diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index ccf24bd749..2b01fbf6b9 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -508,6 +508,13 @@ EOF
 write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"
+ # Build the selinux policy
+ if pkg_use_enabled coreos-base/coreos selinux; then
+ setup_qemu_static "${root_fs_dir}"
+ sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
+ clean_qemu_static "${root_fs_dir}"
+ fi
+
 # Zero all fs free space to make it more compressible so auto-update
 # payloads become smaller, not fatal since it won't work on linux < 3.2
 sudo fstrim "${root_fs_dir}" || true
@@ -515,11 +522,6 @@ EOF
 sudo fstrim "${root_fs_dir}/usr" || true
 fi
- # Build the selinux policy
- if pkg_use_enabled coreos-base/coreos selinux; then
- sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
- fi
-
 # Make the filesystem un-mountable as read-write and setup verity.
 if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
 # Unmount /usr partition
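Review bot: In the added selinux block, `clean_qemu_static "${root_fs_dir}"` runs only when the chroot'd `semodule` call returns; if that call fails and the script aborts, whatever `setup_qemu_static` placed under `${root_fs_dir}` stays in the image root. Both the abort and what the helper installs are inferred, since errexit and the helper bodies are not visible here. This is the filesystem that the following lines make read-only and set up with verity, so an unintended leftover is worth ruling out. Capture the status and clean up unconditionally: `sudo chroot "${root_fs_dir}" bash -c "…" || selinux_rc=$?`, then `clean_qemu_static "${root_fs_dir}"`, then fail explicitly when `selinux_rc` is non-zero. A short comment saying why the emulator is needed for `semodule` would also help; the enclosing function starts and ends outside the hunk.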