diff --git a/manifests/fedora-coreos-base.yaml b/manifests/fedora-coreos-base.yaml index 57fe09ac96..8cd7bdda63 100644 --- a/manifests/fedora-coreos-base.yaml +++ b/manifests/fedora-coreos-base.yaml @@ -54,7 +54,6 @@ postprocess: - | #!/usr/bin/env bash set -xeuo pipefail - setsebool -P -N container_use_cephfs on # RHBZ#1692369 setsebool -P -N virt_use_samba on # RHBZ#1754825 # Mask dnsmasq. We include dnsmasq for host services that use the dnsmasq @@ -179,12 +178,9 @@ packages: # - Add this package on x86_64 and aarch64 (the two architectures # GCP supports. https://github.com/coreos/fedora-coreos-tracker/issues/1494 # This should be moved to a shared manifest when RHEL has this package. -# - crun-wasm wasmedge-rt -# - Support for wasm runtime: https://github.com/coreos/fedora-coreos-tracker/issues/1375 packages-x86_64: - irqbalance - google-compute-engine-guest-configs-udev - - crun-wasm wasmedge-rt # Include AMD microcode updates, see https://github.com/coreos/fedora-coreos-tracker/issues/1618. # This normally should belong in bootable-rpm-ostree.yaml (alongside # `microcode_ctl`), but this change hasn't hit RHCOS yet. @@ -199,7 +195,6 @@ packages-aarch64: - irqbalance - qemu-user-static-x86 - google-compute-engine-guest-configs-udev - - crun-wasm wasmedge-rt packages-s390x: - qemu-user-static-x86 diff --git a/manifests/fedora-coreos.yaml b/manifests/fedora-coreos.yaml index f0bf5af9ea..1f4bf73af4 100644 --- a/manifests/fedora-coreos.yaml +++ b/manifests/fedora-coreos.yaml @@ -11,6 +11,9 @@ rojig: add-commit-metadata: fedora-coreos.stream: ${stream} +# Include all container engines by default +variables: + container_engines: true include: fedora-coreos-base.yaml conditional-include: 
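Review bot: The comment on the new `variables:` block in manifests/fedora-coreos.yaml (hunk `@@ -11,6 +11,9 @@`) documents only the default, not what the switch does when it is turned off. Setting `container_engines` to false swaps the engine manifests for an exclusion list later in `conditional-include`, which is the behaviour a derived manifest needs to know about. Suggested wording: `# Include all container engines by default; set to false to build without podman/moby-engine (includes no-container-engines.yaml instead)`.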
@@ -27,17 +30,27 @@ conditional-include: # passwd RPM was obsoleted by shadow-utils in F40+, but we need to keep # including it in F39. Remove this when we are on F40+ on all streams. include: passwd.yaml - - if: releasever == 39 + - if: + - releasever == 39 + - container_engines == true # No longer need CNI plugins in f40 since Podman dropped # support for CNI networking entirely in Podmanv5 # Remove this once we have Podman v5 in f39. # xref: https://github.com/coreos/fedora-coreos-tracker/issues/1629 include: cni-plugins.yaml - - if: releasever == 39 + - if: + - releasever == 39 + - container_engines == true # Checks for breaking changes that came with Podman v5. include: podman-v5.yaml - if: releasever >= 40 include: cliwrap.yaml + - if: container_engines == true + include: + - podman.yaml + - moby-engine.yaml + - if: container_engines == false + include: no-container-engines.yaml ostree-layers: - overlay/15fcos @@ -55,10 +68,6 @@ packages: # the archive repo for more reliable package layering # https://github.com/coreos/fedora-coreos-tracker/issues/400 - fedora-repos-archive - # CL ships this. - - moby-engine - # Already pulled in by moby-engine, but let's be explicit. Typhoon uses it. - - containerd # Updates - zincati # Include and set the default editor diff --git a/manifests/moby-engine.yaml b/manifests/moby-engine.yaml new file mode 100644 index 0000000000..f33b8c2c15 --- /dev/null +++ b/manifests/moby-engine.yaml @@ -0,0 +1,6 @@ +packages: + # CL shipped this + - moby-engine + # Already pulled in by moby-engine, but let's be explicit. Typhoon uses it. + - containerd + - runc diff --git a/manifests/no-container-engines.yaml b/manifests/no-container-engines.yaml new file mode 100644 index 0000000000..6a31c1e6b2 --- /dev/null +++ b/manifests/no-container-engines.yaml @@ -0,0 +1,8 @@ +exclude-packages: + - crun + - runc + - podman + - moby-engine + - containerd + - containernetworking-plugins + - podman-plugins 
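Review bot: The two new entries `if: container_engines == true` and `if: container_engines == false` in manifests/fedora-coreos.yaml are not exhaustive. A derived manifest that sets the variable to something other than a YAML boolean (a quoted 'false', for instance) would presumably match neither entry, and the image would get neither the engines nor the `exclude-packages` guard, with no error. A comment next to the pair would make the contract explicit, e.g. `# container_engines must be a boolean; exactly one of the two entries below applies`. The `conditional-include` list starts above this hunk, so earlier entries were not checked.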
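Review bot: In manifests/moby-engine.yaml the new `- runc` entry sits directly under the comment written for `containerd`, so it reads as if "Already pulled in by moby-engine ... Typhoon uses it" applied to runc as well. The package was listed without explanation in user-experience.yaml and is moved here by this commit. Give it its own comment, e.g. `# OCI runtime; moved here from user-experience.yaml`.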
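Review bot: manifests/no-container-engines.yaml has no comment saying what the `exclude-packages` list is for or how it has to be maintained. As far as I know, rpm-ostree drops an excluded package that is only recommended and fails the compose when a manifest package hard-requires it, so this list is the guard that keeps engines out of the engine-less build. It names `crun`, `runc`, `podman`, `moby-engine` and `containerd`, but `toolbox`, `crun-wasm` and `wasmedge-rt` from podman.yaml are covered only indirectly, if at all. Suggest a header such as `# Guard for container_engines == false; keep in sync with podman.yaml and moby-engine.yaml`, and decide whether the wasm runtime packages belong in the list.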
diff --git a/manifests/podman.yaml b/manifests/podman.yaml new file mode 100644 index 0000000000..1351045698 --- /dev/null +++ b/manifests/podman.yaml @@ -0,0 +1,19 @@ +packages: + - podman + - crun + # Include toolbox here as it pulls podman + - toolbox + +# Support for wasm runtime: https://github.com/coreos/fedora-coreos-tracker/issues/1375 +packages-x86_64: + - crun-wasm wasmedge-rt +packages-aarch64: + - crun-wasm wasmedge-rt + +postprocess: + # Enable SELinux booleans used by OpenShift + # https://github.com/coreos/fedora-coreos-tracker/issues/284 + - | + #!/usr/bin/env bash + set -xeuo pipefail + setsebool -P -N container_use_cephfs on # RHBZ#1692369 diff --git a/manifests/user-experience.yaml b/manifests/user-experience.yaml index ee848357cf..5a12957c49 100644 --- a/manifests/user-experience.yaml +++ b/manifests/user-experience.yaml @@ -37,13 +37,10 @@ packages: # Remote Access - openssh-clients openssh-server # Container tooling - ## crun recommends but doesn't require criu and criu-libs. We want them for - ## checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370 - - crun criu criu-libs - - podman - - runc - skopeo - - toolbox + # crun recommends but doesn't require criu and criu-libs. We want them for + # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370 + - criu criu-libs # passt provides user-mode networking daemons for namespaces - passt # nvme-cli for managing nvme disks
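Review bot: The `postprocess` script in manifests/podman.yaml turns on `container_use_cephfs`, which by its name relaxes SELinux policy for container domains in general, yet it is now applied only when this podman manifest is included. A derived manifest that includes moby-engine.yaml alone would silently lose the boolean, while any build that includes podman.yaml gets the relaxation whether or not CephFS is used. The comment still justifies it only as "used by OpenShift". State the coupling in the file, e.g. `# Affects every container runtime on the host, not only podman; lives here because this manifest is included whenever engines are enabled`.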
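Review bot: `- criu criu-libs` stays in manifests/user-experience.yaml although the comment above it justifies the packages by crun, which this commit moves to podman.yaml. With `container_engines: false` the image would still carry checkpoint/restore tooling that nothing on it uses, assuming user-experience.yaml is part of that build too. That is avoidable surface for a variant whose purpose is to omit the container stack. Consider moving the line and its comment next to `- crun` in podman.yaml. The `packages` list continues outside this hunk.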