diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index 25713848ac..f0d239e878 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
 recursiveHash = true;
 postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
 };
+
+ rules-coordinator = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_msft_rules_coordinator.patch ];
+ };
 };
 
 meta = {
diff --git a/packages/genpolicy_msft_rules_coordinator.patch b/packages/genpolicy_msft_rules_coordinator.patch
new file mode 100644
index 0000000000..7ae9baf0e2
--- /dev/null
+++ b/packages/genpolicy_msft_rules_coordinator.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index e1954e9..fb508bc 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,9 +137,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+
+- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
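Review bot: The new `rules-coordinator` attribute gives no hint why the coordinator needs its own rule set, and nothing here tells a reader that the referenced patch loosens a policy check rather than fixing a bug. A one-line comment above it would carry that context, e.g. `# Coordinator variant of the rules: the patch relaxes the namespace check in allow_by_sandbox_name (see genpolicy_msft_rules_coordinator.patch).` `applyPatches` is called here but the function's argument list at the top of the file is outside this hunk, so confirm it is among the inputs.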
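Review bot: The patch drops the `p_namespace == i_namespace` equality in `allow_by_sandbox_name` in favour of `regex.match("^[a-z0-9-]{1,63}$", i_namespace)`, so the namespace recorded in the generated policy is no longer enforced: any DNS-label-shaped namespace in the incoming spec passes, and `allow_by_container_types` is then evaluated with the runtime-supplied `i_namespace` instead of the policy's value. If running the coordinator in an operator-chosen namespace is the intent, state it in a header comment at the top of the patch file and check, outside this hunk, whether other rules still compare against `p_namespace`, since the guarantee the policy gives has changed. The regex also admits leading and trailing hyphens, which Kubernetes DNS-1123 labels forbid; `regex.match("^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$", i_namespace)` keeps the 63-character bound and matches the real constraint. Separately, the inner header `@@ -137,9 +137,9 @@` announces nine lines per side but only eight are present on each side within the fifteen lines this file holds, so if this is the complete file `patch` may reject the hunk as malformed — confirm the derivation applies it. The enclosing rule `allow_by_sandbox_name` begins before the inner hunk and its closing brace lies after it.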