diff --git a/diskimage_builder/block_device/blockdevice.py b/diskimage_builder/block_device/blockdevice.py
index 9ff491825..4d10bb92b 100644
--- a/diskimage_builder/block_device/blockdevice.py
+++ b/diskimage_builder/block_device/blockdevice.py
@@ -298,7 +298,10 @@ class BlockDevice(object):
             return 0
         if symbol == 'mount-points':
             mount_points = self._config_get_all_mount_points()
-            print("%s" % " ".join(mount_points))
+            # we return the mountpoints joined by a pipe, because it is not
+            # a valid char in directories, so it is a safe separator for the
+            # mountpoints list
+            print("%s" % "|".join(mount_points))
             return 0
         if symbol == 'image-block-partition':
             # If there is no partition needed, pass back directly the
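Review bot: The comment added above the `print` says `|` is not a valid character in directories, but on Linux only `/` and NUL are excluded from a path component, so a mount point containing `|` would be split into two entries by whatever consumes this output. Either reject such mount points wherever the block-device config is validated, or reword the comment to something like `# '|' is legal in paths but not expected in mount points; consumers split on it`. Switching the separator from a space also changes what `getval mount-points` prints for any existing caller that splits on whitespace, which should be checked outside this hunk. The enclosing method begins and ends outside the hunk.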
diff --git a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
index 84ff7e582..0598d63ee 100755
--- a/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/finalise.d/90-selinux-fixfiles-restore
@@ -5,14 +5,22 @@ if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
 fi
 set -eu
 set -o pipefail
+
 SETFILES=$(which setfiles || true)
 if [ -e /etc/selinux/targeted/contexts/files/file_contexts -a -x "${SETFILES}" ]; then
-    # Without fixing selinux file labels, sshd will run in the kernel_t domain
-    # instead of the sshd_t domain, making ssh connections fail with
-    # "Unable to get valid context for <user>" error message
-    setfiles /etc/selinux/targeted/contexts/files/file_contexts /
+    # get all mounpoints in the system
+    IFS='|' read -ra SPLIT_MOUNTS <<< "$DIB_MOUNTPOINTS"
+    for MOUNTPOINT in "${SPLIT_MOUNTS[@]}"; do
+        # Without fixing selinux file labels, sshd will run in the kernel_t domain
+        # instead of the sshd_t domain, making ssh connections fail with
+        # "Unable to get valid context for <user>" error message
+        if [ "${MOUNTPOINT}" != "/tmp/in_target.d" ] && [ "${MOUNTPOINT}" != "/dev" ]; then
+            $SETFILES /etc/selinux/targeted/contexts/files/file_contexts ${MOUNTPOINT}
+        fi
+    done
 else
     echo "Skipping SELinux relabel, since setfiles is not available."
     echo "Touching /.autorelabel to schedule a relabel when the image boots."
     touch /.autorelabel
 fi
+
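Review bot: `${MOUNTPOINT}` and `$SETFILES` are expanded unquoted on the setfiles line, so a mount point containing whitespace or glob characters is word-split or expanded before it reaches setfiles and a different path is relabelled; write it as `"$SETFILES" /etc/selinux/targeted/contexts/files/file_contexts "${MOUNTPOINT}"`. The loop also relabels nothing when `DIB_MOUNTPOINTS` is empty, and under `set -u` an unset variable aborts the script, whereas the old code always relabelled `/`. Using `IFS='|' read -ra SPLIT_MOUNTS <<< "${DIB_MOUNTPOINTS:-/}"` would keep that fallback, so an image is not produced with unlabelled files and no `/.autorelabel` marker. The sshd/kernel_t comment now sits inside the loop and would read better above it, alongside a corrected `# get all mountpoints in the system`.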
diff --git a/diskimage_builder/lib/disk-image-create b/diskimage_builder/lib/disk-image-create
index 3b76af668..88c64ed32 100644
--- a/diskimage_builder/lib/disk-image-create
+++ b/diskimage_builder/lib/disk-image-create
@@ -290,6 +290,10 @@ export DIB_ROOT_LABEL
 DIB_ROOT_FSTYPE=$(dib-block-device getval root-fstype)
 export DIB_ROOT_FSTYPE
 
+# retrieve mount points so we can reuse in elements
+DIB_MOUNTPOINTS=$(dib-block-device getval mount-points)
+export DIB_MOUNTPOINTS
+
 create_base
 # This variable needs to be propagated into the chroot
 mkdir -p $TMP_HOOKS_PATH/environment.d
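Review bot: The new comment does not say that `DIB_MOUNTPOINTS` is a `|`-separated list, which every element reading it has to know in order to split it; something like `# '|'-separated list of mount points from the block-device config, for use by elements` would record that contract. The context lines that follow set up `$TMP_HOOKS_PATH/environment.d` for a variable that has to be propagated into the chroot, and this hunk does not show `DIB_MOUNTPOINTS` being handled that way. It is worth confirming that the finalise.d script, which runs with `set -u`, actually sees the variable, since otherwise the SELinux relabel step would abort rather than run.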