debian/changelog

-libvirt (5.3.0-1~2.gbp6ef599) UNRELEASED; urgency=medium
+libvirt (5.6.0-1) unstable; urgency=medium
 
-  ** SNAPSHOT build @6ef59955262b2219b9ab4e5ce1d1cb89248c316f **
+  * Team upload.
 
   [ Guido Günther ]
   * [fb43676] d/control: Drop dh-autoreconf build-dep
   * [81d21d5] d/not-installed: Use multi-arch dirs
-  * [641e532] New upstream version 5.3.0
   * [07d5669] New upstream version 5.6.0
+    Fixes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091,
+    CVE-2019-10132
+    (Closes: #915107, #931243, #929334)
+  * [9f38a9e] apparmor: Allow run pygrub
+    (Closes: #931768)
+  * Acknowledge NMU. Thanks Jonathan Wiltshire
 
   [ Christian Ehrhardt ]
   * [c28c3b3] d/libvirt0.install: install translations
@@ -21,16 +26,23 @@ libvirt (5.3.0-1~2.gbp6ef599) UNRELEASED; urgency=medium
   * [eda89b2] d/no-installed, d/libvirt-doc.docs: do not install fonts
   * [ab67a28] d/copyright: add license for docs/fonts/
   * [2e222a2] d/rules: strip symbolic-functions linker option
-  * [39b658c] Revert "d/libvirt-daemon-system.install: ship libxl-sanlock.conf"
-  * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being enabled
+  * [39b658c] Revert "d/libvirt-daemon-system.install: ship
+    libxl-sanlock.conf"
+  * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being
+    enabled
 
   [ Andrea Bolognani ]
   * [6a2eae3] Simplify and improve watch file
-  * [baef715] Rediff patches
   * [82a1edc] Bump symbol versions
   * [73fccd9] Specify --doc-main-package for dh_installdocs
-
- -- Guido Günther <agx@sigxcpu.org>  Wed, 14 Aug 2019 08:30:07 +0200
+  * [d48fdf6] Rediff patches
+  * [3b16c86] Bump symbol versions
+  * [48c9b75] Drop Avahi support
+  * [a49de91] Fix AppArmor profile for virt-aa-helper
+  * [b8e92da] Disable libvirtd socket activation
+  * [73d1e8c] Install kbase articles
+
+ -- Andrea Bolognani <eof@kiyuko.org>  Sun, 25 Aug 2019 16:32:31 +0200
 
 libvirt (5.2.0-2) experimental; urgency=medium
 

debian/control

@@ -13,7 +13,6 @@ Build-Depends:
  zlib1g-dev,
  libgcrypt20-dev,
  libgnutls28-dev,
- libavahi-client-dev,
  libsasl2-dev,
  libxen-dev (>= 4.3) [i386 amd64 armhf arm64],
  lvm2 [linux-any],
@@ -202,7 +201,7 @@ Suggests:
  systemd,
  systemtap,
  zfsutils,
-Breaks: avahi-daemon (<< 0.6.31-3~),
+Breaks:
  systemd-sysv (<< 224-1~)
 Description: Libvirt daemon configuration files
  Libvirt is a C toolkit to interact with the virtualization capabilities

debian/libvirt-daemon-system.libvirtd.init

@@ -9,8 +9,8 @@
 # Provides:          libvirtd
 # Required-Start:    $network $local_fs $remote_fs $syslog virtlogd
 # Required-Stop:     $local_fs $remote_fs $syslog virtlogd
-# Should-Start:      avahi-daemon cgconfig
-# Should-Stop:       avahi-daemon cgconfig
+# Should-Start:      cgconfig
+# Should-Stop:       cgconfig
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: libvirt management daemon

debian/libvirt-doc.docs

@@ -7,5 +7,6 @@ docs/*.css
 docs/html/
 docs/devhelp/
 docs/internals/
+docs/kbase/
 docs/logos/
 examples/

debian/libvirt0.symbols

@@ -119,8 +119,9 @@ libvirt.so.0 libvirt0 #MINVER#
  *@LIBVIRT_4.10.0 4.10.0
  *@LIBVIRT_5.0.0 5.0.0
  *@LIBVIRT_5.2.0 5.2.0~rc1
- *@LIBVIRT_5.3.0 5.3.0
- *@LIBVIRT_PRIVATE_5.3.0 5.3.0
+ *@LIBVIRT_5.5.0 5.6.0
+ *@LIBVIRT_5.6.0 5.6.0
+ *@LIBVIRT_PRIVATE_5.6.0 5.6.0
 
