diff --git a/refpolicy/policy/modules/admin/bootloader.fc b/refpolicy/policy/modules/admin/bootloader.fc
new file mode 100644
index 0000000..bcedf95
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.fc
@@ -0,0 +1,12 @@
+
+/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/bootloader.if b/refpolicy/policy/modules/admin/bootloader.if
new file mode 100644
index 0000000..8f6707b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.if
@@ -0,0 +1,134 @@
+## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+
+########################################
+## <summary>
+##	Execute bootloader in the bootloader domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_domtrans',`
+	gen_require(`
+		type bootloader_t, bootloader_exec_t;
+	')
+
+	domain_auto_trans($1, bootloader_exec_t, bootloader_t)
+
+	allow $1 bootloader_t:fd use;
+	allow bootloader_t $1:fd use;
+	allow bootloader_t $1:fifo_file rw_file_perms;
+	allow bootloader_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute bootloader interactively and do
+##	a domain transition to the bootloader domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the bootloader domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the bootloader domain to use.
+##	</summary>
+## </param>
+#
+interface(`bootloader_run',`
+	gen_require(`
+		type bootloader_t;
+	')
+
+	bootloader_domtrans($1)
+
+	role $2 types bootloader_t;
+	allow bootloader_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the bootloader configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_read_config',`
+	gen_require(`
+		type bootloader_etc_t;
+	')
+
+	allow $1 bootloader_etc_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_rw_config',`
+	gen_require(`
+		type bootloader_etc_t;
+	')
+
+	allow $1 bootloader_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_rw_tmp_files',`
+	gen_require(`
+		type bootloader_tmp_t;
+	')
+
+	# FIXME: read tmp_t dir
+	allow $1 bootloader_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write the bootloader
+##	temporary data in /tmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`bootloader_create_runtime_file',`
+	gen_require(`
+		type boot_t, boot_runtime_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
+	type_transition $1 boot_t:file boot_runtime_t;
+')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
new file mode 100644
index 0000000..a0e3d9c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -0,0 +1,222 @@
+
+policy_module(bootloader,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
+type boot_runtime_t;
+files_type(boot_runtime_t)
+
+type bootloader_t;
+domain_type(bootloader_t)
+role system_r types bootloader_t;
+
+type bootloader_exec_t;
+domain_entry_file(bootloader_t,bootloader_exec_t)
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_type(bootloader_etc_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_tmp_file(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
+
+#
+# /var/log/ksyms
+# cjp: this probably can be removed, I do not
+# think it is used on 2.6 kernels
+type var_log_ksyms_t;
+logging_log_file(var_log_ksyms_t)
+
+########################################
+#
+# bootloader local policy
+#
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:fifo_file rw_file_perms;
+
+allow bootloader_t bootloader_etc_t:file r_file_perms;
+# uncomment the following lines if you use "lilo -p"
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
+
+allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
+allow bootloader_t bootloader_tmp_t:file create_file_perms;
+allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+# for tune2fs (cjp: ?)
