Rebuild for wireshark soname change rhbz#2031322

Now with missing patches

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

0001-build-support-explicitly-disabling-netcf.patch

@@ -0,0 +1,56 @@
+From: Laine Stump <laine@redhat.com>
+Date: Thu, 21 Jan 2021 16:01:06 -0500
+Subject: [PATCH] build: support explicitly disabling netcf
+
+placing "-Dnetcf=disabled" on the meson commandline was ignored,
+meaning that even with that option the build would get WITH_NETCF if
+the netcf-devel package was found - the only way to disable it was to
+uninstall netcf-devel.
+
+This patch adds the small bit of logic to check the netcf meson
+commandline option (in addition to whether netcf-devel is installed)
+before defining WITH_NETCF.
+
+Signed-off-by: Laine Stump <laine@redhat.com>
+Reviewed-by: Neal Gompa <ngompa13@gmail.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 06169a115d46d8870a96d293c2faf6ea87e71020)
+---
+ meson.build | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index b5164f68ed..e9d6d9f82e 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1155,8 +1155,10 @@ libm_dep = cc.find_library('m', required : false)
+ 
+ netcf_version = '0.1.8'
+ netcf_dep = dependency('netcf', version: '>=' + netcf_version, required: get_option('netcf'))
+-if netcf_dep.found()
+-  conf.set('WITH_NETCF', 1)
++if not get_option('netcf').disabled()
++  if netcf_dep.found()
++    conf.set('WITH_NETCF', 1)
++  endif
+ endif
+ 
+ have_gnu_gettext_tools = false
+@@ -1550,7 +1552,7 @@ elif get_option('driver_hyperv').enabled()
+   error('openwsman is required for the Hyper-V driver')
+ endif
+ 
+-if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or netcf_dep.found())
++if not get_option('driver_interface').disabled() and conf.has('WITH_LIBVIRTD') and (udev_dep.found() or conf.has('WITH_NETCF'))
+   conf.set('WITH_INTERFACE', 1)
+ elif get_option('driver_interface').enabled()
+   error('Requested the Interface driver without netcf or udev and libvirtd support')
+@@ -2362,7 +2364,7 @@ libs_summary = {
+   'libssh': libssh_dep.found(),
+   'libssh2': libssh2_dep.found(),
+   'libutil': libutil_dep.found(),
+-  'netcf': netcf_dep.found(),
++  'netcf': conf.has('WITH_NETCF'),
+   'NLS': have_gnu_gettext_tools,
+   'numactl': numactl_dep.found(),
+   'openwsman': openwsman_dep.found(),

0001-qemu-xen-add-missing-deps-on-virtlockd-virtlogd-sock.patch

@@ -1,66 +0,0 @@
-From 88c5b9f827779ae6fe5a6f08100a4b6184492a1c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 31 Aug 2021 10:59:39 +0100
-Subject: [PATCH] qemu, xen: add missing deps on virtlockd/virtlogd sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The QEMU driver uses both virtlogd and virtlockd, while the Xen driver
-uses virtlockd. The libvirtd.service unit contains deps on the socket
-units for these services, but these deps were missed in the modular
-daemons. As a result the virtlockd/virtlogd sockets are not started
-when the virtqemud/virtxend daemons are started.
-
-Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/libxl/virtxend.service.in | 2 ++
- src/qemu/virtqemud.service.in | 4 ++++
- 2 files changed, 6 insertions(+)
-
-diff --git a/src/libxl/virtxend.service.in b/src/libxl/virtxend.service.in
-index a863917467..19b19ce3e6 100644
---- a/src/libxl/virtxend.service.in
-+++ b/src/libxl/virtxend.service.in
-@@ -1,6 +1,7 @@
- [Unit]
- Description=Virtualization xen daemon
- Conflicts=libvirtd.service
-+Requires=virtlockd.socket
- Requires=virtxend.socket
- Requires=virtxend-ro.socket
- Requires=virtxend-admin.socket
-@@ -25,6 +26,7 @@ KillMode=process
- 
- [Install]
- WantedBy=multi-user.target
-+Also=virtlockd.socket
- Also=virtxend.socket
- Also=virtxend-ro.socket
- Also=virtxend-admin.socket
-diff --git a/src/qemu/virtqemud.service.in b/src/qemu/virtqemud.service.in
-index 8abc9d3a7f..20e1b43a6e 100644
---- a/src/qemu/virtqemud.service.in
-+++ b/src/qemu/virtqemud.service.in
-@@ -1,6 +1,8 @@
- [Unit]
- Description=Virtualization qemu daemon
- Conflicts=libvirtd.service
-+Requires=virtlogd.socket
-+Requires=virtlockd.socket
- Requires=virtqemud.socket
- Requires=virtqemud-ro.socket
- Requires=virtqemud-admin.socket
-@@ -42,6 +44,8 @@ LimitMEMLOCK=64M
- 
- [Install]
- WantedBy=multi-user.target
-+Also=virtlogd.socket
-+Also=virtlockd.socket
- Also=virtqemud.socket
- Also=virtqemud-ro.socket
- Also=virtqemud-admin.socket
--- 
-2.31.1
-

0002-node_device_udev-Serialize-access-to-pci_get_strings.patch

@@ -0,0 +1,72 @@
+From: wangjian <wangjian161@huawei.com>
+Date: Fri, 26 Mar 2021 11:21:16 +0800
+Subject: [PATCH] node_device_udev: Serialize access to pci_get_strings)_
+
+Since the functions provided by libpciaccess are not thread-safe,
+when the udev-event and nodedev-init threads of libvirt call the
+pci_get_strings function provided by libpaciaccess at the same
+time the following can happen:
+
+nodedev-init thread:
+nodeStateInitializeEnumerate ->
+  udevEnumerateDevices->
+    udevProcessDeviceListEntry ->
+      udevAddOneDevice ->
+        udevGetDeviceDetails->
+          udevProcessPCI ->
+            udevTranslatePCIIds ->
+              pci_get_strings -> (libpciaccess)
+                find_device_name ->
+                  populate_vendor ->
+                    d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                    vend->num_devices++;
+
+udev-event thread:
+udevEventHandleThread ->
+  udevHandleOneDevice ->
+    udevAddOneDevice->
+      udevGetDeviceDetails->
+        udevProcessPCI ->
+          udevTranslatePCIIds ->
+            pci_get_strings -> (libpciaccess)
+              find_device_name ->
+                populate_vendor ->
+                  d = realloc( vend->devices, (vend->num_devices + 1), * sizeof( struct pci_device_leaf ) );
+                  vend->num_devices++;
+
+Signed-off-by: WangJian <wangjian161@huawei.com>
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 59788a5caea5f292c86e07a31ee2b853d68db87e)
+---
+ src/node_device/node_device_udev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
+index 55a2731681..6f0defe908 100644
+--- a/src/node_device/node_device_udev.c
++++ b/src/node_device/node_device_udev.c
+@@ -328,6 +328,7 @@ udevGenerateDeviceName(struct udev_device *device,
+     return 0;
+ }
+ 
++static virMutex pciaccessMutex = VIR_MUTEX_INITIALIZER;
+ 
+ static int
+ udevTranslatePCIIds(unsigned int vendor,
+@@ -346,12 +347,14 @@ udevTranslatePCIIds(unsigned int vendor,
+     m.device_class_mask = 0;
+     m.match_data = 0;
+ 
+-    /* pci_get_strings returns void */
++    /* pci_get_strings returns void and unfortunately is not thread safe. */
++    virMutexLock(&pciaccessMutex);
+     pci_get_strings(&m,
+                     &device_name,
+                     &vendor_name,
+                     NULL,
+                     NULL);
++    virMutexUnlock(&pciaccessMutex);
+ 
+     *vendor_string = g_strdup(vendor_name);
+     *product_string = g_strdup(device_name);

