Linux.com - https://www.linux.com/news/understanding-selinux-labels-container-runtimes-1
“I’ve just started to deal with some software that is containerized via Docker, and which is ordinarily only ever run on Ubuntu. Naturally this means nobody ever put any thought into how it will interact with SELinux.
“I know that containers get a pair of randomly chosen MCS [Multi-Category Security] labels by default, and that the files they create obviously end up with those same categories. However, when it’s time to rebuild or upgrade the container, the files are now inaccessible because the new container has a different pair of categories.