 libvirt-qemu.so.0 libvirt0 #MINVER#
  *@LIBVIRT_QEMU_0.8.3 0.8.3
@@ -142,4 +143,4 @@ libvirt-admin.so.0 libvirt0 #MINVER#
  *@LIBVIRT_ADMIN_1.3.0 1.2.18
  *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1
  *@LIBVIRT_ADMIN_3.0.0 3.0.0
- *@LIBVIRT_ADMIN_PRIVATE_5.3.0 5.3.0
+ *@LIBVIRT_ADMIN_PRIVATE_5.6.0 5.6.0

debian/patches/Include-etc-pki-qemu-in-apparmor.patch

@@ -12,10 +12,10 @@ Closes: #930100
  1 file changed, 2 insertions(+)
 
 diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
-index eaa5167..0659cda 100644
+index d33348a..95e8e98 100644
 --- a/src/security/apparmor/libvirt-qemu
 +++ b/src/security/apparmor/libvirt-qemu
-@@ -93,6 +93,8 @@
+@@ -94,6 +94,8 @@
    /etc/pki/CA/* r,
    /etc/pki/libvirt{,-spice,-vnc}/ r,
    /etc/pki/libvirt{,-spice,-vnc}/** r,

debian/patches/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch

@@ -13,10 +13,10 @@ require the 'TERM' environment variable to be set to the terminal type.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index bfa1952..bbc70e2 100644
+index 3282bc0..f448001 100644
 --- a/src/rpc/virnetsocket.c
 +++ b/src/rpc/virnetsocket.c
-@@ -844,6 +844,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
+@@ -876,6 +876,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
      virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
      virCommandAddEnvPassBlockSUID(cmd, "SSH_AUTH_SOCK", NULL);
      virCommandAddEnvPassBlockSUID(cmd, "SSH_ASKPASS", NULL);

debian/patches/Reduce-udevadm-settle-timeout-to-10-seconds.patch

@@ -10,15 +10,15 @@ Closes: #663931
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/util/virutil.c b/src/util/virutil.c
-index e5917d3..e24b5c3 100644
+index 84ccc1a..a9b1f04 100644
 --- a/src/util/virutil.c
 +++ b/src/util/virutil.c
-@@ -1483,7 +1483,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
- void virWaitForDevices(void)
- {
- # ifdef UDEVADM
--    const char *const settleprog[] = { UDEVADM, "settle", NULL };
-+    const char *const settleprog[] = { UDEVADM, "settle", "--timeout=10", NULL };
- # else
-     const char *const settleprog[] = { UDEVSETTLE, NULL };
- # endif
+@@ -1488,7 +1488,7 @@ void virWaitForDevices(void)
+     if (!(udev = virFindFileInPath(UDEVADM)))
+         return;
+ 
+-    if (!(cmd = virCommandNewArgList(udev, "settle", NULL)))
++    if (!(cmd = virCommandNewArgList(udev, "settle", "--timeout=10", NULL)))
+         return;
+ 
+     /*

debian/patches/apparmor-Allow-run-pygrub.patch

+From: Tobias Wolter <towo@b1-systems.de>
+Date: Wed, 21 Aug 2019 10:27:05 +0200
+Subject: apparmor: Allow run pygrub
+
+---
+ src/security/apparmor/usr.sbin.libvirtd | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd
+index a66452b..67d5d3c 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd
++++ b/src/security/apparmor/usr.sbin.libvirtd
+@@ -87,6 +87,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+   /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+   /usr/{lib,lib64}/xen/bin/* Ux,
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
++  /usr/lib/xen-*/bin/pygrub PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.

debian/patches/apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch

@@ -8,7 +8,7 @@ Closes: #882979
  1 file changed, 1 insertion(+)
 
 diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-index 3c61f0f..2d43057 100644
+index 577fc77..ee02744 100644
 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 @@ -3,6 +3,7 @@

debian/patches/debian/Debianize-systemd-service-files.patch

@@ -8,17 +8,21 @@ Subject: Debianize systemd service files
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
-index 7f689e0..d57690c 100644
+index 3ddf0e2..143dd7f 100644
 --- a/src/remote/libvirtd.service.in
 +++ b/src/remote/libvirtd.service.in
-@@ -22,8 +22,8 @@ Documentation=https://libvirt.org
+@@ -20,12 +20,12 @@ Documentation=https://libvirt.org
  
