diff --git a/doc/source/roles/role-nova_svirt.rst b/doc/source/roles/role-nova_svirt.rst
new file mode 100644
index 000000000..1141929ad
--- /dev/null
+++ b/doc/source/roles/role-nova_svirt.rst
@@ -0,0 +1,6 @@
+=================
+nova_svirt
+=================
+
+.. ansibleautoplugin::
+  :role: roles/nova_svirt
diff --git a/playbooks/nova-svirt.yaml b/playbooks/nova-svirt.yaml
new file mode 100644
index 000000000..27f281911
--- /dev/null
+++ b/playbooks/nova-svirt.yaml
@@ -0,0 +1,13 @@
+---
+- hosts: Compute
+  gather_facts: false
+  vars:
+    metadata:
+      name: Check nova sVirt support
+      description: >-
+        Ensures all running VM are correctly protected with sVirt
+      groups:
+        - post-deployment
+        - post-upgrade
+  roles:
+    - nova_svirt
diff --git a/roles/nova_svirt/defaults/main.yml b/roles/nova_svirt/defaults/main.yml
new file mode 100644
index 000000000..94a8e4269
--- /dev/null
+++ b/roles/nova_svirt/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "nova_svirt"
+nova_svirt_directory: /run/libvirt/qemu
diff --git a/roles/nova_svirt/molecule/default/Dockerfile b/roles/nova_svirt/molecule/default/Dockerfile
new file mode 100644
index 000000000..417c6c702
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/Dockerfile
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]
\ No newline at end of file
diff --git a/roles/nova_svirt/molecule/default/converge.yml b/roles/nova_svirt/molecule/default/converge.yml
new file mode 100644
index 000000000..4973c374e
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/converge.yml
@@ -0,0 +1,47 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Run against a successful file
+      vars:
+        nova_svirt_directory: /libvirt/success
+      include_role:
+        name: nova_svirt
+
+    - name: Run against failed file
+      vars:
+        nova_svirt_directory: /libvirt/failure
+      block:
+        - name: Run the validation
+          include_role:
+            name: nova_svirt
+      rescue:
+        - name: Clear host errors
+          meta: clear_host_errors
+
+        - name: Success output
+          debug:
+            msg: Validation successfully detected the failure
+
+        - name: End play
+          meta: end_play
+
+    - name: Fail if we reach this point
+      fail:
+        msg: The validation did not detect the error
diff --git a/roles/nova_svirt/molecule/default/molecule.yml b/roles/nova_svirt/molecule/default/molecule.yml
new file mode 100644
index 000000000..8f2b8a064
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/molecule.yml
@@ -0,0 +1,48 @@
+---
+driver:
+  name: docker
+
+log: true
+
+platforms:
+  - name: centos7
+    hostname: centos7
+    image: centos:7
+    dockerfile: Dockerfile
+    pkg_extras: python-setuptools python-lxml
+    volumes:
+      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+    easy_install:
+      - pip
+    environment: &env
+      http_proxy: "{{ lookup('env', 'http_proxy') }}"
+      https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+  - name: centos8
+    hostname: centos8
+    image: centos:8
+    dockerfile: Dockerfile
+    pkg_extras: python*-setuptools python*-lxml
+    volumes:
+      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+    environment:
+      <<: *env
+
+provisioner:
+  name: ansible
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+    ANSIBLE_LIBRARY: "../../../../library"
+
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - verify
+    - destroy
+
+verifier:
+  name: testinfra
diff --git a/roles/nova_svirt/molecule/default/prepare.yml b/roles/nova_svirt/molecule/default/prepare.yml
new file mode 100644
index 000000000..0b557b415
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/prepare.yml
@@ -0,0 +1,60 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Create directory tree
+      file:
+        path: "{{ item }}"
+        state: directory
+      loop:
+        - /libvirt
+        - /libvirt/success
