diff --git a/Vagrantfile b/Vagrantfile
index 2b7d9948a..2dd0f8ce2 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -19,6 +19,9 @@ $install_refpolicy = <<-SHELL
 make -C /vagrant install-headers
 semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
+ # Load the module specific to Vagrant VM
+ semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil
+
 if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
 then
 # Use the reference policy
diff --git a/support/vagrant-vm.cil b/support/vagrant-vm.cil
new file mode 100644
index 000000000..b969ffda1
--- /dev/null
+++ b/support/vagrant-vm.cil
@@ -0,0 +1,21 @@
+; SELinux policy module for running virtual machines with Vagrant
+
+; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
+; This leads sudo to directly using sshd pipes, as well as other processes
+; spawned from the provision scripts. Define an attribute for those processes.
+(typeattribute vagrant_provisioning_cmd_type)
+(typeattributeset vagrant_provisioning_cmd_type (
+ load_policy_t
+ semanage_t
+ setfiles_t
+ sudodomain
+))
+(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
+
+; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
+; make sudo transition out of sysadm_sudo_t.
+; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
+(optional sysadm_sudo_rsync_transition
+ (allow sysadm_t rsync_exec_t (file (entrypoint)))
+ (typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
+)
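Review bot: The new `semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil` runs as a second store transaction right after the one on the context line above it, so the refpolicy store is rebuilt and the kernel policy recompiled twice during provisioning; both modules can be installed in one pass with `semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp -i /vagrant/support/vagrant-vm.cil`. Whether the provisioning heredoc runs under `set -e` is not visible here (the `$install_refpolicy` heredoc starts before this hunk); if it does not, a failed install of the CIL module is silently ignored and the `sestatus` check that follows will still pass, so `|| exit 1` on the new line would make a broken module visible instead of leaving the VM half-provisioned. The added comment could also say why the module is Vagrant-only, for example `# Vagrant-specific relaxations (sudo over sshd pipes, sudo rsync transition); not for real hosts`, so nobody copies this line into a production install script.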
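Review bot: The `typeattributeset` puts the whole `sudodomain` attribute into `vagrant_provisioning_cmd_type`, so every sudo domain in the policy, not only the one Vagrant provisioning runs as, gains `append`/`write` on `sshd_t` pipes; if the VM only uses the sysadm role, `sysadm_sudo_t` in place of `sudodomain` keeps the relaxation to the domain that needs it, and the comment above should state the choice either way. In the `optional` block, the entrypoint allow plus the `typetransition` only make `rsync_exec_t` a valid entry into `sysadm_t`; the transition still depends on `sysadm_sudo_t` having `process transition` to `sysadm_t` and `execute` on `rsync_exec_t`, which this file does not grant and which presumably comes from refpolicy's sudo role template — worth a comment such as `; relies on the sudo role rules already granting sysadm_sudo_t process transition to sysadm_t` so a later policy change does not silently break `vagrant rsync`. Wrapping the block in `optional` is the right call since the rsync module may be absent, but the first block is not wrapped while it also names types from specific modules (`sshd_t`, `load_policy_t`, `semanage_t`, `setfiles_t`); if those are guaranteed to be in the base policy built here, a one-line comment saying so would explain the asymmetry.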