Fix virtlockd-admin.socket syntax (bz #1586239)

nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz #1547237)

0001-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch

@@ -0,0 +1,36 @@
+From 519a6adb135959709fefbe30b7f40de436dd2f16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:07 +0100
+Subject: [PATCH 1/2] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 1dbca2eccad58d91a5fd33962854f1a653638182)
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 00a43b172c..245aec3309 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -298,6 +298,9 @@
+     <feature name='spec-ctrl'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+     </feature>
++    <feature name='ssbd'>
++      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
++    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
+-- 
+2.17.0
+

0001-tests-force-use-of-NORMAL-TLS-priority-in-test-suite.patch

@@ -0,0 +1,69 @@
+From ec92abee2851344e4e8c108a26b5cec594561ff4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 5 Mar 2018 12:46:16 +0000
+Subject: [PATCH] tests: force use of "NORMAL" TLS priority in test suite
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When generating certificates we rely on GNUTLS' built-in default setup
+for the ciphers used in the certs. We then currently run with the distro
+specific TLS priority setup which can be much stronger, to the extent
+that the certificates we generate are considered untrustworthy. We don't
+care about the quality of the ciphers we use in the test suite, so just
+force the priority to "NORMAL" which should ensure our certs are
+accepted by GNUTLS.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ tests/virnettlscontexttest.c | 4 ++--
+ tests/virnettlssessiontest.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
+index 089c10e964..86647f3014 100644
+--- a/tests/virnettlscontexttest.c
++++ b/tests/virnettlscontexttest.c
+@@ -72,7 +72,7 @@ static int testTLSContextInit(const void *opaque)
+                                          data->crt,
+                                          KEYFILE,
+                                          NULL,
+-                                         NULL,
++                                         "NORMAL",
+                                          true,
+                                          true);
+     } else {
+@@ -80,7 +80,7 @@ static int testTLSContextInit(const void *opaque)
+                                          NULL,
+                                          data->crt,
+                                          KEYFILE,
+-                                         NULL,
++                                         "NORMAL",
+                                          true,
+                                          true);
+     }
+diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
+index 6d639e5b16..7e85607181 100644
+--- a/tests/virnettlssessiontest.c
++++ b/tests/virnettlssessiontest.c
+@@ -113,7 +113,7 @@ static int testTLSSessionInit(const void *opaque)
+                                            data->servercrt,
+                                            KEYFILE,
+                                            data->wildcards,
+-                                           NULL,
++                                           "NORMAL",
+                                            false,
+                                            true);
+ 
+@@ -121,7 +121,7 @@ static int testTLSSessionInit(const void *opaque)
+                                            NULL,
+                                            data->clientcrt,
+                                            KEYFILE,
+-                                           NULL,
++                                           "NORMAL",
+                                            false,
+                                            true);
+ 
+-- 
+2.14.3
+

0002-cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-.patch

@@ -0,0 +1,47 @@
+From 40cf57b55f3af94163d7ef3d50aec6c5c79c139d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:08 +0100
+Subject: [PATCH 2/2] cpu: define the 'virt-ssbd' CPUID feature bit
+ (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some AMD processors only support a non-architectural means of
+enabling Speculative Store Bypass Disable. To allow simplified
+handling in virtual environments, hypervisors will expose an
+architectural definition through CPUID bit 0x80000008_EBX[25].
+This needs to be exposed to guest OS running on AMD x86 hosts to
+allow them to protect against CVE-2018-3639.
+
+Note that since this CPUID bit won't be present in the host CPUID
+results on physical hosts, it will not be enabled automatically
+in guests configured with "host-model" CPU unless using QEMU
+version >= 2.9.0. Thus for older versions of QEMU, this feature
+must be manually enabled using policy=force. Guests using the
+"host-passthrough" CPU mode do not need special handling.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 9267342206ce17f6933d57a3128cdc504d5945c9)
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 245aec3309..96daa0f9af 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -433,6 +433,9 @@
+     <feature name='ibpb'>
+       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+     </feature>
++    <feature name='virt-ssbd'>
++      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
++    </feature>
+ 
+     <!-- models -->
+     <model name='486'>
+-- 
+2.17.0
+

