On 3/16/22 12:40, Nikola Knazekova wrote:
> Hi guys,
>
> Thank you very much for the detailed explanation.
>
> With the mount namespace feature turned off, there were no SELinux denials.
>
> Michal I saw your commit
> <https://gitlab.com/libvirt/libvirt/-/commit/22188790cad490f51e73dabcac65736c3b8871a7>,
> where firstly the existence of devices is checked. I assume when some
> correction is required, virtqemud will still need unlink permission, right?

Correct. So users can still hotplug and hotunplug devices from running
guests. In case of hotunplug libvirt will remove the corresponding /dev node.
For instance, PCI devices need /dev/vfio/vfio. But if you hotunplug the last
PCI device from your guest, then libvirt will also remove /dev/vfio/vfio from
the namespace. Therefore, we still need libvirt/virtqemud/virtlxcd to be able
to remove files from under /dev.

Michal
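To spot exactly the denials Michal describes (a libvirt daemon unlinking a /dev node inside the guest's mount namespace after a hotunplug), here is an added example that is not part of this thread and not libvirt's own code: a small shell filter that reads SELinux AVC records and reports unlink denials attributed to virtqemud or virtlxcd. The AVC lines embedded in it are constructed for the demo; the SELinux types on them (virtqemud_t, virtlxcd_t, vfio_device_t, clock_device_t, null_device_t) and the pids/inodes are assumed for illustration, not copied from a real audit log.

```shell
#!/bin/sh
# Added example, not libvirt code: filter SELinux AVC records for unlink
# denials raised by the libvirt daemons (virtqemud / virtlxcd). These are the
# denials you get when the mount namespace feature is on and a hotunplug makes
# libvirt remove a /dev node from the per-guest namespace.

# CONSTRUCTED sample records in the standard AVC format. The contexts,
# pids and inode numbers are assumed values, not taken from a real system.
SAMPLE_AVC='type=AVC msg=audit(1647430800.123:456): avc:  denied  { unlink } for  pid=2140 comm="virtqemud" name="vfio" dev="tmpfs" ino=3021 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1647430801.456:457): avc:  denied  { unlink } for  pid=2140 comm="virtqemud" name="rtc0" dev="tmpfs" ino=3044 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1647430802.789:458): avc:  denied  { read } for  pid=2140 comm="virtqemud" name="cpuinfo" dev="proc" ino=4026532004 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1647430803.012:459): avc:  denied  { unlink } for  pid=3311 comm="virtlxcd" name="null" dev="tmpfs" ino=3100 scontext=system_u:system_r:virtlxcd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0'

# libvirt_denials [perm]
# Reads AVC records on stdin and prints "comm perms tclass name" for every
# denial of the given permission (default: unlink) whose comm is virtqemud
# or virtlxcd. Other processes and other permissions are dropped.
libvirt_denials() {
    perm="${1:-unlink}"
    awk -v perm="$perm" '
        /^type=AVC/ && /avc: +denied/ {
            # the denied permission set sits between the braces: "{ unlink }"
            if (match($0, /\{[^}]*\}/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            } else next
            comm = ""; name = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)   { comm = $i;  sub(/^comm="?/, "", comm);  sub(/"$/, "", comm) }
                if ($i ~ /^name=/)   { name = $i;  sub(/^name="?/, "", name);  sub(/"$/, "", name) }
                if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
            }
            # only libvirt daemons, only records that contain the wanted permission
            if (comm ~ /^virt(qemu|lxc)d$/ && (" " perms " ") ~ (" " perm " "))
                print comm, perms, tclass, name
        }'
}

# count_denials [perm]: number of matching records in the constructed sample
count_denials() {
    printf '%s\n' "$SAMPLE_AVC" | libvirt_denials "${1:-unlink}" | wc -l | tr -d ' '
}

# Stand-alone run: list the unlink denials in the sample.
printf '%s\n' "$SAMPLE_AVC" | libvirt_denials unlink
```

On a live host the same filter can be fed from the audit log, for example `ausearch -m AVC -c virtqemud | libvirt_denials` (or `libvirt_denials read` to look at other permissions); a `tclass` of `chr_file` with `name` such as `vfio` or `rtc0` is the signature of the namespace cleanup path, as opposed to an unlink somewhere else on the host.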