Fix USB devices by product with security enabled (bz 574136)

Set kernel/initrd in security driver, fixes some URL installs (bz 566425)

.cvsignore

@@ -8,3 +8,11 @@ libvirt-0.6.1.tar.gz
 libvirt-0.6.2.tar.gz
 libvirt-0.6.3.tar.gz
 libvirt-0.6.4.tar.gz
+libvirt-0.6.5.tar.gz
+libvirt-0.7.0.tar.gz
+libvirt-0.7.1.tar.gz
+libvirt-0.7.2.tar.gz
+libvirt-0.7.3.tar.gz
+libvirt-0.7.4.tar.gz
+libvirt-0.7.5.tar.gz
+libvirt-0.7.6.tar.gz

Makefile

@@ -4,7 +4,7 @@ NAME := libvirt
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

branch

@@ -0,0 +1 @@
+F-13

libvirt-0.6.4-do-not-unnecessarily-try-to-change-a-file-context.patch

@@ -1,47 +0,0 @@
-From ae4523336ac06e3ff7cc7b416fad9e57998c6b54 Mon Sep 17 00:00:00 2001
-From: Tim Waugh <twaugh@redhat.com>
-Date: Fri, 3 Jul 2009 10:29:01 +0100
-Subject: [PATCH 2/3] Don't unnecessarily try to change a file context
-
-As pointed out by Tim Waugh here:
-
-  https://bugzilla.redhat.com/507555
-
-We shouldn't bother trying to set the context of a file if it already
-matches what we want.
-
-(Fixed to use STREQ() and not use tabs, as pointed out by danpb)
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
----
- src/security_selinux.c |   11 ++++++++++-
- 1 files changed, 10 insertions(+), 1 deletions(-)
-
-diff --git a/src/security_selinux.c b/src/security_selinux.c
-index db1c27d..c2015a1 100644
---- a/src/security_selinux.c
-+++ b/src/security_selinux.c
-@@ -280,10 +280,19 @@ static int
- SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
- {
-     char ebuf[1024];
-+    security_context_t econ;
- 
-     VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
- 
--    if(setfilecon(path, tcon) < 0) {
-+    if (setfilecon(path, tcon) < 0) {
-+        if (getfilecon(path, &econ) >= 0) {
-+            if (STREQ(tcon, econ)) {
-+                freecon(econ);
-+                /* It's alright, there's nothing to change anyway. */
-+                return 0;
-+            }
-+            freecon(econ);
-+        }
-         virSecurityReportError(conn, VIR_ERR_ERROR,
-                                _("%s: unable to set security context "
-                                  "'\%s\' on %s: %s."), __func__,
--- 
-1.6.2.5
-

