Fix qemu:///session connect race failures (bz #1271183)

driver: log missing modules as INFO, not WARN (bz #1274849)

.cvsignore

@@ -1,14 +0,0 @@
-.build*.log
-*.rpm
-i686
-x86_64
-libvirt-*.tar.gz
-libvirt-0.6.0.tar.gz
-libvirt-0.6.1.tar.gz
-libvirt-0.6.2.tar.gz
-libvirt-0.6.3.tar.gz
-libvirt-0.6.4.tar.gz
-libvirt-0.6.5.tar.gz
-libvirt-0.7.0-0.1.gitf055724.tar.gz
-libvirt-0.7.0-0.6.gite195b43.tar.gz
-libvirt-0.7.0.tar.gz

.gitignore

@@ -0,0 +1,5 @@
+.build*.log
+*.rpm
+i686
+x86_64
+libvirt-*.tar.gz

0001-schema-interleave-domain-name-and-uuid-with-other-el.patch

@@ -0,0 +1,38 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Thu, 17 Dec 2015 13:43:58 +0100
+Subject: [PATCH] schema: interleave domain name and uuid with other elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allow <name> and <uuid> anywhere under <domain>, not just at the top:
+
+error:XML document failed to validate against schema: Unable to validate
+doc against /usr/share/libvirt/schemas/domain.rng
+Expecting an element name, got nothing
+Invalid sequence in interleave
+Element domain failed to validate content
+
+Introduced with the first RelaxNG schema in commit c642103.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1292131
+(cherry picked from commit b4e0549febe416ffefc16f389423740d6d65fa74)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ docs/schemas/domaincommon.rng | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
+index b252a17..48610ce 100644
+--- a/docs/schemas/domaincommon.rng
++++ b/docs/schemas/domaincommon.rng
+@@ -30,8 +30,8 @@
+   <define name="domain">
+     <element name="domain">
+       <ref name="hvs"/>
+-      <ref name="ids"/>
+       <interleave>
++        <ref name="ids"/>
+         <optional>
+           <ref name="title"/>
+         </optional>

0002-leaseshelper-fix-crash-when-no-mac-is-specified.patch

@@ -0,0 +1,32 @@
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Thu, 14 Jan 2016 14:31:17 +0100
+Subject: [PATCH] leaseshelper: fix crash when no mac is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If dnsmasq specified DNSMASQ_IAID (so we're dealing with an IPv6
+lease) but no DNSMASQ_MAC, we skip creation of the new lease object.
+
+Also skip adding it to the leases array.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1202350
+(cherry picked from commit df9fe124d650bc438c531673492569da87523d20)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/network/leaseshelper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/leaseshelper.c b/src/network/leaseshelper.c
+index 2d528f7..6930310 100644
+--- a/src/network/leaseshelper.c
++++ b/src/network/leaseshelper.c
+@@ -439,7 +439,7 @@ main(int argc, char **argv)
+ 
+     case VIR_LEASE_ACTION_OLD:
+     case VIR_LEASE_ACTION_ADD:
+-        if (virJSONValueArrayAppend(leases_array_new, lease_new) < 0) {
++        if (lease_new && virJSONValueArrayAppend(leases_array_new, lease_new) < 0) {
+             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                            _("failed to create json"));
+             goto cleanup;

0003-build-predictably-generate-systemtap-tapsets-bz-1173.patch

@@ -0,0 +1,63 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Tue, 19 Jan 2016 22:19:56 -0500
+Subject: [PATCH] build: predictably generate systemtap tapsets (bz 1173641)
+
+The generated output is dependent on perl hashtable ordering, which
+gives different results for i686 and x86_64. Fix this by sorting
+the hash keys before iterating over them
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1173641
+(cherry picked from commit a1edb05c6028470aa24b74aa0f8d5fb5a181128a)
+---
+ src/rpc/gensystemtap.pl | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/rpc/gensystemtap.pl b/src/rpc/gensystemtap.pl
+index 2467300..7b80fbf 100755
+--- a/src/rpc/gensystemtap.pl
++++ b/src/rpc/gensystemtap.pl
+@@ -72,7 +72,7 @@ function libvirt_rpc_auth_name(type, verbose)
+ {
+ EOF
+ my $first = 1;
+-foreach my $type (keys %auth) {
++foreach my $type (sort(keys %auth)) {
+     my $cond = $first ? "if" : "} else if";
+     $first = 0;
+     print "  $cond (type == ", $type, ") {\n";
+@@ -95,7 +95,7 @@ function libvirt_rpc_type_name(type, verbose)
+ {
+ EOF
+ $first = 1;
+-foreach my $type (keys %type) {
++foreach my $type (sort(keys %type)) {
+     my $cond = $first ? "if" : "} else if";
+     $first = 0;
+     print "  $cond (type == ", $type, ") {\n";
+@@ -118,7 +118,7 @@ function libvirt_rpc_status_name(status, verbose)
+ {
+ EOF
+ $first = 1;
+-foreach my $status (keys %status) {
++foreach my $status (sort(keys %status)) {
+     my $cond = $first ? "if" : "} else if";
+     $first = 0;
+     print "  $cond (status == ", $status, ") {\n";
+@@ -141,7 +141,7 @@ function libvirt_rpc_program_name(program, verbose)
+ {
+ EOF
+ $first = 1;
+-foreach my $prog (keys %funcs) {
++foreach my $prog (sort(keys %funcs)) {
+     my $cond = $first ? "if" : "} else if";
+     $first = 0;
+     print "  $cond (program == ", $funcs{$prog}->{id}, ") {\n";
+@@ -165,7 +165,7 @@ function libvirt_rpc_procedure_name(program, version, proc, verbose)
+ {
+ EOF
+ $first = 1;
+-foreach my $prog (keys %funcs) {
++foreach my $prog (sort(keys %funcs)) {
+     my $cond = $first ? "if" : "} else if";
+     $first = 0;
+     print "  $cond (program == ", $funcs{$prog}->{id}, " && version == ", $funcs{$prog}->{version}, ") {\n";

