diff --git a/selinux/files/restorecond.conf b/selinux/files/restorecond.conf
new file mode 100644
index 0000000..58b723a
--- /dev/null
+++ b/selinux/files/restorecond.conf
@@ -0,0 +1,8 @@
+/etc/services
+/etc/resolv.conf
+/etc/samba/secrets.tdb
+/etc/mtab
+/var/run/utmp
+/var/log/wtmp
+/root/*
+/root/.ssh/*
diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index 76e57f2..13cd8e1 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -92,6 +92,34 @@ class selinux::tools {
 }
 
 
+# Enable restorecond service.
+#
+class selinux::restorecond {
+
+ if $::selinux == "true" {
+ file { "/etc/selinux/restorecond.conf":
+ ensure => present,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ seltype => "selinux_config_t",
+ source => [
+ "puppet:///files/selinux/restorecond.conf.${homename}",
+ "puppet:///files/selinux/restorecond.conf",
+ "puppet:///modules/selinux/restorecond.conf",
+ ],
+ notify => Service["restorecond"],
+ }
+
+ service { "restorecond":
+ ensure => running,
+ enable => true,
+ }
+ }
+
+}
+
+
 # Set SELinux boolean value
 #
 # === Parameters
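Review bot: The per-host entry in the `source` list interpolates `${homename}` unqualified while the guard a few lines above uses the qualified `$::selinux`; under dynamic scoping an unqualified name can resolve to a different variable or to nothing, in which case the first candidate silently becomes `restorecond.conf.`, so write `"puppet:///files/selinux/restorecond.conf.${::homename}"`. If `homename` is a fact rather than a server-side setting, its value is reported by the agent, so the node chooses which file the master serves it; keying the per-host file on the certname (or validating the value before use) keeps that choice on the server. The class declares no relationship with the package that ships `restorecond` (policycoreutils on RHEL-family), so on a fresh node `Service["restorecond"]` can be evaluated before the binary exists; if `selinux::tools` installs it, add `require => Class["selinux::tools"]` to the service resource (the body of `selinux::tools` lies outside the hunk). Note also that `$::selinux == "true"` only matches while facts are stringified; with typed facts the value is a boolean and the whole class becomes a silent no-op, so a comment such as `# NOTE: relies on stringified facts; compare against true once facts are typed` would save the next maintainer a puzzle.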