diff --git a/cookbooks/basics/files/default/selinux_config b/cookbooks/basics/files/default/selinux_config
new file mode 100644
index 0000000..631f939
--- /dev/null
+++ b/cookbooks/basics/files/default/selinux_config
@@ -0,0 +1,4 @@
+# MANAGED WITH CHEF. DO NOT CHANGE BY HAND
+
+SELINUX=enforcing
+SELINUXTYPE=targeted
diff --git a/cookbooks/basics/recipes/default.rb b/cookbooks/basics/recipes/default.rb
index c9c2d2c..e4748ed 100644
--- a/cookbooks/basics/recipes/default.rb
+++ b/cookbooks/basics/recipes/default.rb
@@ -1,6 +1,17 @@
 # enable EPEL repository by default
 package 'epel-release'
 
+# replicate production security setup
+package 'selinux-policy'
+package 'policycoreutils-python'
+cookbook_file '/etc/selinux/config' do
+  source  'selinux_config'
+  owner   'root'
+  group   'root'
+  mode    0644
+end
+execute 'setenforce Enforcing'
+
 package 'vim'
 package 'bash-completion'
 package 'rsyslog'
--
libgit2 0.21.2