Cloud (_Atomic) selinux labels and restorecon

FYI: restorecon changes many file labels following a clean install https://bugzilla.redhat.com/show_bug.cgi?id=1259018 This bug is not Cloud specific, but because Cloud_Atomic is read-only it can't be fixed with restorecon. I mention this in the bug. I don't know the quantity of metadata changes: selinux policy, permissions, all other xattr, happen in the course of a release; but in an "Atomic" context it looks like only option is to duplicate the affected files to uniquely set new metadata on just that file in a particular tree. The alternative, changing the metadata on the hardlink, punches through to the original file in a completely different tree, affecting all trees, and is therefore not atomic. (On Btrfs this duplication can be made efficient with reflinks instead of hardlinks, but that's trivia.) -- Chris Murphy