Thank you very much!! On the most basic test (only), appears to work, although afterward it strips out the imagelabel element: I originally did: <domain type='kvm'>   <!-- ... -->   <seclabel type='static' model='dac' relabel='yes'>     <label>horse-libvirt-qemu:libvirt-qemu</label> <imagelabel>horse-libvirt-qemu:libvirt-qemu</imagelabel>   </seclabel> </domain> virsh define /etc/libvirt/qemu/xxx.xml virsh start xxxx It effectively worked: ps aux: horse-libvirt-qemu 6522 /usr/bin/qemu-system-x86_64 -name guest=[...] -rw-------  1 horse-libvirt-qemu libvirt-qemu 21478375424 Dec 20 11:40 xxxxx.qcow2 Then the domain definition was rewritten by libvirt (probably unproblematically) to: <domain type='kvm'>   <!-- ... -->   <seclabel type='static' model='dac' relabel='yes'>     <label>horse-libvirt-qemu:libvirt-qemu</label>   </seclabel> </domain> I'll be trying, but are there any features or virtual machine devices known not covered by this method? (I had consulted the C source to figure out where virCHDriverConfig::user might be overridden, and so wonder at what code location this relabel is being applied, but conversely this looks more powerful) On 12/20/24 06:17, Jiri Denemark wrote:

On Fri, Dec 20, 2024 at 01:48:48 -0500, Pascal Proulx via Users wrote:

...

Hello,

How can I override the libvirt-qemu user defined in /etc/libvirt/qemu.conf using a per-domain (virtual machine) override using the domain XML definitions? I can find qemu arg overrides but not this and I may have missed it. I believe the following XML should do it

<seclabel type='static' model='dac' relabel='yes'> <label>user:group</label> <imagelabel>user:group</imagelabel> </seclabel>

The <imagelabel> element may not be needed depending on who owns the images and what mode they have.

Jirka