diff --git a/Changelog b/Changelog
index bb2e41c..e324451 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
 - Move shared library calls from individual modules to the domain module.
 - Enable open permission checks policy capability.
 - Remove hierarchy from portage module as it is not a good example of
diff --git a/Makefile b/Makefile
index ec7c7d5..12c9128 100644
--- a/Makefile
+++ b/Makefile
@@ -204,6 +204,10 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+ifeq "$(UBAC)" "y"
+	M4PARAM += -D enable_ubac
+endif
+
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
 MLS_CATS ?= 256
@@ -550,6 +554,7 @@ ifneq "$(DISTRO)" ""
 endif
 	$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
 	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+	$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
diff --git a/README b/README
index 37d5ce3..184c6ef 100644
--- a/README
+++ b/README
@@ -119,6 +119,9 @@ UNK_PERMS		String.  Set the kernel behavior for handling of
 			policy.  The permissions can either be allowed, denied,
 			or the policy loading can be rejected.
 
+UBAC			Boolean.  If set, the SELinux user will be used
+			additionally for approximate role separation.
+
 MLS_SENS		Integer.  Set the number of sensitivities in the MLS
 			policy.  Ignored on standard and MCS policies.
 
diff --git a/Rules.modular b/Rules.modular
index 6c5f58e..168a14f 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -157,7 +157,7 @@ endif
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
 
 $(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) $^ > $@
 
diff --git a/Rules.monolithic b/Rules.monolithic
index 4b6acbc..1dde01a 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -142,7 +142,7 @@ endif
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) -s $^ > $@
 
-$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) $^ > $@
 
diff --git a/build.conf b/build.conf
index 1cd0d66..58fd51d 100644
--- a/build.conf
+++ b/build.conf
@@ -48,6 +48,10 @@ DIRECT_INITRC = n
 # will build a loadable module policy.
 MONOLITHIC = y
 
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
 # Number of MLS Sensitivities
 # The sensitivities will be s0 to s(MLS_SENS-1).
 # Dominance will be in increasing numerical order
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index c2b7a80..22aeb67 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
index 7f4a125..7805778 100644
--- a/config/appconfig-mcs/root_default_contexts
+++ b/config/appconfig-mcs/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 679a5dd..881a292 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
index 53b04ec..106e093 100644
--- a/config/appconfig-mcs/unconfined_u_default_contexts
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index 38656b1..cacbc93 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index c2b7a80..22aeb67 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
index 7f4a125..7805778 100644
--- a/config/appconfig-mls/root_default_contexts
+++ b/config/appconfig-mls/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 
 staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 679a5dd..881a292 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0	staff_r:staff_t:s0
 system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0		staff_r:staff_crond_t:s0
+system_r:crond_t:s0		staff_r:cronjob_t:s0
 system_r:xdm_t:s0		staff_r:staff_t:s0
 staff_r:staff_su_t:s0		staff_r:staff_t:s0
 staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
index 53b04ec..106e093 100644
--- a/config/appconfig-mls/unconfined_u_default_contexts
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		unconfined_r:unconfined_t:s0
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
 system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index 38656b1..cacbc93 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t:s0	user_r:user_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0
-system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:crond_t:s0		user_r:cronjob_t:s0
 system_r:xdm_t:s0		user_r:user_t:s0
 user_r:user_su_t:s0		user_r:user_t:s0
 user_r:user_sudo_t:s0		user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index 4bb784d..6141347 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t	user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
+system_r:crond_t	user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
 system_r:local_login_t	user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
 system_r:remote_login_t	user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
 system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
index 3806d33..f522568 100644
--- a/config/appconfig-standard/root_default_contexts
+++ b/config/appconfig-standard/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t	unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:crond_t	unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
 system_r:local_login_t  unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
 
 staff_r:staff_su_t	unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index 456bbf9..c2a5ea8 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		staff_r:staff_t sysadm_r:sysadm_t
 system_r:remote_login_t		staff_r:staff_t
 system_r:sshd_t			staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t		staff_r:staff_crond_t
+system_r:crond_t		staff_r:cronjob_t
 system_r:xdm_t			staff_r:staff_t
 staff_r:staff_su_t		staff_r:staff_t
 staff_r:staff_sudo_t		staff_r:staff_t
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
index 1b26b60..e340b21 100644
--- a/config/appconfig-standard/unconfined_u_default_contexts
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t		unconfined_r:unconfined_t
+system_r:crond_t		unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
 system_r:initrc_t		unconfined_r:unconfined_t
 system_r:local_login_t		unconfined_r:unconfined_t
 system_r:remote_login_t		unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index 26835d8..f5bfac3 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
 system_r:local_login_t		user_r:user_t
 system_r:remote_login_t		user_r:user_t
 system_r:sshd_t			user_r:user_t
-system_r:crond_t		user_r:user_crond_t
+system_r:crond_t		user_r:cronjob_t
 system_r:xdm_t			user_r:user_t
 user_r:user_su_t		user_r:user_t
 user_r:user_sudo_t		user_r:user_t
diff --git a/policy/constraints b/policy/constraints
index 2e58ead..bf4a736 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -25,59 +25,219 @@
 # name_list : name | name_list name		
 #
 
+define(`basic_ubac_conditions',`
+	ifdef(`enable_ubac',`
+		u1 == u2
+		or u1 == system_u
+		or u2 == system_u
+		or t1 != ubac_constrained_type
+		or t2 != ubac_constrained_type
+	')
+')
+
+define(`basic_ubac_constraint',`
+	ifdef(`enable_ubac',`
+		constrain $1 all_$1_perms
+		(
+			basic_ubac_conditions
+		);
+	')
+')
+
+define(`exempted_ubac_constraint',`
+	ifdef(`enable_ubac',`
+		constrain $1 all_$1_perms
+		(
+			basic_ubac_conditions
+			or t1 == $2
+		);
+	')
+')
+
+########################################
 #
-# SELinux process identity change constraint:
+# File rules
 #
-constrain process transition
+
+exempted_ubac_constraint(dir, ubacfile)
+exempted_ubac_constraint(file, ubacfile)
+exempted_ubac_constraint(lnk_file, ubacfile)
+exempted_ubac_constraint(fifo_file, ubacfile)
+exempted_ubac_constraint(sock_file, ubacfile)
+exempted_ubac_constraint(chr_file, ubacfile)
+exempted_ubac_constraint(blk_file, ubacfile)
+
+# SElinux object identity change constraint:
+constrain dir_file_class_set { create relabelto relabelfrom } 
 (
 	u1 == u2
+	or t1 == can_change_object_identity
+);
 
-	or ( t1 == can_change_process_identity and t2 == process_user_target )
+########################################
+#
+# Process rules
+#
 
-       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
+(
+	basic_ubac_conditions
+	or t1 == ubacproc
+);
 
+constrain process { transition noatsecure siginh rlimitinh }
+(
+	u1 == u2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
 	or ( t1 == can_system_change and u2 == system_u )
-
 	or ( t1 == process_uncond_exempt )
 );
 
-#
-# SELinux process role change constraint:
-#
-constrain process transition 
+constrain process { transition noatsecure siginh rlimitinh }
 (
-	r1 == r2 
-
-	or ( t1 == can_change_process_role and t2 == process_user_target )
-
-   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
-	or ( t1 == can_system_change and r2 == system_r )
-
+	r1 == r2
+	or ( t1 == can_change_process_identity and t2 == process_user_target )
+	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+	or ( t1 == can_system_change and u2 == system_u )
 	or ( t1 == process_uncond_exempt )
 );
 
-#
-# SELinux dynamic transition constraint:
-#
 constrain process dyntransition
 (
 	u1 == u2 and r1 == r2
 );
 
+# These permissions do not have ubac constraints:
+# fork
+# setexec
+# setfscreate
+# setcurrent
+# execmem
+# execstack
+# execheap
+# setkeycreate
+# setsockcreate
+
+########################################
 #
-# SElinux object identity change constraint:
+# File descriptor rules
 #
-constrain dir_file_class_set { create relabelto relabelfrom } 
-(
-	u1 == u2
 
-	or t1 == can_change_object_identity
-);
+exempted_ubac_constraint(fd, ubacfd)
+
+########################################
+#
+# Socket rules
+#
+
+exempted_ubac_constraint(socket, ubacsock)
+exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(udp_socket, ubacsock)
+exempted_ubac_constraint(rawip_socket, ubacsock)
+exempted_ubac_constraint(netlink_socket, ubacsock)
+exempted_ubac_constraint(packet_socket, ubacsock)
+exempted_ubac_constraint(key_socket, ubacsock)
+exempted_ubac_constraint(unix_stream_socket, ubacsock)
+exempted_ubac_constraint(unix_dgram_socket, ubacsock)
+exempted_ubac_constraint(netlink_route_socket, ubacsock)
+exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
+exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
+exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
+exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
+exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
+exempted_ubac_constraint(netlink_audit_socket, ubacsock)
+exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
+exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
+exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
+exempted_ubac_constraint(appletalk_socket, ubacsock)
+exempted_ubac_constraint(dccp_socket, ubacsock)
 
 constrain socket_class_set { create relabelto relabelfrom } 
 (
 	u1 == u2
-
 	or t1 == can_change_object_identity
 );
+
+########################################
+#
+# SysV IPC rules
+
+exempted_ubac_constraint(sem, ubacipc)
+exempted_ubac_constraint(msg, ubacipc)
+exempted_ubac_constraint(msgq, ubacipc)
+exempted_ubac_constraint(shm, ubacipc)
+exempted_ubac_constraint(ipc, ubacipc)
+
+########################################
+#
+# SE-X Windows rules
+#
+
+exempted_ubac_constraint(x_drawable, ubacxwin)
+exempted_ubac_constraint(x_screen, ubacxwin)
+exempted_ubac_constraint(x_gc, ubacxwin)
+exempted_ubac_constraint(x_font, ubacxwin)
+exempted_ubac_constraint(x_colormap, ubacxwin)
+exempted_ubac_constraint(x_property, ubacxwin)
+exempted_ubac_constraint(x_selection, ubacxwin)
+exempted_ubac_constraint(x_cursor, ubacxwin)
+exempted_ubac_constraint(x_client, ubacxwin)
+exempted_ubac_constraint(x_device, ubacxwin)
+exempted_ubac_constraint(x_server, ubacxwin)
+exempted_ubac_constraint(x_extension, ubacxwin)
+exempted_ubac_constraint(x_resource, ubacxwin)
+exempted_ubac_constraint(x_event, ubacxwin)
+exempted_ubac_constraint(x_synthetic_event, ubacxwin)
+exempted_ubac_constraint(x_application_data, ubacxwin)
+
+########################################
+#
+# D-BUS rules
+#
+
+exempted_ubac_constraint(dbus, ubacdbus)
+
+########################################
+#
+# Key rules
+#
+
+exempted_ubac_constraint(key, ubackey)
+
+########################################
+#
+# Database rules
+#
+
+exempted_ubac_constraint(db_database, ubacdb)
+exempted_ubac_constraint(db_table, ubacdb)
+exempted_ubac_constraint(db_procedure, ubacdb)
+exempted_ubac_constraint(db_column, ubacdb)
+exempted_ubac_constraint(db_tuple, ubacdb)
+exempted_ubac_constraint(db_blob, ubacdb)
+
+
+
+basic_ubac_constraint(association)
+basic_ubac_constraint(peer)
+
+
+# these classes have no UBAC restrictions
+#class security
+#class system
+#class capability
+#class memprotect
+#class passwd			# userspace
+#class node
+#class netif
+#class packet
+#class capability2
+#class nscd			# userspace
+#class context			# userspace
+
+
+
+undefine(`basic_ubac_constraint')
+undefine(`basic_ubac_conditions')
+undefine(`exempted_ubac_constraint')
diff --git a/policy/global_tunables b/policy/global_tunables
index ee3e484..c08ca6f 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -62,8 +62,8 @@ gen_tunable(global_ssp,false)
 ## <desc>
 ## <p>
 ## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
+## nfs, samba, removable devices, and user temp
+## files
 ## </p>
 ## </desc>
 gen_tunable(mail_read_content,false)
@@ -91,15 +91,6 @@ gen_tunable(read_default_t,false)
 
 ## <desc>
 ## <p>
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
-## </p>
-## </desc>
-gen_tunable(read_untrusted_content,false)
-
-## <desc>
-## <p>
 ## Support NFS home directories
 ## </p>
 ## </desc>
@@ -120,12 +111,3 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
-
-## <desc>
-## <p>
-## Allow applications to write untrusted content
-## If this is disallowed, no Internet content
-## will be stored.
-## </p>
-## </desc>
-gen_tunable(write_untrusted_content,false)
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 8a7c421..e51ae66 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -1,5 +1,5 @@
 
-policy_module(acct, 1.2.0)
+policy_module(acct, 1.2.1)
 
 ########################################
 #
@@ -64,8 +64,7 @@ logging_send_syslog_msg(acct_t)
 miscfiles_read_localization(acct_t)
 
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
-
-sysadm_dontaudit_search_home_dirs(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
 
 optional_policy(`
 	optional_policy(`
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index b7cb5df..fd3abca 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
 
-policy_module(alsa, 1.6.0)
+policy_module(alsa, 1.6.1)
 
 ########################################
 #
@@ -60,10 +60,7 @@ miscfiles_read_localization(alsa_t)
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
-
-sysadm_dontaudit_search_home_dirs(alsa_t)
-
-unprivuser_search_home_dirs(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
 
 optional_policy(`
 	hal_use_fds(alsa_t)
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index e877b02..dab38fb 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -33,11 +33,6 @@ interface(`amanda_domtrans_recover',`
 ##	The role to be allowed the amanda_recover domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the amanda_recover domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`amanda_run_recover',`
@@ -47,7 +42,6 @@ interface(`amanda_run_recover',`
 
 	amanda_domtrans_recover($1)
 	role $2 types amanda_recover_t;
-	allow amanda_recover_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index dd39ca4..4b32928 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda, 1.10.0)
+policy_module(amanda, 1.10.1)
 
 #######################################
 #
@@ -182,7 +182,7 @@ manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
-sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
 manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
@@ -227,4 +227,5 @@ logging_search_logs(amanda_recover_t)
 
 miscfiles_read_localization(amanda_recover_t)
 
-sysadm_search_home_content_dirs(amanda_recover_t)
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if
index 01432cc..18e3bc6 100644
--- a/policy/modules/admin/amtu.if
+++ b/policy/modules/admin/amtu.if
@@ -34,11 +34,6 @@ interface(`amtu_domtrans',`
 ##	The role to be allowed the amtu domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the amtu domain to use.
-##	</summary>
-## </param>
 #
 interface(`amtu_run',`
 	gen_require(`
@@ -47,5 +42,4 @@ interface(`amtu_run',`
 
 	amtu_domtrans($1)
 	role $2 types amtu_t;
-	allow amtu_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te
index fd34746..ec4c097 100644
--- a/policy/modules/admin/amtu.te
+++ b/policy/modules/admin/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu,1.1.0)
+policy_module(amtu, 1.1.1)
 
 ########################################
 #
@@ -23,6 +23,8 @@ files_read_etc_files(amtu_t)
 
 logging_send_audit_msgs(amtu_t)
 
+userdom_use_user_terminals(amtu_t)
+
 optional_policy(`
 	nscd_dontaudit_search_pid(amtu_t)
 ')
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 35d22c5..9e11224 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
 
-policy_module(anaconda, 1.4.0)
+policy_module(anaconda, 1.4.1)
 
 ########################################
 #
@@ -32,7 +32,7 @@ modutils_domtrans_insmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
 
-unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	kudzu_domtrans(anaconda_t)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 99004b5..68ecf71 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -34,11 +34,6 @@ interface(`apt_domtrans',`
 ##	The role to allow the apt domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the apt domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`apt_run',`
@@ -48,7 +43,6 @@ interface(`apt_run',`
 
 	apt_domtrans($1)
 	role $2 types apt_t;
-	allow apt_t $3:chr_file rw_term_perms;
 	# TODO: likely have to add dpkg_run here.
 ')
 
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index d59fc5c..37226e1 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
 
-policy_module(apt, 1.4.0)
+policy_module(apt, 1.4.1)
 
 ########################################
 #
@@ -119,6 +119,8 @@ seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
 
+userdom_use_user_terminals(apt_t)
+
 # with boolean, for cron-apt and such?
 #optional_policy(`
 #	cron_system_entry(apt_t,apt_exec_t)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 8720ae7..29ed36e 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -33,11 +33,6 @@ interface(`backup_domtrans',`
 ##	The role to be allowed the backup domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`backup_run',`
@@ -47,5 +42,4 @@ interface(`backup_run',`
 
 	backup_domtrans($1)
 	role $2 types backup_t;
-	allow backup_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index bfe5fab..eea9a80 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -1,5 +1,5 @@
 
-policy_module(backup, 1.3.0)
+policy_module(backup, 1.3.1)
 
 ########################################
 #
@@ -71,6 +71,8 @@ logging_send_syslog_msg(backup_t)
 
 sysnet_read_config(backup_t)
 
+userdom_use_user_terminals(backup_t)
+
 optional_policy(`
 	cron_system_entry(backup_t, backup_exec_t)
 ')
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index e083200..0106920 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -33,11 +33,6 @@ interface(`bootloader_domtrans',`
 ##	The role to be allowed the bootloader domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bootloader domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`bootloader_run',`
@@ -48,11 +43,10 @@ interface(`bootloader_run',`
 	bootloader_domtrans($1)
 
 	role $2 types bootloader_t;
-	allow bootloader_t $3:chr_file rw_term_perms;
 
 	ifdef(`distro_redhat',`
 		# for mke2fs
-		mount_run(bootloader_t, $2, $3)
+		mount_run(bootloader_t, $2)
 	')
 ')
 
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 292be8b..b11c06b 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader, 1.9.0)
+policy_module(bootloader, 1.9.1)
 
 ########################################
 #
@@ -135,6 +135,9 @@ seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
 
+userdom_use_user_terminals(bootloader_t)
+userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
 ifdef(`distro_debian',`
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 	fs_list_tmpfs(bootloader_t)
@@ -211,11 +214,3 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
-
-optional_policy(`
-	staff_dontaudit_search_home_dirs(bootloader_t)
-')
-
-optional_policy(`
-	sysadm_dontaudit_search_home_dirs(bootloader_t)
-')
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index 6dc459a..1cbd014 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -37,11 +37,6 @@ interface(`certwatch_domtrans',`
 ##	The role to be allowed the certwatch domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the certwatch domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`certwatch_run',`
@@ -51,7 +46,6 @@ interface(`certwatch_run',`
 
 	certwatch_domtrans($1)
 	role $2 types certwatch_t;
-	allow certwatch_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 46913fd..15be490 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -32,6 +32,8 @@ logging_send_syslog_msg(certwatch_t)
 miscfiles_read_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
+userdom_use_user_terminals(certwatch_t)
+
 optional_policy(`
 	apache_exec_modules(certwatch_t)
 ')
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index bb06d8c..bd8c9c9 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -36,11 +36,6 @@ interface(`consoletype_domtrans',`
 ##	The role to be allowed the consoletype domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the consoletype domain to use.
-##	</summary>
-## </param>
 #
 interface(`consoletype_run',`
 	gen_require(`
@@ -49,7 +44,6 @@ interface(`consoletype_run',`
 
 	consoletype_domtrans($1)
 	role $2 types consoletype_t;
-	allow consoletype_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2672c68..d3700dd 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
 
-policy_module(consoletype, 1.6.0)
+policy_module(consoletype, 1.6.1)
 
 ########################################
 #
@@ -54,6 +54,8 @@ domain_use_interactive_fds(consoletype_t)
 files_dontaudit_read_root_files(consoletype_t)
 files_list_usr(consoletype_t)
 
+userdom_use_user_terminals(consoletype_t)
+
 ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(consoletype_t)
 ')
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index e334a51..898f54e 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -33,11 +33,6 @@ interface(`ddcprobe_domtrans',`
 ##	Role to be authenticated for ddcprobe domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ddcprobe_run',`
@@ -47,5 +42,4 @@ interface(`ddcprobe_run',`
 
 	ddcprobe_domtrans($1)
 	role $2 types ddcprobe_t;
-	allow ddcprobe_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 07f9f03..be46d42 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -1,5 +1,5 @@
 
-policy_module(ddcprobe, 1.1.0)
+policy_module(ddcprobe, 1.1.1)
 
 ########################################
 #
@@ -45,6 +45,7 @@ miscfiles_read_localization(ddcprobe_t)
 
 modutils_read_module_deps(ddcprobe_t)
 
+userdom_use_user_terminals(ddcprobe_t)
 userdom_use_all_users_fds(ddcprobe_t)
 
 #reh why? this does not seem even necessary to function properly
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 02bd258..69ca5b5 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,5 +1,5 @@
 
-policy_module(dmesg, 1.2.0)
+policy_module(dmesg, 1.2.1)
 
 ########################################
 #
@@ -48,8 +48,7 @@ logging_write_generic_logs(dmesg_t)
 miscfiles_read_localization(dmesg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-
-sysadm_use_terms(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
index 5a7774a..233e6d4 100644
--- a/policy/modules/admin/dmidecode.if
+++ b/policy/modules/admin/dmidecode.if
@@ -38,11 +38,6 @@ interface(`dmidecode_domtrans',`
 ##	The role to be allowed the dmidecode domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dmidecode domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dmidecode_run',`
@@ -52,5 +47,4 @@ interface(`dmidecode_run',`
 
 	dmidecode_domtrans($1)
 	role $2 types dmidecode_t;
-	allow dmidecode_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index 8fb4783..d032a09 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -1,5 +1,5 @@
 
-policy_module(dmidecode, 1.3.0)
+policy_module(dmidecode, 1.3.1)
 
 ########################################
 #
@@ -24,8 +24,8 @@ dev_read_raw_memory(dmidecode_t)
 
 mls_file_read_all_levels(dmidecode_t)
 
-term_list_ptys(dmidecode_t)
-
 files_list_usr(dmidecode_t)
 
 locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 1822169..560d021 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -58,11 +58,6 @@ interface(`dpkg_domtrans_script',`
 ##	The role to allow the dpkg domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dpkg domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dpkg_run',`
@@ -73,8 +68,7 @@ interface(`dpkg_run',`
 	dpkg_domtrans($1)
 	role $2 types dpkg_t;
 	role $2 types dpkg_script_t;
-	seutil_run_loadpolicy(dpkg_script_t, $2, $3)
-	allow dpkg_t $3:chr_file rw_term_perms;
+	seutil_run_loadpolicy(dpkg_script_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index f57eab0..2e03742 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
 
-policy_module(dpkg, 1.5.0)
+policy_module(dpkg, 1.5.1)
 
 ########################################
 #
@@ -141,8 +141,6 @@ storage_raw_write_fixed_disk(dpkg_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(dpkg_t)
 
-term_list_ptys(dpkg_t)
-
 auth_relabel_all_files_except_shadow(dpkg_t)
 auth_manage_all_files_except_shadow(dpkg_t)
 auth_dontaudit_read_shadow(dpkg_t)
@@ -164,6 +162,7 @@ seutil_manage_bin_policy(dpkg_t)
 
 sysnet_read_config(dpkg_t)
 
+userdom_use_user_terminals(dpkg_t)
 userdom_use_unpriv_users_fds(dpkg_t)
 
 # transition to dpkg script:
@@ -284,8 +283,6 @@ selinux_compute_user_contexts(dpkg_script_t)
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
-term_getattr_unallocated_ttys(dpkg_script_t)
-term_list_ptys(dpkg_script_t)
 term_use_all_terms(dpkg_script_t)
 
 auth_dontaudit_getattr_shadow(dpkg_script_t)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 402cc7a..00415af 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -36,11 +36,6 @@ interface(`firstboot_domtrans',`
 ##	The role to be allowed the firstboot domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the firstboot domain to use.
-##	</summary>
-## </param>
 #
 interface(`firstboot_run',`
 	gen_require(`
@@ -49,7 +44,6 @@ interface(`firstboot_run',`
 
 	firstboot_domtrans($1)
 	role $2 types firstboot_t;
-	allow firstboot_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index ea98cfd..374ffd4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
 
-policy_module(firstboot, 1.8.0)
+policy_module(firstboot, 1.8.1)
 
 gen_require(`
 	class passwd rootok;
@@ -80,14 +80,15 @@ modutils_domtrans_insmod(firstboot_t)
 modutils_read_module_config(firstboot_t)
 modutils_read_module_deps(firstboot_t)
 
+userdom_use_user_terminals(firstboot_t)
 # Add/remove user home directories
-unprivuser_manage_home_content_dirs(firstboot_t)
-unprivuser_manage_home_content_files(firstboot_t)
-unprivuser_manage_home_content_symlinks(firstboot_t)
-unprivuser_manage_home_content_pipes(firstboot_t)
-unprivuser_manage_home_content_sockets(firstboot_t)
-unprivuser_home_filetrans_home_dir(firstboot_t)
-unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	hal_dbus_chat(firstboot_t)
@@ -116,6 +117,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_rw_xdm_xserver_shm(firstboot_t)
+	xserver_rw_shm(firstboot_t)
 	xserver_unconfined(firstboot_t)
 ')
diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
index 149ced6..b4cf132 100644
--- a/policy/modules/admin/kismet.if
+++ b/policy/modules/admin/kismet.if
@@ -33,11 +33,6 @@ interface(`kismet_domtrans',`
 ##	The role to be allowed the kismet domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the role's terminal.
-##	</summary>
-## </param>
 #
 interface(`kismet_run',`
 	gen_require(`
@@ -46,7 +41,6 @@ interface(`kismet_run',`
 
 	kismet_domtrans($1)
 	role $2 types kismet_t;
-	allow kismet_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index c6aaa1d..9a243c0 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.1.0)
+policy_module(kismet, 1.1.1)
 
 ########################################
 #
@@ -52,3 +52,5 @@ auth_use_nsswitch(kismet_t)
 files_read_etc_files(kismet_t)
 
 miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 6fb17f7..11c6f9e 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -33,11 +33,6 @@ interface(`kudzu_domtrans',`
 ##	The role to be allowed the kudzu domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the kudzu domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`kudzu_run',`
@@ -47,7 +42,6 @@ interface(`kudzu_run',`
 
 	kudzu_domtrans($1)
 	role $2 types kudzu_t;
-	allow kudzu_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index fe122aa..eef8ee3 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
 
-policy_module(kudzu, 1.7.0)
+policy_module(kudzu, 1.7.1)
 
 ########################################
 #
@@ -77,7 +77,6 @@ storage_raw_write_removable_device(kudzu_t)
 storage_raw_read_fixed_disk(kudzu_t)
 storage_raw_read_removable_device(kudzu_t)
 
-term_search_ptys(kudzu_t)
 term_dontaudit_use_console(kudzu_t)
 # so it can write messages to the console
 term_use_unallocated_ttys(kudzu_t)
@@ -123,9 +122,9 @@ modutils_domtrans_insmod(kudzu_t)
 
 sysnet_read_config(kudzu_t)
 
+userdom_use_user_terminals(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
-
-sysadm_search_home_dirs(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
 
 optional_policy(`
 	gpm_getattr_gpmctl(kudzu_t)
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 3485d9f..f9af0e1 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -33,11 +33,6 @@ interface(`logrotate_domtrans',`
 ##	The role to be allowed the logrotate domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the logrotate domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logrotate_run',`
@@ -47,7 +42,6 @@ interface(`logrotate_run',`
 
 	logrotate_domtrans($1)
 	role $2 types logrotate_t;
-	allow logrotate_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 0743fca..982fb75 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
 
-policy_module(logrotate, 1.10.0)
+policy_module(logrotate, 1.10.1)
 
 ########################################
 #
@@ -115,6 +115,8 @@ miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
 
+userdom_use_user_terminals(logrotate_t)
+userdom_dontaudit_search_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -122,8 +124,6 @@ cron_search_spool(logrotate_t)
 
 mta_send_mail(logrotate_t)
 
-sysadm_dontaudit_search_home_dirs(logrotate_t)
-
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 	# for savelog
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 80fd11b..d67089e 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(logwatch, 1.8.0)
+policy_module(logwatch, 1.8.1)
 
 #################################
 #
@@ -86,9 +86,9 @@ selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
 
-mta_send_mail(logwatch_t)
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
 
-sysadm_dontaudit_search_home_dirs(logwatch_t)
+mta_send_mail(logwatch_t)
 
 optional_policy(`
 	apache_read_log(logwatch_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 2e013ac..5acd1fd 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
 
-policy_module(mrtg, 1.5.0)
+policy_module(mrtg, 1.5.1)
 
 ########################################
 #
@@ -113,11 +113,10 @@ miscfiles_read_localization(mrtg_t)
 
 selinux_dontaudit_getattr_dir(mrtg_t)
 
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 
-sysadm_use_terms(mrtg_t)
-sysadm_dontaudit_read_home_content_files(mrtg_t)
-
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)
 ')
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 0e3fd06..0ab5f13 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -33,11 +33,6 @@ interface(`netutils_domtrans',`
 ##	The role to be allowed the netutils domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the netutils domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run',`
@@ -47,7 +42,6 @@ interface(`netutils_run',`
 
 	netutils_domtrans($1)
 	role $2 types netutils_t;
-	allow netutils_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -155,11 +149,6 @@ interface(`netutils_signal_ping',`
 ##	The role to be allowed the ping domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_ping',`
@@ -169,7 +158,6 @@ interface(`netutils_run_ping',`
 
 	netutils_domtrans_ping($1)
 	role $2 types ping_t;
-	allow ping_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -187,11 +175,6 @@ interface(`netutils_run_ping',`
 ##	The role to be allowed the ping domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ping domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_ping_cond',`
@@ -204,7 +187,6 @@ interface(`netutils_run_ping_cond',`
 
 	if ( user_ping ) {
 		netutils_domtrans_ping($1)
-		allow ping_t $3:chr_file rw_term_perms;
 	}
 ')
 
@@ -259,11 +241,6 @@ interface(`netutils_domtrans_traceroute',`
 ##	The role to be allowed the traceroute domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_traceroute',`
@@ -273,7 +250,6 @@ interface(`netutils_run_traceroute',`
 
 	netutils_domtrans_traceroute($1)
 	role $2 types traceroute_t;
-	allow traceroute_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -291,11 +267,6 @@ interface(`netutils_run_traceroute',`
 ##	The role to be allowed the traceroute domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the traceroute domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netutils_run_traceroute_cond',`
@@ -308,7 +279,6 @@ interface(`netutils_run_traceroute_cond',`
 
 	if( user_ping ) {
 		netutils_domtrans_traceroute($1)
-		allow traceroute_t $3:chr_file rw_term_perms;
 	}
 ')
 
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index ca45fce..9414ac3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils, 1.7.0)
+policy_module(netutils, 1.7.1)
 
 ########################################
 #
@@ -85,6 +85,7 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
+userdom_use_user_terminals(netutils_t)
 userdom_use_all_users_fds(netutils_t)
 
 optional_policy(`
@@ -133,6 +134,8 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
+userdom_use_user_terminals(ping_t)
+
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 ')
@@ -197,6 +200,8 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
+userdom_use_user_terminals(traceroute_t)
+
 #rules needed for nmap
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index da338ab..f4043c3 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -40,11 +40,6 @@ interface(`portage_domtrans',`
 ##	The role to allow the portage domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for portage to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`portage_run',`
@@ -54,9 +49,6 @@ interface(`portage_run',`
 
 	portage_domtrans($1)
 	role $2 types { portage_t portage_fetch_t portage_sandbox_t };
-	allow portage_t $3:chr_file rw_term_perms;
-	allow portage_fetch_t $3:chr_file rw_term_perms;
-	allow portage_sandbox_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -186,6 +178,8 @@ interface(`portage_compile_domain',`
 
 	logging_send_syslog_msg($1)
 
+	userdom_use_user_terminals($1)
+
 	ifdef(`TODO',`
 	# some gui ebuilds want to interact with X server, like xawtv
 	optional_policy(`
@@ -231,11 +225,6 @@ interface(`portage_domtrans_gcc_config',`
 ##	The role to allow the gcc_config domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow for gcc_config to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`portage_run_gcc_config',`
@@ -245,5 +234,4 @@ interface(`portage_run_gcc_config',`
 
 	portage_domtrans_gcc_config($1)
 	role $2 types gcc_config_t;
-	allow gcc_config_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index af61ccf..20ac2f1 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
 
-policy_module(portage, 1.6.1)
+policy_module(portage, 1.6.2)
 
 ########################################
 #
@@ -90,8 +90,6 @@ files_search_pids(gcc_config_t)
 # the directory it is being run from
 files_list_all(gcc_config_t)
 
-term_search_ptys(gcc_config_t)
-
 # seems to be ok without this
 init_dontaudit_read_script_status_files(gcc_config_t)
 
@@ -105,6 +103,8 @@ logging_send_syslog_msg(gcc_config_t)
 
 miscfiles_read_localization(gcc_config_t)
 
+userdom_use_user_terminals(gcc_config_t)
+
 consoletype_exec(gcc_config_t)
 
 optional_policy(`
@@ -245,7 +245,8 @@ miscfiles_read_localization(portage_fetch_t)
 sysnet_read_config(portage_fetch_t)
 sysnet_dns_name_resolve(portage_fetch_t)
 
-sysadm_dontaudit_read_home_content_files(portage_fetch_t)
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
 ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 9e09e88..38d22ad 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -33,11 +33,6 @@ interface(`prelink_domtrans',`
 ##	The role to allow the prelink domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the prelink domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`prelink_run',`
@@ -47,7 +42,6 @@ interface(`prelink_run',`
 
 	prelink_domtrans($1)
 	role $2 types prelink_t;
-	allow prelink_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 6fe27d0..be3a1ee 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
 
-policy_module(prelink, 1.5.0)
+policy_module(prelink, 1.5.1)
 
 ########################################
 #
@@ -79,6 +79,8 @@ libs_delete_lib_symlinks(prelink_t)
 
 miscfiles_read_localization(prelink_t)
 
+userdom_use_user_terminals(prelink_t)
+
 optional_policy(`
 	amanda_manage_lib(prelink_t)
 ')
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 8eae304..50ff52e 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -33,11 +33,6 @@ interface(`quota_domtrans',`
 ##	The role to be allowed the quota domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the quota domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`quota_run',`
@@ -47,7 +42,6 @@ interface(`quota_run',`
 
 	quota_domtrans($1)
 	role $2 types quota_t;
-	allow quota_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 098d817..d796579 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -1,5 +1,5 @@
 
-policy_module(quota, 1.3.0)
+policy_module(quota, 1.3.1)
 
 ########################################
 #
@@ -72,6 +72,7 @@ init_use_script_ptys(quota_t)
 
 logging_send_syslog_msg(quota_t)
 
+userdom_use_user_terminals(quota_t)
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
 optional_policy(`
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index cbf5853..8645082 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
 
-policy_module(readahead, 1.7.0)
+policy_module(readahead, 1.7.1)
 
 ########################################
 #
@@ -77,8 +77,7 @@ logging_dontaudit_search_audit_config(readahead_t)
 miscfiles_read_localization(readahead_t)
 
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-
-sysadm_dontaudit_search_home_dirs(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
 
 optional_policy(`
 	cron_system_entry(readahead_t, readahead_exec_t)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index e115154..36f9fa8 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -56,11 +56,6 @@ interface(`rpm_domtrans_script',`
 ##	The role to allow the RPM domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the RPM domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`rpm_run',`
@@ -71,10 +66,9 @@ interface(`rpm_run',`
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
-	seutil_run_loadpolicy(rpm_script_t, $2, $3)
-	seutil_run_semanage(rpm_script_t, $2, $3)
-	seutil_run_setfiles(rpm_script_t, $2, $3)
-	allow rpm_t $3:chr_file rw_term_perms;
+	seutil_run_loadpolicy(rpm_script_t, $2)
+	seutil_run_semanage(rpm_script_t, $2)
+	seutil_run_setfiles(rpm_script_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index aa77c0f..5d8a46c 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm, 1.8.0)
+policy_module(rpm, 1.8.1)
 
 ########################################
 #
@@ -132,8 +132,6 @@ storage_raw_write_fixed_disk(rpm_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(rpm_t)
 
-term_list_ptys(rpm_t)
-
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
@@ -168,6 +166,7 @@ logging_send_syslog_msg(rpm_t)
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
 
+userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
 
 optional_policy(`
@@ -273,8 +272,6 @@ selinux_compute_user_contexts(rpm_script_t)
 storage_raw_read_fixed_disk(rpm_script_t)
 storage_raw_write_fixed_disk(rpm_script_t)
 
-term_getattr_unallocated_ttys(rpm_script_t)
-term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
@@ -338,7 +335,7 @@ optional_policy(`
 	unconfined_domtrans(rpm_script_t)
 
 	optional_policy(`
-		java_domtrans(rpm_script_t)
+		java_domtrans_unconfined(rpm_script_t)
 	')
 
 	optional_policy(`
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 801577e..36f2316 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -125,38 +125,26 @@ template(`su_restricted_domain_template', `
 
 #######################################
 ## <summary>
-##	The per role template for the su module.
+##	The role template for the su module.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to change the linux user id, to run shells as a different
-##	user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_role">
 ##	<summary>
-##	The type of the user domain.
+##	The role associated with the user domain.
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`su_per_role_template',`
+template(`su_role_template',`
 	gen_require(`
 		attribute su_domain_type;
 		type su_exec_t;
@@ -167,9 +155,10 @@ template(`su_per_role_template',`
 	domain_entry_file($1_su_t,su_exec_t)
 	domain_type($1_su_t)
 	domain_interactive_fd($1_su_t)
-	role $3 types $1_su_t;
+	ubac_constrained($1_su_t)
+	role $2 types $1_su_t;
 
-	allow $2 $1_su_t:process signal;
+	allow $3 $1_su_t:process signal;
 
 	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
@@ -179,13 +168,15 @@ template(`su_per_role_template',`
 	allow $1_su_t self:key { search write };
 
 	# Transition from the user domain to this domain.
-	domtrans_pattern($2, su_exec_t, $1_su_t)
+	domtrans_pattern($3, su_exec_t, $1_su_t)
+
+	ps_process_pattern($3, $1_su_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_su_t, $2)
-	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_file_perms;
-	allow $2 $1_su_t:process sigchld;
+	corecmd_shell_domtrans($1_su_t, $3)
+	allow $3 $1_su_t:fd use;
+	allow $3 $1_su_t:fifo_file rw_file_perms;
+	allow $3 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
@@ -200,7 +191,7 @@ template(`su_per_role_template',`
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
 
-	auth_domtrans_user_chk_passwd($1, $1_su_t)
+	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
 	auth_rw_faillog($1_su_t)
@@ -224,8 +215,8 @@ template(`su_per_role_template',`
 
 	miscfiles_read_localization($1_su_t)
 
-	userdom_use_user_terminals($1, $1_su_t)
-	userdom_search_user_home_dirs($1, $1_su_t)
+	userdom_use_user_terminals($1_su_t)
+	userdom_search_user_home_dirs($1_su_t)
 
 	ifdef(`distro_rhel4',`
 		domain_role_change_exemption($1_su_t)
@@ -285,17 +276,9 @@ template(`su_per_role_template',`
 
 	# Modify .Xauthority file (via xauth program).
 	optional_policy(`
-		xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
-		xserver_domtrans_user_xauth($1, $1_su_t)
+		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+		xserver_domtrans_xauth($1_su_t)
 	')
-
-	ifdef(`TODO',`
-	allow $1_su_t $1_home_t:file manage_file_perms;
-
-	# Access sshd cookie files.
-	allow $1_su_t sshd_tmp_t:file rw_file_perms;
-	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-	') dnl end TODO
 ')
 
 #######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 696a768..68c20e2 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
 
-policy_module(su, 1.8.0)
+policy_module(su, 1.8.1)
 
 ########################################
 #
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index a068802..a9468b9 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per role template for the sudo module.
+##	The role template for the sudo module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -10,30 +10,25 @@
 ##	to change the linux user id, to run commands as a different
 ##	user.
 ##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_role">
 ##	<summary>
-##	The type of the user domain.
+##	The user role.
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	The user domain associated with the role.
 ##	</summary>
 ## </param>
 #
-template(`sudo_per_role_template',`
+template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
@@ -47,7 +42,8 @@ template(`sudo_per_role_template',`
 	type $1_sudo_t; 
 	application_domain($1_sudo_t, sudo_exec_t)
 	domain_interactive_fd($1_sudo_t)
-	role $3 types $1_sudo_t;
+	ubac_constrained($1_sudo_t)
+	role $2 types $1_sudo_t;
 
 	##############################
 	#
@@ -71,13 +67,13 @@ template(`sudo_per_role_template',`
 	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
 
 	# Enter this derived domain from the user domain
-	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
-	corecmd_shell_domtrans($1_sudo_t, $2)
-	allow $2 $1_sudo_t:fd use;
-	allow $2 $1_sudo_t:fifo_file rw_file_perms;
-	allow $2 $1_sudo_t:process sigchld;
+	corecmd_shell_domtrans($1_sudo_t, $3)
+	allow $3 $1_sudo_t:fd use;
+	allow $3 $1_sudo_t:fifo_file rw_file_perms;
+	allow $3 $1_sudo_t:process sigchld;
 
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
@@ -113,22 +109,11 @@ template(`sudo_per_role_template',`
 
 	miscfiles_read_localization($1_sudo_t)
 
-	userdom_manage_user_home_content_files($1, $1_sudo_t)
-	userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
-	userdom_manage_user_tmp_files($1, $1_sudo_t)
-	userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
-	userdom_use_user_terminals($1, $1_sudo_t)
-	userdom_use_unpriv_users_fds($1_sudo_t)
+	userdom_manage_user_home_content_files($1_sudo_t)
+	userdom_manage_user_home_content_symlinks($1_sudo_t)
+	userdom_manage_user_tmp_files($1_sudo_t)
+	userdom_manage_user_tmp_symlinks($1_sudo_t)
+	userdom_use_user_terminals($1_sudo_t)
 	# for some PAM modules and for cwd
-	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
-	ifdef(`TODO',`
-	# for when the network connection is killed
-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
-	ifdef(`mta.te', `
-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-	')
-
-	') dnl end TODO
+	userdom_dontaudit_search_user_home_content($1_sudo_t)
 ')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 6af4f6d..c890938 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,5 +1,5 @@
 
-policy_module(sudo, 1.3.0)
+policy_module(sudo, 1.3.1)
 
 ########################################
 #
@@ -7,5 +7,3 @@ policy_module(sudo, 1.3.0)
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
-
-# Remaining policy in per user domain template.
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
index 2bbae12..d23d02a 100644
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@@ -46,11 +46,6 @@ interface(`tripwire_domtrans_tripwire',`
 ##	The role to be allowed the tripwire domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tripwire domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_tripwire',`
@@ -60,7 +55,6 @@ interface(`tripwire_run_tripwire',`
 
 	tripwire_domtrans_tripwire($1)
 	role $2 types tripwire_t;
-	allow tripwire_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -96,11 +90,6 @@ interface(`tripwire_domtrans_twadmin',`
 ##	The role to be allowed the twadmin domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twadmin domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_twadmin',`
@@ -110,7 +99,6 @@ interface(`tripwire_run_twadmin',`
 
 	tripwire_domtrans_twadmin($1)
 	role $2 types twadmin_t;
-	allow twadmin_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -146,11 +134,6 @@ interface(`tripwire_domtrans_twprint',`
 ##	The role to be allowed the twprint domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the twprint domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_twprint',`
@@ -160,7 +143,6 @@ interface(`tripwire_run_twprint',`
 
 	tripwire_domtrans_twprint($1)
 	role $2 types twprint_t;
-	allow twprint_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -196,11 +178,6 @@ interface(`tripwire_domtrans_siggen',`
 ##	The role to be allowed the siggen domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the siggen domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tripwire_run_siggen',`
@@ -210,5 +187,4 @@ interface(`tripwire_run_siggen',`
 
 	tripwire_domtrans_siggen($1)
 	role $2 types siggen_t;
-	allow siggen_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index 151a18c..e57a2d1 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -1,5 +1,5 @@
 
-policy_module(tripwire, 1.1.0)
+policy_module(tripwire, 1.1.1)
 
 ########################################
 #
@@ -81,6 +81,8 @@ files_getattr_all_sockets(tripwire_t)
 
 logging_send_syslog_msg(tripwire_t)
 
+userdom_use_user_terminals(tripwire_t)
+
 optional_policy(`
 	cron_system_entry(tripwire_t, tripwire_exec_t)
 ')
@@ -100,6 +102,8 @@ logging_send_syslog_msg(twadmin_t)
 
 miscfiles_read_localization(twadmin_t)
 
+userdom_use_user_terminals(twadmin_t)
+
 ########################################
 #
 # Twprint local policy
@@ -124,6 +128,8 @@ logging_send_syslog_msg(twprint_t)
 
 miscfiles_read_localization(twprint_t)
 
+userdom_use_user_terminals(twprint_t)
+
 ########################################
 #
 # Siggen local policy
@@ -137,3 +143,5 @@ files_read_all_files(siggen_t)
 logging_send_syslog_msg(siggen_t)
 
 miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)
diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
index f6e3b89..b873388 100644
--- a/policy/modules/admin/tzdata.if
+++ b/policy/modules/admin/tzdata.if
@@ -32,11 +32,6 @@ interface(`tzdata_domtrans',`
 ##	The role to allow the tzdata domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tzdata domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`tzdata_run',`
@@ -46,5 +41,4 @@ interface(`tzdata_run',`
 
 	tzdata_domtrans($1)
 	role $2 types tzdata_t;
-	allow tzdata_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index ad5d172..c21be19 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -1,5 +1,5 @@
 
-policy_module(tzdata, 1.2.0)
+policy_module(tzdata, 1.2.1)
 
 ########################################
 #
@@ -27,6 +27,8 @@ miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 
+userdom_use_user_terminals(tzdata_t)
+
 # tzdata looks for /var/spool/postfix/etc/localtime.
 optional_policy(`
 	postfix_search_spool(tzdata_t)
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index 976ee15..e492606 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -1,5 +1,5 @@
 
-policy_module(updfstab, 1.4.0)
+policy_module(updfstab, 1.4.1)
 
 ########################################
 #
@@ -76,7 +76,7 @@ seutil_read_config(updfstab_t)
 seutil_read_default_contexts(updfstab_t)
 seutil_read_file_contexts(updfstab_t)
 
-userdom_dontaudit_search_all_users_home_content(updfstab_t)
+userdom_dontaudit_search_user_home_content(updfstab_t)
 userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
 
 optional_policy(`
@@ -86,7 +86,7 @@ optional_policy(`
 optional_policy(`
 	init_dbus_chat_script(updfstab_t)
 
-	dbus_system_bus_client_template(updfstab, updfstab_t)
+	dbus_system_bus_client(updfstab_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
index 50c1dc3..9ac17f5 100644
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@@ -34,11 +34,6 @@ interface(`usbmodules_domtrans',`
 ##	The role to be allowed the usbmodules domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the usbmodules domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usbmodules_run',`
@@ -48,5 +43,4 @@ interface(`usbmodules_run',`
 
 	usbmodules_domtrans($1)
 	role $2 types usbmodules_t;
-	allow usbmodules_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
index 9932456..3a16d1e 100644
--- a/policy/modules/admin/usbmodules.te
+++ b/policy/modules/admin/usbmodules.te
@@ -1,5 +1,5 @@
 
-policy_module(usbmodules, 1.1.0)
+policy_module(usbmodules, 1.1.1)
 
 ########################################
 #
@@ -37,6 +37,8 @@ miscfiles_read_hwdata(usbmodules_t)
 
 modutils_read_module_deps(usbmodules_t)
 
+userdom_use_user_terminals(usbmodules_t)
+
 optional_policy(`
 	hotplug_read_config(usbmodules_t)
 ')
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 900d377..ac74240 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -35,11 +35,6 @@ interface(`usermanage_domtrans_chfn',`
 ##	The role to be allowed the chfn domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the chfn domain to use.
-##	</summary>
-## </param>
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
@@ -48,7 +43,6 @@ interface(`usermanage_run_chfn',`
 
 	usermanage_domtrans_chfn($1)
 	role $2 types chfn_t;
-	allow chfn_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -86,11 +80,6 @@ interface(`usermanage_domtrans_groupadd',`
 ##	The role to be allowed the groupadd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the groupadd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_groupadd',`
@@ -100,10 +89,9 @@ interface(`usermanage_run_groupadd',`
 
 	usermanage_domtrans_groupadd($1)
 	role $2 types groupadd_t;
-	allow groupadd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(groupadd_t, $2, $3)
+		nscd_run(groupadd_t, $2)
 	')
 ')
 
@@ -142,11 +130,6 @@ interface(`usermanage_domtrans_passwd',`
 ##	The role to be allowed the passwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the passwd domain to use.
-##	</summary>
-## </param>
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
@@ -155,7 +138,6 @@ interface(`usermanage_run_passwd',`
 
 	usermanage_domtrans_passwd($1)
 	role $2 types passwd_t;
-	allow passwd_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -195,11 +177,6 @@ interface(`usermanage_domtrans_admin_passwd',`
 ##	The role to be allowed the admin passwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the admin passwd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_admin_passwd',`
@@ -209,10 +186,9 @@ interface(`usermanage_run_admin_passwd',`
 
 	usermanage_domtrans_admin_passwd($1)
 	role $2 types sysadm_passwd_t;
-	allow sysadm_passwd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(sysadm_passwd_t, $2, $3)
+		nscd_run(sysadm_passwd_t, $2)
 	')
 ')
 
@@ -269,11 +245,6 @@ interface(`usermanage_domtrans_useradd',`
 ##	The role to be allowed the useradd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the useradd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usermanage_run_useradd',`
@@ -283,10 +254,9 @@ interface(`usermanage_run_useradd',`
 
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
-	allow useradd_t $3:chr_file rw_term_perms;
 
 	optional_policy(`
-		nscd_run(useradd_t, $2, $3)
+		nscd_run(useradd_t, $2)
 	')
 ')
 
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 384df0d..8f28ae0 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage, 1.11.0)
+policy_module(usermanage, 1.11.1)
 
 ########################################
 #
@@ -119,7 +119,7 @@ seutil_dontaudit_search_config(chfn_t)
 userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(chfn_t)
+userdom_dontaudit_search_user_home_content(chfn_t)
 
 ########################################
 #
@@ -153,7 +153,7 @@ corecmd_exec_bin(crack_t)
 
 logging_send_syslog_msg(crack_t)
 
-sysadm_dontaudit_search_home_dirs(crack_t)
+userdom_dontaudit_search_user_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
 	# the package cracklib-runtime on Debian contains a daily maintenance
@@ -227,9 +227,8 @@ auth_use_nsswitch(groupadd_t)
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
-
 # for when /root is the cwd
-sysadm_dontaudit_search_home_dirs(groupadd_t)
+userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -316,13 +315,14 @@ miscfiles_read_localization(passwd_t)
 
 seutil_dontaudit_search_config(passwd_t)
 
+userdom_use_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
 userdom_read_all_users_state(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(passwd_t)
+userdom_dontaudit_search_user_home_content(passwd_t)
 
 optional_policy(`
 	nscd_domtrans(passwd_t)
@@ -406,7 +406,7 @@ seutil_dontaudit_search_config(sysadm_passwd_t)
 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 
 optional_policy(`
 	nscd_domtrans(sysadm_passwd_t)
@@ -485,10 +485,10 @@ seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
-userdom_manage_all_users_home_content_dirs(useradd_t)
-userdom_manage_all_users_home_content_files(useradd_t)
-unprivuser_home_filetrans_home_dir(useradd_t)
-unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 05cfd4e..8779a18 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -33,11 +33,6 @@ interface(`vpn_domtrans',`
 ##	The role to be allowed the vpnc domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the vpnc domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`vpn_run',`
@@ -47,8 +42,7 @@ interface(`vpn_run',`
 
 	vpn_domtrans($1)
 	role $2 types vpnc_t;
-	allow vpnc_t $3:chr_file rw_term_perms;
-	sysnet_run_ifconfig(vpnc_t, $2, $3)
+	sysnet_run_ifconfig(vpnc_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index c7db478..42d5238 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.9.0)
+policy_module(vpn, 1.9.1)
 
 ########################################
 #
@@ -105,10 +105,10 @@ sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
 userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home_content(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(vpnc, vpnc_t)
+	dbus_system_bus_client(vpnc_t)
 
 	optional_policy(`
 		networkmanager_dbus_chat(vpnc_t)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
index 348c348..3f3bbe0 100644
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@@ -34,11 +34,6 @@ interface(`ada_domtrans',`
 ##	The role to be allowed the ada domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ada domain to use.
-##	</summary>
-## </param>
 #
 interface(`ada_run',`
 	gen_require(`
@@ -47,5 +42,4 @@ interface(`ada_run',`
 
 	ada_domtrans($1)
 	role $2 types ada_t;
-	allow ada_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
index 048d953..4ae3777 100644
--- a/policy/modules/apps/ada.te
+++ b/policy/modules/apps/ada.te
@@ -1,5 +1,5 @@
 
-policy_module(ada, 1.2.0)
+policy_module(ada, 1.2.1)
 
 ########################################
 #
@@ -18,6 +18,8 @@ role system_r types ada_t;
 
 allow ada_t self:process { execstack execmem };
 
+userdom_use_user_terminals(ada_t)
+
 optional_policy(`
 	unconfined_domain_noaudit(ada_t)
 ')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 39213d5..9811f98 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
 
-policy_module(calamaris, 1.3.0)
+policy_module(calamaris, 1.3.1)
 
 ########################################
 #
@@ -65,7 +65,7 @@ miscfiles_read_localization(calamaris_t)
 
 sysnet_read_config(calamaris_t)
 
-sysadm_dontaudit_list_home_dirs(calamaris_t)
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
 
 squid_read_log(calamaris_t)
 
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index 1319eaf..1582faf 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -1,187 +1,33 @@
 ## <summary>Policy for cdrecord</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the cdrecord module.
+##	Role access for cdrecord
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for cdrecord.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`cdrecord_per_role_template', `
-
+interface(`cdrecord_role',`
 	gen_require(`
-		type cdrecord_exec_t;
+		type cdrecord_t, cdrecord_exec_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_cdrecord_t;
-	application_domain($1_cdrecord_t, cdrecord_exec_t)
-	role $3 types $1_cdrecord_t;
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-	allow $1_cdrecord_t self:process { getsched setsched sigkill };
-	allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-	allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-	allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
-
-	# allow ps to show cdrecord and allow the user to kill it 
-	ps_process_pattern($2,$1_cdrecord_t)
-	allow $2 $1_cdrecord_t:process signal;
+	role $1 types cdrecord_t;
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t)
-
-	# allow searching for cdrom-drive
-	dev_list_all_dev_nodes($1_cdrecord_t) 
-
-	domain_interactive_fd($1_cdrecord_t)
-	domain_use_interactive_fds($1_cdrecord_t)
-
-	files_read_etc_files($1_cdrecord_t)
-
-	term_use_controlling_term($1_cdrecord_t)
-	term_list_ptys($1_cdrecord_t)
-
-	# allow cdrecord to write the CD
-	storage_raw_write_removable_device($1_cdrecord_t)
-	storage_write_scsi_generic($1_cdrecord_t)
-
-	logging_send_syslog_msg($1_cdrecord_t)
-
-	miscfiles_read_localization($1_cdrecord_t)
+	domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
 
-	# write to the user domain tty.
-	userdom_use_user_terminals($1, $1_cdrecord_t)
-	userdom_use_user_terminals($1, $2)
+	allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
 
-	userdom_read_user_home_content_files($1, $1_cdrecord_t)
-
-	# Handle nfs home dirs
-	tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_nfs_files($1_cdrecord_t)
-		fs_dontaudit_list_nfs($1_cdrecord_t)
-	')
-	# Handle samba home dirs
-	tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		fs_read_cifs_files($1_cdrecord_t)
-		fs_read_cifs_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
-		fs_dontaudit_read_cifs_files($1_cdrecord_t)
-		fs_dontaudit_list_cifs($1_cdrecord_t)
-	')
-
-	# Handle removable media, /tmp, and /home
-	tunable_policy(`cdrecord_read_content',`
-		userdom_list_user_tmp($1, $1_cdrecord_t)
-		userdom_read_user_tmp_files($1, $1_cdrecord_t)
-		userdom_read_user_tmp_symlinks($1, $1_cdrecord_t)
-		userdom_search_user_home_dirs($1, $1_cdrecord_t)
-		userdom_read_user_home_content_files($1, $1_cdrecord_t)
-		userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
-
-		ifdef(`enable_mls',`
-		',`
-			fs_search_removable($1_cdrecord_t)
-			fs_read_removable_files($1_cdrecord_t)
-			fs_read_removable_symlinks($1_cdrecord_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_removable($1_cdrecord_t)
-		fs_dontaudit_read_removable_files($1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
-	')
-
-	# Handle default_t content
-	tunable_policy(`cdrecord_read_content && read_default_t',`
-		files_list_default($1_cdrecord_t)
-		files_read_default_files($1_cdrecord_t)
-		files_read_default_symlinks($1_cdrecord_t)
-	',`
-		files_dontaudit_read_default_files($1_cdrecord_t)
-		files_dontaudit_list_default($1_cdrecord_t)
-	')
-
-	# Handle untrusted content
-	tunable_policy(`cdrecord_read_content && read_untrusted_content',`
-		files_list_tmp($1_cdrecord_t)
-		files_list_home($1_cdrecord_t)
-		userdom_search_user_home_dirs($1, $1_cdrecord_t)
-
-		userdom_list_user_untrusted_content($1, $1_cdrecord_t)
-		userdom_read_user_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t)
-	',`
-		files_dontaudit_list_tmp($1_cdrecord_t)
-		files_dontaudit_list_home($1_cdrecord_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		files_search_mnt($1_cdrecord_t)
-		fs_read_nfs_files($1_cdrecord_t)
-		fs_read_nfs_symlinks($1_cdrecord_t)
-	')
-
-	optional_policy(`
-		resmgr_stream_connect($1_cdrecord_t)
-	')
+	# allow ps to show cdrecord and allow the user to kill it 
+	ps_process_pattern($2, cdrecord_t)
+	allow $2 cdrecord_t:process signal;
 ')
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 26139e6..a3148c7 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
 
-policy_module(cdrecord, 1.4.0)
+policy_module(cdrecord, 2.0.0)
 
 ########################################
 #
@@ -15,5 +15,112 @@ policy_module(cdrecord, 1.4.0)
 ## </desc>
 gen_tunable(cdrecord_read_content, false)
 
+type cdrecord_t;
 type cdrecord_exec_t;
-application_executable_file(cdrecord_exec_t)
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+application_domain(cdrecord_t, cdrecord_exec_t)
+ubac_constrained(cdrecord_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getsched setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t) 
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(cdrecord_t)
+	files_list_home(cdrecord_t)
+	fs_read_nfs_files(cdrecord_t)
+	fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+	fs_dontaudit_read_nfs_files(cdrecord_t)
+	fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(cdrecord_t)
+	files_list_home(cdrecord_t)
+	fs_read_cifs_files(cdrecord_t)
+	fs_read_cifs_symlinks(cdrecord_t)
+',`
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+	fs_dontaudit_read_cifs_files(cdrecord_t)
+	fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+	userdom_list_user_tmp(cdrecord_t)
+	userdom_read_user_tmp_files(cdrecord_t)
+	userdom_read_user_tmp_symlinks(cdrecord_t)
+	userdom_read_user_home_content_files(cdrecord_t)
+	userdom_read_user_home_content_symlinks(cdrecord_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(cdrecord_t)
+		fs_read_removable_files(cdrecord_t)
+		fs_read_removable_symlinks(cdrecord_t)
+	')
+',`
+	files_dontaudit_list_tmp(cdrecord_t)
+	files_dontaudit_list_home(cdrecord_t)
+	fs_dontaudit_list_removable(cdrecord_t)
+	fs_dontaudit_read_removable_files(cdrecord_t)
+	userdom_dontaudit_list_user_tmp(cdrecord_t)
+	userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+	userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+# Handle default_t content
+tunable_policy(`cdrecord_read_content && read_default_t',`
+	files_list_default(cdrecord_t)
+	files_read_default_files(cdrecord_t)
+	files_read_default_symlinks(cdrecord_t)
+',`
+	files_dontaudit_read_default_files(cdrecord_t)
+	files_dontaudit_list_default(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	files_search_mnt(cdrecord_t)
+	fs_read_nfs_files(cdrecord_t)
+	fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+	resmgr_stream_connect(cdrecord_t)
+')
diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc
index 7204fe2..b489cae 100644
--- a/policy/modules/apps/ethereal.fc
+++ b/policy/modules/apps/ethereal.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ethereal_home_t,s0)
 
 /usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
 /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 20eee67..23d5b85 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -1,244 +1,55 @@
 ## <summary>Ethereal packet capture tool.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the ethereal module.
+##	Role access for ethereal
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ethereal packet capture tool.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`ethereal_per_role_template',`
-
+interface(`ethereal_role',`
 	gen_require(`
-		type ethereal_exec_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	# Type for program
-	type $1_ethereal_t;
-	application_domain($1_ethereal_t, ethereal_exec_t)
-	role $3 types $1_ethereal_t;
-
-	type $1_ethereal_home_t alias $1_ethereal_rw_t;
-	files_poly_member($1_ethereal_home_t)
-	userdom_user_home_content($1, $1_ethereal_home_t)
-
-	type $1_ethereal_tmp_t;
-	files_tmp_file($1_ethereal_tmp_t)
-
-	type $1_ethereal_tmpfs_t;
-	files_tmpfs_file($1_ethereal_tmpfs_t)
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	allow $1_ethereal_t self:capability { net_admin net_raw setgid };
-	allow $1_ethereal_t self:process { signal getsched };
-	allow $1_ethereal_t self:fifo_file { getattr read write };
-	allow $1_ethereal_t self:shm destroy;
-	allow $1_ethereal_t self:shm create_shm_perms;
-	allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-	allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-
-	# Re-execute itself (why?)
-	can_exec($1_ethereal_t, ethereal_exec_t)
-	corecmd_search_bin($1_ethereal_t)
-
-	# /home/.ethereal
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
-	userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
-
-	# Store temporary files
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
-	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
-	manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
-	fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
-	allow $1_ethereal_t $2:fd use;
-	allow $1_ethereal_t $2:process sigchld;
-
-	manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-	relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-
-	kernel_read_kernel_sysctls($1_ethereal_t)
-	kernel_read_system_state($1_ethereal_t)
-	kernel_read_sysctl($1_ethereal_t)
-
-	corecmd_search_bin($1_ethereal_t)
-
-	corenet_tcp_connect_generic_port($1_ethereal_t)
-	corenet_tcp_sendrecv_generic_if($1_ethereal_t)
-
-	dev_read_urand($1_ethereal_t)
-
-	files_read_etc_files($1_ethereal_t)
-	files_read_usr_files($1_ethereal_t)
-
-	fs_list_inotifyfs($1_ethereal_t)
-	fs_search_auto_mountpoints($1_ethereal_t)
-
-	libs_read_lib_files($1_ethereal_t)
-
-	miscfiles_read_fonts($1_ethereal_t)
-	miscfiles_read_localization($1_ethereal_t)
-
-	seutil_use_newrole_fds($1_ethereal_t)
-
-	sysnet_read_config($1_ethereal_t)
-
-	userdom_manage_user_home_content_files($1, $1_ethereal_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_ethereal_t)
-		fs_manage_nfs_files($1_ethereal_t)
-		fs_manage_nfs_symlinks($1_ethereal_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_ethereal_t)
-		fs_manage_cifs_files($1_ethereal_t)
-		fs_manage_cifs_symlinks($1_ethereal_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_ethereal_t)
+		type ethereal_t, ethereal_exec_t, ethereal_home_t;
 	')
 
-	# Manual transition from userhelper 
-	optional_policy(`
-		userhelper_use_user_fd($1, $1_ethereal_t)
-		userhelper_sigchld_user($1, $1_ethereal_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_ethereal_t)
-	')
-
-	ifdef(`TODO',`
-		# Why does it write this?
-		optional_policy(`
-			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-		')
-		#TODO
-		gnome_application($1_ethereal, $1)
-		gnome_file_dialog($1_ethereal, $1)
-		# FIXME: policy is incomplete
-	')
-
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the ethereal module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating ethereal,
-##	allowing the specified user to manage ethereal files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`ethereal_admin_template',`
-	gen_require(`
-		type $1_ethereal_t;
-	')
+	role $1 types ethereal_t;
 
-	# Create various types of sockets
-	allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
-	allow $1_ethereal_t self:udp_socket create_socket_perms;
-	allow $1_ethereal_t self:packet_socket create_socket_perms;
-	allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_ethereal_t self:tcp_socket create_socket_perms;
+	domain_auto_trans($2, ethereal_exec_t, ethereal_t)
+	allow ethereal_t $2:fd use;
+	allow ethereal_t $2:process sigchld;
 
-	userdom_use_user_terminals($1, $1_ethereal_t)
-	# Ethereal tries to write to user terminal
-	userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
+	manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
+	relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
 ')
 
 ########################################
 ## <summary>
 ##	Run ethereal in ethereal domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run ethereal in ethereal domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`ethereal_domtrans_user_ethereal',`
+interface(`ethereal_domtrans',`
 	gen_require(`
-		type $1_ethereal_t, ethereal_exec_t;
+		type ethereal_t, ethereal_exec_t;
 	')
 
-	domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)
+	domtrans_pattern($1, ethereal_exec_t, ethereal_t)
 ')
 
 ########################################
@@ -251,7 +62,7 @@ template(`ethereal_domtrans_user_ethereal',`
 ##	</summary>
 ## </param>
 #
-template(`ethereal_domtrans_tethereal',`
+interface(`ethereal_domtrans_tethereal',`
 	gen_require(`
 		type tethereal_t, tethereal_exec_t;
 	')
@@ -274,11 +85,6 @@ template(`ethereal_domtrans_tethereal',`
 ##	The role to be allowed the tethereal domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the tethereal domain to use.
-##	</summary>
-## </param>
 #
 interface(`ethereal_run_tethereal',`
 	gen_require(`
@@ -287,5 +93,4 @@ interface(`ethereal_run_tethereal',`
 
 	ethereal_domtrans_tethereal($1)
 	role $2 types tethereal_t;
-	allow tethereal_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index e4d312d..30c850f 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -1,13 +1,35 @@
 
-policy_module(ethereal, 1.5.0)
+policy_module(ethereal, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type ethereal_t;
 type ethereal_exec_t;
-application_executable_file(ethereal_exec_t)
+typealias ethereal_t alias { user_ethereal_t staff_ethereal_t sysadm_ethereal_t };
+typealias ethereal_t alias { auditadm_ethereal_t secadm_ethereal_t };
+application_domain(ethereal_t, ethereal_exec_t)
+ubac_constrained(ethereal_t)
+
+type ethereal_home_t;
+typealias ethereal_home_t alias { user_ethereal_home_t staff_ethereal_home_t sysadm_ethereal_home_t };
+typealias ethereal_home_t alias { auditadm_ethereal_home_t secadm_ethereal_home_t };
+files_poly_member(ethereal_home_t)
+userdom_user_home_content(ethereal_home_t)
+
+type ethereal_tmp_t;
+typealias ethereal_tmp_t alias { user_ethereal_tmp_t staff_ethereal_tmp_t sysadm_ethereal_tmp_t };
+typealias ethereal_tmp_t alias { auditadm_ethereal_tmp_t secadm_ethereal_tmp_t };
+files_tmp_file(ethereal_tmp_t)
+ubac_constrained(ethereal_tmp_t)
+
+type ethereal_tmpfs_t;
+typealias ethereal_tmpfs_t alias { user_ethereal_tmpfs_t staff_ethereal_tmpfs_t sysadm_ethereal_tmpfs_t };
+typealias ethereal_tmpfs_t alias { auditadm_ethereal_tmpfs_t secadm_ethereal_tmpfs_t };
+files_tmpfs_file(ethereal_tmpfs_t)
+ubac_constrained(ethereal_tmpfs_t)
 
 type tethereal_t;
 type tethereal_exec_t;
@@ -16,6 +38,99 @@ application_domain(tethereal_t, tethereal_exec_t)
 type tethereal_tmp_t;
 files_tmp_file(tethereal_tmp_t)
 
+##############################
+#
+# Local Policy
+#
+
+allow ethereal_t self:capability { net_admin net_raw setgid };
+allow ethereal_t self:process { signal getsched };
+allow ethereal_t self:fifo_file { getattr read write };
+allow ethereal_t self:shm destroy;
+allow ethereal_t self:shm create_shm_perms;
+allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+allow ethereal_t self:tcp_socket create_socket_perms;
+allow ethereal_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(ethereal_t, ethereal_exec_t)
+corecmd_search_bin(ethereal_t)
+
+# /home/.ethereal
+manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+userdom_user_home_dir_filetrans(ethereal_t, ethereal_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file })
+
+manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ethereal_t)
+kernel_read_system_state(ethereal_t)
+kernel_read_sysctl(ethereal_t)
+
+corecmd_search_bin(ethereal_t)
+
+corenet_tcp_connect_generic_port(ethereal_t)
+corenet_tcp_sendrecv_generic_if(ethereal_t)
+
+dev_read_urand(ethereal_t)
+
+files_read_etc_files(ethereal_t)
+files_read_usr_files(ethereal_t)
+
+fs_list_inotifyfs(ethereal_t)
+fs_search_auto_mountpoints(ethereal_t)
+
+libs_read_lib_files(ethereal_t)
+
+miscfiles_read_fonts(ethereal_t)
+miscfiles_read_localization(ethereal_t)
+
+seutil_use_newrole_fds(ethereal_t)
+
+sysnet_read_config(ethereal_t)
+
+userdom_manage_user_home_content_files(ethereal_t)
+userdom_use_user_terminals(ethereal_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(ethereal_t)
+	fs_manage_nfs_files(ethereal_t)
+	fs_manage_nfs_symlinks(ethereal_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(ethereal_t)
+	fs_manage_cifs_files(ethereal_t)
+	fs_manage_cifs_symlinks(ethereal_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ethereal_t)
+')
+
+# Manual transition from userhelper 
+optional_policy(`
+	userhelper_use_fd(ethereal_t)
+	userhelper_sigchld(ethereal_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t)
+	xserver_create_xdm_tmp_sockets(ethereal_t)
+')
+
 ########################################
 #
 # Tethereal policy
@@ -48,6 +163,8 @@ seutil_use_newrole_fds(tethereal_t)
 
 sysnet_dns_name_resolve(tethereal_t)
 
+userdom_use_user_terminals(tethereal_t)
+
 optional_policy(`
 	nscd_socket_use(tethereal_t)
 ')
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
index 1b425f4..c011277 100644
--- a/policy/modules/apps/evolution.fc
+++ b/policy/modules/apps/evolution.fc
@@ -2,13 +2,13 @@
 # HOME_DIR/
 #
 
-HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.camel_certs(/.*)?					gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)?					gen_context(system_u:object_r:evolution_home_t,s0)
 
 #
 # /tmp
 #
-/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
+/tmp/\.exchange-USER(/.*)?					gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index d50b4b7..1cb204c 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -1,795 +1,71 @@
 ## <summary>Evolution email client</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the evolution module.
+##	Role access for evolution
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for evolution email client and other related evolution applications such as webcal and alarm
-##	type is also created to protect the user evolution keys.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`evolution_per_role_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_evolution_t;
-	application_domain($1_evolution_t, evolution_exec_t)
-	role $3 types $1_evolution_t;
-
-	type $1_evolution_tmpfs_t;
-	files_tmpfs_file($1_evolution_tmpfs_t)
-
-	type $1_evolution_home_t alias $1_evolution_rw_t;
-	files_poly_member($1_evolution_home_t)
-	userdom_user_home_content($1, $1_evolution_home_t)
-
-	type $1_evolution_orbit_tmp_t;
-	files_tmp_file($1_evolution_orbit_tmp_t)
-
-	type $1_evolution_alarm_t;
-	application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
-	role $3 types $1_evolution_alarm_t;
-
-	type $1_evolution_alarm_tmpfs_t;
-	files_tmpfs_file($1_evolution_alarm_tmpfs_t)
-
-	type $1_evolution_alarm_orbit_tmp_t;
-	files_tmp_file($1_evolution_alarm_orbit_tmp_t)
-
-	type $1_evolution_exchange_t;
-	application_domain($1_evolution_exchange_t, evolution_exchange_exec_t)
-	role $3 types $1_evolution_exchange_t;
-
-	type $1_evolution_exchange_tmpfs_t;
-	files_tmpfs_file($1_evolution_exchange_tmpfs_t)
-
-	type $1_evolution_exchange_tmp_t;
-	files_tmp_file($1_evolution_exchange_tmp_t)
-
-	type $1_evolution_exchange_orbit_tmp_t;
-	files_tmp_file($1_evolution_exchange_orbit_tmp_t)
-
-	type $1_evolution_server_t;
-	application_domain($1_evolution_server_t, evolution_server_exec_t)
-	role $3 types $1_evolution_server_t;
-
-	type $1_evolution_server_orbit_tmp_t;
-	files_tmp_file($1_evolution_server_orbit_tmp_t)
-
-	type $1_evolution_webcal_t;
-	application_domain($1_evolution_webcal_t, evolution_webcal_exec_t)
-	role $3 types $1_evolution_webcal_t;
-
-	type $1_evolution_webcal_tmpfs_t;
-	files_tmpfs_file($1_evolution_webcal_tmpfs_t)
-
-	type $1_orbit_tmp_t;
-	files_tmp_file($1_orbit_tmp_t)
-
-	########################################
-	#
-	# Evolution local policy
-	#
-
-	allow $1_evolution_t self:capability { setuid setgid sys_nice };
-	allow $1_evolution_t self:process { signal getsched setsched };
-	allow $1_evolution_t self:fifo_file rw_file_perms;
-	allow $1_evolution_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_alarm_t:file read;
-
-	allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t, evolution_alarm_exec_t)
-
-	allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file })
-
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file })
-
-	allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
-	allow $1_evolution_t $1_evolution_server_t:file read;
-
-	allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	can_exec($1_evolution_t, evolution_server_exec_t)
-
-	allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:fd use;
-	allow $1_evolution_t $2:file read;
-	allow $1_evolution_t $2:lnk_file read;
-	allow $1_evolution_t $2:process sigchld;
-	allow $1_evolution_t $2:unix_stream_socket connectto;
-	allow $1_evolution_t $2:dir search;
-	allow $1_evolution_t $2:file read;
-
-	domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
-
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_t:process noatsecure;
-	allow $2 $1_evolution_t:process signal_perms;
+interface(`evolution_role',`
+	gen_require(`
+		type evolution_t, evolution_exec_t, evolution_home_t;
+		type evolution_alarm_t, evolution_alarm_exec_t;
+		type evolution_exchange_t, evolution_exchange_exec_t;
+		type evolution_exchange_orbit_tmp_t;
+		type evolution_server_t, evolution_server_exec_t;
+		type evolution_webcal_t, evolution_webcal_exec_t;
+	')
+
+	role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
+	role $1 types { evolution_server_t evolution_webcal_t };
+
+	domtrans_pattern($2, evolution_exec_t, evolution_t)
+	domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+	domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+	domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+	domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+	ps_process_pattern($2, evolution_t)
+	ps_process_pattern($2, evolution_alarm_t)
+	ps_process_pattern($2, evolution_exchange_t)
+	ps_process_pattern($2, evolution_server_t)
+	ps_process_pattern($2, evolution_webcal_t)
+
+	allow evolution_t $2:dir search;
+	allow evolution_t $2:file read;
+	allow evolution_t $2:lnk_file read;
+	allow evolution_t $2:unix_stream_socket connectto;
+
+	allow $2 evolution_t:unix_stream_socket connectto;
+	allow $2 evolution_t:process noatsecure;
+	allow $2 evolution_t:process signal_perms;
 
