diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te
index f86ed6efed..790c156623 100644
--- a/policy/modules/contrib/bootupd.te
+++ b/policy/modules/contrib/bootupd.te
@@ -40,6 +40,7 @@ domain_use_interactive_fds(bootupd_t)
 files_create_boot_dirs(bootupd_t)
 files_read_etc_files(bootupd_t)
 files_manage_boot_files(bootupd_t)
+files_read_root_files(bootupd_t)
 fs_getattr_all_fs(bootupd_t)
 fs_manage_dos_dirs(bootupd_t)
@@ -63,6 +64,7 @@ optional_policy(`
 optional_policy(`
 udev_domtrans(bootupd_t)
+ udev_read_pid_files(bootupd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 75afb8eab2..af7337e061 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -337,4 +337,5 @@ ifndef(`distro_redhat',`
 /nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
 /nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/sysroot/.aleph-version.json gen_context(system_u:object_r:root_t,s0)
 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 73fdbeedb9..7359713055 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2870,6 +2870,24 @@ interface(`files_root_filetrans',`
 filetrans_pattern($1, root_t, $2, $3, $4)
 ')
+########################################
+##
+## Read files in the root directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_read_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ read_files_pattern($1, root_t, root_t)
+')
+
 ########################################
 ##
 ## Do not audit attempts to read files in
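Review bot: `files_read_root_files(bootupd_t)` grants bootupd_t read access to every file labelled root_t, whereas the only root_t file this commit introduces is `/sysroot/.aleph-version.json` in files.fc; if that file is the sole reason for the rule, a dedicated type with its own read interface would keep the new reach to that one path rather than to the whole root_t label (which the adjacent `/sysroot/ostree/deploy/...` entry also uses). If reading other root_t files is in fact intended, a one-line comment above the rule naming what bootupd reads from `/` would let a later reviewer tell the two apart, e.g. `# reads the deployment version file labelled root_t under /sysroot`. The rule block this hunk sits in starts and ends outside the hunk.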
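Review bot: The new spec `/sysroot/.aleph-version.json` leaves both dots unescaped and carries no object-class qualifier, so as a regex it also matches unrelated names such as a constructed `/sysroot/Xaleph-versionXjson`, and it labels a directory or symlink of that name the same as the regular file. File-context entries escape literal dots and mark regular files with `--`; the line should read `/sysroot/\.aleph-version\.json -- gen_context(system_u:object_r:root_t,s0)`. The neighbouring entries do not use `--` because they describe directory trees, so they are not a template for this one.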
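Review bot: The parameter description of the new `files_read_root_files` interface says `Domain to not audit.`, which is the wording of the `files_dontaudit_read_root_files` interface that follows it; this interface allows access, so the text should be `Domain allowed access.`. The summary is also narrower than the rule: `read_files_pattern($1, root_t, root_t)` applies to every file labelled root_t, not only files directly in `/`, so wording such as `Read files in the root directory and any other file labelled root_t.` would tell callers what they are actually being granted. The `<param>`/`<summary>` tags themselves appear to have been stripped when this diff was rendered, so only the wording is being raised here.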