From 0f8be2531c44f04854af0b0569d3f2c373b1bba6 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Mon, 11 Apr 2016 17:02:25 -0400
Subject: [PATCH] man: virsh: Document lxc-enter-namespace --noseclabel

https://bugzilla.redhat.com/show_bug.cgi?id=1147737
---
 tools/virsh.pod | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/virsh.pod b/tools/virsh.pod
index 7cf5552b19..6c9d4ec609 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -4182,7 +4182,7 @@ When I<--timestamp> is used, a human-readable timestamp will be printed
 before the event, and the timing information provided by QEMU will be
 omitted.
 
-=item B<lxc-enter-namespace> I<domain> -- /path/to/binary [arg1, [arg2, ...]]
+=item B<lxc-enter-namespace> I<domain> [I<--noseclabel>] -- /path/to/binary [arg1, [arg2, ...]]
 
 Enter the namespace of I<domain> and execute the command C</path/to/binary>
 passing the requested args. The binary path is relative to the container
@@ -4191,6 +4191,10 @@ environment variables / console visible to virsh. This command only works
 when connected to the LXC hypervisor driver.  This command succeeds only
 if C</path/to/binary> has 0 exit status.
 
+By default the new process will run with the security label of the new
+parent container. Use the I<--noseclabel> option to instead have the
+process keep the same security label as C<virsh>.
+
 =back
 
 =head1 ENVIRONMENT