0004-rpc-ensure-daemon-is-spawn-even-if-dead-socket-exist.patch

@@ -0,0 +1,30 @@
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Fri, 3 Jul 2015 16:51:56 +0100
+Subject: [PATCH] rpc: ensure daemon is spawn even if dead socket exists
+
+The auto-spawn code would originally attempt to spawn the
+daemon for both ENOENT and ECONNREFUSED errors from connect().
+The various refactorings eventually lost this so we only
+spawn the daemon on ENOENT. The result is if the daemon exits
+uncleanly, so that the socket is left in the filesystem, we
+will never be able to auto-spawn the daemon again.
+
+(cherry picked from commit 406ee8c226d2197ba1aaecb9cf3ad2b6df31ae44)
+---
+ src/rpc/virnetsocket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 51f94d4..6153e0e 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -610,7 +610,8 @@ int virNetSocketNewConnectUNIX(const char *path,
+ 
+     while (retries &&
+            connect(fd, &remoteAddr.data.sa, remoteAddr.len) < 0) {
+-        if (!(spawnDaemon && errno == ENOENT)) {
++        if (!(spawnDaemon && (errno == ENOENT ||
++                              errno == ECONNREFUSED))) {
+             virReportSystemError(errno, _("Failed to connect socket to '%s'"),
+                                  path);
+             goto cleanup;

0005-rpc-socket-Minor-cleanups.patch

@@ -0,0 +1,48 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 11 Jan 2016 20:01:24 -0500
+Subject: [PATCH] rpc: socket: Minor cleanups
+
+- Add some debugging
+- Make the loop dependent only on retries
+- Make it explicit that connect(2) success exits the loop
+- Invert the error checking logic
+
+(cherry picked from commit f102c7146ed7f6e04af0ad3bce302476239f2502)
+---
+ src/rpc/virnetsocket.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 6153e0e..dcff69e 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -548,6 +548,9 @@ int virNetSocketNewConnectUNIX(const char *path,
+     char *rundir = NULL;
+     int ret = -1;
+ 
++    VIR_DEBUG("path=%s spawnDaemon=%d binary=%s", path, spawnDaemon,
++        NULLSTR(binary));
++
+     memset(&localAddr, 0, sizeof(localAddr));
+     memset(&remoteAddr, 0, sizeof(remoteAddr));
+ 
+@@ -608,10 +611,15 @@ int virNetSocketNewConnectUNIX(const char *path,
+     if (remoteAddr.data.un.sun_path[0] == '@')
+         remoteAddr.data.un.sun_path[0] = '\0';
+ 
+-    while (retries &&
+-           connect(fd, &remoteAddr.data.sa, remoteAddr.len) < 0) {
+-        if (!(spawnDaemon && (errno == ENOENT ||
+-                              errno == ECONNREFUSED))) {
++    while (retries) {
++        if (connect(fd, &remoteAddr.data.sa, remoteAddr.len) == 0) {
++            VIR_DEBUG("connect() succeeded");
++            break;
++        }
++        VIR_DEBUG("connect() failed: retries=%d errno=%d", retries, errno);
++
++        if (!spawnDaemon ||
++            (errno != ENOENT && errno != ECONNREFUSED)) {
+             virReportSystemError(errno, _("Failed to connect socket to '%s'"),
+                                  path);
+             goto cleanup;

0006-rpc-socket-Explicitly-error-if-we-exceed-retry-count.patch

@@ -0,0 +1,40 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 11 Jan 2016 20:08:45 -0500
+Subject: [PATCH] rpc: socket: Explicitly error if we exceed retry count
+
+When we autolaunch libvirtd for session URIs, we spin in a retry
+loop waiting for the daemon to start and the connect(2) to succeed.
+
+However if we exceed the retry count, we don't explicitly raise an
+error, which can yield a slew of different error messages elsewhere
+in the code.
+
+Explicitly raise the last connect(2) failure if we run out of retries.
+
+(cherry picked from commit 8da02d528068942303923fc4f935e77cccac9c7c)
+---
+ src/rpc/virnetsocket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index dcff69e..90951be 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -618,7 +618,9 @@ int virNetSocketNewConnectUNIX(const char *path,
+         }
+         VIR_DEBUG("connect() failed: retries=%d errno=%d", retries, errno);
+ 
++        retries--;
+         if (!spawnDaemon ||
++            retries == 0 ||
+             (errno != ENOENT && errno != ECONNREFUSED)) {
+             virReportSystemError(errno, _("Failed to connect socket to '%s'"),
+                                  path);
+@@ -628,7 +630,6 @@ int virNetSocketNewConnectUNIX(const char *path,
+         if (virNetSocketForkDaemon(binary) < 0)
+             goto cleanup;
+ 
+-        retries--;
+         usleep(5000);
+     }
+ 

0007-rpc-socket-Don-t-repeatedly-attempt-to-launch-daemon.patch

@@ -0,0 +1,43 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 11 Jan 2016 20:13:38 -0500
+Subject: [PATCH] rpc: socket: Don't repeatedly attempt to launch daemon
+
+On every socket connect(2) attempt we were re-launching session
+libvirtd, up to 100 times in 5 seconds.
+
+This understandably caused some weird load races and intermittent
+qemu:///session startup failures
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1271183
+(cherry picked from commit 2eb7a975756d05a5b54ab4acf60083beb6161ac6)
+---
+ src/rpc/virnetsocket.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 90951be..2ee4b6e 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -547,6 +547,7 @@ int virNetSocketNewConnectUNIX(const char *path,
+     virSocketAddr remoteAddr;
+     char *rundir = NULL;
+     int ret = -1;
++    bool daemonLaunched = false;
+ 
+     VIR_DEBUG("path=%s spawnDaemon=%d binary=%s", path, spawnDaemon,
+         NULLSTR(binary));
+@@ -627,8 +628,12 @@ int virNetSocketNewConnectUNIX(const char *path,
+             goto cleanup;
+         }
+ 
+-        if (virNetSocketForkDaemon(binary) < 0)
+-            goto cleanup;
++        if (!daemonLaunched) {
++            if (virNetSocketForkDaemon(binary) < 0)
++                goto cleanup;
++
++            daemonLaunched = true;
++        }
+ 
+         usleep(5000);
+     }

