On 14/06/2023 15:16, lejeczek via Podman wrote:
Hi guys.

I map /root very often - I'd imagine many do - and I do that with Z
What I get is quite puzzling to me, say host has it:

          system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
  system_u:object_r:container_file_t:s0:c74,c78 pki

in container:

-> $ ls -Z1 bin pki
bin:
system_u:object_r:container_file_t:s0 conf
system_u:object_r:container_file_t:s0 container-config
ls: cannot open directory 'pki': Permission denied

'root' existed prior to container creation and 'pki' was added later, & outside of the container.
fcontext is not enough? SELinux says:

allow container_init_t container_file_t:dir read;

label=disable seems to be the way of it, but is that the right way?

ah, fcontext is good enough - another tool/daemon kept changing labels.
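The listing above already explains the denial if you apply the MCS rule by hand: the container runs as container_t with one category pair (here c526,c622), `:Z` stamped that pair onto the files relabelled at container start, and `pki`, added later by something else, carries a different pair (c74,c78). A container_t process can only reach a container_file_t object whose categories are a subset of its own, so `bin` (plain s0, no categories) and the `.p12` files are fine while `pki` is EACCES. The script below, added here as an example and not code from the post or from the Podman project, applies that rule to a constructed copy of the listing. The listing, the category sets and the helper names are all assumptions for illustration; category ranges such as c1.c5 are not expanded.

```shell
#!/bin/sh
# Added example (not from the post or the Podman project): decide which entries
# of an `ls -Z` listing a container process can reach under SELinux MCS.
#
# Rule applied: a process running as container_t with category set P may use a
# container_file_t object with category set F only if F is a subset of P.
# A plain ":s0" object has F = {} and is reachable by every container.
# Assumption: categories are plain comma lists; ranges like c1.c5 are not expanded.

# Constructed listing modelled on the host output in the post (sample data, not
# real host files).  Leading spaces mimic ls -Z column alignment.
LISTING='          system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
  system_u:object_r:container_file_t:s0:c74,c78 pki'

# mcs_accessible LABEL PROC_CATS
#   LABEL      full file context, e.g. system_u:object_r:container_file_t:s0:c74,c78
#   PROC_CATS  the container's categories, e.g. "c526,c622" ("" for a process at plain s0)
# Exit 0 if the file is reachable, 1 if the type or the MCS check would deny it.
mcs_accessible() {
    label=$1
    proc_cats=$2
    type=$(printf '%s' "$label" | cut -d: -f3)
    # The post's tree only carries container_file_t; any other type is treated as
    # denied here (assumption: other types the policy permits are out of scope).
    [ "$type" = "container_file_t" ] || return 1
    file_cats=$(printf '%s' "$label" | cut -d: -f5)   # empty for a plain :s0 label
    [ -z "$file_cats" ] && return 0                    # no categories to satisfy
    for c in $(printf '%s' "$file_cats" | tr ',' ' '); do
        case ",$proc_cats," in
            *",$c,"*) ;;        # category present in the process set
            *) return 1 ;;      # missing category: EACCES, like 'pki' in the post
        esac
    done
    return 0
}

# denied_entries PROC_CATS
# Prints the name of every entry in LISTING a container with PROC_CATS cannot open.
denied_entries() {
    proc_cats=$1
    printf '%s\n' "$LISTING" | while read -r label name; do
        mcs_accessible "$label" "$proc_cats" || printf '%s\n' "$name"
    done
}

# Stand-alone run: the container from the post (c526,c622) is denied only 'pki'.
denied_entries c526,c622
```

To get the process side of the comparison on a real system, read `/proc/self/attr/current` from inside the container; it prints the full context including the category pair. Running the check with the other pair from the listing (c74,c78) shows the mirror image, with the two `.p12` files denied and `pki` readable, which is what a second container relabelling the same tree with `:Z` would see. A shared `:z` mount avoids the tug-of-war by labelling the tree at plain s0 with no categories, at the cost of every container being able to read it.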