diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 9e309fbfc..b800997f3 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -100,9 +100,17 @@ policycap cgroup_seclabel;
 policycap nnp_nosuid_transition;
 
 # Enable extended genfscon labeling for symlinks.
-# Requires libsepol 3.1 (estimated) and kernel 5.7 (estimated).
+# Requires libsepol 3.1 and kernel 5.7.
 #
 # Added checks:
 # (none)
 #
 #policycap genfs_seclabel_symlinks;
+
+# Always allow FIOCLEX and FIONCLEX ioctl.
+# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+#
+# Removed checks:
+# common file/socket: ioctl { 0x5450 0x5451 }
+#
+#policycap ioctl_skip_cloexec;
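Review bot: The `Removed checks` line in the new `ioctl_skip_cloexec` stanza identifies the two commands only by the numbers `0x5450 0x5451`, which are the asm-generic values of FIONCLEX and FIOCLEX (in that order, the reverse of the heading) and differ on some architectures. Because the stanza says these ioctls are always allowed once the capability is enabled, anyone auditing ioctl allowlists (`allowxperm` rules) needs to see at a glance which commands stop being mediated. Suggested wording: `# common file/socket: ioctl { 0x5450 0x5451 } (FIONCLEX/FIOCLEX, asm-generic numbering)`. The libsepol and kernel versions are still marked `(estimated)` and should be confirmed after release, as this same commit does for `genfs_seclabel_symlinks`.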