"container_t isn't allowed to access container_var_lib_t"
Container policy is defined in the container-selinux package. By default, containers run with the SELinux type container_t, whether they are launched by just about any container engine: podman, cri-o, docker, buildah, moby. Most people who run containers under SELinux with lower-level runtimes like runc or systemd-nspawn use container_t as well.
By default, container_t is allowed to read and execute content carrying the labels used under /usr, and to read generically labeled content in the host's /etc directory (etc_t).
The default label for content in /var/lib/docker and /var/lib/containers is container_var_lib_t. This type is not accessible by containers (container_t), whether they are running under podman, cri-o, docker, buildah or anything else. We specifically do not want containers to be able to read this content, because storage that uses block devices like devicemapper and btrfs (I believe) is labeled container_var_lib_t when the containers are not running.
For overlay content we need to allow containers to read and execute the files, so we use the type container_share_t for it. container_t is allowed to read and execute container_share_t files, but not write or modify them.
Content under /var/lib/containers/overlay* and /var/lib/docker/overlay* is labeled container_share_t by default, which you can confirm from the file contexts:
$ grep overlay /etc/selinux/targeted/contexts/files/fil
The label container_file_t is the only type that containers are allowed to write. container_file_t is used for the upper directory when the overlay mount is created for a container's image. It is also used for content mounted from devicemapper and btrfs.
If you volume mount a directory into a container and add :z or :Z, the container engine relabels the content under the volume to container_file_t (with :z the label is shared by all containers; with :Z the engine adds the container's private MCS categories, so only that container can use the content).
Failure to read/write/execute content labeled container_var_lib_t is expected.
When I see this type of AVC, I expect that this is either a volume mounted in from /var/lib/containers or /var/lib/docker, or mislabeled content under an overlay directory like /var/lib/containers/storage/overlay.
To solve these, I usually recommend running
restorecon -R -v /var/lib/containers
restorecon -R -v /var/lib/docker
Or, if it is a volume mount, to use :z or :Z. The relabel is recursive, so do not use :z or :Z on a system directory like /home, /usr, or /var/lib/containers itself.
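The triage above in script form: an added example, not code from the original post or from container-selinux. It parses the scontext, tcontext and path fields out of audit AVC lines, checks that the denial is container_t against container_var_lib_t, and decides between the restorecon fix (path under an overlay directory) and the :z/:Z volume fix (path elsewhere under /var/lib/containers or /var/lib/docker). The three audit lines are constructed samples, not real audit output; the function names and the "restorecon", "volume", "inspect" and "other" classifications are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): triage an AVC of the form
# "container_t isn't allowed to access container_var_lib_t" and map it to
# one of the two fixes above. The audit lines at the bottom are constructed.

# Print the value of KEY= from an audit line, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# The SELinux type is the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one AVC line. Output is one of:
#   restorecon - container_t denied on container_var_lib_t under an overlay
#                directory: mislabeled image storage, relabel it
#   volume     - container_t denied on container_var_lib_t elsewhere: a
#                directory volume mounted in from storage without :z/:Z
#   inspect    - right types, but the AVC carries no path= field
#   other      - not the denial this post is about
classify_avc() {
    stype=$(ctx_type "$(avc_field scontext "$1")")
    ttype=$(ctx_type "$(avc_field tcontext "$1")")
    path=$(avc_field path "$1")
    [ "$stype" = container_t ] && [ "$ttype" = container_var_lib_t ] || { echo other; return 0; }
    case "$path" in
        "") echo inspect ;;
        /var/lib/containers/storage/overlay*|/var/lib/containers/overlay*|/var/lib/docker/overlay*)
            echo restorecon ;;
        *)  echo volume ;;
    esac
}

# Map a classification to the fix recommended in the post.
recommend_fix() {
    case "$1" in
        restorecon) echo "restorecon -R -v /var/lib/containers /var/lib/docker" ;;
        volume)     echo "mount the volume with :z (shared) or :Z (private to this container)" ;;
        inspect)    echo "no path= in the AVC; check the name= field and the container's mounts" ;;
        *)          echo "not a container_var_lib_t denial" ;;
    esac
}

# Constructed sample AVCs (not real audit output).
AVC_OVERLAY='type=AVC msg=audit(1700000000.100:101): avc:  denied  { read } for  pid=2001 comm="cat" path="/var/lib/containers/storage/overlay/3f9e/merged/etc/motd" dev="dm-0" ino=1111 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0'
AVC_VOLUME='type=AVC msg=audit(1700000000.200:102): avc:  denied  { write } for  pid=2002 comm="sqlite3" path="/var/lib/containers/mydata/app.db" dev="dm-0" ino=2222 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0'
AVC_OTHER='type=AVC msg=audit(1700000000.300:103): avc:  denied  { write } for  pid=2003 comm="touch" path="/home/user/data/x" dev="dm-1" ino=3333 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

for avc in "$AVC_OVERLAY" "$AVC_VOLUME" "$AVC_OTHER"; do
    kind=$(classify_avc "$avc")
    printf '%s -> %s: %s\n' "$(avc_field path "$avc")" "$kind" "$(recommend_fix "$kind")"
done
```

On a real host, feed it the output of ausearch -m avc (or the avc: lines from journalctl) one line at a time; the classification only looks at the type portion of the contexts, so the MCS categories (c123,c456) do not affect it.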