0004-lockd-fix-typo-in-virtlockd-admin.socket.patch

@@ -0,0 +1,36 @@
+From fb327ac2c3d721b4002852c520d9f39a35183e0d Mon Sep 17 00:00:00 2001
+Message-Id: <fb327ac2c3d721b4002852c520d9f39a35183e0d.1530632931.git.crobinso@redhat.com>
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Wed, 14 Mar 2018 16:42:39 -0600
+Subject: [PATCH] lockd: fix typo in virtlockd-admin.socket
+
+Commit ce7ae55ea1 introduced a typo in virtlockd-admin socket file
+
+/usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue
+'Server' in section 'Socket'
+
+Change 'Server' to 'Service'.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Reviewed-by: Erik Skultety <eskultet@redhat.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/locking/virtlockd-admin.socket.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 1fa0a3dc33..2a7500f3d0 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -4,7 +4,7 @@ Before=libvirtd.service
+ 
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+-Server=virtlockd.service
++Service=virtlockd.service
+ 
+ [Install]
+ WantedBy=sockets.target
+-- 
+2.17.1
+

0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch

@@ -0,0 +1,110 @@
+From ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e Mon Sep 17 00:00:00 2001
+Message-Id: <ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e.1530632895.git.crobinso@redhat.com>
+From: Laine Stump <laine@laine.org>
+Date: Wed, 25 Apr 2018 17:12:03 -0400
+Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with
+ TPACKET_V3
+
+When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp",
+this turns on the "dhcpsnoop" thread, which uses libpcap to monitor
+traffic on the domain's tap device and extract the IP address from the
+DHCP response.
+
+If libpcap on the host is built with HAVE_TPACKET3 defined (to enable
+support for TPACKET_V3), the dhcpsnoop code's initialization of the
+libpcap socket would fail with the following error:
+
+  virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor
+
+It turns out that this was because TPACKET_V3 requires a larger buffer
+size than libvirt was setting (we were setting it to 128k). Changing
+the buffer size to 256k eliminates the error, and the dhcpsnoop thread
+once again works properly.
+
+A fuller explanation of why TPACKET_V3 requires such a large buffer,
+for future git spelunkers:
+
+libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a
+ring buffer for receiving packets; two of the attributes sent to this
+API are called tp_frame_size, and tp_frame_nr. If libpcap was built
+with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN
+(defined in libpcap sources as 262144) and tp_frame_nr is set to:
+
+ [the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size.
+
+So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number
+of frames in the ring buffer) is 0, which is nonsensical. This same
+value is later used as a multiplier to determine the size for a call
+to malloc() (which would also fail).
+
+(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to
+the snaplen set by the user (in our case 576) plus a small amount to
+account for ethernet headers, so 256k is far more than adequate)
+
+Since the TPACKET_V3 code in libpcap actually reads multiple packets
+into each frame, it's not a problem to have only a single frame
+(especially when we are monitoring such infrequent traffic), so it's
+okay to set this relatively small buffer size (in comparison to the
+default, which is 2MB), which is important since every guest using
+dhcp snooping in a nwfilter rule will hold 2 of these buffers for the
+entire life of the guest.
+
+Thanks to Christian Ehrhardt for discovering that buffer size was the
+problem (this was not at all obvious from the error that was logged!)
+
+Resolves: https://bugzilla.redhat.com/1547237
+Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037
+
+Signed-off-by: Laine Stump <laine@laine.org>
+Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> (V1)
+Reviewed-by: John Ferlan <jferlan@redhat.com>
+Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
+index 6069e70460..50cfb944a2 100644
+--- a/src/nwfilter/nwfilter_dhcpsnoop.c
++++ b/src/nwfilter/nwfilter_dhcpsnoop.c
+@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob {
+ # define DHCP_BURST_INTERVAL_S  10 /* sec */
+ 
+ /*
+- * libpcap 1.5 requires a 128kb buffer
+- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2)
++ * NB: Any libpcap built with HAVE_TPACKET3 will require
++ * PCAP_BUFFERSIZE to be at least 262144 (although
++ * pcap_set_buffer_size() with a lower value will succeed, and the
++ * error will only show up later when pcap_setfilter() is called).
++ *
++ * It is possible that in the future libpcap could increase the
++ * minimum size even further, but due to the fact that each guest
++ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers
++ * allocated) for the life of the guest, we want to minimize the
++ * length of the buffer, so instead of leaving it at the default size
++ * (2MB), we are setting it to the minimum viable size and including
++ * this clue in the source to help quickly resolve the problem when/if
++ * it reoccurs.
+  */
+-# define PCAP_BUFFERSIZE        (128 * 1024)
++# define PCAP_BUFFERSIZE        (256 * 1024)
+ 
+ # define MAX_QUEUED_JOBS        (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE)
+ 
+@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac,
+         goto cleanup_nohandle;
+     }
+ 
++    /* IMPORTANT: If there is any failure of *any* pcap_* function
++     * during setup of the socket, look to the comment where
++     * PCAP_BUFFERSIZE is defined. It may be too small, even if the
++     * generated error doesn't imply that.
++     */
+     if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 ||
+         pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 ||
+         pcap_activate(handle) < 0) {
+-- 
+2.17.1
+

