diff --git a/src/libostree/ostree-sepolicy-private.h b/src/libostree/ostree-sepolicy-private.h
new file mode 100644
index 00000000..55d49eaf
--- /dev/null
+++ b/src/libostree/ostree-sepolicy-private.h
@@ -0,0 +1,41 @@
+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
+ *
+ * Copyright (C) 2017 Colin Walters
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#pragma once
+
+#include "ostree-types.h"
+
+G_BEGIN_DECLS
+
+typedef struct {
+ gboolean initialized;
+} OstreeSepolicyFsCreatecon;
+
+void _ostree_sepolicy_fscreatecon_clear (OstreeSepolicyFsCreatecon *con);
+G_DEFINE_AUTO_CLEANUP_CLEAR_FUNC(OstreeSepolicyFsCreatecon, _ostree_sepolicy_fscreatecon_clear)
+
+gboolean _ostree_sepolicy_preparefscreatecon (OstreeSepolicyFsCreatecon *con,
+ OstreeSePolicy *self,
+ const char *path,
+ guint32 mode,
+ GError **error);
+
+
+G_END_DECLS
diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c
index 833583da..ea4e46b1 100644
--- a/src/libostree/ostree-sepolicy.c
+++ b/src/libostree/ostree-sepolicy.c
@@ -28,6 +28,7 @@
 #include "otutil.h"
 #include "ostree-sepolicy.h"
+#include "ostree-sepolicy-private.h"
 #include "ostree-bootloader-uboot.h"
 #include "ostree-bootloader-syslinux.h"
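Review bot: `OstreeSepolicyFsCreatecon` and its two prototypes in ostree-sepolicy-private.h carry no comment stating the contract the auto-cleanup relies on. `_ostree_sepolicy_fscreatecon_clear` reads `con->initialized`, so the object has to be zero-initialised before it can go out of scope, and `_ostree_sepolicy_preparefscreatecon` returns TRUE without setting any context when no policy is loaded. I would add above the typedef `/* Declare as g_auto(OstreeSepolicyFsCreatecon) con = { 0, }; clear resets the file-creation context only if prepare actually set one. */`. Because the reset is `setfscreatecon (NULL)` rather than a restore of the previous value, the comment should also say that these guards do not nest.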
@@ -690,3 +691,31 @@ ostree_sepolicy_fscreatecon_cleanup (void **unused)
 setfscreatecon (NULL);
 #endif
 }
+
+/* Currently private copy of the older sepolicy/fscreatecon API with a nicer
+ * g_auto() cleanup. May be made public later.
+ */
+gboolean
+_ostree_sepolicy_preparefscreatecon (OstreeSepolicyFsCreatecon *con,
+ OstreeSePolicy *self,
+ const char *path,
+ guint32 mode,
+ GError **error)
+{
+ if (!self || ostree_sepolicy_get_name (self) == NULL)
+ return TRUE;
+
+ if (!ostree_sepolicy_setfscreatecon (self, path, mode, error))
+ return FALSE;
+
+ con->initialized = TRUE;
+ return TRUE;
+}
+
+void
+_ostree_sepolicy_fscreatecon_clear (OstreeSepolicyFsCreatecon *con)
+{
+ if (!con->initialized)
+ return;
+ ostree_sepolicy_fscreatecon_cleanup (NULL);
+}
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 6bf01a16..45707fe7 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -30,6 +30,7 @@
 #endif
 #include "ostree-sysroot-private.h"
+#include "ostree-sepolicy-private.h"
 #include "ostree-deployment-private.h"
 #include "ostree-core-private.h"
 #include "ostree-linuxfsutil.h"
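Review bot: In `_ostree_sepolicy_fscreatecon_clear` (ostree-sepolicy.c hunk at -690), `con->initialized` stays TRUE after the reset, so clearing the same object twice runs `setfscreatecon (NULL)` a second time. An explicit early clear followed by the `g_auto` cleanup would then drop any creation context set in between. Adding `con->initialized = FALSE;` after `ostree_sepolicy_fscreatecon_cleanup (NULL);` makes the clear idempotent. Separately, the context line `setfscreatecon (NULL);` shows the wrapped helper discarding the call's result (the rest of its body is outside the hunk). If that reset can fail, later file creations would presumably keep the previous label, so a warning on failure would help diagnose mislabelled files.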
@@ -733,21 +734,13 @@ selinux_relabel_var_if_needed (OstreeSysroot *sysroot,
 return FALSE;
 }
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wunused-variable"
- { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
-#pragma GCC diagnostic pop
+ { g_auto(OstreeSepolicyFsCreatecon) con = { 0, };
+ const char *selabeled_abspath = glnx_strjoina ("/", selabeled);
- if (sysroot->sepolicy != NULL
- && ostree_sepolicy_get_name (sysroot->sepolicy) != NULL)
- {
- const char *selabeled_abspath = glnx_strjoina ("/", selabeled);
- if (!ostree_sepolicy_setfscreatecon (sysroot->sepolicy,
- selabeled_abspath,
- 0644,
- error))
- return FALSE;
- }
+ if (!_ostree_sepolicy_preparefscreatecon (&con, sysroot->sepolicy,
+ selabeled_abspath,
+ 0644, error))
+ return FALSE;
 if (!glnx_file_replace_contents_at (os_deploy_dfd, selabeled, (guint8*)"", 0, GLNX_FILE_REPLACE_DATASYNC_NEW,
@@ -2112,23 +2105,12 @@ ostree_sysroot_deploy_tree (OstreeSysroot *self,
 return FALSE;
 }
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wunused-variable"
- { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
-#pragma GCC diagnostic pop
+ { g_auto(OstreeSepolicyFsCreatecon) con = { 0, };
- /* Explicitly override the label for the origin file to ensure
- * it's system_conf_t.
- */
- if (self->sepolicy != NULL
- && ostree_sepolicy_get_name (self->sepolicy) != NULL)
- {
- if (!ostree_sepolicy_setfscreatecon (self->sepolicy,
- "/etc/ostree/remotes.d/dummy.conf",
- 0644,
- error))
- return FALSE;
- }
+ if (!_ostree_sepolicy_preparefscreatecon (&con, self->sepolicy,
+ "/etc/ostree/remotes.d/dummy.conf",
+ 0644, error))
+ return FALSE;
 /* Don't fsync here, as we assume that's all done in
 * ostree_sysroot_write_deployments().
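Review bot: In the `ostree_sysroot_deploy_tree` hunk (-2112), the removed comment explaining that the origin file's label is deliberately overridden to `system_conf_t` has no replacement, which leaves `"/etc/ostree/remotes.d/dummy.conf"` as an unexplained magic path. I would keep the explanation above the new call, e.g. `/* Look up the label of a dummy path under /etc/ostree/remotes.d so the origin file is created as system_conf_t. */`. The block opened by `{ g_auto(OstreeSepolicyFsCreatecon) con = { 0, };` closes outside the hunk, so the comment could also state that the creation context stays in effect until `con` leaves scope and that only the origin-file write belongs inside it.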