libvirt-0.6.4-fix-libvirtd-crash-with-bad-capabilities-data.patch

@@ -1,130 +0,0 @@
-From 80965bff6d46dea1808c8bbf02f50f0e289a0e65 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Mon, 29 Jun 2009 10:41:56 +0000
-Subject: [PATCH] Fix crash in QEMU driver with bad capabilities data
-
----
- src/qemu_driver.c |   80 +++++++++++++++++++++++++++++++++++-----------------
- 1 files changed, 54 insertions(+), 26 deletions(-)
-
-diff -up libvirt-0.6.2/src/qemu_driver.c.bad-caps libvirt-0.6.2/src/qemu_driver.c
---- libvirt-0.6.2/src/qemu_driver.c.bad-caps	2009-07-03 10:07:03.275252815 +0100
-+++ libvirt-0.6.2/src/qemu_driver.c	2009-07-03 10:08:52.143502961 +0100
-@@ -360,12 +360,43 @@ next:
-     return 0;
- }
- 
-+
-+static int
-+qemudSecurityCapsInit(virSecurityDriverPtr secdrv,
-+                      virCapsPtr caps)
-+{
-+    const char *doi, *model;
-+
-+    doi = virSecurityDriverGetDOI(secdrv);
-+    model = virSecurityDriverGetModel(secdrv);
-+
-+    caps->host.secModel.model = strdup(model);
-+    if (!caps->host.secModel.model) {
-+        char ebuf[1024];
-+        VIR_ERROR(_("Failed to copy secModel model: %s"),
-+                  virStrerror(errno, ebuf, sizeof ebuf));
-+        return -1;
-+    }
-+
-+    caps->host.secModel.doi = strdup(doi);
-+    if (!caps->host.secModel.doi) {
-+        char ebuf[1024];
-+        VIR_ERROR(_("Failed to copy secModel DOI: %s"),
-+                  virStrerror(errno, ebuf, sizeof ebuf));
-+        return -1;
-+    }
-+
-+    VIR_DEBUG("Initialized caps for security driver \"%s\" with "
-+              "DOI \"%s\"", model, doi);
-+
-+    return 0;
-+}
-+
-+
- static int
- qemudSecurityInit(struct qemud_driver *qemud_drv)
- {
-     int ret;
--    const char *doi, *model;
--    virCapsPtr caps;
-     virSecurityDriverPtr security_drv;
- 
-     ret = virSecurityDriverStartup(&security_drv,
-@@ -381,36 +412,17 @@ qemudSecurityInit(struct qemud_driver *q
-     }
- 
-     qemud_drv->securityDriver = security_drv;
--    doi = virSecurityDriverGetDOI(security_drv);
--    model = virSecurityDriverGetModel(security_drv);
- 
--    VIR_DEBUG("Initialized security driver \"%s\" with "
--              "DOI \"%s\"", model, doi);
-+    VIR_INFO("Initialized security driver %s", security_drv->name);
- 
-     /*
-      * Add security policy host caps now that the security driver is
-      * initialized.
-      */
--    caps = qemud_drv->caps;
--
--    caps->host.secModel.model = strdup(model);
--    if (!caps->host.secModel.model) {
--        char ebuf[1024];
--        VIR_ERROR(_("Failed to copy secModel model: %s"),
--                  virStrerror(errno, ebuf, sizeof ebuf));
--        return -1;
--    }
-+    return qemudSecurityCapsInit(security_drv, qemud_drv->caps);
-+}
- 
--    caps->host.secModel.doi = strdup(doi);
--    if (!caps->host.secModel.doi) {
--        char ebuf[1024];
--        VIR_ERROR(_("Failed to copy secModel DOI: %s"),
--                  virStrerror(errno, ebuf, sizeof ebuf));
--        return -1;
--    }
- 
--    return 0;
--}
- 
- /**
-  * qemudStartup:
-@@ -1852,13 +1864,29 @@ static int qemudGetNodeInfo(virConnectPt
- 
- static char *qemudGetCapabilities(virConnectPtr conn) {
-     struct qemud_driver *driver = conn->privateData;
-+    virCapsPtr caps;
-     char *xml = NULL;
- 
-     qemuDriverLock(driver);
-+    if ((caps = qemudCapsInit()) == NULL) {
-+        virReportOOMError(conn);
-+        goto cleanup;
-+    }
-+
-+    if (qemu_driver->securityDriver &&
-+        qemudSecurityCapsInit(qemu_driver->securityDriver, caps) < 0) {
-+        virCapabilitiesFree(caps);
-+        virReportOOMError(conn);
-+        goto cleanup;
-+    }
-+
-     virCapabilitiesFree(qemu_driver->caps);
--    if ((qemu_driver->caps = qemudCapsInit()) == NULL ||
--        (xml = virCapabilitiesFormatXML(driver->caps)) == NULL)
-+    qemu_driver->caps = caps;
-+
-+    if ((xml = virCapabilitiesFormatXML(driver->caps)) == NULL)
-         virReportOOMError(conn);
-+
-+cleanup:
-     qemuDriverUnlock(driver);
- 
-     return xml;

