd -%endif + %endif %postun daemon /sbin/ldconfig -%if %{with_systemd} + %if %{with_systemd} %service_del_postun libvirtd.service %service_del_postun virtlockd.service virtlockd.socket -%else + %else %restart_on_update libvirtd %restart_on_update virtlockd -%endif + %endif %insserv_cleanup -%if %{with_network} + %if %{with_network} %post daemon-config-network # Install the default network if one doesn't exist @@ -1417,7 +1417,7 @@ if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; < %{_datadir}/libvirt/networks/default.xml \ > %{_sysconfdir}/libvirt/qemu/networks/default.xml fi -%endif + %endif %endif # with_libvirtd %post client 
@@ -1459,15 +1459,15 @@ fi %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/hooks %{_localstatedir}/adm/fillup-templates/sysconfig.libvirtd %{_localstatedir}/adm/fillup-templates/sysconfig.virtlockd -%if %{with_systemd} + %if %{with_systemd} %{_unitdir}/libvirtd.service %{_unitdir}/libvirtd.socket %{_unitdir}/virtlockd.service %{_unitdir}/virtlockd.socket -%else + %else %config /etc/init.d/libvirtd %config /etc/init.d/virtlockd -%endif + %endif %{_sbindir}/rclibvirtd %{_sbindir}/rcvirtlockd %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf @@ -1482,10 +1482,10 @@ fi %{_datadir}/augeas/lenses/tests/test_virtlockd.aug %{_datadir}/augeas/lenses/libvirt_lockd.aug %{_datadir}/augeas/lenses/tests/test_libvirt_lockd.aug -%if %{with_dtrace} + %if %{with_dtrace} %{_datadir}/systemtap/tapset/libvirt_probes.stp %{_datadir}/systemtap/tapset/libvirt_functions.stp -%endif + %endif %dir %{_localstatedir}/lib/libvirt/ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/filesystems/ @@ -1494,17 +1494,17 @@ fi %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/ %dir %attr(0755, root, root) %{_libdir}/%{name}/lock-driver %attr(0755, root, root) %{_libdir}/%{name}/lock-driver/lockd.so -%if %{with_polkit} -%if 0%{?suse_version} > 1110 + %if %{with_polkit} + %if 0%{?suse_version} > 1110 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy -%else + %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy -%endif -%endif + %endif + %endif %attr(0755, root, root) %{_libdir}/%{name}/libvirt_iohelper %doc %{_mandir}/man8/libvirtd.8* %{_mandir}/man8/virtlockd.8* -%if %{with_apparmor} + %if %{with_apparmor} %dir %{_sysconfdir}/apparmor.d %dir %{_sysconfdir}/apparmor.d/abstractions %dir %{_sysconfdir}/apparmor.d/libvirt 
@@ -1515,14 +1515,14 @@ fi %config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.lxc %config(noreplace) %{_sysconfdir}/apparmor.d/libvirt/TEMPLATE.qemu %{_libdir}/%{name}/virt-aa-helper -%endif + %endif %config %{_fwdefdir}/libvirtd-relocation-server -%if ! %{with_driver_modules} -%if %{with_network} || %{with_qemu} + %if ! %{with_driver_modules} + %if %{with_network} || %{with_qemu} %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/ -%endif -%if %{with_network} + %endif + %if %{with_network} %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/ %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/ @@ -1530,11 +1530,11 @@ fi %attr(0755, root, root) %{_libdir}/%{name}/libvirt_leaseshelper %dir %{_datadir}/libvirt/networks/ %{_datadir}/libvirt/networks/default.xml -%endif -%if %{with_nwfilter} + %endif + %if %{with_nwfilter} %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/ -%endif -%if %{with_qemu} + %endif + %if %{with_qemu} %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu @@ -1545,8 +1545,8 @@ fi %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %{_datadir}/augeas/lenses/libvirtd_qemu.aug %{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug -%endif -%if %{with_lxc} + %endif + %if %{with_lxc} %config(noreplace) %{_sysconfdir}/libvirt/lxc.conf %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/lxc/ 
@@ -1554,47 +1554,47 @@ fi %attr(0755, root, root) %{_libdir}/%{name}/libvirt_lxc %{_datadir}/augeas/lenses/libvirtd_lxc.aug %{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug -%endif -%if %{with_uml} + %endif + %if %{with_uml} %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.uml %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/uml/ %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ -%endif -%if %{with_libxl} + %endif + %if %{with_libxl} %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/ %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/ -%endif -%if %{with_storage_disk} + %endif + %if %{with_storage_disk} %attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper -%endif -%endif # ! %{with_driver_modules} + %endif + %endif # ! %{with_driver_modules} -%if %{with_network} + %if %{with_network} %files daemon-config-network %defattr(-, root, root) %dir %{_datadir}/libvirt/networks/ %{_datadir}/libvirt/networks/default.xml -%endif + %endif -%if %{with_nwfilter} + %if %{with_nwfilter} %files daemon-config-nwfilter %defattr(-, root, root) %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/ %{_sysconfdir}/libvirt/nwfilter/*.xml -%endif + %endif -%if %{with_driver_modules} -%if %{with_interface} + %if %{with_driver_modules} + %if %{with_interface} %files daemon-driver-interface %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_interface.so -%endif + %endif -%if %{with_network} + %if %{with_network} %files daemon-driver-network %defattr(-, root, root) 
