diff --git a/cmd/kola/options.go b/cmd/kola/options.go
index e46be3e54..eba7fede8 100644
--- a/cmd/kola/options.go
+++ b/cmd/kola/options.go
@@ -81,6 +81,7 @@ func init() {
 root.PersistentFlags().StringVarP(&kolaOffering, "offering", "", "basic", "Offering: "+strings.Join(kolaOfferings, ", "))
 root.PersistentFlags().StringVarP(&kola.Options.Distribution, "distro", "b", "cl", "Distribution: "+strings.Join(kolaDistros, ", "))
 root.PersistentFlags().IntVarP(&kola.TestParallelism, "parallel", "j", 1, "number of tests to run in parallel")
+ bv(&kola.LateSelinux, "late-selinux", false, "Enable SELinux only after bootup")
 sv(&kola.TAPFile, "tapfile", "", "file to write TAP results to")
 sv(&kola.Options.BaseName, "basename", "kola", "Cluster name prefix")
 ss("debug-systemd-unit", []string{}, "full-unit-name.service to enable SYSTEMD_LOG_LEVEL=debug on. Specify multiple times for multiple units.")
diff --git a/kola/harness.go b/kola/harness.go
index 09025c9b8..fb07113bb 100644
--- a/kola/harness.go
+++ b/kola/harness.go
@@ -79,6 +79,7 @@ var (
 TestParallelism int //glue var to set test parallelism from main
 TAPFile string // if not "", write TAP results here
 TorcxManifestFile string // torcx manifest to expose to tests, if set
+ LateSelinux bool // delay the switching of SELinux to enforce mode
 DevcontainerURL string // dev container to expose to tests, if set
 DevcontainerBinhostURL string // dev container binhost URL to use in the devcontainer test
 DevcontainerFile string // dev container path to expose to tests, if set
@@ -574,6 +575,7 @@ func runTest(h *harness.H, t *register.Test, pltfrm string, flight platform.Flig
 SSHRetries: Options.SSHRetries,
 SSHTimeout: Options.SSHTimeout,
 DefaultUser: t.DefaultUser,
+ LateSelinux: LateSelinux,
 }
 c, err := flight.NewCluster(rconf)
 if err != nil {
diff --git a/kola/register/register.go b/kola/register/register.go
index d792a4696..c0aa6d02f 100644
--- a/kola/register/register.go
+++ b/kola/register/register.go
@@ -30,7 +30,7 @@ const ( NoSSHKeyInUserData Flag = iota // don't inject SSH key into Ignition/cloud-config NoSSHKeyInMetadata // don't add SSH key to platform metadata NoEmergencyShellCheck // don't check console output for emergency shell invocation - NoEnableSelinux // don't enable selinux when starting or rebooting a machine + NoEnableSelinux // don't enable selinux NoKernelPanicCheck // don't check console output for kernel panic NoVerityCorruptionCheck // don't check console output for verity corruption NoDisableUpdates // don't disable usage of the public update server diff --git a/platform/cluster.go b/platform/cluster.go index e7adfc67b..aedb3be78 100644 --- a/platform/cluster.go +++ b/platform/cluster.go @@ -191,6 +191,15 @@ func (bc *BaseCluster) RenderUserData(userdata *conf.UserData, ignitionVars map[ conf.CopyKeys(keys) } + if !bc.rconf.NoEnableSelinux && !bc.rconf.LateSelinux { + conf.AddFile("/etc/flatcar/update.conf", "root", `SELINUX=enforcing +SELINUXTYPE=mcs +`, 0644) + // These files used to be deleted but empty files should work, too + conf.AddFile("/etc/audit/rules.d/80-selinux.rules", "root", ``, 0644) + conf.AddFile("/etc/audit/rules.d/99-default.rules", "root", ``, 0644) + } + // disable the public update server by default if !bc.rconf.NoDisableUpdates { conf.AddFile("/etc/flatcar/update.conf", "root", `SERVER=disabled diff --git a/platform/platform.go b/platform/platform.go index dd9c01e28..118c43444 100644 --- a/platform/platform.go +++ b/platform/platform.go @@ -182,6 +182,7 @@ type RuntimeConfig struct { AllowFailedUnits bool // don't fail CheckMachine if a systemd unit has failed SSHRetries int // see SSHRetries field in Options SSHTimeout time.Duration // see SSHTimeout field in Options + LateSelinux bool // see LateSelinux field in Options // DefaultUser is the user used for SSH connection, it will be created via Ignition when possible. DefaultUser string 
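Review bot: The shortened comment on NoEnableSelinux now says less than the code does: after this change the flag suppresses both the user-data based enforcement added in BaseCluster.RenderUserData and the post-boot EnableSelinux call in StartMachine, and the previous wording at least told the reader when it applied. Suggest `NoEnableSelinux // don't enable selinux, neither via the rendered user data nor after boot (--late-selinux)` so a test author sees that the flag disables both paths.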
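Review bot: The new block writes the SELinux settings to `/etc/flatcar/update.conf`, which is the same path the existing NoDisableUpdates block three lines further down writes `SERVER=disabled` to, so in the default configuration both AddFile calls target one file and either one entry overwrites the other or the rendered config carries a duplicate file entry, depending on how conf.AddFile handles repeated paths (not visible here). The SELINUX=/SELINUXTYPE= keys presumably belong in the SELinux configuration file (conventionally /etc/selinux/config), not in the update configuration. This matters for what the test run actually proves: if the SELinux entry is the one that is lost, the default run would silently exercise machines that never switch to enforcing mode, and nothing in StartMachine checks for that any more. The enclosing RenderUserData continues outside the hunk.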
diff --git a/platform/util.go b/platform/util.go
index e9d2c5f87..a3a5fc551 100644
--- a/platform/util.go
+++ b/platform/util.go
@@ -129,7 +129,7 @@ func StartMachine(m Machine, j *Journal) error {
 if err := CheckMachine(context.TODO(), m); err != nil {
 return fmt.Errorf("machine %q failed basic checks: %v", m.ID(), err)
 }
- if !m.RuntimeConf().NoEnableSelinux {
+ if !m.RuntimeConf().NoEnableSelinux && m.RuntimeConf().LateSelinux {
 if err := EnableSelinux(m); err != nil {
 return fmt.Errorf("machine %q failed to enable selinux: %v", m.ID(), err)
 }
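Review bot: With the condition now also requiring LateSelinux, the default run no longer enables SELinux in StartMachine at all and relies entirely on the files added in BaseCluster.RenderUserData having reached the machine, which the reader cannot tell from this line; suggest a comment on the condition such as `// by default SELinux is switched to enforcing through the rendered user data; --late-selinux keeps the post-boot path`. It is worth confirming that every platform routes its machines through RenderUserData, because a platform that bypasses it would now boot with SELinux left at the image default and no check here would notice; a cheap safeguard would be a post-boot assertion that the machine reports enforcing regardless of which path was taken. StartMachine continues outside the hunk.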