Rewrite policykit support (rhbz #499970)

2009-08-13 15:27:42 +00:00 · 2009-08-13 15:27:42 +00:00 · c476c8b683
commit c476c8b683
parent b93eafc59f
2 changed files with 497 additions and 1 deletions
--- a/libvirt-0.7.0-policy-kit-rewrite.patch
+++ b/libvirt-0.7.0-policy-kit-rewrite.patch
@ -0,0 +1,469 @@
 diff -rupN libvirt-0.7.0/configure.in libvirt-0.7.0.new/configure.in
 --- libvirt-0.7.0/configure.in	2009-08-05 08:53:49.000000000 -0400
 +++ libvirt-0.7.0.new/configure.in	2009-08-13 08:37:22.393897620 -0400
@@ -641,40 +641,61 @@ AC_SUBST([SASL_LIBS])
 dnl PolicyKit library
 POLKIT_CFLAGS=
 POLKIT_LIBS=
 +PKCHECK_PATH=
 AC_ARG_WITH([polkit],
   [  --with-polkit         use PolicyKit for UNIX socket access checks],
   [],
   [with_polkit=check])
 +with_polkit0=no
 +with_polkit1=no
 if test "x$with_polkit" = "xyes" -o "x$with_polkit" = "xcheck"; then
 -  PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
 -    [with_polkit=yes], [
 -    if test "x$with_polkit" = "xcheck" ; then
 -       with_polkit=no
 -    else
 -       AC_MSG_ERROR(
 -         [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
 -    fi
 -  ])
 -  if test "x$with_polkit" = "xyes" ; then
 +  dnl Check for new polkit first - just a binary
 +  AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
 +  if test "x$PKCHECK_PATH" != "x" ; then
 +    AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
     AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
 -      [use PolicyKit for UNIX socket access checks])
 -
 -    old_CFLAGS=$CFLAGS
 -    old_LDFLAGS=$LDFLAGS
 -    CFLAGS="$CFLAGS $POLKIT_CFLAGS"
 -    LDFLAGS="$LDFLAGS $POLKIT_LIBS"
 -    AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
 -    CFLAGS="$old_CFLAGS"
 -    LDFLAGS="$old_LDFLAGS"
 -
 -    AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
 -    if test "x$POLKIT_AUTH" != "x"; then
 -      AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
 +        [use PolicyKit for UNIX socket access checks])
 +    AC_DEFINE_UNQUOTED([HAVE_POLKIT1], 1,
 +        [use PolicyKit for UNIX socket access checks])
 +    with_polkit="yes"
 +    with_polkit1="yes"
 +  else
 +    dnl Check for old polkit second - library + binary
 +    PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED,
 +      [with_polkit=yes], [
 +      if test "x$with_polkit" = "xcheck" ; then
 +         with_polkit=no
 +      else
 +         AC_MSG_ERROR(
 +           [You must install PolicyKit >= $POLKIT_REQUIRED to compile libvirt])
 +      fi
 +    ])
 +    if test "x$with_polkit" = "xyes" ; then
 +      AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
 +        [use PolicyKit for UNIX socket access checks])
 +      AC_DEFINE_UNQUOTED([HAVE_POLKIT0], 1,
 +        [use PolicyKit for UNIX socket access checks])
 +
 +      old_CFLAGS=$CFLAGS
 +      old_LDFLAGS=$LDFLAGS
 +      CFLAGS="$CFLAGS $POLKIT_CFLAGS"
 +      LDFLAGS="$LDFLAGS $POLKIT_LIBS"
 +      AC_CHECK_FUNCS([polkit_context_is_caller_authorized])
 +      CFLAGS="$old_CFLAGS"
 +      LDFLAGS="$old_LDFLAGS"
 +
 +      AC_PATH_PROG([POLKIT_AUTH], [polkit-auth])
 +      if test "x$POLKIT_AUTH" != "x"; then
 +        AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
 +      fi
 +      with_polkit0="yes"
     fi
   fi
 fi
