If we're going to have a hackish approach regardless, is this something we could shoehorn into the image build process? I don't know much about the CentOS build infrastructure, but in Fedora we could do something like:
* Have the patch provided and an updated specfile in the git repo with the kickstart and other image metadata;
* At the start of the build, fetch the upstream libselinux sources and build an SRPM;
* Send that SRPM to Koji to be built into a real RPM;
* Fetch the resulting RPM and install it into the image, either with the kickstart or with the Dockerfile we ship to stackbrew.
We could probably even use Koji for EPEL-6 to do this, depending on how flexible the CentOS build infrastructure is. It's terrible and hackish and I hate it, but if it'll get us through until CentOS 6.6 (and will require less effort than other approaches), I say let's do it.
Or, could we use COPR to create a repo for the updated package? Again, stepping outside the CentOS infrastructure proper, but we're all owned by the same corporate overlord^W^W^W^W^W^W friends here.