0003-virSetUIDGIDWithCaps-Don-t-drop-CAP_SETPCAP-right-aw.patch

@@ -0,0 +1,53 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 24 Jun 2021 16:58:09 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Don't drop CAP_SETPCAP right away
+
+There are few cases where we execute a virCommand with all caps
+cleared (virCommandClearCaps()). For instance
+dnsmasqCapsRefreshInternal() does just that. This means, that
+after fork() and before exec() the virSetUIDGIDWithCaps() is
+called. But since the caller did not want to change anything,
+just drop capabilities, these are the values of arguments:
+
+  virSetUIDGIDWithCaps (uid=-1, gid=-1, groups=0x0, ngroups=0,
+                        capBits=0, clearExistingCaps=true)
+
+This means that indeed all capabilities will be dropped,
+including CAP_SETPCAP. But this capability controls whether
+capabilities can be set, IOW whether capng_apply() succeeds.
+
+There are two calls of capng_apply() in the function. The
+CAP_SETPCAP is dropped after the first call and thus the other
+call (capng_apply(CAPNG_SELECT_BOUNDS);) fails.
+
+The solution is to keep the capability for as long as needed
+(just like CAP_SETGID and CAP_SETUID) and drop it only at the
+very end (just like CAP_SETGID and CAP_SETUID).
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949388
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
+(cherry picked from commit 438b50dda8a863fdc988e9ab612f097cc1626e8a)
+---
+ src/util/virutil.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index a0cd0f1bcd..7ae23a7061 100644
+--- a/src/util/virutil.c
++++ b/src/util/virutil.c
+@@ -1202,12 +1202,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+     }
+ # ifdef PR_CAPBSET_DROP
+     /* If newer kernel, we need also need setpcap to change the bounding set */
+-    if ((capBits || need_setgid || need_setuid) &&
+-        !capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++    if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+         need_setpcap = true;
+-    }
+-    if (need_setpcap)
+         capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
++    }
+ # endif
+ 
+     /* Tell system we want to keep caps across uid change */

0004-security-fix-SELinux-label-generation-logic.patch

@@ -0,0 +1,51 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+  a) svirt_t:s0:c117
+  b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 15073504dbb624d3f6c911e85557019d3620fdb2)
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 2fc6ef2616..61a871ec3d 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -389,7 +389,15 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
+         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+ 
+         if (c1 == c2) {
+-            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++            /*
++             * A process can access a file if the set of MCS categories
++             * for the file is equal-to *or* a subset-of, the set of
++             * MCS categories for the process.
++             *
++             * IOW, we must discard case where the categories are equal
++             * because that is a subset of other category pairs.
++             */
++            continue;
+         } else {
+             if (c1 > c2) {
+                 int t = c1;

0004-tests-virstoragetest-remove-tests-without-backing-ty.patch

@@ -1,78 +0,0 @@
-From 979d1ba3ae1332bda80cb6eca98e41dc4462a226 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
-Date: Tue, 31 Aug 2021 11:41:55 +0200
-Subject: [PATCH] tests: virstoragetest: remove tests without backing type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As of qemu commit:
-
-  commit 497a30dbb065937d67f6c43af6dd78492e1d6f6d
-    qemu-img: Require -F with -b backing image
-
-creating images with backing images requires specifying the format.
-
-Remove tests which do not pass the backing format on the command
-line.
-
-Signed-off-by: Ján Tomko <jtomko@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
----
- tests/virstoragetest.c | 33 ---------------------------------
- 1 file changed, 33 deletions(-)
-
-diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
-index 1b211b60e6..b80818bc7b 100644
---- a/tests/virstoragetest.c
-+++ b/tests/virstoragetest.c
-@@ -638,30 +638,6 @@ mymain(void)
-     };
-     TEST_CHAIN(abswrap, VIR_STORAGE_FILE_QCOW2, (&wrap, &qcow2, &raw), EXP_PASS);
- 
--    /* Rewrite qcow2 and wrap file to omit backing file type */
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", absraw, "qcow2", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", absqcow2, "wrap", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    /* Qcow2 file with raw as absolute backing, backing format omitted */
--    testFileData wrap_as_raw = {
--        .expBackingStoreRaw = absqcow2,
--        .expCapacity = 1024,
--        .path = abswrap,
--        .type = VIR_STORAGE_TYPE_FILE,
--        .format = VIR_STORAGE_FILE_QCOW2,
--    };
--    TEST_CHAIN(abswrap, VIR_STORAGE_FILE_QCOW2,
--               (&wrap_as_raw, &qcow2_as_raw), EXP_FAIL);
--
-     /* Rewrite qcow2 to a missing backing file, with backing type */
-     virCommandFree(cmd);
-     cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
-@@ -674,15 +650,6 @@ mymain(void)
-     /* Qcow2 file with missing backing file but specified type */
-     TEST_CHAIN(absqcow2, VIR_STORAGE_FILE_QCOW2, (&qcow2), EXP_FAIL);
- 
--    /* Rewrite qcow2 to a missing backing file, without backing type */
--    virCommandFree(cmd);
--    cmd = virCommandNewArgList(qemuimg, "rebase", "-u", "-f", "qcow2",
--                               "-b", datadir "/bogus", "qcow2", NULL);
--    if (virCommandRun(cmd, NULL) < 0)
--        ret = -1;
--
--    /* Qcow2 file with missing backing file and no specified type */
--    TEST_CHAIN(absqcow2, VIR_STORAGE_FILE_QCOW2, (&qcow2), EXP_FAIL);
- 
-     /* Rewrite qcow2 to use an nbd: protocol as backend */
-     virCommandFree(cmd);
--- 
-2.33.1
-