+        - /libvirt/failure
+
+    - name: Push correct xml
+      copy:
+        mode: 0644
+        dest: /libvirt/success/instance-0001.xml
+        content: |
+          <domstatus>
+            <domain>
+              <seclabel type='dynamic' model='dac' relabel='yes'>
+                <label>+107:+107</label>
+                <imagelabel>+107:+107</imagelabel>
+              </seclabel>
+              <seclabel type='dynamic' model='selinux' relabel='yes'>
+                <label>system_u:system_r:svirt_t:s0:c687,c775</label>
+                <imagelabel>system_u:object_r:svirt_image_t:s0:c687,c775</imagelabel>
+              </seclabel>
+            </domain>
+          </domstatus>
+
+    - name: Push incorrect xml
+      copy:
+        mode: 0644
+        dest: /libvirt/failure/instance-0002.xml
+        content: |
+          <domstatus>
+            <domain>
+              <seclabel type='dynamic' model='dac' relabel='yes'>
+                <label>+107:+107</label>
+                <imagelabel>+107:+107</imagelabel>
+              </seclabel>
+            </domain>
+          </domstatus>
diff --git a/roles/nova_svirt/tasks/main.yml b/roles/nova_svirt/tasks/main.yml
new file mode 100644
index 000000000..29148d7da
--- /dev/null
+++ b/roles/nova_svirt/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Get all instance XMLs
+  register: xmls
+  find:
+    paths: "{{ nova_svirt_directory }}"
+    patterns: "*.xml"
+    recurse: true
+    depth: 1
+
+- name: Loop on XMLs and validate sVirt availability
+  loop: "{{ xmls.files }}"
+  loop_control:
+    label: "{{ item.path }}"
+  include_tasks: validate.yml
diff --git a/roles/nova_svirt/tasks/validate.yml b/roles/nova_svirt/tasks/validate.yml
new file mode 100644
index 000000000..ee4a42f34
--- /dev/null
+++ b/roles/nova_svirt/tasks/validate.yml
@@ -0,0 +1,28 @@
+---
+- name: "Parse {{ item.path }}"
+  become: true
+  register: seclabels
+  xml:
+    path: "{{ item.path }}"
+    content: attribute
+    xpath: '/domstatus/domain/seclabel'
+
+- name: Set or reset svirt_enabled
+  set_fact:
+    svirt_enabled: false
+
+- name: Check enabled seclabels
+  loop: "{{ seclabels.matches }}"
+  loop_control:
+    loop_var: seclabel
+  when:
+    - seclabel.seclabel.model == 'selinux'
+  set_fact:
+    svirt_enabled: true
+
+- name: Fail if sVirt is not enabled
+  fail:
+    msg: |
+      sVirt not detected for {{ item.path }}
+  when:
+    - not svirt_enabled
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 599018ca4..e8c79de45 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -12,6 +12,7 @@
       - tripleo-validations-centos-8-molecule-haproxy
       - tripleo-validations-centos-8-molecule-image_serve
       - tripleo-validations-centos-8-molecule-nova_status
+      - tripleo-validations-centos-8-molecule-nova_svirt
       - tripleo-validations-centos-8-molecule-rabbitmq_limits
       - tripleo-validations-centos-8-molecule-repos
       - tripleo-validations-centos-8-molecule-stonith_exists
@@ -35,6 +36,7 @@
       - tripleo-validations-centos-8-molecule-haproxy
       - tripleo-validations-centos-8-molecule-image_serve
       - tripleo-validations-centos-8-molecule-nova_status
+      - tripleo-validations-centos-8-molecule-nova_svirt
       - tripleo-validations-centos-8-molecule-rabbitmq_limits
       - tripleo-validations-centos-8-molecule-repos
       - tripleo-validations-centos-8-molecule-stonith_exists
@@ -388,3 +390,17 @@
     parent: tripleo-validations-centos-8-base
     vars:
       tripleo_validations_role_name: ceph
+- job:
+    files:
+    - ^roles/system_encoding/.*
+    name: tripleo-validations-centos-8-molecule-system_encoding
+    parent: tripleo-validations-centos-8-base
+    vars:
+      tripleo_validations_role_name: system_encoding
+- job:
+    files:
+    - ^roles/nova_svirt/.*
+    name: tripleo-validations-centos-8-molecule-nova_svirt
+    parent: tripleo-validations-centos-8-base
+    vars:
+      tripleo_validations_role_name: nova_svirt