diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 0f262a7..4d10897 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms;
 allow rhgb_t self:udp_socket create_socket_perms;
 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rhgb_t, rhgb_devpts_t)
 
 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 9f38104..29e7311 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -99,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
 
-allow ricci_t ricci_var_log_t:dir setattr;
+allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 2744af2..0155ca7 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -34,7 +34,7 @@ allow rlogind_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(rlogind_t, rlogind_devpts_t)
 
 # for /usr/lib/telnetlogin
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 698b763..68d36c5 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -62,7 +62,7 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
 allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
 
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
@@ -196,7 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
 
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_file_perms;
+allow gssd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index d7f4bd4..012723c 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t)
 allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
 dontaudit snort_t self:capability sys_tty_config;
 allow snort_t self:process signal_perms;
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
 allow snort_t self:tcp_socket create_stream_socket_perms;
 allow snort_t self:udp_socket create_socket_perms;
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
 # Snort IPS node. unverified.
-allow snort_t self:netlink_firewall_socket { bind create getattr };
+allow snort_t self:netlink_firewall_socket create_socket_perms;
 
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
-allow snort_t snort_etc_t:lnk_file { getattr read };
+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(snort_t, snort_log_t, snort_log_t)
 create_dirs_pattern(snort_t, snort_log_t, snort_log_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index f03a8ce..c7efe5d 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -258,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
 	allow ssh_keysign_t self:capability { setgid setuid };
 	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-	allow ssh_keysign_t sshd_key_t:file { getattr read };
+	allow ssh_keysign_t sshd_key_t:file read_file_perms;
 
 	dev_read_urand(ssh_keysign_t)
 
@@ -383,7 +383,7 @@ ifdef(`TODO',`
 		# ioctl is necessary for logout() processing for utmp entry and for w to
 		# display the tty.
 		# some versions of sshd on the new SE Linux require setattr
-		allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
 	')
 ') dnl endif TODO
 
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index be42115..7113802 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -31,7 +31,7 @@ files_pid_file(sssd_var_run_t)
 
 allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 9cc4d7d..296e5ba 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -36,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
 
 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
 allow stunnel_t stunnel_etc_t:file read_file_perms;
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index d9d8e18..34c4c57 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -31,7 +31,7 @@ allow telnetd_t self:udp_socket create_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(telnetd_t, telnetd_devpts_t)
 
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index f4080d1..97ce79e 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -40,7 +40,7 @@ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index 678ab90..44dfdc8 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -29,7 +29,7 @@ files_type(tgtd_var_lib_t)
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms;
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c2cf97e..037a1e8 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t)
 
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file write_file_perms;
+allow uptimed_t self:fifo_file write_fifo_file_perms;
 
 allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 91886b2..1e40c2a 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -123,7 +123,7 @@ optional_policy(`
 #
 
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
 
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index f56f51f..7baeb6f 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -25,7 +25,7 @@ files_pid_file(vhostmd_var_run_t)
 
 allow vhostmd_t self:capability { dac_override ipc_lock	setuid setgid };
 allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 9930bcb..62e349a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -473,7 +473,7 @@ optional_policy(`
 
 allow virt_domain self:capability { dac_read_search dac_override kill };
 allow virt_domain self:process { execmem execstack signal getsched signull };
-allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:fifo_file rw_fifo_file_perms;
 allow virt_domain self:shm create_shm_perms;
 allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 739b23b..c80794b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -414,7 +414,7 @@ allow xdm_t self:key { search link write };
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 
@@ -483,7 +483,7 @@ allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms };
 
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -1115,7 +1115,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
 allow xserver_t xdm_var_lib_t:file read_file_perms;
-dontaudit xserver_t xdm_var_lib_t:dir search;
+dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
 
 read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
@@ -1125,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index b8dd21a..20d7cde 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
 #
 
 allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 
 # log files
-allow zabbix_t zabbix_log_t:dir setattr;
+allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)
 
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index a1035a4..f0b1201 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -51,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms;
 read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
 
-allow zebra_t zebra_log_t:dir setattr;
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te
index f9a06d2..3d407c6 100644
--- a/policy/modules/services/zosremote.te
+++ b/policy/modules/services/zosremote.te
@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
 #
 
 allow zos_remote_t self:process signal;
-allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
 allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(zos_remote_t)