Bug 1144077 - AUDIT-TRACKER: libvirt: new polkit permissions for checkpoint
AUDIT-TRACKER: libvirt: new polkit permissions for checkpoint
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-02 17:19 UTC by James Fehlig
Modified: 2019-10-31 12:10 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description James Fehlig 2019-08-02 17:19:43 UTC
Here we go again. Upcoming libvirt 5.6.0 gets a new polkit permission for the checkpoint object via commit 4f0438ef7c5, which causes the following lint failure

[  541s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.domain.checkpoint (no:no:no)

Hopefully non-controversial to whitelist with the 'no:no:no' perms. Failing package can be found here

https://build.opensuse.org/package/show/home:jfehlig:branches:Virtualization/libvirt
Comment 1 Matthias Gerstner 2019-08-05 09:49:26 UTC
Ah that was quick with a new addition ;)

So you need this with all the backports again?

We really need to streamline this process for backports somehow, I'm already
having this on the team agenda.
Comment 2 James Fehlig 2019-08-05 15:47:59 UTC
(In reply to Matthias Gerstner from comment #1)
> So you need this with all the backports again?

Yes, sorry.

> We really need to streamline this process for backports somehow, I'm already
> having this on the team agenda.

Options from my side:
1. Disable build for anything but Factory
2. Patch out new functionality for older distros

1 is doable but I would certainly get complaints. I really dislike 2 and not even sure why I mentioned it :-).
Comment 3 Johannes Segitz 2019-08-06 07:26:41 UTC
(In reply to James Fehlig from comment #2)
We are working on converting these errors into warnings in devel projects, so that could be option 3. We'll discuss it this week, maybe this is a viable solution

I'll work on adding the new permissions
Comment 4 Johannes Segitz 2019-08-06 11:05:41 UTC
I've added the entry to Factory and backported it to SLE 15. Might take a while to appear, therefor changing to AUDIT-TRACKER
Comment 6 Swamp Workflow Management 2019-09-12 20:10:10 UTC
SUSE-RU-2019:2375-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1144077
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    rpmlint-mini-1.10-5.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    polkit-default-privs-13.2-10.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-09-24 13:18:25 UTC
openSUSE-RU-2019:2170-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1144077
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    polkit-default-privs-13.2-lp150.8.28.1, rpmlint-mini-1.10-lp150.15.1
Comment 9 Matthias Gerstner 2019-10-31 12:10:10 UTC
The whitelisting should be through by now, so closing this bug.