diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 426122604..24e7c4fd4 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -216,6 +216,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',`
dontaudit $1 bin_t:file getattr_file_perms;
')
+########################################
+##
+## Check if files in bin directories are executable (DAC-wise)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_check_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:file { execute getattr };
+')
+
########################################
##
## Read files in bin directories.
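Review bot: The summary of `corecmd_check_exec_bin_files` describes a check, but `allow $1 bin_t:file { execute getattr };` grants the real `execute` permission on every `bin_t` file, because SELinux has no check-only form of it. The description should say what is granted and what is deliberately withheld, so that reviewers of calling modules do not read it as harmless. For example: `## Grants execute and getattr, but not execute_no_trans, so the caller cannot run these files in its own domain.` It may also be worth confirming whether callers reach binaries through `bin_t` symlinks, since no `lnk_file` permission is granted here.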
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9dc456ebd..7ea4976df 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1798,6 +1798,24 @@ interface(`fs_relabelfrom_dos_fs',`
allow $1 dosfs_t:filesystem relabelfrom;
')
+########################################
+##
+## Get attributes of directories on a dosfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_dos_dirs',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir getattr;
+')
+
########################################
##
## Search dosfs filesystem.
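Review bot: The rule in `fs_getattr_dos_dirs` spells the permission out as a bare `getattr`, while the neighbouring interfaces in this patch use permission-set macros (`search_dir_perms`, `getattr_file_perms`). Writing it as `allow $1 dosfs_t:dir getattr_dir_perms;` keeps the interface consistent with them and lets it follow any future change to the macro. The grant itself is narrow, so this is a style point only.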
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 20c67da4e..95d328074 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2776,11 +2776,11 @@ interface(`init_reload_generic_units',`
#
interface(`init_get_all_units_status',`
gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
class service status;
')
- allow $1 systemdunit:service status;
+ allow $1 { init_script_file_type systemdunit }:service status;
')
########################################
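Review bot: Changing the target to `{ init_script_file_type systemdunit }` silently widens what every existing caller of `init_get_all_units_status` is allowed to do. The same change is made to `init_start_all_units`, `init_stop_all_units` and `init_reload_all_units` in the three hunks that follow. The header comments of these interfaces begin above the hunks, so it is not visible whether their summaries were updated. If they were not, each should gain a line such as `## This includes services backed by init scripts (init_script_file_type).` Since `start` and `stop` are the more powerful grants, the current callers of those two interfaces are presumably worth re-checking, to confirm that each one is meant to control init-script services as well.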
@@ -2795,11 +2795,11 @@ interface(`init_get_all_units_status',`
#
interface(`init_start_all_units',`
gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
class service start;
')
- allow $1 systemdunit:service start;
+ allow $1 { init_script_file_type systemdunit }:service start;
')
########################################
@@ -2814,11 +2814,11 @@ interface(`init_start_all_units',`
#
interface(`init_stop_all_units',`
gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
class service stop;
')
- allow $1 systemdunit:service stop;
+ allow $1 { init_script_file_type systemdunit }:service stop;
')
#######################################
@@ -2833,9 +2833,9 @@ interface(`init_stop_all_units',`
#
interface(`init_reload_all_units',`
gen_require(`
- attribute systemdunit;
+ attribute init_script_file_type, systemdunit;
class service reload;
')
- allow $1 systemdunit:service reload;
+ allow $1 { init_script_file_type systemdunit }:service reload;
')