diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
index be9b34d..101441e 100644
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@@ -1,9 +1,5 @@
 #
-# Define m4 macros for the constraints
-#
-
-#
 # Define the constraints
 #
 # constrain class_set perm_set expression ;
@@ -33,29 +29,20 @@
 # SELinux process identity change constraint:
 #
 constrain process transition
- ( u1 == u2 or
+ ( u1 == u2
 ifdef(`targeted_policy',`
- t1 == can_change_process_identity
+ or t1 == can_change_process_identity
 ',`
- ( t1 == can_change_process_identity and t2 == userdomain )
- ifdef(`crond.te',`
- or (
- t1 == crond_t
- and (
- t2 == user_crond_domain
- or u2 == system_u
- )
- )
- ')
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == cron_source_domain
+ and ( t2 == cron_job_domain or u2 == system_u )
+ )
+
+ or (t1 == process_uncond_exempt)
- ifdef(`TODO',`
- or (t1 == priv_system_role and u2 == system_u )
- ') dnl end TODO
+ or (t1 == can_system_change and u2 == system_u )
 ')
 );
@@ -63,19 +50,16 @@ ifdef(`targeted_policy',`
 # SELinux process role change constraint:
 #
 constrain process transition
- ( r1 == r2 or
+ ( r1 == r2
+
 ifdef(`targeted_policy',`
- t1 == can_change_process_role
+ or t1 == can_change_process_role
 ',`
- ( t1 == can_change_process_role and t2 == userdomain )
+ or ( t1 == can_change_process_role and t2 == process_user_target )
- ifdef(`crond.te',`
- or (t1 == crond_t and t2 == user_crond_domain)
- ')
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
- ifdef(`userhelper.te',`
- or (t1 == userhelperdomain)
- ')
+ or ( t1 == process_uncond_exempt )
 ifdef(`postfix.te',`
 ifdef(`direct_sysadm_daemon',`
@@ -87,9 +71,7 @@ ifdef(`targeted_policy',`
 ')
 ')
- ifdef(`TODO',`
- or (t1 == priv_system_role and r2 == system_r )
- ') dnl end TODO
+ or (t1 == can_system_change and r2 == system_r )
 ')
 );
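Review bot: The clause `+ or (t1 == can_system_change and u2 == system_u )` in the identity constraint (and `+ or (t1 == can_system_change and r2 == system_r )` in the role hunk at -87) replaces a clause that was disabled under `ifdef(`TODO',`, so that exemption is now live, yet no interface in this diff assigns `can_system_change` or `process_uncond_exempt` to any type; the domain.if additions only cover `process_user_target`, `cron_source_domain` and `cron_job_domain`. Until such interfaces exist these branches are vacuous, and when they are added they widen the exemption without any change here, so the constraints file should record what populates each attribute, e.g. `# process_user_target: domain_user_exemption_target()`, `# cron_source_domain: domain_cron_exemption_source()`, `# cron_job_domain: domain_cron_exemption_target()`. Note also that the cron branch of the identity constraint lets any `cron_source_domain` type reach `u2 == system_u` regardless of the target domain, matching the former `crond_t` clause; that was a single type and is now an attribute any module can join, which deserves a comment next to the branch.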
@@ -97,7 +79,7 @@ ifdef(`targeted_policy',`
 # SELinux dynamic transition constraint:
 #
 constrain process dyntransition
- ( u1 == u2 and r1 == r2);
+ ( u1 == u2 and r1 == r2 );
 #
 # SElinux object identity change constraint:
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e418325..44fd2c1 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -33,8 +33,9 @@ template(`cron_per_userdomain_template',`
 type $1_cron_spool_t, cron_spool_type;
 files_type($1_cron_spool_t)
- type $1_crond_t; # user_crond_domain;
- domain_type($1_crond_t);
+ type $1_crond_t;
+ domain_type($1_crond_t)
+ domain_cron_exemption_target($1_crond_t)
 corecmd_shell_entry_type($1_crond_t)
 role $3 types $1_crond_t;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f93be50..d18945d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -17,6 +17,7 @@ type crond_t; #, privmail
 type crond_exec_t;
 init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
+domain_cron_exemption_source(crond_t)
 type crond_log_t;
 logging_log_file(crond_log_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 4489fdc..b18be62 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -389,6 +389,7 @@ template(`ssh_per_userdomain_template',`
 #
 template(`ssh_server_template', `
 type $1_t, ssh_server;
+ domain_type($1_t)
 role system_r types $1_t;
 type $1_devpts_t;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 7aab5d0..45bb6e8 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -4,8 +4,22 @@
 ##
 ########################################
-#
-# domain_base_domain_type(domain)
+##
+## Make the specified type usable as a basic domain.
+##
+##
+##

+## Make the specified type usable as a basic domain.
+##

+##

+## This is primarily used for kernel threads;
+## generally the domain_type() interface is
+## more appropriate for userland processes.
+##

+##
+##
+## Type to be used as a basic domain type.
+##
 #
 interface(`domain_base_type',`
 gen_require(`
@@ -26,19 +40,15 @@ interface(`domain_base_type',`
 # allow $1 to create child processes in this domain
 allow $1 self:process { fork sigchld };
-
- # Files with domain types are currently only proc files
- # self is excepted since domains and files can have
- # the same type in SEFramework
- # cjp: perhaps this should be a conditional exception,
- # so it is excepted only on SEFramework policies
- neverallow $1 { domain -$1 }:dir ~r_dir_perms;
- neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
 ')
 ########################################
-#
-# domain_type(domain)
+##
+## Make the specified type usable as a domain.
+##
+##
+## Type to be used as a domain type.
+##
 #
 interface(`domain_type',`
 # start with basic domain
@@ -69,8 +79,17 @@ interface(`domain_type',`
 ')
 ########################################
-#
-# domain_entry_file(domain,entrypointfile)
+##
+## Make the specified type usable as
+## an entry point for the domain.
+##
+##
+## Domain to be entered.
+##
+##
+## Type of program used for entering
+## the domain.
+##
 #
 interface(`domain_entry_file',`
 gen_require(`
@@ -79,7 +98,10 @@ interface(`domain_entry_file',`
 ')
 files_type($2)
+ allow $1 $2:file entrypoint;
+ allow $1 $2:file rx_file_perms;
+
 typeattribute $2 entry_type;
 ')
@@ -159,6 +181,105 @@ interface(`domain_obj_id_change_exempt',`
 ')
 ########################################
+##
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+##
+##
+##
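Review bot: After the hunk at -26, `domain_base_type` no longer asserts `neverallow $1 { domain -$1 }:dir ~r_dir_perms;` and `neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;`, and nothing elsewhere in the diff takes over that check, so a policy module can now grant one domain write access to another domain's type (proc files, per the deleted comment) without the build rejecting it. If the removal is deliberate because of the SEFramework case that comment described, the interface should keep a one-line record of it, e.g. `# no neverallow on other domains' types: SEFramework lets a domain and its files share a type`, so the weakening stays visible; otherwise consider restoring the rule under the conditional the old comment suggested. The interface body starts outside the hunk.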

+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+##

+##

+## This interface is needed to decouple
+## the user domains from the base module.
+## It should not be used other than on
+## user domains.
+##

+##
+##
+## Domain target for user exemption.
+##
+#
+interface(`domain_user_exemption_target',`
+ gen_require(`
+ attribute process_user_target;
+ ')
+
+ typeattribute $1 process_user_target;
+')
+
+########################################
+##
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+##
+##
+##

+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+##

+##

+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## cron domains.
+##

+##
+##
+## Domain target for user exemption.
+##
+#
+interface(`domain_cron_exemption_source',`
+ gen_require(`
+ attribute cron_source_domain;
+ ')
+
+ typeattribute $1 cron_source_domain;
+')
+
+########################################
+##
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+##
+##
+##

+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+##

+##

+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## user cron jobs.
+##

+##
+##
+## Domain target for user exemption.
+##
+#
+interface(`domain_cron_exemption_target',`
+ gen_require(`
+ attribute cron_job_domain;
+ ')
+
+ typeattribute $1 cron_job_domain;
+')
+
+########################################
 #
 # domain_use_wide_inherit_fd(domain)
 #
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index 2878652..efd8a4b 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
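Review bot: The parameter descriptions of `domain_cron_exemption_source` and `domain_cron_exemption_target` both read `Domain target for user exemption.`, copied from `domain_user_exemption_target`, so the generated interface documentation will mislabel the cron daemon and cron job arguments. Suggested text: `Domain to be used as the cron daemon (source of the cron exemption).` for the source interface and `Domain to be used for user cron jobs (target of the cron exemption).` for the target interface. Since the constraints in this diff let a `cron_source_domain` type change identity to system_u for any target domain, the source interface's description should state that consequence next to its existing "should not be used other than on cron domains" caveat, so module authors see what they are granting.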
@@ -9,30 +9,58 @@ policy_module(domain,1.0)
 # Mark process types as domains
 attribute domain;
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
 # entrypoint executables
 attribute entry_type;
 # widely-inheritable file descriptors
 attribute privfd;
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
+#
 # constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
 attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
 attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
 attribute can_change_object_identity;
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
-# enabling setcurrent breaks process tranquility. If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt; # add userhelperdomain to this one
 # TODO:
 # cjp: also need to except correctly for SEFramework
-#neverallow { domain unlabeled_t } file_type:process *;
-#neverallow ~{ domain unlabeled_t } *:process *;
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3fa926c..375092f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -29,6 +29,7 @@ template(`base_user_template',`
 type $1_t, userdomain;
 domain_type($1_t)
 corecmd_shell_entry_type($1_t)
+ domain_user_exemption_target($1_t)
 role $1_r types $1_t;
 allow system_r $1_r;
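Review bot: Two attributes in the domain.te hunk are labelled `[3]` (`can_change_object_identity` and `can_system_change`), which makes the `attribute 1`/`attribute 2` cross-references in the `[4]` comment ambiguous as the list grows; renumber `can_system_change` to `[4]` and shift the entries that follow. The `# TODO:` / `# cjp: also need to except correctly for SEFramework` comment now sits directly above the two `neverallow` rules this hunk enables, so it should either say which exception is still outstanding or be dropped. The trailing `# add userhelperdomain to this one` on `attribute process_uncond_exempt;` refers to an attribute that no interface in this diff populates, unlike `can_change_object_identity`, which has `domain_obj_id_change_exempt`; the constraint branches on `process_uncond_exempt` and `can_system_change` are vacuous until such interfaces exist, and that is worth stating in the comment so the gap is not mistaken for a grant.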