diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index b6d92823bc4..f862a14b838 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -732,6 +732,11 @@ EOF
 "${BUILD_DIR}/${image_kconfig}"
 fi
 
+ # Label the root filesystem using 'file_contexts'.
+ sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"
+ sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/usr
+
 write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"
 
 # Zero all fs free space to make it more compressible so auto-update
@@ -741,11 +746,6 @@ EOF
 sudo fstrim "${root_fs_dir}/usr" || true
 fi
 
- # Build the selinux policy
- if pkg_use_enabled coreos-base/coreos selinux; then
- sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
- fi
-
 # Make the filesystem un-mountable as read-write and setup verity.
 if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
 # Unmount /usr partition
diff --git a/build_torcx_store b/build_torcx_store
index 6bc95b1ba2a..abc5a59c5ee 100755
--- a/build_torcx_store
+++ b/build_torcx_store
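Review bot: The policy build and the two relabel passes added after `fi` run unconditionally, whereas the `if pkg_use_enabled coreos-base/coreos selinux; then` guard that the second hunk deletes was what kept `semodule -s mcs -i *.pp` (and its unquoted `*.pp` glob, which stays literal when no module is present) out of builds without the selinux USE flag; wrap the four added lines in the same `if pkg_use_enabled coreos-base/coreos selinux; then … fi` so those builds do not fail on a missing `semodule` or an empty policy directory. The second `setfiles` pass on `"${root_fs_dir}"/usr` only matters if the first pass, which already starts at `"${root_fs_dir}"`, does not reach the separately mounted /usr — a one-line comment stating that assumption (and why `-D` is wanted on both calls) would save the next reader from guessing. The enclosing function starts and ends outside the hunk.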
@@ -188,7 +188,24 @@ function torcx_package() {
 fi
 
 tmpfile="${BUILD_DIR}/${name}:${version}.torcx.tgz"
- tar --force-local --selinux --xattrs -C "${tmppkgroot}" -czf "${tmpfile}" .
+ # build the file_contexts and set labels on the Torcx image content.
+ sudo chroot "${BOARD_ROOT}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ # temporary move to relabel the torcx files, they can't be relabelled on overlay FS (operation not supported)
+ sudo mkdir -p /mnt/host/source/src/build/
+ sudo cp -r "${tmppkgroot}" /mnt/host/source/src/build/torcx
+ sudo setfiles -Dv -r /mnt/host/source/src/build/torcx "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /mnt/host/source/src/build/torcx
+
+ # this is a bit hacky: we need to copy the file_contexts and the compiled policies from the BOARD_ROOT
+ # to the SDK. Otherwise, 'tar' will lookup for SELinux labels from the SDK and it will result
+ # into a partially updated system.
+ sudo mkdir -p /etc/selinux/mcs/contexts/files/
+ sudo cp "${BOARD_ROOT}/etc/selinux/mcs/contexts/files/file_contexts" /etc/selinux/mcs/contexts/files/
+
+ # sed file_contexts to simulate the root
+ sudo sed -i "s#^#/mnt/host/source/src/build/torcx#" /etc/selinux/mcs/contexts/files/file_contexts
+ # debug:
+ cat /etc/selinux/mcs/contexts/files/file_contexts
+ tar --force-local --selinux --xattrs -C /mnt/host/source/src/build/torcx -czf "${tmpfile}" .
 sha512sum=$(sha512sum "${tmpfile}" | awk '{print $1}')
 
 # TODO(euank): this opaque digest, if it were reproducible, could save
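Review bot: `sudo cp -r "${tmppkgroot}" /mnt/host/source/src/build/torcx` has no cleanup before it, so on any later call of torcx_package (which reads as a per-package function, though its start lies outside the hunk) the destination already exists, `cp -r` nests the new tree inside the stale one, and the tarball built by the new `tar -C /mnt/host/source/src/build/torcx` then also contains the previous package's files; add `sudo rm -rf -- /mnt/host/source/src/build/torcx` before the copy, or better create the scratch directory with `sudo mktemp -d` under that path and remove it after `tar`. The `# debug:` line and the `cat /etc/selinux/mcs/contexts/files/file_contexts` below it dump the whole rewritten file_contexts into every build log and should be dropped before merge. The `sed -i` that prefixes every line of the SDK's copy (a `#` comment line, if the file has any, stops being a comment) leaves persistent state under the SDK's /etc that nothing in this hunk reads back except that `cat`; if `tar --selinux` takes the labels from the xattrs `setfiles` already set, the copy and the sed are dead code, and otherwise the comment should name the consumer. The comment also says "the compiled policies" are copied to the SDK, but only file_contexts is.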