Rework the selinux relabel workaround

config.sh

@@ -93,12 +93,6 @@ rpm -qa --qf '%{size}\t%{name}-%{version}-%{release}.%{arch}\n' |sort -rn
 # Note that running rpm recreates the rpm db files which aren't needed or wanted
 rm -f /var/lib/rpm/__db*
 
-#======================================
-# Force selinux relabel on firstboot
-#--------------------------------------
-# Workaround for https://github.com/OSInside/kiwi/issues/2192
-touch /.autorelabel
-
 #======================================
 # Generate boot.bin
 #======================================

root/etc/fstab.script

@@ -1,3 +1,10 @@
 #!/bin/sh
 
+# Set ESP mount options to match what Fedora does
+# https://github.com/OSInside/kiwi/issues/2201
 gawk -i inplace '$2 == "/boot/efi" { $4 = $4",umask=0077,shortname=winnt" } { print $0 }' /etc/fstab
+
+# Run selinux relabel at the right time
+# https://github.com/OSInside/kiwi/issues/2192
+# https://github.com/OSInside/kiwi/pull/2282#issuecomment-1514399308
+setfiles -F -p -c /etc/selinux/targeted/policy/policy.* -e /proc -e /sys -e /dev /etc/selinux/targeted/contexts/files/file_contexts /