[xen] Change udev tap rule to avoid problems in openvpn, avoid a setuid in xend if it isn't needed

myoung myoung at fedoraproject.org
Sun Apr 15 17:08:36 UTC 2012


commit 02851a12eaeb6380431b4d09a8be8b2075f179e1
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Sun Apr 15 18:05:46 2012 +0100

    Change udev tap rule to avoid problems in openvpn, avoid a setuid in xend if it isn't needed

 xen-backend.rules.patch   |    8 ++++++++
 xen.spec                  |   10 +++++++++-
 xend.selinux.setuid.patch |   12 ++++++++++++
 3 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/xen-backend.rules.patch b/xen-backend.rules.patch
new file mode 100644
index 0000000..76a36b1
--- /dev/null
+++ b/xen-backend.rules.patch
@@ -0,0 +1,8 @@
+--- xen-4.1.2/tools/hotplug/Linux/xen-backend.rules.orig	2011-10-20 18:05:42.000000000 +0100
++++ xen-4.1.2/tools/hotplug/Linux/xen-backend.rules	2012-04-15 17:08:24.774955932 +0100
+@@ -13,4 +13,4 @@
+ KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
+ KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
+ KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
+-SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
++SUBSYSTEM=="net", KERNEL=="tap[0-9]*.[0-9]*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
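Review bot: the new KERNEL match in the tap rule, "tap[0-9]*.[0-9]*", is a udev glob and not a regex, so each "[0-9]*" means one digit followed by any run of characters, and the rule still fires for a name such as tap0x.1y. Requiring the literal dot does stop the rule from running vif-setup on dot-less tap devices, which is what the changelog says broke openvpn, but the pattern reads as stricter than it is. Please add a comment line above the rule stating which interface naming scheme it is meant to claim, so a later edit does not widen it again.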
diff --git a/xen.spec b/xen.spec
index 3baaf4a..cd8f819 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -72,6 +72,8 @@ Patch34: xend.catchbt.patch
 Patch35: xend-pci-loop.patch
 Patch36: localgcc47fix.patch
 Patch37: qemu-xen-4.1-testing.git-3cf61880403b4e484539596a95937cc066243388.patch
+Patch38: xen-backend.rules.patch
+Patch39: xend.selinux.setuid.patch
 
 Patch50: upstream-23936:cdb34816a40a-rework
 Patch51: upstream-23937:5173834e8476
@@ -235,6 +237,8 @@ manage Xen virtual machines.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
+%patch39 -p1
 
 %patch50 -p1
 %patch51 -p1
@@ -697,6 +701,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Sun Apr 15 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-15
+- Make the udev tap rule more specific as it breaks openvpn (#812421)
+- don't try setuid in xend if we don't need to so selinux is happier
+
 * Sat Mar 31 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.2-14
 - /var/lib/xenstored mount has wrong selinux permissions in latest Fedora
 - load xen-acpi-processor module (kernel 3.4 onwards) if present
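Review bot: the second new changelog entry ("don't try setuid in xend if we don't need to so selinux is happier") carries no bug reference, unlike the first entry's (#812421). If a bugzilla report or a specific SELinux denial is behind it, cite it here so the reason for touching the privilege-handling code in xend can be traced later.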
diff --git a/xend.selinux.setuid.patch b/xend.selinux.setuid.patch
new file mode 100644
index 0000000..902b960
--- /dev/null
+++ b/xend.selinux.setuid.patch
@@ -0,0 +1,12 @@
+--- xen-4.1.2/tools/python/xen/xend/server/SrvDaemon.py.orig	2012-04-15 17:17:50.167887550 +0100
++++ xen-4.1.2/tools/python/xen/xend/server/SrvDaemon.py	2012-04-15 17:31:13.648842655 +0100
+@@ -325,7 +325,8 @@
+     def set_user(self):
+         # Set the UID.
+         try:
+-            os.setuid(pwd.getpwnam(XEND_USER)[2])
++            if XEND_USER != "root":
++                os.setuid(pwd.getpwnam(XEND_USER)[2])
+             return 0
+         except KeyError:
+             print >>sys.stderr, "Error: no such user '%s'" % XEND_USER
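Review bot: the guard in set_user(), if XEND_USER != "root":, compares the account name and not the UID, so it only skips the call for the literal string "root" and still calls os.setuid() when XEND_USER is any other account that already matches the current UID. Resolving the UID first and comparing it with os.getuid() covers the general case and keeps the getpwnam() lookup (and its KeyError path) in use for every value: uid = pwd.getpwnam(XEND_USER)[2], then call os.setuid(uid) only when uid != os.getuid(). The existing "# Set the UID." comment should also say why the call is conditional (avoiding an unnecessary setuid under SELinux), since that is not evident from the code.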

