diff --git a/sanlock.te b/sanlock.te
index d5d96e7..f1314b0 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -44,8 +44,8 @@ ifdef(`enable_mls',`
 #
 # sanlock local policy
 #
-allow sanlock_t self:capability { sys_nice ipc_lock };
-allow sanlock_t self:process { setsched signull };
+allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
+allow sanlock_t self:process { setsched signull signal };
 allow sanlock_t self:fifo_file rw_fifo_file_perms;
 allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
@@ -59,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
 files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
 kernel_read_system_state(sanlock_t)
+kernel_read_kernel_sysctls(sanlock_t)
 domain_use_interactive_fds(sanlock_t)
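Review bot: The new self:capability line grants `dac_override`, which lets sanlock_t bypass DAC owner/mode checks on every file its type rules already let it reach, a much broader grant than the `chown` and `setgid` it sits beside, and the hunk gives no hint which denial motivated it. If that denial came from the daemon touching its own run-time files (the sanlock_var_run_t sock_file/pid files managed in the second hunk) before switching to its unprivileged user, fixing the ownership or mode of those files, or a narrower bit such as `fowner`/`fsetid`, usually removes the need; please confirm against the actual AVC message. Either way, record the rationale next to the rule, e.g. `# dac_override: needed for <reason — TODO confirm from the AVC denial>`, so the next reviewer can tell whether it is still required. The same applies to `kernel_read_kernel_sysctls(sanlock_t)` in the second hunk, which opens all of /proc/sys/kernel to the domain: a one-line comment naming the sysctl the daemon reads would let it be narrowed later. The `signal` addition on self:process only affects the daemon's own processes and needs no comment.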