I'm looking in the code to see why runtime VM dac seclabel values aren't printed in the active XML. They are filled in, but the domain XML formatter explicitly skips it: /* To avoid backward compatibility issues, suppress DAC and 'none' labels * that are automatically generated. */ if ((STREQ_NULLABLE(def->model, "dac") || STREQ_NULLABLE(def->model, "none")) && def->implicit) return; The relevant bit is from here: commit 990e46c4542349f838e001d30638872576c389e9 Author: Marcelo Cerri <mhcerri@xxxxxxxxxxxxxxxxxx> Date: Fri Aug 31 13:40:41 2012 +0200 conf: Avoid formatting auto-generated DAC labels And I think comment elsewhere in domain_conf.c explains what that's all about: /* libvirt versions prior to 0.10.0 support just a single seclabel element * in guest's XML and model attribute can be suppressed if type is none or * type is dynamic, baselabel is not defined and INACTIVE flag is set. * * To avoid compatibility issues, for this specific case the first model * defined in host's capabilities is used as model for the seclabel. */ Just dropping the the model == "dac" check above seems to accomplish what I'm after, but it's not strictly back compatible. That said, libvirt has supported multiple seclabels for a loooong time now, so I wonder do we even care? Do we have a target for how far back we try to maintain XML compat? Or does anyone else have other ideas? (ccing jiri and michal who have had patches in this area) Thanks, Cole -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list