diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
new file mode 100644
index 0000000..d726453
--- /dev/null
+++ b/policy/modules/services/policykit.fc
@@ -0,0 +1,10 @@
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+
diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if
new file mode 100644
index 0000000..8726eb3
--- /dev/null
+++ b/policy/modules/services/policykit.if
@@ -0,0 +1,212 @@
+## Policy framework for controlling privileges for system-wide services.
+
+########################################
+##
+## Send and receive messages from
+## policykit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_dbus_chat',`
+ gen_require(`
+ type policykit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 policykit_t:dbus send_msg;
+ allow policykit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_auth.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_auth',`
+ gen_require(`
+ type policykit_auth_t, policykit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
+')
+
+########################################
+##
+## Execute a policy_auth in the policy_auth domain, and
+## allow the specified role the policy_auth domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+#
+interface(`policykit_run_auth',`
+ gen_require(`
+ type policykit_auth_t;
+ ')
+
+ policykit_domtrans_auth($1)
+ role $2 types policykit_auth_t;
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_grant.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_grant',`
+ gen_require(`
+ type policykit_grant_t, policykit_grant_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
+')
+
+########################################
+##
+## Execute a policy_grant in the policy_grant domain, and
+## allow the specified role the policy_grant domain,
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the load_policy domain.
+##
+##
+##
+#
+interface(`policykit_run_grant',`
+ gen_require(`
+ type policykit_grant_t;
+ ')
+
+ policykit_domtrans_grant($1)
+ role $2 types policykit_grant_t;
+
+ allow $1 policykit_grant_t:process signal;
+
+ ps_process_pattern(policykit_grant_t, $1)
+')
+
+########################################
+##
+## read policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## rw policykit reload files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_rw_reload',`
+ gen_require(`
+ type policykit_reload_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
+')
+
+########################################
+##
+## Execute a domain transition to run polkit_resolve.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`policykit_domtrans_resolve',`
+ gen_require(`
+ type policykit_resolve_t, policykit_resolve_exec_t;
+ ')
+
+ domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
+
+ ps_process_pattern(policykit_resolve_t $1)
+')
+
+########################################
+##
+## Search policykit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_search_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ allow $1 policykit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## read policykit lib files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`policykit_read_lib',`
+ gen_require(`
+ type policykit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
new file mode 100644
index 0000000..9913701
--- /dev/null
+++ b/policy/modules/services/policykit.te
@@ -0,0 +1,208 @@
+
+policy_module(policykit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type policykit_t alias polkit_t;
+type policykit_exec_t alias polkit_exec_t;
+init_daemon_domain(policykit_t, policykit_exec_t)
+
+type policykit_auth_t alias polkit_auth_t;
+type policykit_auth_exec_t alias polkit_auth_exec_t;
+init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+
+type policykit_grant_t alias polkit_grant_t;
+type policykit_grant_exec_t alias polkit_grant_exec_t;
+init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+
+type policykit_resolve_t alias polkit_resolve_t;
+type policykit_resolve_exec_t alias polkit_resolve_exec_t;
+init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+
+type policykit_reload_t alias polkit_reload_t;
+files_type(policykit_reload_t)
+
+type policykit_var_lib_t alias polkit_var_lib_t;
+files_type(policykit_var_lib_t)
+
+type policykit_var_run_t alias polkit_var_run_t;
+files_pid_file(policykit_var_run_t)
+
+########################################
+#
+# policykit local policy
+#
+
+allow policykit_t self:capability { setgid setuid };
+allow policykit_t self:process getattr;
+allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:unix_dgram_socket create_socket_perms;
+allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_t)
+
+can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t)
+
+rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+
+policykit_domtrans_resolve(policykit_t)
+
+manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+
+kernel_read_kernel_sysctls(policykit_t)
+
+files_read_etc_files(policykit_t)
+files_read_usr_files(policykit_t)
+
+auth_use_nsswitch(policykit_t)
+
+logging_send_syslog_msg(policykit_t)
+
+miscfiles_read_localization(policykit_t)
+
+userdom_read_all_users_state(policykit_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow policykit_auth_t self:capability setgid;
+allow policykit_auth_t self:process getattr;
+allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(policykit_auth_t, policykit_auth_exec_t)
+corecmd_search_bin(policykit_auth_t)
+
+rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
+
+manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+files_read_etc_files(policykit_auth_t)
+files_read_usr_files(policykit_auth_t)
+
+auth_use_nsswitch(policykit_auth_t)
+
+logging_send_syslog_msg(policykit_auth_t)
+
+miscfiles_read_localization(policykit_auth_t)
+
+userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+
+optional_policy(`
+ dbus_session_bus_client(policykit_auth_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_auth_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_auth_t)
+ hal_read_state(policykit_auth_t)
+')
+
+########################################
+#
+# polkit_grant local policy
+#
+
+allow policykit_grant_t self:capability setuid;
+allow policykit_grant_t self:process getattr;
+allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
+allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_grant_t)
+
+policykit_domtrans_resolve(policykit_grant_t)
+
+can_exec(policykit_grant_t, policykit_grant_exec_t)
+corecmd_search_bin(policykit_grant_t)
+
+rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+
+manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+files_read_etc_files(policykit_grant_t)
+files_read_usr_files(policykit_grant_t)
+
+auth_use_nsswitch(policykit_grant_t)
+auth_domtrans_chk_passwd(policykit_grant_t)
+
+logging_send_syslog_msg(policykit_grant_t)
+
+miscfiles_read_localization(policykit_grant_t)
+
+userdom_read_all_users_state(policykit_grant_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_grant_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_grant_t)
+ ')
+')
+
+########################################
+#
+# polkit_resolve local policy
+#
+
+allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
+allow policykit_resolve_t self:process getattr;
+allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+
+policykit_domtrans_auth(policykit_resolve_t)
+
+read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
+
+read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
+
+can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+corecmd_search_bin(policykit_resolve_t)
+
+files_read_etc_files(policykit_resolve_t)
+files_read_usr_files(policykit_resolve_t)
+
+mcs_ptrace_all(policykit_resolve_t)
+
+auth_use_nsswitch(policykit_resolve_t)
+
+logging_send_syslog_msg(policykit_resolve_t)
+
+miscfiles_read_localization(policykit_resolve_t)
+
+userdom_read_all_users_state(policykit_resolve_t)
+
+optional_policy(`
+ dbus_system_bus_client(policykit_resolve_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(policykit_resolve_t)
+ ')
+')
+
+optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
+ hal_read_state(policykit_resolve_t)
+')
+