diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 62584c8b20..aff8ccfe5f 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -12,7 +12,9 @@ create_kolla_user: True
 
 enable_host_ntp: True
 
-disable_selinux: True
+change_selinux: True
+
+selinux_state: "permissive"
 
 docker_storage_driver: ""
 
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 63b8a3a8fa..2a19455d5a 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -115,13 +115,13 @@
     - ansible_os_family == "RedHat"
     - enable_host_ntp | bool
 
-- name: Disable selinux
+- name: Change state of selinux
   selinux:
-    policy: target
-    state: permissive
+    policy: targeted
+    state: "{{ selinux_state }}"
   become: true
   when:
-    - disable_selinux | bool
+    - change_selinux | bool
     - ansible_os_family == "RedHat"
 
 - name: Reboot
diff --git a/releasenotes/notes/add-state-for-selinux-3ab41a8d1c3b099e.yaml b/releasenotes/notes/add-state-for-selinux-3ab41a8d1c3b099e.yaml
new file mode 100644
index 0000000000..6a4ec5a43c
--- /dev/null
+++ b/releasenotes/notes/add-state-for-selinux-3ab41a8d1c3b099e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Add a new parameter for changing selinux state. The default value is
+    "permissive". Update a parameter named "disable_selinux", use
+    "change_selinux" instead of it.