diff --git a/policy/modules.conf b/policy/modules.conf
index e4103ce5e0..5c6fd8a305 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -3148,3 +3148,10 @@ afterburn = module
# nvme_stas
#
nvme_stas = module
+
+# Layer: contrib
+# Module: coreos_installer
+#
+# coreos_installer
+#
+coreos_installer = module
diff --git a/policy/modules/contrib/coreos_installer.fc b/policy/modules/contrib/coreos_installer.fc
new file mode 100644
index 0000000000..68e5f6d540
--- /dev/null
+++ b/policy/modules/contrib/coreos_installer.fc
@@ -0,0 +1,7 @@
+/usr/bin/coreos-installer -- gen_context(system_u:object_r:coreos_installer_exec_t,s0)
+
+/usr/libexec/coreos-installer-disable-device-auto-activation -- gen_context(system_u:object_r:coreos_installer_exec_t,s0)
+/usr/libexec/coreos-installer-service -- gen_context(system_u:object_r:coreos_installer_exec_t,s0)
+
+/usr/lib/systemd/system-generators/coreos-installer-generator -- gen_context(system_u:object_r:coreos_installer_exec_t,s0)
+/usr/lib/systemd/system/coreos-installer.* -- gen_context(system_u:object_r:coreos_installer_unit_file_t,s0)
diff --git a/policy/modules/contrib/coreos_installer.if b/policy/modules/contrib/coreos_installer.if
new file mode 100644
index 0000000000..64ef208940
--- /dev/null
+++ b/policy/modules/contrib/coreos_installer.if
@@ -0,0 +1,39 @@
+## policy for coreos_installer
+
+########################################
+##
+## Execute coreos_installer_exec_t in the coreos_installer domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`coreos_installer_domtrans',`
+ gen_require(`
+ type coreos_installer_t, coreos_installer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, coreos_installer_exec_t, coreos_installer_t)
+')
+
+######################################
+##
+## Execute coreos_installer in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`coreos_installer_exec',`
+ gen_require(`
+ type coreos_installer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, coreos_installer_exec_t)
+')
diff --git a/policy/modules/contrib/coreos_installer.te b/policy/modules/contrib/coreos_installer.te
new file mode 100644
index 0000000000..d6c3a808e8
--- /dev/null
+++ b/policy/modules/contrib/coreos_installer.te
@@ -0,0 +1,47 @@
+policy_module(coreos_installer, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type coreos_installer_t;
+type coreos_installer_exec_t;
+init_daemon_domain(coreos_installer_t, coreos_installer_exec_t)
+
+type coreos_installer_unit_file_t;
+systemd_unit_file(coreos_installer_unit_file_t)
+
+permissive coreos_installer_t;
+
+########################################
+#
+# coreos_installer local policy
+#
+allow coreos_installer_t self:capability { setgid setuid sys_admin };
+allow coreos_installer_t self:process { fork setpgid };
+allow coreos_installer_t self:fifo_file rw_fifo_file_perms;
+allow coreos_installer_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_proc_files(coreos_installer_t)
+
+corecmd_exec_bin(coreos_installer_t)
+corecmd_exec_shell(coreos_installer_t)
+
+dev_write_kmsg(coreos_installer_t)
+
+domain_use_interactive_fds(coreos_installer_t)
+
+files_read_etc_files(coreos_installer_t)
+
+optional_policy(`
+ auth_read_passwd_file(coreos_installer_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(coreos_installer_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(coreos_installer_t)
+')