Bug 1384319 - vmconsole raise invalid file selinux context
Status: CLOSED WONTFIX
Product: ovirt-vmconsole
Classification: oVirt
Component: General
Version: master
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ovirt-4.0.5
Target Release: ---
Assigned To: Francesco Romani
QA Contact: Nikolai Sednev
Reported: 2016-10-13 02:21 EDT by Sandro Bonazzola
Modified: 2016-11-14 02:01 EST
Doc Type: Known Issue
Doc Text:
A bug in oVirt Live ISO creation causes wrong SELinux labeling. Within the ISO, some files get the wrong context upon boot. This can be avoided by running oVirt Live in permissive mode; you can still use oVirt Live, but be aware that SELinux is not enforcing.
Last Closed: 2016-10-14 06:09:40 EDT
Type: Bug
oVirt Team: Virt
sbonazzo: ovirt‑4.0.z?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Description Sandro Bonazzola 2016-10-13 02:21:00 EDT
While building ovirt-live, noticed the following error:

/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:ovirt_vmconsole_exec_t:s0

Please check vmconsole packaging since it may be causing wrong selinux labeling on the system.

See http://jenkins.ovirt.org/job/ovirt-live_4.0-create-iso/57/artifact/output/iso.log
Comment 1 Michal Skrivanek 2016-10-14 03:34:49 EDT
Is it a regression?
Does it run a proper rpm installation in a mock environment, including post-install script? That one registers the new policy. If it just runs a plain chroot deploy of rpms and then tries to label it, it is going to fail (and it always did). ovirt-vmconsole-proxy may need to be declared as a build requirement then.
Comment 2 Sandro Bonazzola 2016-10-14 04:56:08 EDT
(In reply to Michal Skrivanek from comment #1)
> Is it a regression?

Probably yes, because in the 3.6 build of oVirt Live it didn't happen:
http://jenkins.ovirt.org/job/ovirt-live_3.6-create-iso/47/artifact/output/iso.log


> Does it run a proper rpm installation in a mock environment, including
> post-install script? That one registers the new policy.

It's a livecd creation instance so it's a clean installation in an isolated environment previously completely empty.

> If it just runs a
> plain chroot deploy of rpms and then tries to label it, it is going to fail
> (and it always did). ovirt-vmconsole-proxy may need to be declared as a
> build requirement then.
Comment 3 Michal Skrivanek 2016-10-14 05:08:39 EDT
I suppose it's related to the issue during installation of that policy:
  Installing: selinux-policy               ################### [650/1303]semodule: SELinux policy is not managed or store cannot be accessed.
 

Same problem is in 3.6 but it may be that the livecd creation didn't do relabeling in 3.6. Is that possible? If so, it might be a limitation/bug of livecd tool that it can't do proper selinux labeling during creation. Then we need to do it on bootup - is that how it was working in 3.6?
Comment 4 Michal Skrivanek 2016-10-14 06:09:40 EDT
There seems to be some issue with building the iso as the policy doesn't get installed properly, but when testing the final iso it was there correctly more or less (well, there were many other files with wrong context upon boot when I tried restorecon -Rv /). But we anyway run livecd in Permissive mode, likely because of all these issues, and we do not want to waste time relabeling on boot for live cd... so let's close it as a known issue.
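
The failure reported in this bug, a file_contexts entry naming a type that the installed policy does not define, can be checked for after an image build. The following is an added example, not part of the bug thread or of oVirt's tooling: it parses file_contexts entries and reports every context whose type is missing from a given set of policy types. The sample entries, the path /example/vmconsole-helper and the type set are constructed; on a real system the set would come from the policy itself (for instance the output of `seinfo -t`).

```python
# Constructed sample of file_contexts entries (format: regex [-filetype] context).
SAMPLE_FILE_CONTEXTS = """\
# constructed sample, not taken from the oVirt Live image
/etc/passwd  --  system_u:object_r:passwd_file_t:s0
/usr/bin(/.*)?  system_u:object_r:bin_t:s0
/example/vmconsole-helper  --  system_u:object_r:ovirt_vmconsole_exec_t:s0
/proc/.*  <<none>>
/var/log/audit(/.*)?  system_u:object_r:auditd_log_t:s0:c0.c1023
"""

# Constructed stand-in for the types the installed policy defines.
# ovirt_vmconsole_exec_t is absent, as when the module was never loaded.
SAMPLE_POLICY_TYPES = {"passwd_file_t", "bin_t", "auditd_log_t"}

# Optional second field of an entry: restricts the match to one file type.
FILE_TYPE_FLAGS = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}


def undefined_contexts(file_contexts_text, policy_types):
    """Return (line_no, path_regex, context) for entries whose type is not defined."""
    findings = []
    for line_no, raw in enumerate(file_contexts_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            path_regex, context = fields[0], fields[2]
        elif len(fields) == 2:
            path_regex, context = fields
        else:
            findings.append((line_no, line, "<malformed entry>"))
            continue
        if context == "<<none>>":  # entry that deliberately assigns no label
            continue
        # user:role:type[:mls-range]; the range may itself contain colons
        parts = context.split(":", 3)
        if len(parts) < 3 or parts[2] not in policy_types:
            findings.append((line_no, path_regex, context))
    return findings


if __name__ == "__main__":
    for line_no, path_regex, context in undefined_contexts(
            SAMPLE_FILE_CONTEXTS, SAMPLE_POLICY_TYPES):
        print(f"line {line_no}: {path_regex} has invalid context {context}")
```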
