diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2d..a4c78af90 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -152,6 +152,9 @@ optional_policy(`
 # is handled in the interface as typeattribute cannot
 # be used on an attribute.
 
+# unconfined access to bpf
+allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
+
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
 allow unconfined_domain_type domain:rawip_socket node_bind;
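Review bot: The comment `# unconfined access to bpf` on the added rule does not say that the target is `domain`, so every unconfined domain may create and load bpf objects and read, write or run maps and programs labeled with any domain's type, not only its own. I would spell that out in the style of the socket comment below it, e.g. `# Create/load bpf objects and use bpf maps and programs labeled with any domain type.`. The five permissions are listed explicitly, so a permission added to the bpf class later would not be covered by this rule; if that is deliberate, the comment should say so. Since the rule removes the SELinux check for these domains, bpf use by unconfined processes will produce no denials, and any monitoring of it presumably has to come from syscall auditing instead. The comment block above the rule begins outside the hunk.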