diff --git a/tests/test-reboot.yml b/tests/test-reboot.yml
new file mode 100644
index 0000000..f073546
--- /dev/null
+++ b/tests/test-reboot.yml
@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            ausearch -m avc -m selinux_err -m user_avc -ts boot > /tmp/avc.log 2> /tmp/avc.err.log
+            grep -q '<no matches>' /tmp/avc.err.log && result=pass || result=fail
+            echo -e "results:\n- {result: $result, test: reboot}" > /tmp/results.yml
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/avc.log
+          - /tmp/avc.err.log
+          - /tmp/results.yml
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..b073ca5
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1 @@
+- import_playbook: test-reboot.yml