diff --git a/roles/copr/backend/files/selinux/compile.sh b/roles/copr/backend/files/selinux/compile.sh
index f37b46c00f..5eec166609 100644
--- a/roles/copr/backend/files/selinux/compile.sh
+++ b/roles/copr/backend/files/selinux/compile.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
-checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
-semodule_package -o nrpe_copr.pp -m nrpe_copr.mod
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod
diff --git a/roles/copr/backend/files/selinux/copr_rules.mod b/roles/copr/backend/files/selinux/copr_rules.mod
new file mode 100644
index 0000000000..d626da3914
Binary files /dev/null and b/roles/copr/backend/files/selinux/copr_rules.mod differ
diff --git a/roles/copr/backend/files/selinux/copr_rules.pp b/roles/copr/backend/files/selinux/copr_rules.pp
new file mode 100644
index 0000000000..ae34d742e0
Binary files /dev/null and b/roles/copr/backend/files/selinux/copr_rules.pp differ
diff --git a/roles/copr/backend/files/selinux/copr_rules.te b/roles/copr/backend/files/selinux/copr_rules.te
new file mode 100644
index 0000000000..8a50654083
--- /dev/null
+++ b/roles/copr/backend/files/selinux/copr_rules.te
@@ -0,0 +1,27 @@
+
+module copr_rules 1.0;
+
+require {
+	type redis_port_t;
+	type nrpe_t;
+	type httpd_t;
+	type copr_data_t;
+	type logrotate_t;
+	class tcp_socket name_connect;
+	class file ioctl;
+	class lnk_file read;
+	class process execmem;
+}
+
+#============= nrpe_t ==============
+# nagios
+allow nrpe_t redis_port_t:tcp_socket name_connect;
+
+#============= httpd_t ==============
+# custom lighttpd dir script template
+allow httpd_t copr_data_t:file ioctl;
+allow httpd_t copr_data_t:lnk_file read;
+
+#============= logrotate_t ==============
+# https://bugzilla.redhat.com/show_bug.cgi?id=1535689
+allow logrotate_t self:process execmem;
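Review bot: `allow logrotate_t self:process execmem;` on the last line of the hunk hands the logrotate domain a broad process permission, and the only rationale recorded is the bugzilla link above it; now that it is bundled into the same module as the nrpe and httpd rules, it is loaded on every backend host for as long as copr_rules is installed. Add a comment that states the removal condition, e.g. `# workaround for the bug above; re-test and drop this rule once it is resolved`, so the grant does not outlive the problem it papers over. The two httpd_t rules are narrow (ioctl on copr_data_t files, read on copr_data_t symlinks), but the comment `# custom lighttpd dir script template` does not say which path produced the denial, which is what a later reviewer needs to decide whether the rule is still required. Separately, copr_rules.pp and copr_rules.mod are committed as binaries in this same commit, so nothing in the tree ties the installed .pp to this .te other than someone having run compile.sh by hand.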
diff --git a/roles/copr/backend/files/selinux/nrpe_copr.mod b/roles/copr/backend/files/selinux/nrpe_copr.mod
deleted file mode 100644
index 5ebf1b7fa3..0000000000
Binary files a/roles/copr/backend/files/selinux/nrpe_copr.mod and /dev/null differ
diff --git a/roles/copr/backend/files/selinux/nrpe_copr.pp b/roles/copr/backend/files/selinux/nrpe_copr.pp
deleted file mode 100644
index ee51973408..0000000000
Binary files a/roles/copr/backend/files/selinux/nrpe_copr.pp and /dev/null differ
diff --git a/roles/copr/backend/files/selinux/nrpe_copr.te b/roles/copr/backend/files/selinux/nrpe_copr.te
deleted file mode 100644
index 9eccd7a589..0000000000
--- a/roles/copr/backend/files/selinux/nrpe_copr.te
+++ /dev/null
@@ -1,11 +0,0 @@
-
-module copr_nrpe 1.0;
-
-require {
-	type redis_port_t;
-	type nrpe_t;
-	class tcp_socket name_connect;
-}
-
-#============= nrpe_t ==============
-allow nrpe_t redis_port_t:tcp_socket name_connect;
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
index acdc92cdbe..639e0431c2 100644
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@@ -193,3 +193,15 @@
 - name: setup monitoring
   import_tasks: "monitoring.yml"
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+  copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
+  register: selinux_module
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/copr/copr_rules.pp
+  when: selinux_module|changed
diff --git a/roles/copr/backend/tasks/monitoring.yml b/roles/copr/backend/tasks/monitoring.yml
index 938b7e7b9b..e75619d273 100644
--- a/roles/copr/backend/tasks/monitoring.yml
+++ b/roles/copr/backend/tasks/monitoring.yml
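Review bot: Nothing in the new tasks removes the `copr_nrpe` module that the deleted monitoring.yml tasks installed from `fedmsg.pp`, so hosts that already ran the old role keep both modules loaded and the superseded one is never retired. The install task is also gated only on `selinux_module|changed`, so a host where an earlier `semodule -i` failed reports the file unchanged on the next run and stays without the policy; checking `semodule -l` first lets you both clean up the old module and install the new one when it is actually missing. The leftover `/usr/local/share/copr/fedmsg.pp` on old hosts is harmless but could be removed in the same pass.

```yaml
- name: list installed selinux modules
  command: semodule -l
  register: selinux_modules
  changed_when: false

- name: remove the superseded copr_nrpe selinux module
  command: semodule -r copr_nrpe
  when: "'copr_nrpe' in selinux_modules.stdout"

# … unchanged: directory and copy tasks …

- name: install our custom selinux module
  command: semodule -i /usr/local/share/copr/copr_rules.pp
  when: selinux_module|changed or 'copr_rules' not in selinux_modules.stdout
```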
@@ -10,15 +10,3 @@
 - name: set acl for nrpe on /etc/copr/copr-be.conf
   acl: name=/etc/copr/copr-be.conf entity=nrpe etype=user permissions=r state=present
-
-# Three tasks for handling our custom selinux module
-- name: ensure a directory exists for our custom selinux module
-  file: dest=/usr/local/share/copr state=directory
-
-- name: copy over our custom selinux module
-  copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp
-  register: selinux_module
-
-- name: install our custom selinux module
-  command: semodule -i /usr/local/share/copr/fedmsg.pp
-  when: selinux_module|changed