diff --git a/Makefile.am b/Makefile.am
index acda826621..9a78488f8a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3825,7 +3825,6 @@ dist_network_DATA = \
 	network/80-container-vz.network
 
 dist_udevrules_DATA += \
-	rules/50-udev-default.rules \
 	rules/60-block.rules \
 	rules/60-drm.rules \
 	rules/60-evdev.rules \
@@ -3843,6 +3842,7 @@ dist_udevrules_DATA += \
 	rules/80-net-setup-link.rules
 
 nodist_udevrules_DATA += \
+	rules/50-udev-default.rules \
 	rules/99-systemd.rules
 
 udevconfdir = $(sysconfdir)/udev
@@ -3853,6 +3853,7 @@ pkgconfigdata_DATA += \
 	src/udev/udev.pc
 
 EXTRA_DIST += \
+	rules/50-udev-default.rules.in \
 	rules/99-systemd.rules.in \
 	src/udev/udev.pc.in
 
@@ -6301,6 +6302,7 @@ substitutions = \
        '|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
        '|systemuidmax=$(SYSTEM_UID_MAX)|' \
        '|systemgidmax=$(SYSTEM_GID_MAX)|' \
+       '|DEV_KVM_MODE=$(DEV_KVM_MODE)|' \
        '|TTY_GID=$(TTY_GID)|' \
        '|systemsleepdir=$(systemsleepdir)|' \
        '|systemshutdowndir=$(systemshutdowndir)|' \
diff --git a/configure.ac b/configure.ac
index c0e5ec4fae..06fa908d43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1205,6 +1205,16 @@ AC_ARG_WITH(system-gid-max,
 AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
 AC_SUBST(SYSTEM_GID_MAX)
 
+# ------------------------------------------------------------------------------
+
+AC_ARG_WITH(dev-kvm-mode,
+        AS_HELP_STRING([--with-dev-kvm-mode=MODE],
+                [/dev/kvm access mode, defaults to "0660"]),
+        [DEV_KVM_MODE="$withval"],
+        [DEV_KVM_MODE="0660"])
+
+AC_SUBST(DEV_KVM_MODE, [$DEV_KVM_MODE], [/dev/kvm access mode])
+
 # ------------------------------------------------------------------------------
 have_localed=no
 AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
@@ -1767,6 +1777,7 @@ AC_MSG_RESULT([
         TTY GID:                           ${TTY_GID}
         maximum system UID:                ${SYSTEM_UID_MAX}
         maximum system GID:                ${SYSTEM_GID_MAX}
+        /dev/kvm access mode:              ${DEV_KVM_MODE}
         certificate root:                  ${CERTIFICATEROOT}
         support URL:                       ${SUPPORT_URL}
         nobody user name:                  ${NOBODY_USER_NAME}
diff --git a/rules/.gitignore b/rules/.gitignore
index 93a50ddd80..ea6e216bad 100644
--- a/rules/.gitignore
+++ b/rules/.gitignore
@@ -1 +1,2 @@
+/50-udev-default.rules
 /99-systemd.rules
diff --git a/rules/50-udev-default.rules b/rules/50-udev-default.rules.in
similarity index 98%
rename from rules/50-udev-default.rules
rename to rules/50-udev-default.rules.in
index 3347c8cd89..064f66a976 100644
--- a/rules/50-udev-default.rules
+++ b/rules/50-udev-default.rules.in
@@ -74,6 +74,8 @@ KERNEL=="tun", MODE="0666", OPTIONS+="static_node=net/tun"
 
 KERNEL=="fuse", MODE="0666", OPTIONS+="static_node=fuse"
 
+KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
+
 SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm"
 
 LABEL="default_end"
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index b2dc5ebd4f..7d6021e855 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -29,6 +29,7 @@ g dialout -     -            -
 g disk    -     -            -
 g input   -     -            -
 g lp      -     -            -
+g kvm     -     -            -
 g tape    -     -            -
 g video   -     -            -