diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 78ea93f40..316f43625 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -756,9 +756,14 @@ interface(`sysnet_dns_name_resolve',`
nscd_use($1)
')
- # This seems needed when the mymachines NSS module is used
- optional_policy(`
- systemd_read_machines($1)
+ ifdef(`init_systemd',`
+ optional_policy(`
+ systemd_dbus_chat_resolved($1)
+ ')
+ # This seems needed when the mymachines NSS module is used
+ optional_policy(`
+ systemd_read_machines($1)
+ ')
')
')
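Review bot: The new `systemd_dbus_chat_resolved($1)` call at L13 hands every caller of `sysnet_dns_name_resolve` a two-way `dbus send_msg` channel with `systemd_resolved_t`, which is considerably broader than the read-only resolution access the rest of this interface grants; since this interface is called from a large number of domains, it is worth confirming that only the resolve NSS path needs the bus and that a narrower grant is not possible. Unlike the `systemd_read_machines` block, the new call carries no comment saying why it is there; a line such as `# Presumably needed when the resolve NSS module talks to resolved over dbus` (confirm against the actual failure being fixed) would help the next reader. Moving `systemd_read_machines` under `ifdef(init_systemd)` also drops it for non-systemd builds, which looks intended but is not mentioned. The enclosing `sysnet_dns_name_resolve` interface starts before the hunk.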
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 346850881..9247924b2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,6 +753,27 @@ interface(`systemd_tmpfilesd_managed',`
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+########################################
+##
+## Send and receive messages from
+## systemd resolved over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_dbus_chat_resolved',`
+ gen_require(`
+ type systemd_resolved_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_resolved_t:dbus send_msg;
+ allow systemd_resolved_t $1:dbus send_msg;
+')
+
#######################################
##
## Allow domain to read resolv.conf file generated by systemd_resolved
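Review bot: The documentation block at L29–L37 shows bare `##` lines with no `<summary>`, `<param name="domain">` or `<desc>` elements around the text, which refpolicy's interface documentation tooling expects; if that is the committed text rather than a rendering artifact, the block should read `## <summary>` / `## Send and receive messages from systemd resolved over dbus.` / `## </summary>` followed by a `<param name="domain">` wrapping the "Domain allowed access." description. The bidirectional `send_msg` pair at L45–L46 follows the existing `systemd_dbus_chat_*` pattern; note that it relies on the caller already being a system bus client, as those interfaces conventionally do.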
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621d..e70ccb214 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
# Resolved local policy
#
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
allow systemd_resolved_t self:tcp_socket { accept listen };
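Review bot: Adding `net_raw` at L60 widens `systemd_resolved_t` to a capability that also permits raw and packet sockets, and nothing in the hunk records why the daemon needs it; a comment above the rule, e.g. `# net_raw: presumably for SO_BINDTODEVICE on per-interface LLMNR/mDNS sockets -- confirm`, would keep the grant from being silently carried forward after the underlying need goes away. If the actual trigger was a specific denial, naming the operation in that comment is preferable to the guess.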
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
auth_use_nsswitch(systemd_resolved_t)
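Review bot: Binding the DNS port (L66, L69) is a privileged-port bind, and the capability set updated in the previous hunk (`chown net_raw setgid setpcap setuid`) does not include `net_bind_service`; unless it is granted elsewhere in this file, the new bind rules will still fail on the capability check. If it is missing, the fix is in the earlier hunk: `allow systemd_resolved_t self:capability { chown net_bind_service net_raw setgid setpcap setuid };`. A short comment such as `# stub listener on port 53` next to the two `corenet_*_bind_dns_port` lines would also make the intent clear.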
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 469a95234..0501eff99 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -58,6 +58,12 @@ ifdef(`direct_sysadm_daemon',`
')
')
+ifdef(`init_systemd',`
+ optional_policy(`
+ systemd_dbus_chat_resolved(unconfined_t)
+ ')
+')
+
optional_policy(`
ada_domtrans(unconfined_t)
')