 AM_CONDITIONAL([HAVE_POLKIT], [test "x$with_polkit" = "xyes"])
 +AM_CONDITIONAL([HAVE_POLKIT0], [test "x$with_polkit0" = "xyes"])
 +AM_CONDITIONAL([HAVE_POLKIT1], [test "x$with_polkit1" = "xyes"])
 AC_SUBST([POLKIT_CFLAGS])
 AC_SUBST([POLKIT_LIBS])
@@ -1695,7 +1716,11 @@ else
 AC_MSG_NOTICE([   avahi: no])
 fi
 if test "$with_polkit" = "yes" ; then
 -AC_MSG_NOTICE([  polkit: $POLKIT_CFLAGS $POLKIT_LIBS])
 +if test "$with_polkit0" = "yes" ; then
 +AC_MSG_NOTICE([  polkit: $POLKIT_CFLAGS $POLKIT_LIBS (version 0)])
 +else
 +AC_MSG_NOTICE([  polkit: $PKCHECK_PATH (version 1)])
 +fi
 else
 AC_MSG_NOTICE([  polkit: no])
 fi
 diff -rupN libvirt-0.7.0/qemud/libvirtd.policy libvirt-0.7.0.new/qemud/libvirtd.policy
 --- libvirt-0.7.0/qemud/libvirtd.policy	2009-07-22 09:37:32.000000000 -0400
 +++ libvirt-0.7.0.new/qemud/libvirtd.policy	1969-12-31 19:00:00.000000000 -0500
@@ -1,42 +0,0 @@
 -<!DOCTYPE policyconfig PUBLIC
 - "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 - "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
 -
 -<!--
 -Policy definitions for libvirt daemon
 -
 -Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
 -
 -libvirt is licensed to you under the GNU Lesser General Public License
 -version 2. See COPYING for details.
 -
 -NOTE: If you make changes to this file, make sure to validate the file
 -using the polkit-policy-file-validate(1) tool. Changes made to this
 -file are instantly applied.
 --->
 -
 -<policyconfig>
 -    <action id="org.libvirt.unix.monitor">
 -      <description>Monitor local virtualized systems</description>
 -      <message>System policy prevents monitoring of local virtualized systems</message>
 -      <defaults>
 -        <!-- Any program can use libvirt in read-only mode for monitoring,
 -             even if not part of a session -->
 -        <allow_any>yes</allow_any>
 -        <allow_inactive>yes</allow_inactive>
 -        <allow_active>yes</allow_active>
 -      </defaults>
 -    </action>
 -
 -    <action id="org.libvirt.unix.manage">
 -      <description>Manage local virtualized systems</description>
 -      <message>System policy prevents management of local virtualized systems</message>
 -      <defaults>
 -        <!-- Only a program in the active host session can use libvirt in
 -             read-write mode for management, and we require user password -->
 -        <allow_any>no</allow_any>
 -        <allow_inactive>no</allow_inactive>
 -        <allow_active>auth_admin_keep_session</allow_active>
 -      </defaults>
 -    </action>
 -</policyconfig>
 diff -rupN libvirt-0.7.0/qemud/libvirtd.policy-0 libvirt-0.7.0.new/qemud/libvirtd.policy-0
 --- libvirt-0.7.0/qemud/libvirtd.policy-0	1969-12-31 19:00:00.000000000 -0500
 +++ libvirt-0.7.0.new/qemud/libvirtd.policy-0	2009-08-13 08:37:22.408883879 -0400
@@ -0,0 +1,42 @@
 +<!DOCTYPE policyconfig PUBLIC
 + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
 +
 +<!--
 +Policy definitions for libvirt daemon
 +
 +Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
 +
 +libvirt is licensed to you under the GNU Lesser General Public License
 +version 2. See COPYING for details.
 +
 +NOTE: If you make changes to this file, make sure to validate the file
 +using the polkit-policy-file-validate(1) tool. Changes made to this
 +file are instantly applied.
