Hi, after fixing the ostree-provided fs labels, there seem to be additional problems. E.g.:
# ls -Z /var/home/tob -d unconfined_u:object_r:default_t:s0 /var/home/tob/ which should most likely be unconfined_u:object_r:user_home_dir_t:s0. That's most likely the cause of many more ssh AVCs I get. Reading through the list of AVCs I get the feeling that most files are mislabeled. restorecon -n does not say anything is wrong, so I am led to believe that restorecon does not know its way on atomic hosts. I will keep that machine to debug the selinux tools, if you think that's reasonable. Cheers, Tobias Florek