diff --git a/resources/selinux/.gitignore b/resources/selinux/.gitignore
new file mode 100644
--- /dev/null
+++ b/resources/selinux/.gitignore
@@ -0,0 +1,2 @@
+tmp/
+*.pp
diff --git a/resources/selinux/README b/resources/selinux/README
new file mode 100644
--- /dev/null
+++ b/resources/selinux/README
@@ -0,0 +1,27 @@
+There are systems with selinux alwasys-on policy - really!
+
+So phabricator needs a selinux policy.
+
+Default paths for file contexts:
+/opt/phacility/{libphutil,arcanist,phabricator}
+
+Compile SELinux modules
+
+make -f /usr/share/selinux/devel/Makefile libphutil.pp
+make -f /usr/share/selinux/devel/Makefile arcanist.pp
+make -f /usr/share/selinux/devel/Makefile phabricator.pp
+
+
+Enable SELinux modules
+
+semodule -i libphutil.pp
+semodule -i arcanist.pp
+semodule -i phabricator.pp
+
+
+Relabel phabricator files:
+
+restorecon -R /opt/phacility
+
+# if you use the https://github.com/vinzent/phabricator/tree/master/resources/rhel rpm:
+restorecon -R /etc/init.d/phabricator
diff --git a/resources/selinux/arcanist.fc b/resources/selinux/arcanist.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.fc
@@ -0,0 +1,2 @@
+/opt/phacility/arcanist(/.*)? gen_context(system_u:object_r:arcanist_t,s0)
+/opt/phacility/arcanist/bin/.* -- gen_context(system_u:object_r:arcanist_exec_t,s0)
diff --git a/resources/selinux/arcanist.if b/resources/selinux/arcanist.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.if
@@ -0,0 +1,35 @@
+## arcanist policy
+##
+##

+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+##

+##

+## This policy supports the following myapp features:
+##

+##

+##
+
+########################################
+##
+## Execute a domain transition to run arcanist.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`arcanist_domtrans',`
+ gen_requires(`
+ type arcanist_t, arcanist_exec_t;
+ ')
+
+ domtrans_pattern($1,arcanist_exec_t,arcanist_t)
+')
+
diff --git a/resources/selinux/arcanist.te b/resources/selinux/arcanist.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/arcanist.te
@@ -0,0 +1,24 @@
+policy_module(arcanist,0.3)
+
+gen_require(`
+ type libphutil_t;
+ type unconfined_t;
+')
+
+
+# Private type declarations
+type arcanist_t;
+type arcanist_exec_t;
+
+type arcanist_etc_t;
+files_config_file(arcanist_etc_t)
+
+type arcanist_log_t;
+logging_log_file(arcanist_log_t)
+
+# ----
+
+# access libphutil
+read_files_pattern(arcanist_t,libphutil_t,libphutil_t)
+
+can_exec(unconfined_t, arcanist_t)
diff --git a/resources/selinux/libphutil.fc b/resources/selinux/libphutil.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.fc
@@ -0,0 +1 @@
+/opt/phacility/libphutil(/.*)? gen_context(system_u:object_r:libphutil_t,s0)
diff --git a/resources/selinux/libphutil.if b/resources/selinux/libphutil.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.if
@@ -0,0 +1,17 @@
+## libphutil policy
+##
+##
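Review bot: The macro name `gen_requires` inside `arcanist_domtrans` is not the refpolicy support macro; the .te files on this page use `gen_require`, and m4 leaves an unknown name unexpanded, so the first module that calls this interface should fail to compile — change the line to use `gen_require`. The same misspelling is in `phabricator_domtrans` in phabricator.if. The description header of arcanist.if, libphutil.if and phabricator.if still contains the refpolicy template placeholder ("More descriptive text about myapp…"), which should be replaced by one or two sentences saying what each module labels and which domains it confines.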
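Review bot: `type arcanist_t;` and `type arcanist_exec_t;` are bare declarations although arcanist.fc applies both to on-disk files, so neither carries the `file_type` attribute that refpolicy's generic file interfaces and `unconfined_domain()` are written against; declare them with `files_type(arcanist_t)` and `application_executable_file(arcanist_exec_t)`, as phabricator.te does for `phabricator_var_lib_t`. arcanist.if also uses `arcanist_t` as the target domain of `domtrans_pattern`, which conflicts with the same type labeling the source tree — a process domain and a content type should be two types. The hard `type unconfined_t;` in `gen_require` makes `semodule -i arcanist.pp` fail on a policy without the unconfined module, and `can_exec(unconfined_t, arcanist_t)` should become redundant once arcanist_t is a file_type; drop it, or wrap it in `optional_policy(` if it must stay. `arcanist_etc_t` and `arcanist_log_t` are declared but appear in no .fc entry and no rule, so they currently label nothing.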

+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+##

+##

+## This policy supports the following myapp features:
+##

+##

+##
+
diff --git a/resources/selinux/libphutil.te b/resources/selinux/libphutil.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/libphutil.te
@@ -0,0 +1,7 @@
+policy_module(libphutil,0.1)
+
+# Private type declarations
+type libphutil_t;
+
+# ----
+
diff --git a/resources/selinux/phabricator.fc b/resources/selinux/phabricator.fc
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/phabricator gen_context(system_u:object_r:phabricator_initrc_exec_t,s0)
+/opt/phacility/phabricator(/.*)? gen_context(system_u:object_r:phabricator_t,s0)
+/opt/phacility/phabricator/bin/.* gen_context(system_u:object_r:phabricator_exec_t,s0)
+/opt/phacility/phabricator/conf/local(/.*)? gen_context(system_u:object_r:phabricator_etc_t,s0)
+/var/lib/phabricator(/.*)? gen_context(system_u:object_r:phabricator_var_lib_t,s0)
+/var/log/phabricator(/.*)? gen_context(system_u:object_r:phabricator_log_t,s0)
diff --git a/resources/selinux/phabricator.if b/resources/selinux/phabricator.if
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.if
@@ -0,0 +1,35 @@
+## Phabricator policy
+##
+##
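Review bot: `type libphutil_t;` is declared bare although libphutil.fc labels all of /opt/phacility/libphutil with it, so the type has no `file_type` attribute and falls outside every refpolicy interface written against that attribute (including the access the unconfined domains get); add `files_type(libphutil_t)` after the declaration, as phabricator.te already does for `phabricator_var_lib_t`. Since only read rules on `libphutil_t` appear anywhere on this page, a short comment such as `# code-only tree: no confined domain may write it` would make that intent explicit for the next editor.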
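Review bot: `/opt/phacility/phabricator/bin/.*` lacks the `--` file-type qualifier that the matching `/opt/phacility/arcanist/bin/.* --` entry in arcanist.fc has, so directories and symlinks under bin/ would also be labeled `phabricator_exec_t`; use `/opt/phacility/phabricator/bin/.* -- gen_context(system_u:object_r:phabricator_exec_t,s0)`. conf/local gets the separate `phabricator_etc_t` label, but phabricator.te grants httpd_t reads only on `phabricator_t`, `phabricator_var_lib_t`, `arcanist_t` and `libphutil_t`, so the web server presumably cannot open that configuration unless it already reads the `configfile` attribute through another rule — worth confirming against the AVC log before merging.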

+## More descriptive text about myapp. The desc
+## tag can also use p, ul, and ol
+## html tags for formatting.
+##

+##

+## This policy supports the following myapp features:
+##

+##

+##
+
+########################################
+##
+## Execute a domain transition to run phabricator.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`phabricator_domtrans',`
+ gen_requires(`
+ type phabricator_t, phabricator_exec_t;
+ ')
+
+ domtrans_pattern($1,phabricator_exec_t,phabricator_t)
+')
+
diff --git a/resources/selinux/phabricator.te b/resources/selinux/phabricator.te
new file mode 100644
--- /dev/null
+++ b/resources/selinux/phabricator.te
@@ -0,0 +1,63 @@
+policy_module(phabricator,0.9)
+
+gen_require(`
+ type libphutil_t;
+ type arcanist_t;
+ type httpd_t;
+')
+
+
+# Private type declarations
+type phabricator_t;
+type phabricator_exec_t;
+
+type phabricator_etc_t;
+files_config_file(phabricator_etc_t)
+
+type phabricator_initrc_exec_t;
+
+type phabricator_log_t;
+logging_log_file(phabricator_log_t)
+
+type phabricator_tmp_t;
+files_tmp_file(phabricator_tmp_t)
+
+type phabricator_var_lib_t;
+files_type(phabricator_var_lib_t)
+
+type phabricator_var_run_t;
+files_pid_file(phabricator_var_run_t)
+
+# ----
+
+# Init scripts
+init_daemon_domain(phabricator_t, phabricator_exec_t)
+init_script_file(phabricator_initrc_exec_t)
+init_all_labeled_script_domtrans(phabricator_t)
+init_domtrans_script(phabricator_t)
+init_read_utmp(phabricator_t)
+init_signull_script(phabricator_t)
+
+
+# access libphutil
+read_files_pattern(phabricator_t,libphutil_t,libphutil_t)
+
+# read configs
+read_files_pattern(phabricator_t,phabricator_etc_t,phabricator_etc_t)
+
+# create/read logfiles
+create_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+append_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+read_files_pattern(phabricator_t,phabricator_log_t,phabricator_log_t)
+logging_log_filetrans(phabricator_t,phabricator_log_t, { file dir })
+
+# allow httpd
+read_files_pattern(httpd_t,arcanist_t,arcanist_t)
+read_files_pattern(httpd_t,libphutil_t,libphutil_t)
+read_files_pattern(httpd_t,phabricator_t,phabricator_t)
+read_files_pattern(httpd_t,phabricator_var_lib_t,phabricator_var_lib_t)
+allow httpd_t arcanist_t:dir read;
+allow httpd_t libphutil_t:dir read;
+allow httpd_t phabricator_t:dir read;
+allow httpd_t phabricator_var_lib_t:dir read;
+
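Review bot: `init_daemon_domain(phabricator_t, phabricator_exec_t)` makes `phabricator_t` the daemon's process domain while phabricator.fc uses the same type to label the whole /opt/phacility/phabricator tree; refpolicy normally gives every domain `self:file rw_file_perms` for its /proc/<pid> entries, so if that applies here the daemon can modify its own code, and `read_files_pattern(httpd_t,phabricator_t,phabricator_t)` then also exposes the daemon's /proc entries to httpd_t — split this into a domain type and a separate content type declared with `files_type()`. `init_all_labeled_script_domtrans(phabricator_t)` and `init_domtrans_script(phabricator_t)` let the daemon run any init script on the system, far more than a web-application daemon should hold; grant only the specific service interaction that is actually needed. `phabricator_tmp_t` and `phabricator_var_run_t` are declared but no rule gives phabricator_t manage permissions or a `files_tmp_filetrans`/`files_pid_filetrans` on them, and the domain gets no access at all to `phabricator_var_lib_t`, so those paths only work if something outside this module allows them. The four `allow httpd_t …:dir read;` lines would be clearer as `list_dirs_pattern(httpd_t, X, X)` beside the matching `read_files_pattern` calls.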