diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index ba189bf..9ad2232 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -11,7 +11,7 @@ terminal_use_console(kernel_t)
 domain_signal_all_domains(kernel_t)
 
 # Use capabilities. need to investigate which capabilities are actually used
-#allow kernel_t self:capability *;
+allow kernel_t self:capability *;
 
 # Mount root file system.  Used when loading a policy
 # from initrd, then mounting the root filesystem
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7fec32b..a53af29 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -79,14 +79,13 @@ authlogin_modify_login_records(init_t)
 logging_modify_system_logs(init_t)
 
 # Use capabilities. old rule:
-#allow init_t self:capability ~sys_module;
+allow init_t self:capability ~sys_module;
 # is ~sys_module really needed? observed: 
 # sys_boot
 # sys_tty_config
 # kill: now provided by domain_kill_all_domains()
 # setuid (from /sbin/shutdown)
 # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
-allow init_t self:capability { sys_boot sys_tty_config setuid };
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { getattr read write setattr };