diff --git a/manifests/config.pp b/manifests/config.pp
index bdf3bd15c..52260bd91 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -57,10 +57,11 @@
 )
 $min_puma_threads = pick($foreman::foreman_service_puma_threads_min, $foreman::foreman_service_puma_threads_max)
 systemd::dropin_file { 'foreman-service':
- filename => 'installer.conf',
- unit => "${foreman::foreman_service}.service",
- content => template('foreman/foreman.service-overrides.erb'),
- notify_service => true,
+ filename => 'installer.conf',
+ unit => "${foreman::foreman_service}.service",
+ content => template('foreman/foreman.service-overrides.erb'),
+ notify_service => true,
+ selinux_ignore_defaults => $foreman::selinux_ignore_defaults,
 }
 if ! defined(File[$foreman::app_root]) {
@@ -223,10 +224,11 @@
 }
 systemd::dropin_file { 'foreman-socket':
- ensure => bool2str($foreman_socket_override =~ Undef, 'absent', 'present'),
- filename => 'installer.conf',
- unit => "${foreman::foreman_service}.socket",
- content => $foreman_socket_override,
- notify_service => true,
+ ensure => bool2str($foreman_socket_override =~ Undef, 'absent', 'present'),
+ filename => 'installer.conf',
+ unit => "${foreman::foreman_service}.socket",
+ content => $foreman_socket_override,
+ notify_service => true,
+ selinux_ignore_defaults => $foreman::selinux_ignore_defaults,
 }
 }
diff --git a/manifests/globals.pp b/manifests/globals.pp
index 3496cb019..c732253f9 100644
--- a/manifests/globals.pp
+++ b/manifests/globals.pp
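Review bot: Both hunks pass `selinux_ignore_defaults` into `systemd::dropin_file`, which only compiles if the pinned puppet-systemd dependency exposes that parameter on `dropin_file`; nothing in this diff touches metadata.json, so the lower version bound on that dependency should be checked or bumped with this change. The value is also passed unconditionally here, whereas init.pp applies the equivalent File default only when SELinux is reported enabled; that is harmless when SELinux is off, but a one-line comment above the first occurrence saying why it is set explicitly rather than relying on the resource default, e.g. `# set explicitly so the drop-in keeps the same SELinux handling when foreman::config is declared without the File default from foreman`, would spare the next reader the question. The enclosing `foreman::config` class starts and ends outside both hunks.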
@@ -24,6 +24,8 @@
 # @param vhost_priority
 # Defines Apache vhost priority for the Foreman vhost conf file.
 #
+# @param selinux_ignore_defaults
+# Do not lookup default security context for file resources in catalogue compilation and attempt to manage them; instead defer context lookups to the system itself when the files are actually created. Useful during initial installs, because Puppet can install packages which modify the security policy after the context lookups were performed, which breaks idempotence. This can be disabled after the initial install, to allow Puppet to remedy drift in security context.
 class foreman::globals (
 Optional[String] $plugin_prefix = undef,
 Boolean $manage_user = true,
@@ -33,5 +35,6 @@
 Stdlib::Absolutepath $app_root = '/usr/share/foreman',
 String[1] $rails_env = 'production',
 String[1] $vhost_priority = '05',
+ Boolean $selinux_ignore_defaults = true,
 ) {
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 82f26cb82..20ec78371 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -190,6 +190,8 @@
 #
 # $dynflow_redis_url:: If set, the redis server is not managed and we use the defined url to connect
 #
+# $selinux_ignore_defaults:: Do not lookup default security context for file resources in catalogue compilation and attempt to manage them; instead defer context lookups to the system itself when the files are actually created. Useful during initial installs, because Puppet can install packages which modify the security policy after the context lookups were performed, which breaks idempotence. This can be disabled after the initial install, to allow Puppet to remedy drift in security context.
+#
 # === Keycloak parameters:
 #
 # $keycloak:: Enable Keycloak support. Note this is limited
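Review bot: The parameter defaults to `true` (`Boolean $selinux_ignore_defaults = true` in the second globals.pp hunk), so SELinux context drift on every file the module manages stays unremediated on all later runs, not only the initial install, until an operator flips it; the new @param text describes the trade-off but never states that the default keeps it on. Suggest appending to the description, in both the globals.pp `@param` block and the init.pp `$selinux_ignore_defaults::` entry: `Defaults to true; set it to false once the installation has converged so that Puppet enforces file security contexts on subsequent runs.` The two descriptions are duplicated verbatim; keeping the full text in one place and having the other refer to it avoids them drifting apart later.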
@@ -291,6 +293,7 @@
 String[1] $keycloak_app_name = $foreman::params::keycloak_app_name,
 String[1] $keycloak_realm = $foreman::params::keycloak_realm,
 Boolean $register_in_foreman = $foreman::params::register_in_foreman,
+ Boolean $selinux_ignore_defaults = $foreman::params::selinux_ignore_defaults,
 ) inherits foreman::params {
 assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
@@ -313,6 +316,12 @@
 include foreman::database
 contain foreman::service
+ if $facts['os']['selinux']['enabled'] { File { selinux_ignore_defaults => $foreman::selinux_ignore_defaults, } }
+
 Anchor <| title == 'foreman::repo' |> ~> Class['foreman::install']
 Class['foreman::install'] ~> Class['foreman::config', 'foreman::service']
 Class['foreman::config'] ~> Class['foreman::database', 'foreman::service']
diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
index 9eda8336e..b754ddc0b 100644
--- a/spec/setup_acceptance_node.pp
+++ b/spec/setup_acceptance_node.pp
@@ -2,14 +2,6 @@
 repo => 'nightly',
 }
-# Needed for idempotency when SELinux is enabled
-if $foreman::repo::configure_scl_repo { package { 'rh-redis5-redis': ensure => installed, require => Class['foreman::repo'], } }
-
 # Not /etc/foreman because purging removes that
 $directory = '/etc/foreman-certs'
 $certificate = "${directory}/certificate.pem"
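Review bot: In the second init.pp hunk, `$facts['os']['selinux']['enabled']` indexes two levels into the `os` fact with no guard, so on an agent whose `os` fact carries no `selinux` key the `[]` on an undef value aborts compilation of the whole `foreman` class instead of skipping the block; `if $facts.dig('os', 'selinux', 'enabled') {` keeps the same truthiness and tolerates the missing key. The `File { … }` resource default is dynamically scoped, so it reaches every File resource in any class declared from `foreman`, including classes from other modules contained here; that appears to be the intent, but it deserves a comment above the block such as `# Resource default: applies to every File resource declared from this class and the classes it declares`. The new parameter in the first hunk reads `$foreman::params::selinux_ignore_defaults`, and params.pp is not part of what is shown here, so compilation depends on that value being defined elsewhere in the change.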