Index: refpolicy-2.20250213/policy/modules/services/dhcp.fc
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/services/dhcp.fc
+++ refpolicy-2.20250213/policy/modules/services/dhcp.fc
@@ -3,11 +3,14 @@
 /usr/lib/systemd/system/dhcpcd.*\.service   --      gen_context(system_u:object_r:dhcpd_unit_t,s0)
 
 /usr/bin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
-
 /usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/kea-.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp(3)?/dhcpd\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp/dhcpd6\.leases.*	--	gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/kea(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)
 
 /run/dhcpd(6)?\.pid	--	gen_context(system_u:object_r:dhcpd_runtime_t,s0)
+/run/kea(/.*)?			gen_context(system_u:object_r:dhcpd_runtime_t,s0)
+/run/lock/kea/.*	--	gen_context(system_u:object_r:dhcpd_lock_t,s0)
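Review bot: The pattern `/usr/sbin/kea-.*` on the dhcpd_exec_t line is wider than the daemons it is meant to cover, since it matches every file in /usr/sbin whose name starts with `kea-`. If the package also installs administrative or client helpers there (Kea ships tools such as kea-admin and kea-shell; confirm against the package file list), they get the daemon's executable type as well. dhcpd_exec_t is presumably the entrypoint for dhcpd_t, so anything labelled this way can be started in the confined server domain by a caller with a transition rule. Listing the daemons explicitly keeps the label tight, for example `/usr/sbin/kea-(dhcp4|dhcp6|dhcp-ddns|ctrl-agent)	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)`, adjusted to the binaries actually shipped.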
Index: refpolicy-2.20250213/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/services/dhcp.te
+++ refpolicy-2.20250213/policy/modules/services/dhcp.te
@@ -26,6 +26,9 @@ files_runtime_file(dhcpd_runtime_t)
 type dhcpd_state_t;
 files_type(dhcpd_state_t)
 
+type dhcpd_lock_t;
+files_lock_file(dhcpd_lock_t)
+
 type dhcpd_tmp_t;
 files_tmp_file(dhcpd_tmp_t)
 
@@ -39,7 +42,7 @@ init_unit_file(dhcpd_unit_t)
 
 allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid sys_chroot sys_resource };
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process { getcap setcap signal_perms };
+allow dhcpd_t self:process { setsched getcap setcap signal_perms };
 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 allow dhcpd_t self:tcp_socket { accept listen };
 allow dhcpd_t self:packet_socket create_socket_perms;
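Review bot: `setsched` is added to the `self:process` rule without a comment saying which daemon needs it, unlike the lock-file and port additions in this patch, which are annotated. A one-line comment above the rule, such as `# kea changes its scheduling policy/priority at startup (confirm against the AVC denial)`, would let a later reviewer decide whether the permission is still needed. The same gap applies to `allow dhcpc_t self:unix_stream_socket connectto;` and to the `init_getattr_generic_units_files(dhcpc_t)` and `systemd_list_resolved_runtime_dir(dhcpc_t)` calls in sysnetwork.te. Those widen the DHCP client domain in a patch that otherwise concerns the Kea server, and nothing says which client triggers them.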
@@ -55,6 +58,11 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t
 manage_files_pattern(dhcpd_t, dhcpd_runtime_t, dhcpd_runtime_t)
 files_runtime_filetrans(dhcpd_t, dhcpd_runtime_t, file)
 
+allow dhcpd_t dhcpd_runtime_t:sock_file manage_sock_file_perms;
+# for /run/lock/kea
+allow dhcpd_t dhcpd_lock_t:file manage_file_perms;
+files_lock_filetrans(dhcpd_t, dhcpd_lock_t, file)
+
 can_exec(dhcpd_t, dhcpd_exec_t)
 
 kernel_read_system_state(dhcpd_t)
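Review bot: The new socket and lock-file rules are raw `allow` statements next to a `manage_files_pattern` call, and the `files_runtime_filetrans` line above still names only `file`. A control socket created inside /run/kea inherits dhcpd_runtime_t from the directory, but one created directly under /run would keep the parent's type. Using the pattern macros keeps the block consistent and grants the matching directory permissions: `manage_sock_files_pattern(dhcpd_t, dhcpd_runtime_t, dhcpd_runtime_t)` and `manage_files_pattern(dhcpd_t, dhcpd_lock_t, dhcpd_lock_t)`. If the daemon creates /run/kea or its socket itself rather than relying on tmpfiles, the transition would also need widening, for example `files_runtime_filetrans(dhcpd_t, dhcpd_runtime_t, { file sock_file })`.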
@@ -76,6 +84,9 @@ corenet_sendrecv_icmp_packets(dhcpd_t)
 corenet_tcp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
 
+# for kea which needs port 8000 (common alternative web server port)
+corenet_tcp_bind_soundd_port(dhcpd_t)
+
 corenet_sendrecv_pxe_server_packets(dhcpd_t)
 corenet_udp_bind_pxe_port(dhcpd_t)
 
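Review bot: `corenet_tcp_bind_soundd_port(dhcpd_t)` grants more than the comment describes, because it allows binding every port labelled soundd_port_t, not only tcp/8000. In refpolicy that type appears to cover further TCP ports as well (check the `network_port(soundd, ...)` line in corenetwork.te.in). The rule is also unconditional, so an ISC dhcpd running in dhcpd_t gains the ability to open an HTTP-style listener it never needs. Port 8000 is the default for Kea's control agent REST API, a management interface, so it would be safer to put the rule inside a `tunable_policy` block controlled by a boolean that defaults to off. The comment should say what the port is for, for example `# kea-ctrl-agent REST API defaults to tcp/8000, which is labelled soundd_port_t`.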
Index: refpolicy-2.20250213/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20250213/policy/modules/system/sysnetwork.fc
@@ -13,12 +13,13 @@ ifdef(`distro_debian',`
 /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd6?\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/ethers		--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.allow.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hostname		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/kea(/.*)?			gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/machine-info	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
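Review bot: Labelling all of `/etc/kea(/.*)?` as dhcp_etc_t gives the Kea server configuration the same type as the DHCP client's configuration. The sysnetwork.te context in this patch shows dhcpc_t already has `list_dir_perms` and link-read access on dhcp_etc_t, and rules outside the visible hunks probably grant it file reads too. Kea configuration can hold lease-database credentials and control-agent API passwords, so every domain that can read dhcp_etc_t would be able to read those secrets. Consider a dedicated type for files that may contain credentials, or at least a comment above the entry such as `# NOTE: may contain DB/API credentials; readable by all dhcp_etc_t readers`, so the exposure is a documented decision.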
Index: refpolicy-2.20250213/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20250213.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20250213/policy/modules/system/sysnetwork.te
@@ -77,6 +77,7 @@ allow dhcpc_t self:netlink_kobject_ueven
 allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 allow dhcpc_t self:rawip_socket create_socket_perms;
 allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
+allow dhcpc_t self:unix_stream_socket connectto;
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -187,10 +188,12 @@ ifdef(`init_systemd',`
 	init_read_state(dhcpc_t)
 	init_stream_connect(dhcpc_t)
 	init_get_all_units_status(dhcpc_t)
+	init_getattr_generic_units_files(dhcpc_t)
 	init_search_units(dhcpc_t)
 
 	optional_policy(`
 		systemd_dbus_chat_resolved(dhcpc_t)
+		systemd_list_resolved_runtime_dir(dhcpc_t)
 	')
 ')
 
