On 10/09/2017 11:38, Paolo Bonzini wrote: > The daemon can then be > placed in the same devices cgroup and SELinux MCS category as QEMU.
At least regarding the devices cgroup, this is wrong, sorry (the socket can be given an MCS category to restrict who connects to it, but not the daemon). More details in the reply to Daniel's message. Thanks, Paolo -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
