"When deployed alongside a Kerberos server, such as Red Hat's FreeIPA
server, this SASL functionality can allow for encrypted, authenticated,
single-sign-on-enabled remote access to VMs.
Fedora 11 taps its SELinux security framework to enforce isolation of
running VMs, using the framework's MCS (Multi Category System) policy.
This support builds on the MCS-based isolation between guest and host
that debuted in Fedora 10.
During tests, I created a pair of VMs on my Fedora 11 test box, and
could see in my process monitor that the security context information
for each running VM process included unique category attributes, as did
the virtual disk image files that corresponded to each VM."