diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
index af4fa00..fd8cd0b 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -1,3 +1,5 @@
+/etc/chrony\.keys		--	gen_context(system_u:object_r:chronyd_keys_t,s0)
+
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
 /usr/sbin/chronyd		--	gen_context(system_u:object_r:chronyd_exec_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 5bda4f9..16e4342 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -25,7 +25,7 @@ interface(`chronyd_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -77,7 +77,7 @@ interface(`chronyd_admin',`
 	gen_require(`
 		type chronyd_t, chronyd_var_log_t;
 		type chronyd_var_run_t, chronyd_var_lib_t;
-		type chronyd_initrc_exec_t;
+		type chronyd_initrc_exec_t, chronyd_keys_t;
 	')
 
 	allow $1 chronyd_t:process { ptrace signal_perms };
@@ -88,6 +88,9 @@ interface(`chronyd_admin',`
 	role_transition $2 chronyd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, chronyd_keys_t)
+
 	logging_search_logs($1)
 	admin_pattern($1, chronyd_var_log_t)
 
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 15234c7..2aa2d73 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -13,6 +13,9 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
 type chronyd_initrc_exec_t;
 init_script_file(chronyd_initrc_exec_t)
 
+type chronyd_keys_t;
+files_type(chronyd_keys_t)
+
 type chronyd_var_lib_t;
 files_type(chronyd_var_lib_t)
 
@@ -27,13 +30,17 @@ files_pid_file(chronyd_var_run_t)
 # Local policy
 #
 
-allow chronyd_t self:capability { setuid setgid sys_time };
-allow chronyd_t self:process { getcap setcap };
-allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+allow chronyd_t self:process { getcap setcap setrlimit };
+allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+
+allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
 manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
 files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir })
 
 manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
@@ -42,7 +49,7 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
 
 manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
 manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
-files_pid_filetrans(chronyd_t, chronyd_var_run_t, { file })
+files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
 
 corenet_udp_bind_ntp_port(chronyd_t)
 # bind to udp/323
@@ -56,3 +63,7 @@ auth_use_nsswitch(chronyd_t)
 logging_send_syslog_msg(chronyd_t)
 
 miscfiles_read_localization(chronyd_t)
+
+optional_policy(`
+	gpsd_rw_shm(chronyd_t)
+')