1. 28 Jun, 2011 1 commit
    • Ensure sanlock socket is labelled with the VM process label · 5247b069
      Daniel P. Berrange committed
      The libvirt sanlock plugin is intentionally leaking a file
      descriptor to QEMU. To enable QEMU to use this FD under
      SELinux, it must be labelled correctly. We don't want to use
      the svirt_image_t for this, since QEMU must not be allowed
      to actually use the FD. So instead we label it with svirt_t
      using virSecurityManagerSetProcessFDLabel
      
      * src/locking/domain_lock.c, src/locking/domain_lock.h,
        src/locking/lock_driver.h, src/locking/lock_driver_nop.c,
        src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c,
        src/locking/lock_manager.h: Optionally pass an FD back to
        the hypervisor for security driver labelling
      * src/qemu/qemu_process.c: label the lock manager plugin
        FD with the process label
  2. 03 Jun, 2011 1 commit
  3. 02 Jun, 2011 1 commit
    • Add a 'nop' lock driver implementation. · db98851c
      Daniel P. Berrange committed
      To allow hypervisor drivers to assume that a lock driver impl
      will be guaranteed to exist, provide a 'nop' impl that is
      compiled into the library
      
      * src/Makefile.am: Add nop driver
      * src/locking/lock_driver_nop.c, src/locking/lock_driver_nop.h:
        Nop lock driver implementation
      * src/locking/lock_manager.c: Enable direct access of 'nop'
        driver, instead of dlopen()ing it.