diff --git a/lib/src/install.rs b/lib/src/install.rs
index a95f5a59a..f432898d4 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self(
 let rootfs = root_setup.rootfs.as_path();
 let cancellable = gio::Cancellable::NONE;
+ // Ensure that the physical root is labeled.
+ // Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295
+ state.lsm_label(rootfs, "/".into(), false)?;
+
 // TODO: make configurable?
 let stateroot = STATEROOT_DEFAULT;
 Task::new_and_run(
@@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self(
 ["admin", "init-fs", "--modern", rootfs.as_str()],
 )?;
+ // And also label /boot AKA xbootldr, if it exists
+ let bootdir = rootfs.join("boot");
+ if bootdir.try_exists()? {
+ state.lsm_label(&bootdir, "/boot".into(), false)?;
+ }
+
 // Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x.
 // TODO: Lower this logic into ostree proper.
 let bootloader = if cfg!(target_arch = "s390x") {
diff --git a/tests/kolainst/install b/tests/kolainst/install
index 121dc2af7..cb8544076 100755
--- a/tests/kolainst/install
+++ b/tests/kolainst/install
@@ -35,6 +35,7 @@ EOF
 # but for now let's just sanity test that the install command executes.
 lsblk ${DEV}
 mount /dev/vda3 /var/mnt
+ ls -Z /var/mnt |grep ':root_t:'
 grep foo=bar /var/mnt/loader/entries/*.conf
 grep localtestkarg=somevalue /var/mnt/loader/entries/*.conf
 grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
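Review bot: The bare `false` passed as the third argument of `state.lsm_label(rootfs, "/".into(), false)?` gives a reader no way to tell what is being switched off, and the same applies to the `/boot` call in the next hunk. If it is a recursion flag (inferred from the call shape; the signature is not in this diff), a comment such as `// false: label only this directory, not its contents` would make clear that entries created later under the root depend on label inheritance or a later relabel. A sentence on why the call must precede `ostree admin init-fs` would help for the same reason. The body of `initialize_ostree_root_from_self` starts and ends outside the hunk.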
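Review bot: `bootdir.try_exists()?` is true for any file type and follows symlinks, so the `/boot` label would also be applied when `boot` in the target root is a regular file or a symlink pointing elsewhere. On a freshly created target that is unlikely, but the check is cheap to tighten by testing that the path is a real directory (for example `symlink_metadata()` followed by `is_dir()`) before calling `state.lsm_label`. Whether `lsm_label` itself follows symlinks is not visible in this diff and is worth confirming. The function continues outside the hunk.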
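Review bot: `ls -Z /var/mnt |grep ':root_t:'` lists the children of the mount point, so it passes when any entry under it carries `root_t` and does not check the label of the physical root itself. `ls -dZ /var/mnt | grep ':root_t:'` tests the directory that the commit labels. The `/boot` labeling added in install.rs has no assertion here; a matching `ls -dZ /var/mnt/boot` check against the type the policy assigns to `/boot` would cover it, assuming the test image has that directory.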