diff --git a/packages/selinux-policy/class.cil b/packages/selinux-policy/class.cil
index 18d323aecb9..746f31e354e 100644
--- a/packages/selinux-policy/class.cil
+++ b/packages/selinux-policy/class.cil
@@ -50,6 +50,7 @@
 (classcommon blk_file file)
 (classcommon sock_file file)
 (classcommon fifo_file file)
+(classcommon anon_inode file)
 
 ; Add permissions specific to some file classes.
 (class file (execute_no_trans entrypoint))
@@ -60,6 +61,7 @@
 (class blk_file ())
 (class sock_file ())
 (class fifo_file ())
+(class anon_inode ())
 
 ; Add permissions shared by all socket classes.
 (common socket (
@@ -261,7 +263,7 @@
 phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket infiniband_pkey infiniband_endport bpf xdp_socket
- mctp_socket perf_event lockdown))
+ mctp_socket perf_event lockdown anon_inode))
 ; Add permissions for SELinux-aware applications. ; This includes systemd and dbus-broker.
diff --git a/packages/selinux-policy/files.cil b/packages/selinux-policy/files.cil
index ab44fbea112..206e2d58cd3 100644
--- a/packages/selinux-policy/files.cil
+++ b/packages/selinux-policy/files.cil
@@ -9,6 +9,7 @@
 (classmapping files relabel relabel_blk_file)
 (classmapping files relabel relabel_sock_file)
 (classmapping files relabel relabel_fifo_file)
+(classmapping files relabel relabel_anon_inode)
 
 ; Permission group for mounts.
 (classmapping files mount mount_file)
@@ -19,6 +20,7 @@
 (classmapping files mount mount_sock_file)
 (classmapping files mount mount_fifo_file)
 (classmapping files mount mount_filesystem)
+(classmapping files mount mount_anon_inode)
 
 ; Permission group for relaxing security constraints on files.
 (classmapping files relax relax_file)
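Review bot: Neither `(classcommon anon_inode file)` here nor `(class anon_inode ())` in the second hunk carries a comment saying why anon_inode is treated as a file class, whereas the neighbouring `; Add permissions specific to some file classes.` explains the other declarations. The kernel declares the anon_inode class (used for userfaultfd descriptors, for example) with exactly the common file permissions and no class-specific ones, so the empty permission list is correct, but that is worth recording next to the declaration, e.g. `; anon_inode only carries the common file permissions; it has none of its own.`. The class list in the third hunk opens outside the hunk; appending anon_inode after lockdown matches the order in which the kernel introduced these classes, so that placement looks fine.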
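Review bot: Adding `relabel_anon_inode` to the `files relabel` classmapping here, and the matching mount/relax/describe/load/block/mutate mappings in the following hunks, widens every existing rule that grants one of the `files` permission groups so that it now also covers anon_inode objects, because callers name the group rather than the class. That is presumably the intent, but it means a domain allowed `files relax` now gets `execmod` on anon inodes and a domain allowed `files mutate` gets the write side of them; it would be worth confirming that no existing rule relies on those groups being limited to on-disk file classes. A comment above the first new mapping, such as `; anon_inode shares the common file permissions, so it joins every file group.`, would make that widening visible to the next reader.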
@@ -28,6 +30,7 @@
 (classmapping files relax relax_blk_file)
 (classmapping files relax relax_sock_file)
 (classmapping files relax relax_fifo_file)
+(classmapping files relax relax_anon_inode)
 
 ; Permission group for using files as entry points.
 (classmapping files enter enter_file)
@@ -41,6 +44,7 @@
 (classmapping files describe describe_sock_file)
 (classmapping files describe describe_fifo_file)
 (classmapping files describe describe_filesystem)
+(classmapping files describe describe_anon_inode)
 
 ; Permission group for reading and executing files.
 (classmapping files load load_file)
@@ -52,6 +56,7 @@
 (classmapping files load load_fifo_file)
 (classmapping files load load_filesystem)
 (classmapping files load load_fd)
+(classmapping files load load_anon_inode)
 
 ; Permission group for blocking access to files.
 (classmapping files block block_file)
@@ -61,6 +66,7 @@
 (classmapping files block block_blk_file)
 (classmapping files block block_sock_file)
 (classmapping files block block_fifo_file)
+(classmapping files block block_anon_inode)
 
 ; Permission group for mutating files.
 (classmapping files mutate mutate_file)
@@ -70,6 +76,7 @@
 (classmapping files mutate mutate_blk_file)
 (classmapping files mutate mutate_sock_file)
 (classmapping files mutate mutate_fifo_file)
+(classmapping files mutate mutate_anon_inode)
 
 ; Sets of permissions for relabeling file objects.
 (classpermission relabel_file)
@@ -79,6 +86,7 @@
 (classpermission relabel_blk_file)
 (classpermission relabel_sock_file)
 (classpermission relabel_fifo_file)
+(classpermission relabel_anon_inode)
 (classpermissionset relabel_file (
  file (relabelfrom relabelto)))
 (classpermissionset relabel_dir (
@@ -93,6 +101,8 @@
  sock_file (relabelfrom relabelto)))
 (classpermissionset relabel_fifo_file (
  fifo_file (relabelfrom relabelto)))
+(classpermissionset relabel_anon_inode(
+ anon_inode (relabelfrom relabelto)))
 
 ; Sets of permissions for mounts.
 (classpermission mount_file)
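Review bot: `(classpermissionset relabel_anon_inode(` in the last hunk drops the space before the opening parenthesis that every other classpermissionset in this change keeps (`(classpermissionset mount_anon_inode (`, `(classpermissionset relax_anon_inode (`). It still parses, but it is the odd one out in a file that is otherwise uniformly formatted; change it to `(classpermissionset relabel_anon_inode (`.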
@@ -103,6 +113,7 @@
 (classpermission mount_sock_file)
 (classpermission mount_fifo_file)
 (classpermission mount_filesystem)
+(classpermission mount_anon_inode)
 (classpermissionset mount_file (
  file (mounton quotaon)))
 (classpermissionset mount_dir (
@@ -119,6 +130,8 @@
  fifo_file (mounton quotaon)))
 (classpermissionset mount_filesystem (
  filesystem (mount quotamod remount unmount)))
+(classpermissionset mount_anon_inode (
+ anon_inode (mounton quotaon)))
 
 ; Sets of permissions that relax security constraints for file objects.
 (classpermission relax_file)
@@ -128,6 +141,7 @@
 (classpermission relax_blk_file)
 (classpermission relax_sock_file)
 (classpermission relax_fifo_file)
+(classpermission relax_anon_inode)
 (classpermissionset relax_file (
  file (execmod)))
 (classpermissionset relax_dir (
@@ -142,6 +156,8 @@
  sock_file (execmod)))
 (classpermissionset relax_fifo_file (
  fifo_file (execmod)))
+(classpermissionset relax_anon_inode (
+ anon_inode (execmod)))
 
 ; Sets of permissions for using file objects as entry points.
 (classpermission enter_file)
@@ -157,6 +173,7 @@
 (classpermission describe_sock_file)
 (classpermission describe_fifo_file)
 (classpermission describe_filesystem)
+(classpermission describe_anon_inode)
 (classpermissionset describe_file (
  file (getattr)))
 (classpermissionset describe_dir (
@@ -173,6 +190,8 @@
  fifo_file (getattr)))
 (classpermissionset describe_filesystem (
  filesystem (getattr quotaget)))
+(classpermissionset describe_anon_inode (
+ anon_inode (getattr)))
 
 ; Sets of permissions for read-only actions that do not affect the
 ; integrity of file objects.
@@ -185,6 +204,7 @@
 (classpermission load_fifo_file)
 (classpermission load_filesystem)
 (classpermission load_fd)
+(classpermission load_anon_inode)
 (classpermissionset load_file (
  file (
  execute ioctl map open read execute_no_trans
@@ -217,6 +237,10 @@
  filesystem (watch)))
 (classpermissionset load_fd (
  fd (use)))
+(classpermissionset load_anon_inode (
+ anon_inode (
+ execute ioctl map open read
+ watch watch_mount watch_reads watch_sb)))
 
 ; Sets of permissions for blocking access to file objects.
 (classpermission block_file)
@@ -226,6 +250,7 @@
 (classpermission block_blk_file)
 (classpermission block_sock_file)
 (classpermission block_fifo_file)
+(classpermission block_anon_inode)
 (classpermissionset block_file (
  file (watch_with_perm)))
 (classpermissionset block_dir (
@@ -240,6 +265,8 @@
  sock_file (watch_with_perm)))
 (classpermissionset block_fifo_file (
  fifo_file (watch_with_perm)))
+(classpermissionset block_anon_inode (
+ anon_inode (watch_with_perm)))
 
 ; Sets of permissions for mutating file objects, which includes all
 ; actions that are not covered by other policy restrictions.
@@ -250,6 +277,7 @@
 (classpermission mutate_blk_file)
 (classpermission mutate_sock_file)
 (classpermission mutate_fifo_file)
+(classpermission mutate_anon_inode)
 (classpermissionset mutate_file (
  file (not (
  entrypoint execute_no_trans
@@ -287,3 +315,8 @@
  execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm))))
+(classpermissionset mutate_anon_inode (
+ anon_inode (not (
+ execute ioctl getattr map open read execmod
+ relabelfrom relabelto mounton quotaon
+ watch watch_mount watch_reads watch_sb watch_with_perm))))