diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 7d78871..1752cdd 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -33,6 +33,9 @@ domain_type(system_mail_t)
 domain_entry_file(system_mail_t,sendmail_exec_t)
 role system_r types system_mail_t;
 
+type system_mail_tmp_t;
+files_tmp_file(system_mail_tmp_t)
+
 # cjp: need to resolve this, but require{}
 # does not work in the else part of the optional
 #ifdef(`targeted_policy',`',`
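Review bot: The new `system_mail_tmp_t` declaration has no comment saying which program creates these files or why system_mail_t needs a private temporary type, and the matching rules in the second mta.te hunk are equally unexplained. A one-line comment above the declaration, for example `# Temporary files created by the system mail program`, would let a later reader judge whether the access is still required. Adjust the wording to the actual trigger (a denial seen in testing, a specific MTA), which the diff does not show.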
@@ -57,6 +60,10 @@ allow system_mail_t etc_mail_t:file r_file_perms;
 can_exec(system_mail_t, sendmail_exec_t)
 allow system_mail_t sendmail_exec_t:lnk_file r_file_perms;
 
+allow system_mail_t system_mail_tmp_t:dir create_dir_perms;
+allow system_mail_t system_mail_tmp_t:file create_file_perms;
+files_create_tmp_files(system_mail_t, system_mail_tmp_t, { file dir })
+
 kernel_read_kernel_sysctl(system_mail_t)
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
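Review bot: The `:dir create_dir_perms` rule and the `{ file dir }` argument let system_mail_t create directories as well as regular files of type system_mail_tmp_t, but nothing in the hunk shows that the mailer creates temporary directories. If only regular files are needed, least privilege suggests dropping the `dir` rule and narrowing the transition to `files_create_tmp_files(system_mail_t, system_mail_tmp_t, file)`. This matters because system_mail_t is presumably entered by many callers that send mail, so any extra permission is shared by all of them. The surrounding rule list continues outside the hunk.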
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 4b4f98d..f8eac9d 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -31,6 +31,9 @@ files_type(sshd_key_t)
 ifdef(`targeted_policy',`
 	unconfined_alias_domain(sshd_t)
 	init_system_domain(sshd_t,sshd_exec_t)
+
+	type sshd_var_run_t;
+	files_type(sshd_var_run_t)
 ',`
 	# Type for the ssh-agent executable.
 	type ssh_agent_exec_t;
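Review bot: `sshd_var_run_t` is declared with `files_type`, which marks it as a generic file type rather than a pid file. If this tree provides `files_pid_file`, then `files_pid_file(sshd_var_run_t)` would be the more precise declaration, so that interfaces operating on all pid files also cover it. The else branch of the `ifdef` runs past the end of the hunk, so how the strict policy declares the same type is not visible; the two branches should agree on its attributes. A short comment stating why the type must exist in the targeted branch (presumably so the file-context entries still resolve) would also help.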