0005-virSetUIDGIDWithCaps-Set-bounding-capabilities-only-.patch

@@ -0,0 +1,43 @@
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Thu, 22 Jul 2021 14:26:00 +0200
+Subject: [PATCH] virSetUIDGIDWithCaps: Set bounding capabilities only with
+ CAP_SETPCAP
+
+In one of my previous patches I've tried to postpone dropping
+CAP_SETPCAP until the very end because it's needed for
+capng_apply(). What I did not realize back then was that we might
+not have the capability to begin with. Because of unknown reasons
+capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not
+for CAPNG_SELECT_CAPS.
+
+Reproducer is really simple: run libvirtd as a regular user.
+During its initialization, libvirtd will spawn some binaries
+(dnsmasq, qemu-*, etc.) and while doing so it will try to drop
+capabilities.
+
+Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we
+have the CAP_SETPCAP (which is tracked in need_setpcap variable).
+
+Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit a2476f37a7789eb9315b77bb451f4754ef4ef15b)
+---
+ src/util/virutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/virutil.c b/src/util/virutil.c
+index 7ae23a7061..333f99e91d 100644
+--- a/src/util/virutil.c
++++ b/src/util/virutil.c
+@@ -1269,7 +1269,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
+      * do this if we failed to get the capability above, so ignore the
+      * return value.
+      */
+-    capng_apply(CAPNG_SELECT_BOUNDS);
++    if (!need_setpcap)
++        capng_apply(CAPNG_SELECT_BOUNDS);
+ 
+     /* Drop the caps that allow setuid/gid (unless they were requested) */
+     if (need_setgid)

0006-qemu_firmware-don-t-error-out-for-unknown-firmware-f.patch

@@ -0,0 +1,57 @@
+From: Pavel Hrdina <phrdina@redhat.com>
+Date: Mon, 10 May 2021 15:07:09 +0200
+Subject: [PATCH] qemu_firmware: don't error out for unknown firmware features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU introduces new firmware features libvirt will fail until we
+list that feature in our code as well which doesn't sound right.
+
+We should simply ignore the new feature until we add a proper support
+for it.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 61d95a1073833ec4323c1ef28e71e913c55aa7b9)
+---
+ src/qemu/qemu_firmware.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
+index 639cff7459..e602de22e3 100644
+--- a/src/qemu/qemu_firmware.c
++++ b/src/qemu/qemu_firmware.c
+@@ -573,6 +573,7 @@ qemuFirmwareFeatureParse(const char *path,
+     virJSONValuePtr featuresJSON;
+     g_autoptr(qemuFirmwareFeature) features = NULL;
+     size_t nfeatures;
++    size_t nparsed = 0;
+     size_t i;
+ 
+     if (!(featuresJSON = virJSONValueObjectGetArray(doc, "features"))) {
+@@ -592,17 +593,16 @@ qemuFirmwareFeatureParse(const char *path,
+         int tmp;
+ 
+         if ((tmp = qemuFirmwareFeatureTypeFromString(tmpStr)) <= 0) {
+-            virReportError(VIR_ERR_INTERNAL_ERROR,
+-                           _("unknown feature %s"),
+-                           tmpStr);
+-            return -1;
++            VIR_DEBUG("ignoring unknown QEMU firmware feature '%s'", tmpStr);
++            continue;
+         }
+ 
+-        features[i] = tmp;
++        features[nparsed] = tmp;
++        nparsed++;
+     }
+ 
+     fw->features = g_steal_pointer(&features);
+-    fw->nfeatures = nfeatures;
++    fw->nfeatures = nparsed;
+     return 0;
+ }
+ 

0007-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch

@@ -0,0 +1,33 @@
+From: Peter Krempa <pkrempa@redhat.com>
+Date: Wed, 21 Jul 2021 11:22:25 +0200
+Subject: [PATCH] storage_driver: Unlock object on ACL fail in
+ storagePoolLookupByTargetPath
+
+'virStoragePoolObjListSearch' returns a locked and refed object, thus we
+must release it on ACL permission failure.
+
+Fixes: 7aa0e8c0cb8
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
+Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+(cherry picked from commit 447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87)
+---
+ src/storage/storage_driver.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
+index 16bc53aa46..2787c1671b 100644
+--- a/src/storage/storage_driver.c
++++ b/src/storage/storage_driver.c
+@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
+                                            storagePoolLookupByTargetPathCallback,
+                                            cleanpath))) {
+         def = virStoragePoolObjGetDef(obj);
+-        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
++        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
++            virStoragePoolObjEndAPI(&obj);
+             return NULL;
++        }
+ 
+         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
+         virStoragePoolObjEndAPI(&obj);

libvirt.spec

@@ -3,16 +3,23 @@
 # This spec file assumes you are building on a Fedora or RHEL version
 # that's still supported by the vendor. It may work on other distros
 # or versions, but no effort will be made to ensure that going forward.
-%define min_rhel 8
-%define min_fedora 33
+%define min_rhel 7
+%define min_fedora 31
 
-%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x
+%if 0%{?fedora} >= %{min_fedora} || 0%{?rhel} >= %{min_rhel}
+    %define supported_platform 1
+%else
+    %define supported_platform 0
+%endif
+
+# On RHEL 7 and older macro _vpath_builddir is not defined.
+%if 0%{?rhel} && 0%{?rhel} <= 7
+    %define _vpath_builddir %{_target_platform}
+%endif
+
+%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x riscv64
 %if 0%{?rhel}
-    %if 0%{?rhel} > 8
-        %define arches_qemu_kvm     x86_64 aarch64 s390x
-    %else
-        %define arches_qemu_kvm     x86_64 %{power64} aarch64 s390x
-    %endif
+    %define arches_qemu_kvm     x86_64 %{power64} aarch64 s390x
 %endif
 
 %define arches_64bit            x86_64 %{power64} aarch64 s390x riscv64
@@ -65,28 +72,24 @@
 %endif
 
 %define with_storage_gluster 0%{!?_without_storage_gluster:1}
-%if 0%{?rhel}
-    # Glusterfs has been dropped in RHEL-9, and before that
-    # was only enabled on arches where KVM exists
-    %if 0%{?rhel} > 8
+%ifnarch %{arches_qemu_kvm}
+    # gluster is only built where qemu driver is enabled on RHEL 8
+    %if 0%{?rhel} >= 8
         %define with_storage_gluster 0
-    %else
-        %ifnarch %{arches_qemu_kvm}
-            %define with_storage_gluster 0
-        %endif
     %endif
 %endif
 
-# Fedora has zfs-fuse
+# F25+ has zfs-fuse
 %if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
     %define with_storage_zfs      0
 %endif
 
-%define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
-# libiscsi has been dropped in RHEL-9
-%if 0%{?rhel} > 8
+# We need a recent enough libiscsi (>= 1.18.0)
+%if 0%{?fedora} || 0%{?rhel} > 7
+    %define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
+%else
     %define with_storage_iscsi_direct 0
 %endif
 
@@ -123,7 +126,9 @@
     %define with_storage_rbd 0
 %endif
 
-# RHEL doesn't ship many hypervisor drivers
+# RHEL doesn't ship OpenVZ, VBox, PowerHypervisor,
+# VMware, libxenlight (Xen 4.1 and newer),
+# or HyperV.
 %if 0%{?rhel}
     %define with_openvz 0
     %define with_vbox 0
@@ -131,10 +136,15 @@
     %define with_libxl 0
     %define with_hyperv 0
     %define with_vz 0
-    %define with_lxc 0
+
+    %if 0%{?rhel} > 7
+        %define with_lxc 0
+    %endif
 %endif
 
-%define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
+%if 0%{?fedora} || 0%{?rhel} > 7
+    %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
+%endif
 