+files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
+
+kernel_getattr_core_if(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+dev_getattr_all_chr_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
+dev_read_sysfs(bootloader_t)
+# for reading BIOS data
+dev_read_raw_memory(bootloader_t)
+
+fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
+
+term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dirs(bootloader_t)
+
+corecmd_exec_bin(bootloader_t)
+corecmd_exec_sbin(bootloader_t)
+corecmd_exec_shell(bootloader_t)
+
+domain_exec_all_entry_files(bootloader_t)
+domain_use_interactive_fds(bootloader_t)
+
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
+files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
+files_read_etc_runtime_files(bootloader_t)
+files_read_usr_src_files(bootloader_t)
+files_read_usr_files(bootloader_t)
+files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
+# for nscd
+files_dontaudit_search_pids(bootloader_t)
+
+init_getattr_initctl(bootloader_t)
+init_use_script_ptys(bootloader_t)
+init_use_script_fds(bootloader_t)
+init_rw_script_pipes(bootloader_t)
+
+libs_use_ld_so(bootloader_t)
+libs_use_shared_libs(bootloader_t)
+libs_read_lib_files(bootloader_t)
+libs_exec_lib_files(bootloader_t)
+
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
+
+miscfiles_read_localization(bootloader_t)
+
+seutil_read_bin_policy(bootloader_t)
+seutil_read_loadpolicy(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
+
+ifdef(`distro_debian',`
+	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+	fs_list_tmpfs(bootloader_t)
+
+	files_relabel_kernel_modules(bootloader_t)
+	files_relabelfrom_boot_files(bootloader_t)
+	files_delete_kernel_modules(bootloader_t)
+	files_relabelto_usr_files(bootloader_t)
+	files_search_var_lib(bootloader_t)
+	# for /usr/share/initrd-tools/scripts
+	files_exec_usr_files(bootloader_t)
+
+	fstools_manage_entry_files(bootloader_t)
+	fstools_relabelto_entry_files(bootloader_t)
+
+	libs_relabelto_lib_files(bootloader_t)
+')
+
+ifdef(`distro_redhat',`
+	# for memlock
+	allow bootloader_t self:capability ipc_lock;
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+
+	# mkinitrd mount initrd on bootloader temp dir
+	files_mountpoint(bootloader_tmp_t)
+
+	# new file system defaults to file_t, granting file_t access is still bad.
+	files_manage_isid_type_dirs(bootloader_t)
+	files_manage_isid_type_files(bootloader_t)
+	files_manage_isid_type_symlinks(bootloader_t)
+	files_manage_isid_type_blk_files(bootloader_t)
+	files_manage_isid_type_chr_files(bootloader_t)
+
+	# for mke2fs
+	mount_domtrans(bootloader_t)
+')
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_ttys(bootloader_t)
+	term_use_generic_ptys(bootloader_t)
+')
+
+optional_policy(`fstools',`
+	fstools_exec(bootloader_t)
+')
+
+optional_policy(`lvm',`
+	dev_rw_lvm_control(bootloader_t)
+
+	lvm_domtrans(bootloader_t)
+	lvm_read_config(bootloader_t)
+')
+
+optional_policy(`modutils',`
+	modutils_exec_insmod(bootloader_t)
+	modutils_read_module_deps(bootloader_t)
+	modutils_read_module_config(bootloader_t)
+	modutils_exec_insmod(bootloader_t)
+	modutils_exec_depmod(bootloader_t)
+	modutils_exec_update_mods(bootloader_t)
+')
+
+optional_policy(`nscd',`
+	nscd_socket_use(bootloader_t)
+')
+
+optional_policy(`rpm',`
+	rpm_rw_pipes(bootloader_t)
+')
+
+optional_policy(`userdomain',`
+	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+')
+
+ifdef(`TODO',`
+ifdef(`distro_debian', `
+	# cjp: there is no setfscreate or type_transition, and
+	# bootloader_t cannot rw a usr_t or lib_t directory, so
+	# how can this work?  This is probably rw_file_perms,
+	# possibly with unlink.  Files are probably "created"
+	# by the above relabeling permissions.
+	allow bootloader_t { usr_t lib_t }:file create_file_perms;
+
+	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+	allow bootloader_t dpkg_var_lib_t:file { getattr read };
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc
deleted file mode 100644
index bcedf95..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-
-/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
deleted file mode 100644
index 8f6707b..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ /dev/null
@@ -1,134 +0,0 @@
-## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
-
-########################################
-## <summary>
-##	Execute bootloader in the bootloader domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_domtrans',`
-	gen_require(`
-		type bootloader_t, bootloader_exec_t;
-	')
-
-	domain_auto_trans($1, bootloader_exec_t, bootloader_t)
-
-	allow $1 bootloader_t:fd use;
-	allow bootloader_t $1:fd use;
-	allow bootloader_t $1:fifo_file rw_file_perms;
-	allow bootloader_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##	Execute bootloader interactively and do
-##	a domain transition to the bootloader domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the bootloader domain.
-##	</summary>
-## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the terminal allow the bootloader domain to use.
-##	</summary>
-## </param>
-#
-interface(`bootloader_run',`
-	gen_require(`
-		type bootloader_t;
-	')
-
-	bootloader_domtrans($1)
-
-	role $2 types bootloader_t;
-	allow bootloader_t $3:chr_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read the bootloader configuration file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_read_config',`
-	gen_require(`
-		type bootloader_etc_t;
-	')
-
-	allow $1 bootloader_etc_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	configuration file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_rw_config',`
-	gen_require(`
-		type bootloader_etc_t;
-	')
-
-	allow $1 bootloader_etc_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	temporary data in /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_rw_tmp_files',`
-	gen_require(`
-		type bootloader_tmp_t;
-	')
-
-	# FIXME: read tmp_t dir
-	allow $1 bootloader_tmp_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Read and write the bootloader
-##	temporary data in /tmp.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_create_runtime_file',`
-	gen_require(`
-		type boot_t, boot_runtime_t;
-	')
-
-	allow $1 boot_t:dir rw_dir_perms;
-	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
-	type_transition $1 boot_t:file boot_runtime_t;
-')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
deleted file mode 100644
index a0e3d9c..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ /dev/null
@@ -1,222 +0,0 @@
-
-policy_module(bootloader,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for Red Hat
-#
-type boot_runtime_t;
-files_type(boot_runtime_t)
-
-type bootloader_t;
-domain_type(bootloader_t)
-role system_r types bootloader_t;
-
-type bootloader_exec_t;
-domain_entry_file(bootloader_t,bootloader_exec_t)
-
-#
-# bootloader_etc_t is the configuration file,
-# grub.conf, lilo.conf, etc.
-#
-type bootloader_etc_t alias etc_bootloader_t;
-files_type(bootloader_etc_t)
-
-#
-# The temp file is used for initrd creation;
-# it consists of files and device nodes
-#
-type bootloader_tmp_t;
-files_tmp_file(bootloader_tmp_t)
-dev_node(bootloader_tmp_t)
-
-#
-# /var/log/ksyms
-# cjp: this probably can be removed, I do not
-# think it is used on 2.6 kernels
-type var_log_ksyms_t;
-logging_log_file(var_log_ksyms_t)
-
-########################################
-#
-# bootloader local policy
-#
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t bootloader_etc_t:file r_file_perms;
-# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file manage_file_perms;
-#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
-
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
-files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
-# for tune2fs (cjp: ?)
-files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
-
-kernel_getattr_core_if(bootloader_t)
-kernel_read_system_state(bootloader_t)
-kernel_read_software_raid_state(bootloader_t)
-kernel_read_kernel_sysctls(bootloader_t)
-
-storage_raw_read_fixed_disk(bootloader_t)
-storage_raw_write_fixed_disk(bootloader_t)
-storage_raw_read_removable_device(bootloader_t)
-storage_raw_write_removable_device(bootloader_t)
-
-dev_getattr_all_chr_files(bootloader_t)
-dev_getattr_all_blk_files(bootloader_t)
-dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
-dev_read_rand(bootloader_t)
-dev_read_urand(bootloader_t)
-dev_read_sysfs(bootloader_t)
-# for reading BIOS data
-dev_read_raw_memory(bootloader_t)
-
-fs_getattr_xattr_fs(bootloader_t)
-fs_read_tmpfs_symlinks(bootloader_t)
-
-term_getattr_all_user_ttys(bootloader_t)
