diff --git a/libvirt-0.6.4-do-not-unnecessarily-try-to-change-a-file-context.patch b/libvirt-0.6.4-do-not-unnecessarily-try-to-change-a-file-context.patch
new file mode 100644
index 0000000..4669460
--- /dev/null
+++ b/libvirt-0.6.4-do-not-unnecessarily-try-to-change-a-file-context.patch
@@ -0,0 +1,47 @@
+From ae4523336ac06e3ff7cc7b416fad9e57998c6b54 Mon Sep 17 00:00:00 2001
+From: Tim Waugh <twaugh@redhat.com>
+Date: Fri, 3 Jul 2009 10:29:01 +0100
+Subject: [PATCH 2/3] Don't unnecessarily try to change a file context
+
+As pointed out by Tim Waugh here:
+
+ https://bugzilla.redhat.com/507555
+
+We shouldn't bother trying to set the context of a file if it already
+matches what we want.
+
+(Fixed to use STREQ() and not use tabs, as pointed out by danpb)
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+---
+ src/security_selinux.c | 11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/src/security_selinux.c b/src/security_selinux.c
+index db1c27d..c2015a1 100644
+--- a/src/security_selinux.c
++++ b/src/security_selinux.c
+@@ -280,10 +280,19 @@ static int
+ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
+ {
+ char ebuf[1024];
++ security_context_t econ;
+
+ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
+
+- if(setfilecon(path, tcon) < 0) {
++ if (setfilecon(path, tcon) < 0) {
++ if (getfilecon(path, &econ) >= 0) {
++ if (STREQ(tcon, econ)) {
++ freecon(econ);
++ /* It's alright, there's nothing to change anyway. */
++ return 0;
++ }
++ freecon(econ);
++ }
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ _("%s: unable to set security context "
+ "'\%s\' on %s: %s."), __func__,
+--
+1.6.2.5
+
diff --git a/libvirt-0.6.4-fix-nosource-label.patch b/libvirt-0.6.4-fix-nosource-label.patch
new file mode 100644
index 0000000..997559b
--- /dev/null
+++ b/libvirt-0.6.4-fix-nosource-label.patch
@@ -0,0 +1,35 @@
+From 06f607a9c5cfd50433ae27cc7729c31f81d87f19 Mon Sep 17 00:00:00 2001
+From: Cole Robinson <crobinso@redhat.com>
+Date: Fri, 3 Jul 2009 10:40:55 +0100
+Subject: [PATCH 3/3] Skip labelling if no src path present
+
+Fixes startup of guest's with sourceless cdrom devices.
+
+Patch originall posted here:
+
+ https://bugzilla.redhat.com/499569
+
+but never sent upstream.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+---
+ src/security_selinux.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/security_selinux.c b/src/security_selinux.c
+index c2015a1..eb8d308 100644
+--- a/src/security_selinux.c
++++ b/src/security_selinux.c
+@@ -342,6 +342,9 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
+ {
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
++ if (!disk->src)
++ return 0;
++
+ if (disk->shared) {
+ return SELinuxSetFilecon(conn, disk->src, default_image_context);
+ } else if (disk->readonly) {
+--
+1.6.2.5
+
diff --git a/libvirt-0.6.4-shared-readonly-label.patch b/libvirt-0.6.4-shared-readonly-label.patch
new file mode 100644
index 0000000..688c549
--- /dev/null
+++ b/libvirt-0.6.4-shared-readonly-label.patch
@@ -0,0 +1,97 @@
+From e700e17c3989d32e04ef98c63ac9b9414fefb366 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Fri, 3 Jul 2009 10:24:50 +0100
+Subject: [PATCH 1/3] Re-label shared and readonly images
+
+This patch was posted ages ago here:
+
+ https://bugzilla.redhat.com/493692
+
+But was never posted upstream AFAICT.
