diff --git a/crates/kit/src/credentials.rs b/crates/kit/src/credentials.rs
index 961540d..c66f86b 100644
--- a/crates/kit/src/credentials.rs
+++ b/crates/kit/src/credentials.rs
@@ -45,8 +45,19 @@ pub fn guest_path_to_unit_name(guest_path: &str) -> String {
 /// Note: systemd automatically creates mount point directories, so DirectoryMode is not needed
 ///
 /// Returns the complete unit file content as a string
-pub fn generate_mount_unit(virtiofs_tag: &str, guest_path: &str, readonly: bool) -> String {
-    let options = if readonly { "Options=ro" } else { "Options=rw" };
+pub fn generate_virtiofs_mount_unit(
+    virtiofs_tag: &str,
+    guest_path: &str,
+    readonly: bool,
+) -> String {
+    let options = if readonly {
+        // Default readonly mounts to usr_t - this helps avoid SELinux
+        // issues when accessing them as container storage for example.
+        // TODO don't hardcode this, detect from the environment
+        "ro,context=system_u:object_r:usr_t:s0"
+    } else {
+        "rw"
+    };
 
     format!(
         "[Unit]\n\
@@ -61,7 +72,7 @@ pub fn generate_mount_unit(virtiofs_tag: &str, guest_path: &str, readonly: bool)
          What={tag}\n\
          Where={path}\n\
          Type=virtiofs\n\
-         {options}\n",
+         Options={options}\n",
         tag = virtiofs_tag,
         path = guest_path,
         options = options
@@ -82,7 +93,7 @@ pub fn smbios_creds_for_mount_unit(
     readonly: bool,
 ) -> Result<Vec<String>> {
     let unit_name = guest_path_to_unit_name(guest_path);
-    let mount_unit_content = generate_mount_unit(virtiofs_tag, guest_path, readonly);
+    let mount_unit_content = generate_virtiofs_mount_unit(virtiofs_tag, guest_path, readonly);
     let encoded_mount = data_encoding::BASE64.encode(mount_unit_content.as_bytes());
 
     let mount_cred =
diff --git a/crates/kit/src/libvirt/run.rs b/crates/kit/src/libvirt/run.rs
index 9f8321e..16d16fa 100644
--- a/crates/kit/src/libvirt/run.rs
+++ b/crates/kit/src/libvirt/run.rs
@@ -882,8 +882,11 @@ fn process_bind_mounts(
 
         // Generate SMBIOS credential for mount unit (without dropin)
         let unit_name = crate::credentials::guest_path_to_unit_name(&bind_mount.guest_path);
-        let mount_unit_content =
-            crate::credentials::generate_mount_unit(&tag, &bind_mount.guest_path, readonly);
+        let mount_unit_content = crate::credentials::generate_virtiofs_mount_unit(
+            &tag,
+            &bind_mount.guest_path,
+            readonly,
+        );
         let encoded_mount = data_encoding::BASE64.encode(mount_unit_content.as_bytes());
         let mount_cred =
             format!("io.systemd.credential.binary:systemd.extra-unit.{unit_name}={encoded_mount}");
@@ -1211,7 +1214,7 @@ fn create_libvirt_domain_from_disk(
         let guest_mount_path = "/run/host-container-storage";
         let unit_name = crate::credentials::guest_path_to_unit_name(guest_mount_path);
         let mount_unit_content =
-            crate::credentials::generate_mount_unit("hoststorage", guest_mount_path, true);
+            crate::credentials::generate_virtiofs_mount_unit("hoststorage", guest_mount_path, true);
         let encoded_mount = data_encoding::BASE64.encode(mount_unit_content.as_bytes());
         let mount_cred =
             format!("io.systemd.credential.binary:systemd.extra-unit.{unit_name}={encoded_mount}");
diff --git a/crates/kit/src/run_ephemeral.rs b/crates/kit/src/run_ephemeral.rs
index e9db17b..64d90ae 100644
--- a/crates/kit/src/run_ephemeral.rs
+++ b/crates/kit/src/run_ephemeral.rs
@@ -915,7 +915,7 @@ pub(crate) async fn run_impl(opts: RunEphemeralOpts) -> Result<()> {
             let mount_point = format!("/run/virtiofs-mnt-{}", mount_name_str);
             let unit_name = crate::credentials::guest_path_to_unit_name(&mount_point);
             let mount_unit_content =
-                crate::credentials::generate_mount_unit(&tag, &mount_point, is_readonly);
+                crate::credentials::generate_virtiofs_mount_unit(&tag, &mount_point, is_readonly);
             let encoded_mount = data_encoding::BASE64.encode(mount_unit_content.as_bytes());
 
             // Create SMBIOS credential for the mount unit