diff --git a/files/osa-nova.te b/files/osa-nova.te
new file mode 100644
index 00000000..4bd6135a
--- /dev/null
+++ b/files/osa-nova.te
@@ -0,0 +1,42 @@
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module osa-nova 1.0;
+
+require {
+ type nova_var_lib_t;
+ type virtd_t;
+ type svirt_tcg_t;
+ type virtlogd_t;
+ class capability dac_override;
+ class file { append create getattr open read unlink };
+ class dir { add_name remove_name search write };
+}
+
+# NOTE(mhayden): These policies give non-KVM qemu instances the ability to use
+# the execmem() syscall and perform other actions. This affects deployers who
+# do not have native KVM capabilities on the hypervisor (such as the
+# OpenStack) gate jobs.
+#============= svirt_tcg_t ==============
+allow svirt_tcg_t virtd_t:dir search;
+allow svirt_tcg_t virtd_t:file read;
+allow svirt_tcg_t virtd_t:file { getattr open };
+
+# NOTE(mhayden): This set of policies allows virtlogd (the daemon that
+# handles console logs for KVM instances) to take various actions under
+# /var/log/nova.
+#============= virtlogd_t ==============
+allow virtlogd_t nova_var_lib_t:dir { add_name remove_name search write };
+allow virtlogd_t nova_var_lib_t:file { append create getattr open unlink };
+allow virtlogd_t self:capability dac_override;
diff --git a/tasks/nova_selinux.yml b/tasks/nova_selinux.yml
index daa6ce20..57e39b6b 100644
--- a/tasks/nova_selinux.yml
+++ b/tasks/nova_selinux.yml
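Review bot: `allow virtlogd_t self:capability dac_override;` grants virtlogd a blanket bypass of discretionary file-permission checks, which is far broader than the dir/file rules above it need; if virtlogd cannot write its console logs because of ownership or mode on the target directory, fixing that ownership (or the file context) is the least-privilege fix, and dac_override should only stay with a comment naming the specific denial it resolves. The comment over that block says the rules act "under /var/log/nova", yet the type they are written against is `nova_var_lib_t`, so either the comment or the type is wrong and the mismatch should be settled before merge. Likewise the svirt_tcg_t comment describes granting "the execmem() syscall", but no `process execmem` permission appears in the `require` block or the rules — the three `allow svirt_tcg_t virtd_t:...` lines only grant search, read, getattr and open — so the comment should describe what is actually allowed, e.g. `# NOTE: lets TCG (non-KVM) qemu instances search directories and read files labelled virtd_t`. The two `allow svirt_tcg_t virtd_t:file` lines can also be folded into one rule, `allow svirt_tcg_t virtd_t:file { getattr open read };`.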
@@ -42,3 +42,23 @@
 command: restorecon -R /var/lib/nova
 when:
 - selinux_equivalence | changed or selinux_file_context_ssh_keys | changed
+
+- name: Copy OSA SELinux policy
+ copy:
+ src: osa-nova.te
+ dest: /tmp/osa-nova.te
+
+# NOTE(mhayden): Linting checks are skipped here because there isn't a
+# reliable way to determine if this SELinux module is newer than the one that
+# is currently in use on the system. The linter expects there to be a
+# "creates" argument below.
+- name: Compile new SELinux policy
+ command: "{{ item }}"
+ args:
+ chdir: "/tmp/"
+ with_items:
+ - checkmodule -M -m -o osa-nova.mod osa-nova.te
+ - semodule_package -o osa-nova.pp -m osa-nova.mod
+ - semodule -i osa-nova.pp
+ tags:
+ - skip_ansible_lint
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 00e85e27..9e8c1c45 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -55,7 +55,6 @@ nova_compute_kvm_distro_packages:
 - libvirt-devel
 - libvirt-python
 - nfs-utils
- - openstack-selinux
 - python-libguestfs
 - qemu-img-ev
 - sysfsutils
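Review bot: The policy source and the compiled .mod/.pp are staged in the world-writable /tmp (`dest: /tmp/osa-nova.te`, `chdir: "/tmp/"`), and `semodule -i osa-nova.pp` then loads whatever is in that directory as root, so an unprivileged local user who pre-creates or swaps those files between the copy and the install steps could get an arbitrary policy module loaded. Stage the files in a root-owned directory with a restrictive mode — created by a `file` task, or by a `tempfile` task with `state: directory` — set `owner`/`group`/`mode` on the `copy`, and point `chdir` at that directory. The `semodule -i` step also runs on every play, as the NOTE acknowledges; a `changed_when` against the output of `semodule -l` would make the task idempotent, though that is secondary to the staging location. The first three context lines of this hunk belong to a task whose start lies outside the hunk.
```yaml
- name: Create staging directory for OSA SELinux policy
  file:
    path: /var/lib/osa-selinux   # constructed example path; any root-owned dir works
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Copy OSA SELinux policy
  copy:
    src: osa-nova.te
    dest: /var/lib/osa-selinux/osa-nova.te
    owner: root
    group: root
    mode: "0600"

# … unchanged: NOTE(mhayden) comment about skipped linting …
- name: Compile new SELinux policy
  command: "{{ item }}"
  args:
    chdir: /var/lib/osa-selinux
  # … unchanged: with_items, tags …
```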