 	# Access .evolution
-	allow $2 $1_evolution_home_t:dir manage_dir_perms;
-	allow $2 $1_evolution_home_t:file manage_file_perms;
-	allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-	allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-	userdom_search_user_home_dirs($1, $1_evolution_t)
-
-	# Allow the user domain to signal/ps.
-	ps_process_pattern($2, $1_evolution_t)
-
-	domain_dontaudit_read_all_domains_state($1_evolution_t)
-
-	#FIXME check to see if really needed
-	kernel_read_kernel_sysctls($1_evolution_t)
-	kernel_read_system_state($1_evolution_t)
-	# Allow netstat
-	kernel_read_network_state($1_evolution_t)
-	kernel_read_net_sysctls($1_evolution_t)
-
-	corecmd_exec_shell($1_evolution_t)
-	# Run various programs
-	corecmd_exec_bin($1_evolution_t)
-
-	corenet_all_recvfrom_unlabeled($1_evolution_t)
-	corenet_all_recvfrom_netlabel($1_evolution_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_t)
-	corenet_udp_sendrecv_generic_if($1_evolution_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_t)
-	corenet_udp_sendrecv_all_nodes($1_evolution_t)
-	corenet_tcp_sendrecv_pop_port($1_evolution_t)
-	corenet_udp_sendrecv_pop_port($1_evolution_t)
-	corenet_tcp_sendrecv_smtp_port($1_evolution_t)
-	corenet_udp_sendrecv_smtp_port($1_evolution_t)
-	corenet_tcp_sendrecv_innd_port($1_evolution_t)
-	corenet_udp_sendrecv_innd_port($1_evolution_t)
-	corenet_tcp_sendrecv_ldap_port($1_evolution_t)
-	corenet_udp_sendrecv_ldap_port($1_evolution_t)
-	corenet_tcp_sendrecv_ipp_port($1_evolution_t)
-	corenet_udp_sendrecv_ipp_port($1_evolution_t)
-	corenet_tcp_connect_pop_port($1_evolution_t)
-	corenet_tcp_connect_smtp_port($1_evolution_t)
-	corenet_tcp_connect_innd_port($1_evolution_t)
-	corenet_tcp_connect_ldap_port($1_evolution_t)
-	corenet_tcp_connect_ipp_port($1_evolution_t)
-	corenet_sendrecv_pop_client_packets($1_evolution_t)
-	corenet_sendrecv_smtp_client_packets($1_evolution_t)
-	corenet_sendrecv_innd_client_packets($1_evolution_t)
-	corenet_sendrecv_ldap_client_packets($1_evolution_t)
-	corenet_sendrecv_ipp_client_packets($1_evolution_t)
-	# not sure about this bind
-	corenet_udp_bind_all_nodes($1_evolution_t)
-	corenet_udp_bind_generic_port($1_evolution_t)
-
-	dev_read_urand($1_evolution_t)
-
-	files_read_etc_files($1_evolution_t)
-	files_read_usr_files($1_evolution_t)
-	files_read_usr_symlinks($1_evolution_t)
-	files_read_var_files($1_evolution_t)
-
-	fs_search_auto_mountpoints($1_evolution_t)
-
-	logging_send_syslog_msg($1_evolution_t)
-
-	miscfiles_read_localization($1_evolution_t)
-
-	sysnet_read_config($1_evolution_t)
-	sysnet_dns_name_resolve($1_evolution_t)
-
-	udev_read_state($1_evolution_t)
-
-	userdom_rw_user_tmp_files($1, $1_evolution_t)
-	userdom_manage_user_tmp_dirs($1, $1_evolution_t)
-	userdom_manage_user_tmp_sockets($1, $1_evolution_t)
-	userdom_manage_user_tmp_files($1, $1_evolution_t)
-	userdom_use_user_terminals($1, $1_evolution_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t)
-
-	mta_read_config($1_evolution_t)
-
-	xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t)
-	xserver_read_xdm_tmp_files($1_evolution_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_nfs_files($1_evolution_t)
-		fs_read_nfs_symlinks($1_evolution_t)
-
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_nfs_files($1_evolution_t)
-		fs_dontaudit_list_nfs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_evolution_t)
-		files_list_home($1_evolution_t)
-		fs_read_cifs_files($1_evolution_t)
-		fs_read_cifs_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_read_cifs_files($1_evolution_t)
-		fs_dontaudit_list_cifs($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content',`
-		userdom_list_user_tmp($1, $1_evolution_t)
-		userdom_read_user_tmp_files($1, $1_evolution_t)
-		userdom_read_user_tmp_symlinks($1, $1_evolution_t)
-		userdom_search_user_home_dirs($1, $1_evolution_t)
-		userdom_read_user_home_content_files($1, $1_evolution_t)
-		userdom_read_user_home_content_symlinks($1, $1_evolution_t)
-
-		ifndef(`enable_mls',`
-			fs_search_removable($1_evolution_t)
-			fs_read_removable_files($1_evolution_t)
-			fs_read_removable_symlinks($1_evolution_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		fs_dontaudit_list_removable($1_evolution_t)
-		fs_dontaudit_read_removable_files($1_evolution_t)
-		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
-		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-		userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_default_t',`
-		files_list_default($1_evolution_t)
-		files_read_default_files($1_evolution_t)
-		files_read_default_symlinks($1_evolution_t)
-	',`
-		files_dontaudit_read_default_files($1_evolution_t)
-		files_dontaudit_list_default($1_evolution_t)
-	')
-
-	tunable_policy(`mail_read_content && read_untrusted_content',`
-		files_list_tmp($1_evolution_t)
-		files_list_home($1_evolution_t)
-		userdom_search_user_home_dirs($1,$1_evolution_t)
-
-		userdom_list_user_untrusted_content($1, $1_evolution_t)
-		userdom_read_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t)
-	',`
-		files_dontaudit_list_tmp($1_evolution_t)
-		files_dontaudit_list_home($1_evolution_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_evolution_t)
-
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_nfs_dirs($1_evolution_t)
-		fs_manage_nfs_files($1_evolution_t)
-		fs_manage_nfs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_nfs_dirs($1_evolution_t)
-		fs_dontaudit_manage_nfs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_evolution_t)
-
-		fs_search_auto_mountpoints($1_evolution_t)
-		fs_manage_cifs_dirs($1_evolution_t)
-		fs_manage_cifs_files($1_evolution_t)
-		fs_manage_cifs_symlinks($1_evolution_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_evolution_t)
-		fs_dontaudit_manage_cifs_dirs($1_evolution_t)
-		fs_dontaudit_manage_cifs_files($1_evolution_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_evolution_t)
-
-		userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
-		userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
-
-	',`
-		files_dontaudit_list_home($1_evolution_t)
-		files_dontaudit_list_tmp($1_evolution_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
-		#userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
-	')
-
-	optional_policy(`
-		automount_read_state($1_evolution_t)
-	')
-
-	# Allow printing the mail
-	optional_policy(`
-		cups_read_rw_config($1_evolution_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_evolution, $1_evolution_t)
-		dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_t)
-	')
-
-	# Encrypt mail
-	optional_policy(`
-		gpg_domtrans_user_gpg($1, $1_evolution_t)
-		gpg_signal_user_gpg($1, $1_evolution_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1, $1_evolution_t)
-	')
-
-	optional_policy(`
-		mozilla_read_user_home_files($1, $1_evolution_t)
-		mozilla_domtrans_user_mozilla($1, $1_evolution_t)
-	')
-
-	# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-	optional_policy(`
-		nis_use_ypbind($1_evolution_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_t)
-	')
-
-	### Junk mail filtering (start spamd)
-	optional_policy(`
-		spamassassin_exec_spamd($1_evolution_t)
-		spamassassin_domtrans_user_client($1, $1_evolution_t)
-		spamassassin_domtrans_user_local_client($1, $1_evolution_t)
-		# Allow evolution to signal the daemon
-		# FIXME: Now evolution can read spamd temp files
-		spamassassin_read_spamd_tmp_files($1_evolution_t)
-		spamassassin_signal_spamd($1_evolution_t)
-		spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
-	')
-
-	ifdef(`TODO',`
-
-		# Gnome common stuff
-		gnome_application($1_evolution, $1)
-
-		#TODO gnome stuff
-		# Store passwords in .gnome2_private
-		# Type for storing secret data
-		# (different from home, not directly accessible from ROLE_t)
-		type $1_evolutioin_secret_t;
-		userdom_user_home_content($1,$1_evolutioin_secret_t)
-
-		# Put secret files in .gnome2_private
-		allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
-		allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
-		type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
-
-		allow $2 $1_evolution_secret_t:file unlink;
+	allow $2 evolution_home_t:dir manage_dir_perms;
+	allow $2 evolution_home_t:file manage_file_perms;
+	allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
+	allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
 
-		ifdef(`TODO',`
-			gnome_file_dialog($1_evolution, $1)
-		')
-	')
-
-	########################################
-	#
-	# Evolution alarm local policy
-	#
-
-	allow $1_evolution_alarm_t self:process { signal getsched };
-	allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
-
-	allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
-	allow $1_evolution_alarm_t $2:fd use;
-
-	dev_read_urand($1_evolution_alarm_t)
-
-	files_read_etc_files($1_evolution_alarm_t)
-	files_read_usr_files($1_evolution_alarm_t)
-
-	fs_search_auto_mountpoints($1_evolution_alarm_t)
-
-	miscfiles_read_localization($1_evolution_alarm_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_alarm_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_alarm_t)
-	')
-
-	ifdef(`TODO',`
-		# Gnome common stuff
-		gnome_application($1_evolution_alarm,$1)
-	')
-
-	########################################
-	#
-	# Evolution exchange connector local policy
-	#
-
-	allow $1_evolution_exchange_t self:process getsched;
-	allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
-
-	allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
-	allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
-	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
-	# /tmp/.exchange-$USER
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
-
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
-	#FIXME, who should own this. I dont think this module should
-	allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
+	allow evolution_exchange_t $2:unix_stream_socket connectto;
 
 	# Clock applet talks to exchange (FIXME: Needs policy)
-	allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Transition from user domain
-	domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
-
-	kernel_read_network_state($1_evolution_exchange_t)
-	kernel_read_net_sysctls($1_evolution_exchange_t)
-
-	# Allow netstat
-	corecmd_exec_bin($1_evolution_exchange_t)
-
-	dev_read_urand($1_evolution_exchange_t)
-
-	files_read_etc_files($1_evolution_exchange_t)
-	files_read_usr_files($1_evolution_exchange_t)
-
-	# Access evolution home
-	fs_search_auto_mountpoints($1_evolution_exchange_t)
-
-	miscfiles_read_localization($1_evolution_exchange_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_exchange_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_exchange_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_exchange_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_exchange, $1)
-	')
-
-	########################################
-	#
-	# Evolution data server local policy
-	#
-
-	allow $1_evolution_server_t self:process { getsched signal };
-
-	allow $1_evolution_server_t self:fifo_file { read write };
-	allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
-	# Talk to ldap (address book),
-	# Obtain weather data via http (read server name from xml file in /usr)
-	allow $1_evolution_server_t self:tcp_socket create_socket_perms;
-
-	allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
-
-	allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
-	# Access evolution home
-	allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
-	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
-	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
-	# Transition from user type
-	domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-
-	kernel_read_system_state($1_evolution_server_t)
-
-	corecmd_exec_shell($1_evolution_server_t)
-
-	# Obtain weather data via http (read server name from xml file in /usr)
-	corenet_all_recvfrom_unlabeled($1_evolution_server_t)
-	corenet_all_recvfrom_netlabel($1_evolution_server_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_server_t)
-	corenet_tcp_connect_http_port($1_evolution_server_t)
-	corenet_sendrecv_http_client_packets($1_evolution_server_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
-
-	dev_read_urand($1_evolution_server_t)
-
-	files_read_etc_files($1_evolution_server_t)
-	# Obtain weather data via http (read server name from xml file in /usr)
-	files_read_usr_files($1_evolution_server_t)
-
-	fs_search_auto_mountpoints($1_evolution_server_t)
-
-	miscfiles_read_localization($1_evolution_server_t)
-	# Look in /etc/pki
-	miscfiles_read_certs($1_evolution_server_t)
-
-	# Talk to ldap (address book)
-	sysnet_read_config($1_evolution_server_t)
-	sysnet_dns_name_resolve($1_evolution_server_t)
-	sysnet_use_ldap($1_evolution_server_t)
-
-	# Access evolution home
-	userdom_search_user_home_dirs($1, $1_evolution_server_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t)
-
-	# Access evolution home
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_evolution_server_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_evolution_server_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_server_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_server, $1)
-	')
-
-	########################################
-	#
-	# Evolution webcal local policy
-	#
-
-	allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
-
-	# X/evolution common stuff
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
-	fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	# Transition from user type
-	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
-
-	corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
-	corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
-	corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
-	corenet_tcp_connect_http_port($1_evolution_webcal_t)
-	corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
-	corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
-
-	# Networking capability - connect to website and handle ics link
-	sysnet_read_config($1_evolution_webcal_t)
-	sysnet_dns_name_resolve($1_evolution_webcal_t)
-
-	# Search home directory (?)
-	userdom_search_user_home_dirs($1, $1_evolution_webcal_t)
-	# FIXME: suppress access to .local/.icons/.themes until properly implemented
-	# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-	# until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t)
-
-	xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t)
-
-	optional_policy(`
-		nscd_socket_use($1_evolution_webcal_t)
-	')
-
-	ifdef(`TODO',`
-	# Gnome common stuff
-	gnome_application($1_evolution_webcal, $1)
-	')
+	allow $2 evolution_exchange_t:unix_stream_socket connectto;
+	allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
 ')
 
 ########################################
 ## <summary>
 ##	Create objects in users evolution home folders.
 ## </summary>
-## <desc>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -802,52 +78,36 @@ template(`evolution_per_role_template',`
 ## </param>
 ## <param name="class">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, dir will be used.
+##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
-template(`evolution_home_filetrans',`
+interface(`evolution_home_filetrans',`
 	gen_require(`
-		type $1_evolution_home_t;
+		type evolution_home_t;
 	')
 
-	allow $2 $1_evolution_home_t:dir rw_dir_perms;
-	type_transition $2 $1_evolution_home_t:$4 $3;
+	allow $1 evolution_home_t:dir rw_dir_perms;
+	type_transition $1 evolution_home_t:$3 $2;
 ')
 
 ########################################
 ## <summary>
-##	Connect to user evolution unix stream socket.
+##	Connect to evolution unix stream socket.
 ## </summary>
-## <desc>
-##	<p>
-##	Connect to user evolution unix stream socket.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`evolution_stream_connect',`
+interface(`evolution_stream_connect',`
 	gen_require(`
-		type $1_evolution_t, $1_evolution_home_t;
+		type evolution_t, evolution_home_t;
 	')
 
-	allow $2 $1_evolution_t:unix_stream_socket connectto;
-	allow $2 $1_evolution_home_t:dir search;
+	allow $1 evolution_t:unix_stream_socket connectto;
+	allow $1 evolution_home_t:dir search;
 ')
 
 ########################################
@@ -855,12 +115,6 @@ template(`evolution_stream_connect',`
 ##	Send and receive messages from
 ##	evolution over dbus.
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -869,12 +123,12 @@ template(`evolution_stream_connect',`
 #
 interface(`evolution_dbus_chat',`
 	gen_require(`
-		type $1_evolution_t;
+		type evolution_t;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_evolution_t:dbus send_msg;
-	allow $1_evolution_t $2:dbus send_msg;
+	allow $1 evolution_t:dbus send_msg;
+	allow evolution_t $1:dbus send_msg;
 ')
 
 ########################################
@@ -882,12 +136,6 @@ interface(`evolution_dbus_chat',`
 ##	Send and receive messages from
 ##	evolution_alarm over dbus.
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -896,10 +144,10 @@ interface(`evolution_dbus_chat',`
 #
 interface(`evolution_alarm_dbus_chat',`
 	gen_require(`
-		type $1_evolution_alarm_t;
+		type evolution_alarm_t;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_evolution_alarm_t:dbus send_msg;
-	allow $1_evolution_alarm_t $2:dbus send_msg;
+	allow $1 evolution_alarm_t:dbus send_msg;
+	allow evolution_alarm_t $1:dbus send_msg;
 ')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index c08a51b..c126b9a 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,22 +1,629 @@
 
-policy_module(evolution, 1.6.0)
+policy_module(evolution, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type evolution_t;
 type evolution_exec_t;
-application_executable_file(evolution_exec_t)
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+application_domain(evolution_t, evolution_exec_t)
+ubac_constrained(evolution_t)
 
+type evolution_alarm_t;
 type evolution_alarm_exec_t;
-application_executable_file(evolution_alarm_exec_t)
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+ubac_constrained(evolution_alarm_t)
 
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+files_tmpfs_file(evolution_alarm_tmpfs_t)
+ubac_constrained(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+files_tmp_file(evolution_alarm_orbit_tmp_t)
+ubac_constrained(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
 type evolution_exchange_exec_t;
-application_executable_file(evolution_exchange_exec_t)
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+ubac_constrained(evolution_exchange_t)
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+files_tmpfs_file(evolution_exchange_tmpfs_t)
+ubac_constrained(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+files_tmp_file(evolution_exchange_tmp_t)
+ubac_constrained(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)
 
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+files_poly_member(evolution_home_t)
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+files_tmp_file(evolution_orbit_tmp_t)
+ubac_constrained(evolution_orbit_tmp_t)
+
+type evolution_server_t;
 type evolution_server_exec_t;
-application_executable_file(evolution_server_exec_t)
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+application_domain(evolution_server_t, evolution_server_exec_t)
+ubac_constrained(evolution_server_t)
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+files_tmp_file(evolution_server_orbit_tmp_t)
+ubac_constrained(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+files_tmpfs_file(evolution_tmpfs_t)
+ubac_constrained(evolution_tmpfs_t)
 
+type evolution_webcal_t;
 type evolution_webcal_exec_t;
-application_executable_file(evolution_webcal_exec_t)
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+ubac_constrained(evolution_webcal_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+files_tmpfs_file(evolution_webcal_tmpfs_t)
+ubac_constrained(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_all_nodes(evolution_t)
+corenet_udp_sendrecv_all_nodes(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_all_nodes(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(evolution_t)
+	fs_manage_nfs_files(evolution_t)
+	fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(evolution_t)
+	fs_manage_cifs_files(evolution_t)
+	fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(evolution_t)
+	files_list_home(evolution_t)
+	fs_read_nfs_files(evolution_t)
+	fs_read_nfs_symlinks(evolution_t)
+
+',`
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_auto_mountpoints(evolution_t)
+	fs_dontaudit_read_nfs_files(evolution_t)
+	fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(evolution_t)
+	files_list_home(evolution_t)
+	fs_read_cifs_files(evolution_t)
+	fs_read_cifs_symlinks(evolution_t)
+',`
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_auto_mountpoints(evolution_t)
+	fs_dontaudit_read_cifs_files(evolution_t)
+	fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+	userdom_list_user_tmp(evolution_t)
+	userdom_read_user_tmp_files(evolution_t)
+	userdom_read_user_tmp_symlinks(evolution_t)
+	userdom_read_user_home_content_files(evolution_t)
+	userdom_read_user_home_content_symlinks(evolution_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(evolution_t)
+		fs_read_removable_files(evolution_t)
+		fs_read_removable_symlinks(evolution_t)
+	')
+',`
+	files_dontaudit_list_tmp(evolution_t)
+	files_dontaudit_list_home(evolution_t)
+	fs_dontaudit_list_removable(evolution_t)
+	fs_dontaudit_read_removable_files(evolution_t)
+	userdom_dontaudit_list_user_tmp(evolution_t)
+	userdom_dontaudit_read_user_tmp_files(evolution_t)
+	userdom_dontaudit_list_user_home_dirs(evolution_t)
+	userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+tunable_policy(`mail_read_content && read_default_t',`
+	files_list_default(evolution_t)
+	files_read_default_files(evolution_t)
+	files_read_default_symlinks(evolution_t)
+',`
+	files_dontaudit_read_default_files(evolution_t)
+	files_dontaudit_list_default(evolution_t)
+')
+
+optional_policy(`
+	automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+	cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(evolution_t)
+	dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+	gpg_domtrans(evolution_t)
+	gpg_signal(evolution_t)
+')
+
+optional_policy(`
+	lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(evolution_t)
+	mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+	nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+	spamassassin_exec_spamd(evolution_t)
+	spamassassin_domtrans_client(evolution_t)
+	spamassassin_domtrans_local_client(evolution_t)
+	# Allow evolution to signal the daemon
+	# FIXME: Now evolution can read spamd temp files
+	spamassassin_read_spamd_tmp_files(evolution_t)
+	spamassassin_signal_spamd(evolution_t)
+	spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+	dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_all_nodes(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+	nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_all_nodes(evolution_webcal_t)
+corenet_raw_sendrecv_all_nodes(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+	nscd_socket_use(evolution_webcal_t)
+')
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 86b8ff7..c136e1f 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -1,164 +1,32 @@
 ## <summary>Games</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the games module.
+##	Role access for games
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for games.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`games_per_role_template',`
-
+interface(`games_role',`
 	gen_require(`
-		type games_exec_t, games_data_t;
-	')
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_games_t;
-	application_domain($1_games_t, games_exec_t)
-	role $3 types $1_games_t;
-
-	type $1_games_devpts_t;
-	term_pty($1_games_devpts_t)
-
-	type $1_games_tmpfs_t;
-	files_tmpfs_file($1_games_tmpfs_t)
-
-	type $1_games_tmp_t;
-	files_tmp_file($1_games_tmp_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_games_t self:sem create_sem_perms;
-	allow $1_games_t self:tcp_socket create_stream_socket_perms;
-	allow $1_games_t self:udp_socket create_socket_perms;
-
-	manage_files_pattern($1_games_t, games_data_t, games_data_t)
-	manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t)
-
-	allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
-	term_create_pty($1_games_t,$1_games_devpts_t)
-
-	manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
-	manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
-	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
-
-	manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
-	fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-	can_exec($1_games_t, games_exec_t)
-
-	domain_auto_trans($2, games_exec_t, $1_games_t)
-	allow $2 $1_games_t:unix_stream_socket connectto;
-	allow $1_games_t $2:unix_stream_socket connectto;
-
-	kernel_read_system_state($1_games_t)
-
-	corecmd_exec_bin($1_games_t)
-
-	corenet_all_recvfrom_unlabeled($1_games_t)
-	corenet_all_recvfrom_netlabel($1_games_t)
-	corenet_tcp_sendrecv_generic_if($1_games_t)
-	corenet_udp_sendrecv_generic_if($1_games_t)
-	corenet_tcp_sendrecv_all_nodes($1_games_t)
-	corenet_udp_sendrecv_all_nodes($1_games_t)
-	corenet_tcp_sendrecv_all_ports($1_games_t)
-	corenet_udp_sendrecv_all_ports($1_games_t)
-	corenet_tcp_bind_all_nodes($1_games_t)
-	corenet_tcp_bind_generic_port($1_games_t)
-	corenet_tcp_connect_generic_port($1_games_t)
-	corenet_sendrecv_generic_client_packets($1_games_t)
-	corenet_sendrecv_generic_server_packets($1_games_t)
-
-	dev_read_sound($1_games_t)
-	dev_write_sound($1_games_t)
-	dev_read_input($1_games_t)
-	dev_read_mouse($1_games_t)
-	dev_read_urand($1_games_t)
-
-	files_list_var($1_games_t)
-	files_search_var_lib($1_games_t)
-	files_dontaudit_search_var($1_games_t)
-	files_read_etc_files($1_games_t)
-	files_read_usr_files($1_games_t)
-	files_read_var_files($1_games_t)
-
-	init_dontaudit_rw_utmp($1_games_t)
-
-	logging_dontaudit_search_logs($1_games_t)
-
-	miscfiles_read_man_pages($1_games_t)
-	miscfiles_read_localization($1_games_t)
-
-	sysnet_read_config($1_games_t)
-
-	userdom_manage_user_tmp_dirs($1,$1_games_t)
-	userdom_manage_user_tmp_files($1,$1_games_t)
-	userdom_manage_user_tmp_symlinks($1,$1_games_t)
-	userdom_manage_user_tmp_sockets($1,$1_games_t)
-	# Suppress .icons denial until properly implemented
-	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
-
-	tunable_policy(`allow_execmem',`
-		allow $1_games_t self:process execmem;
+		type games_t, games_exec_t;
 	')
 
-	optional_policy(`
-		nscd_socket_use($1_games_t)
-	')
+	role $1 types games_t;
 
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_games_t)
-		xserver_read_xdm_lib_files($1_games_t)
-	')
+	domtrans_pattern($2, games_exec_t, games_t)
+	allow $2 games_t:unix_stream_socket connectto;
+	allow games_t $2:unix_stream_socket connectto;
 
-	ifdef(`TODO',`
-		gnome_application($1_games, $1)
-		gnome_file_dialog($1_games, $1)
-		# Access /home/user/.gnome2
-		# FIXME: Change to use per app types
-		allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
-		allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
-		allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms;
-		#missing policy
-		optional_policy(`
-			dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-		')
-	')
+	# Allow the user domain to signal/ps.
+	ps_process_pattern($2, games_t)
+	allow $2 games_t:process signal_perms;
 ')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 92b1513..eedbc4b 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,67 +1,182 @@
 
-policy_module(games, 1.7.0)
+policy_module(games, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+application_domain(games_t, games_exec_t)
+ubac_constrained(games_t)
+
 type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
 files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
 
-# games_t is for system operation of games, generic games daemons and
+# games_srv_t is for system operation of games, generic games daemons and
 # games recovery scripts
-type games_t;
-type games_exec_t;
-init_system_domain(games_t, games_exec_t)
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+files_tmp_file(games_tmp_t)
+ubac_constrained(games_tmp_t)
 
-type games_var_run_t;
-files_pid_file(games_var_run_t)
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+files_tmpfs_file(games_tmpfs_t)
+ubac_constrained(games_tmpfs_t)
 
 ########################################
 #
-# Local policy
+# Server local policy
 #
 
-dontaudit games_t self:capability sys_tty_config;
-allow games_t self:process signal_perms;
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
 
-manage_files_pattern(games_t, games_data_t, games_data_t)
-manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
 
-manage_files_pattern(games_t, games_var_run_t, games_var_run_t)
-files_pid_filetrans(games_t, games_var_run_t, file)
+can_exec(games_srv_t, games_exec_t)
 
-can_exec(games_t,games_exec_t)
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
 
-kernel_read_kernel_sysctls(games_t)
-kernel_list_proc(games_t)
-kernel_read_proc_symlinks(games_t)
+dev_read_sysfs(games_srv_t)
 
-dev_read_sysfs(games_t)
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
 
-fs_getattr_all_fs(games_t)
-fs_search_auto_mountpoints(games_t)
+term_dontaudit_use_console(games_srv_t)
 
-term_dontaudit_use_console(games_t)
+domain_use_interactive_fds(games_srv_t)
 
-domain_use_interactive_fds(games_t)
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
 
-init_use_fds(games_t)
-init_use_script_ptys(games_t)
+logging_send_syslog_msg(games_srv_t)
 
-logging_send_syslog_msg(games_t)
+miscfiles_read_localization(games_srv_t)
 
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+	seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+	udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket create_stream_socket_perms;
+allow games_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_udp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_all_nodes(games_t)
+corenet_udp_sendrecv_all_nodes(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_udp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_all_nodes(games_t)
+corenet_tcp_bind_generic_port(games_t)
+corenet_tcp_connect_generic_port(games_t)
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_sendrecv_generic_server_packets(games_t)
+
+dev_read_sound(games_t)
+dev_write_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
-userdom_dontaudit_use_unpriv_user_fds(games_t)
+sysnet_read_config(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files(games_t)
 
-sysadm_dontaudit_search_home_dirs(games_t)
+tunable_policy(`allow_execmem',`
+	allow games_t self:process execmem;
+')
 
 optional_policy(`
-	seutil_sigchld_newrole(games_t)
+	nscd_socket_use(games_t)
 ')
 
 optional_policy(`
-	udev_read_db(games_t)
+	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+	xserver_create_xdm_tmp_sockets(games_t)
+	xserver_read_xdm_lib_files(games_t)
 ')
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
index 2c2a01a..df7ced4 100644
--- a/policy/modules/apps/gift.fc
+++ b/policy/modules/apps/gift.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:gift_home_t,s0)
 
 /usr/(local/)?bin/apollon	-- 	gen_context(system_u:object_r:gift_exec_t,s0)
 /usr/(local/)?bin/giftd		--	gen_context(system_u:object_r:giftd_exec_t,s0)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 7ab618e..c9b90d3 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -1,193 +1,42 @@
 ## <summary>giFT peer to peer file sharing tool</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the gift module.
+##	Role access for gift
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for gift client sessions and gift daemons.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`gift_per_role_template',`
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_gift_t;
-	application_domain($1_gift_t, gift_exec_t)
-	role $3 types $1_gift_t;
-
-	type $1_gift_home_t alias $1_gift_rw_t;
-	files_poly_member($1_gift_home_t)
-	userdom_user_home_content($1, $1_gift_home_t)
-
-	type $1_gift_tmpfs_t;
-	files_tmpfs_file($1_gift_tmpfs_t)
-
-	type $1_giftd_t;
-	application_domain($1_giftd_t, giftd_exec_t)
-	role $3 types $1_giftd_t;
-
-	##############################
-	#
-	# giFT user interface local policy
-	#
-
-	allow $1_gift_t self:tcp_socket create_socket_perms;
-
-	manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
-	fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-	manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
-	userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)
+interface(`gift_role',`
+	gen_require(`
+		type gift_t, gift_exec_t;
+		type giftd_t, giftd_exec_t;
+		type gift_home_t;
+	')
 
-	# Launch gift daemon
-	domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
+	role $1 types { gift_t giftd_t };
 
 	# transition from user domain
-	domtrans_pattern($2, gift_exec_t, $1_gift_t)
+	domtrans_pattern($2, gift_exec_t, gift_t)
+	domtrans_pattern($2, giftd_exec_t, giftd_t)
 
 	# user managed content
-	manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
-	relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
+	manage_dirs_pattern($2, gift_home_t, gift_home_t)
+	manage_files_pattern($2, gift_home_t, gift_home_t)
+	manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+	relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+	relabel_files_pattern($2, gift_home_t, gift_home_t)
+	relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2, $1_gift_t)
-	allow $2 $1_gift_t:process signal_perms;
-
-	# Read /proc/meminfo
-	kernel_read_system_state($1_giftd_t)
-
-	# Connect to gift daemon
-	corenet_all_recvfrom_unlabeled($1_gift_t)
-	corenet_all_recvfrom_netlabel($1_gift_t)
-	corenet_tcp_sendrecv_generic_if($1_gift_t)
-	corenet_tcp_sendrecv_all_nodes($1_gift_t)
-	corenet_tcp_sendrecv_giftd_port($1_gift_t)
-	corenet_tcp_connect_giftd_port($1_gift_t)
-	corenet_sendrecv_giftd_client_packets($1_gift_t)
-
-	fs_search_auto_mountpoints($1_gift_t)
-
-	sysnet_read_config($1_gift_t)
-
-	# giftui looks in .icons, .themes.
-	userdom_dontaudit_read_user_home_content_files($1, $1_gift_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gift_t)
-		fs_manage_nfs_files($1_gift_t)
-		fs_manage_nfs_symlinks($1_gift_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gift_t)
-		fs_manage_cifs_files($1_gift_t)
-		fs_manage_cifs_symlinks($1_gift_t)
-	')
-
-#	optional_policy(`
-#		gnome_user_application($1,$1_gift,$1_gift_t)
-#	')
-
-	optional_policy(`
-		nscd_socket_use($1_gift_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t)
-	')
-
-	##############################
-	#
-	# giFT server local policy
-	#
-
-	allow $1_giftd_t self:process { signal setsched };
-	allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-	allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
-	allow $1_giftd_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
-	userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir)
-
-	domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
-
-	kernel_read_system_state($1_giftd_t)
-	kernel_read_kernel_sysctls($1_giftd_t)
-
-	# Serve content on various p2p networks. Ports can be random.
-	corenet_all_recvfrom_unlabeled($1_giftd_t)
-	corenet_all_recvfrom_netlabel($1_giftd_t)
-	corenet_tcp_sendrecv_generic_if($1_giftd_t)
-	corenet_udp_sendrecv_generic_if($1_giftd_t)
-	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
-	corenet_udp_sendrecv_all_nodes($1_giftd_t)
-	corenet_tcp_sendrecv_all_ports($1_giftd_t)
-	corenet_udp_sendrecv_all_ports($1_giftd_t)
-	corenet_tcp_bind_all_nodes($1_giftd_t)
-	corenet_udp_bind_all_nodes($1_giftd_t)
-	corenet_tcp_bind_all_ports($1_giftd_t)
-	corenet_udp_bind_all_ports($1_giftd_t)
-	corenet_tcp_connect_all_ports($1_giftd_t)
-	corenet_sendrecv_all_client_packets($1_giftd_t)
-
-	files_read_usr_files($1_giftd_t)
-	# Read /etc/mtab
-	files_read_etc_runtime_files($1_giftd_t)
-
-	miscfiles_read_localization($1_giftd_t)
-
-	sysnet_read_config($1_giftd_t)
-
-	userdom_use_user_terminals($1,$1_giftd_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_giftd_t)
-		fs_manage_nfs_files($1_giftd_t)
-		fs_manage_nfs_symlinks($1_giftd_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_giftd_t)
-		fs_manage_cifs_files($1_giftd_t)
-		fs_manage_cifs_symlinks($1_giftd_t)
-	')
+	ps_process_pattern($2, { gift_t giftd_t })
+	allow $2 { gift_t giftd_t }:process signal_perms;
 ')
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index c0aec31..b7c1e18 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -1,13 +1,149 @@
 
-policy_module(gift, 1.4.0)
+policy_module(gift, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type gift_t;
 type gift_exec_t;
-application_executable_file(gift_exec_t)
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+application_domain(gift_t, gift_exec_t)
+ubac_constrained(gift_t)
 
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+files_poly_member(gift_home_t)
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+files_tmpfs_file(gift_tmpfs_t)
+ubac_constrained(gift_tmpfs_t)
+
+type giftd_t;
 type giftd_exec_t;
-application_executable_file(giftd_exec_t)
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+application_domain(giftd_t, giftd_exec_t)
+ubac_constrained(giftd_t)
+
+##############################
+#
+# giFT user interface local policy
+#
+
+allow gift_t self:tcp_socket create_socket_perms;
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+# Launch gift daemon
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+# Read /proc/meminfo
+kernel_read_system_state(giftd_t)
+
+# Connect to gift daemon
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_all_nodes(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_sendrecv_giftd_client_packets(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+sysnet_read_config(gift_t)
+
+# giftui looks in .icons, .themes.
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gift_t)
+	fs_manage_nfs_files(gift_t)
+	fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gift_t)
+	fs_manage_cifs_files(gift_t)
+	fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+	nscd_socket_use(gift_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# giFT server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket create_stream_socket_perms;
+allow giftd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+# Serve content on various p2p networks. Ports can be random.
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_all_nodes(giftd_t)
+corenet_udp_sendrecv_all_nodes(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_all_nodes(giftd_t)
+corenet_udp_bind_all_nodes(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+corenet_sendrecv_all_client_packets(giftd_t)
+
+files_read_usr_files(giftd_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_read_config(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(giftd_t)
+	fs_manage_nfs_files(giftd_t)
+	fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(giftd_t)
+	fs_manage_cifs_files(giftd_t)
+	fs_manage_cifs_symlinks(giftd_t)
+')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index e5f5f1c..223a9d1 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,8 +1,8 @@
-HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 
 /etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
 
-/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+/tmp/gconfd-USER/.*	--	gen_context(system_u:object_r:gconf_tmp_t,s0)
 
 /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 8da9f61..9601de0 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,190 +1,93 @@
 ## <summary>GNU network object model environment (GNOME)</summary>
 
-########################################
+############################################################
 ## <summary>
-##	The per role template for the gnome module.
+##	Role access for gnome
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is used
-##	for gconf sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each role, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`gnome_per_role_template',`
+interface(`gnome_role',`
 	gen_require(`
-		type gconfd_exec_t, gconf_etc_t;
-		attribute gnomedomain;
+		type gconfd_t, gconfd_exec_t;
+		type gconf_tmp_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-	type $1_gconfd_t, gnomedomain;
-
-	application_domain($1_gconfd_t, gconfd_exec_t)
-	role $3 types $1_gconfd_t;
-
-	type $1_gconf_home_t;
-	userdom_user_home_content($1, $1_gconf_home_t)
-
-	type $1_gnome_home_t;
-	userdom_user_home_content($1, $1_gnome_home_t)
-
-	type $1_gconf_tmp_t;
-	files_tmp_file($1_gconf_tmp_t)
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	allow $1_gconfd_t self:process getsched;
- 	allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
-
-	manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
-	manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
-	userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
-
-	manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
-	manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
-	userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file })
-
-	domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
-	allow $1_gconfd_t $2:fd use;
-	allow $1_gconfd_t $2:fifo_file write;
-	allow $1_gconfd_t $2:unix_stream_socket connectto;
-
-	allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
-	read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t)
+	role $1 types gconfd_t;
 
-	ps_process_pattern($2, $1_gconfd_t)
+	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+	allow gconfd_t $2:fd use;
+	allow gconfd_t $2:fifo_file write;
+	allow gconfd_t $2:unix_stream_socket connectto;
 
-	dev_read_urand($1_gconfd_t)
+	ps_process_pattern($2, gconfd_t)
 
-	files_read_etc_files($1_gconfd_t)
-
-	miscfiles_read_localization($1_gconfd_t)
-
-	logging_send_syslog_msg($1_gconfd_t)
-
-	userdom_manage_user_tmp_sockets($1, $1_gconfd_t)
-	userdom_manage_user_tmp_dirs($1, $1_gconfd_t)
-	userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir)
-
-	gnome_stream_connect_gconf_template($1, $2)
-
-	optional_policy(`
-		nscd_dontaudit_search_pid($1_gconfd_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_gconfd_t)
-		xserver_rw_xdm_pipes($1_gconfd_t)
-	')
+	#gnome_stream_connect_gconf_template($1, $2)
+	read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+	allow $2 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
 ##	gconf connection template.
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="user_domain">
 ##	<summary>
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_stream_connect_gconf_template',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type $1_gconfd_t, $1_gconf_tmp_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t)
-	allow $2 $1_gconfd_t:unix_stream_socket connectto;
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Run gconfd in the role-specific gconfd domain.
+##	Run gconfd in gconfd domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run gconfd in the role-specfic gconfd domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`gnome_domtrans_user_gconf',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type $1_gconfd_t, gconfd_exec_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t)
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
 ########################################
 ## <summary>
 ##	manage gnome homedir content (.config)
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="user_domain">
 ##	<summary>
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_manage_user_gnome_config',`
+interface(`gnome_manage_config',`
 	gen_require(`
-		type $1_gnome_home_t;
+		type gnome_home_t;
 	')
 
-	allow $2 $1_gnome_home_t:dir manage_dir_perms;
-	allow $2 $1_gnome_home_t:file manage_file_perms;
+	allow $1 gnome_home_t:dir manage_dir_perms;
+	allow $1 gnome_home_t:file manage_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 1bfe4dd..984009e 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,5 +1,5 @@
 
-policy_module(gnome, 1.3.0)
+policy_module(gnome, 2.0.0)
 
 ##############################
 #
@@ -11,5 +11,65 @@ attribute gnomedomain;
 type gconf_etc_t;
 files_type(gconf_etc_t)
 
+type gconf_home_t;
+typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+userdom_user_home_content(gconf_home_t)
+
+type gconf_tmp_t;
+typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
+typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+files_tmp_file(gconf_tmp_t)
+ubac_constrained(gconf_tmp_t)
+
+type gconfd_t, gnomedomain;
 type gconfd_exec_t;
-application_executable_file(gconfd_exec_t)
+typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+application_domain(gconfd_t, gconfd_exec_t)
+ubac_constrained(gconfd_t)
+
+type gnome_home_t;
+typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+userdom_user_home_content(gnome_home_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
+
+files_read_etc_files(gconfd_t)
+
+miscfiles_read_localization(gconfd_t)
+
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+optional_policy(`
+	nscd_dontaudit_search_pid(gconfd_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(gconfd_t)
+	xserver_rw_xdm_pipes(gconfd_t)
+')
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index 0c5dc94..3a42f2a 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 9b03de2..176e01d 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -1,382 +1,88 @@
 ## <summary>Policy for GNU Privacy Guard and related programs.</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the gpg module.
+##	Role access for gpg
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates the types and rules for GPG,
-##	GPG-agent, and GPG helper programs.  This protects
-##	the user keys and secrets, and runs the programs
-##	in domains specific to the user type.
-##	</p>
-##	<p>
-##	This is invoked automatically for each user and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="userdomain">
+## <param name="role">
 ##	<summary>
-##	The user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`gpg_per_role_template',`
+interface(`gpg_role',`
 	gen_require(`
-		type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t;
+		type gpg_t, gpg_exec_t;
+		type gpg_agent_t, gpg_agent_exec_t;
+		type gpg_agent_tmp_t;
+		type gpg_helper_t, gpg_pinentry_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_gpg_t;
-	application_domain($1_gpg_t, gpg_exec_t)
-	role $3 types $1_gpg_t;
-
-	type $1_gpg_agent_t;
-	application_domain($1_gpg_agent_t, gpg_agent_exec_t)
-	role $3 types $1_gpg_agent_t;
-
-	type $1_gpg_agent_tmp_t;
-	files_tmp_file($1_gpg_agent_tmp_t)
-
-	type $1_gpg_secret_t;
-	userdom_user_home_content($1, $1_gpg_secret_t)
-
-	type $1_gpg_helper_t;
-	application_domain($1_gpg_helper_t, gpg_helper_exec_t)
-	role $3 types $1_gpg_helper_t;
-
-	type $1_gpg_pinentry_t;
-	application_domain($1_gpg_pinentry_t, pinentry_exec_t)
-	role $3 types $1_gpg_pinentry_t;
-
-	########################################
-	#
-	# GPG local policy
-	#
-
-	allow $1_gpg_t self:capability { ipc_lock setuid };
-	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
-	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
-	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-	# transition from the gpg domain to the helper domain
-	domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-
-	manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- 	userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
+	role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
 
 	# transition from the userdomain to the derived domain
-	domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
+	domtrans_pattern($2, gpg_exec_t, gpg_t)
 
 	# allow ps to show gpg
-	ps_process_pattern($2, $1_gpg_t)
-
-	corenet_all_recvfrom_unlabeled($1_gpg_t)
-	corenet_all_recvfrom_netlabel($1_gpg_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_t)
-	corenet_udp_sendrecv_all_if($1_gpg_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_t)
-	corenet_tcp_connect_all_ports($1_gpg_t)
-	corenet_sendrecv_all_client_packets($1_gpg_t)
-
-	dev_read_rand($1_gpg_t)
-	dev_read_urand($1_gpg_t)
-
-	fs_getattr_xattr_fs($1_gpg_t)
-
-	domain_use_interactive_fds($1_gpg_t)
-
-	files_read_etc_files($1_gpg_t)
-	files_read_usr_files($1_gpg_t)
-	files_dontaudit_search_var($1_gpg_t)
-
-	miscfiles_read_localization($1_gpg_t)
-
-	logging_send_syslog_msg($1_gpg_t)
-
-	sysnet_read_config($1_gpg_t)
-
-	userdom_use_user_terminals($1, $1_gpg_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_gpg_t)
-	')
-
-	ifdef(`TODO',`
-	# Read content to encrypt/decrypt/sign
-	read_content($1_gpg_t, $1)
-
-	# Write content to encrypt/decrypt/sign
-	write_trusted($1_gpg_t, $1)
-	') dnl end TODO
-
-	########################################
-	#
-	# GPG helper local policy
-	#
-
-	# for helper programs (which automatically fetch keys)
-	# Note: this is only tested with the hkp interface. If you use eg the 
-	# mail interface you will likely need additional permissions.
-
-	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
-	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+	ps_process_pattern($2, gpg_t)
+	allow $2 gpg_t:process signal;
 
 	# communicate with the user 
-	allow $1_gpg_helper_t $2:fd use;
-	allow $1_gpg_helper_t $2:fifo_file write;
-
-	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-
-	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
-	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
-	corenet_udp_bind_all_nodes($1_gpg_helper_t)
-	corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
-	dev_read_urand($1_gpg_helper_t)
-
-	files_read_etc_files($1_gpg_helper_t)
-	# for nscd
-	files_dontaudit_search_var($1_gpg_helper_t)
-
-	sysnet_read_config($1_gpg_helper_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_gpg_t)
-		xserver_rw_xdm_pipes($1_gpg_t)
-	')
-
-	########################################
-	#
-	# GPG agent local policy
-	#
-
-	# rlimit: gpg-agent wants to prevent coredumps
-	allow $1_gpg_agent_t self:process setrlimit;
-
-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
-
-	# Allow the gpg-agent to manage its tmp files (socket)
-	manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-
-	# allow gpg to connect to the gpg agent
-	stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t)
+	allow gpg_helper_t $2:fd use;
+	allow gpg_helper_t $2:fifo_file write;
 
 	# allow ps to show gpg-agent
-	ps_process_pattern($2, $1_gpg_agent_t)
+	ps_process_pattern($2, gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
-
-	# Allow the user to manage gpg-agent tmp files (socket)
-	manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
-	corecmd_search_bin($1_gpg_agent_t)
-
-	domain_use_interactive_fds($1_gpg_agent_t)
-
-	miscfiles_read_localization($1_gpg_agent_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1, $1_gpg_agent_t)
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	userdom_search_user_home_dirs($1, $1_gpg_agent_t)
-
-	tunable_policy(`gpg_agent_env_file',`
-		# write ~/.gpg-agent-info or a similar to the users home dir
-		# or subdir (gpg-agent --write-env-file option)
-		#
-		userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file)
-		userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t)
-		userdom_manage_user_home_content_files($1, $1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gpg_agent_t)
-		fs_manage_nfs_files($1_gpg_agent_t)
-		fs_manage_nfs_symlinks($1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gpg_agent_t)
-		fs_manage_cifs_files($1_gpg_agent_t)
-		fs_manage_cifs_symlinks($1_gpg_agent_t)
-	')
-
-	##############################
-	#
-	# Pinentry local policy
-	#
-
-	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
-	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-	# from the user.
-	domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-	# read /proc/meminfo
-	kernel_read_system_state($1_gpg_pinentry_t)
+	allow $2 gpg_agent_t:process { signal sigkill };
 
-	files_read_usr_files($1_gpg_pinentry_t)
-	# read /etc/X11/qtrc
-	files_read_etc_files($1_gpg_pinentry_t)
+	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
-	miscfiles_read_fonts($1_gpg_pinentry_t)
-	miscfiles_read_localization($1_gpg_pinentry_t)
-
-	# for .Xauthority
-	userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_gpg_pinentry_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_gpg_pinentry_t)
-	')
-
-	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
-	')
-
-	ifdef(`TODO',`
-	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
-	# wants to put some lock files into the user home dir, seems to work fine without
-	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
-		dontaudit $1_gpg_pinentry_t nfs_t:file write;
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
-		dontaudit $1_gpg_pinentry_t cifs_t:file write;
-	')
-
-	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-	') dnl end TODO
+	# Transition from the user domain to the agent domain.
+	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
 ')
 
 ########################################
 ## <summary>
 ##      Transition to a user gpg domain.
 ## </summary>
-## <desc>
-##      <p>
-##      Transition to a user gpg domain.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`gpg_domtrans_user_gpg',`
+interface(`gpg_domtrans',`
 	gen_require(`
-		type $1_gpg_t, gpg_exec_t;
+		type gpg_t, gpg_exec_t;
 	')
 
-	domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
+	domtrans_pattern($1, gpg_exec_t, gpg_t)
 ')
 
 ########################################
 ## <summary>
 ##      Send generic signals to user gpg processes.
 ## </summary>
-## <desc>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`gpg_signal_user_gpg',`
+interface(`gpg_signal',`
 	gen_require(`
-		type $1_gpg_t;
+		type gpg_t;
 	')
 
-	allow $2 $1_gpg_t:process signal;
+	allow $1 gpg_t:process signal;
 ')
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 6754d6d..061b94c 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
 
-policy_module(gpg, 1.6.0)
+policy_module(gpg, 2.0.0)
 
 ########################################
 #
@@ -14,16 +14,239 @@ policy_module(gpg, 1.6.0)
 ## </desc>
 gen_tunable(gpg_agent_env_file, false)
 
-# Type for gpg or pgp executables.
+type gpg_t;
 type gpg_exec_t;
-type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+application_domain(gpg_t, gpg_exec_t)
+ubac_constrained(gpg_t)
 
-# Type for the gpg-agent executable.
+type gpg_agent_t;
 type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
+typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
+application_domain(gpg_agent_t, gpg_agent_exec_t)
+ubac_constrained(gpg_agent_t)
+
+type gpg_agent_tmp_t;
+typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
+typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
+files_tmp_file(gpg_agent_tmp_t)
+ubac_constrained(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
+typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
+userdom_user_home_content(gpg_secret_t)
+
+type gpg_helper_t;
+type gpg_helper_exec_t;
+typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
+typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+application_domain(gpg_helper_t, gpg_helper_exec_t)
+ubac_constrained(gpg_helper_t)
 
-# type for the pinentry executable
+type gpg_pinentry_t;
 type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
+typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+ubac_constrained(gpg_pinentry_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { signal setrlimit setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+sysnet_read_config(gpg_t)
+
+userdom_use_user_terminals(gpg_t)
+
+optional_policy(`
+	nis_use_ypbind(gpg_t)
+')
+
+########################################
+#
+# GPG helper local policy
+#
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+dev_read_urand(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+# for nscd
+files_dontaudit_search_var(gpg_helper_t)
+
+sysnet_read_config(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(gpg_t)
+	xserver_rw_xdm_pipes(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# Allow the gpg-agent to manage its tmp files (socket)
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(gpg_agent_t)
+
+tunable_policy(`gpg_agent_env_file',`
+	# write ~/.gpg-agent-info or a similar to the users home dir
+	# or subdir (gpg-agent --write-env-file option)
+	#
+	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+	userdom_manage_user_home_content_dirs(gpg_agent_t)
+	userdom_manage_user_home_content_files(gpg_agent_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_agent_t)
+	fs_manage_nfs_files(gpg_agent_t)
+	fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_agent_t)
+	fs_manage_cifs_files(gpg_agent_t)
+	fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+	xserver_stream_connect(gpg_pinentry_t)
+')
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 618588c..65ece18 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,11 @@
 #
 # /home
 #
-HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:irc_home_t,s0)
 
 #
 # /usr
 #
-/usr/bin/[st]irc		--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/[st]irc	--	gen_context(system_u:object_r:irc_exec_t,s0)
 /usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc		--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc	--	gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 42d49ac..4f9dc90 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -1,147 +1,31 @@
 ## <summary>IRC client policy</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the irc module.
+##	Role access for IRC
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for an irc client sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`irc_per_role_template',`
+interface(`irc_role',`
 	gen_require(`
-		type irc_exec_t;
+		type irc_t, irc_exec_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_irc_t;
-	application_domain($1_irc_t, irc_exec_t)
-	role $3 types $1_irc_t;
-
-	type $1_irc_exec_t;
-	userdom_user_home_content($1, $1_irc_exec_t)
-	application_domain($1_irc_t, $1_irc_exec_t)
-
-	type $1_irc_home_t;
-	userdom_user_home_content($1, $1_irc_home_t)
-
-	type $1_irc_tmp_t;
-	userdom_user_home_content($1, $1_irc_tmp_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_irc_t self:tcp_socket create_socket_perms;
-	allow $1_irc_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
-	manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
-	manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
-	userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file })
-
-	# access files under /tmp
-	manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
-	manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
-	manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
-	manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
-	manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
-	files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+	role $1 types irc_t;
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, irc_exec_t, $1_irc_t)
-
-	allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
+	domtrans_pattern($2, irc_exec_t, irc_t)
 
 	# allow ps to show irc
-	ps_process_pattern($2, $1_irc_t)
-	allow $2 $1_irc_t:process signal;
-
-	kernel_read_proc_symlinks($1_irc_t)
-
-	corenet_all_recvfrom_unlabeled($1_irc_t)
-	corenet_all_recvfrom_netlabel($1_irc_t)
-	corenet_tcp_sendrecv_generic_if($1_irc_t)
-	corenet_udp_sendrecv_generic_if($1_irc_t)
-	corenet_tcp_sendrecv_all_nodes($1_irc_t)
-	corenet_udp_sendrecv_all_nodes($1_irc_t)
-	corenet_tcp_sendrecv_all_ports($1_irc_t)
-	corenet_udp_sendrecv_all_ports($1_irc_t)
-	corenet_sendrecv_ircd_client_packets($1_irc_t)
-	# cjp: this seems excessive:
-	corenet_tcp_connect_all_ports($1_irc_t)
-	corenet_sendrecv_all_client_packets($1_irc_t)
-
-	domain_use_interactive_fds($1_irc_t)
-
-	files_dontaudit_search_pids($1_irc_t)
-	files_search_var($1_irc_t)
-	files_read_etc_files($1_irc_t)
-	files_read_usr_files($1_irc_t)
-
-	fs_getattr_xattr_fs($1_irc_t)
-	fs_search_auto_mountpoints($1_irc_t)
-
-	term_use_controlling_term($1_irc_t)
-	term_list_ptys($1_irc_t)
-
-	# allow utmp access
-	init_read_utmp($1_irc_t)
-	init_dontaudit_lock_utmp($1_irc_t)
-
-	miscfiles_read_localization($1_irc_t)
-
-	# Inherit and use descriptors from newrole.
-	seutil_use_newrole_fds($1_irc_t)
-
-	sysnet_read_config($1_irc_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1, $1_irc_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_irc_t)
-		fs_manage_nfs_files($1_irc_t)
-		fs_manage_nfs_symlinks($1_irc_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_irc_t)
-		fs_manage_cifs_files($1_irc_t)
-		fs_manage_cifs_symlinks($1_irc_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_irc_t)
-	')
+	ps_process_pattern($2, irc_t)
+	allow $2 irc_t:process signal;
 ')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 31208b6..c8b6405 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -1,10 +1,104 @@
 
-policy_module(irc, 1.4.0)
+policy_module(irc, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type irc_t;
 type irc_exec_t;
-application_executable_file(irc_exec_t)
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+application_domain(irc_t, irc_exec_t)
+ubac_constrained(irc_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+
+# access files under /tmp
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_proc_symlinks(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_udp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_all_nodes(irc_t)
+corenet_udp_sendrecv_all_nodes(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+corenet_udp_sendrecv_all_ports(irc_t)
+corenet_sendrecv_ircd_client_packets(irc_t)
+# cjp: this seems excessive:
+corenet_tcp_connect_all_ports(irc_t)
+corenet_sendrecv_all_client_packets(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_dontaudit_search_pids(irc_t)
+files_search_var(irc_t)
+files_read_etc_files(irc_t)
+files_read_usr_files(irc_t)
+
+fs_getattr_xattr_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+# allow utmp access
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_localization(irc_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(irc_t)
+
+sysnet_read_config(irc_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(irc_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(irc_t)
+	fs_manage_nfs_files(irc_t)
+	fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(irc_t)
+	fs_manage_cifs_files(irc_t)
+	fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(irc_t)
+')
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 11f192c..a620f39 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -1,206 +1,58 @@
 ## <summary>Java virtual machine</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the java module.
+##	Role access for java
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for java plugins that are executed by a browser.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`java_per_role_template',`
+interface(`java_role',`
 	gen_require(`
-		type java_exec_t;
+		type java_t, java_exec_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_javaplugin_t;
-	application_domain($1_javaplugin_t, java_exec_t)
-	role $3 types $1_javaplugin_t;
-
-	type $1_javaplugin_tmp_t;
-	files_tmp_file($1_javaplugin_tmp_t)
-
-	type $1_javaplugin_tmpfs_t;
-	files_tmpfs_file($1_javaplugin_tmpfs_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
-	allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
-	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
-	allow $1_javaplugin_t self:udp_socket create_socket_perms;
-
-	allow $1_javaplugin_t $2:unix_stream_socket connectto;
-	allow $1_javaplugin_t $2:unix_stream_socket { read write };
-	userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
-
-	manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
-	manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
-	files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
-
-	manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
-	manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
-	manage_fifo_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
-	manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
-	fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-	rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-	read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-
-	can_exec($1_javaplugin_t, java_exec_t)
+	role $1 types java_t;
 
 	# The user role is authorized for this domain.
-	domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-	allow $1_javaplugin_t $2:fd use;
+	domtrans_pattern($2, java_exec_t, java_t)
+	allow java_t $2:process signull;
 	# Unrestricted inheritance from the caller.
-	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-	allow $1_javaplugin_t $2:process signull;
-
-	kernel_read_all_sysctls($1_javaplugin_t)
-	kernel_search_vm_sysctl($1_javaplugin_t)
-	kernel_read_network_state($1_javaplugin_t)
-	kernel_read_system_state($1_javaplugin_t)
-
-	# Search bin directory under javaplugin for javaplugin executable
-	corecmd_search_bin($1_javaplugin_t)
-
-	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
-	corenet_all_recvfrom_netlabel($1_javaplugin_t)
-	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
-	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
-	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
-	corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
-	corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
-	corenet_udp_sendrecv_all_ports($1_javaplugin_t)
-	corenet_tcp_connect_all_ports($1_javaplugin_t)
-	corenet_sendrecv_all_client_packets($1_javaplugin_t)
-
-	dev_read_sound($1_javaplugin_t)
-	dev_write_sound($1_javaplugin_t)
-	dev_read_urand($1_javaplugin_t)
-	dev_read_rand($1_javaplugin_t)
-
-	files_read_etc_files($1_javaplugin_t)
-	files_read_usr_files($1_javaplugin_t)
-	files_search_home($1_javaplugin_t)
-	files_search_var_lib($1_javaplugin_t)
-	files_read_etc_runtime_files($1_javaplugin_t)
-	# Read global fonts and font config
-	files_read_etc_files($1_javaplugin_t)
-
-	fs_getattr_xattr_fs($1_javaplugin_t)
-	fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+	allow $2 java_t:process { noatsecure siginh rlimitinh };
 
-	logging_send_syslog_msg($1_javaplugin_t)
-
-	miscfiles_read_localization($1_javaplugin_t)
-	# Read global fonts and font config
-	miscfiles_read_fonts($1_javaplugin_t)
-
-	sysnet_read_config($1_javaplugin_t)
-
-	userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
-	userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
-	userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_files($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
-	userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
-	userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
-
-	tunable_policy(`allow_java_execstack',`
-		allow $1_javaplugin_t self:process execstack;
-
-		allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
-		libs_legacy_use_shared_libs($1_javaplugin_t)
-		libs_legacy_use_ld_so($1_javaplugin_t)
-
-		miscfiles_legacy_read_localization($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_javaplugin_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
-	')
+	allow java_t $2:unix_stream_socket connectto;
+	allow java_t $2:unix_stream_socket { read write };
 ')
 
 ########################################
 ## <summary>
 ##	Run java in javaplugin domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run java in javaplugin domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`java_domtrans_user_javaplugin',`
+template(`java_domtrans',`
 	gen_require(`
-		type $1_javaplugin_t, java_exec_t;
+		type java_t, java_exec_t;
 	')
 
-	domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
+	domtrans_pattern($1, java_exec_t, java_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute the java program in the java domain.
+##	Execute the java program in the unconfined java domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -208,11 +60,11 @@ template(`java_domtrans_user_javaplugin',`
 ##	</summary>
 ## </param>
 #
-interface(`java_domtrans',`
+interface(`java_domtrans_unconfined',`
 	gen_require(`
-		type java_t, java_exec_t;
+		type unconfined_java_t, java_exec_t;
 	')
 
+	domtrans_pattern($1, java_exec_t, unconfined_java_t)
 	corecmd_search_bin($1)
-	domtrans_pattern($1, java_exec_t, java_t)
 ')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 16d43eb..1f866e7 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
 
-policy_module(java, 1.8.0)
+policy_module(java, 2.0.0)
 
 ########################################
 #
@@ -15,19 +15,136 @@ gen_tunable(allow_java_execstack, false)
 
 type java_t;
 type java_exec_t;
-init_system_domain(java_t, java_exec_t)
+application_domain(java_t, java_exec_t)
+ubac_constrained(java_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+
+type java_tmp_t;
+files_tmp_file(java_tmp_t)
+ubac_constrained(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+ubac_constrained(java_tmpfs_t)
+files_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
 
 ########################################
 #
 # Local policy
 #
 
-# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { signal_perms getsched setsched execmem };
+allow java_t self:fifo_file rw_fifo_file_perms;
+allow java_t self:tcp_socket create_socket_perms;
+allow java_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_t, java_tmp_t,{ file dir })
+
+manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_t, java_exec_t)
+
+kernel_read_all_sysctls(java_t)
+kernel_search_vm_sysctl(java_t)
+kernel_read_network_state(java_t)
+kernel_read_system_state(java_t)
+
+# Search bin directory under java for java executable
+corecmd_search_bin(java_t)
+
+corenet_all_recvfrom_unlabeled(java_t)
+corenet_all_recvfrom_netlabel(java_t)
+corenet_tcp_sendrecv_generic_if(java_t)
+corenet_udp_sendrecv_generic_if(java_t)
+corenet_tcp_sendrecv_all_nodes(java_t)
+corenet_udp_sendrecv_all_nodes(java_t)
+corenet_tcp_sendrecv_all_ports(java_t)
+corenet_udp_sendrecv_all_ports(java_t)
+corenet_tcp_connect_all_ports(java_t)
+corenet_sendrecv_all_client_packets(java_t)
+
+dev_read_sound(java_t)
+dev_write_sound(java_t)
+dev_read_urand(java_t)
+dev_read_rand(java_t)
+
+files_read_etc_files(java_t)
+files_read_usr_files(java_t)
+files_search_home(java_t)
+files_search_var_lib(java_t)
+files_read_etc_runtime_files(java_t)
+# Read global fonts and font config
+files_read_etc_files(java_t)
+
+fs_getattr_xattr_fs(java_t)
+fs_dontaudit_rw_tmpfs_files(java_t)
+
+logging_send_syslog_msg(java_t)
+
+miscfiles_read_localization(java_t)
+# Read global fonts and font config
+miscfiles_read_fonts(java_t)
+
+sysnet_read_config(java_t)
+
+userdom_dontaudit_use_user_terminals(java_t)
+userdom_dontaudit_setattr_user_home_content_files(java_t)
+userdom_dontaudit_exec_user_home_content_files(java_t)
+userdom_manage_user_home_content_dirs(java_t)
+userdom_manage_user_home_content_files(java_t)
+userdom_manage_user_home_content_symlinks(java_t)
+userdom_manage_user_home_content_pipes(java_t)
+userdom_manage_user_home_content_sockets(java_t)
+userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
+userdom_write_user_tmp_sockets(java_t)
+
+tunable_policy(`allow_java_execstack',`
+	allow java_t self:process execstack;
+
+	allow java_t java_tmp_t:file execute;
 
-init_dbus_chat_script(java_t)
+	libs_legacy_use_shared_libs(java_t)
+	libs_legacy_use_ld_so(java_t)
+
+	miscfiles_legacy_read_localization(java_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(java_t)
+')
 
 optional_policy(`
-	unconfined_domain_noaudit(java_t)
-	unconfined_dbus_chat(java_t)
+	nscd_socket_use(java_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined java local policy
+#
+
+optional_policy(`
+	# execheap is needed for itanium/BEA jrocket
+	allow unconfined_java_t self:process { execstack execmem execheap };
+
+	init_dbus_chat_script(unconfined_java_t)
+
+	unconfined_domain_noaudit(unconfined_java_t)
+	unconfined_dbus_chat(unconfined_java_t)
 ')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index 1c5f09b..c56cfa4 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -33,11 +33,6 @@ interface(`loadkeys_domtrans',`
 ##	The role to allow the loadkeys domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the loadkeys domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`loadkeys_run',`
@@ -47,7 +42,6 @@ interface(`loadkeys_run',`
 
 	loadkeys_domtrans($1)
 	role $2 types loadkeys_t;
-	allow loadkeys_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index bcb6676..670ef29 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -1,5 +1,5 @@
 
-policy_module(loadkeys, 1.4.0)
+policy_module(loadkeys, 1.4.1)
 
 ########################################
 #
@@ -39,6 +39,8 @@ locallogin_use_fds(loadkeys_t)
 
 miscfiles_read_localization(loadkeys_t)
 
+userdom_use_user_ttys(loadkeys_t)
+
 optional_policy(`
 	nscd_dontaudit_search_pid(loadkeys_t)
 ')
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index c818c1e..8e7d279 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -1,79 +1,33 @@
 ## <summary>device locking policy for lockdev</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the lockdev module.
+##	Role access for lockdev
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for lockdev. A derived type is also created to protect
-##	the user's device locks.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`lockdev_per_role_template',`
+interface(`lockdev_role',`
 	gen_require(`
-		type lockdev_exec_t;
+		type lockdev_t, lockdev_exec_t;
+		type lockdev_lock_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_lockdev_t;
-	application_domain($1_lockdev_t, lockdev_exec_t)
-	role $3 types $1_lockdev_t;
-
-	type $1_lockdev_lock_t;
-	files_lock_file($1_lockdev_lock_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	# Use capabilities.
-	allow $1_lockdev_t self:capability setgid;
-	allow $1_lockdev_t $2:process signull;
+	role $1 types lockdev_t;
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
+	domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+	allow lockdev_t $2:process signull;
 
-	allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
-	files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file)
-
-	files_read_all_locks($1_lockdev_t)
-
-	fs_getattr_xattr_fs($1_lockdev_t)
-
-	logging_send_syslog_msg($1_lockdev_t)
-
-	userdom_use_user_terminals($1, $1_lockdev_t)
-
-	optional_policy(`
-		logging_send_syslog_msg($1_t)
-	')
+	# allow ps to show lockdev
+	ps_process_pattern($2, lockdev_t)
+	allow $2 lockdev_t:process signal;
 ')
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
index bb96b0c..34467b6 100644
--- a/policy/modules/apps/lockdev.te
+++ b/policy/modules/apps/lockdev.te
@@ -1,10 +1,40 @@
 
-policy_module(lockdev, 1.2.0)
+policy_module(lockdev, 1.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+type lockdev_t;
 type lockdev_exec_t;
-application_executable_file(lockdev_exec_t)
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+application_domain(lockdev_t, lockdev_exec_t)
+ubac_constrained(lockdev_t)
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities.
+allow lockdev_t self:capability setgid;
+
+allow lockdev_t lockdev_lock_t:file manage_file_perms;
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
+
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 831090a..5c79af6 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono, 1.5.0)
+policy_module(mono, 1.5.1)
 
 ########################################
 #
@@ -17,10 +17,10 @@ init_system_domain(mono_t, mono_exec_t)
 
 allow mono_t self:process { execheap execmem };
 
-unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
-
 init_dbus_chat_script(mono_t)
 
+userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+
 optional_policy(`
 	avahi_dbus_chat(mono_t)
 ')
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 99f54ca..b6f0924 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 
 #
 # /bin
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index abbb2bb..3811a40 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -1,504 +1,108 @@
 ## <summary>Policy for Mozilla and related web browsers</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the mozilla module.
+##	Role access for mozilla
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for mozilla web browser.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`mozilla_per_role_template',`
+interface(`mozilla_role',`
 	gen_require(`
-		type mozilla_conf_t, mozilla_exec_t;
+		type mozilla_t, mozilla_exec_t, mozilla_home_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-	type $1_mozilla_t;
-	application_domain($1_mozilla_t, mozilla_exec_t)
-	role $3 types $1_mozilla_t;
-
-	type $1_mozilla_home_t alias $1_mozilla_rw_t;
-	files_poly_member($1_mozilla_home_t)
-	userdom_user_home_content($1, $1_mozilla_home_t)
-
-	type $1_mozilla_tmpfs_t;
-	files_tmpfs_file($1_mozilla_tmpfs_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
-	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
-	allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
-	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
-	allow $1_mozilla_t self:sem create_sem_perms;
-	allow $1_mozilla_t self:socket create_socket_perms;
-	allow $1_mozilla_t self:unix_stream_socket { listen accept };
-	# Browse the web, connect to printer
-	allow $1_mozilla_t self:tcp_socket create_socket_perms;
-	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-
-	# for bash - old mozilla binary
-	can_exec($1_mozilla_t, mozilla_exec_t)
-
-	# X access, Home files
-	manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
-	userdom_search_user_home_dirs($1, $1_mozilla_t)
-
-	# Mozpluggerrc
-	allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
+	role $1 types mozilla_t;
 
-	allow $1_mozilla_t $2:fd use;
-	allow $1_mozilla_t $2:process sigchld;
-	allow $1_mozilla_t $2:unix_stream_socket connectto;
-	allow $2 $1_mozilla_t:fd use;
-	allow $2 $1_mozilla_t:shm { associate getattr };
-	allow $2 $1_mozilla_t:shm { unix_read unix_write };
-	allow $2 $1_mozilla_t:unix_stream_socket connectto;
-
-	# X access, Home files
-	manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-	relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-
-	manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
-	fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
-	allow $1_mozilla_t $2:process signull;
-
-	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	domain_auto_trans($2, mozilla_exec_t, mozilla_t)
 	# Unrestricted inheritance from the caller.
-	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+	allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+	allow mozilla_t $2:fd use;
+	allow mozilla_t $2:process { sigchld signull };
+	allow mozilla_t $2:unix_stream_socket connectto;
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2, $1_mozilla_t)
-	allow $2 $1_mozilla_t:process signal_perms;
-
-	kernel_read_kernel_sysctls($1_mozilla_t)
-	kernel_read_network_state($1_mozilla_t)
-	# Access /proc, sysctl
-	kernel_read_system_state($1_mozilla_t)
-	kernel_read_net_sysctls($1_mozilla_t)
-
-	# Look for plugins 
-	corecmd_list_bin($1_mozilla_t)
-	# for bash - old mozilla binary
-	corecmd_exec_shell($1_mozilla_t)
-	corecmd_exec_bin($1_mozilla_t)
-
-	# Browse the web, connect to printer
-	corenet_all_recvfrom_unlabeled($1_mozilla_t)
-	corenet_all_recvfrom_netlabel($1_mozilla_t)
-	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
-	corenet_raw_sendrecv_generic_if($1_mozilla_t)
-	corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
-	corenet_raw_sendrecv_all_nodes($1_mozilla_t)
-	corenet_tcp_sendrecv_http_port($1_mozilla_t)
-	corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
-	corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
-	corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
-	corenet_tcp_connect_http_port($1_mozilla_t)
-	corenet_tcp_connect_http_cache_port($1_mozilla_t)
-	corenet_tcp_connect_ftp_port($1_mozilla_t)
-	corenet_tcp_connect_ipp_port($1_mozilla_t)
-	corenet_tcp_connect_generic_port($1_mozilla_t)
-	corenet_sendrecv_http_client_packets($1_mozilla_t)
-	corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
-	corenet_sendrecv_ftp_client_packets($1_mozilla_t)
-	corenet_sendrecv_ipp_client_packets($1_mozilla_t)
-	corenet_sendrecv_generic_client_packets($1_mozilla_t)
-	# Should not need other ports
-	corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
-	corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
-
-	dev_read_urand($1_mozilla_t)
-	dev_read_rand($1_mozilla_t)
-	dev_write_sound($1_mozilla_t)
-	dev_read_sound($1_mozilla_t)
-	dev_dontaudit_rw_dri($1_mozilla_t)
-	dev_getattr_sysfs_dirs($1_mozilla_t)
-
-	files_read_etc_runtime_files($1_mozilla_t)
-	files_read_usr_files($1_mozilla_t)
-	files_read_etc_files($1_mozilla_t)
-	# /var/lib
-	files_read_var_lib_files($1_mozilla_t)
-	# interacting with gstreamer
-	files_read_var_files($1_mozilla_t)
-	files_read_var_symlinks($1_mozilla_t)
- 	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
-
-	fs_search_auto_mountpoints($1_mozilla_t)
-	fs_list_inotifyfs($1_mozilla_t)
-	fs_rw_tmpfs_files($1_mozilla_t)
-
-	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
-
-	logging_send_syslog_msg($1_mozilla_t)
+	ps_process_pattern($2, mozilla_t)
+	allow $2 mozilla_t:process signal_perms;
 
-	miscfiles_read_fonts($1_mozilla_t)
-	miscfiles_read_localization($1_mozilla_t)
-
-	# Browse the web, connect to printer
-	sysnet_dns_name_resolve($1_mozilla_t)
-	sysnet_read_config($1_mozilla_t)
-
-	userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
-	userdom_manage_user_home_content_files($1, $1_mozilla_t)
-	userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
-	userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
-	userdom_manage_user_tmp_files($1, $1_mozilla_t)
-	userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
-
-	xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
-	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-	xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
-
-	tunable_policy(`allow_execmem',`
-		allow $1_mozilla_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	')
-
-	# Uploads, local html
-	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_nfs_files($1_mozilla_t)
-		fs_read_nfs_symlinks($1_mozilla_t)
-
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_nfs_files($1_mozilla_t)
-		fs_dontaudit_list_nfs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		fs_read_cifs_files($1_mozilla_t)
-		fs_read_cifs_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_read_cifs_files($1_mozilla_t)
-		fs_dontaudit_list_cifs($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content',`
-		userdom_list_user_tmp($1, $1_mozilla_t)
-		userdom_read_user_tmp_files($1, $1_mozilla_t)
-		userdom_read_user_tmp_symlinks($1, $1_mozilla_t)
-		userdom_search_user_home_dirs($1, $1_mozilla_t)
-		userdom_read_user_home_content_files($1, $1_mozilla_t)
-		userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
-
-		ifdef(`enable_mls',`',`
-			fs_search_removable($1_mozilla_t)
-			fs_read_removable_files($1_mozilla_t)
-			fs_read_removable_symlinks($1_mozilla_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		fs_dontaudit_list_removable($1_mozilla_t)
-		fs_dontaudit_read_removable_files($1_mozilla_t)
-		userdom_dontaudit_list_user_tmp($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_default_t',`
-		files_list_default($1_mozilla_t)
-		files_read_default_files($1_mozilla_t)
-		files_read_default_symlinks($1_mozilla_t)
-	',`
-		files_dontaudit_read_default_files($1_mozilla_t)
-		files_dontaudit_list_default($1_mozilla_t)
-	')
-
-	tunable_policy(`mozilla_read_content && read_untrusted_content',`
-		files_list_tmp($1_mozilla_t)
-		files_list_home($1_mozilla_t)
-		userdom_search_user_home_dirs($1, $1_mozilla_t)
-
-		userdom_list_user_untrusted_content($1, $1_mozilla_t)
-		userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t)
-	',`
-		files_dontaudit_list_tmp($1_mozilla_t)
-		files_dontaudit_list_home($1_mozilla_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
-	')
-
-	# Save web pages
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_nfs_dirs($1_mozilla_t)
-		fs_manage_nfs_files($1_mozilla_t)
-		fs_manage_nfs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_nfs_files($1_mozilla_t)
-	')
+	allow $2 mozilla_t:fd use;
+	allow $2 mozilla_t:shm { associate getattr };
+	allow $2 mozilla_t:shm { unix_read unix_write };
+	allow $2 mozilla_t:unix_stream_socket connectto;
 
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mozilla_t)
-
-		fs_search_auto_mountpoints($1_mozilla_t)
-		fs_manage_cifs_dirs($1_mozilla_t)
-		fs_manage_cifs_files($1_mozilla_t)
-		fs_manage_cifs_symlinks($1_mozilla_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
-		fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
-		fs_dontaudit_manage_cifs_files($1_mozilla_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mozilla_t)
-		userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
-		files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file)
-		files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir)
-
-		userdom_manage_user_untrusted_content_files($1, $1_mozilla_t)
-		userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
-		',`
-		files_dontaudit_list_home($1_mozilla_t)
-		files_dontaudit_list_tmp($1_mozilla_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t)
-
-	')
-
-	optional_policy(`
-		apache_read_user_scripts($1, $1_mozilla_t)
-		apache_read_user_content($1, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
-	')
-
-	optional_policy(`
-		cups_read_rw_config($1_mozilla_t)
-		cups_dbus_chat($1_mozilla_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_mozilla, $1_mozilla_t)
-		dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		java_domtrans_user_javaplugin($1, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		lpd_domtrans_user_lpr($1, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
-		mplayer_read_user_home_files($1, $1_mozilla_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mozilla_t)
-	')
-
-	optional_policy(`
-		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
-	')
-
-	ifdef(`TODO',`
-		#NOTE commented out in strict.
-		######### Launch email client, and make webcal links work
-		#ifdef(`evolution.te', `
-		#domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-		#domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-		#')
-
-		# Macros for mozilla/mozilla (or other browser) domains.
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?). 
-
-		# GNOME integration
-		optional_policy(`
-			gnome_application($1_mozilla, $1)
-			gnome_file_dialog($1_mozilla, $1)
-		')
-	')
+	# X access, Home files
+	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
 ')
 
 ########################################
 ## <summary>
-##	Read mozilla per user homedir
+##	Read mozilla home directory content
 ## </summary>
-## <desc>
-##	<p>
-##	Read mozilla per user homedir
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mozilla_read_user_home_files',`
+interface(`mozilla_read_user_home_files',`
 	gen_require(`
-		type $1_mozilla_home_t;
+		type mozilla_home_t;
 	')
 
-	allow $2 $1_mozilla_home_t:dir list_dir_perms;
-	allow $2 $1_mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:dir list_dir_perms;
+	allow $1 mozilla_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	write mozilla per user homedir
+##	Write mozilla home directory content
 ## </summary>
-## <desc>
-##	<p>
-##	Read mozilla per user homedir
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mozilla_write_user_home_files',`
+interface(`mozilla_write_user_home_files',`
 	gen_require(`
-		type $1_mozilla_home_t;
+		type mozilla_home_t;
 	')
 
-	allow $2 $1_mozilla_home_t:dir list_dir_perms;
-	allow $2 $1_mozilla_home_t:file write;
+	allow $1 mozilla_home_t:dir list_dir_perms;
+	allow $1 mozilla_home_t:file write;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Run mozilla in user mozilla domain.
+##	Run mozilla in the mozilla domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run mozilla in mozilla domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mozilla_domtrans_user_mozilla',`
+interface(`mozilla_domtrans',`
 	gen_require(`
-		type $1_mozilla_t, mozilla_exec_t;
+		type mozilla_t, mozilla_exec_t;
 	')
 
-	domtrans_pattern($2, mozilla_exec_t, $1_mozilla_t)
+	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
 ')
 
 ########################################
@@ -506,67 +110,36 @@ template(`mozilla_domtrans_user_mozilla',`
 ##	Send and receive messages from
 ##	mozilla over dbus.
 ## </summary>
-## <desc>
-##	<p>
-##	Send and receive messages from
-##	mozilla over dbus.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mozilla_dbus_chat',`
+interface(`mozilla_dbus_chat',`
 	gen_require(`
-		type $1_mozilla_t;
+		type mozilla_t;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_mozilla_t:dbus send_msg;
-	allow $1_mozilla_t $2:dbus send_msg;
+	allow $1 mozilla_t:dbus send_msg;
+	allow mozilla_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
 ##	read/write mozilla per user tcp_socket
 ## </summary>
-## <desc>
-##	<p>
-##	read/write mozilla per user tcp_socket
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mozilla_rw_user_tcp_sockets',`
+interface(`mozilla_rw_tcp_sockets',`
 	gen_require(`
-		type $1_mozilla_t;
+		type mozilla_t;
 	')
 
-	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
+	allow $1 mozilla_t:tcp_socket rw_socket_perms;
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 5d653b8..55576bc 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
 
-policy_module(mozilla, 1.6.0)
+policy_module(mozilla, 2.0.0)
 
 ########################################
 #
@@ -13,8 +13,255 @@ policy_module(mozilla, 1.6.0)
 ## </desc>
 gen_tunable(mozilla_read_content, false)
 
