diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0162fca47d..ae71e6deed 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1798,6 +1798,32 @@ interface(`files_manage_all_files',`
 ')
 ')
+########################################
+##
+## Grant execute access to all files on the filesystem,
+## except the listed exceptions.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+interface(`files_mmap_exec_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+ mmap_exec_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
 ########################################
 ##
 ## Search the contents of all directories on
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 37a31be779..441734c5ac 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -362,12 +362,14 @@ domain_use_all_fds(kernel_t)
 domain_signal_all_domains(kernel_t)
 domain_search_all_domains_state(kernel_t)
-files_list_root(kernel_t)
-files_list_etc(kernel_t)
-files_list_home(kernel_t)
-files_read_usr_files(kernel_t)
-files_manage_mounttab(kernel_t)
-files_manage_generic_spool_dirs(kernel_t)
+files_manage_all_files(kernel_t)
+# The 'execute' permission on lower inodes is checked against the mounter
+# cred by overlayfs, so we need to grant it to allow overlay mounts created
+# during early boot to work.
+# In itself, this doesn't allow the kernel to execute all files - an
+# execute_no_trans permission or a type transition is also needed to grant
+# that ability (and we are much more strict about those).
+files_mmap_exec_all_files(kernel_t)
 mcs_process_set_categories(kernel_t)
 mcs_file_read_all(kernel_t)
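Review bot: The summary of the new files_mmap_exec_all_files interface undersells what it grants: mmap_exec_files_pattern is, as far as I recall from its other uses in refpolicy, the read/open/map-plus-execute file pattern together with search on the directory set, not bare execute, so `Grant execute access to all files on the filesystem` would be more accurate as `Grant read, map and execute access to all files on the filesystem`. The caveat that this deliberately does not include execute_no_trans (so the domain still cannot actually run those files without a transition) lives only in the kernel.te caller's comment in this same diff; it belongs in this interface's summary as well, since the interface is discoverable on its own and is the kind of all-file_type grant a policy reviewer will search for. One sentence after the summary, such as `Note: execute_no_trans is intentionally not granted, so this alone does not let the domain run arbitrary files.`, would carry that with the interface.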
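Review bot: `files_manage_all_files(kernel_t)` replaces six narrowly scoped calls (list root/etc/home, read usr files, manage mounttab and generic spool dirs) with a grant to create, write and delete every file_type object, yet unlike the files_mmap_exec_all_files line below it carries no comment saying why kernel_t now needs that breadth. If the justification is the same overlayfs mounter-cred check described in the comment that follows, a line such as `# Also needed for early-boot overlay mounts: overlayfs checks lower/upper inode access against the mounter cred.` above it would let a later reader audit the grant without the commit history; if it is a different reason, that reason should be stated. It is also worth confirming in the interface body that files_manage_all_files covers the directory and link permissions the removed files_manage_generic_spool_dirs and files_manage_mounttab calls provided, since only the call is visible in this hunk.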