rpms/libvirt
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add (upstream) patches to label sockets for SELinux (RHBZ#853393).

Browse Source
This commit is contained in:
Richard W.M. Jones 2012-09-21 18:44:02 +01:00
parent 52f3bedee7
commit b5548f62cb
3 changed files with 587 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
0001-Make-virSecurityDeviceLabelDefParseXML-into-generic-.patch Normal file
View File

@ -0,0 +1,138 @@
From db2aff6adaa405f0bc998c7bd3158fe43805ee60 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 20 Sep 2012 14:58:12 +0100
Subject: [PATCH 1/2] Make virSecurityDeviceLabelDefParseXML into generic
device <seclabel> parser.
This is just code motion, allowing us to reuse the same function to
parse the <seclabel> from character devices too.
However it also fixes a possible segfault in the original code if
VIR_ALLOC_N returns an error and the cleanup code (at the error:
label) tries to iterate over the unallocated array (thanks Michal
Privoznik for spotting this).
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
src/conf/domain_conf.c | 43 +++++++++++++++++++++++++------------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 947cc7a..26c2042 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3258,29 +3258,30 @@ error:
return -1;
}
+/* Parse the <seclabel> from a disk or character device. */
static int
-virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
+virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
+ size_t *nseclabels_rtn,
virSecurityLabelDefPtr *vmSeclabels,
int nvmSeclabels, xmlXPathContextPtr ctxt)
{
+ virSecurityDeviceLabelDefPtr *seclabels;
+ size_t nseclabels = 0;
int n, i, j;
xmlNodePtr *list = NULL;
virSecurityLabelDefPtr vmDef = NULL;
char *model, *relabel, *label;
- if (def == NULL)
- return 0;
-
if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) == 0)
return 0;
- def->nseclabels = n;
- if (VIR_ALLOC_N(def->seclabels, n) < 0) {
+ if (VIR_ALLOC_N(seclabels, n) < 0) {
virReportOOMError();
goto error;
}
+ nseclabels = n;
for (i = 0; i < n; i++) {
- if (VIR_ALLOC(def->seclabels[i]) < 0) {
+ if (VIR_ALLOC(seclabels[i]) < 0) {
virReportOOMError();
goto error;
}
@@ -3297,7 +3298,7 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
break;
}
}
- def->seclabels[i]->model = model;
+ seclabels[i]->model = model;
}
/* Can't use overrides if top-level doesn't allow relabeling. */
@@ -3311,9 +3312,9 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
relabel = virXMLPropString(list[i], "relabel");
if (relabel != NULL) {
if (STREQ(relabel, "yes")) {
- def->seclabels[i]->norelabel = false;
+ seclabels[i]->norelabel = false;
} else if (STREQ(relabel, "no")) {
- def->seclabels[i]->norelabel = true;
+ seclabels[i]->norelabel = true;
} else {
virReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"),
@@ -3323,30 +3324,34 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
}
VIR_FREE(relabel);
} else {
- def->seclabels[i]->norelabel = false;
+ seclabels[i]->norelabel = false;
}
ctxt->node = list[i];
label = virXPathStringLimit("string(./label)",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- def->seclabels[i]->label = label;
+ seclabels[i]->label = label;
- if (label && def->seclabels[i]->norelabel) {
+ if (label && seclabels[i]->norelabel) {
virReportError(VIR_ERR_XML_ERROR,
_("Cannot specify a label if relabelling is "
"turned off. model=%s"),
- NULLSTR(def->seclabels[i]->model));
+ NULLSTR(seclabels[i]->model));
goto error;
}
}
VIR_FREE(list);
+
+ *nseclabels_rtn = nseclabels;
+ *seclabels_rtn = seclabels;
+
return 0;
error:
- for (i = 0; i < n; i++) {
- virSecurityDeviceLabelDefFree(def->seclabels[i]);
+ for (i = 0; i < nseclabels; i++) {
+ virSecurityDeviceLabelDefFree(seclabels[i]);
}
- VIR_FREE(def->seclabels);
+ VIR_FREE(seclabels);
VIR_FREE(list);
return -1;
}
@@ -3839,7 +3844,9 @@ virDomainDiskDefParseXML(virCapsPtr caps,
if (sourceNode) {
xmlNodePtr saved_node = ctxt->node;
ctxt->node = sourceNode;
- if (virSecurityDeviceLabelDefParseXML(def, vmSeclabels,
+ if (virSecurityDeviceLabelDefParseXML(&def->seclabels,
+ &def->nseclabels,
+ vmSeclabels,
nvmSeclabels,
ctxt) < 0)
goto error;
--
1.7.11.4

440
0002-Add-seclabel-to-character-devices.patch Normal file
View File

@ -0,0 +1,440 @@
From f8b08d0e961c7e10d87ee011ec7bf1f8fe7b1fbb Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 20 Sep 2012 14:16:17 +0100
Subject: [PATCH 2/2] Add <seclabel> to character devices.
