diff --git a/.papr.yml b/.papr.yml
index 03489142..9a253431 100644
--- a/.papr.yml
+++ b/.papr.yml
@@ -153,7 +153,7 @@ tests:
   - make install DESTDIR=$(pwd)/insttree
   - yum -y install rsync
   - rsync -rl -e 'ssh -o User=root' . vmcheck:ostree/
-  - ssh root@vmcheck './ostree/tests/installed/fah-prep.sh && ostree admin unlock && rsync -rlv ./ostree/insttree/usr/ /usr/ && ./ostree/tests/installed/run.sh'
+  - ssh root@vmcheck './ostree/tests/installed/fah-prep.sh && ./ostree/tests/installed/run.sh'
 
 ---
 
diff --git a/tests/basic-test.sh b/tests/basic-test.sh
index 742b1ada..482f6979 100644
--- a/tests/basic-test.sh
+++ b/tests/basic-test.sh
@@ -19,11 +19,7 @@
 
 set -euo pipefail
 
-echo "1..$((73 + ${extra_basic_tests:-0}))"
-
-$CMD_PREFIX ostree --version > version.yaml
-python -c 'import yaml; yaml.safe_load(open("version.yaml"))'
-echo "ok yaml version"
+echo "1..$((72 + ${extra_basic_tests:-0}))"
 
 CHECKOUT_U_ARG=""
 CHECKOUT_H_ARGS="-H"
diff --git a/tests/installed/fah-prep.sh b/tests/installed/fah-prep.sh
index 0db4d15e..865fa4f1 100755
--- a/tests/installed/fah-prep.sh
+++ b/tests/installed/fah-prep.sh
@@ -6,3 +6,5 @@ if lvm lvs atomicos/docker-pool &>/dev/null; then
     lvm lvremove -f atomicos/docker-pool
 fi
 lvm lvextend -r -l +100%FREE atomicos/root
+ostree admin unlock
+rsync -rlv ./ostree/insttree/usr/ /usr/
diff --git a/tests/installed/itest-bare-unit.sh b/tests/installed/itest-bare-unit.sh
new file mode 100755
index 00000000..c763faf7
--- /dev/null
+++ b/tests/installed/itest-bare-unit.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Run test-basic.sh as root.
+# https://github.com/ostreedev/ostree/pull/1199
+
+set -xeuo pipefail
+
+dn=$(dirname $0)
+. ${dn}/libinsttest.sh
+
+# Use /var/tmp to hopefully use XFS + O_TMPFILE etc.
+tempdir=$(mktemp -d /var/tmp/tap-test.XXXXXX)
+touch ${tempdir}/.testtmp
+function cleanup () {
+    if test -f ${tempdir}/.testtmp; then
+	      rm "${tempdir}" -rf
+    fi
+}
+trap cleanup EXIT
+cd ${tempdir}
+# This sort of bypasses the installed-tests spec;
+# fixing that would require installing g-d-t-r, though
+# more ideally we architect things with a "control" container
+# distinct from the host.
+/usr/libexec/installed-tests/libostree/test-basic.sh
diff --git a/tests/libtest.sh b/tests/libtest.sh
index 9bfc199f..ed6cc43d 100755
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -546,6 +546,30 @@ skip_without_user_xattrs () {
     fi
 }
 
+# Skip unless SELinux is disabled, or we can relabel.
+# Default Docker has security.selinux xattrs, but returns
+# EOPNOTSUPP when trying to set them, even to the existing value.
+# https://github.com/ostreedev/ostree/pull/759
+# https://github.com/ostreedev/ostree/pull/1217
+skip_without_no_selinux_or_relabel () {
+    cd ${test_tmpdir}
+    echo testlabel > testlabel.txt
+    selinux_xattr=security.selinux
+    if getfattr --encoding=base64 -n ${selinux_xattr} testlabel.txt >label.txt 2>err.txt; then
+        label=$(grep -E -e "^${selinux_xattr}=" < label.txt |sed -e "s,${selinux_xattr}=,,")
+        if setfattr -n ${selinux_xattr} -v ${label} testlabel.txt 2>err.txt; then
+            echo "SELinux enabled in $(pwd), and have privileges to relabel"
+            return 0
+        else
+            sed -e 's/^/# /' < err.txt >&2
+            skip "Found SELinux label, but unable to set (Unprivileged Docker?)"
+        fi
+    else
+        sed -e 's/^/# /' < err.txt >&2
+        skip "Unable to retrieve SELinux label, assuming disabled"
+    fi
+}
+
 # https://brokenpi.pe/tools/strace-fault-injection
 _have_strace_fault_injection=''
 have_strace_fault_injection() {
diff --git a/tests/test-basic-user-only.sh b/tests/test-basic-user-only.sh
index 19262b7b..6a2ca25f 100755
--- a/tests/test-basic-user-only.sh
+++ b/tests/test-basic-user-only.sh
@@ -22,9 +22,13 @@ set -euo pipefail
 . $(dirname $0)/libtest.sh
 
 setup_test_repository "bare-user-only"
-extra_basic_tests=4
+extra_basic_tests=5
 . $(dirname $0)/basic-test.sh
 
+$CMD_PREFIX ostree --version > version.yaml
+python -c 'import yaml; yaml.safe_load(open("version.yaml"))'
+echo "ok yaml version"
+
 # Reset things so we don't inherit a lot of state from earlier tests
 cd ${test_tmpdir}
 rm repo files -rf
diff --git a/tests/test-basic.sh b/tests/test-basic.sh
index d1afe75f..eaccc2f0 100755
--- a/tests/test-basic.sh
+++ b/tests/test-basic.sh
@@ -21,6 +21,7 @@ set -euo pipefail
 
 . $(dirname $0)/libtest.sh
 
-setup_test_repository "bare"
+skip_without_no_selinux_or_relabel
 
+setup_test_repository "bare"
 . $(dirname $0)/basic-test.sh