 +-->
 +
 +<policyconfig>
 +    <action id="org.libvirt.unix.monitor">
 +      <description>Monitor local virtualized systems</description>
 +      <message>System policy prevents monitoring of local virtualized systems</message>
 +      <defaults>
 +        <!-- Any program can use libvirt in read-only mode for monitoring,
 +             even if not part of a session -->
 +        <allow_any>yes</allow_any>
 +        <allow_inactive>yes</allow_inactive>
 +        <allow_active>yes</allow_active>
 +      </defaults>
 +    </action>
 +
 +    <action id="org.libvirt.unix.manage">
 +      <description>Manage local virtualized systems</description>
 +      <message>System policy prevents management of local virtualized systems</message>
 +      <defaults>
 +        <!-- Only a program in the active host session can use libvirt in
 +             read-write mode for management, and we require user password -->
 +        <allow_any>no</allow_any>
 +        <allow_inactive>no</allow_inactive>
 +        <allow_active>auth_admin_keep_session</allow_active>
 +      </defaults>
 +    </action>
 +</policyconfig>
 diff -rupN libvirt-0.7.0/qemud/libvirtd.policy-1 libvirt-0.7.0.new/qemud/libvirtd.policy-1
 --- libvirt-0.7.0/qemud/libvirtd.policy-1	1969-12-31 19:00:00.000000000 -0500
 +++ libvirt-0.7.0.new/qemud/libvirtd.policy-1	2009-08-13 08:37:22.412905763 -0400
@@ -0,0 +1,42 @@
 +<!DOCTYPE policyconfig PUBLIC
 + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
 +
 +<!--
 +Policy definitions for libvirt daemon
 +
 +Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>
 +
 +libvirt is licensed to you under the GNU Lesser General Public License
 +version 2. See COPYING for details.
 +
 +NOTE: If you make changes to this file, make sure to validate the file
 +using the polkit-policy-file-validate(1) tool. Changes made to this
 +file are instantly applied.
 +-->
 +
 +<policyconfig>
 +    <action id="org.libvirt.unix.monitor">
 +      <description>Monitor local virtualized systems</description>
 +      <message>System policy prevents monitoring of local virtualized systems</message>
 +      <defaults>
 +        <!-- Any program can use libvirt in read-only mode for monitoring,
 +             even if not part of a session -->
 +        <allow_any>yes</allow_any>
 +        <allow_inactive>yes</allow_inactive>
 +        <allow_active>yes</allow_active>
 +      </defaults>
 +    </action>
 +
 +    <action id="org.libvirt.unix.manage">
 +      <description>Manage local virtualized systems</description>
 +      <message>System policy prevents management of local virtualized systems</message>
 +      <defaults>
 +        <!-- Only a program in the active host session can use libvirt in
 +             read-write mode for management, and we require user password -->
 +        <allow_any>no</allow_any>
 +        <allow_inactive>no</allow_inactive>
 +        <allow_active>auth_admin_keep</allow_active>
 +      </defaults>
 +    </action>
 +</policyconfig>
 diff -rupN libvirt-0.7.0/qemud/Makefile.am libvirt-0.7.0.new/qemud/Makefile.am
 --- libvirt-0.7.0/qemud/Makefile.am	2009-07-22 09:37:32.000000000 -0400
 +++ libvirt-0.7.0.new/qemud/Makefile.am	2009-08-13 08:37:22.398915449 -0400
@@ -21,7 +21,8 @@ EXTRA_DIST =						\
 	remote_protocol.x				\