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+application_domain(mozilla_t, mozilla_exec_t)
+ubac_constrained(mozilla_t)
+
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
-type mozilla_exec_t;
-application_executable_file(mozilla_exec_t)
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+files_poly_member(mozilla_home_t)
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+files_tmpfs_file(mozilla_tmpfs_t)
+ubac_constrained(mozilla_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
+
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
+
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+# Look for plugins 
+corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_all_nodes(mozilla_t)
+corenet_raw_sendrecv_all_nodes(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+
+dev_read_urand(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_etc_files(mozilla_t)
+# /var/lib
+files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+
+# Browse the web, connect to printer
+sysnet_dns_name_resolve(mozilla_t)
+
+userdom_manage_user_home_content_dirs(mozilla_t)
+userdom_manage_user_home_content_files(mozilla_t)
+userdom_manage_user_home_content_symlinks(mozilla_t)
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+userdom_manage_user_tmp_sockets(mozilla_t)
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+tunable_policy(`allow_execmem',`
+	allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mozilla_t)
+	fs_manage_nfs_files(mozilla_t)
+	fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mozilla_t)
+	fs_manage_cifs_files(mozilla_t)
+	fs_manage_cifs_symlinks(mozilla_t)
+')
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(mozilla_t)
+	files_list_home(mozilla_t)
+	fs_read_nfs_files(mozilla_t)
+	fs_read_nfs_symlinks(mozilla_t)
+
+',`
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_auto_mountpoints(mozilla_t)
+	fs_dontaudit_read_nfs_files(mozilla_t)
+	fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+	fs_list_auto_mountpoints(mozilla_t)
+	files_list_home(mozilla_t)
+	fs_read_cifs_files(mozilla_t)
+	fs_read_cifs_symlinks(mozilla_t)
+',`
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_auto_mountpoints(mozilla_t)
+	fs_dontaudit_read_cifs_files(mozilla_t)
+	fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+	userdom_list_user_tmp(mozilla_t)
+	userdom_read_user_tmp_files(mozilla_t)
+	userdom_read_user_tmp_symlinks(mozilla_t)
+	userdom_read_user_home_content_files(mozilla_t)
+	userdom_read_user_home_content_symlinks(mozilla_t)
+
+	ifdef(`enable_mls',`',`
+		fs_search_removable(mozilla_t)
+		fs_read_removable_files(mozilla_t)
+		fs_read_removable_symlinks(mozilla_t)
+	')
+',`
+	files_dontaudit_list_tmp(mozilla_t)
+	files_dontaudit_list_home(mozilla_t)
+	fs_dontaudit_list_removable(mozilla_t)
+	fs_dontaudit_read_removable_files(mozilla_t)
+	userdom_dontaudit_list_user_tmp(mozilla_t)
+	userdom_dontaudit_read_user_tmp_files(mozilla_t)
+	userdom_dontaudit_list_user_home_dirs(mozilla_t)
+	userdom_dontaudit_read_user_home_content_files(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && read_default_t',`
+	files_list_default(mozilla_t)
+	files_read_default_files(mozilla_t)
+	files_read_default_symlinks(mozilla_t)
+',`
+	files_dontaudit_read_default_files(mozilla_t)
+	files_dontaudit_list_default(mozilla_t)
+')
+
+optional_policy(`
+	apache_read_user_scripts(mozilla_t)
+	apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+	automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+	cups_read_rw_config(mozilla_t)
+	cups_dbus_chat(mozilla_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(mozilla_t)
+	dbus_session_bus_client(mozilla_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(mozilla_t)
+')
+
+optional_policy(`
+	java_domtrans(mozilla_t)
+')
+
+optional_policy(`
+	lpd_domtrans_lpr(mozilla_t)
+')
+
+optional_policy(`
+	mplayer_domtrans(mozilla_t)
+	mplayer_read_user_home_files(mozilla_t)
+')
+
+optional_policy(`
+	nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+	thunderbird_domtrans(mozilla_t)
+')
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
index ffef8be..ab54284 100644
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -10,4 +10,4 @@
 /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
 /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
 
-HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:mplayer_home_t,s0)
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 664a3e9..8944655 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -1,503 +1,85 @@
 ## <summary>Mplayer media player and encoder</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the mplayer module.
+##	Role access for mplayer
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for mplayer media player.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`mplayer_per_role_template',`
+interface(`mplayer_role',`
 	gen_require(`
-		type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t;
+		type mencoder_t, mencoder_exec_t;
+		type mplayer_t, mplayer_exec_t;
+		type mplayer_home_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_mencoder_t;
-	application_domain($1_mencoder_t, mencoder_exec_t)
-	role $3 types $1_mencoder_t;
-
-	type $1_mplayer_t;
-	application_domain($1_mplayer_t, mplayer_exec_t)
-	role $3 types $1_mplayer_t;
-
-	type $1_mplayer_home_t alias $1_mplayer_rw_t;
-	files_poly_member($1_mplayer_home_t)
-	userdom_user_home_content($1,$1_mplayer_home_t)
-
-	type $1_mplayer_tmpfs_t;
-	files_tmpfs_file($1_mplayer_tmpfs_t)
-
-	########################################
-	#
-	# mencoder local policy
-	#
-
-	manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-
-	# Read global config
-	allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
-	read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
-	read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
+	role $1 types { mencoder_t mplayer_t };
 
 	# domain transition
-	domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
+	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2,$1_mencoder_t)
-	allow $2 $1_mencoder_t:process signal_perms;
-
-	# Read /proc files and directories
-	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-	kernel_read_system_state($1_mencoder_t)
-	# Sysctl on kernel version 
-	kernel_read_kernel_sysctls($1_mencoder_t)
-
-	# Required for win32 binary loader 
-	dev_rwx_zero($1_mencoder_t)
-	# Access to DVD/CD/V4L
-	dev_read_video_dev($1_mencoder_t)
-
-	# Read data in /usr/share (fonts, icons..)
-	files_read_usr_files($1_mencoder_t)
-	files_read_usr_symlinks($1_mencoder_t)
-
-	fs_search_auto_mountpoints($1_mencoder_t)
-
-	# Access to DVD/CD/V4L
-	storage_raw_read_removable_device($1_mencoder_t)
-
-	miscfiles_read_localization($1_mencoder_t)
-
-	userdom_use_user_terminals($1,$1_mencoder_t)
-	# Handle removable media, /tmp, and /home
-	userdom_list_user_tmp($1,$1_mencoder_t)
-	userdom_read_user_tmp_files($1,$1_mencoder_t)
-	userdom_read_user_tmp_symlinks($1,$1_mencoder_t)
-	userdom_read_user_home_content_files($1,$1_mencoder_t)
-	userdom_read_user_home_content_symlinks($1,$1_mencoder_t)
-
-	# Read content to encode
-	ifdef(`enable_mls',`',`
-		fs_search_removable($1_mencoder_t)
-		fs_read_removable_files($1_mencoder_t)
-		fs_read_removable_symlinks($1_mencoder_t)
-	')
-
-	tunable_policy(`allow_execmem',`
-		allow $1_mencoder_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmod',`
-		dev_execmod_zero($1_mencoder_t)
-	')
-
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mencoder_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mencoder_t)
-		fs_manage_nfs_files($1_mencoder_t)
-		fs_manage_nfs_symlinks($1_mencoder_t)
-
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mencoder_t)
-		fs_manage_cifs_files($1_mencoder_t)
-		fs_manage_cifs_symlinks($1_mencoder_t)
-
-	')
-
-	# Read content to encode
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-		fs_read_nfs_files($1_mencoder_t)
-		fs_read_nfs_symlinks($1_mencoder_t)
-
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_read_nfs_files($1_mencoder_t)
-		fs_dontaudit_list_nfs($1_mencoder_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-		fs_read_cifs_files($1_mencoder_t)
-		fs_read_cifs_symlinks($1_mencoder_t)
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_read_cifs_files($1_mencoder_t)
-		fs_dontaudit_list_cifs($1_mencoder_t)
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_mencoder_t)
-		files_read_default_files($1_mencoder_t)
-		files_read_default_symlinks($1_mencoder_t)
-	',`
-		files_dontaudit_read_default_files($1_mencoder_t)
-		files_dontaudit_list_default($1_mencoder_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		files_list_tmp($1_mencoder_t)
-		files_list_home($1_mencoder_t)
-
-		userdom_list_user_untrusted_content($1, $1_mencoder_t)
-		userdom_read_user_untrusted_content_files($1, $1_mencoder_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_mencoder_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mencoder_t)
-	',`
-		files_dontaudit_list_tmp($1_mencoder_t)
-		files_dontaudit_list_home($1_mencoder_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_mencoder_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_mencoder_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mencoder_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
-	')
-
-	# Save encoded files
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_mencoder_t)
-
-		fs_search_auto_mountpoints($1_mencoder_t)
-		fs_manage_nfs_dirs($1_mencoder_t)
-		fs_manage_nfs_files($1_mencoder_t)
-		fs_manage_nfs_symlinks($1_mencoder_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_manage_nfs_dirs($1_mencoder_t)
-		fs_dontaudit_manage_nfs_files($1_mencoder_t)
-	')
-
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_mencoder_t)
-
-		fs_search_auto_mountpoints($1_mencoder_t)
-		fs_manage_cifs_dirs($1_mencoder_t)
-		fs_manage_cifs_files($1_mencoder_t)
-		fs_manage_cifs_symlinks($1_mencoder_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
-		fs_dontaudit_manage_cifs_dirs($1_mencoder_t)
-		fs_dontaudit_manage_cifs_files($1_mencoder_t)
-	')
-
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_mencoder_t)
-		files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t, file)
-		files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t ,dir)
-
-		userdom_manage_user_untrusted_content_dirs($1, $1_mencoder_t)
-		userdom_manage_user_untrusted_content_files($1, $1_mencoder_t)
-	',`
-		files_dontaudit_list_home($1_mencoder_t)
-		files_dontaudit_list_tmp($1_mencoder_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
-		userdom_dontaudit_manage_user_tmp_files($1, $1_mencoder_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1, $1_mencoder_t)
-	')
-
-	########################################
-	#
-	# mplayer local policy
-	#
-
-	allow $1_mplayer_t self:process { signal_perms getsched };
-	allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
- 	allow $1_mplayer_t self:sem create_sem_perms;
-
-	manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
-	userdom_search_user_home_dirs($1, $1_mplayer_t)
-
-	manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
-	manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
-	manage_fifo_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
-	manage_sock_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
-	fs_tmpfs_filetrans($1_mplayer_t, $1_mplayer_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	# Read global config
-	allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
-	read_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
-	read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
+	ps_process_pattern($2, mencoder_t)
+	allow $2 mencoder_t:process signal_perms;
 
 	# Home access
-	manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
-	relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+	manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+	manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+	relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
 
 	# domain transition
-	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
+	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2,$1_mplayer_t)
-	allow $2 $1_mplayer_t:process signal_perms;
-
-	kernel_dontaudit_list_unlabeled($1_mplayer_t)
-	kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t)
-	kernel_dontaudit_read_unlabeled_files($1_mplayer_t)
-	# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-	kernel_read_system_state($1_mplayer_t)
-	# Sysctl on kernel version 
-	kernel_read_kernel_sysctls($1_mplayer_t)
-
-	# Run bash/sed (??) 
-	corecmd_exec_bin($1_mplayer_t)
-	corecmd_exec_shell($1_mplayer_t)
-
-	# Required for win32 binary loader 
-	dev_rwx_zero($1_mplayer_t)
-	# Access to DVD/CD/V4L
-	dev_read_video_dev($1_mplayer_t)
-	# Audio, alsa.conf
-	dev_read_sound_mixer($1_mplayer_t)
-	dev_write_sound_mixer($1_mplayer_t)
-	# RTC clock 
-	dev_read_realtime_clock($1_mplayer_t)
-
-	# Access to DVD/CD/V4L
-	storage_raw_read_removable_device($1_mplayer_t)
-
-	files_read_etc_files($1_mplayer_t)
-	files_dontaudit_list_non_security($1_mplayer_t)
-	files_dontaudit_getattr_non_security_files($1_mplayer_t)
-	files_read_non_security_files($1_mplayer_t)
-	# Unfortunately the ancient file dialog starts in /
-	files_list_home($1_mplayer_t)
-	# Read /etc/mtab
-	files_read_etc_runtime_files($1_mplayer_t)
-	# Read data in /usr/share (fonts, icons..)
-	files_read_usr_files($1_mplayer_t)
-	files_read_usr_symlinks($1_mplayer_t)
-
-	fs_dontaudit_getattr_all_fs($1_mplayer_t)
-	fs_search_auto_mountpoints($1_mplayer_t)
-	fs_list_inotifyfs($1_mplayer_t)
-
-	miscfiles_read_localization($1_mplayer_t)
-	miscfiles_read_fonts($1_mplayer_t)
-
-	userdom_use_user_terminals($1, $1_mplayer_t)
-	# Read media files
-	userdom_list_user_tmp($1, $1_mplayer_t)
-	userdom_read_user_tmp_files($1, $1_mplayer_t)
-	userdom_read_user_tmp_symlinks($1, $1_mplayer_t)
-	userdom_read_user_home_content_files($1, $1_mplayer_t)
-	userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
-
-	xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
-
-	# Read songs
-	ifdef(`enable_mls',`',`
-		fs_search_removable($1_mplayer_t)
-		fs_read_removable_files($1_mplayer_t)
-		fs_read_removable_symlinks($1_mplayer_t)
-	')
-
-	tunable_policy(`allow_execmem',`
-		allow $1_mplayer_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmod',`
-		dev_execmod_zero($1_mplayer_t)
-	')
-
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mplayer_t self:process { execmem execstack };
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_mplayer_t)
-		fs_manage_nfs_files($1_mplayer_t)
-		fs_manage_nfs_symlinks($1_mplayer_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_mplayer_t)
-		fs_manage_cifs_files($1_mplayer_t)
-		fs_manage_cifs_symlinks($1_mplayer_t)
-	')
-
-	# Legacy domain issues
-	tunable_policy(`allow_mplayer_execstack',`
-		allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-	')
-
-	# Read songs
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_auto_mountpoints($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-		fs_read_nfs_files($1_mplayer_t)
-		fs_read_nfs_symlinks($1_mplayer_t)
-
-	',`
-		files_dontaudit_list_home($1_mplayer_t)
-		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
-		fs_dontaudit_read_nfs_files($1_mplayer_t)
-		fs_dontaudit_list_nfs($1_mplayer_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_list_auto_mountpoints($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-		fs_read_cifs_files($1_mplayer_t)
-		fs_read_cifs_symlinks($1_mplayer_t)
-	',`
-		files_dontaudit_list_home($1_mplayer_t)
-		fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
-		fs_dontaudit_read_cifs_files($1_mplayer_t)
-		fs_dontaudit_list_cifs($1_mplayer_t)
-	')
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_mplayer_t)
-		files_read_default_files($1_mplayer_t)
-		files_read_default_symlinks($1_mplayer_t)
-	',`
-		files_dontaudit_read_default_files($1_mplayer_t)
-		files_dontaudit_list_default($1_mplayer_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		files_list_tmp($1_mplayer_t)
-		files_list_home($1_mplayer_t)
-
-		userdom_list_user_untrusted_content($1, $1_mplayer_t)
-		userdom_read_user_untrusted_content_files($1, $1_mplayer_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_mplayer_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mplayer_t)
-	',`
-		files_dontaudit_list_tmp($1_mplayer_t)
-		files_dontaudit_list_home($1_mplayer_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_mplayer_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_mplayer_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_mplayer_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mplayer_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
-	')
-
-	optional_policy(`
-		alsa_read_rw_config($1_mplayer_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_mplayer_t)
-	')
+	ps_process_pattern($2, mplayer_t)
+	allow $2 mplayer_t:process signal_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Run mplayer in mplayer domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run mplayer in mplayer domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mplayer_domtrans_user_mplayer',`
+interface(`mplayer_domtrans',`
 	gen_require(`
-		type $1_mplayer_t, mplayer_exec_t;
+		type mplayer_t, mplayer_exec_t;
 	')
 
-	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
+	domtrans_pattern($1, mplayer_exec_t, mplayer_t)
 ')
 
 ########################################
 ## <summary>
 ##	Read mplayer per user homedir
 ## </summary>
-## <desc>
-##	<p>
-##	Read mplayer per user homedir
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`mplayer_read_user_home_files',`
+interface(`mplayer_read_user_home_files',`
 	gen_require(`
-		type $1_mplayer_home_t;
+		type mplayer_home_t;
 	')
 
-	read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+	read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+	userdom_search_user_home_dirs($1)
 ')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 94fa547..83c177c 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
 
-policy_module(mplayer, 1.5.0)
+policy_module(mplayer, 2.0.0)
 
 ########################################
 #
@@ -13,12 +13,300 @@ policy_module(mplayer, 1.5.0)
 ## </desc>
 gen_tunable(allow_mplayer_execstack, false)
 
+type mencoder_t;
 type mencoder_exec_t;
-application_executable_file(mencoder_exec_t)
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+application_domain(mencoder_t, mencoder_exec_t)
+ubac_constrained(mencoder_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+application_domain(mplayer_t, mplayer_exec_t)
+ubac_constrained(mplayer_t)
 
 type mplayer_etc_t;
 files_config_file(mplayer_etc_t)
 
-type mplayer_exec_t;
-corecmd_executable_file(mplayer_exec_t)
-application_executable_file(mplayer_exec_t)
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+files_poly_member(mplayer_home_t)
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+files_tmpfs_file(mplayer_tmpfs_t)
+ubac_constrained(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version 
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader 
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+	fs_search_removable(mencoder_t)
+	fs_read_removable_files(mencoder_t)
+	fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+	dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+	allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mencoder_t)
+	fs_manage_nfs_files(mencoder_t)
+	fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mencoder_t)
+	fs_manage_cifs_files(mencoder_t)
+	fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(mencoder_t)
+	files_list_home(mencoder_t)
+	fs_read_nfs_files(mencoder_t)
+	fs_read_nfs_symlinks(mencoder_t)
+
+',`
+	files_dontaudit_list_home(mencoder_t)
+	fs_dontaudit_list_auto_mountpoints(mencoder_t)
+	fs_dontaudit_read_nfs_files(mencoder_t)
+	fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_list_auto_mountpoints(mencoder_t)
+	files_list_home(mencoder_t)
+	fs_read_cifs_files(mencoder_t)
+	fs_read_cifs_symlinks(mencoder_t)
+',`
+	files_dontaudit_list_home(mencoder_t)
+	fs_dontaudit_list_auto_mountpoints(mencoder_t)
+	fs_dontaudit_read_cifs_files(mencoder_t)
+	fs_dontaudit_list_cifs(mencoder_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(mencoder_t)
+	files_read_default_files(mencoder_t)
+	files_read_default_symlinks(mencoder_t)
+',`
+	files_dontaudit_read_default_files(mencoder_t)
+	files_dontaudit_list_default(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_search_user_home_dirs(mplayer_t)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version 
+kernel_read_kernel_sysctls(mplayer_t)
+
+# Run bash/sed (??) 
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+# Required for win32 binary loader 
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock 
+dev_read_realtime_clock(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+	fs_search_removable(mplayer_t)
+	fs_read_removable_files(mplayer_t)
+	fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+	dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+	allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(mplayer_t)
+	fs_manage_nfs_files(mplayer_t)
+	fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(mplayer_t)
+	fs_manage_cifs_files(mplayer_t)
+	fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+	allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_dirs',`
+	fs_list_auto_mountpoints(mplayer_t)
+	files_list_home(mplayer_t)
+	fs_read_nfs_files(mplayer_t)
+	fs_read_nfs_symlinks(mplayer_t)
+
+',`
+	files_dontaudit_list_home(mplayer_t)
+	fs_dontaudit_list_auto_mountpoints(mplayer_t)
+	fs_dontaudit_read_nfs_files(mplayer_t)
+	fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_list_auto_mountpoints(mplayer_t)
+	files_list_home(mplayer_t)
+	fs_read_cifs_files(mplayer_t)
+	fs_read_cifs_symlinks(mplayer_t)
+',`
+	files_dontaudit_list_home(mplayer_t)
+	fs_dontaudit_list_auto_mountpoints(mplayer_t)
+	fs_dontaudit_read_cifs_files(mplayer_t)
+	fs_dontaudit_list_cifs(mplayer_t)
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(mplayer_t)
+	files_read_default_files(mplayer_t)
+	files_read_default_symlinks(mplayer_t)
+',`
+	files_dontaudit_read_default_files(mplayer_t)
+	files_dontaudit_list_default(mplayer_t)
+')
+
+optional_policy(`
+	alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+	nscd_socket_use(mplayer_t)
+')
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 08b504b..802461d 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -1,5 +1,5 @@
 
-policy_module(podsleuth, 1.0.0)
+policy_module(podsleuth, 1.0.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@ files_read_etc_files(podsleuth_t)
 
 miscfiles_read_localization(podsleuth_t)
 
-dbus_system_bus_client_template(podsleuth, podsleuth_t)
+dbus_system_bus_client(podsleuth_t)
 
 mono_exec(podsleuth_t)
 
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index aff0165..c010a01 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -32,11 +32,6 @@ interface(`qemu_domtrans',`
 ##	The role to allow the qemu domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the qemu domain to use.
-##	</summary>
-## </param>
 #
 interface(`qemu_run',`
 	gen_require(`
@@ -45,7 +40,6 @@ interface(`qemu_run',`
 
 	qemu_domtrans($1)
 	role $2 types qemu_t;
-	allow qemu_t $3:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -195,6 +189,8 @@ template(`qemu_domain_template',`
 
 	sysnet_read_config($1_t)
 
+	userdom_use_user_terminals($1_t)
+
 #	optional_policy(`
 #		samba_domtrans_smb($1_t)
 #	')
@@ -206,7 +202,7 @@ template(`qemu_domain_template',`
 	')
 
 	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_t)
+		xserver_stream_connect($1_t)
 		xserver_read_xdm_tmp_files($1_t)
 		xserver_read_xdm_pid($1_t)
 #		xserver_xdm_rw_shm($1_t)
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index d341aab..fa023cd 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,5 +1,5 @@
 
-policy_module(qemu, 1.0.0)
+policy_module(qemu, 1.0.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index d0129a8..3870eda 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -1,104 +1,30 @@
 ## <summary>Restricted (scp/sftp) only shell</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the rssh module.
+##	Role access for rssh
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for rssh client sessions.  Derived types are also created
-##	for read-only and read-write file access.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`rssh_per_role_template',`
+interface(`rssh_role',`
 	gen_require(`
-		type rssh_exec_t;
-		attribute rssh_domain_type;
-		attribute rssh_ro_content_type;
+		type rssh_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
-	application_domain($1_rssh_t, rssh_exec_t)
-	domain_user_exemption_target($1_t)
-	domain_interactive_fd($1_rssh_t)
-	role system_r types $1_rssh_t;
-
-	type $1_rssh_devpts_t alias rssh_$1_devpts_t;
-	term_user_pty($1_rssh_t,$1_rssh_devpts_t)
-
-	type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
-	userdom_user_home_content($1,$1_rssh_ro_t)
-
-	type $1_rssh_rw_t alias rssh_$1_rw_t;
-	userdom_user_home_content($1, $1_rssh_rw_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_rssh_t self:fd use;
-	allow $1_rssh_t self:fifo_file rw_fifo_file_perms;
-	allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
-	allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_rssh_t self:unix_dgram_socket sendto;
-	allow $1_rssh_t self:unix_stream_socket connectto;
-	allow $1_rssh_t self:shm create_shm_perms;
-	allow $1_rssh_t self:sem create_sem_perms;
-	allow $1_rssh_t self:msgq create_msgq_perms;
-	allow $1_rssh_t self:msg { send receive };
+	role $1 types rssh_t;
 
-	allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
-	term_create_pty($1_rssh_t, $1_rssh_devpts_t)
-
-	allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
-	read_files_pattern($1_rssh_t, $1_rssh_ro_t, $1_rssh_ro_t)
-
-	manage_dirs_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t)
-	manage_files_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t)
-
-	kernel_read_system_state($1_rssh_t)
-	kernel_read_kernel_sysctls($1_rssh_t)
-
-	files_read_etc_files($1_rssh_t)
-	files_read_etc_runtime_files($1_rssh_t)
-	files_list_home($1_rssh_t)
-	files_read_usr_files($1_rssh_t)
-	files_list_var($1_rssh_t)
-
-	fs_search_auto_mountpoints($1_rssh_t)
-
-	logging_send_syslog_msg($1_rssh_t)
-
-	miscfiles_read_localization($1_rssh_t)
-
-	userdom_use_unpriv_users_fds($1_rssh_t)
-
-	ssh_rw_tcp_sockets($1_rssh_t)
-	ssh_rw_stream_sockets($1_rssh_t)
-
-	optional_policy(`
-		nis_use_ypbind($1_rssh_t)
-	')
+	# allow ps to show irc
+	ps_process_pattern($2, rssh_t)
+	allow $2 rssh_t:process signal;
 ')
 
 ########################################
@@ -111,13 +37,12 @@ template(`rssh_per_role_template',`
 ##	</summary>
 ## </param>
 #
-interface(`rssh_spec_domtrans_all_users',`
+interface(`rssh_spec_domtrans',`
 	gen_require(`
-		attribute rssh_domain_type;
-		type rssh_exec_t;
+		type rssh_t, rssh_exec_t;
 	')
 
-	spec_domtrans_pattern($1, rssh_exec_t, rssh_domain_type)
+	spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
 ')
 
 ########################################
@@ -130,12 +55,12 @@ interface(`rssh_spec_domtrans_all_users',`
 ##	</summary>
 ## </param>
 #
-interface(`rssh_read_all_users_ro_content',`
+interface(`rssh_read_ro_content',`
 	gen_require(`
-		attribute rssh_ro_content_type;
+		type rssh_ro_t;
 	')
 
-	allow $1 rssh_ro_content_type:dir list_dir_perms;
-	read_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type)
-	read_lnk_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type)
+	allow $1 rssh_ro_t:dir list_dir_perms;
+	read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+	read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
 ')
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
index 92ba29f..7f357d2 100644
--- a/policy/modules/apps/rssh.te
+++ b/policy/modules/apps/rssh.te
@@ -1,13 +1,81 @@
 
-policy_module(rssh, 1.1.0)
+policy_module(rssh, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-attribute rssh_domain_type;
-attribute rssh_ro_content_type;
-
+type rssh_t;
 type rssh_exec_t;
-application_executable_file(rssh_exec_t)
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+ubac_constrained(rssh_t)
+role system_r types rssh_t;
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t;
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t;
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket create_socket_perms;
+allow rssh_t self:unix_stream_socket create_stream_socket_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket connectto;
+allow rssh_t self:shm create_shm_perms;
+allow rssh_t self:sem create_sem_perms;
+allow rssh_t self:msgq create_msgq_perms;
+allow rssh_t self:msg { send receive };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+	nis_use_ypbind(rssh_t)
+')
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index 92211c9..b020416 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -1,7 +1,7 @@
 #
 # /home
 #
-HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:screen_home_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 2c949a3..2e1ab41 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -2,39 +2,29 @@
 
 #######################################
 ## <summary>
-##	The per role template for the screen module.
+##	The role template for the screen module.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for screen sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_role">
 ##	<summary>
-##	The type of the user domain.
+##	The role associated with the user domain.
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`screen_per_role_template',`
+template(`screen_role_template',`
 	gen_require(`
-		type screen_dir_t, screen_exec_t;
+		type screen_dir_t, screen_exec_t, screen_tmp_t;
+		type screen_home_t, screen_var_run_t;
 	')
 
 	########################################
@@ -45,16 +35,8 @@ template(`screen_per_role_template',`
 	type $1_screen_t;
 	application_domain($1_screen_t, screen_exec_t)
 	domain_interactive_fd($1_screen_t)
-	role $3 types $1_screen_t;
-
-	type $1_screen_tmp_t;
-	files_tmp_file($1_screen_tmp_t)
-
-	type $1_screen_ro_home_t;
-	files_type($1_screen_ro_home_t)
-
-	type $1_screen_var_run_t;
-	files_pid_file($1_screen_var_run_t)
+	ubac_constrained($1_screen_t)
+	role $2 types $1_screen_t;
 
 	########################################
 	#
@@ -70,33 +52,33 @@ template(`screen_per_role_template',`
 	allow $1_screen_t self:unix_stream_socket create_socket_perms;
 	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
 
-	manage_dirs_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
-	manage_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
-	manage_fifo_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
-	files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
+	manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+	manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+	manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+	files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
 
 	# Create fifo
-	manage_fifo_files_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t)
+	manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
-	filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
+	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
 
-	allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
-	read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
+	allow $1_screen_t screen_home_t:dir list_dir_perms;
+	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+	read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
 
-	allow $1_screen_t $2:process signal;
+	allow $1_screen_t $3:process signal;
 
-	domtrans_pattern($2, screen_exec_t, $1_screen_t)
-	allow $2 $1_screen_t:process signal;
-	allow $1_screen_t $2:process signal;
+	domtrans_pattern($3, screen_exec_t, $1_screen_t)
+	allow $3 $1_screen_t:process signal;
+	allow $1_screen_t $3:process signal;
 
-	manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
-	relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+	manage_dirs_pattern($3, screen_home_t, screen_home_t)
+	manage_files_pattern($3, screen_home_t, screen_home_t)
+	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+	relabel_dirs_pattern($3, screen_home_t,  screen_home_t)
+	relabel_files_pattern($3, screen_home_t, screen_home_t)
+	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
 
 	kernel_read_system_state($1_screen_t)
 	kernel_read_kernel_sysctls($1_screen_t)
@@ -107,8 +89,8 @@ template(`screen_per_role_template',`
 	corecmd_read_bin_pipes($1_screen_t)
 	corecmd_read_bin_sockets($1_screen_t)
 	# Revert to the user domain when a shell is executed.
-	corecmd_shell_domtrans($1_screen_t,$2)
-	corecmd_bin_domtrans($1_screen_t,$2)
+	corecmd_shell_domtrans($1_screen_t, $3)
+	corecmd_bin_domtrans($1_screen_t, $3)
 
 	corenet_all_recvfrom_unlabeled($1_screen_t)
 	corenet_all_recvfrom_netlabel($1_screen_t)
@@ -150,10 +132,10 @@ template(`screen_per_role_template',`
 
 	sysnet_read_config($1_screen_t)
 
-	userdom_use_user_terminals($1, $1_screen_t)
-	userdom_create_user_pty($1, $1_screen_t)
-	userdom_user_home_domtrans($1, $1_screen_t, $2)
-	userdom_setattr_user_ptys($1, $1_screen_t)
+	userdom_use_user_terminals($1_screen_t)
+	userdom_create_user_pty($1_screen_t)
+	userdom_user_home_domtrans($1_screen_t, $3)
+	userdom_setattr_user_ptys($1_screen_t)
 
 	tunable_policy(`read_default_t',`
 		files_list_default($1_screen_t)
@@ -164,13 +146,13 @@ template(`screen_per_role_template',`
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		fs_cifs_domtrans($1_screen_t, $2)
+		fs_cifs_domtrans($1_screen_t, $3)
 		fs_read_cifs_symlinks($1_screen_t)
 		fs_list_cifs($1_screen_t)
 	')
 
 	tunable_policy(`use_nfs_home_dirs',`
-		fs_nfs_domtrans($1_screen_t, $2)
+		fs_nfs_domtrans($1_screen_t, $3)
 		fs_list_nfs($1_screen_t)
 		fs_read_nfs_symlinks($1_screen_t)
 	')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 5ad00a1..554eebe 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
 
-policy_module(screen, 1.4.0)
+policy_module(screen, 2.0.0)
 
 ########################################
 #
@@ -11,3 +11,20 @@ files_pid_file(screen_dir_t)
 
 type screen_exec_t;
 application_executable_file(screen_exec_t)
+
+type screen_home_t;
+typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
+typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+files_tmp_file(screen_tmp_t)
+ubac_constrained(screen_tmp_t)
+
+type screen_var_run_t;
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t };
+files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
index 2b6c006..fb43a7b 100644
--- a/policy/modules/apps/thunderbird.fc
+++ b/policy/modules/apps/thunderbird.fc
@@ -3,4 +3,4 @@
 #
 /usr/bin/thunderbird.*			--	gen_context(system_u:object_r:thunderbird_exec_t,s0)
 
-HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:thunderbird_home_t,s0)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index d9d5af8..c2cc18d 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -1,383 +1,63 @@
 ## <summary>Thunderbird email client</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the thunderbird module.
+##	Role access for thunderbird
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is used
-##	for the thunderbird email client.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`thunderbird_per_role_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_thunderbird_t;
-	application_domain($1_thunderbird_t, thunderbird_exec_t)
-	role $3 types $1_thunderbird_t;
-
-	type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
-	files_poly_member($1_thunderbird_home_t)
-	userdom_user_home_content($1, $1_thunderbird_home_t)
-
-	type $1_thunderbird_tmpfs_t;
-	files_tmpfs_file($1_thunderbird_tmpfs_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_thunderbird_t self:capability sys_nice;
-	allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
-	allow $1_thunderbird_t self:fifo_file { ioctl read write getattr };
-	allow $1_thunderbird_t self:unix_dgram_socket { create connect };
-	allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
-	allow $1_thunderbird_t self:tcp_socket create_socket_perms;
-	allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
-
-	# Access ~/.thunderbird
-	manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	userdom_search_user_home_dirs($1, $1_thunderbird_t)
-
-	manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
-	manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
-	manage_fifo_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
-	manage_sock_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
-	fs_tmpfs_filetrans($1_thunderbird_t, $1_thunderbird_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-	allow $2 $1_thunderbird_t:fd use;
-	allow $2 $1_thunderbird_t:shm { associate getattr };
-	allow $2 $1_thunderbird_t:unix_stream_socket connectto;
-	allow $1_thunderbird_t $2:fd use;
-	allow $1_thunderbird_t $2:process sigchld;
-	allow $1_thunderbird_t $2:unix_stream_socket connectto;
-
-	# Allow the user domain to signal/ps.
-	ps_process_pattern($2,$1_thunderbird_t)
-
-	# Access ~/.thunderbird
-	manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
-	relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-	relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
-	# Allow netstat
-	kernel_read_network_state($1_thunderbird_t)
-	kernel_read_net_sysctls($1_thunderbird_t)
-	kernel_read_system_state($1_thunderbird_t)
-
-	# Startup shellscript
-	corecmd_exec_shell($1_thunderbird_t)
-
-	corenet_all_recvfrom_unlabeled($1_thunderbird_t)
-	corenet_all_recvfrom_netlabel($1_thunderbird_t)
-	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
-	corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
-	corenet_tcp_sendrecv_http_port($1_thunderbird_t)
-	corenet_tcp_connect_ipp_port($1_thunderbird_t)
-	corenet_tcp_connect_ldap_port($1_thunderbird_t)
-	corenet_tcp_connect_innd_port($1_thunderbird_t)
-	corenet_tcp_connect_smtp_port($1_thunderbird_t)
-	corenet_tcp_connect_pop_port($1_thunderbird_t)
-	corenet_tcp_connect_http_port($1_thunderbird_t)
-	corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
-	corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
-	corenet_sendrecv_innd_client_packets($1_thunderbird_t)
-	corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
-	corenet_sendrecv_pop_client_packets($1_thunderbird_t)
-	corenet_sendrecv_http_client_packets($1_thunderbird_t)
-
- 	dev_read_urand($1_thunderbird_t)
-	dev_dontaudit_search_sysfs($1_thunderbird_t)
-
-	files_list_tmp($1_thunderbird_t)
-	files_read_usr_files($1_thunderbird_t)
-	files_read_etc_files($1_thunderbird_t)
-	files_read_etc_runtime_files($1_thunderbird_t)
-	files_read_var_files($1_thunderbird_t)
-	files_read_var_symlinks($1_thunderbird_t)
-	files_dontaudit_getattr_all_tmp_files($1_thunderbird_t)
-	files_dontaudit_getattr_boot_dirs($1_thunderbird_t)
-	files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t)
-	files_dontaudit_search_mnt($1_thunderbird_t)
-
-	fs_getattr_xattr_fs($1_thunderbird_t)
-	fs_list_inotifyfs($1_thunderbird_t)
-	# Access ~/.thunderbird
-	fs_search_auto_mountpoints($1_thunderbird_t)
-
-	auth_use_nsswitch($1_thunderbird_t)
-
-	miscfiles_read_fonts($1_thunderbird_t)
-	miscfiles_read_localization($1_thunderbird_t)
-
-	userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)
-	userdom_read_user_tmp_files($1, $1_thunderbird_t)
-	userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
-	userdom_manage_user_tmp_sockets($1, $1_thunderbird_t)
-	# .kde/....gtkrc
-	userdom_read_user_home_content_files($1, $1_thunderbird_t)
-
-	xserver_user_x_domain_template($1, $1_thunderbird, $1_thunderbird_t, $1_thunderbird_tmpfs_t)
-	xserver_read_xdm_tmp_files($1_thunderbird_t)
-	xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
-
-	# Access ~/.thunderbird
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_thunderbird_t)
-		fs_manage_nfs_files($1_thunderbird_t)
-		fs_manage_nfs_symlinks($1_thunderbird_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_thunderbird_t)
-		fs_manage_cifs_files($1_thunderbird_t)
-		fs_manage_cifs_symlinks($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && use_nfs_home_dirs',`
-		files_list_home($1_thunderbird_t)
-
-		fs_list_auto_mountpoints($1_thunderbird_t)
-		fs_read_nfs_files($1_thunderbird_t)
-		fs_read_nfs_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_list_nfs($1_thunderbird_t)
-		fs_dontaudit_read_nfs_files($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && use_samba_home_dirs',`
-		files_list_home($1_thunderbird_t)
-
-		fs_list_auto_mountpoints($1_thunderbird_t)
-		fs_read_cifs_files($1_thunderbird_t)
-		fs_read_cifs_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_read_cifs_files($1_thunderbird_t)
-		fs_dontaudit_list_cifs($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content',`
-		userdom_list_user_tmp($1, $1_thunderbird_t)
-		userdom_read_user_tmp_files($1, $1_thunderbird_t)
-		userdom_read_user_tmp_symlinks($1, $1_thunderbird_t)
-		userdom_search_user_home_dirs($1, $1_thunderbird_t)
-		userdom_read_user_home_content_files($1, $1_thunderbird_t)
-
-		ifndef(`enable_mls',`
-			fs_search_removable($1_thunderbird_t)
-			fs_read_removable_files($1_thunderbird_t)
-			fs_read_removable_symlinks($1_thunderbird_t)
-		')
-	',`
-		files_dontaudit_list_tmp($1_thunderbird_t)
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		fs_dontaudit_list_removable($1_thunderbird_t)
-		fs_dontaudit_read_removable_files($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_tmp($1, $1_thunderbird_t)
-		userdom_dontaudit_read_user_tmp_files($1, $1_thunderbird_t)
-		userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
-		userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && read_default_t',`
-		files_list_default($1_thunderbird_t)
-		files_read_default_files($1_thunderbird_t)
-		files_read_default_symlinks($1_thunderbird_t)
-	',`
-		files_dontaudit_read_default_files($1_thunderbird_t)
-		files_dontaudit_list_default($1_thunderbird_t)
-	')
-
-	tunable_policy(`mail_read_content && read_untrusted_content',`
-		files_list_tmp($1_thunderbird_t)
-		files_list_home($1_thunderbird_t)
-
-		userdom_search_user_home_dirs($1, $1_thunderbird_t)
-		userdom_list_user_untrusted_content($1, $1_thunderbird_t)
-		userdom_read_user_untrusted_content_files($1, $1_thunderbird_t)
-		userdom_read_user_untrusted_content_symlinks($1, $1_thunderbird_t)
-		userdom_list_user_tmp_untrusted_content($1, $1_thunderbird_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t)
-		userdom_read_user_tmp_untrusted_content_symlinks($1, $1_thunderbird_t)
-	',`
-		files_dontaudit_list_tmp($1_thunderbird_t)
-		files_dontaudit_list_home($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
-		userdom_dontaudit_list_user_untrusted_content($1, $1_thunderbird_t)
-		userdom_dontaudit_read_user_untrusted_content_files($1, $1_thunderbird_t)
-		userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_thunderbird_t)
-		userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t)
-	')
-
-	# Manage nfs homedirs
-	tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
-		files_search_home($1_thunderbird_t)
-
-		fs_search_auto_mountpoints($1_thunderbird_t)
-		fs_manage_nfs_dirs($1_thunderbird_t)
-		fs_manage_nfs_files($1_thunderbird_t)
-		fs_manage_nfs_symlinks($1_thunderbird_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
-		fs_dontaudit_manage_nfs_files($1_thunderbird_t)
-	')
-
-	# Manage samba homedirs
-	tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
-		files_search_home($1_thunderbird_t)
-
-		fs_search_auto_mountpoints($1_thunderbird_t)
-		fs_manage_cifs_dirs($1_thunderbird_t)
-		fs_manage_cifs_files($1_thunderbird_t)
-		fs_manage_cifs_symlinks($1_thunderbird_t)
-	',`
-		fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
-		fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
-		fs_dontaudit_manage_cifs_files($1_thunderbird_t)
-	')
-
-	# Manage /tmp and /home
-	tunable_policy(`write_untrusted_content',`
-		files_search_home($1_thunderbird_t)
-		files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file)
-		files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir)
-		userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t)
-		userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
-		userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
-		userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
-	',`
-		files_dontaudit_list_home($1_thunderbird_t)
-		files_dontaudit_list_tmp($1_thunderbird_t)
-
-		userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
-		userdom_dontaudit_manage_user_tmp_dirs($1, $1_thunderbird_t)
-		userdom_dontaudit_manage_user_tmp_files($1, $1_thunderbird_t)
-		userdom_dontaudit_manage_user_home_content_dirs($1, $1_thunderbird_t)
-	')
-
-	optional_policy(`
-		dbus_system_bus_client_template($1_thunderbird, $1_thunderbird_t)
-		dbus_user_bus_client_template($1, $1_thunderbird, $1_thunderbird_t)
-	')
-
-	optional_policy(`
-		cups_read_rw_config($1_thunderbird_t)
-		cups_dbus_chat($1_thunderbird_t)
-	')
-
-	optional_policy(`
-		gnome_stream_connect_gconf_template($1, $1_thunderbird_t)
-		gnome_domtrans_user_gconf($1, $1_thunderbird_t)
-		gnome_manage_user_gnome_config($1, $1_thunderbird_t)
-	')
-
-	optional_policy(`
-		gpg_domtrans_user_gpg($1, $1_thunderbird_t)
+interface(`thunderbird_role',`
+	gen_require(`
+		type thunderbird_t, thunderbird_exec_t;
+		type thunderbird_home_t, thunderbird_tmpfs_t;
 	')
 
-	optional_policy(`
-		lpd_domtrans_user_lpr($1, $1_thunderbird_t)
-	')
+	role $1 types thunderbird_t;
 
-	optional_policy(`
-		mozilla_read_user_home_files($1, $1_thunderbird_t)
-		mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
-		mozilla_dbus_chat($1, $1_thunderbird_t)
-	')
+	domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)
+	allow $2 thunderbird_t:fd use;
+	allow $2 thunderbird_t:shm { associate getattr };
+	allow $2 thunderbird_t:unix_stream_socket connectto;
+	allow thunderbird_t $2:fd use;
+	allow thunderbird_t $2:process sigchld;
+	allow thunderbird_t $2:unix_stream_socket connectto;
 
-	ifdef(`TODO',`
-		# FIXME: Rules were removed to centralize policy in a gnome_app macro
-		# A similar thing might be necessary for mozilla compiled without GNOME
-		# support (is this possible?).
+	# allow ps to show thunderbird and allow the user to kill it 
+	ps_process_pattern($2, thunderbird_t)
+	allow $2 thunderbird_t:process signal;
 
-		# GNOME support
-		optional_policy(`
-			gnome_application($1_thunderbird, $1)
-			gnome_file_dialog($1_thunderbird, $1)
-			allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-		')
-	')
+	# Access ~/.thunderbird
+	manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+	manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+	manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+	relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+	relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+	relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
 ')
 
 ########################################
 ## <summary>
 ##	Run thunderbird in the user thunderbird domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run thunderbird in the user thunderbird domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`thunderbird_domtrans_user_thunderbird',`
+interface(`thunderbird_domtrans',`
 	gen_require(`
-		type $1_thunderbird_t, thunderbird_exec_t;
+		type thunderbird_t, thunderbird_exec_t;
 	')
 
-	domtrans_pattern($2, thunderbird_exec_t, $1_thunderbird_t)
+	domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
 ')
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 15169bc..8c0faea 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,10 +1,221 @@
 
-policy_module(thunderbird, 1.6.0)
+policy_module(thunderbird, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type thunderbird_t;
 type thunderbird_exec_t;
-application_executable_file(thunderbird_exec_t)
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+application_domain(thunderbird_t, thunderbird_exec_t)
+ubac_constrained(thunderbird_t)
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+files_poly_member(thunderbird_home_t)
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+files_tmpfs_file(thunderbird_tmpfs_t)
+ubac_constrained(thunderbird_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file { ioctl read write getattr };
+allow thunderbird_t self:unix_dgram_socket { create connect };
+allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+allow thunderbird_t self:tcp_socket create_socket_perms;
+allow thunderbird_t self:shm { read write create destroy unix_read unix_write };
+
+# Access ~/.thunderbird
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_search_user_home_dirs(thunderbird_t)
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Allow netstat
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+# Startup shellscript
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_all_nodes(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ldap_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_connect_ldap_port(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_sendrecv_ldap_client_packets(thunderbird_t)
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_sendrecv_http_client_packets(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_xattr_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+# Access ~/.thunderbird
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_read_user_tmp_files(thunderbird_t)
+userdom_manage_user_tmp_sockets(thunderbird_t)
+# .kde/....gtkrc
+userdom_read_user_home_content_files(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+# Access ~/.thunderbird
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(thunderbird_t)
+	fs_manage_nfs_files(thunderbird_t)
+	fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(thunderbird_t)
+	fs_manage_cifs_files(thunderbird_t)
+	fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+	files_list_home(thunderbird_t)
+
+	fs_list_auto_mountpoints(thunderbird_t)
+	fs_read_nfs_files(thunderbird_t)
+	fs_read_nfs_symlinks(thunderbird_t)
+',`
+	files_dontaudit_list_home(thunderbird_t)
+
+	fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+	fs_dontaudit_list_nfs(thunderbird_t)
+	fs_dontaudit_read_nfs_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+	files_list_home(thunderbird_t)
+
+	fs_list_auto_mountpoints(thunderbird_t)
+	fs_read_cifs_files(thunderbird_t)
+	fs_read_cifs_symlinks(thunderbird_t)
+',`
+	files_dontaudit_list_home(thunderbird_t)
+
+	fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+	fs_dontaudit_read_cifs_files(thunderbird_t)
+	fs_dontaudit_list_cifs(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content',`
+	userdom_list_user_tmp(thunderbird_t)
+	userdom_read_user_tmp_files(thunderbird_t)
+	userdom_read_user_tmp_symlinks(thunderbird_t)
+	userdom_search_user_home_dirs(thunderbird_t)
+	userdom_read_user_home_content_files(thunderbird_t)
+
+	ifndef(`enable_mls',`
+		fs_search_removable(thunderbird_t)
+		fs_read_removable_files(thunderbird_t)
+		fs_read_removable_symlinks(thunderbird_t)
+	')
+',`
+	files_dontaudit_list_tmp(thunderbird_t)
+	files_dontaudit_list_home(thunderbird_t)
+
+	fs_dontaudit_list_removable(thunderbird_t)
+	fs_dontaudit_read_removable_files(thunderbird_t)
+
+	userdom_dontaudit_list_user_tmp(thunderbird_t)
+	userdom_dontaudit_read_user_tmp_files(thunderbird_t)
+	userdom_dontaudit_list_user_home_dirs(thunderbird_t)
+	userdom_dontaudit_read_user_home_content_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && read_default_t',`
+	files_list_default(thunderbird_t)
+	files_read_default_files(thunderbird_t)
+	files_read_default_symlinks(thunderbird_t)
+',`
+	files_dontaudit_read_default_files(thunderbird_t)
+	files_dontaudit_list_default(thunderbird_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(thunderbird_t)
+	dbus_session_bus_client(thunderbird_t)
+')
+
+optional_policy(`
+	cups_read_rw_config(thunderbird_t)
+	cups_dbus_chat(thunderbird_t)
+')
+
+optional_policy(`
+	gnome_stream_connect_gconf(thunderbird_t)
+	gnome_domtrans_gconfd(thunderbird_t)
+	gnome_manage_config(thunderbird_t)
+')
+
+optional_policy(`
+	gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+	lpd_domtrans_lpr(thunderbird_t)
+')
+
+optional_policy(`
+	mozilla_read_user_home_files(thunderbird_t)
+	mozilla_domtrans(thunderbird_t)
+	mozilla_dbus_chat(thunderbird_t)
+')
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 2cfec68..8d89f21 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -1,136 +1,40 @@
 ## <summary> tvtime - a high quality television application </summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the tvtime module.
+##	Role access for tvtime
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for tvtime.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`tvtime_per_role_template',`
+interface(`tvtime_role',`
 	gen_require(`
-		type tvtime_exec_t;
+		type tvtime_t, tvtime_exec_t;
+		type tvtime_home_t, tvtime_tmpfs_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_tvtime_t;
-	application_domain($1_tvtime_t, tvtime_exec_t)
-	role $3 types $1_tvtime_t;
-
-	type $1_tvtime_home_t alias $1_tvtime_rw_t;
-	userdom_user_home_content($1, $1_tvtime_home_t)
-	files_poly_member($1_tvtime_home_t)
-
-	type $1_tvtime_tmp_t;
-	files_tmp_file($1_tvtime_tmp_t)
-
-	type $1_tvtime_tmpfs_t;
-	files_tmpfs_file($1_tvtime_tmpfs_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-	allow $1_tvtime_t self:process setsched;
-	allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
-	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
-
-	# X access, Home files
-	manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
-	userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir)
-
-	manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
-	manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
-	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir })
-
-	manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
-	manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
-	manage_fifo_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
-	manage_sock_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
-	fs_tmpfs_filetrans($1_tvtime_t, $1_tvtime_tmpfs_t, { file lnk_file sock_file fifo_file })
+	role $1 types tvtime_t;
 
 	# Type transition
-	domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
+	domtrans_pattern($2, tvtime_exec_t, tvtime_t)
 
 	# X access, Home files
-	manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
-	relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
+	manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+	manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
+	manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+	relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+	relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
+	relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
 
 	# Allow the user domain to signal/ps.
-	ps_process_pattern($2,$1_tvtime_t)
-	allow $2 $1_tvtime_t:process signal_perms;
-
-	kernel_read_all_sysctls($1_tvtime_t)
-	kernel_get_sysvipc_info($1_tvtime_t)
-
-	dev_read_urand($1_tvtime_t)
-	dev_read_realtime_clock($1_tvtime_t)
-	dev_read_sound($1_tvtime_t)
-
-	files_read_usr_files($1_tvtime_t)
-	files_search_pids($1_tvtime_t)
-	# Read /etc/tvtime
-	files_read_etc_files($1_tvtime_t)
-
-	# X access, Home files
-	fs_search_auto_mountpoints($1_tvtime_t)
-
-	miscfiles_read_localization($1_tvtime_t)
-	miscfiles_read_fonts($1_tvtime_t)
-
-	userdom_use_user_terminals($1, $1_tvtime_t)
-	userdom_read_user_home_content_files($1, $1_tvtime_t)
-
-	# X access, Home files
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_tvtime_t)
-		fs_manage_nfs_files($1_tvtime_t)
-		fs_manage_nfs_symlinks($1_tvtime_t)
-	')
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_tvtime_t)
-		fs_manage_cifs_files($1_tvtime_t)
-		fs_manage_cifs_symlinks($1_tvtime_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_tvtime, $1_tvtime_t, $1_tvtime_tmpfs_t)
-	')
+	ps_process_pattern($2, tvtime_t)
+	allow $2 tvtime_t:process signal_perms;
 ')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 8c64f2d..033b123 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -1,13 +1,95 @@
 
-policy_module(tvtime, 1.4.0)
+policy_module(tvtime, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type tvtime_t;
 type tvtime_exec_t;
-application_executable_file(tvtime_exec_t)
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+application_domain(tvtime_t, tvtime_exec_t)
+ubac_constrained(tvtime_t)
 
-type tvtime_dir_t;
-files_pid_file(tvtime_dir_t)
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+files_poly_member(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+files_tmp_file(tvtime_tmp_t)
+ubac_constrained(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+files_tmpfs_file(tvtime_tmpfs_t)
+ubac_constrained(tvtime_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+# X access, Home files
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_urand(tvtime_t)
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+files_search_pids(tvtime_t)
+# Read /etc/tvtime
+files_read_etc_files(tvtime_t)
+
+# X access, Home files
+fs_search_auto_mountpoints(tvtime_t)
+
+miscfiles_read_localization(tvtime_t)
+miscfiles_read_fonts(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
+
+# X access, Home files
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(tvtime_t)
+	fs_manage_nfs_files(tvtime_t)
+	fs_manage_nfs_symlinks(tvtime_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(tvtime_t)
+	fs_manage_cifs_files(tvtime_t)
+	fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
index ba0a764..b8b9520 100644
--- a/policy/modules/apps/uml.fc
+++ b/policy/modules/apps/uml.fc
@@ -1,7 +1,7 @@
 #
 # HOME_DIR/
 #
-HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)?		gen_context(system_u:object_r:uml_rw_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index a833644..d2ab7cb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -1,194 +1,64 @@
 ## <summary>Policy for UML</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the uml module.
+##	Role access for uml
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for uml program.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`uml_per_role_template',`
+interface(`uml_role',`
 	gen_require(`
-		type uml_ro_t, uml_exec_t;
+		type uml_t, uml_exec_t;
+		type uml_ro_t, uml_rw_t, uml_tmp_t;
+		type uml_devpts_t, uml_tmpfs_t;
 	')
 
-	########################################
-	#
-	# Declarations
-	#
-
-	type $1_uml_t;
-	type $1_uml_exec_t;
-	application_domain($1_uml_t, $1_uml_exec_t)
-	role $3 types $1_uml_t;
-
-	type $1_uml_ro_t;
-	files_type($1_uml_ro_t)
-
-	type $1_uml_rw_t;
-	files_type($1_uml_rw_t)
-
-	type $1_uml_tmp_t;
-	files_tmp_file($1_uml_tmp_t)
-
-	type $1_uml_tmpfs_t;
-	files_tmpfs_file($1_uml_tmpfs_t)
-
-	type $1_uml_devpts_t;
-	term_pty($1_uml_devpts_t)
-
-	########################################
-	#
-	# Local policy
-	#
-
-	allow $1_uml_t self:fifo_file rw_fifo_file_perms;
-	allow $1_uml_t self:process { signal_perms ptrace };
-	allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-	# Use the network.
-	allow $1_uml_t self:tcp_socket create_stream_socket_perms;
-	allow $1_uml_t self:udp_socket create_socket_perms;
-
-	allow $1_uml_t $2:process sigchld;
-	allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
-
-	# allow the UML thing to happen
-	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
-	term_create_pty($1_uml_t,$1_uml_devpts_t)
-
-	manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
-	manage_files_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
-	files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
-	can_exec($1_uml_t, $1_uml_tmp_t)
-
-	manage_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
-	manage_lnk_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
-	manage_fifo_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
-	manage_sock_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
-	fs_tmpfs_filetrans($1_uml_t, $1_uml_tmpfs_t, { file lnk_file sock_file fifo_file })
-	can_exec($1_uml_t, $1_uml_tmpfs_t)
-
-	# access config files
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
-	read_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t })
-	read_lnk_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t })
-
-	manage_dirs_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
-	manage_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
-	manage_lnk_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
-	manage_fifo_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
-	manage_sock_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
-	userdom_user_home_dir_filetrans($1, $1_uml_t, $1_uml_rw_t, { file lnk_file sock_file fifo_file })
-
-	allow $2 uml_ro_t:dir list_dir_perms;
-	read_files_pattern($2,uml_ro_t, uml_ro_t)
-	read_lnk_files_pattern($2,uml_ro_t, uml_ro_t)
-
-	manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	manage_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	manage_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	manage_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	relabel_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	relabel_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-	relabel_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-
-	manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-	manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-	relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-	relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-
-	# allow ps, ptrace, signal
-	ps_process_pattern($2,$1_uml_t)
-	allow $2 $1_uml_t:process { ptrace signal_perms };
-
-	manage_dirs_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
-	manage_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
-	manage_lnk_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
-	manage_sock_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
+	role $1 types uml_t;
 
 	# Transition from the user domain to this domain.
-	domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-	can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
+	domtrans_pattern($2, uml_exec_t, uml_t)
 
 	# for mconsole
-	allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-	allow $1_uml_t $2:unix_dgram_socket sendto;
-
-	kernel_read_system_state($1_uml_t)
-	# for SKAS - need something better
-	kernel_write_proc_files($1_uml_t)
-
-	# for xterm
-	corecmd_exec_bin($1_uml_t)
-
-	corenet_all_recvfrom_unlabeled($1_uml_t)
-	corenet_all_recvfrom_netlabel($1_uml_t)
-	corenet_tcp_sendrecv_generic_if($1_uml_t)
-	corenet_udp_sendrecv_generic_if($1_uml_t)
-	corenet_tcp_sendrecv_all_nodes($1_uml_t)
-	corenet_udp_sendrecv_all_nodes($1_uml_t)
-	corenet_tcp_sendrecv_all_ports($1_uml_t)
-	corenet_udp_sendrecv_all_ports($1_uml_t)
-	corenet_tcp_connect_all_ports($1_uml_t)
-	corenet_sendrecv_all_client_packets($1_uml_t)
-	corenet_rw_tun_tap_dev($1_uml_t)
-
-	domain_use_interactive_fds($1_uml_t)
+	allow $2 uml_t:unix_dgram_socket sendto;
+	allow uml_t $2:unix_dgram_socket sendto;
 
-	# for xterm
-	files_read_etc_files($1_uml_t)
-	files_dontaudit_read_etc_runtime_files($1_uml_t)
-	# putting uml data under /var is usual...
-	files_search_var($1_uml_t)
-
-	fs_getattr_xattr_fs($1_uml_t)
-
-	init_read_utmp($1_uml_t)
-	init_dontaudit_write_utmp($1_uml_t)
-
-	# for xterm
-	libs_exec_lib_files($1_uml_t)
-
-	# Inherit and use descriptors from newrole.
-	seutil_use_newrole_fds($1_uml_t)
-
-	# Use the network.
-	sysnet_read_config($1_uml_t)
-
-	userdom_use_user_terminals($1, $1_uml_t)
+	# allow ps, ptrace, signal
+	ps_process_pattern($2, uml_t)
+	allow $2 uml_t:process { ptrace signal_perms };
 
-	optional_policy(`
-		nis_use_ypbind($1_uml_t)
-	')
+	allow $2 uml_ro_t:dir list_dir_perms;
+	read_files_pattern($2, uml_ro_t, uml_ro_t)
+	read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
+
+	manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+	relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+
+	manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+	manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+	relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+	relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+
+	manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
+	manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
+	manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
+	manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
 ')
 
 ########################################
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index b9f8783..84b8efd 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,16 +1,47 @@
 
-policy_module(uml, 1.6.0)
+policy_module(uml, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type uml_t;
 type uml_exec_t;
-application_executable_file(uml_exec_t)
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+application_domain(uml_t, uml_exec_t)
+ubac_constrained(uml_t)
 
 type uml_ro_t;
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
 files_type(uml_ro_t)
+ubac_constrained(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+files_type(uml_rw_t)
+ubac_constrained(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+files_tmp_file(uml_tmp_t)
+ubac_constrained(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+files_tmpfs_file(uml_tmpfs_t)
+ubac_constrained(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
 
 type uml_switch_t;
 type uml_switch_exec_t;
@@ -24,6 +55,98 @@ files_pid_file(uml_switch_var_run_t)
 # Local policy
 #
 
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:unix_dgram_socket create_socket_perms;
+# Use the network.
+allow uml_t self:tcp_socket create_stream_socket_perms;
+allow uml_t self:udp_socket create_socket_perms;
+# for mconsole
+allow uml_t self:unix_dgram_socket sendto;
+
+# allow the UML thing to happen
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+can_exec(uml_t, uml_tmp_t)
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+can_exec(uml_t, uml_tmpfs_t)
+
+# access config files
+allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
+read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+
+can_exec(uml_t, { uml_exec_t uml_exec_t })
+
+kernel_read_system_state(uml_t)
+# for SKAS - need something better
+kernel_write_proc_files(uml_t)
+
+# for xterm
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_udp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_all_nodes(uml_t)
+corenet_udp_sendrecv_all_nodes(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+corenet_udp_sendrecv_all_ports(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+# for xterm
+files_read_etc_files(uml_t)
+files_dontaudit_read_etc_runtime_files(uml_t)
+# putting uml data under /var is usual...
+files_search_var(uml_t)
+
+fs_getattr_xattr_fs(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+# for xterm
+libs_exec_lib_files(uml_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_user_terminals(uml_t)
+
+optional_policy(`
+	nis_use_ypbind(uml_t)
+')
+
+########################################
+#
+# Local policy
+#
+
 dontaudit uml_switch_t self:capability sys_tty_config;
 allow uml_switch_t self:process signal_perms;
 allow uml_switch_t self:unix_dgram_socket create_socket_perms;
@@ -54,8 +177,7 @@ logging_send_syslog_msg(uml_switch_t)
 miscfiles_read_localization(uml_switch_t)
 
 userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-
-sysadm_dontaudit_search_home_dirs(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index b144715..c25e403 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -2,38 +2,28 @@
 
 #######################################
 ## <summary>
-##	The per role template for the userhelper module.
+##	The role template for the userhelper module.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for userhelper.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="userrole_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_role">
 ##	<summary>
-##	The type of the user domain.
+##	The user role.
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	The user domain associated with the role.
 ##	</summary>
 ## </param>
 #
-template(`userhelper_per_role_template',`
+template(`userhelper_role_template',`
 	gen_require(`
+		attribute userhelper_type;
 		type userhelper_exec_t, userhelper_conf_t;
 	')
 
@@ -42,13 +32,14 @@ template(`userhelper_per_role_template',`
 	# Declarations
 	#
 
-	type $1_userhelper_t;
+	type $1_userhelper_t, userhelper_type;
 	application_domain($1_userhelper_t, userhelper_exec_t)
 	domain_role_change_exemption($1_userhelper_t)
 	domain_obj_id_change_exemption($1_userhelper_t)
 	domain_interactive_fd($1_userhelper_t)
 	domain_subj_id_change_exemption($1_userhelper_t)
-	role $3 types $1_userhelper_t;
+	ubac_constrained($1_userhelper_t)
+	role $2 types $1_userhelper_t;
 
 	########################################
 	#
@@ -70,14 +61,14 @@ template(`userhelper_per_role_template',`
 	allow $1_userhelper_t self:sock_file read_sock_file_perms;
 
 	#Transition to the derived domain.
-	domtrans_pattern($2, userhelper_exec_t, $1_userhelper_t)
+	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
 
 	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
 	rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
 
 	can_exec($1_userhelper_t, userhelper_exec_t)
 
-	dontaudit $2 $1_userhelper_t:process signal;
+	dontaudit $3 $1_userhelper_t:process signal;
 
 	kernel_read_all_sysctls($1_userhelper_t)
 	kernel_getattr_debugfs($1_userhelper_t)
@@ -86,7 +77,7 @@ template(`userhelper_per_role_template',`
 	# Execute shells
 	corecmd_exec_shell($1_userhelper_t)
 	# By default, revert to the calling domain when a program is executed
-	corecmd_bin_domtrans($1_userhelper_t,$2)
+	corecmd_bin_domtrans($1_userhelper_t, $3)
 
 	# Inherit descriptors from the current session.
 	domain_use_interactive_fds($1_userhelper_t)
@@ -98,8 +89,6 @@ template(`userhelper_per_role_template',`
 	dev_list_all_dev_nodes($1_userhelper_t)
 
 	files_list_var_lib($1_userhelper_t)
-	# Write to utmp.
-	files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
 	# Read the /etc/security/default_type file
 	files_read_etc_files($1_userhelper_t)
 	# Read /var.
@@ -138,13 +127,13 @@ template(`userhelper_per_role_template',`
 	init_use_fds($1_userhelper_t)
 	# Write to utmp.
 	init_manage_utmp($1_userhelper_t)
+	init_pid_filetrans_utmp($1_userhelper_t)
 
 	miscfiles_read_localization($1_userhelper_t)
 
 	seutil_read_config($1_userhelper_t)
 	seutil_read_default_contexts($1_userhelper_t)
 
-	userdom_use_unpriv_users_fds($1_userhelper_t)
 	# Allow $1_userhelper_t to transition to user domains.
 	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
 	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
@@ -156,14 +145,8 @@ template(`userhelper_per_role_template',`
 		')
 	')
 
-	tunable_policy(`! secure_mode',`
-		#if we are not in secure mode then we can transition to sysadm_t
-		sysadm_bin_spec_domtrans($1_userhelper_t)
-		sysadm_entry_spec_domtrans($1_userhelper_t)
-	')
-
 	optional_policy(`
-		ethereal_domtrans_user_ethereal($1, $1_userhelper_t)
+		ethereal_domtrans($1_userhelper_t)
 	')
 
 	optional_policy(`
@@ -177,6 +160,14 @@ template(`userhelper_per_role_template',`
 	optional_policy(`
 		nscd_socket_use($1_userhelper_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`! secure_mode',`
+			#if we are not in secure mode then we can transition to sysadm_t
+			sysadm_bin_spec_domtrans($1_userhelper_t)
+			sysadm_entry_spec_domtrans($1_userhelper_t)
+		')
+	')
 ')
 
 ########################################
@@ -220,46 +211,36 @@ interface(`userhelper_dontaudit_search_config',`
 ## <summary>
 ##	Allow domain to use userhelper file descriptor.
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain, example user is the prefix of user_t.
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`userhelper_use_user_fd',`
+interface(`userhelper_use_fd',`
 	gen_require(`
-		type $1_userhelper_t;
+		attribute userhelper_type;
 	')
 
-	allow $2 $1_userhelper_t:fd use;
+	allow $1 userhelper_type:fd use;
 ')
 
 ########################################
 ## <summary>
 ##	Allow domain to send sigchld to userhelper.
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain, example user is the prefix of user_t.
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`userhelper_sigchld_user',`
+interface(`userhelper_sigchld',`
 	gen_require(`
-		type $1_userhelper_t;
+		attribute userhelper_type;
 	')
 
-	allow $2 $1_userhelper_t:process sigchld;
+	allow $1 userhelper_type:process sigchld;
 ')
 
 ########################################
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index b93fc24..eac2ff4 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -1,11 +1,13 @@
 
-policy_module(userhelper, 1.4.0)
+policy_module(userhelper, 1.4.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute userhelper_type;
+
 type userhelper_conf_t;
 files_type(userhelper_conf_t)
 
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index f846690..cc4609c 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -33,11 +33,6 @@ interface(`usernetctl_domtrans',`
 ##	The role to be allowed the usernetctl domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the usernetctl domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`usernetctl_run',`
@@ -47,24 +42,23 @@ interface(`usernetctl_run',`
 
 	usernetctl_domtrans($1)
 	role $2 types usernetctl_t;
-	allow usernetctl_t $3:chr_file rw_term_perms;
 
-	sysnet_run_ifconfig(usernetctl_t, $2, $3)
-	sysnet_run_dhcpc(usernetctl_t, $2, $3)
+	sysnet_run_ifconfig(usernetctl_t, $2)
+	sysnet_run_dhcpc(usernetctl_t, $2)
 
 	optional_policy(`
-		consoletype_run(usernetctl_t, $2, $3)
+		consoletype_run(usernetctl_t, $2)
 	')
 
 	optional_policy(`
-		iptables_run(usernetctl_t, $2, $3)
+		iptables_run(usernetctl_t, $2)
 	')
 
 	optional_policy(`
-		modutils_run_insmod(usernetctl_t, $2, $3)
+		modutils_run_insmod(usernetctl_t, $2)
 	')
 
 	optional_policy(`
-		ppp_run(usernetctl_t, $2, $3)
+		ppp_run(usernetctl_t, $2)
 	')
 ')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index aa63889..ef81e79 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,5 +1,5 @@
 
-policy_module(usernetctl, 1.4.0)
+policy_module(usernetctl, 1.4.1)
 
 ########################################
 #
@@ -59,7 +59,7 @@ seutil_read_config(usernetctl_t)
 
 sysnet_read_config(usernetctl_t)
 
-term_search_ptys(usernetctl_t)
+userdom_use_user_terminals(usernetctl_t)
 
 optional_policy(`
 	hostname_exec(usernetctl_t)
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index cf2097d..85b26a5 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -1,9 +1,9 @@
 #
 # HOME_DIR/
 #
-HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)?			gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg	--	gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)?			gen_context(system_u:object_r:vmware_file_t,s0)
 
 #
 # /etc
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index d4d83f6..80afe1f 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -1,168 +1,33 @@
 ## <summary>VMWare Workstation virtual machines</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the vmware module.
+##	Role access for vmware
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is used
-##	for vmware sessions.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`vmware_per_role_template',`
+interface(`vmware_role',`
 	gen_require(`
-		type vmware_exec_t, vmware_sys_conf_t;
+		type vmware_t, vmware_exec_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_vmware_t;
-	domain_type($1_vmware_t)
-	domain_entry_file($1_vmware_t, vmware_exec_t)
-	role $3 types $1_vmware_t;
-
-	type $1_vmware_conf_t;
-	userdom_user_home_content($1, $1_vmware_conf_t)
-
-	type $1_vmware_file_t;
-	userdom_user_home_content($1, $1_vmware_file_t)
-
-	type $1_vmware_tmp_t;
-	files_tmp_file($1_vmware_tmp_t)
-
-	type $1_vmware_tmpfs_t;
-	files_tmpfs_file($1_vmware_tmpfs_t)
-
-	type $1_vmware_var_run_t;
-	files_pid_file($1_vmware_var_run_t)
-
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
-	dontaudit $1_vmware_t self:capability sys_tty_config;
-	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_vmware_t self:process { execmem execstack };
-	allow $1_vmware_t self:fd use;
-	allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
-	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
-	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_vmware_t self:unix_dgram_socket sendto;
-	allow $1_vmware_t self:unix_stream_socket connectto;
-	allow $1_vmware_t self:shm create_shm_perms;
-	allow $1_vmware_t self:sem create_sem_perms;
-	allow $1_vmware_t self:msgq create_msgq_perms;
-	allow $1_vmware_t self:msg { send receive };
-
-	can_exec($1_vmware_t, vmware_exec_t)
-
-	# User configuration files
-	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
-	# VMWare disks
-	manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
-	manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
-
-	allow $1_vmware_t $1_vmware_tmp_t:file execute;
-	manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
-	manage_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
-	manage_sock_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
-	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
-
-	manage_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
-	manage_lnk_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
-	manage_fifo_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
-	manage_sock_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
-	fs_tmpfs_filetrans($1_vmware_t, $1_vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	# Read clobal configuration files
-	allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
-	read_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
-	read_lnk_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
-
-	manage_dirs_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
-	manage_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
-	manage_lnk_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
-	manage_sock_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
-	files_pid_filetrans($1_vmware_t, $1_vmware_var_run_t, { dir file lnk_file })
-
-	domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
-
-	kernel_read_system_state($1_vmware_t)
-	kernel_read_network_state($1_vmware_t)
-	kernel_read_kernel_sysctls($1_vmware_t)
-
-	# startup scripts
-	corecmd_exec_bin($1_vmware_t)
-	corecmd_exec_shell($1_vmware_t)
-
-	dev_read_raw_memory($1_vmware_t)
-	dev_write_raw_memory($1_vmware_t)
-	dev_read_mouse($1_vmware_t)
-	dev_write_sound($1_vmware_t)
-	dev_read_realtime_clock($1_vmware_t)
-	dev_rwx_vmware($1_vmware_t)
-	dev_rw_usbfs($1_vmware_t)
-	dev_search_sysfs($1_vmware_t)
-
-	domain_use_interactive_fds($1_vmware_t)
-
-	files_read_etc_files($1_vmware_t)
-	files_read_etc_runtime_files($1_vmware_t)
-	files_read_usr_files($1_vmware_t)
-	files_list_home($1_vmware_t)
-
-	fs_getattr_xattr_fs($1_vmware_t)
-	fs_search_auto_mountpoints($1_vmware_t)
-
-	storage_raw_read_removable_device($1_vmware_t)
-	storage_raw_write_removable_device($1_vmware_t)
-
-	# startup scripts run ldd
-	libs_exec_ld_so($1_vmware_t)
-	# Access X11 config files
-	libs_read_lib_files($1_vmware_t)
-
-	miscfiles_read_localization($1_vmware_t)
-
-	userdom_use_user_terminals($1, $1_vmware_t)
-	userdom_use_unpriv_users_fds($1_vmware_t)
-	userdom_list_user_home_dirs($1, $1_vmware_t)
-	# cjp: why?
-	userdom_read_user_home_content_files($1, $1_vmware_t)
+	role $1 types vmware_t;
 
-	sysnet_dns_name_resolve($1_vmware_t)
-	sysnet_read_config($1_vmware_t)
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, vmware_exec_t, vmware_t)
 
-	xserver_user_x_domain_template($1, $1_vmware, $1_vmware_t, $1_vmware_tmpfs_t)
+	# allow ps to show vmware and allow the user to kill it 
+	ps_process_pattern($2, vmware_t)
+	allow $2 vmware_t:process signal;
 ')
 
 ########################################
@@ -180,7 +45,7 @@ interface(`vmware_read_system_config',`
 		type vmware_sys_conf_t;
 	')
 
-	allow $1 vmware_sys_conf_t:file read_file_perms;
+	allow $1 vmware_sys_conf_t:file { getattr read };
 ')
 
 ########################################
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index bf61196..8cc3a31 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
 
-policy_module(vmware, 1.6.0)
+policy_module(vmware, 2.0.0)
 
 ########################################
 #
@@ -7,23 +7,58 @@ policy_module(vmware, 1.6.0)
 #
 
 # VMWare user program
+type vmware_t;
 type vmware_exec_t;
-corecmd_executable_file(vmware_exec_t)
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+application_domain(vmware_t, vmware_exec_t)
+ubac_constrained(vmware_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
 
 # VMWare host programs
 type vmware_host_t;
 type vmware_host_exec_t;
 init_daemon_domain(vmware_host_t, vmware_host_exec_t)
 
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
 type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
 logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
 
 # Systemwide configuration files
 type vmware_sys_conf_t;
 files_type(vmware_sys_conf_t)
 
-type vmware_var_run_t;
-files_pid_file(vmware_var_run_t)
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+files_tmp_file(vmware_tmp_t)
+ubac_constrained(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+files_tmpfs_file(vmware_tmpfs_t)
+ubac_constrained(vmware_tmpfs_t)
 
 ########################################
 #
@@ -92,8 +127,7 @@ miscfiles_read_localization(vmware_host_t)
 sysnet_dns_name_resolve(vmware_host_t)
 
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-
-sysadm_dontaudit_search_home_dirs(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
 
 netutils_domtrans_ping(vmware_host_t)
 
@@ -105,3 +139,112 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(vmware_host_t)
 ')
+
+ifdef(`TODO',`
+# VMWare need access to pcmcia devices for network
+optional_policy(`
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
+')
+
+##############################
+#
+# VMWare guest local policy
+#
+
+allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow vmware_t self:process { execmem execstack };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+can_exec(vmware_t, vmware_exec_t)
+
+# User configuration files
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+# VMWare disks
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+
+allow vmware_t vmware_tmp_t:file execute;
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Read clobal configuration files
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+# startup scripts
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_xattr_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+# startup scripts run ldd
+libs_exec_ld_so(vmware_t)
+# Access X11 config files
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+# cjp: why?
+userdom_read_user_home_content_files(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+sysnet_read_config(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index 7b0bc5c..1d25688 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -33,11 +33,6 @@ interface(`webalizer_domtrans',`
 ##	The role to be allowed the webalizer domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the webalizer domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`webalizer_run',`
@@ -47,5 +42,4 @@ interface(`webalizer_run',`
 
 	webalizer_domtrans($1)
 	role $2 types webalizer_t;
-	allow webalizer_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 3553ffc..e268644 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
 
-policy_module(webalizer, 1.7.0)
+policy_module(webalizer, 1.7.1)
 
 ########################################
 #
@@ -80,8 +80,9 @@ miscfiles_read_localization(webalizer_t)
 sysnet_dns_name_resolve(webalizer_t)
 sysnet_read_config(webalizer_t)
 
+userdom_use_user_terminals(webalizer_t)
 userdom_use_unpriv_users_fds(webalizer_t)
-userdom_dontaudit_search_all_users_home_content(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
 
 apache_read_log(webalizer_t)
 apache_manage_sys_content(webalizer_t)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 48ba074..7a99209 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -34,11 +34,6 @@ interface(`wine_domtrans',`
 ##	The role to be allowed the wine domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the wine domain to use.
-##	</summary>
-## </param>
 #
 interface(`wine_run',`
 	gen_require(`
@@ -47,5 +42,4 @@ interface(`wine_run',`
 
 	wine_domtrans($1)
 	role $2 types wine_t;
-	allow wine_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 6789cdc..6dd261c 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
 
-policy_module(wine, 1.5.0)
+policy_module(wine, 1.5.1)
 
 ########################################
 #
@@ -15,6 +15,8 @@ application_domain(wine_t, wine_exec_t)
 # Local policy
 #
 
+userdom_use_user_terminals(wine_t)
+
 optional_policy(`
 	allow wine_t self:process { execstack execmem execheap };
 	unconfined_domain_noaudit(wine_t)
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
index dac9c99..96844ae 100644
--- a/policy/modules/apps/wireshark.fc
+++ b/policy/modules/apps/wireshark.fc
@@ -1,3 +1,3 @@
-HOME_DIR/\.wireshark(/.*)? 		gen_context(system_u:object_r:ROLE_wireshark_home_t,s0)
+HOME_DIR/\.wireshark(/.*)? 		gen_context(system_u:object_r:wireshark_home_t,s0)
 
 /usr/bin/wireshark		--	gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index 8a0af00..a7c27a5 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -1,242 +1,55 @@
 ## <summary>Wireshark packet capture tool.</summary>
 
