diff --git a/roles/copr/keygen/selinux/compile.sh b/roles/copr/keygen/selinux/compile.sh
new file mode 100644
index 0000000000..5eec166609
--- /dev/null
+++ b/roles/copr/keygen/selinux/compile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod
diff --git a/roles/copr/keygen/selinux/copr_rules.mod b/roles/copr/keygen/selinux/copr_rules.mod
new file mode 100644
index 0000000000..b65038ad84
Binary files /dev/null and b/roles/copr/keygen/selinux/copr_rules.mod differ
diff --git a/roles/copr/keygen/selinux/copr_rules.pp b/roles/copr/keygen/selinux/copr_rules.pp
new file mode 100644
index 0000000000..0642cc91e6
Binary files /dev/null and b/roles/copr/keygen/selinux/copr_rules.pp differ
diff --git a/roles/copr/keygen/selinux/copr_rules.te b/roles/copr/keygen/selinux/copr_rules.te
new file mode 100644
index 0000000000..42d15bbd61
--- /dev/null
+++ b/roles/copr/keygen/selinux/copr_rules.te
@@ -0,0 +1,12 @@
+module copr_rules 1.0;
+
+require {
+ type httpd_t;
+ type httpd_var_lib_t;
+ class sock_file getattr;
+ class sock_file unlink;
+ class sock_file write;
+}
+
+#============= httpd_t ==============
+allow httpd_t httpd_var_lib_t:sock_file { getattr unlink write };
diff --git a/roles/copr/keygen/tasks/main.yml b/roles/copr/keygen/tasks/main.yml
index 1390f01494..3f2a900864 100644
--- a/roles/copr/keygen/tasks/main.yml
+++ b/roles/copr/keygen/tasks/main.yml
@@ -23,13 +23,6 @@
 - name: change owner of data to copr-signer
 file: path=/var/lib/copr-keygen owner=copr-signer group=copr-signer recurse=yes
-- selinux: policy=targeted state=permissive
-
-#- name: install keygen specific packages # dnf: name="{{ item }}" state=present # with_items: # - gnupg2
-
 - name: put keygen vhost for httpd
 copy: src="httpd/copr-keygen.conf" dest="/etc/httpd/conf.d/copr-keygen.conf"
 notify: 
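Review bot: A failing `checkmodule` on the third line does not stop the script, so `semodule_package` on the last line packages whatever copr_rules.mod already exists and the committed copr_rules.pp can silently fall behind copr_rules.te; add `set -eu` after the shebang, or chain the two commands with `&&`. The generated copr_rules.mod and copr_rules.pp are committed in the same change and the .pp is what tasks/main.yml deploys, so the .te alone no longer tells a reviewer which policy reaches the host. copr_rules.mod is only an intermediate and need not be tracked, and a comment such as `# Regenerate copr_rules.pp after every edit to copr_rules.te and commit both` at the top of the script would at least make the expectation explicit.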
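Review bot: The `allow` rule on the last line grants httpd_t `write` and `unlink` on every sock_file labelled httpd_var_lib_t, not only the copr-keygen socket, and `unlink` is normally needed by the process that creates the socket rather than one that connects to it; if httpd only connects, `{ getattr write }` is the narrower grant — confirm against the recorded denial before widening. The module carries no comment explaining which denial it resolves beyond the audit2allow-style `#============= httpd_t ==============` banner; a header such as `# httpd (copr-keygen vhost) must reach the signer's unix socket under /var/lib/copr-keygen` (presumably the directory chowned to copr-signer in tasks/main.yml — verify) would help the next maintainer. Since tasks/main.yml only re-runs `semodule -i` when the shipped .pp changes, bump the version in `module copr_rules 1.0;` whenever the rules change so the installed revision can be told apart from an older one.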
@@ -57,3 +50,17 @@
 - name: setup backup
 when: not devel
 import_tasks: "setup_backup.yml"
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+ copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
+ register: selinux_module
+
+- name: install our custom selinux module
+ command: semodule -i /usr/local/share/copr/copr_rules.pp
+ when: selinux_module|changed
+
+- selinux: policy=targeted state=enforcing
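Review bot: The install on the `command: semodule -i /usr/local/share/copr/copr_rules.pp` line runs only `when: selinux_module|changed`, so a host where that command failed once, or where the module was later removed, keeps an up-to-date .pp on disk but never re-installs it, and the final `selinux: policy=targeted state=enforcing` task then switches the host to enforcing without the rule that lets httpd_t reach the keygen socket. Also gate the install on the module being absent from the host, using a `changed_when: false` listing task as below. The `|changed` filter form is deprecated in newer Ansible releases in favour of the `is changed` test; if this repository runs a recent Ansible, prefer the test form. The `file: dest=/usr/local/share/copr state=directory` task sets no `mode` or `owner`, so the directory's permissions follow the connection user's umask — likely fine for root, but worth stating explicitly.
```yaml
# … unchanged: directory and copy tasks above …
- name: check whether our custom selinux module is already installed
  command: semodule -l
  register: selinux_modules
  changed_when: false

- name: install our custom selinux module
  command: semodule -i /usr/local/share/copr/copr_rules.pp
  when: selinux_module|changed or 'copr_rules' not in selinux_modules.stdout
# … unchanged: selinux enforcing task …
```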