diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index c524171..698b763 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -161,6 +161,8 @@ storage_raw_read_removable_device(nfsd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
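Review bot: The relocated `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` now sits between the "Read access" and "Write access" comments for public content with no comment of its own, so it reads as a public-content rule although it concerns user home directories. It is outside every tunable visible here, so it applies whether or not `nfs_export_all_rw` is enabled. The interface definition is not shown, but it presumably grants write access to the home directory alongside the type transition, so it is worth stating that this is intentional. Suggested comment above the line: `# Objects nfsd creates in user home directories get the user home content type (unconditional, not tied to the export tunables)`. The `tunable_policy` block that follows continues past the end of this hunk.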
@@ -173,7 +175,6 @@ tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t)
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
-userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
 	dev_getattr_all_blk_files(nfsd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 135bb1b..f03a8ce 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -45,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
 type sshd_key_t;
 files_type(sshd_key_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -83,6 +79,10 @@ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_ho
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
+
 ##############################
 #
 # SSH client local policy
@@ -296,15 +296,17 @@ term_use_ptmx(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-tunable_policy(`sshd_forward_ports',`
-	corenet_tcp_bind_all_unreserved_ports(sshd_t)
-	corenet_tcp_connect_all_ports(sshd_t)
-')
-
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
 userdom_search_admin_dir(sshd_t)
 userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+	corenet_tcp_bind_all_unreserved_ports(sshd_t)
+	corenet_tcp_connect_all_ports(sshd_t)
+')
 
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
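Review bot: `userdom_spec_domtrans_unpriv_users(sshd_t)` and `userdom_signal_unpriv_users(sshd_t)` are now appended to the home-content and tmp rules with no comment, although they set the unconditional baseline for which user domains sshd may transition into and signal. The `ssh_sysadm_login` tunable directly below appears to widen the same access to all users (its `userdom_signal_all_users(sshd_t)` line is visible in the next hunk). A one-line comment would make that relationship explicit: `# Baseline: sshd may transition to and signal unprivileged user domains; ssh_sysadm_login extends this to all users`. The `ssh_sysadm_login` block starts in this hunk and ends outside it.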
@@ -314,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
 	userdom_signal_all_users(sshd_t)
 ')
 
-userdom_spec_domtrans_unpriv_users(sshd_t)
-userdom_signal_unpriv_users(sshd_t)
-
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index abd06df..9cc4d7d 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -8,12 +8,6 @@ policy_module(stunnel, 1.9.1)
 type stunnel_t;
 type stunnel_exec_t;
 
-ifdef(`distro_gentoo',`
-	init_daemon_domain(stunnel_t, stunnel_exec_t)
-',`
-	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-')
-
 type stunnel_etc_t;
 files_config_file(stunnel_etc_t)
 
@@ -23,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
 type stunnel_var_run_t;
 files_pid_file(stunnel_var_run_t)
 
+ifdef(`distro_gentoo',`
+	init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index fcdde4c..d9d8e18 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -83,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
 userdom_manage_user_tmp_files(telnetd_t)
 userdom_tmp_filetrans_user_tmp(telnetd_t, file)
 
-optional_policy(`
-	kerberos_keytab_template(telnetd, telnetd_t)
-	kerberos_manage_host_rcache(telnetd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_nfs(telnetd_t)
 ')
@@ -95,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 	fs_search_cifs(telnetd_t)
 ')
+
+optional_policy(`
+	kerberos_keytab_template(telnetd, telnetd_t)
+	kerberos_manage_host_rcache(telnetd_t)
+')
+
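Review bot: The hunk ends with an added empty line after the closing `')`, which leaves a blank line at the end of telnet.te; `git diff --check` reports that as a whitespace error. Drop the final `+` line so the file ends on `')`, as the relocated block at the end of xserver.te does in this same commit.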
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b8d770d..3812d23 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -358,6 +358,8 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 userdom_read_all_users_state(xauth_t)
 
+xserver_rw_xdm_tmp_files(xauth_t)
+
 ifdef(`hide_broken_symptoms',`
 	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 	fs_dontaudit_list_inotifyfs(xauth_t)
@@ -367,8 +369,6 @@ ifdef(`hide_broken_symptoms',`
 	miscfiles_read_fonts(xauth_t)
 ')
 
-xserver_rw_xdm_tmp_files(xauth_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(xauth_t)
 	fs_read_nfs_symlinks(xauth_t)
@@ -651,6 +651,14 @@ application_signal(xdm_t)
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
+ifndef(`distro_redhat',`
+	allow xdm_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+	allow xdm_t self:process { execheap execmem };
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
 	fs_manage_nfs_files(xdm_t)
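Review bot: The two blocks placed after `xserver_unconfined(xdm_t)` grant `allow xdm_t self:process { execheap execmem };` on every build that is not `distro_redhat`, and again for `distro_rhel4`, with identical bodies and no comment saying why the display manager needs writable-and-executable memory. These permissions switch off a memory-protection check for a process that handles logins, so the reason should be recorded and the grant kept as narrow as it can be. `xserver_t` receives the equivalent permissions only under the `allow_xserver_execmem` tunable later in this file, and a tunable may be the better shape here as well. At minimum, add `# xdm maps memory writable and executable on these distributions; TODO confirm still needed` above the first block. The `use_nfs_home_dirs` block below continues past the end of the hunk.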
@@ -815,14 +823,6 @@ optional_policy(`
 	unconfined_signal(xdm_t)
 ')
 
-ifndef(`distro_redhat',`
-	allow xdm_t self:process { execheap execmem };
-')
-
-ifdef(`distro_rhel4',`
-	allow xdm_t self:process { execheap execmem };
-')
-
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
 ')
@@ -1142,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-optional_policy(`
-	userhelper_search_config(xserver_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
@@ -1175,6 +1171,10 @@ optional_policy(`
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
+optional_policy(`
+	userhelper_search_config(xserver_t)
+')
+
 ########################################
 #
 # Rules common to all X window domains
@@ -1281,6 +1281,22 @@ allow x_domain xserver_t:x_screen getattr;
 # Rules for unconfined access to this module
 #
 
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
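Review bot: The `xserver_unconfined_type` wildcard rules moved here appear to be mirrored, class by class, by the `x_domain` rules inside the `! xserver_object_manager` tunable that follows. The existing comment there says the copy exists because typeattribute does not work in conditionals, and the last of those rules is visible in the next hunk. Nothing ties the two lists together, so an object class added to one can be silently missed in the other, leaving the two modes with different access. Suggested comment above the first `allow`: `# Keep in sync with the x_domain copy under the xserver_object_manager tunable below`. The tunable block starts in this hunk and continues outside it.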
@@ -1302,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-
-optional_policy(`
-	unconfined_rw_shm(xserver_t)
-	unconfined_execmem_rw_shm(xserver_t)
-
-	# xserver signals unconfined user on startx
-	unconfined_signal(xserver_t)
-	unconfined_getpgid(xserver_t)
-')
-
 tunable_policy(`allow_xserver_execmem',`
 	allow xserver_t self:process { execheap execmem execstack };
 ')
@@ -1347,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 	fs_append_cifs_files(xdmhomewriter)
 ')
+
+optional_policy(`
+	unconfined_rw_shm(xserver_t)
+	unconfined_execmem_rw_shm(xserver_t)
+
+	# xserver signals unconfined user on startx
+	unconfined_signal(xserver_t)
+	unconfined_getpgid(xserver_t)
+')