diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 4e2571d..df716c6 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -33,17 +33,17 @@ files_make_file(update_modules_tmp_t)
 # insmod local policy
 #
-allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
-
-# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-
 allow insmod_t self:capability { dac_override net_raw sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+
+allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
+
 kernel_transition_from(insmod_t,insmod_exec_t)
 kernel_load_module(insmod_t)
@@ -192,6 +192,7 @@ dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
 allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
 kernel_read_kernel_sysctl(update_modules_t)
 kernel_read_system_state(update_modules_t)
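Review bot: The moved `allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };` line now stands alone with no comment, unlike the modules_conf_t/modules_dep_t rule it follows, and `execute_no_trans` on a domain's own entrypoint type is exactly the permission a later reader will question. If the intent is to let insmod run its own binary again without a domain transition, record that next to the rule: `# insmod_t may execute its own entrypoint without a domain transition`. The insmod local policy block continues beyond this hunk on both sides.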
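Review bot: Moving `files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })` up to sit directly after the raw `allow update_modules_t update_modules_tmp_t:...` rules breaks the module grouping the rest of this domain follows, where interface calls are ordered `kernel_*`, then `files_*` (the old location in the hunk at @@ -211,7, which is the deletion half of this move), then `corecommands_*`. If the point is to keep the private tmp type's permissions next to the interface that labels new files with that type, a comment should say so, e.g. `# update_modules_t creates its private tmp files and dirs as update_modules_tmp_t`. Whether the interface itself already grants any permissions on update_modules_tmp_t is not visible here, so the two explicit allow rules above the call should be kept until that is confirmed against files.if. The update_modules block continues beyond this hunk on both sides.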
@@ -211,7 +212,6 @@ domain_use_widely_inheritable_file_descriptors(depmod_t)
 files_read_runtime_system_config(update_modules_t)
 files_read_general_system_config(update_modules_t)
 files_execute_system_config_script(update_modules_t)
-files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
 corecommands_execute_general_programs(update_modules_t)
 corecommands_execute_system_programs(update_modules_t)