diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
index 6ab5a3cc0..f95cb39a2 100644
--- a/crates/lib/src/install.rs
+++ b/crates/lib/src/install.rs
@@ -1970,6 +1970,32 @@ async fn install_to_filesystem_impl(
         ostree_install(state, rootfs, cleanup).await?;
     }
 
+    // As the very last step before filesystem finalization, do a full SELinux
+    // relabel of the physical root filesystem. We skip ostree/deploy because
+    // the contents there are already correctly labeled as part of the
+    // container image deployment.
+    if let Some(policy) = state.load_policy()? {
+        tracing::info!("Performing final SELinux relabeling of physical root");
+        let skip_devino =
+            if let Some(deploy_dir) = rootfs.physical_root.open_dir_optional("ostree/deploy")? {
+                let deploy_meta = deploy_dir.dir_metadata()?;
+                Some((deploy_meta.dev(), deploy_meta.ino()))
+            } else {
+                tracing::debug!("No ostree/deploy directory found; relabeling everything");
+                None
+            };
+        let mut path = Utf8PathBuf::from("");
+        crate::lsm::ensure_dir_labeled_recurse(
+            &rootfs.physical_root,
+            &mut path,
+            &policy,
+            skip_devino,
+        )
+        .context("Final SELinux relabeling of physical root")?;
+    } else {
+        tracing::debug!("Skipping final SELinux relabel (SELinux is disabled)");
+    }
+
     // Finalize mounted filesystems
     if !rootfs.skip_finalize {
         let bootfs = rootfs.boot.as_ref().map(|_| ("boot", "boot"));
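Review bot: The `skip_devino` exclusion covers the entire `ostree/deploy` subtree, but the comment justifying it ("already correctly labeled as part of the container image deployment") only accounts for content copied from the image — the per-stateroot `var` and the deployment's mutable `etc` under that tree are populated during install, so unless they are labeled on another path they would be left with whatever label they got at creation; please confirm that, and extend the comment to say where those are labeled, e.g. `// (stateroot var/ and the deployment etc/ are labeled separately during deployment; see ostree_install)`. Separately, the walk starts at `rootfs.physical_root` with an empty path and the context line `rootfs.boot.as_ref()` suggests `boot` may be a separately mounted filesystem; unless `ensure_dir_labeled_recurse` stops at mount boundaries (not visible here) it will descend into it, and setting security xattrs on a vfat ESP fails, which would abort the install via the `?` — worth a check or an explicit skip like the one for `ostree/deploy`. The `else` message "SELinux is disabled" is also stronger than what `load_policy()` returning `None` establishes; "no SELinux policy found in target root" would be more accurate if that is the actual condition. `install_to_filesystem_impl` begins and ends outside this hunk.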