 %if (0%{?fedora} && 0%{?fedora} < 34) || (0%{?rhel} && 0%{?rhel} < 9)
     %define with_netcf 0%{!?_without_netcf:1}
@@ -162,12 +172,16 @@
     %define with_libssh2 0%{!?_without_libssh2:1}
 %endif
 
-# Enable wireshark plugins for all distros
-%define with_wireshark 0%{!?_without_wireshark:1}
-%define wireshark_plugindir %(pkg-config --variable plugindir wireshark)/epan
+# Enable wireshark plugins for all distros except RHEL-7
+%if 0%{?fedora} || 0%{?rhel} > 7
+    %define with_wireshark 0%{!?_without_wireshark:1}
+    %define wireshark_plugindir %(pkg-config --variable plugindir wireshark)/epan
+%endif
 
-# Enable libssh transport for all distros
-%define with_libssh 0%{!?_without_libssh:1}
+# Enable libssh transport for new enough distros
+%if 0%{?fedora} || 0%{?rhel} > 7
+    %define with_libssh 0%{!?_without_libssh:1}
+%endif
 
 %if %{with_qemu} || %{with_lxc}
 # numad is used to manage the CPU and memory placement dynamically,
@@ -181,11 +195,6 @@
     %define with_dmidecode 0%{!?_without_dmidecode:1}
 %endif
 
-%define with_modular_daemons 0
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
-    %define with_modular_daemons 1
-%endif
-
 # Force QEMU to run as non-root
 %define qemu_user  qemu
 %define qemu_group  qemu
@@ -197,16 +206,20 @@
 %if 0%{?rhel}
     %define enable_werror -Dwerror=true
 %else
-    %define enable_werror -Dwerror=false -Dgit_werror=disabled
+    %define enable_werror -Dwerror=false
 %endif
 
-%define tls_priority "@LIBVIRT,SYSTEM"
+%if 0%{?rhel} == 7
+    %define tls_priority "NORMAL"
+%else
+    %define tls_priority "@LIBVIRT,SYSTEM"
+%endif
 
 
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 7.6.0
-Release: 5%{?dist}
+Version: 7.0.0
+Release: 8%{?dist}
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -214,10 +227,26 @@ URL: https://libvirt.org/
     %define mainturl stable_updates/
 %endif
 Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
-Patch1: 0001-qemu-xen-add-missing-deps-on-virtlockd-virtlogd-sock.patch
-Patch2: 0002-wireshark-Switch-to-tvb_bytes_to_str.patch
-Patch3: 0003-wireshark-Drop-needless-comment-in-dissect_xdr_bytes.patch
-Patch4: 0004-tests-virstoragetest-remove-tests-without-backing-ty.patch
+
+# Disable netcf
+Patch0001: 0001-build-support-explicitly-disabling-netcf.patch
+# Crash in udev driver populate_vendor (bz #1966851)
+Patch0002: 0002-node_device_udev-Serialize-access-to-pci_get_strings.patch
+# Fix CAP_SETPCAP syslog warning (bz #1924218)
+Patch0003: 0003-virSetUIDGIDWithCaps-Don-t-drop-CAP_SETPCAP-right-aw.patch
+# CVE-2021-3631 libvirt: insecure sVirt label generation (bz #1977760)
+Patch0004: 0004-security-fix-SELinux-label-generation-logic.patch
+# More CAP_SETPCAP warning fixes (bz #1924218)
+Patch0005: 0005-virSetUIDGIDWithCaps-Set-bounding-capabilities-only-.patch
+# Handle unknown firmware.json errors
+Patch0006: 0006-qemu_firmware-don-t-error-out-for-unknown-firmware-f.patch
+# CVE-2021-3667: Fix deadlock on virStoragePoolLookupByTargetPath failure
+# (bz #1986113)
+Patch0007: 0007-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+
+# Wireshark changed its public API
+Patch0008: 0008-wireshark-Switch-to-tvb_bytes_to_str.patch
+Patch0009: 0009-wireshark-Drop-needless-comment-in-dissect_xdr_bytes.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -249,17 +278,28 @@ Requires: libvirt-libs = %{version}-%{release}
 
 # All build-time requirements. Run-time requirements are
 # listed against each sub-RPM
+BuildRequires: gettext-devel
+%if 0%{?rhel} == 7
+BuildRequires: python36-docutils
+%else
 BuildRequires: python3-docutils
+%endif
 BuildRequires: gcc
 BuildRequires: meson >= 0.54.0
 BuildRequires: ninja-build
+BuildRequires: make
 BuildRequires: git
+%if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires: perl-interpreter
+%else
+BuildRequires: perl
+%endif
 BuildRequires: python3
+BuildRequires: systemd-units
 %if %{with_libxl}
 BuildRequires: xen-devel
 %endif
-BuildRequires: glib2-devel >= 2.56
+BuildRequires: glib2-devel >= 2.48
 BuildRequires: libxml2-devel
 BuildRequires: libxslt
 BuildRequires: readline-devel
@@ -311,8 +351,13 @@ BuildRequires: device-mapper-devel
 # For XFS reflink clone support
 BuildRequires: xfsprogs-devel
 %if %{with_storage_rbd}
+    %if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires: librados-devel
 BuildRequires: librbd-devel
+    %else
+BuildRequires: librados2-devel
+BuildRequires: librbd1-devel
+    %endif
 %endif
 %if %{with_storage_gluster}
 BuildRequires: glusterfs-api-devel >= 3.4.1
@@ -374,7 +419,11 @@ BuildRequires: wireshark-devel
 BuildRequires: libssh-devel >= 0.7.0
 %endif
 
+# On RHEL-7 rpcgen is still part of glibc-common package
+%if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires: rpcgen
+%endif
+
 BuildRequires: libtirpc-devel
 
 # Needed for the firewalld_reload macro
@@ -409,10 +458,12 @@ Requires: /usr/bin/nc
 # for modprobe of pci devices
 Requires: module-init-tools
 
-# for /sbin/ip
+# for /sbin/ip & /sbin/tc
 Requires: iproute
-# for /sbin/tc
+# tc is provided by iproute-tc since at least Fedora 26
+%if 0%{?fedora} || 0%{?rhel} > 7
 Requires: iproute-tc
+%endif
 
 Requires: polkit >= 0.112
 %if %{with_dmidecode}
@@ -420,7 +471,10 @@ Requires: polkit >= 0.112
 Requires: dmidecode
 %endif
 # For service management
-Requires(post): /usr/bin/systemctl
+Requires(post): systemd-units
+Requires(post): systemd-sysv
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 %if %{with_numad}
 Requires: numad
 %endif
@@ -428,13 +482,6 @@ Requires: numad
 Requires: dbus
 # For uid creation during pre
 Requires(pre): shadow-utils
-# Needed by /usr/libexec/libvirt-guests.sh script.
-Requires: gettext
-
-# Ensure smooth upgrades
-Obsoletes: libvirt-admin < 7.3.0
-Provides: libvirt-admin = %{version}-%{release}
-Obsoletes: libvirt-bash-completion < 7.3.0
 
