diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 9cbf5d70f..065b70e7b 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -78,6 +78,14 @@ gen_tunable(virt_use_xserver, false)
 ## </desc>
 gen_tunable(virt_use_vfio, false)
 
+## <desc>
+##	<p>
+##	Determine whether confined virtual guests
+##	can use input devices via evdev pass through.
+##	</p>
+## </desc>
+gen_tunable(virt_use_evdev, false)
+
 attribute virt_ptynode;
 attribute virt_domain;
 attribute virt_image_type;
@@ -448,6 +456,12 @@ tunable_policy(`virt_use_vfio',`
 	dev_rw_vfio_dev(svirt_t)
 ')
 
+tunable_policy(`virt_use_evdev',`
+	# qemu uses IOCTLs 0x01, 0x06, 0x90, and potentially others
+	# see qemu:include/standard-headers/linux/input.h
+	dev_ioctl_input_dev(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy