Title says "virtfs permits guest to access entire host filesystem". First answer says "Yet another example where SELinux could have mitigated this effect". You say "That's not true".
"Entire host filesystem" is "/" and anything below, right? If your QEMU process is running in a SELinux context, there is no way it could access the "entire host filesystem".
And as your footnote, a mistake in SELinux configuration is highly unlikely. Once your process is running in a context, you have to have an explicit transition to the unconfined context or you have to relabel the "entire host filesystem" with the context of the QEMU process.
"Entire host filesystem" is "/" and anything below, right? If your QEMU process is running in a SELinux context, there is no way it could access the "entire host filesystem".
And as your footnote, a mistake in SELinux configuration is highly unlikely. Once your process is running in a context, you have to have an explicit transition to the unconfined context or you have to relabel the "entire host filesystem" with the context of the QEMU process.