diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 sysnet_read_config(eg25manager_t)
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+	modemmanager_dbus_chat(eg25manager_t)
+')
+
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
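Review bot: `term_use_unallocated_ttys(eg25manager_t)` in the second hunk grants read/write on every device carrying the unallocated-tty label, which is wider than the single modem serial port this daemon drives; if that port can be given a dedicated label, the narrower device interface is preferable, and either way the line wants a comment naming the device it exists for, e.g. `# modem control port (unallocated tty) — TODO(review): confirm device node, consider a dedicated label`. The comment above `selinux_get_fs_mount` in the first hunk records the symptom rather than the cause; this interface is usually needed when libselinux probes for the selinuxfs mount at startup, so if that is what the denial showed, say so: `# libselinux looks up the selinuxfs mount point at startup; modem firmware upload fails without it`. `miscfiles_read_localization` is added with no note of what triggered it; a short comment there too lets the next maintainer tell a real requirement from a permissive-mode artefact.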
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
+
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 term_use_generic_ptys(modemmanager_t)
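Review bot: `allow modemmanager_t self:process execmem;` gives the whole daemon writable-and-executable memory, removing W^X for a process that also holds `net_admin` and `sys_admin`, and the comment names the syscall but not which library or plugin makes the mapping, so nobody can later judge whether it is still needed. Identify the component and record it, e.g. `# execmem: needed by <library — TODO(review): identify> which maps RWX pages; revisit when fixed upstream`, and if this policy has a tunable convention for execmem consider gating it there rather than granting it unconditionally. `corecmd_exec_bin` with its `# for /usr/libexec/qmi-proxy` comment means qmi-proxy runs inside modemmanager_t with no domain transition; that may well be intended, but it is worth stating explicitly in the comment. `dev_create_sysfs_files` together with `dev_write_sysfs` is unusual for a daemon, and the `# for qmi/pass_through` note would be more useful if it named the sysfs attribute that is written.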