diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f1f817c906..092f79749c 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -842,6 +842,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerClearSocketLabel;
 virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
 virSecurityManagerGetDOI;
 virSecurityManagerGetModel;
 virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 30e4c3fbac..776a470b93 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,12 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return opts;
 }
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ int virtType ATTRIBUTE_UNUSED)
+{
+ return NULL;
+}
 virSecurityDriver virAppArmorSecurityDriver = {
 .privateDataLen = 0,
@@ -972,4 +978,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
 .domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
 .domainGetSecurityMountOptions = AppArmorGetMountOptions,
+
+ .getBaseLabel = AppArmoryGetBaseLabel,
 };
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index f16251cd4e..019c789ffd 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1174,6 +1174,14 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return NULL;
 }
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr,
+ int virt ATTRIBUTE_UNUSED)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->baselabel;
+}
+
 virSecurityDriver virSecurityDriverDAC = {
 .privateDataLen = sizeof(virSecurityDACData),
 .name = SECURITY_DAC_NAME,
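Review bot: The initializer `.getBaseLabel = AppArmoryGetBaseLabel,` in the second security_apparmor.c hunk names a function that does not exist; the function defined in the preceding hunk is `AppArmorGetBaseLabel`, so any build that compiles this file will fail. Change the line to `.getBaseLabel = AppArmorGetBaseLabel,`. Because the misspelling is only caught on a build that includes the AppArmor driver, it is worth compiling with it enabled before this goes in.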
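Review bot: virSecurityDACGetBaseLabel names its second parameter `virt`, whereas the virSecurityDriverGetBaseLabel typedef in security_driver.h and every other implementation in this series call it `virtType`; rename it to `int virtType ATTRIBUTE_UNUSED)` so the callbacks read alike. The function also returns `priv->baselabel` with no comment on when that is NULL, even though the manager's contract is "NULL if a base label is not present"; a one-line comment such as `/* baselabel is presumably NULL when no user/group label was configured; verify where it is set */` would make the contract visible at the implementation.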
@@ -1216,4 +1224,6 @@ virSecurityDriver virSecurityDriverDAC = {
 .domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
 .domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
+
+ .getBaseLabel = virSecurityDACGetBaseLabel,
 };
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 8735558955..ced1b9220a 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,8 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
 typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
 typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr,
+ int virtType);
 typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);
@@ -154,6 +156,8 @@ struct _virSecurityDriver {
 virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
 virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+ virSecurityDriverGetBaseLabel getBaseLabel;
 };
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0e783ee5af..5b76ad8eef 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -275,6 +275,21 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
 return NULL;
 }
+/* return NULL if a base label is not present */
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ if (mgr->drv->getBaseLabel) {
+ const char *ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->getBaseLabel(mgr, virtType);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return NULL;
+}
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
 {
 return mgr->allowDiskFormatProbing;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 9252830613..81d3160a8b 100644
--- a/src/security/security_manager.h
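Review bot: The new `virSecurityDriverGetBaseLabel` typedef in security_driver.h takes a bare `int virtType` with no documentation of what the value means; the SELinux implementation later in this series compares it against `VIR_DOMAIN_VIRT_QEMU`, so it appears to be a virDomainVirtType value, but a future driver author cannot tell that from the header. A comment above the typedef such as `/* @virtType: a VIR_DOMAIN_VIRT_* value; drivers may return a different base label per hypervisor type, or NULL when they have none */` would pin that down. The same applies to the declaration added in security_manager.h.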
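Review bot: The comment `/* return NULL if a base label is not present */` above virSecurityManagerGetBaseLabel says nothing about ownership or lifetime of the returned string, yet the function unlocks @mgr before handing the pointer back, so the caller ends up holding a pointer into the driver's private data that it must neither free nor keep beyond the lifetime of @mgr. The DAC and SELinux implementations in this series return `priv->baselabel` and `priv->domain_context` directly, which fits that contract, but it should be written down. Suggested replacement: `/* Return the driver's base label for @virtType, or NULL if there is none. The string is owned by @mgr's private data: do not free it and do not use it after @mgr has been unreferenced. */`. It is also worth one sentence stating that drivers must not replace or free the label once the manager is in use, since the returned pointer outlives the lock that was held while obtaining it.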
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType);
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c1dd..73e1ac167e 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,14 @@ static char *virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
 return opts;
 }
+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ int virtType ATTRIBUTE_UNUSED)
+{
+ return NULL;
+}
+
+
 virSecurityDriver virSecurityDriverNop = {
 .privateDataLen = 0,
 .name = "none",
@@ -226,4 +234,6 @@ virSecurityDriver virSecurityDriverNop = {
 .domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop,
 .domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
+
+ .getBaseLabel = virSecurityGetBaseLabel,
 };
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 6c0b0bb341..310e30060b 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
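Review bot: The stub added in security_nop.c is named `virSecurityGetBaseLabel`, which does not follow the `...Nop` suffix the rest of this file uses (`virSecurityDomainSetFDLabelNop` and `virSecurityDomainGetMountOptionsNop` are visible in the context lines) and reads like a generic manager-level API rather than a no-op driver callback. Rename it to `virSecurityGetBaseLabelNop` and update the initializer in the following hunk to `.getBaseLabel = virSecurityGetBaseLabelNop,`. The two consecutive `+` blank lines after the function are also one more than the DAC and stack hunks add, unless this file already separates definitions that way.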
@@ -1830,6 +1830,17 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
 }
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (virtType == VIR_DOMAIN_VIRT_QEMU && priv->alt_domain_context)
+ return priv->alt_domain_context;
+ else
+ return priv->domain_context;
+}
+
+
 static int
 virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
@@ -2477,4 +2488,5 @@ virSecurityDriver virSecurityDriverSELinux = {
 .domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel,
 .domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions,
+ .getBaseLabel = virSecuritySELinuxGetBaseLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0a0dc92241..ff0f06b1bf 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,13 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
 return list;
 }
+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr),
+ virtType);
+}
+
 virSecurityDriver virSecurityDriverStack = {
 .privateDataLen = sizeof(virSecurityStackData),
 .name = "stack",
@@ -599,4 +606,6 @@ virSecurityDriver virSecurityDriverStack = {
 .domainGetSecurityMountOptions = virSecurityStackGetMountOptions,
 .domainSetSecurityHugepages = virSecurityStackSetHugepages,
+
+ .getBaseLabel = virSecurityStackGetBaseLabel,
 };
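Review bot: virSecuritySELinuxGetBaseLabel prefers `priv->alt_domain_context` for VIR_DOMAIN_VIRT_QEMU with no comment on why QEMU alone gets a different label, so a reader of this function cannot tell what alt_domain_context is or when it is set. A short comment before the `if`, e.g. `/* alt_domain_context, when configured, is the context used for QEMU guests; every other virt type gets domain_context — confirm against where alt_domain_context is loaded */`, would cover that. The `else` after an unconditional `return` is also redundant; `return priv->domain_context;` can simply follow the `if` body.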
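Review bot: virSecurityStackGetBaseLabel passes the result of virSecurityStackGetPrimary(mgr) straight into virSecurityManagerGetBaseLabel, which dereferences `mgr->drv` without a NULL check in the security_manager.c hunk. If a stack manager can exist with no primary this is a NULL dereference; I cannot confirm from this diff whether that state is reachable, so if it is, guard it with `virSecurityManagerPtr primary = virSecurityStackGetPrimary(mgr);` followed by `return primary ? virSecurityManagerGetBaseLabel(primary, virtType) : NULL;`. Note also that this call locks the primary while the stack manager itself is already locked by the caller, which presumably matches the nested locking the stack driver's other callbacks rely on.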