diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 9bfe3aa2..28e5606f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -37,6 +37,7 @@
 	apt (Erich Schubert)
 	asterisk
 	audioentropy
+	backup
 	calamaris
 	cipe
 	clamav (Erich Schubert)
diff --git a/refpolicy/policy/modules/admin/backup.fc b/refpolicy/policy/modules/admin/backup.fc
new file mode 100644
index 00000000..3096ad4c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/backup.fc
@@ -0,0 +1,7 @@
+# backup
+# label programs that do backups to other files on disk (IE a cron job that
+# calls tar) in backup_exec_t and label the directory for storing them as
+# backup_store_t, Debian uses /var/backups
+
+#/usr/local/bin/backup-script	--	gen_require(system_u:object_r:backup_exec_t,s0)
+/var/backups(/.*)?			gen_require(system_u:object_r:backup_store_t,s0)
diff --git a/refpolicy/policy/modules/admin/backup.if b/refpolicy/policy/modules/admin/backup.if
new file mode 100644
index 00000000..64beebea
--- /dev/null
+++ b/refpolicy/policy/modules/admin/backup.if
@@ -0,0 +1,53 @@
+## <summary>System backup scripts</summary>
+
+########################################
+## <summary>
+##	Execute backup in the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_domtrans',`
+	gen_require(`
+		type backup_t, backup_exec_t;
+	')
+
+	domain_auto_trans($1,backup_exec_t,backup_t)
+	allow backup_t $1:fd use;
+	allow backup_t $1:fifo_file rw_file_perms;
+	allow backup_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute backup in the backup domain, and
+##	allow the specified role the backup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the backup domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`backup_run',`
+	gen_require(`
+		type backup_t;
+	')
+
+	backup_domtrans($1)
+	role $2 types backup_t;
+	allow backup_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/admin/backup.te b/refpolicy/policy/modules/admin/backup.te
new file mode 100644
index 00000000..46b1ba3c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/backup.te
@@ -0,0 +1,85 @@
+
+policy_module(backup,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type backup_t;
+type backup_exec_t;
+domain_type(backup_t)
+domain_entry_file(backup_t,backup_exec_t)
+role system_r types backup_t;
+
+type backup_store_t;
+files_type(backup_store_t)
+
+########################################
+#
+# Local policy
+#
+
+allow backup_t self:capability dac_override;
+allow backup_t self:process signal;
+allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:tcp_socket create_socket_perms;
+allow backup_t self:udp_socket create_socket_perms;
+
+allow backup_t backup_store_t:dir ra_dir_perms;
+allow backup_t backup_store_t:file { create rw_file_perms setattr };
+allow backup_t backup_store_t:lnk_file { getattr read };
+
+kernel_read_system_state(backup_t)
+kernel_read_kernel_sysctls(backup_t)
+
+corecmd_exec_bin(backup_t)
+
+corenet_non_ipsec_sendrecv(backup_t)
+corenet_tcp_sendrecv_generic_if(backup_t)
+corenet_udp_sendrecv_generic_if(backup_t)
+corenet_raw_sendrecv_generic_if(backup_t)
+corenet_tcp_sendrecv_all_nodes(backup_t)
+corenet_udp_sendrecv_all_nodes(backup_t)
+corenet_raw_sendrecv_all_nodes(backup_t)
+corenet_tcp_sendrecv_all_ports(backup_t)
+corenet_udp_sendrecv_all_ports(backup_t)
+corenet_tcp_bind_all_nodes(backup_t)
+corenet_udp_bind_all_nodes(backup_t)
+corenet_tcp_connect_all_ports(backup_t)
+
+dev_getattr_all_blk_files(backup_t)
+dev_getattr_all_chr_files(backup_t)
+# for SSP
+dev_read_urand(backup_t)
+
+domain_use_interactive_fds(backup_t)
+
+files_read_all_files(backup_t)
+files_read_all_symlinks(backup_t)
+files_getattr_all_pipes(backup_t)
+files_getattr_all_sockets(backup_t)
+
+fs_getattr_xattr_fs(backup_t)
+fs_list_all(backup_t)
+
+auth_read_shadow(backup_t)
+
+libs_use_ld_so(backup_t)
+libs_use_shared_libs(backup_t)
+
+logging_send_syslog_msg(backup_t)
+
+sysnet_read_config(backup_t)
+
+optional_policy(`
+	cron_system_entry(backup_t,backup_exec_t)
+')
+
+optional_policy(`
+	hostname_exec(backup_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(backup_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 9772294e..6bb7a97f 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.17)
+policy_module(userdomain,1.3.18)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -211,6 +211,10 @@ ifdef(`targeted_policy',`
 		apt_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`
+		backup_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`
 		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
 	')