libvirt.spec

@@ -6,11 +6,6 @@
 %define min_rhel 6
 %define min_fedora 26
 
-# Fedora >= 28 default RPM linker flags set  "-z defs" to refuse
-# to link when there are undefined symbols. This breaks all of our
-# dlopen()able plugins, so we must turn it off.
-%undefine _strict_symbol_defs_build
-
 %if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel})
     %define supported_platform 1
 %else
@@ -78,7 +73,7 @@
 %define with_numactl          0%{!?_without_numactl:1}
 
 # F25+ has zfs-fuse
-%if 0%{?fedora} >= 25
+%if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
     %define with_storage_zfs      0
@@ -148,6 +143,10 @@
     %define with_libxl 0
     %define with_hyperv 0
     %define with_vz 0
+
+    %if 0%{?rhel} > 7
+        %define with_lxc 0
+    %endif
 %endif
 
 # Fedora 17 / RHEL-7 are first where we use systemd. Although earlier
@@ -168,7 +167,7 @@
 %endif
 
 # fuse is used to provide virtualized /proc for LXC
-%if 0%{?fedora} || 0%{?rhel} >= 7
+%if %{with_lxc} && 0%{?rhel} != 6
     %define with_fuse      0%{!?_without_fuse:1}
 %endif
 
@@ -192,6 +191,11 @@
 %if 0%{?fedora}
     %define with_wireshark 0%{!?_without_wireshark:1}
 %endif
+%if 0%{?fedora} || 0%{?rhel} > 7
+    %define wireshark_plugindir %(pkg-config --variable plugindir wireshark)
+%else
+    %define wireshark_plugindir %{_libdir}/wireshark/plugins
+%endif
 
 # Enable libssh transport for new enough distros
 %if 0%{?fedora}
@@ -238,29 +242,34 @@
     %define enable_werror --disable-werror
 %endif
 
-%if 0%{?fedora} >= 25
+%if 0%{?fedora}
     %define tls_priority "@LIBVIRT,SYSTEM"
 %else
-    %if 0%{?fedora}
-        %define tls_priority "@SYSTEM"
-    %else
-        %define tls_priority "NORMAL"
-    %endif
+    %define tls_priority "NORMAL"
 %endif
 
