diff --git a/Changelog b/Changelog
index c87f076..8021b3e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Move range transitions to modules.
+- Make number of MLS sensitivities, and number of MLS and MCS
+  categories configurable as build options.
 - Add role infrastructure.
 - Debian updates from Erich Schubert.
 - Add nscd_socket_use() to auth_use_nsswitch().
diff --git a/Makefile b/Makefile
index 5382fc4..423612f 100644
--- a/Makefile
+++ b/Makefile
@@ -208,11 +208,16 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 256
+MCS_CATS ?= 256
+
 ifeq ($(QUIET),y)
 	verbose = @
 endif
 
-M4PARAM += -D hide_broken_symptoms
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
 
 # we need exuberant ctags; unfortunately it is named
 # differently on different distros
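Review bot: `MLS_SENS`, `MLS_CATS` and `MCS_CATS` reach m4 on the `M4PARAM` line without any check, so an empty, zero or non-numeric value set on the command line or in build.conf is passed through as `mls_num_sens`, `mls_num_cats` and `mcs_num_cats` unchanged. The sensitivity, category and level declarations in policy/mls and policy/mcs are generated from these numbers, and the `mls_systemhigh`/`mcs_systemhigh` ranges used throughout this commit appear to be derived from them as well, so a bad value should stop the build rather than yield a policy with unexpected levels. A guard after the defaults would do it, for example `ifneq ($(shell test "$(MLS_SENS)" -ge 1 2>/dev/null && echo ok),ok)`, then `$(error MLS_SENS must be a positive integer)` and `endif`, repeated for the two category counts.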
@@ -454,7 +459,15 @@ $(userpath)/local.users: config/local.users
 
 ########################################
 #
-# Appconfig files
+# Build Appconfig files
+#
+$(tmpdir)/initrc_context: $(appconf)/initrc_context
+	@mkdir -p $(tmpdir)
+	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
+
+########################################
+#
+# Install Appconfig files
 #
 install-appconfig: $(appfiles)
 
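Review bot: The new `$(tmpdir)/initrc_context` rule expands the file with `$(m4support)` but lists only `$(appconf)/initrc_context` as a prerequisite, so a change to the support macros does not regenerate the file and an initrc_context with an outdated range can be installed. Listing the macros as prerequisites, as the existing `$(users_extra)` rule in Rules.modular does, fixes that: `$(tmpdir)/initrc_context: $(m4support) $(appconf)/initrc_context` with the recipe reduced to `$(M4) $(M4PARAM) $^ | $(GREP) '^[a-z]' > $@`. The recipe's exit status is also that of `$(GREP)`, so an m4 error that still emits some matching lines leaves a truncated file that looks up to date. Running m4 into a temporary file first and filtering that file in a second step would let an m4 failure fail the rule. Both points apply equally to the `$(tmpdir)/seusers` rule added in Rules.modular.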
@@ -485,7 +498,7 @@ $(appdir)/userhelper_context: $(appconf)/userhelper_context
 	@mkdir -p $(appdir)
 	$(verbose) $(INSTALL) -m 644 $< $@
 
-$(appdir)/initrc_context: $(appconf)/initrc_context
+$(appdir)/initrc_context: $(tmpdir)/initrc_context
 	@mkdir -p $(appdir)
 	$(verbose) $(INSTALL) -m 644 $< $@
 
@@ -527,6 +540,9 @@ endif
 	$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
 	$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
 	$(verbose) echo "POLY ?= $(POLY)" >> $(headerdir)/build.conf
+	$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
+	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
+	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
 
 ########################################
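Review bot: The three new `echo` lines write `override MLS_SENS := …`, `override MLS_CATS := …` and `override MCS_CATS := …`, while the neighbouring entries use `?=`, and nothing explains why these values must not be changed by someone building modules from the installed headers. If the intent is that modules are always built with the same sensitivity and category counts as the installed base policy, say so in a comment above them, for example `# pinned: modules must use the same MLS/MCS level counts as the base policy`. The recipe these lines belong to starts outside the hunk.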
diff --git a/Rules.modular b/Rules.modular
index 63e60f8..e2d6686 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -88,15 +88,19 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
 #
 # Create a base module package
 #
-$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(seusers) $(net_contexts)
+$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers $(net_contexts)
 	@echo "Creating $(NAME) base module package"
 	@test -d $(builddir) || mkdir -p $(builddir)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(seusers) -n $(net_contexts)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers -n $(net_contexts)
 
 $(base_mod): $(base_conf)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
 
+$(tmpdir)/seusers: $(seusers)
+	@mkdir -p $(tmpdir)
+	$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
+
 $(users_extra): $(m4support) $(user_files)
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
diff --git a/build.conf b/build.conf
index 7bfd7e7..5e721ea 100644
--- a/build.conf
+++ b/build.conf
@@ -46,6 +46,20 @@ MONOLITHIC=y
 # Enable polyinstantiated directory support.
 POLY=n
 
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS=16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS=256
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS=256
+
 # Set this to y to only display status messages
 # during build.
 QUIET=n
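Review bot: The comment above `MCS_CATS=256` says the categories run from c0 to `c(MLS_CATS-1)`, which names the wrong variable and looks copied from the MLS block just above. It should read `# The categories will be c0 to c(MCS_CATS-1).` so that someone sizing an MCS policy changes the setting that actually controls it.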
diff --git a/config/appconfig-strict-mcs/seusers b/config/appconfig-strict-mcs/seusers
index c400c79..ce614b4 100644
--- a/config/appconfig-strict-mcs/seusers
+++ b/config/appconfig-strict-mcs/seusers
@@ -1,2 +1,2 @@
-root:root:s0-s0:c0.c255
+root:root:s0-mcs_systemhigh
 __default__:user_u:s0
diff --git a/config/appconfig-strict-mls/initrc_context b/config/appconfig-strict-mls/initrc_context
index 5435ea4..4598f92 100644
--- a/config/appconfig-strict-mls/initrc_context
+++ b/config/appconfig-strict-mls/initrc_context
@@ -1 +1 @@
-system_u:system_r:initrc_t:s0-s15:c0.c255
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-strict-mls/seusers b/config/appconfig-strict-mls/seusers
index 9a0516d..4e500b0 100644
--- a/config/appconfig-strict-mls/seusers
+++ b/config/appconfig-strict-mls/seusers
@@ -1,2 +1,2 @@
-root:root:s0-s15:c0.c255
+root:root:s0-mls_systemhigh
 __default__:user_u:s0
diff --git a/config/appconfig-targeted-mcs/seusers b/config/appconfig-targeted-mcs/seusers
index c400c79..ce614b4 100644
--- a/config/appconfig-targeted-mcs/seusers
+++ b/config/appconfig-targeted-mcs/seusers
@@ -1,2 +1,2 @@
-root:root:s0-s0:c0.c255
+root:root:s0-mcs_systemhigh
 __default__:user_u:s0
diff --git a/config/appconfig-targeted-mls/initrc_context b/config/appconfig-targeted-mls/initrc_context
index 63a0923..13645ea 100644
--- a/config/appconfig-targeted-mls/initrc_context
+++ b/config/appconfig-targeted-mls/initrc_context
@@ -1 +1 @@
-user_u:system_r:initrc_t:s0-s15:c0.c255
+user_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-targeted-mls/seusers b/config/appconfig-targeted-mls/seusers
index 9a0516d..4e500b0 100644
--- a/config/appconfig-targeted-mls/seusers
+++ b/config/appconfig-targeted-mls/seusers
@@ -1,2 +1,2 @@
-root:root:s0-s15:c0.c255
+root:root:s0-mls_systemhigh
 __default__:user_u:s0
diff --git a/policy/mcs b/policy/mcs
index d51cf97..aeb24bd 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -2,32 +2,23 @@ ifdef(`enable_mcs',`
 #
 # Define sensitivities 
 #
-# Each sensitivity has a name and zero or more aliases.
-#
 # MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
 
+gen_sens(1)
 
 #
 # Define the categories
 #
-# Each category has a name and zero or more aliases.
-#
+# Generate declarations
 
-# generate declarations for c0 to c255
-gen_cats(256)
+gen_cats(mcs_num_cats)
 
 #
 # Each MCS level specifies a sensitivity and zero or more categories which may
 # be associated with that sensitivity.
 #
-level s0:c0.c255;
+
+gen_levels(1,mcs_num_cats)
 
 #
 # Define the MCS policy
diff --git a/policy/mls b/policy/mls
index 5a136d1..9398d84 100644
--- a/policy/mls
+++ b/policy/mls
@@ -2,62 +2,26 @@ ifdef(`enable_mls',`
 #
 # Define sensitivities 
 #
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+# Domination of sensitivities is in increasin
+# numerical order, with s0 being the lowest
 
+gen_sens(mls_num_sens)
 
 #
 # Define the categories
 #
-# Each category has a name and zero or more aliases.
-#
-
-# generate declarations for c0 to c255
-gen_cats(256)
+# Generate declarations
 
+gen_cats(mls_num_cats)
 
 #
 # Each MLS level specifies a sensitivity and zero or more categories which may
 # be associated with that sensitivity.
 #
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
+# Generate levels from all sensitivities
+# with all categories
 
+gen_levels(mls_num_sens,mls_num_cats)
 
 #
 # Define the MLS policy
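Review bot: The new comment above `gen_sens(mls_num_sens)` has a typo, `increasin`; it should read `# Domination of sensitivities is in increasing` followed by `# numerical order, with s0 being the lowest`. The removed lines showed the concrete bounds (s0 to s15, c0.c255) and the replacement comments no longer do. A short remark that the counts now come from `mls_num_sens` and `mls_num_cats`, which the Makefile sets from `MLS_SENS` and `MLS_CATS`, would tell a reader where to find the actual limits.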
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index d3e7246..610cd10 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -165,15 +165,15 @@ portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
 # nodes in net_contexts or net_contexts.mls.
 #
 type node_t, node_type;
-sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
+sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
 
 network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
 network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
 type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
 network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
-network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
+network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
 network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
-network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
+network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 network_node(site_local, s0, fec0::, ffc0::)
 network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 
@@ -186,10 +186,10 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 # netif_t is the default type of network interfaces.
 #
 type netif_t, netif_type;
-sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
+sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
-network_interface(lo, lo,s0 - s15:c0.c255)
+network_interface(lo, lo,s0 - mls_systemhigh)
 ')
 
 ########################################
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 7ded82b..9967dc0 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -25,10 +25,10 @@
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-/dev/mem		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -37,11 +37,11 @@
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-/dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
+/dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
-/dev/port		-c	gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+/dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 1433644..3fd01d9 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -29,7 +29,7 @@ ifdef(`distro_suse',`
 /boot			-d	gen_context(system_u:object_r:boot_t,s0)
 /boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
-/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /boot/lost\+found/.*		<<none>>
 /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
 
@@ -92,9 +92,9 @@ ifdef(`distro_suse',`
 # HOME_ROOT
 # expanded by genhomedircon
 #
-HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
+HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
 HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 HOME_ROOT/lost\+found/.*		<<none>>
 
 #
@@ -112,7 +112,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 #
 # /lost+found
 #
-/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /lost\+found/.*			<<none>>
 
 #
@@ -176,11 +176,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
 #
 # /tmp
 #
-/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
 
-/tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /tmp/lost\+found/.*		<<none>>
 
 #
@@ -200,12 +200,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
 
 /usr/local/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
 
-/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/local/lost\+found/.*	<<none>>
 
 /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
 
-/usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
 /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
@@ -213,7 +213,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
-/usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.*			<<none>>
 
 #
@@ -233,18 +233,18 @@ HOME_ROOT/lost\+found/.*		<<none>>
 
 /var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 
-/var/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/var/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/lost\+found/.*		<<none>>
 
-/var/run			-d	gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
+/var/run			-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
 /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
 
 /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 
-/var/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
+/var/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/.*			<<none>>
-/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+/var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
 /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 11e0807..13da037 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -37,6 +37,45 @@ interface(`kernel_domtrans_to',`
 
 ########################################
 ## <summary>
+##	Allows to start userland processes
+##	by transitioning to the specified domain,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The process type entered by kernel.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The executable type for the entrypoint.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`kernel_ranged_domtrans_to',`
+	gen_require(`
+		type kernel_t;
+	')
+
+
+	kernel_domtrans_to($1,$2)
+
+	ifdef(`enable_mcs',`
+		range_transition kernel_t $2:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition kernel_t $2:process $3;
+	')
+')
+
+########################################
+## <summary>
 ##	Allows the kernel to mount filesystems on
 ##	the specified directory type.
 ## </summary>
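Review bot: In `kernel_ranged_domtrans_to` the `enable_mcs` and `enable_mls` branches emit the same `range_transition kernel_t $2:process $3;`, so the interface does not tell an MCS range from an MLS one and passes `$3` through unchanged in either build. A caller that supplies an MCS-only range must therefore add its own `ifdef` guard, as the cron and cups changes in this commit do for the init interfaces. The `range` parameter's summary should say so, for example `Range for the domain; must be valid for the policy type being built.` If the two branches are meant to stay identical, a one-line comment saying so, or a single guard covering both, would show the duplication is intended. The summary's first line would also read better as `Allows the kernel to start userland processes`.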
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5fe4843..b343642 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -39,7 +39,7 @@ type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
-sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
+sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 
 #
 # DebugFS
@@ -62,13 +62,13 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
 
 # kernel message interface
 type proc_kmsg_t, proc_type;
-genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
+genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
 neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
 neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
-genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
+genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@@ -136,18 +136,18 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 # have labels that are no longer valid are treated as having this type.
 #
 type unlabeled_t;
-sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 
 # These initial sids are no longer used, and can be removed:
-sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
-sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init		gen_context(system_u:object_r:unlabeled_t,s0)
-sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid kmod		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid netmsg		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid policy		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
 sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
 sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
@@ -155,7 +155,7 @@ sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
 sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
 sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
 sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
-sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 
 ########################################
 #
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index e75d5de..de146c1 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -9,44 +9,3 @@ policy_module(mcs,1.0.4)
 attribute mcskillall;
 attribute mcsptraceall;
 attribute mcssetcats;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-#
-
-type auditd_exec_t;
-type crond_exec_t;
-type cupsd_exec_t;
-type getty_t;
-type init_t;
-type init_exec_t;
-type initrc_t;
-type initrc_exec_t;
-type login_exec_t;
-type sshd_exec_t;
-type udev_exec_t;
-type unconfined_t;
-type xdm_exec_t;
-
-ifdef(`enable_mcs',`
-# The eventual plan is to have a range_transition to s0 for the daemon by
-# default and have the daemons which need to run with all categories be
-# exceptions.  But while range_transitions have to be in the base module
-# this is not possible.
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-
-# these might be targeted_policy only
-range_transition unconfined_t initrc_exec_t s0;
-')
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 971d38e..791be1b 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -49,24 +49,3 @@ attribute mlsrangetrans;
 
 attribute mlsfduse; 
 attribute mlsfdshare;
-
-########################################
-#
-# THIS IS A HACK
-#
-# Only the base module can have range_transitions, so we
-# temporarily have to break encapsulation to work around this.
-# Other types are declared in the mcs module.
-#
-
-type lvm_exec_t;
-type run_init_t;
-type setrans_exec_t;
-
-ifdef(`enable_mls',`
-range_transition initrc_t auditd_exec_t s15:c0.c255;
-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
-range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
-range_transition initrc_t setrans_exec_t s15:c0.c255;
-range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
-')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index d0e2750..9629a7f 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -19,7 +19,7 @@ attribute selinux_unconfined_type;
 type security_t;
 fs_type(security_t)
 mls_trusted_object(security_t)
-sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
+sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 
 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 8d52958..ef219a5 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -5,36 +5,36 @@
 /dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
-/dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 ifdef(`distro_redhat', `
-/dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 ')
 /dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
@@ -42,25 +42,25 @@ ifdef(`distro_redhat', `
 /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
-/dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+/dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
 /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 
-/dev/i2o/hd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/i2o/hd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/ida/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/ida/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s0)
-/dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/md/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/mapper/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/raw/raw[0-9]+	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
-/dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
 /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
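Review bot: The `/dev/md/.*` line is not a like-for-like substitution: it moves from `s0` to `mls_systemhigh`, while every other changed line in this hunk replaces `s15:c0.c255`. That raises the label of md devices on MLS systems, which matches the other `fixed_disk_device_t` entries but is a behaviour change the Changelog entry does not mention. Existing MLS systems would presumably need those device nodes relabelled. If the change is intended it deserves its own Changelog line; if not, the entry should stay at `s0`.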
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index a39e999..6fafbd9 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -18,7 +18,7 @@
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
 
-/dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
+/dev/pts		-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 
 /dev/tts/[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 8812f7e..fe64b35 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -26,11 +26,7 @@ type cron_log_t;
 logging_log_file(cron_log_t)
 
 type crond_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type crond_exec_t;
-')
+type crond_exec_t;
 init_daemon_domain(crond_t,crond_exec_t)
 domain_interactive_fd(crond_t)
 domain_cron_exemption_source(crond_t)
@@ -67,6 +63,10 @@ ifdef(`targeted_policy',`
 	files_type(sysadm_cron_spool_t)
 ')
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Cron Local policy
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index e0c3284..947aab2 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -14,11 +14,7 @@ type cupsd_config_var_run_t;
 files_pid_file(cupsd_config_var_run_t)
 
 type cupsd_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type cupsd_exec_t;
-')
+type cupsd_exec_t;
 init_daemon_domain(cupsd_t,cupsd_exec_t)
 
 type cupsd_etc_t;
@@ -68,6 +64,10 @@ files_config_file(ptal_etc_t)
 type ptal_var_run_t;
 files_pid_file(ptal_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Cups local policy
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index e24bb9d..155d2e9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -20,11 +20,7 @@ role system_r types ssh_keygen_t;
 type ssh_keysign_exec_t;
 corecmd_executable_file(ssh_keysign_exec_t)
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type sshd_exec_t;
-')
+type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
 
 type sshd_key_t;
@@ -36,6 +32,10 @@ ifdef(`targeted_policy',`
 
 	type sshd_var_run_t;
 	files_type(sshd_var_run_t)
+
+	ifdef(`enable_mcs',`
+		init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
+	')
 ',`
 	# Type for the ssh-agent executable.
 	type ssh_agent_exec_t;
@@ -55,6 +55,10 @@ ifdef(`targeted_policy',`
 		# These rules should match the else block
 		# of the run_ssh_inetd tunable directly above
 		init_daemon_domain(sshd_t,sshd_exec_t)
+
+		ifdef(`enable_mcs',`
+			init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
+		')
 #	')
 
 	type sshd_tmp_t;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9e92fc2..52cdc69 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,11 +26,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type xdm_exec_t;
-')
+type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t,xdm_exec_t)
 init_daemon_domain(xdm_t,xdm_exec_t)
@@ -71,6 +67,11 @@ logging_log_file(xserver_log_t)
 xserver_common_domain_template(xdm)
 init_system_domain(xdm_xserver_t,xserver_exec_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
+	init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
+')
+
 optional_policy(`
 	prelink_object_file(xkb_var_lib_t)
 ')
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bdcc29b..d57861b 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -282,6 +282,43 @@ interface(`auth_domtrans_login_program',`
 
 ########################################
 ## <summary>
+##	Execute a login_program in the target domain,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the login_program process.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range of the login program.
+##	</summary>
+## </param>
+#
+interface(`auth_ranged_domtrans_login_program',`
+	gen_require(`
+		type login_exec_t;
+	')
+
+	auth_domtrans_login_program($1,$2)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 login_exec_t:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 login_exec_t:process $3;
+	')
+')
+
+########################################
+## <summary>
 ##	Run unix_chkpwd to check a password.
 ## </summary>
 ## <param name="domain">
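Review bot: The `enable_mcs` and `enable_mls` branches of `auth_ranged_domtrans_login_program` contain the identical rule `range_transition $1 login_exec_t:process $3;`, which leaves the reader wondering whether the two were meant to differ. The same duplicated pair appears in `init_ranged_domain`, `init_ranged_daemon_domain` and `init_ranged_system_domain` in init.if. I would add a comment above the first branch in each, e.g. `# same rule for MCS and MLS; the caller picks the range`, or fold the two tests into one nested `ifdef`. The summary could also say that without either option the interface behaves exactly like `auth_domtrans_login_program`.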
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index bfa78ae..8599a85 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 
 type chkpwd_exec_t;
-files_type(chkpwd_exec_t)
+corecmd_executable_file(chkpwd_exec_t)
 
 type faillog_t;
 logging_log_file(faillog_t)
@@ -19,12 +19,8 @@ logging_log_file(faillog_t)
 type lastlog_t;
 logging_log_file(lastlog_t)
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type login_exec_t;
-')
-files_type(login_exec_t)
+type login_exec_t;
+corecmd_executable_file(login_exec_t)
 
 type pam_console_t;
 type pam_console_exec_t;
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 8900a5b..7aad133 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -6,11 +6,7 @@ policy_module(getty,1.1.4)
 # Declarations
 #
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type getty_t;
-')
+type getty_t;
 type getty_exec_t;
 init_domain(getty_t,getty_exec_t)
 domain_interactive_fd(getty_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 22554b4..892cf02 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -44,6 +44,43 @@ interface(`init_domain',`
 
 ########################################
 ## <summary>
+##	Create a domain which can be started by init,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`init_ranged_domain',`
+	gen_require(`
+		type init_t;
+	')
+
+	init_domain($1,$2)
+
+	ifdef(`enable_mcs',`
+		range_transition init_t $2:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition init_t $2:process $3;
+	')
+')
+
+########################################
+## <summary>
 ##	Create a domain for long running processes
 ##	(daemons) which can be started by init scripts.
 ## </summary>
@@ -129,6 +166,43 @@ interface(`init_daemon_domain',`
 
 ########################################
 ## <summary>
+##	Create a domain for long running processes
+##	(daemons) which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`init_ranged_daemon_domain',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	init_daemon_domain($1,$2)
+
+	ifdef(`enable_mcs',`
+		range_transition initrc_t $2:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition initrc_t $2:process $3;
+	')
+')
+
+########################################
+## <summary>
 ##	Create a domain for short running processes
 ##	which can be started by init scripts.
 ## </summary>
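Review bot: The summary added for `init_ranged_daemon_domain` is word for word the one on `init_daemon_domain`, so the generated interface documentation cannot tell the two apart. `init_ranged_system_domain` further down has the same problem with `init_system_domain`. I would end both summaries the way `init_ranged_domain` already does, by changing the second line to `##	(daemons) which can be started by init scripts,` and adding `##	with a range transition.` after it. The `range` parameter text could also state that the range is only applied when `enable_mcs` or `enable_mls` is defined.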
@@ -172,6 +246,43 @@ interface(`init_system_domain',`
 
 ########################################
 ## <summary>
+##	Create a domain for short running processes
+##	which can be started by init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`init_ranged_system_domain',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	init_system_domain($1,$2)
+
+	ifdef(`enable_mcs',`
+		range_transition initrc_t $2 $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition initrc_t $2 $3;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
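Review bot: Both `range_transition` rules in `init_ranged_system_domain` omit the object class. They read `range_transition initrc_t $2 $3;`, while `init_ranged_domain`, `init_ranged_daemon_domain` and `auth_ranged_domtrans_login_program` all write `$2:process $3`. A compiler that still accepts the class-less form presumably treats it as `process`, but that is not visible here and the difference looks like a slip. I would write `range_transition initrc_t $2:process $3;` in both branches. ssh.te calls this interface for `sshd_t` in its targeted branch, so a rule that fails to parse would affect the sshd policy directly.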
@@ -483,10 +594,17 @@ interface(`init_domtrans_script',`
 
 	files_list_etc($1)
 	domain_auto_trans($1,initrc_exec_t,initrc_t)
-
 	allow initrc_t $1:fd use;
 	allow initrc_t $1:fifo_file rw_file_perms;
 	allow initrc_t $1:process sigchld;
+
+	ifdef(`enable_mcs',`
+		range_transition $1 initrc_exec_t:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
 ')
 
 ########################################
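Review bot: `init_domtrans_script` now sets the MLS/MCS range on every caller's transition into `initrc_t`, but nothing in the hunk documents that, and the interface's doc block lies outside it. Under `enable_mcs` the target is the bare level `s0`, so a caller running with categories starts init scripts with none; under `enable_mls` it is `s0 - mls_systemhigh`. I would add a comment above the two `ifdef` blocks, e.g. `# init scripts run at system low (MCS) or the full range (MLS), whatever the caller's level`. The levels would also read better with the `mcs_systemlow` and `mls_systemlow` macros this commit introduces than with the literal `s0`.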
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 13ed5c9..f699558 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -22,26 +22,12 @@ attribute daemon;
 #
 # init_t is the domain of the init process.
 #
-# real declaration moved to mls until
-# range_transition works in loadable modules
-# also remove the extra init_exec_t dependencies
-# in init_t interfaces when the decl gets moved back here.
-gen_require(`
-	type init_t;
-')
+type init_t;
+type init_exec_t;
 domain_type(init_t)
-role system_r types init_t;
-
-#
-# init_exec_t is the type of the init program.
-#
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type init_exec_t;
-')
-kernel_domtrans_to(init_t,init_exec_t)
 domain_entry_file(init_t,init_exec_t)
+kernel_domtrans_to(init_t,init_exec_t)
+role system_r types init_t;
 
 #
 # init_var_run_t is the type for /var/run/shutdown.pid.
@@ -58,20 +44,11 @@ type initctl_t;
 files_type(initctl_t)
 mls_trusted_object(initctl_t)
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type initrc_t;
-')
+type initrc_t;
+type initrc_exec_t;
 domain_type(initrc_t)
-role system_r types initrc_t;
-
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type initrc_exec_t;
-')
 domain_entry_file(initrc_t,initrc_exec_t)
+role system_r types initrc_t;
 
 type initrc_devpts_t;
 term_pty(initrc_devpts_t)
@@ -86,6 +63,10 @@ files_tmp_file(initrc_tmp_t)
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
+ifdef(`enable_mls',`
+	kernel_ranged_domtrans_to(init_t,init_exec_t,s0 - mls_systemhigh)
+')
+
 ########################################
 #
 # Init local policy
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 801aa12..364451c 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -16,6 +16,10 @@ interface(`locallogin_domtrans',`
 	')
 
 	auth_domtrans_login_program($1,local_login_t)
+
+	ifdef(`enable_mcs',`
+		auth_ranged_domtrans_login_program($1,local_login_t,s0 - mcs_systemhigh)
+	')
 ')
 
 ########################################
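Review bot: Under `enable_mcs` the added call repeats the line above it, because `auth_ranged_domtrans_login_program` already expands `auth_domtrans_login_program($1,$2)` before emitting its range transition (see authlogin.if in this commit). The duplicate rules are probably harmless, but the intent would be clearer with the ranged call in the `ifdef` and the plain `auth_domtrans_login_program($1,local_login_t)` in its else branch. Only `enable_mcs` is tested here although the ranged interface also handles `enable_mls`; if MLS builds are meant to get no range transition for local login, a one-line comment saying so would help. The body of `locallogin_domtrans` starts outside the hunk.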
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6730fd2..2d999fd 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,7 +1,7 @@
 
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 
-/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
+/etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
@@ -24,11 +24,11 @@ ifdef(`distro_suse', `
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 
-/var/log		-d	gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
+/var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
-/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+/var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 
-/var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+/var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 836b25c..27bcc91 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -21,11 +21,7 @@ files_security_file(auditd_log_t)
 files_mountpoint(auditd_log_t)
 
 type auditd_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type auditd_exec_t;
-')
+type auditd_exec_t;
 init_daemon_domain(auditd_t,auditd_exec_t)
 
 type auditd_var_run_t;
@@ -58,6 +54,10 @@ files_pid_file(syslogd_var_run_t)
 type var_log_t;
 logging_log_file(var_log_t)
 
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+')
+
 ########################################
 #
 # Auditd local policy
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 114e1d8..ea5e36e 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -14,11 +14,7 @@ type clvmd_var_run_t;
 files_pid_file(clvmd_var_run_t)
 
 type lvm_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type lvm_exec_t;
-')
+type lvm_exec_t;
 init_system_domain(lvm_t,lvm_exec_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2e6f4c7..8cb0707 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,12 +6,12 @@
 /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
 /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
-/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)?	--	gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+/etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 
 #
 # /root
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ba03328..601ad2e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -94,11 +94,7 @@ role system_r types restorecond_t;
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 
-# real declaration moved to mls until
-# range transitions work in modules
-gen_require(`
-	type run_init_t;
-')
+type run_init_t;
 type run_init_exec_t;
 domain_type(run_init_t)
 domain_entry_file(run_init_t,run_init_exec_t)
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index 71c374f..1cc3d19 100644
--- a/policy/modules/system/setrans.fc
+++ b/policy/modules/system/setrans.fc
@@ -1,3 +1,3 @@
 /sbin/mcstransd	--	gen_context(system_u:object_r:setrans_exec_t,s0)
 
-/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
+/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index a42a0de..f742082 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -7,17 +7,21 @@ policy_module(setrans,1.0.3)
 #
 
 type setrans_t;
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type setrans_exec_t;
-')
+type setrans_exec_t;
 init_daemon_domain(setrans_t, setrans_exec_t)
 
 type setrans_var_run_t;
 files_pid_file(setrans_var_run_t)
 mls_trusted_object(setrans_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(setrans_t, setrans_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(setrans_t, setrans_exec_t,mls_systemhigh)
+')
+
 ########################################
 #
 # setrans local policy
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 591e191..9e7edf5 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -6,13 +6,8 @@ policy_module(udev,1.3.6)
 # Declarations
 #
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type udev_exec_t;
-')
-
 type udev_t;
+type udev_exec_t;
 type udev_helper_exec_t;
 kernel_domtrans_to(udev_t,udev_exec_t)
 domain_obj_id_change_exemption(udev_t)
@@ -34,6 +29,11 @@ files_type(udev_tbl_t)
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 
+ifdef(`enable_mcs',`
+	kernel_ranged_domtrans_to(udev_t,udev_exec_t,s0 - mcs_systemhigh)
+	init_ranged_daemon_domain(udev_t,udev_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Local policy
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 0e4271f..74f6c1b 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -6,11 +6,7 @@ policy_module(unconfined,1.3.15)
 # Declarations
 #
 
-# real declaration moved to mls until
-# range_transition works in loadable modules
-gen_require(`
-	type unconfined_t;
-')
+type unconfined_t;
 type unconfined_exec_t;
 init_system_domain(unconfined_t,unconfined_exec_t)
 
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 177b096..a7146d8 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,5 @@
 ifdef(`strict_policy',`
-HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
+HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 9970be4..1719673 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -15,6 +15,16 @@ define(`policy_module',`
 		require {
 			role system_r;
 			all_kernel_class_perms
+
+			ifdef(`enable_mcs',`
+				sensitivity s0;
+				category c0, c`'decr(mcs_num_cats);
+			')
+
+			ifdef(`enable_mls',`
+				sensitivity s0, s`'decr(mls_num_sens);
+				category c0, c`'decr(mls_num_cats);
+			')
 		}
 	')
 ')
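Review bot: The `require` block names only the endpoints (`s0` and the top sensitivity, `c0` and the top category), so the symbols in between are never required. A module that references an intermediate one, such as MLS level `s1` or a single category inside the range, may then fail to compile or link, depending on how strictly the module compiler checks level components; I have not verified that here. With a count of 1 the lines also expand to `sensitivity s0, s0;` and `category c0, c0;`. The `decl_sens` and `decl_cats` macros added in mls_mcs_macros.spt emit one statement per symbol and could be used instead, e.g. `decl_sens(0,decr(mls_num_sens))` and `decl_cats(0,decr(mls_num_cats))`. The `policy_module` definition starts outside the hunk.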
diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt
index 94e209f..e6924e6 100644
--- a/policy/support/misc_macros.spt
+++ b/policy/support/misc_macros.spt
@@ -76,16 +76,3 @@ define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
 define(`gen_bool',`
 	bool $1 dflt_or_overr(`$1'_conf,$2);
 ')
-
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt
new file mode 100644
index 0000000..7593e20
--- /dev/null
+++ b/policy/support/mls_mcs_macros.spt
@@ -0,0 +1,57 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
+define(`mcs_systemlow',`s0')
+define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)')
+define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)')
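Review bot: `decl_cats`, `decl_sens` and `decl_levels` stop only when the counter equals the upper bound exactly, so a count of 0 (bound `-1`) or a non-numeric value (where `decr` yields nothing) makes the recursion run away instead of failing. That was tolerable while the counts were fixed in the policy, but this commit turns them into build options that arrive unchecked from `MLS_SENS`, `MLS_CATS` and `MCS_CATS`. I would validate the count in the `gen_*` entry points and abort with a message, as sketched below; a matching check in the Makefiles would catch the error even earlier. `mls_systemhigh`, `mcs_systemhigh` and `mcs_allcats` call `decr()` on the same values and would produce names such as `c-1` for a count of 0.

```m4
# abort instead of recursing without end on a bad count
define(`mls_mcs_check_count',`ifelse(eval(`$2 > 0'),`1',,`errprint(`$1: count must be a positive integer, got "$2"
')m4exit(`1')')')

define(`gen_cats',`mls_mcs_check_count(`gen_cats',`$1')decl_cats(0,decr($1))')
# … unchanged: decl_cats, decl_sens, gen_dominance, decl_levels, level-name macros …
# gen_sens and gen_levels run the same check on each count before decl_sens / decl_levels
```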
diff --git a/policy/users b/policy/users
index fecd3c3..e2053ab 100644
--- a/policy/users
+++ b/policy/users
@@ -16,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
@@ -26,11 +26,11 @@ gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
 # permit any access to such users, then remove this entry.
 #
 ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ')
 
 #
@@ -41,11 +41,11 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 	',`
-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 	')
 ')
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 38664f9..57fec44 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -76,11 +76,16 @@ ifeq ($(DIRECT_INITRC),y)
 	M4PARAM += -D direct_sysadm_daemon
 endif
 
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 256
+MCS_CATS ?= 256
+
 ifeq ($(QUIET),y)
 	verbose := @
 endif
 
-M4PARAM += -D hide_broken_symptoms
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
 
 # policy headers
 m4support = $(wildcard $(HEADERDIR)/support/*.spt)
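Review bot: The `?=` defaults for `MLS_SENS`, `MLS_CATS` and `MCS_CATS` have to match the values the installed base policy was built with, and the comment above them does not say so. The top-level Makefile writes `override MLS_SENS := …` lines into build.conf, which presumably take precedence when that file is included here. If it is missing or not included, a module is silently built with 16/256/256 and a `mls_systemhigh` that may differ from the base policy's. I would extend the comment to something like `# defaults only; must equal the base policy's values, normally supplied by build.conf`.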