diff --git a/pkg/manifest/build.go b/pkg/manifest/build.go
index 0950106d2a..0e476d9f34 100644
--- a/pkg/manifest/build.go
+++ b/pkg/manifest/build.go
@@ -235,13 +235,7 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 	pipeline.Runner = p.runner.String()
 
 	image := osbuild.NewContainersInputForSingleSource(p.containerSpecs[0])
-	options := &osbuild.ContainerDeployOptions{
-		// XXX: this cannot be used when "bootc install to-filesystem"
-		// is used. The issue is that this also contains the metadata
-		// that bootc install uses to install the filesystem
-		//Exclude: []string{"/sysroot"},
-	}
-
+	options := &osbuild.ContainerDeployOptions{}
 	stage, err := osbuild.NewContainerDeployStage(image, options)
 	if err != nil {
 		panic(err)
@@ -250,6 +244,7 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 	pipeline.AddStage(osbuild.NewSELinuxStage(
 		&osbuild.SELinuxStageOptions{
 			FileContexts: "etc/selinux/targeted/contexts/files/file_contexts",
+			ExcludePaths: []string{"/sysroot"},
 			Labels:       p.getSELinuxLabels(),
 		},
 	))
diff --git a/pkg/osbuild/selinux_stage.go b/pkg/osbuild/selinux_stage.go
index d5b0512cef..8126a730a3 100644
--- a/pkg/osbuild/selinux_stage.go
+++ b/pkg/osbuild/selinux_stage.go
@@ -6,6 +6,7 @@ package osbuild
 // the filesystem labels to apply to the image.
 type SELinuxStageOptions struct {
 	FileContexts     string            `json:"file_contexts"`
+	ExcludePaths     []string          `json:"exclude_paths"`
 	Labels           map[string]string `json:"labels,omitempty"`
 	ForceAutorelabel *bool             `json:"force_autorelabel,omitempty"`
 }