 	libvirtd.conf					\
 	libvirtd.init.in				\
 -	libvirtd.policy					\
 +	libvirtd.policy-0				\
 +	libvirtd.policy-1				\
 	libvirtd.sasl					\
 	libvirtd.sysconf				\
 	libvirtd.aug                                    \
@@ -147,7 +148,13 @@ endif
 libvirtd_LDADD += ../src/libvirt.la
 if HAVE_POLKIT
 +if HAVE_POLKIT0
 policydir = $(datadir)/PolicyKit/policy
 +policyfile = libvirtd.policy-0
 +else
 +policydir = $(datadir)/polkit-1/actions
 +policyfile = libvirtd.policy-1
 +endif
 endif
 if HAVE_AVAHI
@@ -197,7 +204,7 @@ endif
 if HAVE_POLKIT
 install-data-polkit:: install-init
 	mkdir -p $(DESTDIR)$(policydir)
 -	$(INSTALL_DATA) $(srcdir)/libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
 +	$(INSTALL_DATA) $(srcdir)/$(policyfile) $(DESTDIR)$(policydir)/org.libvirt.unix.policy
 uninstall-data-polkit:: install-init
 	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
 else
 diff -rupN libvirt-0.7.0/qemud/qemud.c libvirt-0.7.0.new/qemud/qemud.c
 --- libvirt-0.7.0/qemud/qemud.c	2009-07-22 09:37:32.000000000 -0400
 +++ libvirt-0.7.0.new/qemud/qemud.c	2009-08-13 08:37:22.419878018 -0400
@@ -895,7 +895,7 @@ static struct qemud_server *qemudNetwork
     }
 #endif
 -#ifdef HAVE_POLKIT
 +#if HAVE_POLKIT0
     if (auth_unix_rw == REMOTE_AUTH_POLKIT ||
         auth_unix_ro == REMOTE_AUTH_POLKIT) {
         DBusError derr;
@@ -982,7 +982,7 @@ static struct qemud_server *qemudNetwork
             sock = sock->next;
         }
 -#ifdef HAVE_POLKIT
 +#if HAVE_POLKIT0
         if (server->sysbus)
             dbus_connection_unref(server->sysbus);
 #endif
 diff -rupN libvirt-0.7.0/qemud/qemud.h libvirt-0.7.0.new/qemud/qemud.h
 --- libvirt-0.7.0/qemud/qemud.h	2009-07-23 12:33:02.000000000 -0400
 +++ libvirt-0.7.0.new/qemud/qemud.h	2009-08-13 08:37:22.425909852 -0400
@@ -34,7 +34,7 @@
 #include <sasl/sasl.h>
 #endif
 -#ifdef HAVE_POLKIT
 +#if HAVE_POLKIT0
 #include <dbus/dbus.h>
 #endif
@@ -253,7 +253,7 @@ struct qemud_server {
 #if HAVE_SASL
     char **saslUsernameWhitelist;
 #endif
 -#if HAVE_POLKIT
 +#if HAVE_POLKIT0
     DBusConnection *sysbus;
 #endif
 };
 diff -rupN libvirt-0.7.0/qemud/remote.c libvirt-0.7.0.new/qemud/remote.c
 --- libvirt-0.7.0/qemud/remote.c	2009-07-23 12:33:02.000000000 -0400
 +++ libvirt-0.7.0.new/qemud/remote.c	2009-08-13 08:37:22.431865087 -0400
@@ -43,7 +43,7 @@
 #include <fnmatch.h>
 #include "virterror_internal.h"
 -#ifdef HAVE_POLKIT
 +#if HAVE_POLKIT0
 #include <polkit/polkit.h>
 #include <polkit-dbus/polkit-dbus.h>
 #endif
@@ -3106,7 +3106,80 @@ remoteDispatchAuthSaslStep (struct qemud
 #endif /* HAVE_SASL */
 -#if HAVE_POLKIT
 +#if HAVE_POLKIT1
 +static int
 +remoteDispatchAuthPolkit (struct qemud_server *server,
 +                          struct qemud_client *client,
 +                          virConnectPtr conn ATTRIBUTE_UNUSED,
 +                          remote_error *rerr,
 +                          void *args ATTRIBUTE_UNUSED,
 +                          remote_auth_polkit_ret *ret)
 +{
 +    pid_t callerPid;
 +    uid_t callerUid;
 +    const char *action;
 +    int status = -1;
 +    char pidbuf[50];
 +    int rv;
 +
 +    virMutexLock(&server->lock);
 +    virMutexLock(&client->lock);
 +    virMutexUnlock(&server->lock);
 +
 +    action = client->readonly ?
