diff --git a/ic-os/components/selinux/filebeat/filebeat.te b/ic-os/components/selinux/filebeat/filebeat.te
index a80d09c5eb9..2a456d9509b 100644
--- a/ic-os/components/selinux/filebeat/filebeat.te
+++ b/ic-os/components/selinux/filebeat/filebeat.te
@@ -41,6 +41,7 @@ init_daemon_domain(filebeat_t, filebeat_exec_t)
 # Allow filebeat to perform its primary function, namely to read
 # the journal files.
 systemd_read_journal_files(filebeat_t)
+systemd_watch_journal_dirs(filebeat_t)
 
 # It wants to send the logs to remote host, allow unrestricted TCP for
 # this for now. Maybe this can be reasonably constrained more tightly.
@@ -56,6 +57,7 @@ corenet_all_recvfrom_unlabeled(filebeat_t)
 
 # Read generic etc files (e.g. nsswitch.conf)
 files_read_etc_files(filebeat_t)
+files_read_etc_runtime_files(filebeat_t)
 
 # Read CA certificate
 miscfiles_read_generic_certs(filebeat_t)
@@ -124,6 +126,7 @@ require {
 search_dirs_pattern(filebeat_t, bin_t, bin_t)
 
 # Allow to read `/sys/fs/cgroup/unified/system.slice/filebeat.service/cgroup.controllers`
+require { type cgroup_t; }
 fs_read_cgroup_files(filebeat_t)
 allow filebeat_t cgroup_t:dir read;
 
diff --git a/ic-os/components/selinux/ic-node/ic-node.te b/ic-os/components/selinux/ic-node/ic-node.te
index ba93005d723..3feaab8fc3b 100644
--- a/ic-os/components/selinux/ic-node/ic-node.te
+++ b/ic-os/components/selinux/ic-node/ic-node.te
@@ -322,6 +322,7 @@ allow ic_canister_sandbox_t ic_canister_mem_t : file { map read write getattr };
 allow ic_replica_t ic_canister_mem_t : file { map read write getattr };
 
 # Wants to read its own control group. Should deny that.
+require { type cgroup_t; }
 dontaudit ic_canister_sandbox_t cgroup_t : dir { search };
 dontaudit ic_canister_sandbox_t cgroup_t : file { open read getattr };
 
diff --git a/ic-os/components/selinux/manageboot/manageboot.te b/ic-os/components/selinux/manageboot/manageboot.te
index f6ca4bf9c9a..c1a5d472c57 100644
--- a/ic-os/components/selinux/manageboot/manageboot.te
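Review bot: The comment above the new `systemd_watch_journal_dirs(filebeat_t)` still describes the grant as reading journal files only, and the reason for the added directory watch is not recorded anywhere in the hunk. Suggest extending it to `# the journal files, and watch the journal directories (presumably so newly created or rotated journal files are picked up — confirm against the denial)`. A watch permission is low risk, but rules without a stated motivation tend to be the first to be mis-judged in later cleanups.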
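Review bot: `files_read_etc_runtime_files(filebeat_t)` is added without saying which runtime-generated file under /etc filebeat actually needs; the comment above it only explains the static etc files. Name the file so the grant can be re-validated after a base-policy update, e.g. `# Also read etc_runtime_t files (e.g. <file named in the AVC denial>)`, filling in the path from the denial that motivated the change. The interface is read-only, so the exposure is small, but it should be documented like the neighbouring rules.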
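Review bot: `require { type cgroup_t; }` is placed in the middle of a rule paragraph, while the hunk header shows this file already has a `require {` block where the type could be added; the ic-node hunk does the same directly above its `dontaudit ... cgroup_t` rules. If the explicit require is needed because the raw `allow filebeat_t cgroup_t:dir read;` line no longer has `cgroup_t` brought into scope by `fs_read_cgroup_files`, a one-line comment saying so, e.g. `# cgroup_t must be required explicitly for the raw allow rule below`, would stop the next reader from removing it as redundant. Either way, one require per type in the file's existing block is the cleaner shape.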
+++ b/ic-os/components/selinux/manageboot/manageboot.te
@@ -22,7 +22,7 @@ application_domain(ic_manageboot_t, ic_manageboot_exec_t)
 # write upgrades into partition). Allow entering sudo, and return
 # to the original domain when sudo re-executes the script (so
 # it is now running same domain, but with root privileges).
-sudo_role_template(ic_manageboot, system_r, ic_manageboot_t)
+sudo_role_template(ic_manageboot, ic_manageboot_t, ic_manageboot_exec_t, system_r)
 domtrans_pattern(ic_manageboot_sudo_t, ic_manageboot_exec_t, ic_manageboot_t)
 # Under certain circumstances, sudo signals its children.
 allow ic_manageboot_sudo_t ic_manageboot_t : process { signal };
@@ -123,7 +123,7 @@ allow ic_manageboot_t ic_manageboot_t : unix_stream_socket { connect create geta
 # Allow searching runtime process directories (/var/run which is symlinked to /run).
 # It is not perfectly clear what/why it is doing that, but it is harmless
 # enough. May to to forbid it and see if it still works.
-files_search_pids(ic_manageboot_t)
+files_search_runtime(ic_manageboot_t)
 
 # Allow reading /opt/ic/share/version.txt
-read_files_pattern(ic_manageboot_t, usr_t, usr_t)
\ No newline at end of file
+read_files_pattern(ic_manageboot_t, usr_t, usr_t)
diff --git a/ic-os/components/selinux/misc-fixes/misc-fixes.te b/ic-os/components/selinux/misc-fixes/misc-fixes.te
index d10be1c1cd3..3ebfe2d2fbd 100644
--- a/ic-os/components/selinux/misc-fixes/misc-fixes.te
+++ b/ic-os/components/selinux/misc-fixes/misc-fixes.te
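Review bot: The reordered `sudo_role_template(ic_manageboot, ic_manageboot_t, ic_manageboot_exec_t, system_r)` silently switches from the old (prefix, role, domain) argument order to the current refpolicy (prefix, user domain, user exec domain, role) form, and nothing in the file records which signature is expected. A comment such as `# refpolicy signature: sudo_role_template(prefix, user_domain, user_exec_domain, role)` above the call would make a future mis-ordering — for example passing the exec type where the domain belongs — obvious at review time. Whether the unchanged `domtrans_pattern(ic_manageboot_sudo_t, ic_manageboot_exec_t, ic_manageboot_t)` on the next line is still needed, or is now duplicated by the newer template, cannot be determined from the hunk and is worth confirming.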
@@ -15,12 +15,16 @@ permissive unconfined_t;
 
 require { type lvm_t; }
 # Note that "cryptsetup" is also running as lvm_t.
+require { type initrc_t, initrc_runtime_t; }
+allow lvm_t initrc_t : sem rw_sem_perms;
 
 # cryptsetup needs to create /run/cryptsetup: This is its lockfile directory to
 # track which devices, which is the lockfile directory tracking devices on
 # which operations are in progress
-require { type var_run_t; }
+require { type var_run_t, initrc_runtime_t; }
 create_dirs_pattern(lvm_t, var_run_t, var_run_t)
+manage_dirs_pattern(lvm_t, initrc_runtime_t, initrc_runtime_t)
+manage_files_pattern(lvm_t, initrc_runtime_t, initrc_runtime_t)
 
 # lvm cryptsetup needs to manage its own cryptographic keys
 allow lvm_t lvm_t : key manage_key_perms;
diff --git a/ic-os/components/selinux/systemd-fixes/systemd-fixes.te b/ic-os/components/selinux/systemd-fixes/systemd-fixes.te
index 74ce4a9d88b..4aa7dd2ee24 100644
--- a/ic-os/components/selinux/systemd-fixes/systemd-fixes.te
+++ b/ic-os/components/selinux/systemd-fixes/systemd-fixes.te
@@ -119,6 +119,13 @@ list_dirs_pattern(systemd_tmpfiles_t, unlabeled_t, unlabeled_t)
 # A tempfile is used as part of setting up machine-id
 read_files_pattern(systemd_tmpfiles_t, tmpfs_t, tmpfs_t)
 
+###############################################################################
+# systemd-generator
+
+# systemd_generator_t is missing this permission, and it blocks ssh
+require { type systemd_generator_t; }
+init_delete_runtime_files(systemd_generator_t)
+
 ###############################################################################
 # udev
 
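Review bot: `manage_dirs_pattern(lvm_t, initrc_runtime_t, initrc_runtime_t)` and the matching `manage_files_pattern` give lvm_t create/write/rename/delete over every initrc_runtime_t object under /run, far more than the /run/cryptsetup lock directory the comment above describes. If that directory only ends up as initrc_runtime_t by inheriting the parent label, a name transition into a dedicated type — `files_runtime_filetrans(lvm_t, <lvm_runtime_type>, dir, "cryptsetup")` plus manage rules on that type, reusing the base policy's lvm runtime type if it provides one — confines the grant to the lock directory. `initrc_runtime_t` is also required twice in this hunk, first in the new `require { type initrc_t, initrc_runtime_t; }` and again in `require { type var_run_t, initrc_runtime_t; }`, so one of them can go. The new `allow lvm_t initrc_t : sem rw_sem_perms;` carries no comment saying which semaphore is shared with initrc_t or which command hit the denial; record that the way the neighbouring rules do.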
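Review bot: The comment `# systemd_generator_t is missing this permission, and it blocks ssh` does not say which file under /run the generator deletes or which unit fails, so the grant cannot be re-validated after a base-policy update. `init_delete_runtime_files` allows deleting init_runtime_t files in general rather than one path, so the comment should name the path and the observed denial, e.g. `# systemd generators delete <path under /run/systemd, from the AVC record> (init_runtime_t); without this <unit sshd depends on> fails to start`, with the bracketed parts filled in from the denial log. Keeping that detail next to the rule is what lets a later reviewer decide whether a narrower rule would do.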