On 14/06/2023 15:16, lejeczek via Podman wrote:
Hi guys.
I map /root very often - I'd imagine many do - and I do
that with Z
What I get is quite puzzling to me, say host has it:
system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
system_u:object_r:container_file_t:s0:c74,c78 pki
in container:
-> $ ls -Z1 bin pki
bin:
system_u:object_r:container_file_t:s0 conf
system_u:object_r:container_file_t:s0 container-config
ls: cannot open directory 'pki': Permission denied
'root' existed prior to container creation and 'pki' was
added later, & outside of container.
fcontext is not enough? SELinux says:
allow container_init_t container_file_t:dir read;
label=disable seems to be the way of it but is that the
right way?
ah, fcontext is good enough - another tool/daemon kept
changing labels.
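
The label mismatch in the listing above can be checked mechanically. This is an added example, not part of the original thread: it parses `ls -Z1` output and reports entries whose MCS categories are not covered by the container's process level, which is how a relabel by another tool shows up. Assumptions: the container runs at `s0:c526,c622` (inferred from the two `.p12` files that `Z` relabelled), and the function names are hypothetical.

```python
# Added example, not from the thread. SAMPLE_LS_Z is constructed from the host
# listing quoted in the post; the process level passed in is an assumption.
SAMPLE_LS_Z = """\
system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
system_u:object_r:container_file_t:s0:c74,c78 pki
"""


def parse_categories(level):
    """Return the category numbers in a level such as 's0:c74,c78' or 's0:c0.c3'."""
    level = level.rsplit("-", 1)[-1]          # for a low-high range keep the high level
    _, _, cats = level.partition(":")         # drop the sensitivity (s0)
    numbers = set()
    for item in filter(None, cats.split(",")):
        low, _, high = item.partition(".")    # 'c0.c3' means c0 through c3
        first = int(low[1:])
        last = int(high[1:]) if high else first
        numbers.update(range(first, last + 1))
    return numbers


def unreachable_entries(ls_z_output, process_level):
    """List (name, level) pairs whose categories the process level does not dominate."""
    allowed = parse_categories(process_level)
    flagged = []
    for line in ls_z_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].count(":") < 3:
            continue                          # unlabeled entry or unrelated output
        context, name = parts
        level = context.split(":", 3)[3]      # user:role:type:level
        if parse_categories(level) - allowed:
            flagged.append((name, level))
    return flagged


if __name__ == "__main__":
    for name, level in unreachable_entries(SAMPLE_LS_Z, "s0:c526,c622"):
        print(f"{name}: {level} is outside the container's categories")
```

Entries labelled plain `s0` carry no categories and pass the check, which matches `bin` being readable in the container while `pki` is not.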