Cloud (_Atomic) selinux labels and restorecon

Chris Murphy lists at colorremedies.com
Tue Sep 1 20:54:43 UTC 2015


FYI:
restorecon changes many file labels following a clean install
https://bugzilla.redhat.com/show_bug.cgi?id=1259018

This bug is not Cloud specific, but because Cloud_Atomic is read-only
it can't be fixed with restorecon. I mention this in the bug.

I don't know what quantity of metadata changes (selinux policy,
permissions, all other xattr) happen in the course of a release; but
in an "Atomic" context it looks like the only option is to duplicate the
affected files to uniquely set new metadata on just that file in a
particular tree. The alternative, changing the metadata on the
hardlink, punches through to the original file in a completely
different tree, affecting all trees, and is therefore not atomic. (On
Btrfs this duplication can be made efficient with reflinks instead of
hardlinks, but that's trivia.)


-- 
Chris Murphy
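
The hardlink behaviour described in the message above, as an added example that is not part of the original post: two constructed trees share one file through a hardlink, and a metadata change is applied first in place and then after duplicating the file. Permission bits stand in for the SELinux label (an assumption made so the example runs unprivileged; both are per-inode metadata), and the paths and the helper names are hypothetical.

```python
import os
import shutil
import stat
import tempfile

def make_trees(root):
    """Build two trees that share one file via a hardlink (constructed layout)."""
    paths = []
    for tree in ("tree-a", "tree-b"):
        d = os.path.join(root, tree, "etc")
        os.makedirs(d)
        paths.append(os.path.join(d, "example.conf"))
    with open(paths[0], "w") as f:
        f.write("setting=1\n")
    os.chmod(paths[0], 0o644)
    os.link(paths[0], paths[1])          # same inode, two directory entries
    return paths

def mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def change_with_copy(path, new_mode):
    """Give `path` its own inode before changing metadata, if it is shared."""
    if os.stat(path).st_nlink > 1:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        os.close(fd)
        shutil.copy2(path, tmp)          # content plus mode/times (xattrs where allowed)
        os.chmod(tmp, new_mode)
        os.replace(tmp, path)            # atomic rename within the same directory
    else:
        os.chmod(path, new_mode)

def demo():
    # Case 1: change metadata through the hardlink; it reaches the other tree.
    with tempfile.TemporaryDirectory() as root:
        fa, fb = make_trees(root)
        same_inode = os.stat(fa).st_ino == os.stat(fb).st_ino
        os.chmod(fb, 0o600)
        leaked_mode = mode(fa)
    # Case 2: duplicate first, then change; the other tree keeps its metadata.
    with tempfile.TemporaryDirectory() as root:
        fa, fb = make_trees(root)
        change_with_copy(fb, 0o600)
        isolated = (mode(fa), mode(fb), os.stat(fa).st_ino != os.stat(fb).st_ino)
    return same_inode, leaked_mode, isolated

if __name__ == "__main__":
    print(demo())
```
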

