diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index ccb61b7ec..983084c11 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -279,6 +279,8 @@ interface(`selinux_unconfined',`
 gen_require(`
 attribute can_load_policy, can_setenforce, can_setsecparam;
 type security_t;
+ class dir { getattr search read };
+ class file { getattr read write };
 class security { load_policy setenforce setbool };
 ')
 
@@ -286,5 +288,9 @@ interface(`selinux_unconfined',`
 allow $1 security_t:security *;
 auditallow $1 security_t:security { load_policy setenforce setbool };
 
+ # use SELinuxfs
+ allow $1 security_t:dir { getattr search read };
+ allow $1 secuirty_t:file { getattr read write };
+
 typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
 ')
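Review bot: The new file rule in the second hunk names `secuirty_t`, a misspelling of the `security_t` type that the `gen_require` block declares. As written the rule refers to a type this interface never requires, so it should either break the policy build where the interface is expanded or leave callers without the intended selinuxfs file access. It should read `allow $1 security_t:file { getattr read write };`. The added `write` on selinuxfs files is not covered by the existing `auditallow`, which lists only `security` class permissions, so it is worth confirming that is intended. The body of `selinux_unconfined` starts outside both hunks.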