This allows the user to control labelling of each character device
separately (the default is to inherit from the VM).
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
docs/formatdomain.html.in | 8 ++++
docs/schemas/domaincommon.rng | 3 ++
src/conf/domain_conf.c | 78 +++++++++++++++++++++++++++++++++--
src/conf/domain_conf.h | 6 +++
src/security/security_selinux.c | 90 +++++++++++++++++++++++++++++------------
5 files changed, 155 insertions(+), 30 deletions(-)
diff -ur libvirt-0.10.1.old/docs/formatdomain.html.in libvirt-0.10.1/docs/formatdomain.html.in
--- libvirt-0.10.1.old/docs/formatdomain.html.in 2012-08-31 11:01:18.000000000 +0100
+++ libvirt-0.10.1/docs/formatdomain.html.in 2012-09-21 18:46:30.795973766 +0100
@@ -3369,6 +3369,14 @@
</p>
<p>
+ The <code>source</code> element may contain an optional
+ <code>seclabel</code> to override the way that labelling
+ is done on the socket path. If this element is not present,
+ the <a href="#seclabel">security label is inherited from
+ the per-domain setting</a>.
+ </p>
+
+ <p>
Each character device element has an optional
sub-element <code>&lt;address&gt;</code> which can tie the
device to a
diff -ur libvirt-0.10.1.old/docs/schemas/domaincommon.rng libvirt-0.10.1/docs/schemas/domaincommon.rng
--- libvirt-0.10.1.old/docs/schemas/domaincommon.rng 2012-08-22 10:05:18.000000000 +0100
+++ libvirt-0.10.1/docs/schemas/domaincommon.rng 2012-09-21 18:46:30.802973900 +0100
@@ -2344,6 +2344,9 @@
<optional>
<attribute name="wiremode"/>
</optional>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
</element>
</zeroOrMore>
<optional>
diff -ur libvirt-0.10.1.old/src/conf/domain_conf.c libvirt-0.10.1/src/conf/domain_conf.c
--- libvirt-0.10.1.old/src/conf/domain_conf.c 2012-09-21 18:46:07.045533923 +0100
+++ libvirt-0.10.1/src/conf/domain_conf.c 2012-09-21 18:47:34.781159182 +0100
@@ -1257,6 +1257,8 @@
void virDomainChrDefFree(virDomainChrDefPtr def)
{
+ size_t i;
+
if (!def)
return;
@@ -1280,6 +1282,12 @@
virDomainChrSourceDefClear(&def->source);
virDomainDeviceInfoClear(&def->info);
+ if (def->seclabels) {
+ for (i = 0; i < def->nseclabels; i++)
+ virSecurityDeviceLabelDefFree(def->seclabels[i]);
+ VIR_FREE(def->seclabels);
+ }
+
VIR_FREE(def);
}
@@ -5264,7 +5272,11 @@
* <target>, which is used by <serial> but not <smartcard>). */
static int
virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
- xmlNodePtr cur, unsigned int flags)
+ xmlNodePtr cur, unsigned int flags,
+ virDomainChrDefPtr chr_def,
+ xmlXPathContextPtr ctxt,
+ virSecurityLabelDefPtr* vmSeclabels,
+ int nvmSeclabels)
{
char *bindHost = NULL;
char *bindService = NULL;
@@ -5319,6 +5331,21 @@
if (def->type == VIR_DOMAIN_CHR_TYPE_UDP)
VIR_FREE(mode);
}
+
+ /* Check for an optional seclabel override in <source/>. */
+ if (chr_def) {
+ xmlNodePtr saved_node = ctxt->node;
+ ctxt->node = cur;
+ if (virSecurityDeviceLabelDefParseXML(&chr_def->seclabels,
+ &chr_def->nseclabels,
+ vmSeclabels,
+ nvmSeclabels,
+ ctxt) < 0) {
+ ctxt->node = saved_node;
+ goto error;
+ }
+ ctxt->node = saved_node;
+ }
} else if (xmlStrEqual(cur->name, BAD_CAST "protocol")) {
if (protocol == NULL)
protocol = virXMLPropString(cur, "type");
@@ -5512,7 +5539,10 @@
static virDomainChrDefPtr
virDomainChrDefParseXML(virCapsPtr caps,