 %description daemon
 Server side daemon required to manage the virtualization capabilities
@@ -493,7 +540,9 @@ Requires: libvirt-libs = %{version}-%{release}
 # needed for device enumeration
 Requires: systemd >= 185
 # For managing persistent mediated devices
+%if 0%{?fedora} || 0%{?rhel} > 7
 Requires: mdevctl
+%endif
 
 %description daemon-driver-nodedev
 The nodedev driver plugin for the libvirtd daemon, providing
@@ -591,6 +640,7 @@ volumes using the host iscsi stack.
 Summary: Storage driver plugin for iscsi-direct
 Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
+Requires: libiscsi
 
 %description daemon-driver-storage-iscsi-direct
 The storage driver backend adding implementation of the storage APIs for iscsi
@@ -708,8 +758,12 @@ Requires: gzip
 Requires: bzip2
 Requires: lzop
 Requires: xz
+    %if 0%{?fedora} || 0%{?rhel} > 7
 Requires: systemd-container
+    %endif
+    %if 0%{?fedora} || 0%{?rhel} > 7
 Requires: swtpm-tools
+    %endif
 
 %description daemon-driver-qemu
 The qemu driver plugin for the libvirtd daemon, providing
@@ -725,7 +779,9 @@ Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
 # There really is a hard cross-driver dependency here
 Requires: libvirt-daemon-driver-network = %{version}-%{release}
+    %if 0%{?fedora} || 0%{?rhel} > 7
 Requires: systemd-container
+    %endif
 
 %description daemon-driver-lxc
 The LXC driver plugin for the libvirtd daemon, providing
@@ -863,11 +919,11 @@ capabilities of VirtualBox
 %package client
 Summary: Client side utilities of the libvirt library
 Requires: %{name}-libs = %{version}-%{release}
+# Needed by /usr/libexec/libvirt-guests.sh script.
+Requires: gettext
 # Needed by virt-pki-validate script.
 Requires: gnutls-utils
-
-# Ensure smooth upgrades
-Obsoletes: libvirt-bash-completion < 7.3.0
+Requires: %{name}-bash-completion = %{version}-%{release}
 
 %description client
 The client binaries needed to access the virtualization
@@ -884,6 +940,20 @@ Requires: cyrus-sasl-gssapi
 %description libs
 Shared libraries for accessing the libvirt daemon.
 
+%package admin
+Summary: Set of tools to control libvirt daemon
+Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}-bash-completion = %{version}-%{release}
+
+%description admin
+The client side utilities to control the libvirt daemon.
+
+%package bash-completion
+Summary: Bash completion script
+
+%description bash-completion
+Bash completion script stub.
+
 %if %{with_wireshark}
 %package wireshark
 Summary: Wireshark dissector plugin for libvirt RPC transactions
@@ -940,10 +1010,11 @@ Libvirt plugin for NSS for translating domain names into IP addresses.
 %autosetup -S git_am
 
 %build
-%if 0%{?fedora} >= %{min_fedora} || 0%{?rhel} >= %{min_rhel}
-    %define supported_platform 1
-%else
-    %define supported_platform 0
+
+%if 0%{?fedora} == 34
+    # binutils change in F34 broke linking of tests
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1889763
+    %define _lto_cflags %{nil}
 %endif
 
 %if ! %{supported_platform}
@@ -1085,12 +1156,6 @@ exit 1
     %define arg_libssh2 -Dlibssh2=disabled
 %endif
 
-%if %{with_modular_daemons}
-    %define arg_remote_mode -Dremote_default_mode=direct
-%else
-    %define arg_remote_mode -Dremote_default_mode=legacy
-%endif
-
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1113,15 +1178,12 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
            -Dsasl=enabled \
            -Dpolkit=enabled \
            -Ddriver_libvirtd=enabled \
-           -Ddriver_remote=enabled \
-           -Ddriver_test=enabled \
            %{?arg_esx} \
            %{?arg_hyperv} \
            %{?arg_vmware} \
            -Ddriver_vz=disabled \
            -Ddriver_bhyve=disabled \
-           -Ddriver_ch=disabled \
-           %{?arg_remote_mode} \
+           -Dremote_default_mode=legacy \
            -Ddriver_interface=enabled \
            -Ddriver_network=enabled \
            -Dstorage_fs=enabled \
@@ -1144,7 +1206,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
            -Dselinux=enabled \
            %{?arg_selinux_mount} \
            -Dapparmor=disabled \
-           -Dapparmor_profiles=disabled \
            -Dsecdriver_apparmor=disabled \
            -Dudev=enabled \
            -Dyajl=enabled \
@@ -1197,7 +1258,7 @@ rm -f $RPM_BUILD_ROOT%{wireshark_plugindir}/libvirt.la
 %endif
 
 install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/lib/libvirt/dnsmasq/
-# We don't want to install /etc/libvirt/qemu/networks in the main %%files list
+# We don't want to install /etc/libvirt/qemu/networks in the main %files list
 # because if the admin wants to delete the default network completely, we don't
 # want to end up re-incarnating it on every RPM upgrade.
 install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/libvirt/networks/
@@ -1206,7 +1267,7 @@ cp $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/default.xml \
 # libvirt saves this file with mode 0600
 chmod 0600 $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu/networks/default.xml
 
-# nwfilter files are installed in /usr/share/libvirt and copied to /etc in %%post
+# nwfilter files are installed in /usr/share/libvirt and copied to /etc in %post
 # to avoid verification errors on changed files in /etc
 install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/libvirt/nwfilter/
 cp -a $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/nwfilter/*.xml \
@@ -1263,32 +1324,15 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
 # raising the test timeout
 VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check --timeout-multiplier 10
 
-%define libvirt_daemon_schedule_restart() mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || : \
-/bin/systemctl is-active %1.service 1>/dev/null 2>&1 && \
-  touch %{_localstatedir}/lib/rpm-state/libvirt/restart-%1 || :
+%post libs
+%if 0%{?rhel} == 7
+/sbin/ldconfig
+%endif
 
-%define libvirt_daemon_finish_restart() rm -f %{_localstatedir}/lib/rpm-state/libvirt/restart-%1 \
-rmdir %{_localstatedir}/lib/rpm-state/libvirt 2>/dev/null || :
-
-%define libvirt_daemon_needs_restart() -f %{_localstatedir}/lib/rpm-state/libvirt/restart-%1
-
-%define libvirt_daemon_perform_restart() if test %libvirt_daemon_needs_restart %1 \
-then \
-  /bin/systemctl try-restart %1.service >/dev/null 2>&1 || : \
-fi \
-%libvirt_daemon_finish_restart %1
-
-# For daemons with only UNIX sockets
-%define libvirt_daemon_systemd_post() %systemd_post %1.socket %1-ro.socket %1-admin.socket %1.service
-%define libvirt_daemon_systemd_preun() %systemd_preun %1.service %1-ro.socket %1-admin.socket %1.socket
-
-# For daemons with UNIX and INET sockets
-%define libvirt_daemon_systemd_post_inet() %systemd_post %1.socket %1-ro.socket %1-admin.socket %1-tls.socket %1-tcp.socket %1.service
-%define libvirt_daemon_systemd_preun_inet() %systemd_preun %1.service %1-ro.socket %1-admin.socket %1-tls.socket %1-tcp.socket %1.socket
-
-# For daemons with only UNIX sockets and no unprivileged read-only access
-%define libvirt_daemon_systemd_post_priv() %systemd_post %1.socket %1-admin.socket %1.service
-%define libvirt_daemon_systemd_preun_priv() %systemd_preun %1.service %1-admin.socket %1.socket
+%postun libs
+%if 0%{?rhel} == 7
+/sbin/ldconfig
+%endif
 
