Installing SELinux Policies - What is the best way?

I’m new to SELinux and it has caused some friction with the migration from CL.

What is the best way of injecting new SELinux policies into an FCOS VM?

Right now I’m declaring the policy changes in CIL format as additional files in FCCT and executing a post-boot/provisioning command to install them with sudo semodule, but is there a better way?

To expand on the above, I have found myself having to make SELinux policy changes to allow access to the docker socket so that I can run cadvisor, a Prometheus exporter, giving it the ability to provide insight into running containers.

This has involved a bit of Ignition such as below, and then the post-boot execution of:
sudo semodule -i /etc/acme-corp/dockersock.cil

If anyone has a better way to get cadvisor running properly I’d be much obliged.

storage:
  files:
    # SELinux policies written in cil format can simply be installed with
    # semodule command.  We do this as part of post-boot processes.  Is there
    # an easier way?
    - path: /etc/acme-corp/dockersock.cil
      mode: 0644
      contents:
        inline: |
          (typeattributeset cil_gen_require docker_var_run_t)
          (typeattributeset cil_gen_require docker_t)
          (typeattributeset cil_gen_require svirt_lxc_net_t)
          (allow svirt_lxc_net_t docker_t (unix_stream_socket (connectto)))
          (allow svirt_lxc_net_t docker_var_run_t (sock_file (write)))

The above is very wide in scope. Here is an explanation of how to target policies to specific containers.
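
One way to fold the manual `sudo semodule -i` step from the question into the FCCT config itself is a oneshot systemd unit that loads the CIL file once, before Docker starts. This is an added example, not part of the original posts; the unit name and the stamp file path are assumptions, and the fragment is meant to be merged with the `storage:` section shown in the question.

```yaml
# Added example: FCCT fragment, to be merged with the storage: section above.
# Unit name and stamp path are hypothetical; the .cil path is the one from the post.
systemd:
  units:
    - name: install-dockersock-selinux.service
      enabled: true
      contents: |
        [Unit]
        Description=Install dockersock SELinux module from CIL
        # Only run when the policy file exists and has not been installed yet.
        ConditionPathExists=/etc/acme-corp/dockersock.cil
        ConditionPathExists=!/var/lib/acme-corp/dockersock.installed
        # Load the module before any container can need the socket access.
        Before=docker.service

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # The unit runs as root, so no sudo is needed.
        ExecStart=/usr/sbin/semodule -i /etc/acme-corp/dockersock.cil
        # Record success; a failed semodule stops here and retries next boot.
        ExecStart=/usr/bin/mkdir -p /var/lib/acme-corp
        ExecStart=/usr/bin/touch /var/lib/acme-corp/dockersock.installed

        [Install]
        WantedBy=multi-user.target
```

After boot, `semodule -l` should list `dockersock` if the unit succeeded; this installs the same wide-scope rules as the question and does not narrow them.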