-#######################################
+############################################################
 ## <summary>
-##	The per role template for the wireshark module.
+##	Role access for wireshark
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for wireshark packet capture tool.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`wireshark_per_role_template',`
-
+interface(`wireshark_role',`
 	gen_require(`
-		type wireshark_exec_t;
+		type wireshark_t, wireshark_exec_t;
+		type wireshark_home_t, wireshark_tmp_t;
+		type wireshark_tmpfs_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	# Type for program
-	type $1_wireshark_t;
-	application_domain($1_wireshark_t, wireshark_exec_t)
-	role $3 types $1_wireshark_t;
-
-	type $1_wireshark_home_t;
-	files_poly_member($1_wireshark_home_t)
-	userdom_user_home_content($1, $1_wireshark_home_t)
-
-	type $1_wireshark_tmp_t;
-	files_tmp_file($1_wireshark_tmp_t)
-
-	type $1_wireshark_tmpfs_t;
-	files_tmpfs_file($1_wireshark_tmpfs_t)
-
-	##############################
-	#
-	# Local Policy
-	#
-
-	allow $1_wireshark_t self:capability { net_admin net_raw setgid };
-	allow $1_wireshark_t self:process { signal getsched };
-	allow $1_wireshark_t self:fifo_file { getattr read write };
-	allow $1_wireshark_t self:shm destroy;
-	allow $1_wireshark_t self:shm create_shm_perms;
-	allow $1_wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-	allow $1_wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
-	allow $1_wireshark_t self:tcp_socket create_socket_perms;
-	allow $1_wireshark_t self:udp_socket create_socket_perms;
-
-	# Re-execute itself (why?)
-	can_exec($1_wireshark_t, wireshark_exec_t)
-	corecmd_search_bin($1_wireshark_t)
-
-	# /home/.wireshark
-	manage_dirs_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
-	manage_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
-	manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
-	userdom_user_home_dir_filetrans($1, $1_wireshark_t, $1_wireshark_home_t, dir)
-
-	# Store temporary files
-	manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t)
-	manage_files_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t)
-	files_tmp_filetrans($1_wireshark_t, $1_wireshark_tmp_t, { dir file })
+	role $1 types wireshark_t;
 
-	manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
-	manage_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
-	manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
-	manage_sock_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
-	manage_fifo_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
-	fs_tmpfs_filetrans($1_wireshark_t, $1_wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	domain_auto_trans($2, wireshark_exec_t, $1_wireshark_t)
-	allow $1_wireshark_t $2:fd use;
-	allow $1_wireshark_t $2:process sigchld;
-
-	manage_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-	manage_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-	manage_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-	relabel_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-	relabel_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-	relabel_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-
-	kernel_read_kernel_sysctls($1_wireshark_t)
-	kernel_read_system_state($1_wireshark_t)
-	kernel_read_sysctl($1_wireshark_t)
-
-	corecmd_search_bin($1_wireshark_t)
-
-	corenet_tcp_connect_generic_port($1_wireshark_t)
-	corenet_tcp_sendrecv_generic_if($1_wireshark_t)
-
-	dev_read_urand($1_wireshark_t)
-
-	files_read_etc_files($1_wireshark_t)
-	files_read_usr_files($1_wireshark_t)
-
-	fs_list_inotifyfs($1_wireshark_t)
-	fs_search_auto_mountpoints($1_wireshark_t)
-
-	libs_read_lib_files($1_wireshark_t)
-
-	miscfiles_read_fonts($1_wireshark_t)
-	miscfiles_read_localization($1_wireshark_t)
-
-	seutil_use_newrole_fds($1_wireshark_t)
-
-	sysnet_read_config($1_wireshark_t)
-
-	userdom_manage_user_home_content_files($1, $1_wireshark_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_wireshark_t)
-		fs_manage_nfs_files($1_wireshark_t)
-		fs_manage_nfs_symlinks($1_wireshark_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_wireshark_t)
-		fs_manage_cifs_files($1_wireshark_t)
-		fs_manage_cifs_symlinks($1_wireshark_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_wireshark_t)
-	')
-
-	# Manual transition from userhelper 
-	optional_policy(`
-		userhelper_use_user_fd($1, $1_wireshark_t)
-		userhelper_sigchld_user($1, $1_wireshark_t)
-	')
-
-	optional_policy(`
-		xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t)
-		xserver_create_xdm_tmp_sockets($1_wireshark_t)
-	')
-
-	ifdef(`TODO',`
-		# Why does it write this?
-		optional_policy(`
-			dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;
-		')
-		#TODO
-		gnome_application($1_wireshark, $1)
-		gnome_file_dialog($1_wireshark, $1)
-		# FIXME: policy is incomplete
-	')
+	domain_auto_trans($2, wireshark_exec_t, wireshark_t)
+	allow wireshark_t $2:fd use;
+	allow wireshark_t $2:process sigchld;
 
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the wireshark module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating wireshark,
-##	allowing the specified user to manage wireshark files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`wireshark_admin_template',`
-	gen_require(`
-		type $1_wireshark_t;
-	')
-
-	# Create various types of sockets
-	allow $1_wireshark_t self:netlink_route_socket create_netlink_socket_perms;
-	allow $1_wireshark_t self:udp_socket create_socket_perms;
-	allow $1_wireshark_t self:packet_socket create_socket_perms;
-	allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_wireshark_t self:tcp_socket create_socket_perms;
-
-	userdom_use_user_terminals($1, $1_wireshark_t)
-	# wireshark tries to write to user terminal
-	userdom_dontaudit_use_user_terminals($1, $1_wireshark_t)
+	manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+	manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
+	manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+	relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+	relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
+	relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
 ')
 
 ########################################
 ## <summary>
 ##	Run wireshark in wireshark domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Run wireshark in wireshark domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`wireshark_domtrans_user_wireshark',`
+interface(`wireshark_domtrans',`
 	gen_require(`
-		type $1_wireshark_t, wireshark_exec_t;
+		type wireshark_t, wireshark_exec_t;
 	')
 
-	domtrans_pattern($2, wireshark_exec_t, $1_wireshark_t)
+	domtrans_pattern($1, wireshark_exec_t, wireshark_t)
 ')
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index a0f1de0..9a03cb6 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -1,10 +1,124 @@
 
-policy_module(wireshark, 1.0.0)
+policy_module(wireshark, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
+type wireshark_t;
 type wireshark_exec_t;
-application_executable_file(wireshark_exec_t)
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+application_domain(wireshark_t, wireshark_exec_t)
+ubac_constrained(wireshark_t)
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+files_poly_member(wireshark_home_t)
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+files_tmp_file(wireshark_tmp_t)
+ubac_constrained(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+files_tmpfs_file(wireshark_tmpfs_t)
+ubac_constrained(wireshark_tmpfs_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file { getattr read write };
+allow wireshark_t self:shm destroy;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:tcp_socket create_socket_perms;
+allow wireshark_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(wireshark_t, wireshark_exec_t)
+corecmd_search_bin(wireshark_t)
+
+# /home/.wireshark
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t,dir)
+
+# Store temporary files
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_search_bin(wireshark_t)
+
+corenet_tcp_connect_generic_port(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+
+dev_read_urand(wireshark_t)
+
+files_read_etc_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+seutil_use_newrole_fds(wireshark_t)
+
+sysnet_read_config(wireshark_t)
+
+userdom_manage_user_home_content_files(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(wireshark_t)
+	fs_manage_nfs_files(wireshark_t)
+	fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(wireshark_t)
+	fs_manage_cifs_files(wireshark_t)
+	fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+	nscd_socket_use(wireshark_t)
+')
+
+# Manual transition from userhelper 
+optional_policy(`
+	userhelper_use_fd(wireshark_t)
+	userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+	xserver_user_client(wireshark_t, wireshark_tmpfs_t)
+	xserver_create_xdm_tmp_sockets(wireshark_t)
+')
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index b530e78..5fb7790 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -34,11 +34,6 @@ interface(`yam_domtrans',`
 ##	The role to be allowed the yam domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the yam domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`yam_run',`
@@ -48,7 +43,6 @@ interface(`yam_run',`
 
 	yam_domtrans($1)
 	role $2 types yam_t;
-	allow yam_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 5c5b8a3..5971c2f 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -1,5 +1,5 @@
 
-policy_module(yam, 1.2.0)
+policy_module(yam, 1.2.1)
 
 ########################################
 #
@@ -84,8 +84,6 @@ fs_search_auto_mountpoints(yam_t)
 # Content can also be on ISO image files.
 fs_read_iso9660_files(yam_t)
 
-term_search_ptys(yam_t)
-
 logging_send_syslog_msg(yam_t)
 
 miscfiles_read_localization(yam_t)
@@ -95,10 +93,11 @@ seutil_read_config(yam_t)
 sysnet_dns_name_resolve(yam_t)
 sysnet_read_config(yam_t)
 
+userdom_use_user_terminals(yam_t)
 userdom_use_unpriv_users_fds(yam_t)
 # Reading dotfiles...
 # cjp: ?
-userdom_search_all_users_home_dirs(yam_t)
+userdom_search_user_home_dirs(yam_t)
 
 # The whole point of this program is to make updates available on a
 # local web server.  Need to go through /var to get to /var/yam
diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if
index 532cb5a..d320022 100644
--- a/policy/modules/roles/auditadm.if
+++ b/policy/modules/roles/auditadm.if
@@ -2,44 +2,49 @@
 
 ########################################
 ## <summary>
-##	Change to the generic user role.
+##	Change to the audit administrator role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`auditadm_role_change_template',`
-	userdom_role_change_template($1, auditadm)
+interface(`auditadm_role_change',`
+	gen_require(`
+		role auditadm_r;
+	')
+
+	allow $1 auditadm_r;
 ')
 
 ########################################
 ## <summary>
-##	Change from the generic user role.
+##	Change from the audit administrator role.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Change from the generic user role to
+##	Change from the audit administrator role to
 ##	the specified role.
 ##	</p>
 ##	<p>
-##	This is a template to support third party modules
+##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
 ##	</p>
 ## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`auditadm_role_change_to_template',`
-	userdom_role_change_template(auditadm, $1)
-')
+interface(`auditadm_role_change_to',`
+	gen_require(`
+		role auditadm_r;
+	')
 
+	allow auditadm_r $1;
+')
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 29d389a..046de2a 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -1,5 +1,5 @@
 
-policy_module(auditadm, 1.0.0)
+policy_module(auditadm, 2.0.0)
 
 ########################################
 #
@@ -25,26 +25,165 @@ logging_send_syslog_msg(auditadm_t)
 logging_read_generic_logs(auditadm_t)
 logging_manage_audit_log(auditadm_t)
 logging_manage_audit_config(auditadm_t)
-logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditctl(auditadm_t, auditadm_r)
+logging_run_auditd(auditadm_t, auditadm_r)
 
-seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+seutil_run_runinit(auditadm_t, auditadm_r)
 seutil_read_bin_policy(auditadm_t)
 
 optional_policy(`
+	apache_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	auth_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	bluetooth_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	cdrecord_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
 	consoletype_exec(auditadm_t)
 ')
 
 optional_policy(`
+	cron_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	dbus_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
 	dmesg_exec(auditadm_t)
 ')
 
 optional_policy(`
-	secadm_role_change_template(auditadm)
+	ethereal_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	evolution_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	games_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	gift_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	gpg_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	gnome_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	irc_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	java_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	lockdev_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	lpd_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	mozilla_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	mplayer_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	mta_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	oident_manage_user_content(auditadm_t)
+	oident_relabel_user_content(auditadm_t)
+')
+
+optional_policy(`
+	pyzor_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	razor_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	rssh_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	screen_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	spamassassin_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	ssh_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	secadm_role_change(auditadm_r)
 ')
 
 optional_policy(`
-	sysadm_role_change_template(auditadm)
-	sysadm_dontaudit_read_home_content_files(auditadm_t)
+	su_role_template(auditadm, auditadm_r, auditadm_t)
 ')
 
+optional_policy(`
+	sudo_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	sysadm_role_change(auditadm_r)
+')
+
+optional_policy(`
+	thunderbird_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	tvtime_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	userhelper_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	vmware_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	wireshark_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	uml_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+	xserver_role(auditadm_r, auditadm_t)
+')
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if
index a5148b0..bb6a5fe 100644
--- a/policy/modules/roles/secadm.if
+++ b/policy/modules/roles/secadm.if
@@ -2,44 +2,50 @@
 
 ########################################
 ## <summary>
-##	Change to the generic user role.
+##	Change to the security administrator role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`secadm_role_change_template',`
-	userdom_role_change_template($1, secadm)
+interface(`secadm_role_change',`
+	gen_require(`
+		role secadm_r;
+	')
+
+	allow $1 secadm_r;
 ')
 
 ########################################
 ## <summary>
-##	Change from the generic user role.
+##	Change from the security administrator role.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Change from the generic user role to
+##	Change from the security administrator role to
 ##	the specified role.
 ##	</p>
 ##	<p>
-##	This is a template to support third party modules
+##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
 ##	</p>
 ## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`secadm_role_change_to_template',`
-	userdom_role_change_template(secadm, $1)
+interface(`secadm_role_change_to_template',`
+	gen_require(`
+		role secadm_r;
+	')
+
+	allow secadm_r $1;
 ')
 
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 5b62c8f..018f64d 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -1,5 +1,5 @@
 
-policy_module(secadm, 1.1.0)
+policy_module(secadm, 2.0.0)
 
 ########################################
 #
@@ -9,7 +9,7 @@ policy_module(secadm, 1.1.0)
 role secadm_r;
 
 userdom_unpriv_user_template(secadm)
-userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+userdom_security_admin_template(secadm_t, secadm_r)
 
 ########################################
 #
@@ -30,6 +30,7 @@ mls_file_write_all_levels(secadm_t)
 mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
 
+auth_role(secadm_r, secadm_t)
 auth_relabel_all_files_except_shadow(secadm_t)
 auth_relabel_shadow(secadm_t)
 
@@ -40,11 +41,31 @@ logging_read_generic_logs(secadm_t)
 logging_read_audit_config(secadm_t)
 
 optional_policy(`
-	aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+	aide_run(secadm_t, secadm_r)
 ')
 
 optional_policy(`
-	auditadm_role_change_template(secadm)
+	apache_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	auditadm_role_change(secadm_r)
+')
+
+optional_policy(`
+	bluetooth_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	cdrecord_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	cron_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	dbus_role_template(secadm, secadm_r, secadm_t)
 ')
 
 optional_policy(`
@@ -52,15 +73,126 @@ optional_policy(`
 ')
 
 optional_policy(`
-	netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+	ethereal_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	evolution_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	games_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	gift_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	gnome_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	gpg_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	irc_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	java_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	lockdev_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	lpd_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	mozilla_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	mplayer_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	mta_role(secadm_r, secadm_t)
 ')
 
 optional_policy(`
-	staff_dontaudit_append_home_content_files(secadm_t)
+	netlabel_run_mgmt(secadm_t, secadm_r)
 ')
 
 optional_policy(`
-	sysadm_role_change_template(secadm)
-	sysadm_dontaudit_read_home_content_files(secadm_t)
+	oident_manage_user_content(secadm_t)
+	oident_relabel_user_content(secadm_t)
 ')
 
+optional_policy(`
+	pyzor_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	razor_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	rssh_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	screen_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+	spamassassin_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	ssh_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+	su_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+	sudo_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+	sysadm_role_change(secadm_r)
+')
+
+optional_policy(`
+	thunderbird_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	tvtime_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	uml_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	userhelper_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+	vmware_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	wireshark_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+	xserver_role(secadm_r, secadm_t)
+')
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
index 6e0bc69..234a940 100644
--- a/policy/modules/roles/staff.if
+++ b/policy/modules/roles/staff.if
@@ -4,16 +4,19 @@
 ## <summary>
 ##	Change to the staff role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`staff_role_change_template',`
-	userdom_role_change_template($1, staff)
+interface(`staff_role_change',`
+	gen_require(`
+		role staff_r;
+	')
+
+	allow $1 staff_r;
 ')
 
 ########################################
@@ -26,137 +29,22 @@ template(`staff_role_change_template',`
 ##	the specified role.
 ##	</p>
 ##	<p>
-##	This is a template to support third party modules
+##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
 ##	</p>
 ## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`staff_role_change_to_template',`
-	userdom_role_change_template(staff, $1)
-')
-
-########################################
-## <summary>
-##	Search the staff users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`staff_search_home_dirs',`
+interface(`staff_role_change_to',`
 	gen_require(`
-		type staff_home_dir_t;
+		role staff_r;
 	')
 
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir search_dir_perms;
+	allow staff_r $1;
 ')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`staff_dontaudit_search_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	dontaudit $1 staff_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete staff
-##	home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`staff_manage_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Relabel to staff home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`staff_relabelto_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir relabelto;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append to the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`staff_dontaudit_append_home_content_files',`
-	gen_require(`
-		type staff_home_t;
-	')
-
-	dontaudit $1 staff_home_t:file append;
-')
-
-########################################
-## <summary>
-##	Read files in the staff users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`staff_read_home_content_files',`
-	gen_require(`
-		type staff_home_dir_t, staff_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
-	read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
-	read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
-')
-
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9d68d0b..7433ca0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,5 +1,5 @@
 
-policy_module(staff, 1.0.0)
+policy_module(staff, 2.0.0)
 
 ########################################
 #
@@ -16,15 +16,155 @@ userdom_unpriv_user_template(staff)
 #
 
 optional_policy(`
-	auditadm_role_change_template(staff)
+	apache_role(staff_r, staff_t)
 ')
 
 optional_policy(`
-	secadm_role_change_template(staff)
+	auth_role(staff_r, staff_t)
 ')
 
 optional_policy(`
-	sysadm_role_change_template(staff)
-	sysadm_dontaudit_use_terms(staff_t)
+	auditadm_role_change(staff_r)
 ')
 
+optional_policy(`
+	bluetooth_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	cdrecord_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	cron_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	dbus_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	ethereal_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	evolution_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	games_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	gift_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	gnome_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	gpg_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	irc_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	java_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	lockdev_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	lpd_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	mozilla_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	mplayer_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	mta_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	oident_manage_user_content(staff_t)
+	oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
+	pyzor_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	razor_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	rssh_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	screen_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	secadm_role_change(staff_r)
+')
+
+optional_policy(`
+	spamassassin_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	su_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	sysadm_role_change(staff_r)
+	userdom_dontaudit_use_user_terminals(staff_t)
+')
+
+optional_policy(`
+	thunderbird_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	tvtime_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	uml_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	userhelper_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+	vmware_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	wireshark_role(staff_r, staff_t)
+')
+
+optional_policy(`
+	xserver_role(staff_r, staff_t)
+')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index 8c4ad00..42be030 100644
--- a/policy/modules/roles/sysadm.if
+++ b/policy/modules/roles/sysadm.if
@@ -2,45 +2,51 @@
 
 ########################################
 ## <summary>
-##	Change to the generic user role.
+##	Change to the system administrator role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`sysadm_role_change_template',`
-	userdom_role_change_template($1, sysadm)
+interface(`sysadm_role_change',`
+	gen_require(`
+		role sysadm_r;
+	')
+
+	allow $1 sysadm_r;
 ')
 
 ########################################
 ## <summary>
-##	Change from the generic user role.
+##	Change from the system administrator role.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Change from the generic user role to
+##	Change from the system administrator role to
 ##	the specified role.
 ##	</p>
 ##	<p>
-##	This is a template to support third party modules
+##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
 ##	</p>
 ## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`sysadm_role_change_to_template',`
-	userdom_role_change_template(sysadm, $1)
+interface(`sysadm_role_change_to',`
+	gen_require(`
+		role sysadm_r;
+	')
+
+	allow sysadm_r $1;
 ')
 
 ########################################
@@ -195,353 +201,3 @@ interface(`sysadm_rw_pipes',`
 
 	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
 ')
-
-########################################
-## <summary>
-##	Do not audit attepts to get the attributes
-##	of sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_getattr_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_use_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	term_list_ptys($1)
-	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use sysadm ttys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_use_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_use_ptys',`
-	gen_require(`
-		type sysadm_devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	term_list_ptys($1)
-	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Dont audit attempts to read and write sysadm ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_use_ptys',`
-	gen_require(`
-		type sysadm_devpts_t;
-	')
-
-	dontaudit $1 sysadm_devpts_t:chr_file { read write };
-')
-
-########################################
-## <summary>
-##	Read and write sysadm ttys and ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_use_terms',`
-	sysadm_use_ttys($1)
-	sysadm_use_ptys($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to use sysadm ttys and ptys.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_use_terms',`
-	sysadm_dontaudit_use_ttys($1)
-	sysadm_dontaudit_use_ptys($1)
-')
-
-########################################
-## <summary>
-##	Get the attributes of the sysadm users
-##	home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_getattr_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get the
-##	attributes of the sysadm users
-##	home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_getattr_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the sysadm users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_search_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_search_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	List the sysadm users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_list_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_list_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in sysadm home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private type">
-##	<summary>
-##	The type of the object to be created.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.
-##	If not specified, file is used.
-##	</summary>
-## </param>
-#
-interface(`sysadm_home_dir_filetrans',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
-')
-
-########################################
-## <summary>
-##	Search the sysadm users home sub directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_search_home_content_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read files in the sysadm home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_read_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
-	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
-	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read files in the sysadm
-##	home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`sysadm_dontaudit_read_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Read sysadm temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`sysadm_read_tmp_files',`
-	gen_require(`
-		type sysadm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 sysadm_tmp_t:dir list_dir_perms;
-	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
-	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
-')
-
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index f1628d2..e69ab7c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,5 +1,5 @@
 
-policy_module(sysadm, 1.0.0)
+policy_module(sysadm, 2.0.0)
 
 ########################################
 #
@@ -18,7 +18,7 @@ role sysadm_r;
 userdom_admin_user_template(sysadm)
 
 ifndef(`enable_mls',`
-	userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	userdom_security_admin_template(sysadm_t, sysadm_r)
 ')
 
 ########################################
@@ -30,20 +30,24 @@ corecmd_exec_shell(sysadm_t)
 
 mls_process_read_up(sysadm_t)
 
+ubac_process_exempt(sysadm_t)
+ubac_file_exempt(sysadm_t)
+ubac_fd_exempt(sysadm_t)
+
 init_exec(sysadm_t)
 
-# For sending reboot and wall messages
-userdom_use_unpriv_users_ptys(sysadm_t)
-userdom_use_unpriv_users_ttys(sysadm_t)
+# Add/remove user home directories
+userdom_manage_user_home_dirs(sysadm_t)
+userdom_home_filetrans_user_home_dir(sysadm_t)
 
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-		init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+		init_run_daemon(sysadm_t, sysadm_r)
 	')
 ',`
 	ifdef(`distro_gentoo',`
 		optional_policy(`
-			seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+			seutil_init_script_run_runinit(sysadm_t, sysadm_r)
 		')
 	')
 ')
@@ -51,7 +55,7 @@ ifdef(`direct_sysadm_daemon',`
 ifndef(`enable_mls',`
 	logging_manage_audit_log(sysadm_t)
 	logging_manage_audit_config(sysadm_t)
-	logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	logging_run_auditctl(sysadm_t, sysadm_r)
 ')
 
 tunable_policy(`allow_ptrace',`
@@ -59,13 +63,14 @@ tunable_policy(`allow_ptrace',`
 ')
 
 optional_policy(`
-	amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	amanda_run_recover(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	apache_run_helper(sysadm_t, sysadm_r)
 	#apache_run_all_scripts(sysadm_t, sysadm_r)
 	#apache_domtrans_sys_script(sysadm_t)
+	apache_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -74,43 +79,55 @@ optional_policy(`
 ')
 
 optional_policy(`
-	apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	apt_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	auditadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+	auth_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	backup_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	auditadm_role_change_template(sysadm)
+	bind_run_ndc(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	bluetooth_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	bootloader_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	cdrecord_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	certwatch_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	clock_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	clockspeed_run_cli(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	consoletype_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	cron_admin_template(sysadm)
+	cron_admin_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -118,13 +135,17 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dbus_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dcc_run_cdcc(sysadm_t, sysadm_r)
+	dcc_run_client(sysadm_t, sysadm_r)
+	dcc_run_dbclean(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	ddcprobe_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -132,28 +153,48 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dmidecode_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	dpkg_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	ethereal_role(sysadm_r, sysadm_t)
+	ethereal_run_tethereal(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	ethereal_admin_template(sysadm)
+	evolution_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+	firstboot_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	fstools_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	games_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	gift_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	gnome_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	gpg_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	hostname_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -167,42 +208,62 @@ optional_policy(`
 ')
 
 optional_policy(`
-	iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	iptables_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	irc_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	java_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	kudzu_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	libs_run_ldconfig(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	lockdev_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	lpr_admin_template(sysadm)
+	logrotate_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	lpd_run_checkpc(sysadm_t, sysadm_r)
+	lpd_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	lvm_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	modutils_run_depmod(sysadm_t, sysadm_r)
+	modutils_run_insmod(sysadm_t, sysadm_r)
+	modutils_run_update_mods(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	mta_admin_template(sysadm, sysadm_t)
+	mount_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	mozilla_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	mplayer_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	mta_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -214,9 +275,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	netutils_run(sysadm_t, sysadm_r)
+	netutils_run_ping(sysadm_t, sysadm_r)
+	netutils_run_traceroute(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -225,24 +286,33 @@ optional_policy(`
 ')
 
 optional_policy(`
-	oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	oav_run_update(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	oident_manage_user_content(sysadm_t)
+	oident_relabel_user_content(sysadm_t)
+')
+
+optional_policy(`
+	pcmcia_run_cardctl(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	portage_run(sysadm_t, sysadm_r)
+	portage_run_gcc_config(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	portmap_run_helper(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	pyzor_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	quota_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -250,11 +320,19 @@ optional_policy(`
 ')
 
 optional_policy(`
+	razor_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	rpc_domtrans_nfsd(sysadm_t)
 ')
 
 optional_policy(`
-	rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	rpm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	rssh_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -262,33 +340,61 @@ optional_policy(`
 ')
 
 optional_policy(`
-	samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	samba_run_net(sysadm_t, sysadm_r)
+	samba_run_winbind_helper(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	secadm_role_change_template(sysadm)
+	screen_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	secadm_role_change(sysadm_r)
 ')
 
 optional_policy(`
-	staff_role_change_template(sysadm)
+	seutil_run_setfiles(sysadm_t, sysadm_r)
+	seutil_run_runinit(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	spamassassin_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	ssh_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	staff_role_change(sysadm_r)
+')
+
+optional_policy(`
+	su_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	sudo_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	sysnet_run_ifconfig(sysadm_t, sysadm_r)
+	sysnet_run_dhcpc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	thunderbird_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	tripwire_run_siggen(sysadm_t, sysadm_r)
+	tripwire_run_tripwire(sysadm_t, sysadm_r)
+	tripwire_run_twadmin(sysadm_t, sysadm_r)
+	tripwire_run_twprint(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	tvtime_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -296,35 +402,51 @@ optional_policy(`
 ')
 
 optional_policy(`
+	uml_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	unconfined_domtrans(sysadm_t)
 ')
 
 optional_policy(`
-	# Add/remove user home directories
-	unprivuser_manage_home_dirs(sysadm_t)
-	unprivuser_home_filetrans_home_dir(sysadm_t)
+	unprivuser_role_change(sysadm_r)
+')
+
+optional_policy(`
+	usbmodules_run(sysadm_t, sysadm_r)
+')
 
-	unprivuser_role_change_template(sysadm)
+optional_policy(`
+	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+	usermanage_run_groupadd(sysadm_t, sysadm_r)
+	usermanage_run_useradd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	vmware_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	vpn_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
-	usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	webalizer_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-	vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	wireshark_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	xserver_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
-	yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	yam_run(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index 8ac6b36..3835596 100644
--- a/policy/modules/roles/unprivuser.if
+++ b/policy/modules/roles/unprivuser.if
@@ -4,16 +4,19 @@
 ## <summary>
 ##	Change to the generic user role.
 ## </summary>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`unprivuser_role_change_template',`
-	userdom_role_change_template($1, user)
+interface(`unprivuser_role_change',`
+	gen_require(`
+		role user_r;
+	')
+
+	allow $1 user_r;
 ')
 
 ########################################
@@ -26,319 +29,22 @@ template(`unprivuser_role_change_template',`
 ##	the specified role.
 ##	</p>
 ##	<p>
-##	This is a template to support third party modules
+##	This is an interface to support third party modules
 ##	and its use is not allowed in upstream reference
 ##	policy.
 ##	</p>
 ## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
-template(`unprivuser_role_change_to_template',`
-	userdom_role_change_template(user, $1)
-')
-
-########################################
-## <summary>
-##	Create generic user home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_home_filetrans_home_dir',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_home_filetrans($1, user_home_dir_t, dir)
-')
-
-########################################
-## <summary>
-##	Search generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_search_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	allow $1 user_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create objects in generic user home directories
-##	with automatic file type transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.
-##	If not specified, file is used.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_home_dir_filetrans_home_content',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
-')
-
-########################################
-## <summary>
-##	Don't audit search on the user home subdirectory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_dontaudit_search_home_dirs',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	dontaudit $1 user_home_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create generic user home directories
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_create_home_dir',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete generic user
-##	home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	subdirectories of generic user
-##	home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_content_dirs',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-## <summary>
-##	Relabel to generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_relabelto_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir relabelto;
-')
-
-########################################
-## <summary>
-##	Read files in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_read_home_content_files',`
-	gen_require(`
-		type user_home_t, user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_t:dir list_dir_perms;
-	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-## <summary>
-##	Mmap of generic user
-##	home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_mmap_home_content_files',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_t:file execute;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_content_files',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to relabel generic user
-##	home files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_dontaudit_relabel_home_content_files',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	dontaudit $1 user_home_t:file { relabelto relabelfrom };
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic
-##	links in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_content_symlinks',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named
-##	pipes in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_content_pipes',`
+interface(`unprivuser_role_change_to',`
 	gen_require(`
-		type user_home_dir_t, user_home_t;
+		role user_r;
 	')
 
-	files_search_home($1)
-	manage_fifo_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	allow user_r $1;
 ')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named
-##	sockets in generic user home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unprivuser_manage_home_content_sockets',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 63f50c2..2183644 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
 
-policy_module(unprivuser, 1.1.0)
+policy_module(unprivuser, 2.0.0)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.
@@ -13,3 +13,143 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
+optional_policy(`
+	apache_role(user_r, user_t)
+')
+
+optional_policy(`
+	auth_role(user_r, user_t)
+')
+
+optional_policy(`
+	bluetooth_role(user_r, user_t)
+')
+
+optional_policy(`
+	cdrecord_role(user_r, user_t)
+')
+
+optional_policy(`
+	cron_role(user_r, user_t)
+')
+
+optional_policy(`
+	dbus_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	ethereal_role(user_r, user_t)
+')
+
+optional_policy(`
+	evolution_role(user_r, user_t)
+')
+
+optional_policy(`
+	games_role(user_r, user_t)
+')
+
+optional_policy(`
+	gift_role(user_r, user_t)
+')
+
+optional_policy(`
+	gnome_role(user_r, user_t)
+')
+
+optional_policy(`
+	gpg_role(user_r, user_t)
+')
+
+optional_policy(`
+	irc_role(user_r, user_t)
+')
+
+optional_policy(`
+	java_role(user_r, user_t)
+')
+
+optional_policy(`
+	lockdev_role(user_r, user_t)
+')
+
+optional_policy(`
+	lpd_role(user_r, user_t)
+')
+
+optional_policy(`
+	mozilla_role(user_r, user_t)
+')
+
+optional_policy(`
+	mplayer_role(user_r, user_t)
+')
+
+optional_policy(`
+	mta_role(user_r, user_t)
+')
+
+optional_policy(`
+	oident_manage_user_content(user_t)
+	oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
+	pyzor_role(user_r, user_t)
+')
+
+optional_policy(`
+	razor_role(user_r, user_t)
+')
+
+optional_policy(`
+	rssh_role(user_r, user_t)
+')
+
+optional_policy(`
+	screen_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	spamassassin_role(user_r, user_t)
+')
+
+optional_policy(`
+	ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	su_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	sudo_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	thunderbird_role(user_r, user_t)
+')
+
+optional_policy(`
+	tvtime_role(user_r, user_t)
+')
+
+optional_policy(`
+	uml_role(user_r, user_t)
+')
+
+optional_policy(`
+	userhelper_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+	vmware_role(user_r, user_t)
+')
+
+optional_policy(`
+	wireshark_role(user_r, user_t)
+')
+
+optional_policy(`
+	xserver_role(user_r, user_t)
+')
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 7f193c4..b571424 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
 
-policy_module(afs, 1.3.0)
+policy_module(afs, 1.3.1)
 
 ########################################
 #
@@ -180,7 +180,7 @@ seutil_read_config(afs_fsserver_t)
 
 sysnet_read_config(afs_fsserver_t)
 
-sysadm_dontaudit_use_terms(afs_fsserver_t)
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
 
 ########################################
 #
@@ -225,7 +225,7 @@ seutil_read_config(afs_kaserver_t)
 
 sysnet_read_config(afs_kaserver_t)
 
-sysadm_dontaudit_use_terms(afs_kaserver_t)
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
 
 ########################################
 #
@@ -263,7 +263,7 @@ miscfiles_read_localization(afs_ptserver_t)
 
 sysnet_read_config(afs_ptserver_t)
 
-sysadm_dontaudit_use_terms(afs_ptserver_t)
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
 ########################################
 #
@@ -301,4 +301,4 @@ miscfiles_read_localization(afs_vlserver_t)
 
 sysnet_read_config(afs_vlserver_t)
 
-sysadm_dontaudit_use_terms(afs_vlserver_t)
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index c656fa9..5b8def1 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -33,11 +33,6 @@ interface(`aide_domtrans',`
 ##	The role to allow the AIDE domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the AIDE domain to use.
-##	</summary>
-## </param>
 #
 interface(`aide_run',`
 	gen_require(`
@@ -46,7 +41,6 @@ interface(`aide_run',`
 
 	aide_domtrans($1)
 	role $2 types aide_t;
-	allow aide_t $3:chr_file rw_chr_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index af51f7f..aa3692c 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -1,5 +1,5 @@
 
-policy_module(aide, 1.4.0)
+policy_module(aide, 1.4.1)
 
 ########################################
 #
@@ -37,3 +37,5 @@ files_read_all_files(aide_t)
 logging_send_audit_msgs(aide_t)
 
 seutil_use_newrole_fds(aide_t)
+
+userdom_use_user_terminals(aide_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 42ffed8..6a9b4f7 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis, 1.8.0)
+policy_module(amavis, 1.8.1)
 
 ########################################
 #
@@ -145,6 +145,8 @@ miscfiles_read_localization(amavis_t)
 sysnet_dns_name_resolve(amavis_t)
 sysnet_use_ldap(amavis_t)
 
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
 # Cron handling
 cron_use_fds(amavis_t)
 cron_use_system_job_fds(amavis_t)
@@ -152,8 +154,6 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
-sysadm_dontaudit_search_home_dirs(amavis_t)
-
 optional_policy(`
 	clamav_stream_connect(amavis_t)
 	clamav_domtrans_clamscan(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 7bb7be7..afcb9bd 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,4 +1,4 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 
 /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 7946f40..bae17ed 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -238,107 +238,71 @@ template(`apache_content_template',`
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the apache module.
+##	Role access for apache
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates types used for web pages
-##	and web cgi to be used from the user home directory.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`apache_per_role_template', `
+interface(`apache_role',`
 	gen_require(`
-		attribute httpdcontent, httpd_script_domains;
-		attribute httpd_exec_scripts, httpd_user_content_type;
-		attribute httpd_user_script_exec_type;
-		type httpd_t, httpd_suexec_t, httpd_log_t;
+		attribute httpdcontent;
+		type httpd_user_content_t, httpd_user_htaccess_t;
+		type httpd_user_script_t, httpd_user_script_exec_t;
+		type httpd_user_script_ra_t, httpd_user_script_ro_t;
+		type httpd_user_script_rw_t;
 	')
 
-	apache_content_template($1)
-
-	typeattribute httpd_$1_content_t httpd_user_content_type;
-	typeattribute httpd_$1_script_ra_t httpd_user_content_type;
-	typeattribute httpd_$1_script_rw_t httpd_user_content_type;
-	typeattribute httpd_$1_script_ro_t httpd_user_content_type;
-	typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
-
-	typeattribute httpd_$1_script_t httpd_script_domains;
-	userdom_user_home_content($1,httpd_$1_content_t)
+	role $1 types httpd_user_script_t;
 
-	role $3 types httpd_$1_script_t;
+	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-	allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
 
-	allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+	manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+	manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+	manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+	relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+	relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+	relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
 
-	manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
+	manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+	manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+	manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+	relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+	relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+	relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
 
-	manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+	manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+	manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+	manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+	relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+	relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+	relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
 
-	manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-
-	manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+	manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+	manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+	manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+	relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+	relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+	relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
 
 	tunable_policy(`httpd_enable_cgi',`
 		# If a user starts a script by hand it gets the proper context
-		domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
 	')
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-		allow httpd_$1_script_t httpdcontent:file entrypoint;
-
-		domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
-	')
-
-	# allow accessing files/dirs below the users home dir
-	tunable_policy(`httpd_enable_homedirs',`
-		userdom_search_user_home_dirs($1,httpd_t)
-		userdom_search_user_home_dirs($1,httpd_suexec_t)
-		userdom_search_user_home_dirs($1,httpd_$1_script_t)
+		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
 	')
 ')
 
@@ -346,52 +310,40 @@ template(`apache_per_role_template', `
 ## <summary>
 ##	Read httpd user scripts executables.
 ## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Prefix of the domain. Example, user would be
-##	the prefix for the uder_t domain.
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`apache_read_user_scripts',`
+interface(`apache_read_user_scripts',`
 	gen_require(`
-		type httpd_$1_script_exec_t;
+		type httpd_user_script_exec_t;
 	')
 
-	allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
-	read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
-	read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
 ')
 
 ########################################
 ## <summary>
 ##	Read user web content.
 ## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	Prefix of the domain. Example, user would be
-##	the prefix for the uder_t domain.
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`apache_read_user_content',`
+interface(`apache_read_user_content',`
 	gen_require(`
-		type httpd_$1_content_t;
+		type httpd_user_content_t;
 	')
 
-	allow $2 httpd_$1_content_t:dir list_dir_perms;
-	read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
-	read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
+	allow $1 httpd_user_content_t:dir list_dir_perms;
+	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
 ')
 
 ########################################
@@ -630,11 +582,6 @@ interface(`apache_domtrans_helper',`
 ##	The role to be allowed the dmidecode domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dmidecode domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`apache_run_helper',`
@@ -644,7 +591,6 @@ interface(`apache_run_helper',`
 
 	apache_domtrans_helper($1)
 	role $2 types httpd_helper_t;
-	allow httpd_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -913,8 +859,6 @@ interface(`apache_domtrans_all_scripts',`
 ##	</summary>
 ## </param>
 #
-# cjp: this is missing the terminal since scripts
-# do not output to the terminal
 interface(`apache_run_all_scripts',`
 	gen_require(`
 		attribute httpd_exec_scripts, httpd_script_domains;
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ab19229..2afa17f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,18 +1,17 @@
 
-policy_module(apache, 1.11.0)
+policy_module(apache, 2.0.0)
 
 #
 # NOTES: 
 #  This policy will work with SUEXEC enabled as part of the Apache
 #  configuration. However, the user CGI scripts will run under the
-#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-#  of the creating user.
+#  system_u:system_r:httpd_user_script_t.
 #
-#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+#  The user CGI scripts must be labeled with the httpd_user_script_exec_t
 #  type, and the directory containing the scripts should also be labeled
-#  with these types. This policy allows user_r role to perform that 
-#  relabeling. If it is desired that only sysadm_r should be able to relabel
-#  the user CGI scripts, then relabel rule for user_r should be removed.
+#  with these types. This policy allows the user role to perform that 
+#  relabeling. If it is desired that only admin role should be able to relabel
+#  the user CGI scripts, then relabel rule for user roles should be removed.
 #
 
 ########################################
@@ -187,6 +186,30 @@ files_tmp_file(httpd_tmp_t)
 type httpd_tmpfs_t;
 files_tmpfs_file(httpd_tmpfs_t)
 
+apache_content_template(user)
+ubac_constrained(httpd_user_script_t)
+userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_script_ra_t)
+userdom_user_home_content(httpd_user_script_ro_t)
+userdom_user_home_content(httpd_user_script_rw_t)
+typeattribute httpd_user_script_t httpd_script_domains;
+typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
+typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
+typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
+typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
 # for apache2 memory mapped files
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
@@ -393,7 +416,7 @@ tunable_policy(`httpd_enable_ftp_server',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_t)
+	userdom_read_user_home_content_files(httpd_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -418,12 +441,9 @@ tunable_policy(`httpd_ssi_exec',`
 # to run correctly without this permission, so the permission
 # are dontaudited here. 
 tunable_policy(`httpd_tty_comm',`
-	# cjp: this is redundant:
-	term_use_controlling_term(httpd_t)
-
-	sysadm_use_terms(httpd_t)
+	userdom_use_user_terminals(httpd_t)
 ',`
-	sysadm_dontaudit_use_terms(httpd_t)
+	userdom_dontaudit_use_user_terminals(httpd_t)
 ')
 
 optional_policy(`
@@ -513,9 +533,7 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
 
 logging_send_syslog_msg(httpd_helper_t)
 
-tunable_policy(`httpd_tty_comm',`
-	sysadm_use_terms(httpd_helper_t)
-')
+userdom_use_user_terminals(httpd_helper_t)
 
 ########################################
 #
@@ -628,7 +646,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -686,7 +704,7 @@ ifdef(`distro_redhat',`
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
+	userdom_read_user_home_content_files(httpd_sys_script_t)
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -728,3 +746,19 @@ files_read_etc_files(httpd_rotatelogs_t)
 logging_search_logs(httpd_rotatelogs_t)
 
 miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# User content local policy
+#
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+	allow httpd_user_script_t httpdcontent:file entrypoint;
+')
+
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+	userdom_search_user_home_dirs(httpd_t)
+	userdom_search_user_home_dirs(httpd_suexec_t)
+	userdom_search_user_home_dirs(httpd_user_script_t)
+')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 2a96926..e565c32 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
 
-policy_module(apcupsd, 1.4.0)
+policy_module(apcupsd, 1.4.1)
 
 ########################################
 #
@@ -88,8 +88,7 @@ miscfiles_read_localization(apcupsd_t)
 
 sysnet_dns_name_resolve(apcupsd_t)
 
-userdom_use_unpriv_users_ttys(apcupsd_t)
-userdom_use_unpriv_users_ptys(apcupsd_t)
+userdom_use_user_ttys(apcupsd_t)
 
 optional_policy(`
 	hostname_exec(apcupsd_t)
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 80c7780..2490ed7 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
 
-policy_module(apm, 1.8.0)
+policy_module(apm, 1.8.1)
 
 ########################################
 #
@@ -133,9 +133,8 @@ modutils_read_module_config(apmd_t)
 seutil_dontaudit_read_config(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
-
-sysadm_dontaudit_search_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
 
 ifdef(`distro_redhat',`
 	allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -225,5 +224,5 @@ optional_policy(`
 
 # cjp: related to sleep/resume (?)
 optional_policy(`
-	xserver_domtrans_xdm_xserver(apmd_t)
+	xserver_domtrans(apmd_t)
 ')
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index efff63c..27bf9ad 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(arpwatch, 1.6.0)
+policy_module(arpwatch, 1.6.1)
 
 ########################################
 #
@@ -77,12 +77,11 @@ logging_send_syslog_msg(arpwatch_t)
 
 miscfiles_read_localization(arpwatch_t)
 
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 
 mta_send_mail(arpwatch_t)
 
-sysadm_dontaudit_search_home_dirs(arpwatch_t)
-
 optional_policy(`
 	seutil_sigchld_newrole(arpwatch_t)
 ')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 5aaa127..6f1f982 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
 
-policy_module(asterisk, 1.5.0)
+policy_module(asterisk, 1.5.1)
 
 ########################################
 #
@@ -123,8 +123,7 @@ miscfiles_read_localization(asterisk_t)
 sysnet_read_config(asterisk_t)
 
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-
-sysadm_dontaudit_search_home_dirs(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
 
 optional_policy(`
 	nis_use_ypbind(asterisk_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 66672f4..64a716a 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy, 1.4.0)
+policy_module(audio_entropy, 1.4.1)
 
 ########################################
 #
@@ -46,8 +46,7 @@ logging_send_syslog_msg(entropyd_t)
 miscfiles_read_localization(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-
-sysadm_dontaudit_search_home_dirs(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(entropyd_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 61b06c6..43192df 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount, 1.10.0)
+policy_module(automount, 1.10.1)
 
 ########################################
 #
@@ -144,8 +144,7 @@ miscfiles_read_certs(automount_t)
 mount_domtrans(automount_t)
 
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
-
-sysadm_dontaudit_search_home_dirs(automount_t)
+userdom_dontaudit_search_user_home_dirs(automount_t)
 
 optional_policy(`
 	bind_search_cache(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index dddae90..8120ad5 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi, 1.9.0)
+policy_module(avahi, 1.9.1)
 
 ########################################
 #
@@ -75,11 +75,10 @@ logging_send_syslog_msg(avahi_t)
 miscfiles_read_localization(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-
-sysadm_dontaudit_search_home_dirs(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(avahi,avahi_t)
+	dbus_system_bus_client(avahi_t)
 	dbus_connect_system_bus(avahi_t)
 
 	init_dbus_chat_script(avahi_t)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index d089eff..c28e4d9 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -51,11 +51,6 @@ interface(`bind_signal',`
 ##	The role to be allowed the bind domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bind domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`bind_run_ndc',`
@@ -65,7 +60,6 @@ interface(`bind_run_ndc',`
 
 	bind_domtrans_ndc($1)
 	role $2 types ndc_t;
-	allow ndc_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4ceaab3..77dfd18 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind, 1.8.0)
+policy_module(bind, 1.8.1)
 
 ########################################
 #
@@ -147,8 +147,7 @@ miscfiles_read_certs(named_t)
 sysnet_read_config(named_t)
 
 userdom_dontaudit_use_unpriv_user_fds(named_t)
-
-sysadm_dontaudit_search_home_dirs(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
 
 tunable_policy(`named_write_master_zones',`
 	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
@@ -161,7 +160,7 @@ optional_policy(`
 
 	sysnet_dbus_chat_dhcpc(named_t)
 
-	dbus_system_bus_client_template(named, named_t)
+	dbus_system_bus_client(named_t)
 	dbus_connect_system_bus(named_t)
 
 	optional_policy(`
@@ -241,6 +240,8 @@ miscfiles_read_localization(ndc_t)
 sysnet_read_config(ndc_t)
 sysnet_dns_name_resolve(ndc_t)
 
+userdom_use_user_terminals(ndc_t)
+
 # for /etc/rndc.key
 ifdef(`distro_redhat',`
 	allow ndc_t named_conf_t:dir search;
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index deb7d45..edf2769 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -1,111 +1,40 @@
 ## <summary>Bluetooth tools and system services.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the bluetooth module.
+##	Role access for bluetooth
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates derived domains which are used
-##	for bluetooth.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`bluetooth_per_role_template',`
+interface(`bluetooth_role',`
 	gen_require(`
-		attribute bluetooth_helper_domain;
-		type bluetooth_helper_exec_t, bluetooth_t;
+		type bluetooth_helper_t, bluetooth_helper_exec_t;
+		type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
 	')
 
-	type $1_bluetooth_t, bluetooth_helper_domain;
-	application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
-	role $3 types $1_bluetooth_t;
-
-	type $1_bluetooth_tmp_t;
-	files_tmp_file($1_bluetooth_tmp_t)
-
-	type $1_bluetooth_tmpfs_t;
-	files_tmpfs_file($1_bluetooth_tmpfs_t)
-
-	allow $1_bluetooth_t self:capability sys_nice;
-	allow $1_bluetooth_t self:process getsched;
-	allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms;
-	allow $1_bluetooth_t self:shm create_shm_perms;
-	allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_bluetooth_t self:tcp_socket create_socket_perms;
-	allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms;
-
-	allow $1_bluetooth_t bluetooth_t:socket { read write };
-
-	manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
-	manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
-	manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
-	files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file })
-
-	manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
-	manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
-	fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file })
-
-	kernel_read_system_state($1_bluetooth_t)
-	kernel_read_kernel_sysctls($1_bluetooth_t)
+	role $1 types bluetooth_helper_t;
 
-	dev_read_urand($1_bluetooth_t)
+	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
 
-	term_dontaudit_use_all_user_ttys($1_bluetooth_t)
+	# allow ps to show cdrecord and allow the user to kill it 
+	ps_process_pattern($2, bluetooth_helper_t)
+	allow $2 bluetooth_helper_t:process signal;
 
-	corecmd_exec_bin($1_bluetooth_t)
-	corecmd_exec_shell($1_bluetooth_t)
+	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+	manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 
-	domain_read_all_domains_state($1_bluetooth_t)
-
-	files_read_etc_files($1_bluetooth_t)
-	files_read_etc_runtime_files($1_bluetooth_t)
-	files_read_usr_files($1_bluetooth_t)
-	files_dontaudit_list_default($1_bluetooth_t)
-
-	locallogin_dontaudit_use_fds($1_bluetooth_t)
-
-	logging_send_syslog_msg($1_bluetooth_t)
-
-	miscfiles_read_localization($1_bluetooth_t) 
-
-	sysnet_read_config($1_bluetooth_t)
-
-	optional_policy(`
-		bluetooth_dbus_chat($1_bluetooth_t)
-
-		dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t)
-		dbus_connect_system_bus($1_bluetooth_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_bluetooth_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_bluetooth, $1_bluetooth_t, $1_bluetooth_tmpfs_t)
-	')
+	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
 ')
 
 ########################################
@@ -207,7 +136,7 @@ interface(`bluetooth_run_helper',`
 
 ########################################
 ## <summary>
-##	Read bluetooth helper files.
+##	Read bluetooth helper state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -215,11 +144,11 @@ interface(`bluetooth_run_helper',`
 ##	</summary>
 ## </param>
 #
-interface(`bluetooth_dontaudit_read_helper_files',`
+interface(`bluetooth_dontaudit_read_helper_state',`
 	gen_require(`
-		attribute bluetooth_helper_domain;
+		type bluetooth_helper_t;
 	')
 
-	dontaudit $1 bluetooth_helper_domain:dir search;
-	dontaudit $1 bluetooth_helper_domain:file { read getattr };
+	dontaudit $1 bluetooth_helper_t:dir search;
+	dontaudit $1 bluetooth_helper_t:file { read getattr };
 ')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 0da2c88..302dd11 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth, 2.2.0)
+policy_module(bluetooth, 3.0.0)
 
 ########################################
 #
@@ -15,10 +15,24 @@ files_type(bluetooth_conf_t)
 type bluetooth_conf_rw_t;
 files_type(bluetooth_conf_rw_t)
 
-attribute bluetooth_helper_domain;
-
+type bluetooth_helper_t;
 type bluetooth_helper_exec_t;
-application_executable_file(bluetooth_helper_exec_t)
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+ubac_constrained(bluetooth_helper_t)
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+files_tmp_file(bluetooth_helper_tmp_t)
+ubac_constrained(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+files_tmpfs_file(bluetooth_helper_tmpfs_t)
+ubac_constrained(bluetooth_helper_tmpfs_t)
 
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
@@ -118,12 +132,11 @@ miscfiles_read_fonts(bluetooth_t)
 sysnet_read_config(bluetooth_t)
 
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-
-sysadm_dontaudit_use_ptys(bluetooth_t)
-sysadm_dontaudit_search_home_dirs(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(bluetooth, bluetooth_t)
+	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
 ')
 
@@ -142,3 +155,67 @@ optional_policy(`
 optional_policy(`
 	ppp_domtrans(bluetooth_t)
 ')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t) 
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+	bluetooth_dbus_chat(bluetooth_helper_t)
+
+	dbus_system_bus_client(bluetooth_helper_t)
+	dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+	nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 5f14678..110f2fa 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
 
-policy_module(canna, 1.8.0)
+policy_module(canna, 1.8.1)
 
 ########################################
 #
@@ -78,8 +78,7 @@ miscfiles_read_localization(canna_t)
 sysnet_read_config(canna_t)
 
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
-
-sysadm_dontaudit_search_home_dirs(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
 
 optional_policy(`
 	nis_use_ypbind(canna_t)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index 5dc0c2d..50aba89 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -32,11 +32,6 @@ interface(`clockspeed_domtrans_cli',`
 ##	The role to be allowed the clockspeed_cli domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clockspeed_cli domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`clockspeed_run_cli',`
@@ -46,6 +41,4 @@ interface(`clockspeed_run_cli',`
 
 	role $2 types clockspeed_cli_t;
 	clockspeed_domtrans_cli($1)
-	allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
-
 ')
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index f1699bc..075a7ea 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -1,5 +1,5 @@
 
-policy_module(clockspeed, 1.3.0)
+policy_module(clockspeed, 1.3.1)
 
 ########################################
 #
@@ -39,6 +39,8 @@ files_read_etc_files(clockspeed_cli_t)
 
 miscfiles_read_localization(clockspeed_cli_t)
 
+userdom_use_user_terminals(clockspeed_cli_t)
+
 ########################################
 #
 # Server local policy
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 4881daf..5e1df3a 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
 
-policy_module(comsat, 1.5.0)
+policy_module(comsat, 1.5.1)
 
 ########################################
 #
@@ -66,9 +66,9 @@ logging_send_syslog_msg(comsat_t)
 
 miscfiles_read_localization(comsat_t)
 
-mta_getattr_spool(comsat_t)
+userdom_dontaudit_getattr_user_ttys(comsat_t)
 
-sysadm_dontaudit_getattr_ttys(comsat_t)
+mta_getattr_spool(comsat_t)
 
 optional_policy(`
 	kerberos_use(comsat_t)
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 33deb95..f483a16 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -1,5 +1,5 @@
 
-policy_module(consolekit, 1.3.0)
+policy_module(consolekit, 1.3.1)
 
 ########################################
 #
@@ -50,7 +50,7 @@ auth_use_nsswitch(consolekit_t)
 miscfiles_read_localization(consolekit_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(consolekit, consolekit_t)
+	dbus_system_bus_client(consolekit_t)
 	dbus_connect_system_bus(consolekit_t)
 
 	hal_dbus_chat(consolekit_t)
@@ -61,6 +61,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_read_all_users_xauth(consolekit_t)
-	xserver_stream_connect_xdm_xserver(consolekit_t)
+	xserver_read_user_xauth(consolekit_t)
+	xserver_stream_connect(consolekit_t)
 ')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 768c1da..475e509 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier, 1.6.0)
+policy_module(courier, 1.6.1)
 
 ########################################
 #
@@ -67,12 +67,10 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
 # should not be needed!
-userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
+userdom_search_user_home_dirs(courier_authdaemon_t)
 
 courier_domtrans_pop(courier_authdaemon_t)
 
-sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
-
 ########################################
 #
 # Calendar (PCP) local policy
@@ -100,12 +98,12 @@ miscfiles_read_localization(courier_pop_t)
 courier_domtrans_authdaemon(courier_pop_t)
 
 # do the actual work (read the Maildir)
-userdom_manage_unpriv_users_home_content_files(courier_pop_t)
+userdom_manage_user_home_content_files(courier_pop_t)
 # cjp: the fact that this is different for pop vs imap means that
 # there should probably be a courier_pop_t and courier_imap_t
 # this should also probably be a separate type too instead of
 # the regular home dir
-userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+userdom_manage_user_home_content_dirs(courier_pop_t)
 
 ########################################
 #
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index fb0d378..969629e 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -41,7 +41,7 @@ ifdef(`distro_suse', `
 #/var/spool/cron/crontabs/root	--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
 
 /var/spool/fcron		-d	gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.*			<<none>>
+/var/spool/fcron/[^/]*			<<none>>
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 0822ff9..e75526a 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -2,307 +2,234 @@
 
 #######################################
 ## <summary>
-##	The per role template for the cron module.
+##	The common rules for a crontab domain.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for running programs on behalf of the user, from cron.
-##	A type for the user crontab is also created.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
 ## <param name="userdomain_prefix">
 ##	<summary>
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
 #
-template(`cron_per_role_template',`
-	gen_require(`
-		attribute cron_spool_type;
-		type crond_t, cron_spool_t, crontab_exec_t;
-		class dbus send_msg;
-	')
-
-	# Type of user crontabs once moved to cron spool.
-	type $1_cron_spool_t, cron_spool_type;
-	files_type($1_cron_spool_t)
-
-	type $1_crond_t;
-	domain_type($1_crond_t)
-	domain_cron_exemption_target($1_crond_t)
-	corecmd_shell_entry_type($1_crond_t)
-	role $3 types $1_crond_t;
+template(`cron_common_crontab_template',`
+	##############################
+	#
+	# Declarations
+	#
 
-	type $1_crontab_t;
-	application_domain($1_crontab_t, crontab_exec_t)
-	role $3 types $1_crontab_t;
+	type $1_t;
+	application_domain($1_t, crontab_exec_t)
+	ubac_constrained($1_t)
 
-	type $1_crontab_tmp_t;
-	files_tmp_file($1_crontab_tmp_t)
+	type $1_tmp_t;
+	files_tmp_file($1_tmp_t)
 
 	##############################
 	#
-	# $1_crond_t local policy
+	# Local policy
 	#
 
-	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { signal_perms setsched };
-	allow $1_crond_t self:fifo_file rw_fifo_file_perms;
-	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
-	# The entrypoint interface is not used as this is not
-	# a regular entrypoint.  Since crontab files are
-	# not directly executed, crond must ensure that
-	# the crontab file has a type that is appropriate
-	# for the domain of the user cron job.  It
-	# performs an entrypoint permission check
-	# for this purpose.
-	allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-	# Permit a transition from the crond_t domain to this domain.
-	# The transition is requested explicitly by the modified crond 
-	# via setexeccon.  There is no way to set up an automatic
-	# transition, since crontabs are configuration files, not executables.
-	allow crond_t $1_crond_t:process transition;
-	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-	allow crond_t $1_crond_t:fd use;
-	allow $1_crond_t crond_t:fd use;
-	allow $1_crond_t crond_t:fifo_file rw_file_perms;
-	allow $1_crond_t crond_t:process sigchld;
-
-	kernel_read_system_state($1_crond_t)
-	kernel_read_kernel_sysctls($1_crond_t)
-
-	# ps does not need to access /boot when run from cron
-	files_dontaudit_search_boot($1_crond_t)
-
-	corenet_all_recvfrom_unlabeled($1_crond_t)
-	corenet_all_recvfrom_netlabel($1_crond_t)
-	corenet_tcp_sendrecv_all_if($1_crond_t)
-	corenet_udp_sendrecv_all_if($1_crond_t)
-	corenet_tcp_sendrecv_all_nodes($1_crond_t)
-	corenet_udp_sendrecv_all_nodes($1_crond_t)
-	corenet_tcp_sendrecv_all_ports($1_crond_t)
-	corenet_udp_sendrecv_all_ports($1_crond_t)
-	corenet_tcp_connect_all_ports($1_crond_t)
-	corenet_sendrecv_all_client_packets($1_crond_t)
-
-	dev_read_urand($1_crond_t)
-
-	fs_getattr_all_fs($1_crond_t)
-
-	corecmd_exec_all_executables($1_crond_t)
-
-	# quiet other ps operations
-	domain_dontaudit_read_all_domains_state($1_crond_t)
-	domain_dontaudit_getattr_all_domains($1_crond_t)
-
-	files_read_usr_files($1_crond_t)
-	files_exec_etc_files($1_crond_t)
-	# for nscd:
-	files_dontaudit_search_pids($1_crond_t)
-
-	libs_exec_lib_files($1_crond_t)
-	libs_exec_ld_so($1_crond_t)
-
-	files_read_etc_runtime_files($1_crond_t)
-	files_read_var_files($1_crond_t)
-	files_search_spool($1_crond_t)
-
-	logging_search_logs($1_crond_t)
-
-	seutil_read_config($1_crond_t)
-
-	miscfiles_read_localization($1_crond_t)
-
-	userdom_manage_user_tmp_files($1, $1_crond_t)
-	userdom_manage_user_tmp_symlinks($1, $1_crond_t)
-	userdom_manage_user_tmp_pipes($1, $1_crond_t)
-	userdom_manage_user_tmp_sockets($1, $1_crond_t)
-	# Run scripts in user home directory and access shared libs.
-	userdom_exec_user_home_content_files($1, $1_crond_t)
-	# Access user files and dirs.
-#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
-	userdom_manage_user_home_content_files($1, $1_crond_t)
-	userdom_manage_user_home_content_symlinks($1, $1_crond_t)
-	userdom_manage_user_home_content_pipes($1, $1_crond_t)
-	userdom_manage_user_home_content_sockets($1, $1_crond_t)
-#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
-
-	tunable_policy(`fcron_crond', `
-		allow crond_t $1_cron_spool_t:file manage_file_perms;
-	')
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_t self:capability { fowner setuid setgid chown dac_override };
+	allow $1_t self:process signal_perms;
 
-	# need a per-role version of this:
-	#optional_policy(`
-	#	mono_domtrans($1_crond_t)
-	#')
+	allow $1_t $1_tmp_t:file manage_file_perms;
+	files_tmp_filetrans($1_t,$1_tmp_t,file)
 
-	optional_policy(`
-		dbus_stub($1_crond_t)
+	# create files in /var/spool/cron
+	# cjp: change this to a role transition
+	manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+	filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+	files_search_spool($1_t)
 
-		allow $1_crond_t $2:dbus send_msg;
-	')		
+	# crontab signals crond by updating the mtime on the spooldir
+	allow $1_t cron_spool_t:dir setattr;
 
-	optional_policy(`
-		nis_use_ypbind($1_crond_t)
-	')
+	kernel_read_system_state($1_t)
 
-	ifdef(`TODO',`
-	optional_policy(`
-		create_dir_file($1_crond_t, httpd_$1_content_t)
-	')
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
+	# for the checks used by crontab -u
+	selinux_dontaudit_search_fs($1_t)
 
-	ifdef(`mta.te', `
-		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+	fs_getattr_xattr_fs($1_t)
 
-		# $1_mail_t should only be reading from the cron fifo not needing to write
-		dontaudit $1_mail_t crond_t:fifo_file write;
-		allow mta_user_agent $1_crond_t:fd use;
-	')
-	') dnl endif TODO
+	domain_use_interactive_fds($1_t)
 
-	##############################
-	#
-	# $1_crontab_t local policy
-	#
+	files_read_etc_files($1_t)
+	files_dontaudit_search_pids($1_t)
 
-	# dac_override is to create the file in the directory under /tmp
-	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-	allow $1_crontab_t self:process signal_perms;
+	logging_send_syslog_msg($1_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+	miscfiles_read_localization($1_t)
 
-	# crontab shows up in user ps
-	ps_process_pattern($2, $1_crontab_t)
+	seutil_read_config($1_t)
 
-	# for ^Z
-	allow $2 $1_crontab_t:process signal;
+	userdom_manage_user_tmp_dirs($1_t)
+	userdom_manage_user_tmp_files($1_t)
+	# Access terminals.
+	userdom_use_user_terminals($1_t)
+	# Read user crontabs
+	userdom_read_user_home_content_files($1_t)
 
-	# Allow crond to read those crontabs in cron spool.
-	allow crond_t $1_cron_spool_t:file manage_file_perms;
+	tunable_policy(`fcron_crond',`
+		# fcron wants an instant update of a crontab change for the administrator
+		# also crontab does a security check for crontab -u
+		dontaudit $1_t crond_t:process signal;
+	')
 
-	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file)
+	optional_policy(`
+		nscd_socket_use($1_t)
+	')
+')
 
-	# create files in /var/spool/cron
-	manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
-	filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
-	files_search_spool($1_crontab_t)
+########################################
+## <summary>
+##	Role access for cron
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`cron_role',`
+	gen_require(`
+		type cronjob_t, crontab_t, crontab_exec_t;
+	')
 
-	# crontab signals crond by updating the mtime on the spooldir
-	allow $1_crontab_t cron_spool_t:dir setattr;
+	role $1 types { cronjob_t crontab_t };
 
-	kernel_read_system_state($1_crontab_t)
+	# cronjob shows up in user ps
+	ps_process_pattern($2, cronjob_t)
 
-	# for the checks used by crontab -u
-	selinux_dontaudit_search_fs($1_crontab_t)
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
-	fs_getattr_xattr_fs($1_crontab_t)
+	# crontab shows up in user ps
+	ps_process_pattern($2, crontab_t)
+	allow $2 crontab_t:process signal;
 
 	# Run helper programs as the user domain
-	corecmd_bin_domtrans($1_crontab_t, $2)
-	corecmd_shell_domtrans($1_crontab_t, $2)
+	#corecmd_bin_domtrans(crontab_t, $2)
+	#corecmd_shell_domtrans(crontab_t, $2)
+	corecmd_exec_bin(crontab_t)
+	corecmd_exec_shell(crontab_t)
+
+	optional_policy(`
+		gen_require(`
+			class dbus send_msg;
+		')
 
-	domain_use_interactive_fds($1_crontab_t)
+		dbus_stub(cronjob_t)
+
+		allow cronjob_t $2:dbus send_msg;
+	')		
+')
 
-	files_read_etc_files($1_crontab_t)
-	files_dontaudit_search_pids($1_crontab_t)
+########################################
+## <summary>
+##	Role access for unconfined cronjobs
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`cron_unconfined_role',`
+	gen_require(`
+		type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+	')
 
-	logging_send_syslog_msg($1_crontab_t)
+	role $1 types { unconfined_cronjob_t crontab_t };
 
-	miscfiles_read_localization($1_crontab_t)
+	# cronjob shows up in user ps
+	ps_process_pattern($2, unconfined_cronjob_t)
 
-	seutil_read_config($1_crontab_t)
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, crontab_exec_t, crontab_t)
 
-	userdom_manage_user_tmp_dirs($1, $1_crontab_t)
-	userdom_manage_user_tmp_files($1, $1_crontab_t)
-	# Access terminals.
-	userdom_use_user_terminals($1, $1_crontab_t)
-	# Read user crontabs
-	userdom_read_user_home_content_files($1, $1_crontab_t)
+	# crontab shows up in user ps
+	ps_process_pattern($2, crontab_t)
+	allow $2 crontab_t:process signal;
 
-	tunable_policy(`fcron_crond',`
-		# fcron wants an instant update of a crontab change for the administrator
-		# also crontab does a security check for crontab -u
-		dontaudit $1_crontab_t crond_t:process signal;
-	')
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(crontab_t, $2)
+	#corecmd_shell_domtrans(crontab_t, $2)
+	corecmd_exec_bin(crontab_t)
+	corecmd_exec_shell(crontab_t)
 
 	optional_policy(`
-		nscd_socket_use($1_crontab_t)
-	')
+		gen_require(`
+			class dbus send_msg;
+		')
 
-	ifdef(`TODO',`
-	# Read user crontabs
-	dontaudit $1_crontab_t $1_home_dir_t:dir write;
-	') dnl endif TODO
+		dbus_stub(unconfined_cronjob_t)
+
+		allow unconfined_cronjob_t $2:dbus send_msg;
+	')		
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The administrative functions template for the cron module.
+##	Role access for cron
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating the cron service,
-##	allowing the specified user to manage other user crontabs.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`cron_admin_template',`
+interface(`cron_admin_role',`
 	gen_require(`
-		attribute cron_spool_type;
-		type $1_crontab_t, $1_crond_t;
+		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+		class passwd crontab;
 	')
 
-	# Allow our crontab domain to unlink a user cron spool file.
-	allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
+	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
 
-	logging_read_generic_logs($1_crond_t)
+	# cronjob shows up in user ps
+	ps_process_pattern($2, cronjob_t)
 
 	# Manipulate other users crontab.
-	selinux_get_fs_mount($1_crontab_t)
-	selinux_validate_context($1_crontab_t)
-	selinux_compute_access_vector($1_crontab_t)
-	selinux_compute_create_context($1_crontab_t)
-	selinux_compute_relabel_context($1_crontab_t)
-	selinux_compute_user_contexts($1_crontab_t)
-
-	tunable_policy(`fcron_crond', `
-		# fcron wants an instant update of a crontab change for the administrator
-		# also crontab does a security check for crontab -u
-		allow $1_crontab_t self:process setfscreate;
-		selinux_get_fs_mount($1_crontab_t)
-	')
+	allow $2 self:passwd crontab;
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+	# crontab shows up in user ps
+	ps_process_pattern($2, admin_crontab_t)
+	allow $2 admin_crontab_t:process signal;
+
+	# Run helper programs as the user domain
+	#corecmd_bin_domtrans(admin_crontab_t, $2)
+	#corecmd_shell_domtrans(admin_crontab_t, $2)
+	corecmd_exec_bin(admin_crontab_t)
+	corecmd_exec_shell(admin_crontab_t)
+
+	optional_policy(`
+		gen_require(`
+			class dbus send_msg;
+		')
+
+		dbus_stub(admin_cronjob_t)
+
+		allow cronjob_t $2:dbus send_msg;
+	')		
 ')
 
 ########################################
@@ -323,16 +250,16 @@ template(`cron_admin_template',`
 #
 interface(`cron_system_entry',`
 	gen_require(`
-		type crond_t, system_crond_t;
+		type crond_t, system_cronjob_t;
 	')
 
-	domain_auto_trans(system_crond_t, $2, $1)
+	domain_auto_trans(system_cronjob_t, $2, $1)
 
 	# cjp: perhaps these four rules from the old
 	# domain_auto_trans are not needed?
-	allow $1 system_crond_t:fd use;
-	allow $1 system_crond_t:fifo_file rw_file_perms;
-	allow $1 system_crond_t:process sigchld;
+	allow $1 system_cronjob_t:fd use;
+	allow $1 system_cronjob_t:fifo_file rw_file_perms;
+	allow $1 system_cronjob_t:process sigchld;
 
 	allow $1 crond_t:fifo_file rw_file_perms;
 	allow $1 crond_t:fd use;
@@ -481,10 +408,10 @@ interface(`cron_search_spool',`
 #
 interface(`cron_anacron_domtrans_system_job',`
 	gen_require(`
-		type system_crond_t, anacron_exec_t;
+		type system_cronjob_t, anacron_exec_t;
 	')
 
-	domtrans_pattern($1, anacron_exec_t, system_crond_t)
+	domtrans_pattern($1,anacron_exec_t,system_cronjob_t)
 ')
 
 ########################################
@@ -500,10 +427,10 @@ interface(`cron_anacron_domtrans_system_job',`
 #
 interface(`cron_use_system_job_fds',`
 	gen_require(`
-		type system_crond_t;
+		type system_cronjob_t;
 	')
 
-	allow $1 system_crond_t:fd use;
+	allow $1 system_cronjob_t:fd use;
 ')
 
 ########################################
@@ -518,10 +445,10 @@ interface(`cron_use_system_job_fds',`
 #
 interface(`cron_write_system_job_pipes',`
 	gen_require(`
-		type system_crond_t;
+		type system_cronjob_t;
 	')
 
-	allow $1 system_crond_t:file write;
+	allow $1 system_cronjob_t:file write;
 ')
 
 ########################################
@@ -536,10 +463,10 @@ interface(`cron_write_system_job_pipes',`
 #
 interface(`cron_rw_system_job_pipes',`
 	gen_require(`
-		type system_crond_t;
+		type system_cronjob_t;
 	')
 
-	allow $1 system_crond_t:fifo_file rw_fifo_file_perms;
+	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -554,11 +481,11 @@ interface(`cron_rw_system_job_pipes',`
 #
 interface(`cron_read_system_job_tmp_files',`
 	gen_require(`
-		type system_crond_tmp_t;
+		type system_cronjob_tmp_t;
 	')
 
 	files_search_tmp($1)
-	allow $1 system_crond_tmp_t:file read_file_perms;
+	allow $1 system_cronjob_tmp_t:file read_file_perms;
 ')
 
 ########################################
@@ -574,8 +501,8 @@ interface(`cron_read_system_job_tmp_files',`
 #
 interface(`cron_dontaudit_append_system_job_tmp_files',`
 	gen_require(`
-		type system_crond_tmp_t;
+		type system_cronjob_tmp_t;
 	')
 
-	dontaudit $1 system_crond_tmp_t:file append;
+	dontaudit $1 system_cronjob_tmp_t:file append;
 ')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d8ffcc3..a63ee63 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron, 1.9.0)
+policy_module(cron, 2.0.0)
 
 gen_require(`
 	class passwd rootok;
@@ -42,6 +42,14 @@ files_type(cron_var_lib_t)
 type cron_log_t;
 logging_log_file(cron_log_t)
 
+type cronjob_t;
+typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
+typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
+
 type crond_t;
 type crond_exec_t;
 init_daemon_domain(crond_t, crond_exec_t)
@@ -57,27 +65,69 @@ files_pid_file(crond_var_run_t)
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
 
+cron_common_crontab_template(admin_crontab)
+typealias admin_crontab_t alias sysadm_crontab_t;
+typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
+
+cron_common_crontab_template(crontab)
+typealias crontab_t alias { user_crontab_t staff_crontab_t };
+typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
-type system_crond_t;
-init_daemon_domain(system_crond_t, anacron_exec_t)
-corecmd_shell_entry_type(system_crond_t)
-role system_r types system_crond_t;
+type system_cronjob_t alias system_crond_t;
+init_daemon_domain(system_cronjob_t, anacron_exec_t)
+corecmd_shell_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
 
-type system_crond_lock_t;
-files_lock_file(system_crond_lock_t)
+type system_cronjob_lock_t alias system_crond_lock_t;
+files_lock_file(system_cronjob_lock_t)
 
-type system_crond_tmp_t;
-files_tmp_file(system_crond_tmp_t)
+type system_cronjob_tmp_t alias system_crond_tmp_t;
+files_tmp_file(system_cronjob_tmp_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
 ')
 
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+
+# Type of user crontabs once moved to cron spool.
+type user_cron_spool_t, cron_spool_type;
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
+
+########################################
+#
+# Admin crontab local policy
+#
+
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+
+# Manipulate other users crontab.
+selinux_get_fs_mount(admin_crontab_t)
+selinux_validate_context(admin_crontab_t)
+selinux_compute_access_vector(admin_crontab_t)
+selinux_compute_create_context(admin_crontab_t)
+selinux_compute_relabel_context(admin_crontab_t)
+selinux_compute_user_contexts(admin_crontab_t)
+
+tunable_policy(`fcron_crond', `
+	# fcron wants an instant update of a crontab change for the administrator
+	# also crontab does a security check for crontab -u
+	allow admin_crontab_t self:process setfscreate;
+')
+
 ########################################
 #
-# Cron Local policy
+# Cron daemon local policy
 #
 
 allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
@@ -155,7 +205,7 @@ miscfiles_read_localization(crond_t)
 
 userdom_use_unpriv_users_fds(crond_t)
 # Not sure why this is needed
-userdom_list_all_users_home_dirs(crond_t)
+userdom_list_user_home_dirs(crond_t)
 
 mta_send_mail(crond_t)
 
@@ -218,22 +268,22 @@ optional_policy(`
 # System cron process domain
 #
 
-allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_crond_t self:process { signal_perms setsched };
-allow system_crond_t self:fifo_file rw_fifo_file_perms;
-allow system_crond_t self:passwd rootok;
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t self:passwd rootok;
 
 # This is to handle creation of files in /var/log directory.
 #  Used currently by rpm script log files
-allow system_crond_t cron_log_t:file manage_file_perms;
-logging_log_filetrans(system_crond_t, cron_log_t, file)
+allow system_cronjob_t cron_log_t:file manage_file_perms;
+logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
-allow system_crond_t cron_var_lib_t:file manage_file_perms;
-files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
-allow system_crond_t system_cron_spool_t:file read_file_perms;
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
@@ -241,193 +291,303 @@ allow system_crond_t system_cron_spool_t:file read_file_perms;
 # for the domain of the user cron job.  It
 # performs an entrypoint permission check
 # for this purpose.
-allow system_crond_t system_cron_spool_t:file entrypoint;
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
 
 # Permit a transition from the crond_t domain to this domain.
 # The transition is requested explicitly by the modified crond 
 # via setexeccon.  There is no way to set up an automatic
 # transition, since crontabs are configuration files, not executables.
-allow crond_t system_crond_t:process transition;
-dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
-allow crond_t system_crond_t:fd use;
-allow system_crond_t crond_t:fd use;
-allow system_crond_t crond_t:fifo_file rw_file_perms;
-allow system_crond_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
 
 # Write /var/lock/makewhatis.lock.
-allow system_crond_t system_crond_lock_t:file manage_file_perms;
-files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+files_lock_filetrans(system_cronjob_t,system_cronjob_lock_t,file)
 
 # write temporary files
-manage_files_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t)
-manage_lnk_files_pattern(system_crond_t,crond_tmp_t, system_crond_tmp_t)
-filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file)
+manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
 
 # Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+allow system_cronjob_t cron_spool_t:file read_file_perms;
 
-kernel_read_kernel_sysctls(system_crond_t)
-kernel_read_system_state(system_crond_t)
-kernel_read_software_raid_state(system_crond_t)
+kernel_read_kernel_sysctls(system_cronjob_t)
+kernel_read_system_state(system_cronjob_t)
+kernel_read_software_raid_state(system_cronjob_t)
 
 # ps does not need to access /boot when run from cron
-files_dontaudit_search_boot(system_crond_t)
+files_dontaudit_search_boot(system_cronjob_t)
 
-corecmd_exec_all_executables(system_crond_t)
+corecmd_exec_all_executables(system_cronjob_t)
 
-corenet_all_recvfrom_unlabeled(system_crond_t)
-corenet_all_recvfrom_netlabel(system_crond_t)
-corenet_tcp_sendrecv_all_if(system_crond_t)
-corenet_udp_sendrecv_all_if(system_crond_t)
-corenet_tcp_sendrecv_all_nodes(system_crond_t)
-corenet_udp_sendrecv_all_nodes(system_crond_t)
-corenet_tcp_sendrecv_all_ports(system_crond_t)
-corenet_udp_sendrecv_all_ports(system_crond_t)
+corenet_all_recvfrom_unlabeled(system_cronjob_t)
+corenet_all_recvfrom_netlabel(system_cronjob_t)
+corenet_tcp_sendrecv_all_if(system_cronjob_t)
+corenet_udp_sendrecv_all_if(system_cronjob_t)
+corenet_tcp_sendrecv_all_nodes(system_cronjob_t)
+corenet_udp_sendrecv_all_nodes(system_cronjob_t)
+corenet_tcp_sendrecv_all_ports(system_cronjob_t)
+corenet_udp_sendrecv_all_ports(system_cronjob_t)
 
