diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 13cafe0..1b9c837 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -614,6 +614,9 @@ interface(`domain_read_all_entry_files',`
 interface(`domain_unconfined',`
 	gen_require(`
 		attribute domain, set_curr_context;
+		attribute can_change_process_identity;
+		attribute can_change_process_role;
+		attribute can_change_object_identity;
 		class fd use;
 		class fifo_file rw_file_perms;
 		class process { transition dyntransition execmem };
@@ -622,6 +625,12 @@ interface(`domain_unconfined',`
 		class lnk_file r_file_perms;
 	')
 
+	# pass all constraints
+	typeattribute $1 can_change_process_identity;
+	typeattribute $1 can_change_process_role;
+	typeattribute $1 can_change_object_identity;
+	typeattribute $1 set_curr_context;
+
 	# Use/sendto/connectto sockets created by any domain.
 	allow $1 domain:{ socket_class_set socket key_socket } *;
 
@@ -631,7 +640,6 @@ interface(`domain_unconfined',`
 
 	# Act upon any other process.
 	allow $1 domain:process ~{ transition dyntransition execmem };
-	typeattribute $1 set_curr_context;
 
 	# Create/access any System V IPC objects.
 	allow $1 domain:{ sem msgq shm } *;