0008-security-Do-not-restore-kernel-and-initrd-labels.patch

@@ -0,0 +1,57 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 15 Jan 2016 10:55:58 +0100
+Subject: [PATCH] security: Do not restore kernel and initrd labels
+
+Kernel/initrd files are essentially read-only shareable images and thus
+should be handled in the same way. We already use the appropriate label
+for kernel/initrd files when starting a domain, but when a domain gets
+destroyed we would remove the labels which would make other running
+domains using the same files very unhappy.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=921135
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 68acc701bd449481e3206723c25b18fcd3d261b7)
+---
+ src/security/security_dac.c     | 8 --------
+ src/security/security_selinux.c | 8 --------
+ 2 files changed, 16 deletions(-)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index deb6980..d01215f 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -971,14 +971,6 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
+         virSecurityDACRestoreSecurityFileLabel(def->os.loader->nvram) < 0)
+         rc = -1;
+ 
+-    if (def->os.kernel &&
+-        virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
+-        rc = -1;
+-
+-    if (def->os.initrd &&
+-        virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
+-        rc = -1;
+-
+     if (def->os.dtb &&
+         virSecurityDACRestoreSecurityFileLabel(def->os.dtb) < 0)
+         rc = -1;
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 6e67a86..2475a80 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -1953,14 +1953,6 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
+         virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.loader->nvram) < 0)
+         rc = -1;
+ 
+-    if (def->os.kernel &&
+-        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.kernel) < 0)
+-        rc = -1;
+-
+-    if (def->os.initrd &&
+-        virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.initrd) < 0)
+-        rc = -1;
+-
+     if (def->os.dtb &&
+         virSecuritySELinuxRestoreSecurityFileLabel(mgr, def->os.dtb) < 0)
+         rc = -1;

0009-rpc-wait-longer-for-session-daemon-to-start-up.patch

@@ -0,0 +1,37 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Tue, 15 Mar 2016 17:04:32 -0400
+Subject: [PATCH] rpc: wait longer for session daemon to start up
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1271183
+
+We only wait 0.5 seconds for the session daemon to start up and present
+its socket, which isn't sufficient for many users. Bump up the sleep
+interval and retry amount so we wait for a total of 5.0 seconds.
+
+(cherry picked from commit ca0c06f4008154de55e0b3109885facd0bf02d32)
+---
+ src/rpc/virnetsocket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index 2ee4b6e..275f1f5 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -542,7 +542,7 @@ int virNetSocketNewConnectUNIX(const char *path,
+     char *lockpath = NULL;
+     int lockfd = -1;
+     int fd = -1;
+-    int retries = 100;
++    int retries = 500;
+     virSocketAddr localAddr;
+     virSocketAddr remoteAddr;
+     char *rundir = NULL;
+@@ -635,7 +635,7 @@ int virNetSocketNewConnectUNIX(const char *path,
+             daemonLaunched = true;
+         }
+ 
+-        usleep(5000);
++        usleep(10000);
+     }
+ 
+     localAddr.len = sizeof(localAddr.data);

0010-driver-log-missing-modules-as-INFO-not-WARN.patch

@@ -0,0 +1,27 @@
+From: Jovanka Gulicoska <jovanka.gulicoska@gmail.com>
+Date: Thu, 17 Mar 2016 20:02:20 +0100
+Subject: [PATCH] driver: log missing modules as INFO, not WARN
+
+Missing modules is a common expected scenario for most libvirt usage on
+RPM distributions like Fedora, so it doesn't really warrant logging at
+WARN level. Use INFO instead
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1274849
+(cherry picked from commit 9a0c7f5f834185db9017c34aabc03ad99cf37bed)
+---
+ src/driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/driver.c b/src/driver.c
+index db03438..f926fe4 100644
+--- a/src/driver.c
++++ b/src/driver.c
+@@ -62,7 +62,7 @@ virDriverLoadModule(const char *name)
+         return NULL;
+ 
+     if (access(modfile, R_OK) < 0) {
+-        VIR_WARN("Module %s not accessible", modfile);
++        VIR_INFO("Module %s not accessible", modfile);
+         goto cleanup;
+     }
+ 

0011-polkit-Allow-password-less-access-for-libvirt-group.patch

@@ -0,0 +1,126 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Tue, 28 Apr 2015 17:38:00 -0400
+Subject: [PATCH] polkit: Allow password-less access for 'libvirt' group
+
+Many users, who admin their own machines, want to be able to access
+system libvirtd via tools like virt-manager without having to enter
+a root password. Just google 'virt-manager without password' and
+you'll find many hits. I've read at least 5 blog posts over the years
+describing slightly different ways of achieving this goal.
+
+Let's finally add official support for this.
+
+Install a polkit-1 rules file granting password-less auth for any user
+in the new 'libvirt' group. Create the group on RPM install
+
+https://bugzilla.redhat.com/show_bug.cgi?id=957300
+(cherry picked from commit e94979e901517af9fdde358d7b7c92cc055dd50c)
+---
+ daemon/Makefile.am   | 13 +++++++++++++
+ daemon/libvirt.rules |  9 +++++++++
+ libvirt.spec.in      | 15 +++++++++++++--
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 daemon/libvirt.rules
+
+diff --git a/daemon/Makefile.am b/daemon/Makefile.am
+index b95a79d..9c5ea37 100644
+--- a/daemon/Makefile.am
++++ b/daemon/Makefile.am
+@@ -53,6 +53,7 @@ EXTRA_DIST =						\
+ 	libvirtd.init.in				\
+ 	libvirtd.upstart				\
+ 	libvirtd.policy.in				\
++	libvirt.rules					\
+ 	libvirtd.sasl					\
+ 	libvirtd.service.in				\
+ 	libvirtd.socket.in				\
+@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
+ else ! WITH_POLKIT0
+ policydir = $(datadir)/polkit-1/actions
+ policyauth = auth_admin_keep
++rulesdir = $(datadir)/polkit-1/rules.d
++rulesfile = libvirt.rules
+ endif ! WITH_POLKIT0
+ endif WITH_POLKIT
+ 
+@@ -263,9 +266,19 @@ if WITH_POLKIT
+ install-data-polkit::
+ 	$(MKDIR_P) $(DESTDIR)$(policydir)
+ 	$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
++if ! WITH_POLKIT0
++	$(MKDIR_P) $(DESTDIR)$(rulesdir)
++	$(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
++endif ! WITH_POLKIT0
++
+ uninstall-data-polkit::
+ 	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+ 	rmdir $(DESTDIR)$(policydir) || :
++if ! WITH_POLKIT0
++	rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
++	rmdir $(DESTDIR)$(rulesdir) || :
++endif ! WITH_POLKIT0
++
+ else ! WITH_POLKIT
+ install-data-polkit::
+ uninstall-data-polkit::
+diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
+new file mode 100644
+index 0000000..01a15fa
+--- /dev/null
++++ b/daemon/libvirt.rules
+@@ -0,0 +1,9 @@
++// Allow any user in the 'libvirt' group to connect to system libvirtd
++// without entering a password.
++
++polkit.addRule(function(action, subject) {
++    if (action.id == "org.libvirt.unix.manage" &&
++        subject.isInGroup("libvirt")) {
++        return polkit.Result.YES;
++    }
++});
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index dc327a2..a23629d 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -1631,9 +1631,9 @@ then
+ fi
+ 
+ %if %{with_libvirtd}
++%pre daemon
+     %if ! %{with_driver_modules}
+         %if %{with_qemu}
+-%pre daemon
+             %if 0%{?fedora} || 0%{?rhel} >= 6
+ # We want soft static allocation of well-known ids, as disk images
+ # are commonly shared across NFS mounts by id rather than name; see
+@@ -1647,11 +1647,21 @@ if ! getent passwd qemu >/dev/null; then
+     useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
+   fi
+ fi
+-exit 0
+             %endif
+         %endif
+     %endif
+ 
++    %if %{with_polkit}
++        %if 0%{?fedora} || 0%{?rhel} >= 6
++# 'libvirt' group is just to allow password-less polkit access to
++# libvirtd. The uid number is irrelevant, so we use dynamic allocation
++# described at the above link.
++getent group libvirt >/dev/null || groupadd -r libvirt
++        %endif
++    %endif
++
++exit 0
++
+ %post daemon
+ 
+     %if %{with_systemd}
+@@ -1925,6 +1935,7 @@ exit 0
+         %if 0%{?fedora} || 0%{?rhel} >= 6
+ %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
+ %{_datadir}/polkit-1/actions/org.libvirt.api.policy
++%{_datadir}/polkit-1/rules.d/50-libvirt.rules
+         %else
+ %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
+         %endif

