diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 4dd664606..407768b10 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -26,6 +26,7 @@
 /var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
 /var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/popularity-contest.* gen_context(system_u:object_r:cron_log_t,s0)
 /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
 /run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 45949bec5..915d3ad22 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -339,6 +339,7 @@ ifdef(`distro_debian',`
 allow crond_t self:process setrlimit;
 optional_policy(`
+ apt_domtrans(system_cronjob_t)
 apt_manage_cache(system_cronjob_t)
 apt_read_db(system_cronjob_t)
@@ -437,6 +438,7 @@ optional_policy(`
 ')
 optional_policy(`
+ init_dbus_chat(crond_t)
 systemd_dbus_chat_logind(system_cronjob_t)
 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 # so cron jobs can restart daemons
@@ -459,7 +461,7 @@ allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
 logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
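Review bot: The new `/var/log/popularity-contest.*` entry carries no file-type field, so unlike the `/var/log/rpmpkgs.* --` line right below it, it labels directories, symlinks and anything else matching the glob as cron_log_t rather than only regular files. If only the log and its rotated copies are meant, `/var/log/popularity-contest.* -- gen_context(system_u:object_r:cron_log_t,s0)` keeps it consistent with the neighbouring rpmpkgs entry. The unescaped dot follows the existing `/var/log/cron.*` pattern above, so that part is presumably deliberate.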
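Review bot: `apt_domtrans(system_cronjob_t)` is the only addition in this series without a why-comment, and it is a wider grant than the apt_manage_cache/apt_read_db calls beside it: every job running as system_cronjob_t may now transition into the apt domain, not merely touch apt's cache and database. A one-line comment naming the job that triggers it would make the grant reviewable, e.g. `# presumably the apt cron.daily job (apt-compat / unattended-upgrades) runs apt - confirm which`. The enclosing ifdef(`distro_debian') and optional_policy block start and end outside the hunk.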
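Review bot: `init_dbus_chat(crond_t)` is dropped into a block whose other rules all target system_cronjob_t, and it grants the daemon itself a two-way D-Bus channel to PID 1, whose bus API includes starting and stopping units; nothing in the hunk says which denial this resolves or why it is crond_t rather than the job domain that needs it. Add the AVC-derived reason above it, e.g. `# crond itself talks to systemd over the bus (confirm: which operation?)`, and if the real need is the daemon restarts covered by the `# so cron jobs can restart daemons` comment further down, the call probably belongs on system_cronjob_t next to that comment. The optional_policy block continues past the end of the hunk.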
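Review bot: Replacing `{ append_file_perms create_file_perms setattr_file_perms }` with `manage_file_perms` on cron_log_t adds read, write, rename and unlink, so every system cron job can now truncate or delete crond's own log under /var/log/cron.*, which the append-only rule was there to prevent; the change is type-wide, not limited to the popcon log that the .fc hunk labels. If the need is popcon rotating its log (rename/unlink), a dedicated type for the popcon files with manage rights would keep cron_log_t append-only, and if the wider grant is intended the line deserves a comment saying so: `# popcon rotates its own log (rename/unlink), so append-only is not enough`. The popcon motivation is inferred from the companion .fc hunk; confirm against the actual denials.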
@@ -491,6 +493,11 @@ allow system_cronjob_t cron_spool_t:file rw_file_perms;
 allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+# popcon wants to stat /proc/kmsg and /proc/kcore
+kernel_getattr_core_if(system_cronjob_t)
+kernel_getattr_message_if(system_cronjob_t)
+
+kernel_read_crypto_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
@@ -513,6 +520,8 @@ dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
+# for checkarray to write to sync_action
+dev_rw_sysfs(system_cronjob_t)
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
@@ -535,6 +544,7 @@ files_read_var_files(system_cronjob_t)
 files_dontaudit_search_pids(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
+files_read_var_lib_symlinks(system_cronjob_t)
 mls_file_read_to_clearance(system_cronjob_t)
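Review bot: `kernel_read_crypto_sysctls(system_cronjob_t)` is added after the popcon comment and a blank line with no note of which job reads /proc/sys/crypto, so it reads as unrelated to the stat-on-/proc/kmsg justification above it and cannot be tied back to a denial. A comment in the same style as the others in this patch, e.g. `# <job> reads /proc/sys/crypto/* - confirm which and why`, would keep the grant reviewable. The two getattr interfaces match their comment and are low impact.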
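Review bot: `dev_rw_sysfs(system_cronjob_t)` gives every root cron job write access to all of sysfs_t, not only the md/sync_action attribute the checkarray comment mentions; writable sysfs attributes reach device state, power management and kernel tunables, so the grant is far wider than its justification. It also makes the `dev_read_sysfs(system_cronjob_t)` line just above redundant, which should be dropped if the rw interface stays. Consider gating the write grant behind a tunable so hosts without md arrays do not carry it, and at least widen the comment to state the scope: `# for checkarray (mdadm cron job) to write md/sync_action; note this is rw on all of sysfs`.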