diff --git a/dev/host_vars/podman.yml b/dev/host_vars/podman.yml
index d621f35..30e2933 100644
--- a/dev/host_vars/podman.yml
+++ b/dev/host_vars/podman.yml
@@ -1,6 +1,8 @@
 ##############
 #### base ####
 ##############
+selinux:
+ state: enforcing
 base_allow_reboot: false
 base_manage_network: false
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 424c6bd..b645c34 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -4,6 +4,18 @@
 state: present
 update_cache: true
+- name: Get the default policy and basic SELinux utilities
+ ansible.builtin.apt:
+ name: ["selinux-basics", "selinux-policy-default", "auditd"]
+ state: present
+ when: selinux is defined and selinux is not false
+
+- name: Configure SELinux
+ ansible.posix.selinux:
+ state: "{{ selinux.state | default('permissive') }}"
+ policy: "{{ selinux.policy | default('default') }}"
+ when: selinux is defined and selinux is not false
+
 - name: Install GPG
 ansible.builtin.apt:
 name: gpg
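Review bot: The `Configure SELinux` task in roles/base/tasks/system.yml discards the module's `reboot_required` return value, so a host whose SELinux state actually changed (for example the `enforcing` now set in dev/host_vars/podman.yml, on a host with `base_allow_reboot: false`) silently stays in its previous mode with no relabel scheduled. On Debian the first switch away from disabled also needs the kernel/GRUB setup that `selinux-activate` from `selinux-basics` performs, and a filesystem relabel should complete before any move to enforcing, otherwise services fail on unlabeled files; the task should at least register the result and schedule the relabel, as sketched below, leaving the reboot itself to the existing `base_allow_reboot` handling. `ansible.posix.selinux` also needs the libselinux Python bindings on the managed host, so confirm that `selinux-basics` pulls them in and otherwise add `python3-selinux` to the package list. Both new tasks repeat the same `when:`; a `block:` carrying the condition once would read cleaner.
```yaml
- name: Configure SELinux
  ansible.posix.selinux:
    state: "{{ selinux.state | default('permissive') }}"
    policy: "{{ selinux.policy | default('default') }}"
  register: selinux_result
  when: selinux is defined and selinux is not false

- name: Schedule a filesystem relabel when the SELinux change needs a reboot
  ansible.builtin.file:
    path: /.autorelabel
    state: touch
    mode: "0644"
  when:
    - selinux is defined and selinux is not false
    - selinux_result.reboot_required | default(false)
```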