diff --git a/libvirt-0.7.7-fix-usb-product.patch b/libvirt-0.7.7-fix-usb-product.patch
new file mode 100644
index 0000000..8ce24a9
--- /dev/null
+++ b/libvirt-0.7.7-fix-usb-product.patch
@@ -0,0 +1,233 @@
+From 3a441522017aa9c1b8b54d2ce4569d0f0d96fa72 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 12:36:56 -0500
+Subject: [PATCH] qemu: Add some debugging at domain startup
+
+---
+ src/qemu/qemu_driver.c | 24 +++++++++++++++++++++++-
+ 1 files changed, 23 insertions(+), 1 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index f8ab545..040d645 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2695,6 +2695,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+
+ FD_ZERO(&keepfd);
+
++ DEBUG0("Beginning VM startup process");
++
+ if (virDomainObjIsActive(vm)) {
+ qemuReportError(VIR_ERR_OPERATION_INVALID,
+ "%s", _("VM is already active"));
+@@ -2703,22 +2705,27 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+
+ /* If you are using a SecurityDriver with dynamic labelling,
+ then generate a security label for isolation */
++ DEBUG0("Generating domain security label (if required)");
+ if (driver->securityDriver &&
+ driver->securityDriver->domainGenSecurityLabel &&
+ driver->securityDriver->domainGenSecurityLabel(vm) < 0)
+ return -1;
+
++ DEBUG0("Generating setting domain security labels (if required)");
+ if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityAllLabel &&
+ driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
+ goto cleanup;
+
+- /* Ensure no historical cgroup for this VM is lieing around bogus settings */
++ /* Ensure no historical cgroup for this VM is lying around bogus
++ * settings */
++ DEBUG0("Ensuring no historical cgroup is lying around");
+ qemuRemoveCgroup(driver, vm, 1);
+
+ if ((vm->def->ngraphics == 1) &&
+ vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
+ vm->def->graphics[0]->data.vnc.autoport) {
++ DEBUG0("Determining VNC port");
+ int port = qemudNextFreeVNCPort(driver);
+ if (port < 0) {
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
+@@ -2735,6 +2742,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ goto cleanup;
+ }
+
++ DEBUG0("Creating domain log file");
+ if ((logfile = qemudLogFD(driver, vm->def->name)) < 0)
+ goto cleanup;
+
+@@ -2751,14 +2759,17 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ goto cleanup;
+ }
+
++ DEBUG0("Determing emulator version");
+ if (qemudExtractVersionInfo(emulator,
+ NULL,
+ &qemuCmdFlags) < 0)
+ goto cleanup;
+
++ DEBUG0("Setting up domain cgroup (if required)");
+ if (qemuSetupCgroup(driver, vm) < 0)
+ goto cleanup;
+
++ DEBUG0("Preparing host devices");
+ if (qemuPrepareHostDevices(driver, vm->def) < 0)
+ goto cleanup;
+
+@@ -2767,6 +2778,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ goto cleanup;
+ }
+
++ DEBUG0("Preparing monitor state");
+ if (qemuPrepareMonitorChr(driver, priv->monConfig, vm->def->name) < 0)
+ goto cleanup;
+
+@@ -2798,6 +2810,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ * use in hotplug
+ */
+ if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
++ DEBUG0("Assigning domain PCI addresses");
+ /* Populate cache with current addresses */
+ if (priv->pciaddrs) {
+ qemuDomainPCIAddressSetFree(priv->pciaddrs);
+@@ -2816,6 +2829,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ priv->persistentAddrs = 0;
+ }
+
++ DEBUG0("Building emulator command line");
+ vm->def->id = driver->nextvmid++;
+ if (qemudBuildCommandLine(conn, driver, vm->def, priv->monConfig,
+ priv->monJSON, qemuCmdFlags, &argv, &progenv,
+@@ -2899,25 +2913,31 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ if (ret == -1) /* The VM failed to start */
+ goto cleanup;
+
++ DEBUG0("Waiting for monitor to show up");
+ if (qemudWaitForMonitor(driver, vm, pos) < 0)
+ goto abort;
+
++ DEBUG0("Detecting VCPU PIDs");
+ if (qemuDetectVcpuPIDs(driver, vm) < 0)
+ goto abort;
+
++ DEBUG0("Setting CPU affinity");
+ if (qemudInitCpuAffinity(vm) < 0)
+ goto abort;
+
++ DEBUG0("Setting any required VM passwords");
+ if (qemuInitPasswords(conn, driver, vm, qemuCmdFlags) < 0)
+ goto abort;
+
+ /* If we have -device, then addresses are assigned explicitly.
+ * If not, then we have to detect dynamic ones here */
+ if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
++ DEBUG0("Determining domain device PCI addresses");
+ if (qemuInitPCIAddresses(driver, vm) < 0)
+ goto abort;
+ }
+
++ DEBUG0("Setting initial memory amount");
+ qemuDomainObjEnterMonitorWithDriver(driver, vm);
+ if (qemuMonitorSetBalloon(priv->mon, vm->def->memory) < 0) {
+ qemuDomainObjExitMonitorWithDriver(driver, vm);
+@@ -2925,6 +2945,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ }
+
+ if (migrateFrom == NULL) {
++ DEBUG0("Starting domain CPUs");
+ /* Allow the CPUS to start executing */
+ if (qemuMonitorStartCPUs(priv->mon, conn) < 0) {
+ if (virGetLastError() == NULL)
+@@ -2937,6 +2958,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ qemuDomainObjExitMonitorWithDriver(driver, vm);
+
+
++ DEBUG0("Writing domain status to disk");
+ if (virDomainSaveStatus(driver->caps, driver->stateDir, vm) < 0)
+ goto abort;
+
+--
+1.6.6.1
+
+From 6d5c8a8f51db8ce97ab35ab6022dd5c94ab016b4 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 12:37:52 -0500
+Subject: [PATCH] qemu: Fix USB by product with security enabled
+
+We need to call PrepareHostdevs to determine the USB device path before
+any security calls. PrepareHostUSBDevices was also incorrectly skipping
+all USB devices.