-dev_getattr_all_blk_files(system_crond_t)
-dev_getattr_all_chr_files(system_crond_t)
-dev_read_urand(system_crond_t)
+dev_getattr_all_blk_files(system_cronjob_t)
+dev_getattr_all_chr_files(system_cronjob_t)
+dev_read_urand(system_cronjob_t)
 
-fs_getattr_all_fs(system_crond_t)
-fs_getattr_all_files(system_crond_t)
-fs_getattr_all_symlinks(system_crond_t)
-fs_getattr_all_pipes(system_crond_t)
-fs_getattr_all_sockets(system_crond_t)
+fs_getattr_all_fs(system_cronjob_t)
+fs_getattr_all_files(system_cronjob_t)
+fs_getattr_all_symlinks(system_cronjob_t)
+fs_getattr_all_pipes(system_cronjob_t)
+fs_getattr_all_sockets(system_cronjob_t)
 
 # quiet other ps operations
-domain_dontaudit_read_all_domains_state(system_crond_t)
-
-files_exec_etc_files(system_crond_t)
-files_read_etc_files(system_crond_t)
-files_read_etc_runtime_files(system_crond_t)
-files_list_all(system_crond_t)
-files_getattr_all_dirs(system_crond_t)
-files_getattr_all_files(system_crond_t)
-files_getattr_all_symlinks(system_crond_t)
-files_getattr_all_pipes(system_crond_t)
-files_getattr_all_sockets(system_crond_t)
-files_read_usr_files(system_crond_t)
-files_read_var_files(system_crond_t)
+domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+files_exec_etc_files(system_cronjob_t)
+files_read_etc_files(system_cronjob_t)
+files_read_etc_runtime_files(system_cronjob_t)
+files_list_all(system_cronjob_t)
+files_getattr_all_dirs(system_cronjob_t)
+files_getattr_all_files(system_cronjob_t)
+files_getattr_all_symlinks(system_cronjob_t)
+files_getattr_all_pipes(system_cronjob_t)
+files_getattr_all_sockets(system_cronjob_t)
+files_read_usr_files(system_cronjob_t)
+files_read_var_files(system_cronjob_t)
 # for nscd:
-files_dontaudit_search_pids(system_crond_t)
+files_dontaudit_search_pids(system_cronjob_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
-files_manage_generic_spool(system_crond_t)
+files_manage_generic_spool(system_cronjob_t)
 
-init_use_script_fds(system_crond_t)
-init_read_utmp(system_crond_t)
-init_dontaudit_rw_utmp(system_crond_t)
+init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_write_initctl(system_cronjob_t)
 
-auth_use_nsswitch(system_crond_t)
+auth_use_nsswitch(system_cronjob_t)
 
-libs_exec_lib_files(system_crond_t)
-libs_exec_ld_so(system_crond_t)
+libs_exec_lib_files(system_cronjob_t)
+libs_exec_ld_so(system_cronjob_t)
 
-logging_read_generic_logs(system_crond_t)
-logging_send_syslog_msg(system_crond_t)
+logging_read_generic_logs(system_cronjob_t)
+logging_send_syslog_msg(system_cronjob_t)
 
-miscfiles_read_localization(system_crond_t)
-miscfiles_manage_man_pages(system_crond_t)
+miscfiles_read_localization(system_cronjob_t)
+miscfiles_manage_man_pages(system_cronjob_t)
 
-seutil_read_config(system_crond_t)
+seutil_read_config(system_cronjob_t)
 
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
 	optional_policy(`
-		rpm_manage_log(system_crond_t)
+		rpm_manage_log(system_cronjob_t)
 	')
 ')
 
 tunable_policy(`cron_can_relabel',`
-	seutil_domtrans_setfiles(system_crond_t)
+	seutil_domtrans_setfiles(system_cronjob_t)
 ',`
-	selinux_get_fs_mount(system_crond_t)
-	selinux_validate_context(system_crond_t)
-	selinux_compute_access_vector(system_crond_t)
-	selinux_compute_create_context(system_crond_t)
-	selinux_compute_relabel_context(system_crond_t)
-	selinux_compute_user_contexts(system_crond_t)
-	seutil_read_file_contexts(system_crond_t)
+	selinux_get_fs_mount(system_cronjob_t)
+	selinux_validate_context(system_cronjob_t)
+	selinux_compute_access_vector(system_cronjob_t)
+	selinux_compute_create_context(system_cronjob_t)
+	selinux_compute_relabel_context(system_cronjob_t)
+	selinux_compute_user_contexts(system_cronjob_t)
+	seutil_read_file_contexts(system_cronjob_t)
 ')
 
 optional_policy(`
 	# Needed for certwatch
-	apache_exec_modules(system_crond_t)
-	apache_read_config(system_crond_t)
-	apache_read_log(system_crond_t)
-	apache_read_sys_content(system_crond_t)
+	apache_exec_modules(system_cronjob_t)
+	apache_read_config(system_cronjob_t)
+	apache_read_log(system_cronjob_t)
+	apache_read_sys_content(system_cronjob_t)
 ')
 
 optional_policy(`
-	cyrus_manage_data(system_crond_t)
+	cyrus_manage_data(system_cronjob_t)
 ')
 
 optional_policy(`
-	ftp_read_log(system_crond_t)
+	ftp_read_log(system_cronjob_t)
 ')
 
 optional_policy(`
-	inn_manage_log(system_crond_t)
-	inn_manage_pid(system_crond_t)
-	inn_read_config(system_crond_t)
+	inn_manage_log(system_cronjob_t)
+	inn_manage_pid(system_cronjob_t)
+	inn_read_config(system_cronjob_t)
 ')
 
 optional_policy(`
-	mrtg_append_create_logs(system_crond_t)
+	mrtg_append_create_logs(system_cronjob_t)
 ')
 
 optional_policy(`
-	mta_send_mail(system_crond_t)
+	mta_send_mail(system_cronjob_t)
 ')
 
 optional_policy(`
-	mysql_read_config(system_crond_t)
+	mysql_read_config(system_cronjob_t)
 ')
 
 optional_policy(`
-	postfix_read_config(system_crond_t)
+	postfix_read_config(system_cronjob_t)
 ')	
 
 optional_policy(`
-	prelink_read_cache(system_crond_t)
-	prelink_manage_log(system_crond_t)
-	prelink_delete_cache(system_crond_t)
+	prelink_read_cache(system_cronjob_t)
+	prelink_manage_log(system_cronjob_t)
+	prelink_delete_cache(system_cronjob_t)
 ')
 
 optional_policy(`
-	samba_read_config(system_crond_t)
-	samba_read_log(system_crond_t)
-	#samba_read_secrets(system_crond_t)
+	samba_read_config(system_cronjob_t)
+	samba_read_log(system_cronjob_t)
+	#samba_read_secrets(system_cronjob_t)
 ')
 
 optional_policy(`
-	slocate_create_append_log(system_crond_t)
+	slocate_create_append_log(system_cronjob_t)
 ')
 
 optional_policy(`
 	# cjp: why?
-	squid_domtrans(system_crond_t)
+	squid_domtrans(system_cronjob_t)
 ')
 
 optional_policy(`
-	sysstat_manage_log(system_crond_t)
+	sysstat_manage_log(system_cronjob_t)
 ')
 
 optional_policy(`
-	unconfined_domain(system_crond_t)
-
-	userdom_priveleged_home_dir_manager(system_crond_t)
+	unconfined_domain(system_cronjob_t)
+	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
 ifdef(`TODO',`
 ifdef(`mta.te', `
-allow system_crond_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_crond_t:fd use;
+allow system_cronjob_t mail_spool_t:lnk_file read;
+allow mta_user_agent system_cronjob_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')
 ') dnl end TODO
+
+########################################
+#
+# User cronjobs local policy
+#
+
+allow cronjob_t self:capability dac_override;
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+# The entrypoint interface is not used as this is not
+# a regular entrypoint.  Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job.  It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond 
+# via setexeccon.  There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_all_if(cronjob_t)
+corenet_udp_sendrecv_all_if(cronjob_t)
+corenet_tcp_sendrecv_all_nodes(cronjob_t)
+corenet_udp_sendrecv_all_nodes(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_read_usr_files(cronjob_t)
+files_exec_etc_files(cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(cronjob_t)
+
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_manage_user_tmp_files(cronjob_t)
+userdom_manage_user_tmp_symlinks(cronjob_t)
+userdom_manage_user_tmp_pipes(cronjob_t)
+userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
+userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
+userdom_manage_user_home_content_files(cronjob_t)
+userdom_manage_user_home_content_symlinks(cronjob_t)
+userdom_manage_user_home_content_pipes(cronjob_t)
+userdom_manage_user_home_content_sockets(cronjob_t)
+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+tunable_policy(`fcron_crond', `
+	allow crond_t user_cron_spool_t:file manage_file_perms;
+')
+
+# need a per-role version of this:
+#optional_policy(`
+#	mono_domtrans(cronjob_t)
+#')
+
+optional_policy(`
+	nis_use_ypbind(cronjob_t)
+')
+
+########################################
+#
+# Unconfined cronjobs local policy
+#
+
+optional_policy(`
+	unconfined_domain(unconfined_cronjob_t)
+')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 43bcd15..3b9dd1a 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups, 1.11.0)
+policy_module(cups, 1.11.1)
 
 ########################################
 #
@@ -221,7 +221,7 @@ seutil_read_config(cupsd_t)
 sysnet_read_config(cupsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
-userdom_dontaudit_search_all_users_home_content(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
 
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
@@ -239,7 +239,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(cupsd, cupsd_t)
+	dbus_system_bus_client(cupsd_t)
 
 	userdom_dbus_send_all_users(cupsd_t)
 
@@ -352,13 +352,12 @@ miscfiles_read_localization(cupsd_config_t)
 seutil_dontaudit_search_config(cupsd_config_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 
 cups_stream_connect(cupsd_config_t)
 
 lpd_read_config(cupsd_config_t)
 
-sysadm_dontaudit_search_home_dirs(cupsd_config_t)
-
 ifdef(`distro_redhat',`
 	init_getattr_script_files(cupsd_config_t)
 
@@ -372,7 +371,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(cupsd_config, cupsd_config_t)
+	dbus_system_bus_client(cupsd_config_t)
 	dbus_connect_system_bus(cupsd_config_t)
 
 	optional_policy(`
@@ -551,14 +550,13 @@ miscfiles_read_localization(hplip_t)
 sysnet_read_config(hplip_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_all_users_home_content(hplip_t)
+userdom_dontaudit_search_user_home_dirs(hplip_t)
+userdom_dontaudit_search_user_home_content(hplip_t)
 
 lpd_read_config(cupsd_t)
 
-sysadm_dontaudit_search_home_dirs(hplip_t)
-
 optional_policy(`
-	dbus_system_bus_client_template(hplip, hplip_t)
+	dbus_system_bus_client(hplip_t)
 ')
 
 optional_policy(`
@@ -628,7 +626,7 @@ miscfiles_read_localization(ptal_t)
 sysnet_read_config(ptal_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_all_users_home_content(ptal_t)
+userdom_dontaudit_search_user_home_content(ptal_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ptal_t)
diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
index 6e1c9fd..4bc1990 100644
--- a/policy/modules/services/cyphesis.te
+++ b/policy/modules/services/cyphesis.te
@@ -1,5 +1,5 @@
 
-policy_module(cyphesis, 1.0.0)
+policy_module(cyphesis, 1.0.1)
 
 ########################################
 #
@@ -73,7 +73,7 @@ sysnet_dns_name_resolve(cyphesis_t)
 # cyphesis wants to talk to avahi via dbus
 optional_policy(`
 	avahi_dbus_chat(cyphesis_t)
-	dbus_system_bus_client_template(cyphesis, cyphesis_t)
+	dbus_system_bus_client(cyphesis_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
index b4e232d..ff8f24d 100644
--- a/policy/modules/services/cyrus.if
+++ b/policy/modules/services/cyrus.if
@@ -79,4 +79,3 @@ interface(`cyrus_admin',`
 	files_list_pids($1)
 	admin_pattern($1, cyrus_var_run_t)
 ')
-
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index b8fe817..39b8b04 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
 
-policy_module(cyrus, 1.7.0)
+policy_module(cyrus, 1.7.1)
 
 ########################################
 #
@@ -108,14 +108,12 @@ miscfiles_read_certs(cyrus_t)
 
 sysnet_read_config(cyrus_t)
 
-userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
 userdom_use_unpriv_users_fds(cyrus_t)
+userdom_dontaudit_search_user_home_dirs(cyrus_t)
 
 mta_manage_spool(cyrus_t)
 mta_send_mail(cyrus_t)
 
-sysadm_dontaudit_search_home_dirs(cyrus_t)
-
 optional_policy(`
 	cron_system_entry(cyrus_t, cyrus_exec_t)
 ')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index fd80978..9231cd4 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
 
-policy_module(dante, 1.5.0)
+policy_module(dante, 1.5.1)
 
 ########################################
 #
@@ -69,8 +69,7 @@ miscfiles_read_localization(dante_t)
 sysnet_read_config(dante_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dante_t)
-
-sysadm_dontaudit_search_home_dirs(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(dante_t)
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
index 1f30fc4..e67e4e6 100644
--- a/policy/modules/services/dbus.fc
+++ b/policy/modules/services/dbus.fc
@@ -1,8 +1,8 @@
 /etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
 # Sorting does not work correctly if I combine these next two roles
-/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-/bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
 /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
 
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index f63337c..b117926 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -17,57 +17,45 @@ interface(`dbus_stub',`
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the dbus module.
+##	Role access for dbus
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is
-##	used for the user dbus.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`dbus_per_role_template',`
+template(`dbus_role_template',`
 	gen_require(`
-		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
 		class dbus { send_msg acquire_svc };
+
+		attribute session_bus_type;
+		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
 	')
 
 	##############################
 	#
 	# Delcarations
 	#
-	type $1_dbusd_t;
-	domain_type($1_dbusd_t)
-	domain_entry_file($1_dbusd_t, system_dbusd_exec_t)
-	role $3 types $1_dbusd_t;
-
-	type $1_dbusd_$1_t;
 
-	type $1_dbusd_tmp_t;
-	files_tmp_file($1_dbusd_tmp_t)
+	type $1_dbusd_t, session_bus_type;
+	domain_type($1_dbusd_t)
+	domain_entry_file($1_dbusd_t, dbusd_exec_t)
+	ubac_constrained($1_dbusd_t)
+	role $2 types $1_dbusd_t;
 
 	##############################
 	#
@@ -85,31 +73,29 @@ template(`dbus_per_role_template',`
 	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
 
 	# For connecting to the bus
-	allow $2 $1_dbusd_t:unix_stream_socket connectto;
-	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 
 	# SE-DBus specific permissions
-	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-	allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
-	allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
 	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
 	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 	read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
 
-	manage_dirs_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t)
-	manage_files_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t)
-	files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+	manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+	manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
-	domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
-	allow $2 $1_dbusd_t:process { sigkill signal };
+	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { sigkill signal };
 
 	# cjp: this seems very broken
-	corecmd_bin_domtrans($1_dbusd_t, $2)
-	allow $1_dbusd_t $2:process sigkill;
-	allow $2 $1_dbusd_t:fd use;
-	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $2 $1_dbusd_t:process sigchld;
+	corecmd_bin_domtrans($1_dbusd_t, $3)
+	allow $1_dbusd_t $3:process sigkill;
+	allow $3 $1_dbusd_t:fd use;
+	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+	allow $3 $1_dbusd_t:process sigchld;
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
@@ -158,10 +144,10 @@ template(`dbus_per_role_template',`
 	seutil_read_config($1_dbusd_t)
 	seutil_read_default_contexts($1_dbusd_t)
 
-	userdom_read_user_home_content_files($1, $1_dbusd_t)
+	userdom_read_user_home_content_files($1_dbusd_t)
 
 	ifdef(`hide_broken_symptoms', `
-		dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 	')
 
 	tunable_policy(`read_default_t',`
@@ -187,39 +173,29 @@ template(`dbus_per_role_template',`
 ##	Template for creating connections to
 ##	the system DBUS.
 ## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the domain.
 ##	</summary>
 ## </param>
 #
-template(`dbus_system_bus_client_template',`
+interface(`dbus_system_bus_client',`
 	gen_require(`
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
 	')
 
-#	type $1_dbusd_system_t;
-#	type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-
 	# SE-DBus specific permissions
-#	allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-	allow $2 { system_dbusd_t self }:dbus send_msg;
+	allow $1 { system_dbusd_t self }:dbus send_msg;
 
-	read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
-	files_search_var_lib($2)
+	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+	files_search_var_lib($1)
 
 	# For connecting to the bus
-	files_search_pids($2)
-	stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
-	dbus_read_config($2)
+	files_search_pids($1)
+	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+	dbus_read_config($1)
 ')
 
 #######################################
@@ -227,64 +203,42 @@ template(`dbus_system_bus_client_template',`
 ##	Template for creating connections to
 ##	a user DBUS.
 ## </summary>
-## <param name="user_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain_prefix" unused="true">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	The type of the domain.
 ##	</summary>
 ## </param>
 #
-template(`dbus_user_bus_client_template',`
+interface(`dbus_session_bus_client',`
 	gen_require(`
-		type $1_dbusd_t;
+		attribute session_bus_type;
 		class dbus send_msg;
 	')
 
-#	type $2_dbusd_$1_t;
-#	type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
-
 	# SE-DBus specific permissions
-#	allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-	allow $3 { $1_dbusd_t self }:dbus send_msg;
+	allow $1 { session_bus_type self }:dbus send_msg;
 
 	# For connecting to the bus
-	allow $3 $1_dbusd_t:unix_stream_socket connectto;
+	allow $1 session_bus_type:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##	Send a message on user/application specific DBUS.
+##	Send a message the session DBUS.
 ## </summary>
-## <param name="domain_prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`dbus_send_user_bus',`
+interface(`dbus_send_session_bus',`
 	gen_require(`
-		type $1_dbusd_t;
+		attribute session_bus_type;
 		class dbus send_msg;
 	')
 
-	allow $2 $1_dbusd_t:dbus send_msg;
+	allow $1 session_bus_type:dbus send_msg;
 ')
 
 ########################################
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 0e5c879..0ea943b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus, 1.9.0)
+policy_module(dbus, 1.9.1)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -10,12 +10,22 @@ gen_require(`
 # Delcarations
 #
 
-type dbusd_etc_t alias etc_dbusd_t;
+attribute session_bus_type;
+
+type dbusd_etc_t;
 files_type(dbusd_etc_t)
 
-type system_dbusd_t alias dbusd_t;
-type system_dbusd_exec_t;
-init_system_domain(system_dbusd_t, system_dbusd_exec_t)
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+files_tmp_file(session_dbusd_tmp_t)
+ubac_constrained(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
 
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
@@ -28,7 +38,7 @@ files_pid_file(system_dbusd_var_run_t)
 
 ##############################
 #
-# Local policy
+# System bus local policy
 #
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -103,8 +113,7 @@ seutil_read_default_contexts(system_dbusd_t)
 seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-
-sysadm_dontaudit_search_home_dirs(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 
 tunable_policy(`read_default_t',`
 	files_list_default(system_dbusd_t)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 320c670..80102a7 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -34,11 +34,6 @@ interface(`dcc_domtrans_cdcc',`
 ##	The role to be allowed the cdcc domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the cdcc domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dcc_run_cdcc',`
@@ -48,7 +43,6 @@ interface(`dcc_run_cdcc',`
 
 	dcc_domtrans_cdcc($1)
 	role $2 types cdcc_t;
-	allow cdcc_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -85,11 +79,6 @@ interface(`dcc_domtrans_client',`
 ##	The role to be allowed the dcc_client domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dcc_client domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dcc_run_client',`
@@ -99,7 +88,6 @@ interface(`dcc_run_client',`
 
 	dcc_domtrans_client($1)
 	role $2 types dcc_client_t;
-	allow dcc_client_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -136,11 +124,6 @@ interface(`dcc_domtrans_dbclean',`
 ##	The role to be allowed the dcc_dbclean domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the dcc_dbclean domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`dcc_run_dbclean',`
@@ -150,7 +133,6 @@ interface(`dcc_run_dbclean',`
 
 	dcc_domtrans_dbclean($1)
 	role $2 types dcc_dbclean_t;
-	allow dcc_dbclean_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index b3c90f3..baddef3 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
 
-policy_module(dcc, 1.6.0)
+policy_module(dcc, 1.6.1)
 
 ########################################
 #
@@ -112,6 +112,8 @@ miscfiles_read_localization(cdcc_t)
 sysnet_read_config(cdcc_t)
 sysnet_dns_name_resolve(cdcc_t)
 
+userdom_use_user_terminals(cdcc_t)
+
 optional_policy(`
 	nscd_socket_use(cdcc_t)
 ')
@@ -152,6 +154,8 @@ miscfiles_read_localization(dcc_client_t)
 sysnet_read_config(dcc_client_t)
 sysnet_dns_name_resolve(dcc_client_t)
 
+userdom_use_user_terminals(dcc_client_t)
+
 optional_policy(`
 	nscd_socket_use(dcc_client_t)
 ')
@@ -192,6 +196,8 @@ miscfiles_read_localization(dcc_dbclean_t)
 sysnet_read_config(dcc_dbclean_t)
 sysnet_dns_name_resolve(dcc_dbclean_t)
 
+userdom_use_user_terminals(dcc_dbclean_t)
+
 optional_policy(`
 	nscd_socket_use(dcc_dbclean_t)
 ')
@@ -261,8 +267,7 @@ sysnet_read_config(dccd_t)
 sysnet_dns_name_resolve(dccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-
-sysadm_dontaudit_search_home_dirs(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
 
 optional_policy(`
 	nscd_socket_use(dccd_t)
@@ -332,8 +337,7 @@ sysnet_read_config(dccifd_t)
 sysnet_dns_name_resolve(dccifd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-
-sysadm_dontaudit_search_home_dirs(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
 
 optional_policy(`
 	nscd_socket_use(dccifd_t)
@@ -402,8 +406,7 @@ sysnet_read_config(dccm_t)
 sysnet_dns_name_resolve(dccm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-
-sysadm_dontaudit_search_home_dirs(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
 
 optional_policy(`
 	nscd_socket_use(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index dccbbe2..4b42128 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
 
-policy_module(ddclient, 1.6.0)
+policy_module(ddclient, 1.6.1)
 
 ########################################
 #
@@ -98,8 +98,7 @@ sysnet_exec_ifconfig(ddclient_t)
 sysnet_read_config(ddclient_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-
-sysadm_dontaudit_search_home_dirs(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 9e125b7..a81476a 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
 
-policy_module(dhcp, 1.6.0)
+policy_module(dhcp, 1.6.1)
 
 ########################################
 #
@@ -96,8 +96,7 @@ sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-
-sysadm_dontaudit_search_home_dirs(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 ifdef(`distro_gentoo',`
 	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
@@ -109,7 +108,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(dhcpd, dhcpd_t)
+	dbus_system_bus_client(dhcpd_t)
 	dbus_connect_system_bus(dhcpd_t)
 ')
 
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index eb74f4e..4d0c431 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
 
-policy_module(distcc, 1.6.0)
+policy_module(distcc, 1.6.1)
 
 ########################################
 #
@@ -79,8 +79,7 @@ miscfiles_read_localization(distccd_t)
 sysnet_read_config(distccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-
-sysadm_dontaudit_search_home_dirs(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
 
 optional_policy(`
 	nis_use_ypbind(distccd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 9dbbc52..c2002a0 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
 
-policy_module(dnsmasq, 1.6.0)
+policy_module(dnsmasq, 1.6.1)
 
 ########################################
 #
@@ -78,8 +78,7 @@ miscfiles_read_localization(dnsmasq_t)
 sysnet_read_config(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-
-sysadm_dontaudit_search_home_dirs(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
 optional_policy(`
 	nis_use_ypbind(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index a738f3e..7018910 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -33,4 +33,3 @@ ifdef(`distro_redhat', `
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
 /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
-
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 0148550..7f49af3 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot, 1.9.0)
+policy_module(dovecot, 1.9.1)
 
 ########################################
 #
@@ -110,12 +110,15 @@ miscfiles_read_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_priveleged_home_dir_manager(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
 
 mta_manage_spool(dovecot_t)
 
-sysadm_dontaudit_search_home_dirs(dovecot_t)
-
 optional_policy(`
 	kerberos_use(dovecot_t)
 ')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index eb01ac7..0cbf37b 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
 
-policy_module(exim, 1.2.0)
+policy_module(exim, 1.2.1)
 
 ########################################
 #
@@ -99,20 +99,18 @@ miscfiles_read_localization(exim_t)
 
 sysnet_dns_name_resolve(exim_t)
 
-unprivuser_dontaudit_search_home_dirs(exim_t)
+userdom_dontaudit_search_user_home_dirs(exim_t)
 
 mta_read_aliases(exim_t)
 mta_rw_spool(exim_t)
 
-sysadm_dontaudit_search_home_dirs(exim_t)
-
 tunable_policy(`exim_read_user_files',`
-	userdom_read_unpriv_users_home_content_files(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
+	userdom_read_user_home_content_files(exim_t)
+	userdom_read_user_tmp_files(exim_t)
 ')
 
 tunable_policy(`exim_manage_user_files',`
-	userdom_manage_unpriv_users_home_content_dirs(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
-	userdom_write_unpriv_users_tmp_files(exim_t)
+	userdom_manage_user_home_content_dirs(exim_t)
+	userdom_read_user_tmp_files(exim_t)
+	userdom_write_user_tmp_files(exim_t)
 ')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index b9720c1..3ee6d4b 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail, 1.7.0)
+policy_module(fetchmail, 1.7.1)
 
 ########################################
 #
@@ -80,8 +80,7 @@ miscfiles_read_certs(fetchmail_t)
 sysnet_read_config(fetchmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-
-sysadm_dontaudit_search_home_dirs(fetchmail_t)
+userdom_dontaudit_search_user_home_dirs(fetchmail_t)
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 0c8a0b8..ba4cb01 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
 
-policy_module(finger, 1.7.0)
+policy_module(finger, 1.7.1)
 
 ########################################
 #
@@ -90,11 +90,9 @@ miscfiles_read_localization(fingerd_t)
 
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
-userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_read_user_home_content_files(fingerd_t)
 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
 
-sysadm_dontaudit_search_home_dirs(fingerd_t)
-
 optional_policy(`
 	cron_system_entry(fingerd_t, fingerd_exec_t)
 ')
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index f07f6d4..b593224 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -1,42 +1,5 @@
 ## <summary>File transfer protocol service</summary>
 
-#######################################
-## <summary>
-##	The per role template for the ftp module.
-## </summary>
-## <desc>
-##	<p>
-##	This template allows ftpd to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`ftp_per_role_template',`
-	gen_require(`
-		type ftpd_t;
-	')
-
-	tunable_policy(`ftp_home_dir',`
-		userdom_manage_user_home_content_files($1, ftpd_t)
-		userdom_manage_user_home_content_symlinks($1, ftpd_t)
-		userdom_manage_user_home_content_sockets($1, ftpd_t)
-		userdom_manage_user_home_content_pipes($1, ftpd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
-	')
-')
-
 ########################################
 ## <summary>
 ##      Use ftp by connecting over TCP.  (Deprecated)
@@ -141,11 +104,6 @@ interface(`ftp_domtrans_ftpdctl',`
 ##	The role to allow the ftpdctl domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ftpdctl domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ftp_run_ftpdctl',`
@@ -155,7 +113,6 @@ interface(`ftp_run_ftpdctl',`
 
 	ftp_domtrans_ftpdctl($1)
 	role $2 types ftpdctl_t;
-	allow ftpdctl_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -173,11 +130,6 @@ interface(`ftp_run_ftpdctl',`
 ##	The role to be allowed to manage the ftp domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ftpdctl domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ftp_admin',`
@@ -197,7 +149,7 @@ interface(`ftp_admin',`
 	allow $2 system_r;
 
 	ps_process_pattern($1, ftpdctl_t)
-	ftp_run_ftpdctl($1, $2, $3)
+	ftp_run_ftpdctl($1, $2)
 
 	miscfiles_manage_public_files($1)
 
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 6c0dcf0..597a734 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp, 1.9.0)
+policy_module(ftp, 1.9.1)
 
 ########################################
 #
@@ -184,8 +184,7 @@ sysnet_read_config(ftpd_t)
 sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-
-sysadm_dontaudit_search_home_dirs(ftpd_t)
+userdom_dontaudit_search_user_home_dirs(ftpd_t)
 
 tunable_policy(`allow_ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
@@ -219,10 +218,11 @@ tunable_policy(`ftp_home_dir',`
 
 	# allow access to /home
 	files_list_home(ftpd_t)
-	userdom_read_all_users_home_content_files(ftpd_t)
-	userdom_manage_all_users_home_content_dirs(ftpd_t)
-	userdom_manage_all_users_home_content_files(ftpd_t)
-	userdom_manage_all_users_home_content_symlinks(ftpd_t)
+	userdom_read_user_home_content_files(ftpd_t)
+	userdom_manage_user_home_content_dirs(ftpd_t)
+	userdom_manage_user_home_content_files(ftpd_t)
+	userdom_manage_user_home_content_symlinks(ftpd_t)
+	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
 ')
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -292,3 +292,5 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 
 # Allow ftpdctl to read config files
 files_read_etc_files(ftpdctl_t)
+
+userdom_use_user_terminals(ftpdctl_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index c8b8742..0baa897 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
 
-policy_module(gatekeeper, 1.5.0)
+policy_module(gatekeeper, 1.5.1)
 
 ########################################
 #
@@ -85,8 +85,7 @@ miscfiles_read_localization(gatekeeper_t)
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-
-sysadm_dontaudit_search_home_dirs(gatekeeper_t)
+userdom_dontaudit_search_user_home_dirs(gatekeeper_t)
 
 optional_policy(`
 	nis_use_ypbind(gatekeeper_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 9ad5472..e991ef5 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
 
-policy_module(gpm, 1.5.0)
+policy_module(gpm, 1.5.1)
 
 ########################################
 #
@@ -66,8 +66,7 @@ logging_send_syslog_msg(gpm_t)
 miscfiles_read_localization(gpm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-
-sysadm_dontaudit_search_home_dirs(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 260c08d..3e49a36 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal, 1.10.0)
+policy_module(hal, 1.10.1)
 
 ########################################
 #
@@ -197,8 +197,7 @@ seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
-
-sysadm_dontaudit_search_home_dirs(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
 
 optional_policy(`
 	alsa_domtrans(hald_t)
@@ -233,7 +232,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(hald, hald_t)
+	dbus_system_bus_client(hald_t)
 	dbus_connect_system_bus(hald_t)
 
 	init_dbus_chat_script(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index e135a7e..1560d23 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
 
-policy_module(howl, 1.6.0)
+policy_module(howl, 1.6.1)
 
 ########################################
 #
@@ -66,8 +66,7 @@ miscfiles_read_localization(howl_t)
 sysnet_read_config(howl_t)
 
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
-
-sysadm_dontaudit_search_home_dirs(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
 
 optional_policy(`
 	nis_use_ypbind(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index f3db142..bcb0113 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
 
-policy_module(i18n_input, 1.6.0)
+policy_module(i18n_input, 1.6.1)
 
 ########################################
 #
@@ -74,9 +74,7 @@ miscfiles_read_localization(i18n_input_t)
 sysnet_read_config(i18n_input_t)
 
 userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_read_unpriv_users_home_content_files(i18n_input_t)
-
-sysadm_dontaudit_search_home_dirs(i18n_input_t)
+userdom_read_user_home_content_files(i18n_input_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index d8c62bf..6b53adf 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
 
-policy_module(imaze, 1.5.0)
+policy_module(imaze, 1.5.1)
 
 ########################################
 #
@@ -85,8 +85,7 @@ miscfiles_read_localization(imazesrv_t)
 sysnet_read_config(imazesrv_t)
 
 userdom_use_unpriv_users_fds(imazesrv_t)
-
-sysadm_dontaudit_search_home_dirs(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
 
 optional_policy(`
 	nis_use_ypbind(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index d788754..faeadf0 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd, 1.8.0)
+policy_module(inetd, 1.8.1)
 
 ########################################
 #
@@ -150,8 +150,7 @@ mls_process_set_level(inetd_t)
 sysnet_read_config(inetd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-
-sysadm_dontaudit_search_home_dirs(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
 
 ifdef(`distro_redhat',`
 	optional_policy(`
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index e0d02e0..cc5dabe 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
 
-policy_module(inn, 1.7.0)
+policy_module(inn, 1.7.1)
 
 ########################################
 #
@@ -105,8 +105,7 @@ seutil_dontaudit_search_config(innd_t)
 sysnet_read_config(innd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(innd_t)
-
-sysadm_dontaudit_search_home_dirs(innd_t)
+userdom_dontaudit_search_user_home_dirs(innd_t)
 
 mta_send_mail(innd_t)
 
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index fafbdd5..0015e70 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
 
-policy_module(ircd, 1.5.0)
+policy_module(ircd, 1.5.1)
 
 ########################################
 #
@@ -79,8 +79,7 @@ miscfiles_read_localization(ircd_t)
 sysnet_read_config(ircd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-
-sysadm_dontaudit_search_home_dirs(ircd_t)
+userdom_dontaudit_search_user_home_dirs(ircd_t)
 
 optional_policy(`
 	nis_use_ypbind(ircd_t)
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index a7e1ad4..30f26e8 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -1,5 +1,5 @@
 
-policy_module(irqbalance, 1.3.0)
+policy_module(irqbalance, 1.3.1)
 
 ########################################
 #
@@ -47,8 +47,7 @@ logging_send_syslog_msg(irqbalance_t)
 miscfiles_read_localization(irqbalance_t)
 
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-
-sysadm_dontaudit_search_home_dirs(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 6a123ff..c0d8cee 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
 
-policy_module(jabber, 1.6.0)
+policy_module(jabber, 1.6.1)
 
 ########################################
 #
@@ -80,8 +80,7 @@ miscfiles_read_localization(jabberd_t)
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-
-sysadm_dontaudit_search_home_dirs(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
 
 optional_policy(`
 	nis_use_ypbind(jabberd_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8ab5c86..00ff5fa 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
 
-policy_module(kerberos, 1.8.0)
+policy_module(kerberos, 1.8.1)
 
 ########################################
 #
@@ -153,8 +153,7 @@ sysnet_read_config(kadmind_t)
 sysnet_use_ldap(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-
-sysadm_dontaudit_search_home_dirs(kadmind_t)
+userdom_dontaudit_search_user_home_dirs(kadmind_t)
 
 optional_policy(`
 	nis_use_ypbind(kadmind_t)
@@ -254,8 +253,7 @@ sysnet_read_config(krb5kdc_t)
 sysnet_use_ldap(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-
-sysadm_dontaudit_search_home_dirs(krb5kdc_t)
+userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
 
 optional_policy(`
 	nis_use_ypbind(krb5kdc_t)
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
index f9bb268..e27a1ec 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -1,5 +1,5 @@
 
-policy_module(kerneloops, 1.1.0)
+policy_module(kerneloops, 1.1.1)
 
 ########################################
 #
@@ -46,6 +46,6 @@ miscfiles_read_localization(kerneloops_t)
 sysnet_dns_name_resolve(kerneloops_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(kerneloops, kerneloops_t)
+	dbus_system_bus_client(kerneloops_t)
 	dbus_connect_system_bus(kerneloops_t)
 ')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 07d2572..f228aae 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap, 1.8.0)
+policy_module(ldap, 1.8.1)
 
 ########################################
 #
@@ -114,8 +114,7 @@ miscfiles_read_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-
-sysadm_dontaudit_search_home_dirs(slapd_t)
+userdom_dontaudit_search_user_home_dirs(slapd_t)
 
 optional_policy(`
 	kerberos_use(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index ae4ac06..5a7046d 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -1,230 +1,36 @@
 ## <summary>Line printer daemon</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the lpd module.
+##	Role access for lpd
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for lpr printing client.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`lpd_per_role_template',`
+interface(`lpd_role',`
 	gen_require(`
-		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-	# Derived domain based on the calling user domain and the program
-	type $1_lpr_t;
-	application_domain($1_lpr_t, lpr_exec_t)
-	role $3 types $1_lpr_t;
-
-	type $1_lpr_tmp_t;
-	files_tmp_file($1_lpr_tmp_t)
-
-	# Type for spool files.
-	type $1_print_spool_t;
-	files_type($1_print_spool_t)
-
-	##############################
-	#
-	# Local policy
-	#
-	allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-	allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_lpr_t self:tcp_socket create_socket_perms;
-	allow $1_lpr_t self:udp_socket create_socket_perms;
-	allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
-
-	can_exec($1_lpr_t,lpr_exec_t)
-
-	tunable_policy(`use_lpd_server',`
-		# lpr can run in lightweight mode, without a local print spooler.
-		allow $1_lpr_t lpd_var_run_t:dir search;
-		allow $1_lpr_t lpd_var_run_t:sock_file write;
-		files_read_var_files($1_lpr_t)
-
-		# Connect to lpd via a Unix domain socket.
-		allow $1_lpr_t printer_t:sock_file rw_sock_file_perms;
-		allow $1_lpr_t lpd_t:unix_stream_socket connectto;
-		# Send SIGHUP to lpd.
-		allow $1_lpr_t lpd_t:process signal;
-
-		manage_dirs_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t)
-		manage_files_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t)
-		files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
-
-		manage_files_pattern($1_lpr_t, print_spool_t, $1_print_spool_t)
-		filetrans_pattern($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-		# Read and write shared files in the spool directory.
-		allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-		allow $1_lpr_t printconf_t:dir list_dir_perms;
-		read_files_pattern($1_lpr_t, printconf_t, printconf_t)
-		read_lnk_files_pattern($1_lpr_t, printconf_t, printconf_t)
+		type lpr_t, lpr_exec_t, print_spool_t;
 	')
 
-	dontaudit $1_lpr_t $2:unix_stream_socket { read write };
+	role $1 types lpr_t;
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
-
-	allow $2 $1_lpr_t:process signull;
-
-	# Allow lpd to read, rename, and unlink spool files.
-	allow lpd_t $1_print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
-
-	kernel_read_kernel_sysctls($1_lpr_t)
-
-	corenet_all_recvfrom_unlabeled($1_lpr_t)
-	corenet_all_recvfrom_netlabel($1_lpr_t)
-	corenet_tcp_sendrecv_generic_if($1_lpr_t)
-	corenet_udp_sendrecv_generic_if($1_lpr_t)
-	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
-	corenet_udp_sendrecv_all_nodes($1_lpr_t)
-	corenet_tcp_sendrecv_all_ports($1_lpr_t)
-	corenet_udp_sendrecv_all_ports($1_lpr_t)
-	corenet_tcp_connect_all_ports($1_lpr_t)
-	corenet_sendrecv_all_client_packets($1_lpr_t)
-
-	dev_read_rand($1_lpr_t)
-	dev_read_urand($1_lpr_t)
-
-	domain_use_interactive_fds($1_lpr_t)
-
-	files_search_spool($1_lpr_t)
-	# for lpd config files (should have a new type)
-	files_read_etc_files($1_lpr_t)
-	# for test print
-	files_read_usr_files($1_lpr_t)
-	#Added to cover read_content macro
-	files_list_home($1_lpr_t)
-	files_read_generic_tmp_files($1_lpr_t)
-
-	fs_getattr_xattr_fs($1_lpr_t)
-
-	# Access the terminal.
-	term_use_controlling_term($1_lpr_t)
-	term_use_generic_ptys($1_lpr_t)
-
-	miscfiles_read_localization($1_lpr_t)
-
-	sysnet_read_config($1_lpr_t)
-
-	userdom_read_user_tmp_symlinks($1,$1_lpr_t)
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_lpr_t)
-	userdom_read_user_home_content_files($1,$1_lpr_t)
-	userdom_read_user_tmp_files($1,$1_lpr_t)
-
-	tunable_policy(`read_default_t',`
-		files_list_default($1_lpr_t)
-		files_read_default_symlinks($1_lpr_t)
-		files_read_default_files($1_lpr_t)
-	')
-
-	tunable_policy(`read_untrusted_content',`
-		#list and read user specific untrusted content
-		userdom_read_user_untrusted_content_files($1, $1_lpr_t)
-
-		#list and read user specific temporary untrusted content
-		files_list_tmp($1_lpr_t)
-		userdom_read_user_tmp_untrusted_content_files($1, $1_lpr_t)
-	')
+	domtrans_pattern($2, lpr_exec_t, lpr_t)
+	dontaudit lpr_t $2:unix_stream_socket { read write };
 
-	tunable_policy(`use_nfs_home_dirs',`
-		files_list_home($1_lpr_t)
-		fs_list_auto_mountpoints($1_lpr_t)
-		fs_read_nfs_files($1_lpr_t)
-		fs_read_nfs_symlinks($1_lpr_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		files_list_home($1_lpr_t)
-		fs_list_auto_mountpoints($1_lpr_t)
-		fs_read_cifs_files($1_lpr_t)
-		fs_read_cifs_symlinks($1_lpr_t)
-	')
+	ps_process_pattern($2, lpr_t)
+	allow $2 lpr_t:process signull;
 
 	optional_policy(`
-		cups_read_config($1_lpr_t)
 		cups_read_config($2)
-		cups_stream_connect($1_lpr_t)
-		cups_read_pid_files($1_lpr_t)
-	')
-
-	optional_policy(`
-		logging_send_syslog_msg($1_lpr_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_lpr_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_lpr_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The administrative functions template for the lpd module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates rules for administrating the ldp service,
-##	allowing the specified user to manage lpr files.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <rolecap/>
-#
-template(`lpr_admin_template',`
-	gen_require(`
-		type $1_lpr_t, print_spool_t;
-	')
-
-	userdom_read_all_users_home_content_files($1_lpr_t)
-
-	# Read and write shared files in the spool directory.
-	allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-	# Allow per user lpr domain read acces for specific user.
-	tunable_policy(`read_untrusted_content',`
-		userdom_read_all_untrusted_content($1_lpr_t)
-		userdom_read_all_tmp_untrusted_content($1_lpr_t)
 	')
 ')
 
@@ -261,11 +67,6 @@ interface(`lpd_domtrans_checkpc',`
 ##	The role to be allowed the lpd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the lpd domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`lpd_run_checkpc',`
@@ -275,7 +76,6 @@ interface(`lpd_run_checkpc',`
 
 	lpd_domtrans_checkpc($1)
 	role $2 types checkpc_t;
-	allow checkpc_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -379,33 +179,18 @@ interface(`lpd_read_config',`
 ## <summary>
 ##      Transition to a user lpr domain.
 ## </summary>
-## <desc>
-##      <p>
-##      Transition to a user lpr domain.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`lpd_domtrans_user_lpr',`
+template(`lpd_domtrans_lpr',`
 	gen_require(`
-		type $1_lpr_t, lpr_exec_t;
+		type lpr_t, lpr_exec_t;
 	')
 
-	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
+	domtrans_pattern($1, lpr_exec_t, lpr_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 6093e9b..0dd55e8 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd, 1.10.0)
+policy_module(lpd, 1.10.1)
 
 ########################################
 #
@@ -31,11 +31,25 @@ files_tmp_file(lpd_tmp_t)
 type lpd_var_run_t;
 files_pid_file(lpd_var_run_t)
 
+type lpr_t;
 type lpr_exec_t;
-application_executable_file(lpr_exec_t)
-
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+application_domain(lpr_t, lpr_exec_t)
+ubac_constrained(lpr_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+files_tmp_file(lpr_tmp_t)
+ubac_constrained(lpr_tmp_t)
+
+# Type for spool files.
 type print_spool_t;
-files_tmp_file(print_spool_t)
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
 
 type printer_t;
 files_type(printer_t)
@@ -100,6 +114,8 @@ init_use_fds(checkpc_t)
 
 sysnet_read_config(checkpc_t)
 
+userdom_use_user_terminals(checkpc_t)
+
 optional_policy(`
 	cron_system_entry(checkpc_t, checkpc_exec_t)
 ')
@@ -132,7 +148,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
 
 manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
 manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+files_pid_filetrans(lpd_t, lpd_var_run_t,file)
 
 # Write to /var/spool/lpd.
 manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
@@ -194,8 +210,7 @@ miscfiles_read_localization(lpd_t)
 sysnet_read_config(lpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-
-sysadm_dontaudit_search_home_dirs(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
 
 optional_policy(`
 	nis_use_ypbind(lpd_t)
@@ -208,3 +223,126 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(lpd_t)
 ')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket create_socket_perms;
+allow lpr_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_all_nodes(lpr_t)
+corenet_udp_sendrecv_all_nodes(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+sysnet_read_config(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`read_default_t',`
+	files_list_default(lpr_t)
+	files_read_default_symlinks(lpr_t)
+	files_read_default_files(lpr_t)
+')
+
+tunable_policy(`use_lpd_server',`
+	# lpr can run in lightweight mode, without a local print spooler.
+	allow lpr_t lpd_var_run_t:dir search;
+	allow lpr_t lpd_var_run_t:sock_file write;
+	files_read_var_files(lpr_t)
+
+	# Connect to lpd via a Unix domain socket.
+	allow lpr_t printer_t:sock_file rw_sock_file_perms;
+	allow lpr_t lpd_t:unix_stream_socket connectto;
+	# Send SIGHUP to lpd.
+	allow lpr_t lpd_t:process signal;
+
+	manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+	manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+	files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+	manage_files_pattern(lpr_t,print_spool_t,print_spool_t)
+	filetrans_pattern(lpr_t,print_spool_t,print_spool_t,file)
+	# Read and write shared files in the spool directory.
+	allow lpr_t print_spool_t:file rw_file_perms;
+
+	allow lpr_t printconf_t:dir list_dir_perms;
+	read_files_pattern(lpr_t,printconf_t,printconf_t)
+	read_lnk_files_pattern(lpr_t,printconf_t,printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	files_list_home(lpr_t)
+	fs_list_auto_mountpoints(lpr_t)
+	fs_read_nfs_files(lpr_t)
+	fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	files_list_home(lpr_t)
+	fs_list_auto_mountpoints(lpr_t)
+	fs_read_cifs_files(lpr_t)
+	fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+	cups_read_config(lpr_t)
+	cups_stream_connect(lpr_t)
+	cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+	nscd_socket_use(lpr_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(lpr_t)
+')
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ea67c12..d6c5212 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman, 1.5.0)
+policy_module(mailman, 1.5.1)
 
 ########################################
 #
@@ -99,11 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t)
 # for su
 seutil_dontaudit_search_config(mailman_queue_t)
 
-su_exec(mailman_queue_t)
-
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
-sysadm_search_home_dirs(mailman_queue_t)
+userdom_search_user_home_dirs(mailman_queue_t)
+
+su_exec(mailman_queue_t)
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index df46abf..23842b3 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
 
-policy_module(monop, 1.5.0)
+policy_module(monop, 1.5.1)
 
 ########################################
 #
@@ -71,8 +71,7 @@ miscfiles_read_localization(monopd_t)
 sysnet_read_config(monopd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-
-sysadm_dontaudit_search_home_dirs(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
 
 optional_policy(`
 	nis_use_ypbind(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 5bfa326..1709743 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -132,154 +132,36 @@ template(`mta_base_mail_template',`
 
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the mta module.
+##	Role access for mta
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is
-##	a email transfer agent, which sends mail on
-##	behalf of the user.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`mta_per_role_template',`
+interface(`mta_role',`
 	gen_require(`
 		attribute mta_user_agent;
-		attribute mailserver_delivery;
-		type sendmail_exec_t;
+		type user_mail_t, sendmail_exec_t;
 	')
 
-	##############################
-	#
-	# Declarations
-	#
-
-	mta_base_mail_template($1)
-	role $3 types $1_mail_t;
-
-	##############################
-	#
-	# $1_mail_t local policy
-	#
+	role $1 types { user_mail_t mta_user_agent };
 
 	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
+	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
 	allow $2 sendmail_exec_t:lnk_file { getattr read };
 
-	domain_use_interactive_fds($1_mail_t)
-
-	userdom_use_user_terminals($1, $1_mail_t)
-	# Write to the user domain tty. cjp: why?
-	userdom_use_user_terminals($1, mta_user_agent)
-	# Create dead.letter in user home directories.
-	userdom_manage_user_home_content_files($1, $1_mail_t)
-	userdom_user_home_dir_filetrans_user_home_content($1, $1_mail_t, file)
-	# for reading .forward - maybe we need a new type for it?
-	# also for delivering mail to maildir
-	userdom_manage_user_home_content_dirs($1, mailserver_delivery)
-	userdom_manage_user_home_content_files($1, mailserver_delivery)
-	userdom_manage_user_home_content_symlinks($1, mailserver_delivery)
-	userdom_manage_user_home_content_pipes($1, mailserver_delivery)
-	userdom_manage_user_home_content_sockets($1, mailserver_delivery)
-	userdom_user_home_dir_filetrans_user_home_content($1, mailserver_delivery, { dir file lnk_file fifo_file sock_file })
-	# Read user temporary files.
-	userdom_read_user_tmp_files($1, $1_mail_t)
-	userdom_dontaudit_append_user_tmp_files($1, $1_mail_t)
-	# cjp: this should probably be read all user tmp
-	# files in an appropriate place for mta_user_agent
-	userdom_read_user_tmp_files($1, mta_user_agent)
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_mail_t)
-		fs_manage_cifs_symlinks($1_mail_t)
-	')
-
-	optional_policy(`
-		allow $1_mail_t self:capability dac_override;
-
-		# Read user temporary files.
-		# postfix seems to need write access if the file handle is opened read/write
-		userdom_rw_user_tmp_files($1, $1_mail_t)
-
-		postfix_read_config($1_mail_t)
-		postfix_list_spool($1_mail_t)
-	')
-')
-
-########################################
-## <summary>
-##	Provide extra permissions for admin users
-##	mail domain.
-## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-template(`mta_admin_template',`
-	gen_require(`
-		type $1_mail_t;
-	')
-
-	# allow the sysadmin to do "mail someone < /home/user/whatever"
-	userdom_read_unpriv_users_home_content_files($1_mail_t)
-
-	optional_policy(`
-		gen_require(`
-			attribute mta_user_agent;
-			type etc_aliases_t;
-		')
-
-		allow mta_user_agent $2:fifo_file { read write };
-
-		manage_dirs_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
-		manage_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
-		manage_lnk_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
-		manage_fifo_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
-		manage_sock_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
-		files_etc_filetrans($1_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-
-		# postfix needs this for newaliases
-		files_getattr_tmp_dirs($1_mail_t)
-
-		postfix_exec_master($1_mail_t)
-
-		ifdef(`distro_redhat',`
-			# compatability for old default main.cf
-			postfix_config_filetrans($1_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-		')
-	')
+	allow mta_user_agent $2:fd use;
+	allow mta_user_agent $2:process sigchld;
+	allow mta_user_agent $2:fifo_file { read write };
 ')
 
 ########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d796fa4..27b9099 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta, 1.11.0)
+policy_module(mta, 2.0.0)
 
 ########################################
 #
@@ -33,6 +33,14 @@ mta_agent_executable(sendmail_exec_t)
 mta_base_mail_template(system)
 role system_r types system_mail_t;
 
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+ubac_constrained(user_mail_t)
+ubac_constrained(user_mail_tmp_t)
+
 ########################################
 #
 # System mail local policy
@@ -55,8 +63,8 @@ dev_read_urand(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
 
-sysadm_use_terms(system_mail_t)
-sysadm_dontaudit_search_home_dirs(system_mail_t)
+userdom_use_user_terminals(system_mail_t)
+userdom_dontaudit_search_user_home_dirs(system_mail_t)
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
@@ -134,7 +142,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
+	userdom_dontaudit_use_user_ptys(system_mail_t)
 
 	optional_policy(`
 		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
@@ -160,3 +168,47 @@ optional_policy(`
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
+
+########################################
+#
+# User send mail local policy
+#
+
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(user_mail_t)
+	fs_manage_cifs_symlinks(user_mail_t)
+')
+
+optional_policy(`
+	allow user_mail_t self:capability dac_override;
+
+	# Read user temporary files.
+	# postfix seems to need write access if the file handle is opened read/write
+	userdom_rw_user_tmp_files(user_mail_t)
+
+	postfix_read_config(user_mail_t)
+	postfix_list_spool(user_mail_t)
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index e5f05ae..174b17d 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
 
-policy_module(munin, 1.5.0)
+policy_module(munin, 1.5.1)
 
 ########################################
 #
@@ -93,8 +93,7 @@ miscfiles_read_localization(munin_t)
 sysnet_read_config(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
-
-sysadm_dontaudit_search_home_dirs(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
 
 optional_policy(`
 	# for accessing the output directory
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index c093fc4..8f5706a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
 
-policy_module(mysql, 1.9.0)
+policy_module(mysql, 1.9.1)
 
 ########################################
 #
@@ -97,9 +97,8 @@ miscfiles_read_localization(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
-
 # for /root/.my.cnf - should not be needed:
-sysadm_read_home_content_files(mysqld_t)
+userdom_read_user_home_content_files(mysqld_t)
 
 ifdef(`distro_redhat',`
 	# because Fedora has the sock_file in the database directory
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 3d6b783..5fc26e7 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
 
-policy_module(nagios, 1.6.0)
+policy_module(nagios, 1.6.1)
 
 ########################################
 #
@@ -100,11 +100,10 @@ logging_send_syslog_msg(nagios_t)
 miscfiles_read_localization(nagios_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_user_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
 
-sysadm_dontaudit_search_home_dirs(nagios_t)
-
 optional_policy(`
 	netutils_domtrans_ping(nagios_t)
 	netutils_signal_ping(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 1d265b0..0977507 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
 
-policy_module(nessus, 1.5.0)
+policy_module(nessus, 1.5.1)
 
 ########################################
 #
@@ -91,8 +91,7 @@ miscfiles_read_localization(nessusd_t)
 sysnet_read_config(nessusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-
-sysadm_dontaudit_search_home_dirs(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
 
 optional_policy(`
 	nis_use_ypbind(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index f978889..b36d63f 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager, 1.11.0)
+policy_module(networkmanager, 1.11.1)
 
 ########################################
 #
@@ -127,11 +127,9 @@ sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
 
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
 # Read gnome-keyring
-userdom_read_unpriv_users_home_content_files(NetworkManager_t)
-
-sysadm_dontaudit_search_home_dirs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
 
 optional_policy(`
 	bind_domtrans(NetworkManager_t)
@@ -140,7 +138,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	bluetooth_dontaudit_read_helper_files(NetworkManager_t)
+	bluetooth_dontaudit_read_helper_state(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -148,7 +146,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(NetworkManager, NetworkManager_t)
+	dbus_system_bus_client(NetworkManager_t)
 	dbus_connect_system_bus(NetworkManager_t)
 ')
 
@@ -185,11 +183,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# Read gnome-keyring
-	unconfined_read_home_content_files(NetworkManager_t)
-')
-
-optional_policy(`
 	vpn_domtrans(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
 ')
@@ -198,6 +191,7 @@ optional_policy(`
 #
 # wpa_cli local policy
 #
+
 allow wpa_cli_t self:capability dac_override;
 allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
 
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index bfcdfcb..d0572ac 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
 
-policy_module(nis, 1.7.0)
+policy_module(nis, 1.7.1)
 
 ########################################
 #
@@ -108,8 +108,7 @@ miscfiles_read_localization(ypbind_t)
 sysnet_read_config(ypbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-
-sysadm_dontaudit_search_home_dirs(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
@@ -187,8 +186,7 @@ miscfiles_read_localization(yppasswdd_t)
 sysnet_read_config(yppasswdd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-
-sysadm_dontaudit_search_home_dirs(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
 
 optional_policy(`
 	hostname_exec(yppasswdd_t)
@@ -268,8 +266,7 @@ nis_domtrans_ypxfr(ypserv_t)
 sysnet_read_config(ypserv_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-
-sysadm_dontaudit_search_home_dirs(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypserv_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 732e5e8..33ce3da 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -189,11 +189,6 @@ interface(`nscd_unconfined',`
 ##	The role to be allowed the nscd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the role's terminal.
-##	</summary>
-## </param>
 #
 interface(`nscd_run',`
 	gen_require(`
@@ -202,5 +197,4 @@ interface(`nscd_run',`
 
 	nscd_domtrans($1)
 	role $2 types nscd_t;
-	dontaudit nscd_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f99aa8a..d84d0ac 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
 
-policy_module(nscd, 1.7.0)
+policy_module(nscd, 1.7.1)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -100,9 +100,9 @@ seutil_sigchld_newrole(nscd_t)
 
 sysnet_read_config(nscd_t)
 
+userdom_dontaudit_use_user_terminals(nscd_t)
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-
-sysadm_dontaudit_search_home_dirs(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
 
 optional_policy(`
 	udev_read_db(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index f50ef97..d9b34e0 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
 
-policy_module(nsd, 1.5.0)
+policy_module(nsd, 1.5.1)
 
 ########################################
 #
@@ -93,8 +93,7 @@ miscfiles_read_localization(nsd_t)
 sysnet_read_config(nsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-
-sysadm_dontaudit_search_home_dirs(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
 
 optional_policy(`
 	nis_use_ypbind(nsd_t)
@@ -167,7 +166,7 @@ miscfiles_read_localization(nsd_crond_t)
 
 sysnet_read_config(nsd_crond_t)
 
-sysadm_dontaudit_search_home_dirs(nsd_crond_t)
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
 
 optional_policy(`
 	cron_system_entry(nsd_crond_t, nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index dce93e7..000815f 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
 
-policy_module(ntop, 1.6.0)
+policy_module(ntop, 1.6.1)
 
 ########################################
 #
@@ -89,8 +89,7 @@ miscfiles_read_localization(ntop_t)
 sysnet_read_config(ntop_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-
-sysadm_dontaudit_search_home_dirs(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index b5b2701..546c28e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
 
-policy_module(ntp, 1.7.0)
+policy_module(ntp, 1.7.1)
 
 ########################################
 #
@@ -113,9 +113,7 @@ logging_send_syslog_msg(ntpd_t)
 miscfiles_read_localization(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-
-sysadm_list_home_dirs(ntpd_t)
-sysadm_dontaudit_list_home_dirs(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
 
 optional_policy(`
 	# for cron jobs
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 0d6b501..2102b0b 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -34,11 +34,6 @@ interface(`oav_domtrans_update',`
 ##	The role to be allowed the oav_update domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the oav_update domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`oav_run_update',`
@@ -48,5 +43,4 @@ interface(`oav_run_update',`
 
 	oav_domtrans_update($1)
 	role $2 types oav_update_t;
-	allow oav_update_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index d865e02..80a8ec9 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
 
-policy_module(oav, 1.7.0)
+policy_module(oav, 1.7.1)
 
 ########################################
 #
@@ -67,6 +67,8 @@ logging_send_syslog_msg(oav_update_t)
 
 sysnet_read_config(oav_update_t)
 
+userdom_use_user_terminals(oav_update_t)
+
 optional_policy(`
 	cron_system_entry(oav_update_t, oav_update_exec_t)
 ')
@@ -134,8 +136,7 @@ miscfiles_read_localization(scannerdaemon_t)
 sysnet_read_config(scannerdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-
-sysadm_dontaudit_search_home_dirs(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index c48e0f2..daba3ef 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
 
-policy_module(oddjob, 1.5.0)
+policy_module(oddjob, 1.5.1)
 
 ########################################
 #
@@ -52,7 +52,7 @@ miscfiles_read_localization(oddjob_t)
 locallogin_dontaudit_use_fds(oddjob_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(oddjob, oddjob_t)
+	dbus_system_bus_client(oddjob_t)
 	dbus_connect_system_bus(oddjob_t)
 ')
 
@@ -72,12 +72,10 @@ files_read_etc_files(oddjob_mkhomedir_t)
 
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
-staff_manage_home_dirs(oddjob_mkhomedir_t)
-
 # Add/remove user home directories
-unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
-unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
-unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
-unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
-unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
 
diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc
index 9879ead..5840ea8 100644
--- a/policy/modules/services/oident.fc
+++ b/policy/modules/services/oident.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.oidentd.conf			gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
+HOME_DIR/\.oidentd.conf			gen_context(system_u:object_r:oidentd_home_t, s0)
 
 /etc/oidentd\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
 /etc/oidentd_masq\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
@@ -6,4 +6,3 @@ HOME_DIR/\.oidentd.conf			gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
 /etc/rc\.d/init\.d/oidentd	--	gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
 
 /usr/sbin/oidentd		--	gen_context(system_u:object_r:oidentd_exec_t, s0)
-
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index c9beafe..bb4fae5 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -7,66 +7,49 @@
 ##	</p>
 ## </desc>
 
-#######################################
+########################################
 ## <summary>
-##  The per role template for the Oidentd module.
+##	Allow the specified domain to read
+##	Oidentd personal configuration files.
 ## </summary>
-## <desc>
-## 	<p>
-## 	This template creates derived domains which are used
-## 	for Oident daemon.
-## 	</p>
-## 	<p>
-## 	This template is invoked automatically for each user, and
-## 	generally does not need to be invoked directly
-## 	by policy writers.
-## 	</p>
-## </desc>
-## <param name="userdomain_prefix">
-## 	<summary>
-## 	The prefix of the user domain (e.g., user
-## 	is the prefix for user_t).
-## 	</summary>
-## </param>
-## <param name="user_domain">
-## 	<summary>
-## 	The type of the user domain.
-## 	</summary>
-## 	</param>
-## 	<param name="user_role">
-## 	<summary>
-## 	The role associated with the user domain.
-## 	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
-template(`oident_per_role_template', `
-
-	########################################
-	#
-	#  Oident daemon shared declarations
-	#
-
+interface(`oident_read_user_content', `
 	gen_require(`
-		attribute oidentd_user_content_type;
+		type oidentd_home_t;
 	')
 
-	type $1_oidentd_home_t, oidentd_user_content_type;
-	userdom_user_home_content($1, $1_oidentd_home_t)
-
-	typeattribute $1_oidentd_home_t oidentd_user_content_type;
+	allow $1 oidentd_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
 
-	########################################
-	#
-	#  Oident daemon shared policy
-	#
+########################################
+## <summary>
+##	Allow the specified domain to create, read, write, and delete
+##	Oidentd personal configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`oident_manage_user_content', `
+	gen_require(`
+		type oidentd_home_t;
+	')
 
-	allow $2 $1_oidentd_home_t:file manage_file_perms; 
-	allow $2 $1_oidentd_home_t:file relabel_file_perms;
+	allow $1 oidentd_home_t:file manage_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Allow the specified domain to read
+##	Allow the specified domain to relabel
 ##	Oidentd personal configuration files.
 ## </summary>
 ## <param name="domain">
@@ -75,11 +58,11 @@ template(`oident_per_role_template', `
 ##	</summary>
 ## </param>
 #
-interface(`oident_read_all_user_content', `
+interface(`oident_relabel_user_content', `
 	gen_require(`
-		attribute oidentd_user_content_type;
+		type oidentd_home_t;
 	')
 
-	allow $1 oidentd_user_content_type:file read_file_perms;
-	userdom_search_all_users_home_dirs($1)
+	allow $1 oidentd_home_t:file relabel_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 0a7195c..bb56f9e 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -1,17 +1,20 @@
 
-policy_module(oident, 1.0.0) 
+policy_module(oident, 2.0.0) 
 
 ########################################
 #
 # Oident daemon private declarations
 #
 
-attribute oidentd_user_content_type;
-
 type oidentd_t;
 type oidentd_exec_t;
 init_daemon_domain(oidentd_t, oidentd_exec_t)
 
+type oidentd_home_t;
+typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t };
+typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t };
+userdom_user_home_content(oidentd_home_t)
+
 type oidentd_initrc_exec_t;
 init_script_file(oidentd_initrc_exec_t)
 
@@ -53,7 +56,7 @@ miscfiles_read_localization(oidentd_t)
 
 sysnet_read_config(oidentd_t)
 
-oident_read_all_user_content(oidentd_t)
+oident_read_user_content(oidentd_t)
 
 optional_policy(`
 	nis_use_ypbind(oidentd_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index cb046d9..638508a 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
 
-policy_module(openct, 1.3.0)
+policy_module(openct, 1.3.1)
 
 ########################################
 #
@@ -48,8 +48,7 @@ logging_send_syslog_msg(openct_t)
 miscfiles_read_localization(openct_t)
 
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
-
-sysadm_dontaudit_search_home_dirs(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
 
 openct_exec(openct_t)
 
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index f448846..18d95e6 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -33,11 +33,6 @@ interface(`openvpn_domtrans',`
 ##	The role to be allowed the openvpn domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the openvpn domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`openvpn_run',`
@@ -47,7 +42,6 @@ interface(`openvpn_run',`
 
 	openvpn_domtrans($1)
 	role $2 types openvpn_t;
-	allow openvpn_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index ed97458..6e16c60 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
 
-policy_module(openvpn, 1.6.0)
+policy_module(openvpn, 1.6.1)
 
 ########################################
 #
@@ -100,8 +100,10 @@ miscfiles_read_certs(openvpn_t)
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
 
+userdom_use_user_terminals(openvpn_t)
+
 tunable_policy(`openvpn_enable_homedirs',`
-	userdom_read_unpriv_users_home_content_files(openvpn_t)
+	userdom_read_user_home_content_files(openvpn_t)
 ')
 
 optional_policy(`
@@ -109,7 +111,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(openvpn, openvpn_t)
+	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
 	networkmanager_dbus_chat(openvpn_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 8f206d5..57cb94d 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus, 1.6.0)
+policy_module(pegasus, 1.6.1)
 
 ########################################
 #
@@ -119,8 +119,7 @@ sysnet_read_config(pegasus_t)
 sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-
-sysadm_dontaudit_search_home_dirs(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
 
 optional_policy(`
 	rpm_exec(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index e54e60d..a8372cd 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
 
-policy_module(perdition, 1.5.0)
+policy_module(perdition, 1.5.1)
 
 ########################################
 #
@@ -65,8 +65,7 @@ miscfiles_read_localization(perdition_t)
 sysnet_read_config(perdition_t)
 
 userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-
-sysadm_dontaudit_search_home_dirs(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(perdition_t)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 039c6de..19d9f8a 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -35,11 +35,6 @@ interface(`portmap_domtrans_helper',`
 ##	The role to be allowed the portmap domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the portmap domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`portmap_run_helper',`
@@ -49,7 +44,6 @@ interface(`portmap_run_helper',`
 
 	portmap_domtrans_helper($1)
 	role $2 types portmap_helper_t;
-	allow portmap_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index b766249..e9af057 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
 
-policy_module(portmap, 1.7.0)
+policy_module(portmap, 1.7.1)
 
 ########################################
 #
@@ -84,8 +84,7 @@ miscfiles_read_localization(portmap_t)
 sysnet_read_config(portmap_t)
 
 userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-
-sysadm_dontaudit_search_home_dirs(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
 
 optional_policy(`
 	nis_use_ypbind(portmap_t)
@@ -145,6 +144,7 @@ logging_send_syslog_msg(portmap_helper_t)
 
 sysnet_read_config(portmap_helper_t)
 
+userdom_use_user_terminals(portmap_helper_t)
 userdom_dontaudit_use_all_users_fds(portmap_helper_t)
 
 optional_policy(`
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 617ebe0..c52a3e2 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
 
-policy_module(portslave, 1.5.0)
+policy_module(portslave, 1.5.1)
 
 ########################################
 #
@@ -95,7 +95,7 @@ sysnet_read_config(portslave_t)
 
 userdom_use_unpriv_users_fds(portslave_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it
-userdom_search_all_users_home_dirs(portslave_t)
+userdom_search_user_home_dirs(portslave_t)
 
 mta_send_mail(portslave_t)
 
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 0eeb4e7..88b923c 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -160,40 +160,6 @@ template(`postfix_user_domain_template',`
 
 ########################################
 ## <summary>
-##	The per role template for the postfix module.
-## </summary>
-## <param name="prefix" unused="true">
-##	<summary>
-##	The prefix of the user domain.
-##	(e.g., user is the prefix of user_t)
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	User domain type.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	User role
-##	</summary>
-## </param>
-#
-template(`postfix_per_role_template',`
-	gen_require(`
-		attribute postfix_user_domains;
-		type postfix_postdrop_t;
-	')
-
-	role $3 types postfix_postdrop_t;
-
-	allow postfix_user_domains $2:process sigchld;
-	allow postfix_user_domains $2:fifo_file { write getattr };
-	allow postfix_user_domains $2:fd use;
-')
-
-########################################
-## <summary>
 ##	Read postfix configuration files.
 ## </summary>
 ## <param name="domain">
@@ -353,11 +319,6 @@ interface(`postfix_domtrans_map',`
 ##	The role to be allowed the postfix_map domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the postfix_map domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`postfix_run_map',`
@@ -367,7 +328,6 @@ interface(`postfix_run_map',`
 
 	postfix_domtrans_map($1)
 	role $2 types postfix_map_t;
-	allow postfix_map_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index d83b1b6..89d0abe 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
 
-policy_module(postfix, 1.9.0)
+policy_module(postfix, 1.9.1)
 
 ########################################
 #
@@ -342,6 +342,8 @@ miscfiles_read_localization(postfix_map_t)
 
 seutil_read_config(postfix_map_t)
 
+userdom_use_user_terminals(postfix_map_t)
+
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 4351a8c..7c84488 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -2,16 +2,11 @@
 
 #######################################
 ## <summary>
-##      The userdomain template for the SE-PostgreSQL.
+##      Role access for SE-PostgreSQL.
 ## </summary>
-## <desc>
-##      This template creates a delivered types which are used
-##	for given userdomains.
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="user_role">
 ##      <summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
+##      The role associated with the user domain.
 ##      </summary>
 ## </param>
 ## <param name="user_domain">
@@ -19,13 +14,8 @@
 ##      The type of the user domain.
 ##      </summary>
 ## </param>
-## <param name="user_role">
-##      <summary>
-##      The role associated with the user domain.
-##      </summary>
-## </param>
 #
-template(`postgresql_userdom_template',`
+interface(`postgresql_role',`
 	gen_require(`
 		class db_database all_db_database_perms;
 		class db_table all_db_table_perms;
@@ -38,6 +28,8 @@ template(`postgresql_userdom_template',`
 		attribute sepgsql_sysobj_table_type;
 
 		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
 	')
 
 	########################################
@@ -46,20 +38,7 @@ template(`postgresql_userdom_template',`
 	#
 
 	typeattribute $2 sepgsql_client_type;
-
-	type $1_sepgsql_blob_t;
-	postgresql_blob_object($1_sepgsql_blob_t)
-
-	type $1_sepgsql_proc_exec_t;
-	postgresql_procedure_object($1_sepgsql_proc_exec_t)
-
-	type $1_sepgsql_sysobj_t;
-	postgresql_system_table_object($1_sepgsql_sysobj_t)
-
-	type $1_sepgsql_table_t;
-	postgresql_table_object($1_sepgsql_table_t)
-
-	role $3 types sepgsql_trusted_proc_t;
+	role $1 types sepgsql_trusted_proc_t;
 
 	##############################
 	#
@@ -67,25 +46,25 @@ template(`postgresql_userdom_template',`
 	#
 
 	tunable_policy(`sepgsql_enable_users_ddl',`
-		allow $2 $1_sepgsql_table_t:db_table { create drop };
-		type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
+		allow $2 user_sepgsql_table_t:db_table { create drop };
+		type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
 
-		allow $2 $1_sepgsql_table_t:db_column { create drop };
+		allow $2 user_sepgsql_table_t:db_column { create drop };
 
-		allow $2 $1_sepgsql_sysobj_t:db_tuple { update insert delete };
-		type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
+		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+		type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
 	')
 
-	allow $2 $1_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
-	allow $2 $1_sepgsql_table_t:db_column { getattr setattr use select update insert };
-	allow $2 $1_sepgsql_table_t:db_tuple { use select update insert delete };
-	allow $2 $1_sepgsql_sysobj_t:db_tuple { use select };
+	allow $2 user_sepgsql_table_t:db_table  { getattr setattr use select update insert delete };
+	allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
+	allow $2 user_sepgsql_table_t:db_tuple  { use select update insert delete };
+	allow $2 user_sepgsql_sysobj_t:db_tuple  { use select };
 
-	allow $2 $1_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
-	type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_exec_t;
+	allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 
-	allow $2 $1_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
-	type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
+	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
 
 	allow $2 sepgsql_trusted_proc_t:process transition;
 	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0dc0afb..3ba8a4c 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql, 1.7.0)
+policy_module(postgresql, 1.7.1)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -96,6 +96,26 @@ domain_type(sepgsql_trusted_proc_t)
 postgresql_unconfined(sepgsql_trusted_proc_t)
 role system_r types sepgsql_trusted_proc_t;
 
+type user_sepgsql_blob_t;
+typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
+typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
+postgresql_blob_object(user_sepgsql_blob_t)
+
+type user_sepgsql_proc_exec_t;
+typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
+typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
+postgresql_procedure_object(user_sepgsql_proc_exec_t)
+
+type user_sepgsql_sysobj_t;
+typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
+typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
+postgresql_system_table_object(user_sepgsql_sysobj_t)
+
+type user_sepgsql_table_t;
+typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
+typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
+postgresql_table_object(user_sepgsql_table_t)
+
 ########################################
 #
 # postgresql Local policy
@@ -218,12 +238,11 @@ miscfiles_read_localization(postgresql_t)
 seutil_libselinux_linked(postgresql_t)
 
 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+userdom_dontaudit_search_user_home_dirs(postgresql_t)
+userdom_dontaudit_use_user_terminals(postgresql_t)
 
 mta_getattr_spool(postgresql_t)
 
-sysadm_dontaudit_search_home_dirs(postgresql_t)
-sysadm_dontaudit_use_ttys(postgresql_t)
-
 tunable_policy(`allow_execmem',`
 	allow postgresql_t self:process execmem;
 ')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 68be03d..7c40fed 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
 
-policy_module(postgrey, 1.5.0)
+policy_module(postgrey, 1.5.1)
 
 ########################################
 #
@@ -75,8 +75,7 @@ miscfiles_read_localization(postgrey_t)
 sysnet_read_config(postgrey_t)
 
 userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
-
-sysadm_dontaudit_search_home_dirs(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
 
 optional_policy(`
 	nis_use_ypbind(postgrey_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index e100e9a..5786afa 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -125,11 +125,6 @@ interface(`ppp_domtrans',`
 ##	The role to allow the ppp domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ppp domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ppp_run_cond',`
@@ -141,7 +136,6 @@ interface(`ppp_run_cond',`
 
 	tunable_policy(`pppd_for_user',`
 		ppp_domtrans($1)
-		allow pppd_t $3:chr_file rw_term_perms;
 	')
 ')
 
@@ -159,11 +153,6 @@ interface(`ppp_run_cond',`
 ##	The role to allow the ppp domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ppp domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ppp_run',`
@@ -173,7 +162,6 @@ interface(`ppp_run',`
 
 	ppp_domtrans($1)
 	role $2 types pppd_t;
-	allow pppd_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 6f8636a..02f556e 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp, 1.9.0)
+policy_module(ppp, 1.9.1)
 
 ########################################
 #
@@ -172,16 +172,13 @@ sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
 sysnet_etc_filetrans_config(pppd_t)
 
+userdom_use_user_terminals(pppd_t)
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it
-#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_unpriv_users_home_dirs(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
 
 ppp_exec(pppd_t)
 
-sysadm_dontaudit_search_home_dirs(pppd_t)
-sysadm_search_home_dirs(pppd_t)
-
 optional_policy(`
 	ddclient_domtrans(pppd_t)
 ')
@@ -279,8 +276,7 @@ miscfiles_read_localization(pptp_t)
 sysnet_read_config(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-
-sysadm_dontaudit_search_home_dirs(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
 
 optional_policy(`
 	consoletype_exec(pppd_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index cf1e5a8..5c6323b 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy, 1.7.0)
+policy_module(privoxy, 1.7.1)
 
 ########################################
 #
@@ -73,10 +73,9 @@ miscfiles_read_localization(privoxy_t)
 sysnet_dns_name_resolve(privoxy_t)
 
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-
-sysadm_dontaudit_search_home_dirs(privoxy_t)
+userdom_dontaudit_search_user_home_dirs(privoxy_t)
 # cjp: this should really not be needed
-sysadm_use_terms(privoxy_t)
+userdom_use_user_terminals(privoxy_t)
 
 optional_policy(`
 	nis_use_ypbind(privoxy_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index f75453b..c9d52f4 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail, 1.9.0)
+policy_module(procmail, 1.9.1)
 
 ########################################
 #
@@ -70,11 +70,15 @@ logging_send_syslog_msg(procmail_t)
 miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
-userdom_priveleged_home_dir_manager(procmail_t)
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
 
 # Do not audit attempts to access /root.
-staff_dontaudit_search_home_dirs(procmail_t)
-sysadm_dontaudit_search_home_dirs(procmail_t)
+userdom_dontaudit_search_user_home_dirs(procmail_t)
 
 mta_manage_spool(procmail_t)
 
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index 558a691..17e7c49 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -1,5 +1,5 @@
 
-policy_module(pxe, 1.3.0)
+policy_module(pxe, 1.3.1)
 
 # cjp: policy seems incomplete
 
@@ -53,8 +53,7 @@ logging_send_syslog_msg(pxe_t)
 miscfiles_read_localization(pxe_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pxe_t)
-
-sysadm_dontaudit_search_home_dirs(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(pxe_t)
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index c512523..d4a7750 100644
--- a/policy/modules/services/pyzor.fc
+++ b/policy/modules/services/pyzor.fc
@@ -1,6 +1,6 @@
 /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 
-HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 8ab808b..3745b62 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -1,40 +1,34 @@
 ## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the pyzor module.
+##	Role access for pyzor
 ## </summary>
-## <desc>
-##	<p>
-##	This template allows pyzor to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`pyzor_per_role_template',`
+interface(`pyzor_role',`
 	gen_require(`
-		type pyzord_t;
+		type pyzor_t, pyzor_exec_t;
+		type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
 	')
 