 
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 4.0.0
-Release: 2%{?dist}%{?extra_release}
+Version: 4.1.0
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: https://libvirt.org/
 
 %if %(echo %{version} | grep -q "\.0$"; echo $?) == 1
     %define mainturl stable_updates/
 %endif
 Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
+Patch1: 0001-tests-force-use-of-NORMAL-TLS-priority-in-test-suite.patch
+Patch2: 0001-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
+Patch3: 0002-cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-.patch
+# Fix virtlockd-admin.socket syntax (bz #1586239)
+Patch5: 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch
+# nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz
+# #1547237)
+Patch4: 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -303,7 +312,7 @@ BuildRequires: libtool
 BuildRequires: /usr/bin/pod2man
 %endif
 BuildRequires: git
-%if 0%{?fedora} >= 27
+%if 0%{?fedora} >= 27 || 0%{?rhel} > 7
 BuildRequires: perl-interpreter
 %else
 BuildRequires: perl
@@ -455,11 +464,7 @@ BuildRequires: numad
 %endif
 
 %if %{with_wireshark}
-    %if 0%{fedora} >= 24
 BuildRequires: wireshark-devel >= 2.1.0
-    %else
-BuildRequires: wireshark-devel >= 1.12.1
-    %endif
 %endif
 
 %if %{with_libssh}
@@ -803,7 +808,7 @@ Requires: gzip
 Requires: bzip2
 Requires: lzop
 Requires: xz
-    %if 0%{?fedora} >= 24
+    %if 0%{?fedora} || 0%{?rhel} > 7
 Requires: systemd-container
     %endif
 
@@ -821,7 +826,7 @@ Group: Development/Libraries
 Requires: libvirt-daemon = %{version}-%{release}
 # There really is a hard cross-driver dependency here
 Requires: libvirt-daemon-driver-network = %{version}-%{release}
-    %if 0%{?fedora} >= 24
+    %if 0%{?fedora} || 0%{?rhel} > 7
 Requires: systemd-container
     %endif
 
@@ -1026,6 +1031,9 @@ Requires: gnutls-utils
 # Needed for probing the power management features of the host.
 Requires: pm-utils
 %endif
+%if %{with_bash_completion}
+Requires: %{name}-bash-completion = %{version}-%{release}
+%endif
 
 %description client
 The client binaries needed to access the virtualization
@@ -1050,10 +1058,22 @@ Summary: Set of tools to control libvirt daemon
 Group: Development/Libraries
 Requires: %{name}-libs = %{version}-%{release}
 Requires: readline
+%if %{with_bash_completion}
+Requires: %{name}-bash-completion = %{version}-%{release}
+%endif
 
 %description admin
 The client side utilities to control the libvirt daemon.
 
+%if %{with_bash_completion}
+%package bash-completion
+Summary: Bash completion script
+Group: Development/Libraries
+
+%description bash-completion
+Bash completion script stub.
+%endif
+
 %if %{with_wireshark}
 %package wireshark
 Summary: Wireshark dissector plugin for libvirt RPC transactions
@@ -1176,8 +1196,10 @@ exit 1
 
 %if %{with_lxc}
     %define arg_lxc --with-lxc
+    %define arg_login_shell --with-login-shell
 %else
     %define arg_lxc --without-lxc
+    %define arg_login_shell --without-login-shell
 %endif
 
 %if %{with_vbox}
@@ -1387,7 +1409,8 @@ rm -f po/stamp-po
            %{?arg_loader_nvram} \
            %{?enable_werror} \
            --enable-expensive-tests \
-           %{arg_init_script}
+           %{arg_init_script} \
+           %{?arg_login_shell}
 make %{?_smp_mflags} V=1
 gzip -9 ChangeLog
 
