diff --git a/internal/noderesource/noderesource.go b/internal/noderesource/noderesource.go
index 26501ae..ca500f9 100644
--- a/internal/noderesource/noderesource.go
+++ b/internal/noderesource/noderesource.go
@@ -273,6 +273,10 @@ func buildNodePodSpec(node *seiv1alpha1.SeiNode, p PlatformConfig) corev1.PodSpe
 },
 },
 Volumes: volumes,
+ SecurityContext: &corev1.PodSecurityContext{
+ // Avoids recursive setxattr walk on the data PVC at pod start.
+ SELinuxChangePolicy: ptr.To(corev1.SELinuxChangePolicyMountOption),
+ },
 }
 spec.ShareProcessNamespace = ptr.To(true)
diff --git a/internal/noderesource/noderesource_test.go b/internal/noderesource/noderesource_test.go
index bb8b51e..fc3ee91 100644
--- a/internal/noderesource/noderesource_test.go
+++ b/internal/noderesource/noderesource_test.go
@@ -188,6 +188,21 @@ func TestBuildNodePodSpec_SharedPIDNamespace(t *testing.T) {
 g.Expect(*sts.Spec.Template.Spec.ShareProcessNamespace).To(BeTrue())
 }
 
+// SELinuxChangePolicy=MountOption avoids the per-pod-recreation recursive
+// xattr walk over the data PVC. On a multi-TB archive PVC, that walk takes
+// ~20 minutes; with MountOption the kernel applies the SELinux context as
+// a per-mount overlay in milliseconds.
+func TestBuildNodePodSpec_SELinuxChangePolicyMountOption(t *testing.T) {
+ g := NewWithT(t)
+ node := newSnapshotNode("snap-0", "default")
+
+ spec := buildNodePodSpec(node, platformtest.Config())
+
+ g.Expect(spec.SecurityContext).NotTo(BeNil())
+ g.Expect(spec.SecurityContext.SELinuxChangePolicy).NotTo(BeNil())
+ g.Expect(*spec.SecurityContext.SELinuxChangePolicy).To(Equal(corev1.SELinuxChangePolicyMountOption))
+}
+
 // --- PVC ---
 
 func TestNodeDataPVCClaimName_Genesis(t *testing.T) {
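Review bot: The new `SecurityContext` block sets `SELinuxChangePolicy` to `MountOption`, but the comment on it only says what the policy avoids, not the conditions under which the kubelet actually honors it, and the hunk adds no `SELinuxOptions` to the pod. As far as I recall, the kubelet only mounts with `-o context=` when the pod's SELinux label is known at mount time and the volume's CSI driver advertises `seLinuxMount`; otherwise it silently falls back to the recursive relabel this comment claims is avoided, so the startup-time benefit is conditional and worth stating. The field is also behind the `SELinuxChangePolicy` feature gate (alpha in 1.32, beta in 1.33 — verify against the target cluster version); on a cluster with the gate off the API server drops the field, so a reconciler that compares desired against observed spec may see a perpetual diff. Suggest replacing the one-line comment with `// MountOption asks the kubelet to mount the data PVC with -o context= instead of relabeling every file; only honored when the pod's SELinux label is known at mount time and the CSI driver sets seLinuxMount, otherwise the kubelet falls back to a recursive relabel, and clusters without the SELinuxChangePolicy gate drop the field entirely.` buildNodePodSpec starts and ends outside the hunk.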
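Review bot: The new test pins the policy only for a snapshot node (`newSnapshotNode("snap-0", "default")`); the neighbouring `TestNodeDataPVCClaimName_Genesis` suggests `buildNodePodSpec` also serves other node kinds, and if its PodSpec is built per kind (I cannot see the function body from here) a table-driven loop over each node constructor would keep a future branch from dropping the field for one of them. The four-line lead comment also carries operational measurements (~20 minutes, milliseconds) that the next person editing the PodSpec in noderesource.go will never see from a test file; keeping those figures, with where they were measured, next to the production field and reducing this comment to `// Guards the MountOption policy set in buildNodePodSpec.` would put the rationale where it is acted on. The test function is fully within the hunk.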