diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 710646a..c67e85b 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -40,26 +40,32 @@ files_config_file(var_lib_nfs_t)
 allow rpcd_t self:fifo_file rw_file_perms;
 allow rpcd_t self:file { getattr read };
-dontaudit userdomain exports_t:file getattr;
-allow rpcd_t rpcd_var_run_t:file create_file_perms;
-allow rpcd_t rpcd_var_run_t:dir create_dir_perms;
-allow rpcd_t rpcd_var_run_t:dir setattr;
+allow rpcd_t rpcd_var_run_t:file manage_file_perms;
+allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
 files_create_pid(rpcd_t,rpcd_var_run_t)
 kernel_search_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
-fs_read_rpc_dirs(rpcd_t)
-fs_read_rpc_files(rpcd_t)
-fs_read_rpc_symlinks(rpcd_t)
+corenet_udp_bind_generic_port(rpcd_t)
+corenet_udp_bind_reserved_port(rpcd_t)
+
+fs_read_rpc_dirs(rpcd_t)
+fs_read_rpc_files(rpcd_t)
+fs_read_rpc_symlinks(rpcd_t)
 fs_read_rpc_sockets(rpcd_t)
-term_use_controlling_term(rpcd_t)
+term_use_controlling_term(rpcd_t)
+
+# cjp: this should really have its own type
+files_manage_mounttab(rpcd_t)
 seutil_dontaudit_search_config(rpcd_t)
+# FIXME
+dontaudit userdomain exports_t:file getattr;
-ifdef(`distro_redhat', `
+ifdef(`distro_redhat',`
 allow rpcd_t self:capability { chown dac_override setgid setuid };
 ')
@@ -78,7 +84,9 @@ kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_udp_sendfrom(nfsd_t)
 kernel_tcp_recvfrom(nfsd_t)
-
+
+corenet_udp_bind_generic_port(nfsd_t)
+
 fs_mount_nfsd_fs(nfsd_t)
 fs_search_nfsd_fs(nfsd_t)
 fs_getattr_all_fs(nfsd_t)
@@ -90,6 +98,8 @@ term_use_controlling_term(nfsd_t)
 files_search_pids(nfsd_t)
 # for exportfs and rpc.mountd
 files_getattr_tmp_dir(nfsd_t)
+# cjp: this should really have its own type
+files_manage_mounttab(rpcd_t)
 tunable_policy(`nfs_export_all_rw',`
 auth_read_all_dirs_except_shadow(nfsd_t)
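Review bot: `files_manage_mounttab(rpcd_t)` is the widest grant in the first hunk, because the interface body this commit adds in files.if is `allow $1 var_lib_t:file manage_file_perms;` — rpcd_t gets full manage access on every file of the generic var_lib_t type, not only the mount table — yet the only explanation at the call site is `# cjp: this should really have its own type`. The hunk header shows rpc.te already declares `var_lib_nfs_t`; if the mount table files carry that label, the generic var_lib_t grant is unnecessary, which is worth confirming against the module's file contexts before merging. I would at least make the comment state the scope: `# cjp: this should really have its own type; until then this grants manage on all generic var_lib_t files`. The `dontaudit userdomain exports_t:file getattr;` line re-added under a bare `# FIXME` still names what appears to be another module's attribute directly from a .te file, so the FIXME should say so, e.g. `# FIXME: direct use of the userdomain attribute; this belongs in an interface of the module that owns it`.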
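Review bot: The `files_manage_mounttab(rpcd_t)` added in the `@@ -90,6 +98,8 @@` hunk, just below `files_getattr_tmp_dir(nfsd_t)`, names the wrong domain: every other rule in that block is for nfsd_t, the new interface's own summary says it is needed for nfsd, and rpcd_t already receives the identical call in the first hunk, so this line is a no-op duplicate and nfsd_t presumably is left without the access the commit intends. It should read `files_manage_mounttab(nfsd_t)`. The `tunable_policy(`nfs_export_all_rw',`` block that follows continues outside the hunk.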
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 471fd28..6bfabae 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2655,6 +2655,9 @@ interface(`files_read_var_lib_symlinks',`
 allow $1 var_lib_t:lnk_file { getattr read };
 ')
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
 ########################################
 #
 # files_manage_urandom_seed(domain)
@@ -2666,7 +2669,26 @@ interface(`files_manage_urandom_seed',`
 allow $1 var_t:dir search_dir_perms;
 allow $1 var_lib_t:dir rw_dir_perms;
- allow $1 var_lib_t:file { getattr create read write setattr unlink };
+ allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+##
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_manage_mounttab',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir rw_dir_perms;
+ allow $1 var_lib_t:file manage_file_perms;
 ')
 ########################################
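Review bot: The new comment in the first hunk has a typo, `neeed`; the second line should read `# in some way. They really need their own types.`. Since it sits above files_manage_urandom_seed and refers to "the next two interfaces", naming them would save the reader a lookup, e.g. `# cjp: files_manage_urandom_seed and files_manage_mounttab really need their own types`.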
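Review bot: `files_manage_mounttab` is documented as "Allow domain to manage mount tables", but its body is identical to files_manage_urandom_seed's and grants `manage_file_perms` on every file of the generic var_lib_t type, so a caller reading only the summary underestimates what it hands out. The summary should state the real scope — something like "Manage files of the generic var_lib_t type; used for the NFS mount tables until they get their own type, and not limited to them" — and the `# cjp` caveat from the previous hunk belongs next to this interface rather than above files_manage_urandom_seed. The change to files_manage_urandom_seed from the explicit `{ getattr create read write setattr unlink }` list to `manage_file_perms` presumably widens that interface too; that deserves a sentence in the commit description, since every existing caller gains the extra permissions.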