diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 0709176..20dfc17 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -206,6 +206,21 @@ template(`pki_ca_template',`
         optional_policy(`
             unconfined_domain($1_script_t)
         ')
+
+        # tomcat6 init scripts do runuser and touch lockfile
+        allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
+        allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
+        consoletype_exec($1_t)
+        fs_read_hugetlbfs_files($1_t)
+        hostname_exec($1_t)
+        kernel_read_kernel_sysctls($1_t)
+        fs_getattr_xattr_fs($1_t)
+
+        # java (mislabeled as lib_t?) calls build_classpath
+        libs_exec_lib_files($1_t)
+
+        selinux_get_enforce_mode($1_t)
+
 ')
 
 ########################################
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 7f6e657..dab02d4 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.2)
+policy_module(pki,10.0.4)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;