diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index a49a055..66d899e 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -35,6 +35,7 @@ kernel_use_fd(consoletype_t)
 kernel_dontaudit_read_system_state(consoletype_t)
 
 fs_getattr_all_fs(consoletype_t)
+fs_search_auto_mountpoints(consoletype_t)
 
 term_use_console(consoletype_t)
 term_use_unallocated_tty(consoletype_t)
@@ -58,6 +59,10 @@ optional_policy(`authlogin.te', `
 	auth_read_pam_pid(consoletype_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(consoletype_t)
+')
+
 optional_policy(`userdomain.te',`
 	userdom_use_unpriv_users_fd(consoletype_t)
 ')
@@ -73,12 +78,6 @@ allow consoletype_t nfs_t:file write;
 allow consoletype_t crond_t:fifo_file r_file_perms;
 allow consoletype_t system_crond_t:fd use;
 
-can_ypbind(consoletype_t)
-
-optional_policy(`automount.te', `
-allow consoletype_t autofs_t:dir { search getattr };
-')
-
 optional_policy(`xdm.te', `
 domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
 allow consoletype_t xdm_tmp_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 110bd14..ead44ee 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -22,11 +22,14 @@ dontaudit dmesg_t self:capability sys_tty_config;
 allow dmesg_t self:process signal_perms;
 
 kernel_read_kernel_sysctl(dmesg_t)
-dev_read_sysfs(dmesg_t)
 kernel_read_ring_buffer(dmesg_t)
 kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 
+dev_read_sysfs(dmesg_t)
+
+fs_search_auto_mountpoints(dmesg_t)
+
 term_dontaudit_use_console(dmesg_t)
 
 domain_use_wide_inherit_fd(dmesg_t)
@@ -67,11 +70,7 @@ ifdef(`TODO',`
 allow dmesg_t proc_t:dir r_dir_perms;
 allow dmesg_t proc_t:lnk_file read;
 
-optional_policy(`rhgb.te', `
-allow dmesg_t rhgb_t:process sigchld;
-allow dmesg_t rhgb_t:fd use;
-allow dmesg_t rhgb_t:fifo_file rw_file_perms;
+optional_policy(`rhgb.te',`
+rhgb_domain(dmesg_t)
 ')
-
-allow dmesg_t autofs_t:dir { search getattr };
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index db3e743..f40ec6c 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -1,8 +1,12 @@
 ## <summary>Network analysis utilities</summary>
 
-#######################################
-#
-# netutils_domtrans(domain)
+########################################
+## <desc>
+##	Execute network utilities in the netutils domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`netutils_domtrans',`
 	gen_require(`
@@ -20,9 +24,39 @@ interface(`netutils_domtrans',`
 	allow netutils_t $1:process sigchld;
 ')
 
-#######################################
+########################################
+## <desc>
+##	Execute network utilities in the netutils domain, and
+##	allow the specified role the netutils domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the netutils domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the netutils domain to use.
+## </param>
 #
-# netutils_exec(domain)
+interface(`netutils_run',`
+	gen_require(`
+		type netutils_t;
+		class chr_file rw_term_perms;
+	')
+
+	netutils_domtrans($1)
+	role $2 types netutils_t;
+	allow netutils_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <desc>
+##	Execute network utilities in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`netutils_exec',`
 	gen_require(`
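Review bot: The `terminal` parameter description in the new `netutils_run` header reads `The type of the terminal allow the netutils domain to use.`, which drops a word; `The type of the terminal to allow the netutils domain to use.` reads correctly. The same sentence is repeated in the `netutils_run_ping` and `netutils_run_traceroute` headers in the following hunk and should be fixed there too. The hunk ends inside the `netutils_exec` interface, whose body continues outside it.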
@@ -31,3 +65,135 @@ interface(`netutils_exec',`
 
 	can_exec($1,netutils_exec_t)
 ')
+
+########################################
+## <desc>
+##	Execute ping in the ping domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`netutils_domtrans_ping',`
+	gen_require(`
+		type ping_t, ping_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,ping_exec_t,ping_t)
+
+	allow $1 ping_t:fd use;
+	allow ping_t $1:fd use;
+	allow ping_t $1:fifo_file rw_file_perms;
+	allow ping_t $1:process sigchld;
+')
+
+########################################
+## <desc>
+##	Execute ping in the ping domain, and
+##	allow the specified role the ping domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the ping domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the ping domain to use.
+## </param>
+#
+interface(`netutils_run_ping',`
+	gen_require(`
+		type ping_t;
+		class chr_file rw_term_perms;
+	')
+
+	netutils_domtrans_ping($1)
+	role $2 types ping_t;
+	allow ping_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <desc>
+##	Execute ping in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`netutils_exec_ping',`
+	gen_require(`
+		type ping_exec_t;
+	')
+
+	can_exec($1,ping_exec_t)
+')
+
+########################################
+## <desc>
+##	Execute traceroute in the traceroute domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`netutils_domtrans_traceroute',`
+	gen_require(`
+		type traceroute_t, traceroute_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,traceroute_exec_t,traceroute_t)
+
+	allow $1 traceroute_t:fd use;
+	allow traceroute_t $1:fd use;
+	allow traceroute_t $1:fifo_file rw_file_perms;
+	allow traceroute_t $1:process sigchld;
+')
+
+########################################
+## <desc>
+##	Execute traceroute in the traceroute domain, and
+##	allow the specified role the traceroute domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the traceroute domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the traceroute domain to use.
+## </param>
+#
+interface(`netutils_run_traceroute',`
+	gen_require(`
+		type traceroute_t;
+		class chr_file rw_term_perms;
+	')
+
+	netutils_domtrans_traceroute($1)
+	role $2 types traceroute_t;
+	allow traceroute_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <desc>
+##	Execute traceroute in the caller domain.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`netutils_exec_traceroute',`
+	gen_require(`
+		type traceroute_exec_t;
+	')
+
+	can_exec($1,traceroute_exec_t)
+')
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index ce6656f..a6b8fb2 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -54,15 +54,15 @@ corenet_udp_bind_all_nodes(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
 
-init_use_fd(netutils_t)
-init_use_script_pty(netutils_t)
-
 domain_use_wide_inherit_fd(netutils_t)
 
 files_read_generic_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
 
+init_use_fd(netutils_t)
+init_use_script_pty(netutils_t)
+
 libs_use_ld_so(netutils_t)
 libs_use_shared_libs(netutils_t)
 
@@ -70,18 +70,14 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
-ifdef(`TODO',`
-role sysadm_r types netutils_t;
-
-can_ypbind(netutils_t)
+userdom_use_all_user_fd(netutils_t)
 
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+optional_policy(`nis.te',`
+	nis_use_ypbind(netutils_t)
+')
 
-# Inherit and use descriptors from init.
-allow netutils_t userdomain:fd use;
+ifdef(`TODO',`
 
-# Access terminals.
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
 allow netutils_t proc_t:dir search;
 
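Review bot: The removed `role sysadm_r types netutils_t;` and `domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)` rules have no replacement anywhere in this diff, so nothing visible after this commit grants sysadm_r the netutils domain; the same applies to the ping and traceroute hunks below in this file. Presumably the new `netutils_run`, `netutils_run_ping` and `netutils_run_traceroute` interfaces in netutils.if are meant to be called from the userdomain/sysadm policy, but that caller is not part of this change. If it lands separately, a comment such as `# sysadm_r access is granted through netutils_run() from the caller's module` next to the nis block would keep this from reading as a dropped transition. The `ifdef(`TODO'` block opened here continues outside the hunk.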
@@ -129,14 +125,11 @@ tunable_policy(`user_ping',`
 	term_use_all_user_ptys(ping_t)
 ')
 
-ifdef(`TODO',`
-can_ypbind(ping_t)
-
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-role sysadm_r types ping_t;
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
+optional_policy(`nis.te',`
+	nis_use_ypbind(ping_t)
+')
 
+ifdef(`TODO',`
 in_user_role(ping_t)
 tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
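Review bot: The `ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')` line is removed for ping_t without being re-added, while the equivalent traceroute_t line in the next hunk is removed and then kept below the tunable_policy. Both sit inside `ifdef(`TODO'`, so the built policy is unaffected, but the two domains are now treated differently; either drop both or keep both for consistency. The TODO block continues outside the hunk.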
@@ -193,23 +186,16 @@ tunable_policy(`user_ping',`
 	term_use_all_user_ptys(traceroute_t)
 ')
 
-ifdef(`TODO',`
-role sysadm_r types traceroute_t;
-
-can_ypbind(traceroute_t)
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
-
-# Access the terminal.
-allow traceroute_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
+optional_policy(`nis.te',`
+	nis_use_ypbind(traceroute_t)
+')
 
+ifdef(`TODO',`
 in_user_role(traceroute_t)
 tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
 ')
-
+ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
 #rules needed for nmap
 dontaudit traceroute_t userdomain:dir search;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 1da9add..c2a81ad 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -117,9 +117,10 @@ dev_read_urand(rpm_t)
 #devices_manage_all_device_types(rpm_t)
 
 #fs_manage_nfs_dir(rpm_t)
-#fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_files(rpm_t)
 fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
 
 storage_raw_write_fixed_disk(rpm_t)
 # for installing kernel packages
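Review bot: Uncommenting `fs_manage_nfs_files(rpm_t)` widens rpm_t to writing files on NFS mounts, which is a privilege change unrelated to the ypbind/automount cleanup the rest of the commit performs and is not explained anywhere. It may simply be completing the pair with the already-active `fs_manage_nfs_symlinks(rpm_t)`, but `#fs_manage_nfs_dir(rpm_t)` on the line above stays commented, so the intended scope is unclear. A short comment above the call, e.g. `# rpm must be able to modify files on NFS-mounted filesystems`, or splitting this into its own commit would make the change reviewable on its own.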
@@ -159,6 +160,10 @@ userdom_use_unpriv_users_fd(rpm_t)
 
 #cron_transition_from(rpm,rpm_exec_t)
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(rpm_t)
+')
+
 ifdef(`TODO',`
 
 type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
@@ -183,16 +188,10 @@ allow rpm_t usbdevfs_t:dir r_dir_perms;
 
 allow rpm_t rpc_pipefs_t:dir search;
 
-can_ypbind(rpm_t)
-
 optional_policy(`gnome-pty-helper.te', `
 allow rpm_t sysadm_gph_t:fd use;
 ')
 
-optional_policy(`automount.te', `
-allow rpm_t autofs_t:dir { search getattr };
-')
-
 optional_policy(`mount.te', `
 allow rpm_t mount_t:udp_socket rw_socket_perms;
 ')
@@ -265,6 +264,7 @@ fs_getattr_nfs(rpm_script_t)
 fs_getattr_xattr_fs(rpm_script_t)
 fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
 
 storage_raw_read_fixed_disk(rpm_script_t)
 storage_raw_write_fixed_disk(rpm_script_t)
@@ -309,7 +309,11 @@ seutil_domtrans_restorecon(rpm_script_t)
 userdom_use_all_user_fd(rpm_script_t)
 
 optional_policy(`bootloader.te', `
-bootloader_domtrans(rpm_script_t)
+	bootloader_domtrans(rpm_script_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(rpm_script_t)
 ')
 
 ifdef(`TODO',`
@@ -318,22 +322,8 @@ allow rpm_script_t sysfs_t:dir r_dir_perms;
 
 can_exec(rpm_script_t,usr_t)
 
-
-allow rpm_script_t autofs_t:dir { search getattr };
-
-can_ypbind(rpm_script_t)
-
-optional_policy(`automount.te', `
-allow rpm_script_t autofs_t:dir { search getattr };
-')
-
 optional_policy(`lpd.te', `
 can_exec(rpm_script_t,printconf_t)
-
-')
-
-optional_policy(`ssh.te', `
-allow sshd_t rpm_script_t:fd use;
 ')
 
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index cec2a48..9c01380 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -88,18 +88,20 @@ term_use_all_user_ttys(chfn_t)
 term_use_all_user_ptys(chfn_t)
 
 fs_getattr_xattr_fs(chfn_t)
+fs_search_auto_mountpoints(chfn_t)
 
 # for SSP
 dev_read_urand(chfn_t)
 
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(chfn_t)
-
 domain_use_wide_inherit_fd(chfn_t)
 
 files_manage_generic_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
+files_dontaudit_search_var(chfn_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(chfn_t)
 
 libs_use_ld_so(chfn_t)
 libs_use_shared_libs(chfn_t)
@@ -111,20 +113,18 @@ logging_send_syslog_msg(chfn_t)
 auth_domtrans_chk_passwd(chfn_t)
 auth_dontaudit_read_shadow(chfn_t)
 
+userdom_use_unpriv_users_fd(chfn_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(chfn_t)
+')
+
 ifdef(`TODO',`
 role sysadm_r types chfn_t;
 in_user_role(chfn_t)
 
 domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
 
-dontaudit chfn_t var_t:dir search;
-
-allow chfn_t unpriv_userdomain:fd use;
-can_ypbind(chfn_t)
-ifdef(`automount.te', `
-allow chfn_t autofs_t:dir { search getattr };
-')
-
 ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
 
 # allow checking if a shell is executable
@@ -181,7 +181,6 @@ ifdef(`TODO',`
 ifdef(`crond.te', `
 domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
 allow crack_t crond_t:fifo_file rw_file_perms;
-# a rule for privfd may make this obsolete
 allow crack_t crond_t:fd use;
 allow crack_t crond_t:process sigchld;
 ')
@@ -209,6 +208,9 @@ allow groupadd_t self:sem create_sem_perms;
 allow groupadd_t self:msgq create_msgq_perms;
 allow groupadd_t self:msg { send receive };
 
+fs_getattr_xattr_fs(groupadd_t)
+fs_search_auto_mountpoints(groupadd_t)
+
 # Allow access to context for shadow file
 selinux_get_fs_mount(groupadd_t)
 selinux_validate_context(groupadd_t)
@@ -217,13 +219,12 @@ selinux_compute_create_context(groupadd_t)
 selinux_compute_relabel_context(groupadd_t)
 selinux_compute_user_contexts(groupadd_t)
 
-fs_getattr_xattr_fs(groupadd_t)
-
 term_use_all_user_ttys(groupadd_t)
 term_use_all_user_ptys(groupadd_t)
 
 init_use_fd(groupadd_t)
 init_read_script_pid(groupadd_t)
+init_dontaudit_write_script_pid(groupadd_t)
 
 domain_use_wide_inherit_fd(groupadd_t)
 
@@ -245,16 +246,14 @@ auth_rw_lastlog(groupadd_t)
 
 seutil_read_config(groupadd_t)
 
-ifdef(`TODO',`
-role sysadm_r types groupadd_t;
-domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
+userdom_use_unpriv_users_fd(groupadd_t)
 
-allow groupadd_t unpriv_userdomain:fd use;
-can_ypbind(groupadd_t)
-ifdef(`automount.te', `
-allow groupadd_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(groupadd_t)
 ')
 
+ifdef(`TODO',`
+
 # Update /etc/shadow and /etc/passwd
 allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
@@ -263,7 +262,6 @@ ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
 
 # for when /root is the cwd
 dontaudit groupadd_t sysadm_home_dir_t:dir search;
-dontaudit groupadd_t initrc_var_run_t:file write;
 ') dnl end TODO
 
 ########################################
@@ -285,6 +283,15 @@ allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
 
+allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:file r_file_perms;
+
+# for SSP
+dev_read_urand(passwd_t)
+
+fs_getattr_xattr_fs(passwd_t)
+fs_search_auto_mountpoints(passwd_t)
+
 selinux_get_fs_mount(passwd_t)
 selinux_validate_context(passwd_t)
 selinux_compute_access_vector(passwd_t)
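Review bot: The two `crack_db_t` read rules added here are unconditional, whereas the rules they replace (removed later in this file) were guarded by `ifdef(`crack.te'`. That is fine if `crack_db_t` is declared in this module, which the crack_t rules elsewhere in usermanage.te suggest but the hunk does not show; if it is declared in a separate module, the rules need an `optional_policy` wrapper or a gen_require-backed interface instead. A one-line comment such as `# passwd reads the crack dictionaries for password strength checks` would also record why a password-changing domain reads this data.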
@@ -292,11 +299,6 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
-# for SSP
-dev_read_urand(passwd_t)
-
-fs_getattr_xattr_fs(passwd_t)
-
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_script_pid(passwd_t)
@@ -305,6 +307,7 @@ domain_use_wide_inherit_fd(passwd_t)
 
 files_read_etc_runtime_files(passwd_t)
 files_manage_generic_etc_files(passwd_t)
+files_search_var(passwd_t)
 
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
@@ -315,6 +318,12 @@ miscfiles_read_localization(passwd_t)
 
 auth_manage_shadow(passwd_t)
 
+userdom_use_unpriv_users_fd(passwd_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(passwd_t)
+')
+
 ifdef(`TODO',`
 
 ifdef(`firstboot.te',`
@@ -324,12 +333,6 @@ domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
 # Update /etc/shadow and /etc/passwd
 allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
-allow passwd_t unpriv_userdomain:fd use;
-can_ypbind(passwd_t)
-ifdef(`automount.te', `
-allow passwd_t autofs_t:dir { search getattr };
-')
-
 # Inherit and use descriptors from login.
 ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
 
@@ -347,14 +350,7 @@ allow passwd_t userdomain:process getattr;
 
 dontaudit passwd_t selinux_config_t:dir search;
 
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
 dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
 ') dnl endif TODO
 
 ########################################
@@ -395,23 +391,26 @@ kernel_read_system_state(sysadm_passwd_t)
 dev_read_urand(sysadm_passwd_t)
 
 fs_getattr_xattr_fs(sysadm_passwd_t)
+fs_search_auto_mountpoints(sysadm_passwd_t)
 
 term_use_all_user_ttys(sysadm_passwd_t)
 term_use_all_user_ptys(sysadm_passwd_t)
 
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(sysadm_passwd_t)
+auth_manage_shadow(sysadm_passwd_t)
+
+# allow vipw to exec the editor
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
 
 domain_use_wide_inherit_fd(sysadm_passwd_t)
 
 files_manage_generic_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 
-# allow vipw to exec the editor
-corecmd_exec_bin(sysadm_passwd_t)
-corecmd_exec_shell(sysadm_passwd_t)
-files_read_usr_files(sysadm_passwd_t)
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it.  Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(sysadm_passwd_t)
 
 libs_use_ld_so(sysadm_passwd_t)
 libs_use_shared_libs(sysadm_passwd_t)
@@ -420,18 +419,16 @@ miscfiles_read_localization(sysadm_passwd_t)
 
 logging_send_syslog_msg(sysadm_passwd_t)
 
-auth_manage_shadow(sysadm_passwd_t)
+userdom_use_unpriv_users_fd(sysadm_passwd_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(sysadm_passwd_t)
+')
 
 ifdef(`TODO',`
 role sysadm_r types sysadm_passwd_t;
 domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
 
-allow sysadm_passwd_t unpriv_userdomain:fd use;
-can_ypbind(sysadm_passwd_t)
-ifdef(`automount.te', `
-allow sysadm_passwd_t autofs_t:dir { search getattr };
-')
-
 # Inherit and use descriptors from login.
 ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
 
@@ -483,46 +480,46 @@ selinux_compute_user_contexts(useradd_t)
 # for getting the number of groups
 kernel_read_kernel_sysctl(useradd_t)
 
+fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
 
 term_use_all_user_ttys(useradd_t)
 term_use_all_user_ptys(useradd_t)
 
-init_use_fd(useradd_t)
-init_rw_script_pid(useradd_t)
+auth_manage_shadow(useradd_t)
+auth_rw_lastlog(useradd_t)
+
+corecmd_exec_shell(useradd_t)
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(useradd_t)
+corecmd_exec_sbin(useradd_t)
 
 domain_use_wide_inherit_fd(useradd_t)
 
 files_manage_generic_etc_files(useradd_t)
 
+init_use_fd(useradd_t)
+init_rw_script_pid(useradd_t)
+
 libs_use_ld_so(useradd_t)
 libs_use_shared_libs(useradd_t)
 
-corecmd_exec_shell(useradd_t)
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecmd_exec_bin(useradd_t)
-corecmd_exec_sbin(useradd_t)
+logging_send_syslog_msg(useradd_t)
 
 miscfiles_read_localization(useradd_t)
 
 seutil_read_config(useradd_t)
 
-logging_send_syslog_msg(useradd_t)
+userdom_use_unpriv_users_fd(useradd_t)
 
-auth_manage_shadow(useradd_t)
-auth_rw_lastlog(useradd_t)
+mta_manage_spool(useradd_t)
 
-ifdef(`TODO',`
-
-role sysadm_r types useradd_t;
-domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
-
-allow useradd_t unpriv_userdomain:fd use;
-can_ypbind(useradd_t)
-ifdef(`automount.te', `
-allow useradd_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(useradd_t)
 ')
 
+ifdef(`TODO',`
+
 # Update /etc/shadow and /etc/passwd
 allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
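Review bot: `fs_search_auto_mountpoints(useradd_t)` is inserted before `fs_getattr_xattr_fs(useradd_t)`, whereas every other domain in this commit lists it after the getattr call; swapping the two lines keeps the ordering uniform. Separately, `mta_manage_spool(useradd_t)` replaces the removed `/var/mail` rules but the `# create/delete mail spool file in /var/mail` comment that explained them was dropped; keeping it above the new call preserves the reason a user-management domain writes to the mail spool. The `ifdef(`TODO'` block opened at the end of the hunk continues outside it.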
@@ -536,10 +533,7 @@ dontaudit useradd_t sysadm_home_dir_t:dir search;
 file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
 file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
 
-# create/delete mail spool file in /var/mail
-allow useradd_t var_spool_t:dir search;
-allow useradd_t mail_spool_t:dir { search write add_name remove_name };
-allow useradd_t mail_spool_t:file create_file_perms;
 # /var/mail is a link to /var/spool/mail
 allow useradd_t mail_spool_t:lnk_file read;
+
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 1a02004..fdd1690 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -129,9 +129,11 @@ template(`gpg_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_gpg_t)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_gpg_t)
+	')
 
-	can_ypbind($1_gpg_t)
+	ifdef(`TODO',`
 
 	allow $1_t $1_gpg_secret_t:file getattr;
 
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8e1e7d3..e184f51 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -267,6 +267,24 @@ interface(`fs_getattr_autofs',`
 ')
 
 ########################################
+## <summary>
+##	Search automount filesystem to use automatically
+##	mounted filesystems.
+## </summary>
+## <param name="domain">
+##	The type of the domain performing this action.
+## </param>
+#
+interface(`fs_search_auto_mountpoints',`
+	gen_require(`
+		type autofs_t;
+		class dir { getattr search };
+	')
+
+	allow $1 autofs_t:dir { getattr search };
+')
+
+########################################
 ## <desc>
 ##	Register an interpreter for new binary
 ##	file types, using the kernel binfmt_misc
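Review bot: The new `fs_search_auto_mountpoints` header uses `<summary>`/`</summary>` for its description while the neighbouring interface in the same hunk, and every interface header added in netutils.if by this commit, use `<desc>`/`</desc>`. Whichever tag the documentation generator expects, the file should use one consistently; if `<summary>` is the newer convention, that is worth a note, otherwise change the new header to `## <desc>` and `## </desc>`. The hunk ends inside the next interface's doc header, which continues outside it.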
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 81d9c97..d547c64 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -116,6 +116,10 @@ template(`cron_per_userdomain_template',`
 		allow crond_t $1_cron_spool_t:file create_file_perms;
 	')
 
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_crond_t)
+	')
+
 	ifdef(`TODO',`
 	# Access user files and dirs.
 	allow $1_crond_t home_root_t:dir search;
@@ -135,8 +139,6 @@ template(`cron_per_userdomain_template',`
 		allow mta_user_agent $1_crond_t:fd use;
 	')
 
-	# This domain is granted permissions common to most domains.
-	can_ypbind($1_crond_t)
 	allow $1_crond_t var_spool_t:dir search;
 	allow $1_crond_t var_t:dir r_dir_perms;
 	allow $1_crond_t var_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 6c5bd64..9f333e3 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -87,6 +87,7 @@ selinux_compute_user_contexts(crond_t)
 dev_read_urand(crond_t)
 
 fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
 
 term_dontaudit_use_console(crond_t)
 
@@ -127,6 +128,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(crond_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(crond_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(crond_t)
 ')
@@ -135,18 +140,10 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...
 
-allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;
 
 optional_policy(`rhgb.te', `
-allow crond_t rhgb_t:process sigchld;
-allow crond_t rhgb_t:fd use;
-allow crond_t rhgb_t:fifo_file { read write };
-')
-
-can_ypbind(crond_t)
-ifdef(`automount.te', `
-allow crond_t autofs_t:dir { search getattr };
+rhgb_domain(crond_t)
 ')
 
 # Read from /var/spool/cron.
@@ -301,10 +298,11 @@ tunable_policy(`cron_can_relabel',`
 	seutil_read_file_contexts(system_crond_t)
 ')
 
-ifdef(`TODO',`
-
-can_ypbind(system_crond_t)
+optional_policy(`nis.te',`
+	nis_use_ypbind(system_crond_t)
+')
 
+ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
 
 # quiet other ps operations
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 7dd5c68..f156541 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -70,14 +70,15 @@ template(`mta_per_userdomain_template',`
 		corenet_udp_sendrecv_dns_port($1_mail_t)
 	')
 
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_mail_t)
+	')
+
 	optional_policy(`procmail.te',`
 		procmail_execute($1_mail_t)
 	')
 
 	ifdef(`TODO',`
-
-	can_ypbind($1_mail_t)
-
 	allow $1_mail_t device_t:dir search;
 	allow $1_mail_t { var_t var_spool_t }:dir search;
 	allow $1_mail_t sbin_t:dir search;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 29ca2ea..2a3e676 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -90,8 +90,12 @@ tunable_policy(`use_dns',`
 	corenet_udp_sendrecv_dns_port(system_mail_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(system_mail_t)
+')
+
 optional_policy(`procmail.te',`
-	procmail_execute(system_mail_t)
+	procmail_exec(system_mail_t)
 ')
 
 ifdef(`TODO',`
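Review bot: `procmail_execute(system_mail_t)` is renamed to `procmail_exec(system_mail_t)` here, but mta.if in this same commit still calls `procmail_execute($1_mail_t)` inside `mta_per_userdomain_template` (visible as an unchanged context line there), and procmail.if is not part of the diff. If `procmail_execute` no longer exists, the template will fail to build once a per-user mail domain is instantiated; the template call should become `procmail_exec($1_mail_t)`. The `ifdef(`TODO'` block opened on the last line of the hunk continues outside it.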
@@ -117,9 +121,6 @@ dontaudit system_mail_t system_crond_tmp_t:file append;
 ')
 ') dnl end if sendmail
 
-
-can_ypbind(system_mail_t)
-
 allow system_mail_t device_t:dir search;
 allow system_mail_t { var_t var_spool_t }:dir search;
 allow system_mail_t sbin_t:dir search;
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 3f5d3fb..c5745ef 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -77,6 +77,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
 dev_read_sysfs(ypbind_t)
 
 fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
 
 term_dontaudit_use_console(ypbind_t)
 
@@ -121,7 +122,6 @@ ifdef(`TODO',`
 allow ypbind_t proc_t:dir r_dir_perms;
 allow ypbind_t proc_t:lnk_file read;
 
-allow ypbind_t autofs_t:dir { search getattr };
 dontaudit ypbind_t sysadm_home_dir_t:dir search;
 
 can_udp_send(ypbind_t, portmap_t)
@@ -172,6 +172,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 dev_read_sysfs(ypserv_t)
 
 fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
 
 term_dontaudit_use_console(ypserv_t)
 
@@ -214,7 +215,6 @@ rhgb_domain(ypserv_t)
 allow ypserv_t proc_t:dir r_dir_perms;
 allow ypserv_t proc_t:lnk_file read;
 
-allow ypserv_t autofs_t:dir { search getattr };
 dontaudit ypserv_t sysadm_home_dir_t:dir search;
 
 # Send to portmap and initrc.
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 0fd4a22..4c5a5b7 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -54,8 +54,14 @@ selinux_compute_user_contexts(remote_login_t)
 dev_read_urand(remote_login_t)
 
 fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
 
-init_rw_script_pid(remote_login_t)
+auth_domtrans_chk_passwd(remote_login_t)
+auth_dontaudit_read_shadow(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_lastlog(remote_login_t)
+auth_exec_pam(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
 
 domain_read_all_entry_files(remote_login_t)
 
@@ -64,6 +70,8 @@ files_read_etc_runtime_files(remote_login_t)
 files_list_home(remote_login_t)
 files_read_usr_files(remote_login_t)
 
+init_rw_script_pid(remote_login_t)
+
 libs_use_ld_so(remote_login_t)
 libs_use_shared_libs(remote_login_t)
 
@@ -72,15 +80,10 @@ logging_send_syslog_msg(remote_login_t)
 seutil_read_config(remote_login_t)
 seutil_read_default_contexts(remote_login_t)
 
-auth_domtrans_chk_passwd(remote_login_t)
-auth_dontaudit_read_shadow(remote_login_t)
-auth_rw_login_records(remote_login_t)
-auth_rw_lastlog(remote_login_t)
-auth_exec_pam(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-
 miscfiles_read_localization(remote_login_t)
 
+userdom_use_unpriv_users_fd(remote_login_t)
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(remote_login_t)
 	fs_read_nfs_symlinks(remote_login_t)
@@ -91,13 +94,12 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_symlinks(remote_login_t)
 ')
 
-ifdef(`TODO',`
-allow remote_login_t unpriv_userdomain:fd use;
-can_ypbind(remote_login_t)
-ifdef(`automount.te', `
-allow remote_login_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(remote_login_t)
 ')
 
+ifdef(`TODO',`
+
 allow remote_login_t bin_t:dir r_dir_perms;
 allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
 allow remote_login_t sbin_t:dir r_dir_perms;
@@ -123,7 +125,6 @@ allow remote_login_t device_t:lnk_file r_file_perms;
 
 dontaudit remote_login_t sysfs_t:dir search;
 
-allow remote_login_t autofs_t:dir r_dir_perms;
 allow remote_login_t mnt_t:dir r_dir_perms;
 
 # FIXME: what is this for?
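Review bot: The removed `allow remote_login_t autofs_t:dir r_dir_perms;` granted more than the `fs_search_auto_mountpoints(remote_login_t)` added in the first hunk of this file, which only covers `{ getattr search }`. Since this line sat inside the `ifdef(`TODO'` block it was not in the built policy, so the narrowing is only relative to dead code; if remote_login turns out to need to list automount directories, a separate list interface rather than widening the search interface is the right follow-up. The TODO block continues outside the hunk.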
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 49850c8..359b5ae 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -57,43 +57,48 @@ corenet_tcp_bind_smtp_port(sendmail_t)
 dev_read_urand(sendmail_t)
 
 fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
 
 term_dontaudit_use_console(sendmail_t)
 
-init_use_fd(sendmail_t)
-init_use_script_pty(sendmail_t)
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-init_read_script_pid(sendmail_t)
-init_dontaudit_write_script_pid(sendmail_t)
-
 domain_use_wide_inherit_fd(sendmail_t)
 
 files_read_generic_etc_files(sendmail_t)
 files_search_spool(sendmail_t)
 
-logging_send_syslog_msg(sendmail_t)
+init_use_fd(sendmail_t)
+init_use_script_pty(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+init_read_script_pid(sendmail_t)
+init_dontaudit_write_script_pid(sendmail_t)
 
 libs_use_ld_so(sendmail_t)
 libs_use_shared_libs(sendmail_t)
 # Read /usr/lib/sasl2/.*
 libs_read_lib(sendmail_t)
 
+logging_send_syslog_msg(sendmail_t)
+
 miscfiles_read_localization(sendmail_t)
 
+sysnet_read_config(sendmail_t)
+
 # Write to /etc/aliases and /etc/mail.
 mta_rw_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
-sysnet_read_config(sendmail_t)
-
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(sendmail_t)
 	term_dontaudit_use_generic_pty(sendmail_t)
 	files_dontaudit_read_root_file(sendmail_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(sendmail_t)
+')
+
 optional_policy(`selinux.te',`
 	seutil_newrole_sigchld(sendmail_t)
 ')
@@ -105,18 +110,13 @@ optional_policy(`udev.te', `
 ifdef(`TODO',`
 
 optional_policy(`rhgb.te', `
-allow sendmail_t rhgb_t:process sigchld;
-allow sendmail_t rhgb_t:fd use;
-allow sendmail_t rhgb_t:fifo_file { read write };
+rhgb_domain(sendmail_t)
 ')
 allow sendmail_t proc_t:dir r_dir_perms;
 allow sendmail_t proc_t:lnk_file read;
 dontaudit sendmail_t unpriv_userdomain:fd use;
-allow sendmail_t autofs_t:dir { search getattr };
 dontaudit sendmail_t sysadm_home_dir_t:dir search;
 
-can_ypbind(sendmail_t)
-
 #
 #  Need this transition to create /etc/aliases.db 
 #
@@ -144,7 +144,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
 # Run procmail in its own domain, if defined.
 ifdef(`procmail.te',`
 corecmd_search_bin(sendmail_t)
-procmail_transition(sendmail_t)
+procmail_domtrans(sendmail_t)
 domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index c65d7f2..3a0a884 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -98,6 +98,7 @@ template(`ssh_per_userdomain_template',`
 	dev_read_urand($1_ssh_t)
 
 	fs_getattr_all_fs($1_ssh_t)
+	fs_search_auto_mountpoints($1_ssh_t)
 
 	# run helper programs - needed eg for x11-ssh-askpass
 	corecmd_exec_shell($1_ssh_t)
@@ -124,8 +125,6 @@ template(`ssh_per_userdomain_template',`
 
 	userdom_use_unpriv_users_fd($1_ssh_t)
 
-	nis_use_ypbind($1_ssh_t)
-
 	tunable_policy(`use_dns',`
 		allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
 		corenet_udp_sendrecv_all_if($1_ssh_t)
@@ -149,10 +148,11 @@ template(`ssh_per_userdomain_template',`
 		corenet_tcp_bind_ssh_port($1_ssh_t)
 	')
 
-	ifdef(`TODO',`
-	can_ypbind($1_ssh_t)
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_ssh_t)
+	')
 
-	allow $1_ssh_t autofs_t:dir { search getattr };
+	ifdef(`TODO',`
 
 	allow $1 sbin_t:dir r_dir_perms;
 	allow $1 sbin_t:notdevfile_class_set r_file_perms;
@@ -244,6 +244,8 @@ template(`ssh_per_userdomain_template',`
 	dev_read_urand($1_ssh_agent_t)
 	dev_read_rand($1_ssh_agent_t)
 
+	fs_search_auto_mountpoints($1_ssh_agent_t)
+
 	domain_use_wide_inherit_fd($1_ssh_agent_t)
 
 	files_read_generic_etc_files($1_ssh_agent_t)
@@ -265,6 +267,10 @@ template(`ssh_per_userdomain_template',`
 		fs_manage_cifs_files($1_ssh_agent_t)
 	}
 
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_ssh_agent_t)
+	')
+
 	ifdef(`TODO',`
 
 	# Write to the user domain tty.
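Review bot: `nis_use_ypbind($1_ssh_agent_t)` hands a domain that holds decrypted private keys whatever network access the NIS interface carries; the interface body is not visible here, but the comment removed further down in this diff (`# can_network is for the UDP socket`, on the old `can_ypbind(syslogd_t)` line) suggests the legacy macro implied generic socket access. Nothing visible in this template shows ssh-agent doing an NSS-backed lookup, so I would confirm an actual denial motivates porting this out of the TODO block before keeping it, and if it stays, record the reason: `# ssh-agent presumably resolves its own uid via NSS, which may be served by NIS — confirm`. The template continues outside the hunk.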
@@ -275,9 +281,6 @@ template(`ssh_per_userdomain_template',`
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_agent_t)
 
-	can_ypbind($1_ssh_agent_t)
-	allow $1_ssh_agent_t autofs_t:dir { search getattr };
-
 	allow $1_ssh_agent_t proc_t:dir search;
 	dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
 	dontaudit $1_ssh_agent_t selinux_config_t:dir search;
@@ -449,7 +452,6 @@ template(`sshd_program_domain', `
 	allow $1_t var_t:dir getattr;
 
 	allow $1_t { home_root_t home_dir_type }:dir getattr;
-	allow $1_t autofs_t:dir { search getattr };
 
 	dontaudit sshd_t userpty_type:chr_file relabelfrom;
 
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 6ac8926..8e3a1e6 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -112,6 +112,9 @@ tunable_policy(`run_ssh_inetd',`
 # for when the network connection breaks after running newrole -r sysadm_r
 dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
 
+optional_policy(`rpm.te',`
+allow sshd_t rpm_script_t:fd use;
+')
 ') dnl endif TODO
 
 #################################
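Review bot: The new `allow sshd_t rpm_script_t:fd use;` is placed immediately before `') dnl endif TODO`, which suggests it sits inside the ``ifdef(`TODO',`` block and is therefore not compiled into the policy; if the grant is wanted it has to move above that block. It also names another module's type directly, whereas the rest of this diff routes cross-module access through interfaces, so an rpm-side interface (an `rpm_use_script_fd(sshd_t)` if rpm.if provides one) would be the convention. The TODO block opens outside the hunk.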
@@ -187,6 +190,8 @@ files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
 
 kernel_read_kernel_sysctl(ssh_keygen_t)
 
+fs_search_auto_mountpoints(ssh_keygen_t)
+
 dev_read_sysfs(ssh_keygen_t)
 dev_read_urand(ssh_keygen_t)
 
@@ -231,7 +236,3 @@ optional_policy(`selinux.te',`
 optional_policy(`udev.te', `
 	udev_read_db(ssh_keygen_t)
 ')
-
-ifdef(`TODO',`
-allow ssh_keygen_t autofs_t:dir { search getattr };
-')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index a004cfa..3df2761 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
 
 	seutil_read_config($1_chkpwd_t)
 
-	#can_ypbind($1_chkpwd_t)
 	#can_kerberos($1_chkpwd_t)
 	#can_ldap($1_chkpwd_t)
 
@@ -97,6 +96,10 @@ template(`authlogin_per_userdomain_template',`
 		sysnet_read_config($1_chkpwd_t)
 	')
 
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_chkpwd_t)
+	')
+
 	optional_policy(`selinux.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
@@ -173,9 +176,6 @@ interface(`auth_domtrans_chk_passwd',`
 	allow system_chkpwd_t $1:process sigchld;
 
 	dontaudit $1 shadow_t:file { getattr read };
-	#can_ypbind($1_t)
-	#can_kerberos($1_t)
-	#can_ldap($1_t)
 
 	tunable_policy(`use_dns',`
 		allow $1 self:udp_socket create_socket_perms;
@@ -187,6 +187,13 @@ interface(`auth_domtrans_chk_passwd',`
 		corenet_udp_sendrecv_dns_port($1)
 		sysnet_read_config($1)
 	')
+
+	#can_kerberos($1)
+	#can_ldap($1)
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1)
+	')
 ')
 
 ########################################
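Review bot: `nis_use_ypbind($1)` turns the previously commented-out `#can_ypbind($1_t)` into a live grant for every domain that calls auth_domtrans_chk_passwd, a side effect the interface's summary (outside this hunk) should state, since callers use this interface for the chkpwd transition rather than for NIS network access. The `#can_kerberos($1)` and `#can_ldap($1)` lines re-add commented-out code; a single `# TODO: kerberos and ldap equivalents of nis_use_ypbind` says the same without dead rules. The interface's opening lines are outside the hunk.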
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 82d24c0..c33677c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -93,6 +93,8 @@ files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
 
 kernel_read_system_state(pam_t)
 
+fs_search_auto_mountpoints(pam_t)
+
 term_use_all_user_ttys(pam_t)
 term_use_all_user_ptys(pam_t)
 
@@ -112,12 +114,11 @@ optional_policy(`locallogin.te',`
 	locallogin_use_fd(pam_t)
 ')
 
-ifdef(`TODO',`
-can_ypbind(pam_t)
-ifdef(`automount.te', `
-	allow pam_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(pam_t)
 ')
 
+ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
 ') dnl endif TODO
 
@@ -156,6 +157,8 @@ dev_setattr_snd_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
 
+fs_search_auto_mountpoints(pam_console_t)
+
 storage_getattr_fixed_disk(pam_console_t)
 storage_setattr_fixed_disk(pam_console_t)
 storage_getattr_removable_device(pam_console_t)
@@ -210,11 +213,8 @@ optional_policy(`udev.te', `
 
 ifdef(`TODO',`
 optional_policy(`rhgb.te', `
-	allow pam_console_t rhgb_t:process sigchld;
-	allow pam_console_t rhgb_t:fd use;
-	allow pam_console_t rhgb_t:fifo_file { read write };
+	rhgb_domain(pam_console_t)
 ')
-allow pam_console_t autofs_t:dir { search getattr };
 
 allow pam_console_t apm_bios_t:chr_file { getattr setattr };
 
@@ -268,8 +268,11 @@ tunable_policy(`use_dns',`
 	sysnet_read_config(system_chkpwd_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(system_chkpwd_t)
+')
+
 ifdef(`TODO',`
-can_ypbind(system_chkpwd_t)
 can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
 
@@ -303,10 +306,10 @@ libs_use_shared_libs(utempter_t)
 
 logging_search_logs(utempter_t)
 
-ifdef(`TODO',`
 # Allow utemper to write to /tmp/.xses-*
-allow utempter_t user_tmpfile:file { getattr write append };
+userdom_write_unpriv_user_tmp(utempter_t)
 
+ifdef(`TODO',`
 ifdef(`xdm.te', `
 allow utempter_t xdm_t:fd use;
 allow utempter_t xdm_t:fifo_file { write getattr };
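Review bot: `userdom_write_unpriv_user_tmp(utempter_t)` moves this grant out of the ``ifdef(`TODO',`` block, so utempter_t now really gets getattr/write/append on every type carrying the user_tmpfile attribute, not only the `/tmp/.xses-*` files the unchanged comment above it mentions. I would widen that comment so the scope is visible at the call site: `# Allow utempter to write to /tmp/.xses-*; this grants write/append on all user_tmpfile types, not just those files`. The interface defined later in this diff grants no create or unlink, so the exposure is limited to appending to existing user files.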
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 9f884b2..5833654 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -35,6 +35,7 @@ dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
+fs_search_auto_mountpoints(hwclock_t)
 
 term_dontaudit_use_console(hwclock_t)
 term_use_unallocated_tty(hwclock_t)
@@ -81,13 +82,9 @@ allow hwclock_t proc_t:dir r_dir_perms;
 allow hwclock_t proc_t:lnk_file read;
 
 optional_policy(`rhgb.te', `
-allow hwclock_t rhgb_t:process sigchld;
-allow hwclock_t rhgb_t:fd use;
-allow hwclock_t rhgb_t:fifo_file rw_file_perms;
+rhgb_domain(hwclock_t)
 ')
 
-allow hwclock_t autofs_t:dir { search getattr };
-
 optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
 
 optional_policy(`apmd.te', `
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 8a0404d..0605871 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -11,7 +11,6 @@ type hostname_exec_t;
 init_system_domain(hostname_t,hostname_exec_t)
 role system_r types hostname_t;
 
-
 ########################################
 #
 # Local policy
@@ -31,6 +30,7 @@ kernel_dontaudit_use_fd(hostname_t)
 dev_read_sysfs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
+fs_search_auto_mountpoints(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
 term_use_all_user_ttys(hostname_t)
@@ -96,11 +96,7 @@ allow hostname_t proc_t:dir { read getattr lock search ioctl };
 allow hostname_t proc_t:lnk_file read;
 
 optional_policy(`rhgb.te', `
-allow hostname_t rhgb_t:process sigchld;
-allow hostname_t rhgb_t:fd use;
-allow hostname_t rhgb_t:fifo_file { read write };
+rhgb_domain(hostname_t)
 ')
-
-allow hostname_t autofs_t:dir { search getattr };
 ##end daemon_base_domain
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 288427c..04b5831 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -65,6 +65,7 @@ dev_setattr_snd_dev(hotplug_t)
 dev_read_urand(hotplug_t)
 
 fs_getattr_all_fs(hotplug_t)
+fs_search_auto_mountpoints(hotplug_t)
 
 storage_setattr_fixed_disk(hotplug_t)
 storage_setattr_removable_device(hotplug_t)
@@ -142,6 +143,10 @@ optional_policy(`mta.te', `
 	mta_send_mail(hotplug_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(hotplug_t)
+')
+
 optional_policy(`selinux.te',`
 	seutil_newrole_sigchld(hotplug_t)
 ')
@@ -160,17 +165,13 @@ optional_policy(`updfstab.te', `
 ')
 
 ifdef(`TODO',`
-allow hotplug_t autofs_t:dir { search getattr };
 dontaudit hotplug_t sysadm_home_dir_t:dir search;
-optional_policy(`rhgb.te', `
-	allow hotplug_t rhgb_t:process sigchld;
-	allow hotplug_t rhgb_t:fd use;
-	allow hotplug_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+rhgb_domain(hotplug_t)
 ')
 
 allow kernel_t hotplug_etc_t:dir search;
 
-can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 
 # for ps
@@ -181,7 +182,7 @@ optional_policy(`hald.te', `
 	allow hotplug_t hald_t:unix_dgram_socket sendto;
 ')
 
-# this goes to hald:
+# this block goes to hald:
 optional_policy(`hotplug.te',`
 	allow hald_t hotplug_etc_t:dir search;
 	allow hald_t hotplug_etc_t:file { getattr read };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 01f62e8..27e8af2 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -46,6 +46,7 @@ kernel_use_fd(iptables_t)
 dev_read_sysfs(iptables_t)
 
 fs_getattr_xattr_fs(iptables_t)
+fs_search_auto_mountpoints(iptables_t)
 
 term_dontaudit_use_console(iptables_t)
 
@@ -71,6 +72,13 @@ sysnet_domtrans_ifconfig(iptables_t)
 
 userdom_use_all_user_fd(iptables_t)
 
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(iptables_t)
+	term_dontaudit_use_generic_pty(iptables_t)
+
+	files_dontaudit_read_root_file(iptables_t)
+')
+
 tunable_policy(`use_dns',`
 	allow iptables_t self:udp_socket create_socket_perms;
 
@@ -89,6 +97,11 @@ optional_policy(`modutils.te', `
 	modutils_domtrans_insmod(iptables_t)
 ')
 
+optional_policy(`nis.te',`
+	# for iptables -L
+	nis_use_ypbind(iptables_t)
+')
+
 optional_policy(`selinux.te',`
 	seutil_newrole_sigchld(iptables_t)
 ')
@@ -97,26 +110,11 @@ optional_policy(`udev.te', `
 	udev_read_db(iptables_t)
 ')
 
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty(iptables_t)
-	term_dontaudit_use_generic_pty(iptables_t)
-
-	files_dontaudit_read_root_file(iptables_t)
-')
-
 ifdef(`TODO',`
-
-optional_policy(`rhgb.te', `
-allow iptables_t rhgb_t:process sigchld;
-allow iptables_t rhgb_t:fd use;
-allow iptables_t rhgb_t:fifo_file rw_file_perms;
+optional_policy(`rhgb.te',`
+rhgb_domain(iptables_t)
 ')
 
-allow iptables_t autofs_t:dir { search getattr };
-
-# for iptables -L
-can_ypbind(iptables_t)
-
 optional_policy(`gnome-pty-helper.te',`
 	allow iptables_t sysadm_gph_t:fd use;
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index cc05181..433c4f7 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -71,6 +71,8 @@ dev_dontaudit_setattr_scanner(local_login_t)
 # for SSP/ProPolice
 dev_read_urand(local_login_t)
 
+fs_search_auto_mountpoints(local_login_t)
+
 selinux_get_fs_mount(local_login_t)
 selinux_validate_context(local_login_t)
 selinux_compute_access_vector(local_login_t)
@@ -126,6 +128,13 @@ userdom_use_unpriv_users_fd(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
 
+# Red Hat systems seem to have a stray
+# fd open from the initrd
+ifdef(`distro_redhat',`
+	kernel_dontaudit_use_fd(local_login_t)
+	files_dontaudit_read_root_file(local_login_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(local_login_t)
 	fs_read_nfs_symlinks(local_login_t)
@@ -136,20 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_symlinks(local_login_t)
 ')
 
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-optional_policy(`distro_redhat',`
-	kernel_dontaudit_use_fd(local_login_t)
-	files_dontaudit_read_root_file(local_login_t)
+optional_policy(`nis.te',`
+	nis_use_ypbind(local_login_t)
 ')
 
 ifdef(`TODO',`
 
-can_ypbind(local_login_t)
-ifdef(`automount.te', `
-	allow local_login_t autofs_t:dir { search getattr };
-')
-
 allow local_login_t bin_t:dir r_dir_perms;
 allow local_login_t bin_t:notdevfile_class_set r_file_perms;
 allow local_login_t sbin_t:dir r_dir_perms;
@@ -170,7 +171,6 @@ allow local_login_t var_t:lnk_file read;
 
 dontaudit local_login_t sysfs_t:dir search;
 
-allow local_login_t autofs_t:dir r_dir_perms;
 allow local_login_t mnt_t:dir r_dir_perms;
 
 # FIXME: what is this for?
@@ -221,12 +221,14 @@ allow sulogin_t self:msg { send receive };
 
 kernel_read_system_state(sulogin_t)
 
-init_get_script_process_group(sulogin_t)
+fs_search_auto_mountpoints(sulogin_t)
 
 files_read_generic_etc_files(sulogin_t)
 # because file systems are not mounted:
 files_dontaudit_search_isid_type_dir(sulogin_t)
 
+init_get_script_process_group(sulogin_t)
+
 libs_use_ld_so(sulogin_t)
 libs_use_shared_libs(sulogin_t)
 
@@ -259,14 +261,11 @@ ifdef(`sulogin_no_pam', `
 	selinux_compute_user_contexts(sulogin_t)
 ')
 
-ifdef(`TODO',`
-
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-
-can_ypbind(sulogin_t)
-ifdef(`automount.te', `
-	allow sulogin_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(sulogin_t)
 ')
 
+ifdef(`TODO',`
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
 ') dnl endif TODO
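Review bot: `nis_use_ypbind(sulogin_t)` moves a network-facing grant out of the TODO block into live policy for the single-user login program, which runs when, as this file's own comment says, file systems are not mounted and ypbind is unlikely to be running. If a real denial motivated the port it deserves a why-comment, e.g. `# sulogin looks up root via NSS, which may reach ypbind if nsswitch lists nis — confirm`; otherwise dropping the rule keeps sulogin_t at the minimum needed to read the root password entry. The ``ifdef(`TODO',`` block reopened below is closed inside the hunk.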
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 9dc0e2b..4838db1 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -63,6 +63,7 @@ kernel_read_kernel_sysctl(auditd_t)
 dev_read_sysfs(auditd_t)
 
 fs_getattr_all_fs(auditd_t)
+fs_search_auto_mountpoints(auditd_t)
 
 term_dontaudit_use_console(auditd_t)
 
@@ -80,6 +81,8 @@ libs_use_shared_libs(auditd_t)
 
 miscfiles_read_localization(auditd_t)
 
+userdom_dontaudit_use_unpriv_user_fd(auditd_t)
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(auditd_t)
 	term_dontaudit_use_generic_pty(auditd_t)
@@ -97,15 +100,13 @@ optional_policy(`udev.te', `
 ifdef(`TODO',`
 allow auditd_t proc_t:dir r_dir_perms;
 allow auditd_t proc_t:lnk_file read;
-dontaudit auditd_t unpriv_userdomain:fd use;
-allow auditd_t autofs_t:dir { search getattr };
-dontaudit auditd_t sysadm_home_dir_t:dir search;
+
 optional_policy(`rhgb.te', `
-allow auditd_t rhgb_t:process sigchld;
-allow auditd_t rhgb_t:fd use;
-allow auditd_t rhgb_t:fifo_file { read write };
+rhgb_domain(auditd_t)
 ')
 
+dontaudit auditd_t sysadm_home_dir_t:dir search;
+
 # cjp: this is questionable:
 allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
 ') dnl endif TODO
@@ -192,6 +193,8 @@ kernel_read_kernel_sysctl(syslogd_t)
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
 
+fs_search_auto_mountpoints(syslogd_t)
+
 term_dontaudit_use_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
@@ -250,6 +253,14 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(syslogd_t)
 ')
 
+optional_policy(`cron.te',`
+	cron_rw_log(syslogd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(syslogd_t)
+')
+
 optional_policy(`selinux.te',`
 	seutil_newrole_sigchld(syslogd_t)
 ')
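Review bot: `nis_use_ypbind(syslogd_t)` is now conditional on the nis module, while the comment on the old rule removed later in this diff (`# can_network is for the UDP socket`) indicates that grant was doubling as syslogd's UDP socket permission. On a build without nis.te, syslogd forwarding or receiving over UDP would lose that access if it relied on it; the UDP socket for remote syslog should be granted explicitly with corenet_* rules for the syslog port rather than ride on the NIS interface. The optional_policy block is self-contained within the hunk.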
@@ -258,18 +269,11 @@ optional_policy(`udev.te', `
 	udev_read_db(syslogd_t)
 ')
 
-optional_policy(`cron.te',`
-	cron_rw_log(syslogd_t)
-')
-
 ifdef(`TODO',`
 allow syslogd_t proc_t:lnk_file read;
-allow syslogd_t autofs_t:dir { search getattr };
 dontaudit syslogd_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
-	allow syslogd_t rhgb_t:process sigchld;
-	allow syslogd_t rhgb_t:fd use;
-	allow syslogd_t rhgb_t:fifo_file { read write };
+	rhgb_domain(syslogd_t)
 ')
 tunable_policy(`direct_sysadm_daemon',`
 	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
@@ -280,9 +284,6 @@ ifdef(`distro_suse', `
 	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')
 
-# can_network is for the UDP socket
-can_ypbind(syslogd_t)
-
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 8656956..0c9eeb9 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -101,6 +101,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
 term_dontaudit_getattr_all_user_ttys(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
+fs_search_auto_mountpoints(lvm_t)
 
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
@@ -157,9 +158,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-
-allow lvm_t autofs_t:dir { search getattr };
-
 allow lvm_t default_context_t:dir search;
 allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
 
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index a7f4d16..acd8425 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -44,6 +44,7 @@ fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_xattr_fs(mount_t)
+fs_search_auto_mountpoints(mount_t)
 
 term_use_console(mount_t)
 
@@ -88,7 +89,6 @@ ifdef(`distro_redhat',`
 
 optional_policy(`portmap.te', `
 	# for nfs
-	#can_ypbind(mount_t)
 	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
 	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
 	#allow mount_t rpc_pipefs_t:dir search;
@@ -106,6 +106,10 @@ optional_policy(`portmap.te', `
 	corenet_udp_bind_generic_port(mount_t)
 	corenet_tcp_bind_reserved_port(mount_t)
 	corenet_udp_bind_reserved_port(mount_t)
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind(mount_t)
+	')
 ')
 
 ifdef(`TODO',`
@@ -127,13 +131,7 @@ allow mount_t sysadm_gph_t:fd use;
 ')
 
 optional_policy(`rhgb.te', `
-allow mount_t rhgb_t:process sigchld;
-allow mount_t rhgb_t:fd use;
-allow mount_t rhgb_t:fifo_file { read write };
-')
-
-optional_policy(`automount.te', `
-allow mount_t autofs_t:dir read;
+rhgb_domain(mount_t)
 ')
 
 ') dnl endif TODO
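Review bot: The dropped `allow mount_t autofs_t:dir read;` granted `read` (directory listing), whereas its replacement earlier in this diff, `fs_search_auto_mountpoints(mount_t)`, by name grants search; if mount ever readdirs an autofs mount point that becomes a denial. The interface body is not visible here, so confirm what it grants and, if `read` is needed, use a list/read variant of the autofs interface instead. The ``ifdef(`TODO',`` block closes inside the hunk.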
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 739518b..ff2423f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -195,6 +195,7 @@ kernel_read_kernel_sysctl(newrole_t)
 dev_read_urand(newrole_t)
 
 fs_getattr_xattr_fs(newrole_t)
+fs_search_auto_mountpoints(newrole_t)
 
 selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
@@ -234,13 +235,11 @@ if(secure_mode) {
 	userdom_spec_domtrans_all_users(newrole_t)
 }
 
-ifdef(`TODO',`
-
-can_ypbind(newrole)
-ifdef(`automount.te', `
-allow newrole_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(newrole_t)
 ')
 
+ifdef(`TODO',`
 # for when the user types "exec newrole" at the command line
 allow newrole_t privfd:process sigchld;
  
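Review bot: `nis_use_ypbind(newrole_t)` may now be redundant: this diff also makes auth_domtrans_chk_passwd grant nis_use_ypbind to its caller, so if newrole_t invokes that interface for password checking (the call would be outside this hunk) it already receives the NIS access and this block double-grants it. If newrole_t does not go through chkpwd, a why-comment such as `# newrole authenticates via PAM, which may query NIS through NSS` would justify giving a role-change program network access. The TODO block reopened at the end continues outside the hunk.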
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index e4e1bd1..cbccdc3 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -105,6 +105,7 @@ dev_read_sysfs(dhcpc_t)
 dev_read_urand(dhcpc_t)
 
 fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
 
 term_dontaudit_use_console(dhcpc_t)
 term_dontaudit_use_all_user_ttys(dhcpc_t)
@@ -152,10 +153,23 @@ optional_policy(`hostname.te',`
 	hostname_domtrans(dhcpc_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(dhcpc_t)
+	# dhclient sometimes starts ypbind
+	init_exec_script(dhcpc_t)
+	#nis_domtrans_ypbind(dhcpc_t)
+')
+
 optional_policy(`nscd.te',`
 	nscd_domtrans(dhcpc_t)
 ')
 
+optional_policy(`ntpd.te',`
+	# dhclient sometimes starts ntpd
+	init_exec_script(dhcpc_t)
+	ntpd_domtrans(dhcpc_t)
+')
+
 optional_policy(`selinux.te',`
 	seutil_newrole_sigchld(dhcpc_t)
 ')
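Review bot: `#nis_domtrans_ypbind(dhcpc_t)` replaces the live `ypbind_domtrans(dhcpc_t)` removed further down in this diff, so a ypbind started by dhclient-script through `init_exec_script` would now stay in dhcpc_t (or be denied) instead of transitioning to its own domain; if the nis interface does not exist yet, mark it `# TODO: nis_domtrans_ypbind(dhcpc_t) once nis.if provides it` so the dropped transition is not forgotten. `init_exec_script(dhcpc_t)` is also repeated in both the nis and ntpd blocks; it was unconditional before and would be simpler as one call above the optional blocks, since dhclient-script may run init scripts regardless of which of the two modules is present.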
@@ -168,29 +182,13 @@ optional_policy(`userdomain.te',`
 	userdom_use_all_user_fd(dhcpc_t)
 ')
 
-#
-# dhclient sometimes starts ypbind and ntpd
-#
-init_exec_script(dhcpc_t)
-optional_policy(`ypbind.te',`
-	ypbind_domtrans(dhcpc_t)
-')
-optional_policy(`ntpd.te',`
-	ntpd_domtrans(dhcpc_t)
-')
-
 ifdef(`TODO',`
-allow dhcpc_t autofs_t:dir { search getattr };
 dontaudit dhcpc_t sysadm_home_dir_t:dir search;
 
-optional_policy(`rhgb.te', `
-allow dhcpc_t rhgb_t:process sigchld;
-allow dhcpc_t rhgb_t:fd use;
-allow dhcpc_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+rhgb_domain(dhcpc_t)
 ')
 
-can_ypbind(dhcpc_t)
-
 ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@@ -208,15 +206,17 @@ logging_syslogd_transition(dhcpc_t)
 ')dnl end hotplug.te
 
 # for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te',`
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-') dnl end if ping
+optional_policy(`netutils.te',`
+	netutils_domtrans_ping(dhcpc_t)
+
+	optional_policy(`hotplug.te',`
+		allow ping_t hotplug_t:fd use;
+	')
+
+	ifdef(`cardmgr.te',`
+		allow ping_t cardmgr_t:fd use;
+	')
+')
 
 ifdef(`distro_redhat', `
 allow initrc_t dhcp_etc_t:file rw_file_perms;
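Review bot: `allow ping_t hotplug_t:fd use;` and `allow ping_t cardmgr_t:fd use;` are raw rules on a type that, judging by `netutils_domtrans_ping`, belongs to the netutils module, written from sysnetwork.te; the rest of this diff is moving such cross-module rules behind interfaces, so a hotplug fd-use interface applied to ping_t from netutils.te would keep type ownership with its module. The block also mixes ``optional_policy(`hotplug.te',`` with ``ifdef(`cardmgr.te',`` for the same kind of dependency; using optional_policy for both would be consistent. This is hedged, since I cannot see which interfaces hotplug.if and netutils.if currently provide.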
@@ -266,6 +266,7 @@ kernel_dontaudit_search_sysctl_dir(ifconfig_t)
 kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
+fs_search_auto_mountpoints(ifconfig_t)
 
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
@@ -289,22 +290,18 @@ seutil_use_runinit_fd(ifconfig_t)
 
 userdom_use_all_user_fd(ifconfig_t)
 
-ifdef(`TODO',`
-
-can_ypbind(ifconfig_t)
-ifdef(`automount.te', `
-allow ifconfig_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+	nis_use_ypbind(ifconfig_t)
 ')
 
-# Access terminals.
+ifdef(`TODO',`
+
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
 
 optional_policy(`rhgb.te', `
-allow ifconfig_t rhgb_t:process sigchld;
-allow ifconfig_t rhgb_t:fd use;
-allow ifconfig_t rhgb_t:fifo_file { read write };
+rhgb_domain(ifconfig_t)
 ')
 
 ') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 86abffc..4a9c7d6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -137,6 +137,7 @@ template(`base_user_domain',`
 
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
+	fs_search_auto_mountpoints($1_t)
 
 	# for eject
 	storage_getattr_fixed_disk($1_t)
@@ -204,6 +205,10 @@ template(`base_user_domain',`
 		term_getattr_all_user_ttys($1_t)
 	')
 
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_t)
+	')
+
 	optional_policy(`usermanage.te',`
 		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -251,8 +256,6 @@ template(`base_user_domain',`
 
 	r_dir_file($1_t, usercanread)
 
-	can_ypbind($1_t)
-
 	tunable_policy(`allow_execmod',`
 		# Allow text relocations on system shared libraries, e.g. libGL.
 		allow $1_t texrel_shlib_t:file execmod;
@@ -271,8 +274,6 @@ template(`base_user_domain',`
 	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
 	dontaudit $1_t proc_fs:dir { read search };
 
-	allow $1_t autofs_t:dir { getattr search };
-
 	can_exec($1_t, { removable_t noexattrfile } )
 
 	tunable_policy(`user_rw_noexattrfile',`
@@ -299,8 +300,6 @@ template(`base_user_domain',`
 
 	can_resmgrd_connect($1_t)
 
-	can_ypbind($1_t)
-
 	allow $1_t var_lock_t:dir search;
 
 	# Grant permissions to access the system DBus
@@ -385,10 +384,6 @@ template(`base_user_domain',`
 		allow $1_t apmd_var_run_t:sock_file write;
 	')
 
-	ifdef(`automount.te', `
-		allow $1_t autofs_t:dir { getattr search };
-	')
-
 	ifdef(`pamconsole.te', `
 		allow $1_t pam_var_console_t:dir search;
 	')
@@ -418,7 +413,7 @@ template(`user_domain_template', `
 	#typeattribute $1_home_dir_t user_home_dir_type;
 	#typeattribute $1_home_t user_home_type;
 
-	#typeattribute $1_tmp_t, user_tmpfile;
+	typeattribute $1_tmp_t user_tmpfile;
 
 	#typeattribute $1_tty_device_t user_tty_type;
  
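Review bot: `typeattribute $1_tmp_t user_tmpfile;` is asserted inside user_domain_template, but the attribute is declared in userdomain.te in this same diff as "all unprivileged users tmp files" and consumed by `userdom_write_unpriv_user_tmp`; if admin_domain_template (defined below, outside the hunk) is built on user_domain_template, sysadm_tmp_t gets the attribute too and that interface grants write on the admin's tmp files under an "unpriv" name. Either assert the attribute only in the unprivileged template or record the real scope: `# NOTE: every user domain's tmp type, admin included — confirm admin_domain_template does not reuse this`. The neighbouring `#typeattribute` lines remain commented-out code; a TODO comment would be clearer than dead rules.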
@@ -808,11 +803,11 @@ template(`admin_domain_template',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute a shell in all user domains.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -826,11 +821,11 @@ interface(`userdom_spec_domtrans_all_users',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute a shell in all unprivileged user domains.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -844,9 +839,9 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute a shell in the sysadm domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -860,9 +855,9 @@ interface(`userdom_shell_domtrans_sysadm',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write sysadm ttys.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -879,9 +874,9 @@ interface(`userdom_use_sysadm_tty',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read and write sysadm ttys and ptys.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -898,9 +893,9 @@ interface(`userdom_use_sysadm_terms',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Do not audit attempts to use admin ttys and ptys.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -915,9 +910,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Search all users home directories.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -933,9 +928,9 @@ interface(`userdom_search_all_users_home',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read all files in all users home directories.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -953,9 +948,26 @@ interface(`userdom_read_all_user_data',`
 ')
 
 ########################################
-## <desc>
+## <summary>
+##	Write all unprivileged users files in /tmp
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_write_unpriv_user_tmp',`
+	gen_require(`
+		attribute user_tmpfile;
+		class file { getattr write append };
+	')
+
+	allow $1 user_tmpfile:file { getattr write append };
+')
+
+########################################
+## <summary>
 ##	Inherit the file descriptors from all user domains
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
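Review bot: The summary `Write all unprivileged users files in /tmp` overstates what `allow $1 user_tmpfile:file { getattr write append };` grants: no create, unlink or rename, and no search on the /tmp directory itself, which callers presumably still need from a files_* interface. I would state that in the interface header: `## Write (getattr/write/append only; no create or unlink) existing files of unprivileged users in /tmp. The caller must separately be able to search /tmp.` The hunk is self-contained.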
@@ -970,9 +982,9 @@ interface(`userdom_use_all_user_fd',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Send general signals to all user domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -987,9 +999,9 @@ interface(`userdom_signal_all_users',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Send general signals to unprivileged user domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -1004,9 +1016,9 @@ interface(`userdom_signal_unpriv_users',`
 ')
 
 ########################################
-## <desc>
-##	Inherit the file descriptors from all user domains.
-## </desc>
+## <summary>
+##	Inherit the file descriptors from unprivileged user domains.
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -1021,10 +1033,10 @@ interface(`userdom_use_unpriv_users_fd',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Do not audit attempts to inherit the
 ##	file descriptors from all user domains.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 422261e..37e4b91 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -20,6 +20,9 @@ attribute home_type;
 # a user in writing regular files)
 attribute privhome;
 
+# all unprivileged users tmp files
+attribute user_tmpfile;
+
 # all user domains
 attribute userdomain;
 
@@ -107,6 +110,12 @@ optional_policy(`mount.te',`
 	mount_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`netutils.te',`
+	netutils_run(sysadm_t,sysadm_r,admin_terminal)
+	netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+	netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`rpm.te',`
 	rpm_run(sysadm_t,sysadm_r,admin_terminal)
 ')