diff --git a/collectd.yml b/collectd.yml
index da3b79d..2cd8baa 100644
--- a/collectd.yml
+++ b/collectd.yml
@@ -23,6 +23,12 @@
 
 - hosts: collectd
   tasks:
+  - name: ensure selinux permissive mode is set for collectd
+    selinux_permissive:
+      domain: collectd_t
+      permissive: '{{ collectd_selinux_permissive|d(false) }}'
+    tags:
+    - selinux
   - name: ensure collectd is running
     service:
       name: collectd
diff --git a/host_vars/nvr1.pyrocufflink.blue.yml b/host_vars/nvr1.pyrocufflink.blue.yml
index 9ac879e..3ac3e4a 100644
--- a/host_vars/nvr1.pyrocufflink.blue.yml
+++ b/host_vars/nvr1.pyrocufflink.blue.yml
@@ -1,3 +1,8 @@
 collectd_plugins:
   md: true
   thermal: true
+
+# collectd generates a bunch of AVC denials on Fedora 36.  We'll mark
+# its domain permissive until the problems are identified and resolved
+# upstream.
+collectd_selinux_permissive: true