diff --git a/config.sh b/config.sh
index 47142bb..e26bf99 100755
--- a/config.sh
+++ b/config.sh
@@ -93,12 +93,6 @@ rpm -qa --qf '%{size}\t%{name}-%{version}-%{release}.%{arch}\n' |sort -rn
 # Note that running rpm recreates the rpm db files which aren't needed or wanted
 rm -f /var/lib/rpm/__db*
 
-#======================================
-# Force selinux relabel on firstboot
-#--------------------------------------
-# Workaround for https://github.com/OSInside/kiwi/issues/2192
-touch /.autorelabel
-
 #======================================
 # Generate boot.bin
 #======================================
diff --git a/root/etc/fstab.script b/root/etc/fstab.script
index adf95ab..94e99db 100755
--- a/root/etc/fstab.script
+++ b/root/etc/fstab.script
@@ -1,3 +1,10 @@
 #!/bin/sh
 
+# Set ESP mount options to match what Fedora does
+# https://github.com/OSInside/kiwi/issues/2201
 gawk -i inplace '$2 == "/boot/efi" { $4 = $4",umask=0077,shortname=winnt" } { print $0 }' /etc/fstab
+
+# Run selinux relabel at the right time
+# https://github.com/OSInside/kiwi/issues/2192
+# https://github.com/OSInside/kiwi/pull/2282#issuecomment-1514399308
+setfiles -F -p -c /etc/selinux/targeted/policy/policy.* -e /proc -e /sys -e /dev /etc/selinux/targeted/contexts/files/file_contexts /