virDomainDefPtr vmdef,
+ xmlXPathContextPtr ctxt,
xmlNodePtr node,
+ virSecurityLabelDefPtr* vmSeclabels,
+ int nvmSeclabels,
unsigned int flags)
{
xmlNodePtr cur;
@@ -5543,7 +5573,9 @@
}
cur = node->children;
- remaining = virDomainChrSourceDefParseXML(&def->source, cur, flags);
+ remaining = virDomainChrSourceDefParseXML(&def->source, cur, flags,
+ def, ctxt,
+ vmSeclabels, nvmSeclabels);
if (remaining < 0)
goto error;
if (remaining) {
@@ -5680,7 +5712,8 @@
}
cur = node->children;
- if (virDomainChrSourceDefParseXML(&def->data.passthru, cur, flags) < 0)
+ if (virDomainChrSourceDefParseXML(&def->data.passthru, cur, flags,
+ NULL, NULL, NULL, 0) < 0)
goto error;
if (def->data.passthru.type == VIR_DOMAIN_CHR_TYPE_SPICEVMC) {
@@ -7161,7 +7194,8 @@
if (xmlStrEqual(cur->name, BAD_CAST "source")) {
int remaining;
- remaining = virDomainChrSourceDefParseXML(&def->source.chr, cur, flags);
+ remaining = virDomainChrSourceDefParseXML(&def->source.chr, cur, flags,
+ NULL, NULL, NULL, 0);
if (remaining != 0)
goto error;
}
@@ -8974,7 +9008,10 @@
for (i = 0 ; i < n ; i++) {
virDomainChrDefPtr chr = virDomainChrDefParseXML(caps,
def,
+ ctxt,
nodes[i],
+ def->seclabels,
+ def->nseclabels,
flags);
if (!chr)
goto error;
@@ -9001,7 +9038,10 @@
for (i = 0 ; i < n ; i++) {
virDomainChrDefPtr chr = virDomainChrDefParseXML(caps,
def,
+ ctxt,
nodes[i],
+ def->seclabels,
+ def->nseclabels,
flags);
if (!chr)
goto error;
@@ -9031,7 +9071,10 @@
bool create_stub = true;
virDomainChrDefPtr chr = virDomainChrDefParseXML(caps,
def,
+ ctxt,
nodes[i],
+ def->seclabels,
+ def->nseclabels,
flags);
if (!chr)
goto error;
@@ -9107,7 +9150,10 @@
for (i = 0 ; i < n ; i++) {
virDomainChrDefPtr chr = virDomainChrDefParseXML(caps,
def,
+ ctxt,
nodes[i],
+ def->seclabels,
+ def->nseclabels,
flags);
if (!chr)
goto error;
@@ -12188,6 +12234,7 @@
const char *targetType = virDomainChrTargetTypeToString(def->deviceType,
def->targetType);
bool tty_compat;
+ size_t n;
int ret = 0;
@@ -12267,6 +12314,14 @@
return -1;
}
+ /* Security label overrides, if any. */
+ if (def->seclabels && def->nseclabels > 0) {
+ virBufferAdjustIndent(buf, 2);
+ for (n = 0; n < def->nseclabels; n++)
+ virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
+ virBufferAdjustIndent(buf, -2);
+ }
+
virBufferAsprintf(buf, " </%s>\n", elementName);
return ret;
@@ -15032,6 +15087,21 @@
{
int i;
+ if (def == NULL)
+ return NULL;
+
+ for (i = 0; i < def->nseclabels; i++) {
+ if (STREQ_NULLABLE(def->seclabels[i]->model, model))
+ return def->seclabels[i];
+ }
+ return NULL;
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model)
+{
+ int i;
+
if (def == NULL)
return NULL;
diff -ur libvirt-0.10.1.old/src/conf/domain_conf.h libvirt-0.10.1/src/conf/domain_conf.h
--- libvirt-0.10.1.old/src/conf/domain_conf.h 2012-08-31 13:14:44.000000000 +0100
+++ libvirt-0.10.1/src/conf/domain_conf.h 2012-09-21 18:46:30.832974475 +0100
@@ -953,6 +953,9 @@
virDomainChrSourceDef source;
virDomainDeviceInfo info;
+
+ size_t nseclabels;
+ virSecurityDeviceLabelDefPtr *seclabels;
};
enum virDomainSmartcardType {
@@ -2074,6 +2077,9 @@
virSecurityDeviceLabelDefPtr
virDomainDiskDefGetSecurityLabelDef(virDomainDiskDefPtr def, const char *model);
+virSecurityDeviceLabelDefPtr
+virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
+
virSecurityLabelDefPtr
virDomainDefAddSecurityLabelDef(virDomainDefPtr def, const char *model);
diff -ur libvirt-0.10.1.old/src/security/security_selinux.c libvirt-0.10.1/src/security/security_selinux.c
--- libvirt-0.10.1.old/src/security/security_selinux.c 2012-08-22 04:19:44.000000000 +0100
+++ libvirt-0.10.1/src/security/security_selinux.c 2012-09-21 18:46:30.834974513 +0100
@@ -1213,38 +1213,61 @@
static int
virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
- virDomainChrSourceDefPtr dev)
+ virDomainChrDefPtr dev,
+ virDomainChrSourceDefPtr dev_source)
{
- virSecurityLabelDefPtr secdef;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
+ char *imagelabel = NULL;
char *in = NULL, *out = NULL;
int ret = -1;
- secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (secdef == NULL)
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (seclabel == NULL)
return -1;
- if (secdef->norelabel)
+ if (dev)
+ chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
+ SECURITY_SELINUX_NAME);
+
+ if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
return 0;
- switch (dev->type) {
+ if (chr_seclabel)
+ imagelabel = chr_seclabel->label;
+ if (!imagelabel)
+ imagelabel = seclabel->imagelabel;
+
+ switch (dev_source->type) {
case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE:
- ret = virSecuritySELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
+ ret = virSecuritySELinuxSetFilecon(dev_source->data.file.path,
+ imagelabel);
+ break;
+
+ case VIR_DOMAIN_CHR_TYPE_UNIX:
+ if (!dev_source->data.nix.listen) {
+ if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
+ imagelabel) < 0)
+ goto done;
+ }
+ ret = 0;
break;
case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
- (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
+ if ((virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0) ||
+ (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) {
virReportOOMError();
goto done;
}
if (virFileExists(in) && virFileExists(out)) {
- if ((virSecuritySELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
- (virSecuritySELinuxSetFilecon(out, secdef->imagelabel) < 0)) {
+ if ((virSecuritySELinuxSetFilecon(in, imagelabel) < 0) ||
+ (virSecuritySELinuxSetFilecon(out, imagelabel) < 0)) {
goto done;
}
- } else if (virSecuritySELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0) {
+ } else if (virSecuritySELinuxSetFilecon(dev_source->data.file.path,
+ imagelabel) < 0) {
goto done;
}
ret = 0;
@@ -1263,30 +1286,44 @@
static int
virSecuritySELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
- virDomainChrSourceDefPtr dev)
+ virDomainChrDefPtr dev,
+ virDomainChrSourceDefPtr dev_source)
{
- virSecurityLabelDefPtr secdef;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
char *in = NULL, *out = NULL;
int ret = -1;
- secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (secdef == NULL)
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (seclabel == NULL)
return -1;
- if (secdef->norelabel)
+ if (dev)
+ chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
+ SECURITY_SELINUX_NAME);
+ if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
return 0;
- switch (dev->type) {
+ switch (dev_source->type) {
case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE:
