diff --git a/policy/Makefile b/policy/Makefile
index 9214baa..a6a86d0 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -4,9 +4,13 @@ DENY_POLICIES := blastwall-alg-socket-deny blastwall-bpf-deny blastwall-policy-s
 VERSION := 0.5.2
 SELINUX_DEVEL ?= /usr/share/selinux/devel
+ROLE_CIL := blastwall-role.cil
 SUPPORT_CIL := $(addsuffix .cil,$(SUPPORT_POLICIES))
 DENY_CIL := $(addsuffix .cil,$(DENY_POLICIES))
-ALL_CIL := $(SUPPORT_CIL) $(DENY_CIL)
+ALL_CIL := $(ROLE_CIL) $(SUPPORT_CIL) $(DENY_CIL)
+CONTEXT_FILE := contexts/blastwall_u
+CONTEXT_DIR := /etc/selinux/targeted/contexts/users
+SELINUX_MCS ?= s0
 .PHONY: all clean install uninstall check
@@ -22,11 +26,17 @@ check:
 install: $(POLICY).pp
 semodule -i $(POLICY).pp $(ALL_CIL)
+ install -m 0644 $(CONTEXT_FILE) $(CONTEXT_DIR)/blastwall_u
+ semanage user -a -R "blastwall_r" -r "$(SELINUX_MCS)" blastwall_u 2>/dev/null || \
+ semanage user -m -R "blastwall_r" -r "$(SELINUX_MCS)" blastwall_u
 uninstall:
 @for p in $(DENY_POLICIES); do semodule -r $$p 2>/dev/null || true; done
 @for p in $(SUPPORT_POLICIES); do semodule -r $$p 2>/dev/null || true; done
+ -semodule -r blastwall-role
 -semodule -r $(POLICY)
+ -semanage user -d blastwall_u 2>/dev/null
+ -rm -f $(CONTEXT_DIR)/blastwall_u
 clean:
 rm -f *.pp *.mod *.fc.tmp
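Review bot: In the first hunk, `CONTEXT_DIR` is fixed to the `targeted` policy store and assigned with `:=`, unlike `SELINUX_DEVEL` and `SELINUX_MCS` beside it, which use `?=`. On a host whose active policy type is not `targeted`, the `install` recipe in the second hunk would put the `blastwall_u` default-contexts file in a store that is not in use, so the confined user would presumably not get the intended login contexts. Consider `SELINUXTYPE ?= targeted` and `CONTEXT_DIR ?= /etc/selinux/$(SELINUXTYPE)/contexts/users`, with a comment stating that the value must match `SELINUXTYPE` in `/etc/selinux/config`. The variable block begins above this hunk, so an equivalent setting may already be defined there.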
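Review bot: In the `uninstall` recipe of the second hunk, `-semodule -r blastwall-role` runs before `-semanage user -d blastwall_u`, so the role module is removed while the SELinux user still references `blastwall_r`; that removal is likely to be rejected at policy rebuild, and the `-` prefix hides the failure, leaving the role module loaded. Move `-semanage user -d blastwall_u 2>/dev/null` to the top of the recipe, ahead of the `semodule -r` loops. In `install`, `2>/dev/null ||` sends every failure of `semanage user -a` to the `-m` fallback, not only the "user already exists" case, and discards the message that would explain it; dropping the redirect keeps the first error visible. A short comment above the `semanage` pair saying that the add-then-modify form exists to make `install` re-runnable would document the intent.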