 %pre daemon
 # 'libvirt' group is just to allow password-less polkit access to
@@ -1299,32 +1343,30 @@ getent group libvirt >/dev/null || groupadd -r libvirt
 exit 0
 
 %post daemon
-%libvirt_daemon_systemd_post_priv virtlogd
-%libvirt_daemon_systemd_post_priv virtlockd
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post_inet virtproxyd
-%else
-%libvirt_daemon_systemd_post_inet libvirtd
-%endif
 
-%systemd_post libvirt-guests.service
+%systemd_post virtlockd.socket virtlockd-admin.socket
+%systemd_post virtlogd.socket virtlogd-admin.socket
+%systemd_post libvirtd.socket libvirtd-ro.socket libvirtd-admin.socket
+%systemd_post libvirtd-tcp.socket libvirtd-tls.socket
+%systemd_post libvirtd.service
 
-%libvirt_daemon_schedule_restart libvirtd
+# request daemon restart in posttrans
+mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
+touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
 
 %preun daemon
-%systemd_preun libvirt-guests.service
-
-%libvirt_daemon_systemd_preun_inet libvirtd
-%libvirt_daemon_systemd_preun_inet virtproxyd
-%libvirt_daemon_systemd_preun_priv virtlogd
-%libvirt_daemon_systemd_preun_priv virtlockd
+%systemd_preun libvirtd.service
+%systemd_preun libvirtd-tcp.socket libvirtd-tls.socket
+%systemd_preun libvirtd.socket libvirtd-ro.socket libvirtd-admin.socket
+%systemd_preun virtlogd.socket virtlogd-admin.socket virtlogd.service
+%systemd_preun virtlockd.socket virtlockd-admin.socket virtlockd.service
 
 %postun daemon
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 if [ $1 -ge 1 ] ; then
-    /bin/systemctl reload-or-try-restart virtlockd.service virtlogd.service >/dev/null 2>&1 || :
+    /bin/systemctl reload-or-try-restart virtlockd.service >/dev/null 2>&1 || :
+    /bin/systemctl reload-or-try-restart virtlogd.service >/dev/null 2>&1 || :
 fi
-%systemd_postun libvirt-guests.service
 
 # In upgrade scenario we must explicitly enable virtlockd/virtlogd
 # sockets, if libvirtd is already enabled and start them if
@@ -1339,8 +1381,7 @@ if [ $1 -ge 1 ] ; then
 fi
 
 %posttrans daemon
-if test %libvirt_daemon_needs_restart libvirtd
-then
+if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
     # See if user has previously modified their install to
     # tell libvirtd to use --listen
     grep -E '^LIBVIRTD_ARGS=.*--listen' /etc/sysconfig/libvirtd 1>/dev/null 2>&1
@@ -1350,12 +1391,11 @@ then
         # systemd socket activation, because switching things
         # might confuse mgmt tool like puppet/ansible that
         # expect the old style libvirtd
-        /bin/systemctl mask \
-                libvirtd.socket \
-                libvirtd-ro.socket \
-                libvirtd-admin.socket \
-                libvirtd-tls.socket \
-                libvirtd-tcp.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-ro.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-admin.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tls.socket >/dev/null 2>&1 || :
+        /bin/systemctl mask libvirtd-tcp.socket >/dev/null 2>&1 || :
     else
         # Old libvirtd owns the sockets and will delete them on
         # shutdown. Can't use a try-restart as libvirtd will simply
@@ -1367,165 +1407,26 @@ then
         then
             /bin/systemctl stop libvirtd.service >/dev/null 2>&1 || :
 
-            /bin/systemctl try-restart \
-                    libvirtd.socket \
-                    libvirtd-ro.socket \
-                    libvirtd-admin.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-ro.socket >/dev/null 2>&1 || :
+            /bin/systemctl try-restart libvirtd-admin.socket >/dev/null 2>&1 || :
 
             /bin/systemctl start libvirtd.service >/dev/null 2>&1 || :
         fi
     fi
 fi
-
-%libvirt_daemon_finish_restart libvirtd
+rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
 
 %post daemon-driver-network
 %if %{with_firewalld_zone}
     %firewalld_reload
 %endif
 
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtnetworkd
-%endif
-%libvirt_daemon_schedule_restart virtnetworkd
-
-%preun
-%libvirt_daemon_systemd_preun virtnetworkd
-
 %postun daemon-driver-network
 %if %{with_firewalld_zone}
     %firewalld_reload
 %endif
 
-%posttrans daemon-driver-network
-%libvirt_daemon_perform_restart virtnetworkd
-
-
-%post daemon-driver-nwfilter
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtnwfilterd
-%endif
-%libvirt_daemon_schedule_restart virtnwfilterd
-
-%preun daemon-driver-nwfilter
-%libvirt_daemon_systemd_preun virtnwfilterd
-
-%posttrans daemon-driver-nwfilter
-%libvirt_daemon_perform_restart virtnwfilterd
-
-
-%post daemon-driver-nodedev
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtnodedevd
-%endif
-%libvirt_daemon_schedule_restart virtnodedevd
-
-%preun daemon-driver-nodedev
-%libvirt_daemon_systemd_preun virtnodedevd
-
-%posttrans daemon-driver-nodedev
-%libvirt_daemon_perform_restart virtnodedevd
-
-
-%post daemon-driver-interface
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtinterfaced
-%endif
-%libvirt_daemon_schedule_restart virtinterfaced
-
-%preun daemon-driver-interface
-%libvirt_daemon_systemd_preun virtinterfaced
-
-%posttrans daemon-driver-interface
-%libvirt_daemon_perform_restart virtinterfaced
-
-
-%post daemon-driver-secret
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtsecretd
-%endif
-%libvirt_daemon_schedule_restart virtsecretd
-
-%preun daemon-driver-secret
-%libvirt_daemon_systemd_preun virtsecretd
-
-%posttrans daemon-driver-secret
-%libvirt_daemon_perform_restart virtsecretd
-
-
-%post daemon-driver-storage
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtstoraged
-%endif
-%libvirt_daemon_schedule_restart virtstoraged
-
-%preun daemon-driver-storage
-%libvirt_daemon_systemd_preun virtstoraged
-
-%posttrans daemon-driver-storage
-%libvirt_daemon_perform_restart virtstoraged
-
-
-%if %{with_qemu}
-%post daemon-driver-qemu
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtqemud
-%endif
-%libvirt_daemon_schedule_restart virtqemud
-
-%preun daemon-driver-qemu
-%libvirt_daemon_systemd_preun virtqemud
-
-%posttrans daemon-driver-qemu
-%libvirt_daemon_perform_restart virtqemud
-%endif
-
-
-%if %{with_lxc}
-%post daemon-driver-lxc
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtlxcd
-%endif
-%libvirt_daemon_schedule_restart virtlxcd
-
-%preun daemon-driver-lxc
-%libvirt_daemon_systemd_preun virtlxcd
-
-%posttrans daemon-driver-lxc
-%libvirt_daemon_perform_restart virtlxcd
-%endif
-
-
-%if %{with_vbox}
-%post daemon-driver-vbox
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtvboxd
-%endif
-%libvirt_daemon_schedule_restart virtvboxd
-
-%preun daemon-driver-vbox
-%libvirt_daemon_systemd_preun virtvboxd
-
-%posttrans daemon-driver-vbox
-%libvirt_daemon_perform_restart virtvboxd
-%endif
-
-
-%if %{with_libxl}
-%post daemon-driver-libxl
-%if %{with_modular_daemons}
-%libvirt_daemon_systemd_post virtxend
-%endif
-%libvirt_daemon_schedule_restart virtxend
-
-%preun daemon-driver-libxl
-%libvirt_daemon_systemd_preun virtxend
-
-%posttrans daemon-driver-libxl
-%libvirt_daemon_perform_restart virtxend
-%endif
-
-
 %post daemon-config-network
 if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
     # see if the network used by default network creates a conflict,
@@ -1564,13 +1465,15 @@ if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ;
     chmod 0600 %{_sysconfdir}/libvirt/qemu/networks/default.xml
 
