diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml
index 2e7d79dc4c..82ab2346ba 100644
--- a/deployment/database/mysql-container-puppet.yaml
+++ b/deployment/database/mysql-container-puppet.yaml
@@ -291,6 +291,20 @@ outputs:
             - {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'}
             - {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
       upgrade_tasks:
+        - name: Ensure correct label on mysql data directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/lib/mysql
+            setype: svirt_sandbox_file_t
+            recurse: true
+        - name: Ensure correct label on mysql log directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/log/containers/mysql
+            setype: svirt_sandbox_file_t
+            recurse: true
           # When mariadb is upgraded to a new major release, one must run
           # mysql_upgrade to upgrade the DB's system tables, and potentially
           # run other storage upgrade. We want to that as early as possible
diff --git a/deployment/database/redis-pacemaker-puppet.yaml b/deployment/database/redis-pacemaker-puppet.yaml
index b315085f0d..76fa2e6a82 100644
--- a/deployment/database/redis-pacemaker-puppet.yaml
+++ b/deployment/database/redis-pacemaker-puppet.yaml
@@ -330,6 +330,20 @@ outputs:
             tripleo_ha_wrapper_minor_update: true
 
       upgrade_tasks:
+        - name: Ensure correct label on redis data directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/lib/redis
+            setype: svirt_sandbox_file_t
+            recurse: true
+        - name: Ensure correct label on redis log directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/log/containers/redis
+            setype: svirt_sandbox_file_t
+            recurse: true
         - name: Prepare switch of redis image name
           when:
             - step|int == 0
diff --git a/deployment/haproxy/haproxy-container-puppet.yaml b/deployment/haproxy/haproxy-container-puppet.yaml
index c58c432db3..387e06ee31 100644
--- a/deployment/haproxy/haproxy-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-container-puppet.yaml
@@ -348,6 +348,13 @@ outputs:
                 - '--debug --verbose'
                 - ''
       upgrade_tasks:
+        - name: Ensure correct label on haproxy data directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/lib/haproxy
+            setype: svirt_sandbox_file_t
+            recurse: true
         - name: ensure we have haproxy log dir with the correct setype
           file:
             path: /var/log/containers/haproxy
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 257c946e3e..8fbd9d2444 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@@ -171,7 +171,21 @@ outputs:
           file:
             path: /etc/ceph
             state: directory
-      upgrade_tasks: []
+      upgrade_tasks:
+        - name: Ensure correct label on manila data directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/lib/manila
+            setype: svirt_sandbox_file_t
+            recurse: true
+        - name: Ensure correct label on manila log directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/log/containers/manila
+            setype: svirt_sandbox_file_t
+            recurse: true
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
index a637b05c60..3da8a9cfec 100644
--- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
+++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
@@ -506,6 +506,14 @@ outputs:
             recurse: true
             setype: "svirt_sandbox_file_t"
             state: directory
+        - name: Ensure correct label recursively on ovn log directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/log/containers/openvswitch"
+            recurse: true
+            setype: "svirt_sandbox_file_t"
+            state: directory
         - name: Retag the pacemaker image if containerized
           when:
             - step|int == 3
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index 5e2ebf898a..5e9fac6ef6 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -305,7 +305,21 @@ outputs:
           with_items:
             - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
             - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
-      upgrade_tasks: []
+      upgrade_tasks:
+        - name: Ensure correct label on rabbitmq data directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/lib/rabbitmq
+            setype: svirt_sandbox_file_t
+            recurse: true
+        - name: Ensure correct label on rabbitmq log directory and content
+          when:
+            - step|int == 0
+          file:
+            path: /var/log/containers/rabbitmq
+            setype: svirt_sandbox_file_t
+            recurse: true
       update_tasks:
         # TODO: Are we sure we want to support this.  Rolling update
         # without pacemaker may fail.  Do we test this ?  In any case,