diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
index 62cd2e108..9228648d1 100644
--- a/src/selinux/swtpm.te
+++ b/src/selinux/swtpm.te
@@ -12,6 +12,8 @@ require {
 type virt_var_lib_t;
 type virtqemud_t;
 type virtqemud_tmp_t;
+ class file map;
+ tunable virt_use_nfs;
 }
 
 attribute_role swtpm_roles;
@@ -31,7 +33,7 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
 allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
 allow swtpm_t var_log_t:file open;
 allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
+allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };
 allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
 allow swtpm_t virtqemud_tmp_t:file { open write };
 allow swtpm_t svirt_image_t:file { open append }; # BZ2306817
@@ -44,3 +46,10 @@ files_read_etc_files(swtpm_t)
 auth_use_nsswitch(swtpm_t)
 miscfiles_read_localization(swtpm_t)
 
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(swtpm_t)
+ fs_manage_nfs_files(swtpm_t)
+ fs_read_nfs_symlinks(swtpm_t)
+ fs_mmap_nfs_files(swtpm_t)
+')
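Review bot: The new `map` permission on `virt_var_lib_t:file` is added without any rationale, while the neighbouring `svirt_image_t` rule in the same hunk records its trigger (`# BZ2306817`). Because this rule already grants `write` on the same type, `map` now lets swtpm_t create writable shared mappings of any virt_var_lib_t file, so the specific swtpm code path or denial that needs it should be recorded so the grant can be revisited, e.g. `allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map }; # map: swtpm mmap()s its state file (cite denial/bug)`. The rule also carries no `open`/`read`, which presumably come from an interface outside this hunk; worth confirming those are in place, since mmap() of a file needs an open descriptor and a dangling `map` would be dead policy.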
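Review bot: `fs_manage_nfs_files(swtpm_t)` in the new tunable_policy block is a domain-wide grant: nfs_t labels every NFS mount on the host, so with virt_use_nfs enabled swtpm_t can create, rename and delete files on any NFS export, not only its own TPM state directory. That is the same trade-off the virt/svirt policy makes under this tunable and cannot be narrowed without a context= mount, but the policy should say so, e.g. `# TPM state may live on NFS; nfs_t covers every mount, so this is broader than the state dir` above the block. If the state backend also stats the filesystem, `fs_getattr_nfs(swtpm_t)` may be needed as well; this should be confirmed against the audit log of an NFS-backed test rather than assumed.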