Makefile

@@ -4,7 +4,7 @@ NAME := libvirt
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

libvirt-0.6.4-svirt-sound.patch

@@ -1,33 +0,0 @@
---- src/qemu_conf.c.orig	2009-05-29 19:24:59.000000000 +0200
-+++ src/qemu_conf.c	2009-05-29 19:19:39.000000000 +0200
-@@ -792,6 +792,20 @@ int qemudBuildCommandLine(virConnectPtr 
-     char uuid[VIR_UUID_STRING_BUFLEN];
-     char domid[50];
-     const char *cpu = NULL;
-+    int skipSound = 0;
-+
-+    if (driver->securityDriver &&
-+        driver->securityDriver->name &&
-+        STREQ(driver->securityDriver->name, "selinux") &&
-+        getuid() == 0) {
-+        static int soundWarned = 0; 
-+        skipSound = 1;
-+        if (def->nsounds &&
-+            !soundWarned) {
-+            soundWarned = 1;
-+            VIR_WARN0("Sound cards for VMs are disabled while SELinux security model is active");
-+        }
-+    }
- 
-     uname_normalize(&ut);
- 
-@@ -1429,7 +1443,8 @@ int qemudBuildCommandLine(virConnectPtr 
-     }
- 
-     /* Add sound hardware */
--    if (def->nsounds) {
-+    if (def->nsounds &&
-+        !skipSound) {
-         int size = 100;
-         char *modstr;
-         if (VIR_ALLOC_N(modstr, size+1) < 0)

libvirt-0.7.0-chown-kernel-initrd-before-spawning-qemu.patch

@@ -1,73 +0,0 @@
-From: Mark McLoughlin <markmc@redhat.com>
-Subject: [PATCH] chown kernel/initrd before spawning qemu
-
-If we're running qemu unprivileged, we need to chown any supplied kernel
-or initrd before spawning it.
-
-* src/qemu_driver.c: rename qemuDomainSetDiskOwnership() to
-  qemuDomainSetFileOwnership(), pass it a path string instead of a disk
-  definition and use it for chowning the kernel/initrd in
-  qemuDomainSetAllDeviceOwnership()
----
- src/qemu_driver.c |   20 ++++++++++++--------
- 1 files changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/src/qemu_driver.c b/src/qemu_driver.c
-index 412b68d..bd58435 100644
---- a/src/qemu_driver.c
-+++ b/src/qemu_driver.c
-@@ -1684,18 +1684,18 @@ static int qemuDomainSetHostdevOwnership(virConnectPtr conn,
- 
- }
- 
--static int qemuDomainSetDiskOwnership(virConnectPtr conn,
--                                      virDomainDiskDefPtr def,
-+static int qemuDomainSetFileOwnership(virConnectPtr conn,
-+                                      const char *path,
-                                       uid_t uid, gid_t gid)
- {
- 
--    if (!def->src)
-+    if (!path)
-         return 0;
- 
--    VIR_DEBUG("Setting ownership on %s to %d:%d", def->src, uid, gid);
--    if (chown(def->src, uid, gid) < 0) {
-+    VIR_DEBUG("Setting ownership on %s to %d:%d", path, uid, gid);
-+    if (chown(path, uid, gid) < 0) {
-         virReportSystemError(conn, errno, _("cannot set ownership on %s"),
--                             def->src);
-+                             path);
-         return -1;
-     }
-     return 0;
-@@ -1725,7 +1725,7 @@ static int qemuDomainSetDeviceOwnership(virConnectPtr conn,
-             (def->data.disk->readonly || def->data.disk->shared))
-             return 0;
- 
--        return qemuDomainSetDiskOwnership(conn, def->data.disk, uid, gid);
-+        return qemuDomainSetFileOwnership(conn, def->data.disk->src, uid, gid);
- 
-     case VIR_DOMAIN_DEVICE_HOSTDEV:
-         return qemuDomainSetHostdevOwnership(conn, def->data.hostdev, uid, gid);
-@@ -1753,12 +1753,16 @@ static int qemuDomainSetAllDeviceOwnership(virConnectPtr conn,
-     uid = restore ? 0 : driver->user;
-     gid = restore ? 0 : driver->group;
- 
-+    if (qemuDomainSetFileOwnership(conn, def->os.kernel, uid, gid) < 0 ||
-+        qemuDomainSetFileOwnership(conn, def->os.initrd, uid, gid) < 0)
-+        return -1;
-+
-     for (i = 0 ; i < def->ndisks ; i++) {
-         if (restore &&
-             (def->disks[i]->readonly || def->disks[i]->shared))
-             continue;
- 
--        if (qemuDomainSetDiskOwnership(conn, def->disks[i], uid, gid) < 0)
-+        if (qemuDomainSetFileOwnership(conn, def->disks[i]->src, uid, gid) < 0)
-             return -1;
-     }
- 
--- 
-1.6.2.5
-

