diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7d2c4992c..eeca6e7c3 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
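Review bot: The new `allow` puts `sys_ptrace` into logrotate_t's capability set, and the only justification is the comment "sys_ptrace is for systemctl", which does not say what fails without it. Two lines further down the same hunk treats systemctl's `net_admin` request as a probe and silences it with `dontaudit`. If the ptrace check is likewise incidental (not determinable from this hunk), `dontaudit logrotate_t self:capability sys_ptrace;` would hide the denial without widening a domain that already holds `dac_override` and `setuid`. If the capability really is required, the comment should name the systemctl operation that needs it.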
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 76e97aea5..66864c075 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -183,11 +183,6 @@ optional_policy(`
spamassassin_read_spamd_tmp_files(gpg_t)
')
-optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
-
optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index dbaa28cdd..5ae181086 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -521,6 +521,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_getattr_mtrr_dev(system_cronjob_t)
+dev_read_rand(system_cronjob_t)
dev_read_urand(system_cronjob_t)
dev_read_sysfs(system_cronjob_t)
# for checkarray to write to sync_action
@@ -553,6 +554,7 @@ files_read_var_lib_symlinks(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
+init_read_generic_units_links(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
@@ -624,6 +626,10 @@ optional_policy(`
ftp_read_log(system_cronjob_t)
')
+optional_policy(`
+ gpg_exec(system_cronjob_t)
+')
+
optional_policy(`
inn_manage_log(system_cronjob_t)
inn_manage_pid(system_cronjob_t)
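Review bot: With `gpg_exec(system_cronjob_t)` added here and the `cron_system_entry(gpg_t, gpg_exec_t)` block removed in gpg.te, gpg started from a system cron job appears to stay in system_cronjob_t instead of transitioning to gpg_t. Key and signature handling would then run under the full system_cronjob_t rule set rather than gpg's own confined domain, and the block has no comment explaining why. A comment above the block would record the reason, for example `# run gpg in the caller's domain; needed by <cron job>`. This assumes `gpg_exec` grants execution without a transition, since its definition is not in this diff.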
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index a659af7ae..33f44a6fd 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket create_socket_perms;
allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
-files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
+manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
kernel_read_network_state(irqbalance_t)
kernel_read_system_state(irqbalance_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9abb94703..782ea42de 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2960,6 +2960,25 @@ interface(`init_search_units',`
fs_search_tmpfs($1)
')
+########################################
+##
+## Read systemd unit links
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_generic_units_links',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
+')
+
########################################
##
## Get status of generic systemd units.
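Review bot: The `gen_require` block of `init_read_generic_units_links` declares `class service status;`, but the interface's only rule is on `lnk_file`, so that requirement is unused. It looks copied from the status interface that follows and should be dropped, leaving `type systemd_unit_t;` alone. The rule also grants only `read_lnk_file_perms` on the links themselves; nothing visible here grants search on the directories that hold them, so callers presumably also need `init_search_units`, and the summary could say so.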