-term_dontaudit_manage_pty_dirs(bootloader_t)
-
-corecmd_exec_bin(bootloader_t)
-corecmd_exec_sbin(bootloader_t)
-corecmd_exec_shell(bootloader_t)
-
-domain_exec_all_entry_files(bootloader_t)
-domain_use_interactive_fds(bootloader_t)
-
-files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
-files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
-files_read_etc_runtime_files(bootloader_t)
-files_read_usr_src_files(bootloader_t)
-files_read_usr_files(bootloader_t)
-files_read_var_files(bootloader_t)
-files_read_kernel_modules(bootloader_t)
-# for nscd
-files_dontaudit_search_pids(bootloader_t)
-
-init_getattr_initctl(bootloader_t)
-init_use_script_ptys(bootloader_t)
-init_use_script_fds(bootloader_t)
-init_rw_script_pipes(bootloader_t)
-
-libs_use_ld_so(bootloader_t)
-libs_use_shared_libs(bootloader_t)
-libs_read_lib_files(bootloader_t)
-libs_exec_lib_files(bootloader_t)
-
-logging_send_syslog_msg(bootloader_t)
-logging_rw_generic_logs(bootloader_t)
-
-miscfiles_read_localization(bootloader_t)
-
-seutil_read_bin_policy(bootloader_t)
-seutil_read_loadpolicy(bootloader_t)
-seutil_dontaudit_search_config(bootloader_t)
-
-ifdef(`distro_debian',`
-	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-	fs_list_tmpfs(bootloader_t)
-
-	files_relabel_kernel_modules(bootloader_t)
-	files_relabelfrom_boot_files(bootloader_t)
-	files_delete_kernel_modules(bootloader_t)
-	files_relabelto_usr_files(bootloader_t)
-	files_search_var_lib(bootloader_t)
-	# for /usr/share/initrd-tools/scripts
-	files_exec_usr_files(bootloader_t)
-
-	fstools_manage_entry_files(bootloader_t)
-	fstools_relabelto_entry_files(bootloader_t)
-
-	libs_relabelto_lib_files(bootloader_t)
-')
-
-ifdef(`distro_redhat',`
-	# for memlock
-	allow bootloader_t self:capability ipc_lock;
-
-	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
-
-	# mkinitrd mount initrd on bootloader temp dir
-	files_mountpoint(bootloader_tmp_t)
-
-	# new file system defaults to file_t, granting file_t access is still bad.
-	files_manage_isid_type_dirs(bootloader_t)
-	files_manage_isid_type_files(bootloader_t)
-	files_manage_isid_type_symlinks(bootloader_t)
-	files_manage_isid_type_blk_files(bootloader_t)
-	files_manage_isid_type_chr_files(bootloader_t)
-
-	# for mke2fs
-	mount_domtrans(bootloader_t)
-')
-
-ifdef(`targeted_policy',`
-	term_use_unallocated_ttys(bootloader_t)
-	term_use_generic_ptys(bootloader_t)
-')
-
-optional_policy(`fstools',`
-	fstools_exec(bootloader_t)
-')
-
-optional_policy(`lvm',`
-	dev_rw_lvm_control(bootloader_t)
-
-	lvm_domtrans(bootloader_t)
-	lvm_read_config(bootloader_t)
-')
-
-optional_policy(`modutils',`
-	modutils_exec_insmod(bootloader_t)
-	modutils_read_module_deps(bootloader_t)
-	modutils_read_module_config(bootloader_t)
-	modutils_exec_insmod(bootloader_t)
-	modutils_exec_depmod(bootloader_t)
-	modutils_exec_update_mods(bootloader_t)
-')
-
-optional_policy(`nscd',`
-	nscd_socket_use(bootloader_t)
-')
-
-optional_policy(`rpm',`
-	rpm_rw_pipes(bootloader_t)
-')
-
-optional_policy(`userdomain',`
-	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
-	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
-')
-
-ifdef(`TODO',`
-ifdef(`distro_debian', `
-	# cjp: there is no setfscreate or type_transition, and
-	# bootloader_t cannot rw a usr_t or lib_t directory, so
-	# how can this work?  This is probably rw_file_perms,
-	# possibly with unlink.  Files are probably "created"
-	# by the above relabeling permissions.
-	allow bootloader_t { usr_t lib_t }:file create_file_perms;
-
-	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-	allow bootloader_t dpkg_var_lib_t:file { getattr read };
-')
-') dnl end TODO