 +        "org.libvirt.unix.monitor" :
 +        "org.libvirt.unix.manage";
 +
 +    const char * const pkcheck [] = {
 +      PKCHECK_PATH,
 +      "--action-id", action,
 +      "--process", pidbuf,
 +      "--allow-user-interaction",
 +      NULL
 +    };
 +
 +    REMOTE_DEBUG("Start PolicyKit auth %d", client->fd);
 +    if (client->auth != REMOTE_AUTH_POLKIT) {
 +        VIR_ERROR0(_("client tried invalid PolicyKit init request"));
 +        goto authfail;
 +    }
 +
 +    if (qemudGetSocketIdentity(client->fd, &callerUid, &callerPid) < 0) {
 +        VIR_ERROR0(_("cannot get peer socket identity"));
 +        goto authfail;
 +    }
 +
 +    VIR_INFO(_("Checking PID %d running as %d"), callerPid, callerUid);
 +
 +    rv = snprintf(pidbuf, sizeof pidbuf, "%d", callerPid);
 +    if (rv < 0 || rv >= sizeof pidbuf) {
 +        VIR_ERROR(_("Caller PID was too large %d"), callerPid);
 +	goto authfail;
 +    }
 +
 +    if (virRun(NULL, pkcheck, &status) < 0) {
 +        VIR_ERROR(_("Cannot invoke %s"), PKCHECK_PATH);
 +	goto authfail;
 +    }
 +    if (status != 0) {
 +        VIR_ERROR(_("Policy kit denied action %s from pid %d, uid %d, result: %d\n"),
 +                  action, callerPid, callerUid, status);
 +        goto authfail;
 +    }
 +    VIR_INFO(_("Policy allowed action %s from pid %d, uid %d"),
 +             action, callerPid, callerUid);
 +    ret->complete = 1;
 +    client->auth = REMOTE_AUTH_NONE;
 +
 +    virMutexUnlock(&client->lock);
 +    return 0;
 +
 +authfail:
 +    remoteDispatchAuthError(rerr);
 +    virMutexUnlock(&client->lock);
 +    return -1;
 +}
 +#elif HAVE_POLKIT0
 static int
 remoteDispatchAuthPolkit (struct qemud_server *server,
                           struct qemud_client *client,
@@ -3217,7 +3290,7 @@ authfail:
     return -1;
 }
 -#else /* HAVE_POLKIT */
 +#else /* !HAVE_POLKIT0 & !HAVE_POLKIT1*/
 static int
 remoteDispatchAuthPolkit (struct qemud_server *server ATTRIBUTE_UNUSED,
@@ -3231,7 +3304,7 @@ remoteDispatchAuthPolkit (struct qemud_s
     remoteDispatchAuthError(rerr);
     return -1;
 }
 -#endif /* HAVE_POLKIT */
 +#endif /* HAVE_POLKIT1 */
 /***************************************************************
 diff -rupN libvirt-0.7.0/src/remote_internal.c libvirt-0.7.0.new/src/remote_internal.c
 --- libvirt-0.7.0/src/remote_internal.c	2009-07-29 10:42:15.000000000 -0400
 +++ libvirt-0.7.0.new/src/remote_internal.c	2009-08-13 10:55:57.607899170 -0400
@@ -6201,6 +6201,7 @@ remoteAuthPolkit (virConnectPtr conn, st
                   virConnectAuthPtr auth)
 {
     remote_auth_polkit_ret ret;
 +#if HAVE_POLKIT0
     int i, allowcb = 0;
     virConnectCredential cred = {
         VIR_CRED_EXTERNAL,
@@ -6210,8 +6211,10 @@ remoteAuthPolkit (virConnectPtr conn, st
         NULL,
         0,
     };
 +#endif
     DEBUG0("Client initialize PolicyKit authentication");
 +#if HAVE_POLKIT0
     if (auth && auth->cb) {
         /* Check if the necessary credential type for PolicyKit is supported */
         for (i = 0 ; i < auth->ncredtype ; i++) {
@@ -6220,6 +6223,7 @@ remoteAuthPolkit (virConnectPtr conn, st
         }
         if (allowcb) {
