diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c00a0ba..45d4ec6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -595,6 +595,13 @@ template(`unpriv_user_template', `
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
+	# Allow users to rw usb devices
+	tunable_policy(`user_rw_usb',`
+		dev_rw_usbfs($1_t)
+	',`
+		dev_read_usbfs($1_t)
+	')
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users)  disabling this forces FTP passive mode
 	# and may change other protocols
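Review bot: The comment on the new `user_rw_usb` block describes only the true branch, but the else branch still grants `dev_read_usbfs($1_t)` to every domain built from this template when the boolean is off. I would word it as `# Allow users to rw usb devices (user_rw_usb); with the boolean off, users keep read-only access to usbfs` so the default is visible to whoever audits the tunable. The removed block used `rw_dir_create_file` and `r_dir_file` on `usbdevfs_t`, and the definitions of `dev_rw_usbfs` and `dev_read_usbfs` are not in this diff, so it is worth confirming they grant no more than those macros did. The block also appears to move out of the region closed by `') dnl end TODO`; if that region was not compiled before, these rules become active for the first time. The template body starts and ends outside this hunk.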
@@ -699,13 +706,6 @@ template(`unpriv_user_template', `
 	allow $1_t var_lib_t:dir r_dir_perms;
 	allow $1_t var_lib_t:file { getattr read };
 
-	# Allow users to rw usb devices
-	tunable_policy(`user_rw_usb',`
-		rw_dir_create_file($1_t,usbdevfs_t)
-	',`
-		r_dir_file($1_t,usbdevfs_t)
-	')
-
 	# Do not audit write denials to /etc/ld.so.cache.
 	dontaudit $1_t ld_so_cache_t:file write;
 
@@ -720,7 +720,6 @@ template(`unpriv_user_template', `
 	')
 
 	allow $1_t initrc_t:fifo_file write;
-
 	') dnl end TODO
 ')
 
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 916c81e..1f39dfb 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.0)
+policy_module(userdomain,1.3.1)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -128,7 +128,8 @@ ifdef(`targeted_policy',`
 
 	ifdef(`enable_mls',`
 		admin_user_template(secadm)
-		role_change(staff, secadm)
+		role_change(staff,secadm)
+		role_change(sysadm,secadm)
 	')
 
 	# this should be tunable_policy, but
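Review bot: The added `role_change(sysadm,secadm)` under `enable_mls` has no comment explaining why sysadm needs to reach the secadm role. On an MLS build this is a separation-of-duties decision: presumably secadm exists to keep security administration apart from system administration, and this line relaxes that for any user authorized for both roles. A short comment such as `# sysadm may change role to secadm; which users can do so is limited by their authorized roles` would record the intent. It is also worth confirming against the `role_change` definition, which is not shown here, whether the transition is one-way or bidirectional. The enclosing `ifdef` block starts and ends outside this hunk.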