diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 48eb1c8e0..33ad1b478 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -426,6 +426,13 @@ template(`ssh_role_template',`
 xserver_use_xdm_fds($1_ssh_agent_t)
 xserver_rw_xdm_pipes($1_ssh_agent_t)
 ')
+
+ optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ # for ssh-add
+ gpg_agent_connect($3)
+ ')
+ ')
 ')
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2022f28a5..65b5be9bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ##
 gen_tunable(ssh_sysadm_login, false)
+##
+##
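Review bot: The comment `# for ssh-add` in the added `tunable_policy` block understates what `gpg_agent_connect($3)` grants: `$3` is a template argument rather than an ssh-add domain, so with `ssh_use_gpg_agent` enabled everything running in that domain can connect to gpg-agent. From the call shape `$3` looks like the user domain passed to `ssh_role_template`, but the template's parameter documentation sits outside this hunk, so that is an inference. I would spell the scope out in the comment, for example `# ssh-add presumably runs in the caller's domain ($3), so the whole domain gains gpg-agent access`, and mention the new boolean in the template's header documentation.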

+## Allow ssh to use gpg-agent
+##

+##
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
@@ -202,6 +209,12 @@ optional_policy(`
 xserver_domtrans_xauth(ssh_t)
 ')
+optional_policy(`
+ tunable_policy(`ssh_use_gpg_agent',`
+ gpg_agent_connect(ssh_t)
+ ')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy
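Review bot: The description `Allow ssh to use gpg-agent` on the new `ssh_use_gpg_agent` tunable does not tell an administrator which domains gain access. Elsewhere in this diff the boolean gates both `gpg_agent_connect(ssh_t)` in ssh.te and `gpg_agent_connect($3)` inside `ssh_role_template`, so it covers more than the ssh client. Wording such as `## Allow the ssh client domain and the domains given to ssh_role_template to connect to gpg-agent` would match what the policy enables. The `false` default keeps the access opt-in and should stay.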
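Review bot: `gpg_agent_connect(ssh_t)` gives the ssh client domain, which handles data from remote hosts, whatever the gpg module's interface allows, and that interface is defined outside this diff. If it covers gpg-agent's general socket as well as the socket used for SSH authentication, enabling the boolean would let `ssh_t` reach ordinary gpg key operations, which is more than SSH authentication needs. Please confirm the interface's scope, or use a narrower interface if the gpg module offers one. The block also has no comment, unlike the `# for ssh-add` one in ssh.if; something like `# gpg-agent acting as the SSH authentication agent` would record why the client needs this.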