-	type $1_pyzor_home_t;
-	userdom_user_home_content($1, $1_pyzor_home_t)
+	role $1 types pyzor_t;
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, pyzor_exec_t, pyzor_t)
 
-	manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+	# allow ps to show pyzor and allow the user to kill it 
+	ps_process_pattern($2, pyzor_t)
+	allow $2 pyzor_t:process signal;
 ')
 
 ########################################
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 6a4ba88..002132a 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
 
-policy_module(pyzor, 1.6.0)
+policy_module(pyzor, 2.0.0)
 
 ########################################
 #
@@ -8,33 +8,51 @@ policy_module(pyzor, 1.6.0)
 
 type pyzor_t;
 type pyzor_exec_t;
+typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
 application_domain(pyzor_t, pyzor_exec_t)
+ubac_constrained(pyzor_t)
 role system_r types pyzor_t;
 
-type pyzord_t;
-type pyzord_exec_t;
-domain_type(pyzord_t)
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
 type pyzor_etc_t;
 files_type(pyzor_etc_t)
 
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+type pyzor_home_t;
+typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+userdom_user_home_content(pyzor_home_t)
 
 type pyzor_tmp_t;
+typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
 files_tmp_file(pyzor_tmp_t)
+ubac_constrained(pyzor_tmp_t)
 
 type pyzor_var_lib_t;
+typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
 files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
+
+type pyzord_t;
+type pyzord_exec_t;
+init_daemon_domain(pyzord_t,pyzord_exec_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
 
 ########################################
 #
-# Pyzor local policy
+# Pyzor client local policy
 #
 
 allow pyzor_t self:udp_socket create_socket_perms;
 
+manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
+
 allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
 read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
 files_search_var_lib(pyzor_t)
@@ -65,7 +83,7 @@ auth_use_nsswitch(pyzor_t)
 
 miscfiles_read_localization(pyzor_t)
 
-sysadm_dontaudit_search_home_dirs(pyzor_t)
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
 
 optional_policy(`
 	amavis_manage_lib_files(pyzor_t)
@@ -79,7 +97,7 @@ optional_policy(`
 
 ########################################
 #
-# Pyzord local policy
+# Pyzor server local policy
 #
 
 allow pyzord_t self:udp_socket create_socket_perms;
@@ -121,11 +139,10 @@ locallogin_dontaudit_use_fds(pyzord_t)
 
 miscfiles_read_localization(pyzord_t)
 
-mta_manage_spool(pyzord_t)
-
 # Do not audit attempts to access /root.
-staff_dontaudit_search_home_dirs(pyzord_t)
-sysadm_dontaudit_search_home_dirs(pyzord_t)
+userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
 
 optional_policy(`
 	logging_send_syslog_msg(pyzord_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a40b0a2..5112322 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -1,48 +1,5 @@
 ## <summary>Qmail Mail Server</summary>
 
-#######################################
-## <summary>
-##      The per role template for qmail
-## </summary>
-## <desc>
-##      <p>
-##      This template is invoked automatically for each user, and
-##      generally does not need to be invoked directly
-##      by policy writers.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix" unused="true">
-##      <summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##      </summary>
-## </param>
-## <param name="user_domain">
-##      <summary>
-##      The type of the user domain.
-##      </summary>
-## </param>
-## <param name="user_role">
-##      <summary>
-##      The role associated with the user domain.
-##      </summary>
-## </param>
-#
-template(`qmail_per_role_template',`
-	gen_require(`
-		attribute qmail_user_domains;
-	')
-
-	role $3 types qmail_user_domains;
-
-	qmail_domtrans_inject($2)
-
-	allow qmail_user_domains $2:process sigchld;
-	allow qmail_user_domains $2:fifo_file { write getattr };
-	allow qmail_user_domains $2:fd use;
-
-')
-
 ########################################
 ## <summary>
 ##	Template for qmail parent/sub-domain pairs
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index ca0bf07..1da1661 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
 
-policy_module(qmail, 1.4.0)
+policy_module(qmail, 1.4.1)
 
 ########################################
 #
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index d803d38..c247f4f 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
 
-policy_module(radius, 1.9.0)
+policy_module(radius, 1.9.1)
 
 ########################################
 #
@@ -113,9 +113,7 @@ miscfiles_read_localization(radiusd_t)
 miscfiles_read_certs(radiusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-
-sysadm_dontaudit_search_home_dirs(radiusd_t)
-sysadm_dontaudit_getattr_home_dirs(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
 
 optional_policy(`
 	cron_system_entry(radiusd_t, radiusd_exec_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 1397e40..dc5cc13 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
 
-policy_module(radvd, 1.9.0)
+policy_module(radvd, 1.9.1)
 
 ########################################
 #
@@ -70,8 +70,7 @@ miscfiles_read_localization(radvd_t)
 sysnet_read_config(radvd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-
-sysadm_dontaudit_search_home_dirs(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
 
 optional_policy(`
 	nis_use_ypbind(radvd_t)
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index d50875b..1efba0c 100644
--- a/policy/modules/services/razor.fc
+++ b/policy/modules/services/razor.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
 
 /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
 
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 37fc170..b564199 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,6 +26,9 @@ template(`razor_common_domain_template',`
 	gen_require(`
 		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
 	')
+	type $1_t;
+	domain_type($1_t)
+	domain_entry_file($1_t, razor_exec_t)
 
 	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_t self:fd use;
@@ -95,109 +98,46 @@ template(`razor_common_domain_template',`
 	sysnet_read_config($1_t)
 	sysnet_dns_name_resolve($1_t)
 
-	userdom_use_unpriv_users_fds($1_t)
-
 	optional_policy(`
 		nis_use_ypbind($1_t)
 	')
 ')
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the razor module.
+##	Role access for razor
 ## </summary>
-## <desc>
-##	<p>
-##	The per role template for the razor module.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-template(`razor_per_role_template',`
+interface(`razor_role',`
 	gen_require(`
-		type razor_exec_t;
+		type razor_t, razor_exec_t, razor_home_t;
 	')
 
-	type $1_razor_t;
-	domain_type($1_razor_t)
-	domain_entry_file($1_razor_t, razor_exec_t)
-	razor_common_domain_template($1_razor)
-	role $3 types $1_razor_t;
+	role $1 types razor_t;
 
-	type $1_razor_home_t alias $1_razor_rw_t;
-	files_poly_member($1_razor_home_t)
-	userdom_user_home_content($1, $1_razor_home_t)
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, razor_exec_t, razor_t)
 
-	type $1_razor_tmp_t;
-	files_tmp_file($1_razor_tmp_t)
+	# allow ps to show razor and allow the user to kill it 
+	ps_process_pattern($2, razor_t)
+	allow $2 razor_t:process signal;
 
-	##############################
-	#
-	# Local policy
-	#
-
-	allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-	manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
-	userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir)
-
-	manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
-	manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
-	files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
-
-	domtrans_pattern($2, razor_exec_t, $1_razor_t)
-
-	manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-	relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-
-	logging_send_syslog_msg($1_razor_t)
-
-	userdom_search_user_home_dirs($1, $1_razor_t)
-	# Allow razor to be run by hand.  Needed by any action other than
-	# invocation from a spam filter.
-	userdom_use_user_terminals($1, $1_razor_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_razor_t)
-		fs_manage_nfs_files($1_razor_t)
-		fs_manage_nfs_symlinks($1_razor_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_razor_t)
-		fs_manage_cifs_files($1_razor_t)
-		fs_manage_cifs_symlinks($1_razor_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_razor_t)
-	')
+	manage_dirs_pattern($2, razor_home_t, razor_home_t)
+	manage_files_pattern($2, razor_home_t, razor_home_t)
+	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+	relabel_files_pattern($2, razor_home_t, razor_home_t)
+	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 156d1a6..f856ccf 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -1,60 +1,122 @@
 
-policy_module(razor, 1.4.0)
+policy_module(razor, 2.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type razor_t;
 type razor_exec_t;
-domain_type(razor_t)
-domain_entry_file(razor_t, razor_exec_t)
-role system_r types razor_t;
+corecmd_executable_file(razor_exec_t)
 
 type razor_etc_t;
 files_config_file(razor_etc_t)
 
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+files_poly_member(razor_home_t)
+userdom_user_home_content(razor_home_t)
+
 type razor_log_t;
 logging_log_file(razor_log_t)
 
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+files_tmp_file(razor_tmp_t)
+ubac_constrained(razor_tmp_t)
+
 type razor_var_lib_t;
 files_type(razor_var_lib_t)
 
+# these are here due to ordering issues:
 razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ubac_constrained(razor_t)
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
 
 ########################################
 #
-# Local policy
+# System razor local policy
 #
 
-allow razor_t self:tcp_socket create_socket_perms;
+# this version of razor is invoked typically
+# via the system spam filter
 
-manage_dirs_pattern(razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(razor_t, razor_etc_t, razor_etc_t)
-files_search_etc(razor_t)
+allow system_razor_t self:tcp_socket create_socket_perms;
 
-allow razor_t razor_log_t:file manage_file_perms;
-logging_log_filetrans(razor_t, razor_log_t, file)
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+files_search_etc(system_razor_t)
 
-manage_files_pattern(razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(razor_t, razor_var_lib_t, file)
+allow system_razor_t razor_log_t:file manage_file_perms;
+logging_log_filetrans(system_razor_t, razor_log_t, file)
 
-corenet_all_recvfrom_unlabeled(razor_t)
-corenet_all_recvfrom_netlabel(razor_t)
-corenet_tcp_sendrecv_generic_if(razor_t)
-corenet_raw_sendrecv_generic_if(razor_t)
-corenet_tcp_sendrecv_all_nodes(razor_t)
-corenet_raw_sendrecv_all_nodes(razor_t)
-corenet_tcp_sendrecv_razor_port(razor_t)
-corenet_tcp_connect_razor_port(razor_t)
-corenet_sendrecv_razor_client_packets(razor_t)
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
 
-sysnet_read_config(razor_t)
+corenet_all_recvfrom_unlabeled(system_razor_t)
+corenet_all_recvfrom_netlabel(system_razor_t)
+corenet_tcp_sendrecv_generic_if(system_razor_t)
+corenet_raw_sendrecv_generic_if(system_razor_t)
+corenet_tcp_sendrecv_all_nodes(system_razor_t)
+corenet_raw_sendrecv_all_nodes(system_razor_t)
+corenet_tcp_sendrecv_razor_port(system_razor_t)
+corenet_tcp_connect_razor_port(system_razor_t)
+corenet_sendrecv_razor_client_packets(system_razor_t)
+
+sysnet_read_config(system_razor_t)
+
+# cjp: this shouldn't be needed
+userdom_use_unpriv_users_fds(system_razor_t)
 
 optional_policy(`
-	logging_send_syslog_msg(razor_t)
+	logging_send_syslog_msg(system_razor_t)
+')
+
+optional_policy(`
+	nscd_socket_use(system_razor_t)
+')
+
+########################################
+#
+# User razor local policy
+#
+
+# Allow razor to be run by hand.  Needed by any action other than
+# invocation from a spam filter.
+
+allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+logging_send_syslog_msg(razor_t)
+
+userdom_search_user_home_dirs(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(razor_t)
+	fs_manage_nfs_files(razor_t)
+	fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(razor_t)
+	fs_manage_cifs_files(razor_t)
+	fs_manage_cifs_symlinks(razor_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 7a77cc0..5810a43 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
 
-policy_module(remotelogin, 1.5.0)
+policy_module(remotelogin, 1.5.1)
 
 ########################################
 #
@@ -83,7 +83,7 @@ sysnet_dns_name_resolve(remote_login_t)
 miscfiles_read_localization(remote_login_t)
 
 userdom_use_unpriv_users_fds(remote_login_t)
-userdom_search_all_users_home_content(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
 # since very weak authentication is used.
 userdom_signal_unpriv_users(remote_login_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 8b118e0..59f6291 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
 
-policy_module(rhgb, 1.7.0)
+policy_module(rhgb, 1.7.1)
 
 ########################################
 #
@@ -109,18 +109,16 @@ sysnet_read_config(rhgb_t)
 sysnet_domtrans_ifconfig(rhgb_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-userdom_dontaudit_search_all_users_home_content(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
 
-sysadm_dontaudit_search_home_dirs(rhgb_t)
-
-xserver_read_xdm_xserver_tmp_files(rhgb_t)
-xserver_kill_xdm_xserver(rhgb_t)
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
 # for running setxkbmap
 xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans_xdm_xserver(rhgb_t)
-xserver_signal_xdm_xserver(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
 xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect_xdm_xserver(rhgb_t)
+xserver_stream_connect(rhgb_t)
 
 optional_policy(`
 	consoletype_exec(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 4cb3917..38e99a4 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
 
-policy_module(ricci, 1.4.0)
+policy_module(ricci, 1.4.1)
 
 ########################################
 #
@@ -155,7 +155,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(ricci, ricci_t)
+	dbus_system_bus_client(ricci_t)
 
 	oddjob_dbus_chat(ricci_t)
 ')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 3286a3c..f1c0407 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(rlogin, 1.7.0)
+policy_module(rlogin, 1.7.1)
 
 ########################################
 #
@@ -83,9 +83,9 @@ miscfiles_read_localization(rlogind_t)
 
 seutil_read_config(rlogind_t)
 
-userdom_setattr_unpriv_users_ptys(rlogind_t)
+userdom_setattr_user_ptys(rlogind_t)
 # cjp: this is egregious
-userdom_read_all_users_home_content_files(rlogind_t)
+userdom_read_user_home_content_files(rlogind_t)
 
 remotelogin_domtrans(rlogind_t)
 remotelogin_signal(rlogind_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 395044f..1325aa7 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
 
-policy_module(roundup, 1.5.0)
+policy_module(roundup, 1.5.1)
 
 ########################################
 #
@@ -78,8 +78,7 @@ miscfiles_read_localization(roundup_t)
 sysnet_read_config(roundup_t)
 
 userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-
-sysadm_dontaudit_search_home_dirs(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
 
 optional_policy(`
 	mysql_stream_connect(roundup_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 55995a5..7c6d443 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.9.0)
+policy_module(rpc, 1.9.1)
 
 ########################################
 #
@@ -174,9 +174,9 @@ auth_use_nsswitch(gssd_t)
 miscfiles_read_certs(gssd_t)
 
 tunable_policy(`allow_gssd_read_tmp',`
-	userdom_list_unpriv_users_tmp(gssd_t) 
-	userdom_read_unpriv_users_tmp_files(gssd_t) 
-	userdom_read_unpriv_users_tmp_symlinks(gssd_t) 
+	userdom_list_user_tmp(gssd_t) 
+	userdom_read_user_tmp_files(gssd_t) 
+	userdom_read_user_tmp_symlinks(gssd_t) 
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index ea4a7c5..00887fb 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
 
-policy_module(rshd, 1.5.0)
+policy_module(rshd, 1.5.1)
 
 ########################################
 #
@@ -61,7 +61,7 @@ miscfiles_read_localization(rshd_t)
 seutil_read_config(rshd_t)
 seutil_read_default_contexts(rshd_t)
 
-userdom_search_all_users_home_content(rshd_t)
+userdom_search_user_home_content(rshd_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(rshd_t)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 23da552..a0eaff1 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -4,44 +4,6 @@
 ##	from Windows NT servers.
 ## </summary>
 
-#######################################
-## <summary>
-##	The per role template for the samba module.
-## </summary>
-## <desc>
-##	<p>
-##	This template allows smbd to manage files in
-##	a user home directory, creating files with the
-##	correct type.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`samba_per_role_template',`
-	gen_require(`
-		type smbd_t;
-	')
-
-	tunable_policy(`samba_enable_home_dirs',`
-		userdom_manage_user_home_content_dirs($1, smbd_t)
-		userdom_manage_user_home_content_files($1, smbd_t)
-		userdom_manage_user_home_content_symlinks($1, smbd_t)
-		userdom_manage_user_home_content_sockets($1, smbd_t)
-		userdom_manage_user_home_content_pipes($1, smbd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1, smbd_t, { dir file lnk_file sock_file fifo_file })
-	')
-')
-
 ########################################
 ## <summary>
 ##	Execute samba net in the samba_net domain.
@@ -76,11 +38,6 @@ interface(`samba_domtrans_net',`
 ##	The role to be allowed the samba_net domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the samba_net domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`samba_run_net',`
@@ -90,7 +47,6 @@ interface(`samba_run_net',`
 
 	samba_domtrans_net($1)
 	role $2 types samba_net_t;
-	allow samba_net_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -127,11 +83,6 @@ interface(`samba_domtrans_smbmount',`
 ##	The role to be allowed the smbmount domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the smbmount domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`samba_run_smbmount',`
@@ -141,7 +92,6 @@ interface(`samba_run_smbmount',`
 
 	samba_domtrans_smbmount($1)
 	role $2 types smbmount_t;
-	allow smbmount_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -437,11 +387,6 @@ interface(`samba_domtrans_winbind_helper',`
 ##	The role to be allowed the winbind_helper domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the winbind_helper domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`samba_run_winbind_helper',`
@@ -451,7 +396,6 @@ interface(`samba_run_winbind_helper',`
 
 	samba_domtrans_winbind_helper($1)
 	role $2 types winbind_helper_t;
-	allow winbind_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 2b52ef9..b1eda58 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba, 1.10.0)
+policy_module(samba, 1.10.1)
 
 #################################
 #
@@ -197,7 +197,8 @@ logging_send_syslog_msg(samba_net_t)
 
 miscfiles_read_localization(samba_net_t) 
 
-sysadm_dontaudit_search_home_dirs(samba_net_t)
+userdom_use_user_terminals(samba_net_t)
+userdom_dontaudit_search_user_home_dirs(samba_net_t)
 
 optional_policy(`
 	kerberos_use(samba_net_t)
@@ -317,10 +318,8 @@ logging_send_syslog_msg(smbd_t)
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
-userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
-
-sysadm_dontaudit_search_home_dirs(smbd_t)
+userdom_dontaudit_search_user_home_dirs(smbd_t)
 
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
@@ -338,6 +337,15 @@ tunable_policy(`samba_domain_controller',`
 	usermanage_domtrans_groupadd(smbd_t)
 ')
 
+tunable_policy(`samba_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(smbd_t)
+	userdom_manage_user_home_content_files(smbd_t)
+	userdom_manage_user_home_content_symlinks(smbd_t)
+	userdom_manage_user_home_content_sockets(smbd_t)
+	userdom_manage_user_home_content_pipes(smbd_t)
+	userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+')
+
 # Support Samba sharing of NFS mount points
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
@@ -367,8 +375,8 @@ optional_policy(`
 
 tunable_policy(`samba_create_home_dirs',`
 	allow smbd_t self:capability chown;
-	unprivuser_create_home_dir(smbd_t)
-	unprivuser_home_filetrans_home_dir(smbd_t)
+	userdom_create_user_home_dirs(smbd_t)
+	userdom_home_filetrans_user_home_dir(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_ro',`
@@ -383,7 +391,7 @@ tunable_policy(`samba_export_all_rw',`
 	auth_manage_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_manage_all_files_except_shadow(nmbd_t)
-	unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
+	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
 ')
 
 ########################################
@@ -461,10 +469,8 @@ logging_send_syslog_msg(nmbd_t)
 
 miscfiles_read_localization(nmbd_t)
 
-userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fds(nmbd_t)
-
-sysadm_dontaudit_search_home_dirs(nmbd_t)
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(nmbd_t)
@@ -526,8 +532,6 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 
-term_list_ptys(smbmount_t)
-
 corecmd_list_bin(smbmount_t)
 
 files_list_mnt(smbmount_t)
@@ -546,6 +550,7 @@ locallogin_use_fds(smbmount_t)
 
 logging_search_logs(smbmount_t)
 
+userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 
 ########################################
@@ -714,9 +719,12 @@ logging_send_syslog_msg(winbind_t)
 miscfiles_read_localization(winbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_priveleged_home_dir_manager(winbind_t)
-
-sysadm_dontaudit_search_home_dirs(winbind_t)
+userdom_manage_user_home_content_dirs(winbind_t)
+userdom_manage_user_home_content_files(winbind_t)
+userdom_manage_user_home_content_symlinks(winbind_t)
+userdom_manage_user_home_content_pipes(winbind_t)
+userdom_manage_user_home_content_sockets(winbind_t)
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	kerberos_use(winbind_t)
@@ -757,6 +765,8 @@ logging_send_syslog_msg(winbind_helper_t)
 
 miscfiles_read_localization(winbind_helper_t) 
 
+userdom_use_user_terminals(winbind_helper_t)
+
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index cad7efb..c7d0716 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
 
-policy_module(sasl, 1.10.0)
+policy_module(sasl, 1.10.1)
 
 ########################################
 #
@@ -89,8 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t)
 sysnet_read_config(saslauthd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-
-sysadm_dontaudit_search_home_dirs(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
 
 # cjp: typeattribute doesnt work in conditionals
 auth_can_read_shadow_passwords(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 1e63079..9c63d2d 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
 
-policy_module(sendmail, 1.8.0)
+policy_module(sendmail, 1.8.1)
 
 ########################################
 #
@@ -94,6 +94,7 @@ miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_dontaudit_search_user_home_dirs(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
@@ -103,8 +104,6 @@ mta_rw_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
-sysadm_dontaudit_search_home_dirs(sendmail_t)
-
 optional_policy(`
 	clamav_search_lib(sendmail_t)
 ')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 709b7a6..74f4499 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot, 1.8.0)
+policy_module(setroubleshoot, 1.8.1)
 
 ########################################
 #
@@ -102,10 +102,10 @@ seutil_read_file_contexts(setroubleshootd_t)
 
 sysnet_read_config(setroubleshootd_t)
 
-sysadm_dontaudit_read_home_content_files(setroubleshootd_t)
+userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
-	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+	dbus_system_bus_client(setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
 ')
 
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index dd722d6..9bc9e4c 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -1,5 +1,5 @@
 
-policy_module(slrnpull, 1.3.0)
+policy_module(slrnpull, 1.3.1)
 
 ########################################
 #
@@ -56,8 +56,7 @@ logging_send_syslog_msg(slrnpull_t)
 miscfiles_read_localization(slrnpull_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-
-sysadm_dontaudit_search_home_dirs(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
 
 optional_policy(`
 	cron_system_entry(slrnpull_t, slrnpull_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 5e015ea..6dfe92a 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
 
-policy_module(smartmon, 1.7.0)
+policy_module(smartmon, 1.7.1)
 
 ########################################
 #
@@ -83,8 +83,7 @@ miscfiles_read_localization(fsdaemon_t)
 sysnet_dns_name_resolve(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-
-sysadm_dontaudit_search_home_dirs(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
 
 optional_policy(`
         mta_send_mail(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index afefddc..242e92f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp, 1.8.0)
+policy_module(snmp, 1.8.1)
 
 ########################################
 #
@@ -103,8 +103,7 @@ seutil_dontaudit_search_config(snmpd_t)
 sysnet_read_config(snmpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-
-sysadm_dontaudit_search_home_dirs(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
 
 ifdef(`distro_redhat', `
 	optional_policy(`
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 64f2f5e..9206d22 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
 
-policy_module(snort, 1.6.0)
+policy_module(snort, 1.6.1)
 
 ########################################
 #
@@ -92,8 +92,7 @@ miscfiles_read_localization(snort_t)
 sysnet_read_config(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
-
-sysadm_dontaudit_search_home_dirs(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 3536fd3..8a7ac69 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
 
-policy_module(soundserver, 1.6.0)
+policy_module(soundserver, 1.6.1)
 
 ########################################
 #
@@ -100,8 +100,7 @@ miscfiles_read_localization(soundd_t)
 sysnet_read_config(soundd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-
-sysadm_dontaudit_search_home_dirs(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
 
 optional_policy(`
 	alsa_domtrans(soundd_t)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index e4f676b..80cab98 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 6881e57..4140164 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -1,315 +1,41 @@
 ## <summary>Filter used for removing unsolicited email.</summary>
 
-#######################################
+########################################
 ## <summary>
-##	The per role template for the spamassassin module.
+##	Role access for spamassassin
 ## </summary>
-## <desc>
-##	<p>
-##	The per role template for the spamassassin module.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role
 ##	</summary>
 ## </param>
 #
-# cjp: when tunables are available, spamc stuff should be
-# toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_role_template',`
-
+interface(`spamassassin_role',`
 	gen_require(`
-		type spamc_exec_t, spamassassin_exec_t;
-		type spamd_t, spamd_tmp_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	type $1_spamc_t;
-	application_domain($1_spamc_t, spamc_exec_t)
-	role $3 types $1_spamc_t;
-
-	type $1_spamc_tmp_t;
-	files_tmp_file($1_spamc_tmp_t)
-
-	type $1_spamassassin_t;
-	application_domain($1_spamassassin_t, spamassassin_exec_t)
-	role $3 types $1_spamassassin_t;
-
-	type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
-	userdom_user_home_content($1, $1_spamassassin_home_t)
-	files_poly_member($1_spamassassin_home_t)
-
-	type $1_spamassassin_tmp_t;
-	files_tmp_file($1_spamassassin_tmp_t)
-
-	##############################
-	#
-	# $1_spamc_t local policy
-	#
-
-	allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamc_t self:fd use;
-	allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
-	allow $1_spamc_t self:sock_file read_sock_file_perms;
-	allow $1_spamc_t self:shm create_shm_perms;
-	allow $1_spamc_t self:sem create_sem_perms;
-	allow $1_spamc_t self:msgq create_msgq_perms;
-	allow $1_spamc_t self:msg { send receive };
-	allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamc_t self:unix_dgram_socket sendto;
-	allow $1_spamc_t self:unix_stream_socket connectto;
-	allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
-	allow $1_spamc_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
-	manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
-	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-
-	# Allow connecting to a local spamd
-	stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
-
-	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
-
-	kernel_read_kernel_sysctls($1_spamc_t)
-
-	corenet_all_recvfrom_unlabeled($1_spamc_t)
-	corenet_all_recvfrom_netlabel($1_spamc_t)
-	corenet_tcp_sendrecv_generic_if($1_spamc_t)
-	corenet_udp_sendrecv_generic_if($1_spamc_t)
-	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
-	corenet_udp_sendrecv_all_nodes($1_spamc_t)
-	corenet_tcp_sendrecv_all_ports($1_spamc_t)
-	corenet_udp_sendrecv_all_ports($1_spamc_t)
-	corenet_tcp_connect_all_ports($1_spamc_t)
-	corenet_sendrecv_all_client_packets($1_spamc_t)
-
-	fs_search_auto_mountpoints($1_spamc_t)
-
-	# cjp: these should probably be removed:
-	corecmd_list_bin($1_spamc_t)
-	corecmd_read_bin_symlinks($1_spamc_t)
-	corecmd_read_bin_files($1_spamc_t)
-	corecmd_read_bin_pipes($1_spamc_t)
-	corecmd_read_bin_sockets($1_spamc_t)
-
-	domain_use_interactive_fds($1_spamc_t)
-
-	files_read_etc_files($1_spamc_t)
-	files_read_etc_runtime_files($1_spamc_t)
-	files_read_usr_files($1_spamc_t)
-	files_dontaudit_search_var($1_spamc_t)
-	# cjp: this may be removable:
-	files_list_home($1_spamc_t)
-
-	logging_send_syslog_msg($1_spamc_t)
-
-	miscfiles_read_localization($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	seutil_read_config($1_spamc_t)
-
-	sysnet_read_config($1_spamc_t)
-
-	userdom_use_unpriv_users_fds($1_spamc_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamc_t)
-
-	# cjp: this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamc_t)
-		files_read_default_files($1_spamc_t)
-		files_read_default_symlinks($1_spamc_t)
-		files_read_default_sockets($1_spamc_t)
-		files_read_default_pipes($1_spamc_t)
-	')
-
-	optional_policy(`
-		# Allow connection to spamd socket above
-		evolution_stream_connect($1, $1_spamc_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_spamc_t)
-	')
-
-	optional_policy(`
-		nscd_socket_use($1_spamc_t)
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamc_t)
-		sendmail_stub($1_spamc_t)
-	')
-
-	##############################
-	#
-	# $1_spamassassin_t local policy
-	#
-
-	allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_spamassassin_t self:fd use;
-	allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
-	allow $1_spamassassin_t self:sock_file read_sock_file_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
-	allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_spamassassin_t self:unix_dgram_socket sendto;
-	allow $1_spamassassin_t self:unix_stream_socket connectto;
-	allow $1_spamassassin_t self:shm create_shm_perms;
-	allow $1_spamassassin_t self:sem create_sem_perms;
-	allow $1_spamassassin_t self:msgq create_msgq_perms;
-	allow $1_spamassassin_t self:msg { send receive };
-
-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
-	manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
-	manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
-	files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
-
-	manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-
-	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
-
-	manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
-	userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
-	kernel_read_kernel_sysctls($1_spamassassin_t)
-
-	dev_read_urand($1_spamassassin_t)
-
-	fs_search_auto_mountpoints($1_spamassassin_t)
-
-	# this should probably be removed
-	corecmd_list_bin($1_spamassassin_t)
-	corecmd_read_bin_symlinks($1_spamassassin_t)
-	corecmd_read_bin_files($1_spamassassin_t)
-	corecmd_read_bin_pipes($1_spamassassin_t)
-	corecmd_read_bin_sockets($1_spamassassin_t)
-
-	domain_use_interactive_fds($1_spamassassin_t)
-
-	files_read_etc_files($1_spamassassin_t)
-	files_read_etc_runtime_files($1_spamassassin_t)
-	files_list_home($1_spamassassin_t)
-	files_read_usr_files($1_spamassassin_t)
-	files_dontaudit_search_var($1_spamassassin_t)
-
-	logging_send_syslog_msg($1_spamassassin_t)
-
-	miscfiles_read_localization($1_spamassassin_t)
-
-	# cjp: this could probably be removed
-	seutil_read_config($1_spamassassin_t)
-
-	sysnet_dns_name_resolve($1_spamassassin_t)
-
-	userdom_use_unpriv_users_fds($1_spamassassin_t)
-	userdom_search_user_home_dirs($1,$1_spamassassin_t)
-	# cjp: this really should just be the
-	# terminal specific to the role
-	userdom_use_unpriv_users_ptys($1_spamassassin_t)
-
-	# this should probably be removed:
-	tunable_policy(`read_default_t',`
-		files_list_default($1_spamassassin_t)
-		files_read_default_files($1_spamassassin_t)
-		files_read_default_symlinks($1_spamassassin_t)
-		files_read_default_sockets($1_spamassassin_t)
-		files_read_default_pipes($1_spamassassin_t)
-	')
-
-	# set tunable if you have spamassassin do DNS lookups
-	tunable_policy(`spamassassin_can_network',`
-		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
-		allow $1_spamassassin_t self:udp_socket create_socket_perms;
-
-		corenet_all_recvfrom_unlabeled($1_spamassassin_t)
-		corenet_all_recvfrom_netlabel($1_spamassassin_t)
-		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
-		corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_udp_sendrecv_all_ports($1_spamassassin_t)
-		corenet_tcp_connect_all_ports($1_spamassassin_t)
-		corenet_sendrecv_all_client_packets($1_spamassassin_t)
-
-		sysnet_read_config($1_spamassassin_t)
+		type spamc_t, spamc_exec_t, spamc_tmp_t;
+		type spamassassin_t, spamassassin_exec_t;
+		type spamassassin_home_t, spamassassin_tmp_t;
 	')
 
-	tunable_policy(`spamd_enable_home_dirs',`
-		userdom_manage_user_home_content_dirs($1,spamd_t)
-		userdom_manage_user_home_content_files($1,spamd_t)
-		userdom_manage_user_home_content_symlinks($1,spamd_t)
-	')
+	role $1 types { spamc_t spamassassin_t };
 
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_spamassassin_t)
-		fs_manage_nfs_files($1_spamassassin_t)
-		fs_manage_nfs_symlinks($1_spamassassin_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_spamassassin_t)
-		fs_manage_cifs_files($1_spamassassin_t)
-		fs_manage_cifs_symlinks($1_spamassassin_t)
-	')
-
-	optional_policy(`
-		# Write pid file and socket in ~/.evolution/cache/tmp
-		evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file })
-	')
+	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+	ps_process_pattern($2, spamassassin_t)
 
-	optional_policy(`
-		# cjp: clearly some redundancy here
+	domtrans_pattern($2, spamc_exec_t, spamc_t)
+	ps_process_pattern($2, spamc_t)
 
-		nis_use_ypbind($1_spamassassin_t)
-
-		tunable_policy(`spamassassin_can_network && allow_ypbind',`
-			nis_use_ypbind_uncond($1_spamassassin_t)
-		')
-	')
-
-	optional_policy(`
-		mta_read_config($1_spamassassin_t)
-		sendmail_stub($1_spamassassin_t)
-	')
+	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+	relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
 ')
 
 ########################################
@@ -371,31 +97,20 @@ interface(`spamassassin_exec_spamd',`
 
 ########################################
 ## <summary>
-##      Execute spamassassin client in the user spamassassin client domain.
+##      Execute spamassassin client in the spamassassin client domain.
 ## </summary>
-## <desc>
-##	<p>
-##	This is a template and should only be called 
-##	from per user domain tempaltes.
-##	</p>
-## </desc>
-## <param name="prefix">
-##      <summary>
-##      The prefix of the user domain. eg user would be the prefix of user_t.
-##      </summary>
-## </param>
 ## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
-template(`spamassassin_domtrans_user_client',`
+interface(`spamassassin_domtrans_client',`
 	gen_require(`
-		type $1_spamc_t, spamc_exec_t;
+		type spamc_t, spamc_exec_t;
 	')
 
-	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
+	domtrans_pattern($1, spamc_exec_t, spamc_t)
 ')
 
 ########################################
@@ -419,31 +134,20 @@ interface(`spamassassin_exec_client',`
 
 ########################################
 ## <summary>
-##      Execute spamassassin in the user spamassassin domain.
+##	Execute spamassassin standalone client in the user spamassassin domain.
 ## </summary>
-## <desc>
-##	<p>
-##	This is a template and should only be called 
-##	from per user domain tempaltes.
-##	</p>
-## </desc>
-## <param name="prefix">
-##      <summary>
-##	The prefix of the user domain. eg user would be the prefix of user_t.
-##      </summary>
-## </param>
 ## <param name="domain">
-##      <summary>
-##      The type of the process performing this action.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
-template(`spamassassin_domtrans_user_local_client',`
+interface(`spamassassin_domtrans_local_client',`
 	gen_require(`
-		type $1_spamassassin_t, spamassassin_exec_t;
+		type spamassassin_t, spamassassin_exec_t;
 	')
 
-	domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
+	domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 98c7009..343136a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin, 1.10.0)
+policy_module(spamassassin, 2.0.0)
 
 ########################################
 #
@@ -20,13 +20,41 @@ gen_tunable(spamassassin_can_network, false)
 ## </desc>
 gen_tunable(spamd_enable_home_dirs, true)
 
-# spamassassin client executable
+type spamassassin_t;
+type spamassassin_exec_t;
+typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+application_domain(spamassassin_t, spamassassin_exec_t)
+ubac_constrained(spamassassin_t)
+
+type spamassassin_home_t;
+typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+userdom_user_home_content(spamassassin_home_t)
+files_poly_member(spamassassin_home_t)
+
+type spamassassin_tmp_t;
+typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+files_tmp_file(spamassassin_tmp_t)
+ubac_constrained(spamassassin_tmp_t)
+
+type spamc_t;
 type spamc_exec_t;
-application_executable_file(spamc_exec_t)
+typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+application_domain(spamc_t, spamc_exec_t)
+ubac_constrained(spamc_t)
+
+type spamc_tmp_t;
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+files_tmp_file(spamc_tmp_t)
+ubac_constrained(spamc_tmp_t)
 
 type spamd_t;
 type spamd_exec_t;
-init_daemon_domain(spamd_t,spamd_exec_t)
+init_daemon_domain(spamd_t, spamd_exec_t)
 
 type spamd_spool_t;
 files_type(spamd_spool_t)
@@ -41,12 +69,232 @@ files_type(spamd_var_lib_t)
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
 
-type spamassassin_exec_t;
-application_executable_file(spamassassin_exec_t)
+##############################
+#
+# Standalone program local policy
+#
+
+allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
+
+manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+# this should probably be removed:
+tunable_policy(`read_default_t',`
+	files_list_default(spamassassin_t)
+	files_read_default_files(spamassassin_t)
+	files_read_default_symlinks(spamassassin_t)
+	files_read_default_sockets(spamassassin_t)
+	files_read_default_pipes(spamassassin_t)
+')
+
+# set tunable if you have spamassassin do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+	allow spamassassin_t self:udp_socket create_socket_perms;
+
+	corenet_all_recvfrom_unlabeled(spamassassin_t)
+	corenet_all_recvfrom_netlabel(spamassassin_t)
+	corenet_tcp_sendrecv_generic_if(spamassassin_t)
+	corenet_udp_sendrecv_generic_if(spamassassin_t)
+	corenet_tcp_sendrecv_all_nodes(spamassassin_t)
+	corenet_udp_sendrecv_all_nodes(spamassassin_t)
+	corenet_tcp_sendrecv_all_ports(spamassassin_t)
+	corenet_udp_sendrecv_all_ports(spamassassin_t)
+	corenet_tcp_connect_all_ports(spamassassin_t)
+	corenet_sendrecv_all_client_packets(spamassassin_t)
+
+	sysnet_read_config(spamassassin_t)
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+	userdom_manage_user_home_content_dirs(spamd_t)
+	userdom_manage_user_home_content_files(spamd_t)
+	userdom_manage_user_home_content_symlinks(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(spamassassin_t)
+	fs_manage_nfs_files(spamassassin_t)
+	fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(spamassassin_t)
+	fs_manage_cifs_files(spamassassin_t)
+	fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+	# Write pid file and socket in ~/.evolution/cache/tmp
+	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+	tunable_policy(`spamassassin_can_network && allow_ypbind',`
+		nis_use_ypbind_uncond(spamassassin_t)
+	')
+')
+
+optional_policy(`
+	mta_read_config(spamassassin_t)
+	sendmail_stub(spamassassin_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+
+kernel_read_kernel_sysctls(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_all_nodes(spamc_t)
+corenet_udp_sendrecv_all_nodes(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
+files_list_home(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this should probably be removed:
+seutil_read_config(spamc_t)
+
+sysnet_read_config(spamc_t)
+
+# cjp: this should probably be removed:
+tunable_policy(`read_default_t',`
+	files_list_default(spamc_t)
+	files_read_default_files(spamc_t)
+	files_read_default_symlinks(spamc_t)
+	files_read_default_sockets(spamc_t)
+	files_read_default_pipes(spamc_t)
+')
+
+optional_policy(`
+	# Allow connection to spamd socket above
+	evolution_stream_connect(spamc_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(spamc_t)
+')
+
+optional_policy(`
+	nscd_socket_use(spamc_t)
+')
+
+optional_policy(`
+	mta_read_config(spamc_t)
+	sendmail_stub(spamc_t)
+')
 
 ########################################
 #
-# Spamassassin daemon local policy
+# Server local policy
 #
 
 # Spamassassin, when run as root and using per-user config files,
@@ -143,9 +391,7 @@ sysnet_use_ldap(spamd_t)
 sysnet_dns_name_resolve(spamd_t)
 
 userdom_use_unpriv_users_fds(spamd_t)
-userdom_search_unpriv_users_home_dirs(spamd_t)
-
-sysadm_dontaudit_search_home_dirs(spamd_t)
+userdom_search_user_home_dirs(spamd_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(spamd_t)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index 45f3070..dc0423f 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -1,5 +1,5 @@
 
-policy_module(speedtouch, 1.3.0)
+policy_module(speedtouch, 1.3.1)
 
 #######################################
 #
@@ -51,8 +51,7 @@ logging_send_syslog_msg(speedmgmt_t)
 miscfiles_read_localization(speedmgmt_t)
 
 userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
-
-sysadm_dontaudit_search_home_dirs(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(speedmgmt_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 9b7187a..fcde140 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
 
-policy_module(squid, 1.7.0)
+policy_module(squid, 1.7.1)
 
 ########################################
 #
@@ -148,9 +148,7 @@ miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)
-userdom_dontaudit_use_unpriv_user_fds(squid_t)
-
-sysadm_dontaudit_search_home_dirs(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
 
 tunable_policy(`squid_connect_any',`
 	corenet_tcp_connect_all_ports(squid_t)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index bf53f28..6262c7b 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 58b25e6..545f5b0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -166,247 +166,6 @@ template(`ssh_basic_client_template',`
 
 #######################################
 ## <summary>
-##	The per role template for the ssh module.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domains which are used
-##	for ssh client sessions and user ssh agents.  A derived
-##	type is also created to protect the user ssh keys.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
-##	<summary>
-##	The role associated with the user domain.
-##	</summary>
-## </param>
-#
-template(`ssh_per_role_template',`
-	gen_require(`
-		type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	ssh_basic_client_template($1, $2, $3)
-
-	userdom_user_home_content($1, $1_home_ssh_t)
-
-	type $1_ssh_agent_t;
-	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
-	domain_interactive_fd($1_ssh_agent_t)
-	role $3 types $1_ssh_agent_t;
-
-	type $1_ssh_agent_tmp_t;
-	files_tmp_file($1_ssh_agent_tmp_t)
-
-	type $1_ssh_keysign_t;
-	application_domain($1_ssh_keysign_t, ssh_keysign_exec_t)
-	role $3 types $1_ssh_keysign_t;
-
-	type $1_ssh_tmpfs_t;
-	files_tmpfs_file($1_ssh_tmpfs_t)
-
-	##############################
-	#
-	# Client local policy
-	#
-
-	manage_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
-	manage_lnk_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
-	manage_fifo_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
-	manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
-	fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
-	manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
-	userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file })
-
-	# Allow the ssh program to communicate with ssh-agent.
-	stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-
-	allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-
-	allow $2 $1_ssh_t:process signal;
-
-	userdom_use_unpriv_users_fds($1_ssh_t)
-	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
-	userdom_search_user_home_dirs($1,$1_ssh_t)
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_ssh_t)
-	# needs to read krb tgt
-	userdom_read_user_tmp_files($1, $1_ssh_t)
-
-	tunable_policy(`allow_ssh_keysign',`
-		domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-		allow $1_ssh_keysign_t $1_ssh_t:fd use;
-		allow $1_ssh_keysign_t $1_ssh_t:process sigchld;
-		allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms;
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_ssh_t)
-		fs_manage_nfs_files($1_ssh_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_ssh_t)
-		fs_manage_cifs_files($1_ssh_t)
-	')
-
-	# for port forwarding
-	tunable_policy(`user_tcp_server',`
-		corenet_tcp_bind_ssh_port($1_ssh_t)
-	')
-
-	optional_policy(`
-		xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
-		xserver_domtrans_user_xauth($1, $1_ssh_t)
-	')
-
-	ifdef(`TODO',`
-	# for /bin/sh used to execute xauth
-	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-	#allow ssh to access keys stored on removable media
-	# Should we have a boolean around this?
-	files_search_mnt($1_ssh_t)
-	r_dir_file($1_ssh_t, removable_t) 
-
-	') dnl endif TODO
-
-	##############################
-	#
-	# $1_ssh_agent_t local policy
-	#
-
-	allow $1_ssh_agent_t self:process setrlimit;
-	allow $1_ssh_agent_t self:capability setgid;
-
-	allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
-
-	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-	manage_dirs_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t)
-	manage_sock_files_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t)
-	files_tmp_filetrans($1_ssh_agent_t, $1_ssh_agent_tmp_t, { dir sock_file })
-
-	# for ssh-add
-	stream_connect_pattern($2, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-
-	# Allow the user shell to signal the ssh program.
-	allow $2 $1_ssh_agent_t:process signal;
-
-	# allow ps to show ssh
-	ps_process_pattern($2, $1_ssh_agent_t)
-
-	domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t)
-
-	kernel_read_kernel_sysctls($1_ssh_agent_t)
-
-	dev_read_urand($1_ssh_agent_t)
-	dev_read_rand($1_ssh_agent_t)
-
-	fs_search_auto_mountpoints($1_ssh_agent_t)
-
-	# transition back to normal privs upon exec
-	corecmd_shell_domtrans($1_ssh_agent_t, $1_t)
-	corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
-
-	domain_use_interactive_fds($1_ssh_agent_t)
-
-	files_read_etc_files($1_ssh_agent_t)
-	files_read_etc_runtime_files($1_ssh_agent_t)
-	files_search_home($1_ssh_agent_t)
-
-	libs_read_lib_files($1_ssh_agent_t)
-
-	logging_send_syslog_msg($1_ssh_agent_t)
-
-	miscfiles_read_localization($1_ssh_agent_t)
-
-	seutil_dontaudit_read_config($1_ssh_agent_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_ssh_agent_t)
-
-	# for the transition back to normal privs upon exec
-	userdom_user_home_domtrans($1, $1_ssh_agent_t, $2)
-	allow $2 $1_ssh_agent_t:fd use;
-	allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
-	allow $2 $1_ssh_agent_t:process sigchld;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_nfs_domtrans($1_ssh_agent_t, $1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_ssh_agent_t)
-
-		# transition back to normal privs upon exec
-		fs_cifs_domtrans($1_ssh_agent_t, $1_t)
-	')
-
-	optional_policy(`
-		nis_use_ypbind($1_ssh_agent_t)
-	')
-
-	optional_policy(`
-		xserver_use_xdm_fds($1_ssh_agent_t)
-		xserver_rw_xdm_pipes($1_ssh_agent_t)
-	')
-
-	ifdef(`TODO',`
-	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-	') dnl endif TODO
-
-	##############################
-	#
-	# $1_ssh_keysign_t local policy
-	#
-
-	tunable_policy(`allow_ssh_keysign',`
-		allow $1_ssh_keysign_t self:capability { setgid setuid };
-		allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-
-		allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
-
-		dev_read_urand($1_ssh_keysign_t)
-
-		files_read_etc_files($1_ssh_keysign_t)
-	')
-
-	optional_policy(`
-		tunable_policy(`allow_ssh_keysign',`
-			nscd_socket_use($1_ssh_keysign_t)
-		')
-	')
-')
-
-#######################################
-## <summary>
 ##	The template to define a ssh server.
 ## </summary>
 ## <desc>
@@ -493,8 +252,8 @@ template(`ssh_server_template', `
 
 	sysnet_read_config($1_t)
 
-	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
-	userdom_search_all_users_home_dirs($1_t)
+	userdom_dontaudit_relabelfrom_user_ptys($1_t)
+	userdom_search_user_home_dirs($1_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_t)
@@ -524,6 +283,159 @@ template(`ssh_server_template', `
 
 ########################################
 ## <summary>
+##	Role access for ssh
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+template(`ssh_role_template',`
+	gen_require(`
+		attribute ssh_server, ssh_agent_type;
+
+		type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t;
+		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+		type ssh_agent_tmp_t;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	role $2 types ssh_t;
+
+	type $1_ssh_agent_t, ssh_agent_type;
+	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
+	domain_interactive_fd($1_ssh_agent_t)
+	ubac_constrained($1_ssh_agent_t)
+	role $2 types $1_ssh_agent_t;
+
+	##############################
+	#
+	# Local policy
+	#
+
+	# Transition from the domain to the derived domain.
+	domtrans_pattern($3, ssh_exec_t, ssh_t)
+
+	# inheriting stream sockets is needed for "ssh host command" as no pty
+	# is allocated
+	allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
+	# allow ps to show ssh
+	ps_process_pattern($3, ssh_t)
+	allow $3 ssh_t:process signal;
+
+	# for rsync
+	allow ssh_t $3:unix_stream_socket rw_socket_perms;
+	allow ssh_t $3:unix_stream_socket connectto;
+
+	# user can manage the keys and config
+	manage_files_pattern($3, home_ssh_t, home_ssh_t)
+	manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
+	manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
+
+	##############################
+	#
+	# SSH agent local policy
+	#
+
+	allow $1_ssh_agent_t self:process setrlimit;
+	allow $1_ssh_agent_t self:capability setgid;
+
+	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+
+	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+	manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+	manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+	files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+
+	# for ssh-add
+	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+
+	# Allow the user shell to signal the ssh program.
+	allow $3 $1_ssh_agent_t:process signal;
+
+	# allow ps to show ssh
+	ps_process_pattern($3, $1_ssh_agent_t)
+
+	domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+
+	kernel_read_kernel_sysctls($1_ssh_agent_t)
+
+	dev_read_urand($1_ssh_agent_t)
+	dev_read_rand($1_ssh_agent_t)
+
+	fs_search_auto_mountpoints($1_ssh_agent_t)
+
+	# transition back to normal privs upon exec
+	corecmd_shell_domtrans($1_ssh_agent_t, $3)
+	corecmd_bin_domtrans($1_ssh_agent_t, $3)
+
+	domain_use_interactive_fds($1_ssh_agent_t)
+
+	files_read_etc_files($1_ssh_agent_t)
+	files_read_etc_runtime_files($1_ssh_agent_t)
+	files_search_home($1_ssh_agent_t)
+
+	libs_read_lib_files($1_ssh_agent_t)
+
+	logging_send_syslog_msg($1_ssh_agent_t)
+
+	miscfiles_read_localization($1_ssh_agent_t)
+
+	seutil_dontaudit_read_config($1_ssh_agent_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1_ssh_agent_t)
+
+	# for the transition back to normal privs upon exec
+	userdom_user_home_domtrans($1_ssh_agent_t, $3)
+	allow $3 $1_ssh_agent_t:fd use;
+	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+	allow $3 $1_ssh_agent_t:process sigchld;
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_ssh_agent_t)
+
+		# transition back to normal privs upon exec
+		fs_nfs_domtrans($1_ssh_agent_t, $3)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_ssh_agent_t)
+
+		# transition back to normal privs upon exec
+		fs_cifs_domtrans($1_ssh_agent_t, $3)
+	')
+
+	optional_policy(`
+		nis_use_ypbind($1_ssh_agent_t)
+	')
+
+	optional_policy(`
+		xserver_use_xdm_fds($1_ssh_agent_t)
+		xserver_rw_xdm_pipes($1_ssh_agent_t)
+	')
+')
+
+########################################
+## <summary>
 ##	Send a SIGCHLD signal to the ssh server.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index fcc0a95..f192d2c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
 
-policy_module(ssh, 1.11.0)
+policy_module(ssh, 2.0.0)
 
 ########################################
 #
@@ -21,23 +21,13 @@ gen_tunable(allow_ssh_keysign, false)
 gen_tunable(ssh_sysadm_login, false)
 
 attribute ssh_server;
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
-
-# ssh client executable.
-type ssh_exec_t;
-application_executable_file(ssh_exec_t)
+attribute ssh_agent_type;
 
 type ssh_keygen_t;
 type ssh_keygen_exec_t;
 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
 role system_r types ssh_keygen_t;
 
-type ssh_keysign_exec_t;
-application_executable_file(ssh_keysign_exec_t)
-
 type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
 
@@ -55,6 +45,252 @@ ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
 ')
 
+type ssh_t;
+type ssh_exec_t;
+typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
+typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
+application_domain(ssh_t, ssh_exec_t)
+ubac_constrained(ssh_t)
+
+type ssh_agent_exec_t;
+corecmd_executable_file(ssh_agent_exec_t)
+
+type ssh_agent_tmp_t;
+typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
+typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
+files_tmp_file(ssh_agent_tmp_t)
+ubac_constrained(ssh_agent_tmp_t)
+
+type ssh_keysign_t;
+type ssh_keysign_exec_t;
+typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
+typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
+application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ubac_constrained(ssh_keysign_t)
+
+type ssh_tmpfs_t;
+typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+files_tmpfs_file(ssh_tmpfs_t)
+ubac_constrained(ssh_tmpfs_t)
+
+type home_ssh_t;
+typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+files_type(home_ssh_t)
+userdom_user_home_content(home_ssh_t)
+
+##############################
+#
+# SSH client local policy
+#
+
+allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow ssh_t self:fd use;
+allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ssh_t self:shm create_shm_perms;
+allow ssh_t self:sem create_sem_perms;
+allow ssh_t self:msgq create_msgq_perms;
+allow ssh_t self:msg { send receive };
+allow ssh_t self:tcp_socket create_socket_perms;
+allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
+
+# Read the ssh key file.
+allow ssh_t sshd_key_t:file read_file_perms;
+
+# Access the ssh temporary files.
+allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+allow ssh_t sshd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+
+manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
+manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
+
+# Allow the ssh program to communicate with ssh-agent.
+stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+
+allow ssh_t sshd_t:unix_stream_socket connectto;
+
+# ssh client can manage the keys and config
+manage_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+read_lnk_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+
+# ssh servers can read the user keys and config
+allow ssh_server home_ssh_t:dir list_dir_perms;
+read_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
+read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
+
+kernel_read_kernel_sysctls(ssh_t)
+
+corenet_all_recvfrom_unlabeled(ssh_t)
+corenet_all_recvfrom_netlabel(ssh_t)
+corenet_tcp_sendrecv_all_if(ssh_t)
+corenet_tcp_sendrecv_all_nodes(ssh_t)
+corenet_tcp_sendrecv_all_ports(ssh_t)
+corenet_tcp_connect_ssh_port(ssh_t)
+corenet_sendrecv_ssh_client_packets(ssh_t)
+
+dev_read_urand(ssh_t)
+
+fs_getattr_all_fs(ssh_t)
+fs_search_auto_mountpoints(ssh_t)
+
+# run helper programs - needed eg for x11-ssh-askpass
+corecmd_exec_shell(ssh_t)
+corecmd_exec_bin(ssh_t)
+
+domain_use_interactive_fds(ssh_t)
+
+files_list_home(ssh_t)
+files_read_usr_files(ssh_t)
+files_read_etc_runtime_files(ssh_t)
+files_read_etc_files(ssh_t)
+files_read_var_files(ssh_t)
+
+logging_send_syslog_msg(ssh_t)
+logging_read_generic_logs(ssh_t)
+
+miscfiles_read_localization(ssh_t)
+
+seutil_read_config(ssh_t)
+
+sysnet_read_config(ssh_t)
+sysnet_dns_name_resolve(ssh_t)
+
+userdom_dontaudit_list_user_home_dirs(ssh_t)
+userdom_search_user_home_dirs(ssh_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(ssh_t)
+# needs to read krb tgt
+userdom_read_user_tmp_files(ssh_t)
+
+tunable_policy(`allow_ssh_keysign',`
+	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+	allow ssh_keysign_t ssh_t:fd use;
+	allow ssh_keysign_t ssh_t:process sigchld;
+	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+')
+
+tunable_policy(`read_default_t',`
+	files_list_default(ssh_t)
+	files_read_default_files(ssh_t)
+	files_read_default_symlinks(ssh_t)
+	files_read_default_sockets(ssh_t)
+	files_read_default_pipes(ssh_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(ssh_t)
+	fs_manage_nfs_files(ssh_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(ssh_t)
+	fs_manage_cifs_files(ssh_t)
+')
+
+# for port forwarding
+tunable_policy(`user_tcp_server',`
+	corenet_tcp_bind_ssh_port(ssh_t)
+')
+
+optional_policy(`
+	kerberos_use(ssh_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(ssh_t)
+')
+
+optional_policy(`
+	nscd_socket_use(ssh_t)
+')
+
+optional_policy(`
+	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+	xserver_domtrans_xauth(ssh_t)
+')
+
+########################################
+#
+# ssh_keygen local policy
+#
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
+kernel_read_kernel_sysctls(ssh_keygen_t)
+
+fs_search_auto_mountpoints(ssh_keygen_t)
+
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
+
+term_dontaudit_use_console(ssh_keygen_t)
+
+domain_use_interactive_fds(ssh_keygen_t)
+
+files_read_etc_files(ssh_keygen_t)
+
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
+
+logging_send_syslog_msg(ssh_keygen_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+optional_policy(`
+	nscd_socket_use(ssh_keygen_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+	udev_read_db(ssh_keygen_t)
+')
+
+##############################
+#
+# ssh_keysign_t local policy
+#
+
+tunable_policy(`allow_ssh_keysign',`
+	allow ssh_keysign_t self:capability { setgid setuid };
+	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
+	allow ssh_keysign_t sshd_key_t:file { getattr read };
+
+	dev_read_urand(ssh_keysign_t)
+
+	files_read_etc_files(ssh_keysign_t)
+')
+
+optional_policy(`
+	tunable_policy(`allow_ssh_keysign',`
+		nscd_socket_use(ssh_keysign_t)
+	')
+')
+
 #################################
 #
 # sshd local policy
@@ -74,6 +310,10 @@ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
+term_use_all_user_ptys(sshd_t)
+term_setattr_all_user_ptys(sshd_t)
+term_relabelto_all_user_ptys(sshd_t)
+
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -83,19 +323,11 @@ tunable_policy(`ssh_sysadm_login',`
 	# ioctl is necessary for logout() processing for utmp entry and for w to
 	# display the tty.
 	# some versions of sshd on the new SE Linux require setattr
-	term_use_all_user_ptys(sshd_t)
-	term_setattr_all_user_ptys(sshd_t)
-	term_relabelto_all_user_ptys(sshd_t)
-
 	userdom_spec_domtrans_all_users(sshd_t)
 	userdom_signal_all_users(sshd_t)
 ',`
 	userdom_spec_domtrans_unpriv_users(sshd_t)
 	userdom_signal_unpriv_users(sshd_t)
-
-	userdom_setattr_unpriv_users_ptys(sshd_t)
-	userdom_relabelto_unpriv_users_ptys(sshd_t)
-	userdom_use_unpriv_users_ptys(sshd_t)
 ')
 
 optional_policy(`
@@ -111,9 +343,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rssh_spec_domtrans_all_users(sshd_t)
+	rssh_spec_domtrans(sshd_t)
 	# For reading /home/user/.ssh
-	rssh_read_all_users_ro_content(sshd_t)
+	rssh_read_ro_content(sshd_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 4d32293..3a4e7b8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
 
-policy_module(stunnel, 1.7.0)
+policy_module(stunnel, 1.7.1)
 
 ########################################
 #
@@ -86,8 +86,7 @@ ifdef(`distro_gentoo', `
 	domain_use_interactive_fds(stunnel_t)
 
 	userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
-
-	sysadm_dontaudit_search_home_dirs(stunnel_t)
+	userdom_dontaudit_search_user_home_dirs(stunnel_t)
 
 	optional_policy(`
 		daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 6cc56c8..dbdd85a 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
 
-policy_module(sysstat, 1.3.0)
+policy_module(sysstat, 1.3.1)
 
 ########################################
 #
@@ -57,7 +57,7 @@ locallogin_use_fds(sysstat_t)
 
 miscfiles_read_localization(sysstat_t)
 
-sysadm_dontaudit_list_home_dirs(sysstat_t)
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
 
 optional_policy(`
 	cron_system_entry(sysstat_t, sysstat_exec_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 12c6a7b..cda45ef 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
 
-policy_module(telnet, 1.7.0)
+policy_module(telnet, 1.7.1)
 
 ########################################
 #
@@ -84,7 +84,7 @@ seutil_read_config(telnetd_t)
 
 remotelogin_domtrans(telnetd_t)
 
-userdom_search_unpriv_users_home_dirs(telnetd_t)
+userdom_search_user_home_dirs(telnetd_t)
 
 optional_policy(`
 	kerberos_use(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 154671d..67b736a 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
 
-policy_module(tftp, 1.9.0)
+policy_module(tftp, 1.9.1)
 
 ########################################
 #
@@ -87,8 +87,8 @@ miscfiles_read_localization(tftpd_t)
 miscfiles_read_public_files(tftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-sysadm_dontaudit_use_ttys(tftpd_t)
-sysadm_dontaudit_search_home_dirs(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
 
 tunable_policy(`tftp_anon_write',`
 	miscfiles_manage_public_files(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 344422a..8147f5a 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
 
-policy_module(timidity, 1.7.0)
+policy_module(timidity, 1.7.1)
 
 # Note: You only need this policy if you want to run timidity as a server
 
@@ -75,7 +75,7 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t)
 # stupid timidity won't start if it can't search its current directory.
 # allow this so /etc/init.d/alsasound start works from /root
 # cjp: this should be fixed if possible so this rule can be removed.
-sysadm_search_home_dirs(timidity_t)
+userdom_search_user_home_dirs(timidity_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(timidity_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index fa408a9..0599626 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
 
-policy_module(transproxy, 1.5.0)
+policy_module(transproxy, 1.5.1)
 
 ########################################
 #
@@ -55,8 +55,7 @@ miscfiles_read_localization(transproxy_t)
 sysnet_read_config(transproxy_t)
 
 userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-
-sysadm_dontaudit_search_home_dirs(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(transproxy_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 97a478c..86bdd42 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -1,5 +1,5 @@
 
-policy_module(uptime, 1.3.0)
+policy_module(uptime, 1.3.1)
 
 ########################################
 #
@@ -59,8 +59,7 @@ logging_send_syslog_msg(uptimed_t)
 miscfiles_read_localization(uptimed_t)
 
 userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
-
-sysadm_dontaudit_search_home_dirs(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
 
 optional_policy(`
 	mta_send_mail(uptimed_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 234cf68..34ffa8b 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
 
-policy_module(uwimap, 1.6.0)
+policy_module(uwimap, 1.6.1)
 
 ########################################
 #
@@ -74,9 +74,12 @@ sysnet_read_config(imapd_t)
 userdom_dontaudit_use_unpriv_user_fds(imapd_t)
 # cjp: this is excessive, should be limited to the
 # mail directories
-userdom_priveleged_home_dir_manager(imapd_t)
-
-sysadm_dontaudit_search_home_dirs(imapd_t)
+userdom_manage_user_home_content_dirs(imapd_t)
+userdom_manage_user_home_content_files(imapd_t)
+userdom_manage_user_home_content_symlinks(imapd_t)
+userdom_manage_user_home_content_pipes(imapd_t)
+userdom_manage_user_home_content_sockets(imapd_t)
+userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file })
 
 mta_rw_spool(imapd_t)
 
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 7c1c1b8..6aff9bd 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,5 +1,5 @@
 
-policy_module(virt, 1.0.0)
+policy_module(virt, 1.0.1)
 
 ########################################
 #
@@ -144,7 +144,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(virtd, virtd_t)
+	dbus_system_bus_client(virtd_t)
 
 	optional_policy(`
 		avahi_dbus_chat(virtd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 11c4d04..0ac9daa 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
 
-policy_module(watchdog, 1.5.0)
+policy_module(watchdog, 1.5.1)
 
 #################################
 #
@@ -87,8 +87,7 @@ miscfiles_read_localization(watchdog_t)
 sysnet_read_config(watchdog_t)
 
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-
-sysadm_dontaudit_search_home_dirs(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
 
 optional_policy(`
 	mta_send_mail(watchdog_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 0b49a20..025f9fa 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
 
-policy_module(xfs, 1.4.0)
+policy_module(xfs, 1.4.1)
 
 ########################################
 #
@@ -70,8 +70,7 @@ miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-
-sysadm_dontaudit_search_home_dirs(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
 
 xfs_exec(xfs_t)
 
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 7e39ac9..0a09bb0 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
 
-policy_module(xprint, 1.5.0)
+policy_module(xprint, 1.5.1)
 
 ########################################
 #
@@ -64,8 +64,7 @@ miscfiles_read_localization(xprint_t)
 sysnet_read_config(xprint_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xprint_t)
-
-sysadm_dontaudit_search_home_dirs(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
 
 optional_policy(`
 	cups_read_config(xprint_t)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 1c4a31d..df70a29 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,13 +1,13 @@
 #
 # HOME_DIR
 #
-HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
 # /dev
@@ -49,7 +49,7 @@ ifdef(`distro_redhat',`
 
 /tmp/\.ICE-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.ICE-unix/.*	-s	<<none>>
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index ffa2bd7..43f64fc 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1,518 +1,135 @@
 ## <summary>X Windows Server</summary>
 
-#######################################
-## <summary>
-##	Template to create types and rules common to
-##	all X server domains.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`xserver_common_domain_template',`
-	gen_require(`
-		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
-
-		attribute x_server_domain;
-		class x_drawable all_x_drawable_perms;
-		class x_colormap all_x_colormap_perms;
-		class x_screen all_x_screen_perms;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	attribute $1_x_domain;
-	attribute $1_input_xevent_type;
-
-	type $1_rootwindow_t, rootwindow_type;
-
-	type $1_xserver_t, x_server_domain;
-	domain_type($1_xserver_t)
-	domain_entry_file($1_xserver_t, xserver_exec_t)
-
-	type $1_xserver_tmp_t;
-	files_tmp_file($1_xserver_tmp_t)
-
-	type $1_xserver_tmpfs_t;
-	files_tmpfs_file($1_xserver_tmpfs_t)
-
-	##############################
-	#
-	# $1_xserver_t local policy
-	#
-
-	# setuid/setgid for the wrapper program to change UID
-	# sys_rawio is for iopl access - should not be needed for frame-buffer
-	# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
-	# admin of APM bios?
-	# sys_nice is so that the X server can set a negative nice value
-	# execheap needed until the X module loader is fixed.
-	# NVIDIA Needs execstack
-
-	allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-	dontaudit $1_xserver_t self:capability chown;
-	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_xserver_t self:memprotect mmap_zero;
-	allow $1_xserver_t self:fd use;
-	allow $1_xserver_t self:fifo_file rw_fifo_file_perms;
-	allow $1_xserver_t self:sock_file read_sock_file_perms;
-	allow $1_xserver_t self:shm create_shm_perms;
-	allow $1_xserver_t self:sem create_sem_perms;
-	allow $1_xserver_t self:msgq create_msgq_perms;
-	allow $1_xserver_t self:msg { send receive };
-	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
-	allow $1_xserver_t self:udp_socket create_socket_perms;
-
-	manage_dirs_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
-	manage_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
-	manage_sock_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
-	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
-
-	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-	ifdef(`enable_mls',`
-		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
-	')
-
-	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
-	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
-	manage_lnk_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
-	manage_fifo_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
-	manage_sock_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
-	fs_tmpfs_filetrans($1_xserver_t, $1_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-	manage_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t)
-	manage_lnk_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t)
-	files_search_var_lib($1_xserver_t)
-
-	# Create files in /var/log with the xserver_log_t type.
-	manage_files_pattern($1_xserver_t, xserver_log_t, xserver_log_t)
-	logging_log_filetrans($1_xserver_t, xserver_log_t, file)
-
-	# Labeling rules for default windows and colormaps
-	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
-	ifdef(`enable_mls',`
-		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
-	')
-
-	kernel_read_system_state($1_xserver_t)
-	kernel_read_device_sysctls($1_xserver_t)
-	kernel_read_modprobe_sysctls($1_xserver_t)
-	# Xorg wants to check if kernel is tainted
-	kernel_read_kernel_sysctls($1_xserver_t)
-	kernel_write_proc_files($1_xserver_t)
-
-	# Run helper programs in $1_xserver_t.
-	corecmd_exec_bin($1_xserver_t)
-	corecmd_exec_shell($1_xserver_t)
-
-	corenet_all_recvfrom_unlabeled($1_xserver_t)
-	corenet_all_recvfrom_netlabel($1_xserver_t)
-	corenet_tcp_sendrecv_generic_if($1_xserver_t)
-	corenet_udp_sendrecv_generic_if($1_xserver_t)
-	corenet_tcp_sendrecv_all_nodes($1_xserver_t)
-	corenet_udp_sendrecv_all_nodes($1_xserver_t)
-	corenet_tcp_sendrecv_all_ports($1_xserver_t)
-	corenet_udp_sendrecv_all_ports($1_xserver_t)
-	corenet_tcp_bind_all_nodes($1_xserver_t)
-	corenet_tcp_bind_xserver_port($1_xserver_t)
-	corenet_tcp_connect_all_ports($1_xserver_t)
-	corenet_sendrecv_xserver_server_packets($1_xserver_t)
-	corenet_sendrecv_all_client_packets($1_xserver_t)
-
-	dev_rw_sysfs($1_xserver_t)
-	dev_rw_mouse($1_xserver_t)
-	dev_rw_mtrr($1_xserver_t)
-	dev_rw_apm_bios($1_xserver_t)
-	dev_rw_agp($1_xserver_t)
-	dev_rw_framebuffer($1_xserver_t)
-	dev_manage_dri_dev($1_xserver_t)
-	dev_create_generic_dirs($1_xserver_t)
-	dev_setattr_generic_dirs($1_xserver_t)
-	# raw memory access is needed if not using the frame buffer
-	dev_read_raw_memory($1_xserver_t)
-	dev_wx_raw_memory($1_xserver_t)
-	# for other device nodes such as the NVidia binary-only driver
-	dev_rw_xserver_misc($1_xserver_t)
-	# read events - the synaptics touchpad driver reads raw events
-	dev_rw_input_dev($1_xserver_t)
-	dev_rwx_zero($1_xserver_t)
-
-	domain_mmap_low($1_xserver_t)
-
-	files_read_etc_files($1_xserver_t)
-	files_read_etc_runtime_files($1_xserver_t)
-	files_read_usr_files($1_xserver_t)
-
-	# brought on by rhgb
-	files_search_mnt($1_xserver_t)
-	# for nscd
-	files_dontaudit_search_pids($1_xserver_t)
-
-	fs_getattr_xattr_fs($1_xserver_t)
-	fs_search_nfs($1_xserver_t)
-	fs_search_auto_mountpoints($1_xserver_t)
-	fs_search_ramfs($1_xserver_t)
-
-	selinux_validate_context($1_xserver_t)
-	selinux_compute_access_vector($1_xserver_t)
-	selinux_compute_create_context($1_xserver_t)
-
-	auth_use_nsswitch($1_xserver_t)
-
-	init_getpgid($1_xserver_t)
-
-	term_setattr_unallocated_ttys($1_xserver_t)
-	term_use_unallocated_ttys($1_xserver_t)
-
-	logging_send_syslog_msg($1_xserver_t)
-	logging_send_audit_msgs($1_xserver_t)
-
-	miscfiles_read_localization($1_xserver_t)
-	miscfiles_read_fonts($1_xserver_t)
-
-	modutils_domtrans_insmod($1_xserver_t)
-
-	# read x_contexts
-	seutil_read_default_contexts($1_xserver_t)
-
-	ifndef(`distro_redhat',`
-		allow $1_xserver_t self:process { execmem execheap execstack };
-	')
-
-	ifdef(`distro_rhel4',`
-		allow $1_xserver_t self:process { execmem execheap execstack };
-	')
-
-	tunable_policy(`!xserver_object_manager',`
-		# should be xserver_unconfined($1_xserver_t),
-		# but typeattribute doesnt work in conditionals
-		gen_require(`
-			attribute x_server_domain, x_domain;
-			attribute xproperty_type, xselection_type;
-			attribute xextension_type, xevent_type;
-			attribute rootwindow_type;
-
-			type remote_xclient_t;
-		')
-		allow $1_xserver_t x_server_domain:x_server *;
-		allow $1_xserver_t { x_domain rootwindow_type }:x_drawable *;
-		allow $1_xserver_t x_server_domain:x_screen *;
-		allow $1_xserver_t x_domain:x_gc *;
-		allow $1_xserver_t { x_domain rootwindow_type }:x_colormap *;
-		allow $1_xserver_t xproperty_type:x_property *;
-		allow $1_xserver_t xselection_type:x_selection *;
-		allow $1_xserver_t x_domain:x_cursor *;
-		allow $1_xserver_t { x_domain remote_xclient_t }:x_client *;
-		allow $1_xserver_t { x_domain x_server_domain }:x_device *;
-		allow $1_xserver_t xextension_type:x_extension *;
-		allow $1_xserver_t { x_domain x_server_domain }:x_resource *;
-		allow $1_xserver_t xevent_type:{ x_event x_synthetic_event } *;
-	')
-
-	optional_policy(`
-		apm_stream_connect($1_xserver_t)
-	')
-
-	optional_policy(`
-		auth_search_pam_console_data($1_xserver_t)
-	')
-
-	optional_policy(`
-		rhgb_getpgid($1_xserver_t)
-		rhgb_signal($1_xserver_t)
-	')
-
-	optional_policy(`
-		xfs_stream_connect($1_xserver_t)
-	')
-')
-
-#######################################
+########################################
 ## <summary>
-##	The per role template for the xserver module.
+##	Rules required for using the X Windows server
+##	and environment.
 ## </summary>
-## <desc>
-##	<p>
-##	Define a derived domain for the X server when executed
-##	by a user domain (e.g. via startx).  See the xdm module
-##	if using an X Display Manager.
-##	</p>
-##	<p>
-##	This is invoked automatically for each user and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access.
 ##	</summary>
 ## </param>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`xserver_per_role_template',`
-
+interface(`xserver_role',`
 	gen_require(`
-		type iceauth_exec_t, xauth_exec_t;
-		attribute fonts_type, fonts_cache_type, fonts_config_type;
-	')
-
-	##############################
-	#
-	# Declarations
-	#
-
-	xserver_common_domain_template($1)
-	role $3 types $1_xserver_t;
-
-	type $1_fonts_t, fonts_type;
-	userdom_user_home_content($1, $1_fonts_t)
-
-	type $1_fonts_cache_t, fonts_cache_type;
-	userdom_user_home_content($1, $1_fonts_cache_t)
+		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type iceauth_t, iceauth_exec_t, iceauth_home_t;
+		type xauth_t, xauth_exec_t, xauth_home_t;
 
-	type $1_fonts_config_t, fonts_config_type;
-	userdom_user_home_content($1, $1_fonts_cache_t)
+		type info_xproperty_t, rootwindow_t;
 
-	type $1_iceauth_t;
-	domain_type($1_iceauth_t)
-	domain_entry_file($1_iceauth_t, iceauth_exec_t)
-	role $3 types $1_iceauth_t;
-
-	type $1_iceauth_home_t alias $1_iceauth_rw_t;
-	files_poly_member($1_iceauth_home_t)
-	userdom_user_home_content($1, $1_iceauth_home_t)
-
-	type $1_xauth_t;
-	domain_type($1_xauth_t)
-	domain_entry_file($1_xauth_t, xauth_exec_t)
-	role $3 types $1_xauth_t;
-
-	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
-	files_poly_member($1_xauth_home_t)
-	userdom_user_home_content($1, $1_xauth_home_t)
-
-	type $1_xauth_tmp_t;
-	files_tmp_file($1_xauth_tmp_t)
-
-	##############################
-	#
-	# $1_xserver_t Local policy
-	#
-
-	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+		class x_drawable all_x_drawable_perms;
+		class x_screen all_x_screen_perms;
+		class x_gc all_x_gc_perms;
+		class x_font all_x_font_perms;
+		class x_colormap all_x_colormap_perms;
+		class x_property all_x_property_perms;
+		class x_selection all_x_selection_perms;
+		class x_cursor all_x_cursor_perms;
+		class x_client all_x_client_perms;
+		class x_device all_x_device_perms;
+		class x_server all_x_server_perms;
+		class x_extension all_x_extension_perms;
+		class x_resource all_x_resource_perms;
+		class x_event all_x_event_perms;
+		class x_synthetic_event all_x_synthetic_event_perms;
+	')
 
-	allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
+	role $1 types { xserver_t xauth_t iceauth_t };
 
-	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
-	allow $1_xserver_t $2:process signal;
+	domtrans_pattern($2, xserver_exec_t, xserver_t)
+	allow xserver_t $2:process signal;
 
-	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow xserver_t $2:shm rw_shm_perms;
 
-	manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
-	manage_files_pattern($2, $1_fonts_t, $1_fonts_t)
-	relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
-	relabel_files_pattern($2, $1_fonts_t, $1_fonts_t)
+	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+	manage_files_pattern($2, user_fonts_t, user_fonts_t)
+	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
 
-	manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
-	manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
-	relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
+	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 
-	# For startup relabel
-	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
-	stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
+	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
 
-	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	allow $2 xserver_tmpfs_t:file rw_file_perms;
 
 	# Communicate via System V shared memory.
-	allow $1_xserver_t $2:shm rw_shm_perms;
-	allow $2 $1_xserver_t:shm rw_shm_perms;
-
-	getty_use_fds($1_xserver_t)
-
-	locallogin_use_fds($1_xserver_t)
-
-	userdom_search_user_home_dirs($1, $1_xserver_t)
-	userdom_use_user_ttys($1, $1_xserver_t)
-	userdom_setattr_user_ttys($1, $1_xserver_t)
-	userdom_rw_user_tmpfs_files($1, $1_xserver_t)
-
-	xserver_use_user_fonts($1, $1_xserver_t)
-	xserver_rw_xdm_tmp_files($1_xauth_t)
-
-	optional_policy(`
-		userhelper_search_config($1_xserver_t)
-	')
-
-	ifdef(`TODO',`
-	ifdef(`xdm.te', `
-		allow $1_t xdm_tmp_t:sock_file unlink;
-		allow $1_xserver_t xdm_var_run_t:dir search;
-	')
-	') dnl end TODO
-
-	##############################
-	#
-	# $1_xauth_t Local policy
-	#
+	allow xserver_t $2:shm rw_shm_perms;
+	allow $2 xserver_t:shm rw_shm_perms;
 
-	allow $1_xauth_t self:process signal;
-	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+	# allow ps to show iceauth
+	ps_process_pattern($2, iceauth_t)
 
-	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
+	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
 
-	manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
-	manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
-	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+	allow $2 iceauth_home_t:file manage_file_perms;
+	allow $2 iceauth_home_t:file { relabelfrom relabelto };
 
-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+	domtrans_pattern($2, xauth_exec_t, xauth_t)
 
-	allow $2 $1_xauth_t:process signal;
+	allow $2 xauth_t:process signal;
 
 	# allow ps to show xauth
-	ps_process_pattern($2,$1_xauth_t)
-
-	allow $2 $1_xauth_home_t:file manage_file_perms;
-	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file)
-
-	domain_use_interactive_fds($1_xauth_t)
-
-	files_read_etc_files($1_xauth_t)
-	files_search_pids($1_xauth_t)
-
-	fs_getattr_xattr_fs($1_xauth_t)
-	fs_search_auto_mountpoints($1_xauth_t)
+	ps_process_pattern($2,xauth_t)
 
-	# cjp: why?
-	term_use_ptmx($1_xauth_t)
+	allow $2 xauth_home_t:file manage_file_perms;
+	allow $2 xauth_home_t:file { relabelfrom relabelto };
 
-	auth_use_nsswitch($1_xauth_t)
-
-	userdom_use_user_terminals($1, $1_xauth_t)
-	userdom_read_user_tmp_files($1, $1_xauth_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_xauth_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_xauth_t)
-	')
-
-	optional_policy(`
-		ssh_sigchld($1_xauth_t)
-		ssh_read_pipes($1_xauth_t)
-		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
-	')
-
-	##############################
-	#
-	# $1_iceauth_t Local policy
-	#
-
-	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
-
-	allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
-	userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file)
-
-	# allow ps to show iceauth
-	ps_process_pattern($2, $1_iceauth_t)
-
-	allow $2 $1_iceauth_home_t:file manage_file_perms;
-	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
-
-	allow xdm_t $1_iceauth_home_t:file read_file_perms;
-
-	fs_search_auto_mountpoints($1_iceauth_t)
-
-	userdom_use_user_terminals($1, $1_iceauth_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_files($1_iceauth_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_files($1_iceauth_t)
-	')
+	xserver_common_x_domain_template(user, $2)
 
 	##############################
 	#
 	# User X object manager local policy
 	#
 
-	# Device rules
-	allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
-
-	allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
-	allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
-
 	# manage: xhost X11:ChangeHosts
 	# freeze: metacity X11:GrabKey
 	# force_cursor: metacity X11:GrabPointer
-	allow $2 $1_xserver_t:x_device { manage freeze force_cursor };
+	allow $2 xserver_t:x_device { manage freeze force_cursor };
 
 	# gnome-settings-daemon XKEYBOARD:SetControls
-	allow $2 $1_xserver_t:x_server manage;
+	allow $2 xserver_t:x_server manage;
 
 	# gnome-settings-daemon RANDR:SelectInput
-	allow $2 $1_xserver_t:x_resource write;
+	allow $2 xserver_t:x_resource write;
 
 	# metacity X11:InstallColormap X11:UninstallColormap
-	allow $2 $1_rootwindow_t:x_colormap { install uninstall };
+	allow $2 rootwindow_t:x_colormap { install uninstall };
 
 	# read: gnome-settings-daemon RANDR:GetScreenSizeRange
 	# write: gnome-settings-daemon RANDR:SelectInput
 	# setattr: gnome-settings-daemon X11:GrabKey
 	# manage: metacity X11:ChangeWindowAttributes
-	allow $2 $1_rootwindow_t:x_drawable { read write manage setattr };
+	allow $2 rootwindow_t:x_drawable { read write manage setattr };
 
 	# setattr: metacity X11:InstallColormap
-	allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr };
+	allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
 
 	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
-	allow $2 info_xproperty_t:x_property { create write append };
-
-	mls_xwin_read_to_clearance($1_xserver_t)
-
-	xserver_common_x_domain_template($1, $1, $2)
+	allow $2 info_xproperty_t:x_property { create append write };
 ')
 
 #######################################
 ## <summary>
-##	Template for creating sessions on a
-##	prefix X server, with read-only
+##	Create sessions on the X server, with read-only
 ##	access to the X server shared
 ##	memory segments.
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -524,42 +141,35 @@ template(`xserver_per_role_template',`
 ##	</summary>
 ## </param>
 #
-template(`xserver_ro_session_template',`
+interface(`xserver_ro_session',`
 	gen_require(`
-		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+		type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
 	')
 
 	# Xserver read/write client shm
-	allow $1_xserver_t $2:fd use;
-	allow $1_xserver_t $2:shm rw_shm_perms;
-	allow $1_xserver_t $3:file rw_file_perms;
+	allow xserver_t $1:fd use;
+	allow xserver_t $1:shm rw_shm_perms;
+	allow xserver_t $2:file rw_file_perms;
 
 	# Connect to xserver
-	allow $2 $1_xserver_t:unix_stream_socket connectto;
-	allow $2 $1_xserver_t:process signal;
+	allow $1 xserver_t:unix_stream_socket connectto;
+	allow $1 xserver_t:process signal;
 
 	# Read /tmp/.X0-lock
-	allow $2 $1_xserver_tmp_t:file read_file_perms;
+	allow $1 xserver_tmp_t:file { getattr read };
 
 	# Client read xserver shm
-	allow $2 $1_xserver_t:fd use;
-	allow $2 $1_xserver_t:shm r_shm_perms;
-	allow $2 $1_xserver_tmpfs_t:file read_file_perms;
+	allow $1 xserver_t:fd use;
+	allow $1 xserver_t:shm r_shm_perms;
+	allow $1 xserver_tmpfs_t:file read_file_perms;
 ')
 
 #######################################
 ## <summary>
-##	Template for creating sessions on a
-##	prefix X server, with read and write
+##	Create sessions on the X server, with read and write
 ##	access to the X server shared
 ##	memory segments.
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -571,27 +181,21 @@ template(`xserver_ro_session_template',`
 ##	</summary>
 ## </param>
 #
-template(`xserver_rw_session_template',`
+interface(`xserver_rw_session',`
 	gen_require(`
-		type $1_xserver_t, $1_xserver_tmpfs_t;
+		type xserver_t, xserver_tmpfs_t;
 	')
 
-	xserver_ro_session_template($1, $2, $3)
-	allow $2 $1_xserver_t:shm rw_shm_perms;
-	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	xserver_ro_session($1,$2)
+	allow $1 xserver_t:shm rw_shm_perms;
+	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
 
 #######################################
 ## <summary>
-##	Template for creating full client sessions
+##	Create full client sessions
 ##	on a user X server.
 ## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -603,47 +207,46 @@ template(`xserver_rw_session_template',`
 ##	</summary>
 ## </param>
 #
-template(`xserver_user_client_template',`
+interface(`xserver_user_client',`
 #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
-	allow $2 self:shm create_shm_perms;
-	allow $2 self:unix_dgram_socket create_socket_perms;
-	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+	allow $1 self:shm create_shm_perms;
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file read_file_perms;
-	allow $2 $1_iceauth_home_t:file read_file_perms;
+	allow $1 xauth_home_t:file { getattr read };
+	allow $1 iceauth_home_t:file { getattr read };
 
 	# for when /tmp/.X11-unix is created by the system
-	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
-	allow $2 xdm_tmp_t:dir search;
-	allow $2 xdm_tmp_t:sock_file { read write };
-	dontaudit $2 xdm_t:tcp_socket { read write };
+	allow $1 xdm_t:fd use;
+	allow $1 xdm_t:fifo_file { getattr read write ioctl };
+	allow $1 xdm_tmp_t:dir search;
+	allow $1 xdm_tmp_t:sock_file { read write };
+	dontaudit $1 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
-	files_search_tmp($2)
+	files_search_tmp($1)
 
-	miscfiles_read_fonts($2)
+	miscfiles_read_fonts($1)
 
-	userdom_search_user_home_dirs($1, $2)
+	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1, $2)
+	userdom_dontaudit_write_user_home_content_files($1)
 
-	xserver_ro_session_template(xdm, $2, $3)
-	xserver_rw_session_template($1, $2, $3)
-	xserver_use_user_fonts($1, $2)
+	xserver_ro_session($1,$2)
+	xserver_use_user_fonts($1)
 
-	xserver_read_xdm_tmp_files($2)
+	xserver_read_xdm_tmp_files($1)
 
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
-		allow $2 $1_xserver_t:shm rw_shm_perms;
-		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+		allow $1 xserver_t:shm rw_shm_perms;
+		allow $1 xserver_tmpfs_t:file rw_file_perms;
 	')
 ')
 
@@ -653,12 +256,6 @@ template(`xserver_user_client_template',`
 ##	an X client domain.  Provides the minimal set required by a basic
 ##	X client application.
 ## </summary>
-## <param name="user">
-##	<summary>
-##	The prefix of the X server domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the X client domain (e.g., user
@@ -673,176 +270,104 @@ template(`xserver_user_client_template',`
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
-		type $1_rootwindow_t, std_xext_t, shmem_xext_t;
-		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
+		type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t;
+		type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t;
+		type $1_client_xevent_t;
+
+		type rootwindow_t, xproperty_t;
 		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
 		type xevent_t, client_xevent_t;
-		type clipboard_xselection_t, xselection_t;
 
-		attribute x_server_domain, x_domain;
+		attribute x_domain;
 		attribute xproperty_type;
-		attribute xevent_type, xextension_type;
-		attribute $1_x_domain, $1_input_xevent_type;
+		attribute xevent_type;
+		attribute input_xevent_type;
 
 		class x_drawable all_x_drawable_perms;
-		class x_screen all_x_screen_perms;
-		class x_gc all_x_gc_perms;
-		class x_font all_x_font_perms;
-		class x_colormap all_x_colormap_perms;
 		class x_property all_x_property_perms;
-		class x_selection all_x_selection_perms;
-		class x_cursor all_x_cursor_perms;	
-		class x_client all_x_client_perms;
-		class x_device all_x_device_perms;
-		class x_server all_x_server_perms;
-		class x_extension all_x_extension_perms;
-		class x_resource all_x_resource_perms;
 		class x_event all_x_event_perms;
 		class x_synthetic_event all_x_synthetic_event_perms;
 	')
 
 	##############################
 	#
-	# Declarations
+	# Local Policy
 	#
 
 	# Type attributes
-	typeattribute $3 $1_x_domain, x_domain;
+	typeattribute $2 x_domain;
 
-	# Types for properties
-	type $2_xproperty_t alias $2_default_xproperty_t, xproperty_type;
+	# X Properties
+	# can read and write client properties
+	allow $2 $1_xproperty_t:x_property { create destroy read write append };
+	type_transition $2 xproperty_t:x_property $1_xproperty_t;
 
-	# Types for events
-	type $2_input_xevent_t, $1_input_xevent_type, xevent_type;
-	type $2_property_xevent_t, xevent_type;
-	type $2_focus_xevent_t, xevent_type;
-	type $2_manage_xevent_t, xevent_type;
-	type $2_default_xevent_t, xevent_type;
-	type $2_client_xevent_t, xevent_type;
+	# X Windows
+	# new windows have the domain type
+	type_transition $2 rootwindow_t:x_drawable $2;
+
+	# X Input
+	# can receive own events
+	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive;
+	allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive;
+	type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
+	type_transition $2 property_xevent_t:x_event $1_property_xevent_t;
+	type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t;
+	type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
+	type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
+	type_transition $2 xevent_t:x_event $1_default_xevent_t;
+	# can send ICCCM events to myself
+	allow $2 $1_manage_xevent_t:x_synthetic_event send;
+')
+
+#######################################
+## <summary>
+##	Template for creating the set of types used
+##	in an X windows domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the X client domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`xserver_object_types_template',`
+	gen_require(`
+		attribute xproperty_type, input_xevent_type, xevent_type;
+	')
 
 	##############################
 	#
-	# Local Policy
+	# Declarations
 	#
 
-	# Hacks
-	# everyone can get the input focus of everyone else
-	# this is a fundamental brokenness in the X protocol
-	allow $3 { x_domain x_server_domain }:x_device getfocus;
-	# everyone can grab the server
-	# everyone does it, it is basically a free DOS attack
-	allow $3 x_server_domain:x_server grab;
-	# everyone can get the font path, etc.
-	# this could leak out sensitive information
-	allow $3 x_server_domain:x_server getattr;
-	# everyone can do override-redirect windows.
-	# this could be used to spoof labels
-	allow $3 self:x_drawable override;
-	# everyone can receive management events on the root window
-	# allows to know when new windows appear, among other things
-	allow $3 manage_xevent_t:x_event receive;
-
-	# X Server
-	# can read server-owned resources
-	allow $3 x_server_domain:x_resource read;
-	# can mess with own clients
-	allow $3 self:x_client { manage destroy };
-
-	# X Protocol Extensions
-	allow $3 std_xext_t:x_extension { query use };
-	allow $3 shmem_xext_t:x_extension { query use };
-	dontaudit $3 xextension_type:x_extension { query use };
+	# Types for properties
+	type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type;
+	ubac_constrained($1_xproperty_t)
 
-	# X Properties
-	# can read and write client properties
-	allow $3 $2_xproperty_t:x_property { create destroy read write append };
-	type_transition $3 xproperty_t:x_property $2_xproperty_t;
-	# can read and write cut buffers
-	allow $3 clipboard_xproperty_t:x_property { create read write append };
-	# can read info properties
-	allow $3 info_xproperty_t:x_property read;
-	# can change properties of root window
-	allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
-	# can change properties of own windows
-	allow $3 self:x_drawable { list_property get_property set_property };
+	# Types for events
+	type $1_input_xevent_t, input_xevent_type, xevent_type;
+	ubac_constrained($1_input_xevent_t)
 
-	# X Windows
-	# operations allowed on root windows
-	allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
-	# operations allowed on my windows
-	allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-	type_transition $3 $1_rootwindow_t:x_drawable $3;
+	type $1_property_xevent_t, xevent_type;
+	ubac_constrained($1_property_xevent_t)
 
-	# X Colormaps
-	# can use the default colormap
-	allow $3 $1_rootwindow_t:x_colormap { read use add_color };
+	type $1_focus_xevent_t, xevent_type;
+	ubac_constrained($1_focus_xevent_t)
 
-	# X Input
-	# can receive own events
-	allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive;
-	allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } receive;
-	type_transition $3 input_xevent_t:x_event $2_input_xevent_t;
-	type_transition $3 property_xevent_t:x_event $2_property_xevent_t;
-	type_transition $3 focus_xevent_t:x_event $2_focus_xevent_t;
-	type_transition $3 manage_xevent_t:x_event $2_manage_xevent_t;
-	type_transition $3 client_xevent_t:x_event $2_client_xevent_t;
-	type_transition $3 xevent_t:x_event $2_default_xevent_t;
-	# can receive certain root window events
-	allow $3 focus_xevent_t:x_event receive;
-	allow $3 property_xevent_t:x_event receive;
-	allow $3 client_xevent_t:x_synthetic_event receive;
-	allow $3 manage_xevent_t:x_synthetic_event receive;
-	# can send ICCCM events to myself
-	allow $3 $2_manage_xevent_t:x_synthetic_event send;
-	# can send ICCCM events to the root window
-	allow $3 manage_xevent_t:x_synthetic_event send;
-	allow $3 client_xevent_t:x_synthetic_event send;
-
-	# X Selections
-	# can use the clipboard
-	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-	# can query all other selections
-	allow $3 xselection_t:x_selection { getattr read };
-
-	# Other X Objects
-	# can create and use cursors
-	allow $3 self:x_cursor *;
-	# can create and use graphics contexts
-	allow $3 self:x_gc *;
-	# can create and use colormaps
-	allow $3 self:x_colormap *;
-	# can read and write own objects
-	allow $3 self:x_resource { read write };
-
-	tunable_policy(`! xserver_object_manager',`
-		# should be xserver_unconfined($3),
-		# but typeattribute doesnt work in conditionals
-		gen_require(`
-			attribute x_server_domain, x_domain;
-			attribute xproperty_type, xselection_type;
-			attribute xextension_type, xevent_type;
-			attribute rootwindow_type;
-
-			type remote_xclient_t;
-		')
-		allow $3 x_server_domain:x_server *;
-		allow $3 { x_domain rootwindow_type }:x_drawable *;
-		allow $3 x_server_domain:x_screen *;
-		allow $3 x_domain:x_gc *;
-		allow $3 { x_domain rootwindow_type }:x_colormap *;
-		allow $3 xproperty_type:x_property *;
-		allow $3 xselection_type:x_selection *;
-		allow $3 x_domain:x_cursor *;
-		allow $3 { x_domain remote_xclient_t }:x_client *;
-		allow $3 { x_domain x_server_domain }:x_device *;
-		allow $3 xextension_type:x_extension *;
-		allow $3 { x_domain x_server_domain }:x_resource *;
-		allow $3 xevent_type:{ x_event x_synthetic_event } *;
-	')
+	type $1_manage_xevent_t, xevent_type;
+	ubac_constrained($1_manage_xevent_t)
+
+	type $1_default_xevent_t, xevent_type;
+	ubac_constrained($1_default_xevent_t)
+
+	type $1_client_xevent_t, xevent_type;
+	ubac_constrained($1_client_xevent_t)
 ')
 
 #######################################
@@ -851,12 +376,6 @@ template(`xserver_common_x_domain_template',`
 ##	an X client domain.  Provides the minimal set required by a basic
 ##	X client application.
 ## </summary>
-## <param name="user">
-##	<summary>
-##	The prefix of the X server domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the X client domain (e.g., user
@@ -877,46 +396,46 @@ template(`xserver_common_x_domain_template',`
 template(`xserver_user_x_domain_template',`
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
-		type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 	')
 
-	allow $3 self:shm create_shm_perms;
-	allow $3 self:unix_dgram_socket create_socket_perms;
-	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
+	allow $2 self:shm create_shm_perms;
+	allow $2 self:unix_dgram_socket create_socket_perms;
+	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $3 $1_xauth_home_t:file read_file_perms;
-	allow $3 $1_iceauth_home_t:file read_file_perms;
+	allow $2 xauth_home_t:file read_file_perms;
+	allow $2 iceauth_home_t:file read_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
-	allow $3 xdm_t:fd use;
-	allow $3 xdm_t:fifo_file { getattr read write ioctl };
-	allow $3 xdm_tmp_t:dir search_dir_perms;
-	allow $3 xdm_tmp_t:sock_file { read write };
-	dontaudit $3 xdm_t:tcp_socket { read write };
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search_dir_perms;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
-	files_search_tmp($3)
+	files_search_tmp($2)
 
-	miscfiles_read_fonts($3)
+	miscfiles_read_fonts($2)
 
-	userdom_search_user_home_dirs($1, $3)
+	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1, $3)
+	userdom_dontaudit_write_user_home_content_files($2)
 
-	xserver_ro_session_template(xdm, $3, $4)
-	xserver_rw_session_template($1, $3, $4)
-	xserver_use_user_fonts($1, $3)
+	xserver_ro_session($2,$3)
+	xserver_use_user_fonts($2)
 
-	xserver_read_xdm_tmp_files($3)
+	xserver_read_xdm_tmp_files($2)
 
 	# X object manager
-	xserver_common_x_domain_template($1, $2, $3)
+	xserver_object_types_template($1)
+	xserver_common_x_domain_template($1,$2)
 
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
-		allow $3 $1_xserver_t:shm rw_shm_perms;
-		allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
+		allow $2 xserver_t:shm rw_shm_perms;
+		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
 ')
 
@@ -935,102 +454,66 @@ template(`xserver_user_x_domain_template',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`xserver_use_user_fonts',`
+interface(`xserver_use_user_fonts',`
 	gen_require(`
-		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
 	')
 
 	# Read per user fonts
-	allow $2 $1_fonts_t:dir list_dir_perms;
-	allow $2 $1_fonts_t:file read_file_perms;
+	allow $1 user_fonts_t:dir list_dir_perms;
+	allow $1 user_fonts_t:file read_file_perms;
 
 	# Manipulate the global font cache
-	manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
-	manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
+	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
 
 	# Read per user font config
-	allow $2 $1_fonts_config_t:dir list_dir_perms;
-	allow $2 $1_fonts_config_t:file read_file_perms;
+	allow $1 user_fonts_config_t:dir list_dir_perms;
+	allow $1 user_fonts_config_t:file read_file_perms;
 
-	userdom_search_user_home_dirs($1, $2)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Transition to a user Xauthority domain.
+##	Transition to the Xauthority domain.
 ## </summary>
-## <desc>
-##	<p>
-##	Transition to a user Xauthority domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`xserver_domtrans_user_xauth',`
+interface(`xserver_domtrans_xauth',`
 	gen_require(`
-		type $1_xauth_t, xauth_exec_t;
+		type xauth_t, xauth_exec_t;
 	')
 
-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+	domtrans_pattern($1, xauth_exec_t, xauth_t)
 ')
 
 ########################################
 ## <summary>
-##	Transition to a user Xauthority domain.
+##	Create a Xauthority file in the user home directory.
 ## </summary>
-## <desc>
-##	<p>
-##	Transition to a user Xauthority domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`xserver_user_home_dir_filetrans_user_xauth',`
+interface(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
-		type $1_xauth_home_t;
+		type xauth_home_t;
 	')
 
-	userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+	userdom_user_home_dir_filetrans($1, xauth_home_t, file)
 ')
 
 ########################################
@@ -1045,23 +528,8 @@ template(`xserver_user_home_dir_filetrans_user_xauth',`
 ## </param>
 #
 interface(`xserver_use_all_users_fonts',`
-	gen_require(`
-		attribute fonts_type, fonts_cache_type, fonts_config_type;
-	')
-
-	# Read per user fonts
-	allow $1 fonts_type:dir list_dir_perms;
-	allow $1 fonts_type:file read_file_perms;
-
-	# Manipulate the global font cache
-	manage_dirs_pattern($1, fonts_cache_type, fonts_cache_type)
-	manage_files_pattern($1, fonts_cache_type, fonts_cache_type)
-
-	# Read per user font config
-	allow $1 fonts_config_type:dir list_dir_perms;
-	allow $1 fonts_config_type:file read_file_perms;
-
-	userdom_search_all_users_home_dirs($1)
+	refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
+	xserver_use_user_fonts($1)
 ')
 
 ########################################
@@ -1074,13 +542,13 @@ interface(`xserver_use_all_users_fonts',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_read_all_users_xauth',`
+interface(`xserver_read_user_xauth',`
 	gen_require(`
-		attribute xauth_home_type;
+		type xauth_home_t;
 	')
 
-	allow $1 xauth_home_type:file read_file_perms;
-	userdom_search_all_users_home_dirs($1)
+	allow $1 xauth_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
@@ -1311,25 +779,6 @@ interface(`xserver_read_xdm_lib_files',`
 
 ########################################
 ## <summary>
-##	Execute the X server in the XDM X server domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_domtrans_xdm_xserver',`
-	gen_require(`
-		type xdm_xserver_t, xserver_exec_t;
-	')
-
- 	allow $1 xdm_xserver_t:process siginh;
-	domtrans_pattern($1, xserver_exec_t, xdm_xserver_t)
-')
-
-########################################
-## <summary>
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
@@ -1474,24 +923,6 @@ interface(`xserver_read_xkb_libs',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_read_xdm_xserver_tmp_files',`
-	gen_require(`
-		type xdm_xserver_tmp_t;
-	')
-
-	allow $1 xdm_xserver_tmp_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Read xdm temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
 interface(`xserver_read_xdm_tmp_files',`
 	gen_require(`
 		type xdm_tmp_t;
@@ -1577,7 +1008,26 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 
 ########################################
 ## <summary>
-##	Signal XDM X servers
+##	Execute the X server in the X server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_domtrans',`
+	gen_require(`
+		type xserver_t, xserver_exec_t;
+	')
+
+ 	allow $1 xserver_t:process siginh;
+	domtrans_pattern($1, xserver_exec_t, xserver_t)
+')
+
+########################################
+## <summary>
+##	Signal X servers
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1585,17 +1035,17 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_signal_xdm_xserver',`
+interface(`xserver_signal',`
 	gen_require(`
-		type xdm_xserver_t;
+		type xserver_t;
 	')
 
-	allow $1 xdm_xserver_t:process signal;
+	allow $1 xserver_t:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Kill XDM X servers
+##	Kill X servers
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1603,18 +1053,37 @@ interface(`xserver_signal_xdm_xserver',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_kill_xdm_xserver',`
+interface(`xserver_kill',`
+	gen_require(`
+		type xserver_t;
+	')
+
+	allow $1 xserver_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Read and write X server Sys V Shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_shm',`
 	gen_require(`
-		type xdm_xserver_t;
+		type xserver_t;
 	')
 
-	allow $1 xdm_xserver_t:process sigkill;
+	allow $1 xserver_t:shm rw_shm_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write to
-##	a XDM X server socket.
+##	X server sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1622,17 +1091,17 @@ interface(`xserver_kill_xdm_xserver',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
+interface(`xserver_dontaudit_rw_tcp_sockets',`
 	gen_require(`
-		type xdm_xserver_t;
+		type xserver_t;
 	')
 
-	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
+	dontaudit $1 xserver_t:tcp_socket { read write };
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read and write xdm_xserver
+##	Do not audit attempts to read and write X server
 ##	unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
@@ -1641,17 +1110,17 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_dontaudit_rw_xdm_stream_sockets',`
+interface(`xserver_dontaudit_rw_stream_sockets',`
 	gen_require(`
-		type xdm_xserver_t;
+		type xserver_t;
 	')
 
-	dontaudit $1 xdm_xserver_t:unix_stream_socket { read write };
+	dontaudit $1 xserver_t:unix_stream_socket { read write };
 ')
 
 ########################################
 ## <summary>
-##	Connect to xdm_xserver over a unix domain
+##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
 ## <param name="domain">
@@ -1660,31 +1129,32 @@ interface(`xserver_dontaudit_rw_xdm_stream_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_stream_connect_xdm_xserver',`
+interface(`xserver_stream_connect',`
 	gen_require(`
-		type xdm_xserver_t, xdm_xserver_tmp_t;
+		type xserver_t, xserver_tmp_t;
 	')
 
 	files_search_tmp($1)
-	stream_connect_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
+	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
 ')
 
 ########################################
 ## <summary>
-##	xdm xserver RW shared memory socket.
+##	Read X server temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit
 ##	</summary>
 ## </param>
 #
-interface(`xserver_rw_xdm_xserver_shm',`
+interface(`xserver_read_tmp_files',`
 	gen_require(`
-		type xdm_xserver_t;
+		type xserver_tmp_t;
 	')
 
-	allow $1 xdm_xserver_t:shm rw_shm_perms;
+	allow $1 xserver_tmp_t:file read_file_perms;
+	files_search_tmp($1)
 ')
 
 ########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5fae59a..d507654 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,23 @@
 
-policy_module(xserver, 2.2.0)
+policy_module(xserver, 3.0.0)
+
+gen_require(`
+	class x_drawable all_x_drawable_perms;
+	class x_screen all_x_screen_perms;
+	class x_gc all_x_gc_perms;
+	class x_font all_x_font_perms;
+	class x_colormap all_x_colormap_perms;
+	class x_property all_x_property_perms;
+	class x_selection all_x_selection_perms;
+	class x_cursor all_x_cursor_perms;
+	class x_client all_x_client_perms;
+	class x_device all_x_device_perms;
+	class x_server all_x_server_perms;
+	class x_extension all_x_extension_perms;
+	class x_resource all_x_resource_perms;
+	class x_event all_x_event_perms;
+	class x_synthetic_event all_x_synthetic_event_perms;
+')
 
 ########################################
 #
@@ -28,18 +46,10 @@ gen_tunable(xdm_sysadm_login, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
-attribute fonts_type;
-attribute fonts_cache_type;
-attribute fonts_config_type;
-attribute xauth_home_type;
-
-# Domains
+attribute input_xevent_type;
 attribute xserver_unconfined_type;
-attribute x_server_domain;
-
-# Per-object attributes
-attribute rootwindow_type;
 attribute x_domain;
+attribute x_userdomain;
 attribute xproperty_type;
 attribute xselection_type;
 attribute xextension_type;
@@ -53,8 +63,18 @@ type debug_xext_t, xextension_type;
 type directhw_xext_t alias disallowed_xext_t, xextension_type;
 type focus_xevent_t, xevent_type;
 
+type iceauth_t;
 type iceauth_exec_t;
-application_executable_file(iceauth_exec_t)
+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+application_domain(iceauth_t, iceauth_exec_t)
+ubac_constrained(iceauth_t)
+
+type iceauth_home_t;
+typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+files_poly_member(iceauth_home_t)
+userdom_user_home_content(iceauth_home_t)
 
 type info_xproperty_t, xproperty_type;
 type input_xevent_t, xevent_type;
@@ -62,19 +82,73 @@ type manage_xevent_t, xevent_type;
 type output_xext_t, xextension_type;
 type property_xevent_t, xevent_type;
 type remote_xclient_t;
+
+type rootwindow_t;
+typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t };
+typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t };
+ubac_constrained(rootwindow_t)
+
 type screensaver_xext_t, xextension_type;
 type security_xext_t, xextension_type;
 type shmem_xext_t, xextension_type;
 type std_xext_t, xextension_type;
 type video_xext_t, xextension_type;
 type unknown_xevent_t, xevent_type;
+
+xserver_object_types_template(user)
+typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
+typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
+typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
+typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
+typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t };
+typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
+typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t };
+typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
+typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t };
+typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
+typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t };
+typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
+typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t };
+typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+type user_fonts_t;
+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+userdom_user_home_content(user_fonts_t)
+
+type user_fonts_cache_t;
+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+userdom_user_home_content(user_fonts_cache_t)
+
+type user_fonts_config_t;
+typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+userdom_user_home_content(user_fonts_cache_t)
+
 type xevent_t alias default_xevent_t, xevent_type;
 type xext_t alias unknown_xext_t, xextension_type;
 type xproperty_t alias default_xproperty_t, xproperty_type;
 type xselection_t alias default_xselection_t, xselection_type;
 
+type xauth_t;
 type xauth_exec_t;
-application_executable_file(xauth_exec_t)
+typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+application_domain(xauth_t, xauth_exec_t)
+ubac_constrained(xauth_t)
+
+type xauth_home_t;
+typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+files_poly_member(xauth_home_t)
+userdom_user_home_content(xauth_home_t)
+
+type xauth_tmp_t;
+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+files_tmp_file(xauth_tmp_t)
+ubac_constrained(xauth_tmp_t)
 
 # this is not actually a device, its a pipe
 type xconsole_device_t;
@@ -112,8 +186,26 @@ type xkb_var_lib_t;
 files_type(xkb_var_lib_t)
 
 # Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_t;
 type xserver_exec_t;
-corecmd_executable_file(xserver_exec_t)
+typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
+typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t };
+xserver_object_types_template(xdm)
+xserver_common_x_domain_template(xdm,xdm_t)
+init_system_domain(xserver_t, xserver_exec_t)
+ubac_constrained(xserver_t)
+
+type xserver_tmp_t;
+typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t };
+files_tmp_file(xserver_tmp_t)
+ubac_constrained(xserver_tmp_t)
+
+type xserver_tmpfs_t;
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+files_tmpfs_file(xserver_tmpfs_t)
+ubac_constrained(xserver_tmpfs_t)
 
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
@@ -122,10 +214,6 @@ corecmd_executable_file(xsession_exec_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
-xserver_common_domain_template(xdm)
-xserver_common_x_domain_template(xdm, xdm, xdm_t)
-init_system_domain(xdm_xserver_t, xserver_exec_t)
-
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
@@ -137,6 +225,78 @@ optional_policy(`
 
 ########################################
 #
+# Iceauth local policy
+#
+
+allow iceauth_t iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+
+allow xdm_t iceauth_home_t:file read_file_perms;
+
+fs_search_auto_mountpoints(iceauth_t)
+
+userdom_use_user_terminals(iceauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(iceauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(iceauth_t)
+')
+
+########################################
+#
+# Xauth local policy
+#
+
+allow xauth_t self:process signal;
+allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xauth_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
+allow xdm_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+
+domain_use_interactive_fds(xauth_t)
+
+files_read_etc_files(xauth_t)
+files_search_pids(xauth_t)
+
+fs_getattr_xattr_fs(xauth_t)
+fs_search_auto_mountpoints(xauth_t)
+
+# cjp: why?
+term_use_ptmx(xauth_t)
+
+auth_use_nsswitch(xauth_t)
+
+userdom_use_user_terminals(xauth_t)
+userdom_read_user_tmp_files(xauth_t)
+
+xserver_rw_xdm_tmp_files(xauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(xauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(xauth_t)
+')
+
+optional_policy(`
+	ssh_sigchld(xauth_t)
+	ssh_read_pipes(xauth_t)
+	ssh_dontaudit_rw_tcp_sockets(xauth_t)
+')
+
+########################################
+#
 # XDM Local policy
 #
 
@@ -186,25 +346,25 @@ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
 
-allow xdm_t xdm_xserver_t:process signal;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:unix_stream_socket connectto;
 
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
 
 # transition to the xdm xserver
-domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
+allow xserver_t xdm_t:process signal;
+allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+allow xdm_t xserver_t:shm rw_shm_perms;
 
 # connect to xdm xserver over stream socket
-stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
+stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
 
 # Remove /tmp/.X11-unix/X0.
-delete_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t)
-delete_sock_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t)
+delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
+delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
 
 manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
@@ -308,14 +468,12 @@ sysnet_read_config(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
-userdom_read_unpriv_users_home_content_files(xdm_t)
+userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 
-sysadm_dontaudit_search_home_dirs(xdm_t)
-
-xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
+xserver_rw_session(xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
 tunable_policy(`use_nfs_home_dirs',`
@@ -340,8 +498,8 @@ tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
 	# FIXME:
 #	xserver_rw_session_template(xdm,unpriv_userdomain)
-#	dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-#	allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+#	dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
+#	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
 optional_policy(`
@@ -380,6 +538,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(xdm_t)
 ')
 
@@ -414,59 +576,275 @@ optional_policy(`
 
 ########################################
 #
+# X server local policy
+#
+
+# setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+# execheap needed until the X module loader is fixed.
+# NVIDIA Needs execstack
+
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+dontaudit xserver_t self:capability chown;
+allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow xserver_t self:memprotect mmap_zero;
+allow xserver_t self:fd use;
+allow xserver_t self:fifo_file rw_fifo_file_perms;
+allow xserver_t self:sock_file read_sock_file_perms;
+allow xserver_t self:shm create_shm_perms;
+allow xserver_t self:sem create_sem_perms;
+allow xserver_t self:msgq create_msgq_perms;
+allow xserver_t self:msg { send receive };
+allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xserver_t self:tcp_socket create_stream_socket_perms;
+allow xserver_t self:udp_socket create_socket_perms;
+
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+
+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file read_file_perms;
+
+# Labeling rules for root windows and colormaps
+type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
+
+allow xserver_t { rootwindow_t x_domain }:x_drawable send;
+
+manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+
+manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+files_search_var_lib(xserver_t)
+
+# Create files in /var/log with the xserver_log_t type.
+manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+logging_log_filetrans(xserver_t, xserver_log_t,file)
+
+kernel_read_system_state(xserver_t)
+kernel_read_device_sysctls(xserver_t)
+kernel_read_modprobe_sysctls(xserver_t)
+# Xorg wants to check if kernel is tainted
+kernel_read_kernel_sysctls(xserver_t)
+kernel_write_proc_files(xserver_t)
+
+# Run helper programs in xserver_t.
+corecmd_exec_bin(xserver_t)
+corecmd_exec_shell(xserver_t)
+
+corenet_all_recvfrom_unlabeled(xserver_t)
+corenet_all_recvfrom_netlabel(xserver_t)
+corenet_tcp_sendrecv_generic_if(xserver_t)
+corenet_udp_sendrecv_generic_if(xserver_t)
+corenet_tcp_sendrecv_all_nodes(xserver_t)
+corenet_udp_sendrecv_all_nodes(xserver_t)
+corenet_tcp_sendrecv_all_ports(xserver_t)
+corenet_udp_sendrecv_all_ports(xserver_t)
+corenet_tcp_bind_all_nodes(xserver_t)
+corenet_tcp_bind_xserver_port(xserver_t)
+corenet_tcp_connect_all_ports(xserver_t)
+corenet_sendrecv_xserver_server_packets(xserver_t)
+corenet_sendrecv_all_client_packets(xserver_t)
+
+dev_rw_sysfs(xserver_t)
+dev_rw_mouse(xserver_t)
+dev_rw_mtrr(xserver_t)
+dev_rw_apm_bios(xserver_t)
+dev_rw_agp(xserver_t)
+dev_rw_framebuffer(xserver_t)
+dev_manage_dri_dev(xserver_t)
+dev_create_generic_dirs(xserver_t)
+dev_setattr_generic_dirs(xserver_t)
+# raw memory access is needed if not using the frame buffer
+dev_read_raw_memory(xserver_t)
+dev_wx_raw_memory(xserver_t)
+# for other device nodes such as the NVidia binary-only driver
+dev_rw_xserver_misc(xserver_t)
+# read events - the synaptics touchpad driver reads raw events
+dev_rw_input_dev(xserver_t)
+dev_rwx_zero(xserver_t)
+
+domain_mmap_low(xserver_t)
+
+files_read_etc_files(xserver_t)
+files_read_etc_runtime_files(xserver_t)
+files_read_usr_files(xserver_t)
+
+# brought on by rhgb
+files_search_mnt(xserver_t)
+# for nscd
+files_dontaudit_search_pids(xserver_t)
+
+fs_getattr_xattr_fs(xserver_t)
+fs_search_nfs(xserver_t)
+fs_search_auto_mountpoints(xserver_t)
+fs_search_ramfs(xserver_t)
+
+mls_xwin_read_to_clearance(xserver_t)
+
+selinux_validate_context(xserver_t)
+selinux_compute_access_vector(xserver_t)
+selinux_compute_create_context(xserver_t)
+
+auth_use_nsswitch(xserver_t)
+
+init_getpgid(xserver_t)
+
+term_setattr_unallocated_ttys(xserver_t)
+term_use_unallocated_ttys(xserver_t)
+
+getty_use_fds(xserver_t)
+
+locallogin_use_fds(xserver_t)
+
+logging_send_syslog_msg(xserver_t)
+logging_send_audit_msgs(xserver_t)
+
+miscfiles_read_localization(xserver_t)
+miscfiles_read_fonts(xserver_t)
+
+modutils_domtrans_insmod(xserver_t)
+
+# read x_contexts
+seutil_read_default_contexts(xserver_t)
+
+userdom_search_user_home_dirs(xserver_t)
+userdom_use_user_ttys(xserver_t)
+userdom_setattr_user_ttys(xserver_t)
+userdom_rw_user_tmpfs_files(xserver_t)
+
+xserver_use_user_fonts(xserver_t)
+
+ifndef(`distro_redhat',`
+	allow xserver_t self:process { execmem execheap execstack };
+')
+
+ifdef(`distro_rhel4',`
+	allow xserver_t self:process { execmem execheap execstack };
+')
+
+ifdef(`enable_mls',`
+	range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
+	range_transition xserver_t rootwindow_t:x_drawable s0 - mls_systemhigh;
+')
+
+tunable_policy(`!xserver_object_manager',`
+	# should be xserver_unconfined(xserver_t),
+	# but typeattribute doesnt work in conditionals
+
+	allow xserver_t xserver_t:x_server *;
+	allow xserver_t { x_domain rootwindow_t }:x_drawable *;
+	allow xserver_t xserver_t:x_screen *;
+	allow xserver_t x_domain:x_gc *;
+	allow xserver_t { x_domain rootwindow_t }:x_colormap *;
+	allow xserver_t xproperty_type:x_property *;
+	allow xserver_t xselection_type:x_selection *;
+	allow xserver_t x_domain:x_cursor *;
+	allow xserver_t { x_domain remote_xclient_t }:x_client *;
+	allow xserver_t { x_domain xserver_t }:x_device *;
+	allow xserver_t xextension_type:x_extension *;
+	allow xserver_t { x_domain xserver_t }:x_resource *;
+	allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
+')
+
+optional_policy(`
+	apm_stream_connect(xserver_t)
+')
+
+optional_policy(`
+	auth_search_pam_console_data(xserver_t)
+')
+
+optional_policy(`
+	rhgb_getpgid(xserver_t)
+	rhgb_signal(xserver_t)
+')
+
+optional_policy(`
+	unconfined_domain_noaudit(xserver_t)
+	unconfined_domtrans(xserver_t)
+')
+
+optional_policy(`
+	userhelper_search_config(xserver_t)
+')
+
+optional_policy(`
+	xfs_stream_connect(xserver_t)
+')
+
+########################################
+#
 # XDM Xserver local policy
 #
+# cjp: when xdm is configurable via tunable these
+# rules will be enabled only when xdm is enabled
 
-allow xdm_xserver_t xdm_t:process { signal getpgid };
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xserver_t xdm_t:process { signal getpgid };
+allow xserver_t xdm_t:shm rw_shm_perms;
 
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xserver_t xdm_var_lib_t:dir search;
 
-allow xdm_xserver_t xdm_var_run_t:file read_file_perms;
+allow xserver_t xdm_var_run_t:file read_file_perms;
 
 # Label pid and temporary files with derived types.
-manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_lnk_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_sock_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-files_search_var_lib(xdm_xserver_t)
+allow xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-fs_search_auto_mountpoints(xdm_xserver_t)
+corenet_tcp_bind_vnc_port(xserver_t)
 
-init_use_fds(xdm_xserver_t)
+init_use_fds(xserver_t)
 
 # FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
+# xserver_t may no longer have any reason
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
-userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+userdom_read_user_home_content_files(xserver_t)
 
-xserver_use_all_users_fonts(xdm_xserver_t)
+xserver_use_user_fonts(xserver_t)
 
 tunable_policy(`use_nfs_home_dirs',`
-	fs_manage_nfs_dirs(xdm_xserver_t)
-	fs_manage_nfs_files(xdm_xserver_t)
-	fs_manage_nfs_symlinks(xdm_xserver_t)
+	fs_manage_nfs_dirs(xserver_t)
+	fs_manage_nfs_files(xserver_t)
+	fs_manage_nfs_symlinks(xserver_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
-	fs_manage_cifs_dirs(xdm_xserver_t)
-	fs_manage_cifs_files(xdm_xserver_t)
-	fs_manage_cifs_symlinks(xdm_xserver_t)
+	fs_manage_cifs_dirs(xserver_t)
+	fs_manage_cifs_files(xserver_t)
+	fs_manage_cifs_symlinks(xserver_t)
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
-	hal_dbus_chat(xdm_xserver_t)
+	dbus_system_bus_client(xserver_t)
+	hal_dbus_chat(xserver_t)
 ')
 
 optional_policy(`
@@ -474,21 +852,105 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rhgb_rw_shm(xdm_xserver_t)
-	rhgb_rw_tmpfs_files(xdm_xserver_t)
+	rhgb_rw_shm(xserver_t)
+	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
-optional_policy(`
-	unconfined_domain_noaudit(xdm_xserver_t)
-	unconfined_domtrans(xdm_xserver_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+########################################
+#
+# Rules common to all X window domains
+#
 
-	ifdef(`distro_rhel4',`
-		allow xdm_xserver_t self:process { execheap execmem };
-	')
+# Hacks
+# everyone can get the input focus of everyone else
+# this is a fundamental brokenness in the X protocol
+allow x_domain { x_domain xserver_t }:x_device getfocus;
+# everyone can grab the server
+# everyone does it, it is basically a free DOS attack
+allow x_domain xserver_t:x_server grab;
+# everyone can get the font path, etc.
+# this could leak out sensitive information
+allow x_domain xserver_t:x_server getattr;
+# everyone can do override-redirect windows.
+# this could be used to spoof labels
+allow x_domain self:x_drawable override;
+# everyone can receive management events on the root window
+# allows to know when new windows appear, among other things
+allow x_domain manage_xevent_t:x_event receive;
+
+# X Server
+# can read server-owned resources
+allow x_domain xserver_t:x_resource read;
+# can mess with own clients
+allow x_domain self:x_client { manage destroy };
+
+# X Protocol Extensions
+allow x_domain std_xext_t:x_extension { query use };
+allow x_domain shmem_xext_t:x_extension { query use };
+dontaudit x_domain xextension_type:x_extension { query use };
+
+# X Properties
+# can read and write cut buffers
+allow x_domain clipboard_xproperty_t:x_property { create read write append };
+# can read info properties
+allow x_domain info_xproperty_t:x_property read;
+# can change properties of root window
+allow x_domain rootwindow_t:x_drawable { list_property get_property set_property };
+# can change properties of own windows
+allow x_domain self:x_drawable { list_property get_property set_property };
+
+# X Windows
+# operations allowed on root windows
+allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
+# operations allowed on my windows
+allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+
+# X Colormaps
+# can use the default colormap
+allow x_domain rootwindow_t:x_colormap { read use add_color };
+
+# X Input
+# can receive certain root window events
+allow x_domain focus_xevent_t:x_event receive;
+allow x_domain property_xevent_t:x_event receive;
+allow x_domain client_xevent_t:x_synthetic_event receive;
+allow x_domain manage_xevent_t:x_synthetic_event receive;
+# can send ICCCM events to the root window
+allow x_domain manage_xevent_t:x_synthetic_event send;
+allow x_domain client_xevent_t:x_synthetic_event send;
+# X Selections
+# can use the clipboard
+allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
+# can query all other selections
+allow x_domain xselection_t:x_selection { getattr read };
+
+# Other X Objects
+# can create and use cursors
+allow x_domain self:x_cursor *;
+# can create and use graphics contexts
+allow x_domain self:x_gc *;
+# can create and use colormaps
+allow x_domain self:x_colormap *;
+# can read and write own objects
+allow x_domain self:x_resource { read write };
+
+tunable_policy(`! xserver_object_manager',`
+	# should be xserver_unconfined(x_domain),
+	# but typeattribute doesnt work in conditionals
+
+	allow x_domain xserver_t:x_server *;
+	allow x_domain { x_domain rootwindow_t }:x_drawable *;
+	allow x_domain xserver_t:x_screen *;
+	allow x_domain x_domain:x_gc *;
+	allow x_domain { x_domain rootwindow_t }:x_colormap *;
+	allow x_domain xproperty_type:x_property *;
+	allow x_domain xselection_type:x_selection *;
+	allow x_domain x_domain:x_cursor *;
+	allow x_domain { x_domain remote_xclient_t }:x_client *;
+	allow x_domain { x_domain xserver_t }:x_device *;
+	allow x_domain xextension_type:x_extension *;
+	allow x_domain { x_domain xserver_t }:x_resource *;
+	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
 ########################################
@@ -496,35 +958,21 @@ optional_policy(`
 # Rules for unconfined access to this module
 #
 
-allow xserver_unconfined_type x_server_domain:x_server *;
-allow xserver_unconfined_type { x_domain rootwindow_type }:x_drawable *;
-allow xserver_unconfined_type x_server_domain:x_screen *;
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
 allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type { x_domain rootwindow_type }:x_colormap *;
+allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *;
 allow xserver_unconfined_type xproperty_type:x_property *;
 allow xserver_unconfined_type xselection_type:x_selection *;
 allow xserver_unconfined_type x_domain:x_cursor *;
 allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *;
-allow xserver_unconfined_type { x_domain x_server_domain }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
 allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
 ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
 tunable_policy(`allow_polyinstantiation',`
 # xdm needs access for linking .X11-unix to poly /tmp
 allow xdm_t polymember:dir { add_name remove_name write };
@@ -537,8 +985,4 @@ allow xdm_t polymember:file { create getattr write };
 # Wants to delete .xsession-errors file
 #
 allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
 ') dnl end TODO
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 15458df..a663133 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
 
-policy_module(zebra, 1.8.0)
+policy_module(zebra, 1.8.1)
 
 ########################################
 #
@@ -113,8 +113,7 @@ miscfiles_read_localization(zebra_t)
 sysnet_read_config(zebra_t)
 
 userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-
-sysadm_dontaudit_search_home_dirs(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
 
 tunable_policy(`allow_zebra_write_config',`
 	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index cdda011..7fb4cfe 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1,156 +1,33 @@
 ## <summary>Common policy for authentication and user login.</summary>
 
-#######################################
-## <summary>
-##	Common template to create a domain for authentication.
-## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to authenticate users by using PAM unix_chkpwd support.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`authlogin_common_auth_domain_template',`
-	gen_require(`
-		attribute can_read_shadow_passwords;
-		type chkpwd_exec_t, shadow_t;
-	')
-
-	type $1_chkpwd_t, can_read_shadow_passwords;
-	application_domain($1_chkpwd_t,chkpwd_exec_t)
-
-	allow $1_chkpwd_t self:capability { dac_override setuid };
-	dontaudit $1_chkpwd_t self:capability sys_tty_config;
-	allow $1_chkpwd_t self:process getattr;
-
-	files_list_etc($1_chkpwd_t)
-	allow $1_chkpwd_t shadow_t:file read_file_perms;
-
-	# is_selinux_enabled
-	kernel_read_system_state($1_chkpwd_t)
-
-	dev_read_rand($1_chkpwd_t)
-	dev_read_urand($1_chkpwd_t)
-
-	files_read_etc_files($1_chkpwd_t)
-	# for nscd
-	files_dontaudit_search_var($1_chkpwd_t)
-
-	fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
-
-	auth_use_nsswitch($1_chkpwd_t)
-
-	logging_send_audit_msgs($1_chkpwd_t)
-	logging_send_syslog_msg($1_chkpwd_t)
-
-	miscfiles_read_localization($1_chkpwd_t)
-
-	seutil_read_config($1_chkpwd_t)
-
-	optional_policy(`
-		kerberos_use($1_chkpwd_t)
-	')
-')
-
-#######################################
+########################################
 ## <summary>
-##	The per role template for the authlogin module.
+##	Role access for password authentication.
 ## </summary>
-## <desc>
-##	<p>
-##	This template creates a derived domain which is allowed
-##	to authenticate users by using PAM unix_chkpwd support.
-##	This domain will be used by any programs running in the
-##	user domain which use PAM to authenticate.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="user_domain">
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-template(`authlogin_per_role_template',`
-
+interface(`auth_role',`
 	gen_require(`
-		type system_chkpwd_t, shadow_t;
+		type chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
-	authlogin_common_auth_domain_template($1)
-
-	role $3 types $1_chkpwd_t;
-	role $3 types system_chkpwd_t;
-
-	dontaudit $2 shadow_t:file read_file_perms;
+	role $1 types chkpwd_t;
 
 	# Transition from the user domain to this domain.
-	domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
-
-	domain_use_interactive_fds($1_chkpwd_t)
+	domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
 
-	seutil_use_newrole_fds($1_chkpwd_t)
-
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_chkpwd_t)
-')
-
-########################################
-## <summary>
-##	Run unix_chkpwd to check a password
-##	for a user domain.
-## </summary>
-## <desc>
-##	<p>
-##	Run unix_chkpwd to check a password
-##	for a user domain.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`auth_domtrans_user_chk_passwd',`
-	gen_require(`
-		type $1_chkpwd_t, chkpwd_exec_t;
-	')
+	ps_process_pattern($2, chkpwd_t)
 
-	corecmd_search_bin($2)
-	domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
+	dontaudit $2 shadow_t:file read_file_perms;
 ')
 
 ########################################
@@ -319,11 +196,11 @@ interface(`auth_ranged_domtrans_login_program',`
 #
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
-		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+		type chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t)
+	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
 
 	dontaudit $1 shadow_t:file { getattr read };
 
@@ -369,20 +246,14 @@ interface(`auth_domtrans_chk_passwd',`
 ##	The role to allow the chkpwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the chkpwd domain to use.
-##	</summary>
-## </param>
 #
 interface(`auth_run_chk_passwd',`
 	gen_require(`
-		type system_chkpwd_t;
+		type chkpwd_t;
 	')
 
 	auth_domtrans_chk_passwd($1)
-	role $2 types system_chkpwd_t;
-	allow system_chkpwd_t $3:chr_file rw_file_perms;
+	role $2 types chkpwd_t;
 ')
 
 ########################################
@@ -419,11 +290,6 @@ interface(`auth_domtrans_upd_passwd',`
 ##	The role to allow the updpwd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the updpwd domain to use.
-##	</summary>
-## </param>
 #
 interface(`auth_run_upd_passwd',`
 	gen_require(`
@@ -432,7 +298,6 @@ interface(`auth_run_upd_passwd',`
 
 	auth_domtrans_upd_passwd($1)
 	role $2 types updpwd_t;
-	allow updpwd_t $3:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -815,11 +680,6 @@ interface(`auth_signal_pam',`
 ##	The role to allow the PAM domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the PAM domain to use.
-##	</summary>
-## </param>
 #
 interface(`auth_run_pam',`
 	gen_require(`
@@ -828,7 +688,6 @@ interface(`auth_run_pam',`
 
 	auth_domtrans_pam($1)
 	role $2 types pam_t;
-	allow pam_t $3:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1228,11 +1087,6 @@ interface(`auth_domtrans_utempter',`
 ##	The role to allow the utempter domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the utempter domain to use.
-##	</summary>
-## </param>
 #
 interface(`auth_run_utempter',`
 	gen_require(`
@@ -1241,7 +1095,6 @@ interface(`auth_run_utempter',`
 
 	auth_domtrans_utempter($1)
 	role $2 types utempter_t;
-	allow utempter_t $3:chr_file rw_file_perms;
 ')
 
 #######################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4c998f..0f02b4f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 1.11.1)
+policy_module(authlogin, 2.0.0)
 
 ########################################
 #
@@ -10,8 +10,12 @@ attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 
+type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
-application_executable_file(chkpwd_exec_t)
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
+application_domain(chkpwd_t, chkpwd_exec_t)
+role system_r types chkpwd_t;
 
 type faillog_t;
 logging_log_file(faillog_t)
@@ -69,9 +73,56 @@ files_type(var_auth_t)
 type wtmp_t;
 logging_log_file(wtmp_t)
 
-# reorder to work around require-then-decare bug
-authlogin_common_auth_domain_template(system)
-role system_r types system_chkpwd_t;
+########################################
+#
+# Check password local policy
+#
+
+allow chkpwd_t self:capability { dac_override setuid };
+dontaudit chkpwd_t self:capability sys_tty_config;
+allow chkpwd_t self:process getattr;
+
+allow chkpwd_t shadow_t:file read_file_perms;
+files_list_etc(chkpwd_t)
+
+# is_selinux_enabled
+kernel_read_system_state(chkpwd_t)
+
+domain_dontaudit_use_interactive_fds(chkpwd_t)
+
+dev_read_rand(chkpwd_t)
+dev_read_urand(chkpwd_t)
+
+files_read_etc_files(chkpwd_t)
+# for nscd
+files_dontaudit_search_var(chkpwd_t)
+
+fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+term_dontaudit_use_unallocated_ttys(chkpwd_t)
+term_dontaudit_use_generic_ptys(chkpwd_t)
+
+auth_use_nsswitch(chkpwd_t)
+
+logging_send_audit_msgs(chkpwd_t)
+logging_send_syslog_msg(chkpwd_t)
+
+miscfiles_read_localization(chkpwd_t)
+
+seutil_read_config(chkpwd_t)
+seutil_dontaudit_use_newrole_fds(chkpwd_t)
+
+userdom_use_user_terminals(chkpwd_t)
+
+ifdef(`distro_ubuntu',`
+	optional_policy(`
+		unconfined_domain(chkpwd_t)
+	')
+')
+
+optional_policy(`
+	kerberos_use(chkpwd_t)
+')
 
 ########################################
 #
@@ -117,8 +168,6 @@ files_read_etc_files(pam_t)
 
 logging_send_syslog_msg(pam_t)
 
-userdom_use_unpriv_users_fds(pam_t)
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(pam_t)
@@ -254,31 +303,6 @@ optional_policy(`
 
 ########################################
 #
-# System check password local policy
-#
-
-allow system_chkpwd_t shadow_t:file read_file_perms;
-
-corecmd_search_bin(system_chkpwd_t)
-
-domain_dontaudit_use_interactive_fds(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
-term_dontaudit_use_generic_ptys(system_chkpwd_t)
-
-userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
-userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
-
-sysadm_dontaudit_use_terms(system_chkpwd_t)
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(system_chkpwd_t)
-	')
-')
-
-########################################
-#
 # updpwd local policy
 #
 
@@ -292,7 +316,6 @@ kernel_read_system_state(updpwd_t)
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 
 auth_manage_shadow(updpwd_t)
@@ -302,6 +325,8 @@ logging_send_syslog_msg(updpwd_t)
 
 miscfiles_read_localization(updpwd_t)
 
+userdom_use_user_terminals(updpwd_t)
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(updpwd_t)
@@ -334,8 +359,9 @@ domain_use_interactive_fds(utempter_t)
 
 logging_search_logs(utempter_t)
 
+userdom_use_user_terminals(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
-userdom_write_unpriv_users_tmp_files(utempter_t)
+userdom_write_user_tmp_files(utempter_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -348,11 +374,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# Allow utemper to write to /tmp/.xses-*
-	unconfined_write_tmp_files(utempter_t)
-')
-
-optional_policy(`
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
 ')
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 29397af..f76522e 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -33,11 +33,6 @@ interface(`clock_domtrans',`
 ##	The role to be allowed the clock domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`clock_run',`
@@ -47,7 +42,6 @@ interface(`clock_run',`
 
 	clock_domtrans($1)
 	role $2 types hwclock_t;
-	allow hwclock_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 6f74901..4a97136 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
 
-policy_module(clock,1.5.0)
+policy_module(clock, 1.5.1)
 
 ########################################
 #
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index e529bd6..732b54a 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -34,11 +34,6 @@ interface(`fstools_domtrans',`
 ##	The role to be allowed the fs tools domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the fs tools domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`fstools_run',`
@@ -48,7 +43,6 @@ interface(`fstools_run',`
 
 	fstools_domtrans($1)
 	role $2 types fsadm_t;
-	allow fsadm_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 2f58907..14282bb 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools, 1.11.0)
+policy_module(fstools, 1.11.1)
 
 ########################################
 #
@@ -150,6 +150,7 @@ modutils_read_module_config(fsadm_t)
 
 seutil_read_config(fsadm_t)
 
+userdom_use_user_terminals(fsadm_t)
 userdom_use_unpriv_users_fds(fsadm_t)
 
 tunable_policy(`read_default_t',`
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index 7910037..1ce151a 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -34,11 +34,6 @@ interface(`hostname_domtrans',`
 ##	The role to be allowed the hostname domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the hostname domain to use.
-##	</summary>
-## </param>
 #
 interface(`hostname_run',`
 	gen_require(`
@@ -47,7 +42,6 @@ interface(`hostname_run',`
 
 	hostname_domtrans($1)
 	role $2 types hostname_t;
-	allow hostname_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index d043c9b..c5dca1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
 
-policy_module(hostname,1.5.0)
+policy_module(hostname, 1.5.1)
 
 ########################################
 #
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index a1511c4..f7c2d4c 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
 
-policy_module(hotplug, 1.10.0)
+policy_module(hotplug, 1.10.1)
 
 ########################################
 #
@@ -112,8 +112,7 @@ seutil_dontaudit_search_config(hotplug_t)
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-
-sysadm_dontaudit_search_home_dirs(hotplug_t)
+userdom_dontaudit_search_user_home_dirs(hotplug_t)
 
 ifdef(`distro_redhat', `
 	optional_policy(`
@@ -130,7 +129,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(hotplug,hotplug_t)
+	dbus_system_bus_client(hotplug_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d6f0c52..150a28e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -190,6 +190,8 @@ interface(`init_daemon_domain',`
 
 		typeattribute $1 direct_init;
 		typeattribute $2 direct_init_entry;
+
+		userdom_dontaudit_use_user_terminals($1)
 	')
 
 	ifdef(`hide_broken_symptoms',`
@@ -739,11 +741,6 @@ interface(`init_labeled_script_domtrans',`
 ##	The role to be performing this action.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal of the user.
-##	</summary>
-## </param>
 #
 interface(`init_run_daemon',`
 	gen_require(`
@@ -753,7 +750,6 @@ interface(`init_run_daemon',`
 
 	typeattribute $1 direct_run_init;
 	role_transition $2 direct_init_entry system_r;
-	dontaudit direct_init $3:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -1474,6 +1470,25 @@ interface(`init_manage_utmp',`
 
 ########################################
 ## <summary>
+##	Create files in /var/run with the
+##	utmp file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain access allowed.
+##	</summary>
+## </param>
+#
+interface(`init_pid_filetrans_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_pid_filetrans($1, initrc_var_run_t, file)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f0035b7..d3788e1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init, 1.12.0)
+policy_module(init, 1.12.1)
 
 gen_require(`
 	class passwd rootok;
@@ -382,12 +382,11 @@ modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
 
-userdom_read_all_users_home_content_files(initrc_t)
-
+userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-sysadm_use_terms(initrc_t)
+userdom_use_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
@@ -567,7 +566,7 @@ optional_policy(`
 
 optional_policy(`
 	dbus_connect_system_bus(initrc_t)
-	dbus_system_bus_client_template(initrc,initrc_t)
+	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
 
 	optional_policy(`
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index e082a55..27cacf5 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -219,11 +219,6 @@ interface(`ipsec_domtrans_setkey',`
 ##	The role to be allowed the racoon and setkey domains.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the racoon and setkey domains to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`ipsec_run_setkey',`
@@ -233,5 +228,4 @@ interface(`ipsec_run_setkey',`
 
 	ipsec_domtrans_setkey($1)
 	role $2 types setkey_t;
-	allow setkey_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b7a6b0e..8ccedbe 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec, 1.8.0)
+policy_module(ipsec, 1.8.1)
 
 ########################################
 #
@@ -134,8 +134,7 @@ miscfiles_read_localization(ipsec_t)
 sysnet_read_config(ipsec_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-
-sysadm_dontaudit_search_home_dirs(ipsec_t)
+userdom_dontaudit_search_user_home_dirs(ipsec_t)
 
 optional_policy(`
 	nis_use_ypbind(ipsec_t)
@@ -250,7 +249,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t)
 
 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 
-sysadm_use_terms(ipsec_mgmt_t)
+userdom_use_user_terminals(ipsec_mgmt_t)
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
@@ -348,3 +347,5 @@ locallogin_use_fds(setkey_t)
 miscfiles_read_localization(setkey_t)
 
 seutil_read_config(setkey_t)
+
+userdom_use_user_terminals(setkey_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index f05ae34..bab19d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -34,11 +34,6 @@ interface(`iptables_domtrans',`
 ##	The role to be allowed the iptables domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the iptables domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`iptables_run',`
@@ -48,12 +43,11 @@ interface(`iptables_run',`
 
 	iptables_domtrans($1)
 	role $2 types iptables_t;
-	allow iptables_t $3:chr_file rw_term_perms;
 
-	sysnet_run_ifconfig(iptables_t, $2, $3)
+	sysnet_run_ifconfig(iptables_t, $2)
 
 	optional_policy(`
-		modutils_run_insmod(iptables_t, $2, $3)
+		modutils_run_insmod(iptables_t, $2)
 	')
 ')
 
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 937f2db..be4ce0f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
 
-policy_module(iptables, 1.7.0)
+policy_module(iptables, 1.7.1)
 
 ########################################
 #
@@ -74,6 +74,7 @@ miscfiles_read_localization(iptables_t)
 sysnet_domtrans_ifconfig(iptables_t)
 sysnet_dns_name_resolve(iptables_t)
 
+userdom_use_user_terminals(iptables_t)
 userdom_use_all_users_fds(iptables_t)
 
 optional_policy(`
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index db3945a..7c9b27b 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -33,11 +33,6 @@ interface(`libs_domtrans_ldconfig',`
 ##	The role to allow the ldconfig domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ldconfig domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`libs_run_ldconfig',`
@@ -47,7 +42,6 @@ interface(`libs_run_ldconfig',`
 
 	libs_domtrans_ldconfig($1)
 	role $2 types ldconfig_t;
-	allow ldconfig_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0e47455..794a424 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries, 2.3.0)
+policy_module(libraries, 2.3.1)
 
 ########################################
 #
@@ -85,6 +85,7 @@ miscfiles_read_localization(ldconfig_t)
 
 logging_send_syslog_msg(ldconfig_t)
 
+userdom_use_user_terminals(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
 
 ifdef(`distro_ubuntu',`
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 1e31efb..7a00ae1 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
 
-policy_module(locallogin, 1.8.0)
+policy_module(locallogin, 1.8.1)
 
 ########################################
 #
@@ -131,7 +131,7 @@ miscfiles_read_localization(local_login_t)
 
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
-userdom_search_all_users_home_content(local_login_t)
+userdom_search_user_home_content(local_login_t)
 userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
@@ -165,7 +165,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(local_login, local_login_t)
+	dbus_system_bus_client(local_login_t)
 
 	consolekit_dbus_chat(local_login_t)
 ')
@@ -238,11 +238,10 @@ auth_read_shadow(sulogin_t)
 
 userdom_use_unpriv_users_fds(sulogin_t)
 
-staff_search_home_dirs(sulogin_t)
+userdom_search_user_home_dirs(sulogin_t)
+userdom_use_user_ptys(sulogin_t)
 
 sysadm_shell_domtrans(sulogin_t)
-sysadm_use_ptys(sulogin_t)
-sysadm_search_home_dirs(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4855a56..65004be 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -136,11 +136,6 @@ interface(`logging_domtrans_auditctl',`
 ##	The role to be allowed the auditctl domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the auditctl domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`logging_run_auditctl',`
@@ -150,7 +145,6 @@ interface(`logging_run_auditctl',`
 
 	logging_domtrans_auditctl($1)
 	role $2 types auditctl_t;
-	allow auditctl_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -186,11 +180,6 @@ interface(`logging_domtrans_auditd',`
 ##	The role to be allowed the auditd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the auditd domain to use.
-##	</summary>
-## </param>
 #
 interface(`logging_run_auditd',`
 	gen_require(`
@@ -199,7 +188,6 @@ interface(`logging_run_auditd',`
 
 	logging_domtrans_auditd($1)
 	role $2 types auditd_t;
-	allow auditd_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6ec8c70..eddb18e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging, 1.12.0)
+policy_module(logging, 1.12.1)
 
 ########################################
 #
@@ -188,9 +188,9 @@ seutil_dontaudit_read_config(auditd_t)
 
 sysnet_dns_name_resolve(auditd_t)
 
+userdom_use_user_terminals(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-
-sysadm_dontaudit_search_home_dirs(auditd_t)
+userdom_dontaudit_search_user_home_dirs(auditd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -305,7 +305,7 @@ miscfiles_read_localization(klogd_t)
 
 mls_file_read_all_levels(klogd_t)
 
-sysadm_dontaudit_search_home_dirs(klogd_t)
+userdom_dontaudit_search_user_home_dirs(klogd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -440,8 +440,7 @@ logging_send_syslog_msg(syslogd_t)
 miscfiles_read_localization(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-
-sysadm_dontaudit_search_home_dirs(syslogd_t)
+userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index adfa5ae..170f742 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -33,11 +33,6 @@ interface(`lvm_domtrans',`
 ##	The role to allow the LVM domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the LVM domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`lvm_run',`
@@ -47,7 +42,6 @@ interface(`lvm_run',`
 
 	lvm_domtrans($1)
 	role $2 types lvm_t;
-	allow lvm_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 29b0d9d..358a447 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
 
-policy_module(lvm, 1.9.0)
+policy_module(lvm, 1.9.1)
 
 ########################################
 #
@@ -114,8 +114,7 @@ seutil_dontaudit_search_config(clvmd_t)
 seutil_sigchld_newrole(clvmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-
-sysadm_dontaudit_search_home_dirs(clvmd_t)
+userdom_dontaudit_search_user_home_dirs(clvmd_t)
 
 lvm_domtrans(clvmd_t)
 lvm_read_config(clvmd_t)
@@ -241,9 +240,6 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
-term_getattr_all_user_ttys(lvm_t)
-term_list_ptys(lvm_t)
-
 corecmd_exec_bin(lvm_t)
 corecmd_exec_shell(lvm_t)
 
@@ -267,6 +263,8 @@ seutil_read_file_contexts(lvm_t)
 seutil_search_default_contexts(lvm_t)
 seutil_sigchld_newrole(lvm_t)
 
+userdom_use_user_terminals(lvm_t)
+
 ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_rw_isid_type_dirs(lvm_t)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 73b4e08..ce4ac17 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -141,11 +141,6 @@ interface(`modutils_domtrans_insmod',`
 ##	The role to be allowed the insmod domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the insmod domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`modutils_run_insmod',`
@@ -155,7 +150,6 @@ interface(`modutils_run_insmod',`
 
 	modutils_domtrans_insmod($1)
 	role $2 types insmod_t;
-	allow insmod_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -210,11 +204,6 @@ interface(`modutils_domtrans_depmod',`
 ##	The role to be allowed the depmod domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the depmod domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`modutils_run_depmod',`
@@ -224,7 +213,6 @@ interface(`modutils_run_depmod',`
 
 	modutils_domtrans_depmod($1)
 	role $2 types depmod_t;
-	allow insmod_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -279,11 +267,6 @@ interface(`modutils_domtrans_update_mods',`
 ##	The role to be allowed the update_modules domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the update_modules domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`modutils_run_update_mods',`
@@ -293,9 +276,8 @@ interface(`modutils_run_update_mods',`
 
 	modutils_domtrans_update_mods($1)
 	role $2 types update_modules_t;
-	allow update_modules_t $3:chr_file rw_term_perms;
 
-	modutils_run_insmod(update_modules_t, $2, $3)
+	modutils_run_insmod(update_modules_t, $2)
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 53ff21b..1883186 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils, 1.8.0)
+policy_module(modutils, 1.8.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -109,6 +109,8 @@ miscfiles_read_localization(insmod_t)
 
 seutil_read_file_contexts(insmod_t)
 
+userdom_use_user_terminals(insmod_t)
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(insmod_t)
@@ -142,11 +144,11 @@ optional_policy(`
 	rhgb_dontaudit_use_ptys(insmod_t)
 
 	xserver_dontaudit_write_log(insmod_t)
-	xserver_stream_connect_xdm_xserver(insmod_t)
-	xserver_dontaudit_rw_xdm_stream_sockets(insmod_t)
+	xserver_stream_connect(insmod_t)
+	xserver_dontaudit_rw_stream_sockets(insmod_t)
 
 	ifdef(`hide_broken_symptoms',`
-		xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
+		xserver_dontaudit_rw_tcp_sockets(insmod_t)
 	')
 ')
 
@@ -200,10 +202,10 @@ files_read_etc_files(depmod_t)
 files_read_usr_src_files(depmod_t)
 files_list_usr(depmod_t)
 
+userdom_use_user_terminals(depmod_t)
 # Read System.map from home directories.
 files_list_home(depmod_t)
-staff_read_home_content_files(depmod_t)
-sysadm_read_home_content_files(depmod_t)
+userdom_read_user_home_content_files(depmod_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -212,11 +214,6 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-	# Read System.map from home directories.
-	unconfined_read_home_content_files(depmod_t)
-')
-
-optional_policy(`
 	rpm_rw_pipes(depmod_t)
 ')
 
@@ -274,7 +271,8 @@ logging_send_syslog_msg(update_modules_t)
 
 miscfiles_read_localization(update_modules_t)
 
-sysadm_dontaudit_search_home_dirs(update_modules_t)
+userdom_use_user_terminals(update_modules_t)
+userdom_dontaudit_search_user_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index f9717ce..805bef0 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -34,11 +34,6 @@ interface(`mount_domtrans',`
 ##	The role to be allowed the mount domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the mount domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`mount_run',`
@@ -48,10 +43,9 @@ interface(`mount_run',`
 
 	mount_domtrans($1)
 	role $2 types mount_t;
-	allow mount_t $3:chr_file rw_file_perms;
 
 	optional_policy(`
-		samba_run_smbmount($1, $2, $3)
+		samba_run_smbmount($1, $2)
 	')
 ')
 
@@ -155,11 +149,6 @@ interface(`mount_domtrans_unconfined',`
 ##	The role to be allowed the unconfined mount domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the unconfined mount domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`mount_run_unconfined',`
@@ -169,5 +158,4 @@ interface(`mount_run_unconfined',`
 
 	mount_domtrans_unconfined($1)
 	role $2 types unconfined_mount_t;
-	allow unconfined_mount_t $3:chr_file rw_file_perms;
 ')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0089812..04a2293 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.9.0)
+policy_module(mount, 1.9.1)
 
 ########################################
 #
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
index 7c48ce5..1c9b8f5 100644
--- a/policy/modules/system/netlabel.if
+++ b/policy/modules/system/netlabel.if
@@ -34,11 +34,6 @@ interface(`netlabel_domtrans_mgmt',`
 ##	The role to be allowed the netlabel_mgmt domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the netlabel_mgmt domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`netlabel_run_mgmt',`
@@ -48,5 +43,4 @@ interface(`netlabel_run_mgmt',`
 
 	netlabel_domtrans_mgmt($1)
 	role $2 types netlabel_mgmt_t;
-	allow netlabel_mgmt_t $3:chr_file rw_term_perms;
 ')
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index 59562b0..86d7eaa 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,5 +1,5 @@
 
-policy_module(netlabel, 1.2.0)
+policy_module(netlabel, 1.2.1)
 
 ########################################
 #
@@ -25,3 +25,5 @@ kernel_read_network_state(netlabel_mgmt_t)
 files_read_etc_files(netlabel_mgmt_t)
 
 seutil_use_newrole_fds(netlabel_mgmt_t)
+
+userdom_use_user_terminals(netlabel_mgmt_t)
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 5724365..5f63c3a 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -85,11 +85,6 @@ interface(`pcmcia_domtrans_cardctl',`
 ##	The role to be allowed the cardmgr domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the cardmgr domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`pcmcia_run_cardctl',`
@@ -99,7 +94,6 @@ interface(`pcmcia_run_cardctl',`
 
 	pcmcia_domtrans_cardctl($1)
 	role $2 types cardmgr_t;
-	allow cardmgr_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 77da11e..aaf441e 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
 
-policy_module(pcmcia, 1.5.0)
+policy_module(pcmcia, 1.5.1)
 
 ########################################
 #
@@ -107,9 +107,9 @@ sysnet_domtrans_ifconfig(cardmgr_t)
 sysnet_etc_filetrans_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)
 
+userdom_use_user_terminals(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-
-sysadm_dontaudit_search_home_dirs(cardmgr_t)
+userdom_dontaudit_search_user_home_dirs(cardmgr_t)
 
 optional_policy(`
 	seutil_dontaudit_read_config(cardmgr_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 7556f02..a6a6531 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
 
-policy_module(raid, 1.7.0)
+policy_module(raid, 1.7.1)
 
 ########################################
 #
@@ -66,12 +66,11 @@ logging_send_syslog_msg(mdadm_t)
 miscfiles_read_localization(mdadm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
-userdom_dontaudit_search_all_users_home_content(mdadm_t)
+userdom_dontaudit_search_user_home_content(mdadm_t)
+userdom_dontaudit_use_user_terminals(mdadm_t)
 
 mta_send_mail(mdadm_t)
 
-sysadm_dontaudit_use_ttys(mdadm_t)
-
 optional_policy(`
 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
 ')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7364a6e..a8edd1f 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -36,11 +36,6 @@ interface(`seutil_domtrans_checkpolicy',`
 ##	The role to be allowed the checkpolicy domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the checkpolicy domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_checkpolicy',`
@@ -50,7 +45,6 @@ interface(`seutil_run_checkpolicy',`
 
 	seutil_domtrans_checkpolicy($1)
 	role $2 types checkpolicy_t;
-	allow checkpolicy_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -109,11 +103,6 @@ interface(`seutil_domtrans_loadpolicy',`
 ##	The role to be allowed the load_policy domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the load_policy domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_loadpolicy',`
@@ -123,7 +112,6 @@ interface(`seutil_run_loadpolicy',`
 
 	seutil_domtrans_loadpolicy($1)
 	role $2 types load_policy_t;
-	allow load_policy_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -166,7 +154,7 @@ interface(`seutil_read_loadpolicy',`
 
 #######################################
 ## <summary>
-##	Execute newrole in the load_policy domain.
+##	Execute newrole in the newole domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -200,11 +188,6 @@ interface(`seutil_domtrans_newrole',`
 ##	The role to be allowed the newrole domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the newrole domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_newrole',`
@@ -214,9 +197,8 @@ interface(`seutil_run_newrole',`
 
 	seutil_domtrans_newrole($1)
 	role $2 types newrole_t;
-	allow newrole_t $3:chr_file rw_term_perms;
 
-	auth_run_upd_passwd(newrole_t, $2, $3)
+	auth_run_upd_passwd(newrole_t, $2)
 ')
 
 ########################################
@@ -294,6 +276,25 @@ interface(`seutil_use_newrole_fds',`
 	allow $1 newrole_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to inherit and use
+##	newrole file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_use_newrole_fds',`
+	gen_require(`
+		type newrole_t;
+	')
+
+	dontaudit $1 newrole_t:fd use;
+')
+
 #######################################
 ## <summary>
 ##	Execute restorecon in the restorecon domain.  (Deprecated)
@@ -325,16 +326,11 @@ interface(`seutil_domtrans_restorecon',`
 ##	The role to be allowed the restorecon domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the restorecon domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_restorecon',`
 	refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
-	seutil_run_setfiles($1,$2,$3)
+	seutil_run_setfiles($1,$2)
 ')
 
 ########################################
@@ -417,11 +413,6 @@ interface(`seutil_init_script_domtrans_runinit',`
 ##	The role to be allowed the run_init domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the run_init domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_runinit',`
@@ -430,10 +421,10 @@ interface(`seutil_run_runinit',`
 		role system_r;
 	')
 
-	auth_run_chk_passwd(run_init_t, $2, $3)
+	auth_run_chk_passwd(run_init_t, $2)
 	seutil_domtrans_runinit($1)
 	role $2 types run_init_t;
-	allow run_init_t $3:chr_file rw_term_perms;
+
 	allow $2 system_r;
 ')
 
@@ -463,11 +454,6 @@ interface(`seutil_run_runinit',`
 ##	The role to be allowed the run_init domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the run_init domain to use.
-##	</summary>
-## </param>
 #
 interface(`seutil_init_script_run_runinit',`
 	gen_require(`
@@ -475,10 +461,10 @@ interface(`seutil_init_script_run_runinit',`
 		role system_r;
 	')
 
-	auth_run_chk_passwd(run_init_t, $2, $3)
+	auth_run_chk_passwd(run_init_t, $2)
 	seutil_init_script_domtrans_runinit($1)
 	role $2 types run_init_t;
-	allow run_init_t $3:chr_file rw_term_perms;
+
 	allow $2 system_r;
 ')
 
