diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2e2af528be..d8bb82e7aa 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1765,8 +1765,12 @@ interface(`files_relabel_all_files',`
relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
# satisfy the assertions:
- seutil_relabelto_bin_policy($1)
- auth_relabelto_shadow($1)
+ optional_policy(`
+ seutil_relabelto_bin_policy($1)
+ ')
+ optional_policy(`
+ auth_relabelto_shadow($1)
+ ')
')
########################################
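Review bot: The comment `# satisfy the assertions:` above the two new optional_policy blocks does not say which assertions are meant or why the calls are now optional. Judging by the interface names, the two calls let every caller of files_relabel_all_files relabel files to the binary-policy and shadow types, apparently regardless of any exclusions passed in `$2`. That should be confirmed against the two interface bodies, which are outside this diff. I would expand the comment to `# satisfy the neverallow assertions on relabeling to binary policy and shadow files;` followed by `# optional so the interface still builds when selinuxutil or authlogin is not part of the policy`. The interface begins above the hunk, so its earlier rules are not visible here.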
@@ -1835,6 +1839,44 @@ interface(`files_manage_all_files',`
')
')
+########################################
+##
+## Manage all block device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_blk_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_blk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+##
+## Manage all character device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_chr_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_chr_files_pattern($1, file_type, file_type)
+')
+
########################################
##
## Grant execute access to all files on the filesystem,
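Review bot: Neither files_manage_all_blk_files nor files_manage_all_chr_files accepts an exclusion argument, whereas the relabel interface in the first hunk uses `{ file_type $2 }`. A caller therefore cannot carve out any type and always gets the full set. The manage patterns include create, so the grant covers creating block or character device nodes under every file_type label, not only touching existing ones. I would either accept an optional second parameter, `manage_blk_files_pattern($1, { file_type $2 }, { file_type $2 })` and the same for the chr variant, or state in the summary text that the interface is unrestricted and meant for fully trusted domains only. A device node labeled with an ordinary file type is reached through that type's rules rather than the device-node rules, so it helps if each caller of these interfaces is easy to find and justify.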
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ccb914f4a4..9bb09e25f1 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -385,6 +385,9 @@ domain_rw_all_sockets(kernel_t)
domain_obj_id_change_exemption(kernel_t)
files_manage_all_files(kernel_t)
+files_manage_all_blk_files(kernel_t)
+files_manage_all_chr_files(kernel_t)
+files_relabel_all_files(kernel_t)
# The 'execute' permission on lower inodes is checked against the mounter
# cred by overlayfs, so we need to grant it to allow overlay mounts created
# during early boot to work.
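Review bot: The three added calls on kernel_t have no comment explaining why they are needed, unlike the overlayfs grant just below them, which documents its reason. Between them they allow kernel_t to create and manage device nodes under any file_type label and to relabel every file. The relabel call passes no exclusions, so when the optional blocks from the first hunk are active it appears to include relabeling to the shadow and binary-policy types. I would put a why-comment above the new lines in the same style as the overlayfs one, for example `# Needed so that <kernel operation> can create and relabel device nodes during <phase>; see <bug reference>`, with the placeholders filled in by the author. If only one of manage or relabel is actually required by that operation, dropping the other would keep the grant narrower.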