libvirt-0.6.4-fix-nosource-label.patch

@@ -1,35 +0,0 @@
-From 06f607a9c5cfd50433ae27cc7729c31f81d87f19 Mon Sep 17 00:00:00 2001
-From: Cole Robinson <crobinso@redhat.com>
-Date: Fri, 3 Jul 2009 10:40:55 +0100
-Subject: [PATCH 3/3] Skip labelling if no src path present
-
-Fixes startup of guest's with sourceless cdrom devices.
-
-Patch originall posted here:
-
-  https://bugzilla.redhat.com/499569
-
-but never sent upstream.
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
----
- src/security_selinux.c |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/src/security_selinux.c b/src/security_selinux.c
-index c2015a1..eb8d308 100644
---- a/src/security_selinux.c
-+++ b/src/security_selinux.c
-@@ -342,6 +342,9 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
- {
-     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- 
-+    if (!disk->src)
-+        return 0;
-+
-     if (disk->shared) {
-         return SELinuxSetFilecon(conn, disk->src, default_image_context);
-     } else if (disk->readonly) {
--- 
-1.6.2.5
-

libvirt-0.6.4-shared-readonly-label.patch

@@ -1,97 +0,0 @@
-From e700e17c3989d32e04ef98c63ac9b9414fefb366 Mon Sep 17 00:00:00 2001
-From: Daniel P. Berrange <berrange@redhat.com>
-Date: Fri, 3 Jul 2009 10:24:50 +0100
-Subject: [PATCH 1/3] Re-label shared and readonly images
-
-This patch was posted ages ago here:
-
-  https://bugzilla.redhat.com/493692
-
-But was never posted upstream AFAICT.
-
-Signed-off-by: Mark McLoughlin <markmc@redhat.com>
----
- src/security_selinux.c |   27 +++++++++++++++++----------
- 1 files changed, 17 insertions(+), 10 deletions(-)
-
-diff --git a/src/security_selinux.c b/src/security_selinux.c
-index ac317d7..db1c27d 100644
---- a/src/security_selinux.c
-+++ b/src/security_selinux.c
-@@ -24,11 +24,12 @@
- #include "virterror_internal.h"
- #include "util.h"
- #include "memory.h"
--
-+#include "logging.h"
- 
- #define VIR_FROM_THIS VIR_FROM_SECURITY
- 
- static char default_domain_context[1024];
-+static char default_content_context[1024];
- static char default_image_context[1024];
- #define SECURITY_SELINUX_VOID_DOI       "0"
- #define SECURITY_SELINUX_NAME "selinux"
-@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
-     close(fd);
- 
-     ptr = strchrnul(default_image_context, '\n');
--    *ptr = '\0';
--
-+    if (*ptr == '\n') {
-+        *ptr = '\0';
-+        strcpy(default_content_context, ptr+1);
-+        ptr = strchrnul(default_content_context, '\n');
-+        if (*ptr == '\n')
-+            *ptr = '\0';
-+    }
-     return 0;
- }
- 
-@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
- {
-     char ebuf[1024];
- 
-+    VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
-+
-     if(setfilecon(path, tcon) < 0) {
-         virSecurityReportError(conn, VIR_ERR_ERROR,
-                                _("%s: unable to set security context "
-@@ -299,9 +307,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
-     char *newpath = NULL;
-     const char *path = disk->src;
- 
--    if (disk->readonly || disk->shared)
--        return 0;
--
-     if ((err = virFileResolveLink(path, &newpath)) < 0) {
-         virReportSystemError(conn, err,
-                              _("cannot resolve symlink %s"), path);
-@@ -328,8 +333,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
- {
-     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- 
--    if (secdef->imagelabel)
-+    if (disk->shared) {
-+        return SELinuxSetFilecon(conn, disk->src, default_image_context);
-+    } else if (disk->readonly) {
-+        return SELinuxSetFilecon(conn, disk->src, default_content_context);
-+    } else if (secdef->imagelabel) {
-         return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
-+    }
- 
-     return 0;
- }
-@@ -403,9 +413,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
- 
-     if (secdef->imagelabel) {
-         for (i = 0 ; i < vm->def->ndisks ; i++) {
--            if (vm->def->disks[i]->readonly ||
--                vm->def->disks[i]->shared) continue;
--
-             if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
-                 return -1;
-         }
--- 
-1.6.2.5
-

