diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
index 33446aaa7e8..e13f6464281 100644
--- a/packages/selinux-policy/rules.cil
+++ b/packages/selinux-policy/rules.cil
@@ -82,6 +82,11 @@
 (rangetransition runtime_t cache_t process s0-s0)
 (rangetransition runtime_t secret_t process s0-s0)
 
+; Allow transitions to container labels for programs invoked by OCI
+; hooks. There's no matching type or range transition since `runc`
+; also needs to run other OS programs.
+(allow container_s os_t (file (entrypoint)))
+
 ; Also allow entry to container domains through `docker-init`, which
 ; is mounted from the root filesystem and used as the init process.
 (allow container_s runtime_exec_t (file (entrypoint)))
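Review bot: The added `(allow container_s os_t (file (entrypoint)))` makes every `os_t`-labelled file a valid entry point into the container domains, which is a much wider grant than the single `runtime_exec_t` entrypoint for `docker-init` directly below it; if the set of hook programs is known, a dedicated type for them would bound the rule to those binaries. The new comment explains why no `typetransition` is declared but not what that implies: the label change only happens when the caller asks for it, so extend the comment with `; Without a transition rule the container label is applied only when the caller requests it explicitly.` I assume the matching `process transition` from `runtime_t` and `file execute` on `os_t` are granted elsewhere in the policy; that is not visible in the hunk and is worth confirming, since this rule alone does not authorise the domain change.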