diff --git a/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh b/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh
new file mode 100644
index 0000000000..1d3c0205b7
--- /dev/null
+++ b/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh
@@ -0,0 +1,12 @@
+#cloud-boothook
+#!/bin/sh
+
+# files in /usr/local/bin should be labeled bin_t
+# however on Atomic /usr/local is a symlink to /var/usrlocal
+# so the default Fedora policy doesn't work
+echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' > /etc/selinux/targeted/contexts/files/file_contexts.local
+restorecon -R /usr/local/bin
+
+# disable selinux until cloud-init is over
+# enabled again in enable-services.sh
+setenforce 0
diff --git a/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh b/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh
deleted file mode 100644
index 49e9dc79a8..0000000000
--- a/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#cloud-boothook
-#!/bin/sh
-
-setenforce 0
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
index 2422acfd67..da95c53532 100644
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
@@ -341,11 +341,11 @@ resources:
 group: ungrouped
 config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
- disable_selinux:
+ configure_selinux:
 type: "OS::Heat::SoftwareConfig"
 properties:
 group: ungrouped
- config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
+ config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
 add_proxy:
 type: "OS::Heat::SoftwareConfig"
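Review bot: The `echo ... > /etc/selinux/targeted/contexts/files/file_contexts.local` line in configure-selinux.sh truncates the file, so any local file-context rules already present on the image are discarded, and because this is a cloud-boothook that re-runs on every boot an idempotent append is the safer shape: `grep -qF '/var/usrlocal/(.*/)?bin(/.*)?' /etc/selinux/targeted/contexts/files/file_contexts.local || echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' >> /etc/selinux/targeted/contexts/files/file_contexts.local`. The script also sets no `set -e`, so a failing `restorecon` does not stop the boothook and the node proceeds to `setenforce 0` with the labeling unverified. The comment says enforcing mode is restored in enable-services.sh, which is outside this diff; the `restorecon -R /usr/local/bin` here only relabels files that already exist at boot, so scripts written into /usr/local/bin by later fragments presumably need another `restorecon` before enforcing mode is re-enabled — worth confirming in that fragment.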
@@ -363,7 +363,7 @@ resources:
 type: "OS::Heat::MultipartMime"
 properties:
 parts:
- - config: {get_resource: disable_selinux}
+ - config: {get_resource: configure_selinux}
 - config: {get_resource: remove_docker_key}
 - config: {get_resource: write_heat_params}
 - config: {get_resource: make_cert}
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
index 5b1f345102..50762c9a7e 100644
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
@@ -304,11 +304,11 @@ resources:
 group: ungrouped
 config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
- disable_selinux:
+ configure_selinux:
 type: "OS::Heat::SoftwareConfig"
 properties:
 group: ungrouped
- config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
+ config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
 add_proxy:
 type: "OS::Heat::SoftwareConfig"
@@ -326,7 +326,7 @@ resources:
 type: "OS::Heat::MultipartMime"
 properties:
 parts:
- - config: {get_resource: disable_selinux}
+ - config: {get_resource: configure_selinux}
 - config: {get_resource: remove_docker_key}
 - config: {get_resource: write_heat_params}
 - config: {get_resource: make_cert}