diff --git a/Ext4Crypt.cpp b/Ext4Crypt.cpp
index a7d359e..472ffc8 100644
--- a/Ext4Crypt.cpp
+++ b/Ext4Crypt.cpp
@@ -747,6 +747,12 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int
 if (!ensure_policy(ce_raw_ref, misc_ce_path)) return false;
 if (!ensure_policy(ce_raw_ref, media_ce_path)) return false;
 if (!ensure_policy(ce_raw_ref, user_ce_path)) return false;
+
+ // Now that credentials have been installed, we can run restorecon
+ // over these paths
+ // NOTE: these paths need to be kept in sync with libselinux
+ android::vold::RestoreconRecursive(system_ce_path);
+ android::vold::RestoreconRecursive(misc_ce_path);
 }
 }
diff --git a/PrivateVolume.cpp b/PrivateVolume.cpp
index 21746b2..e5809fb 100644
--- a/PrivateVolume.cpp
+++ b/PrivateVolume.cpp
@@ -137,23 +137,7 @@ status_t PrivateVolume::doMount() {
 return -EIO;
 }
- LOG(VERBOSE) << "Starting restorecon of " << mPath;
-
- // TODO: find a cleaner way of waiting for restorecon to finish
- property_set("selinux.restorecon_recursive", "");
- property_set("selinux.restorecon_recursive", mPath.c_str());
-
- char value[PROPERTY_VALUE_MAX];
- while (true) {
- property_get("selinux.restorecon_recursive", value, "");
- if (strcmp(mPath.c_str(), value) == 0) {
- break;
- }
- sleep(1);
- LOG(VERBOSE) << "Waiting for restorecon...";
- }
-
- LOG(VERBOSE) << "Finished restorecon of " << mPath;
+ RestoreconRecursive(mPath);
 // Verify that common directories are ready to roll
 if (PrepareDir(mPath + "/app", 0771, AID_SYSTEM, AID_SYSTEM) ||
diff --git a/Utils.cpp b/Utils.cpp
index 7ae22c5..014055b 100644
--- a/Utils.cpp
+++ b/Utils.cpp
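Review bot: The `status_t` returned by the two `android::vold::RestoreconRecursive(...)` calls is discarded, while every `ensure_policy` call directly above fails the function on error, so a relabel that did not complete would leave the CE directories with whatever SELinux label they had and still report success. The helper currently always returns `OK`, so this only bites once it reports failures, but the call sites should already fail closed, e.g. `if (android::vold::RestoreconRecursive(system_ce_path) != 0) return false;` and the same for `misc_ce_path`. The same unchecked call appears in `PrivateVolume::doMount()` as `RestoreconRecursive(mPath);`, where a non-zero result could be returned like the `-EIO` path above it. The NOTE comment would also be easier to maintain if it named the libselinux list it must match. `e4crypt_prepare_user_storage` begins and ends outside this hunk.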
@@ -646,6 +646,27 @@ std::string DefaultFstabPath() {
 return StringPrintf("/fstab.%s", hardware);
 }
+status_t RestoreconRecursive(const std::string& path) {
+ LOG(VERBOSE) << "Starting restorecon of " << path;
+
+ // TODO: find a cleaner way of waiting for restorecon to finish
+ const char* cpath = path.c_str();
+ property_set("selinux.restorecon_recursive", "");
+ property_set("selinux.restorecon_recursive", cpath);
+
+ char value[PROPERTY_VALUE_MAX];
+ while (true) {
+ property_get("selinux.restorecon_recursive", value, "");
+ if (strcmp(cpath, value) == 0) {
+ break;
+ }
+ usleep(100000); // 100ms
+ }
+
+ LOG(VERBOSE) << "Finished restorecon of " << path;
+ return OK;
+}
+
 status_t SaneReadLinkAt(int dirfd, const char* path, char* buf, size_t bufsiz) {
 ssize_t len = readlinkat(dirfd, path, buf, bufsiz);
 if (len < 0) {
diff --git a/Utils.h b/Utils.h
index 9abd322..4bfd8e9 100644
--- a/Utils.h
+++ b/Utils.h
@@ -114,6 +114,8 @@ dev_t GetDevice(const std::string& path);
 std::string DefaultFstabPath();
+status_t RestoreconRecursive(const std::string& path);
+
 status_t SaneReadLinkAt(int dirfd, const char* path, char* buf, size_t bufsiz);
 class ScopedFd {
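Review bot: The `while (true)` loop in `RestoreconRecursive` has no exit other than the property reading back equal to `cpath`, and both `property_set` results are ignored, so any failed set leaves the caller spinning forever and the function can only ever return `OK`. Now that the helper takes an arbitrary `std::string`, a path of `PROPERTY_VALUE_MAX` bytes or more can never match the `value` buffer and would hit exactly that hang. The property is also a single shared slot, so two overlapping callers could presumably overwrite each other's request; that is worth a comment or a lock if vold can reach this from more than one thread. I would reject over-long paths, check the `property_set` results, bound the wait and return an error on timeout, as sketched below; the poll limit is a suggestion to tune.

```cpp
status_t RestoreconRecursive(const std::string& path) {
    // … unchanged: start log, cpath …
    if (path.size() >= PROPERTY_VALUE_MAX) {
        LOG(ERROR) << "Path too long for restorecon request: " << path;
        return -EINVAL;
    }
    if (property_set("selinux.restorecon_recursive", "") != 0 ||
        property_set("selinux.restorecon_recursive", cpath) != 0) {
        LOG(ERROR) << "Failed to request restorecon of " << path;
        return -EIO;
    }

    char value[PROPERTY_VALUE_MAX];
    const int max_polls = 600;  // 60s at 100ms per poll; suggested bound
    for (int i = 0; i < max_polls; i++) {
        property_get("selinux.restorecon_recursive", value, "");
        if (strcmp(cpath, value) == 0) {
            LOG(VERBOSE) << "Finished restorecon of " << path;
            return OK;
        }
        usleep(100000);  // 100ms
    }
    LOG(ERROR) << "Timed out waiting for restorecon of " << path;
    return -ETIMEDOUT;
}
```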
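Review bot: The new `RestoreconRecursive` declaration in Utils.h carries no comment, and nothing in the signature tells a caller that it blocks the calling thread while polling a system property. A short header comment would cover it, for example `/* Requests a recursive restorecon of path through selinux.restorecon_recursive and blocks until the property reads back as path */`. It should also say what the `status_t` means, since the implementation in this commit returns `OK` unconditionally.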