I have been talking to Richard Jones about guestfish and SELinux and he is trying his best to educate me.
One of the things I did not understand is that guestfish actually starts a kernel; it is sort of a mini virtual machine.
Therefore load_policy would load into the guest kernel, and is not capable of harming the host OS.
Currently the administrator has to tell guestfish that the guest is using SELinux, and there is a --selinux option for that. Sadly, this flag does not work if you also specify -i:
# guestfish -i rhel5 --selinux
guestfish: cannot use -i option with -a, -m, --listen, --remote or --selinux
You can, however, execute:
guestfish `virt-inspector --fish rhel5` --selinux
><fs> sh "load_policy"
><fs> sh "restorecon /etc/resolv.conf"
One problem I see with this is that guestfish should really detect whether the guest OS is running SELinux and, if it is, turn on SELinux support and run load_policy by default.
Until this is fixed, users of guestfish on SELinux-enabled systems have to be careful: if you do not turn on the --selinux flag and run load_policy, you can create files and directories without labels (file_t). That can then cause the virtual machine not to work correctly when you boot it.
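Here is an added example (my own wrapper, not part of guestfish or libguestfs) that does the detection asked for above and then runs the same virt-inspector/--selinux/load_policy/restorecon steps as the session shown earlier. The function names are mine; it assumes guestfish's --ro option and that guestfish reads commands from stdin, and takes the guest name ("rhel5" in the post) plus the paths to relabel as arguments.

```shell
#!/bin/sh
# Added example: detect whether a guest uses SELinux, and only then relabel
# files through guestfish with --selinux + load_policy (not libguestfs code).

# selinux_mode: reads the guest's /etc/selinux/config on stdin and prints the
# SELINUX= value (enforcing, permissive, disabled); commented lines are ignored.
selinux_mode() {
  sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# guest_needs_selinux MODE: true when the guest will relabel/enforce at boot,
# i.e. when unlabelled (file_t) files would actually break it.
guest_needs_selinux() {
  case "$1" in
    enforcing|permissive) return 0 ;;
    *) return 1 ;;
  esac
}

# relabel_guest GUEST PATH...: the post's session, driven non-interactively.
# Paths must not contain spaces (they are passed through guestfish's sh verb).
relabel_guest() {
  guest=$1; shift
  # Same invocation as the post: virt-inspector emits the -a/-m options guestfish
  # needs. --ro here because this step only reads the config. (-i is avoided
  # since it cannot be combined with --selinux.)
  mode=$(guestfish $(virt-inspector --fish "$guest") --ro \
           cat /etc/selinux/config 2>/dev/null | selinux_mode)
  if ! guest_needs_selinux "$mode"; then
    echo "$guest: SELinux mode '${mode:-unset}', nothing to relabel" >&2
    return 0
  fi
  # load_policy loads the guest's policy into the appliance kernel only, so
  # restorecon labels files as the guest would, and the host policy is untouched.
  {
    echo 'sh "load_policy"'
    for p in "$@"; do
      echo "sh \"restorecon $p\""
    done
  } | guestfish $(virt-inspector --fish "$guest") --selinux
}

# Usage: ./relabel.sh rhel5 /etc/resolv.conf /etc/hostname
if [ $# -gt 0 ]; then
  relabel_guest "$@"
fi
```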