diff --git a/selinux/README.md b/selinux/README.md
new file mode 100644
index 0000000..6303b85
--- /dev/null
+++ b/selinux/README.md
@@ -0,0 +1 @@
+selinux policy to allow signing of rpms via sign plugin
diff --git a/selinux/koji-sign.te b/selinux/koji-sign.te
new file mode 100644
index 0000000..8c99589
--- /dev/null
+++ b/selinux/koji-sign.te
@@ -0,0 +1,22 @@
+
+module koji-sign 1.0;
+
+require {
+ type etc_t;
+ type devpts_t;
+ type httpd_t;
+ type ptmx_t;
+ class chr_file { getattr ioctl open read write };
+ class dir { add_name remove_name setattr write };
+ class file { create link unlink write };
+ class sock_file { create getattr setattr unlink write };
+}
+
+#============= httpd_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t devpts_t:chr_file open;
+allow httpd_t ptmx_t:chr_file { getattr ioctl open read write };
+allow httpd_t etc_t:dir { add_name remove_name setattr write };
+allow httpd_t etc_t:file { create link unlink write };
+allow httpd_t etc_t:sock_file { create getattr setattr unlink write };
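Review bot: The three `etc_t` rules at the end of the koji-sign.te hunk give the web server domain write, create, link and unlink on every file and directory labelled `etc_t`, not just the plugin's keyring location, so a compromised hub process could rewrite arbitrary system configuration under /etc. Unless the signing keyring must live under /etc, move it to a path with its own file context and dedicated type and scope the rules to that type, e.g. `allow httpd_t koji_sign_conf_t:dir { add_name remove_name setattr write };`, `allow httpd_t koji_sign_conf_t:file { create link unlink write };`, `allow httpd_t koji_sign_conf_t:sock_file { create getattr setattr unlink write };` (the type declaration and .fc entry are not part of this change and would need adding). The `ptmx_t`/`devpts_t` rules suggest the signer opens a pseudo-terminal, presumably for a passphrase prompt; if the passphrase can be supplied non-interactively those two rules can be dropped, and the audit2allow comment already notes the `devpts_t` open is granted by the base policy, so that line is redundant as written. A header comment naming the plugin, the paths involved and the AVC denial each rule resolves would also help, since `module koji-sign 1.0;` and the one-line README give no rationale for the grants.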