diff --git a/nodepool/elements/nodepool-base/finalise.d/99-unbound b/nodepool/elements/nodepool-base/finalise.d/99-unbound
index e1c34c266e..659972a77c 100755
--- a/nodepool/elements/nodepool-base/finalise.d/99-unbound
+++ b/nodepool/elements/nodepool-base/finalise.d/99-unbound
@@ -35,8 +35,12 @@ chmod a+r /etc/unbound/forwarding.conf
 
 # If we have selinux install, restore default SELinux contents when ever
 # possible. Currently this only seems relevant for RHEL based DIBs.
-if [ -x /sbin/restorecon ] ; then
- restorecon -v /etc/unbound/forwarding.conf
+SETFILES=$(which setfiles || true)
+if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
+ # Without fixing selinux file labels, sshd will run in the kernel_t domain
+ # instead of the sshd_t domain, making ssh connections fail with
+ # "Unable to get valid context for " error message
+ setfiles /etc/selinux/targeted/contexts/files/file_contexts /etc/unbound
 fi
 
 # Overwrite /etc/resolv.conf at boot
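Review bot: The comment inside the new `if` explains an sshd failure (`kernel_t` instead of `sshd_t`), but the command below it relabels `/etc/unbound`, so the stated reason does not match what is being labelled. It looks carried over from another element and should describe the unbound case, e.g. `# Relabel /etc/unbound so the forwarding.conf created earlier gets the policy's default file context`. The guard also hard-codes the `targeted` policy path and skips silently when that file or `setfiles` is missing, so an image using a different policy type would presumably keep whatever label the file was created with and the build log would not show it; an `else` branch printing a line to stderr would make the skip visible. Smaller points: the path resolved into `SETFILES` is tested but the bare name `setfiles` is what runs, and `-a` inside `[ ]` is ambiguous; `if [ -e "$ctx" ] && [ -x "${SETFILES}" ]; then "${SETFILES}" "$ctx" /etc/unbound`, with the file_contexts path held in a variable, keeps the test and the call consistent.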