This is related to this question: How to audit the selinux denial inside a docker container
I have a container that does not work after enforcing SELinux; the "ls /app" command fails with an access denial:
# docker exec -it XXX ls -lZ /app
ls: cannot open directory /app: Permission denied
The first problem is that SELinux denial messages are not logged for accesses inside my container. After turning off "dontaudit", the SELinux denial info appears, but it shows the container is trying to "read" an "unlabeled_t":
type=AVC msg=audit(1537323105.938:115360): avc: denied { read } for pid=11891 comm="ls" path="/app" dev="vdb" ino=917696 scontext=system_u:system_r:container_t:s0:c136,c536 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
but per the info below, it is "container_file_t":
# docker exec -it XXX ls -dZ /app
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c136,c536 /app
I don't think it is proper to add a rule to allow (container_t read "unlabeled_t" dir), though it does work.
So I want to know why the "/app" dir (and many others) inside the container is deemed "unlabeled_t" by SELinux, and how I can fix the problem.
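The AVC record's tcontext is the label the kernel actually enforced, so a denial on unlabeled_t from a container_t process points at a labeling problem rather than a policy gap. The following triage script is an added example, not part of the question or any answer: it parses AVC lines into fields and classifies each denial by the enforced contexts; the first sample line is the one from the question, the other two are constructed, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log: the first AVC line is the one from the question;
# the SYSCALL line and the second AVC line are made up for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1537323105.938:115360): avc: denied { read } for pid=11891 comm="ls" path="/app" dev="vdb" ino=917696 scontext=system_u:system_r:container_t:s0:c136,c536 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1537323105.938:115360): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1537323200.001:115400): avc: denied { write } for pid=12000 comm="app" path="/data/out" dev="vdb" ino=42 scontext=system_u:system_r:container_t:s0:c136,c536 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\} for (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").strip()
    return fields

def ctx_type(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]

def ctx_categories(context: str) -> str:
    """user:role:type:s0:c1,c2 -> 'c1,c2' (empty string when there are none)"""
    return context.split(":", 3)[3].partition(":")[2]

def classify(avc: Dict[str, str]) -> str:
    """Decide what kind of fix a container denial points at, from the enforced contexts."""
    stype, ttype = ctx_type(avc["scontext"]), ctx_type(avc["tcontext"])
    if ttype == "unlabeled_t":
        # The kernel saw no label on the object: fix the labeling (restorecon,
        # a :Z/:z volume mount, or a filesystem without xattrs), not the policy.
        return "relabel"
    if stype == "container_t" and ttype == "container_file_t":
        if ctx_categories(avc["scontext"]) != ctx_categories(avc["tcontext"]):
            # Right type, wrong MCS categories: content labeled for another container.
            return "mcs-mismatch"
    return "policy"

def triage(audit_text: str) -> List[Tuple[str, str]]:
    """(path, verdict) for every AVC denial in an audit log excerpt."""
    return [(a.get("path", "?"), classify(a))
            for a in map(parse_avc, audit_text.splitlines()) if a]
```

Feed it the output of ausearch -m AVC and only the "policy" verdicts are candidates for a custom module; "relabel" entries are the ones where an allow rule would paper over a missing label.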