diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
--- ./contrib/selinux/cjdns.te.selinux	2020-06-23 08:37:44.000000000 -0400
+++ ./contrib/selinux/cjdns.te	2020-07-01 19:34:24.473531348 -0400
@@ -7,8 +7,9 @@ require {
 	type port_t;
 	type unreserved_port_t;
 	type tmp_t;
-	type kernel_t;
 	type passwd_file_t;
+	type net_conf_t;
+	type sssd_var_lib_t;
 }
 
 type cjdns_t;
@@ -17,27 +18,29 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
 
 #============= cjdns_t ==============
 # Let master process run further restricted subprocess
-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
 allow cjdns_t self:process { signal getcap setrlimit setcap };
-allow cjdns_t kernel_t:system module_request;
 # translate username to uid
 allow cjdns_t passwd_file_t:file { read getattr open };
+# should not need sssd to lookup uid for local uid
+dontaudit cjdns_t sssd_var_lib_t:dir search;
 
+# translate host names
+allow cjdns_t net_conf_t:file { read getattr open };
 # allow network access
 allow cjdns_t node_t:udp_socket node_bind;
 allow cjdns_t port_t:udp_socket name_bind;
 allow cjdns_t unreserved_port_t:udp_socket name_bind;
-allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write nlmsg_write };
 allow cjdns_t self:packet_socket { bind create ioctl read write };
 allow cjdns_t self:tun_socket create;
-allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write };
+allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write connect };
 allow cjdns_t tun_tap_device_t:chr_file { read write open ioctl };
 
-
 # management API
 allow cjdns_t self:unix_stream_socket connectto;
-allow cjdns_t tmp_t:sock_file { write create unlink };
+allow cjdns_t tmp_t:sock_file { write create unlink getattr };
 allow cjdns_t tmp_t:dir { write remove_name add_name };
 allow cjdns_t urandom_device_t:chr_file { read open };