diff --git a/refpolicy/config/appconfig-targeted-mcs/default_contexts b/refpolicy/config/appconfig-targeted-mcs/default_contexts
index 94de330..754bcc3 100644
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mcs/default_contexts
@@ -1,6 +1,7 @@
 system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
+system_r:initrc_t:s0		system_r:unconfined_t:s0
+system_r:local_login_t:s0	system_r:unconfined_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/default_contexts b/refpolicy/config/appconfig-targeted-mls/default_contexts
index 94de330..754bcc3 100644
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mls/default_contexts
@@ -1,6 +1,7 @@
 system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
+system_r:initrc_t:s0		system_r:unconfined_t:s0
+system_r:local_login_t:s0	system_r:unconfined_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
index 06b859a..12fcd1d 100644
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -1,6 +1,7 @@
-system_r:unconfined_t	system_r:unconfined_t
-system_r:initrc_t	system_r:unconfined_t
-system_r:local_login_t system_r:unconfined_t
-system_r:remote_login_t system_r:unconfined_t
-system_r:rshd_t		system_r:unconfined_t
-system_r:crond_t	system_r:unconfined_t
+system_r:unconfined_t		system_r:unconfined_t
+system_r:initrc_t		system_r:unconfined_t
+system_r:local_login_t		system_r:unconfined_t
+system_r:remote_login_t		system_r:unconfined_t
+system_r:rshd_t			system_r:unconfined_t
+system_r:crond_t		system_r:unconfined_t
+system_r:sshd_t			system_r:unconfined_t
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 36c6544..75c64f0 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -11,7 +11,6 @@ init_daemon_domain(apmd_t,apmd_exec_t)
 
 type apm_t;
 domain_type(apm_t)
-role sysadm_r types apm_t;
 role system_r types apm_t;
 
 type apm_exec_t;
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 12019d1..a7c03fe 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -163,6 +163,8 @@ template(`ssh_per_userdomain_template',`
 	sysnet_dns_name_resolve($1_ssh_t)
 
 	userdom_use_unpriv_users_fd($1_ssh_t)
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_ssh_t)
 
 	tunable_policy(`read_default_t',`
 		files_list_default($1_ssh_t)
@@ -220,11 +222,6 @@ template(`ssh_per_userdomain_template',`
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
 
-	# Write to the user domain tty.
-	allow $1_ssh_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_ssh_t devpts_t:dir { read search getattr };
-	allow $1_ssh_t $1_devpts_t:chr_file { read write getattr ioctl };
-
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)
 
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 61bb2ec..ff4289a 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -425,6 +425,23 @@ interface(`auth_read_lastlog',`
 
 #######################################
 ## <summary>
+##	Append only to the last logins log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr lock append };
+')
+
+#######################################
+## <summary>
 ##	Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">