diff --git a/roles/rke2/selinux/my-openstack.te b/roles/rke2/selinux/my-openstack.te
index 0cdb1a0efa0e03acbeeabf86175ae1f46e58f709..403aadb18a7160195f001d9b954db7e14298d174 100644
--- a/roles/rke2/selinux/my-openstack.te
+++ b/roles/rke2/selinux/my-openstack.te
@@ -7,9 +7,10 @@ require {
         class lnk_file read;
         class file read;
         class file write;
+        class file open;
 }
 
 #============= container_t ==============
 allow container_t cert_t:dir read;
 allow container_t cert_t:lnk_file read;
-allow container_t cert_t:file {read write};
\ No newline at end of file
+allow container_t cert_t:file {open read write};
\ No newline at end of file