libvirt-0.7.0-handle-kernels-with-no-ipv6-support.patch

@@ -1,39 +0,0 @@
-From: Mark McLoughlin <markmc@redhat.com>
-Subject: [PATCH] Handle kernels with no ipv6 support
-
-If the ipv6 kernel module is not loaded, then we get this when starting
-a virtual network:
-
-  libvir: Network Config error :
-  cannot enable /proc/sys/net/ipv6/conf/virbr0/disable_ipv6:
-  No such file or directory
-
-If disable_ipv6 is not present, we should just merrily continue on our
-way.
-
-* src/network_driver.c: make networkDisableIPV6() not fail if the kernel
-  has no ipv6 support
----
- src/network_driver.c |    6 ++++++
- 1 files changed, 6 insertions(+), 0 deletions(-)
-
-diff --git a/src/network_driver.c b/src/network_driver.c
-index eaea454..84910ab 100644
---- a/src/network_driver.c
-+++ b/src/network_driver.c
-@@ -801,6 +801,12 @@ static int networkDisableIPV6(virConnectPtr conn,
-         goto cleanup;
-     }
- 
-+    if (access(field, W_OK) < 0 && errno == ENOENT) {
-+        VIR_DEBUG("ipv6 appears to already be disabled on %s", network->def->bridge);
-+        ret = 0;
-+        goto cleanup;
-+    }
-+
-     if (virFileWriteStr(field, "1") < 0) {
-         virReportSystemError(conn, errno,
-                              _("cannot enable %s"), field);
--- 
-1.6.2.5
-

libvirt-0.7.0-numa-ignore-fail.patch

@@ -1,85 +0,0 @@
-commit 19bac57b26c2d46ac8a7601158f210f34acdceac
-Author: Daniel P. Berrange <berrange@redhat.com>
-Date:   Thu Aug 13 11:56:31 2009 +0100
-
-    Make LXC / UML drivers robust against NUMA topology brokenness
-    
-    Some kernel versions expose broken NUMA topology for some machines.
-    This causes the LXC/UML drivers to fail to start. QEMU driver was
-    already fixed for this problem
-    
-    * src/lxc_conf.c: Log and ignore failure to populate NUMA info
-    * src/uml_conf.c: Log and ignore failure to populate NUMA info
-    * src/capabilities.c: Reset nnumaCell to 0 after freeing
-
-diff --git a/src/capabilities.c b/src/capabilities.c
-index c6766b6..193a9fe 100644
---- a/src/capabilities.c
-+++ b/src/capabilities.c
-@@ -139,6 +139,7 @@ virCapabilitiesFreeNUMAInfo(virCapsPtr caps)
-     for (i = 0 ; i < caps->host.nnumaCell ; i++)
-         virCapabilitiesFreeHostNUMACell(caps->host.numaCell[i]);
-     VIR_FREE(caps->host.numaCell);
-+    caps->host.nnumaCell = 0;
- }
- 
- /**
-diff --git a/src/lxc_conf.c b/src/lxc_conf.c
-index d06a024..fef60ba 100644
---- a/src/lxc_conf.c
-+++ b/src/lxc_conf.c
-@@ -30,6 +30,8 @@
- #include "lxc_conf.h"
- #include "nodeinfo.h"
- #include "virterror_internal.h"
-+#include "logging.h"
-+
- 
- #define VIR_FROM_THIS VIR_FROM_LXC
- 
-@@ -46,8 +48,14 @@ virCapsPtr lxcCapsInit(void)
-                                    0, 0)) == NULL)
-         goto no_memory;
- 
--    if (nodeCapsInitNUMA(caps) < 0)
--        goto no_memory;
-+    /* Some machines have problematic NUMA toplogy causing
-+     * unexpected failures. We don't want to break the QEMU
-+     * driver in this scenario, so log errors & carry on
-+     */
-+    if (nodeCapsInitNUMA(caps) < 0) {
-+        virCapabilitiesFreeNUMAInfo(caps);
-+        VIR_WARN0("Failed to query host NUMA topology, disabling NUMA capabilities");
-+    }
- 
-     /* XXX shouldn't 'borrow' KVM's prefix */
-     virCapabilitiesSetMacPrefix(caps, (unsigned char []){ 0x52, 0x54, 0x00 });
-diff --git a/src/uml_conf.c b/src/uml_conf.c
-index 48e05a8..4f756d4 100644
---- a/src/uml_conf.c
-+++ b/src/uml_conf.c
-@@ -45,6 +45,7 @@
- #include "nodeinfo.h"
- #include "verify.h"
- #include "bridge.h"
-+#include "logging.h"
- 
- #define VIR_FROM_THIS VIR_FROM_UML
- 
-@@ -63,8 +64,14 @@ virCapsPtr umlCapsInit(void) {
-                                    0, 0)) == NULL)
-         goto no_memory;
- 
--    if (nodeCapsInitNUMA(caps) < 0)
--        goto no_memory;
-+    /* Some machines have problematic NUMA toplogy causing
-+     * unexpected failures. We don't want to break the QEMU
-+     * driver in this scenario, so log errors & carry on
-+     */
-+    if (nodeCapsInitNUMA(caps) < 0) {
-+        virCapabilitiesFreeNUMAInfo(caps);
-+        VIR_WARN0("Failed to query host NUMA topology, disabling NUMA capabilities");
-+    }
- 
-     if ((guest = virCapabilitiesAddGuest(caps,
-                                          "uml",

