diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 84b243c0c..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
 fs_getattr_cgroup(bootloader_t)
 init_read_state(bootloader_t)
 init_rw_inherited_stream_socket(bootloader_t)
+
+ # for systemd-boot-update to manage EFI binaries
+ domain_obj_id_change_exemption(bootloader_t)
+ files_mmap_read_boot_files(bootloader_t)
 ')
 optional_policy(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 472b5bb38..d83107e3c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2588,6 +2588,25 @@ interface(`files_read_boot_files',`
 read_files_pattern($1, boot_t, boot_t)
 ')
+######################################## ## ## Read and memory map files in the /boot directory. ## ## ## Domain allowed access. ## ## ## #
+interface(`files_mmap_read_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ mmap_read_files_pattern($1, boot_t, boot_t)
+')
 ########################################
 ## ## Create, read, write, and delete files
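Review bot: The new `domain_obj_id_change_exemption(bootloader_t)` line is a constraint exemption rather than a file permission: as I understand the refpolicy interface it places bootloader_t on the attribute that the identity-change constraints exempt, so bootloader_t may then create or relabel objects whose SELinux user differs from its own on any filesystem, not only under /boot. The one-line comment "for systemd-boot-update to manage EFI binaries" does not say which constraint denial motivated it, so a later reviewer cannot judge whether the exemption is still needed or could be narrowed (for example by fixing the ESP mount context instead). Please record the denial in the comment, e.g. `# systemd-boot-update copies EFI binaries into the ESP and trips the object identity constraint: <AUDIT-MESSAGE-PLACEHOLDER>`, and keep the mmap grant on a separate, separately-justified line. The enclosing ifdef(`init_systemd') block starts outside the hunk.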
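Review bot: The summary of the new `files_mmap_read_boot_files` interface does not make clear to a reader how it differs from `files_read_boot_files` directly above it: if `mmap_read_files_pattern` expands as I expect, the addition is the `map` permission on boot_t files, which is what lets kernel and EFI images be mapped into a process rather than merely read. A one-sentence pointer would keep callers from treating it as a drop-in replacement, e.g. `##	Read and memory map (map permission) files in the /boot directory. Domains that only read should use files_read_boot_files() instead.` The documentation block in this hunk also appears without its summary and param tags; that may be an extraction artifact, but worth confirming the committed file carries them so the interface shows up in generated docs.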