diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 843820974..4b819110c 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -359,12 +359,15 @@ interface(`init_daemon_domain',` init_domain($1, $2) allow $1 init_t:unix_dgram_socket sendto; + + optional_policy(` + systemd_connectto_socket_proxyd_unix_sockets($1) + ') ') optional_policy(` nscd_use($1) ') - ') ######################################## diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 5edb24a0c..4d1d400a6 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -38,6 +38,7 @@ /usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0) /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) +/usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0) /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0) /usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0) /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) @@ -54,6 +55,7 @@ /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0) +/usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0) /var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 262c26d18..426113460 100644 
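Review bot: The `optional_policy` block added to `init_daemon_domain` gives every domain declared through this interface `connectto` on systemd_socket_proxyd_t stream sockets, whether or not that daemon is ever a client of a proxied socket. A narrower arrangement would have only the modules that actually sit behind systemd-socket-proxyd call `systemd_connectto_socket_proxyd_unix_sockets()` themselves. If the blanket grant is intended, a comment above the block such as `# any init-started daemon may be a client of a socket-proxyd unix socket` would record the reason. The interface body starts and ends outside the hunk, so the enclosing conditional is not visible here.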
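Review bot: The unit-file entry added in the second systemd.fc hunk matches only a unit named exactly `systemd-socket-proxyd.service` under /usr/lib/systemd/system. As far as I know, systemd-socket-proxyd is normally started from administrator-written units with other names, and those would not receive systemd_socket_proxyd_unit_file_t. It is worth confirming which unit this entry is meant to label and adding a comment that custom units need a local file-context rule. The neighbouring entries use the looser `systemd-rfkill.*` form, so the escaped and pinned `\.service` pattern also departs from the style of the list.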
--- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -886,6 +886,24 @@ interface(`systemd_status_power_units',` allow $1 power_unit_t:service status; ') +######################################## +## +## Allows connections to the systemd-socket-proxyd's socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_connectto_socket_proxyd_unix_sockets', ` + gen_require(` + type systemd_socket_proxyd_t; + ') + + allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto; +') + ######################################## ## ## Make the specified type usable for diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index b6e508eb0..43673a4e0 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -29,6 +29,22 @@ gen_tunable(systemd_nspawn_labeled_namespace, false) ## gen_tunable(systemd_logind_get_bootloader, false) +## +## +## Allow systemd-socket-proxyd to bind any port instead of one labelled +## with systemd_socket_proxyd_port_t. +## +## +gen_tunable(systemd_socket_proxyd_bind_any, false) + +## +## +## Allow systemd-socket-proxyd to connect to any port instead of +## labelled ones. +## +## +gen_tunable(systemd_socket_proxyd_connect_any, false) + attribute systemd_log_parse_env_type; attribute systemd_tmpfiles_conf_type; attribute systemd_user_session_type; 
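Review bot: `systemd_connectto_socket_proxyd_unix_sockets` grants only `connectto` on the unix stream socket, while its summary reads as if it covers connecting to the proxy's socket in general. For a path-bound socket the caller also needs search on the directory and write on the sock_file, and those labels are not visible in this diff. The summary should state the scope, for example `## Allow the specified domain connectto on systemd-socket-proxyd unix stream sockets; sock_file access is not included.` As a minor style point, the declaration line has a space between the comma and the opening m4 quote, unlike `systemd_status_power_units` just above it.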
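Review bot: The description of `systemd_socket_proxyd_connect_any` says "instead of labelled ones" without naming the label, whereas the bind tunable names systemd_socket_proxyd_port_t. Suggested wording: `## Allow systemd-socket-proxyd to connect to any TCP port instead of only ports labelled systemd_socket_proxyd_port_t.` Both descriptions could also say that the permission is TCP-only, and that with both booleans enabled the domain can relay between arbitrary TCP ports. That is the trade-off an administrator weighs before flipping them.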
@@ -217,6 +233,16 @@ files_runtime_file(systemd_sessions_runtime_t) init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions") init_mountpoint(systemd_sessions_runtime_t) +type systemd_socket_proxyd_t; +type systemd_socket_proxyd_exec_t; +init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t) + +type systemd_socket_proxyd_port_t; +corenet_port(systemd_socket_proxyd_port_t) + +type systemd_socket_proxyd_unit_file_t; +init_unit_file(systemd_socket_proxyd_unit_file_t) + type systemd_sysusers_t; type systemd_sysusers_exec_t; init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t) @@ -1144,6 +1170,32 @@ optional_policy(` dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t) ') +######################################### +# +# Socket-proxyd local policy +# + +allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write }; +allow systemd_socket_proxyd_t self:tcp_socket accept; + +kernel_read_system_state(systemd_socket_proxyd_t) + +auth_use_nsswitch(systemd_socket_proxyd_t) +sysnet_dns_name_resolve(systemd_socket_proxyd_t) + +tunable_policy(`systemd_socket_proxyd_bind_any',` + corenet_tcp_bind_all_ports(systemd_socket_proxyd_t) +',` + allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind; +') + +tunable_policy(`systemd_socket_proxyd_connect_any',` + corenet_tcp_connect_all_ports(systemd_socket_proxyd_t) +',` + allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect; +') + + ######################################### # # Sessions local policy
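Review bot: `systemd_socket_proxyd_port_t` is declared with `corenet_port()`, but no port number is assigned to it anywhere in this diff. With both booleans at their default of false, the domain has no port it may bind or connect to until an administrator labels one. A comment above the declaration would make that explicit, for example `# No ports are assigned by default; label them locally with semanage port -a -t systemd_socket_proxyd_port_t -p tcp PORT`. It would also help to note that relabelling a backend's existing port changes the type other domains rely on for it, which is likely to push people towards the `_any` booleans.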
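Review bot: The `self:unix_dgram_socket` rule lists `create`, `getopt`, `setopt`, `read` and `write` alongside `create_socket_perms`, which in refpolicy's permission-set macros already covers them. `allow systemd_socket_proxyd_t self:unix_dgram_socket { create_socket_perms sendto };` expresses the same grant. Separately, the `self:tcp_socket` rule grants only `accept`, so the create and connect permissions for the outbound leg presumably arrive through one of the called interfaces. A one-line comment saying which one would keep a later cleanup of those calls from silently breaking the proxy.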
+## Allow systemd-socket-proxyd to bind any port instead of one labelled +## with systemd_socket_proxyd_port_t. +##
+## Allow systemd-socket-proxyd to connect to any port instead of +## labelled ones. +##