On 10/09/2017 11:38, Paolo Bonzini wrote:
The daemon can then be
placed in the same devices cgroup and SELinux MCS category as QEMU.
At least regarding the devices cgroup, this is wrong, sorry (the socket
can be given an MCS category to restrict who connects to it, but not the
daemon). More details in the reply to Daniel's message.
Thanks,
Paolo