diff --git a/opencryptoki-3.21-sandboxing.patch b/opencryptoki-3.21-sandboxing.patch
new file mode 100644
index 0000000..b3ba3e5
--- /dev/null
+++ b/opencryptoki-3.21-sandboxing.patch
@@ -0,0 +1,27 @@
+diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
+--- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me 2023-05-16 20:50:08.128841932 +0200
++++ opencryptoki-3.21.0/misc/pkcsslotd.service.in 2023-05-16 21:19:35.208570589 +0200
+@@ -22,17 +22,17 @@ PrivateUsers=no
+ PrivateNetwork=no
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ IPAddressDeny=any
+-ProtectClock=yes
++#ProtectClock=yes
+ ProtectKernelTunables=yes
+ ProtectKernelModules=yes
+-ProtectKernelLogs=yes
++#ProtectKernelLogs=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+-ProtectHostname=yes
+-ProtectProc=default
++#ProtectHostname=yes
++#ProtectProc=default
+ ProtectSystem=strict
+-ReadWritePaths=@localstatedir@
+-ProcSubset=all
++ReadWritePaths=@localstatedir@ /run
++#ProcSubset=all
+ MemoryDenyWriteExecute=yes
+ RestrictRealtime=yes
+ RestrictNamespaces=yes
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 1b4a14c..fce8465 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -12,6 +12,9 @@ Patch0: opencryptoki-3.11.0-group.patch
 Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf
 Patch2: opencryptoki-3.21.0-p11sak.patch
+# comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
+# /run directory from being made read-only on rhel8
+Patch3: opencryptoki-3.21-sandboxing.patch
 # upstream patches
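Review bot: `ReadWritePaths=@localstatedir@ /run` in the new sandboxing patch reopens the whole of /run for writing under `ProtectSystem=strict`, which is much wider than the two runtime locations the spec file packages for the daemon (`/run/%{name}` and `%{_rundir}/lock/%{name}`). If those are the only runtime paths pkcsslotd writes, `ReadWritePaths=@localstatedir@ /run/opencryptoki /run/lock/opencryptoki` would keep other services' sockets and PID files out of the daemon's reach. The five directives are commented out with no explanation in the unit itself: `ProtectProc=default` and `ProcSubset=all` are the defaults, so nothing is lost there, but `ProtectClock`, `ProtectKernelLogs` and `ProtectHostname` are real hardening, and a unit-file comment such as `# not supported by the systemd on rhel8; re-enable when the base systemd supports it` would stop them from being dropped permanently. The unit file continues outside the inner hunk, so the rest of the sandbox settings could not be checked.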
@@ -294,10 +297,10 @@ fi
 %{_libdir}/opencryptoki/methods
 %{_libdir}/pkcs11/methods
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
 %dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 %files libs
 %license LICENSE
@@ -313,6 +316,7 @@ fi
 %{_libdir}/pkcs11/libopencryptoki.so
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 %files devel
 %{_includedir}/%{name}/
@@ -371,6 +375,12 @@ fi
 %changelog
+* Tue May 16 2023 Than Ngo - 3.21.0-2
+- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
+- disable unsupported sandbox options and add /run to ReadWritePaths to exclude
+ /run directory from being made read-only on rhel8
+Related: #2159697
+
 * Mon May 15 2023 Than Ngo - 3.21.0-1
 - Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
 - Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS
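Review bot: The move of `%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki` from the main `%files` list to `%files libs` (removed in the `-294` hunk, added in the `-313` hunk) is not recorded in the changelog entry, which mentions only HSM_MK_CHANGE and the sandbox options. The directory is group-writable by pkcs11, and it is not visible in these hunks whether the libs subpackage guarantees that the group exists before its files are unpacked; if it does not, rpm falls back to root for the group and the intended access is lost. A changelog line such as `- move /var/log/opencryptoki to the libs subpackage` would document the change, and the libs scriptlets and Requires should be checked for the group creation.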