diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 12e02dbc9f..ccc1d1a0fc 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -706,6 +706,10 @@ optional_policy(`
oident_admin(cloud_init_t, system_r)
')
+optional_policy(`
+ openarc_admin(cloud_init_t, system_r)
+')
+
optional_policy(`
openct_admin(cloud_init_t, system_r)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 69777df206..acf2c67aec 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -749,6 +749,10 @@ optional_policy(`
ooffice_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
+optional_policy(`
+ openarc_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
openct_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/services/openarc.fc b/policy/modules/services/openarc.fc
new file mode 100644
index 0000000000..a3315600a2
--- /dev/null
+++ b/policy/modules/services/openarc.fc
@@ -0,0 +1,13 @@
+/etc/openarc/keys(/.*)? gen_context(system_u:object_r:openarc_milter_private_key_t,s0)
+
+/etc/rc\.d/init\.d/openarc -- gen_context(system_u:object_r:openarc_milter_initrc_exec_t,s0)
+
+/usr/bin/openarc -- gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/usr/lib/systemd/system/openarc\.service -- gen_context(system_u:object_r:openarc_milter_unit_t,s0)
+
+/usr/sbin/openarc -- gen_context(system_u:object_r:openarc_milter_exec_t,s0)
+
+/run/openarc(/.*)? gen_context(system_u:object_r:openarc_milter_data_t,s0)
+
+/var/run/openarc(/.*)? gen_context(system_u:object_r:openarc_milter_data_t,s0)
diff --git a/policy/modules/services/openarc.if b/policy/modules/services/openarc.if
new file mode 100644
index 0000000000..ca188094fc
--- /dev/null
+++ b/policy/modules/services/openarc.if
@@ -0,0 +1,74 @@
+## Authenticated Received Chain milter.
+
+########################################
+##
+## Allow a domain to talk to OpenARC via Unix domain socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openarc_stream_connect',`
+ gen_require(`
+ type openarc_milter_data_t, openarc_milter_t;
+ ')
+
+ stream_connect_pattern($1, openarc_milter_data_t, openarc_milter_data_t, openarc_milter_t)
+')
+
+########################################
+##
+## Reload the openarc service (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openarc_reload',`
+ gen_require(`
+ type openarc_milter_unit_t;
+ class service { reload status };
+ ')
+
+ allow $1 openarc_milter_unit_t:service { reload status };
+')
+
+
+########################################
+##
+## All of the rules required to
+## administrate an OpenARC environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`openarc_admin',`
+ gen_require(`
+ type openarc_milter_t, openarc_milter_initrc_exec_t, openarc_milter_private_key_t;
+ type openarc_milter_data_t;
+ ')
+
+ allow $1 openarc_milter_t:process { ptrace signal_perms };
+ ps_process_pattern($1, openarc_milter_t)
+
+ init_startstop_service($1, $2, openarc_milter_t, openarc_milter_initrc_exec_t)
+
+ files_search_etc($1)
+ admin_pattern($1, openarc_milter_private_key_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, openarc_milter_data_t)
+')
diff --git a/policy/modules/services/openarc.te b/policy/modules/services/openarc.te
new file mode 100644
index 0000000000..e27555141e
--- /dev/null
+++ b/policy/modules/services/openarc.te
@@ -0,0 +1,62 @@
+policy_module(openarc)
+
+########################################
+#
+# Declarations
+#
+
+milter_template(openarc)
+
+type openarc_milter_initrc_exec_t;
+init_script_file(openarc_milter_initrc_exec_t)
+
+type openarc_milter_private_key_t;
+files_security_file(openarc_milter_private_key_t)
+
+type openarc_milter_unit_t;
+init_unit_file(openarc_milter_unit_t)
+
+init_daemon_runtime_file(openarc_milter_data_t, dir, "openarc")
+
+########################################
+#
+# Local policy
+#
+
+allow openarc_milter_t self:capability { dac_override dac_read_search setgid setuid };
+allow openarc_milter_t self:process { getsched signal signull };
+allow openarc_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(openarc_milter_t, openarc_milter_private_key_t, openarc_milter_private_key_t)
+
+# /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(openarc_milter_t)
+kernel_read_vm_overcommit_sysctl(openarc_milter_t)
+
+corecmd_exec_shell(openarc_milter_t)
+
+corenet_udp_bind_generic_node(openarc_milter_t)
+corenet_udp_bind_all_unreserved_ports(openarc_milter_t)
+corenet_udp_bind_generic_port(openarc_milter_t)
+
+dev_read_urand(openarc_milter_t)
+# for cpu/online
+dev_read_sysfs(openarc_milter_t)
+
+files_runtime_filetrans(openarc_milter_t, openarc_milter_data_t, { dir file })
+files_read_usr_files(openarc_milter_t)
+files_search_spool(openarc_milter_t)
+
+miscfiles_read_generic_certs(openarc_milter_t)
+
+# Allow OpenARC to send a message to Postmaster in case of an invalid ARC signature.
+mta_sendmail_exec(openarc_milter_t)
+
+optional_policy(`
+ mta_read_config(openarc_milter_t)
+')
+
+optional_policy(`
+ # set up unix socket
+ postfix_search_spool(openarc_milter_t)
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 23a5461af6..6c3b677ae5 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -418,6 +418,10 @@ optional_policy(`
dkim_stream_connect(postfix_cleanup_t)
')
+optional_policy(`
+ openarc_stream_connect(postfix_cleanup_t)
+')
+
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')