diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index 56b4e8f8..45577373 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@@ -2309,7 +2309,11 @@ get_modified_xattrs (OstreeRepo *self,
                                       &label, cancellable, error))
         return FALSE;
 
-      if (label)
+      if (!label && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED) > 0)
+        {
+          return glnx_throw (error, "Failed to look up SELinux label for '%s'", relpath);
+        }
+      else if (label)
         {
           g_autoptr(GVariantBuilder) builder = NULL;
 
diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h
index b88b980f..482ede7a 100644
--- a/src/libostree/ostree-repo.h
+++ b/src/libostree/ostree-repo.h
@@ -537,12 +537,14 @@ typedef OstreeRepoCommitFilterResult (*OstreeRepoCommitFilter) (OstreeRepo *r
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS: Do not process extended attributes
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES: Generate size information.
  * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS: Canonicalize permissions for bare-user-only mode.
+ * @OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Emit an error if configured SELinux policy does not provide a label
  */
 typedef enum {
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_NONE = 0,
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS = (1 << 0),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_GENERATE_SIZES = (1 << 1),
   OSTREE_REPO_COMMIT_MODIFIER_FLAGS_CANONICAL_PERMISSIONS = (1 << 2),
+  OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED = (1 << 3),
 } OstreeRepoCommitModifierFlags;
 
 /**
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
index 2013f523..6063022c 100644
--- a/src/libostree/ostree-sepolicy.c
+++ b/src/libostree/ostree-sepolicy.c
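Review bot: The new guard tests a bit flag with `> 0`, which reads as an ordered comparison on an enum rather than a mask test; the idiomatic form is `if (!label && (modifier->flags & OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED) != 0)`. Separately, the sepolicy hunk in this same commit makes ostree_sepolicy_get_label() return TRUE with no label when the policy object has no loaded SELinux handle, so with this flag set the caller appears to fail every file with "Failed to look up SELinux label" even though no lookup ran; if that is intended the message should say that no policy was available, otherwise the no-handle case should be distinguished before this guard. Whether a NULL sepolicy is screened out earlier cannot be seen here, since get_modified_xattrs begins and ends outside the hunk.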
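Review bot: The doc line for the new flag does not say what "emit an error" means for the caller or when the flag applies. I would write it as `@OSTREE_REPO_COMMIT_MODIFIER_FLAGS_ERROR_ON_UNLABELED: Fail the commit with an error if the SELinux policy attached to the modifier does not provide a label for a file (no effect without a policy)`, which also documents that the flag presumably depends on ostree_repo_commit_modifier_set_sepolicy() having been called. If the project tags new API with a Since: line, the new member should carry one too.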
@@ -526,35 +526,34 @@ ostree_sepolicy_get_label (OstreeSePolicy *self,
                            GError **error)
 {
 #ifdef HAVE_SELINUX
-  gboolean ret = FALSE;
-  int res;
-  char *con = NULL;
+  /* Early return if no policy */
+  if (!self->selinux_hnd)
+    return TRUE;
 
-  if (self->selinux_hnd)
+  /* http://marc.info/?l=selinux&m=149082134430052&w=2
+   * https://github.com/ostreedev/ostree/pull/768
+   */
+  if (strcmp (relpath, "/proc") == 0)
+    relpath = "/mnt";
+
+  char *con = NULL;
+  int res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
+  if (res != 0)
     {
-      res = selabel_lookup_raw (self->selinux_hnd, &con, relpath, unix_mode);
-      if (res != 0)
-        {
-          if (errno != ENOENT)
-            {
-              glnx_set_error_from_errno (error);
-              goto out;
-            }
-        }
+      if (errno == ENOENT)
+        *out_label = NULL;
       else
-        {
-          /* Ensure we consistently allocate with g_malloc */
-          *out_label = g_strdup (con);
-          freecon (con);
-        }
+        return glnx_throw_errno (error);
+    }
+  else
+    {
+      /* Ensure we consistently allocate with g_malloc */
+      *out_label = g_strdup (con);
+      freecon (con);
     }
 
-  ret = TRUE;
- out:
-  return ret;
-#else
-  return TRUE;
 #endif
+  return TRUE;
 }
 
 /**
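Review bot: The out-parameter is now initialised inconsistently: the ENOENT branch stores `*out_label = NULL`, but the new early return for `!self->selinux_hnd` and the non-HAVE_SELINUX path return TRUE without touching it, so a caller that does not pre-initialise its label reads an indeterminate pointer in exactly the cases the commit treats as "no label". Setting `*out_label = NULL;` as the first statement of the function (before the `#ifdef`) makes the "success without a label" contract hold on every path and lets the ENOENT branch drop its assignment. The `/proc` to `/mnt` remap is documented only by two URLs; the comment should state in words what they establish, e.g. `/* The policy gives no usable file context for /proc itself (see links below); look up /mnt's label for it instead. */`, hedged as appropriate since the reason is not visible here. The function's signature starts outside the hunk.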