libvirt-0.6.4-svirt-sound.patch

@@ -1,33 +0,0 @@
---- src/qemu_conf.c.orig	2009-05-29 19:24:59.000000000 +0200
-+++ src/qemu_conf.c	2009-05-29 19:19:39.000000000 +0200
-@@ -792,6 +792,20 @@ int qemudBuildCommandLine(virConnectPtr 
-     char uuid[VIR_UUID_STRING_BUFLEN];
-     char domid[50];
-     const char *cpu = NULL;
-+    int skipSound = 0;
-+
-+    if (driver->securityDriver &&
-+        driver->securityDriver->name &&
-+        STREQ(driver->securityDriver->name, "selinux") &&
-+        getuid() == 0) {
-+        static int soundWarned = 0; 
-+        skipSound = 1;
-+        if (def->nsounds &&
-+            !soundWarned) {
-+            soundWarned = 1;
-+            VIR_WARN0("Sound cards for VMs are disabled while SELinux security model is active");
-+        }
-+    }
- 
-     uname_normalize(&ut);
- 
-@@ -1429,7 +1443,8 @@ int qemudBuildCommandLine(virConnectPtr 
-     }
- 
-     /* Add sound hardware */
--    if (def->nsounds) {
-+    if (def->nsounds &&
-+        !skipSound) {
-         int size = 100;
-         char *modstr;
-         if (VIR_ALLOC_N(modstr, size+1) < 0)

