diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml
index c7dc26d03..0ffb4098e 100644
--- a/ansible/kolla-ansible.yml
+++ b/ansible/kolla-ansible.yml
@@ -223,3 +223,10 @@
 - role: kolla-ansible
 kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
 kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
+ # NOTE: This differs from the default SELinux mode in kolla ansible,
+ # which is permissive. The justification for using this mode is twofold:
+ # 1. it avoids filling up the audit log
+ # 2. it avoids an issue seen when using diskimage-builder in the bifrost
+ # container.
+ # We could look at making the SELinux mode configurable in future.
+ kolla_selinux_state: disabled
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index a3722ca8d..9384e04fd 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -255,3 +255,9 @@ kolla_ansible_custom_passwords: {}
 # When set, this will copy the contents of this variable into place for
 # use by HAProxy.
 kolla_tls_cert:
+
+###############################################################################
+# SELinux
+
+# Desired SELinux state.
+kolla_selinux_state:
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 918639720..97a966e59 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -398,6 +398,10 @@ bifrost_install_type: source
 grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 {% endif %}
+{% if kolla_selinux_state is not none %}
+selinux_state: {{ kolla_selinux_state }}
+{% endif %}
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration
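Review bot: In ansible/kolla-ansible.yml, `kolla_selinux_state: disabled` is hard-coded as a role parameter, so every deployment driven by this playbook has SELinux switched off, and the hunk shows no configuration hook for choosing `permissive` or `enforcing`. Disabling SELinux removes mandatory access control from the hosts that run the containers, which is a bigger step than the two stated reasons (audit-log volume and the diskimage-builder issue in the bifrost container) obviously require. The NOTE already concedes the mode should be configurable. I would take the value from an operator-settable variable with a documented default, and add the trade-off to the comment, e.g. `# Disabling SELinux removes MAC confinement on these hosts; revisit once the mode is configurable.` The enclosing play starts outside the hunk.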
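Review bot: The comment `# Desired SELinux state.` on `kolla_selinux_state` in roles/kolla-ansible/defaults/main.yml does not say which values are accepted or what the empty default means. Going by the template change in this commit, a null value leaves `selinux_state` out of globals.yml, so kolla-ansible's own default applies. The accepted values are presumably those of Ansible's selinux module (`enforcing`, `permissive`, `disabled`), which should be confirmed against kolla-ansible. I would write: `# Desired SELinux state: enforcing, permissive or disabled. When unset, selinux_state is omitted from globals.yml and the kolla-ansible default is used.`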
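Review bot: `selinux_state: {{ kolla_selinux_state }}` in templates/globals.yml.j2 renders the value unquoted and unvalidated, unlike the neighbouring `grafana_admin_username: "{{ grafana_local_admin_user_name }}"` line. An empty string passes the `is not none` test and renders as a null `selinux_state`, and a value containing YAML syntax would be parsed as structure rather than as a string. Quote it as `selinux_state: "{{ kolla_selinux_state }}"` and consider guarding on truthiness with `{% if kolla_selinux_state %}`, as the `kolla_extra_globals` block just below does. Because this setting controls a host hardening mechanism, rejecting anything outside the expected state names before rendering would also be worthwhile.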