diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index bc0fd7f..5b30909 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -95,6 +95,9 @@ kernel_read_software_raid_state(ipsec_t)
 kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
+corecmd_exec_shell(ipsec_t)
+corecmd_exec_bin(ipsec_t)
+
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
@@ -115,24 +118,21 @@ dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
+domain_use_interactive_fds(ipsec_t)
+
+files_read_etc_files(ipsec_t)
+
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
 
 term_use_console(ipsec_t)
 term_dontaudit_use_all_user_ttys(ipsec_t)
 
-corecmd_exec_shell(ipsec_t)
-corecmd_exec_bin(ipsec_t)
-
-domain_use_interactive_fds(ipsec_t)
-
-files_read_etc_files(ipsec_t)
+auth_use_nsswitch(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
 
-auth_use_nsswitch(ipsec_t)
-
 logging_send_syslog_msg(ipsec_t)
 
 miscfiles_read_localization(ipsec_t)
@@ -209,21 +209,15 @@ kernel_getattr_message_if(ipsec_mgmt_t)
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
-dev_read_rand(ipsec_mgmt_t)
-dev_read_urand(ipsec_mgmt_t)
-
-fs_getattr_xattr_fs(ipsec_mgmt_t)
-fs_list_tmpfs(ipsec_mgmt_t)
-
-term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
-
 # the default updown script wants to run route
 # the ipsec wrapper wants to run /usr/bin/logger (should we put
 # it in its own domain?)
 corecmd_exec_bin(ipsec_mgmt_t)
 corecmd_exec_shell(ipsec_mgmt_t)
 
+dev_read_rand(ipsec_mgmt_t)
+dev_read_urand(ipsec_mgmt_t)
+
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
 domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
@@ -238,6 +232,12 @@ files_read_etc_runtime_files(ipsec_mgmt_t)
 files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 
+fs_getattr_xattr_fs(ipsec_mgmt_t)
+fs_list_tmpfs(ipsec_mgmt_t)
+
+term_use_console(ipsec_mgmt_t)
+term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
@@ -317,10 +317,10 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
-ipsec_setcontext_default_spd(racoon_t)
-
 auth_use_nsswitch(racoon_t)
 
+ipsec_setcontext_default_spd(racoon_t)
+
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)