libvirt-0.7.7-fix-usb-product.patch

@@ -0,0 +1,233 @@
+From 3a441522017aa9c1b8b54d2ce4569d0f0d96fa72 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 12:36:56 -0500
+Subject: [PATCH] qemu: Add some debugging at domain startup
+
+---
+ src/qemu/qemu_driver.c |   24 +++++++++++++++++++++++-
+ 1 files changed, 23 insertions(+), 1 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index f8ab545..040d645 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2695,6 +2695,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ 
+     FD_ZERO(&keepfd);
+ 
++    DEBUG0("Beginning VM startup process");
++
+     if (virDomainObjIsActive(vm)) {
+         qemuReportError(VIR_ERR_OPERATION_INVALID,
+                         "%s", _("VM is already active"));
+@@ -2703,22 +2705,27 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ 
+     /* If you are using a SecurityDriver with dynamic labelling,
+        then generate a security label for isolation */
++    DEBUG0("Generating domain security label (if required)");
+     if (driver->securityDriver &&
+         driver->securityDriver->domainGenSecurityLabel &&
+         driver->securityDriver->domainGenSecurityLabel(vm) < 0)
+         return -1;
+ 
++    DEBUG0("Generating setting domain security labels (if required)");
+     if (driver->securityDriver &&
+         driver->securityDriver->domainSetSecurityAllLabel &&
+         driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
+         goto cleanup;
+ 
+-    /* Ensure no historical cgroup for this VM is lieing around bogus settings */
++    /* Ensure no historical cgroup for this VM is lying around bogus
++     * settings */
++    DEBUG0("Ensuring no historical cgroup is lying around");
+     qemuRemoveCgroup(driver, vm, 1);
+ 
+     if ((vm->def->ngraphics == 1) &&
+         vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
+         vm->def->graphics[0]->data.vnc.autoport) {
++        DEBUG0("Determining VNC port");
+         int port = qemudNextFreeVNCPort(driver);
+         if (port < 0) {
+             qemuReportError(VIR_ERR_INTERNAL_ERROR,
+@@ -2735,6 +2742,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+         goto cleanup;
+     }
+ 
++    DEBUG0("Creating domain log file");
+     if ((logfile = qemudLogFD(driver, vm->def->name)) < 0)
+         goto cleanup;
+ 
+@@ -2751,14 +2759,17 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+         goto cleanup;
+     }
+ 
++    DEBUG0("Determing emulator version");
+     if (qemudExtractVersionInfo(emulator,
+                                 NULL,
+                                 &qemuCmdFlags) < 0)
+         goto cleanup;
+ 
++    DEBUG0("Setting up domain cgroup (if required)");
+     if (qemuSetupCgroup(driver, vm) < 0)
+         goto cleanup;
+ 
++    DEBUG0("Preparing host devices");
+     if (qemuPrepareHostDevices(driver, vm->def) < 0)
+         goto cleanup;
+ 
+@@ -2767,6 +2778,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+         goto cleanup;
+     }
+ 
++    DEBUG0("Preparing monitor state");
+     if (qemuPrepareMonitorChr(driver, priv->monConfig, vm->def->name) < 0)
+         goto cleanup;
+ 
+@@ -2798,6 +2810,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+      * use in hotplug
+      */
+     if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
++        DEBUG0("Assigning domain PCI addresses");
+         /* Populate cache with current addresses */
+         if (priv->pciaddrs) {
+             qemuDomainPCIAddressSetFree(priv->pciaddrs);
+@@ -2816,6 +2829,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+         priv->persistentAddrs = 0;
+     }
+ 
++    DEBUG0("Building emulator command line");
+     vm->def->id = driver->nextvmid++;
+     if (qemudBuildCommandLine(conn, driver, vm->def, priv->monConfig,
+                               priv->monJSON, qemuCmdFlags, &argv, &progenv,
+@@ -2899,25 +2913,31 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+     if (ret == -1) /* The VM failed to start */
+         goto cleanup;
+ 
++    DEBUG0("Waiting for monitor to show up");
+     if (qemudWaitForMonitor(driver, vm, pos) < 0)
+         goto abort;
+ 
++    DEBUG0("Detecting VCPU PIDs");
+     if (qemuDetectVcpuPIDs(driver, vm) < 0)
+         goto abort;
+ 
++    DEBUG0("Setting CPU affinity");
+     if (qemudInitCpuAffinity(vm) < 0)
+         goto abort;
+ 
++    DEBUG0("Setting any required VM passwords");
+     if (qemuInitPasswords(conn, driver, vm, qemuCmdFlags) < 0)
+         goto abort;
+ 
+     /* If we have -device, then addresses are assigned explicitly.
+      * If not, then we have to detect dynamic ones here */
+     if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
++        DEBUG0("Determining domain device PCI addresses");
+         if (qemuInitPCIAddresses(driver, vm) < 0)
+             goto abort;
+     }
+ 
++    DEBUG0("Setting initial memory amount");
+     qemuDomainObjEnterMonitorWithDriver(driver, vm);
+     if (qemuMonitorSetBalloon(priv->mon, vm->def->memory) < 0) {
+         qemuDomainObjExitMonitorWithDriver(driver, vm);
+@@ -2925,6 +2945,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+     }
+ 
+     if (migrateFrom == NULL) {
++        DEBUG0("Starting domain CPUs");
+         /* Allow the CPUS to start executing */
+         if (qemuMonitorStartCPUs(priv->mon, conn) < 0) {
+             if (virGetLastError() == NULL)
+@@ -2937,6 +2958,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+     qemuDomainObjExitMonitorWithDriver(driver, vm);
+ 
+ 
++    DEBUG0("Writing domain status to disk");
+     if (virDomainSaveStatus(driver->caps, driver->stateDir, vm) < 0)
+         goto abort;
+ 
+-- 
+1.6.6.1
+
+From 6d5c8a8f51db8ce97ab35ab6022dd5c94ab016b4 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 12:37:52 -0500
+Subject: [PATCH] qemu: Fix USB by product with security enabled
+
+We need to call PrepareHostdevs to determine the USB device path before
+any security calls. PrepareHostUSBDevices was also incorrectly skipping
+all USB devices.
+---
+ src/qemu/qemu_driver.c |   11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 040d645..b17d26d 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2360,7 +2360,7 @@ qemuPrepareHostUSBDevices(struct qemud_driver *driver ATTRIBUTE_UNUSED,
+ 
+         if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
+             continue;
+-        if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI)
++        if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
+             continue;
+ 
+         /* Resolve a vendor/product to bus/device */
+@@ -2703,6 +2703,11 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+         return -1;
+     }
+ 
++    /* Must be run before security labelling */
++    DEBUG0("Preparing host devices");
++    if (qemuPrepareHostDevices(driver, vm->def) < 0)
++        goto cleanup;
++
+     /* If you are using a SecurityDriver with dynamic labelling,
+        then generate a security label for isolation */
+     DEBUG0("Generating domain security label (if required)");
+@@ -2769,10 +2774,6 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+     if (qemuSetupCgroup(driver, vm) < 0)
+         goto cleanup;
+ 
+-    DEBUG0("Preparing host devices");
+-    if (qemuPrepareHostDevices(driver, vm->def) < 0)
+-        goto cleanup;
+-
+     if (VIR_ALLOC(priv->monConfig) < 0) {
+         virReportOOMError();
+         goto cleanup;
+-- 
+1.6.6.1
+
+From 65e97240e6e4606820dd1c42ac172319e0af4d8d Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 22 Mar 2010 10:45:36 -0400
+Subject: [PATCH] security: selinux: Fix crash when releasing non-existent label
+
+This can be triggered by the qemuStartVMDaemon cleanup path if a
+VM references a non-existent USB device (by product) in the XML.
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/security/security_selinux.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 975b315..6680e2d 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -632,7 +632,8 @@ SELinuxReleaseSecurityLabel(virDomainObjPtr vm)
+ {
+     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ 
+-    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
++    if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC ||
++        secdef->label == NULL)
+         return 0;
+ 
+     context_t con = context_new(secdef->label);
+-- 
+1.6.6.1
+

