diff --git a/libvirt-0.6.1-svirt-shared-readonly.patch b/libvirt-0.6.1-svirt-shared-readonly.patch
new file mode 100644
index 0000000..2c7b2ba
--- /dev/null
+++ b/libvirt-0.6.1-svirt-shared-readonly.patch
@@ -0,0 +1,143 @@
+diff -rup libvirt-0.6.1.orig/src/qemu_driver.c libvirt-0.6.1.new/src/qemu_driver.c
+--- libvirt-0.6.1.orig/src/qemu_driver.c 2009-03-17 11:57:04.000000000 +0000
++++ libvirt-0.6.1.new/src/qemu_driver.c 2009-03-17 11:57:12.000000000 +0000
+@@ -3765,7 +3765,7 @@ static int qemudDomainAttachDevice(virDo
+ goto cleanup;
+ }
+ if (driver->securityDriver)
+- driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev);
++ driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
+ break;
+
+ default:
+@@ -3901,7 +3901,7 @@ static int qemudDomainDetachDevice(virDo
+ dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
+ ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
+ if (driver->securityDriver)
+- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev);
++ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
+ }
+ else
+ qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
+diff -rup libvirt-0.6.1.orig/src/security.h libvirt-0.6.1.new/src/security.h
+--- libvirt-0.6.1.orig/src/security.h 2009-03-03 16:40:46.000000000 +0000
++++ libvirt-0.6.1.new/src/security.h 2009-03-17 11:57:12.000000000 +0000
+@@ -32,11 +32,10 @@ typedef virSecurityDriverStatus (*virSec
+ typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
+ virSecurityDriverPtr drv);
+ typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+- virDomainObjPtr vm,
+- virDomainDeviceDefPtr dev);
++ virDomainDiskDefPtr disk);
+ typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
+ virDomainObjPtr vm,
+- virDomainDeviceDefPtr dev);
++ virDomainDiskDefPtr disk);
+ typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+ virDomainObjPtr sec);
+ typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
+diff -rup libvirt-0.6.1.orig/src/security_selinux.c libvirt-0.6.1.new/src/security_selinux.c
+--- libvirt-0.6.1.orig/src/security_selinux.c 2009-03-03 16:40:46.000000000 +0000
++++ libvirt-0.6.1.new/src/security_selinux.c 2009-03-17 11:57:12.000000000 +0000
+@@ -269,7 +269,7 @@ SELinuxGetSecurityLabel(virConnectPtr co
+ }
+
+ static int
+-SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon)
++SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
+ {
+ char ebuf[1024];
+
+@@ -288,28 +288,51 @@ SELinuxSetFilecon(virConnectPtr conn, ch
+
+ static int
+ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+- virDomainObjPtr vm,
+- virDomainDeviceDefPtr dev)
++ virDomainDiskDefPtr disk)
+ {
+- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
++ struct stat buf;
++ security_context_t fcon = NULL;
++ int rc = -1;
++ char *newpath = NULL;
++ const char *path = disk->src;
+
+- if (secdef->imagelabel) {
+- return SELinuxSetFilecon(conn, dev->data.disk->src, default_image_context);
++ if (disk->readonly || disk->shared)
++ return 0;
++
++ if (lstat(path, &buf) != 0)
++ return -1;
++
++ if (S_ISLNK(buf.st_mode)) {
++ if (VIR_ALLOC_N(newpath, buf.st_size + 1) < 0)
++ return -1;
++
++ if (readlink(path, newpath, buf.st_size) < 0)
++ goto err;
++ path = newpath;
++ if (stat(path, &buf) != 0)
++ goto err;
+ }
+- return 0;
++
++ if (matchpathcon(path, buf.st_mode, &fcon) == 0) {
++ rc = SELinuxSetFilecon(conn, path, fcon);
++ }
++err:
++ VIR_FREE(fcon);
++ VIR_FREE(newpath);
++ return rc;
+ }
+
+ static int
+ SELinuxSetSecurityImageLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+- virDomainDeviceDefPtr dev)
++ virDomainDiskDefPtr disk)
+
+ {
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+- if (secdef->imagelabel) {
+- return SELinuxSetFilecon(conn, dev->data.disk->src, secdef->imagelabel);
+- }
++ if (secdef->imagelabel)
++ return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
++
+ return 0;
+ }
+
+@@ -322,7 +345,7 @@ SELinuxRestoreSecurityLabel(virConnectPt
+ int rc = 0;
+ if (secdef->imagelabel) {
+ for (i = 0 ; i < vm->def->ndisks ; i++) {
+- if (SELinuxSetFilecon(conn, vm->def->disks[i]->src, default_image_context) < 0)
++ if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
+ rc = -1;
+ }
+ VIR_FREE(secdef->model);
+@@ -368,16 +391,11 @@ SELinuxSetSecurityLabel(virConnectPtr co
+
+ if (secdef->imagelabel) {
+ for (i = 0 ; i < vm->def->ndisks ; i++) {
+- if(setfilecon(vm->def->disks[i]->src, secdef->imagelabel) < 0) {
+- virSecurityReportError(conn, VIR_ERR_ERROR,
+- _("%s: unable to set security context "
+- "'\%s\' on %s: %s."), __func__,
+- secdef->imagelabel,
+- vm->def->disks[i]->src,
+- virStrerror(errno, ebuf, sizeof ebuf));
+- if (security_getenforce() == 1)
+- return -1;
+- }
++ if (vm->def->disks[i]->readonly ||
++ vm->def->disks[i]->shared) continue;
++
++ if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
++ return -1;
+ }
+ }
+
diff --git a/libvirt.spec b/libvirt.spec
index f672800..f705e3e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -47,7 +47,7 @@
Summary: Library providing a simple API virtualization
Name: libvirt
Version: 0.6.1
-Release: 4%{?dist}%{?extra_release}
+Release: 5%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: libvirt-%{version}.tar.gz
@@ -61,6 +61,7 @@ Patch7: libvirt-0.6.1-storage-free.patch
Patch8: libvirt-0.6.1-vcpu-deadlock.patch
Patch9: libvirt-0.6.1-xenblock-detach.patch
Patch10: libvirt-0.6.1-fd-leaks2.patch
+Patch11: libvirt-0.6.1-svirt-shared-readonly.patch
# Not upstream yet - pending QEMU merge
Patch100: libvirt-0.6.1-vnc-sasl-auth.patch
@@ -205,6 +206,7 @@ of recent versions of Linux (and other OSes).
%patch8 -p1
%patch9 -p1
%patch10 -p0
+%patch11 -p1
%patch100 -p1
@@ -499,6 +501,9 @@ fi
%endif
%changelog
+* Tue Mar 17 2009 Daniel P. Berrange <berrange@redhat.com> - 0.6.1-5.fc11
+- Don't relabel shared/readonly disks
+
* Tue Mar 17 2009 Daniel P. Berrange <berrange@redhat.com> - 0.6.1-4.fc11
- Fix memory allocation for xend lookup
- Avoid crash if storage volume deletion fails