diff --git a/lib/src/install.rs b/lib/src/install.rs
index 060444340..022acb292 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -644,8 +644,11 @@ async fn initialize_ostree_root_from_self(
 }
 f.flush()?;
 
+ let fstab_path = Utf8PathBuf::from("/").join(path.as_str()).join("etc/fstab");
+ state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?;
+
 if let Some(contents) = state.root_ssh_authorized_keys.as_deref() {
- osconfig::inject_root_ssh_authorized_keys(&root, contents)?;
+ osconfig::inject_root_ssh_authorized_keys(&root, &path.as_str(), &state, contents)?;
 }
 
 let uname = rustix::system::uname();
diff --git a/lib/src/install/osconfig.rs b/lib/src/install/osconfig.rs
index 6bddc6400..b7a7f9b5e 100644
--- a/lib/src/install/osconfig.rs
+++ b/lib/src/install/osconfig.rs
@@ -1,5 +1,5 @@
 use anyhow::Result;
-use camino::Utf8Path;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std::fs::Dir;
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use fn_error_context::context;
@@ -8,7 +8,12 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d";
 const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf";
 
 #[context("Injecting root authorized_keys")]
-pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> {
+pub(crate) fn inject_root_ssh_authorized_keys(
+ root: &Dir,
+ root_path: &str,
+ state: &crate::install::State,
+ contents: &str,
+) -> Result<()> {
 // While not documented right now, this one looks like it does not newline wrap
 let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
 // See the example in https://systemd.io/CREDENTIALS/
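Review bot: The new call passes `&path.as_str()`, which borrows an `&str` a second time and only type-checks through deref coercion; clippy's needless_borrow will flag it, so pass `path.as_str()` (and, if `state` is already a `&State` in this function, `state` rather than `&state`). The fstab labeling on the line before is correctly placed after `f.flush()?`, but a reader cannot tell from here what `lsm_label` does when no SELinux policy is loaded; a short comment such as `// Relabel the freshly written fstab so it carries the policy's context for /etc/fstab` would make the intent explicit. The absolute host path is assembled inline here as `Utf8PathBuf::from("/").join(path.as_str())` and again in osconfig.rs as `Utf8PathBuf::from("/").join(root_path)`; a single helper on `State` would keep the two from drifting. `initialize_ostree_root_from_self` begins and ends outside the hunk.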
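Review bot: The new `root_path` parameter carries an invariant the signature does not state: it must be the host-filesystem path of the directory that `root` is a capability handle for, because it is only used to rebuild an absolute path for `state.lsm_label`. A mismatch would silently label a different file than the one written through `root`, so document it on the function, e.g. `/// `root_path` is the path of `root` relative to the host root; it is used only to derive the absolute path handed to the LSM labeler.` Since the caller already passes `path.as_str()`, taking `root_path: &Utf8Path` would also avoid the `&str` to path round-trip. The function body continues past the hunk.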
@@ -18,6 +23,14 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res
 root.create_dir_all(tmpfiles_dir)?;
 let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE);
 root.atomic_write(&target, &tmpfiles_content)?;
+
+ let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE);
+ state.lsm_label(
+ &Utf8PathBuf::from("/").join(root_path).join(&as_path),
+ &Utf8PathBuf::from("/").join(&as_path),
+ false,
+ )?;
+
 println!("Injected: {target}");
 Ok(())
 }
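Review bot: Only the file is relabeled; the `etc/tmpfiles.d` directory that `root.create_dir_all(tmpfiles_dir)?` may have just created is never passed to `state.lsm_label`, so if it did not already exist in the image it keeps whatever context the kernel assigned at creation. If the directory is expected to be present in every image, a comment saying so above the labeling call is enough; otherwise label `tmpfiles_dir` the same way before labeling the file. The labeling also runs after `atomic_write` has renamed the file into place, which is fine for an install-time root that is not yet booted but is worth noting in a comment, e.g. `// File is labeled after it lands; acceptable because this root is not yet in use`. The function signature for this block is in the preceding hunk.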