diff --git a/kernel.te b/kernel.te
index 05838afd7d7b3b05ee4be9a70b74a3c39e55911e..67edc10e56870f8b9261b36f8f9298c04d341d52 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,6 +3,15 @@ type kernel, domain, domain_deprecated, mlstrustedsubject;
 
 allow kernel self:capability sys_nice;
 
+# Root fs.
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;