diff --git a/ipa_custodia.te b/ipa_custodia.te
index 8c0a18f..6999806 100644
--- a/ipa_custodia.te
+++ b/ipa_custodia.te
@@ -25,8 +25,8 @@ files_tmp_file(ipa_custodia_tmp_t)
 # ipa_custodia local policy
 #
 
-# DAC_OVERRIDE to read Dogtag's key material
-allow ipa_custodia_t self:capability {net_admin dac_override};
+allow ipa_custodia_t self:capability { net_admin dac_read_search };
+dontaudit ipa_custodia_t self:capability dac_override;
 allow ipa_custodia_t self:process execmem;
 allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
 allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
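Review bot: The added `dontaudit ipa_custodia_t self:capability dac_override;` carries no comment, and the removed rationale ("to read Dogtag's key material") was dropped rather than updated for `dac_read_search`. A dontaudit rule hides the AVC denial entirely, so a later genuine need for DAC override, or an unexpected attempt by this domain to use it, will not appear in the audit log unless dontaudit rules are disabled (for example with `semodule -DB`). Presumably the rule exists because some kernels check dac_override before dac_read_search and log a denial even when the read succeeds; that should be confirmed and stated. Something like `# DAC_READ_SEARCH to read Dogtag's key material; dac_override is denied on purpose and only silenced because the kernel may probe it first` above the two rules would keep the intent visible to the next policy maintainer.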