@@ -536,11 +522,6 @@ interface(`seutil_domtrans_setfiles',`
 ##	The role to be allowed the setfiles domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the setfiles domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_setfiles',`
@@ -550,7 +531,6 @@ interface(`seutil_run_setfiles',`
 
 	seutil_domtrans_setfiles($1)
 	role $2 types setfiles_t;
-	allow setfiles_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -1033,11 +1013,6 @@ interface(`seutil_domtrans_semanage',`
 ##	The role to be allowed the checkpolicy domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the semanage domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`seutil_run_semanage',`
@@ -1046,10 +1021,9 @@ interface(`seutil_run_semanage',`
 	')
 
 	seutil_domtrans_semanage($1)
-	seutil_run_setfiles(semanage_t, $2, $3)
-	seutil_run_loadpolicy(semanage_t, $2, $3)
+	seutil_run_setfiles(semanage_t, $2)
+	seutil_run_loadpolicy(semanage_t, $2)
 	role $2 types semanage_t;
-	allow semanage_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dbbfadd..49e789f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil, 1.11.1)
+policy_module(selinuxutil, 1.11.2)
 
 gen_require(`
 	bool secure_mode;
@@ -140,6 +140,7 @@ term_use_console(checkpolicy_t)
 init_use_fds(checkpolicy_t)
 init_use_script_ptys(checkpolicy_t)
 
+userdom_use_user_terminals(checkpolicy_t)
 userdom_use_all_users_fds(checkpolicy_t)
 
 ifdef(`distro_ubuntu',`
@@ -181,6 +182,7 @@ miscfiles_read_localization(load_policy_t)
 
 seutil_libselinux_linked(load_policy_t)
 
+userdom_use_user_terminals(load_policy_t)
 userdom_use_all_users_fds(load_policy_t)
 
 ifdef(`distro_ubuntu',`
@@ -274,10 +276,9 @@ miscfiles_read_localization(newrole_t)
 
 seutil_libselinux_linked(newrole_t)
 
-userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
-userdom_dontaudit_search_all_users_home_content(newrole_t)
-userdom_search_all_users_home_dirs(newrole_t)
+userdom_dontaudit_search_user_home_content(newrole_t)
+userdom_search_user_home_dirs(newrole_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -380,8 +381,6 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
-term_dontaudit_list_ptys(run_init_t)
-
 auth_use_nsswitch(run_init_t)
 auth_domtrans_chk_passwd(run_init_t)
 auth_domtrans_upd_passwd(run_init_t)
@@ -398,6 +397,8 @@ miscfiles_read_localization(run_init_t)
 seutil_libselinux_linked(run_init_t)
 seutil_read_default_contexts(run_init_t)
 
+userdom_use_user_terminals(run_init_t)
+
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
@@ -494,13 +495,8 @@ ifdef(`enable_mls',`
 	# read secadm tmp files
 ',`
 	# Handle pp files created in homedir and /tmp
-	sysadm_read_home_content_files(semanage_t)
-	sysadm_read_tmp_files(semanage_t)
-
-	optional_policy(`
-		unconfined_read_home_content_files(semanage_t)
-		unconfined_read_tmp_files(semanage_t)
-	')
+	userdom_read_user_home_content_files(semanage_t)
+	userdom_read_user_tmp_files(semanage_t)
 ')
 
 ########################################
@@ -574,7 +570,7 @@ seutil_libselinux_linked(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
-userdom_read_all_users_home_content_files(setfiles_t)
+userdom_read_user_home_content_files(setfiles_t)
 
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 57a33a7..21864b9 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -34,11 +34,6 @@ interface(`sysnet_domtrans_dhcpc',`
 ##	The role to be allowed the clock domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the clock domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sysnet_run_dhcpc',`
@@ -48,7 +43,6 @@ interface(`sysnet_run_dhcpc',`
 
 	sysnet_domtrans_dhcpc($1)
 	role $2 types dhcpc_t;
-	allow dhcpc_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -404,11 +398,6 @@ interface(`sysnet_domtrans_ifconfig',`
 ##	The role to be allowed the ifconfig domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the ifconfig domain to use.
-##	</summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sysnet_run_ifconfig',`
@@ -419,7 +408,6 @@ interface(`sysnet_run_ifconfig',`
 	corecmd_search_bin($1)
 	sysnet_domtrans_ifconfig($1)
 	role $2 types ifconfig_t;
-	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
 
 #######################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 06ef1ab..db38b3c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork, 1.8.0)
+policy_module(sysnetwork, 1.8.1)
 
 ########################################
 #
@@ -132,7 +132,8 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_domtrans_insmod(dhcpc_t)
 
-staff_dontaudit_search_home_dirs(dhcpc_t)
+userdom_use_user_terminals(dhcpc_t)
+userdom_dontaudit_search_user_home_dirs(dhcpc_t)
 
 ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)
@@ -151,7 +152,7 @@ optional_policy(`
 optional_policy(`
 	init_dbus_chat_script(dhcpc_t)
 
-	dbus_system_bus_client_template(dhcpc,dhcpc_t)
+	dbus_system_bus_client(dhcpc_t)
 	dbus_connect_system_bus(dhcpc_t)
 
 	optional_policy(`
@@ -295,6 +296,7 @@ modutils_domtrans_insmod(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
 
+userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
 ifdef(`distro_ubuntu',`
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b6506e6..9bd5d7f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.9.0)
+policy_module(udev, 1.9.1)
 
 ########################################
 #
@@ -160,7 +160,7 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
-userdom_dontaudit_search_all_users_home_content(udev_t)
+userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
@@ -198,7 +198,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_system_bus_client_template(udev,udev_t)
+	dbus_system_bus_client(udev_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index cb43eb1..2d4c440 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -205,11 +205,6 @@ interface(`unconfined_domtrans',`
 ##	The role to allow the unconfined domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the unconfined domain to use.
-##	</summary>
-## </param>
 #
 interface(`unconfined_run',`
 	gen_require(`
@@ -218,7 +213,6 @@ interface(`unconfined_run',`
 
 	unconfined_domtrans($1)
 	role $2 types unconfined_t;
-	allow unconfined_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -308,13 +302,13 @@ interface(`unconfined_domtrans_to',`
 #
 interface(`unconfined_run_to',`
 	gen_require(`
-		type unconfined_t, unconfined_devpts_t, unconfined_tty_device_t;
+		type unconfined_t;
 		role unconfined_r;
 	')
 
 	domtrans_pattern(unconfined_t,$2,$1)
 	role unconfined_r types $1;
-	allow $1 { unconfined_devpts_t unconfined_tty_device_t }:chr_file rw_term_perms;
+	userdom_use_user_terminals($1)
 ')
 
 ########################################
@@ -587,63 +581,3 @@ interface(`unconfined_dbus_connect',`
 
 	allow $1 unconfined_t:dbus acquire_svc;
 ')
-
-########################################
-## <summary>
-##	Read files in unconfined users home directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_read_home_content_files',`
-	gen_require(`
-		type unconfined_home_dir_t, unconfined_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
-	read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-	read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-')
-
-########################################
-## <summary>
-##	Read unconfined users temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_read_tmp_files',`
-	gen_require(`
-		type unconfined_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 unconfined_tmp_t:dir list_dir_perms;
-	read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-	read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-')
-
-########################################
-## <summary>
-##	Write unconfined users temporary files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`unconfined_write_tmp_files',`
-	gen_require(`
-		type unconfined_tmp_t;
-	')
-
-	allow $1 unconfined_tmp_t:file write_file_perms;
-')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 1c98875..0f2cfb6 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined, 2.4.0)
+policy_module(unconfined, 3.0.0)
 
 ########################################
 #
@@ -10,9 +10,9 @@ policy_module(unconfined, 2.4.0)
 # calls is not correct, however we dont currently
 # have another method to add access to these types
 userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
 
 type unconfined_exec_t;
 init_system_domain(unconfined_t, unconfined_exec_t)
@@ -34,25 +34,25 @@ files_create_boot_flag(unconfined_t)
 mcs_killall(unconfined_t)
 mcs_ptrace_all(unconfined_t)
 
-init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+init_run_daemon(unconfined_t, unconfined_r)
 
-libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+logging_run_auditctl(unconfined_t, unconfined_r)
 
-mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+mount_run_unconfined(unconfined_t, unconfined_r)
 
-seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
 
 unconfined_domain(unconfined_t)
 
-userdom_priveleged_home_dir_manager(unconfined_t)
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
 ifdef(`distro_gentoo',`
-	seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
-	seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+	seutil_run_runinit(unconfined_t, unconfined_r)
+	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -60,24 +60,20 @@ optional_policy(`
 ')
 
 optional_policy(`
-	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(httpd_unconfined_script_t)
+	apache_run_helper(unconfined_t, unconfined_r)
+	apache_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
-	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	bind_run_ndc(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	bootloader_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(unconfined_crond_t)
+	cron_unconfined_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
@@ -115,11 +111,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-	firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	firstboot_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	ftp_run_ftpdctl(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -127,15 +123,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	java_domtrans(unconfined_t)
+	java_domtrans_unconfined(unconfined_t)
 ')
 
 optional_policy(`
-	lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	lpd_run_checkpc(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	modutils_run_update_mods(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -143,7 +139,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+	mta_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
@@ -151,26 +147,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	prelink_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	portmap_run_helper(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	postfix_per_role_template(unconfined, unconfined_t, unconfined_r)
-	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	postfix_run_map(unconfined_t, unconfined_r)
 	# cjp: this should probably be removed:
 	postfix_domtrans_master(unconfined_t)
 ')
 
 optional_policy(`
-	pyzor_per_role_template(unconfined)
-')
-
-optional_policy(`
-	qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
+	pyzor_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
@@ -179,38 +170,37 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	rpm_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	samba_per_role_template(unconfined)
-	samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-	samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	samba_run_net(unconfined_t, unconfined_r)
+	samba_run_winbind_helper(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+	spamassassin_role(unconfined_r, unconfined_t)
 ')
 
 optional_policy(`
-	sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	sysnet_run_dhcpc(unconfined_t, unconfined_r)
 	sysnet_dbus_chat_dhcpc(unconfined_t)
 ')
 
 optional_policy(`
-	tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	tzdata_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	vpn_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
-	webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	webalizer_run(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -218,7 +208,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xserver_domtrans_xdm_xserver(unconfined_t)
+	xserver_domtrans(unconfined_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index ebb37c5..db75976 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,4 @@
-HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
-HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
+HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 
-/tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
+/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d546c89..4cb0867 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -25,6 +25,7 @@ template(`userdom_base_user_template',`
 
 	gen_require(`
 		attribute userdomain;
+		type user_devpts_t, user_tty_device_t;
 		class context contains;
 	')
 
@@ -35,15 +36,13 @@ template(`userdom_base_user_template',`
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
+	ubac_constrained($1_t)
 	role $1_r types $1_t;
 	allow system_r $1_r;
 
-	type $1_devpts_t;
-	term_user_pty($1_t,$1_devpts_t)
-	files_type($1_devpts_t)
+	term_user_pty($1_t, user_devpts_t)
 
-	type $1_tty_device_t; 
-	term_user_tty($1_t,$1_tty_device_t)
+	term_user_tty($1_t, user_tty_device_t)
 
 	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 	allow $1_t self:fd use;
@@ -57,10 +56,13 @@ template(`userdom_base_user_template',`
 	allow $1_t self:context contains;
 	dontaudit $1_t self:socket create;
 
-	allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
-	term_create_pty($1_t,$1_devpts_t)
+	allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+	# avoid annoying messages on terminal hangup on role change
+	dontaudit $1_t user_devpts_t:chr_file ioctl;
 
-	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+	allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+	# avoid annoying messages on terminal hangup on role change
+	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
@@ -117,402 +119,250 @@ template(`userdom_base_user_template',`
 
 #######################################
 ## <summary>
-##	The template for creating a home directory
-##	that the user has read-only access.
+##	Allow a home directory for which the
+##	role has read-only access.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The template for creating a home directory
-##	that the user has read-only access.
+##	Allow a home directory for which the
+##	role has read-only access.
 ##	</p>
 ##	<p>
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The user role
+##	</summary>
+## </param>
+## <param name="userdomain">
+##	<summary>
+##	The user domain
 ##	</summary>
 ## </param>
 ## <rolebase/>
 #
-template(`userdom_ro_home_template',`
+interface(`userdom_ro_home_role',`
 	gen_require(`
-		attribute home_type, home_dir_type, $1_file_type;
+		type user_home_t, user_home_dir_t;
 	')
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-	files_mountpoint($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_mountpoint($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-	files_poly_member($1_home_dir_t)
-
-	##############################
-	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	# Rules used to associate a homedir as a mountpoint
-	allow $1_home_t self:filesystem associate;
+	role $1 types { user_home_t user_home_dir_t };
 
 	##############################
 	#
 	# Domain access to home dir
 	#
 
+	type_member $2 user_home_dir_t:dir user_home_dir_t;
+
 	# read-only home directory
-	allow $1_t $1_home_dir_t:dir list_dir_perms;
-	allow $1_t $1_home_t:dir list_dir_perms;
-	allow $1_t $1_home_t:file entrypoint;
-	read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
-	read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
-	read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
-	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
-	files_list_home($1_t)
+	allow $2 user_home_dir_t:dir list_dir_perms;
+	allow $2 user_home_t:dir list_dir_perms;
+	allow $2 user_home_t:file entrypoint;
+	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+	files_list_home($2)
 
 	tunable_policy(`use_nfs_home_dirs',`
-		fs_list_nfs($1_t)
-		fs_read_nfs_files($1_t)
-		fs_read_nfs_symlinks($1_t)
-		fs_read_nfs_named_sockets($1_t)
-		fs_read_nfs_named_pipes($1_t)
+		fs_list_nfs($2)
+		fs_read_nfs_files($2)
+		fs_read_nfs_symlinks($2)
+		fs_read_nfs_named_sockets($2)
+		fs_read_nfs_named_pipes($2)
 	',`
-		fs_dontaudit_list_nfs($1_t)
-		fs_dontaudit_read_nfs_files($1_t)
+		fs_dontaudit_list_nfs($2)
+		fs_dontaudit_read_nfs_files($2)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		fs_list_cifs($1_t)
-		fs_read_cifs_files($1_t)
-		fs_read_cifs_symlinks($1_t)
-		fs_read_cifs_named_sockets($1_t)
-		fs_read_cifs_named_pipes($1_t)
+		fs_list_cifs($2)
+		fs_read_cifs_files($2)
+		fs_read_cifs_symlinks($2)
+		fs_read_cifs_named_sockets($2)
+		fs_read_cifs_named_pipes($2)
 	',`
-		fs_dontaudit_list_cifs($1_t)
-		fs_dontaudit_read_cifs_files($1_t)
+		fs_dontaudit_list_cifs($2)
+		fs_dontaudit_read_cifs_files($2)
 	')
 ')
 
 #######################################
 ## <summary>
-##	The template for creating a home directory
-##	that the user has full access.
+##	Allow a home directory for which the
+##	role has full access.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The template for creating a home directory
-##	that the user has full access.
+##	Allow a home directory for which the
+##	role has full access.
 ##	</p>
 ##	<p>
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The user role
+##	</summary>
+## </param>
+## <param name="userdomain">
+##	<summary>
+##	The user domain
 ##	</summary>
 ## </param>
 ## <rolebase/>
 #
-template(`userdom_manage_home_template',`
+interface(`userdom_manage_home_role',`
 	gen_require(`
-		attribute home_type, home_dir_type, $1_file_type;
+		type user_home_t, user_home_dir_t;
 	')
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
-	##############################
-	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	# Rules used to associate a homedir as a mountpoint
-	allow $1_home_t self:filesystem associate;
+	role $1 types { user_home_t user_home_dir_t };
 
 	##############################
 	#
 	# Domain access to home dir
 	#
 
+	type_member $2 user_home_dir_t:dir user_home_dir_t;
+
 	# full control of the home directory
-	allow $1_t $1_home_t:file entrypoint;
-	manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
-	filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-	files_list_home($1_t)
+	allow $2 user_home_t:file entrypoint;
+	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+	files_list_home($2)
 
 	# cjp: this should probably be removed:
-	allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
 	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_t)
-		fs_manage_nfs_files($1_t)
-		fs_manage_nfs_symlinks($1_t)
-		fs_manage_nfs_named_sockets($1_t)
-		fs_manage_nfs_named_pipes($1_t)
+		fs_manage_nfs_dirs($2)
+		fs_manage_nfs_files($2)
+		fs_manage_nfs_symlinks($2)
+		fs_manage_nfs_named_sockets($2)
+		fs_manage_nfs_named_pipes($2)
 	',`
-		fs_dontaudit_manage_nfs_dirs($1_t)
-		fs_dontaudit_manage_nfs_files($1_t)
+		fs_dontaudit_manage_nfs_dirs($2)
+		fs_dontaudit_manage_nfs_files($2)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_t)
-		fs_manage_cifs_files($1_t)
-		fs_manage_cifs_symlinks($1_t)
-		fs_manage_cifs_named_sockets($1_t)
-		fs_manage_cifs_named_pipes($1_t)
+		fs_manage_cifs_dirs($2)
+		fs_manage_cifs_files($2)
+		fs_manage_cifs_symlinks($2)
+		fs_manage_cifs_named_sockets($2)
+		fs_manage_cifs_named_pipes($2)
 	',`
-		fs_dontaudit_manage_cifs_dirs($1_t)
-		fs_dontaudit_manage_cifs_files($1_t)
+		fs_dontaudit_manage_cifs_dirs($2)
+		fs_dontaudit_manage_cifs_files($2)
 	')
 ')
 
 #######################################
 ## <summary>
-##	The template for allowing the user
-##	to execute files in their home directory.
+##	Manage user temporary files
 ## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <rolebase/>
-#
-template(`userdom_exec_home_template',`
-	can_exec($1_t,$1_home_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_exec_nfs_files($1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_exec_cifs_files($1_t)
-	')
-')
-
-#######################################
-## <summary>
-##	The template for polyinstantiating
-##	a user home directory.
-## </summary>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolebase/>
-#
-template(`userdom_poly_home_template',`
-	type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
-	files_poly($1_home_dir_t)
-	files_poly_parent($1_home_dir_t)
-	files_poly_parent($1_home_t)
-	files_poly_member($1_home_t)
-')
-
-#######################################
-## <summary>
-##	The template for full access to the temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	The template for full access to the temporary directories.
-##	This creates a derived type for the user
-##	temporary type.  Execute access is not given.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolebase/>
 #
-template(`userdom_manage_tmp_template',`
+interface(`userdom_manage_tmp_role',`
 	gen_require(`
-		attribute $1_file_type;
+		type user_tmp_t;
 	')
 
-	type $1_tmp_t, $1_file_type;
-	files_tmp_file($1_tmp_t)
+	role $1 types user_tmp_t;
 
-	manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
-')
+	files_poly_member_tmp($2, user_tmp_t)
 
-#######################################
-## <summary>
-##	The template for execute access to the user temporary files.
-## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <rolebase/>
-#
-template(`userdom_exec_tmp_template',`
-	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
+	manage_files_pattern($2, user_tmp_t, user_tmp_t)
+	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
+	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
+	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
 ## <summary>
-##	The template for a polyinstantiated temporary directory.
+##	The execute access user temporary files.
 ## </summary>
-## <param name="userdomain_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolebase/>
 #
-template(`userdom_poly_tmp_template',`
-	files_poly_member_tmp($1_t,tmp_t)
+interface(`userdom_exec_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	exec_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 #######################################
 ## <summary>
-##	The template for creating a tmpfs type
+##	Role access for the user tmpfs type
 ##	that the user has full access.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The template for creating a tmpfs type
+##	Role access for the user tmpfs type
 ##	that the user has full access.
 ##	</p>
 ##	<p>
 ##	This does not allow execute access.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
+## <param name="role">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Role allowed access.
 ##	</summary>
 ## </param>
-## <rolebase/>
-#
-template(`userdom_manage_tmpfs_template',`
-	gen_require(`
-		attribute $1_file_type;
-	')
-
-	type $1_tmpfs_t, $1_file_type;
-	files_tmpfs_file($1_tmpfs_t)
-
-	manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
-	manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
-	manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
-	manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
-	manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
-	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-')
-
-#######################################
-## <summary>
-##	The template for creating a set of types
-##	for untrusted content.
-## </summary>
-## <param name="userdomain_prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolebase/>
+## <rolecap/>
 #
-template(`userdom_untrusted_content_template',`
+interface(`userdom_manage_tmpfs_role',`
 	gen_require(`
-		attribute $1_file_type;
-		attribute untrusted_content_type, untrusted_content_tmp_type;
-		type $1_t;
-	')
-
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabel_file_perms rename };
-
-	tunable_policy(`read_untrusted_content',`
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
-		read_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
-		read_lnk_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
-	',`
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+		type user_tmpfs_t;
 	')
-')
 
-#######################################
-## <summary>
-##	The template allowing the user to execute
-##	generic programs, such as those found in /bin,
-##	/sbin, /usr/bin, and /usr/sbin.
-## </summary>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <rolebase/>
-#
-template(`userdom_exec_generic_pgms_template',`
-	gen_require(`
-		type $1_t;
-	')
+	role $1 types user_tmpfs_t;
 
-	corecmd_exec_bin($1_t)
+	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
+	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+	manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+	manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
@@ -573,7 +423,7 @@ template(`userdom_basic_networking_template',`
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
-		type $1_t, $1_tmpfs_t;
+		type $1_t, user_tmpfs_t;
 	')
 
 	dev_rw_xserver_misc($1_t)
@@ -587,7 +437,7 @@ template(`userdom_xwindows_client_template',`
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
-	xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+	xserver_user_client($1_t, user_tmpfs_t)
 	xserver_xsession_entry_type($1_t)
 	xserver_dontaudit_write_log($1_t)
 	xserver_stream_connect_xdm($1_t)
@@ -613,46 +463,14 @@ template(`userdom_xwindows_client_template',`
 #
 template(`userdom_change_password_template',`
 	gen_require(`
-		type $1_t, $1_devpts_t, $1_tty_device_t;
+		type $1_t;
 		role $1_r;
 	')
 
 	optional_policy(`
-		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-	')
-')
-
-#######################################
-## <summary>
-##	The template for allowing the user to change roles.
-## </summary>
-## <param name="src_role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="tgt_role_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-#
-template(`userdom_role_change_template',`
-	gen_require(`
-		role $1_r, $2_r;
-		type $1_t, $2_t;
-		type $1_devpts_t, $2_devpts_t;
-		type $1_tty_device_t, $2_tty_device_t;
+		usermanage_run_chfn($1_t,$1_r)
+		usermanage_run_passwd($1_t,$1_r)
 	')
-
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 ')
 
 #######################################
@@ -678,12 +496,8 @@ template(`userdom_common_user_template',`
 		attribute unpriv_userdomain;
 	')
 
-	userdom_untrusted_content_template($1)
-
 	userdom_basic_networking_template($1)
 
-	userdom_exec_generic_pgms_template($1)
-
 	optional_policy(`
 		userdom_xwindows_client_template($1)
 	')
@@ -707,6 +521,8 @@ template(`userdom_common_user_template',`
 	# Find CDROM devices:
 	kernel_read_device_sysctls($1_t)
 
+	corecmd_exec_bin($1_t)
+
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_udp_bind_generic_port($1_t)
 
@@ -742,14 +558,14 @@ template(`userdom_common_user_template',`
 	auth_use_nsswitch($1_t)
 	auth_read_login_records($1_t)
 	auth_search_pam_console_data($1_t)
-	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	auth_run_pam($1_t,$1_r)
+	auth_run_utempter($1_t,$1_r)
 
 	init_read_utmp($1_t)
 
 	seutil_read_file_contexts($1_t)
 	seutil_read_default_contexts($1_t)
-	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+	seutil_run_newrole($1_t,$1_r)
 	seutil_exec_checkpolicy($1_t)
 	seutil_exec_setfiles($1_t)
 	# for when the network connection is killed
@@ -787,15 +603,15 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
-		dbus_system_bus_client_template($1,$1_t)
+		dbus_system_bus_client($1_t)
 
 		optional_policy(`
 			bluetooth_dbus_chat($1_t)
 		')
 
 		optional_policy(`
-			evolution_dbus_chat($1,$1_t)
-			evolution_alarm_dbus_chat($1,$1_t)
+			evolution_dbus_chat($1_t)
+			evolution_alarm_dbus_chat($1_t)
 		')
 
 		optional_policy(`
@@ -876,7 +692,7 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+		usernetctl_run($1_t,$1_r)
 	')
 ')
 
@@ -905,15 +721,13 @@ template(`userdom_login_user_template', `
 
 	userdom_base_user_template($1)
 
-	userdom_manage_home_template($1)
-	userdom_poly_home_template($1)
-	userdom_poly_tmp_template($1)
+	userdom_manage_home_role($1_r, $1_t)
 
-	userdom_manage_tmp_template($1)
-	userdom_manage_tmpfs_template($1)
+	userdom_manage_tmp_role($1_r, $1_t)
+	userdom_manage_tmpfs_role($1_r, $1_t)
 
-	userdom_exec_tmp_template($1)
-	userdom_exec_home_template($1)
+	userdom_exec_user_tmp_files($1_t)
+	userdom_exec_user_home_content_files($1_t)
 
 	userdom_change_password_template($1)
 
@@ -1019,7 +833,6 @@ template(`userdom_login_user_template', `
 template(`userdom_restricted_user_template',`
 	gen_require(`
 		attribute unpriv_userdomain;
-		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 	')
 
 	userdom_login_user_template($1)
@@ -1027,27 +840,13 @@ template(`userdom_restricted_user_template',`
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
 
-	typeattribute $1_devpts_t user_ptynode;
-	typeattribute $1_home_dir_t user_home_dir_type;
-	typeattribute $1_home_t user_home_type;
-	typeattribute $1_tmp_t user_tmpfile;
-	typeattribute $1_tty_device_t user_ttynode;
-
 	##############################
 	#
 	# Local policy
 	#
 
-	# privileged home directory writers
-	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
-	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
 	optional_policy(`
-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+		loadkeys_run($1_t,$1_r)
 	')
 ')
 
@@ -1083,7 +882,7 @@ template(`userdom_restricted_xwindows_user_template',`
 	# Local policy
 	#
 
-	authlogin_per_role_template($1, $1_t, $1_r)
+	auth_role($1_r, $1_t)
 	auth_search_pam_console_data($1_t)
 
 	dev_read_sound($1_t)
@@ -1103,8 +902,8 @@ template(`userdom_restricted_xwindows_user_template',`
 	')
 
 	optional_policy(`
-		dbus_per_role_template($1, $1_t, $1_r)
-		dbus_system_bus_client_template($1, $1_t)
+		dbus_role_template($1, $1_r, $1_t)
+		dbus_system_bus_client($1_t)
 
 		optional_policy(`
 			consolekit_dbus_chat($1_t)
@@ -1116,7 +915,7 @@ template(`userdom_restricted_xwindows_user_template',`
 	')
 
 	optional_policy(`
-		java_per_role_template($1, $1_t, $1_r)
+		java_role($1_r, $1_t)
 	')
 
 	optional_policy(`
@@ -1201,17 +1000,17 @@ template(`userdom_unpriv_user_template', `
 	')
 
 	optional_policy(`
-		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+		netutils_run_ping_cond($1_t,$1_r)
+		netutils_run_traceroute_cond($1_t,$1_r)
 	')
 
 	optional_policy(`
-		postgresql_userdom_template($1,$1_t,$1_r)
+		postgresql_role($1_r,$1_t)
 	')
 
 	# Run pppd in pppd_t by default for user
 	optional_policy(`
-		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+		ppp_run_cond($1_t,$1_r)
 	')
 
 	optional_policy(`
@@ -1250,8 +1049,7 @@ template(`userdom_unpriv_user_template', `
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
-		attribute admin_terminal, privhome;
-		class passwd { passwd chfn chsh rootok crontab };
+		class passwd { passwd chfn chsh rootok };
 	')
 
 	##############################
@@ -1263,7 +1061,6 @@ template(`userdom_admin_user_template',`
 	userdom_login_user_template($1)
 	userdom_common_user_template($1)
 
-	typeattribute $1_t privhome;
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
 
@@ -1271,10 +1068,6 @@ template(`userdom_admin_user_template',`
 		domain_system_change_exemption($1_t)
 	')
 
-	typeattribute $1_devpts_t admin_terminal;
-
-	typeattribute $1_tty_device_t admin_terminal;
-
 	##############################
 	#
 	# $1_t local policy
@@ -1289,9 +1082,6 @@ template(`userdom_admin_user_template',`
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
-	# Manipulate other users crontab.
-	allow $1_t self:passwd crontab;
-
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
 	kernel_read_software_raid_state($1_t)
@@ -1371,6 +1161,13 @@ template(`userdom_admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
+	userdom_manage_user_home_content_dirs($1_t)
+	userdom_manage_user_home_content_files($1_t)
+	userdom_manage_user_home_content_symlinks($1_t)
+	userdom_manage_user_home_content_pipes($1_t)
+	userdom_manage_user_home_content_sockets($1_t)
+	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+
 	tunable_policy(`user_rw_noexattrfile',`
 		fs_manage_noxattr_fs_files($1_t)
 		fs_manage_noxattr_fs_dirs($1_t)
@@ -1402,12 +1199,6 @@ template(`userdom_admin_user_template',`
 ##	be called from a per-userdomain template.
 ##	</p>
 ## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -1453,17 +1244,13 @@ template(`userdom_security_admin_template',`
 	logging_read_audit_config($1)
 
 	seutil_manage_bin_policy($1)
-	seutil_run_checkpolicy($1,$2,$3)
-	seutil_run_loadpolicy($1,$2,$3)
-	seutil_run_semanage($1,$2,$3)
-	seutil_run_setfiles($1, $2, $3)
-
-	staff_dontaudit_append_home_content_files($1)
-
-	sysadm_dontaudit_read_home_content_files($1)
+	seutil_run_checkpolicy($1,$2)
+	seutil_run_loadpolicy($1,$2)
+	seutil_run_semanage($1,$2)
+	seutil_run_setfiles($1, $2)
 
 	optional_policy(`
-		aide_run($1,$2, $3)
+		aide_run($1,$2)
 	')
 
 	optional_policy(`
@@ -1475,2523 +1262,186 @@ template(`userdom_security_admin_template',`
 	')
 
 	optional_policy(`	
-		ipsec_run_setkey($1,$2,$3)
+		ipsec_run_setkey($1,$2)
 	')
 
 	optional_policy(`
-		netlabel_run_mgmt($1,$2, $3)
+		netlabel_run_mgmt($1,$2)
 	')
 ')
 
 ########################################
 ## <summary>
-##	Change to the generic user role.
+##	Make the specified type usable in a
+##	user home directory.
 ## </summary>
-## <param name="prefix">
+## <param name="type">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Type to be used as a file in the
+##	user home directory.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_generic_user',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_role_change_template() instead.')
-	unprivuser_role_change_template($1)
+interface(`userdom_user_home_content',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	allow $1 user_home_t:filesystem associate;
+	files_type($1)
+	ubac_constrained($1)
 ')
 
 ########################################
 ## <summary>
-##	Change from the generic user role.
+##	Set the attributes of a user pty.
 ## </summary>
-## <desc>
-##	<p>
-##	Change from the generic user role to
-##	the specified role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_from_generic_user',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_role_change_to_template() instead.')
-	unprivuser_role_change_to_template($1)
+interface(`userdom_setattr_user_ptys',`
+	gen_require(`
+		type user_devpts_t;
+	')
+
+	allow $1 user_devpts_t:chr_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Change to the staff user role.
+##	Create a user pty.
 ## </summary>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_staff',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_role_change_template() instead.')
-	staff_role_change_template($1)
+interface(`userdom_create_user_pty',`
+	gen_require(`
+		type user_devpts_t;
+	')
+
+	term_create_pty($1, user_devpts_t)
 ')
 
 ########################################
 ## <summary>
-##	Change from the staff user role.
+##	Get the attributes of user home directories.
 ## </summary>
-## <desc>
-##	<p>
-##	Change from the staff user role to
-##	the specified role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_from_staff',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_role_change_to_template() instead.')
-	staff_role_change_to_template($1)
+interface(`userdom_getattr_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir getattr_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Change to the sysadm user role.
+##	Do not audit attempts to get the attributes of user home directories.
 ## </summary>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_role_change_template() instead.')
-	sysadm_role_change_template($1)
+interface(`userdom_dontaudit_getattr_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Change from the sysadm user role.
+##	Search user home directories.
 ## </summary>
-## <desc>
-##	<p>
-##	Change from the sysadm user role to
-##	the specified role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_from_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_role_change_to_template() instead.')
-	sysadm_role_change_to_template($1)
+interface(`userdom_search_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Change to the secadm user role.
+##	Search user home directories.
 ## </summary>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_secadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use secadm_role_change_template() instead.')
-	secadm_role_change_template($1)
+interface(`userdom_dontaudit_search_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	dontaudit $1 user_home_dir_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Change from the secadm user role.
+##      List user home directories.
 ## </summary>
-## <desc>
-##	<p>
-##	Change from the secadm user role to
-##	the specified role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="prefix">
+## <param name="domain">
 ##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
+##      Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-template(`userdom_role_change_from_secadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use secadm_role_change_to_template() instead.')
-	secadm_role_change_to_template($1)
-')
+interface(`userdom_list_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
 
-########################################
-## <summary>
-##	Change to the auditadm user role.
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the auditadm role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
-## <rolecap/>
-#
-template(`userdom_role_change_auditadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use auditadm_role_change_template() instead.')
-	auditadm_role_change_template($1)
-')
-
-########################################
-## <summary>
-##	Change from the auditadm user role.
-## </summary>
-## <desc>
-##	<p>
-##	Change from the auditadm user role to
-##	the specified role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the user role (e.g., user
-##	is the prefix for user_r).
-##	</summary>
-## </param>
-## <rolecap/>
-#
-template(`userdom_role_change_from_auditadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use auditadm_role_change_to_template() instead.')
-	auditadm_role_change_to_template($1)
-')
-
-########################################
-## <summary>
-##	Make the specified type usable in a
-##	user home directory.
-## </summary>
-## <desc>
-##	<p>
-##	Make the specified type usable in a
-##	user home directory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="type">
-##	<summary>
-##	Type to be used as a file in the
-##	user home directory.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_content',`
-	gen_require(`
-		attribute $1_file_type;
-	')
-
-	typeattribute $2 $1_file_type;
-	files_type($2)
-')
-
-########################################
-## <summary>
-##	Set the attributes of a user pty.
-## </summary>
-## <desc>
-##	<p>
-##	Set the attributes of a user pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_setattr_user_ptys',`
-	gen_require(`
-		type $1_devpts_t;
-	')
-
-	allow $2 $1_devpts_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Create a user pty.
-## </summary>
-## <desc>
-##	<p>
-##	Create a user pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_create_user_pty',`
-	gen_require(`
-		type $1_devpts_t;
-	')
-
-	term_create_pty($2, $1_devpts_t)
-')
-
-########################################
-## <summary>
-##	Search user home directories.
-## </summary>
-## <desc>
-##	<p>
-##	Search user home directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_search_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##      List user home directories.
-## </summary>
-## <desc>
-##      <p>
-##      List user home directories.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do a domain transition to the specified
-##	domain when executing a program in the
-##	user home directory.
-## </summary>
-## <desc>
-##	<p>
-##	Do a domain transition to the specified
-##	domain when executing a program in the
-##	user home directory.
-##	</p>
-##	<p>
-##	No interprocess communication (signals, pipes,
-##	etc.) is provided by this interface since
-##	the domains are not owned by this module.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="source_domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="target_domain">
-##	<summary>
-##	Domain to transition to.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_domtrans',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	domain_auto_trans($2,$1_home_t,$3)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user home subdirectories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user home subdirectories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_home_dirs',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	dontaudit $2 $1_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete directories
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete directories
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_dirs',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to set the
-##	attributes of user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to set the
-##	attributes of user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_setattr_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file setattr;
-')
-
-########################################
-## <summary>
-##	Read user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:dir list_dir_perms;
-	dontaudit $2 $1_home_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to write user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to write user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_write_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file write;
-')
-
-########################################
-## <summary>
-##	Read user home subdirectory symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user home subdirectory symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_home_content_symlinks',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-## <summary>
-##	Execute user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Execute user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_exec_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to execute user home files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to execute user home files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_exec_user_home_content_files',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:file execute;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete files
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete files
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_files',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	manage_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to create, read, write, and delete directories
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to create, read, write, and delete directories
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_home_content_dirs',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	dontaudit $2 $1_home_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete symbolic links
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete symbolic links
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_symlinks',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named pipes
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete named pipes
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_pipes',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete named sockets
-##	in a user home subdirectory.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_home_content_sockets',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	allow $2 $1_home_dir_t:dir search_dir_perms;
-	manage_sock_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to create.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_dir_filetrans',`
-	gen_require(`
-		type $1_home_dir_t;
-	')
-
-	files_search_home($2)
-	filetrans_pattern($2,$1_home_dir_t,$3,$4)
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	a specified private type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to create.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_content_filetrans',`
-	gen_require(`
-		type $1_home_t;
-	')
-
-	files_search_home($2)
-	filetrans_pattern($2,$1_home_t,$3,$4)
-')
-
-########################################
-## <summary>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	the user home file type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user home directory
-##	with an automatic type transition to
-##	the user home file type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_home_dir_filetrans_user_home_content',`
-	gen_require(`
-		type $1_home_dir_t, $1_home_t;
-	')
-
-	files_search_home($2)
-	filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
-')
-
-########################################
-## <summary>
-##      Write to user temporary named sockets.
-## </summary>
-## <desc>
-##      <p>
-##      Write to user temporary named sockets.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_write_user_tmp_sockets',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:sock_file write;
-')
-
-########################################
-## <summary>
-##	List user temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	List user temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_tmp',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_tmp',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to manage users
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to manage users
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_tmp_dirs',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir list_dir_perms;
-	read_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to append users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to append users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_append_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file append;
-')
-
-########################################
-## <summary>
-##	Read and write user temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write user temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_rw_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir list_dir_perms;
-	rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to manage users
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to manage users
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_manage_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	dontaudit $2 $1_tmp_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user
-##	temporary symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user
-##	temporary symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_symlinks',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	allow $2 $1_tmp_t:dir list_dir_perms;
-	read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary directories.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_dirs',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary files.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_files',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	manage_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_symlinks',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary named pipes.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary named pipes.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_pipes',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete user
-##	temporary named sockets.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete user
-##	temporary named sockets.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_tmp_sockets',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_search_tmp($2)
-	manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-## <summary>
-##	Create objects in a user temporary directory
-##	with an automatic type transition to
-##	a specified private type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in a user temporary directory
-##	with an automatic type transition to
-##	a specified private type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to create.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_user_tmp_filetrans',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	filetrans_pattern($2,$1_tmp_t,$3,$4)
-	files_search_tmp($2)
-')
-
-########################################
-## <summary>
-##	Create objects in the temporary directory
-##	with an automatic type transition to
-##	the user temporary type.
-## </summary>
-## <desc>
-##	<p>
-##	Create objects in the temporary directory
-##	with an automatic type transition to
-##	the user temporary type.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.  If not
-##	specified, file is used.
-##	</summary>
-## </param>
-#
-template(`userdom_tmp_filetrans_user_tmp',`
-	gen_require(`
-		type $1_tmp_t;
-	')
-
-	files_tmp_filetrans($2,$1_tmp_t,$3)
-')
-
-########################################
-## <summary>
-##	Read user tmpfs files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user tmpfs files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_rw_user_tmpfs_files',`
-	gen_require(`
-		type $1_tmpfs_t;
-	')
-
-	fs_search_tmpfs($2)
-	allow $2 $1_tmpfs_t:dir list_dir_perms;
-	rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-')
-
-########################################
-## <summary>
-##	List users untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	List users untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read user
-##	untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete users untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	Create, read, write, and delete users untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_untrusted_content_dirs',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir manage_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir list_dir_perms;
-	read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-## <summary>
-##	Manage user untrusted files.
-## </summary>
-## <desc>
-##      <p>
-##      Create, read, write, and delete untrusted files.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-## <summary>
-##	Manage user untrusted tmp files.
-## </summary>
-## <desc>
-##      <p>
-##      Create, read, write, and delete untrusted tmp files.
-##      </p>
-##      <p>
-##      This is a templated interface, and should only
-##      be called from a per-userdomain template.
-##      </p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##      The prefix of the user domain (e.g., user
-##      is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_manage_user_untrusted_content_tmp_files',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	manage_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user untrusted symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user untrusted symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_untrusted_content_symlinks',`
-	gen_require(`
-		type $1_untrusted_content_t;
-	')
-
-	allow $2 $1_untrusted_content_t:dir list_dir_perms;
-	read_lnk_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-## <summary>
-##	List users temporary untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	List users temporary untrusted directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_list_user_tmp_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list user
-##	temporary untrusted directories.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to list user
-##	temporary directories.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-	read_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read users
-##	temporary untrusted files.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read users
-##	temporary untrusted files.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	dontaudit $2 $1_untrusted_content_tmp_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-##	Read user temporary untrusted symbolic links.
-## </summary>
-## <desc>
-##	<p>
-##	Read user temporary untrusted symbolic links.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_read_user_tmp_untrusted_content_symlinks',`
-	gen_require(`
-		type $1_untrusted_content_tmp_t;
-	')
-
-	allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-	read_lnk_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-## <summary>
-##	Read all user untrusted content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_untrusted_content',`
-	gen_require(`
-		attribute untrusted_content_type;
-	')
-
-	allow $1 untrusted_content_type:dir list_dir_perms;
-	read_files_pattern($1,untrusted_content_type,untrusted_content_type)
-	read_lnk_files_pattern($1,untrusted_content_type,untrusted_content_type)
-')
-
-########################################
-## <summary>
-##	Read all user temporary untrusted content files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_tmp_untrusted_content',`
-	gen_require(`
-		attribute untrusted_content_tmp_type;
-	')
-
-	allow $1 untrusted_content_tmp_type:dir list_dir_perms;
-	read_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
-	read_lnk_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
-')
-
-########################################
-## <summary>
-##	Set the attributes of a user domain tty.
-## </summary>
-## <desc>
-##	<p>
-##	Set the attributes of a user domain tty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_setattr_user_ttys',`
-	gen_require(`
-		type $1_tty_device_t;
-	')
-
-	allow $2 $1_tty_device_t:chr_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write a user domain tty.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write a user domain tty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_use_user_ttys',`
-	gen_require(`
-		type $1_tty_device_t;
-	')
-
-	allow $2 $1_tty_device_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Read and write a user domain tty and pty.
-## </summary>
-## <desc>
-##	<p>
-##	Read and write a user domain tty and pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_use_user_terminals',`
-	gen_require(`
-		type $1_tty_device_t, $1_devpts_t;
-	')
-
-	allow $2 $1_tty_device_t:chr_file rw_term_perms;
-	allow $2 $1_devpts_t:chr_file rw_term_perms;
-	term_list_ptys($2)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to read and write
-##	a user domain tty and pty.
-## </summary>
-## <desc>
-##	<p>
-##	Do not audit attempts to read and write
-##	a user domain tty and pty.
-##	</p>
-##	<p>
-##	This is a templated interface, and should only
-##	be called from a per-userdomain template.
-##	</p>
-## </desc>
-## <param name="userdomain_prefix">
-##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-template(`userdom_dontaudit_use_user_terminals',`
-	gen_require(`
-		type $1_tty_device_t, $1_devpts_t;
-	')
-
-	dontaudit $2 $1_tty_device_t:chr_file rw_term_perms;
-	dontaudit $2 $1_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-##	Execute a shell in all user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_spec_domtrans_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	corecmd_shell_spec_domtrans($1,userdomain)
-	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_file_perms;
-	allow userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute an Xserver session in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_xsession_spec_domtrans_all_users',`
-	gen_require(`
-		attribute userdomain;
-	')
-
-	xserver_xsession_spec_domtrans($1,userdomain)
-	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_file_perms;
-	allow userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute a shell in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute an Xserver session in all unprivileged user domains.  This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	xserver_xsession_spec_domtrans($1,unpriv_userdomain)
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Manage unpriviledged user SysV sempaphores.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_user_semaphores',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:sem create_sem_perms;
-')
-
-########################################
-## <summary>
-##	Manage unpriviledged user SysV shared
-##	memory segments.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_user_shared_mem',`
-	gen_require(`
-		attribute unpriv_userdomain;
-	')
-
-	allow $1 unpriv_userdomain:shm create_shm_perms;
+	allow $1 user_home_dir_t:dir list_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Execute bin_t in the unprivileged user domains. This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
+##	Do not audit attempts to list user home subdirectories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit
 ##	</summary>
 ## </param>
 #
-interface(`userdom_bin_spec_domtrans_unpriv_users',`
+interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
-		attribute unpriv_userdomain;
+		type user_home_dir_t;
 	')
 
-	corecmd_bin_spec_domtrans($1,unpriv_userdomain)
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
+	dontaudit $1 user_home_dir_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute generic sbin programs in all unprivileged user
-##	domains. This is an explicit transition, requiring the
-##	caller to use setexeccon().
+##	Create user home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3999,16 +1449,17 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_sbin_spec_domtrans_unpriv_users',`
-	userdom_bin_spec_domtrans_unpriv_users($1)
-	refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_unpriv_users() instead.')
+interface(`userdom_create_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir create_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute all entrypoint files in unprivileged user
-##	domains. This is an explicit transition, requiring the
-##	caller to use setexeccon().
+##	Create user home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4016,20 +1467,17 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_entry_spec_domtrans_unpriv_users',`
+interface(`userdom_manage_user_home_dirs',`
 	gen_require(`
-		attribute unpriv_userdomain;
+		type user_home_dir_t;
 	')
 
-	domain_entry_file_spec_domtrans($1,unpriv_userdomain)
-	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
-	allow unpriv_userdomain $1:process sigchld;
+	allow $1 user_home_dir_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Execute a shell in the sysadm domain.
+##	Relabel to user home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4037,29 +1485,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_shell_domtrans_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_shell_domtrans() instead.')
-	sysadm_shell_domtrans($1)
-')
+interface(`userdom_relabelto_user_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
 
-########################################
-## <summary>
-##	Execute a generic bin program in the sysadm domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_bin_spec_domtrans_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_bin_spec_domtrans() instead.')
-	sysadm_bin_spec_domtrans($1)
+	allow $1 user_home_dir_t:dir relabelto;
 ')
 
 ########################################
 ## <summary>
-##	Execute a generic sbin program in the sysadm domain.  (Deprecated)
+##	Create directories in the home dir root with
+##	the user home directory type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4067,148 +1504,75 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_sbin_spec_domtrans_sysadm',`
-	refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans() instead.')
-	sysadm_bin_spec_domtrans($1)
-')
+interface(`userdom_home_filetrans_user_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
 
-########################################
-## <summary>
-##	Execute all entrypoint files in the sysadm domain. This
-##	is an explicit transition, requiring the
-##	caller to use setexeccon().
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_entry_spec_domtrans_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans() instead.')
-	sysadm_entry_spec_domtrans($1)
+	files_home_filetrans($1, user_home_dir_t, dir)
 ')
 
 ########################################
 ## <summary>
-##	Allow sysadm to execute a generic bin program in
-##	a specified domain.  This is an explicit transition,
-##	requiring the caller to use setexeccon().  (Deprecated)
+##	Do a domain transition to the specified
+##	domain when executing a program in the
+##	user home directory.
 ## </summary>
 ## <desc>
 ##	<p>
-##	Allow sysadm to execute a generic bin program in
-##	a specified domain.  (Deprecated)
+##	Do a domain transition to the specified
+##	domain when executing a program in the
+##	user home directory.
 ##	</p>
 ##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
 ##	</p>
 ## </desc>
-## <param name="domain">
+## <param name="source_domain">
 ##	<summary>
-##	Domain to execute in.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
-#
-interface(`userdom_sysadm_bin_spec_domtrans_to',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_bin_spec_domtrans_to() instead.')
-	sysadm_bin_spec_domtrans_to($1)
-')
-
-########################################
-## <summary>
-##	Allow sysadm to execute a generic sbin program in
-##	a specified domain.  This is an explicit transition,
-##	requiring the caller to use setexeccon().  (Deprecated)
-## </summary>
-## <desc>
-##	<p>
-##	Allow sysadm to execute a generic sbin program in
-##	a specified domain.  (Deprecated)
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
+## <param name="target_domain">
 ##	<summary>
-##	Domain to execute in.
+##	Domain to transition to.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_sysadm_sbin_spec_domtrans_to',`
-	refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans_to() instead.')
-	sysadm_bin_spec_domtrans_to($1)
-')
+interface(`userdom_user_home_domtrans',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
 
-########################################
-## <summary>
-##	Allow sysadm to execute all entrypoint files
-##	in the specified domain. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-## </summary>
-## <desc>
-##	<p>
-##	Allow sysadm to execute all entrypoint files
-##	in the specified domain. This is an explicit
-##	transition, requiring the caller to use setexeccon().
-##	</p>
-##	<p>
-##	This is a interface to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Domain to execute in.
-##	</summary>
-## </param>
-#
-interface(`userdom_sysadm_entry_spec_domtrans_to',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans() instead.')
-	sysadm_entry_spec_domtrans($1)
+	domain_auto_trans($1, user_home_t, $2)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Search the staff users home directory.
+##	Do not audit attempts to search user home content directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_staff_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_search_home_dirs() instead.')
-	staff_search_home_dirs($1)
-')
+interface(`userdom_dontaudit_search_user_home_content',`
+	gen_require(`
+		type user_home_t;
+	')
 
-########################################
-## <summary>
-##	Do not audit attempts to search the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_search_staff_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_dontaudit_search_home_dirs() instead.')
-	staff_dontaudit_search_home_dirs($1)
+	dontaudit $1 user_home_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete staff
-##	home directories.
+##	Create, read, write, and delete directories
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4216,14 +1580,19 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_staff_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_manage_home_dirs() instead.')
-	staff_manage_home_dirs($1)
+interface(`userdom_manage_user_home_content_dirs',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel to staff home directories.
+##	Do not audit attempts to set the
+##	attributes of user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4231,30 +1600,17 @@ interface(`userdom_manage_staff_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_relabelto_staff_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_relabelto_home_dirs() instead.')
-	staff_relabelto_home_dirs($1)
-')
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
 
-########################################
-## <summary>
-##	Do not audit attempts to append to the staff
-##	users home directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`userdom_dontaudit_append_staff_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_dontaudit_append_home_content_files() instead.')
-	staff_dontaudit_append_home_content_files($1)
+	dontaudit $1 user_home_t:file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read files in the staff users home directory.
+##	Mmap user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4262,30 +1618,18 @@ interface(`userdom_dontaudit_append_staff_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_staff_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use staff_read_home_content_files() instead.')
-	staff_read_home_content_files($1)
-')
+interface(`userdom_mmap_user_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
 
-########################################
-## <summary>
-##	Send a SIGCHLD signal to sysadm users.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_sigchld_sysadm',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_sigchld() instead.')
-	sysadm_sigchld($1)
+	mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attepts to get the attributes
-##	of sysadm ttys.
+##	Read user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4293,29 +1637,37 @@ interface(`userdom_sigchld_sysadm',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_getattr_sysadm_ttys',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_getattr_ttys() instead.')
-	sysadm_dontaudit_getattr_ttys($1)
+interface(`userdom_read_user_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Read and write sysadm ttys.
+##	Do not audit attempts to read user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_sysadm_ttys',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_ttys() instead.')
-	sysadm_use_ttys($1)
+interface(`userdom_dontaudit_read_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:dir list_dir_perms;
+	dontaudit $1 user_home_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use sysadm ttys.
+##	Do not audit attempts to append user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4323,29 +1675,35 @@ interface(`userdom_use_sysadm_ttys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_sysadm_ttys',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_ttys() instead.')
-	sysadm_dontaudit_use_ttys($1)
+interface(`userdom_dontaudit_append_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file append;
 ')
 
 ########################################
 ## <summary>
-##	Read and write sysadm ptys.
+##	Do not audit attempts to write user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_sysadm_ptys',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_ptys() instead.')
-	sysadm_use_ptys($1)
+interface(`userdom_dontaudit_write_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file write;
 ')
 
 ########################################
 ## <summary>
-##	Dont audit attempts to read and write sysadm ptys.
+##	Do not audit attempts to write user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4353,14 +1711,17 @@ interface(`userdom_use_sysadm_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_sysadm_ptys',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_ptys() instead.')
-	sysadm_dontaudit_use_ptys($1)
+interface(`userdom_dontaudit_relabel_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file relabel_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write sysadm ttys and ptys.
+##	Read user home subdirectory symbolic links.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4368,29 +1729,46 @@ interface(`userdom_dontaudit_use_sysadm_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_sysadm_terms',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_terms() instead.')
-	sysadm_use_terms($1)
+interface(`userdom_read_user_home_content_symlinks',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use sysadm ttys and ptys.
+##	Execute user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`userdom_dontaudit_use_sysadm_terms',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_terms() instead.')
-	sysadm_dontaudit_use_terms($1)
+interface(`userdom_exec_user_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_exec_nfs_files($1)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_exec_cifs_files($1)
+	')
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use sysadm file descriptors
+##	Do not audit attempts to execute user home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4398,14 +1776,18 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_sysadm_fds',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_fds() instead.')
-	sysadm_use_fds($1)
+interface(`userdom_dontaudit_exec_user_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file execute;
 ')
 
 ########################################
 ## <summary>
-##	Read and write sysadm user unnamed pipes.
+##	Create, read, write, and delete files
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4413,15 +1795,20 @@ interface(`userdom_use_sysadm_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_rw_sysadm_pipes',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_rw_pipes() instead.')
-	sysadm_rw_pipes($1)
+interface(`userdom_manage_user_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	manage_files_pattern($1, user_home_t, user_home_t)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of the sysadm users
-##	home directory.
+##	Do not audit attempts to create, read, write, and delete directories
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4429,166 +1816,188 @@ interface(`userdom_rw_sysadm_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_getattr_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_getattr_home_dirs() instead.')
-	sysadm_getattr_home_dirs($1)
+interface(`userdom_dontaudit_manage_user_home_content_dirs',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	dontaudit $1 user_home_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the
-##	attributes of the sysadm users
-##	home directory.
+##	Create, read, write, and delete symbolic links
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_getattr_home_dirs() instead.')
-	sysadm_dontaudit_getattr_home_dirs($1)
+interface(`userdom_manage_user_home_content_symlinks',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	manage_lnk_files_pattern($1, user_home_t, user_home_t)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Search the sysadm users home directory.
+##	Create, read, write, and delete named pipes
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_search_home_dirs() instead.')
-	sysadm_search_home_dirs($1)
+interface(`userdom_manage_user_home_content_pipes',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	manage_fifo_files_pattern($1, user_home_t, user_home_t)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search the sysadm
-##	users home directory.
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_search_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_search_home_dirs() instead.')
-	sysadm_dontaudit_search_home_dirs($1)
+interface(`userdom_manage_user_home_content_sockets',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	manage_sock_files_pattern($1, user_home_t, user_home_t)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	List the sysadm users home directory.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-#
-interface(`userdom_list_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_list_home_dirs() instead.')
-	sysadm_list_home_dirs($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to list the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
+## <param name="private_type">
 ##	<summary>
-##	Domain to not audit.
+##	The type of the object to create.
 ##	</summary>
 ## </param>
-#
-interface(`userdom_dontaudit_list_sysadm_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_list_home_dirs() instead.')
-	sysadm_dontaudit_list_home_dirs($1)
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the sysadm
-##	users home directory.
-## </summary>
-## <param name="domain">
+## <param name="object_class">
 ##	<summary>
-##	Domain to not audit.
+##	The class of the object to be created.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_read_sysadm_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_read_home_content_files() instead.')
-	sysadm_dontaudit_read_home_content_files($1)
+interface(`userdom_user_home_dir_filetrans',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	filetrans_pattern($1, user_home_dir_t, $2, $3)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in sysadm home directories
-##	with automatic file type transition.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="private type">
+## <param name="private_type">
 ##	<summary>
-##	The type of the object to be created.
+##	The type of the object to create.
 ##	</summary>
 ## </param>
 ## <param name="object_class">
 ##	<summary>
 ##	The class of the object to be created.
-##	If not specified, file is used.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_sysadm_home_dir_filetrans',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_home_dir_filetrans() instead.')
-	sysadm_home_dir_filetrans($1,$2,$3)
+interface(`userdom_user_home_content_filetrans',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	filetrans_pattern($1, user_home_t, $2, $3)
+	allow $1 user_home_dir_t:dir search_dir_perms;
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Search the sysadm users home sub directories.
+##	Create objects in a user home directory
+##	with an automatic type transition to
+##	the user home file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_sysadm_home_content_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_search_home_content_dirs() instead.')
-	sysadm_search_home_content_dirs($1)
+interface(`userdom_user_home_dir_filetrans_user_home_content',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
+	files_search_home($1)
 ')
 
 ########################################
 ## <summary>
-##	Read files in the sysadm users home directory.
+##      Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_sysadm_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_read_home_content_files() instead.')
-	sysadm_read_home_content_files($1)
+interface(`userdom_write_user_tmp_sockets',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:sock_file write;
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Read sysadm temporary files.
+##	List user temporary directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4596,52 +2005,56 @@ interface(`userdom_read_sysadm_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_sysadm_tmp_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_read_tmp_files() instead.')
-	sysadm_read_tmp_files($1)
+interface(`userdom_list_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:dir list_dir_perms;
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Search all users home directories.
+##	Do not audit attempts to list user
+##	temporary directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_all_users_home_dirs',`
+interface(`userdom_dontaudit_list_user_tmp',`
 	gen_require(`
-		attribute home_dir_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	allow $1 home_dir_type:dir search_dir_perms;
+	dontaudit $1 user_tmp_t:dir list_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	List all users home directories.
+##	Do not audit attempts to manage users
+##	temporary directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_list_all_users_home_dirs',`
+interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 	gen_require(`
-		attribute home_dir_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	allow $1 home_dir_type:dir list_dir_perms;
+	dontaudit $1 user_tmp_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search all users home directories.
+##	Read user temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4649,18 +2062,20 @@ interface(`userdom_list_all_users_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_all_users_home_content',`
+interface(`userdom_read_user_tmp_files',`
 	gen_require(`
-		attribute home_dir_type, home_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	allow $1 { home_dir_type home_type }:dir search_dir_perms;
+	read_files_pattern($1, user_tmp_t, user_tmp_t)
+	allow $1 user_tmp_t:dir list_dir_perms;
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search all users home directories.
+##	Do not audit attempts to read users
+##	temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4668,38 +2083,36 @@ interface(`userdom_search_all_users_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_search_all_users_home_content',`
+interface(`userdom_dontaudit_read_user_tmp_files',`
 	gen_require(`
-		attribute home_dir_type, home_type;
+		type user_tmp_t;
 	')
 
-	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+	dontaudit $1 user_tmp_t:file read_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read all files in all users home directories.
+##	Do not audit attempts to append users
+##	temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_all_users_home_content_files',`
+interface(`userdom_dontaudit_append_user_tmp_files',`
 	gen_require(`
-		attribute home_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	allow $1 home_type:dir list_dir_perms;
-	read_files_pattern($1,home_type,home_type)
+	dontaudit $1 user_tmp_t:file append;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all directories
-##	in all users home directories.
+##	Read and write user temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4707,39 +2120,38 @@ interface(`userdom_read_all_users_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_all_users_home_content_dirs',`
+interface(`userdom_rw_user_tmp_files',`
 	gen_require(`
-		attribute home_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	allow $1 home_type:dir manage_dir_perms;
+	allow $1 user_tmp_t:dir list_dir_perms;
+	rw_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all files
-##	in all users home directories.
+##	Do not audit attempts to manage users
+##	temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_all_users_home_content_files',`
+interface(`userdom_dontaudit_manage_user_tmp_files',`
 	gen_require(`
-		attribute home_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	manage_files_pattern($1,home_type,home_type)
+	dontaudit $1 user_tmp_t:file manage_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete all symlinks
-##	in all users home directories.
+##	Read user temporary symbolic links.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4747,47 +2159,40 @@ interface(`userdom_manage_all_users_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_all_users_home_content_symlinks',`
+interface(`userdom_read_user_tmp_symlinks',`
 	gen_require(`
-		attribute home_type;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	manage_lnk_files_pattern($1,home_type,home_type)
+	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+	allow $1 user_tmp_t:dir list_dir_perms;
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Make the specified domain a privileged
-##	home directory manager.
+##	Create, read, write, and delete user
+##	temporary directories.
 ## </summary>
-## <desc>
-##	<p>
-##	Make the specified domain a privileged
-##	home directory manager.  This domain will be
-##	able to manage the contents of all users
-##	general home directory content, and create
-##	files with the correct context.
-##	</p>
-## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_priveleged_home_dir_manager',`
+interface(`userdom_manage_user_tmp_dirs',`
 	gen_require(`
-		attribute privhome;
+		type user_tmp_t;
 	')
 
-	files_list_home($1)
-	typeattribute $1 privhome;
+	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Send general signals to unprivileged user domains.
+##	Create, read, write, and delete user
+##	temporary files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4795,17 +2200,19 @@ interface(`userdom_priveleged_home_dir_manager',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_signal_unpriv_users',`
+interface(`userdom_manage_user_tmp_files',`
 	gen_require(`
-		attribute unpriv_userdomain;
+		type user_tmp_t;
 	')
 
-	allow $1 unpriv_userdomain:process signal;
+	manage_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Inherit the file descriptors from unprivileged user domains.
+##	Create, read, write, and delete user
+##	temporary symbolic links.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4813,18 +2220,19 @@ interface(`userdom_signal_unpriv_users',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_unpriv_users_fds',`
+interface(`userdom_manage_user_tmp_symlinks',`
 	gen_require(`
-		attribute unpriv_userdomain;
+		type user_tmp_t;
 	')
 
-	allow $1 unpriv_userdomain:fd use;
+	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to inherit the
-##	file descriptors from all user domains.
+##	Create, read, write, and delete user
+##	temporary named pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4832,18 +2240,19 @@ interface(`userdom_use_unpriv_users_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_unpriv_user_fds',`
+interface(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
-		attribute unpriv_userdomain;
+		type user_tmp_t;
 	')
 
-	dontaudit $1 unpriv_userdomain:fd use;
+	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Create generic user home directories
-##	with automatic file type transition.
+##	Create, read, write, and delete user
+##	temporary named sockets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4851,30 +2260,51 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_home_filetrans_generic_user_home_dir',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_filetrans_home_dir() instead.')
-	unprivuser_home_filetrans_home_dir($1)
+interface(`userdom_manage_user_tmp_sockets',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Search generic user home directories.
+##	Create objects in a user temporary directory
+##	with an automatic type transition to
+##	a specified private type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
 #
-interface(`userdom_search_generic_user_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_search_home_dirs() instead.')
-	unprivuser_search_home_dirs($1)
+interface(`userdom_user_tmp_filetrans',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	filetrans_pattern($1, user_tmp_t, $2, $3)
+	files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-##	Create objects in generic user home directories
-##	with automatic file type transition.
+##	Create objects in the temporary directory
+##	with an automatic type transition to
+##	the user temporary type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4884,18 +2314,20 @@ interface(`userdom_search_generic_user_home_dirs',`
 ## <param name="object_class">
 ##	<summary>
 ##	The class of the object to be created.
-##	If not specified, file is used.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_dir_filetrans_home_content() instead.')
-	unprivuser_home_dir_filetrans_home_content($1, $2)
+interface(`userdom_tmp_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	files_tmp_filetrans($1, user_tmp_t, $2)
 ')
 
 ########################################
 ## <summary>
-##	Don't audit search on the user home subdirectory.
+##	Read user tmpfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4903,15 +2335,20 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_search_generic_user_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_dontaudit_search_home_dirs() instead.')
-	unprivuser_dontaudit_search_home_dirs($1)
+interface(`userdom_rw_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	allow $1 user_tmpfs_t:dir list_dir_perms;
+	fs_search_tmpfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete generic user
-##	home directories.
+##	Get the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4919,16 +2356,17 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_dirs() instead.')
-	unprivuser_manage_home_dirs($1)
+interface(`userdom_getattr_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	subdirectories of generic user
-##	home directories.
+##	Do not audit attempts to get the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4936,14 +2374,17 @@ interface(`userdom_manage_generic_user_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_content_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_dirs() instead.')
-	unprivuser_manage_home_content_dirs($1)
+interface(`userdom_dontaudit_getattr_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	dontaudit $1 user_tty_device_t:chr_file getattr;
 ')
 
 ########################################
 ## <summary>
-##	Relabel to generic user home directories.
+##	Set the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4951,14 +2392,17 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_relabelto_generic_user_home_dirs',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_relabelto_home_dirs() instead.')
-	unprivuser_relabelto_home_dirs($1)
+interface(`userdom_setattr_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Read files in generic user home directories.
+##	Do not audit attempts to set the attributes of a user domain tty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4966,15 +2410,17 @@ interface(`userdom_relabelto_generic_user_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_generic_user_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_read_home_content_files() instead.')
-	unprivuser_read_home_content_files($1)
+interface(`userdom_dontaudit_setattr_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	dontaudit $1 user_tty_device_t:chr_file setattr;
 ')
 
 ########################################
 ## <summary>
-##	Mmap of generic user
-##	home files.
+##	Read and write a user domain tty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4982,15 +2428,17 @@ interface(`userdom_read_generic_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_mmap_generic_user_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_mmap_home_content_files() instead.')
-	unprivuser_mmap_home_content_files($1)
+interface(`userdom_use_user_ttys',`
+	gen_require(`
+		type user_tty_device_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_term_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files
-##	in generic user home directories.
+##	Read and write a user domain pty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4998,15 +2446,17 @@ interface(`userdom_mmap_generic_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_files() instead.')
-	unprivuser_manage_home_content_files($1)
+interface(`userdom_use_user_ptys',`
+	gen_require(`
+		type user_devpts_t;
+	')
+
+	allow $1 user_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to relabel generic user
-##	home files.
+##	Read and write a user domain tty and pty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5014,15 +2464,20 @@ interface(`userdom_manage_generic_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_dontaudit_relabel_home_content_files() instead.')
-	unprivuser_dontaudit_relabel_home_content_files($1)
+interface(`userdom_use_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_term_perms;
+	allow $1 user_devpts_t:chr_file rw_term_perms;
+	term_list_ptys($1)
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete symbolic
-##	links in generic user home directories.
+##	Do not audit attempts to read and write
+##	a user domain tty and pty.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5030,15 +2485,20 @@ interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_content_symlinks',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_symlinks() instead.')
-	unprivuser_manage_home_content_symlinks($1)
+interface(`userdom_dontaudit_use_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete named
-##	pipes in generic user home directories.
+##	Execute a shell in all user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5046,15 +2506,22 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_content_pipes',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_pipes() instead.')
-	unprivuser_manage_home_content_pipes($1)
+interface(`userdom_spec_domtrans_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	corecmd_shell_spec_domtrans($1,userdomain)
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete named
-##	sockets in generic user home directories.
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5062,14 +2529,22 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_generic_user_home_content_sockets',`
-	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_sockets() instead.')
-	unprivuser_manage_home_content_sockets($1)
+interface(`userdom_xsession_spec_domtrans_all_users',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	xserver_xsession_spec_domtrans($1,userdomain)
+	allow userdomain $1:fd use;
+	allow userdomain $1:fifo_file rw_file_perms;
+	allow userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Search all unprivileged users home directories.
+##	Execute a shell in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5077,19 +2552,22 @@ interface(`userdom_manage_generic_user_home_content_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_search_unpriv_users_home_dirs',`
+interface(`userdom_spec_domtrans_unpriv_users',`
 	gen_require(`
-		attribute user_home_dir_type;
+		attribute unpriv_userdomain;
 	')
 
-	files_search_home($1)
-	allow $1 user_home_dir_type:dir search_dir_perms;
+	corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Read all unprivileged users home directory
-##	files.
+##	Execute an Xserver session in all unprivileged user domains.  This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5097,21 +2575,20 @@ interface(`userdom_search_unpriv_users_home_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_unpriv_users_home_content_files',`
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 	gen_require(`
-		attribute user_home_dir_type, user_home_type;
+		attribute unpriv_userdomain;
 	')
 
-	files_search_home($1)
-	allow $1 user_home_type:dir list_dir_perms;
-	read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
-	read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+	xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete directories in
-##	unprivileged users home directories.
+##	Manage unpriviledged user SysV sempaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5119,19 +2596,18 @@ interface(`userdom_read_unpriv_users_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_unpriv_users_home_content_dirs',`
+interface(`userdom_manage_unpriv_user_semaphores',`
 	gen_require(`
-		attribute user_home_dir_type, user_home_type;
+		attribute unpriv_userdomain;
 	')
 
-	files_search_home($1)
-	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+	allow $1 unpriv_userdomain:sem create_sem_perms;
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete files in
-##	unprivileged users home directories.
+##	Manage unpriviledged user SysV shared
+##	memory segments.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5139,18 +2615,19 @@ interface(`userdom_manage_unpriv_users_home_content_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_manage_unpriv_users_home_content_files',`
+interface(`userdom_manage_unpriv_user_shared_mem',`
 	gen_require(`
-		attribute user_home_dir_type, user_home_type;
+		attribute unpriv_userdomain;
 	')
 
-	files_search_home($1)
-	manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+	allow $1 unpriv_userdomain:shm create_shm_perms;
 ')
 
 ########################################
 ## <summary>
-##	Set the attributes of user ptys.
+##	Execute bin_t in the unprivileged user domains. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5158,17 +2635,22 @@ interface(`userdom_manage_unpriv_users_home_content_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_setattr_unpriv_users_ptys',`
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
 	gen_require(`
-		attribute user_ptynode;
+		attribute unpriv_userdomain;
 	')
 
-	allow $1 user_ptynode:chr_file setattr;
+	corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Read and write unprivileged user ptys.
+##	Execute all entrypoint files in unprivileged user
+##	domains. This is an explicit transition, requiring the
+##	caller to use setexeccon().
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5176,37 +2658,39 @@ interface(`userdom_setattr_unpriv_users_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_unpriv_users_ptys',`
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
 	gen_require(`
-		attribute user_ptynode;
+		attribute unpriv_userdomain;
 	')
 
-	term_search_ptys($1)
-	allow $1 user_ptynode:chr_file rw_file_perms;
+	domain_entry_file_spec_domtrans($1,unpriv_userdomain)
+	allow unpriv_userdomain $1:fd use;
+	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+	allow unpriv_userdomain $1:process sigchld;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use unprivileged
-##	user ptys.
+##	Search users home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_unpriv_users_ptys',`
+interface(`userdom_search_user_home_content',`
 	gen_require(`
-		attribute user_ptynode;
+		type user_home_dir_t, user_home_t;
 	')
 
-	dontaudit $1 user_ptynode:chr_file rw_file_perms;
+	files_list_home($1)
+	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Relabel files to unprivileged user pty types.
+##	Send general signals to unprivileged user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5214,18 +2698,17 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_relabelto_unpriv_users_ptys',`
+interface(`userdom_signal_unpriv_users',`
 	gen_require(`
-		attribute user_ptynode;
+		attribute unpriv_userdomain;
 	')
 
-	allow $1 user_ptynode:chr_file relabelto;
+	allow $1 unpriv_userdomain:process signal;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to relabel files from
-##	unprivileged user pty types.
+##	Inherit the file descriptors from unprivileged user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5233,17 +2716,18 @@ interface(`userdom_relabelto_unpriv_users_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
+interface(`userdom_use_unpriv_users_fds',`
 	gen_require(`
-		attribute user_ptynode;
+		attribute unpriv_userdomain;
 	')
 
-	dontaudit $1 user_ptynode:chr_file relabelfrom;
+	allow $1 unpriv_userdomain:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Read all unprivileged users temporary directories.
+##	Do not audit attempts to inherit the
+##	file descriptors from all user domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5251,35 +2735,35 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_list_unpriv_users_tmp',`
+interface(`userdom_dontaudit_use_unpriv_user_fds',`
 	gen_require(`
-		attribute user_tmpfile;
+		attribute unpriv_userdomain;
 	')
 
-	allow $1 user_tmpfile:dir list_dir_perms;
+	dontaudit $1 unpriv_userdomain:fd use;
 ')
 
 ########################################
 ## <summary>
-##	Read all unprivileged users temporary files.
+##	Do not audit attempts to use user ptys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_unpriv_users_tmp_files',`
+interface(`userdom_dontaudit_use_user_ptys',`
 	gen_require(`
-		attribute user_tmpfile;
+		type user_devpts_t;
 	')
 
-	allow $1 user_tmpfile:file read_file_perms;
+	dontaudit $1 user_devpts_t:chr_file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read all unprivileged users temporary symbolic links.
+##	Relabel files to unprivileged user pty types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5287,17 +2771,18 @@ interface(`userdom_read_unpriv_users_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_unpriv_users_tmp_symlinks',`
+interface(`userdom_relabelto_user_ptys',`
 	gen_require(`
-		attribute user_tmpfile;
+		type user_devpts_t;
 	')
 
-	allow $1 user_tmpfile:lnk_file { getattr read };
+	allow $1 user_devpts_t:chr_file relabelto;
 ')
 
 ########################################
 ## <summary>
-##	Write all unprivileged users files in /tmp
+##	Do not audit attempts to relabel files from
+##	user pty types.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5305,17 +2790,17 @@ interface(`userdom_read_unpriv_users_tmp_symlinks',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_write_unpriv_users_tmp_files',`
+interface(`userdom_dontaudit_relabelfrom_user_ptys',`
 	gen_require(`
-		attribute user_tmpfile;
+		type user_devpts_t;
 	')
 
-	allow $1 user_tmpfile:file write_file_perms;
+	dontaudit $1 user_devpts_t:chr_file relabelfrom;
 ')
 
 ########################################
 ## <summary>
-##	Read and write unprivileged user ttys.
+##	Write all users files in /tmp
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5323,18 +2808,17 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_use_unpriv_users_ttys',`
+interface(`userdom_write_user_tmp_files',`
 	gen_require(`
-		attribute user_ttynode;
+		type user_tmp_t;
 	')
 
-	allow $1 user_ttynode:chr_file rw_term_perms;
+	allow $1 user_tmp_t:file write_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use unprivileged
-##	user ttys.
+##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5342,12 +2826,12 @@ interface(`userdom_use_unpriv_users_ttys',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+interface(`userdom_dontaudit_use_user_ttys',`
 	gen_require(`
-		attribute user_ttynode;
+		type user_tty_device_t;
 	')
 
-	dontaudit $1 user_ttynode:chr_file rw_file_perms;
+	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -5496,17 +2980,3 @@ interface(`userdom_dbus_send_all_users',`
 
 	allow $1 userdomain:dbus send_msg;
 ')
-
-########################################
-## <summary>
-##	Unconfined access to user domains.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`userdom_unconfined',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f53a5de..201c359 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 3.2.0)
+policy_module(userdomain, 4.0.0)
 
 ########################################
 #
@@ -49,33 +49,6 @@ gen_tunable(user_rw_noexattrfile,false)
 ## </desc>
 gen_tunable(user_ttyfile_stat,false)
 
-# admin users terminals (tty and pty)
-attribute admin_terminal;
-
-# users home directory
-attribute home_dir_type;
-
-# users home directory contents
-attribute home_type;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# all unprivileged users home directories
-attribute user_home_dir_type;
-attribute user_home_type;
-
-# all unprivileged users ptys
-attribute user_ptynode;
-
-# all unprivileged users tmp files
-attribute user_tmpfile;
-
-# all unprivileged users ttys
-attribute user_ttynode;
-
 # all user domains
 attribute userdomain;
 
@@ -84,3 +57,41 @@ attribute unpriv_userdomain;
 
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
+
+type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+fs_associate_tmpfs(user_home_dir_t)
+files_type(user_home_dir_t)
+files_mountpoint(user_home_dir_t)
+files_associate_tmp(user_home_dir_t)
+files_poly(user_home_dir_t)
+files_poly_member(user_home_dir_t)
+files_poly_parent(user_home_dir_t)
+ubac_constrained(user_home_dir_t)
+
+type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+userdom_user_home_content(user_home_t)
+fs_associate_tmpfs(user_home_t)
+files_associate_tmp(user_home_t)
+files_poly_member(user_home_t)
+files_poly_parent(user_home_t)
+files_mountpoint(user_home_t)
+ubac_constrained(user_home_t)
+
+type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+dev_node(user_devpts_t)
+files_type(user_devpts_t)
+ubac_constrained(user_devpts_t)
+
+type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+files_tmp_file(user_tmp_t)
+userdom_user_home_content(user_tmp_t)
+
+type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+files_tmpfs_file(user_tmpfs_t)
+userdom_user_home_content(user_tmpfs_t)
+
+type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+dev_node(user_tty_device_t)
+ubac_constrained(user_tty_device_t)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 9e95995..80caa8b 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen, 1.7.0)
+policy_module(xen, 1.7.1)
 
 ########################################
 #
@@ -201,12 +201,12 @@ sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 sysnet_rw_dhcp_config(xend_t)
 
+userdom_dontaudit_search_user_home_dirs(xend_t)
+
 xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)
 
-sysadm_dontaudit_search_home_dirs(xend_t)
-
 optional_policy(`
 	consoletype_exec(xend_t)
 ')
diff --git a/policy/rolemap b/policy/rolemap
index 729ed88..c1de37e 100644
--- a/policy/rolemap
+++ b/policy/rolemap
@@ -1,6 +1,6 @@
 #
 # This file contains the mappings
-# used for per-userdomain template
+# used for per-role template
 # infrastructure.  Each line describes
 # the prefix and user domain type
 # corresponding to each role.
@@ -8,11 +8,6 @@
 # syntax: role prefix user_domain
 #
 
-user_r user user_t
-staff_r staff staff_t
-sysadm_r sysadm sysadm_t
-
-ifdef(`enable_mls',`
-	secadm_r secadm secadm_t
-	auditadm_r auditadm auditadm_t
-')
+# This support has been deprecated and
+# will be removed in the future.  Note:  No
+# per-role templates exist in refpolicy.
diff --git a/support/Makefile.devel b/support/Makefile.devel
index a944df0..87be614 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -62,6 +62,10 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+ifeq "$(UBAC)" "y"
+	M4PARAM += -D enable_ubac
+endif
+
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
 MLS_CATS ?= 256