diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index cdeea5ea..d5adc90f 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -109,7 +109,7 @@ template(`portage_compile_domain_template',`
 allow $1_t self:rawip_socket { create ioctl };
 allow $1_t self:udp_socket recvfrom;
 # needed for merging dbus:
- allow $1_sandbox_t self:netlink_selinux_socket { bind create read };
+ allow $1_t self:netlink_selinux_socket { bind create read };
 allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
 term_create_pty($1_t,$1_devpts_t)
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index e8125c3b..a73ab9e3 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -77,6 +77,8 @@ files_manage_all_files(portage_t)
 selinux_get_fs_mount(portage_t)
+auth_manage_shadow(portage_t)
+
 # merging baselayout will need this:
 init_exec(portage_t)
@@ -184,7 +186,7 @@ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
 dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
 allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
-allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
+allow portage_sandbox_t portage_tmp_t:file manage_file_perms;
 allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
 # run scripts out of the build directory
 can_exec(portage_sandbox_t,portage_tmp_t)
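Review bot: The corrected rule `allow $1_t self:netlink_selinux_socket { bind create read };` in the portage.if hunk at line 109 is granted to every domain instantiated from `portage_compile_domain_template`, yet its only justification is the comment `# needed for merging dbus:`. I would extend that comment to say that the grant is deliberately template-wide for one package's build, e.g. `# needed for merging dbus (granted to all compile domains; revisit if dbus no longer needs it):`. That lets a later reader judge whether the rule can be narrowed or dropped. The template body starts and ends outside the hunk, so the surrounding rules could not be checked for an existing explanation.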
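Review bot: `auth_manage_shadow(portage_t)` in the portage.te hunk at line 77 is added without any comment, while the `init_exec(portage_t)` rule directly below it says which merge needs it. Going by the interface name, this gives the whole portage_t domain manage-level access to the shadow password file, which is a grant a reviewer will want justified. I would put a why-comment above it, such as `# merging <package> needs to update the shadow file:` (placeholder: name the package or phase that actually requires it). It is also worth checking whether a narrower interface such as `auth_rw_shadow` would cover that case instead of full manage.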