diff --git a/SOURCES/Makefile.selinux b/SOURCES/Makefile.selinux
new file mode 100644
index 0000000..bc159a5
--- /dev/null
+++ b/SOURCES/Makefile.selinux
@@ -0,0 +1,16 @@
+TARGETS ?= systemd_hs
+SHARE ?= /usr/share
+MODULES ?= ${TARGETS:=.pp.bz2}
+
+all: ${TARGETS:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\ $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHARE}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~ *.tc *.pp *.pp.bz2
+	rm -rf tmp
diff --git a/SOURCES/systemd_hs.te b/SOURCES/systemd_hs.te
new file mode 100644
index 0000000..5498233
--- /dev/null
+++ b/SOURCES/systemd_hs.te
@@ -0,0 +1,39 @@
+policy_module(systemd_hs,0.0.1)
+
+# systemd overrides for 247
+gen_require(`
+	type avahi_t;
+	type init_t;
+	type init_var_run_t;
+	type kmsg_device_t;
+	type policykit_auth_t;
+	type policykit_t;
+	type proc_kmsg_t;
+	type system_dbusd_t;
+	type systemd_hostnamed_t;
+	type systemd_localed_t;
+	type systemd_logind_t;
+	type systemd_machined_t;
+	type security_t;
+	type syslogd_t;
+	type user_tmp_t;
+	type xdm_t;
+')
+
+allow avahi_t init_var_run_t:dir read;
+allow init_t kmsg_device_t:chr_file mounton;
+allow init_t proc_kmsg_t:file { getattr mounton };
+allow init_t systemd_machined_t:unix_stream_socket connectto;
+allow policykit_auth_t init_var_run_t:dir read;
+allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
+allow policykit_t systemd_machined_t:unix_stream_socket connectto;
+allow syslogd_t user_tmp_t:lnk_file read;
+allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
+allow systemd_hostnamed_t security_t:file map;
+allow systemd_localed_t security_t:file map;
+allow systemd_logind_t self:netlink_selinux_socket create;
+allow systemd_logind_t self:netlink_selinux_socket bind;
+allow systemd_logind_t security_t:file map;
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+allow systemd_machined_t init_var_run_t:sock_file create;
+allow xdm_t systemd_machined_t:unix_stream_socket connectto;
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 859e47d..b45e60c 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -17,11 +17,16 @@
 %bcond_with    bootstrap
 %bcond_without tests
 %bcond_with    lto
+%if 0%{?facebook}
+%bcond_with selinux
+%else
+%bcond_without selinux
+%endif
 
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        247.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@@ -57,6 +62,10 @@ Source22:       sysusers.attr
 Source23:       sysusers.prov
 Source24:       sysusers.generate-pre.sh
 
+# Needed for selinux subpackage
+Source100:      Makefile.selinux
+Source101:      systemd_hs.te
+
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
 i=1; for j in 00*patch; do printf "Patch%04d:      %s\n" $i $j; i=$((i+1));done|xclip
@@ -195,6 +204,11 @@ Recommends:     libpwquality.so.1()(64bit)
 Recommends:     libpwquality.so.1(LIBPWQUALITY_1.0)(64bit)
 Recommends:     libqrencode.so.4()(64bit)
 
+%if %{with selinux}
+# Force the SELinux module to be installed
+Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
 %description
 systemd is a system and service manager that runs as PID 1 and starts
 the rest of the system. It provides aggressive parallelization
@@ -345,9 +359,33 @@ License:       LGPLv2+
 "Installed tests" that are usually run as part of the build system.
 They can be useful to test systemd internals.
 
+%if %{with selinux}
+%package selinux
+Summary:        SELinux module for systemd
+BuildArch:      noarch
+BuildRequires:  bzip2
+BuildRequires:  make
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils
+Requires(post): policycoreutils-python-utils
+Requires(pre):  libselinux-utils
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure systemd
+runs properly under an environment with SELinux enabled.
+%endif
+
 %prep
 %autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{github_version}} -p1
 
+%if %{with selinux}
+mkdir selinux
+cp %SOURCE100 %SOURCE101 selinux
+%endif
+
 %build
 %define ntpvendor %(source /etc/os-release; echo ${ID})
 %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1}
@@ -457,6 +495,11 @@ export LC_ALL=en_US.UTF-8
 %meson "${CONFIGURE_OPTS[@]}"
 %meson_build
 
+%if %{with selinux}
+cd selinux
+%{__make} -f Makefile.selinux SHARE="%{_datadir}" TARGETS="systemd_hs"
+%endif
+
 %install
 export LANG=en_US.UTF-8
 export LC_ALL=en_US.UTF-8
@@ -592,6 +635,13 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %attr(0700,root,root) %dir /var/log/private
 EOF
 
+%if %{with selinux}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -p -m 0644 selinux/systemd_hs.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -d -p %{buildroot}%{_datadir}/selinux/packages
+install -p -m 0644 selinux/systemd_hs.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
+
 %check
 %if %{with tests}
 export LANG=en_US.UTF-8
@@ -833,6 +883,25 @@ fi
 %postun journal-remote
 %systemd_postun_with_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service
 
+%if %{with selinux}
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/systemd_hs.pp.bz2
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall systemd_hs
+
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+%endif
+
 %global _docdir_fmt %{name}
 
 %files -f %{name}.lang -f .file-list-rest
@@ -873,7 +942,16 @@ fi
 
 %files tests -f .file-list-tests
 
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/devel/include/contrib/systemd_hs.if
+%{_datadir}/selinux/packages/systemd_hs.pp.bz2
+%endif
+
 %changelog
+* Wed Mar 31 2021 Davide Cavalca <dcavalca@fb.com> - 247.3-5
+- Add selinux subpackage
+
 * Wed Mar 17 2021 Anita Zhang <anitazha@fb.com> - 247.3-4
 - Backport PR #18955 (Fixes fstab parsing)
 - FB only backport PR #18886 (systemd-shutdown logs to /dev/console not stderr)