diff --git a/policy/modules/contrib/ipa.if b/policy/modules/contrib/ipa.if
index 4c3a1fc02f..125062ede8 100644
--- a/policy/modules/contrib/ipa.if
+++ b/policy/modules/contrib/ipa.if
@@ -40,6 +40,27 @@ ifndef(`ipa_stream_connect_otpd',`
 ')
 ')
 
+########################################
+##
+## Send sigkill to ipa-otpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+ifndef(`ipa_sigkill_otpd',`
+ interface(`ipa_sigkill_otpd',`
+ gen_require(`
+ type ipa_otpd_t;
+ ')
+
+ allow $1 ipa_otpd_t:process sigkill;
+ ')
+')
+
 ########################################
 ##
 ## Connect to ipa-ods-exporter over a unix stream socket.
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 53d08a80fa..0592316b37 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -241,6 +241,10 @@ optional_policy(`
 ica_rw_map_tmpfs_files(sssd_t)
 ')
 
+optional_policy(`
+ ipa_sigkill_otpd(sssd_t)
+')
+
 optional_policy(`
 ldap_stream_connect(sssd_t)
 ldap_read_certs(sssd_t)
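Review bot: The doc block on the new `ipa_sigkill_otpd` interface in ipa.if says only `Send sigkill to ipa-otpd.`, which gives a later policy author nothing to weigh before handing it to another domain. The rule grants `ipa_otpd_t:process sigkill` to whatever is passed as `$1`, and SIGKILL cannot be caught, so the daemon gets no chance to finish or clean up. I would widen the summary to something like `Send sigkill to ipa-otpd (forced, uncatchable termination of the OTP daemon).` and state in the parameter description that the caller is expected to supervise ipa-otpd. The markup tags of the comment block are not visible in this rendering, so also confirm the summary and param elements are intact in the file.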
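Review bot: The new `optional_policy` block in sssd.te lets `sssd_t` SIGKILL `ipa_otpd_t`, but nothing visible in the hunk records which sssd code path sends that signal or which denial motivated the rule. If `sssd_t` is ever compromised, this permission lets it forcibly stop the OTP daemon, so the grant should be traceable and as narrow as the observed behaviour requires. I would add a line above the call such as `# sssd terminates ipa-otpd when <reason>; see <bug or AVC reference>` (placeholders to be filled in by the author). Please also confirm that the logged denial was for `sigkill` and not the catchable `signal` permission.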