diff --git a/defaults/main.yml b/defaults/main.yml
index a5bf8ae6..20cb5a9a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -232,6 +232,17 @@ security_postfix_inet_interfaces: localhost # V-38622
 #
 #security_root_forward_email: user@example.com
+## Linux Security Module (LSM)
+# AppArmor and SELinux provide powerful security controls on a Linux system
+# by setting policies for allowed actions. By setting the following variable
+# to true, the appropriate LSM will be enabled for the Linux distribution:
+#
+# Ubuntu: AppArmor
+# CentOS: SELinux
+#
+# See the openstack-ansible-security documentation for more details.
+security_enable_linux_security_module: yes # V-51337
+
 ## PAM and authentication
 # V-38497 requires that accounts with null passwords aren't allowed to
 # authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 1715bc98..d319fd9d 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -143,6 +143,16 @@ deployers can adjust this by changing ``security_disable_ipv6`` to ``yes``.
 Core dumps are also disabled by default in the openstack-ansible-security
 role.
+Linux Security Module (LSM)
+---------------------------
+
+The STIG requires that SELinux is in enforcing mode to provide additional
+security against attacks. The security role will enable SELinux on CentOS
+systems and enable AppArmor on Ubuntu systems.
+
+For more information on how these changes are applied, refer to the
+documentation for V-51337.
+
 Mail
 ----
diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst
index 929a3f5f..a3973060 100644
--- a/doc/source/developer-notes/V-51337.rst
+++ b/doc/source/developer-notes/V-51337.rst
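Review bot: The new default `security_enable_linux_security_module: yes # V-51337` uses the YAML 1.1 truthy spelling, while the comment directly above it tells deployers to set the variable "to true" and the developer notes added in this commit show `False`; the canonical `security_enable_linux_security_module: true # V-51337` keeps the default, the comment and the docs consistent and satisfies yamllint's truthy rule. The `| bool` filters in tasks/lsm.yml already normalise whatever a deployer overrides with, so only the spelling of the default changes. The comment block could also say that on CentOS the change takes effect at the next boot and may trigger a filesystem relabel, since that is the one side effect a deployer keeping this default should know about before reading the developer notes.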
@@ -1,14 +1,39 @@
-Ubuntu loads the AppArmor module by default starting with version 8.04. For
-more information, review the `AppArmor documentation`_ on Ubuntu's site.
-In addition, the OpenStack-Ansible project configures AppArmor policies
-for the LXC containers which run the OpenStack infrastructure.
+The tasks in the security role will enable the Linux Security
+Module (LSM) that is appropriate for the Linux distribution in use.
-The tasks for this STIG will verify that AppArmor is enabled via the
-``apparmor_status``. The playbook will fail if AppArmor is found to be
-disabled on the host.
+For Ubuntu, the default LSM is AppArmor. Refer to Ubuntu's `AppArmor
+documentation`_ for more details on how AppArmor works. The tasks will enable
+AppArmor and start it immediately on the system.
+
+For CentOS, the default LSM is SELinux. Refer to Red Hat's `Security-Enhanced
+Linux`_ documentation for more details on SELinux. The tasks will enable
+SELinux on the next boot.
+
+.. note::
+
+   **If SELinux was disabled before the security role was applied, the
+   filesystem will be automatically relabeled on the next boot.** For most
+   systems, this process only takes a few minutes. However, it can take
+   additional time to finish on systems with slow disks or a large number of
+   files.
+
+   Deployers are strongly urged to relabel the filesystem if the system has
+   never had SELinux in enforcing mode previously. Rebooting into enforcing
+   mode with a partially-labeled filesystem can lead to unnecessary SELinux
+   policy denials.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_enable_linux_security_module: False
+
+Setting the variable to ``False`` will prevent the tasks from making any
+adjustments to the LSM status.
 On CentOS 7, the security role will verify that SELinux is in *Enforcing*
 mode. If SELinux is in *Disabled* or *Permissive* mode, the playbook will
 fail with an error message.
 .. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
+.. _Security-Enhanced Linux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/
diff --git a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
new file mode 100644
index 00000000..64b945dd
--- /dev/null
+++ b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    The Linux Security Module (LSM) that is appropriate for the Linux
+    distribution in use will be automatically enabled by the security role by
+    default. Deployers can opt out of this change by setting the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+       security_enable_linux_security_module: False
+
+    The documentation for STIG V-51337 has more information about how each
+    LSM is enabled along with special notes for SELinux.
diff --git a/tasks/lsm.yml b/tasks/lsm.yml
new file mode 100644
index 00000000..2ddd85a5
--- /dev/null
+++ b/tasks/lsm.yml
@@ -0,0 +1,81 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install packages for AppArmor support (for V-51337)
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - apparmor
+    - apparmor-profiles
+    - apparmor-utils
+  when:
+    - ansible_os_family == "Debian"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Ensure AppArmor is running (for V-51337)
+  service:
+    name: apparmor
+    state: started
+    enabled: yes
+  when:
+    - ansible_os_family == "Debian"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Install packages for SELinux support (for V-51337)
+  yum:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - libselinux-python
+    - policycoreutils-python
+    - selinux-policy
+    - selinux-policy-targeted
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337)
+  selinux:
+    state: enforcing
+    policy: targeted
+  register: selinux_status_change
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+  tags:
+    - cat2
+    - V-51337
+
+- name: Relabel files on next boot if SELinux mode changed (for V-51337)
+  file:
+    path: /.autorelabel
+    state: touch
+  when:
+    - ansible_os_family == "RedHat"
+    - security_enable_linux_security_module | bool
+    - selinux_status_change | changed
+  tags:
+    - cat2
+    - V-51337
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a317253..4fa6f443 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -55,6 +55,7 @@
  - include: console.yml
  - include: file_perms.yml
  - include: kernel.yml
+ - include: lsm.yml
  - include: mail.yml
  - include: misc.yml
  - include: nfsd.yml
diff --git a/tasks/misc.yml b/tasks/misc.yml
index b9067a22..da950a1d 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -412,44 +412,3 @@
   tags:
     - cat2
     - V-38674
-
-- name: Check if AppArmor is running (for V-51337)
-  shell: "apparmor_status 2>&1 | head -n 1"
-  register: v51337_result
-  changed_when: False
-  always_run: True
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - cat2
-    - V-51337
-
-- name: V-51337 - The system must use a Linux Security Module at boot time
-  fail:
-    msg: "FAILED: AppArmor isn't enabled"
-  when:
-    - ansible_pkg_mgr == 'apt'
-    - "'apparmor module is loaded' not in v51337_result.stdout"
-  tags:
-    - cat2
-    - V-51337
-
-
-- name: Check if SELinux is enforcing (for V-51337)
-  command: getenforce
-  register: v51337_result
-  changed_when: False
-  always_run: True
-  when: ansible_pkg_mgr == 'yum'
-  tags:
-    - cat2
-    - V-51337
-
-- name: V-51337 - The system must use a Linux Security Module at boot time
-  fail:
-    msg: "FAILED: SELinux is not in enforcing mode."
-  when:
-    - ansible_pkg_mgr == 'yum'
-    - "'Enforcing' not in v51337_result.stdout"
-  tags:
-    - cat2
-    - V-51337
diff --git a/tox.ini b/tox.ini
index bbe6b89e..84442333 100644
--- a/tox.ini
+++ b/tox.ini
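Review bot: The relabel task at the end of the tasks/lsm.yml hunk touches `/.autorelabel` whenever `selinux_status_change | changed` is true, but the `selinux` module also reports a change when it moves a host from permissive to enforcing, where the filesystem is already labeled, so such a host gets a full relabel on its next boot even though the developer notes in this commit say the relabel happens only when SELinux was disabled. Recording the mode with `getenforce` before the `selinux` task runs (as the removed tasks/misc.yml check did) and adding that result to the relabel condition limits the relabel to the disabled case; the rewritten tasks are below. The `ansible_selinux` fact is a weaker basis for that check, because its shape depends on whether libselinux-python was present when facts were gathered, and this hunk installs that package only afterwards. Separately, `enabled: yes` in the AppArmor service task would read better as `enabled: true`, and the "On CentOS 7, the security role will verify ..." paragraph kept as context in V-51337.rst now describes a check this commit removes.
```yaml
# … unchanged: AppArmor tasks and SELinux package installation …

- name: Record the SELinux mode before any change (for V-51337)
  command: getenforce
  register: selinux_mode_before
  changed_when: False
  always_run: True
  when:
    - ansible_os_family == "RedHat"
    - security_enable_linux_security_module | bool
  tags:
    - cat2
    - V-51337

# … unchanged: Ensure SELinux is in enforcing mode on the next reboot …

- name: Relabel files on next boot if SELinux was disabled (for V-51337)
  file:
    path: /.autorelabel
    state: touch
  when:
    - ansible_os_family == "RedHat"
    - security_enable_linux_security_module | bool
    - selinux_status_change | changed
    - "'Disabled' in selinux_mode_before.stdout"
  tags:
    - cat2
    - V-51337
```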
@@ -105,9 +105,7 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 # images with apt config Apt::Get::AllowUnauthenticated set
 # to true.
-# NOTE(mhayden): V-51337: OpenStack infra images don't have AppArmor
-# enabled, so it must be skipped.
-# V-38674: OpenStack infra images have graphical target
+# NOTE(mhayden): V-38674: OpenStack infra images have graphical target
 # enabled, so it must be skipped.
 # V-38574: OpenStack infra images have non-standard pam
 # configurations that don't match a standard CentOS 7 server
@@ -118,7 +116,7 @@ commands =
     {homedir}/.ansible/plugins
     ansible-playbook -i {toxinidir}/tests/inventory \
         -e "rolename={toxinidir}" \
-        --skip-tag V-38462,V-51337,V-38574,V-38674 \
+        --skip-tag V-38462,V-38574,V-38674 \
         {toxinidir}/tests/test.yml