On 27/11/2017 10:40, Daniel P. Berrange wrote:
> If we had one daemon per QEMU, then we would give the daemon the same
> MCS label as QEMU. The kernel will thus enforce this label matches the
> label on the QEMU process when it connects to the UNIX socket. The kernel
> will also validate the label on the disk file descriptor passed to the
> daemon by QEMU.
>
> If we had one daemon per host, then that daemon will need a generic
> label that lets all QEMUs connect to it. When QEMU passes in a disk
> FD, the daemon will need to query the SELinux context of the remote
> QEMU process, and then perform a userspace ACL check of that against
> the FD that is passed in.
>
> The latter case means the QEMU helper will need to link to libselinux
> and perform checks itself.
Then it seems much better to use one daemon per QEMU, indeed.
Paolo
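The userspace ACL check Daniel describes for the one-daemon-per-host case, as an added example that is not from this thread or from QEMU: it assumes sVirt labelling (svirt_t for the QEMU process, svirt_image_t for the disk image) and takes the two context strings such a daemon would obtain with getpeercon() on the UNIX socket and fgetfilecon() on the passed FD. A production daemon would hand the decision to selinux_check_access() so the loaded policy, not hand-written rules, decides; the hand-rolled MCS dominance check here only makes the cost of the per-host design visible.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MCS_CATS 1024   /* MCS category space: c0..c1023 */

/* Parse the level ending an SELinux context "user:role:type:level" ("s0",
 * "s0:c12,c34", "s0-s0:c0.c1023") into a category bitmap; false if malformed. */
static bool parse_mcs_cats(const char *con, unsigned char cats[MCS_CATS / 8])
{
    memset(cats, 0, MCS_CATS / 8);
    const char *level = con;
    for (int i = 0; i < 3; i++, level++)          /* skip user, role, type */
        if (!(level = strchr(level, ':'))) return false;
    if (strrchr(level, '-')) level = strrchr(level, '-') + 1;  /* low-high: use high */
    if (*level != 's') return false;
    const char *p = strchr(level, ':');
    if (!p) return true;                          /* "s0" alone: no categories */
    for (p++; *p; p = (*p == ',') ? p + 1 : p) {
        if (*p != 'c') return false;
        char *end;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (*end == '.' && end[1] == 'c') hi = strtol(end + 2, &end, 10);
        if (end == p + 1 || lo < 0 || hi < lo || hi >= MCS_CATS) return false;
        if (*end && *end != ',') return false;
        for (long c = lo; c <= hi; c++) cats[c / 8] |= 1 << (c % 8);
        p = end;
    }
    return true;
}

/* True if the peer's categories dominate (are a superset of) the file's
 * categories, which is what the MCS constraint enforces for sVirt guests. */
static bool mcs_dominates(const char *peer_con, const char *file_con)
{
    unsigned char pc[MCS_CATS / 8], fc[MCS_CATS / 8];
    if (!parse_mcs_cats(peer_con, pc) || !parse_mcs_cats(file_con, fc)) return false;
    for (int i = 0; i < MCS_CATS / 8; i++)
        if (fc[i] & ~pc[i]) return false;
    return true;
}

/* The check a per-host daemon must do itself when a QEMU hands it a disk FD:
 * peer_con is what getpeercon() on the UNIX socket returns, file_con is what
 * fgetfilecon() on the FD returns. Assumed sVirt types: svirt_t / svirt_image_t. */
static bool daemon_allow_disk_fd(const char *peer_con, const char *file_con)
{
    return strstr(peer_con, ":svirt_t:") && strstr(file_con, ":svirt_image_t:")
           && mcs_dominates(peer_con, file_con);
}
```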