diff --git a/tasks/main.yml b/tasks/main.yml

index e10b2f2..7d7479d 100644

--- a/tasks/main.yml

+++ b/tasks/main.yml

@@ -14,9 +14,6 @@

     state: present

   when: ansible_distribution == "Fedora"

-- name: Drop all local modifications first

-  shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -

-

 - name: Set permanent SELinux mode

   selinux: policy={{ SELinux_type }} state={{ SELinux_mode }}

   when: SELinux_mode is defined

@@ -25,6 +22,13 @@

   command: /usr/sbin/setenforce {{ SELinux_mode }}

   when: SELinux_mode is defined and SELinux_change_running is defined

+- name: Drop all local modifications

+  shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -

+

+- name: Reload SELinux policy

+  command: semodule -R

+  when: ansible_selinux.status != "disabled"

+

 - name: Set SELinux booleans

   seboolean:

     name: "{{ item.name }}"

diff --git a/test/selinux.config b/test/selinux.config

new file mode 100644

index 0000000..a520b96

--- /dev/null

+++ b/test/selinux.config

@@ -0,0 +1,14 @@

+

+# This file controls the state of SELinux on the system.

+# SELINUX= can take one of these three values:

+#     enforcing - SELinux security policy is enforced.

+#     permissive - SELinux prints warnings instead of enforcing.

+#     disabled - No SELinux policy is loaded.

+SELINUX=disabled

+# SELINUXTYPE= can take one of these three values:

+#     targeted - Targeted processes are protected,

+#     minimum - Modification of targeted policy. Only selected processes are protected. 

+#     mls - Multi Level Security protection.

+SELINUXTYPE=targeted

+

+

diff --git a/test/test_selinux_disabled.yml b/test/test_selinux_disabled.yml

new file mode 100644

index 0000000..b13bfef

--- /dev/null

+++ b/test/test_selinux_disabled.yml

@@ -0,0 +1,48 @@

+

+- name: Ensure the default is targeted, enforcing, without local modifications

+  hosts: all

+  become: true

+  vars:

+    SELinux_type: targeted

+    SELinux_mode: enforcing

+

+  pre_tasks:

+    - name: Backup original /etc/selinux/config

+      copy:

+        remote_src: true

+        src: /etc/selinux/config

+        dest: /etc/selinux/config.test_selinux_disabled

+    - name: Upload testing /etc/selinux/config

+      copy:

+        src: selinux.config

+        dest: /etc/selinux/config

+    - name: Switch to permissive to allow login when selinuxfs is not mounted

+      command: setenforce 0

+      when: ansible_selinux.status != "disabled"

+    - name: Get selinuxfs mountpoint

+      shell: findmnt -n -t selinuxfs --output=target

+      register: selinux_mountpoint

+    - name: Umount {{ selinux_mountpoint.stdout }} to emulate SELinux disabled system

+      command: umount {{ selinux_mountpoint.stdout }}

+

+  roles:

+    - selinux

+

+  tasks:

+    - name: Mount {{ selinux_mountpoint.stdout }} back to system

+      command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }}

+    - name: Switch back to enforcing

+      command: setenforce 1

+    - name: Gather facts again

+      setup:

+    - name: Check SELinux config mode

+      assert:

+        that: "{{ ansible_selinux.config_mode == 'enforcing' }}"

+        mgs: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"

+    - name: Restore original /etc/selinux/config

+      copy:

+        remote_src: true

+        dest: /etc/selinux/config

+        src: /etc/selinux/config.test_selinux_disabled

+    - name: Remove /etc/selinux/config backup

+      command: rm /etc/selinux/config.test_selinux_disabled

diff --git a/vars/main.yml b/vars/main.yml

index 74ae42f..4dcb80d 100644

--- a/vars/main.yml

+++ b/vars/main.yml

@@ -1,6 +1,6 @@

 ---

 drop_local_modifications: |

-  boolean -D

-  login -D

-  port -D

-  fcontext -D

+  boolean -D -N

+  login -D -N

+  port -D -N

+  fcontext -D -N