diff --git a/Makefile b/Makefile
index 9848a8e8..c4225539 100644
--- a/Makefile
+++ b/Makefile
@@ -130,6 +130,7 @@ install-init:
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 ifneq ($(ENABLE_SELINUX),1)
 	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-root.sh
+	rm -f $(DESTDIR)$(LIBDIR)/qubes/init/relabel-rw.sh
 endif
 
 # Systemd service files
diff --git a/init/relabel-rw.sh b/init/relabel-rw.sh
new file mode 100755
index 00000000..189bd8c8
--- /dev/null
+++ b/init/relabel-rw.sh
@@ -0,0 +1,6 @@
+#!/bin/bash --
+set -eu
+if [ /.qubes-relabeled -nt /rw/.autorelabel ]; then
+    restorecon -R /rw /home /usr/local
+    touch --reference=/.qubes-relabeled /rw/.autorelabel
+fi
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 143dc02f..fbfd397f 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -426,6 +426,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 %dir %_unitdir/selinux-autorelabel.service.d
 %_unitdir/selinux-autorelabel.service.d/30_qubes.conf
 /usr/lib/qubes/init/relabel-root.sh
+/usr/lib/qubes/init/relabel-rw.sh
 
 %postun selinux
 if [ "$1" -eq 0 ]; then
diff --git a/vm-systemd/qubes-relabel-root.service b/vm-systemd/qubes-relabel-root.service
index c1611cc3..a79e6b11 100644
--- a/vm-systemd/qubes-relabel-root.service
+++ b/vm-systemd/qubes-relabel-root.service
@@ -3,7 +3,8 @@ Description=Relabel /
 After=qubes-sysinit.service
 Requires=qubes-sysinit.service
 ConditionSecurity=selinux
-ConditionPathExists=!/.qubes-relabeled
+ConditionPathExists=|/.autorelabel
+ConditionPathExists=|!/.qubes-relabeled
 ConditionPathExists=/run/qubes/persistent-full
 DefaultDependencies=no
 Conflicts=shutdown.target
diff --git a/vm-systemd/qubes-relabel-rw.service b/vm-systemd/qubes-relabel-rw.service
index 2e4d4203..cbffb991 100644
--- a/vm-systemd/qubes-relabel-rw.service
+++ b/vm-systemd/qubes-relabel-rw.service
@@ -1,9 +1,8 @@
 [Unit]
 Description=Relabel /rw and /home
-After=qubes-mount-dirs.service qubes-sysinit.service
-Requires=qubes-mount-dirs.service qubes-sysinit.service
+After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
+Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
 ConditionSecurity=selinux
-ConditionPathExists=!/rw/.autorelabel
 DefaultDependencies=no
 Conflicts=selinux-autorelabel.service
 Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service
@@ -11,8 +10,7 @@ Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local
-ExecStart=/bin/touch /rw/.autorelabel
+ExecStart=/usr/lib/qubes/init/relabel-rw.sh
 
 [Install]
 WantedBy=multi-user.target