> -s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Well running "virt-sandbox -s inherit" would run as unconfined_t for most users. I the future we need to add a check to libvirt to ask SELinux if it is ok for a user to transiton to the label, rather then just to do it. Imagine a confined admin which is allowed to generate containers, he should only be allowed to generate containers with processes labels that he can transition into, not that libvirt can transition into. [sandbox PATCH 1/2] Add virt-sandbox -s inherit, to execute the [sandbox PATCH 2/2] Unit files only exist in Systemd Containers. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list