On 04/08/2013 12:45 AM, yue wrote: NFS doesn't support SELinux labels. Setting 'virt_use_nfs on' is your way of telling SELinux 'I acknowledge that I can't set MCS labels on NFS files, and that I therefore have a security risk that by turning this on, a rogue guest could corrupt ANY file in NFS rather than just the files assigned to the guest'. There are plans under way to teach qemu how to pass NFS files in by file descriptor, instead of letting qemu open() them; if these plans ever reach completion, then the 'virt_use_nfs on' option will no longer be necessary - it will be possible to use SELinux to prevent qemu from directly open()ing any file that lives on NFS, and libvirt will use fd passing to tell qemu which NFS files it may access. But that probably still won't happen in time for the upcoming qemu 1.5 release. Meanwhile, what you are observing is correct - it is the best we can do with existing NFS restrictions. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org