RHEL-5174

Create a selinux policy for nbdkit

    • rhel-sst-security-selinux
    • ssg_security
    • 26
    • None
    • QE ack
    • False
    • No
    • None
    • Pass
    • Automated
    • Enhancement
    • .The `nbdkit` service is confined by SELinux

      The `nbdkit-selinux` sub-package adds new rules to the SELinux policy, and as a result, `nbdkit` is confined in SELinux. Therefore, the systems that run `nbdkit` are more resilient against privilege escalation attacks.
    • Done
    • None

      In adding nbdkit support to libvirt, I've run into several issues. First of all, libvirt is unable to spawn nbdkit right now due to virt selinux policies. This was filed as Bug 2176939.

      Since the selinux context of nbdkit is currently system_u:object_r:bin_t:s0, libvirt is not permitted to spawn nbdkit. In order to craft a policy that would allow libvirt to spawn nbdkit, we'll presumably need to assign it a context that could be distinguished from other binaries (perhaps introducing something like nbdkit_exec_t/nbdkit_t).

      But libvirt will also want to isolate nbdkit from other guests and the rest of the filesystem while allowing it access to things like ssh-agent socket, etc.

      So this bug is about creating a policy for nbdkit. Bug 2176939 will be about updating the virt policy to interact with the nbdkit policy.

      In discussing this with Daniel Berrange, he suggested that we might basically need two different policies for nbdkit since a policy that is suitable for libvirt's needs will be too strict for other uses of nbdkit. He pointed to qemu as an example of a binary that has a slightly analogous scenario with the different svirt_t and svirt_tcg_t policies for KVM vs TCG emulation.

      See also Bug 2172268 for a very similar situation with passt, which maintains its own selinux policy.
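
A minimal sketch of the kind of policy module the description above points toward, added here as an illustration; it is not the policy shipped in `nbdkit-selinux` and not the fix for Bug 2176939. The type names follow the `nbdkit_exec_t`/`nbdkit_t` suggestion in the description; the module name, the use of `virtd_t` as libvirt's domain, and the binary path in the file-context comment are assumptions.

```selinux
# nbdkit_example.te -- illustrative only (hypothetical module name)
policy_module(nbdkit_example, 1.0.0)

# virtd_t is assumed to be the domain libvirtd runs in.
gen_require(`
	type virtd_t;
	role system_r;
')

# Dedicated process domain and entry-point type, so that nbdkit is no
# longer indistinguishable from every other bin_t executable.
type nbdkit_t;
type nbdkit_exec_t;
application_domain(nbdkit_t, nbdkit_exec_t)

# virtd_t runs under system_r; the role has to be authorised for the new
# domain or the transition is denied even with the rules below.
role system_r types nbdkit_t;

# Let libvirt execute nbdkit_exec_t files and transition into nbdkit_t
# instead of running nbdkit inside its own domain.
domtrans_pattern(virtd_t, nbdkit_exec_t, nbdkit_t)

# Matching file-context entry (belongs in nbdkit_example.fc; path assumed):
# /usr/sbin/nbdkit  --  gen_context(system_u:object_r:nbdkit_exec_t,s0)
```

As written, the domain is allowed almost nothing beyond being entered; the access mentioned in the description, such as the ssh-agent socket, would need explicit allow rules on top of this.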

              vmojzis@redhat.com Vit Mojzis
              jjongsma@redhat.com Jonathon Jongsma
              Vit Mojzis
              Milos Malik
              Jan Fiala