diff --git a/Changelog b/Changelog
index 0d17563..31d542c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add role infrastructure.
 - Debian updates from Erich Schubert.
 - Add nscd_socket_use() to auth_use_nsswitch().
 - Remove old selopt rules.
diff --git a/Makefile b/Makefile
index 2e2699e..3d88b9c 100644
--- a/Makefile
+++ b/Makefile
@@ -295,17 +295,46 @@ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\
 # Functions
 #
 
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
 # parse-rolemap modulename,outputfile
 define parse-rolemap
 	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
 endef
 
-# peruser-expansion modulename,outputfile
-define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+# perrole-expansion modulename,outputfile
+define perrole-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
 	$(call parse-rolemap,$1,$2)
 	$(verbose) echo "')" >> $2
+
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+	$(call parse-rolemap-compat,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+# create-base-per-role-tmpl modulenames,outputfile
+define create-base-per-role-tmpl
+	$(verbose) echo "define(\`base_per_role_template',\`" >> $2
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
+			>> $2 ;\
+	done
+
+	$(verbose) for i in $1; do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
+		echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
+		echo """$$i""_per_userdomain_template("'$$*'")')"  >> $2 ;\
+	done
+	$(verbose) echo "')" >> $@
+
 endef
 
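Review bot: The closing line of create-base-per-role-tmpl appends to `$@` rather than to the output-file parameter every other line of the define uses (`$(verbose) echo "')" >> $@`); it works today only because both call sites pass `$@` as the second argument, and any caller that passes a different file would get the closing `')` written to the wrong place. Change it to `$(verbose) echo "')" >> $2` so the define depends solely on its arguments, as parse-rolemap and perrole-expansion already do. The two new call sites in Rules.modular and Rules.monolithic also prefix the call with `$(verbose)` although each expanded line already carries its own `$(verbose)`; if that variable expands to `@` the result is a harmless doubled prefix, but the existing `$(call perrole-expansion,…)` line in Rules.modular omits the prefix, so `$(call create-base-per-role-tmpl,…)` should be written the same way in both files.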
 ########################################
diff --git a/Rules.modular b/Rules.modular
index c8018a2..63e60f8 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -71,7 +71,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
 	@echo "Compliling $(NAME) $(@F) module"
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
-	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(call perrole-expansion,$(basename $(@F)),$@.role)
 	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
@@ -120,13 +120,7 @@ $(tmpdir)/generated_definitions.conf: $(base_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) for i in $(patsubst %.te,%,$(base_mods)); do \
-		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
-			>> $@ ;\
-	done
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
 
 $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
diff --git a/Rules.monolithic b/Rules.monolithic
index 745268e..1209145 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -114,11 +114,7 @@ $(tmpdir)/generated_definitions.conf: $(all_te_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 # define all available object classes
 	$(verbose) $(genperm) $(avs) $(secclass) > $@
-# per-userdomain templates:
-	$(verbose) echo "define(\`base_per_userdomain_template',\`" >> $@
-	$(verbose) $(foreach mod,$(basename $(notdir $(all_modules))), \
-		echo "ifdef(\`""$(mod)""_per_userdomain_template',\`""$(mod)""_per_userdomain_template("'$$*'")')" >> $@ ;)
-	$(verbose) echo "')" >> $@
+	$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
 
 $(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
diff --git a/doc/policy.dtd b/doc/policy.dtd
index 7990cff..dddae6a 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -20,9 +20,9 @@
       name CDATA #REQUIRED
       dftval CDATA #REQUIRED>
 <!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?)>
+<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
 <!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+)>
+<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
 <!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
 <!ELEMENT desc (#PCDATA|%inline.class;)*>
 <!ELEMENT param (summary)>
@@ -33,6 +33,8 @@
 <!ATTLIST infoflow 
       type CDATA #REQUIRED
       weight CDATA #IMPLIED>
+<!ELEMENT rolebase EMPTY>
+<!ELEMENT rolecap EMPTY>
 
 <!ATTLIST pre caption CDATA #IMPLIED>
 <!ELEMENT p (#PCDATA|%inline.class;)*>
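Review bot: The new rolebase and rolecap elements are declared without any description of what marking an interface or template with them means, and nothing else on the page defines it, so the DTD is the only place a policy author will look. Add a short `<!-- ... -->` comment immediately above the two `<!ELEMENT ... EMPTY>` declarations stating what each marker signifies and when an interface should carry one rather than the other; the content model `(rolebase|rolecap)?` makes them mutually exclusive, which is worth saying explicitly there too.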
diff --git a/policy/global_tunables b/policy/global_tunables
index 0cb55b8..2b98122 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -536,13 +536,6 @@ gen_tunable(user_rw_noexattrfile,false)
 
 ## <desc>
 ## <p>
-## Allow users to rw usb devices
-## </p>
-## </desc>
-gen_tunable(user_rw_usb,false)
-
-## <desc>
-## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
 ## the same domain and outside users)  disabling this forces FTP passive mode
 ## and may change other protocols.
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index f7b1645..d44693c 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -43,6 +43,7 @@ interface(`amanda_domtrans_recover',`
 ##	The type of the terminal allow the amanda_recover domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`amanda_run_recover',`
 	gen_require(`
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 180f05e..1f97994 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -45,6 +45,7 @@ interface(`apt_domtrans',`
 ##	The type of the terminal allow the apt domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apt_run',`
 	gen_require(`
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 64beebe..12098a2 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -41,6 +41,7 @@ interface(`backup_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`backup_run',`
 	gen_require(`
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 8f6707b..315882e 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -43,6 +43,7 @@ interface(`bootloader_domtrans',`
 ##	The type of the terminal allow the bootloader domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_run',`
 	gen_require(`
@@ -83,6 +84,7 @@ interface(`bootloader_read_config',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bootloader_rw_config',`
 	gen_require(`
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index 84e3852..c5f9e2a 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -47,6 +47,7 @@ interface(`certwatch_domtrans',`
 ##	The type of the terminal allow the certwatch domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`certwatach_run',`
 	gen_require(`
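Review bot: The added `## <rolecap/>` marker is attached to an interface whose name on the following context line is `certwatach_run`, which looks like a misspelling of `certwatch_run` given the module name and the `certwatch_domtrans` interface above it; the marker now carries that misspelled name into the generated role documentation. Renaming is an interface change that needs every caller updated, so it belongs in its own commit, but it should be tracked rather than left as-is.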
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 58a2018..b791540 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -66,6 +66,7 @@ interface(`consoletype_run',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`consoletype_exec',`
 	gen_require(`
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index 875b7d2..8a7ea14 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -43,6 +43,7 @@ interface(`ddcprobe_domtrans',`
 ##	The type of the terminal allow the clock domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ddcprobe_run',`
 	gen_require(`
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 0ca1319..e1bc978 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -42,6 +42,7 @@ interface(`dmesg_domtrans',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmesg_exec',`
 	ifdef(`targeted_policy',`
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
index 70d6044..a2c318f 100644
--- a/policy/modules/admin/dmidecode.if
+++ b/policy/modules/admin/dmidecode.if
@@ -43,6 +43,7 @@ interface(`dmidecode_domtrans',`
 ##	The type of the terminal allow the dmidecode domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dmidecode_run',`
 	gen_require(`
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 5d494be..b4dcfc4 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -71,6 +71,7 @@ interface(`dpkg_domtrans_script',`
 ##	The type of the terminal allow the dpkg domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dpkg_run',`
 	gen_require(`
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 605a394..8d10285 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -43,6 +43,7 @@ interface(`kudzu_domtrans',`
 ##	The type of the terminal allow the kudzu domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kudzu_run',`
 	gen_require(`
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 988ddfc..480120c 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -43,6 +43,7 @@ interface(`logrotate_domtrans',`
 ##	The type of the terminal allow the logrotate domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logrotate_run',`
 	gen_require(`
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 9fdfc1f..e562e6d 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -43,6 +43,7 @@ interface(`netutils_domtrans',`
 ##	The type of the terminal allow the netutils domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run',`
 	gen_require(`
@@ -151,6 +152,7 @@ interface(`netutils_signal_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping',`
 	gen_require(`
@@ -182,6 +184,7 @@ interface(`netutils_run_ping',`
 ##	The type of the terminal allow the ping domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_ping_cond',`
 	gen_require(`
@@ -258,6 +261,7 @@ interface(`netutils_domtrans_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute',`
 	gen_require(`
@@ -289,6 +293,7 @@ interface(`netutils_run_traceroute',`
 ##	The type of the terminal allow the traceroute domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`netutils_run_traceroute_cond',`
 	gen_require(`
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 14f8312..03640ee 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -54,6 +54,7 @@ interface(`portage_domtrans',`
 ##	The type of the terminal allow for portage to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run',`
 	gen_require(`
@@ -394,6 +395,7 @@ interface(`portage_domtrans_gcc_config',`
 ##	The type of the terminal allow for gcc_config to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portage_run_gcc_config',`
 	gen_require(`
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 8d3bac7..1e954d0 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -43,6 +43,7 @@ interface(`quota_domtrans',`
 ##	The type of the terminal allow the quota domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`quota_run',`
 	gen_require(`
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 9b37218..83e3bfe 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -68,6 +68,7 @@ interface(`rpm_domtrans_script',`
 ##	The type of the terminal allow the RPM domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpm_run',`
 	gen_require(`
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 6c493c7..8be3a0c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -127,7 +127,7 @@ template(`su_restricted_domain_template', `
 
 #######################################
 ## <summary>
-##	The per user domain template for the su module.
+##	The per role template for the su module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -158,7 +158,7 @@ template(`su_restricted_domain_template', `
 ##	</summary>
 ## </param>
 #
-template(`su_per_userdomain_template',`
+template(`su_per_role_template',`
 	gen_require(`
 		type su_exec_t;
 		bool secure_mode;
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e0ff588..07e894f 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the sudo module.
+##	The per role template for the sudo module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`sudo_per_userdomain_template',`
+template(`sudo_per_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
index 36c3a48..114fad0 100644
--- a/policy/modules/admin/sxid.if
+++ b/policy/modules/admin/sxid.if
@@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sxid_read_log',`
 	gen_require(`
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
index a8b38c0..4db23aa 100644
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@@ -54,6 +54,7 @@ interface(`tripwire_domtrans_tripwire',`
 ##	The type of the terminal allow the tripwire domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_tripwire',`
 	gen_require(`
@@ -106,6 +107,7 @@ interface(`tripwire_domtrans_twadmin',`
 ##	The type of the terminal allow the twadmin domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twadmin',`
 	gen_require(`
@@ -158,6 +160,7 @@ interface(`tripwire_domtrans_twprint',`
 ##	The type of the terminal allow the twprint domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_twprint',`
 	gen_require(`
@@ -210,6 +213,7 @@ interface(`tripwire_domtrans_siggen',`
 ##	The type of the terminal allow the siggen domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`tripwire_run_siggen',`
 	gen_require(`
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
index b27fb16..fea1445 100644
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@@ -45,6 +45,7 @@ interface(`usbmodules_domtrans',`
 ##	The type of the terminal allow the usbmodules domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usbmodules_run',`
 	gen_require(`
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 9a1c41e..b49086d 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -101,6 +101,7 @@ interface(`usermanage_domtrans_groupadd',`
 ##	The type of the terminal allow the groupadd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
@@ -215,6 +216,7 @@ interface(`usermanage_domtrans_admin_passwd',`
 ##	The type of the terminal allow the admin passwd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
@@ -271,6 +273,7 @@ interface(`usermanage_domtrans_useradd',`
 ##	The type of the terminal allow the useradd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index eb9b4eb..fea1dd4 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -43,6 +43,7 @@ interface(`vpn_domtrans',`
 ##	The type of the terminal allow the vpnc domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`vpn_run',`
 	gen_require(`
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index 4b98c08..d20691e 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the cdrecord module.
+##	The per role template for the cdrecord module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`cdrecord_per_userdomain_template', `
+template(`cdrecord_per_role_template', `
 
 	gen_require(`
 		type cdrecord_exec_t;
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 6215059..6d0eda3 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the ethereal module.
+##	The per role template for the ethereal module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`ethereal_per_userdomain_template',`
+template(`ethereal_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 16b640e..9f197dc 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the evolution module.
+##	The per role template for the evolution module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`evolution_per_userdomain_template',`
+template(`evolution_per_role_template',`
 
 	########################################
 	#
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 592a423..685a656 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the games module.
+##	The per role template for the games module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`games_per_userdomain_template',`
+template(`games_per_role_template',`
 
 	########################################
 	#
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 8ddc30c..5a707ef 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the gift module.
+##	The per role template for the gift module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`gift_per_userdomain_template',`
+template(`gift_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 9d49603..b125e78 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the gpg module.
+##	The per role template for the gpg module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -34,7 +34,7 @@
 ##	</summary>
 ## </param>
 #
-template(`gpg_per_userdomain_template',`
+template(`gpg_per_role_template',`
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t;
 		type gpg_agent_exec_t, pinentry_exec_t;
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 16848bc..16b2ae9 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the irc module.
+##	The per role template for the irc module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`irc_per_userdomain_template',`
+template(`irc_per_role_template',`
 	gen_require(`
 		type irc_exec_t;
 	')
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 53d83fa..8617525 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the java module.
+##	The per role template for the java module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`java_per_userdomain_template',`
+template(`java_per_role_template',`
 	gen_require(`
 		type java_exec_t;
 	')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index 3e2f6da..d85b82c 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -47,6 +47,7 @@ interface(`loadkeys_domtrans',`
 ##	The type of the terminal allow the loadkeys domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`loadkeys_run',`
 	ifdef(`targeted_policy',`
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index ddf08c4..c462bcc 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the lockdev module.
+##	The per role template for the lockdev module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`lockdev_per_userdomain_template',`
+template(`lockdev_per_role_template',`
 	gen_require(`
 		type lockdev_exec_t;
 	')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 4d1b332..06b220f 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the mozilla module.
+##	The per role template for the mozilla module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`mozilla_per_userdomain_template',`
+template(`mozilla_per_role_template',`
 	
 	########################################
 	#
@@ -362,7 +362,7 @@ template(`mozilla_per_userdomain_template',`
 	ifdef(`TODO',`
 		# Java plugin
 		optional_policy(`
-			#reh, these are hacked in types due to the use of the java_per_userdomain_template
+			#reh, these are hacked in types due to the use of the java_per_role_template
 			type $1_mozilla_tmp_t;
 			files_tmp_file($1_mozilla_tmp_t)
 
@@ -374,7 +374,7 @@ template(`mozilla_per_userdomain_template',`
 			type $1_mozilla_home_dir_t;
 			userdom_user_home_content($1,$1_mozilla_home_dir_t)
 
-			java_per_userdomain_template($1_mozilla,$2,$3)
+			java_per_role_template($1_mozilla,$2,$3)
 		')
 
 		######### Launch mplayer
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 347f0fb..45c3bf5 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the mplayer module.
+##	The per role template for the mplayer module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`mplayer_per_userdomain_template',`
+template(`mplayer_per_role_template',`
 
 	########################################
 	#
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index 2a84766..965e988 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the rssh module.
+##	The per role template for the rssh module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -23,7 +23,7 @@
 ##	</summary>
 ## </param>
 #
-template(`rssh_per_userdomain_template',`
+template(`rssh_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index fa61d05..f65b59f 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the screen module.
+##	The per role template for the screen module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`screen_per_userdomain_template',`
+template(`screen_per_role_template',`
 	gen_require(`
 		type screen_dir_t, screen_exec_t;
 	')
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 0c84014..839142d 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the thunderbird module.
+##	The per role template for the thunderbird module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`thunderbird_per_userdomain_template',`
+template(`thunderbird_per_role_template',`
 
 	########################################
 	#
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 22c035f..f743169 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the tvtime module.
+##	The per role template for the tvtime module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`tvtime_per_userdomain_template',`
+template(`tvtime_per_role_template',`
 
 	########################################
 	#
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 8be916a..a599b7d 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -2,7 +2,7 @@
 	
 #######################################
 ## <summary>
-##	The per user domain template for the uml module.
+##	The per role template for the uml module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`uml_per_userdomain_template',`
+template(`uml_per_role_template',`
 	
 	########################################
 	#
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index 7447019..e755216 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the userhelper module.
+##	The per role template for the userhelper module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`userhelper_per_userdomain_template',`
+template(`userhelper_per_role_template',`
 	gen_require(`
 		type userhelper_exec_t, userhelper_conf_t;
 	')
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 06d73e3..49a9779 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -47,6 +47,7 @@ interface(`usernetctl_domtrans',`
 ##	The type of the terminal allow the usernetctl domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`usernetctl_run',`
 	gen_require(`
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 1f63d96..8ed664a 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the vmware module.
+##	The per role template for the vmware module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`vmware_per_userdomain_template',`
+template(`vmware_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index 642ba83..b754943 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -43,6 +43,7 @@ interface(`webalizer_domtrans',`
 ##	The type of the terminal allow the webalizer domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`webalizer_run',`
 	gen_require(`
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index 450fb4e..57e30ea 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -44,6 +44,7 @@ interface(`yam_domtrans',`
 ##	The type of the terminal allow the yam domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`yam_run',`
 	gen_require(`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 1514fde..8eb3a9e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -920,6 +920,7 @@ interface(`corecmd_exec_chroot',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_exec_all_executables',`
 	gen_require(`
@@ -941,6 +942,7 @@ interface(`corecmd_exec_all_executables',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_manage_all_executables',`
 	gen_require(`
@@ -962,6 +964,7 @@ interface(`corecmd_manage_all_executables',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`corecmd_relabel_all_executables',`
 	gen_require(`
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e17a5d5..8583729 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -55,6 +55,7 @@ interface(`dev_node',`
 ##	Domain allowed to relabel.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_relabel_all_dev_nodes',`
 	gen_require(`
@@ -389,6 +390,25 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
 
 ########################################
 ## <summary>
+##	Create symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_symlinks',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_t:lnk_file create;
+')
+
+########################################
+## <summary>
 ##	Delete symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
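Review bot: dev_create_generic_symlinks correctly lists `type device_t;` in its gen_require before using device_t, but the two sibling interfaces added further down this file, dev_create_all_blk_files and dev_create_all_chr_files, use `device_t:dir add_entry_dir_perms` while requiring only `attribute device_node;`. In the modular build a calling module that does not already have device_t in scope would presumably fail at checkmodule time, so their gen_require blocks should list both `attribute device_node;` and `type device_t;`. Those two interfaces also grant `self:capability mknod` in addition to create on every device_node type; the summaries read only "Create all block device files" / "Create all character device files", so each should say that the mknod capability is granted as well, for example `##	Create all block device files (also grants the mknod capability).`.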
@@ -402,7 +422,7 @@ interface(`dev_delete_generic_symlinks',`
 		type device_t;
 	')
 
-	allow $1 device_t:dir { getattr read write remove_name };
+	allow $1 device_t:dir del_entry_dir_perms;
 	allow $1 device_t:lnk_file unlink;
 ')
 
@@ -576,6 +596,7 @@ interface(`dev_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_getattr_all_blk_files',`
 	gen_require(`
@@ -612,6 +633,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_getattr_all_chr_files',`
 	gen_require(`
@@ -648,6 +670,7 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_setattr_all_blk_files',`
 	gen_require(`
@@ -667,6 +690,7 @@ interface(`dev_setattr_all_blk_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dev_setattr_all_chr_files',`
 	gen_require(`
@@ -715,6 +739,122 @@ interface(`dev_dontaudit_read_all_chr_files',`
 
 ########################################
 ## <summary>
+##	Create all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 self:capability mknod;
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_node:blk_file create;
+')
+
+########################################
+## <summary>
+##	Create all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 self:capability mknod;
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 device_node:chr_file create;
+')
+
+########################################
+## <summary>
+##	Delete all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir del_entry_dir_perms;
+	allow $1 device_node:blk_file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Delete all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir del_entry_dir_perms;
+	allow $1 device_node:chr_file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Rename all block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:blk_file rename;
+')
+
+########################################
+## <summary>
+##	Rename all character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rename_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	allow $1 device_t:dir rw_dir_perms;
+	allow $1 device_node:chr_file rename;
+')
+
+########################################
+## <summary>
 ##	Read, write, create, and delete all block device files.
 ## </summary>
 ## <param name="domain">
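Review bot: All six interfaces added in this hunk (`dev_create_all_blk_files` through `dev_rename_all_chr_files`) write rules on `device_t:dir`, yet each `gen_require` block declares only `attribute device_node;`, so `device_t` is never required. Compare `dev_create_generic_symlinks` earlier in this file, which does require `type device_t;`; in a loadable module that has not otherwise required the type these interfaces will fail at build time with an unknown-type error. Add `type device_t;` next to `attribute device_node;` in each of the six blocks. Separately, the two create interfaces also grant `self:capability mknod`, which is the same order of privilege as the `dev_*_all_*` interfaces tagged `## <rolecap/>` elsewhere in this commit, so consider tagging these new interfaces the same way so the generated role documentation stays complete.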
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 3150795..6f30f63 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.20)
+policy_module(devices,1.1.21)
 
 ########################################
 #
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 3de6530..d1b3087 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -218,6 +218,7 @@ interface(`domain_role_change_exemption',`
 ##	The process type to make an exception to the constraint.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_obj_id_change_exemption',`
 	gen_require(`
@@ -400,6 +401,7 @@ interface(`domain_sigchld_interactive_fds',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_setpriority_all_domains',`
 	gen_require(`
@@ -418,6 +420,7 @@ interface(`domain_setpriority_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_signal_all_domains',`
 	gen_require(`
@@ -436,6 +439,7 @@ interface(`domain_signal_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_signull_all_domains',`
 	gen_require(`
@@ -454,6 +458,7 @@ interface(`domain_signull_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_sigstop_all_domains',`
 	gen_require(`
@@ -472,6 +477,7 @@ interface(`domain_sigstop_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_sigchld_all_domains',`
 	gen_require(`
@@ -490,6 +496,7 @@ interface(`domain_sigchld_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_kill_all_domains',`
 	gen_require(`
@@ -547,6 +554,7 @@ interface(`domain_dontaudit_search_all_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_read_all_domains_state',`
 	gen_require(`
@@ -568,6 +576,7 @@ interface(`domain_read_all_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_getattr_all_domains',`
 	gen_require(`
@@ -604,6 +613,7 @@ interface(`domain_dontaudit_getattr_all_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_read_confined_domains_state',`
 	gen_require(`
@@ -628,6 +638,7 @@ interface(`domain_read_confined_domains_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_getattr_confined_domains',`
 	gen_require(`
@@ -646,6 +657,7 @@ interface(`domain_getattr_confined_domains',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_ptrace_all_domains',`
 	gen_require(`
@@ -1090,6 +1102,7 @@ interface(`domain_read_all_entry_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`domain_exec_all_entry_files',`
 	gen_require(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4123678..8ade7e6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -510,6 +510,7 @@ interface(`files_execmod_all_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_non_security_files',`
 	gen_require(`
@@ -704,6 +705,7 @@ interface(`files_dontaudit_getattr_non_security_chr_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_all_symlinks',`
 	gen_require(`
@@ -882,6 +884,7 @@ interface(`files_read_all_chr_files',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_relabel_all_files',`
 	gen_require(`
@@ -916,6 +919,7 @@ interface(`files_relabel_all_files',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_all_files',`
 	gen_require(`
@@ -1355,6 +1359,7 @@ interface(`files_boot_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_boot_files',`
 	gen_require(`
@@ -1452,6 +1457,7 @@ interface(`files_read_kernel_img',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_create_kernel_img',`
 	gen_require(`
@@ -1472,6 +1478,7 @@ interface(`files_create_kernel_img',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_kernel',`
 	gen_require(`
@@ -1803,6 +1810,7 @@ interface(`files_dontaudit_write_etc_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_rw_etc_files',`
 	gen_require(`
@@ -1824,6 +1832,7 @@ interface(`files_rw_etc_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_etc_files',`
 	gen_require(`
@@ -1939,6 +1948,7 @@ interface(`files_etc_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_create_boot_flag',`
 	gen_require(`
@@ -1960,6 +1970,7 @@ interface(`files_create_boot_flag',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_etc_runtime_files',`
 	gen_require(`
@@ -2001,6 +2012,7 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_rw_etc_runtime_files',`
 	gen_require(`
@@ -2022,6 +2034,7 @@ interface(`files_rw_etc_runtime_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_etc_runtime_files',`
 	gen_require(`
@@ -2436,6 +2449,24 @@ interface(`files_home_filetrans',`
 
 ########################################
 ## <summary>
+##	Get the attributes of lost+found directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_lost_found_dirs',`
+	gen_require(`
+		type lost_found_t;
+	')
+
+	allow $1 lost_found_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete objects in
 ##	lost+found directories.
 ## </summary>
@@ -2444,6 +2475,7 @@ interface(`files_home_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_lost_found',`
 	gen_require(`
@@ -2538,6 +2570,7 @@ interface(`files_mounton_mnt',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_mnt_dirs',`
 	gen_require(`
@@ -2708,6 +2741,7 @@ interface(`files_delete_kernel_modules',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_manage_kernel_modules',`
 	gen_require(`
@@ -2776,6 +2810,7 @@ interface(`files_kernel_modules_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_list_world_readable',`
 	gen_require(`
@@ -2794,6 +2829,7 @@ interface(`files_list_world_readable',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_world_readable_files',`
 	gen_require(`
@@ -2812,6 +2848,7 @@ interface(`files_read_world_readable_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_world_readable_symlinks',`
 	gen_require(`
@@ -3902,6 +3939,7 @@ interface(`files_manage_generic_locks',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_all_locks',`
 	gen_require(`
@@ -4139,6 +4177,7 @@ interface(`files_dontaudit_ioctl_all_pids',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_read_all_pids',`
 	gen_require(`
@@ -4179,6 +4218,7 @@ interface(`files_mounton_all_poly_members',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`files_delete_all_pids',`
 	gen_require(`
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9f2ed2c..5a7769c 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -96,6 +96,7 @@ interface(`fs_associate_noxattr',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_noxattr',`
 	gen_require(`
@@ -177,6 +178,7 @@ interface(`fs_unmount_xattr_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_xattr_fs',`
 	gen_require(`
@@ -237,6 +239,7 @@ interface(`fs_relabelfrom_xattr_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_get_xattr_fs_quotas',`
 	gen_require(`
@@ -256,6 +259,7 @@ interface(`fs_get_xattr_fs_quotas',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_set_xattr_fs_quotas',`
 	gen_require(`
@@ -369,6 +373,7 @@ interface(`fs_search_auto_mountpoints',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_list_auto_mountpoints',`
 	gen_require(`
@@ -442,6 +447,7 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_register_binary_executable_type',`
 	gen_require(`
@@ -517,6 +523,7 @@ interface(`fs_unmount_cifs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_cifs',`
 	gen_require(`
@@ -591,6 +598,7 @@ interface(`fs_dontaudit_list_cifs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_read_cifs_files',`
 	gen_require(`
@@ -622,6 +630,24 @@ interface(`fs_list_noxattr_fs',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all noxattrfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_dirs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read all noxattrfs files.
 ## </summary>
 ## <param name="domain">
@@ -642,6 +668,25 @@ interface(`fs_read_noxattr_fs_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete all noxattrfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_files',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir rw_dir_perms;
+	allow $1 noxattrfs:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read all noxattrfs symbolic links.
 ## </summary>
 ## <param name="domain">
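Review bot: `fs_manage_noxattr_fs_files` here, and `fs_manage_noxattr_fs_dirs` in the previous hunk, grant create/write/delete over every filesystem carrying the `noxattrfs` attribute, which is a superset of `fs_manage_cifs_files` and `fs_manage_nfs_files`; those two receive `## <rolecap/>` in this same commit, but the new, broader interfaces do not. If the tag is meant to mark interfaces that roles may be granted, add `## <rolecap/>` after `## </param>` in both new doc blocks; if the omission is deliberate, a sentence in each summary saying so would stop the next reader from "fixing" it.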
@@ -727,6 +772,7 @@ interface(`fs_read_cifs_symlinks',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_cifs_files',`
 	gen_require(`
@@ -747,6 +793,7 @@ interface(`fs_exec_cifs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_cifs_dirs',`
 	gen_require(`
@@ -786,6 +833,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_cifs_files',`
 	gen_require(`
@@ -989,6 +1037,7 @@ interface(`fs_unmount_dos_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_dos_fs',`
 	gen_require(`
@@ -1164,6 +1213,7 @@ interface(`fs_unmount_iso9660_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_iso9660_fs',`
 	gen_require(`
@@ -1258,6 +1308,7 @@ interface(`fs_unmount_nfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_nfs',`
 	gen_require(`
@@ -1331,6 +1382,7 @@ interface(`fs_dontaudit_list_nfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_read_nfs_files',`
 	gen_require(`
@@ -1388,6 +1440,7 @@ interface(`fs_write_nfs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_exec_nfs_files',`
 	gen_require(`
@@ -1650,6 +1703,7 @@ interface(`fs_read_rpc_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_dirs',`
 	gen_require(`
@@ -1689,6 +1743,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_files',`
 	gen_require(`
@@ -1729,6 +1784,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_manage_nfs_symlinks',`
 	gen_require(`
@@ -2445,6 +2501,7 @@ interface(`fs_unmount_tmpfs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_tmpfs',`
 	gen_require(`
@@ -2968,6 +3025,7 @@ interface(`fs_unmount_all_fs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_getattr_all_fs',`
 	gen_require(`
@@ -3005,6 +3063,7 @@ interface(`fs_dontaudit_getattr_all_fs',`
 ##	The type of the domain getting quotas.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_get_all_fs_quotas',`
 	gen_require(`
@@ -3023,6 +3082,7 @@ interface(`fs_get_all_fs_quotas',`
 ##	The type of the domain setting quotas.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fs_set_all_quotas',`
 	gen_require(`
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e5f3a6d..2aa08cc 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -324,6 +324,7 @@ interface(`kernel_link_key',`
 ##	The process type allowed to read the ring buffer.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_ring_buffer',`
 	gen_require(`
@@ -360,6 +361,7 @@ interface(`kernel_dontaudit_read_ring_buffer',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_change_ring_buffer_level',`
 	gen_require(`
@@ -378,6 +380,7 @@ interface(`kernel_change_ring_buffer_level',`
 ##	The process type clearing the buffer.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_clear_ring_buffer',`
 	gen_require(`
@@ -653,6 +656,7 @@ interface(`kernel_read_proc_symlinks',`
 ##	The process type reading the system state information.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_system_state',`
 	gen_require(`
@@ -673,6 +677,7 @@ interface(`kernel_read_system_state',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 # cjp: this should probably go away.  any
 # file thats writable in proc should really
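Review bot: This hunk advertises `## <rolecap/>` on an interface whose own comment two lines later says `this should probably go away`; exposing it as a role capability makes that removal harder, since roles will start depending on it. Either drop the tag here or resolve the older comment first. The interface definition itself lies outside the hunk.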
@@ -734,6 +739,7 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
 ##	The process type reading software raid state.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_software_raid_state',`
 	gen_require(`
@@ -910,7 +916,7 @@ interface(`kernel_search_network_state',`
 ##	The process type reading the state.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_network_state',`
 	gen_require(`
@@ -932,7 +938,6 @@ interface(`kernel_read_network_state',`
 ##	The process type reading the state.
 ##	</summary>
 ## </param>
-##
 #
 interface(`kernel_read_network_state_symlinks',`
 	gen_require(`
@@ -1114,6 +1119,7 @@ interface(`kernel_read_sysctl',`
 ##	The process type to allow to read the device sysctls.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_device_sysctls',`
 	gen_require(`
@@ -1135,6 +1141,7 @@ interface(`kernel_read_device_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_device_sysctls',`
 	gen_require(`
@@ -1155,7 +1162,6 @@ interface(`kernel_rw_device_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
 #
 interface(`kernel_search_vm_sysctl',`
 	gen_require(`
@@ -1174,7 +1180,7 @@ interface(`kernel_search_vm_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_vm_sysctls',`
 	gen_require(`
@@ -1195,6 +1201,7 @@ interface(`kernel_read_vm_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_vm_sysctls',`
 	gen_require(`
@@ -1255,7 +1262,7 @@ interface(`kernel_dontaudit_search_network_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_net_sysctls',`
 	gen_require(`
@@ -1277,6 +1284,7 @@ interface(`kernel_read_net_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_net_sysctls',`
 	gen_require(`
@@ -1299,6 +1307,7 @@ interface(`kernel_rw_net_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_unix_sysctls',`
 	gen_require(`
@@ -1321,6 +1330,7 @@ interface(`kernel_read_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_unix_sysctls',`
 	gen_require(`
@@ -1342,6 +1352,7 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_hotplug_sysctls',`
 	gen_require(`
@@ -1363,6 +1374,7 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_hotplug_sysctls',`
 	gen_require(`
@@ -1384,6 +1396,7 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_modprobe_sysctls',`
 	gen_require(`
@@ -1405,6 +1418,7 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_modprobe_sysctls',`
 	gen_require(`
@@ -1483,6 +1497,7 @@ interface(`kernel_dontaudit_write_kernel_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_kernel_sysctl',`
 	gen_require(`
@@ -1504,6 +1519,7 @@ interface(`kernel_rw_kernel_sysctl',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_fs_sysctls',`
 	gen_require(`
@@ -1525,6 +1541,7 @@ interface(`kernel_read_fs_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_fs_sysctls',`
 	gen_require(`
@@ -1546,6 +1563,7 @@ interface(`kernel_rw_fs_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_irq_sysctls',`
 	gen_require(`
@@ -1566,7 +1584,7 @@ interface(`kernel_read_irq_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_rw_irq_sysctls',`
 	gen_require(`
@@ -1587,7 +1605,7 @@ interface(`kernel_rw_irq_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_read_rpc_sysctls',`
 	gen_require(`
@@ -1609,7 +1627,7 @@ interface(`kernel_read_rpc_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-##
+## <rolecap/>
 #
 interface(`kernel_rw_rpc_sysctls',`
 	gen_require(`
@@ -1649,6 +1667,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_read_all_sysctls',`
 	gen_require(`
@@ -1672,6 +1691,7 @@ interface(`kernel_read_all_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kernel_rw_all_sysctls',`
 	gen_require(`
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index ed1e022..a78c551 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -13,6 +13,7 @@
 ##	Domain target for user exemption.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mcs_killall',`
 	gen_require(`
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3b38c83..8a1e89c 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -21,6 +21,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_read_up',`
 	gen_require(`
@@ -40,6 +41,7 @@ interface(`mls_file_read_up',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_write_down',`
 	gen_require(`
@@ -59,6 +61,7 @@ interface(`mls_file_write_down',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_upgrade',`
 	gen_require(`
@@ -78,6 +81,7 @@ interface(`mls_file_upgrade',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_downgrade',`
 	gen_require(`
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f10b677..8ee0795 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -106,6 +106,7 @@ interface(`selinux_dontaudit_read_fs',`
 ##	The process type to allow to get the enforcing mode.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_get_enforce_mode',`
 	gen_require(`
@@ -136,6 +137,7 @@ interface(`selinux_get_enforce_mode',`
 ##	The process type to allow to set the enforcement mode.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_enforce_mode',`
 	gen_require(`
@@ -209,6 +211,7 @@ interface(`selinux_load_policy',`
 ##	The process type allowed to set the Boolean.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_boolean',`
 	gen_require(`
@@ -249,6 +252,7 @@ interface(`selinux_set_boolean',`
 ##	The process type to allow to set security parameters.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_set_parameters',`
 	gen_require(`
@@ -272,6 +276,7 @@ interface(`selinux_set_parameters',`
 ##	The process type permitted to validate contexts.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_validate_context',`
 	gen_require(`
@@ -292,6 +297,7 @@ interface(`selinux_validate_context',`
 ##	The process type allowed to compute an access vector.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_compute_access_vector',`
 	gen_require(`
@@ -312,6 +318,7 @@ interface(`selinux_compute_access_vector',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`selinux_compute_create_context',`
 	gen_require(`
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index ce3bc65..0b8fa12 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -147,6 +147,7 @@ interface(`term_create_pty',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_terms',`
 	gen_require(`
@@ -168,6 +169,7 @@ interface(`term_use_all_terms',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_write_console',`
 	gen_require(`
@@ -187,6 +189,7 @@ interface(`term_write_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_read_console',`
 	gen_require(`
@@ -206,6 +209,7 @@ interface(`term_read_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_console',`
 	gen_require(`
@@ -245,6 +249,7 @@ interface(`term_dontaudit_use_console',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_console',`
 	gen_require(`
@@ -560,6 +565,7 @@ interface(`term_dontaudit_use_ptmx',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_all_user_ptys',`
 	gen_require(`
@@ -603,6 +609,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_all_user_ptys',`
 	gen_require(`
@@ -641,6 +648,7 @@ interface(`term_relabelto_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_user_ptys',`
 	gen_require(`
@@ -704,6 +712,7 @@ interface(`term_relabel_all_user_ptys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_unallocated_ttys',`
 	gen_require(`
@@ -743,6 +752,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_unallocated_ttys',`
 	gen_require(`
@@ -880,6 +890,7 @@ interface(`term_write_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_unallocated_ttys',`
 	gen_require(`
@@ -919,6 +930,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_getattr_all_user_ttys',`
 	gen_require(`
@@ -960,6 +972,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_setattr_all_user_ttys',`
 	gen_require(`
@@ -1018,6 +1031,7 @@ interface(`term_write_all_user_ttys',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`term_use_all_user_ttys',`
 	gen_require(`
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index d263fc3..89bd811 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -241,7 +241,7 @@ template(`apache_content_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the apache module.
+##	The per role template for the apache module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -271,7 +271,7 @@ template(`apache_content_template',`
 ##	</summary>
 ## </param>
 #
-template(`apache_per_userdomain_template', `
+template(`apache_per_role_template', `
 	gen_require(`
 		attribute httpdcontent, httpd_script_domains;
 		attribute httpd_exec_scripts;
@@ -513,6 +513,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_manage_all_content',`
 	gen_require(`
@@ -558,6 +559,7 @@ interface(`apache_rw_cache_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_read_config',`
 	gen_require(`
@@ -638,6 +640,7 @@ interface(`apache_domtrans_helper',`
 ##	The type of the terminal allow the dmidecode domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_run_helper',`
 	gen_require(`
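Review bot: The parameter summary this hunk tags reads `The type of the terminal allow the dmidecode domain to use.` although the interface is `apache_run_helper`; with `<rolecap/>` added, the copy-pasted module name will now be carried into the generated role documentation. Since the commit is already editing this doc block, change the line to `The type of the terminal allow the apache helper domain to use.`. The interface body continues outside the hunk.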
@@ -659,6 +662,7 @@ interface(`apache_run_helper',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`apache_read_log',`
 	gen_require(`
@@ -825,6 +829,7 @@ interface(`apache_domtrans_rotatelogs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 # Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
 interface(`apache_manage_sys_content',`
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 62fffb3..6266137 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -61,6 +61,7 @@ interface(`bind_signal',`
 ##	The type of the terminal allow the bind domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bind_run_ndc',`
 	gen_require(`
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 8eefbb5..dcbb5aa 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -103,6 +103,7 @@ interface(`bluetooth_dbus_chat',`
 ##	The type of the terminal allow the bluetooth_helper domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`bluetooth_run_helper',`
 	gen_require(`
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index 9d4c892..cc5e29d 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -40,6 +40,7 @@ interface(`clockspeed_domtrans_cli',`
 ##	The type of the terminal allow the clockspeed_cli domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`clockspeed_run_cli',`
 	gen_require(`
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index d6de082..59d8735 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the cron module.
+##	The per role template for the cron module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -33,7 +33,7 @@
 ##	</summary>
 ## </param>
 #
-template(`cron_per_userdomain_template',`
+template(`cron_per_role_template',`
 	gen_require(`
 		attribute cron_spool_type;
 		type crond_t, cron_spool_t, crontab_exec_t;
@@ -277,6 +277,7 @@ template(`cron_per_userdomain_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`cron_admin_template',`
 	gen_require(`
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index b144ee9..bd14c17 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -151,6 +151,7 @@ interface(`cups_dbus_chat_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_config',`
 	gen_require(`
@@ -172,6 +173,7 @@ interface(`cups_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_rw_config',`
 	gen_require(`
@@ -192,6 +194,7 @@ interface(`cups_read_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`cups_read_log',`
 	gen_require(`
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 605f253..f971482 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -18,7 +18,7 @@ interface(`dbus_stub',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the dbus module.
+##	The per role template for the dbus module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -48,7 +48,7 @@ interface(`dbus_stub',`
 ##	</summary>
 ## </param>
 #
-template(`dbus_per_userdomain_template',`
+template(`dbus_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index ea9083f..0f3a273 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -42,6 +42,7 @@ interface(`dcc_domtrans_cdcc',`
 ##	The type of the terminal allow the cdcc domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_cdcc',`
 	gen_require(`
@@ -95,6 +96,7 @@ interface(`dcc_domtrans_client',`
 ##	The type of the terminal allow the dcc_client domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_client',`
 	gen_require(`
@@ -148,6 +150,7 @@ interface(`dcc_domtrans_dbclean',`
 ##	The type of the terminal allow the dcc_dbclean domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`dcc_run_dbclean',`
 	gen_require(`
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index e31a0fc..266d62c 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the ftp module.
+##	The per role template for the ftp module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -23,7 +23,7 @@
 ##	</summary>
 ## </param>
 #
-template(`ftp_per_userdomain_template',`
+template(`ftp_per_role_template',`
 	tunable_policy(`ftpd_is_daemon',`
 		userdom_manage_user_home_content_files($1,ftpd_t)
 		userdom_manage_user_home_content_symlinks($1,ftpd_t)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 39ce526..8fe6b8d 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -88,6 +88,7 @@ interface(`inn_manage_pid',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+
 #
 interface(`inn_read_config',`
 	gen_require(`
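Review bot: The line added above `#` in the `inn_read_config` header is empty rather than `## <rolecap/>`, unlike every other `*_read_config` interface touched by this commit (cups, kerberos, ldap, mysql, samba, squid, …), so inn_read_config will presumably not be collected as a role capability by the new infrastructure. A bare blank line inside a `##` doc block may also be treated as the end of the interface header by the documentation parser. The added line should read `## <rolecap/>`; the interface body continues outside the hunk.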
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index b700f65..a475645 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -70,6 +70,7 @@ interface(`kerberos_use',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_read_config',`
 	gen_require(`
@@ -108,6 +109,7 @@ interface(`kerberos_dontaudit_write_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_rw_config',`
 	gen_require(`
@@ -127,6 +129,7 @@ interface(`kerberos_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`kerberos_read_keytab',`
 	gen_require(`
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 5565567..c954c2b 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -28,6 +28,7 @@ interface(`ldap_list_db',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ldap_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index 5b19184..ad18018 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the lpd module.
+##	The per role template for the lpd module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -32,7 +32,7 @@
 ##	</summary>
 ## </param>
 #
-template(`lpd_per_userdomain_template',`
+template(`lpd_per_role_template',`
 	gen_require(`
 		type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
 	')
@@ -215,6 +215,7 @@ template(`lpd_per_userdomain_template',`
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`lpr_admin_template',`
 	gen_require(`
@@ -273,6 +274,7 @@ interface(`lpd_domtrans_checkpc',`
 ##	The type of the terminal allow the lpd domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_run_checkpc',`
 	gen_require(`
@@ -334,6 +336,7 @@ interface(`lpd_manage_spool',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lpd_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 680594b..c769a83 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -144,7 +144,7 @@ template(`mta_base_mail_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the mta module.
+##	The per role template for the mta module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -175,7 +175,7 @@ template(`mta_base_mail_template',`
 ##	</summary>
 ## </param>
 #
-template(`mta_per_userdomain_template',`
+template(`mta_per_role_template',`
 
 	##############################
 	#
@@ -255,6 +255,7 @@ template(`mta_per_userdomain_template',`
 ##	The type of the user domain.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 template(`mta_admin_template',`
 	gen_require(`
@@ -523,6 +524,7 @@ interface(`mta_sendmail_exec',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mta_read_config',`
 	gen_require(`
@@ -582,6 +584,7 @@ interface(`mta_etc_filetrans_aliases',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mta_rw_aliases',`
 	gen_require(`
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index aca3c63..80e2098 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -30,6 +30,7 @@ interface(`munin_stream_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`munin_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 9fe9237..b75e9d0 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -27,6 +27,7 @@ interface(`mysql_signal',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mysql_stream_connect',`
 	gen_require(`
@@ -47,6 +48,7 @@ interface(`mysql_stream_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mysql_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index a8975bf..6aa14d2 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`nagios_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index e78f9aa..129e470 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -72,6 +72,7 @@ interface(`nis_use_ypbind_uncond',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`nis_use_ypbind',`
 	gen_require(`
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 122b069..8f28e33 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -44,6 +44,7 @@ interface(`oav_domtrans_update',`
 ##	The type of the terminal allow the oav_update domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`oav_run_update',`
 	gen_require(`
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index 78bbc4b..b21e1ce 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -10,6 +10,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`openvpn_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 3376997..5cc32e7 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -45,6 +45,7 @@ interface(`portmap_domtrans_helper',`
 ##	The type of the terminal allow the portmap domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`portmap_run_helper',`
 	gen_require(`
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index b6c9bb1..ab9632b 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -187,7 +187,7 @@ template(`postfix_user_domain_template',`
 
 ########################################
 ## <summary>
-##	The per-userdomain template for the postfix module.
+##	The per role template for the postfix module.
 ## </summary>
 ## <param name="prefix">
 ##	<summary>
@@ -201,7 +201,7 @@ template(`postfix_user_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`postfix_per_userdomain_template',`
+template(`postfix_per_role_template',`
 	gen_require(`
 		attribute postfix_user_domains;
 		type postfix_postdrop_t;
@@ -223,6 +223,7 @@ template(`postfix_per_userdomain_template',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postfix_read_config',`
 	gen_require(`
@@ -349,6 +350,7 @@ interface(`postfix_domtrans_map',`
 ##	The type of the terminal allow the postfix_map domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postfix_run_map',`
 	gen_require(`
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index c842eb7..2025d03 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -69,6 +69,7 @@ interface(`postgresql_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postgresql_read_config',`
 	gen_require(`
@@ -104,6 +105,7 @@ interface(`postgresql_tcp_connect',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index afec620..d6453d2 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -107,6 +107,7 @@ interface(`ppp_domtrans',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ppp_run_cond',`
 	gen_require(`
@@ -130,6 +131,7 @@ interface(`ppp_run_cond',`
 ##	 Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ppp_run',`
 	gen_require(`
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index ef23b07..c611aa5 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -47,7 +47,7 @@ interface(`pyzor_exec',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the pyzor module.
+##	The per role template for the pyzor module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -68,7 +68,7 @@ interface(`pyzor_exec',`
 ##	</summary>
 ## </param>
 #
-template(`pyzor_per_userdomain_template',`
+template(`pyzor_per_role_template',`
 	type $1_pyzor_home_t;
 	userdom_user_home_content($1,$1_pyzor_home_t)
 
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a9ac709..09a3863 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -2,7 +2,7 @@
 
 #######################################
 ## <summary>
-##      The per user domain template for qmail
+##      The per role template for qmail
 ## </summary>
 ## <desc>
 ##      <p>
@@ -28,7 +28,7 @@
 ##      </summary>
 ## </param>
 #
-template(`qmail_per_userdomain_template',`
+template(`qmail_per_role_template',`
 	gen_require(`
 		attribute qmail_user_domains;
 	')
@@ -163,6 +163,7 @@ interface(`qmail_domtrans_queue',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`qmail_read_config',`
 	gen_require(`
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 26b3637..9a1bff6 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -101,11 +101,11 @@ template(`razor_common_domain_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the razor module.
+##	The per role template for the razor module.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The per user domain template for the razor module.
+##	The per role template for the razor module.
 ##	</p>
 ##	<p>
 ##	This template is invoked automatically for each user, and
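Review bot: The `<desc>` paragraph of `razor_per_role_template` still says the template "is invoked automatically for each user", which is now inconsistent with the per-role naming this commit introduces in the summary two lines above; the same stale wording is left in the first hunk of spamassassin.if. Suggest `##	This template is invoked automatically for each role, and` with the sentence continuing outside the hunk, where the rest of the description (not visible here) should be checked for the same user/role wording.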
@@ -130,7 +130,7 @@ template(`razor_common_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`razor_per_userdomain_template',`
+template(`razor_per_role_template',`
 
 	type $1_razor_t;
 	domain_type($1_razor_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 9f76d61..52dd231 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -219,6 +219,7 @@ interface(`rpc_domtrans_nfsd',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_read_nfs_content',`
 	gen_require(`
@@ -239,6 +240,7 @@ interface(`rpc_read_nfs_content',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_manage_nfs_rw_content',`
 	gen_require(`
@@ -259,6 +261,7 @@ interface(`rpc_manage_nfs_rw_content',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rpc_manage_nfs_ro_content',`
 	gen_require(`
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 9f1bdd8..af9ff01 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -94,6 +94,7 @@ interface(`rsync_entry_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`rsync_exec',`
 	gen_require(`
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 7cacf8b..0245910 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -6,7 +6,7 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the samba module.
+##	The per role template for the samba module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -27,7 +27,7 @@
 ##	</summary>
 ## </param>
 #
-template(`samba_per_userdomain_template',`
+template(`samba_per_role_template',`
 	gen_require(`
 		type smbd_t;
 	')
@@ -86,6 +86,7 @@ interface(`samba_domtrans_net',`
 ##	The type of the terminal allow the samba_net domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_run_net',`
 	gen_require(`
@@ -131,6 +132,7 @@ interface(`samba_domtrans_smbmount',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_read_config',`
 	gen_require(`
@@ -151,6 +153,7 @@ interface(`samba_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_rw_config',`
 	gen_require(`
@@ -170,6 +173,7 @@ interface(`samba_rw_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_read_log',`
 	gen_require(`
@@ -339,6 +343,7 @@ interface(`samba_domtrans_winbind_helper',`
 ##	The type of the terminal allow the winbind_helper domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`samba_run_winbind_helper',`
 	gen_require(`
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 28a0ca6..7c70d80 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -83,6 +83,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sendmail_manage_log',`
 	gen_require(`
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index b58b49f..3ffdc69 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -2,11 +2,11 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the spamassassin module.
+##	The per role template for the spamassassin module.
 ## </summary>
 ## <desc>
 ##	<p>
-##	The per user domain template for the spamassassin module.
+##	The per role template for the spamassassin module.
 ##	</p>
 ##	<p>
 ##	This template is invoked automatically for each user, and
@@ -33,7 +33,7 @@
 #
 # cjp: when tunables are available, spamc stuff should be
 # toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_userdomain_template',`
+template(`spamassassin_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 4a7a357..a819bfc 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -33,6 +33,7 @@ interface(`squid_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_read_config',`
 	gen_require(`
@@ -52,6 +53,7 @@ interface(`squid_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_read_log',`
 	gen_require(`
@@ -93,6 +95,7 @@ interface(`squid_append_log',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`squid_manage_logs',`
 	gen_require(`
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index e31296f..a801eba 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -185,7 +185,7 @@ template(`ssh_basic_client_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the ssh module.
+##	The per role template for the ssh module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -216,7 +216,7 @@ template(`ssh_basic_client_template',`
 ##	</summary>
 ## </param>
 #
-template(`ssh_per_userdomain_template',`
+template(`ssh_per_role_template',`
 	gen_require(`
 		type ssh_agent_exec_t, ssh_keysign_exec_t;
 	')
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
index d646197..a3beead 100644
--- a/policy/modules/services/sysstat.if
+++ b/policy/modules/services/sysstat.if
@@ -9,6 +9,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysstat_manage_log',`
 	gen_require(`
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6c6ccf2..db6a010 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -189,7 +189,7 @@ template(`xserver_common_domain_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the xserver module.
+##	The per role template for the xserver module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -220,7 +220,7 @@ template(`xserver_common_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`xserver_per_userdomain_template',`
+template(`xserver_per_role_template',`
 
 	##############################
 	#
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 4c6bcc9..8f23864 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -9,6 +9,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`zebra_read_config',`
 	gen_require(`
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b947f0a..bdcc29b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -64,7 +64,7 @@ template(`authlogin_common_auth_domain_template',`
 
 #######################################
 ## <summary>
-##	The per user domain template for the authlogin module.
+##	The per role template for the authlogin module.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -96,7 +96,7 @@ template(`authlogin_common_auth_domain_template',`
 ##	</summary>
 ## </param>
 #
-template(`authlogin_per_userdomain_template',`
+template(`authlogin_per_role_template',`
 
 	gen_require(`
 		type system_chkpwd_t, shadow_t;
@@ -609,6 +609,7 @@ interface(`auth_rw_faillog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_lastlog',`
 	gen_require(`
@@ -991,6 +992,7 @@ interface(`auth_read_all_dirs_except_shadow',`
 ##	must be negated by the caller.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_all_files_except_shadow',`
 	gen_require(`
@@ -1174,6 +1176,7 @@ interface(`auth_setattr_login_records',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`auth_read_login_records',`
 	gen_require(`
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 542db15..1a2437d 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -43,6 +43,7 @@ interface(`clock_domtrans',`
 ##	The type of the terminal allow the clock domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`clock_run',`
 	gen_require(`
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index 598e580..d3227c2 100644
--- a/policy/modules/system/daemontools.if
+++ b/policy/modules/system/daemontools.if
@@ -131,6 +131,7 @@ interface(`daemontools_domtrans_multilog',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`daemontools_read_svc',`
 	gen_require(`
@@ -150,6 +151,7 @@ interface(`daemontools_read_svc',`
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`daemontools_manage_svc',`
 	gen_require(`
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 29ec471..781d949 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -44,6 +44,7 @@ interface(`fstools_domtrans',`
 ##	The type of the terminal allow the fs tools domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`fstools_run',`
 	gen_require(`
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index 79a89e7..f60389d 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -51,6 +51,7 @@ interface(`getty_use_fds',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`getty_read_log',`
 	gen_require(`
@@ -70,6 +71,7 @@ interface(`getty_read_log',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`getty_read_config',`
 	gen_require(`
@@ -89,6 +91,7 @@ interface(`getty_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`getty_rw_config',`
 	gen_require(`
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index d7a3090..707499c 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -64,6 +64,7 @@ interface(`hostname_run',`
 ##	Domain allowed access.
 ## 	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`hostname_exec',`
 	gen_require(`
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index e9e0ee9..9a92dd8 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -147,6 +147,7 @@ interface(`hotplug_search_config',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`hotplug_read_config',`
 	gen_require(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 15bc6e8..435b60c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -199,6 +199,7 @@ interface(`init_domtrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`init_exec',`
 	gen_require(`
@@ -387,6 +388,26 @@ interface(`init_write_initctl',`
 
 ########################################
 ## <summary>
+##	Use telinit (Read and write initctl).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_telinit',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write initctl.
 ## </summary>
 ## <param name="domain">
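Review bot: The summary of the new `init_telinit` interface, "Use telinit (Read and write initctl)", understates what the tagged role capability confers: write access to `initctl_t:fifo_file` is what lets a caller ask init to change runlevel, so the summary should say so, e.g. `##	Use telinit to change the system runlevel (read and write initctl).`, so that role authors see what they are handing out. The interface also calls `dev_list_all_dev_nodes($1)`, which is broader than the fifo access the summary describes; if that is needed because telinit searches /dev for the initctl fifo, a why-comment such as `# telinit needs to locate the initctl fifo under /dev` would justify it, otherwise it looks over-broad. If the following "Read and write initctl" interface (body outside the hunk) carries the same `allow $1 initctl_t:fifo_file rw_file_perms;` rule, `init_telinit` could call it instead of duplicating the rule so the two stay in sync.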
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2cb9b8c..2ee4fe0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.22)
+policy_module(init,1.3.23)
 
 gen_require(`
 	class passwd rootok;
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index a3fc91d..b4a643f 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -89,6 +89,7 @@ interface(`ipsec_exec_mgmt',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`ipsec_read_config',`
 	gen_require(`
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 2d748cb..d81ec11 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -44,6 +44,7 @@ interface(`iptables_domtrans',`
 ##	The type of the terminal allow the iptables domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`iptables_run',`
 	gen_require(`
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 64e70c8..439f5ea 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -43,6 +43,7 @@ interface(`libs_domtrans_ldconfig',`
 ##	The type of the terminal allow the ldconfig domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`libs_run_ldconfig',`
 	gen_require(`
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 62f6100..bdcf860 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -31,6 +31,7 @@ interface(`logging_log_file',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_read_audit_log',`
 	gen_require(`
@@ -85,6 +86,7 @@ interface(`logging_domtrans_auditctl',`
 ##	The type of the terminal allow the auditctl domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_run_auditctl',`
 	gen_require(`
@@ -179,6 +181,7 @@ interface(`logging_stream_connect_auditd',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_manage_audit_config',`
 	gen_require(`
@@ -199,6 +202,7 @@ interface(`logging_manage_audit_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_manage_audit_log',`
 	gen_require(`
@@ -302,6 +306,7 @@ interface(`logging_send_syslog_msg',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_read_audit_config',`
 	gen_require(`
@@ -439,6 +444,7 @@ interface(`logging_append_all_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_read_all_logs',`
 	gen_require(`
@@ -482,6 +488,7 @@ interface(`logging_exec_all_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_manage_all_logs',`
 	gen_require(`
@@ -503,6 +510,7 @@ interface(`logging_manage_all_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_read_generic_logs',`
 	gen_require(`
@@ -564,6 +572,7 @@ interface(`logging_rw_generic_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`logging_manage_generic_logs',`
 	gen_require(`
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 193069c..94e3014 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -43,6 +43,7 @@ interface(`lvm_domtrans',`
 ##	The type of the terminal allow the LVM domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lvm_run',`
 	gen_require(`
@@ -63,6 +64,7 @@ interface(`lvm_run',`
 ##	The type of the process performing this action.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`lvm_read_config',`
 	gen_require(`
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 0c934e1..549b4fb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -9,6 +9,7 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_read_certs',`
 	gen_require(`
@@ -29,6 +30,7 @@ interface(`miscfiles_read_certs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_read_fonts',`
 	gen_require(`
@@ -53,6 +55,7 @@ interface(`miscfiles_read_fonts',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_manage_fonts',`
 	gen_require(`
@@ -180,6 +183,7 @@ interface(`miscfiles_dontaudit_search_man_pages',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
@@ -245,6 +249,7 @@ interface(`miscfiles_manage_man_pages',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_read_public_files',`
 	gen_require(`
@@ -266,6 +271,7 @@ interface(`miscfiles_read_public_files',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`miscfiles_manage_public_files',`
 	gen_require(`
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index b1dca23..415ce86 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -29,6 +29,7 @@ interface(`modutils_read_module_deps',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`modutils_read_module_config',`
 	gen_require(`
@@ -130,6 +131,7 @@ interface(`modutils_domtrans_insmod',`
 ##	The type of the terminal allow the insmod domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`modutils_run_insmod',`
 	gen_require(`
@@ -203,6 +205,7 @@ interface(`modutils_domtrans_depmod',`
 ##	The type of the terminal allow the depmod domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`modutils_run_depmod',`
 	gen_require(`
@@ -276,6 +279,7 @@ interface(`modutils_domtrans_update_mods',`
 ##	The type of the terminal allow the update_modules domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`modutils_run_update_mods',`
 	gen_require(`
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index d9c0af3..19f3dff 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -44,6 +44,7 @@ interface(`mount_domtrans',`
 ##	The type of the terminal allow the mount domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mount_run',`
 	gen_require(`
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 15155f4..1a01059 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -100,6 +100,7 @@ interface(`pcmcia_domtrans_cardctl',`
 ##	The type of the terminal allow the cardmgr domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`pcmcia_run_cardctl',`
 	gen_require(`
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 1c59671..6d87f29 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -46,6 +46,7 @@ interface(`seutil_domtrans_checkpolicy',`
 ##	The type of the terminal allow the checkpolicy domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_checkpolicy',`
 	gen_require(`
@@ -66,6 +67,7 @@ interface(`seutil_run_checkpolicy',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_exec_checkpolicy',`
 	gen_require(`
@@ -122,6 +124,7 @@ interface(`seutil_domtrans_loadpolicy',`
 ##	The type of the terminal allow the load_policy domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_loadpolicy',`
 	gen_require(`
@@ -217,6 +220,7 @@ interface(`seutil_domtrans_newrole',`
 ##	The type of the terminal allow the newrole domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_newrole',`
 	gen_require(`
@@ -348,6 +352,7 @@ interface(`seutil_domtrans_restorecon',`
 ##	The type of the terminal allow the restorecon domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_restorecon',`
 	gen_require(`
@@ -368,6 +373,7 @@ interface(`seutil_run_restorecon',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_exec_restorecon',`
 	gen_require(`
@@ -453,6 +459,7 @@ interface(`seutil_init_script_domtrans_runinit',`
 ##	The type of the terminal allow the run_init domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_runinit',`
 	gen_require(`
@@ -574,6 +581,7 @@ interface(`seutil_domtrans_setfiles',`
 ##	The type of the terminal allow the setfiles domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_setfiles',`
 	gen_require(`
@@ -653,6 +661,7 @@ interface(`seutil_dontaudit_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_read_config',`
 	gen_require(`
@@ -675,6 +684,7 @@ interface(`seutil_read_config',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_manage_selinux_config',`
 	gen_require(`
@@ -715,6 +725,7 @@ interface(`seutil_search_default_contexts',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_read_default_contexts',`
 	gen_require(`
@@ -757,6 +768,7 @@ interface(`seutil_manage_default_contexts',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_read_file_contexts',`
 	gen_require(`
@@ -801,6 +813,7 @@ interface(`seutil_rw_file_contexts',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_manage_file_contexts',`
 	gen_require(`
@@ -932,6 +945,7 @@ interface(`seutil_read_src_policy',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_manage_src_policy',`
 	gen_require(`
@@ -990,6 +1004,7 @@ interface(`seutil_domtrans_semanage',`
 ##	The type of the terminal allow the semanage domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index be11fc0..c8813eb 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -44,6 +44,7 @@ interface(`sysnet_domtrans_dhcpc',`
 ##	The type of the terminal allow the clock domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysnet_run_dhcpc',`
 	gen_require(`
@@ -82,6 +83,7 @@ interface(`sysnet_sigchld_dhcpc',`
 ##	The domain sending the SIGKILL.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysnet_kill_dhcpc',`
 	gen_require(`
@@ -136,6 +138,7 @@ interface(`sysnet_signull_dhcpc',`
 ##	The domain sending the signal.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysnet_signal_dhcpc',`
 	gen_require(`
@@ -359,6 +362,7 @@ interface(`sysnet_domtrans_ifconfig',`
 ##	The type of the terminal allow the ifconfig domain to use.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysnet_run_ifconfig',`
 	gen_require(`
@@ -478,6 +482,7 @@ interface(`sysnet_dhcp_state_filetrans',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`sysnet_dns_name_resolve',`
 	gen_require(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 00a7dd6..33a436e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2,19 +2,15 @@
 
 #######################################
 ## <summary>
-##	The template containing rules common to unprivileged
-##	users and administrative users.
+##	The template containing the most basic rules common to all users.
 ## </summary>
 ## <desc>
 ##	<p>
-##	This template creates a user domain, types, and
-##	rules for the user's tty, pty, home directories,
-##	tmp, and tmpfs files.
+##	The template containing the most basic rules common to all users.
 ##	</p>
 ##	<p>
-##	This generally should not be used, rather the
-##	unpriv_user_template or admin_user_template should
-##	be used.
+##	This template creates a user domain, types, and
+##	rules for the user's tty and pty.
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
@@ -23,9 +19,9 @@
 ##	is the prefix for user_t).
 ##	</summary>
 ## </param>
+## <rolebase/>
 #
-template(`base_user_template',`
-
+template(`userdom_base_user_template',`
 	attribute $1_file_type;
 
 	type $1_t, userdomain;
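Review bot: The first `<p>` of the rewritten `<desc>` repeats the `<summary>` text word for word ("The template containing the most basic rules common to all users."), so it adds nothing; the second paragraph is the real description and could stand alone, e.g. `##	This template creates a user domain, types, and rules for the user's tty and pty.`. The rename from `base_user_template` to `userdom_base_user_template` changes a public template name; its callers outside this file are not visible in this chunk, so whether they were all updated cannot be confirmed here, and a one-line note in the header about the old name would help anyone carrying local policy. The template body continues past the end of this hunk.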
@@ -37,56 +33,14 @@ template(`base_user_template',`
 	role $1_r types $1_t;
 	allow system_r $1_r;
 
-	# user pseudoterminal
 	type $1_devpts_t;
 	term_user_pty($1_t,$1_devpts_t)
 	files_type($1_devpts_t)
 
-	# type for contents of home directory
-	type $1_home_t, $1_file_type, home_type;
-	files_type($1_home_t)
-	files_associate_tmp($1_home_t)
-	fs_associate_tmpfs($1_home_t)
-
-	# type of home directory
-	type $1_home_dir_t, home_dir_type, home_type;
-	files_type($1_home_dir_t)
-	files_associate_tmp($1_home_dir_t)
-	fs_associate_tmpfs($1_home_dir_t)
-
-	type $1_tmp_t, $1_file_type;
-	files_tmp_file($1_tmp_t)
-
-	type $1_tmpfs_t;
-	files_tmpfs_file($1_tmpfs_t)
-
-	# types for network-obtained content
-	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
-	files_type($1_untrusted_content_t)
-	files_poly_member($1_untrusted_content_t)
-
-	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
-	files_tmp_file($1_untrusted_content_tmp_t)
-
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
-	##############################
-	#
-	# User home directory file rules
-	#
-
-	allow $1_file_type $1_home_t:filesystem associate;
-
-	##############################
-	#
-	# User domain Local policy
-	#
-
-	allow $1_t self:capability { setgid chown fowner };
-	dontaudit $1_t self:capability { sys_nice fsetid };
-	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-	allow $1_t self:process { ptrace setfscreate };
+	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
 	allow $1_t self:fd use;
 	allow $1_t self:fifo_file rw_file_perms;
 	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -96,57 +50,13 @@ template(`base_user_template',`
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
-	allow $1_t self:tcp_socket create_stream_socket_perms;
-	allow $1_t self:udp_socket create_socket_perms;
-
-	# evolution and gnome-session try to create a netlink socket
-	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-
-	# execute files in the home directory
-	can_exec($1_t,$1_home_t)
-
-	# full control of the home directory
-	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
-	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
-	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-	files_search_home($1_t)
-
-	can_exec($1_t,$1_tmp_t)
-
-	# user temporary files
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	files_tmp_filetrans($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
-	# Bind to a Unix domain socket in /tmp.
-	# cjp: this is combination is not checked and should be removed
-	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
 
-	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
-	allow $1_t $1_tmpfs_t:file create_file_perms;
-	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
-	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
-	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	term_create_pty($1_t,$1_devpts_t)
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
-	# Allow user to relabel untrusted content
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-	allow $1_t unpriv_userdomain:fd use;
-
 	kernel_read_kernel_sysctls($1_t)
-	kernel_read_net_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
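Review bot: The added pty rule `allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };` spells out a permission set by hand, while the tty rule two lines below expresses what looks like the same set as `{ setattr rw_file_perms }`. If `rw_file_perms` expands to that list, writing `allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };` keeps the two terminal rules consistent and makes any later divergence between them visible in review. The enclosing template starts and ends outside this hunk.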
@@ -154,78 +64,23 @@ template(`base_user_template',`
 	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
 	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-	# Very permissive allowing every domain to see every type:
-	kernel_get_sysvipc_info($1_t)
-	# Find CDROM devices:
-	kernel_read_device_sysctls($1_t)
-
-	dev_rw_power_management($1_t)
-	# GNOME checks for usb and other devices:
-	dev_rw_usbfs($1_t)
-
-	corenet_non_ipsec_sendrecv($1_t)
-	corenet_tcp_sendrecv_all_if($1_t)
-	corenet_udp_sendrecv_all_if($1_t)
-	corenet_tcp_sendrecv_all_nodes($1_t)
-	corenet_udp_sendrecv_all_nodes($1_t)
-	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_udp_sendrecv_all_ports($1_t)
-	corenet_tcp_bind_all_nodes($1_t)
-	corenet_udp_bind_all_nodes($1_t)
-	corenet_udp_bind_generic_port($1_t)
-	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_all_client_packets($1_t)
-
-	dev_read_input($1_t)
-	dev_read_misc($1_t)
-	dev_write_misc($1_t)
-	dev_write_sound($1_t)
-	dev_read_sound($1_t)
-	dev_read_sound_mixer($1_t)
-	dev_write_sound_mixer($1_t)
-	dev_read_rand($1_t)
-	dev_read_urand($1_t)
-	# open office is looking for the following
-	dev_getattr_agp_dev($1_t)
-	dev_dontaudit_rw_dri($1_t)
-
-	fs_get_all_fs_quotas($1_t)
-	fs_getattr_all_fs($1_t)
-	fs_getattr_all_dirs($1_t)
-	fs_search_auto_mountpoints($1_t)
-
-	# cjp: some of this probably can be removed
-	selinux_get_fs_mount($1_t)
-	selinux_validate_context($1_t)
-	selinux_compute_access_vector($1_t)
-	selinux_compute_create_context($1_t)
-	selinux_compute_relabel_context($1_t)
-	selinux_compute_user_contexts($1_t)
-
-	# for eject
-	storage_getattr_fixed_disk_dev($1_t)
-
-	auth_read_login_records($1_t)
-	auth_dontaudit_write_login_records($1_t)
-	auth_search_pam_console_data($1_t)
-	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 
-	corecmd_exec_bin($1_t)
-	corecmd_exec_sbin($1_t)
-	corecmd_exec_ls($1_t)
-
-	domain_use_interactive_fds($1_t)
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc.  Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
 	domain_dontaudit_getattr_all_domains($1_t)
 	domain_dontaudit_getsession_all_domains($1_t)
 
-	files_exec_etc_files($1_t)
-	files_search_locks($1_t)
-	# Check to see if cdrom is mounted
-	files_search_mnt($1_t)
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_read_usr_files($1_t)
+	# Read directories and files with the readable_t type.
+	# This type is a general type for "world"-readable files.
+	files_list_world_readable($1_t)
+	files_read_world_readable_files($1_t)
+	files_read_world_readable_symlinks($1_t)
+	files_read_world_readable_pipes($1_t)
+	files_read_world_readable_sockets($1_t)
 	# old broswer_domain():
 	files_dontaudit_list_non_security($1_t)
 	files_dontaudit_getattr_non_security_files($1_t)
@@ -235,34 +90,658 @@ template(`base_user_template',`
 	files_dontaudit_getattr_non_security_blk_files($1_t)
 	files_dontaudit_getattr_non_security_chr_files($1_t)
 
-	# Caused by su - init scripts
-	init_dontaudit_use_script_ptys($1_t)
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+	libs_exec_ld_so($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	tunable_policy(`allow_execmem',`
+		# Allow loading DSOs that require executable stack.
+		allow $1_t self:process execmem;
+	')
+
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1_t self:process execstack;
+	')
+')
+
+#######################################
+## <summary>
+##	The template for creating a home directory
+##	that the user has read-only access.
+## </summary>
+## <desc>
+##	<p>
+##	The template for creating a home directory
+##	that the user has read-only access.
+##	</p>
+##	<p>
+##	This does not allow execute access.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_ro_home_template',`
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	# Rules used to associate a homedir as a mountpoint
+	allow $1_home_t self:filesystem associate;
+
+	##############################
+	#
+	# Domain access to home dir
+	#
+
+	# read-only home directory
+	allow $1_t $1_home_t:file { read_file_perms entrypoint };
+	allow $1_t $1_home_t:lnk_file read_file_perms;
+	allow $1_t $1_home_t:dir list_dir_perms;
+	allow $1_t $1_home_t:sock_file read_file_perms;
+	allow $1_t $1_home_t:fifo_file read_file_perms;
+	allow $1_t $1_home_dir_t:dir list_dir_perms;
+	files_list_home($1_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_list_nfs_dirs($1_t)
+		fs_read_nfs_files($1_t)
+		fs_read_nfs_symlinks($1_t)
+		fs_read_nfs_named_sockets($1_t)
+		fs_read_nfs_named_pipes($1_t)
+	',`
+		fs_dontaudit_read_nfs_dirs($1_t)
+		fs_dontaudit_read_nfs_files($1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_list_cifs_dirs($1_t)
+		fs_read_cifs_files($1_t)
+		fs_read_cifs_symlinks($1_t)
+		fs_read_cifs_named_sockets($1_t)
+		fs_read_cifs_named_pipes($1_t)
+	',`
+		fs_dontaudit_list_cifs_dirs($1_t)
+		fs_dontaudit_read_cifs_files($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for creating a home directory
+##	that the user has full access.
+## </summary>
+## <desc>
+##	<p>
+##	The template for creating a home directory
+##	that the user has full access.
+##	</p>
+##	<p>
+##	This does not allow execute access.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_home_template',`
+	# type for contents of home directory
+	type $1_home_t, $1_file_type, home_type;
+	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
+	fs_associate_tmpfs($1_home_t)
+
+	# type of home directory
+	type $1_home_dir_t, home_dir_type, home_type;
+	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)
+
+	##############################
+	#
+	# User home directory file rules
+	#
+
+	allow $1_file_type $1_home_t:filesystem associate;
+
+	# Rules used to associate a homedir as a mountpoint
+	allow $1_home_t self:filesystem associate;
+
+	##############################
+	#
+	# Domain access to home dir
+	#
+
+	# full control of the home directory
+	allow $1_t $1_home_t:file { manage_file_perms relabelfrom relabelto entrypoint };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { manage_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { manage_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { manage_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir { manage_dir_perms relabelfrom relabelto };
+	type_transition $1_t $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
+	files_list_home($1_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_t)
+		fs_manage_nfs_files($1_t)
+		fs_manage_nfs_symlinks($1_t)
+		fs_manage_nfs_named_sockets($1_t)
+		fs_manage_nfs_named_pipes($1_t)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1_t)
+		fs_dontaudit_manage_nfs_files($1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_t)
+		fs_manage_cifs_files($1_t)
+		fs_manage_cifs_symlinks($1_t)
+		fs_manage_cifs_named_sockets($1_t)
+		fs_manage_cifs_named_pipes($1_t)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1_t)
+		fs_dontaudit_manage_cifs_files($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for allowing the user
+##	to execute files in their home directory.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_home_template',`
+	can_exec($1_t,$1_home_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_exec_nfs_files($1_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_exec_cifs_files($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for polyinstantiating
+##	a user home directory.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_poly_home_template',`
+	ifdef(`enable_polyinstantiation',`
+		type_member $1_t $1_home_dir_t:dir $1_home_t;
+
+		files_poly($1_home_dir_t)
+		files_poly_member($1_home_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for full access to the temporary directories.
+## </summary>
+## <desc>
+##	<p>
+##	The template for full access to the temporary directories.
+##	This creates a derived type for the user
+##	temporary type.  Execute access is not given.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_tmp_template',`
+	type $1_tmp_t, $1_file_type;
+	files_tmp_file($1_tmp_t)
+
+	allow $1_t $1_tmp_t:dir manage_dir_perms;
+	allow $1_t $1_tmp_t:file manage_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:sock_file manage_file_perms;
+	allow $1_t $1_tmp_t:fifo_file manage_file_perms;
+	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+##	The template for execute access to the user temporary files.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_tmp_template',`
+	can_exec($1_t,$1_tmp_t)
+')
+
+#######################################
+## <summary>
+##	The template for a polyinstantiated temporary directory.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_poly_tmp_template',`
+	ifdef(`enable_polyinstantiation',`
+		files_poly_member_tmp($1_t,$1_tmp_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for creating a tmpfs type
+##	that the user has full access.
+## </summary>
+## <desc>
+##	<p>
+##	The template for creating a tmpfs type
+##	that the user has full access.
+##	</p>
+##	<p>
+##	This does not allow execute access.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_manage_tmpfs_template',`
+	type $1_tmpfs_t, $1_file_type;
+	files_tmpfs_file($1_tmpfs_t)
+
+	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+	allow $1_t $1_tmpfs_t:file manage_file_perms;
+	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
+	allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+')
+
+#######################################
+## <summary>
+##	The template for creating a set of types
+##	for untrusted content.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_untrusted_content_template',`
+	gen_require(`
+		attribute $1_file_type;
+		attribute untrusted_content_type, untrusted_content_tmp_type;
+		type $1_t;
+	')
+
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+	tunable_policy(`read_untrusted_content',`
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+	',`
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+	')
+')
+
+#######################################
+## <summary>
+##	The template allowing the user to execute
+##	generic programs, such as those found in /bin,
+##	/sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_exec_generic_pgms_template',`
+	gen_require(`
+		type $1_t;
+	')
+
+	corecmd_exec_bin($1_t)
+	corecmd_exec_sbin($1_t)
+	corecmd_exec_ls($1_t)
+')
+
+#######################################
+## <summary>
+##	The template allowing the user basic
+##	network permissions
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_basic_networking_template',`
+	gen_require(`
+		type $1_t;
+	')
+
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_socket_perms;
+
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_udp_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_connect_all_ports($1_t)
+	corenet_sendrecv_all_client_packets($1_t)
+')
+
+#######################################
+## <summary>
+##	The template for creating a user xwindows client.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_xwindows_client_template',`
+	gen_require(`
+		type $1_t, $1_tmpfs_t;
+	')
+
+	optional_policy(`
+		dev_rw_xserver_misc($1_t)
+		dev_rw_power_management($1_t)
+		dev_read_input($1_t)
+		dev_read_misc($1_t)
+		dev_write_misc($1_t)
+		# open office is looking for the following
+		dev_getattr_agp_dev($1_t)
+		dev_dontaudit_rw_dri($1_t)
+		# GNOME checks for usb and other devices:
+		dev_rw_usbfs($1_t)
+
+		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+		xserver_xsession_entry_type($1_t)
+		xserver_dontaudit_write_log($1_t)
+		xserver_stream_connect_xdm($1_t)
+		# certain apps want to read xdm.pid file
+		xserver_read_xdm_pid($1_t)
+		# gnome-session creates socket under /tmp/.ICE-unix/
+		xserver_create_xdm_tmp_sockets($1_t)
+	')
+')
+
+#######################################
+## <summary>
+##	The template for allowing the user to change passwords.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`userdom_change_password_template',`
+	gen_require(`
+		type $1_t, $1_devpts_t, $1_tty_device_t;
+		role $1_r;
+	')
+
+	optional_policy(`
+		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+	')
+')
+
+#######################################
+## <summary>
+##	The template for allowing the user to change roles.
+## </summary>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_role_change_template',`
+	gen_require(`
+		role $1_r, $2_r;
+		type $1_t, $2_t;
+		type $1_devpts_t, $2_devpts_t;
+		type $1_tty_device_t, $2_tty_device_t;
+	')
+
+	allow $1_r $2_r;
+	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+	# avoid annoying messages on terminal hangup
+	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+#######################################
+## <summary>
+##	The template containing rules common to unprivileged
+##	users and administrative users.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, tmp, and tmpfs files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
+template(`userdom_common_user_template',`
+
+	userdom_base_user_template($1)
+
+	userdom_manage_home_template($1)
+	userdom_exec_home_template($1)
+
+	userdom_manage_tmp_template($1)
+	userdom_exec_tmp_template($1)
+
+	userdom_manage_tmpfs_template($1)
+
+	userdom_untrusted_content_template($1)
+
+	userdom_basic_networking_template($1)
+
+	userdom_exec_generic_pgms_template($1)
+
+	userdom_xwindows_client_template($1)
+
+	userdom_change_password_template($1)
+
+	##############################
+	#
+	# User domain Local policy
+	#
+
+	allow $1_t self:capability { setgid chown fowner };
+	dontaudit $1_t self:capability { sys_nice fsetid };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_t self:process { ptrace setfscreate };
+
+	# evolution and gnome-session try to create a netlink socket
+	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+	allow $1_t unpriv_userdomain:fd use;
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_net_sysctls($1_t)
+	# Very permissive allowing every domain to see every type:
+	kernel_get_sysvipc_info($1_t)
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+
+	corenet_udp_bind_all_nodes($1_t)
+	corenet_udp_bind_generic_port($1_t)
+
+	dev_read_sysfs($1_t)
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+	dev_write_sound($1_t)
+	dev_read_sound($1_t)
+	dev_read_sound_mixer($1_t)
+	dev_write_sound_mixer($1_t)
+
+	domain_use_interactive_fds($1_t)
+
+	files_exec_etc_files($1_t)
+	files_search_locks($1_t)
+	# Check to see if cdrom is mounted
+	files_search_mnt($1_t)
+	# cjp: perhaps should cut back on file reads:
+	files_read_var_files($1_t)
+	files_read_var_symlinks($1_t)
+	files_read_generic_spool($1_t)
+	files_read_var_lib_files($1_t)
+	# Stat lost+found.
+	files_getattr_lost_found_dirs($1_t)
+
+	fs_get_all_fs_quotas($1_t)
+	fs_getattr_all_fs($1_t)
+	fs_getattr_all_dirs($1_t)
+	fs_search_auto_mountpoints($1_t)
+
+	# cjp: some of this probably can be removed
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
+
+	# for eject
+	storage_getattr_fixed_disk_dev($1_t)
+
+	auth_read_login_records($1_t)
+	auth_dontaudit_write_login_records($1_t)
+	auth_search_pam_console_data($1_t)
+	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+
+	init_read_utmp($1_t)
+	# The library functions always try to open read-write first,
+	# then fall back to read-only if it fails. 
+	init_dontaudit_write_utmp($1_t)
+	# Stop warnings about access to /dev/console
+	init_dontaudit_use_fds($1_t)
+	init_dontaudit_use_script_fds($1_t)
 
-	libs_use_ld_so($1_t)
-	libs_use_shared_libs($1_t)
-	libs_exec_ld_so($1_t)
 	libs_exec_lib_files($1_t)
 
 	logging_dontaudit_getattr_all_logs($1_t)
 
-	miscfiles_read_localization($1_t)
+	miscfiles_read_man_pages($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
 
 	seutil_read_file_contexts($1_t)
 	seutil_read_default_contexts($1_t)
+	seutil_read_config($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-
-	tunable_policy(`allow_execmem',`
-		# Allow loading DSOs that require executable stack.
-		allow $1_t self:process execmem;
-	')
-
-	tunable_policy(`allow_execmem && allow_execstack',`
-		# Allow making the stack executable via mprotect.
-		allow $1_t self:process execstack;
-	')
+	# for when the network connection is killed
+	# this is needed when a login role can change
+	# to this one.
+	seutil_dontaudit_signal_newrole($1_t)
 
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
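Review bot: `userdom_role_change_template` uses a second prefix (`$2_r`, `$2_t`, `$2_devpts_t`, `$2_tty_device_t`) but its header documents only `userdomain_prefix`; a second `<param>` is needed, e.g. `## <param name="target_userdomain_prefix">` with the summary `The prefix of the user domain whose role $1_r is allowed to change to.`. The first eight new templates (`userdom_ro_home_template` through `userdom_manage_tmpfs_template`) reference `$1_t`, `$1_file_type`, `$1_home_t` and `$1_tmp_t` with no `gen_require`, whereas `userdom_untrusted_content_template` and every template after it declare theirs; adding matching blocks such as `attribute $1_file_type; type $1_t;` makes the dependencies explicit and consistent. `userdom_ro_home_template` and `userdom_manage_home_template` both declare `$1_home_t` and `$1_home_dir_t`, so they are mutually exclusive for one prefix, and both headers should say so (`## This template and userdom_manage_home_template are alternatives; use only one per user domain.`). The read-only home template also grants `entrypoint` on `$1_home_t:file` although its description says execute access is not given; if that is deliberate, a short comment explaining why a read-only home type must be a domain entry point would prevent it being read as an oversight. The enclosing `userdom_common_user_template` continues past the end of this hunk.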
@@ -275,39 +754,6 @@ template(`base_user_template',`
 		files_dontaudit_read_default_files($1_t)
 	')
 
-	tunable_policy(`read_untrusted_content',`
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
-		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
-	',`
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
-		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_t)
-		fs_manage_nfs_files($1_t)
-		fs_manage_nfs_symlinks($1_t)
-		fs_manage_nfs_named_sockets($1_t)
-		fs_manage_nfs_named_pipes($1_t)
-		fs_exec_nfs_files($1_t)
-	',`
-		fs_dontaudit_manage_nfs_dirs($1_t)
-		fs_dontaudit_manage_nfs_files($1_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_t)
-		fs_manage_cifs_files($1_t)
-		fs_manage_cifs_symlinks($1_t)
-		fs_manage_cifs_named_sockets($1_t)
-		fs_manage_cifs_named_pipes($1_t)
-		fs_exec_cifs_files($1_t)
-	',`
-		fs_dontaudit_manage_cifs_dirs($1_t)
-		fs_dontaudit_manage_cifs_files($1_t)
-	')
-
 	tunable_policy(`user_direct_mouse',`
 		dev_read_mouse($1_t)
 	')
@@ -333,6 +779,10 @@ template(`base_user_template',`
 		dbus_system_bus_client_template($1,$1_t)
 
 		optional_policy(`
+			bluetooth_dbus_chat($1_t)
+		')
+
+		optional_policy(`
 			cups_dbus_chat_config($1_t)
 		')
 
@@ -356,6 +806,11 @@ template(`base_user_template',`
 		inn_read_news_spool($1_t)
 	')
 
+	# for running depmod as part of the kernel packaging process
+	optional_policy(`
+		modutils_read_module_config($1_t)
+	')
+
 	optional_policy(`
 		mta_rw_spool($1_t)
 	')
@@ -365,10 +820,8 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		ifdef(`strict_policy',`
-			tunable_policy(`allow_user_mysql_connect',`
-				mysql_stream_connect($1_t)
-			')
+		tunable_policy(`allow_user_mysql_connect',`
+			mysql_stream_connect($1_t)
 		')
 	')
 
@@ -395,8 +848,6 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		files_getattr_var_lib_dirs($1_t)
-		files_search_var_lib($1_t)
 		rpm_read_db($1_t)
 		rpm_dontaudit_manage_db($1_t)
 	')
@@ -410,25 +861,8 @@ template(`base_user_template',`
 	')
 
 	optional_policy(`
-		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-	')
-
-	optional_policy(`
 		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	')
-
-	optional_policy(`
-		dev_rw_xserver_misc($1_t)
-		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
-		xserver_xsession_entry_type($1_t)
-		xserver_dontaudit_write_log($1_t)
-		xserver_stream_connect_xdm($1_t)
-		# certain apps want to read xdm.pid file
-		xserver_read_xdm_pid($1_t)
-		# gnome-session creates socket under /tmp/.ICE-unix/
-		xserver_create_xdm_tmp_sockets($1_t)
-	')
 ')
 
 #######################################
@@ -449,92 +883,63 @@ template(`base_user_template',`
 ##	</summary>
 ## </param>
 #
-template(`unpriv_user_template', `
+template(`userdom_unpriv_user_template', `
 	##############################
 	#
 	# Declarations
 	#
 
 	# Inherit rules for ordinary users.
-	base_user_template($1)
+	userdom_common_user_template($1)
 
 	typeattribute $1_t unpriv_userdomain;
 	domain_interactive_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
-
 	typeattribute $1_home_dir_t user_home_dir_type;
-	files_poly($1_home_dir_t)
-
 	typeattribute $1_home_t user_home_type;
-	files_poly_member($1_home_t)
-
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
 
+	userdom_poly_home_template($1)
+	userdom_poly_tmp_template($1)
+
 	##############################
 	#
 	# Local policy
 	#
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	# Rules used to associate a homedir as a mountpoint
-	allow $1_home_t self:filesystem associate;
-	allow $1_file_type $1_home_t:filesystem associate;
-
 	# privileged home directory writers
-	allow privhome $1_home_t:file create_file_perms;
+	allow privhome $1_home_t:file manage_file_perms;
 	allow privhome $1_home_t:lnk_file create_lnk_perms;
-	allow privhome $1_home_t:dir create_dir_perms;
-	allow privhome $1_home_t:sock_file create_file_perms;
-	allow privhome $1_home_t:fifo_file create_file_perms;
-	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
-
-	dev_read_sysfs($1_t)
+	allow privhome $1_home_t:dir manage_dir_perms;
+	allow privhome $1_home_t:sock_file manage_file_perms;
+	allow privhome $1_home_t:fifo_file manage_file_perms;
+	type_transition privhome $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
 
 	corecmd_exec_all_executables($1_t)
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+	# Need the following rule to allow users to run vpnc
+	corenet_tcp_bind_xserver_port($1_t)
 
-	files_read_etc_files($1_t)
-	files_read_etc_runtime_files($1_t)
-	files_list_home($1_t)
-	files_read_usr_files($1_t)
 	files_exec_usr_files($1_t)
-	# Read directories and files with the readable_t type.
-	# This type is a general type for "world"-readable files.
-	files_list_world_readable($1_t)
-	files_read_world_readable_files($1_t)
-	files_read_world_readable_symlinks($1_t)
-	files_read_world_readable_pipes($1_t)
-	files_read_world_readable_sockets($1_t)
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-	init_read_utmp($1_t)
-	# The library functions always try to open read-write first,
-	# then fall back to read-only if it fails. 
-	init_dontaudit_write_utmp($1_t)
-	# Stop warnings about access to /dev/console
-	init_dontaudit_use_fds($1_t)
-	init_dontaudit_use_script_fds($1_t)
-
-	miscfiles_read_man_pages($1_t)
-
-	seutil_read_config($1_t)
-	# Allow users to execute checkpolicy without a domain transition
-	# so it can be used without privilege to write real binary policy file
-	seutil_exec_checkpolicy($1_t)
+	ifndef(`enable_mls',`
+		fs_exec_noxattr($1_t)
 
-	ifdef(`enable_polyinstantiation',`
-		type_member $1_t $1_home_dir_t:dir $1_home_t;
-		files_poly_member_tmp($1_t,$1_tmp_t)
+		tunable_policy(`user_rw_noexattrfile',`
+			fs_manage_noxattr_fs_files($1_t)
+			fs_manage_noxattr_fs_dirs($1_t)
+			# Write floppies 
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+		',`
+			storage_raw_read_removable_device($1_t)
+		')
 	')
 
 	tunable_policy(`user_dmesg',`
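Review bot: `corenet_tcp_bind_xserver_port($1_t)` (added right after `corenet_dontaudit_tcp_bind_all_reserved_ports`) is now granted unconditionally to every unprivileged user domain, whereas the rule it replaces further down this file sat inside its own `optional_policy` block; since this lets any process in the user domain claim the X server's TCP port, it belongs behind a tunable an administrator can leave off, next to the existing TCP-server tunable immediately below this hunk. The `user_rw_noexattrfile` block promoted out of TODO also lost the read-only fallback its TODO original carried: the else branch now grants only `storage_raw_read_removable_device($1_t)` and no noxattr file read, while the admin template's copy of the same tunable later in this commit keeps one — confirm that asymmetry is intended and say so in a comment on the else branch. The template body continues past the end of the hunk.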
@@ -543,13 +948,6 @@ template(`unpriv_user_template', `
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
-	# Allow users to rw usb devices
-	tunable_policy(`user_rw_usb',`
-		dev_rw_usbfs($1_t)
-	',`
-		dev_read_usbfs($1_t)
-	')
-
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users)  disabling this forces FTP passive mode
 	# and may change other protocols
@@ -558,14 +956,6 @@ template(`unpriv_user_template', `
 	')
 
 	optional_policy(`
-		dbus_stub($1_t)
-
-		optional_policy(`
-			bluetooth_dbus_chat($1_t)
-		')
-	')
-
-	optional_policy(`
 		kerberos_use($1_t)
 	')
 
@@ -573,11 +963,6 @@ template(`unpriv_user_template', `
 		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 	')
 
-	# for running depmod as part of the kernel packaging process
-	optional_policy(`
-		modutils_read_module_config($1_t)
-	')
-
 	optional_policy(`
 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -588,78 +973,16 @@ template(`unpriv_user_template', `
 		ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
 
-	optional_policy(`
-		# for when the network connection is killed
-		seutil_dontaudit_signal_newrole($1_t)
-	')
-
-	# Need the following rule to allow users to run vpnc
-	optional_policy(`
-		corenet_tcp_bind_xserver_port($1_t)
-	')
-
 	ifdef(`TODO',`
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			create_dir_file($1_t, noexattrfile)
-			# Write floppies 
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-			# cjp: what does this have to do with removable devices?
-			allow $1_t usbtty_device_t:chr_file write;
-		',`
-			fs_read_noxattr_files($1_t)
-			r_dir_file($1_t, noexattrfile)
-			allow $1_t removable_device_t:blk_file r_file_perms;
-		')
-	')
-
-	dontaudit $1_t boot_t:lnk_file read;
-	dontaudit $1_t boot_t:file read;
-
-	# do not audit read on disk devices
-	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
 	ifdef(`xdm.te', `
-		allow xdm_t $1_home_t:lnk_file read;
-		allow xdm_t $1_home_t:dir search;
-		#
-		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-		# 
+		# this should cause the .xsession-errors file to be written to /tmp
 		dontaudit xdm_t $1_home_t:file rw_file_perms;
 	')
 
-	ifdef(`ftpd.te', `
-		tunable_policy(`ftp_home_dir',`
-			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-		')
-	')
-
-	ifdef(`useradd.te', `
-	# Useradd relabels /etc/skel files so needs these privs 
-	allow useradd_t $1_file_type:dir create_dir_perms;
-	allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-	')
-
-	# Stat lost+found.
-	allow $1_t lost_found_t:dir getattr;
-
-	# Read /var, /var/spool, /var/run.
-	r_dir_file($1_t, var_t)
-	# what about pipes and sockets under /var/spool?
-	r_dir_file($1_t, var_spool_t)
-	r_dir_file($1_t, var_run_t)
-	allow $1_t var_lib_t:dir r_dir_perms;
-	allow $1_t var_lib_t:file { getattr read };
-
 	# Do not audit write denials to /etc/ld.so.cache.
 	dontaudit $1_t ld_so_cache_t:file write;
 
 	dontaudit $1_t sysadm_home_t:file { read append };
-
-	allow $1_t initrc_t:fifo_file write;
 	') dnl end TODO
 ')
 
@@ -692,7 +1015,7 @@ template(`unpriv_user_template', `
 ##	</summary>
 ## </param>
 #
-template(`admin_user_template',`
+template(`userdom_admin_user_template',`
 	gen_require(`
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@@ -703,7 +1026,7 @@ template(`admin_user_template',`
 	#
 
 	# Inherit rules for ordinary users.
-	base_user_template($1)
+	userdom_common_user_template($1)
 
 	typeattribute $1_t privhome;
 	domain_obj_id_change_exemption($1_t)
@@ -736,11 +1059,6 @@ template(`admin_user_template',`
 
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-	term_create_pty($1_t,$1_devpts_t)
-
-	kernel_read_system_state($1_t)
-	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
@@ -762,34 +1080,16 @@ template(`admin_user_template',`
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
-	dev_getattr_all_blk_files($1_t)
-	dev_getattr_all_chr_files($1_t)
-
-	fs_getattr_all_fs($1_t)
-	fs_set_all_quotas($1_t)
-	fs_exec_noxattr($1_t)
-
-	# Get security policy decisions:
-	selinux_get_fs_mount($1_t)
-	selinux_validate_context($1_t)
-	selinux_compute_access_vector($1_t)
-	selinux_compute_create_context($1_t)
-	selinux_compute_relabel_context($1_t)
-	selinux_compute_user_contexts($1_t)
-
-	storage_raw_read_removable_device($1_t)
-	storage_raw_write_removable_device($1_t)
-
-	term_use_console($1_t)
-	term_use_unallocated_ttys($1_t)
-	term_use_all_user_ptys($1_t)
-	term_use_all_user_ttys($1_t)
-
-	auth_getattr_shadow($1_t)
-	# Manage almost all files
-	auth_manage_all_files_except_shadow($1_t)
-	# Relabel almost all files
-	auth_relabel_all_files_except_shadow($1_t)
+	# for lsof
+	dev_getattr_mtrr_dev($1_t)
+	# Allow MAKEDEV to work
+	dev_create_all_blk_files($1_t)
+	dev_create_all_chr_files($1_t)
+	dev_delete_all_blk_files($1_t)
+	dev_delete_all_chr_files($1_t)
+	dev_rename_all_blk_files($1_t)
+	dev_rename_all_chr_files($1_t)
+	dev_create_generic_symlinks($1_t)
 
 	domain_setpriority_all_domains($1_t)
 	domain_read_all_domains_state($1_t)
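Review bot: `dev_getattr_all_blk_files($1_t)` and `dev_getattr_all_chr_files($1_t)` are dropped here while the MAKEDEV block only adds create/delete/rename of all block and character device nodes; unless those create interfaces also carry getattr, the admin domain can no longer stat arbitrary device nodes, which the surviving `# for lsof` comment suggests is still wanted — check the dev interface definitions rather than assuming. If the removal is deliberate, a one-line comment at the MAKEDEV block such as `# getattr on all device nodes is implied by the create/delete interfaces` would stop the next reader re-adding them.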
@@ -807,13 +1107,27 @@ template(`admin_user_template',`
 
 	files_exec_usr_src_files($1_t)
 
-	init_rw_initctl($1_t)
+	fs_getattr_all_fs($1_t)
+	fs_set_all_quotas($1_t)
+	fs_exec_noxattr($1_t)
+
+	storage_raw_read_removable_device($1_t)
+	storage_raw_write_removable_device($1_t)
+
+	term_use_all_terms($1_t)
+
+	auth_getattr_shadow($1_t)
+	# Manage almost all files
+	auth_manage_all_files_except_shadow($1_t)
+	# Relabel almost all files
+	auth_relabel_all_files_except_shadow($1_t)
+
+	init_telinit($1_t)
 
 	logging_send_syslog_msg($1_t)
 
 	modutils_domtrans_insmod($1_t)
 
-	seutil_read_config($1_t)
 	# The following rule is temporary until such time that a complete
 	# policy management infrastructure is in place so that an administrator
 	# cannot directly manipulate policy files with arbitrary programs.
@@ -822,6 +1136,13 @@ template(`admin_user_template',`
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
+	tunable_policy(`user_rw_noexattrfile',`
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_dirs($1_t)
+	',`
+		fs_read_noxattr_fs_files($1_t)
+	')
+
 	optional_policy(`
 		cron_admin_template($1,$1_t,$1_r)
 	')
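Review bot: The else branch of the new `user_rw_noexattrfile` tunable grants `fs_read_noxattr_fs_files($1_t)` but nothing at directory level, so with the tunable off an admin can read files on a noxattr filesystem only by exact path and cannot list them; if a directory-listing counterpart exists in the fs module it belongs beside that line. The unprivileged template's copy of this tunable earlier in the commit has a different else branch (raw removable-device read only), so the two templates now disagree on what "off" means; a comment on this block stating why admin keeps a read fallback and unprivileged users do not would make the intent checkable.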
@@ -839,65 +1160,11 @@ template(`admin_user_template',`
 	')
 
 	ifdef(`TODO',`
-
-	# for lsof
-	allow $1_t mtrr_device_t:file getattr;
-	allow $1_t eventpollfs_t:file getattr;
-
-	allow $1_t serial_device:chr_file setattr;
-
-	allow $1_t ptyfile:chr_file getattr;
-
-	# Run admin programs that require different permissions in their own domain.
-	# These rules were moved into the appropriate program domain file.
-
 	ifdef(`xserver.te', `
-		# Create files in /tmp/.X11-unix with our X servers derived
-		# tmp type rather than user_xserver_tmp_t.
-		file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-	')
-
-
-	ifdef(`xdm.te', `
 		tunable_policy(`xdm_sysadm_login',`
 			allow xdm_t $1_home_t:lnk_file read;
 			allow xdm_t $1_home_t:dir search;
 		')
-		can_pipe_xdm($1_t)
-	')
-
-	# Allow MAKEDEV to work
-	allow $1_t device_t:dir rw_dir_perms;
-	allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-	allow $1_t device_t:lnk_file { create read };
-
-	#
-	# A user who is authorized for sysadm_t may nonetheless have
-	# a home directory labeled with user_home_t if the user is expected
-	# to login in either user_t or sysadm_t.  Hence, the derived domains
-	# for programs need to be able to access user_home_t.  
-	# 
-
-	# Allow our gph domain to write to .xsession-errors.
-	ifdef(`gnome-pty-helper.te', `
-		allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-		allow $1_gph_t user_home_type:file create_file_perms;
-	')
-
-	# Run programs from staff home directories.
-	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-	can_exec($1_t, staff_home_t)
-
-	tunable_policy(`user_rw_noexattrfile',`
-		create_dir_file($1_t, noexattrfile)
-		# Write floppies 
-		storage_raw_read_removable_device($1_t)
-		storage_raw_write_removable_device($1_t)
-		# cjp: what does this have to do with removable devices?
-		allow $1_t usbtty_device_t:chr_file write;
-	',`
-		r_dir_file($1_t, noexattrfile)
-		storage_raw_read_removable_device($1_t)
 	')
 	') dnl endif TODO
 ')
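Review bot: Removing the xdm.te conditional and the body of the xserver.te one leaves the `xdm_sysadm_login` tunable nested under the `xserver.te` guard instead of the `xdm.te` guard it was written for; it is dead under the TODO ifdef today, but anyone reviving it inherits the wrong condition. Either delete the whole remaining TODO block here or restore the `ifdef(`xdm.te', `` line around the tunable so the leftover is at least self-consistent.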
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 49b447d..ba8819b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.30)
+policy_module(userdomain,1.3.31)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -56,106 +56,43 @@ attribute untrusted_content_tmp_type;
 # Local policy
 #
 
-define(`role_change',`
-	allow $1_r $2_r;
-	type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-	type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-	# avoid annoying messages on terminal hangup
-	dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-ifdef(`targeted_policy',`
-	# Define some type aliases to help with compatibility with
-	# macros and domains from the "strict" policy.
-	unconfined_alias_domain(secadm_t)
-	unconfined_alias_domain(auditadm_t)
-	unconfined_alias_domain(sysadm_t)
-
-	# User home directory type.
-	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
-	files_type(user_home_t)
-	files_associate_tmp(user_home_t)
-	fs_associate_tmpfs(user_home_t)
-
-	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
-	files_type(user_home_dir_t)
-	files_associate_tmp(user_home_dir_t)
-	fs_associate_tmpfs(user_home_dir_t)
-
-	# compatibility for switching from strict
-#	dominance { role secadm_r { role system_r; }}
-#	dominance { role auditadm_r { role system_r; }}
-#	dominance { role sysadm_r { role system_r; }}
-#	dominance { role user_r { role system_r; }}
-#	dominance { role staff_r { role system_r; }}
-
-	# dont need to use the full role_change()
-	allow sysadm_r system_r;
-	allow sysadm_r user_r;
-	allow user_r system_r;
-	allow user_r sysadm_r;
-	allow system_r sysadm_r;
-	allow system_r sysadm_r;
-
-	allow privhome user_home_t:dir manage_dir_perms;
-	allow privhome user_home_t:file create_file_perms;
-	allow privhome user_home_t:lnk_file create_lnk_perms;
-	allow privhome user_home_t:fifo_file create_file_perms;
-	allow privhome user_home_t:sock_file create_file_perms;
-	allow privhome user_home_dir_t:dir rw_dir_perms;
-	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
-	files_search_home(privhome)
-
-	ifdef(`enable_mls',`
-		allow secadm_r system_r;
-		allow auditadm_r system_r;
-		allow secadm_r user_r;
-		allow staff_r secadm_r;
-		allow staff_r auditadm_r;
-	')
-
-	optional_policy(`
-		samba_per_userdomain_template(user)
-	')
-',`
-	admin_user_template(sysadm)
-	unpriv_user_template(staff)
-	unpriv_user_template(user)
+ifdef(`strict_policy',`
+	userdom_admin_user_template(sysadm)
+	userdom_unpriv_user_template(staff)
+	userdom_unpriv_user_template(user)
 
 	# user role change rules:
 	# sysadm_r can change to user roles
-	role_change(sysadm, user)
-	role_change(sysadm, staff)
+	userdom_role_change_template(sysadm, user)
+	userdom_role_change_template(sysadm, staff)
 
 	# only staff_r can change to sysadm_r
-	role_change(staff, sysadm)
+	userdom_role_change_template(staff, sysadm)
 
 	ifdef(`enable_mls',`
-		unpriv_user_template(secadm)
-		unpriv_user_template(auditadm)
+		userdom_unpriv_user_template(secadm)
+		userdom_unpriv_user_template(auditadm)
 
-		role_change(staff,auditadm)
-		role_change(staff,secadm)
+		userdom_role_change_template(staff,auditadm)
+		userdom_role_change_template(staff,secadm)
 
-		role_change(sysadm,secadm)
-		role_change(sysadm,auditadm)
+		userdom_role_change_template(sysadm,secadm)
+		userdom_role_change_template(sysadm,auditadm)
 
-		role_change(auditadm,secadm)
-		role_change(auditadm,sysadm)
+		userdom_role_change_template(auditadm,secadm)
+		userdom_role_change_template(auditadm,sysadm)
 
-		role_change(secadm,auditadm)
-		role_change(secadm,sysadm)
+		userdom_role_change_template(secadm,auditadm)
+		userdom_role_change_template(secadm,sysadm)
 	')
 
 	# this should be tunable_policy, but
 	# currently type_change and RBAC allow
 	# do not work in conditionals
 	ifdef(`user_canbe_sysadm',`
-		role_change(user,sysadm)
+		userdom_role_change_template(user,sysadm)
 	')
 
-	allow privhome home_root_t:dir { getattr search };
-
 	########################################
 	#
 	# Sysadm local policy
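Review bot: `allow privhome home_root_t:dir { getattr search };` is deleted from the strict branch without a visible replacement, while the targeted block relocated to the end of this file keeps `files_search_home(privhome)`; unless `userdom_unpriv_user_template` or another interface now grants privhome search on the home root, privileged home writers under strict policy lose the traversal needed to reach `$1_home_dir_t`. If the access moved into the templates, a comment at the deletion point such as `# privhome search of home_root_t is granted by the user templates` would make that traceable. Note also that this branch is now selected by `ifdef(`strict_policy'` rather than as the else of `ifdef(`targeted_policy'`, which is only equivalent when exactly one of the two is defined; worth stating that invariant in a comment if it is relied on. The enclosing strict_policy block continues past the hunk.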
@@ -211,7 +148,7 @@ ifdef(`targeted_policy',`
 		logging_read_audit_log(secadm_t)
 	        logging_read_generic_logs(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
-	', `
+	',`
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
@@ -495,3 +432,58 @@ ifdef(`targeted_policy',`
 		yam_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 ')
+
+ifdef(`targeted_policy',`
+	# Define some type aliases to help with compatibility with
+	# strict policy.
+	unconfined_alias_domain(secadm_t)
+	unconfined_alias_domain(auditadm_t)
+	unconfined_alias_domain(sysadm_t)
+
+	# User home directory type.
+	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
+	files_type(user_home_t)
+	files_associate_tmp(user_home_t)
+	fs_associate_tmpfs(user_home_t)
+
+	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
+	files_type(user_home_dir_t)
+	files_associate_tmp(user_home_dir_t)
+	fs_associate_tmpfs(user_home_dir_t)
+
+	# compatibility for switching from strict
+#	dominance { role secadm_r { role system_r; }}
+#	dominance { role auditadm_r { role system_r; }}
+#	dominance { role sysadm_r { role system_r; }}
+#	dominance { role user_r { role system_r; }}
+#	dominance { role staff_r { role system_r; }}
+
+	# dont need to use the full role_change()
+	allow sysadm_r system_r;
+	allow sysadm_r user_r;
+	allow user_r system_r;
+	allow user_r sysadm_r;
+	allow system_r sysadm_r;
+	allow system_r sysadm_r;
+
+	allow privhome user_home_t:dir manage_dir_perms;
+	allow privhome user_home_t:file create_file_perms;
+	allow privhome user_home_t:lnk_file create_lnk_perms;
+	allow privhome user_home_t:fifo_file create_file_perms;
+	allow privhome user_home_t:sock_file create_file_perms;
+	allow privhome user_home_dir_t:dir rw_dir_perms;
+	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+	files_search_home(privhome)
+
+	ifdef(`enable_mls',`
+		allow secadm_r system_r;
+		allow auditadm_r system_r;
+		allow secadm_r user_r;
+		allow staff_r secadm_r;
+		allow staff_r auditadm_r;
+	')
+
+	optional_policy(`
+		samba_per_role_template(user)
+	')
+')
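Review bot: `allow system_r sysadm_r;` appears twice in a row in the relocated targeted block, and the comment above it still reads `dont need to use the full role_change()` although this commit removes that macro in favour of `userdom_role_change_template`; drop the duplicate and reword the comment to name the template. The privhome rules here also still use `create_file_perms` for files, sockets and pipes while `userdom_unpriv_user_template` in this same commit switches the equivalent rules to `manage_file_perms`, so the two policy variants now grant privileged home writers different permission sets — if that is unintended, align them. Apart from the `samba_per_role_template(user)` rename the block is moved text, so the review applies to what was carried over.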
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 0163f2f..38664f9 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -109,17 +109,28 @@ endif
 # Functions
 #
 
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
 # parse-rolemap modulename,outputfile
 define parse-rolemap
 	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
 endef
 
 # peruser-expansion modulename,outputfile
 define peruser-expansion
-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
 	$(call parse-rolemap,$1,$2)
 	$(verbose) echo "')" >> $2
+
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+	$(call parse-rolemap-compat,$1,$2)
+	$(verbose) echo "')" >> $2
 endef
 
 .PHONY: clean all xml
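Review bot: `peruser-expansion` keeps its old name and `# peruser-expansion modulename,outputfile` header although its first echo now emits `_per_role_template` and the per_userdomain branch is only a deprecation shim; renaming the function to match the new vocabulary, and adding a comment on the compat lines such as `# compat: still expand *_per_userdomain_template callers, emitting a build-time warning`, would keep the file honest about what it generates. `parse-rolemap-compat` is also a verbatim copy of the old `parse-rolemap` differing only in the template suffix; one helper taking the suffix as a third argument would stop the two awk programs drifting apart.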