diff --git a/Makefile b/Makefile
index 3aa2592..55c057b 100644
--- a/Makefile
+++ b/Makefile
@@ -174,10 +174,10 @@ print-vm:
 # without actually running them
 prepare-check: $(NODE_MODULES_TEST) $(VM_IMAGE) test/common
 
-# run the browser integration tests; skip check for SELinux denials
+# run the browser integration tests
 # this will run all tests/check-* and format them as TAP
 check: prepare-check
-	TEST_AUDIT_NO_SELINUX=1 test/common/run-tests ${RUN_TESTS_OPTIONS}
+	test/common/run-tests ${RUN_TESTS_OPTIONS}
 
 # checkout Cockpit's bots for standard test VM images and API to launch them
 bots: $(COCKPIT_REPO_STAMP)
diff --git a/plans/all.fmf b/plans/all.fmf
index 2bce34a..689393e 100644
--- a/plans/all.fmf
+++ b/plans/all.fmf
@@ -4,3 +4,7 @@ discover:
     how: fmf
 execute:
     how: tmt
+
+# Let's handle them upstream only, don't break Fedora/RHEL reverse dependency gating
+environment:
+    TEST_AUDIT_NO_SELINUX: 1
diff --git a/test/browser/browser.sh b/test/browser/browser.sh
index d7feb81..8f0ca89 100755
--- a/test/browser/browser.sh
+++ b/test/browser/browser.sh
@@ -1,11 +1,12 @@
 #!/bin/sh
 set -eux
 
-TESTS="$(realpath $(dirname "$0"))"
-SOURCE="$(realpath $TESTS/../..)"
-# https://tmt.readthedocs.io/en/stable/overview.html#variables
-LOGS="${TMT_TEST_DATA:-$(pwd)/logs}"
-FILES="$(realpath $TESTS/../files)"
+export TEST_BROWSER=${TEST_BROWSER:-firefox}
+export TESTS="$(realpath $(dirname "$0"))"
+export SOURCE="$(realpath $TESTS/../..)"
+export FILES="$(realpath $TESTS/../files)"
+export LOGS="$(pwd)/logs"
+
 mkdir -p "$LOGS"
 chmod a+w "$LOGS"
 
@@ -57,7 +58,9 @@ cp $FILES/binary-rec.journal /var/log/journal/binary-rec.journal
 systemctl enable --now cockpit.socket
 
 # Run tests as unprivileged user
-su - -c "env TEST_BROWSER=firefox SOURCE=$SOURCE LOGS=$LOGS $TESTS/run-test.sh" runtest
+# once we drop support for RHEL 8, use this:
+# runuser -u runtest --whitelist-environment=TEST_BROWSER,TEST_ALLOW_JOURNAL_MESSAGES,TEST_AUDIT_NO_SELINUX,SOURCE,LOGS $TESTS/run-test.sh
+runuser -u runtest --preserve-environment env USER=runtest HOME=$(getent passwd runtest | cut -f6 -d:) $TESTS/run-test.sh
 
 RC=$(cat $LOGS/exitcode)
 exit ${RC:-1}
diff --git a/test/browser/run-test.sh b/test/browser/run-test.sh
index 99b8029..e343972 100755
--- a/test/browser/run-test.sh
+++ b/test/browser/run-test.sh
@@ -22,7 +22,6 @@ mv .git dot-git
 
 . /etc/os-release
 export TEST_OS="${ID}-${VERSION_ID/./-}"
-export TEST_AUDIT_NO_SELINUX=1
 
 if [ "${TEST_OS#centos-}" != "$TEST_OS" ]; then
     TEST_OS="${TEST_OS}-stream"
@@ -30,6 +29,10 @@ fi
 
 EXCLUDES=""
 
+# make it easy to check in logs
+echo "TEST_ALLOW_JOURNAL_MESSAGES: ${TEST_ALLOW_JOURNAL_MESSAGES:-}"
+echo "TEST_AUDIT_NO_SELINUX: ${TEST_AUDIT_NO_SELINUX:-}"
+
 RC=0
 test/common/run-tests --nondestructive --machine 127.0.0.1:22 --browser 127.0.0.1:9090 $EXCLUDES || RC=$?