diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index a55373ed..1f3f640e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -31,6 +31,7 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
 	allow $1_ssh_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
 	allow $1_ssh_t self:msg { send receive };
+	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
@@ -40,6 +41,13 @@ template(`ssh_per_userdomain_template',`
 
 	kernel_read_kernel_sysctl($1_ssh_t)
 
+	corenet_tcp_sendrecv_all_if($1_ssh_t)
+	corenet_raw_sendrecv_all_if($1_ssh_t)
+	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
+	corenet_raw_sendrecv_all_nodes($1_ssh_t)
+	corenet_tcp_sendrecv_all_ports($1_ssh_t)
+	corenet_tcp_bind_all_nodes($1_ssh_t)
+
 	dev_read_urand($1_ssh_t)
 
 	fs_getattr_all_fs($1_ssh_t)
@@ -65,6 +73,16 @@ template(`ssh_per_userdomain_template',`
 
 	seutil_read_config($1_ssh_t)
 
+	sysnet_read_config($1_ssh_t)
+
+	tunable_policy(`use_dns',`
+		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		corenet_udp_sendrecv_all_if($1_ssh_t)
+		corenet_udp_sendrecv_all_nodes($1_ssh_t)
+		corenet_udp_sendrecv_dns_port($1_ssh_t)
+		corenet_udp_bind_all_nodes($1_ssh_t)
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_ssh_t)
 		fs_manage_nfs_files($1_ssh_t)
@@ -104,8 +122,6 @@ template(`ssh_per_userdomain_template',`
 
 	# Grant permissions needed to create TCP and UDP sockets and
 	# to access the network.
-	can_network_client_tcp($1_ssh_t)
-	can_resolve($1_ssh_t)
 	can_ypbind($1_ssh_t)
 	can_kerberos($1_ssh_t)
 
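Review bot: The new `self:tcp_socket` rule in the first hunk grants `bind` to a client-side domain, and the second hunk pairs it with `corenet_tcp_bind_all_nodes($1_ssh_t)` and `corenet_tcp_sendrecv_all_ports($1_ssh_t)`, yet nothing in the template says why an ssh client needs to bind or reach every port; the `# Grant permissions needed to create TCP and UDP sockets` comment that used to introduce `can_network_client_tcp` is left behind in the last hunk, far from the rules that replaced it. I would move a short rationale next to the new rules, e.g. `# bind and all-port access are needed for local port forwarding (-L); tighten if forwarding is not wanted`, so a later reviewer can judge whether the all-ports grant is still justified rather than treating it as a mechanical translation of the old macro. The permission list also orders `connect` second here but last in the `udp_socket` rule of the third hunk; matching the order would make the two rules easier to compare. The enclosing `ssh_per_userdomain_template` starts before the first hunk and ends after the last.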
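Review bot: `corenet_raw_sendrecv_all_if($1_ssh_t)` and `corenet_raw_sendrecv_all_nodes($1_ssh_t)` in the second hunk grant raw-IP send/receive on interfaces and nodes, but no `allow $1_ssh_t self:rawip_socket { ... }` rule appears anywhere in the change, so unless such a rule exists outside the hunks these two lines either grant nothing or quietly widen the domain once someone adds raw-socket creation later. An ssh client has no visible need for raw sockets; I would drop both lines, or if they are intentional add `# raw sendrecv: needed for <reason>` above them and the matching self rule so the intent is auditable.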
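Review bot: The `use_dns` tunable block in the third hunk only gates UDP resolution (`corenet_udp_sendrecv_dns_port` plus the `udp_socket` self rule), while the unconditional `corenet_tcp_sendrecv_all_ports($1_ssh_t)` from the second hunk already covers DNS over TCP, so turning the tunable off does not actually prevent the domain from talking to resolvers; it only removes the UDP path. If the tunable is meant to be a real boundary, the TCP all-ports grant needs the same scoping; otherwise a comment such as `# use_dns gates UDP lookups only; TCP DNS is already reachable via the all-ports rule above` would stop readers from assuming more isolation than the policy provides. `sysnet_read_config($1_ssh_t)` sits outside the tunable, which is reasonable since reading resolver configuration is harmless on its own, but it is worth a one-line note that this is deliberate.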