Bug 665549 - libvirt crash on src/util/util.c in __virExec
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt
Version: 5.6
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: 5.6
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 659855
Blocks: 667142
Reported: 2010-12-24 16:32 UTC by Eric Blake
Modified: 2011-07-21 10:31 UTC (History)

Fixed In Version: libvirt-0.8.2-16.el5
Doc Type: Bug Fix
Doc Text:
libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the value of FD_SETSIZE because it accessed file descriptors outside the bounds of the set. libvirt has been updated and the maximum number of open file descriptors can no longer grow larger than the value of FD_SETSIZE.
Clone Of: 659855
Environment:
Last Closed: 2011-07-21 10:31:28 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1019 0 normal SHIPPED_LIVE Moderate: libvirt security, bug fix, and enhancement update 2011-07-21 10:31:00 UTC

Comment 1 Eric Blake 2010-12-24 16:43:05 UTC
Cloning, since RHEL 5.6 suffers from the same problem.  Actually, the problem goes back as far as upstream libvirt-0.4.6 (introduced by commit da196338 in Aug '08), so it may also be worth some z-stream patches since it is a crasher.  It does not impact xen; qemu, lxc, and uml are the only clients that passed a non-null keepfd.

Comment 3 Jiri Denemark 2011-01-04 15:35:18 UTC
Fix built in libvirt-0.8.2-16.el5 for 5.7

Comment 6 wangyimiao 2011-05-04 05:25:18 UTC
Verified it on build: libvirt-0.8.2-18.el5.
Steps:
1.# ulimit -n 2048
2.# for i in $(seq 1700 1800); do eval exec $i\>/dev/null; done
3.# service libvirtd stop
Stopping libvirtd daemon:                                  [  OK  ]
4.# libvirtd
23:41:08.146: error : virRunWithHook:856 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?)

5.# ps -ea|grep libvirt
10540 pts/0    00:00:00 libvirtd

6.# ls /proc/10540/fd
0     1704  1713  1722  1731  1740  1749  1758  1767  1776  1785  1794  4
1     1705  1714  1723  1732  1741  1750  1759  1768  1777  1786  1795  5
10    1706  1715  1724  1733  1742  1751  1760  1769  1778  1787  1796  6
11    1707  1716  1725  1734  1743  1752  1761  1770  1779  1788  1797  7
12    1708  1717  1726  1735  1744  1753  1762  1771  1780  1789  1798  8
1700  1709  1718  1727  1736  1745  1754  1763  1772  1781  1790  1799  9
1701  1710  1719  1728  1737  1746  1755  1764  1773  1782  1791  1800
1702  1711  1720  1729  1738  1747  1756  1765  1774  1783  1792  2
1703  1712  1721  1730  1739  1748  1757  1766  1775  1784  1793  3

7.# virsh start r6.0
Domain r6.0 started

8.# ps -ea|grep qemu
 4819 ?        00:00:00 qemu-dm
 7508 ?        00:00:03 qemu-dm

9.# ls /proc/4819/fd
0  1  10  11  12  2  23  3  4  5  6  7  8  9

10.# ls /proc/7508/fd
0  1  10  11  12  13  14  15  2  23  3  4  5  6  7  8  9

Doesn't have libvirt leak to the qemu child.

So set bug status to VERIFIED

Comment 7 Kate Grainger 2011-07-18 01:40:49 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
libvirt could crash if the maximum number of open file descriptors (_SC_OPEN_MAX) grew larger than the value of FD_SETSIZE because it accessed file descriptors outside the bounds of the set. libvirt has been updated and the maximum number of open file descriptors can no longer grow larger than the value of FD_SETSIZE.
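
The out-of-bounds fd_set access described in the technical note, shown as an added example that is not libvirt source code. It puts the unchecked membership test beside a bounds-checked one; all function names are hypothetical, and the 2048 limit in main() is constructed to match the "ulimit -n 2048" verification step in comment 6.

```c
/* Added example, not libvirt code. All helper names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>

/* UNSAFE pattern: an fd_set holds only FD_SETSIZE bits. If the caller's loop
 * bound comes from _SC_OPEN_MAX and that limit is larger than FD_SETSIZE,
 * FD_ISSET reads memory past the end of *keep. */
bool must_close_unchecked(int fd, const fd_set *keep)
{
    return !(keep && FD_ISSET(fd, keep));
}

/* Hardened: an fd outside [0, FD_SETSIZE) cannot be a member of the set,
 * so answer without touching the set at all. */
bool must_close_checked(int fd, const fd_set *keep)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return true;
    return !(keep && FD_ISSET(fd, keep));
}

/* FD_SET needs the same guard: past FD_SETSIZE it writes out of bounds. */
bool keep_fd(int fd, fd_set *keep)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return false;
    FD_SET(fd, keep);
    return true;
}

/* Count the descriptors in [3, openmax) a child would close before exec. */
long count_to_close(long openmax, const fd_set *keep)
{
    long n = 0;
    for (long fd = 3; fd < openmax; fd++)
        if (must_close_checked((int)fd, keep))
            n++;
    return n;
}

int main(void)
{
    fd_set keep;
    long openmax = 2048; /* constructed value, as after "ulimit -n 2048" */
    FD_ZERO(&keep);
    keep_fd(5, &keep);
    printf("FD_SETSIZE=%d openmax=%ld to_close=%ld\n",
           (int)FD_SETSIZE, openmax, count_to_close(openmax, &keep));
    return 0;
}
```

must_close_unchecked() is shown only for contrast and is never called; on a glibc build with _FORTIFY_SOURCE an out-of-range FD_ISSET aborts the process instead of silently reading adjacent memory.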

Comment 8 errata-xmlrpc 2011-07-21 10:31:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1019.html

