I tested the series and it resolves the issue, thus:

Tested-by: Richard W.M. Jones <rjones@redhat.com>

- - -

I wanted to clarify how we are using <seclabel/> since the original
description on RHEL-156689 was wrong (I've updated it there).

We put this in the main body of the XML:

  <seclabel type="none" model="selinux"/>

We put this into some <disk/> sections:

  <disk device="disk" type="file">
    <source file="scratch1.img">
      <seclabel model="selinux" relabel="no"/>
    </source>

I was concerned that in your comment you said this second usage of
<seclabel/> is wrong. However the documentation seems to contradict
this (although the documentation is not very clear).

Is the second usage above correct or not? There's no simple way to
check the XML we generate against the RNG, so if libvirt accepts it
then we won't find out if it's technically wrong.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html