mount --bind and autorelabel versus restorecon

Per Sjoholm Per.t.Sjoholm at flysta.net
Tue Feb 17 14:26:02 UTC 2009


There is more than one problem described here and they are connected.
One is the basic question of how to organize data regarding updates, backup and daily tasks.
One is SELinux protection.
One is that this should NOT be a problem in the first place.
(It was NOT until the targeted/enforcing policy.)

I have systems and try to keep OS and data separated.
This makes backup and updating the OS easier.
SELinux changes things.
Normally:
Partitions 1, 2 and 3 contain an OS and 4 is an extended partition with my data.
Then I can install a new OS and prepare it before changing over.
Keeping the system running, rebooting into the new version.
Reverting to the old OS version by a reboot if needed.

ONLY OS-dependent data (config, daemon ...) is under "/"; the rest is elsewhere
and the physical file system for /dev/sda5 is mounted under /disk_dev/sda5.
With a mount --bind, parts of /disk_dev/<part>/<subdir> get mounted in the proper place:
mount --bind /disk_dev/sda5/projects/A /prj/A
The NFS4 exports are another example.

Some clients use samba and some NFS; parts of the data should be available via httpd and bittorrent.
Some of the files are large and can't be duplicated (symlinked)?
Most data belongs to a project and the project belongs to a group.

SELinux
Using symlinks or an alias in httpd does not work, as components in the path
are missing labels, since they contain data that ftp, samba or httpd is not meant to read.

autorelabel only handles filesystem mounts, NOT mount --bind.
The result of
doing a touch /.autorelabel; reboot
doing a restorecon -R <path>

will differ, as autorelabel only sees the physical mount.

It's possible to construct file contexts, but they will most likely NOT
work reliably for both autorelabel and restorecon.

Thanks
Per
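An added example (not from the original post) that makes the mismatch described above visible before it bites: it recovers each bind mount's physical path from a constructed /proc/self/mountinfo snippet, then asks a simplified file_contexts matcher what label a file gets under the bind-mounted name (what restorecon -R <path> applies) versus the physical name (what autorelabel applies, since, as the post says, it only walks the physical mount). The mountinfo lines, the two file_contexts rules and the sample file name are all constructed.

```python
import re

# Constructed /proc/self/mountinfo lines. Field 3 is the major:minor device,
# field 4 the root inside that filesystem, field 5 the mount point. A bind
# mount of a subdirectory shows a non-"/" root, which lets us recover the
# physical path it was bound from.
MOUNTINFO = """\
25 0 8:5 / /disk_dev/sda5 rw,relatime - ext4 /dev/sda5 rw
41 25 8:5 /projects/A /prj/A rw,relatime - ext4 /dev/sda5 rw
"""

# Constructed file_contexts rules as (regex, context). As in file_contexts(5),
# when several entries match a path the last matching entry wins.
FILE_CONTEXTS = [
    (r"/disk_dev(/.*)?", "system_u:object_r:default_t:s0"),
    (r"/prj(/.*)?",      "system_u:object_r:httpd_sys_content_t:s0"),
]

def parse_bind_mounts(mountinfo):
    """Return {bind_mount_point: physical_path} for sub-directory bind mounts."""
    dev_root, binds = {}, []
    for line in mountinfo.splitlines():
        fields = line.split()
        dev, root, mnt = fields[2], fields[3], fields[4]
        if root == "/":
            dev_root[dev] = mnt          # where this device's root is mounted
        else:
            binds.append((dev, root, mnt))
    return {mnt: dev_root[dev].rstrip("/") + root for dev, root, mnt in binds}

def label_for(path, rules=FILE_CONTEXTS):
    """Simplified matchpathcon: last rule whose regex matches the whole path."""
    label = None
    for regex, ctx in rules:
        if re.fullmatch(regex, path):
            label = ctx
    return label

def find_label_conflicts(mountinfo=MOUNTINFO, rules=FILE_CONTEXTS, sample="index.html"):
    """List (bind_path, physical_path, bind_label, physical_label) where the two
    names of the same file would receive different labels."""
    conflicts = []
    for mnt, phys in parse_bind_mounts(mountinfo).items():
        via_bind = label_for(f"{mnt}/{sample}", rules)
        via_phys = label_for(f"{phys}/{sample}", rules)
        if via_bind != via_phys:
            conflicts.append((mnt, phys, via_bind, via_phys))
    return conflicts
```

Any entry returned by find_label_conflicts is a path whose label depends on which name relabelled it last, so it is worth fixing the rules (or relabelling the physical path) before relying on httpd or samba access decisions for that tree.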