diff --git a/manifests/site.pp b/manifests/site.pp
index a6d5bf4884..d27ad33c27 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -538,6 +538,7 @@ node /^git\d+\.openstack\.org$/ {
     ssl_key_file_contents   => hiera('git_ssl_key_file_contents'),
     ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
     behind_proxy            => true,
+    selinux_mode            => 'enforcing'
   }
 }
 
@@ -833,6 +834,7 @@ node 'pbx.openstack.org' {
         outgoing => false,
       },
     ],
+    selinux_mode  => 'enforcing'
   }
 }
 
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index 79bdcd08bc..d4911a4099 100644
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@@ -18,7 +18,8 @@
 class openstack_project::git (
   $sysadmins = [],
   $balancer_member_names = [],
-  $balancer_member_ips = []
+  $balancer_member_ips = [],
+  $selinux_mode = 'enforcing'
 ) {
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [80, 443, 9418],
@@ -27,7 +28,7 @@ class openstack_project::git (
 
   if ($::osfamily == 'RedHat') {
     class { 'selinux':
-      mode => 'enforcing'
+      mode => $selinux_mode
     }
   }
 
diff --git a/modules/openstack_project/manifests/git_backend.pp b/modules/openstack_project/manifests/git_backend.pp
index caebe11d98..0f1694b3ca 100644
--- a/modules/openstack_project/manifests/git_backend.pp
+++ b/modules/openstack_project/manifests/git_backend.pp
@@ -23,6 +23,7 @@ class openstack_project::git_backend (
   $ssl_chain_file_contents = '',
   $behind_proxy = false,
   $project_config_repo = '',
+  $selinux_mode = 'enforcing',
 ) {
 
   package { 'lsof':
@@ -36,6 +37,12 @@ class openstack_project::git_backend (
   include jeepyb
   include pip
 
+  if ($::osfamily == 'RedHat') {
+    class { 'selinux':
+      mode => $selinux_mode
+    }
+  }
+
   class { '::cgit':
     vhost_name              => $vhost_name,
     ssl_cert_file           => "/etc/pki/tls/certs/${vhost_name}.pem",
@@ -54,6 +61,7 @@ class openstack_project::git_backend (
         'root-title'    => 'OpenStack git repository browser',
     },
     manage_cgitrc           => true,
+    selinux_mode            => $selinux_mode
   }
 
   # We don't actually use these variables in this manifest, but jeepyb
@@ -108,12 +116,6 @@ class openstack_project::git_backend (
     refreshonly => true,
   }
 
-  if ($::osfamily == 'RedHat') {
-    class { 'selinux':
-      mode => 'enforcing'
-    }
-  }
-
   cron { 'mirror_repack':
     user        => 'cgit',
     hour        => '4',
diff --git a/modules/openstack_project/manifests/pbx.pp b/modules/openstack_project/manifests/pbx.pp
index 4de500d10d..5832d447a8 100644
--- a/modules/openstack_project/manifests/pbx.pp
+++ b/modules/openstack_project/manifests/pbx.pp
@@ -18,6 +18,7 @@
 class openstack_project::pbx (
   $sysadmins = [],
   $sip_providers = [],
+  $selinux_mode = 'enforcing'
 ) {
   class { 'openstack_project::server':
     sysadmins                 => $sysadmins,
@@ -31,7 +32,7 @@ class openstack_project::pbx (
 
   if ($::osfamily == 'RedHat') {
     class { 'selinux':
-      mode => 'enforcing'
+      mode => $selinux_mode
     }
   }