diff --git a/0001-compose-Don-t-require-SELinux-policy-in-legacy-path.patch b/0001-compose-Don-t-require-SELinux-policy-in-legacy-path.patch
new file mode 100644
index 0000000..29fca96
--- /dev/null
+++ b/0001-compose-Don-t-require-SELinux-policy-in-legacy-path.patch
@@ -0,0 +1,93 @@
+From 62a3ffcb42d9af23715f21a8c9b5d688c31c999d Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 2 Nov 2018 11:46:26 -0400
+Subject: [PATCH] compose: Don't require SELinux policy in legacy path
+
+In #1630, we lowered SELinux policy loading into the core. However, this
+also enabled SELinux policy loading from the host system even in the
+legacy (non-unified) compose path. This meant that compose systems now
+needed to have the policy installed even though we didn't need it at
+all. This caused regressions in pungi:
+
+https://pagure.io/dusty/failed-composes/issue/956
+
+Just make the binding of the "selinux" member conditional on whether or
+not we're in unified mode (which is really when we even care about
+having it loaded from the start for pkgcache purposes).
+
+Closes: #1656
+Approved by: cgwalters
+---
+ src/app/rpmostree-compose-builtin-tree.c | 1 +
+ src/app/rpmostree-composeutil.c | 16 ++++++++++++++--
+ src/app/rpmostree-composeutil.h | 1 +
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/app/rpmostree-compose-builtin-tree.c b/src/app/rpmostree-compose-builtin-tree.c
+index 620fa36..4e9d45c 100644
+--- a/src/app/rpmostree-compose-builtin-tree.c
++++ b/src/app/rpmostree-compose-builtin-tree.c
+@@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char *treefile_pathstr,
+ self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
+ self->treefile_rs,
+ self->treefile,
++ opt_unified_core,
+ error);
+ if (!self->treespec)
+ return FALSE;
+diff --git a/src/app/rpmostree-composeutil.c b/src/app/rpmostree-composeutil.c
+index 820ecfd..621bc85 100644
+--- a/src/app/rpmostree-composeutil.c
++++ b/src/app/rpmostree-composeutil.c
+@@ -241,6 +241,7 @@ RpmOstreeTreespec *
+ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
+ RORTreefile *treefile_rs,
+ JsonObject *treedata,
++ gboolean bind_selinux,
+ GError **error)
+ {
+ GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
+@@ -255,8 +256,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
+ return FALSE;
+ if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
+ return FALSE;
+- if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
+- return FALSE;
+ if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
+ return FALSE;
+ { const char *releasever;
+@@ -267,6 +266,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
+ g_key_file_set_string (treespec, "tree", "releasever", releasever);
+ }
+
++ if (bind_selinux)
++ {
++ if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
++ return FALSE;
++ }
++ else
++ {
++ /* In the legacy compose path, we don't want to use any of the core's selinux stuff,
++ * e.g. importing, relabeling, etc... so just disable it. We do still set the policy
++ * to the final one right before commit as usual. */
++ g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
++ }
++
+ const char *input_ref = NULL;
+ if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
+ return FALSE;
+diff --git a/src/app/rpmostree-composeutil.h b/src/app/rpmostree-composeutil.h
+index e3e64c6..3d91f58 100644
+--- a/src/app/rpmostree-composeutil.h
++++ b/src/app/rpmostree-composeutil.h
+@@ -47,6 +47,7 @@ RpmOstreeTreespec *
+ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
+ RORTreefile *treefile_rs,
+ JsonObject *treedata,
++ gboolean bind_selinux,
+ GError **error);
+
+ GHashTable *
+--
+2.17.1
+
diff --git a/rpm-ostree.spec b/rpm-ostree.spec
index 59eb7c2..441d80f 100644
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
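Review bot: In the backported change to `rpmostree_composeutil_get_treespec` (inner hunk `@@ -267,6 +266,19 @@` of the new patch file), the `else` branch writes `selinux = FALSE` into the treespec whenever `bind_selinux` is false, so the treefile's own `"selinux"` value is no longer reflected there on the legacy path. Labeling then rests entirely on the pre-commit policy step that the added comment mentions but that none of these hunks show. A compose test asserting that a legacy-path commit still carries `security.selinux` labels would keep a regression in that later step from producing an unlabeled tree unnoticed. The new parameter is also undocumented in `rpmostree-composeutil.h`; a line such as `/* bind_selinux: TRUE only for unified-core composes; FALSE forces "selinux" off in the treespec */` above the prototype would explain why the call site passes `opt_unified_core`. The function body starts and ends outside the hunks shown.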
@@ -14,7 +14,7 @@ Summary: Hybrid image/package system Name: rpm-ostree Version: 2018.9 -Release: 2%{?dist} +Release: 3%{?dist} #VCS: https://github.com/cgwalters/rpm-ostree # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # in the upstream git. If rust is enabled, it contains vendored sources. @@ -23,6 +23,7 @@ License: LGPLv2+ URL: https://github.com/projectatomic/rpm-ostree Patch0: 0001-rust-Drop-crates-io-patch-and-use-0.4.0.patch +Patch1: 0001-compose-Don-t-require-SELinux-policy-in-legacy-path.patch %if %{with rust} %if !%{defined rust_arches} @@ -201,6 +202,9 @@ $PYTHON autofiles.py > files.devel \ %files devel -f files.devel %changelog +* Fri Nov 02 2018 Jonathan Lebon - 2018.9-3 +- Backport patch for https://pagure.io/dusty/failed-composes/issue/956 + * Tue Oct 30 2018 Igor Gnatenko - 2018.9-2 - Rebuild for libsolv 0.7
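Review bot: `Patch1:` is declared in the second hunk of `rpm-ostree.spec`, but the `%prep` section that applies patches is outside this diff, so it is not visible whether the new patch is actually applied at build time. If `%prep` uses `%autosetup -p1` or `%autopatch` nothing more is needed; if it applies patches individually, a matching `%patch1 -p1` line is required, otherwise the 2018.9-3 build would ship without the backported fix while the changelog says it is included.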