diff --git a/agents.tf b/agents.tf
index e129650..da4c4f5 100644
--- a/agents.tf
+++ b/agents.tf
@@ -59,19 +59,6 @@ resource "null_resource" "agents" {
 inline = local.install_k3s_agent
 }
 
- # Issue a reboot command and wait for MicroOS to reboot and be ready
- # so that the new snapshot with k3s-selinux kicks in
- provisioner "local-exec" {
- command = <<-EOT
- ssh ${local.ssh_args} root@${module.agents[each.key].ipv4_address} '(sleep 2; reboot)&'; sleep 3
- until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.agents[each.key].ipv4_address} true 2> /dev/null
- do
- echo "Waiting for MicroOS to reboot and become available..."
- sleep 3
- done
- EOT
- }
-
 # Start the k3s agent and wait for it to have started
 provisioner "remote-exec" {
 inline = [
diff --git a/control_planes.tf b/control_planes.tf
index 1ecd24f..7c31d4b 100644
--- a/control_planes.tf
+++ b/control_planes.tf
@@ -65,19 +65,6 @@ resource "null_resource" "control_planes" {
 inline = local.install_k3s_server
 }
 
- # Issue a reboot command and wait for MicroOS to reboot and be ready,
- # so that the new snapshot with k3s-selinux kicks in, only if k3s has never been initialized on the node
- provisioner "local-exec" {
- command = <<-EOT
- ssh ${local.ssh_args} root@${module.control_planes[count.index].ipv4_address} '[[ ! -f /etc/rancher/k3s/k3s.yaml ]] && (sleep 2; reboot)&'; sleep 3
- until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.control_planes[count.index].ipv4_address} true 2> /dev/null
- do
- echo "Waiting for MicroOS to reboot and become available..."
- sleep 3
- done
- EOT
- }
-
 # Start the k3s server and wait for it to have started correctly
 provisioner "remote-exec" {
 inline = [
diff --git a/init.tf b/init.tf
index 81eb32b..e15b054 100644
--- a/init.tf
+++ b/init.tf
@@ -30,19 +30,6 @@ resource "null_resource" "first_control_plane" {
 inline = local.install_k3s_server
 }
 
- # so that the new snapshot with k3s-selinux kicks in
- # Issue a reboot command and wait for MicroOS to reboot and be ready
- provisioner "local-exec" {
- command = <<-EOT
- ssh ${local.ssh_args} root@${module.control_planes[0].ipv4_address} '(sleep 2; reboot)&'; sleep 3
- until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.control_planes[0].ipv4_address} true 2> /dev/null
- do
- echo "Waiting for MicroOS to reboot and become available..."
- sleep 3
- done
- EOT
- }
-
 # Upon reboot verify start k3s and wait for it to be ready to receive commands
 provisioner "remote-exec" {
 inline = [
diff --git a/locals.tf b/locals.tf
index 7acb380..6ebbe16 100644
--- a/locals.tf
+++ b/locals.tf
@@ -145,8 +145,10 @@ locals {
 "[ -e /etc/rancher/k3s/k3s.yaml ] && exit 0",
 ]
 
- install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"])
- install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"])
+ apply_k3s_selinux = ["/sbin/semodule -v -i /usr/share/selinux/packages/k3s.pp"]
+
+ install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"], local.apply_k3s_selinux)
+ install_k3s_agent = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"], local.apply_k3s_selinux)
 
 agent_nodepools = merge([
 for nodepool_name, nodepool_obj in var.agent_nodepools : {
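Review bot: The rewritten `install_k3s_server` and `install_k3s_agent` lines in locals.tf still pipe `https://get.k3s.io` into a root shell with only a channel selected, so whatever the endpoint serves at apply time runs unverified on every node. Since these lines are being touched anyway, consider downloading the script to a file, checking it against a checksum kept in the repository, and running it with `INSTALL_K3S_VERSION` pinned instead of a channel. Separately, `apply_k3s_selinux` assumes the k3s-selinux package installed in modules/host/main.tf is present in the running snapshot; a guard such as `"[ -f /usr/share/selinux/packages/k3s.pp ] || { echo 'k3s-selinux policy not installed' >&2; exit 1; }"` ahead of the `semodule` call would make that dependency explicit. Whether a failing command stops the list depends on `common_commands_install_k3s`, whose start is outside the hunk.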
diff --git a/modules/host/main.tf b/modules/host/main.tf
index 869fc8a..8eae7d6 100644
--- a/modules/host/main.tf
+++ b/modules/host/main.tf
@@ -51,6 +51,26 @@ resource "hcloud_server" "server" {
 done
 EOT
 }
+
+ # Install k3s-selinux (compatible version)
+ provisioner "remote-exec" {
+ inline = [
+ "set -ex",
+ "transactional-update pkg install -y k3s-selinux"
+ ]
+ }
+
+ # Issue a reboot command and wait for MicroOS to reboot and be ready
+ provisioner "local-exec" {
+ command = <<-EOT
+ ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3
+ until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
+ do
+ echo "Waiting for MicroOS to reboot and become available..."
+ sleep 3
+ done
+ EOT
+ }
 }
 
 resource "hcloud_server_network" "server" {
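Review bot: The wait loop in the new reboot provisioner can succeed against a host that has not rebooted yet: after `sleep 3` the first `ssh … true` may still reach the old boot, and the `semodule` step added in locals.tf would then run in a snapshot without k3s-selinux. Record the boot id first, `before=$(ssh ${local.ssh_args} root@${self.ipv4_address} cat /proc/sys/kernel/random/boot_id)`, and change the loop condition to `until after=$(ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} cat /proc/sys/kernel/random/boot_id 2> /dev/null) && [ "$after" != "$before" ]`. The loop also has no upper bound, so a host that never comes back blocks the apply indefinitely; a retry counter would turn that into a visible failure. The package install above it takes whatever k3s-selinux version the configured repositories serve, which the "(compatible version)" comment does not pin.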