diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index f9d8623b5c..24d0d24755 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -803,6 +803,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       scale_tasks:
         if:
         - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
diff --git a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
index 618689b2d2..9d67f4e62d 100644
--- a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
@@ -139,3 +139,6 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
diff --git a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
index 7cdc3c007b..0534531dcb 100644
--- a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
@@ -220,6 +220,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/cinder/cinder-backup-container-puppet.yaml b/deployment/cinder/cinder-backup-container-puppet.yaml
index e45075a261..8a3bbb4bfd 100644
--- a/deployment/cinder/cinder-backup-container-puppet.yaml
+++ b/deployment/cinder/cinder-backup-container-puppet.yaml
@@ -282,6 +282,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       deploy_steps_tasks:
         - name: Clean up when switching cinder-backup from pcmk to active-active
           when:
diff --git a/deployment/cinder/cinder-scheduler-container-puppet.yaml b/deployment/cinder/cinder-scheduler-container-puppet.yaml
index c8d8e5f688..6f5aa652dd 100644
--- a/deployment/cinder/cinder-scheduler-container-puppet.yaml
+++ b/deployment/cinder/cinder-scheduler-container-puppet.yaml
@@ -163,6 +163,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
index 51f88ab9f2..ac7ee7c6cd 100644
--- a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
@@ -925,6 +925,9 @@ outputs:
                 name: os_enable_vtpm
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       metadata_settings:
         list_concat:
           - if:
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index dc42b9b160..4d702b840b 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -305,6 +305,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
       external_upgrade_tasks:
         - when:
diff --git a/deployment/logrotate/logrotate-crond-container-puppet.yaml b/deployment/logrotate/logrotate-crond-container-puppet.yaml
index 2a595d3f18..5e0c8ce175 100644
--- a/deployment/logrotate/logrotate-crond-container-puppet.yaml
+++ b/deployment/logrotate/logrotate-crond-container-puppet.yaml
@@ -113,6 +113,9 @@ outputs:
             name: logrotate_read_inside_containers
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       deploy_steps_tasks:
         - name: configure tmpwatch on the host
           when: step|int == 2
diff --git a/deployment/manila/manila-scheduler-container-puppet.yaml b/deployment/manila/manila-scheduler-container-puppet.yaml
index 29c92c7976..7402e0e94c 100644
--- a/deployment/manila/manila-scheduler-container-puppet.yaml
+++ b/deployment/manila/manila-scheduler-container-puppet.yaml
@@ -128,6 +128,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
       external_upgrade_tasks:
         - when:
diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml
index 3b38b53efb..5297d6feb8 100644
--- a/deployment/neutron/neutron-dhcp-container-puppet.yaml
+++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml
@@ -428,6 +428,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - name: set conditions
               set_fact:
                 dnsmasq_wrapper_enabled: {get_param: NeutronEnableDnsmasqDockerWrapper}
diff --git a/deployment/neutron/neutron-l3-container-puppet.yaml b/deployment/neutron/neutron-l3-container-puppet.yaml
index e07ecf3f1c..9438ddcec2 100644
--- a/deployment/neutron/neutron-l3-container-puppet.yaml
+++ b/deployment/neutron/neutron-l3-container-puppet.yaml
@@ -355,6 +355,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - name: set conditions
               set_fact:
                 keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper}
diff --git a/deployment/neutron/neutron-metadata-container-puppet.yaml b/deployment/neutron/neutron-metadata-container-puppet.yaml
index 148b9d0d61..e6b2f9f6a7 100644
--- a/deployment/neutron/neutron-metadata-container-puppet.yaml
+++ b/deployment/neutron/neutron-metadata-container-puppet.yaml
@@ -211,4 +211,7 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
index 9f81efc614..9acd0646d3 100644
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@@ -418,6 +418,9 @@ outputs:
                   name: virt_sandbox_use_netlink
                   persistent: true
                   state: true
+                when:
+                  - ansible_facts.selinux is defined
+                  - ansible_facts.selinux.status == "enabled"
       update_tasks:
         # puppetlabs-firewall manages security rules via Puppet but make the rules
         # consistent by default. Since Neutron also creates some rules, we don't
diff --git a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
index 707ce5eb1e..927cb63457 100644
--- a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
@@ -202,6 +202,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - if:
                 - derive_pci_whitelist_enabled
                 - - name: "creating directory"
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 768f8c24a0..9182e93416 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -1532,6 +1532,9 @@ outputs:
               name: virt_sandbox_use_netlink
               persistent: true
               state: true
+            when:
+              - ansible_facts.selinux is defined
+              - ansible_facts.selinux.status == "enabled"
           - name: install Instance HA recovery script
             when: instance_ha_enabled|bool
             block:
diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml
index b860e5a2e0..bfb784582a 100644
--- a/deployment/nova/nova-conductor-container-puppet.yaml
+++ b/deployment/nova/nova-conductor-container-puppet.yaml
@@ -242,6 +242,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when: step|int == 1
           block: &nova_online_db_migration
diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml
index 1ad72b366e..2b09076d8e 100644
--- a/deployment/nova/nova-ironic-container-puppet.yaml
+++ b/deployment/nova/nova-ironic-container-puppet.yaml
@@ -230,6 +230,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_post_deploy_tasks: {get_attr: [NovaComputeCommon, nova_compute_common_deploy_steps_tasks]}
       external_upgrade_tasks:
         - when:
diff --git a/deployment/nova/nova-modular-libvirt-container-puppet.yaml b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
index 53edb0ed97..2e396bd9e9 100644
--- a/deployment/nova/nova-modular-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
@@ -963,6 +963,9 @@ outputs:
                 name: os_enable_vtpm
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       metadata_settings:
         list_concat:
           - if:
diff --git a/deployment/nova/nova-scheduler-container-puppet.yaml b/deployment/nova/nova-scheduler-container-puppet.yaml
index 1ba78ee002..6abab19946 100644
--- a/deployment/nova/nova-scheduler-container-puppet.yaml
+++ b/deployment/nova/nova-scheduler-container-puppet.yaml
@@ -323,6 +323,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/octavia/octavia-worker-container-puppet.yaml b/deployment/octavia/octavia-worker-container-puppet.yaml
index b9afa3a332..29ce487b70 100644
--- a/deployment/octavia/octavia-worker-container-puppet.yaml
+++ b/deployment/octavia/octavia-worker-container-puppet.yaml
@@ -179,6 +179,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       update_tasks: {get_attr: [OctaviaBase, role_data, update_tasks]}
       upgrade_tasks: {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
       external_upgrade_tasks:
diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml
index 8dc902f63f..2ad30c3830 100644
--- a/deployment/ovn/ovn-controller-container-puppet.yaml
+++ b/deployment/ovn/ovn-controller-container-puppet.yaml
@@ -277,7 +277,7 @@ outputs:
                 - 'ssl'
             vswitch::ovs::vlan_limit:
               if:
-                - {get_param: EnableVLANTransparency} 
+                - {get_param: EnableVLANTransparency}
                 - 0
       service_config_settings: {}
       # BEGIN DOCKER SETTINGS
@@ -426,6 +426,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
         - name: Copy in cleanup script
           copy:
             content: {get_file: ../neutron/neutron-cleanup}