Comment 2 for bug 456942

Normally, SELinux labels are stored in inode xattrs. Since tmpfses aren't persistent, restorecon re-labels the missing base label on the root inode of that filesystem based on the SELinux policy rules. (Where those rules are, I have no idea, we'd have to check with Caleb or someone else more familiar with it.)

I suspect it would be much easier to just call out to restorecon.