diff --git a/Changelog b/Changelog
index 5b8b560e1..4b5351064 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Allow user and role changes on dynamic transitions with the same
+  constraints as regular transitions.
 - New git service features from Dominick Grift.
 - Corenetwork policy size optimization from Dan Walsh.
 - Silence spurious udp_socket listen denials.
diff --git a/policy/constraints b/policy/constraints
index 130887155..3a45f236b 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -87,7 +87,7 @@ ifdef(`enable_ubac',`
 	);
 ')
 
-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	u1 == u2
 	or ( t1 == can_change_process_identity and t2 == process_user_target )
@@ -96,7 +96,7 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );
 
-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	r1 == r2 
 	or ( t1 == can_change_process_role and t2 == process_user_target )
@@ -105,11 +105,6 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );
 
-constrain process dyntransition
-(
-	u1 == u2 and r1 == r2
-);
-
 # These permissions do not have ubac constraints:
 # fork
 # setexec