diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 0216eb4..e18dc0b 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t)
 # Local policy
 #
 
+allow cvs_t self:capability { setuid setgid };
 allow cvs_t self:process signal_perms;
 allow cvs_t self:fifo_file rw_fifo_file_perms;
 allow cvs_t self:tcp_socket connected_stream_socket_perms;
 # for identd; cjp: this should probably only be inetd_child rules?
 allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow cvs_t self:capability { setuid setgid };
 
 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
 manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index 0c6a473..5fd29a5 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -23,11 +23,11 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
+allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
 
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
 allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
 
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ac97ed9..96e3c80 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -61,9 +61,9 @@ optional_policy(`
 # Mailman mail local policy
 #
 
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-allow mailman_mail_t self:process { signal signull };
 allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
 
 manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
 manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index ac63be9..13c0555 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -157,8 +157,8 @@ optional_policy(`
 
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
-allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876cae..3bd04d9 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -57,8 +57,8 @@ files_pid_file(ypxfr_var_run_t)
 # ypbind local policy
 
 dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:process signal_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow ypbind_t self:tcp_socket create_stream_socket_perms;
@@ -142,8 +142,8 @@ optional_policy(`
 
 allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { getsched setfscreate signal_perms };
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
 allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -224,8 +224,8 @@ optional_policy(`
 #
 
 dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:process signal_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
 allow ypserv_t self:unix_dgram_socket create_socket_perms;
 allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;