+
+Signed-off-by: Mark McLoughlin <markmc@redhat.com>
+---
+ src/security_selinux.c | 27 +++++++++++++++++----------
+ 1 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/src/security_selinux.c b/src/security_selinux.c
+index ac317d7..db1c27d 100644
+--- a/src/security_selinux.c
++++ b/src/security_selinux.c
+@@ -24,11 +24,12 @@
+ #include "virterror_internal.h"
+ #include "util.h"
+ #include "memory.h"
+-
++#include "logging.h"
+
+ #define VIR_FROM_THIS VIR_FROM_SECURITY
+
+ static char default_domain_context[1024];
++static char default_content_context[1024];
+ static char default_image_context[1024];
+ #define SECURITY_SELINUX_VOID_DOI "0"
+ #define SECURITY_SELINUX_NAME "selinux"
+@@ -148,8 +149,13 @@ SELinuxInitialize(virConnectPtr conn)
+ close(fd);
+
+ ptr = strchrnul(default_image_context, '\n');
+- *ptr = '\0';
+-
++ if (*ptr == '\n') {
++ *ptr = '\0';
++ strcpy(default_content_context, ptr+1);
++ ptr = strchrnul(default_content_context, '\n');
++ if (*ptr == '\n')
++ *ptr = '\0';
++ }
+ return 0;
+ }
+
+@@ -275,6 +281,8 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
+ {
+ char ebuf[1024];
+
++ VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
++
+ if(setfilecon(path, tcon) < 0) {
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ _("%s: unable to set security context "
+@@ -299,9 +307,6 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+ char *newpath = NULL;
+ const char *path = disk->src;
+
+- if (disk->readonly || disk->shared)
+- return 0;
+-
+ if ((err = virFileResolveLink(path, &newpath)) < 0) {
+ virReportSystemError(conn, err,
+ _("cannot resolve symlink %s"), path);
+@@ -328,8 +333,13 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
+ {
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+- if (secdef->imagelabel)
++ if (disk->shared) {
++ return SELinuxSetFilecon(conn, disk->src, default_image_context);
++ } else if (disk->readonly) {
++ return SELinuxSetFilecon(conn, disk->src, default_content_context);
++ } else if (secdef->imagelabel) {
+ return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
++ }
+
+ return 0;
+ }
+@@ -403,9 +413,6 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
+
+ if (secdef->imagelabel) {
+ for (i = 0 ; i < vm->def->ndisks ; i++) {
+- if (vm->def->disks[i]->readonly ||
+- vm->def->disks[i]->shared) continue;
+-
+ if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
+ return -1;
+ }
+--
+1.6.2.5
+
diff --git a/libvirt.spec b/libvirt.spec
index b027634..4b8eea4 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -55,14 +55,17 @@
Summary: Library providing a simple API virtualization
Name: libvirt
Version: 0.6.4
-Release: 2%{?dist}%{?extra_release}
+Release: 3%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
Source: libvirt-%{version}.tar.gz
-# Patches cherry-picked from upstream
-
-# Patches not for upstream.
+# Handle shared/readonly image labelling (bug #493692)
+Patch1: libvirt-0.6.4-shared-readonly-label.patch
+# Don't unnecessarily try to change a file context (bug #507555)
+Patch2: libvirt-0.6.4-do-not-unnecessarily-try-to-change-a-file-context.patch
+# Don't try to label a disk with no path (e.g. empty cdrom) (bug #499569)
+Patch3: libvirt-0.6.4-fix-nosource-label.patch
# Temporary hack till PulseAudio autostart problems are sorted
# out when SELinux enforcing (bz 486112)
@@ -214,6 +217,10 @@ of recent versions of Linux (and other OSes).
%prep
%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
%patch200 -p0
mv NEWS NEWS.old
@@ -543,6 +550,11 @@ fi
%endif
%changelog
+* Fri Jul 3 2009 Mark McLoughlin <markmc@redhat.com> - 0.6.4-3.fc12
+- Handle shared/readonly image labelling (bug #493692)
+- Don't unnecessarily try to change a file context (bug #507555)
+- Don't try to label a disk with no path (e.g. empty cdrom) (bug #499569)
+
* Fri Jun 5 2009 Mark McLoughlin <markmc@redhat.com> - 0.6.4-2.fc12
- Remove the qemu BuildRequires