libvirt-0.7.7-set-kernel-perms.patch

@@ -0,0 +1,87 @@
+From 3f1aa08af6580c215d973bc6bf57f505dbf8b926 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 13:38:39 -0500
+Subject: [PATCH] security: Set permissions for kernel/initrd
+
+Fixes URL installs when running virt-install as root on Fedora.
+---
+ src/qemu/qemu_security_dac.c    |   21 +++++++++++++++++++++
+ src/security/security_selinux.c |   16 ++++++++++++++++
+ 2 files changed, 37 insertions(+), 0 deletions(-)
+
+diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
+index 6911f48..1883fbe 100644
+--- a/src/qemu/qemu_security_dac.c
++++ b/src/qemu/qemu_security_dac.c
+@@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
+                                                      vm->def->disks[i]) < 0)
+             rc = -1;
+     }
++
++    if (vm->def->os.kernel &&
++        qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
++        rc = -1;
++
++    if (vm->def->os.initrd &&
++        qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
++        rc = -1;
++
+     return rc;
+ }
+ 
+@@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
+             return -1;
+     }
+ 
++    if (vm->def->os.kernel &&
++        qemuSecurityDACSetOwnership(vm->def->os.kernel,
++                                    driver->user,
++                                    driver->group) < 0)
++        return -1;
++
++    if (vm->def->os.initrd &&
++        qemuSecurityDACSetOwnership(vm->def->os.initrd,
++                                    driver->user,
++                                    driver->group) < 0)
++        return -1;
++
+     return 0;
+ }
+ 
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b2c8581..975b315 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
+             rc = -1;
+     }
+ 
++    if (vm->def->os.kernel &&
++        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
++        rc = -1;
++
++    if (vm->def->os.initrd &&
++        SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
++        rc = -1;
++
+     return rc;
+ }
+ 
+@@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
+             return -1;
+     }
+ 
++    if (vm->def->os.kernel &&
++        SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
++        return -1;
++
++    if (vm->def->os.initrd &&
++        SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
++        return -1;
++
+     return 0;
+ }
+ 
+-- 
+1.6.6.1
+

sources

@@ -1 +1 @@
-344a6913a94582ea3ab0ad75a9bfef22  libvirt-0.6.4.tar.gz
+5f315b0bf20e3964f7657ba1e630cd67  libvirt-0.7.7.tar.gz