diff --git a/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup b/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
index 465e8a039..0b600562f 100755
--- a/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
+++ b/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
@@ -25,6 +25,16 @@ fi
 cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
+if [ -e /usr/sbin/getenforce ]; then
+ if [ "$(getenforce)" == "Enforcing" ]; then
+ selinux_wrong_permission="$(find /home/.ssh/ -exec ls -lZ {} \; | grep -v 'ssh_home_t')"
+ if [ -n "${selinux_wrong_permission}" ]; then
+ semanage fcontext -a -t ssh_home_t '/root/.ssh(/.*)?'
+ restorecon -R /root/.ssh/
+ fi
+ fi
+fi
+
 UNDERCLOUD_IP=$(os-apply-config --key local-ip --type netaddress)
 export UNDERCLOUD_IP
diff --git a/instack_undercloud/undercloud.py b/instack_undercloud/undercloud.py
index 4459fd71c..5d6f3f636 100644
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@@ -1390,6 +1390,32 @@ def _configure_ssh_keys(nova):
 nova.keypairs.create('default', pubkey.read().rstrip())
+def _ensure_ssh_selinux_permission():
+ ssh_path = os.path.expanduser('~/.ssh')
+ try:
+ enforcing = _run_command(['getenforce'])
+ if os.path.isdir(ssh_path):
+ if 'Enforcing' in enforcing:
+ file_perms = _run_command(
+ ['find', ssh_path, '-exec', 'ls', '-lZ', '{}', ';'])
+ wrong_perm = False
+ for line in file_perms.splitlines():
+ if 'ssh_home_t' not in line:
+ wrong_perm = True
+ break
+ if wrong_perm:
+ cmd = ['semanage',
+ 'fcontext', '-a', '-t', 'ssh_home_t',
+ "{}(/.*)?".format(ssh_path)]
+ _run_command(cmd)
+ _run_command(['restorecon', '-R', ssh_path])
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ LOG.debug("Not a SeLinux platform")
+ else:
+ raise
+
+
 def _delete_default_flavors(nova):
 """Delete the default flavors from Nova
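Review bot: The detection on the `selinux_wrong_permission=` line scans `/home/.ssh/` while the `semanage` and `restorecon` lines relabel `/root/.ssh/`; on a host with no `/home/.ssh` the `find` fails, the variable stays empty and the relabel never runs, so the `authorized_keys` entry appended just above can still be unreadable by sshd under an enforcing policy. Change it to `selinux_wrong_permission="$(find /root/.ssh/ -exec ls -dZ {} \; | grep -v 'ssh_home_t')"` — `-dZ` rather than `-lZ`, because `ls -lZ` on the directory prints a `total` line with no label and would flag every run. Once the scan actually fires, a second run re-issues `semanage fcontext -a` for a spec that is already defined, which errors out (and aborts the script if it runs under `set -e`, which this hunk does not show); checking `semanage fcontext -l` first, or relying on `restorecon -R` alone where the policy already maps `/root/.ssh(/.*)?`, avoids that. The `.` in `'/root/.ssh(/.*)?'` is an unescaped regex metacharacter; `'/root/\.ssh(/.*)?'` is the precise spec.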
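Review bot: The `except OSError` at the end of `_ensure_ssh_selinux_permission` wraps the `semanage` and `restorecon` calls as well as the `getenforce` probe, so on an enforcing host where `semanage` is not installed the ENOENT is logged as "Not a SeLinux platform" and the mislabelled `~/.ssh` is silently left in place. The same handler compares against `os.errno.ENOENT`; `os.errno` is an undocumented re-export that Python 3.7 removed, so add `import errno` at the module top (outside this hunk) and use `errno.ENOENT`. I would narrow the try to the probe and return early, keeping the scan and relabel outside it (this assumes `_run_command` propagates the Popen `OSError` for a missing binary — confirm against its definition). Separately, `ls -lZ` on the `~/.ssh` directory itself emits a `total N` line without `ssh_home_t`, so `wrong_perm` is true on every run and `semanage fcontext -a` is re-issued each time; `ls -dZ`, or dropping the scan and running `restorecon -R` unconditionally, would avoid that.
```python
    ssh_path = os.path.expanduser('~/.ssh')
    try:
        enforcing = _run_command(['getenforce'])
    except OSError as e:
        # Only a missing getenforce binary means "no SELinux here".
        if e.errno != errno.ENOENT:
            raise
        LOG.debug("Not a SeLinux platform")
        return
    if not os.path.isdir(ssh_path) or 'Enforcing' not in enforcing:
        return
    # … unchanged: find/ls -lZ scan, semanage fcontext and restorecon …
```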
@@ -1678,6 +1704,7 @@ def _post_config(instack_env, upgrade):
 os_ironic_api_version='1.21')
 _configure_ssh_keys(nova)
+ _ensure_ssh_selinux_permission()
 _delete_default_flavors(nova)
 _ensure_node_resource_classes(ironic)