diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index c8098d7..88b7c59 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -85,10 +85,6 @@ optional_policy(`cron.te',`
 	cron_system_entry(acct_t,acct_exec_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(acct_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(acct_t)
 ')
@@ -96,3 +92,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(acct_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(acct_t)
+')
+')
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 4005a80..f4b5246 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -67,10 +67,6 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(quota_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(quota_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(quota_t)
 ')
@@ -86,4 +82,7 @@ file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t
 allow quota_t file_t:file quotaon;
 
 allow quota_t proc_t:file getattr;
+optional_policy(`rhgb.te',`
+	rhgb_domain(quota_t)
+')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 4c15864..ad6ffc9 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -104,10 +104,6 @@ optional_policy(`modutils.te',`
 	modutils_read_mods_deps(updfstab_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(updfstab_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(updfstab_t)
 ')
@@ -115,3 +111,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te',`
 	udev_read_db(updfstab_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(updfstab_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index 49c4a58..cf278f8 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -146,10 +146,6 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(named_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(named_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(named_t)
 ')
@@ -158,6 +154,15 @@ optional_policy(`udev.te',`
 	udev_read_db(named_t)
 ')
 
+ifdef(`TODO',`
+can_udp_send(domain, named_t)
+can_udp_send(named_t, domain)
+can_tcp_connect(domain, named_t)
+optional_policy(`rhgb.te',`
+	rhgb_domain(named_t)
+')
+')
+
 ########################################
 #
 # NDC local policy
@@ -241,9 +246,3 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 	nscd_use_socket(ndc_t)
 ')
-
-ifdef(`TODO',`
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index f2c4688..0ceff77 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -125,10 +125,12 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_dbusd_t)
 ')
 
+optional_policy(`udev.te', `
+	udev_read_db(system_dbusd_t)
+')
+
+ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(system_dbusd_t)
 ')
-
-optional_policy(`udev.te', `
-	udev_read_db(system_dbusd_t)
 ')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 44c5c03..151087d 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -83,10 +83,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(gpm_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(gpm_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(gpm_t)
 ')
@@ -99,4 +95,7 @@ ifdef(`TODO',`
 # Access the mouse.
 # cjp: why write?
 allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
+optional_policy(`rhgb.te',`
+	rhgb_domain(gpm_t)
+')
 ')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index 8e6ed7d..ae49234 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -79,10 +79,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(howl_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(howl_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(howl_t)
 ')
@@ -90,3 +86,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(howl_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(howl_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 9919d1d..924a480 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -147,13 +147,6 @@ optional_policy(`rhgb.te',`
 	rhgb_domain(inetd_t)
 ')
 
-# Bind to the telnet, ftp, rlogin and rsh ports.
-# cjp: these ports currently dont exist in the NSA example
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
 # Communicate with the portmapper.
 ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 ') dnl TODO
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index a7ffb9c..91f5b8e 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -110,10 +110,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(slapd_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(slapd_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(slapd_t)
 ')
@@ -123,6 +119,9 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(slapd_t)
+')
 # allow any domain to connect to the LDAP server
 # cjp: how does this relate to the old can_ldap() macro?
 can_tcp_connect(domain, slapd_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 2f48985..d8b8374 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -111,10 +111,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(mysqld_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(mysqld_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(mysqld_t)
 ')
@@ -123,7 +119,10 @@ optional_policy(`udev.te', `
 	udev_read_db(mysqld_t)
 ')
 
-ifdef(`TODO',
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(mysqld_t)
+')
 optional_policy(`daemontools.te',`
 	domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
 	mysqld_signal(svc_start_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 792d14a..4c54c2c 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -95,10 +95,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(nscd_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(nscd_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(nscd_t)
 ')
@@ -119,7 +115,9 @@ optional_policy(`winbind.te', `
 	allow nscd_t samba_var_t:dir search;
 	allow nscd_t winbind_var_run_t:dir { getattr search };
 ')
-
+optional_policy(`rhgb.te',`
+	rhgb_domain(nscd_t)
+')
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index d1c5f3e..36ee8a5 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -83,10 +83,6 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(privoxy_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(privoxy_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(privoxy_t)
 ')
@@ -94,3 +90,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(privoxy_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(privoxy_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 139c524..8549167 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -24,7 +24,7 @@ role system_r types ssh_keygen_t;
 ssh_server_template(sshd)
 
 optional_policy(`inetd.te',`
-# CJP: commenting this out until typeattribute works in a conditional
+# cjp: commenting this out until typeattribute works in a conditional
 #	tunable_policy(`run_ssh_inetd',`
 		inetd_tcp_service_domain(sshd_t,sshd_exec_t)
 #	',`
@@ -221,10 +221,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(ssh_keygen_t)
 ')
 
-optional_policy(`rhgb.te', `
-	rhgb_domain(ssh_keygen_t)
-')
-
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
@@ -232,3 +228,9 @@ optional_policy(`selinuxutil.te',`
 optional_policy(`udev.te', `
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te', `
+	rhgb_domain(ssh_keygen_t)
+')
+')
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index cc06b3e..a30a314 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -128,10 +128,6 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(ipsec_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(ipsec_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(ipsec_t)
 ')
@@ -140,6 +136,12 @@ optional_policy(`udev.te', `
 	udev_read_db(ipsec_t)
 ')
 
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(ipsec_t)
+')
+')
+
 ########################################
 #
 # ipsec_mgmt Local policy
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 133694a..025c886 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -116,10 +116,6 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(cardmgr_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(cardmgr_t)
-')
-
 optional_policy(`selinuxutils.te',`
 	seutil_sigchld_newrole(cardmgr_t)
 ')
@@ -157,4 +153,7 @@ optional_policy(`pcmcia.te',`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_runtime_chr(hald_t)
 ')
+optional_policy(`rhgb.te',`
+	rhgb_domain(cardmgr_t)
+')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index a8a2f46..c58e7af 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -73,10 +73,6 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(mdadm_t)
 ')
 
-optional_policy(`rhgb.te',`
-	rhgb_domain(mdadm_t)
-')
-
 optional_policy(`selinux.te',`
 	seutil_sigchld_newrole(mdadm_t)
 ')
@@ -90,4 +86,7 @@ ifdef(`TODO',`
 dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
 
 allow mdadm_t var_t:dir getattr;
+optional_policy(`rhgb.te',`
+	rhgb_domain(mdadm_t)
+')
 ') dnl TODO