you would need to have same packages you have installed (preferably apply this to a new minimal fedora template) but then relabel the file system first then set selinux to enforce as the last step only , here is how to do it 
:
NOTE: switch back the mode to permissive temporarily from /etc/selinux/config
then reboot the template ( reboot could be not needed yet) .
- next create a file called “.autorelabel” at the root directory ( include the dot at the beginning of file name ,make sure to put the dot after the slash :
sudo touch /.autorelabel
- shutdown the fedora minimal template (i personally ran) :
sudo reboot
- set minimal fedora template to run with security=selinux with qvm-prefs (from dom0) :
qvm-prefs vmname kernelopts "swiotlb=2048 security=selinux"
additionally increase maximum startup timeout so that relabeling file system will have sufficient time (it was under 1 minute in my case so 600 seconds is more than enough) :
qvm-prefs vmname qrexec_timeout 600
-
then start the fedora template and check the relabeling progress -if needed- from qubes manager > open console in qube (option is greyed out until vm starts)
template may restart on its own when relabel completes! if it does then run it again. -
run sestatus it should say enabled, try setting it to enforce finally
sudo setenforce 1
- run sestatus to make sure its enforcing and remodify the /etc/selinux/config and add the enforcing policy back :
SELINUX=enforcing