 +            DEBUG0("Client run callback for PolicyKit authentication");
             /* Run the authentication callback */
             if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) {
                 virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE,
@@ -6233,6 +6237,9 @@ remoteAuthPolkit (virConnectPtr conn, st
     } else {
         DEBUG0("No auth callback provided");
     }
 +#else
 +    DEBUG0("No auth callback required for PolicyKit-1");
 +#endif
     memset (&ret, 0, sizeof ret);
     if (call (conn, priv, in_open, REMOTE_PROC_AUTH_POLKIT,
--- a/libvirt.spec
+++ b/libvirt.spec
@ -78,7 +78,7 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.7.0
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
@ -89,6 +89,10 @@ Patch01: libvirt-0.7.0-chown-kernel-initrd-before-spawning-qemu.patch
 # Don't fail to start network if ipv6 modules is not loaded (bug #516497)
 Patch02: libvirt-0.7.0-handle-kernels-with-no-ipv6-support.patch
 # Policykit rewrite (bug #499970)
 # NB remove autoreconf hack & extra BRs when this goes away
 Patch03: libvirt-0.7.0-policy-kit-rewrite.patch
 # Temporary hack till PulseAudio autostart problems are sorted
 # out when SELinux enforcing (bz 486112)
 Patch200: libvirt-0.6.4-svirt-sound.patch
@ -106,8 +110,12 @@ Requires: iptables
 # needed for device enumeration
 Requires: hal
 %if %{with_polkit}
 %if 0%{?fedora} >= 12
 Requires: polkit >= 0.93
 %else
 Requires: PolicyKit >= 0.6
 %endif
 %endif
 %if %{with_storage_fs}
 # For mount/umount in FS driver
 BuildRequires: util-linux
@ -161,8 +169,13 @@ BuildRequires: bridge-utils
 BuildRequires: cyrus-sasl-devel
 %endif
 %if %{with_polkit}
 %if 0%{?fedora} >= 12
 # Only need the binary, not -devel
 BuildRequires: polkit >= 0.93
 %else
 BuildRequires: PolicyKit-devel >= 0.6
 %endif
 %endif
 %if %{with_storage_fs}
 # For mount/umount in FS driver
 BuildRequires: util-linux
@ -205,6 +218,9 @@ BuildRequires: netcf-devel
 # Fedora build root suckage
 BuildRequires: gawk
 # Temp hack for patch 3
 BuildRequires: libtool autoconf automake gettext
 %description
 Libvirt is a C toolkit to interact with the virtualization capabilities
 of recent versions of Linux (and other OSes). The main package includes
@ -260,6 +276,7 @@ of recent versions of Linux (and other OSes).
 %patch01 -p1
 %patch02 -p1
 %patch03 -p1
 %patch200 -p0
@ -352,6 +369,9 @@ of recent versions of Linux (and other OSes).
 %define _without_netcf --without-netcf
 %endif
 # Temp hack for patch 3
 autoreconf -if
 %configure %{?_without_xen} \
           %{?_without_qemu} \
           %{?_without_openvz} \
@ -541,8 +561,12 @@ fi
 %endif
 %if %{with_polkit}
 %if 0%{?fedora} >= 12
 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
 %else
 %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
 %endif
 %endif
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/
 %if %{with_qemu}
@ -621,6 +645,9 @@ fi
 %endif
 %changelog
 * Thu Aug 13 2009  <berrange@dhcp-0-233.camlab.fab.redhat.com> - 0.7.0-4
 - Rewrite policykit support (rhbz #499970)
 * Mon Aug 10 2009 Mark McLoughlin <markmc@redhat.com> - 0.7.0-3
 - Don't fail to start network if ipv6 modules is not loaded (#516497)