Please collect SELinux denials that appeared during the Steps to Reproduce.
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
And attach them to this BZ. Thank you.
Did the /home/fedora/.ssh directory exist before Steps to Reproduce?
You may also strace qemu-ga with SELinux contexts, very useful for debugging:
# strace -fttTvyy -s 128 --secontext=all -o qemu-ga.strace -p $(pgrep qemu-ga)
Using "all" will show the full context + eventual mismatches (just in case some file is not labeled properly, to avoid false positives).
(In reply to Milos Malik from comment #1)
> Please collect SELinux denials that appeared during the Steps to Reproduce.
>
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
>
> And attach them to this BZ.
Attachment has been updated and named 'denied.txt'.
>
> Thank you.
>
> Did the /home/fedora/.ssh directory exist before Steps to Reproduce?
Definitely yes.
Thank you. What is the output of this?
# ausearch -m avc -ts today | audit2allow
Thank you. Can you please enable the boolean:
# semanage boolean -m --on virt_qemu_ga_manage_ssh
and run your tests in both SELinux modes: enforcing:
# setenforce 1
then permissive:
# setenforce 0
And check denials?
Thank you, PR: https://github.com/fedora-selinux/selinux-policy/pull/1772
PR with new fixes is merged: https://github.com/fedora-selinux/selinux-policy/pull/1788
Commits to backport:
4cffc71d2 Boolean: Allow virt_qemu_ga create ssh directory
19e34245f Allow virt_qemu_ga_t create .ssh dir with correct label