diff --git a/policy/modules/contrib/nbdkit.fc b/policy/modules/contrib/nbdkit.fc
new file mode 100644
index 0000000000..fb19fa6d88
--- /dev/null
+++ b/policy/modules/contrib/nbdkit.fc
@@ -0,0 +1,5 @@
+HOME_DIR/tmp(/.*)? gen_context(system_u:object_r:nbdkit_home_t,s0)
+
+/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)
diff --git a/policy/modules/contrib/nbdkit.if b/policy/modules/contrib/nbdkit.if
new file mode 100644
index 0000000000..2bd510ac08
--- /dev/null
+++ b/policy/modules/contrib/nbdkit.if
@@ -0,0 +1,115 @@
+[root@ci-vm-10-0-136-52 policy]# cat nbdkit.if
+
+## policy for nbdkit
+
+########################################
+##
+## Execute nbdkit_exec_t in the nbdkit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nbdkit_domtrans',`
+ gen_require(`
+ type nbdkit_t, nbdkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+##
+## Execute nbdkit in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nbdkit_exec',`
+ gen_require(`
+ type nbdkit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+##
+## Execute nbdkit in the nbdkit domain, and
+## allow the specified role the nbdkit domain.
+##
+##
+##
+## Domain allowed to transition
+##
+##
+##
+##
+## The role to be allowed the nbdkit domain.
+##
+##
+#
+interface(`nbdkit_run',`
+ gen_require(`
+ type nbdkit_t;
+ attribute_role nbdkit_roles;
+ ')
+
+ nbdkit_domtrans($1)
+ roleattribute $2 nbdkit_roles;
+')
+
+########################################
+##
+## Role access for nbdkit
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`nbdkit_role',`
+ gen_require(`
+ type nbdkit_t;
+ attribute_role nbdkit_roles;
+ ')
+
+ roleattribute $1 nbdkit_roles;
+
+ nbdkit_domtrans($2)
+
+ ps_process_pattern($2, nbdkit_t)
+ allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+##
+## Allow attempts to connect to nbdkit
+## with a unix stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`nbdkit_stream_connect',`
+ gen_require(`
+ type nbdkit_t;
+ ')
+
+ allow $1 nbdkit_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/contrib/nbdkit.te b/policy/modules/contrib/nbdkit.te
new file mode 100644
index 0000000000..33ab367e4f
--- /dev/null
+++ b/policy/modules/contrib/nbdkit.te
@@ -0,0 +1,114 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+ type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket { bind listen accept connect create getattr getopt read setopt write };
+allow nbdkit_t self:udp_socket { connect create getattr read write setopt };
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+allow unconfined_t nbdkit_exec_t:file entrypoint;
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+ auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(nbdkit_t)
+ miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(nbdkit_t)
+ sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+ userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+ virt_create_svirt_image_sock_files(nbdkit_t)
+ virt_read_qemu_pid_files(nbdkit_t)
+ virtlogd_rw_pipes(nbdkit_t)
+ virt_rw_svirt_image(nbdkit_t)
+ virt_rw_svirt_image_dirs(nbdkit_t)
+ virt_search_lib(nbdkit_t)
+ virt_stream_connect_svirt(nbdkit_t)
+')
+
+########################################
+#
+# virt policy
+#
+require {
+ type svirt_t;
+ type virtd_t;
+}
+
+nbdkit_domtrans(virtd_t)
+nbdkit_stream_connect(svirt_t)
+nbdkit_stream_connect(svirt_tcg_t)
+nbdkit_stream_connect(virtd_t)
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in
+# unconfined_t), but we don't want this transition to happen automatically
+# when starting directly from the shell. I'm not sure how to achieve this...
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 1db93a7b03..2b4b6db31b 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -1540,6 +1540,42 @@ interface(`virt_rw_svirt_image',`
allow $1 svirt_image_t:file rw_file_perms;
')
+########################################
+##
+## Read and write to svirt_image dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`virt_rw_svirt_image_dirs',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Create svirt_image sock_files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`virt_create_svirt_image_sock_files',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:sock_file create_sock_file_perms;
+')
+
########################################
##
## Read and write to svirt_image devices.
@@ -1855,3 +1891,21 @@ interface(`virt_manage_qemu_pid_sock_files',`
files_search_pids($1)
manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')
+
+########################################
+##
+## Read and write virtlogd pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`virtlogd_rw_pipes',`
+ gen_require(`
+ type virtlogd_t;
+ ')
+
+ allow $1 virtlogd_t:fifo_file rw_fifo_file_perms;
+')