You're correct: a svirt_t:s0:c1,c2 would be able to read a svirt_tmp_t:s0:c1 file, which is why libvirt/sandbox/openshift ... are coded not to do that.

These applications all label with two unique categories, to avoid this problem.

Eventually we might need to go to three categories for systems like OpenShift if they grow too large, especially if we go with a unique UID for a gear across all Nodes.
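The dominance rule described in the comment above, as an added example that is not part of the original comment or of libvirt/OpenShift code: it checks which MCS labels can read which, and counts how many distinct two- and three-category labels exist. It assumes every label sits at sensitivity s0 and that the policy defines 1024 categories (c0 to c1023); all function names are hypothetical.

```python
from itertools import combinations
from math import comb

def parse_categories(level):
    """Category set of a single MCS level such as 's0:c1,c2' or 's0:c0.c3'."""
    _, _, cats = level.partition(":")
    result = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")       # 'c0.c3' means the range c0..c3
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        result.update(range(start, end + 1))
    return frozenset(result)

def dominates(subject_level, object_level):
    """True when the subject's categories are a superset of the object's
    (sensitivity is assumed equal, s0, for every label)."""
    return parse_categories(subject_level) >= parse_categories(object_level)

def exposed_pairs(levels):
    """(subject, object) pairs with different category sets where the
    subject dominates the object, i.e. isolation between them is lost."""
    return [(a, b) for a in levels for b in levels
            if parse_categories(a) != parse_categories(b) and dominates(a, b)]

def pair_labels(total):
    """Every label made of exactly two distinct categories out of `total`."""
    return [f"s0:c{i},c{j}" for i, j in combinations(range(total), 2)]

def capacity(k, total=1024):
    """Number of distinct k-category labels (total=1024 is an assumption)."""
    return comb(total, k)

if __name__ == "__main__":
    # Constructed sample: mixing a one-category label with two-category labels.
    mixed = ["s0:c1,c2", "s0:c1", "s0:c3,c4"]
    print("mixed sizes :", exposed_pairs(mixed))
    # Labels that all carry exactly two categories never dominate each other.
    print("pairs only  :", exposed_pairs(pair_labels(6)))
    print("2 categories:", capacity(2), "labels")
    print("3 categories:", capacity(3), "labels")
```

Two labels with the same number of categories can only dominate each other when they are identical, which is why labelling everything with exactly two (or exactly three) categories avoids the cross-read.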

