The issue with the SELinux labels in container layered builds is Bootable Containers: Incorrect SELinux labels for package layered with a SELinux module (#45) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab. There are workarounds that do not involve completely remounting /usr read-write. Another option is GitHub - hhd-dev/rechunk.
For point 3, this is unexpected. Looks like there are tmpfiles.d entries missing? Would be great to file an issue in Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab with as many details as possible.
For layering libvirt, I’ve been looking at other options but I don’t have a solution yet: Overlaying libvirt on Silverblue / Kinoite / Sericea / Onyx and CoreOS. Systemd’s sysext might work: systemd-sysext
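As an added example of the sysext route mentioned above (this is not code from the original post, from the Fedora project or from systemd), the script below assembles a directory-based systemd-sysext extension that carries extra /usr content and writes the extension-release file sysext requires. The os-release contents, the libvirt payload (a placeholder virsh script) and the temporary paths are constructed stand-ins for a real host and a real libvirt build; whether a libvirt sysext actually works on Silverblue / Kinoite is exactly what the post leaves open.

```shell
#!/bin/sh
# Added example: build a directory-based systemd-sysext extension.
# sysext only overlays /usr (and /opt) from an extension, and it refuses to
# merge an extension whose ID= / VERSION_ID= in extension-release.<name>
# do not match the host's /etc/os-release, so both are written from the host.
set -eu

# Read KEY=value from an os-release style file, quotes stripped.
# $1 = key, $2 = file
osrel_field() {
    sed -n "s/^$1=//p" "$2" | tr -d '"' | head -n 1
}

# Assemble $dest/$name from a payload tree (only its usr/ is taken).
# $1 = extension name, $2 = payload dir, $3 = extensions dir
# (normally /var/lib/extensions), $4 = host os-release file
make_sysext() {
    name=$1; payload=$2; dest=$3; osrel=$4
    ext="$dest/$name"
    mkdir -p "$ext/usr/lib/extension-release.d"
    if [ -d "$payload/usr" ]; then
        cp -R "$payload/usr/." "$ext/usr/"
    fi
    {
        printf 'ID=%s\n' "$(osrel_field ID "$osrel")"
        printf 'VERSION_ID=%s\n' "$(osrel_field VERSION_ID "$osrel")"
    } > "$ext/usr/lib/extension-release.d/extension-release.$name"
    printf '%s\n' "$ext"
}

# Verify the release file exists and its ID/VERSION_ID match the host,
# which is the check sysext performs before merging. Returns 1 on mismatch.
# $1 = extension dir, $2 = host os-release file
check_sysext() {
    ext=$1; osrel=$2
    name=${ext##*/}
    rel="$ext/usr/lib/extension-release.d/extension-release.$name"
    [ -f "$rel" ] || return 1
    [ "$(osrel_field ID "$rel")" = "$(osrel_field ID "$osrel")" ] || return 1
    [ "$(osrel_field VERSION_ID "$rel")" = "$(osrel_field VERSION_ID "$osrel")" ] || return 1
}

# Demo on constructed input; prints the path of the built extension.
demo() {
    work=$(mktemp -d)
    # Constructed stand-in for the host's /etc/os-release (hypothetical values).
    printf 'ID=fedora\nVERSION_ID=40\n' > "$work/os-release"
    # Constructed stand-in for a libvirt build: a placeholder virsh only.
    mkdir -p "$work/payload/usr/bin"
    printf '#!/bin/sh\necho virsh placeholder\n' > "$work/payload/usr/bin/virsh"
    ext=$(make_sysext libvirt "$work/payload" "$work/extensions" "$work/os-release")
    check_sysext "$ext" "$work/os-release"
    printf '%s\n' "$ext"
}

demo
```

On a real host you would run make_sysext with /etc/os-release as the last argument and /var/lib/extensions as the destination, then (as root) `systemd-sysext merge` and `systemd-sysext list` to confirm the overlay; `systemd-sysext unmerge` removes it again without touching the base image. Note that the extension's VERSION_ID pins it to one Fedora release, so it has to be rebuilt (or set to `ID=_any` to skip the check) after a major upgrade.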