diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index f9691bd..604f67b 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -84,10 +84,6 @@ interface(`kerberos_use',`
 	selinux_dontaudit_validate_context($1)
 	seutil_dontaudit_read_file_contexts($1)
 
-	optional_policy(`
-		sssd_read_public_files($1)
-	')
-
 	tunable_policy(`allow_kerberos',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
@@ -115,6 +111,10 @@ interface(`kerberos_use',`
 			pcscd_stream_connect($1)
 		')
 	')
+
+	optional_policy(`
+		sssd_read_public_files($1)
+	')
 ')
 
 ########################################