diff --git a/dnsmasq.te b/dnsmasq.te
index 61382a207c039dda2b8b233d79e5e71da00b0808..9a9882d664031391ba0dde9c8b6e9df09449ec2f 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -5,6 +5,9 @@ type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
 
+# TODO:  Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:capability dac_override;
+
 allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
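Review bot: The added `allow dnsmasq self:capability dac_override;` rule lets this network-facing domain (it also holds `net_raw` and `net_bind_service`) ignore DAC ownership and mode bits on every object its type-enforcement rules reach, and the TODO does not record which access needs it. The comment should name the denied path and operation, for example `# dac_override: required for access under dhcp_data_file owned by the dhcp group (confirm from the avc denial)`, so the grant can be dropped once the daemon runs with that group. If the denial was only for directory search or reads, `dac_read_search` would be a narrower grant; this hunk does not show which it was. While the TODO stays open, `auditallow dnsmasq self:capability dac_override;` would log each use and show when the rule is no longer exercised.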