diff --git a/policy/modules/contrib/sap.fc b/policy/modules/contrib/sap.fc
new file mode 100644
index 0000000000..d090733f68
--- /dev/null
+++ b/policy/modules/contrib/sap.fc
@@ -0,0 +1,20 @@
+### primary executables
+/usr/sap/hostctrl/exe/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+/usr/sap/H4C/HDB96/exe/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+
+### additional executables
+#/hana/shared/H66/HDB33/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+#/hana/shared/H66/exe(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
+
+### temporary files
+#/usr/sap/tmp(/.*)? gen_context(system_u:object_r:sap_tmp_t,s0)
+
+### work data
+#/usr/sap/hostctrl/work(/.*)? gen_context(system_u:object_r:sap_var_lib_t,s0)
+
+### hana logs
+#/hana/log/H66(/.*)? gen_context(system_u:object_r:sap_log_t,s0)
+
+### work data
+#/hana/data/H66(/.*)? gen_context(system_u:object_r:sap_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/sap.if b/policy/modules/contrib/sap.if
new file mode 100644
index 0000000000..d1bcf739d3
--- /dev/null
+++ b/policy/modules/contrib/sap.if
@@ -0,0 +1,39 @@
+## SAP policy
+
+######################################
+##
+## Execute sap in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sap_exec',`
+ gen_require(`
+ type sap_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sap_exec_t)
+')
+
+########################################
+##
+## Execute sap in sap unconfined domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`sap_unconfined_domtrans',`
+ gen_require(`
+ type sap_unconfined_t, sap_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sap_exec_t, sap_unconfined_t)
+')
diff --git a/policy/modules/contrib/sap.te b/policy/modules/contrib/sap.te
new file mode 100644
index 0000000000..8c400da86c
--- /dev/null
+++ b/policy/modules/contrib/sap.te
@@ -0,0 +1,16 @@
+policy_module(sap, 1.0)
+
+type sap_unconfined_t;
+type sap_exec_t;
+files_type(sap_exec_t);
+init_daemon_domain(sap_unconfined_t, sap_exec_t)
+
+#type sap_tmp_t;
+#files_tmp_file(sap_tmp_t);
+#manage_dirs_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
+#manage_files_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
+#files_tmp_filetrans(sap_unconfined_t, sap_tmp_t, { dir file })
+
+optional_policy(`
+ unconfined_domain(sap_unconfined_t)
+')