diff --git a/roles/openqa/server/files/httpd-openqa.pp b/roles/openqa/server/files/httpd-openqa.pp
new file mode 100644
index 0000000000..3d666e6586
Binary files /dev/null and b/roles/openqa/server/files/httpd-openqa.pp differ
diff --git a/roles/openqa/server/files/httpd-openqa.te b/roles/openqa/server/files/httpd-openqa.te
new file mode 100644
index 0000000000..bf06367e03
--- /dev/null
+++ b/roles/openqa/server/files/httpd-openqa.te
@@ -0,0 +1,17 @@
+
+module httpd-openqa 1.0;
+
+require {
+ type openqa_port_t;
+ type httpd_t;
+ type openqa_websockets_port_t;
+ class tcp_socket name_connect;
+}
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
+allow httpd_t openqa_port_t:tcp_socket name_connect;
+
+#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
+allow httpd_t openqa_websockets_port_t:tcp_socket name_connect;
diff --git a/roles/openqa/server/tasks/main.yml b/roles/openqa/server/tasks/main.yml
index cdd9f3afb4..0db7607b97 100644
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@@ -161,14 +161,14 @@
 - name: Install various other required packages
 package:
 name:
- python3-libselinux # for custom SELinux policy
+ - python3-libselinux # for using seboolean module
 - git # for checking out tests/tools
 - jq # for checking if tests changed after template load
- libselinux-utils # custom SELinux policy
- python3-libsemanage # custom SELinux policy
+ - python3-libsemanage # for using seboolean module
 - nfs-utils # for configuring/running NFS server
 - perl(Class::DBI::Pg) # for using postgresql DB
 - genisoimage # for building cloud-init ISO
+ - policycoreutils # for loading SELinux policy module
 state: present
 tags:
 - packages
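Review bot: The compiled httpd-openqa.pp that this .te source pairs with is committed as an opaque binary, so nobody reviewing this hunk can confirm that the loaded module grants only the two name_connect rules written here. Building the .pp on the host from the reviewed source (checkmodule -M -m, then semodule_package, with the checkpolicy package added to the package list) would keep the reviewable text authoritative; failing that, a header comment recording the exact build command and the policy version it was compiled against would let a reviewer reproduce it. The `#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'` lines are audit2allow leftovers that now say the opposite of the intent; replacing them with `# Narrower replacement for httpd_can_network_connect: only the openQA and openQA websockets ports.` would document why the module exists. The require block also presumes openqa_port_t and openqa_websockets_port_t are already defined on the target (presumably by a policy shipped with openQA itself), and semodule -i will refuse the module if they are not; that dependency deserves a comment next to the require block.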
@@ -288,9 +288,17 @@
 - openqa-websockets
 - openqa-gru
-# This is using a big hammer until #1277312 is resolved
-- name: Allow Apache to connect to openQA
- seboolean: name=httpd_can_network_connect state=yes persistent=yes
+# we used to set this as a bigger hammer to let httpd connect to openQA
+- name: Unset httpd_can_network_connect SELinux boolean
+ seboolean: name=httpd_can_network_connect state=no persistent=yes
+
+- name: Copy over custom SELinux module allowing httpd to connect to openQA
+ copy: src=httpd-openqa.pp dest=/usr/local/share/selinux/httpd-openqa.pp owner=root group=root mode=0644
+ register: selinux_module
+
+- name: Load our custom SELinux module
+ command: semodule -i /usr/local/share/selinux/httpd-openqa.pp
+ when: selinux_module is changed
 - name: Allow Apache to read from NFS (as we store test data files there now)
 seboolean: name=httpd_use_nfs state=yes persistent=yes
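Review bot: The boolean is switched off before the replacement module is loaded, so on the first run httpd loses its permission to reach openQA between the `state=no` task and `semodule -i`, and if the copy or the load fails the play leaves httpd with neither the boolean nor the module. The copy task also targets /usr/local/share/selinux/, and the copy module does not create missing parent directories, so unless that directory already exists on the host the task fails outright. Finally, `when: selinux_module is changed` only retries the load when the file content changes: if the copy succeeded but `semodule -i` failed, or the module was later removed on the host, the next run reports the file unchanged and never loads it, so checking the loaded state (for example via `semodule -l`) or keying the condition on that would make the task self-healing. The change I would make is to create the directory, copy and load the module, and only then unset the boolean:
```yaml
- name: Ensure the directory for custom SELinux modules exists
  file: path=/usr/local/share/selinux state=directory owner=root group=root mode=0755

# … unchanged: copy of httpd-openqa.pp (register: selinux_module) and the semodule -i task …

# drop the broad boolean only once the narrower module is in place
- name: Unset httpd_can_network_connect SELinux boolean
  seboolean: name=httpd_can_network_connect state=no persistent=yes
```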