Bug 1144077

Summary: AUDIT-TRACKER: libvirt: new polkit permissions for checkpoint
Product: [openSUSE] openSUSE Tumbleweed
Reporter: James Fehlig <jfehlig>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: jsegitz, matthias.gerstner
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description James Fehlig 2019-08-02 17:19:43 UTC
Here we go again. Upcoming libvirt 5.6.0 gets a new polkit permission for the checkpoint object via commit 4f0438ef7c5, which causes the following lint failure

[  541s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.domain.checkpoint (no:no:no)

Hopefully non-controversial to whitelist with the 'no:no:no' perms. Failing package can be found here

https://build.opensuse.org/package/show/home:jfehlig:branches:Virtualization/libvirt
Comment 1 Matthias Gerstner 2019-08-05 09:49:26 UTC
Ah that was quick with a new addition ;)

So you need this with all the backports again?

We really need to streamline this process for backports somehow, I'm already
having this on the team agenda.
Comment 2 James Fehlig 2019-08-05 15:47:59 UTC
(In reply to Matthias Gerstner from comment #1)
> So you need this with all the backports again?

Yes, sorry.

> We really need to streamline this process for backports somehow, I'm already
> having this on the team agenda.

Options from my side:
1. Disable build for anything but Factory
2. Patch out new functionality for older distros

1 is doable but I would certainly get complaints. I really dislike 2 and not even sure why I mentioned it :-).
Comment 3 Johannes Segitz 2019-08-06 07:26:41 UTC
(In reply to James Fehlig from comment #2)
We are working on converting these errors into warnings in devel projects, so that could be option 3. We'll discuss it this week, maybe this is a viable solution.

I'll work on adding the new permissions
Comment 4 Johannes Segitz 2019-08-06 11:05:41 UTC
I've added the entry to Factory and backported it to SLE 15. Might take a while to appear, therefore changing to AUDIT-TRACKER
Comment 6 Swamp Workflow Management 2019-09-12 20:10:10 UTC
SUSE-RU-2019:2375-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1144077
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    rpmlint-mini-1.10-5.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    polkit-default-privs-13.2-10.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-09-24 13:18:25 UTC
openSUSE-RU-2019:2170-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1144077
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    polkit-default-privs-13.2-lp150.8.28.1, rpmlint-mini-1.10-lp150.15.1
Comment 9 Matthias Gerstner 2019-10-31 12:10:10 UTC
The whitelisting should be through by now, so closing this bug.