@@ -1412,13 +1435,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/connection-driver/*.a
 rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/libvirt/storage-backend/*.a
 %if %{with_wireshark}
-    %if 0%{fedora} >= 24
-rm -f $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/libvirt.la
-    %else
-rm -f $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/*/libvirt.la
-mv $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/*/libvirt.so \
-      $RPM_BUILD_ROOT%{_libdir}/wireshark/plugins/libvirt.so
-    %endif
+rm -f $RPM_BUILD_ROOT%{wireshark_plugindir}/libvirt.la
 %endif
 
 install -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/lib/libvirt/dnsmasq/
@@ -1483,6 +1500,9 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
    $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes-64.stp
 %endif
 
+%clean
+rm -fr %{buildroot}
+
 %check
 cd tests
 # These tests don't current work in a mock build root
@@ -1511,13 +1531,17 @@ exit 0
 
 %if %{with_systemd}
     %if %{with_systemd_macros}
-        %systemd_post virtlockd.socket virtlogd.socket libvirtd.service
+        %systemd_post virtlockd.socket virtlockd-admin.socket
+        %systemd_post virtlogd.socket virtlogd-admin.socket
+        %systemd_post libvirtd.service
     %else
 if [ $1 -eq 1 ] ; then
     # Initial installation
     /bin/systemctl enable \
         virtlockd.socket \
+        virtlockd-admin.socket \
         virtlogd.socket \
+        virtlogd-admin.socket \
         libvirtd.service >/dev/null 2>&1 || :
 fi
     %endif
@@ -1544,21 +1568,27 @@ touch %{_localstatedir}/lib/rpm-state/libvirt/restart || :
 %preun daemon
 %if %{with_systemd}
     %if %{with_systemd_macros}
-        %systemd_preun libvirtd.service virtlogd.socket virtlogd.service virtlockd.socket virtlockd.service
+        %systemd_preun libvirtd.service
+        %systemd_preun virtlogd.socket virtlogd-admin.socket virtlogd.service
+        %systemd_preun virtlockd.socket virtlockd-admin.socket virtlockd.service
     %else
 if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
     /bin/systemctl --no-reload disable \
         libvirtd.service \
         virtlogd.socket \
+        virtlogd-admin.socket \
         virtlogd.service \
         virtlockd.socket \
+        virtlockd-admin.socket \
         virtlockd.service > /dev/null 2>&1 || :
     /bin/systemctl stop \
         libvirtd.service \
         virtlogd.socket \
+        virtlogd-admin.socket \
         virtlogd.service \
         virtlockd.socket \
+        virtlockd-admin.socket \
         virtlockd.service > /dev/null 2>&1 || :
 fi
     %endif
@@ -1587,15 +1617,6 @@ if [ $1 -ge 1 ]; then
 fi
 %endif
 
-%if %{with_systemd}
-%else
-%triggerpostun daemon -- libvirt-daemon < 1.2.1
-if [ "$1" -ge "1" ]; then
-    /sbin/service virtlockd reload > /dev/null 2>&1 || :
-    /sbin/service virtlogd reload > /dev/null 2>&1 || :
-fi
-%endif
-
 # In upgrade scenario we must explicitly enable virtlockd/virtlogd
 # sockets, if libvirtd is already enabled and start them if
 # libvirtd is running, otherwise you'll get failures to start
@@ -1603,15 +1624,17 @@ fi
 %triggerpostun daemon -- libvirt-daemon < 1.3.0
 if [ $1 -ge 1 ] ; then
 %if %{with_systemd}
-        /bin/systemctl is-enabled libvirtd.service 1>/dev/null 2>&1 &&
-            /bin/systemctl enable virtlogd.socket || :
-        /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1 &&
-            /bin/systemctl start virtlogd.socket || :
+    /bin/systemctl is-enabled libvirtd.service 1>/dev/null 2>&1 &&
+        /bin/systemctl enable virtlogd.socket virtlogd-admin.socket || :
+    /bin/systemctl is-active libvirtd.service 1>/dev/null 2>&1 &&
+        /bin/systemctl start virtlogd.socket virtlogd-admin.socket || :
 %else
-        /sbin/chkconfig libvirtd 1>/dev/null 2>&1 &&
-            /sbin/chkconfig virtlogd on || :
-        /sbin/service libvirtd status 1>/dev/null 2>&1 &&
-            /sbin/service virtlogd start || :
+    /sbin/chkconfig libvirtd 1>/dev/null 2>&1 &&
+        /sbin/chkconfig virtlogd on || :
+    /sbin/service libvirtd status 1>/dev/null 2>&1 &&
+        /sbin/service virtlogd start || :
+    /sbin/service virtlockd reload > /dev/null 2>&1 || :
+    /sbin/service virtlogd reload > /dev/null 2>&1 || :
 %endif
 fi
 