+---
+ src/qemu/qemu_driver.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 040d645..b17d26d 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -2360,7 +2360,7 @@ qemuPrepareHostUSBDevices(struct qemud_driver *driver ATTRIBUTE_UNUSED,
+
+ if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
+ continue;
+- if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI)
++ if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
+ continue;
+
+ /* Resolve a vendor/product to bus/device */
+@@ -2703,6 +2703,11 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ return -1;
+ }
+
++ /* Must be run before security labelling */
++ DEBUG0("Preparing host devices");
++ if (qemuPrepareHostDevices(driver, vm->def) < 0)
++ goto cleanup;
++
+ /* If you are using a SecurityDriver with dynamic labelling,
+ then generate a security label for isolation */
+ DEBUG0("Generating domain security label (if required)");
+@@ -2769,10 +2774,6 @@ static int qemudStartVMDaemon(virConnectPtr conn,
+ if (qemuSetupCgroup(driver, vm) < 0)
+ goto cleanup;
+
+- DEBUG0("Preparing host devices");
+- if (qemuPrepareHostDevices(driver, vm->def) < 0)
+- goto cleanup;
+-
+ if (VIR_ALLOC(priv->monConfig) < 0) {
+ virReportOOMError();
+ goto cleanup;
+--
+1.6.6.1
+
+From 65e97240e6e4606820dd1c42ac172319e0af4d8d Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 22 Mar 2010 10:45:36 -0400
+Subject: [PATCH] security: selinux: Fix crash when releasing non-existent label
+
+This can be triggered by the qemuStartVMDaemon cleanup path if a
+VM references a non-existent USB device (by product) in the XML.
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ src/security/security_selinux.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 975b315..6680e2d 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -632,7 +632,8 @@ SELinuxReleaseSecurityLabel(virDomainObjPtr vm)
+ {
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+- if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
++ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC ||
++ secdef->label == NULL)
+ return 0;
+
+ context_t con = context_new(secdef->label);
+--
+1.6.6.1
+
diff --git a/libvirt-0.7.7-set-kernel-perms.patch b/libvirt-0.7.7-set-kernel-perms.patch
new file mode 100644
index 0000000..aa623ff
--- /dev/null
+++ b/libvirt-0.7.7-set-kernel-perms.patch
@@ -0,0 +1,87 @@
+From 3f1aa08af6580c215d973bc6bf57f505dbf8b926 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 12 Mar 2010 13:38:39 -0500
+Subject: [PATCH] security: Set permissions for kernel/initrd
+
+Fixes URL installs when running virt-install as root on Fedora.
+---
+ src/qemu/qemu_security_dac.c | 21 +++++++++++++++++++++
+ src/security/security_selinux.c | 16 ++++++++++++++++
+ 2 files changed, 37 insertions(+), 0 deletions(-)
+
+diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
+index 6911f48..1883fbe 100644
+--- a/src/qemu/qemu_security_dac.c
++++ b/src/qemu/qemu_security_dac.c
+@@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
+ vm->def->disks[i]) < 0)
+ rc = -1;
+ }
++
++ if (vm->def->os.kernel &&
++ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
++ rc = -1;
++
++ if (vm->def->os.initrd &&
++ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
++ rc = -1;
++
+ return rc;
+ }
+
+@@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
+ return -1;
+ }
+
++ if (vm->def->os.kernel &&
++ qemuSecurityDACSetOwnership(vm->def->os.kernel,
++ driver->user,
++ driver->group) < 0)
++ return -1;
++
++ if (vm->def->os.initrd &&
++ qemuSecurityDACSetOwnership(vm->def->os.initrd,
++ driver->user,
++ driver->group) < 0)
++ return -1;
++
+ return 0;
+ }
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index b2c8581..975b315 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
+ rc = -1;
+ }
+
++ if (vm->def->os.kernel &&
++ SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
++ rc = -1;
++
++ if (vm->def->os.initrd &&
++ SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
++ rc = -1;
++
+ return rc;
+ }
+
+@@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
+ return -1;
+ }
+
++ if (vm->def->os.kernel &&
++ SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
++ return -1;
++
++ if (vm->def->os.initrd &&
++ SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
++ return -1;
++
+ return 0;
+ }
+
+--
+1.6.6.1
+
diff --git a/libvirt.spec b/libvirt.spec
index e2dea73..1273be3 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -169,10 +169,14 @@
Summary: Library providing a simple API virtualization
Name: libvirt
Version: 0.7.7
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
+# Fix USB devices by product with security enabled (bz 574136)
+Patch1: %{name}-%{version}-fix-usb-product.patch
+# Set kernel/initrd in security driver, fixes some URL installs (bz 566425)
+Patch2: %{name}-%{version}-set-kernel-perms.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
URL: http://libvirt.org/
BuildRequires: python-devel
@@ -394,6 +398,8 @@ of recent versions of Linux (and other OSes).
%prep
%setup -q
+%patch1 -p1
+%patch2 -p1
%build
%if ! %{with_xen}
@@ -815,6 +821,10 @@ fi
%endif
%changelog
+* Mon Mar 22 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-2.fc14
+- Fix USB devices by product with security enabled (bz 574136)
+- Set kernel/initrd in security driver, fixes some URL installs (bz 566425)
+
* Fri Mar 5 2010 Daniel Veillard <veillard@redhat.com> - 0.7.7-1
- macvtap support
- async job handling