diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 08cc0e117..69777df20 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -472,6 +472,10 @@ optional_policy(`
hadoop_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
+optional_policy(`
+ haproxy_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
hddtemp_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
new file mode 100644
index 000000000..63e1b8a4c
--- /dev/null
+++ b/policy/modules/services/haproxy.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/haproxy.* -- gen_context(system_u:object_r:haproxy_initrc_exec_t,s0)
+
+/etc/haproxy(/.*)? gen_context(system_u:object_r:haproxy_conf_t,s0)
+
+/usr/bin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+
+/run/haproxy(/.*)? gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy-master\.sock -s gen_context(system_u:object_r:haproxy_runtime_t,s0)
+
+/var/log/haproxy(/.*)? gen_context(system_u:object_r:haproxy_log_t,s0)
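Review bot: No entry in this file covers a haproxy state or chroot directory, so a deployment whose haproxy.cfg uses one would leave those files with a generic label that haproxy_t has no rule for. Distribution configs commonly point `chroot` and the stats socket at /var/lib/haproxy; please confirm this for the targets you support. Consider a dedicated type with its own entry, for example `/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)`, rather than having admins relabel the directory as haproxy_runtime_t. That type name is only a proposal and would need declaring in haproxy.te. The chroot case would also need `sys_chroot`, which the `self:capability` rule in haproxy.te does not grant.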
diff --git a/policy/modules/services/haproxy.if b/policy/modules/services/haproxy.if
new file mode 100644
index 000000000..45399bd2e
--- /dev/null
+++ b/policy/modules/services/haproxy.if
@@ -0,0 +1,89 @@
+## A TCP/HTTP reverse proxy for high availability environments.
+
+########################################
+##
+## Execute haproxy in the haproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`haproxy_domtrans',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
+########################################
+##
+## Execute haproxy in the haproxy domain, and
+## allow the specified role the haproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`haproxy_run',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ haproxy_domtrans($1)
+ role $2 types haproxy_t;
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an haproxy environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`haproxy_admin',`
+ gen_require(`
+ type haproxy_t, haproxy_initrc_exec_t, haproxy_conf_t;
+ type haproxy_log_t, haproxy_runtime_t, haproxy_tmpfs_t;
+ ')
+
+ haproxy_run($1, $2)
+
+ init_startstop_service($1, $2, haproxy_t, haproxy_initrc_exec_t)
+
+ allow $1 haproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, haproxy_t)
+
+ files_search_etc($1)
+ admin_pattern($1, haproxy_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, haproxy_log_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, haproxy_tmpfs_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, haproxy_runtime_t)
+')
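Review bot: `haproxy_admin` grants `ptrace` on haproxy_t unconditionally via `allow $1 haproxy_t:process { ptrace signal_perms };`, so any domain given this interface can read the proxy's memory. For a proxy that terminates TLS, that memory may include key material and session data. If attaching a debugger is not a requirement of the admin role, narrow the rule to `allow $1 haproxy_t:process signal_perms;`. The `ps_process_pattern` call on the next line should still cover ordinary process inspection. If `ptrace` is kept for consistency with other admin interfaces, a one-line comment saying so would help the next reviewer.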
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
new file mode 100644
index 000000000..fd5bc3804
--- /dev/null
+++ b/policy/modules/services/haproxy.te
@@ -0,0 +1,121 @@
+policy_module(haproxy)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Determine whether haproxy can bind to
+## all TCP ports.
+##
+##
+gen_tunable(haproxy_bind_all_tcp_ports, false)
+
+##
+##
+## Determine whether haproxy can bind to
+## kubernetes ports (typically 6443/tcp).
+##
+##
+gen_tunable(haproxy_bind_kubernetes_port, false)
+
+##
+##
+## Determine whether haproxy can connect to
+## all TCP ports.
+##
+##
+gen_tunable(haproxy_connect_all_tcp_ports, false)
+
+##
+##
+## Determine whether haproxy can connect to
+## kubernetes ports (typically 6443/tcp).
+##
+##
+gen_tunable(haproxy_connect_kubernetes_port, false)
+
+type haproxy_t;
+type haproxy_exec_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+type haproxy_initrc_exec_t;
+init_script_file(haproxy_initrc_exec_t)
+
+type haproxy_log_t;
+logging_log_file(haproxy_log_t)
+
+type haproxy_runtime_t;
+files_runtime_file(haproxy_runtime_t)
+
+type haproxy_tmpfs_t;
+files_tmpfs_file(haproxy_tmpfs_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+allow haproxy_t self:process { getsched setrlimit signal };
+allow haproxy_t self:capability { kill setuid setgid };
+dontaudit haproxy_t self:capability net_admin;
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self:udp_socket create_socket_perms;
+allow haproxy_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(haproxy_t, haproxy_conf_t, haproxy_conf_t)
+
+create_dirs_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+create_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+append_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+logging_log_filetrans(haproxy_t, haproxy_log_t, { dir file })
+
+manage_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+manage_sock_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })
+
+mmap_manage_files_pattern(haproxy_t, haproxy_tmpfs_t, haproxy_tmpfs_t)
+fs_tmpfs_filetrans(haproxy_t, haproxy_tmpfs_t, file)
+
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_bind_generic_node(haproxy_t)
+
+corecmd_search_bin(haproxy_t)
+
+dev_dontaudit_read_sysfs(haproxy_t)
+
+kernel_read_kernel_sysctls(haproxy_t)
+kernel_read_state(haproxy_t)
+kernel_read_system_state(haproxy_t)
+
+auth_use_nsswitch(haproxy_t)
+
+miscfiles_read_generic_certs(haproxy_t)
+miscfiles_read_localization(haproxy_t)
+
+logging_send_syslog_msg(haproxy_t)
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+tunable_policy(`haproxy_bind_all_tcp_ports',`
+ corenet_tcp_bind_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_bind_kubernetes_port',`
+ corenet_tcp_bind_kubernetes_port(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_all_tcp_ports',`
+ corenet_tcp_connect_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_kubernetes_port',`
+ corenet_tcp_connect_kubernetes_port(haproxy_t)
+')
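Review bot: `files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })` names `dir`, but the two rules above it only cover files and sock_files. As written, haproxy_t gets a type transition for a directory it has no permission to create. Either add `manage_dirs_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)`, or drop `dir` from the transition if /run/haproxy is always created by the init system before the daemon starts. The log rules are consistent on this point, since they include `create_dirs_pattern`, so this looks like an omission rather than intent.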