diff --git a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
index d4cc7445..db5b6695 100755
--- a/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
+++ b/elements/rpm-distro/finalise.d/11-selinux-fixfiles-restore
@@ -3,16 +3,14 @@
 set -eux
 set -o pipefail
 
-CONFIGURED_SELINUX=$(grep ^SELINUX= /etc/selinux/config | awk -F = '{print $2}')
-
-if [ "$CONFIGURED_SELINUX" == "enforcing" ]; then
+if [ -d /sys/fs/selinux -a /etc/selinux/targeted/contexts/files/file_context\
+s -a -x /usr/sbin/setfiles ]; then
 # Without fixing selinux file labels, sshd will run in the kernel_t domain
 # instead of the sshd_t domain, making ssh connections fail with
 # "Unable to get valid context for " error message
 setfiles /etc/selinux/targeted/contexts/files/file_contexts /
 else
- echo "Skipping SELinux relabel, since it is not Enforcing."
- echo "To relabel once the image is running, use:"
- echo "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"
- echo "fixfiles restore"
+ echo "Skipping SELinux relabel, since setfiles is not available."
+ echo "Touching /.autorelabel to schedule a relabel when the image boots."
+ touch /.autorelabel
 fi
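Review bot: The second operand of the new `[ ... ]` test, the `file_contexts` path, has no test operator in front of it, so `[` only checks that the string is non-empty and the condition never verifies that the policy file exists. If that file is missing, `setfiles` would fail and `set -eux` aborts the build instead of reaching the `/.autorelabel` fallback. The backslash continuation that splits the path mid-word and the `-a` operators also make the test fragile, so I would write it as `if [ -d /sys/fs/selinux ] && [ -f /etc/selinux/targeted/contexts/files/file_contexts ] && [ -x /usr/sbin/setfiles ]; then`. The else-branch message blames a missing setfiles even when the branch is taken because `/sys/fs/selinux` is absent, so it should name the actual conditions; an unlabelled image relies entirely on the first-boot relabel.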