diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0162fca47d..ae71e6deed 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1798,6 +1798,32 @@ interface(`files_manage_all_files',`
')
')
+########################################
+##
+## Grant execute access to all files on the filesystem,
+## except the listed exceptions.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+interface(`files_mmap_exec_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ mmap_exec_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
########################################
##
## Search the contents of all directories on
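Review bot: The summary on the added interface undersells what it grants: `mmap_exec_files_pattern` (as used throughout this module) grants more than `execute` on the `$3` set — if I recall the pattern correctly it grants directory search on `$2` and the full mmap/exec file permission set (open, read, map, execute, ...) on `$3` — so the summary should read `## Grant read, mmap and execute access to all files on the filesystem, except the listed exceptions.`. Since `$2` is substituted into both the directory and the file set, it would also help callers to note that `## Negated types are excluded from both the directory-search and the file-access rules.`. The interface is otherwise consistent with `files_manage_all_files` directly above it, whose tail is the first two context lines of this hunk.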
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 37a31be779..441734c5ac 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -362,12 +362,14 @@ domain_use_all_fds(kernel_t)
domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)
-files_list_root(kernel_t)
-files_list_etc(kernel_t)
-files_list_home(kernel_t)
-files_read_usr_files(kernel_t)
-files_manage_mounttab(kernel_t)
-files_manage_generic_spool_dirs(kernel_t)
+files_manage_all_files(kernel_t)
+# The 'execute' permission on lower inodes is checked against the mounter
+# cred by overlayfs, so we need to grant it to allow overlay mounts created
+# during early boot to work.
+# In itself, this doesn't allow the kernel to execute all files - an
+# execute_no_trans permission or a type transition is also needed to grant
+# that ability (and we are much more strict about those).
+files_mmap_exec_all_files(kernel_t)
mcs_process_set_categories(kernel_t)
mcs_file_read_all(kernel_t)
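Review bot: `files_manage_all_files(kernel_t)` replaces six narrowly scoped grants with create/write/unlink on every `file_type`, but the comment block that follows only justifies the `execute` permission needed for overlayfs lower-inode checks; the manage grant, which is the larger privilege widening for the kernel domain, is left unexplained. If the reason is that overlayfs performs upper-layer operations (copy-up, whiteouts) with the mounter's credentials, that deserves its own comment so the grant is not quietly narrowed or widened later, e.g. `# overlayfs performs upper-layer operations with the mounter's cred, so early-boot overlay mounts need kernel_t to manage all file types.`; if it is something else, say what. It would also be worth stating in that comment that this makes kernel_t able to modify any labelled file, so reviewers understand the scope of what is being accepted. The `files_mmap_exec_all_files(kernel_t)` call passes no exception list, which matches the new interface's optional `$2`.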