     # Make sure libvirt picks up the new network defininiton
-    %libvirt_daemon_schedule_restart libvirtd
-    %libvirt_daemon_schedule_restart virtnetworkd
+    mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
+    touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
 fi
 
 %posttrans daemon-config-network
-%libvirt_daemon_perform_restart libvirtd
-%libvirt_daemon_perform_restart virtnetworkd
+if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
+    /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
+fi
+rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
 
 %post daemon-config-nwfilter
 for datadir_file in %{_datadir}/libvirt/nwfilter/*.xml; do
@@ -1581,12 +1484,15 @@ for datadir_file in %{_datadir}/libvirt/nwfilter/*.xml; do
   fi
 done
 # Make sure libvirt picks up the new nwfilter defininitons
-%libvirt_daemon_schedule_restart libvirtd
-%libvirt_daemon_schedule_restart virtnwfilterd
+mkdir -p %{_localstatedir}/lib/rpm-state/libvirt || :
+touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
 
 %posttrans daemon-config-nwfilter
-%libvirt_daemon_perform_restart libvirtd
-%libvirt_daemon_perform_restart virtnwfilterd
+if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
+    /bin/systemctl try-restart libvirtd.service >/dev/null 2>&1 || :
+fi
+rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
+
 
 %if %{with_qemu}
 %pre daemon-driver-qemu
@@ -1605,6 +1511,16 @@ fi
 exit 0
 %endif
 
+%preun client
+
+%systemd_preun libvirt-guests.service
+
+%post client
+%systemd_post libvirt-guests.service
+
+%postun client
+%systemd_postun libvirt-guests.service
+
 %if %{with_lxc}
 %pre login-shell
 getent group virtlogin >/dev/null || groupadd -r virtlogin
@@ -1640,7 +1556,6 @@ exit 0
 %{_unitdir}/virtlockd.service
 %{_unitdir}/virtlockd.socket
 %{_unitdir}/virtlockd-admin.socket
-%{_unitdir}/libvirt-guests.service
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/virtproxyd
 %config(noreplace) %{_sysconfdir}/sysconfig/virtlogd
@@ -1650,7 +1565,6 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/virtlogd.conf
 %config(noreplace) %{_sysconfdir}/libvirt/virtlockd.conf
 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
-%config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
 %config(noreplace) %{_prefix}/lib/sysctl.d/60-libvirtd.conf
 
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
@@ -1696,20 +1610,12 @@ exit 0
 %attr(0755, root, root) %{_sbindir}/virtproxyd
 %attr(0755, root, root) %{_sbindir}/virtlogd
 %attr(0755, root, root) %{_sbindir}/virtlockd
-%attr(0755, root, root) %{_libexecdir}/libvirt-guests.sh
 
-%{_mandir}/man1/virt-admin.1*
-%{_mandir}/man1/virt-host-validate.1*
 %{_mandir}/man8/libvirtd.8*
 %{_mandir}/man8/virtlogd.8*
 %{_mandir}/man8/virtlockd.8*
-%{_mandir}/man8/virtproxyd.8*
 %{_mandir}/man7/virkey*.7*
 
-%{_bindir}/virt-host-validate
-%{_bindir}/virt-admin
-%{_datadir}/bash-completion/completions/virt-admin
-
 %files daemon-config-network
 %dir %{_datadir}/libvirt/networks/
 %{_datadir}/libvirt/networks/default.xml
@@ -1732,7 +1638,6 @@ exit 0
 %{_unitdir}/virtinterfaced-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtinterfaced
 %{_libdir}/%{name}/connection-driver/libvirt_driver_interface.so
-%{_mandir}/man8/virtinterfaced.8*
 
 %files daemon-driver-network
 %config(noreplace) %{_sysconfdir}/sysconfig/virtnetworkd
@@ -1752,7 +1657,6 @@ exit 0
 %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/dnsmasq/
 %attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper
 %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
-%{_mandir}/man8/virtnetworkd.8*
 
 %if %{with_firewalld_zone}
 %{_prefix}/lib/firewalld/zones/libvirt.xml
@@ -1769,7 +1673,6 @@ exit 0
 %{_unitdir}/virtnodedevd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtnodedevd
 %{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so
-%{_mandir}/man8/virtnodedevd.8*
 
 %files daemon-driver-nwfilter
 %config(noreplace) %{_sysconfdir}/sysconfig/virtnwfilterd
@@ -1784,7 +1687,6 @@ exit 0
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
 %ghost %dir %{_rundir}/libvirt/network/
 %{_libdir}/%{name}/connection-driver/libvirt_driver_nwfilter.so
-%{_mandir}/man8/virtnwfilterd.8*
 
 %files daemon-driver-secret
 %config(noreplace) %{_sysconfdir}/sysconfig/virtsecretd
@@ -1797,7 +1699,6 @@ exit 0
 %{_unitdir}/virtsecretd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so
-%{_mandir}/man8/virtsecretd.8*
 
 %files daemon-driver-storage
 
@@ -1815,7 +1716,6 @@ exit 0
 %{_libdir}/%{name}/connection-driver/libvirt_driver_storage.so
 %{_libdir}/%{name}/storage-backend/libvirt_storage_backend_fs.so
 %{_libdir}/%{name}/storage-file/libvirt_storage_file_fs.so
-%{_mandir}/man8/virtstoraged.8*
 