libvirt-0.7.0-policy-kit-rewrite.patch

@@ -1,469 +0,0 @@
-diff -rupN libvirt-0.7.0/configure.in libvirt-0.7.0.new/configure.in
---- libvirt-0.7.0/configure.in	2009-08-05 08:53:49.000000000 -0400
-+++ libvirt-0.7.0.new/configure.in	2009-08-13 08:37:22.393897620 -0400
-@@ -641,40 +641,61 @@ AC_SUBST([SASL_LIBS])
- dnl PolicyKit library
- POLKIT_CFLAGS=
- POLKIT_LIBS=
-+PKCHECK_PATH=
- AC_ARG_WITH([polkit],
-   [  --with-polkit         use PolicyKit for UNIX socket access checks],
-   [],
-   [with_polkit=check])
- 
-+with_polkit0=no
-+with_polkit1=no
- if test "x$with_polkit" = "xyes" -o "x$with_polkit" = "xcheck"; then
--  PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
--    [with_polkit=yes], [
--    if test "x$with_polkit" = "xcheck" ; then
--       with_polkit=no
--    else
--       AC_MSG_ERROR(
--         [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
--    fi
--  ])
--  if test "x$with_polkit" = "xyes" ; then
-+  dnl Check for new polkit first - just a binary
-+  AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
-+  if test "x$PKCHECK_PATH" != "x" ; then
-+    AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
-     AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
--      [use PolicyKit for UNIX socket access checks])
--
--    old_CFLAGS=$CFLAGS
--    old_LDFLAGS=$LDFLAGS
--    CFLAGS="$CFLAGS $POLKIT_CFLAGS"
--    LDFLAGS="$LDFLAGS $POLKIT_LIBS"
--    AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
--    CFLAGS="$old_CFLAGS"
--    LDFLAGS="$old_LDFLAGS"
--
--    AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
--    if test "x$POLKIT_AUTH" != "x"; then
--      AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
-+        [use PolicyKit for UNIX socket access checks])
-+    AC_DEFINE_UNQUOTED([HAVE_POLKIT1], 1,
-+        [use PolicyKit for UNIX socket access checks])
-+    with_polkit="yes"
-+    with_polkit1="yes"
-+  else
-+    dnl Check for old polkit second - library + binary
-+    PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
-+      [with_polkit=yes], [
-+      if test "x$with_polkit" = "xcheck" ; then
-+         with_polkit=no
-+      else
-+         AC_MSG_ERROR(
-+           [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
-+      fi
-+    ])
-+    if test "x$with_polkit" = "xyes" ; then
-+      AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
-+        [use PolicyKit for UNIX socket access checks])
-+      AC_DEFINE_UNQUOTED([HAVE_POLKIT0], 1,
-+        [use PolicyKit for UNIX socket access checks])
-+
-+      old_CFLAGS=$CFLAGS
-+      old_LDFLAGS=$LDFLAGS
-+      CFLAGS="$CFLAGS $POLKIT_CFLAGS"
-+      LDFLAGS="$LDFLAGS $POLKIT_LIBS"
-+      AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
-+      CFLAGS="$old_CFLAGS"
-+      LDFLAGS="$old_LDFLAGS"
-+
-+      AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
-+      if test "x$POLKIT_AUTH" != "x"; then
-+        AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
-+      fi
-+      with_polkit0="yes"
-     fi
-   fi
- fi
- AM_CONDITIONAL([HAVE_POLKIT], [test "x$with_polkit" = "xyes"])
-+AM_CONDITIONAL([HAVE_POLKIT0], [test "x$with_polkit0" = "xyes"])
-+AM_CONDITIONAL([HAVE_POLKIT1], [test "x$with_polkit1" = "xyes"])
- AC_SUBST([POLKIT_CFLAGS])
- AC_SUBST([POLKIT_LIBS])
- 
-@@ -1695,7 +1716,11 @@ else
- AC_MSG_NOTICE([   avahi: no])
- fi
- if test "$with_polkit" = "yes" ; then
--AC_MSG_NOTICE([  polkit: $POLKIT_CFLAGS $POLKIT_LIBS])
-+if test "$with_polkit0" = "yes" ; then
-+AC_MSG_NOTICE([  polkit: $POLKIT_CFLAGS $POLKIT_LIBS (version 0)])
-+else
-+AC_MSG_NOTICE([  polkit: $PKCHECK_PATH (version 1)])
-+fi
- else
- AC_MSG_NOTICE([  polkit: no])
- fi
-diff -rupN libvirt-0.7.0/qemud/libvirtd.policy libvirt-0.7.0.new/qemud/libvirtd.policy
---- libvirt-0.7.0/qemud/libvirtd.policy	2009-07-22 09:37:32.000000000 -0400
-+++ libvirt-0.7.0.new/qemud/libvirtd.policy	1969-12-31 19:00:00.000000000 -0500
-@@ -1,42 +0,0 @@
--<!DOCTYPE policyconfig PUBLIC
-- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
-- "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
--
--<!--
--Policy definitions for libvirt daemon
--
--Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
--
--libvirt is licensed to you under the GNU Lesser General Public License
--version 2. See COPYING for details.
--
--NOTE: If you make changes to this file, make sure to validate the file
--using the polkit-policy-file-validate(1) tool. Changes made to this
--file are instantly applied.
---->
--
--<policyconfig>
--    <action id="org.libvirt.unix.monitor">
--      <description>Monitor local virtualized systems</description>
--      <message>System policy prevents monitoring of local virtualized systems</message>
--      <defaults>
--        <!-- Any program can use libvirt in read-only mode for monitoring,
--             even if not part of a session -->
--        <allow_any>yes</allow_any>
--        <allow_inactive>yes</allow_inactive>
--        <allow_active>yes</allow_active>
--      </defaults>
--    </action>
--
--    <action id="org.libvirt.unix.manage">
--      <description>Manage local virtualized systems</description>
--      <message>System policy prevents management of local virtualized systems</message>
--      <defaults>
--        <!-- Only a program in the active host session can use libvirt in
--             read-write mode for management, and we require user password -->
--        <allow_any>no</allow_any>
--        <allow_inactive>no</allow_inactive>
--        <allow_active>auth_admin_keep_session</allow_active>
--      </defaults>
--    </action>
--</policyconfig>