@@ -1606,42 +1606,42 @@ fi %attr(0755, root, root) %{_libdir}/%{name}/libvirt_leaseshelper %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so -%endif + %endif -%if %{with_nodedev} + %if %{with_nodedev} %files daemon-driver-nodedev %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so -%endif + %endif -%if %{with_nwfilter} + %if %{with_nwfilter} %files daemon-driver-nwfilter %defattr(-, root, root) %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/ %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so -%endif + %endif %files daemon-driver-secret %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so -%if %{with_storage} + %if %{with_storage} %files daemon-driver-storage %defattr(-, root, root) -%if %{with_storage_disk} + %if %{with_storage_disk} %attr(0755, root, root) %{_libdir}/%{name}/libvirt_parthelper -%endif + %endif %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_storage.so -%endif + %endif -%if %{with_qemu} + %if %{with_qemu} %files daemon-driver-qemu %defattr(-, root, root) @@ -1658,9 +1658,9 @@ fi %{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so -%endif + %endif -%if %{with_lxc} + %if %{with_lxc} %files daemon-driver-lxc %defattr(-, root, root) @@ -1674,9 +1674,9 @@ fi %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so %attr(0755, root, root) %{_bindir}/virt-lxc-convert -%endif + %endif -%if %{with_uml} + %if %{with_uml} %files daemon-driver-uml %defattr(-, root, root) 
@@ -1685,17 +1685,17 @@ fi %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/uml/ %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_uml.so -%endif + %endif -%if %{with_xen} + %if %{with_xen} %files daemon-driver-xen %defattr(-, root, root) %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_xen.so -%endif + %endif -%if %{with_libxl} + %if %{with_libxl} %files daemon-driver-libxl %defattr(-, root, root) @@ -1703,52 +1703,52 @@ fi %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/libxl/ %dir %{_libdir}/%{name}/connection-driver %{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so -%endif + %endif -%if %{with_vbox} + %if %{with_vbox} %files daemon-driver-vbox %defattr(-, root, root) %{_libdir}/%{name}/connection-driver/libvirt_driver_vbox.so %{_libdir}/%{name}/connection-driver/libvirt_driver_vbox_network.so %{_libdir}/%{name}/connection-driver/libvirt_driver_vbox_storage.so -%endif -%endif # with_driver_modules + %endif + %endif # with_driver_modules -%if %{with_qemu} + %if %{with_qemu} %files daemon-qemu %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-qemu.README -%endif + %endif -%if %{with_lxc} + %if %{with_lxc} %files daemon-lxc %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-lxc.README -%endif + %endif -%if %{with_uml} + %if %{with_uml} %files daemon-uml %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-uml.README -%endif + %endif -%if %{with_xen} || %{with_libxl} + %if %{with_xen} || %{with_libxl} %files daemon-xen %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-xen.README -%endif + %endif -%if %{with_vbox} + %if %{with_vbox} %files daemon-vbox %defattr(-, root, root) %doc %{_docdir}/%{name}/libvirt-daemon-vbox.README -%endif + %endif %endif # with_libvirtd %files client -f %{name}.lang 
@@ -1835,9 +1835,9 @@ fi %files lock-sanlock %defattr(-, root, root) %doc %{_mandir}/man8/virt-sanlock-cleanup.8* -%if %{with_qemu} + %if %{with_qemu} %config(noreplace) %{_sysconfdir}/%{name}/qemu-sanlock.conf -%endif + %endif %dir %{_libdir}/%{name}/lock-driver/ %attr(0755, root, root) %{_libdir}/%{name}/lock-driver/sanlock.so %dir %{_datadir}/augeas/ diff --git a/libvirtd.init b/libvirtd.init index 7c58256..24dc963 100644 --- a/libvirtd.init +++ b/libvirtd.init @@ -22,7 +22,7 @@ LIBVIRTD_BIN=/usr/sbin/libvirtd LIBVIRTD_PIDFILE=/var/run/libvirtd.pid test -x $LIBVIRTD_BIN || { echo "$LIBVIRD_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; - else exit 5; fi; } + else exit 5; fi; } . /etc/rc.status @@ -41,7 +41,7 @@ case "$1" in if [ -e $LIBVIRTD_PIDFILE ]; then if checkproc $LIBVIRTD_BIN ; then echo -n "libvirtd is already running." - rc_status -v + rc_status -v exit else echo "Removing stale PID file $LIBVIRTD_PIDFILE." @@ -76,7 +76,7 @@ case "$1" in rc_status ;; reload) - killproc -HUP $LIBVIRTD_BIN + killproc -HUP $LIBVIRTD_BIN rc_status -v ;; status) @@ -86,8 +86,8 @@ case "$1" in ;; *) echo "Usage: $0 {start|stop|restart|try-restart|reload|status}" - rc_failed 2 - rc_exit + rc_failed 2 + rc_exit ;; esac rc_exit diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch index d3d9c80..017df7f 100644 --- a/qemu-apparmor-screenshot.patch +++ b/qemu-apparmor-screenshot.patch @@ -1,7 +1,7 @@ -Index: libvirt-1.2.10/examples/apparmor/libvirt-qemu.in +Index: libvirt-1.2.11/examples/apparmor/libvirt-qemu =================================================================== ---- libvirt-1.2.10.orig/examples/apparmor/libvirt-qemu.in -+++ libvirt-1.2.10/examples/apparmor/libvirt-qemu.in +--- libvirt-1.2.11.orig/examples/apparmor/libvirt-qemu ++++ libvirt-1.2.11/examples/apparmor/libvirt-qemu @@ -124,6 +124,9 @@ /sys/bus/ r, /sys/class/ r,