The VMs are launched using a pre-defined domain.xml + raw disk. All VMs (whitelisted + backlisted) ones are launched the same way (virsh define followed by virsh start) I want to be able to disable launching of certain VMs(blacklisted ones) unless explicitly allowed. What is the best way to accomplish this? I am exploring the selinux path for this requirement. The current implementation(understandably) isolates each guest into their own MCS categories but by default the resources are always relabeled. Unless, I change the libvirtd code, the auto relabelling can't be disabled(?) Still trying to understand the various virt selinux policies, and XML seclabel options to accomplish this. Are there better alternatives? thanks Suresh