-diff -rupN libvirt-0.7.0/qemud/libvirtd.policy-0 libvirt-0.7.0.new/qemud/libvirtd.policy-0
---- libvirt-0.7.0/qemud/libvirtd.policy-0	1969-12-31 19:00:00.000000000 -0500
-+++ libvirt-0.7.0.new/qemud/libvirtd.policy-0	2009-08-13 08:37:22.408883879 -0400
-@@ -0,0 +1,42 @@
-+<!DOCTYPE policyconfig PUBLIC
-+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
-+
-+<!--
-+Policy definitions for libvirt daemon
-+
-+Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
-+
-+libvirt is licensed to you under the GNU Lesser General Public License
-+version 2. See COPYING for details.
-+
-+NOTE: If you make changes to this file, make sure to validate the file
-+using the polkit-policy-file-validate(1) tool. Changes made to this
-+file are instantly applied.
-+-->
-+
-+<policyconfig>
-+    <action id="org.libvirt.unix.monitor">
-+      <description>Monitor local virtualized systems</description>
-+      <message>System policy prevents monitoring of local virtualized systems</message>
-+      <defaults>
-+        <!-- Any program can use libvirt in read-only mode for monitoring,
-+             even if not part of a session -->
-+        <allow_any>yes</allow_any>
-+        <allow_inactive>yes</allow_inactive>
-+        <allow_active>yes</allow_active>
-+      </defaults>
-+    </action>
-+
-+    <action id="org.libvirt.unix.manage">
-+      <description>Manage local virtualized systems</description>
-+      <message>System policy prevents management of local virtualized systems</message>
-+      <defaults>
-+        <!-- Only a program in the active host session can use libvirt in
-+             read-write mode for management, and we require user password -->
-+        <allow_any>no</allow_any>
-+        <allow_inactive>no</allow_inactive>
-+        <allow_active>auth_admin_keep_session</allow_active>
-+      </defaults>
-+    </action>
-+</policyconfig>
-diff -rupN libvirt-0.7.0/qemud/libvirtd.policy-1 libvirt-0.7.0.new/qemud/libvirtd.policy-1
---- libvirt-0.7.0/qemud/libvirtd.policy-1	1969-12-31 19:00:00.000000000 -0500
-+++ libvirt-0.7.0.new/qemud/libvirtd.policy-1	2009-08-13 08:37:22.412905763 -0400
-@@ -0,0 +1,42 @@
-+<!DOCTYPE policyconfig PUBLIC
-+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
-+
-+<!--
-+Policy definitions for libvirt daemon
-+
-+Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
-+
-+libvirt is licensed to you under the GNU Lesser General Public License
-+version 2. See COPYING for details.
-+
-+NOTE: If you make changes to this file, make sure to validate the file
-+using the polkit-policy-file-validate(1) tool. Changes made to this
-+file are instantly applied.
-+-->
-+
-+<policyconfig>
-+    <action id="org.libvirt.unix.monitor">
-+      <description>Monitor local virtualized systems</description>
-+      <message>System policy prevents monitoring of local virtualized systems</message>
-+      <defaults>
-+        <!-- Any program can use libvirt in read-only mode for monitoring,
-+             even if not part of a session -->
-+        <allow_any>yes</allow_any>
-+        <allow_inactive>yes</allow_inactive>
-+        <allow_active>yes</allow_active>
-+      </defaults>
-+    </action>
-+
-+    <action id="org.libvirt.unix.manage">
-+      <description>Manage local virtualized systems</description>
-+      <message>System policy prevents management of local virtualized systems</message>
-+      <defaults>
-+        <!-- Only a program in the active host session can use libvirt in
-+             read-write mode for management, and we require user password -->
-+        <allow_any>no</allow_any>
-+        <allow_inactive>no</allow_inactive>
-+        <allow_active>auth_admin_keep</allow_active>
-+      </defaults>
-+    </action>
-+</policyconfig>
-diff -rupN libvirt-0.7.0/qemud/Makefile.am libvirt-0.7.0.new/qemud/Makefile.am
---- libvirt-0.7.0/qemud/Makefile.am	2009-07-22 09:37:32.000000000 -0400
-+++ libvirt-0.7.0.new/qemud/Makefile.am	2009-08-13 08:37:22.398915449 -0400
-@@ -21,7 +21,8 @@ EXTRA_DIST =						\
- 	remote_protocol.x				\
- 	libvirtd.conf					\
- 	libvirtd.init.in				\
--	libvirtd.policy					\
-+	libvirtd.policy-0				\
-+	libvirtd.policy-1				\
- 	libvirtd.sasl					\
- 	libvirtd.sysconf				\
- 	libvirtd.aug                                    \
-@@ -147,7 +148,13 @@ endif
- libvirtd_LDADD += ../src/libvirt.la
- 
- if HAVE_POLKIT
-+if HAVE_POLKIT0
- policydir = $(datadir)/PolicyKit/policy
-+policyfile = libvirtd.policy-0
-+else
-+policydir = $(datadir)/polkit-1/actions
-+policyfile = libvirtd.policy-1
-+endif
- endif
- 
- if HAVE_AVAHI
-@@ -197,7 +204,7 @@ endif
- if HAVE_POLKIT
- install-data-polkit:: install-init
- 	mkdir -p $(DESTDIR)$(policydir)
--	$(INSTALL_DATA) $(srcdir)/libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
-+	$(INSTALL_DATA) $(srcdir)/$(policyfile) $(DESTDIR)$(policydir)/org.libvirt.unix.policy
- uninstall-data-polkit:: install-init
- 	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
- else
-diff -rupN libvirt-0.7.0/qemud/qemud.c libvirt-0.7.0.new/qemud/qemud.c
---- libvirt-0.7.0/qemud/qemud.c	2009-07-22 09:37:32.000000000 -0400
-+++ libvirt-0.7.0.new/qemud/qemud.c	2009-08-13 08:37:22.419878018 -0400
-@@ -895,7 +895,7 @@ static struct qemud_server *qemudNetwork
-     }
- #endif
- 
--#ifdef HAVE_POLKIT
-+#if HAVE_POLKIT0
-     if (auth_unix_rw == REMOTE_AUTH_POLKIT ||
-         auth_unix_ro == REMOTE_AUTH_POLKIT) {
-         DBusError derr;
-@@ -982,7 +982,7 @@ static struct qemud_server *qemudNetwork
-             sock = sock->next;
-         }
- 
--#ifdef HAVE_POLKIT
-+#if HAVE_POLKIT0
-         if (server->sysbus)
-             dbus_connection_unref(server->sysbus);