@@ -1811,14 +1834,15 @@ exit 0
 %{_unitdir}/virt-guest-shutdown.target
 %{_unitdir}/virtlogd.service
 %{_unitdir}/virtlogd.socket
+%{_unitdir}/virtlogd-admin.socket
 %{_unitdir}/virtlockd.service
 %{_unitdir}/virtlockd.socket
+%{_unitdir}/virtlockd-admin.socket
 %else
 %{_sysconfdir}/rc.d/init.d/libvirtd
 %{_sysconfdir}/rc.d/init.d/virtlogd
 %{_sysconfdir}/rc.d/init.d/virtlockd
 %endif
-%doc daemon/libvirtd.upstart
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/virtlogd
 %config(noreplace) %{_sysconfdir}/sysconfig/virtlockd
@@ -2065,7 +2089,7 @@ exit 0
 %{_datadir}/systemtap/tapset/libvirt_functions.stp
 
 %if %{with_bash_completion}
-%{_datadir}/bash-completion/completions/vsh
+%{_datadir}/bash-completion/completions/virsh
 %endif
 
 
@@ -2117,11 +2141,18 @@ exit 0
 %files admin
 %{_mandir}/man1/virt-admin.1*
 %{_bindir}/virt-admin
+%if %{with_bash_completion}
+%{_datadir}/bash-completion/completions/virt-admin
+%endif
 
+%if %{with_bash_completion}
+%files bash-completion
+%{_datadir}/bash-completion/completions/vsh
+%endif
 
 %if %{with_wireshark}
 %files wireshark
-%{_libdir}/wireshark/plugins/libvirt.so
+%{wireshark_plugindir}/libvirt.so
 %endif
 
 %files nss
@@ -2173,6 +2204,20 @@ exit 0
 
 
 %changelog
+* Tue Jul 03 2018 Cole Robinson <crobinso@redhat.com> - 4.1.0-4
+- Fix virtlockd-admin.socket syntax (bz #1586239)
+- nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz
+  #1547237)
+
+* Mon Jun 18 2018 Daniel P. Berrangé <berrange@redhat.com> - 4.1.0-3
+- Add new CPU features for speculative store bypass (CVE-2018-3639)
+
+* Wed Mar 21 2018 Daniel P. Berrangé <berrange@redhat.com> - 4.1.0-2
+- Fix systemd macro argument with line continuations (rhbz#1558648)
+
+* Mon Mar  5 2018 Daniel Berrange <berrange@redhat.com> - 4.1.0-1
+- Rebase to version 4.1.0
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (libvirt-4.0.0.tar.xz) = c99ea305f427859eb070b5f0c43de48645a5c53a2aa8efc60f54f278ec3fa0b504307861309e1852f8d7bff4436afe00c859aac27691366a0c36c91341cea7a1
+SHA512 (libvirt-4.1.0.tar.xz) = 62d1a228adf3270cc6defe3cbf92dac8c4ce2c434c4d97219571ccef799a4f6304cfd1ba9938338356641285f53ac71145d7b398523021c5ea1dc8e3d49cf894