  [Service]
  Type=notify
 -EnvironmentFile=-/etc/sysconfig/libvirtd
--ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
 +EnvironmentFile=-/etc/default/libvirtd
-+ExecStart=@sbindir@/libvirtd $libvirtd_opts
+ # libvirtd.service is set to run on boot so that autostart of
+ # VMs can be performed. We don't want it to stick around if
+ # unused though, so we set a timeout. The socket activation
+ # then ensures it gets started again if anything needs it
+-ExecStart=@sbindir@/libvirtd --timeout 120 $LIBVIRTD_ARGS
++ExecStart=@sbindir@/libvirtd --timeout 120 $libvirtd_opts
  ExecReload=/bin/kill -HUP $MAINPID
  KillMode=process
  Restart=on-failure

debian/patches/debian/Disable-libvirtd-socket-activation.patch

+From: Andrea Bolognani <eof@kiyuko.org>
+Date: Sat, 24 Aug 2019 18:00:00 +0200
+Subject: debian: Disable libvirtd socket activation
+
+It's currently broken upstream.
+---
+ src/remote/libvirtd.service.in | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 143dd7f..0fc50dc 100644
+--- a/src/remote/libvirtd.service.in
++++ b/src/remote/libvirtd.service.in
+@@ -2,9 +2,6 @@
+ Description=Virtualization daemon
+ Requires=virtlogd.socket
+ Requires=virtlockd.socket
+-Requires=libvirtd.socket
+-Requires=libvirtd-ro.socket
+-Requires=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
+@@ -44,5 +41,3 @@ TasksMax=32768
+ WantedBy=multi-user.target
+ Also=virtlockd.socket
+ Also=virtlogd.socket
+-Also=libvirtd.socket
+-Also=libvirtd-ro.socket

debian/patches/debian/Don-t-enable-default-network-on-boot.patch

@@ -9,10 +9,10 @@ to not interfere with existing network configurations
  2 files changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index 99217f9..e9e5ee0 100644
+index 9a215e4..ace56ba 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13426,8 +13426,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -14837,8 +14837,7 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_NETWORK_TRUE@	      $(DESTDIR)$(confdir)/qemu/networks/default.xml && \
  @WITH_NETWORK_TRUE@	    rm $(DESTDIR)$(confdir)/qemu/networks/default.xml.t; }
  @WITH_NETWORK_TRUE@	( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
@@ -23,7 +23,7 @@ index 99217f9..e9e5ee0 100644
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	$(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
  @WITH_FIREWALLD_ZONE_TRUE@@WITH_NETWORK_TRUE@	  $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
 diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
-index 3fed59c..13ae858 100644
+index 23cf39b..ca516c3 100644
 --- a/src/network/Makefile.inc.am
 +++ b/src/network/Makefile.inc.am
 @@ -87,8 +87,7 @@ install-data-network:

debian/patches/debian/Prefer-sbin-over-usr-sbin.patch

@@ -11,7 +11,7 @@ Closes: #895145
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index dcd78f6..1b77c97 100644
+index d18d427..9fe0aea 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -116,7 +116,7 @@ then

debian/patches/debian/Use-upstreams-polkit-rule.patch

@@ -9,10 +9,10 @@ As of 1.2.16 upstream ships a Polkit rule like Debian does.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/src/Makefile.in b/src/Makefile.in
-index e9e5ee0..c780453 100644
+index ace56ba..6721f99 100644
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -13475,12 +13475,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
+@@ -14886,12 +14886,12 @@ lxc/lxc_controller_dispatch.h: $(srcdir)/rpc/gendispatch.pl \
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  @WITH_LIBVIRTD_TRUE@@WITH_POLKIT_TRUE@	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \
@@ -28,10 +28,10 @@ index e9e5ee0..c780453 100644
  
  .PHONY: \
 diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
-index 0671424..9e7227d 100644
+index 0cf00cb..75b7290 100644
 --- a/src/remote/Makefile.inc.am
 +++ b/src/remote/Makefile.inc.am
-@@ -221,12 +221,12 @@ install-polkit:
+@@ -226,12 +226,12 @@ install-polkit:
  		$(DESTDIR)$(polkitactionsdir)/org.libvirt.unix.policy
  	$(MKDIR_P) $(DESTDIR)$(polkitrulesdir)
  	$(INSTALL_DATA) $(srcdir)/remote/libvirtd.rules \

debian/patches/debian/apparmor_profiles_local_include.patch

@@ -9,10 +9,10 @@ Include local apparmor profile
  2 files changed, 4 insertions(+)
 
 diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-index 78994bc..3c61f0f 100644
+index bf6bd29..577fc77 100644
 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
 +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
-@@ -66,5 +66,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+@@ -67,5 +67,6 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
    /**.[iI][sS][oO] r,
    /**/disk{,.*} r,
  

