diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e971c5331..863c25d6e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -84,7 +84,7 @@ genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
 # kernel message interface
 type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
-neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read;
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 07529a5de..10e59cf62 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -745,7 +745,6 @@ kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
-kernel_unconfined(systemd_nspawn_t)
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)
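Review bot: The `+` line narrows the assertion so that only `read` on proc_kmsg_t:file is forbidden for domains outside can_receive_kernel_messages/kern_unconfined, whereas the old `~getattr` form also refused `open`, `write`, `ioctl` and every other file permission, so a future allow of one of those to an ordinary domain will no longer be caught at policy build time. If the intent is only to stop the rule from firing on harmless metadata/open access, a narrower relaxation such as `neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~{ getattr open };` keeps the guard on the remaining permissions. The second hunk drops systemd_nspawn_t from kern_unconfined, so that domain now falls under this assertion; presumably that is what motivated the loosening, and if so a one-line comment above the rule (`# only reading /proc/kmsg exposes kernel log content; other file perms are deliberately not asserted`) would record the intent for whoever edits it next.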