Comment # 35 on bug 1228849 from pallas wept
The documentation for podman
(https://www.mankier.com/5/containers-storage.conf#Selinux_Labeling) includes
handling for this issue, when changing the location for containers. TL;DR it's
an equivalence like my previous post here.
Subsequently, all new container storage is created with correct labelling.

Likewise, I recently found that the libvirt tools also set the labels when the
user/admin creates new storage pools (e.g. in virt-manager). I came across this
issue only because this system was migrated from AppArmor to SELinux - had it
been running SELinux all along, the labels would already be correct.

So, for the two biggest candidates, if they've taken it upon their tools to
handle this, then obviously it will be the same for other software, such as
user directories like downloads or caches. So, that means xdg-user-dirs, plus a
zillion other apps with caches. Not really something that's viable to fix...
But, if this system had been running SELinux before I moved those directories, then
they would have been correctly labelled already.

So that's my takeaway from all of this - if this system had been running
SELinux from day 1, all of these problems would have been either documented,
avoided, or accounted for. It's only because I was running AppArmor and then
switched that I had problems, even with my extra configuration. Accordingly, I
guess these problems could be considered a part of the migration process.

Rather than confuse matters in the migration doc, and since this isn't
*strictly* migration-specific (one *could* hit similar problems in normal use),
I have added this to the docs at
https://en.opensuse.org/Portal:SELinux/Common_issues#Non-standard_file_locations

I hope that's OK, I'm not sure if I'm supposed to edit those pages or not. I
just wanted to close this with as little fuss as possible :D

If you read this, thanks again Cathy.
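
The "equivalence" approach the comment refers to, written out as an added example (this is not code from the bug report, from podman or from libvirt). It records a file-context equivalence with semanage so that a relocated directory is labelled as if it were the standard one, relabels what is already there, and optionally checks the result with matchpathcon. It assumes semanage (policycoreutils-python-utils), restorecon and matchpathcon (libselinux-utils) are installed and that the real run happens as root; the paths /var/lib/containers and /srv/containers in the usage are hypothetical.

```shell
#!/bin/sh
# Added example: label a relocated directory like its standard location
# using an SELinux file-context equivalence, then relabel it.
# Defaults to DRY_RUN=1 (print the commands); run with DRY_RUN=0 as root
# to actually apply them. Paths in the usage at the bottom are hypothetical.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# procedure can be reviewed on a box without SELinux or pasted into a ticket.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# relabel_equivalent STANDARD_DIR NEW_DIR
# 1. Record that NEW_DIR is to be labelled as if it were STANDARD_DIR. The
#    rule lives in the local policy customisations, so it survives a full
#    relabel (a one-off chcon would be undone by autorelabel).
# 2. Apply the contexts to whatever already exists under NEW_DIR; files
#    created there later get the right label automatically.
relabel_equivalent() {
    std=$1
    new=$2
    run semanage fcontext -a -e "$std" "$new"
    run restorecon -R -v "$new"
}

# check_equivalent STANDARD_DIR NEW_DIR
# Ask policy what context an identically named file would get under each
# tree and compare. Returns 0 if they match, 1 if not, 2 if matchpathcon
# is not installed (hypothetical file name example.txt is never created).
check_equivalent() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    a=$(matchpathcon -n "$1/example.txt")
    b=$(matchpathcon -n "$2/example.txt")
    [ "$a" = "$b" ]
}

# Usage (hypothetical: container storage moved from /var/lib to /srv).
relabel_equivalent /var/lib/containers /srv/containers
```

After a real run, `ls -dZ /srv/containers` should show the same type as `ls -dZ /var/lib/containers`, and `check_equivalent /var/lib/containers /srv/containers` should return 0. The same two commands, with the libvirt or user-data paths substituted, cover the storage-pool and home-directory cases the comment mentions.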
