
Rosetta exposed to Linux guests have no SELinux context, breaking container workflows #7727

@Linus-XZX

Description


Describe the issue
Rosetta exposed to Linux guests is not given an SELinux context, and it is impossible to apply one manually because the virtiofs directory is functionally read-only (it can be mounted rw, but manually running chcon errors out with "Operation not permitted").

This affects me when running an SELinux-enforcing distro and attempting to run a container with --arch=amd64.

To reproduce:

  • Start a VM with a SELinux-enforcing distro (I used RHEL but Fedora should work as well) using Virtualization, with Rosetta enabled
  • Configure Rosetta as documented
    • Fedora and derivatives may need to do the update-binfmts step manually with echo ':rosetta:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00:\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/media/rosetta/rosetta:PCF' | sudo tee /proc/sys/fs/binfmt_misc/register
  • Install Podman
  • Start a container with the amd64 arch and run some command in it
    • podman run --arch=amd64 quay.io/centos/centos:stream10 uname -m for example

Expected result:

x86_64

Actual result: no output, exit code 139, journalctl -b -et setroubleshoot reports a violation

Source Context: system_u:system_r:container_t:s0:c986,c993
Target Context: system_u:system_r:unlabeled_t:s0
Target Objects: /media/rosetta/rosetta [ file ]

Configuration

  • UTM Version: 4.7.5 (118)
  • macOS Version: 26.5 (25F71)
  • Mac Chip (Intel, M1, ...): M4

Crash log
Does not apply.

Debug log
Does not apply imo but I can provide if required.

Upload VM
Does not apply imo but I can provide if required.
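A small triage helper for the denial quoted above, added here as an example; it is not code from this issue or from the UTM project. It parses a setroubleshoot-style summary (the three Source Context / Target Context / Target Objects lines, embedded below as a constructed sample taken from the report) and flags a target of type unlabeled_t, which is exactly the symptom: the container process (container_t) is denied because the Rosetta binary on the virtiofs share carries no usable label. The function names and the current_label helper are my own; ls -Z only yields meaningful output on an SELinux-enabled guest.

```shell
#!/bin/sh
# Added triage helper (example code, not from the issue or UTM).
# Classifies a setroubleshoot-style denial summary and reports whether the
# target object is unlabeled, which is the failure mode described above.

# Constructed sample: the three context lines as reported in the issue.
SAMPLE_DENIAL='Source Context: system_u:system_r:container_t:s0:c986,c993
Target Context: system_u:system_r:unlabeled_t:s0
Target Objects: /media/rosetta/rosetta [ file ]'

# Print the SELinux type (third colon-separated field) of the Source Context.
source_type() {
    printf '%s\n' "$1" | awk -F': ' '/^Source Context:/ { split($2, f, ":"); print f[3] }'
}

# Print the SELinux type of the Target Context.
target_type() {
    printf '%s\n' "$1" | awk -F': ' '/^Target Context:/ { split($2, f, ":"); print f[3] }'
}

# Print the path named in Target Objects, dropping the trailing "[ file ]" class.
target_path() {
    printf '%s\n' "$1" | awk -F': ' '/^Target Objects:/ { sub(/ \[.*$/, "", $2); print $2 }'
}

# Print "unlabeled" when the denied object has no label (unlabeled_t),
# otherwise "labeled": an unlabeled target means no policy rule can ever
# allow the access until the file gets a label, so chcon/restorecon or a
# mount-time label is the only fix; a labeled target points at a policy gap.
classify_denial() {
    case "$(target_type "$1")" in
        unlabeled_t) echo unlabeled ;;
        *)           echo labeled ;;
    esac
}

# Live check on a running guest: the current label of a path as shown by ls -Z.
# Prints nothing on systems without SELinux support.
current_label() {
    ls -Z "$1" 2>/dev/null | awk '{ print $1 }'
}

# Human-readable summary for the sample denial.
report_denial() {
    printf '%s -> %s (%s)\n' \
        "$(source_type "$1")" "$(target_path "$1")" "$(classify_denial "$1")"
}

report_denial "$SAMPLE_DENIAL"
```

For the report's denial, classify_denial returns unlabeled, i.e. the problem is missing labeling rather than a missing allow rule. Whether a context= mount option on the Rosetta virtiofs mount (the generic SELinux mount option that assigns one label to every file in a filesystem without writing xattrs) sidesteps the read-only labeling problem is an assumption I have not verified against UTM; the helper only tells you which of the two cases you are in.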
