diff --git a/base-services.yml b/base-services.yml
index e441b16..60e86fb 100644
--- a/base-services.yml
+++ b/base-services.yml
@@ -1,138 +1,138 @@
 version: "3.7"
 
 services:
   memcache:
     image: memcached
     deploy:
       replicas: 1
 
   db-storage:
     image: postgres:12
     deploy:
       mode: global
       placement:
         constraints:
           - node.role == manager
     command: ['-c', 'shared_buffers=4GB', '-c', 'effective_cache_size=4GB', '-c', 'random_page_cost=1.5', '-c', 'max_wal_size=4GB']
     environment:
       POSTGRES_PASSWORD_FILE: /run/secrets/postgres-password
       POSTGRES_USER: swh
       POSTGRES_DB:
       # unset POSTGRES_DB: we're handling db creation ourselves in the backend
     volumes:
-      - "storage:/var/lib/postgresql/data"
+      - "storage:/var/lib/postgresql/data:rw,Z"
     secrets:
       - source: postgres-password
         uid: '999'
         mode: 0400
 
   web:
     image: softwareheritage/web:${SWH_IMAGE_TAG:-latest}
     configs:
       - source: web
         target: /etc/softwareheritage/config.yml
     command: serve
     environment:
       PORT: "5004"
     depends_on:
       - memcache
 
   objstorage:
     image: softwareheritage/base:${SWH_IMAGE_TAG:-latest}
     deploy:
       placement:
         constraints:
           - node.role == manager
     volumes:
-      - "objstorage:/srv/softwareheritage/objects"
+      - "objstorage:/srv/softwareheritage/objects:rw,Z"
     configs:
       - source: objstorage
         target: /etc/softwareheritage/config.yml
     environment:
       PORT: "5003"
       STATSD_HOST: prometheus-statsd-exporter
       STATSD_PORT: 9125
     command: objstorage
 
   storage:
     image: softwareheritage/base:${SWH_IMAGE_TAG:-latest}
     configs:
       - source: storage
         target: /etc/softwareheritage/config.yml
     environment:
       PGHOST: db-storage
       PGUSER: swh
       POSTGRES_DB: swh-storage
       PORT: "5002"
       STATSD_HOST: prometheus-statsd-exporter
       STATSD_PORT: 9125
     command: storage
     depends_on:
       - db-storage
     secrets:
       - source: postgres-password
         mode: 0400
 
   nginx:
     image: nginx
     configs:
       - source: nginx
         target: /etc/nginx/nginx.conf
     ports:
       - "5081:5081/tcp"
     deploy:
       placement:
         constraints:
           - node.role == manager
 
   prometheus:
     image: prom/prometheus
     depends_on:
     - prometheus-statsd-exporter
     command:
       # Needed for the reverse-proxy
       - "--web.external-url=/prometheus"
       - "--config.file=/etc/prometheus/prometheus.yml"
     volumes:
-      - "./conf/prometheus.yml:/etc/prometheus/prometheus.yml:ro"
+      - "./conf/prometheus.yml:/etc/prometheus/prometheus.yml:ro,Z"
     deploy:
       mode: global
 
   prometheus-statsd-exporter:
     image: prom/statsd-exporter
     command:
       - "--statsd.mapping-config=/etc/prometheus/statsd-mapping.yml"
     volumes:
-      - "./conf/prometheus-statsd-mapping.yml:/etc/prometheus/statsd-mapping.yml:ro"
+      - "./conf/prometheus-statsd-mapping.yml:/etc/prometheus/statsd-mapping.yml:ro,Z"
 
   grafana:
     image: grafana/grafana
     depends_on:
     - prometheus
     environment:
       GF_SERVER_ROOT_URL: http://localhost:5081/grafana
     volumes:
-      - "./conf/grafana/provisioning:/etc/grafana/provisioning:ro"
-      - "./conf/grafana/dashboards:/var/lib/grafana/dashboards"
+      - "./conf/grafana/provisioning:/etc/grafana/provisioning:ro,Z"
+      - "./conf/grafana/dashboards:/var/lib/grafana/dashboards:rw,Z"
 
 volumes:
   objstorage:
   storage:
 
 secrets:
   postgres-password:
     external: true
 
 configs:
   storage:
     file: conf/storage.yml
     name: storage
   objstorage:
     file: conf/objstorage.yml
     name: objstorage
   nginx:
     file: conf/nginx.conf
     name: nginx
   web:
     file: conf/web.yml
     name: web