diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp b/roles/nagios_client/files/selinux/mirrormanager_container.pp
new file mode 100644
index 0000000000..31b8435358
Binary files /dev/null and b/roles/nagios_client/files/selinux/mirrormanager_container.pp differ
diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te b/roles/nagios_client/files/selinux/mirrormanager_container.te
new file mode 100644
index 0000000000..6180969c69
--- /dev/null
+++ b/roles/nagios_client/files/selinux/mirrormanager_container.te
@@ -0,0 +1,15 @@
+module mirrormanager_container 1.0;
+
+require {
+ type container_t;
+ type container_file_t;
+ type mirrormanager_log_t;
+ type nrpe_t;
+ class file { append getattr };
+}
+
+# Allow mirrorlist to append to its log
+allow container_t mirrormanager_log_t:file append;
+# Allow nrpe to check file age of mirrorlist pkl files
+allow nrpe_t container_file_t:file getattr;
+
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 329d50f0c2..0c55d78e11 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -99,6 +99,15 @@
   command: semodule -i /usr/share/nrpe/fi-nrpe.pp
   when: ansible_distribution_major_version|int == 7 and selinux_module|changed
 
+- name: copy over our custom selinux module for mirrorlist
+  copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp
+  register: selinux_module_mirrorlist
+  when: 'proxy' in inventory_hostname
+
+- name: install our custom selinux module for mirrorlist
+  command: semodule -i /usr/share/nrpe/mirrormanager_container.pp
+  when: 'proxy' in inventory_hostname and selinux_module|changed
+
 # Set up our base config.
 - name: /etc/nagios/nrpe.cfg
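Review bot: The rule `allow nrpe_t container_file_t:file getattr;` is wider than its comment says: container_file_t is the generic label for container-managed content, so this lets nrpe stat every such file on the host, not only the mirrorlist pkl files. getattr is metadata-only, so the grant is probably acceptable, but the comment should state the scope so the next reader does not assume it is confined to mirrorlist, e.g. `# NOTE: container_file_t covers all container-managed files on this host, not just the pkl files; getattr is metadata-only so the wider scope is accepted.` Reaching the pkl files by path presumably also needs directory search on the containing container_file_t dirs, which this module does not grant; if the nrpe check works only because of an existing rule elsewhere, that dependency is worth a comment too. Separately, the compiled `mirrormanager_container.pp` is committed as an opaque binary in the same commit, so a reviewer cannot confirm it was built from this `.te`; consider building it at deploy time with checkmodule/semodule_package, or at least documenting the build command in a header comment of the `.te`.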
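Review bot: The copy task ships the wrong file: `copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp` installs the existing fi-nrpe policy under the new name, so the mirrormanager_container module added in this commit never reaches the proxies; the line should read `copy: src=selinux/mirrormanager_container.pp dest=/usr/share/nrpe/mirrormanager_container.pp`. The install task then gates on `selinux_module|changed`, which is the register from the earlier fi-nrpe task whose `command:` and `when:` lines open this hunk (its `- name:` is outside the hunk), not on the `selinux_module_mirrorlist` registered just above, so the module is re-installed when the fi-nrpe copy changes and never when only this file changes; use `when: "'proxy' in inventory_hostname and selinux_module_mirrorlist|changed"`. Both new `when:` values start with a single-quoted scalar followed by more text, which I believe PyYAML rejects as a mapping-value error, so the whole expression should be wrapped in double quotes as shown, including the copy task's `when: "'proxy' in inventory_hostname"`.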