diff --git a/dib/ironic-python-agent-ramdisk/element-deps b/dib/ironic-python-agent-ramdisk/element-deps
index 0f0d86e..28e5a3c 100644
--- a/dib/ironic-python-agent-ramdisk/element-deps
+++ b/dib/ironic-python-agent-ramdisk/element-deps
@@ -6,5 +6,6 @@ package-installs
 pip-and-virtualenv
 pkg-map
 runtime-ssh-host-keys
+selinux-permissive
 source-repositories
 svc-map
diff --git a/doc/source/admin/dib.rst b/doc/source/admin/dib.rst
index 3a6b6e6..abfab8d 100644
--- a/doc/source/admin/dib.rst
+++ b/doc/source/admin/dib.rst
@@ -123,8 +123,7 @@ The *dynamic-login* element allows the operator to inject an SSH key at boot
 time via the kernel command line parameters:
 
 * Add ``sshkey="ssh-rsa <your public key here>"`` to ``pxe_append_params``
-  setting in the ``ironic.conf`` file. Disabling SELinux is required for
-  systems where it is enabled, it can be done with ``selinux=0``.
+  setting in the ``ironic.conf`` file.
 
   .. warning:: Quotation marks around the public key are important!
 
diff --git a/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml b/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml
new file mode 100644
index 0000000..1c963be
--- /dev/null
+++ b/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    The DIB-based ramdisk is now always built with SELinux set to permissive.
+    Enabling SELinux may result in broken ramdisks and does not make much
+    sense for IPA anyway.