- if (virSecuritySELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
+ if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0)
goto done;
ret = 0;
break;
+
+ case VIR_DOMAIN_CHR_TYPE_UNIX:
+ if (!dev_source->data.nix.listen) {
+ if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0)
+ goto done;
+ }
+ ret = 0;
+ break;
+
case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
- (virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
+ if ((virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) ||
+ (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) {
virReportOOMError();
goto done;
}
@@ -1295,7 +1332,7 @@
(virSecuritySELinuxRestoreSecurityFileLabel(in) < 0)) {
goto done;
}
- } else if (virSecuritySELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0) {
+ } else if (virSecuritySELinuxRestoreSecurityFileLabel(dev_source->data.file.path) < 0) {
goto done;
}
ret = 0;
@@ -1323,7 +1360,8 @@
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return virSecuritySELinuxRestoreSecurityChardevLabel(def, &dev->source);
+ return virSecuritySELinuxRestoreSecurityChardevLabel(def, dev,
+ &dev->source);
}
@@ -1345,7 +1383,7 @@
return virSecuritySELinuxRestoreSecurityFileLabel(database);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return virSecuritySELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
+ return virSecuritySELinuxRestoreSecurityChardevLabel(def, NULL, &dev->data.passthru);
default:
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1703,7 +1741,7 @@
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return virSecuritySELinuxSetSecurityChardevLabel(def, &dev->source);
+ return virSecuritySELinuxSetSecurityChardevLabel(def, dev, &dev->source);
}
@@ -1727,7 +1765,7 @@
return virSecuritySELinuxSetFilecon(database, data->content_context);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return virSecuritySELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
+ return virSecuritySELinuxSetSecurityChardevLabel(def, NULL, &dev->data.passthru);
default:
virReportError(VIR_ERR_INTERNAL_ERROR,

10
libvirt.spec
View File

@ -315,7 +315,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 0.10.1
Release: 4%{?dist}%{?extra_release}
Release: 5%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -331,6 +331,9 @@ Patch1: %{name}-dnsmasq-drop-filterwin2k.patch
Patch2: %{name}-fix-unwanted-connection-closing.patch
# Fix qemu -> qemu-system-i386 (RHBZ#857026).
Patch3: 0001-Use-qemu-system-i386-as-binary-instead-of-qemu.patch
# Upstream patches to label sockets for SELinux (RHBZ#853393).
Patch4: 0001-Make-virSecurityDeviceLabelDefParseXML-into-generic-.patch
Patch5: 0002-Add-seclabel-to-character-devices.patch
%if %{with_libvirtd}
Requires: libvirt-daemon = %{version}-%{release}
@ -1044,6 +1047,8 @@ of recent versions of Linux (and other OSes).
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
%if ! %{with_xen}
@ -1871,6 +1876,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
%endif
%changelog
* Fri Sep 21 2012 Richard W.M. Jones <rjones@redhat.com> - 0.10.1-5
- Add (upstream) patches to label sockets for SELinux (RHBZ#853393).
* Thu Sep 13 2012 Richard W.M. Jones <rjones@redhat.com> - 0.10.1-4
- Fix for 32 bit qemu renamed to qemu-system-i386 (RHBZ#857026).