Description of problem:
If you do:
oo-admin-cartridge -a install -s /path/to/cartridge
... then the cartridge is installed with a copy of the original context it was checked out in.

The specific problem that happened was that a git repo was checked out in /root and then installed. Then cron was unable to update the mco cart_list fact because it couldn't read context admin_home_t. Other more serious problems may be imagined.

Version-Release number of selected component (if applicable):
OSE rubygem-openshift-origin-node-1.9.14.1 but also in current repo

Steps to Reproduce:
1. On a node, make sure SELinux is enforcing: setenforce 1
2. cd /root
3. git clone https://github.com/openshift/origin-server.git
4. oo-admin-cartridge -a install -s origin-server/cartridges/openshift-origin-cartridge-phpmyadmin
5. grep cart_list /etc/mcollective/facts.yaml
6. wait for (5) to change

Actual results:
The cartridge list never changes. If you setenforce 0 and look in the audit.log, you'll see it's being denied based on the context of the installed cartridge.

Expected results:
Cartridge should always be installed in the cartridge repository with the correct context, e.g.:
# ls -lZ /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/metadata/manifest.yml
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/metadata/manifest.yml

Additional info:
As of this writing, looks like the problem is here:
https://github.com/openshift/origin-server/blob/master/node/lib/openshift-origin-node/model/cartridge_repository.rb#L179

Utils.oo_spawn("shopt -s dotglob; /bin/cp -ad #{directory}/* #{entry.repository_path}",
                         expected_exitstatus: 0)

cp -a retains SELinux context. Should that perhaps be followed by "&& restorecon -R #{entry.repository_path}" ?