[libvirt] [PATCH] Add XML config switch to enable/disable vhost-net support
by Laine Stump
This patch is in response to
https://bugzilla.redhat.com/show_bug.cgi?id=643050
The existing libvirt support for the vhost-net backend to the virtio
network driver happens automatically - if the vhost-net device is
available, it is always enabled, otherwise the standard userland
virtio backend is used.
This patch makes it possible to force whether or not vhost-net is used
with a bit of XML. Adding a <driver> element to the interface XML, eg:
<interface type="network">
<model type="virtio"/>
<driver name="vhost"/>
will force use of vhost-net (if it's not available, the domain will
fail to start). If driver name="qemu", vhost-net will not be used even
if it is available.
If there is no <driver name='xxx'/> in the config, libvirt will revert
to the pre-existing automatic behavior - use vhost-net if it's
available, and userland backend if vhost-net isn't available.
---
Note that I don't really like the "name='vhost|qemu'" nomenclature,
but am including it here just to get the patches on the list. I could
live with it this way, or with any of the following (anyone have a
strong opinion?) (note that in all cases, nothing specified means "try
to use vhost, but fallback to userland if necessary")
vhost='on|off'
vhost='required|disabled'
mode='vhost|qemu'
mode='kernel|user'
backend='kernel|user'
(So far the strongest opinion has been for the current "name='vhost|qemu'")
Oh, and also - sorry Eric, but I didn't have the brain cells left
tonight to add this new bit to the documentation, and I really want to
get the patch up/in now, so that will have to wait for a followup next
week :-)
docs/schemas/domain.rng | 13 ++++++++
src/conf/domain_conf.c | 27 +++++++++++++++++-
src/conf/domain_conf.h | 10 ++++++
src/qemu/qemu_command.c | 71 +++++++++++++++++++++++++++++++++++++++--------
src/qemu/qemu_command.h | 3 --
5 files changed, 108 insertions(+), 16 deletions(-)
diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng
index a524e4b..6d0654d 100644
--- a/docs/schemas/domain.rng
+++ b/docs/schemas/domain.rng
@@ -1005,6 +1005,19 @@
</element>
</optional>
<optional>
+ <element name="driver">
+ <optional>
+ <attribute name="name">
+ <choice>
+ <value>qemu</value>
+ <value>vhost</value>
+ </choice>
+ </attribute>
+ </optional>
+ <empty/>
+ </element>
+ </optional>
+ <optional>
<ref name="address"/>
</optional>
<optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index b4df38c..04ed502 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -184,6 +184,10 @@ VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST,
"internal",
"direct")
+VIR_ENUM_IMPL(virDomainNetBackend, VIR_DOMAIN_NET_BACKEND_TYPE_LAST,
+ "qemu",
+ "vhost")
+
VIR_ENUM_IMPL(virDomainChrChannelTarget,
VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_LAST,
"guestfwd",
@@ -2289,6 +2293,7 @@ virDomainNetDefParseXML(virCapsPtr caps,
char *address = NULL;
char *port = NULL;
char *model = NULL;
+ char *backend = NULL;
char *filter = NULL;
char *internal = NULL;
char *devaddr = NULL;
@@ -2371,6 +2376,8 @@ virDomainNetDefParseXML(virCapsPtr caps,
script = virXMLPropString(cur, "path");
} else if (xmlStrEqual (cur->name, BAD_CAST "model")) {
model = virXMLPropString(cur, "type");
+ } else if (xmlStrEqual (cur->name, BAD_CAST "driver")) {
+ backend = virXMLPropString(cur, "name");
} else if (xmlStrEqual (cur->name, BAD_CAST "filterref")) {
filter = virXMLPropString(cur, "filter");
VIR_FREE(filterparams);
@@ -2558,6 +2565,18 @@ virDomainNetDefParseXML(virCapsPtr caps,
model = NULL;
}
+ if ((backend != NULL) &&
+ (def->model && STREQ(def->model, "virtio"))) {
+ int b;
+ if ((b = virDomainNetBackendTypeFromString(backend)) < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unkown interface <driver name='%s'> has been specified"),
+ backend);
+ goto error;
+ }
+ def->backend = b;
+ def->backend_specified = 1;
+ }
if (filter != NULL) {
switch (def->type) {
case VIR_DOMAIN_NET_TYPE_ETHERNET:
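Review bot: The new block only honours `<driver name=...>` when `def->model` is "virtio", so for any other model the attribute is parsed and then silently dropped — `backend_specified` is never set and the "vhost-net is only supported for virtio network interfaces" error added in qemu_command.c cannot be reached from XML input, which contradicts the description's promise that a forced vhost makes the domain fail to start. Consider validating the name whenever `backend != NULL` and rejecting it for non-virtio models here, e.g. `if (backend != NULL && !(def->model && STREQ(def->model, "virtio"))) { ...report error...; goto error; }`. The unknown-name case is a user configuration error rather than an internal one, so `VIR_ERR_CONFIG_UNSUPPORTED` (as the qemu_command.c side of this patch uses) fits better than `VIR_ERR_INTERNAL_ERROR`, and the message has a typo: `_("Unknown interface <driver name='%s'> has been specified")`. virDomainNetDefParseXML begins and ends outside this hunk.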
@@ -2584,6 +2603,7 @@ cleanup:
VIR_FREE(script);
VIR_FREE(bridge);
VIR_FREE(model);
+ VIR_FREE(backend);
VIR_FREE(filter);
VIR_FREE(type);
VIR_FREE(internal);
@@ -6275,9 +6295,14 @@ virDomainNetDefFormat(virBufferPtr buf,
if (def->ifname)
virBufferEscapeString(buf, " <target dev='%s'/>\n",
def->ifname);
- if (def->model)
+ if (def->model) {
virBufferEscapeString(buf, " <model type='%s'/>\n",
def->model);
+ if (STREQ(def->model, "virtio") && def->backend_specified) {
+ virBufferVSprintf(buf, " <driver name='%s'/>\n",
+ virDomainNetBackendTypeToString(def->backend));
+ }
+ }
if (def->filter) {
virBufferEscapeString(buf, " <filterref filter='%s'",
def->filter);
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index a459a22..451ccad 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -292,6 +292,13 @@ enum virDomainNetType {
VIR_DOMAIN_NET_TYPE_LAST,
};
+/* the backend driver used for virtio interfaces */
+enum virDomainNetBackendType {
+ VIR_DOMAIN_NET_BACKEND_TYPE_QEMU, /* userland */
+ VIR_DOMAIN_NET_BACKEND_TYPE_VHOST, /* kernel */
+
+ VIR_DOMAIN_NET_BACKEND_TYPE_LAST,
+};
/* the mode type for macvtap devices */
enum virDomainNetdevMacvtapType {
@@ -310,6 +317,8 @@ struct _virDomainNetDef {
enum virDomainNetType type;
unsigned char mac[VIR_MAC_BUFLEN];
char *model;
+ enum virDomainNetBackendType backend;
+ int backend_specified : 1;
union {
struct {
char *dev;
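Review bot: `int backend_specified : 1;` declares a signed one-bit bit-field; whether a plain `int` bit-field is signed is implementation-defined, and on the common choice it can only hold 0 and -1, so `def->backend_specified = 1` stores -1. Truthiness tests in this patch still work, but any later `== 1` comparison or serialization of the flag would silently misbehave; declare it `unsigned int backend_specified : 1;` (or a plain `bool`, if the file already uses stdbool). The struct definition continues outside the hunk.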
@@ -1264,6 +1273,7 @@ VIR_ENUM_DECL(virDomainControllerModel)
VIR_ENUM_DECL(virDomainFS)
VIR_ENUM_DECL(virDomainFSAccessMode)
VIR_ENUM_DECL(virDomainNet)
+VIR_ENUM_DECL(virDomainNetBackend)
VIR_ENUM_DECL(virDomainChrDevice)
VIR_ENUM_DECL(virDomainChrChannelTarget)
VIR_ENUM_DECL(virDomainChrConsoleTarget)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 86c5bb5..9eb54a1 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -302,24 +302,61 @@ cleanup:
}
-int
+static int
qemuOpenVhostNet(virDomainNetDefPtr net,
- unsigned long long qemuCmdFlags)
+ unsigned long long qemuCmdFlags,
+ int *vhostfd)
{
- /* If qemu supports vhost-net mode (including the -netdev command
- * option), the nic model is virtio, and we can open
- * /dev/vhost_net, assume that vhost-net mode is available and
- * return the fd to /dev/vhost_net. Otherwise, return -1.
- */
+ *vhostfd = -1; /* assume we won't use vhost */
+ /* If the config says explicitly to not use vhost, return now */
+ if (net->backend_specified &&
+ (net->backend == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)) {
+ return 0;
+ }
+
+ /* If qemu doesn't support vhost-net mode (including the -netdev command
+ * option), don't try to open the device.
+ */
if (!(qemuCmdFlags & QEMUD_CMD_FLAG_VNET_HOST &&
qemuCmdFlags & QEMUD_CMD_FLAG_NETDEV &&
- qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE &&
- net->model && STREQ(net->model, "virtio")))
- return -1;
+ qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
+ if (net->backend_specified &&
+ (net->backend == VIR_DOMAIN_NET_BACKEND_TYPE_VHOST)) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("vhost-net is not supported with "
+ "this QEMU binary"));
+ return -1;
+ }
+ return 0;
+ }
- return open("/dev/vhost-net", O_RDWR, 0);
+ /* If the nic model isn't virtio, don't try to open. */
+ if (!(net->model && STREQ(net->model, "virtio"))) {
+ if (net->backend_specified &&
+ (net->backend == VIR_DOMAIN_NET_BACKEND_TYPE_VHOST)) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("vhost-net is only supported for "
+ "virtio network interfaces"));
+ return -1;
+ }
+ return 0;
+ }
+
+ *vhostfd = open("/dev/vhost-net", O_RDWR, 0);
+
+ /* If the config says explicitly to use vhost and we couldn't open it,
+ * report an error.
+ */
+ if ((*vhostfd < 0) && net->backend_specified &&
+ (net->backend == VIR_DOMAIN_NET_BACKEND_TYPE_VHOST)) {
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("vhost-net was requested for an interface, "
+ "but is unavailable"));
+ return -1;
+ }
+ return 0;
}
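Review bot: When vhost-net was explicitly requested and `open("/dev/vhost-net", O_RDWR, 0)` fails, the error reported discards `errno`, so an administrator cannot tell a missing module (ENOENT) from a permission or SELinux denial (EACCES) — the two failure modes need different fixes. Report it with the system error instead, e.g. `virReportSystemError(errno, "%s", _("vhost-net was requested for an interface, but is unavailable"));`, assuming that helper is available in this file as elsewhere in the qemu driver. The silent fall-back to the userland backend when vhost was not requested is pre-existing behaviour and looks intentional; a one-line comment saying so above the `open()` would save the next reader from treating it as a swallowed error.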
@@ -3278,7 +3315,10 @@ qemuBuildCommandLine(virConnectPtr conn,
net->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
/* Attempt to use vhost-net mode for these types of
network device */
- int vhostfd = qemuOpenVhostNet(net, qemuCmdFlags);
+ int vhostfd;
+
+ if (qemuOpenVhostNet(net, qemuCmdFlags, &vhostfd) < 0)
+ goto error;
if (vhostfd >= 0) {
virCommandTransferFD(cmd, vhostfd);
@@ -4618,6 +4658,13 @@ qemuParseCommandLineNet(virCapsPtr caps,
} else if (STREQ(keywords[i], "model")) {
def->model = values[i];
values[i] = NULL;
+ } else if (STREQ(keywords[i], "vhost")) {
+ if ((values[i] == NULL) || STREQ(values[i], "on")) {
+ def->backend = VIR_DOMAIN_NET_BACKEND_TYPE_VHOST;
+ } else if (STREQ(keywords[i], "off")) {
+ def->backend = VIR_DOMAIN_NET_BACKEND_TYPE_QEMU;
+ }
+ def->backend_specified = 1;
}
}
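Review bot: The `off` branch compares the wrong string: `STREQ(keywords[i], "off")` tests the keyword, which is already known to be "vhost", so it can never match and `vhost=off` on a native command line falls through with `backend` left at whatever the zero-initialised struct held. It should be `} else if (STREQ(values[i], "off")) {`. Also `def->backend_specified = 1` is set even when the value is neither "on" nor "off", which records an explicit backend choice that was never made; either report an unknown value or only set the flag inside the two recognised branches. qemuParseCommandLineNet starts and ends outside this hunk.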
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 4c42a10..5439184 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -116,9 +116,6 @@ int qemuNetworkIfaceConnect(virConnectPtr conn,
unsigned long long qemCmdFlags)
ATTRIBUTE_NONNULL(1);
-int qemuOpenVhostNet(virDomainNetDefPtr net,
- unsigned long long qemuCmdFlags);
-
int qemuPhysIfaceConnect(virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
--
1.7.3.4
[libvirt] [PATCH 2/2] Make sure the rundir is accessible by the user
by Guido Günther
Otherwise the user might not have enough permissions to access the
socket if root's umask is 077.
http://bugs.debian.org/614210
---
daemon/libvirtd.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 610e7fd..a968e05 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -3156,7 +3156,9 @@ static int create_rundir (void)
{
const char *rundir = LOCALSTATEDIR "/run/libvirt";
int ret = 0;
+ mode_t old_umask;
+ old_umask = umask(022);
if (mkdir (rundir, 0755)) {
if (errno != EEXIST) {
char ebuf[1024];
@@ -3165,6 +3167,7 @@ static int create_rundir (void)
ret = VIR_DAEMON_ERR_RUNDIR;
}
}
+ umask(old_umask);
return ret;
}
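Review bot: Wrapping `mkdir` in `umask(022)` only fixes the mode of a directory created by this run; if the directory already exists (the `EEXIST` branch) with a restrictive mode left over from an earlier start under umask 077, its permissions are left as they are and the socket stays unreachable for non-root clients. Consider repairing it on that path, e.g. `if (errno == EEXIST) chmod(rundir, 0755);` (the path is root-owned under LOCALSTATEDIR, so the symlink-following nature of chmod is acceptable here, but worth a comment). Note also that `umask()` is process-wide, so this is only safe because create_rundir runs from main before any worker threads exist — a comment stating that assumption would help.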
--
1.7.4.1
[libvirt] [PATCH] storage: replace the deprecated option of qemu-img.
by Osier Yang
qemu-img silently disable "-e", so we can't use it for volume
encryption anymore, change it into "-o encryption=on".
I'm afraid it will introduce a compatibility problem for older
qemu without the "-o" option, but "-o" is already used in the
code, so it seems fine.
* src/storage/storage_backend.c
---
src/storage/storage_backend.c | 17 +++++++++++------
1 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c
index 2eede74..c381444 100644
--- a/src/storage/storage_backend.c
+++ b/src/storage/storage_backend.c
@@ -778,7 +778,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
imgargv[8] = vol->target.path;
imgargv[9] = size;
if (vol->target.encryption != NULL)
- imgargv[10] = "-e";
+ imgargv[10] = "-o encryption=on";
break;
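Review bot: `imgargv[10] = "-o encryption=on";` puts the option and its value into a single argv element, so qemu-img is exec'd with one argument containing a space; its getopt will see option `-o` with the argument ` encryption=on` (leading space) or reject it outright, rather than the intended `-o` `encryption=on`. It must be two elements, `imgargv[10] = "-o"; imgargv[11] = "encryption=on";`, with the `imgargv` array (declared outside the hunk) sized to hold the extra element plus the terminating NULL. The same single-element form is used at the two other sites later in this patch and needs the same fix; virStorageBackendCreateQemuImg begins outside the hunk.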
case QEMU_IMG_BACKING_FORMAT_OPTIONS:
@@ -786,13 +786,18 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
virReportOOMError();
goto cleanup;
}
+
+ if (vol->target.encryption != NULL) {
+ if (virAsprintf(&optflag, ",encryption=on") < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ }
+
imgargv[6] = "-o";
imgargv[7] = optflag;
imgargv[8] = vol->target.path;
imgargv[9] = size;
- if (vol->target.encryption != NULL)
- imgargv[10] = "-e";
- break;
default:
VIR_INFO("Unable to set backing store format for %s with %s",
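Review bot: Removing the `break;` at the end of the QEMU_IMG_BACKING_FORMAT_OPTIONS case makes it fall through into `default`, which logs "Unable to set backing store format" and overwrites `imgargv[6]` and `imgargv[7]` with the path and size, clobbering the `-o` options just assembled. Separately, `virAsprintf(&optflag, ",encryption=on")` overwrites the `optflag` pointer — if, as the OOM check at the top of the hunk suggests, it already holds the backing-format string built just above, that string is leaked and qemu-img receives `-o ,encryption=on` with no backing format. The option string should be appended to, and the `break;` restored:

```c
        /* … unchanged: optflag built with the backing format, OOM check … */
        if (vol->target.encryption != NULL) {
            char *tmp = NULL;
            /* append to the existing -o option list rather than replacing it */
            if (virAsprintf(&tmp, "%s,encryption=on", optflag) < 0) {
                virReportOOMError();
                goto cleanup;
            }
            VIR_FREE(optflag);
            optflag = tmp;
        }
        imgargv[6] = "-o";
        imgargv[7] = optflag;
        imgargv[8] = vol->target.path;
        imgargv[9] = size;
        break;
```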
@@ -800,7 +805,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
imgargv[6] = vol->target.path;
imgargv[7] = size;
if (vol->target.encryption != NULL)
- imgargv[8] = "-e";
+ imgargv[8] = "-o encryption=on";
}
ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
@@ -817,7 +822,7 @@ virStorageBackendCreateQemuImg(virConnectPtr conn,
NULL
};
if (vol->target.encryption != NULL)
- imgargv[6] = "-e";
+ imgargv[6] = "-o encryption=on";
ret = virStorageBackendCreateExecCommand(pool, vol, imgargv);
}
--
1.7.4
[libvirt] [PATCH] docs: correct range of default NAT subnet
by Eric Blake
* docs/formatdomain.html.in: Fix typo.
---
Pushing under the trivial rule.
docs/formatdomain.html.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 9b9ab29..8b6e5e4 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1145,7 +1145,7 @@
network config with '<code>virsh net-dumpxml [networkname]</code>'.
There is one virtual network called 'default' setup out
of the box which does NAT'ing to the default route and has an IP range of
- <code>192.168.22.0/255.255.255.0</code>. Each guest will have an
+ <code>192.168.122.0/255.255.255.0</code>. Each guest will have an
associated tun device created with a name of vnetN, which can also be
overridden with the <target> element (see
<a href="#elementsNICSTargetOverride">overriding the target element</a>).
--
1.7.4
[libvirt] [PATCH 2/2] libvirtd: Remove indirect linking
by Guido Günther
as described at
http://wiki.debian.org/ToolChain/DSOLinking
https://fedoraproject.org/wiki/UnderstandingDSOLinkChange
otherwise the build fails on current Debian unstable with:
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_lxc.a(libvirt_driver_lxc_la-lxc_container.o): undefined reference to symbol 'capng_apply'
/usr/bin/ld: note: 'capng_apply' is defined in DSO //usr/lib/libcap-ng.so.0 so try adding it to the linker command line
CCLD libvirtd
/usr/bin/ld: ../src/.libs/libvirt_driver_storage.a(libvirt_driver_storage_la-storage_backend.o): undefined reference to symbol 'fgetfilecon'
/usr/bin/ld: note: 'fgetfilecon' is defined in DSO //lib/libselinux.so.1 so try adding it to the linker command line
//lib/libselinux.so.1: could not read symbols: Invalid operation
O.k. to apply?
Cheers,
-- Guido
---
daemon/Makefile.am | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 912440c..2083084 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -145,7 +145,15 @@ if WITH_NWFILTER
endif
endif
-libvirtd_LDADD += ../src/libvirt.la
+if WITH_SECDRIVER_SELINUX
+ libvirtd_LDADD += $(SELINUX_LIBS)
+endif
+if WITH_SECDRIVER_APPARMOR
+ libvirtd_LDADD += $(APPARMOR_LIBS)
+endif
+
+libvirtd_LDADD += ../src/libvirt.la \
+ $(CAPNG_LIBS)
if HAVE_POLKIT
if HAVE_POLKIT0
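Review bot: The link error quoted in the description comes from `storage_backend.o` needing `fgetfilecon`, yet `$(SELINUX_LIBS)` is only added under `WITH_SECDRIVER_SELINUX`; if the storage backend's libselinux use is guarded by the general SELinux detection rather than the security-driver conditional (the configure logic is not visible here), a build with SELinux support but without the SELinux security driver would still fail to link. Consider keying the addition on the broader conditional, e.g. `if WITH_SELINUX` if such a conditional exists, or adding `$(SELINUX_LIBS)` unconditionally alongside `$(CAPNG_LIBS)` since it expands to nothing when SELinux is not detected. A one-line comment above the block noting that these are direct dependencies of the statically linked driver objects would explain why they are repeated here.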
--
1.7.4.1
[libvirt] [libvirt-snmp][PATCH] configure.ac: lower required minimal version of autoconf
by Michal Privoznik
so that it also builds on RHEL 5.6, where the originally required version is not yet available.
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 468fb07..dcab0ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@ AC_INIT([libvirt-snmp],[0.0.1],[libvir-list@redhat.com],[],[http://libvirt.org])
AM_INIT_AUTOMAKE([-Wall -Werror])
AC_CONFIG_HEADERS([config.h])
-AC_PREREQ([2.66])
+AC_PREREQ([2.50])
AC_CHECK_FUNCS([memset])
AC_CHECK_FUNCS([strdup])
AC_CHECK_HEADERS([stdlib.h])
--
1.7.4
[libvirt] (no subject)
by Guido Günther
>From 4a3765d97c3f5049aa294a4b7b629eabfd9cf04d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx(a)sigxcpu.org>
Date: Mon, 7 Mar 2011 22:22:36 +0100
Subject: [PATCH 1/2] Move rundir creation into separate function
---
daemon/libvirtd.c | 31 ++++++++++++++++++++-----------
1 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 452566c..610e7fd 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -3150,6 +3150,24 @@ enum {
OPT_VERSION = 129
};
+
+/* Ensure the rundir exists (on tmpfs on some systems) */
+static int create_rundir (void)
+{
+ const char *rundir = LOCALSTATEDIR "/run/libvirt";
+ int ret = 0;
+
+ if (mkdir (rundir, 0755)) {
+ if (errno != EEXIST) {
+ char ebuf[1024];
+ VIR_ERROR(_("unable to create rundir %s: %s"), rundir,
+ virStrerror(errno, ebuf, sizeof(ebuf)));
+ ret = VIR_DAEMON_ERR_RUNDIR;
+ }
+ }
+ return ret;
+}
+
#define MAX_LISTEN 5
int main(int argc, char **argv) {
struct qemud_server *server = NULL;
@@ -3276,17 +3294,8 @@ int main(int argc, char **argv) {
/* Ensure the rundir exists (on tmpfs on some systems) */
if (geteuid() == 0) {
- const char *rundir = LOCALSTATEDIR "/run/libvirt";
-
- if (mkdir (rundir, 0755)) {
- if (errno != EEXIST) {
- char ebuf[1024];
- VIR_ERROR(_("unable to create rundir %s: %s"), rundir,
- virStrerror(errno, ebuf, sizeof(ebuf)));
- ret = VIR_DAEMON_ERR_RUNDIR;
- goto error;
- }
- }
+ if (create_rundir ())
+ goto error;
}
/* Beyond this point, nothing should rely on using
--
1.7.4.1
[libvirt] [PATCH] Fix a wrong error message threw to user.
by Hu Tao
---
src/qemu/qemu_driver.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 0f7cbad..f26b1ef 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4209,8 +4209,8 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
default:
qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("disk device type '%s' cannot be updated"),
- virDomainDiskDeviceTypeToString(dev->data.disk->device));
+ _("device type '%s' cannot be updated"),
+ virDomainDeviceTypeToString(dev->type));
break;
}
--
1.7.3.1
[libvirt] [PATCH] security: ignore disk opening failure of DAC driver.
by Osier Yang
Which blocks the domain booting up if one of the disks
can't be opened (e.g. doesn't exist).
---
src/security/security_dac.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index fba2d1d..8bb5bc9 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -182,7 +182,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
return virDomainDiskDefForeachPath(disk,
virSecurityManagerGetAllowDiskFormatProbing(mgr),
- false,
+ true,
virSecurityDACSetSecurityFileLabel,
mgr);
}
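Review bot: Flipping the third argument to `true` — presumably the "ignore open failures" flag of virDomainDiskDefForeachPath, whose prototype is outside the hunk — makes the DAC driver skip labelling of any path it cannot open, not only the missing-disk case named in the description. An image that exists but is unreadable by libvirtd, or a backing file deeper in a probed chain, is then silently left unlabelled and the failure surfaces later as an opaque permission error from QEMU rather than at define/start time. If the flag cannot distinguish ENOENT from other errors, at least record the trade-off at the call site, e.g. `/* ignore open failures: a missing disk must not block start; labelling errors surface from qemu */`, and check that the SELinux driver's equivalent call agrees so the two security drivers behave consistently. The enclosing function starts outside the hunk.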
--
1.7.4
[libvirt] [PATCH] dynamic_ownership documentation
by Stephan Mueller
Hi,
I would like to propose the following patch for the libvirtd.conf file to
document sVirt and its usage. If you have suggestions to add better wording,
please let me know.
(If you reply with comments, could you please CC me as I am not on the list.)
Ciao
Stephan
---
diff --git a/cc-config/cc/libvirtd.conf b/cc-config/cc/libvirtd.conf
index 43e19d8..a9acc21 100644
--- a/cc-config/cc/libvirtd.conf
+++ b/cc-config/cc/libvirtd.conf
@@ -154,7 +154,52 @@ auth_unix_rw = "none"
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
-
+#################################################################
+#
+# sVirt protection mechanisms
+#
+# The following options specify the separation of virtual machines
+# based on SELinux categories. As virtual machines execute with the
+# same user ID, an additional separation functionality is necessary
+# to prevent different virtual machines from interfering with each other
+# in case the simulation environment provided with QEMU is
+# successfully broken by a rogue guest.
+#
+# The sVirt protection mechanism implements two modes of operation:
+# dynamic assignment of SELinux categories
+# static assignment of SELinux labels
+#
+# A dynamic assignment of categories implies that libvirt generates
+# a unique SELinux category that the virtual machine and its resources
+# are assigned to during the instantiation of the virtual machine.
+# SELinux ensures that each virtual machine can only access resources
+# labeled with the same category as the virtual machine itself.
+#
+# A static assignment of SELinux labels imply that the administrator
+# manually configures the SELinux label of the virtual machine in
+# /etc/libvirt/qemu/<VM-DESCRIPTOR> based on the following example:
+#
+# <seclabel model='selinux' type="static">
+# <label>system_u:system_r:qemu_t:s0:c210.c502</label>
+# </seclabel>
+#
+# The <label> tag specifies a full SELinux label the virtual machine
+# will be executed with.
+#
+# In addition to the setting of the SELinux label of the virtual
+# machine, the administrator must manually set the SELinux label
+# of all resources the virtual machine accesses appropriately.
+#
+# NOTE: The dynamic assignment of categories is only intended for
+# systems with the targeted SELinux policy. Systems with the MLS
+# SELinux policy MUST use the static assignment of labels.
+# It is possible that static assignment is configured for
+# systems with the targeted policy as well.
+#
+# dynamic_ownership: 0 == static assignment of SELinux labels
+# 1 == dynamic assignment of SELinux labels
+dynamic_ownership=1
+#
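Review bot: The closing lines tie `dynamic_ownership` to "static vs dynamic assignment of SELinux labels", but the patch's own example a few lines above selects the mode per domain via `<seclabel model='selinux' type="static">`, which suggests the labelling mode is not a daemon-wide switch. In libvirt, `dynamic_ownership` is a qemu driver setting that controls whether libvirt chowns disk images and other resources to the QEMU user, i.e. DAC ownership, and is normally configured in qemu.conf rather than libvirtd.conf — worth confirming before documenting it as the sVirt selector, since an administrator following this text could believe MLS systems are protected by setting `dynamic_ownership=0` when the per-domain seclabel is what actually matters. Consider rewording the last lines to `# sVirt mode is selected per domain with <seclabel type='dynamic|static'>; dynamic_ownership only controls DAC ownership changes of guest resources.` The misspelt "imply" in the static-assignment paragraph should read "implies".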