With the fix, here is the correct and desired behaviour:

Validate the SELinux labels
---------------------------

On the Compute node, exec into the 'nova_libvirt' container:

    [root@overcloud-0-novacompute-0 ~]# podman exec -it nova_libvirt /bin/bash

SELinux info:

    ()[root@overcloud-0-novacompute-0 /]# getenforce
    Enforcing

    ()[root@overcloud-0-novacompute-0 /]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      31

Run `virsh dominfo` for the guest:

    ()[root@overcloud-0-novacompute-0 /]# virsh dominfo instance-00000001
    Id:             1
    Name:           instance-00000001
    UUID:           9aa82fee-ee30-44d1-a547-cb283f1edf8c
    OS Type:        hvm
    State:          running
    CPU(s):         1
    CPU time:       18.9s
    Max memory:     524288 KiB
    Used memory:    524288 KiB
    Persistent:     yes
    Autostart:      disable
    Managed save:   no
    Security model: selinux
    Security DOI:   0
    Security label: system_u:system_r:svirt_t:s0:c643,c979 (enforcing)

SELinux label of the running QEMU processes:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
    system_u:system_r:svirt_t:s0:c496,c549 216371 ? 00:01:30 qemu-kvm

SELinux label for the QEMU binary file:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/libexec/qemu-kvm
    -rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 16356584 Apr 6 20:47 /usr/libexec/qemu-kvm

SELinux label for the libvirtd process:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep libvirtd
    system_u:system_r:spc_t:s0 209874 ? 00:00:01 libvirtd

SELinux label for the libvirtd binary file:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/sbin/libvirtd
    -rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 618304 Dec 20 01:11 /usr/sbin/libvirtd

* * *

Capture evidence that sVirt is in effect
----------------------------------------

Enumerate the running guests:

    ()[root@overcloud-0-novacompute-0 /]# virsh list
     Id   Name                State
    -----------------------------------
     1    instance-00000001   running

Enumerate the disk images the above guests are using:

    ()[root@overcloud-0-novacompute-0 /]# virsh domblklist 1
     Target   Source
    -----------------------------------------------------------------------------
     vda      /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

Check the SELinux labels for the above disk image:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk
    -rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c496,c549 59113472 Jun 17 11:46 /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

They match the labels for the corresponding QEMU processes:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
    system_u:system_r:svirt_t:s0:c496,c549 216371 ? 00:02:00 qemu-kvm

Squint your eyes and notice that the QEMU process and its corresponding
disk image have the matching SELinux label. In this case, the 'qemu-kvm'
process for instance-00000001 & its disk image, both have the matching
labels: s0:c496,c549

* * *
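
The label comparison described above, done by a script instead of by eye. This is an added example, not part of the original write-up: the function names are hypothetical, it works on captured `ps -eZ` and `ls -lZ` lines, and of the three sample lines the first two are taken from the output above while the third is constructed.

```bash
#!/usr/bin/env bash
# Added example: check that a qemu-kvm process and a disk image carry the
# same sVirt MCS level, working on captured `ps -eZ` / `ls -lZ` text.

# Sample lines: the first two are from the output above, the third is constructed.
PROC_LINE='system_u:system_r:svirt_t:s0:c496,c549 216371 ? 00:02:00 qemu-kvm'
IMG_LINE='-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c496,c549 59113472 Jun 17 11:46 /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk'
BAD_IMG_LINE='-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c1,c2 1024 Jan 1 00:00 /tmp/constructed-disk'

# Print the MCS level ("s0:c496,c549") of the first SELinux context of
# type $1 found in line $2; print nothing if no such context is present.
mcs_level() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        awk -F: -v t="$1" '$3 == t { print ($5 == "" ? $4 : $4 ":" $5); exit }'
}

# Succeed only if the process is svirt_t, the file is svirt_image_t, the
# process has categories assigned, and both levels are identical.
svirt_pair_ok() {
    _proc=$(mcs_level svirt_t "$1")
    _img=$(mcs_level svirt_image_t "$2")
    case "$_proc" in
        *:c*) ;;            # categories present
        *) return 1 ;;      # not svirt_t, or no per-guest categories
    esac
    [ "$_proc" = "$_img" ]
}

for img in "$IMG_LINE" "$BAD_IMG_LINE"; do
    if svirt_pair_ok "$PROC_LINE" "$img"; then
        echo "MATCH    $(mcs_level svirt_image_t "$img")"
    else
        echo "MISMATCH proc=$(mcs_level svirt_t "$PROC_LINE") image=$(mcs_level svirt_image_t "$img")"
    fi
done
```

On a Compute node, the inputs would be the lines from `ps -eZ | grep qemu` and from `ls -lZ` on each path reported by `virsh domblklist`.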