- #endif
-diff -rupN libvirt-0.7.0/qemud/qemud.h libvirt-0.7.0.new/qemud/qemud.h
---- libvirt-0.7.0/qemud/qemud.h	2009-07-23 12:33:02.000000000 -0400
-+++ libvirt-0.7.0.new/qemud/qemud.h	2009-08-13 08:37:22.425909852 -0400
-@@ -34,7 +34,7 @@
- #include <sasl/sasl.h>
- #endif
- 
--#ifdef HAVE_POLKIT
-+#if HAVE_POLKIT0
- #include <dbus/dbus.h>
- #endif
- 
-@@ -253,7 +253,7 @@ struct qemud_server {
- #if HAVE_SASL
-     char **saslUsernameWhitelist;
- #endif
--#if HAVE_POLKIT
-+#if HAVE_POLKIT0
-     DBusConnection *sysbus;
- #endif
- };
-diff -rupN libvirt-0.7.0/qemud/remote.c libvirt-0.7.0.new/qemud/remote.c
---- libvirt-0.7.0/qemud/remote.c	2009-07-23 12:33:02.000000000 -0400
-+++ libvirt-0.7.0.new/qemud/remote.c	2009-08-13 08:37:22.431865087 -0400
-@@ -43,7 +43,7 @@
- #include <fnmatch.h>
- #include "virterror_internal.h"
- 
--#ifdef HAVE_POLKIT
-+#if HAVE_POLKIT0
- #include <polkit/polkit.h>
- #include <polkit-dbus/polkit-dbus.h>
- #endif
-@@ -3106,7 +3106,80 @@ remoteDispatchAuthSaslStep (struct qemud
- #endif /* HAVE_SASL */
- 
- 
--#if HAVE_POLKIT
-+#if HAVE_POLKIT1
-+static int
-+remoteDispatchAuthPolkit (struct qemud_server *server,
-+                          struct qemud_client *client,
-+                          virConnectPtr conn ATTRIBUTE_UNUSED,
-+                          remote_error *rerr,
-+                          void *args ATTRIBUTE_UNUSED,
-+                          remote_auth_polkit_ret *ret)
-+{
-+    pid_t callerPid;
-+    uid_t callerUid;
-+    const char *action;
-+    int status = -1;
-+    char pidbuf[50];
-+    int rv;
-+
-+    virMutexLock(&server->lock);
-+    virMutexLock(&client->lock);
-+    virMutexUnlock(&server->lock);
-+
-+    action = client->readonly ?
-+        "org.libvirt.unix.monitor" :
-+        "org.libvirt.unix.manage";
-+
-+    const char * const pkcheck [] = {
-+      PKCHECK_PATH,
-+      "--action-id", action,
-+      "--process", pidbuf,
-+      "--allow-user-interaction",
-+      NULL
-+    };
-+
-+    REMOTE_DEBUG("Start PolicyKit auth %d", client->fd);
-+    if (client->auth != REMOTE_AUTH_POLKIT) {
-+        VIR_ERROR0(_("client tried invalid PolicyKit init request"));
-+        goto authfail;
-+    }
-+
-+    if (qemudGetSocketIdentity(client->fd, &callerUid, &callerPid) < 0) {
-+        VIR_ERROR0(_("cannot get peer socket identity"));
-+        goto authfail;
-+    }
-+
-+    VIR_INFO(_("Checking PID %d running as %d"), callerPid, callerUid);
-+
-+    rv = snprintf(pidbuf, sizeof pidbuf, "%d", callerPid);
-+    if (rv < 0 || rv >= sizeof pidbuf) {
-+        VIR_ERROR(_("Caller PID was too large %d"), callerPid);
-+	goto authfail;
-+    }
-+
-+    if (virRun(NULL, pkcheck, &status) < 0) {
-+        VIR_ERROR(_("Cannot invoke %s"), PKCHECK_PATH);
-+	goto authfail;
-+    }
-+    if (status != 0) {
-+        VIR_ERROR(_("Policy kit denied action %s from pid %d, uid %d, result: %d\n"),
-+                  action, callerPid, callerUid, status);
-+        goto authfail;
-+    }
-+    VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"),
-+             action, callerPid, callerUid);
-+    ret->complete = 1;
-+    client->auth = REMOTE_AUTH_NONE;
-+
-+    virMutexUnlock(&client->lock);
-+    return 0;
-+
-+authfail:
-+    remoteDispatchAuthError(rerr);
-+    virMutexUnlock(&client->lock);
-+    return -1;
-+}
-+#elif HAVE_POLKIT0
- static int
- remoteDispatchAuthPolkit (struct qemud_server *server,
-                           struct qemud_client *client,
-@@ -3217,7 +3290,7 @@ authfail:
-     return -1;
- }
- 
--#else /* HAVE_POLKIT */
-+#else /* !HAVE_POLKIT0 & !HAVE_POLKIT1*/
- 
- static int
- remoteDispatchAuthPolkit (struct qemud_server *server ATTRIBUTE_UNUSED,
-@@ -3231,7 +3304,7 @@ remoteDispatchAuthPolkit (struct qemud_s
-     remoteDispatchAuthError(rerr);
-     return -1;
- }
--#endif /* HAVE_POLKIT */
-+#endif /* HAVE_POLKIT1 */
- 
- 
- /***************************************************************
-diff -rupN libvirt-0.7.0/src/remote_internal.c libvirt-0.7.0.new/src/remote_internal.c
---- libvirt-0.7.0/src/remote_internal.c	2009-07-29 10:42:15.000000000 -0400
-+++ libvirt-0.7.0.new/src/remote_internal.c	2009-08-13 10:55:57.607899170 -0400
-@@ -6201,6 +6201,7 @@ remoteAuthPolkit (virConnectPtr conn, st
-                   virConnectAuthPtr auth)
- {
-     remote_auth_polkit_ret ret;
-+#if HAVE_POLKIT0
-     int i, allowcb = 0;
-     virConnectCredential cred = {
-         VIR_CRED_EXTERNAL,
-@@ -6210,8 +6211,10 @@ remoteAuthPolkit (virConnectPtr conn, st
-         NULL,
-         0,
-     };
-+#endif
-     DEBUG0("Client initialize PolicyKit authentication");
- 
-+#if HAVE_POLKIT0
-     if (auth && auth->cb) {
-         /* Check if the necessary credential type for PolicyKit is supported */
-         for (i = 0 ; i < auth->ncredtype ; i++) {
-@@ -6220,6 +6223,7 @@ remoteAuthPolkit (virConnectPtr conn, st
-         }
- 
-         if (allowcb) {
-+            DEBUG0("Client run callback for PolicyKit authentication");
-             /* Run the authentication callback */
-             if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
-                 virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
-@@ -6233,6 +6237,9 @@ remoteAuthPolkit (virConnectPtr conn, st
-     } else {
-         DEBUG0("No auth callback provided");
-     }
-+#else
-+    DEBUG0("No auth callback required for PolicyKit-1");
-+#endif
- 
-     memset (&ret, 0, sizeof ret);
-     if (call (conn, priv, in_open, REMOTE_PROC_AUTH_POLKIT,

sources

@@ -1 +1 @@
-8c2c14a7695c9c661004bcfc6468d62d  libvirt-0.7.0.tar.gz
+05f461cd499c628ef07822dd607c340a  libvirt-1.2.13.2.tar.gz