This is entirely controllable via policy. That is, you specify that newly
create files are labeled to something safe (enforced atomically at the
kernel level), and then your userland relabeler would be invoked via
inotify to relabel based on your userland pathname specification.
This labeling policy can be as granular as you wish, from the entire
filesystem to a single file. It can also be applied depending on the
process which created the file and the directory its created in, ranging
from all processes and all directories, to say, just those running as
user_t in directories labeled as public_html_t (or whatever).