 %files daemon-driver-storage-disk
 %{_libdir}/%{name}/storage-backend/libvirt_storage_backend_disk.so
@@ -1884,7 +1784,6 @@ exit 0
 %dir %attr(0730, tss, tss) %{_localstatedir}/log/swtpm/libvirt/qemu/
 %{_bindir}/virt-qemu-run
 %{_mandir}/man1/virt-qemu-run.1*
-%{_mandir}/man8/virtqemud.8*
 %endif
 
 %if %{with_lxc}
@@ -1907,7 +1806,6 @@ exit 0
 %{_datadir}/augeas/lenses/tests/test_libvirtd_lxc.aug
 %attr(0755, root, root) %{_libexecdir}/libvirt_lxc
 %{_libdir}/%{name}/connection-driver/libvirt_driver_lxc.so
-%{_mandir}/man8/virtlxcd.8*
 %endif
 
 %if %{with_libxl}
@@ -1930,7 +1828,6 @@ exit 0
 %ghost %dir %{_rundir}/libvirt/libxl/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/libxl/
 %{_libdir}/%{name}/connection-driver/libvirt_driver_libxl.so
-%{_mandir}/man8/virtxend.8*
 %endif
 
 %if %{with_vbox}
@@ -1945,7 +1842,6 @@ exit 0
 %{_unitdir}/virtvboxd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtvboxd
 %{_libdir}/%{name}/connection-driver/libvirt_driver_vbox.so
-%{_mandir}/man8/virtvboxd.8*
 %endif
 
 %if %{with_qemu_tcg}
@@ -1989,12 +1885,25 @@ exit 0
 %{_mandir}/man1/virsh.1*
 %{_mandir}/man1/virt-xml-validate.1*
 %{_mandir}/man1/virt-pki-validate.1*
+%{_mandir}/man1/virt-host-validate.1*
 %{_bindir}/virsh
 %{_bindir}/virt-xml-validate
 %{_bindir}/virt-pki-validate
+%{_bindir}/virt-host-validate
+
+%{_datadir}/systemtap/tapset/libvirt_probes*.stp
+%{_datadir}/systemtap/tapset/libvirt_functions.stp
+%if %{with_qemu}
+%{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
+%endif
 
 %{_datadir}/bash-completion/completions/virsh
 
+
+%{_unitdir}/libvirt-guests.service
+%config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
+%attr(0755, root, root) %{_libexecdir}/libvirt-guests.sh
+
 %files libs -f %{name}.lang
 %license COPYING COPYING.LESSER
 %config(noreplace) %{_sysconfdir}/libvirt/libvirt.conf
@@ -2007,18 +1916,20 @@ exit 0
 %dir %{_datadir}/libvirt/schemas/
 %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
 
-%{_datadir}/systemtap/tapset/libvirt_probes*.stp
-%{_datadir}/systemtap/tapset/libvirt_functions.stp
-%if %{with_qemu}
-%{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
-%endif
-
 %{_datadir}/libvirt/schemas/*.rng
 
 %{_datadir}/libvirt/cpu_map/*.xml
 
 %{_datadir}/libvirt/test-screenshot.png
 
+%files admin
+%{_mandir}/man1/virt-admin.1*
+%{_bindir}/virt-admin
+%{_datadir}/bash-completion/completions/virt-admin
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/vsh
+
 %if %{with_wireshark}
 %files wireshark
 %{wireshark_plugindir}/libvirt.so
@@ -2073,49 +1984,21 @@ exit 0
 
 
 %changelog
-* Thu Dec 16 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.6.0-5
-- Fix mistakes in post scripts causing uninstall errors
+* Mon Dec 13 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.0.0-8
+- Rebuild for changed wireshark soname (rhbz#2031322)
 
-* Mon Dec 13 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.6.0-4
-- Rebuild for changed wireshark soname (rhbz#2031316)
+* Tue Jul 27 2021 Cole Robinson <crobinso@redhat.com> - 7.0.0-7
+- More CAP_SETPCAP warning fixes (bz #1924218)
+- Handle unknown firmware.json errors
+- CVE-2021-3667: Fix deadlock on virStoragePoolLookupByTargetPath failure
+  (bz #1986113)
 
-* Wed Sep  8 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.6.0-3
-- Fix bad post transaction script tag
-- Fix deps on virtlockd/virtlogd socket units (rhbz#2002279)
+* Fri Jul 02 2021 Cole Robinson <crobinso@redhat.com> - 7.0.0-6
+- CVE-2021-3631 libvirt: insecure sVirt label generation (bz #1977760)
 
-* Wed Aug  4 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.6.0-2
-- Switch to use modular daemons by default
-
-* Mon Aug  2 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.6.0-1
-- Update to 7.6.0 release
-
-* Wed Jul 28 2021 Richard W.M. Jones <rjones@redhat.com> - 7.5.0-3
-- Add fix for discard + copy-on-read affecting virt-v2v (RHBZ#1986509)
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Thu Jul 01 2021 Cole Robinson <crobinso@redhat.com> - 7.5.0-1
-- Update to version 7.5.0
-
-* Mon Jun 07 2021 Cole Robinson <crobinso@redhat.com> - 7.4.0-2
-- Rebuild for xen 4.14
-
-* Tue Jun 01 2021 Cole Robinson <crobinso@redhat.com> - 7.4.0-1
-- Update to version 7.4.0
-
-* Tue May  4 2021 Daniel P. Berrangé <berrange@redhat.com> - 7.3.0-1
-- Update to 7.3.0 release
-- Remove libvirt-admin & libvirt-bash-completion subpackages
-
-* Mon Apr 05 2021 Cole Robinson <crobinso@redhat.com> - 7.2.0-1
-- Update to version 7.2.0
-
-* Tue Mar  9 2021 Richard W.M. Jones <rjones@redhat.com> - 7.1.0-2
-- Bump and rebuild for libwsman_client.so.4 -> .5
-
-* Mon Mar 01 2021 Cole Robinson <crobinso@redhat.com> - 7.1.0-1
-- Update to version 7.1.0
+* Tue Jun 29 2021 Cole Robinson <crobinso@redhat.com> - 7.0.0-5
+- Crash in udev driver populate_vendor (bz #1966851)
+- Fix CAP_SETPCAP syslog warning (bz #1924218)
 
 * Wed Feb 03 2021 Cole Robinson <aintdiscole@gmail.com> - 7.0.0-4
 - Increase meson test timeout to fix builds on s390x copr

sources

@@ -1 +1 @@
-SHA512 (libvirt-7.6.0.tar.xz) = bad6cc02af071ca909bbbe3c07165e91cad863c9a759b26d9cff6aed6ea5643bc723d2f3c61ad41436dffd4fd50389333d74b131e37eaa54a5071a3ae26df627
+SHA512 (libvirt-7.0.0.tar.xz) = dd6db5ec4971cf4c6059795fd81d5a3a889b10740e34c3c92271eda1c683c99df2c8f923398065d8a7c4f987a20eb1da617d5297ba8ea5a31f154412af50c343