From 45a65ce989d59e64f59025c96b5edf826c164ec9 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 19 Aug 2025 10:29:15 +0200 Subject: [PATCH] images: Discuss `/.autorelabel` Came up in chat. Signed-off-by: Colin Walters --- docs/src/bootc-images.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/src/bootc-images.md b/docs/src/bootc-images.md index 58a459c75..a0fe7b456 100644 --- a/docs/src/bootc-images.md +++ b/docs/src/bootc-images.md @@ -132,6 +132,18 @@ for handling the `security.selinux` extended attribute in tar streams; but this can only currently be done with a custom build process. +#### Forcing relabeling + +Some distributions support a `/.autorelabel` file; this will not work +on a bootc managed system where `/` is immutable state from the base +image by default. The labels on the files under `/sysroot/ostree` are +also managed by bootc/ostree and should not be changed by external +tools. + +Most typically, you instead want to only relabel targeted subdirectories +of `/etc` and `/var`. This can be done via a systemd unit, e.g. +`ExecStart=restorecon -R -v /var/lib/mysql`. + ### Toplevel directories In particular, a common problem is that inside a container image,
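Review bot: the closing example in the new "Forcing relabeling" section, `ExecStart=restorecon -R -v /var/lib/mysql`, shows a single directive and leaves out the parts of the unit that decide whether the relabel is effective. As written, nothing tells the reader that the unit has to finish before the service that opens files under that directory starts, or whether it is meant to run once or on every boot, where a recursive `restorecon` over a large data directory adds to boot time. Suggest either a sentence stating the ordering and run-once expectations, or a short complete unit in the docs in place of the one-line fragment. In the first paragraph, "this will not work" would also be clearer if it said what the reader will observe when they try to create `/.autorelabel`, since the immutability of `/` is qualified with "by default" and the text does not say what happens when that default is changed. Finally, "Came up in chat" in the commit message gives no pointer to the question being answered; a link or a one-line summary of the scenario would help later readers of the history.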