debian/patches/series

@@ -15,3 +15,7 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 debian/Prefer-sbin-over-usr-sbin.patch
 Include-etc-pki-qemu-in-apparmor.patch
+virt-aa-helper-Fix-AppArmor-profile.patch
+virt-aa-helper-Actually-fix-AppArmor-profile.patch
+debian/Disable-libvirtd-socket-activation.patch
+apparmor-Allow-run-pygrub.patch

debian/patches/virt-aa-helper-Actually-fix-AppArmor-profile.patch

+From: Andrea Bolognani <abologna@redhat.com>
+Date: Tue, 20 Aug 2019 09:54:12 +0200
+Subject: virt-aa-helper: Actually fix AppArmor profile
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Tried previously in
+
+  commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823
+  Author: Andrea Bolognani <abologna@redhat.com>
+  Date:   Mon Aug 19 10:23:42 2019 +0200
+
+    virt-aa-helper: Fix AppArmor profile
+
+  v5.6.0-243-gb1eb8b3e8f
+
+with somewhat disappointing results.
+
+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 9c2446ed4a81450f6482f259f9a0cf720cb0e423)
+---
+ src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+index 8a9a1f3..85ed370 100644
+--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -19,8 +19,8 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+   @{PROC}/filesystems r,
+ 
+   # Used when internally running another command (namely apparmor_parser)
+-  @{PROC}/self/fd r,
+-  @{PROC}/@{pid}/fd r,
++  @{PROC}/self/fd/ r,
++  @{PROC}/@{pid}/fd/ r,
+ 
+   /etc/libnl-3/classid r,
+ 

debian/patches/virt-aa-helper-Fix-AppArmor-profile.patch

+From: Andrea Bolognani <abologna@redhat.com>
+Date: Mon, 19 Aug 2019 10:23:42 +0200
+Subject: virt-aa-helper: Fix AppArmor profile
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Since
+
+  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
+  Author: Michal Privoznik <mprivozn@redhat.com>
+  Date:   Tue Jul 2 19:49:51 2019 +0200
+
+    virCommand: use procfs to learn opened FDs
+
+    When spawning a child process, between fork() and exec() we close
+    all file descriptors and keep only those the caller wants us to
+    pass onto the child. The problem is how we do that. Currently, we
+    get the limit of opened files and then iterate through each one
+    of them and either close() it or make it survive exec(). This
+    approach is suboptimal (although, not that much in default
+    configurations where the limit is pretty low - 1024). We have
+    /proc where we can learn what FDs we hold open and thus we can
+    selectively close only those.
+
+    Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+    Reviewed-by: Ján Tomko <jtomko@redhat.com>
+
+  v5.5.0-173-g432faf259b
+
+programs using the virCommand APIs on Linux need read access to
+/proc/self/fd, or they will fail like
+
+  error : virCommandWait:2796 : internal error: Child process
+  (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c
+   -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit
+  status 1: libvirt:  error : cannot open directory '/proc/self/fd':
+  Permission denied
+  virt-aa-helper: error: apparmor_parser exited with error
+
+Update the AppArmor profile for virt-aa-helper so that read access
+to the relevant path is granted.
+
+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit b1eb8b3e8fd1d4cb1da8e5e2b16f2c10837fd823)
+---
+ src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+index ee02744..8a9a1f3 100644
+--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -18,6 +18,10 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+   owner @{PROC}/[0-9]*/status r,
+   @{PROC}/filesystems r,
+ 
++  # Used when internally running another command (namely apparmor_parser)
++  @{PROC}/self/fd r,
++  @{PROC}/@{pid}/fd r,
++
+   /etc/libnl-3/classid r,
+ 
+   # for gl enabled graphics

debian/rules

@@ -100,7 +100,6 @@ DEB_CONFIGURE_EXTRA_ARGS :=      \
 	--with-qemu-user=libvirt-qemu  \
 	--with-qemu-group=libvirt-qemu \
 	$(WITH_OPENVZ)		 \
-	--with-avahi             \
 	--with-sasl              \
 	--with-yajl              \
 	--with-ssh2		 \
@@ -189,6 +188,10 @@ override_dh_install-arch:
 	cp debian/polkit/60-libvirt.pkla \
 	    debian/libvirt-daemon-system/var/lib/polkit-1/localauthority/10-vendor.d/
 ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
+	# Socket activation for libvirtd is currently broken. Fixes are being
+	# worked on upstream, but until they are in place it's much better for
+	# us to pretend the feature doesn't exist at all
+	rm -f debian/tmp/usr/lib/systemd/system/libvirtd*.socket
 	# Linux supports more nice things:
 	dh_install -p libvirt-daemon-system usr/lib/systemd/system lib/systemd/
 	dh_install -p libvirt-daemon-system usr/lib/libvirt/virt-aa-helper