diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 7aea39b223..242d7f34e0 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in @@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES endif +config BR2_REFPOLICY_ENABLEAUDIT + bool "remove dontaudit rules from policy (debugging only)" + help + Remove dontaudit rules from policy.conf before compiling the + policy. This can be useful for debugging to see "denied" + audit log messages that would otherwise be hidden, which + show the cause of problems. + + Warning: This option will likely produce a high rate of + audit log messages, and should be enabled only for + debugging. + endif comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5" diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index be27147ec5..127faf793a 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD endef endif +ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y) +define REFPOLICY_CONFIGURE_ENABLEAUDIT + $(REFPOLICY_MAKE) -C $(@D) enableaudit +endef +endif + define REFPOLICY_CONFIGURE_CMDS $(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \ $(@D)/build.conf @@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS $(REFPOLICY_COPY_EXTRA_MODULES) ) $(REFPOLICY_MAKE) -C $(@D) bare conf + $(REFPOLICY_CONFIGURE_ENABLEAUDIT) $(REFPOLICY_CONFIGURE_MODULES) endef
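Review bot: The help text for BR2_REFPOLICY_ENABLEAUDIT should say what stripping dontaudit rules does and does not change, because "remove dontaudit rules from policy" reads as if the resulting policy were weaker; a dontaudit rule only suppresses the audit record for a denial, so removing it grants no access, the denial is still enforced and simply becomes visible. I would add after the first paragraph: `Removing these rules does not grant any additional access; the denials are still enforced, they are merely no longer hidden from the audit log.` The warning could also name the concrete consequence on a small embedded target, e.g. `On a target with limited or non-volatile log storage this can fill the audit log quickly.` The option appears to sit inside an `if` block that starts outside the hunk, so its dependency on the surrounding choice cannot be checked here.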
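Review bot: `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)` is called before `$(REFPOLICY_CONFIGURE_MODULES)`, yet refpolicy's `enableaudit` target filters the already generated policy.conf (the option's help text says as much) while the module step changes the module selection that policy.conf is generated from. If the later build regenerates policy.conf because its inputs changed, the dontaudit rules silently come back and the option becomes a no-op; if it does not, policy.conf was filtered before the configured modules were part of it — which of the two happens depends on refpolicy's own Makefile rules, which are not visible in the hunk, but either outcome argues for running the strip as the last configure step: `$(REFPOLICY_MAKE) -C $(@D) bare conf`, `$(REFPOLICY_CONFIGURE_MODULES)`, `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)`. The new define also carries no comment stating this requirement; I would add above it `# Strip dontaudit rules from the generated policy.conf; must run after all module configuration, once policy.conf is final`. `define REFPOLICY_CONFIGURE_CMDS` starts before the call-site hunk; only its tail through `endef` is shown.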