diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 7d0bb6c..16d9bc0 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -10,7 +10,8 @@ policy_module(usermanage,1.0)
 type admin_passwd_exec_t;
 files_make_file(admin_passwd_exec_t)
-type chfn_t; #, auth_chkpwd, privowner
+type chfn_t; #, auth_chkpwd
+kernel_make_object_identity_change_constraint_exception(chfn_t)
 domain_make_domain(chfn_t)
 role system_r types chfn_t;
@@ -29,27 +30,31 @@ files_make_file(crack_db_t)
 type crack_tmp_t;
 files_make_file(crack_tmp_t)
-type groupadd_t; #, privowner, nscd_client_domain;
+type groupadd_t; #, nscd_client_domain;
 type groupadd_exec_t;
+kernel_make_object_identity_change_constraint_exception(groupadd_t)
 domain_make_system_domain(groupadd_t,groupadd_exec_t)
 role system_r types groupadd_t;
-type passwd_t; #,auth_write, privowner;
+type passwd_t; #,auth_write;
+kernel_make_object_identity_change_constraint_exception(passwd_t)
 domain_make_domain(passwd_t)
 role system_r types passwd_t;
 type passwd_exec_t;
 domain_make_entrypoint_file(passwd_t,passwd_exec_t)
-type sysadm_passwd_t; #, auth_write, privowner;
+type sysadm_passwd_t; #, auth_write
+kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
 domain_make_domain(sysadm_passwd_t)
 domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
 type sysadm_passwd_tmp_t;
 files_make_file(sysadm_passwd_tmp_t)
-type useradd_t; #, privowner, nscd_client_domain;
+type useradd_t; # nscd_client_domain;
 type useradd_exec_t;
+kernel_make_object_identity_change_constraint_exception(useradd_t)
 domain_make_system_domain(useradd_t,useradd_exec_t)
 role system_r types useradd_t;
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 5e7b5af..79cd778 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
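Review bot: The stale attribute lists kept in the trailing comments are edited inconsistently across both hunks: `+type chfn_t; #, auth_chkpwd` and `+type sysadm_passwd_t; #, auth_write` drop the terminating semicolon, while `+type useradd_t; # nscd_client_domain;` drops the leading comma that the other lines keep. Now that `privowner` has been replaced by a real `kernel_make_object_identity_change_constraint_exception()` call, these comments are the only record of what each domain still lacks (`auth_chkpwd`, `auth_write`, `nscd_client_domain`); either give them one consistent form, such as `# TODO: still needs auth_chkpwd`, or remove them so nobody mistakes them for active declarations. The placement of the new call also differs, directly after the `type` line for chfn_t, passwd_t and sysadm_passwd_t but after the `_exec_t` declaration for groupadd_t and useradd_t; putting it on the line after each `type` declaration in all five cases makes the set of domains exempted from the object-identity constraint easier to audit.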
@@ -58,6 +58,45 @@ class dir mounton;
 ########################################
 #
+# kernel_make_process_identity_change_constraint_exception(domain)
+#
+define(`kernel_make_process_identity_change_constraint_exception',`
+requires_block_template(`$0'_depend)
+typeattribute $1 can_change_process_identity;
+')
+
+define(`kernel_make_process_identity_change_constraint_exception_depend',`
+attribute can_change_process_identity;
+')
+
+########################################
+#
+# kernel_make_role_change_constraint_exception(domain)
+#
+define(`kernel_make_role_change_constraint_exception',`
+requires_block_template(`$0'_depend)
+typeattribute $1 can_change_process_role;
+')
+
+define(`kernel_make_role_change_constraint_exception_depend',`
+attribute can_change_process_role;
+')
+
+########################################
+#
+# kernel_make_object_identity_change_constraint_exception(domain)
+#
+define(`kernel_make_object_identity_change_constraint_exception',`
+requires_block_template(`$0'_depend)
+typeattribute $1 can_change_object_identity;
+')
+
+define(`kernel_make_object_identity_change_constraint_exception_depend',`
+attribute can_change_object_identity;
+')
+
+########################################
+#
 # kernel_load_module(domain)
 #
 define(`kernel_load_module',`
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 352c2ec..da13020 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
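Review bot: The three new interfaces carry only their name in the header comment, so a caller cannot tell which constraint each one lifts or how sensitive membership in the attribute is; the block comment above each `define` should say what the domain is exempted from, e.g. `# Exempt the domain from the constraint that ties the SELinux user of created or relabeled objects to the creator's user (presumably the u1 == u2 check in the constraints file; confirm there)` for the object-identity interface, with matching wording for process user and role. It is also worth stating in the same comment that every caller widens the set of domains the identity constraints trust, so the interface should be granted per domain with a justification rather than through a broad attribute. The macros are identical apart from the attribute name, which is fine; each `requires_block_template(`$0'_depend)` has its matching `_depend` definition here. Nothing in this diff changes the constraints that would reference `can_change_process_identity`, `can_change_process_role` or `can_change_object_identity`, so if that lands separately a pointer to it in the header would help; until then the interfaces populate attributes that nothing consumes.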
@@ -2,12 +2,18 @@ policy_module(kernel,1.0)
+# assertion related attributes
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
+# constraint related attributes
+attribute can_change_process_identity;
+attribute can_change_process_role;
+attribute can_change_object_identity;
+
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 3948ede..b686794 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,7 +7,10 @@ policy_module(authlogin,1.0)
 # Declarations
 #
-type remote_login_t; #, privuser, privrole, privlog, auth_chkpwd, privowner, nscd_client_domain;
+type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
+kernel_make_object_identity_change_constraint_exception(remote_login_t)
+kernel_make_process_identity_change_constraint_exception(remote_login_t)
+kernel_make_role_change_constraint_exception(remote_login_t)
 domain_make_domain(remote_login_t)
 domain_make_file_descriptors_widely_inheritable(remote_login_t)
 authlogin_make_login_program_entrypoint(remote_login_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 6bdec67..153ecc9 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
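Review bot: The new `# constraint related attributes` comment in kernel.te does not say which constraints consume the three attributes, and no hunk in this diff adds or changes a `constrain` rule that references `can_change_process_identity`, `can_change_process_role` or `can_change_object_identity`, so as far as this change shows they are declared and populated but have no effect. Expand the comment to something like `# constraint related attributes: members are exempt from the user/role change constraints; grant only through the kernel_make_*_constraint_exception interfaces in kernel.if` and confirm the constraints file is updated in the same change, since a policy where the exemptions exist but the constraints still do not reference them is easy to miss in review. The `# assertion related attributes` label added above `can_load_policy` is fine provided those attributes are really used only in neverallow assertions, which is not visible here.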
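Review bot: remote_login_t is granted all three exceptions at once with no comment on why a login program needs to change the SELinux user of objects (`kernel_make_object_identity_change_constraint_exception`) in addition to its process user and role; since these are the policy's escape hatches from the identity constraints, a one-line justification above the calls, along the lines of `# login programs set the user and role of the session and, presumably, label session objects for that user; confirm the object-identity grant is needed`, would record the intent that the old `privuser, privrole, privowner` tokens only hinted at. The same applies to the identical hunk in locallogin.te, and the order of the three calls (object, process, role) differs from newrole_t in selinux.te, which lists role before object; picking one order makes the exemptions easier to grep. Pre-existing and outside this change, the hunk header for this file reads `policy_module(authlogin,1.0)` although the file is remotelogin.te, which looks like a leftover from the authlogin module and is worth a follow-up.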
@@ -7,7 +7,10 @@ policy_module(locallogin,1.0)
 # Declarations
 #
-type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
+type local_login_t; #, auth_chkpwd, nscd_client_domain;
+kernel_make_object_identity_change_constraint_exception(local_login_t)
+kernel_make_process_identity_change_constraint_exception(local_login_t)
+kernel_make_role_change_constraint_exception(local_login_t)
 domain_make_domain(local_login_t)
 domain_make_file_descriptors_widely_inheritable(local_login_t)
 authlogin_make_login_program_entrypoint(local_login_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 7d869e9..1a7c008 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -38,7 +38,9 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+kernel_make_role_change_constraint_exception(newrole_t)
+kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
 type newrole_exec_t;
@@ -61,7 +63,8 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
+type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
 domain_make_domain(restorecon_t)
 role system_r types restorecon_t;
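Review bot: selinux.te and selinuxutil.te receive byte-identical hunks with the same blob ids (`index 7d869e9..1a7c008`), so after this commit two modules declare `newrole_t`, `restorecon_t` and `setfiles_t` (this hunk, the restorecon_t and setfiles_t hunks that follow, and all three hunks in selinuxutil.te); if both files are in the build the duplicate type declarations will not compile, and if selinux.te is being renamed to selinuxutil.te the diff should carry the rename or delete rather than patching both copies. Within this hunk, `+type newrole_t; # , privlog, ...` leaves an odd `# ,` prefix where `privrole, privowner` were removed and still lists `mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl`, which have no interface equivalent in this change; tidy it to `# privlog, auth_chkpwd, ...` or turn the remainder into an explicit TODO. newrole_t gets the role and object-identity exceptions but not the process-identity one, which matches the old `privrole, privowner` without `privuser` and appears deliberate; a short comment saying so would stop a later reader from "completing" the set.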
@@ -75,7 +78,8 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7d869e9..1a7c008 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -38,7 +38,9 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; #, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
+type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+kernel_make_role_change_constraint_exception(newrole_t)
+kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
 type newrole_exec_t;
@@ -61,7 +63,8 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, privowner, auth_write, change_context;
+type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
 domain_make_domain(restorecon_t)
 role system_r types restorecon_t;
@@ -75,7 +78,8 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, privowner, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;