diff --git a/Changelog b/Changelog
index 0fa7738..17d4d04 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Move user roles into individual modules.
 - Make hald_log_t a log file.
 - Cryptsetup runs shell scripts.  Patch from Martin Orr.
 - Add file for enabling policy capabilities.
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 87dc0c1..1fb5445 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -1,5 +1,5 @@
 
-policy_module(acct,1.1.0)
+policy_module(acct,1.1.1)
 
 ########################################
 #
@@ -66,9 +66,10 @@ logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 
+sysadm_dontaudit_search_home_dirs(acct_t)
+
 optional_policy(`
 	optional_policy(`
 		# for monthly cron job
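Review bot: `sysadm_dontaudit_search_home_dirs(acct_t)` is called at top level, so acct.te now needs the sysadm role module to be present, whereas bootloader.te in this same commit puts its `staff_dontaudit_search_home_dirs` and `sysadm_dontaudit_search_home_dirs` calls inside separate `optional_policy` blocks. If the role modules are meant to be individually removable, as the Changelog entry suggests, this call should sit in its own `optional_policy` block the way bootloader.te does; if roles are required base modules, the bootloader.te wrapping is the odd one out and a comment there should say why. Whether roles are built as base modules is not visible in this diff. The same top-level pattern appears in the alsa, amanda, anaconda, dmesg, firstboot, kudzu, logrotate, logwatch, mrtg, readahead, usermanage, calamaris, games, mono, uml and vmware hunks, and inside `portage_fetch_domain` and `userhelper_per_role_template`. The `optional_policy` block that follows this call continues outside the hunk.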
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index ffe916b..914f757 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
 
-policy_module(alsa,1.4.0)
+policy_module(alsa,1.4.1)
 
 ########################################
 #
@@ -60,8 +60,10 @@ miscfiles_read_localization(alsa_t)
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
-userdom_search_generic_user_home_dirs(alsa_t)
-userdom_dontaudit_search_sysadm_home_dirs(alsa_t)
+
+sysadm_dontaudit_search_home_dirs(alsa_t)
+
+unprivuser_search_home_dirs(alsa_t)
 
 optional_policy(`
 	hal_use_fds(alsa_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 025da73..a5f6f45 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
 
-policy_module(amanda,1.8.0)
+policy_module(amanda,1.8.1)
 
 #######################################
 #
@@ -181,7 +181,7 @@ manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
@@ -228,4 +228,4 @@ logging_search_logs(amanda_recover_t)
 
 miscfiles_read_localization(amanda_recover_t)
 
-userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+sysadm_search_home_content_dirs(amanda_recover_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 9684a0e..34255f0 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
 
-policy_module(anaconda,1.2.0)
+policy_module(anaconda,1.2.1)
 
 ########################################
 #
@@ -34,7 +34,7 @@ seutil_domtrans_semanage(anaconda_t)
 
 unconfined_domain(anaconda_t)
 
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	dmesg_domtrans(anaconda_t)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index b430249..be26bcb 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.7.0)
+policy_module(bootloader,1.7.1)
 
 ########################################
 #
@@ -212,6 +212,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
-	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+	staff_dontaudit_search_home_dirs(bootloader_t)
+')
+
+optional_policy(`
+	sysadm_dontaudit_search_home_dirs(bootloader_t)
 ')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 91b0e98..7a74094 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,5 +1,5 @@
 
-policy_module(dmesg,1.1.0)
+policy_module(dmesg,1.1.1)
 
 ########################################
 #
@@ -50,9 +50,10 @@ logging_write_generic_logs(dmesg_t)
 
 miscfiles_read_localization(dmesg_t)
 
-userdom_use_sysadm_terms(dmesg_t)
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 
+sysadm_use_terms(dmesg_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)
 ')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 1a2a66a..ec7cf5c 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
 
-policy_module(firstboot,1.6.0)
+policy_module(firstboot,1.6.1)
 
 gen_require(`
 	class passwd rootok;
@@ -88,13 +88,13 @@ modutils_read_module_config(firstboot_t)
 modutils_read_module_deps(firstboot_t)
 
 # Add/remove user home directories
-userdom_manage_generic_user_home_content_dirs(firstboot_t)
-userdom_manage_generic_user_home_content_files(firstboot_t)
-userdom_manage_generic_user_home_content_symlinks(firstboot_t)
-userdom_manage_generic_user_home_content_pipes(firstboot_t)
-userdom_manage_generic_user_home_content_sockets(firstboot_t)
-userdom_home_filetrans_generic_user_home_dir(firstboot_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_manage_home_content_dirs(firstboot_t)
+unprivuser_manage_home_content_files(firstboot_t)
+unprivuser_manage_home_content_symlinks(firstboot_t)
+unprivuser_manage_home_content_pipes(firstboot_t)
+unprivuser_manage_home_content_sockets(firstboot_t)
+unprivuser_home_filetrans_home_dir(firstboot_t)
+unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
 	hal_dbus_chat(firstboot_t)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 6b7f12f..47e98f7 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
 
-policy_module(kudzu,1.5.0)
+policy_module(kudzu,1.5.1)
 
 ########################################
 #
@@ -122,9 +122,10 @@ modutils_domtrans_insmod(kudzu_t)
 
 sysnet_read_config(kudzu_t)
 
-userdom_search_sysadm_home_dirs(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
 
+sysadm_search_home_dirs(kudzu_t)
+
 optional_policy(`
 	gpm_getattr_gpmctl(kudzu_t)
 ')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 313298b..ff27e33 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
 
-policy_module(logrotate,1.8.0)
+policy_module(logrotate,1.8.1)
 
 ########################################
 #
@@ -115,7 +115,6 @@ miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -123,6 +122,8 @@ cron_search_spool(logrotate_t)
 
 mta_send_mail(logrotate_t)
 
+sysadm_dontaudit_search_home_dirs(logrotate_t)
+
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 	# for savelog
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 7fd7487..59c4a4e 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.7.0)
+policy_module(logwatch,1.7.1)
 
 #################################
 #
@@ -88,11 +88,10 @@ selinux_dontaudit_getattr_dir(logwatch_t)
 
 sysnet_dns_name_resolve(logwatch_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
-
 mta_send_mail(logwatch_t)
 
+sysadm_dontaudit_search_home_dirs(logwatch_t)
+
 optional_policy(`
 	apache_read_log(logwatch_t)
 ')
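Review bot: The removed `userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)` has no replacement on the new side; only the search dontaudit is carried over as `sysadm_dontaudit_search_home_dirs(logwatch_t)`. If the permission set behind the search interface already covers getattr (staff.if in this commit uses `search_dir_perms` for its equivalent), the drop is harmless, but that should be stated in the commit message. Otherwise logwatch runs will start logging getattr denials on the sysadm home directory, which adds noise to the audit log that reviewers have to filter. The renaming pattern suggests the equivalent would be `sysadm_dontaudit_getattr_home_dirs(logwatch_t)`; confirm the name against sysadm.if, whose definition of it is not visible here.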
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 4cfd88a..c13c762 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
 
-policy_module(mrtg,1.3.0)
+policy_module(mrtg,1.3.1)
 
 ########################################
 #
@@ -115,7 +115,8 @@ selinux_dontaudit_getattr_dir(mrtg_t)
 sysnet_read_config(mrtg_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-userdom_use_sysadm_terms(mrtg_t)
+
+sysadm_use_terms(mrtg_t)
 
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 401120a..2c06304 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -272,7 +272,7 @@ interface(`portage_fetch_domain',`
 	sysnet_read_config($1)
 	sysnet_dns_name_resolve($1)
 
-	userdom_dontaudit_read_sysadm_home_content_files($1)
+	sysadm_dontaudit_read_home_content_files($1)
 
 	ifdef(`hide_broken_symptoms',`
 		dontaudit $1 portage_cache_t:file read;
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 49476ac..151828a 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
 
-policy_module(portage,1.5.0)
+policy_module(portage,1.5.1)
 
 ########################################
 #
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b8227d4..fde1608 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
 
-policy_module(readahead,1.5.0)
+policy_module(readahead,1.5.1)
 
 ########################################
 #
@@ -79,7 +79,8 @@ logging_dontaudit_search_audit_config(readahead_t)
 miscfiles_read_localization(readahead_t)
 
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
+
+sysadm_dontaudit_search_home_dirs(readahead_t)
 
 optional_policy(`
 	cron_system_entry(readahead_t, readahead_exec_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6495325..1d6fa25 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.10.0)
+policy_module(usermanage,1.10.1)
 
 ########################################
 #
@@ -159,7 +159,7 @@ libs_use_shared_libs(crack_t)
 
 logging_send_syslog_msg(crack_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(crack_t)
+sysadm_dontaudit_search_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
 	# the package cracklib-runtime on Debian contains a daily maintenance
@@ -236,8 +236,9 @@ auth_use_nsswitch(groupadd_t)
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
+
 # for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+sysadm_dontaudit_search_home_dirs(groupadd_t)
 
 optional_policy(`
 	dpkg_use_fds(groupadd_t)
@@ -501,13 +502,11 @@ seutil_domtrans_semanage(useradd_t)
 seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
-# for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_all_users_home_content_dirs(useradd_t)
 userdom_manage_all_users_home_content_files(useradd_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(useradd_t)
+unprivuser_home_dir_filetrans_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 
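Review bot: The `# for when /root is the cwd` dontaudit for `useradd_t` is deleted here and not re-added, while the groupadd_t hunk just above keeps the same comment with `sysadm_dontaudit_search_home_dirs(groupadd_t)`. No other usermanage.te hunk restores it, so unlike the other hunks in this commit this one changes behaviour rather than renaming: useradd started from /root will now produce search denials on the sysadm home directory. If that is not intended, add `sysadm_dontaudit_search_home_dirs(useradd_t)` under the original comment, next to the new `unprivuser_` calls. If it is intended, the commit message should mention it, because unexplained new AVC records on an account-management tool tend to be triaged as suspicious.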
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 7d10435..d48ff4b 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
 
-policy_module(calamaris,1.2.0)
+policy_module(calamaris,1.2.1)
 
 ########################################
 #
@@ -67,7 +67,7 @@ miscfiles_read_localization(calamaris_t)
 
 sysnet_read_config(calamaris_t)
 
-userdom_dontaudit_list_sysadm_home_dirs(calamaris_t)
+sysadm_dontaudit_list_home_dirs(calamaris_t)
 
 squid_read_log(calamaris_t)
 
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 3a02cc7..9bbd43f 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
 
-policy_module(games,1.6.0)
+policy_module(games,1.6.1)
 
 ########################################
 #
@@ -58,7 +58,8 @@ logging_send_syslog_msg(games_t)
 miscfiles_read_localization(games_t)
 
 userdom_dontaudit_use_unpriv_user_fds(games_t)
-userdom_dontaudit_search_sysadm_home_dirs(games_t)
+
+sysadm_dontaudit_search_home_dirs(games_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(games_t)
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 47b711a..ee29a1f 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
 
-policy_module(mono,1.4.0)
+policy_module(mono,1.4.1)
 
 ########################################
 #
@@ -17,7 +17,7 @@ init_system_domain(mono_t,mono_exec_t)
 
 allow mono_t self:process { execheap execmem };
 
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
 
 init_dbus_chat_script(mono_t)
 
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index aae9a1b..7be910c 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
 
-policy_module(uml,1.5.0)
+policy_module(uml,1.5.1)
 
 ########################################
 #
@@ -57,7 +57,8 @@ logging_send_syslog_msg(uml_switch_t)
 miscfiles_read_localization(uml_switch_t)
 
 userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
+
+sysadm_dontaudit_search_home_dirs(uml_switch_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index ccc3d2c..4a6c6a8 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -161,8 +161,8 @@ template(`userhelper_per_role_template',`
 
 	tunable_policy(`! secure_mode',`
 		#if we are not in secure mode then we can transition to sysadm_t
-		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
-		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
+		sysadm_bin_spec_domtrans($1_userhelper_t)
+		sysadm_entry_spec_domtrans($1_userhelper_t)
 	')
 	
 	optional_policy(`
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index f84c4e4..69fa2e1 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -1,5 +1,5 @@
 
-policy_module(userhelper,1.3.0)
+policy_module(userhelper,1.3.1)
 
 ########################################
 #
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 69e988a..d239b8d 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
 
-policy_module(vmware,1.5.0)
+policy_module(vmware,1.5.1)
 
 ########################################
 #
@@ -87,7 +87,8 @@ miscfiles_read_localization(vmware_host_t)
 sysnet_dns_name_resolve(vmware_host_t)
 
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
+
+sysadm_dontaudit_search_home_dirs(vmware_host_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(vmware_host_t)
diff --git a/policy/modules/roles/auditadm.fc b/policy/modules/roles/auditadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/auditadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if
new file mode 100644
index 0000000..532cb5a
--- /dev/null
+++ b/policy/modules/roles/auditadm.if
@@ -0,0 +1,45 @@
+## <summary>Audit administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_template',`
+	userdom_role_change_template($1, auditadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`auditadm_role_change_to_template',`
+	userdom_role_change_template(auditadm, $1)
+')
+
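Review bot: The summaries on both templates are copied from a generic-role template and do not describe what they grant. `auditadm_role_change_template` is documented as "Change to the generic user role." although it passes `auditadm` as the target argument of `userdom_role_change_template`, and `auditadm_role_change_to_template` is documented as "Change from the generic user role." staff.if in this commit words the same pair correctly ("Change to the staff role." / "Change from the staff role."), so I would use `Change to the audit administrator role.` and `Change from the audit administrator role.` here, with the `<desc>` paragraph adjusted to match. secadm.if and sysadm.if carry the same copied text. These templates decide which roles can reach an administrative role, so the generated interface documentation should name the role accurately for anyone auditing role transitions.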
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
new file mode 100644
index 0000000..29d389a
--- /dev/null
+++ b/policy/modules/roles/auditadm.te
@@ -0,0 +1,50 @@
+
+policy_module(auditadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role auditadm_r;
+
+userdom_unpriv_user_template(auditadm)
+
+########################################
+#
+# Local policy
+#
+
+allow auditadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(auditadm_t)
+
+domain_kill_all_domains(auditadm_t)
+
+logging_send_syslog_msg(auditadm_t)
+logging_read_generic_logs(auditadm_t)
+logging_manage_audit_log(auditadm_t)
+logging_manage_audit_config(auditadm_t)
+logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+
+seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+seutil_read_bin_policy(auditadm_t)
+
+optional_policy(`
+	consoletype_exec(auditadm_t)
+')
+
+optional_policy(`
+	dmesg_exec(auditadm_t)
+')
+
+optional_policy(`
+	secadm_role_change_template(auditadm)
+')
+
+optional_policy(`
+	sysadm_role_change_template(auditadm)
+	sysadm_dontaudit_read_home_content_files(auditadm_t)
+')
+
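Review bot: `domain_kill_all_domains(auditadm_t)` and `allow auditadm_t self:capability { dac_read_search dac_override };` are broad grants for a role whose remaining rules all concern logs, auditd and auditctl, and nothing in the file says why they are needed. I would add a why-comment above each. For the capability line, check whether `dac_read_search` alone is enough, since `dac_override` also lets the role bypass DAC on writes. The last optional block also pairs `sysadm_role_change_template(auditadm)` with `sysadm_dontaudit_read_home_content_files(auditadm_t)`; a short comment on why denied reads of sysadm home content by the audit role should go unlogged would help a later separation-of-duties review.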
diff --git a/policy/modules/roles/metadata.xml b/policy/modules/roles/metadata.xml
new file mode 100644
index 0000000..ba002e8
--- /dev/null
+++ b/policy/modules/roles/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for user roles.</summary>
diff --git a/policy/modules/roles/secadm.fc b/policy/modules/roles/secadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/secadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if
new file mode 100644
index 0000000..a5148b0
--- /dev/null
+++ b/policy/modules/roles/secadm.if
@@ -0,0 +1,45 @@
+## <summary>Security administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_template',`
+	userdom_role_change_template($1, secadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`secadm_role_change_to_template',`
+	userdom_role_change_template(secadm, $1)
+')
+
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
new file mode 100644
index 0000000..1831961
--- /dev/null
+++ b/policy/modules/roles/secadm.te
@@ -0,0 +1,62 @@
+
+policy_module(secadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role secadm_r;
+
+userdom_unpriv_user_template(secadm)
+userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+
+########################################
+#
+# Local policy
+#
+
+allow secadm_t self:capability { dac_read_search dac_override };
+
+corecmd_exec_shell(secadm_t)
+
+dev_relabel_all_dev_nodes(secadm_t)
+
+domain_obj_id_change_exemption(secadm_t)
+
+mls_process_read_up(secadm_t)
+mls_file_read_all_levels(secadm_t)
+mls_file_write_all_levels(secadm_t)
+mls_file_upgrade(secadm_t)
+mls_file_downgrade(secadm_t)
+
+auth_relabel_all_files_except_shadow(secadm_t)
+auth_relabel_shadow(secadm_t)
+
+init_exec(secadm_t)
+
+logging_read_audit_log(secadm_t)
+logging_read_generic_logs(secadm_t)
+logging_read_audit_config(secadm_t)
+
+optional_policy(`
+	aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+	auditadm_role_change_template(secadm)
+')
+
+optional_policy(`
+	netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+')
+
+optional_policy(`
+	staff_dontaudit_append_home_content_files(secadm_t)
+')
+
+optional_policy(`
+	sysadm_role_change_template(secadm)
+	sysadm_dontaudit_read_home_content_files(secadm_t)
+')
+
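Review bot: `auth_relabel_shadow(secadm_t)` directly after `auth_relabel_all_files_except_shadow(secadm_t)` cancels the shadow exception, so going by the interface names secadm_t can relabel every file, the shadow file included. This sits alongside `mls_file_upgrade`, `mls_file_downgrade` and `dev_relabel_all_dev_nodes`. If that is the intent, a comment above the pair such as `# secadm is the relabeling authority for all files, shadow included` would make the grant deliberate and auditable rather than something a reader has to infer. The two dontaudit calls near the end, `staff_dontaudit_append_home_content_files(secadm_t)` and `sysadm_dontaudit_read_home_content_files(secadm_t)`, suppress denial records for a privileged role touching other users' home content and should each state the benign program behaviour they are hiding.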
diff --git a/policy/modules/roles/staff.fc b/policy/modules/roles/staff.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/staff.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
new file mode 100644
index 0000000..6e0bc69
--- /dev/null
+++ b/policy/modules/roles/staff.if
@@ -0,0 +1,162 @@
+## <summary>Administrator's unprivileged user role</summary>
+
+########################################
+## <summary>
+##	Change to the staff role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_template',`
+	userdom_role_change_template($1, staff)
+')
+
+########################################
+## <summary>
+##	Change from the staff role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the staff role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`staff_role_change_to_template',`
+	userdom_role_change_template(staff, $1)
+')
+
+########################################
+## <summary>
+##	Search the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_search_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`staff_dontaudit_search_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete staff
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_manage_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to staff home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_relabelto_home_dirs',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to append to the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`staff_dontaudit_append_home_content_files',`
+	gen_require(`
+		type staff_home_t;
+	')
+
+	dontaudit $1 staff_home_t:file append;
+')
+
+########################################
+## <summary>
+##	Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`staff_read_home_content_files',`
+	gen_require(`
+		type staff_home_dir_t, staff_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+	read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
+')
+
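Review bot: The summary of `staff_dontaudit_append_home_content_files` says "append to the staff users home directory", but the rule is `dontaudit $1 staff_home_t:file append;`, which covers files labelled `staff_home_t` and not the directory. I would reword it to `Do not audit attempts to append to files in the staff users home directory.` so callers know which denials they are silencing. In the same file, `staff_read_home_content_files` is summarised as "Read files" but also grants `list_dir_perms` on both `staff_home_dir_t` and `staff_home_t` directories and symlink reads via `read_lnk_files_pattern`. The summary should mention listing and symlinks so the interface is not taken for a narrower grant than it is.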
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
new file mode 100644
index 0000000..9d68d0b
--- /dev/null
+++ b/policy/modules/roles/staff.te
@@ -0,0 +1,30 @@
+
+policy_module(staff, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role staff_r;
+
+userdom_unpriv_user_template(staff)
+
+########################################
+#
+# Local policy
+#
+
+optional_policy(`
+	auditadm_role_change_template(staff)
+')
+
+optional_policy(`
+	secadm_role_change_template(staff)
+')
+
+optional_policy(`
+	sysadm_role_change_template(staff)
+	sysadm_dontaudit_use_terms(staff_t)
+')
+
diff --git a/policy/modules/roles/sysadm.fc b/policy/modules/roles/sysadm.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/sysadm.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
new file mode 100644
index 0000000..8c4ad00
--- /dev/null
+++ b/policy/modules/roles/sysadm.if
@@ -0,0 +1,547 @@
+## <summary>General system administration role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_template',`
+	userdom_role_change_template($1, sysadm)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`sysadm_role_change_to_template',`
+	userdom_role_change_template(sysadm, $1)
+')
+
+########################################
+## <summary>
+##	Execute a shell in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_shell_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_shell_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute a generic bin program in the sysadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute all entrypoint files in the sysadm domain. This
+##	is an explicit transition, requiring the
+##	caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans($1, sysadm_t)
+	allow sysadm_t $1:fd use;
+	allow sysadm_t $1:fifo_file rw_file_perms;
+	allow sysadm_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute a generic bin program in
+##	a specified domain.
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+#
+interface(`sysadm_bin_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	corecmd_bin_spec_domtrans(sysadm_t, $1)
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to sysadm users.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_sigchld',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_fds',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_rw_pipes',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attepts to get the attributes
+##	of sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	term_list_ptys($1)
+	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ttys',`
+	gen_require(`
+		type sysadm_tty_device_t;
+	')
+
+	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_ptys',`
+	gen_require(`
+		type sysadm_devpts_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	term_list_ptys($1)
+	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Dont audit attempts to read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_ptys',`
+	gen_require(`
+		type sysadm_devpts_t;
+	')
+
+	dontaudit $1 sysadm_devpts_t:chr_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_use_terms',`
+	sysadm_use_ttys($1)
+	sysadm_use_ptys($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use sysadm ttys and ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_use_terms',`
+	sysadm_dontaudit_use_ttys($1)
+	sysadm_dontaudit_use_ptys($1)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_getattr_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the sysadm users
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_getattr_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_search_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_search_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	List the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_list_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to list the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_list_home_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in sysadm home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`sysadm_home_dir_filetrans',`
+	gen_require(`
+		type sysadm_home_dir_t;
+	')
+
+	filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Search the sysadm users home sub directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_search_home_content_dirs',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the sysadm home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_read_home_content_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read files in the sysadm
+##	home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysadm_dontaudit_read_home_content_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	dontaudit $1 sysadm_home_t:dir search_dir_perms;
+	dontaudit $1 sysadm_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Read sysadm temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_read_tmp_files',`
+	gen_require(`
+		type sysadm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 sysadm_tmp_t:dir list_dir_perms;
+	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+')
+
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
new file mode 100644
index 0000000..186b2a6
--- /dev/null
+++ b/policy/modules/roles/sysadm.te
@@ -0,0 +1,330 @@
+
+policy_module(sysadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow sysadm to debug or ptrace all processes.
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+role sysadm_r;
+
+userdom_admin_user_template(sysadm)
+
+ifndef(`enable_mls',`
+	userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+########################################
+#
+# Local policy
+#
+
+corecmd_exec_shell(sysadm_t)
+
+mls_process_read_up(sysadm_t)
+
+init_exec(sysadm_t)
+
+# For sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
+
+ifdef(`direct_sysadm_daemon',`
+	optional_policy(`
+		init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	')
+',`
+	ifdef(`distro_gentoo',`
+		optional_policy(`
+			seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+		')
+	')
+')
+
+ifndef(`enable_mls',`
+	logging_manage_audit_log(sysadm_t)
+	logging_manage_audit_config(sysadm_t)
+	logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+tunable_policy(`allow_ptrace',`
+	domain_ptrace_all_domains(sysadm_t)
+')
+
+optional_policy(`
+	amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	#apache_run_all_scripts(sysadm_t, sysadm_r)
+	#apache_domtrans_sys_script(sysadm_t)
+')
+
+optional_policy(`
+	# cjp: why is this not apm_run_client
+	apm_domtrans_client(sysadm_t)
+')
+
+optional_policy(`
+	apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	auditadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+	backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	cron_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	cvs_exec(sysadm_t)
+')
+
+optional_policy(`
+	dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	dmesg_exec(sysadm_t)
+')
+
+optional_policy(`
+	dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+')
+
+optional_policy(`
+	fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	# allow system administrator to use the ipsec script to look
+	# at things (e.g., ipsec auto --status)
+	# probably should create an ipsec_admin role for this kind of thing
+	ipsec_exec_mgmt(sysadm_t)
+	ipsec_stream_connect(sysadm_t)
+	# for lsof
+	ipsec_getattr_key_sockets(sysadm_t)
+')
+
+optional_policy(`
+	iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	mta_admin_template(sysadm, sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+	munin_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+	mysql_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+	netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	ntp_stub()
+	corenet_udp_bind_ntp_port(sysadm_t)
+')
+
+optional_policy(`
+	oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	raid_domtrans_mdadm(sysadm_t)
+')
+
+optional_policy(`
+	rpc_domtrans_nfsd(sysadm_t)
+')
+
+optional_policy(`
+	rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	rsync_exec(sysadm_t)
+')
+
+optional_policy(`
+	samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	secadm_role_change_template(sysadm)
+')
+
+optional_policy(`
+	seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	staff_role_change_template(sysadm)
+')
+
+optional_policy(`
+	sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	tzdata_domtrans(sysadm_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	# Add/remove user home directories
+	unprivuser_manage_home_dirs(sysadm_t)
+	unprivuser_home_filetrans_home_dir(sysadm_t)
+
+	unprivuser_role_change_template(sysadm)
+')
+
+optional_policy(`
+	usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+	usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
+
+optional_policy(`
+	yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+')
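Review bot: `unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })` near the end of the file is the only `_domtrans` call here that is given a role and a terminal list; `apm_domtrans_client`, `raid_domtrans_mdadm`, `rpc_domtrans_nfsd` and `tzdata_domtrans` all take the domain alone, and the three-argument form is otherwise used only with `_run` interfaces. If `unconfined_domtrans` follows that one-argument convention (its definition is not in this hunk), m4 drops the extra arguments silently and the line reads as if `sysadm_r` were being associated with the unconfined domain when it is not. Because this is the path from the admin role into an unconfined domain, the intent should be explicit: either `unconfined_domtrans(sysadm_t)` or the `_run` form if the role association is wanted. Separately, `firstboot_run` passes only `sysadm_tty_device_t` where every other `_run` call passes both terminal types; if that is deliberate, a one-line comment saying why would keep it from being "fixed" later.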
diff --git a/policy/modules/roles/unprivuser.fc b/policy/modules/roles/unprivuser.fc
new file mode 100644
index 0000000..601a7b0
--- /dev/null
+++ b/policy/modules/roles/unprivuser.fc
@@ -0,0 +1 @@
+# file contexts handled by userdomain and genhomedircon
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
new file mode 100644
index 0000000..1b55153
--- /dev/null
+++ b/policy/modules/roles/unprivuser.if
@@ -0,0 +1,325 @@
+## <summary>Generic unprivileged user role</summary>
+
+########################################
+## <summary>
+##	Change to the generic user role.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_template',`
+	userdom_role_change_template($1, user)
+')
+
+########################################
+## <summary>
+##	Change from the generic user role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the generic user role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is a template to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`unprivuser_role_change_to_template',`
+	userdom_role_change_template(user, $1)
+')
+
+########################################
+## <summary>
+##	Create generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_home_filetrans_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_home_filetrans($1,user_home_dir_t,dir)
+')
+
+########################################
+## <summary>
+##	Search generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_search_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	allow $1 user_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in generic user home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	If not specified, file is used.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_home_dir_filetrans_home_content',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+')
+
+########################################
+## <summary>
+##	Don't audit search on the user home subdirectory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_search_home_dirs',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	subdirectories of generic user
+##	home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_dirs',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Relabel to generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_relabelto_home_dirs',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Read files in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_read_home_content_files',`
+	gen_require(`
+		type user_home_t, user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_t:dir list_dir_perms;
+	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Mmap of generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_mmap_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_t:file execute;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_files',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to relabel generic user
+##	home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_dontaudit_relabel_home_content_files',`
+	gen_require(`
+		type user_home_t;
+	')
+
+	dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic
+##	links in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_symlinks',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	pipes in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_pipes',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named
+##	sockets in generic user home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_manage_home_content_sockets',`
+	gen_require(`
+		type user_home_dir_t, user_home_t;
+	')
+
+	files_search_home($1)
+	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+')
+
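Review bot: `unprivuser_mmap_home_content_files` is documented as "Mmap of generic user home files", but the rule it adds is `allow $1 user_home_t:file execute;`, which is execute permission on content that lives in user home directories. The summary should state that, e.g. `Mmap generic user home files (grants execute on user_home_t files).`, so a module author reading the interface documentation sees what a caller actually receives. `unprivuser_dontaudit_search_home_dirs` has a related naming problem: it silences searches on `user_home_t`, while `unprivuser_search_home_dirs` in the same file allows searches on `user_home_dir_t`, so the allow/dontaudit pair does not cover the same type; a name such as `unprivuser_dontaudit_search_home_content_dirs` would match the rule. The `<param>` text on `unprivuser_dontaudit_search_home_dirs` and `unprivuser_dontaudit_relabel_home_content_files` should read `Domain to not audit.` rather than `Domain allowed access.`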
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
new file mode 100644
index 0000000..6a1254b
--- /dev/null
+++ b/policy/modules/roles/unprivuser.te
@@ -0,0 +1,15 @@
+
+policy_module(unprivuser, 1.0.0)
+
+# this module should be named user, but that is
+# a compile error since user is a keyword.
+
+########################################
+#
+# Declarations
+#
+
+role user_r;
+
+userdom_unpriv_user_template(user)
+
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index f77f14c..462cb20 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
 
-policy_module(afs,1.2.0)
+policy_module(afs,1.2.1)
 
 ########################################
 #
@@ -186,8 +186,7 @@ seutil_read_config(afs_fsserver_t)
 
 sysnet_read_config(afs_fsserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
+sysadm_dontaudit_use_terms(afs_fsserver_t)
 
 ########################################
 #
@@ -235,8 +234,7 @@ seutil_read_config(afs_kaserver_t)
 
 sysnet_read_config(afs_kaserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
+sysadm_dontaudit_use_terms(afs_kaserver_t)
 
 ########################################
 #
@@ -277,8 +275,7 @@ miscfiles_read_localization(afs_ptserver_t)
 
 sysnet_read_config(afs_ptserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
+sysadm_dontaudit_use_terms(afs_ptserver_t)
 
 ########################################
 #
@@ -319,5 +316,4 @@ miscfiles_read_localization(afs_vlserver_t)
 
 sysnet_read_config(afs_vlserver_t)
 
-userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
-userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
+sysadm_dontaudit_use_terms(afs_vlserver_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index b8b475c..c8f4bbc 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.6.0)
+policy_module(amavis,1.6.1)
 
 ########################################
 #
@@ -143,8 +143,6 @@ miscfiles_read_localization(amavis_t)
 sysnet_dns_name_resolve(amavis_t)
 sysnet_use_ldap(amavis_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
-
 # Cron handling
 cron_use_fds(amavis_t)
 cron_use_system_job_fds(amavis_t)
@@ -152,6 +150,8 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
+sysadm_dontaudit_search_home_dirs(amavis_t)
+
 optional_policy(`
 	clamav_stream_connect(amavis_t)
 	clamav_domtrans_clamscan(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 74accd1..b263dbb 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.9.0)
+policy_module(apache,1.9.1)
 
 #
 # NOTES: 
@@ -419,9 +419,9 @@ tunable_policy(`httpd_tty_comm',`
 	# cjp: this is redundant:
 	term_use_controlling_term(httpd_t)
 
-	userdom_use_sysadm_terms(httpd_t)
+	sysadm_use_terms(httpd_t)
 ',`
-	userdom_dontaudit_use_sysadm_terms(httpd_t)
+	sysadm_dontaudit_use_terms(httpd_t)
 ')
 
 optional_policy(`
@@ -515,10 +515,7 @@ libs_use_shared_libs(httpd_helper_t)
 logging_send_syslog_msg(httpd_helper_t)
 
 tunable_policy(`httpd_tty_comm',`
-	# cjp: this is redundant:
-	term_use_controlling_term(httpd_helper_t)
-
-	userdom_use_sysadm_terms(httpd_helper_t)
+	sysadm_use_terms(httpd_helper_t)
 ')
 
 ########################################
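Review bot: The `httpd_tty_comm` block for `httpd_helper_t` loses `term_use_controlling_term(httpd_helper_t)` in this hunk, while the `httpd_t` block in the previous hunk keeps the same call under the same "this is redundant" comment. As defined in this commit, `sysadm_use_terms` expands to `sysadm_use_ttys` and `sysadm_use_ptys`, which cover `sysadm_tty_device_t` and `sysadm_devpts_t` only, so unless controlling-terminal access reaches `httpd_helper_t` some other way (not visible here) this is a permission change and not just a rename. Either keep the line as in the `httpd_t` block or remove it from both, and mention the removal in the Changelog entry. The enclosing policy section starts and ends outside the hunk.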
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 44a1a00..3aaf5bd 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
 
-policy_module(apm,1.6.0)
+policy_module(apm,1.6.1)
 
 ########################################
 #
@@ -139,9 +139,10 @@ modutils_read_module_config(apmd_t)
 seutil_dontaudit_read_config(apmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
 userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
 
+sysadm_dontaudit_search_home_dirs(apmd_t)
+
 ifdef(`distro_redhat',`
 	allow apmd_t apmd_lock_t:file manage_file_perms;
 	files_lock_filetrans(apmd_t,apmd_lock_t,file)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 63afd6f..f09cbdd 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(arpwatch,1.5.0)
+policy_module(arpwatch,1.5.1)
 
 ########################################
 #
@@ -81,10 +81,11 @@ logging_send_syslog_msg(arpwatch_t)
 miscfiles_read_localization(arpwatch_t)
 
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
-userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
 
 mta_send_mail(arpwatch_t)
 
+sysadm_dontaudit_search_home_dirs(arpwatch_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(arpwatch_t)
 ')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index b9e5d01..d1ba555 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
 
-policy_module(asterisk,1.4.0)
+policy_module(asterisk,1.4.1)
 
 ########################################
 #
@@ -126,7 +126,8 @@ miscfiles_read_localization(asterisk_t)
 sysnet_read_config(asterisk_t)
 
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
+
+sysadm_dontaudit_search_home_dirs(asterisk_t)
 
 optional_policy(`
 	nis_use_ypbind(asterisk_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 63de93c..9005dde 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy,1.3.0)
+policy_module(audio_entropy,1.3.1)
 
 ########################################
 #
@@ -49,7 +49,8 @@ logging_send_syslog_msg(entropyd_t)
 miscfiles_read_localization(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
+
+sysadm_dontaudit_search_home_dirs(entropyd_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(entropyd_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 03aaa9e..e62ae70 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.8.0)
+policy_module(automount,1.8.1)
 
 ########################################
 #
@@ -145,7 +145,8 @@ sysnet_use_ldap(automount_t)
 sysnet_read_config(automount_t)
 
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
-userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+
+sysadm_dontaudit_search_home_dirs(automount_t)
 
 optional_policy(`
 	bind_search_cache(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 726d403..01404f6 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi,1.8.0)
+policy_module(avahi,1.8.1)
 
 ########################################
 #
@@ -78,7 +78,8 @@ logging_send_syslog_msg(avahi_t)
 miscfiles_read_localization(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+
+sysadm_dontaudit_search_home_dirs(avahi_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(avahi,avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index f330f16..d35fe06 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind,1.6.0)
+policy_module(bind,1.6.1)
 
 ########################################
 #
@@ -147,7 +147,8 @@ miscfiles_read_certs(named_t)
 sysnet_read_config(named_t)
 
 userdom_dontaudit_use_unpriv_user_fds(named_t)
-userdom_dontaudit_search_sysadm_home_dirs(named_t)
+
+sysadm_dontaudit_search_home_dirs(named_t)
 
 tunable_policy(`named_write_master_zones',`
 	manage_dirs_pattern(named_t,named_zone_t,named_zone_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index c80a6ff..f4db88c 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,2.1.0)
+policy_module(bluetooth,2.1.1)
 
 ########################################
 #
@@ -121,8 +121,9 @@ miscfiles_read_fonts(bluetooth_t)
 sysnet_read_config(bluetooth_t)
 
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
-userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
+
+sysadm_dontaudit_use_ptys(bluetooth_t)
+sysadm_dontaudit_search_home_dirs(bluetooth_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(bluetooth,bluetooth_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index e94d4d7..ea586b6 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
 
-policy_module(canna,1.6.0)
+policy_module(canna,1.6.1)
 
 ########################################
 #
@@ -78,7 +78,8 @@ miscfiles_read_localization(canna_t)
 sysnet_read_config(canna_t)
 
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
-userdom_dontaudit_search_sysadm_home_dirs(canna_t)
+
+sysadm_dontaudit_search_home_dirs(canna_t)
 
 optional_policy(`
 	nis_use_ypbind(canna_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 6f9defd..d8ae246 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
 
-policy_module(comsat,1.4.0)
+policy_module(comsat,1.4.1)
 
 ########################################
 #
@@ -69,10 +69,10 @@ logging_send_syslog_msg(comsat_t)
 
 miscfiles_read_localization(comsat_t)
 
-userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
-
 mta_getattr_spool(comsat_t)
 
+sysadm_dontaudit_getattr_ttys(comsat_t)
+
 optional_policy(`
 	kerberos_use(comsat_t)
 ')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index e9205ab..9c1006d 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
 
-policy_module(courier,1.4.0)
+policy_module(courier,1.4.1)
 
 ########################################
 #
@@ -65,10 +65,11 @@ miscfiles_read_localization(courier_authdaemon_t)
 
 # should not be needed!
 userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(courier_authdaemon_t)
 
 courier_domtrans_pop(courier_authdaemon_t)
 
+sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
+
 ########################################
 #
 # Calendar (PCP) local policy
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 2c648c2..5a00230 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.9.0)
+policy_module(cups,1.9.1)
 
 ########################################
 #
@@ -357,11 +357,12 @@ miscfiles_read_localization(cupsd_config_t)
 seutil_dontaudit_search_config(cupsd_config_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
-userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
+
+cups_stream_connect(cupsd_config_t)
 
 lpd_read_config(cupsd_config_t)
 
-cups_stream_connect(cupsd_config_t)
+sysadm_dontaudit_search_home_dirs(cupsd_config_t)
 
 ifdef(`distro_redhat',`
 	init_getattr_script_files(cupsd_config_t)
@@ -561,11 +562,12 @@ miscfiles_read_localization(hplip_t)
 sysnet_read_config(hplip_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
 lpd_read_config(cupsd_t)
 
+sysadm_dontaudit_search_home_dirs(hplip_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(hplip_t)
 ')
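Review bot: The unchanged context line `lpd_read_config(cupsd_t)` in this hunk names cupsd_t, although every neighbouring rule, including the added `sysadm_dontaudit_search_home_dirs(hplip_t)`, is for hplip_t. This looks like a copy-paste slip that predates the commit: the grant lands on the cups daemon from inside the hplip section, where someone auditing either domain would not expect it. Since the block is being reordered anyway, consider `lpd_read_config(hplip_t)` if hplip actually needs that access, or drop the line. The hplip rules start above this hunk, so the full set of grants should be checked first.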
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index c3c926c..0460925 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
 
-policy_module(cyrus,1.5.0)
+policy_module(cyrus,1.5.1)
 
 ########################################
 #
@@ -108,12 +108,13 @@ miscfiles_read_certs(cyrus_t)
 sysnet_read_config(cyrus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
-userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
 userdom_use_unpriv_users_fds(cyrus_t)
 
 mta_manage_spool(cyrus_t)
 mta_send_mail(cyrus_t)
 
+sysadm_dontaudit_search_home_dirs(cyrus_t)
+
 optional_policy(`
 	cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index ebf3ecf..fd1fbfe 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
 
-policy_module(dante,1.4.0)
+policy_module(dante,1.4.1)
 
 ########################################
 #
@@ -72,7 +72,8 @@ miscfiles_read_localization(dante_t)
 sysnet_read_config(dante_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dante_t)
-userdom_dontaudit_search_sysadm_home_dirs(dante_t)
+
+sysadm_dontaudit_search_home_dirs(dante_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(dante_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1e2b2bf..3d7eb76 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.8.0)
+policy_module(dbus,1.8.1)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -106,7 +106,8 @@ seutil_read_default_contexts(system_dbusd_t)
 seutil_sigchld_newrole(system_dbusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
+
+sysadm_dontaudit_search_home_dirs(system_dbusd_t)
 
 tunable_policy(`read_default_t',`
 	files_list_default(system_dbusd_t)
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index f019c25..e92766a 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
 
-policy_module(dcc,1.5.0)
+policy_module(dcc,1.5.1)
 
 ########################################
 #
@@ -273,7 +273,8 @@ sysnet_read_config(dccd_t)
 sysnet_dns_name_resolve(dccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+sysadm_dontaudit_search_home_dirs(dccd_t)
 
 optional_policy(`
 	nscd_socket_use(dccd_t)
@@ -346,7 +347,8 @@ sysnet_read_config(dccifd_t)
 sysnet_dns_name_resolve(dccifd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
+
+sysadm_dontaudit_search_home_dirs(dccifd_t)
 
 optional_policy(`
 	nscd_socket_use(dccifd_t)
@@ -418,7 +420,8 @@ sysnet_read_config(dccm_t)
 sysnet_dns_name_resolve(dccm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
+
+sysadm_dontaudit_search_home_dirs(dccm_t)
 
 optional_policy(`
 	nscd_socket_use(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index f94e134..aef76b6 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
 
-policy_module(ddclient,1.4.0)
+policy_module(ddclient,1.4.1)
 
 ########################################
 #
@@ -98,7 +98,8 @@ sysnet_exec_ifconfig(ddclient_t)
 sysnet_read_config(ddclient_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
+
+sysadm_dontaudit_search_home_dirs(ddclient_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 901635a..bfbcaed 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
 
-policy_module(dhcp,1.5.0)
+policy_module(dhcp,1.5.1)
 
 ########################################
 #
@@ -99,7 +99,8 @@ sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
+
+sysadm_dontaudit_search_home_dirs(dhcpd_t)
 
 ifdef(`distro_gentoo',`
 	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 3bfd4aa..660b169 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
 
-policy_module(distcc,1.5.0)
+policy_module(distcc,1.5.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(distccd_t)
 sysnet_read_config(distccd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
+
+sysadm_dontaudit_search_home_dirs(distccd_t)
 
 optional_policy(`
 	nis_use_ypbind(distccd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 4999098..bf6c334 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
 
-policy_module(dnsmasq,1.5.0)
+policy_module(dnsmasq,1.5.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(dnsmasq_t)
 sysnet_read_config(dnsmasq_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
+
+sysadm_dontaudit_search_home_dirs(dnsmasq_t)
 
 optional_policy(`
 	nis_use_ypbind(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 34deb41..9471e99 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.8.0)
+policy_module(dovecot,1.8.1)
 
 ########################################
 #
@@ -113,11 +113,12 @@ miscfiles_read_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
 userdom_priveleged_home_dir_manager(dovecot_t)
 
 mta_manage_spool(dovecot_t)
 
+sysadm_dontaudit_search_home_dirs(dovecot_t)
+
 optional_policy(`
 	kerberos_use(dovecot_t)
 ')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index b43336e..9e97e84 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
 
-policy_module(exim,1.1.0)
+policy_module(exim,1.1.1)
 
 ########################################
 #
@@ -102,12 +102,13 @@ miscfiles_read_localization(exim_t)
 
 sysnet_dns_name_resolve(exim_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+unprivuser_dontaudit_search_home_dirs(exim_t)
 
 mta_read_aliases(exim_t)
 mta_rw_spool(exim_t)
 
+sysadm_dontaudit_search_home_dirs(exim_t)
+
 tunable_policy(`exim_read_user_files',`
 	userdom_read_unpriv_users_home_content_files(exim_t)
 	userdom_read_unpriv_users_tmp_files(exim_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 0f58ecd..4106bbb 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
 
-policy_module(fetchmail,1.5.1)
+policy_module(fetchmail,1.5.2)
 
 ########################################
 #
@@ -83,7 +83,8 @@ miscfiles_read_certs(fetchmail_t)
 sysnet_read_config(fetchmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
+
+sysadm_dontaudit_search_home_dirs(fetchmail_t)
 
 optional_policy(`
 	procmail_domtrans(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 7bea8af..b69b8aa 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
 
-policy_module(finger,1.6.0)
+policy_module(finger,1.6.1)
 
 ########################################
 #
@@ -91,12 +91,12 @@ sysnet_read_config(fingerd_t)
 
 miscfiles_read_localization(fingerd_t)
 
-userdom_read_unpriv_users_home_content_files(fingerd_t)
-userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
-userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
+userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
+
+sysadm_dontaudit_search_home_dirs(fingerd_t)
 
 optional_policy(`
 	cron_system_entry(fingerd_t, fingerd_exec_t)
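Review bot: The removed `userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)` has no replacement on the new side, whereas exim.te in this same commit maps that interface to `unprivuser_dontaudit_search_home_dirs`. The two-line comment about stopping access to sub-directories was written for that dontaudit rule and now sits directly above `userdom_read_unpriv_users_home_content_files(fingerd_t)`, an allow rule, so it describes the opposite of what follows. If the drop is unintended, add `unprivuser_dontaudit_search_home_dirs(fingerd_t)` under the comment. If it is intended, remove or reword the comment so the policy does not misstate what fingerd may read.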
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 02c5ea5..26d43ef 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.7.0)
+policy_module(ftp,1.7.1)
 
 ########################################
 #
@@ -179,9 +179,10 @@ seutil_dontaudit_search_config(ftpd_t)
 sysnet_read_config(ftpd_t)
 sysnet_use_ldap(ftpd_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 
+sysadm_dontaudit_search_home_dirs(ftpd_t)
+
 tunable_policy(`allow_ftpd_anon_write',`
 	miscfiles_manage_public_files(ftpd_t)
 ')
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 118dfa5..a7ce0db 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
 
-policy_module(gatekeeper,1.4.0)
+policy_module(gatekeeper,1.4.1)
 
 ########################################
 #
@@ -88,7 +88,8 @@ miscfiles_read_localization(gatekeeper_t)
 sysnet_read_config(gatekeeper_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
+
+sysadm_dontaudit_search_home_dirs(gatekeeper_t)
 
 optional_policy(`
 	nis_use_ypbind(gatekeeper_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 185d96f..ad75558 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
 
-policy_module(gpm,1.4.0)
+policy_module(gpm,1.4.1)
 
 ########################################
 #
@@ -69,7 +69,8 @@ logging_send_syslog_msg(gpm_t)
 miscfiles_read_localization(gpm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
+
+sysadm_dontaudit_search_home_dirs(gpm_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 6170da5..bb0da44 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.9.1)
+policy_module(hal,1.9.2)
 
 ########################################
 #
@@ -193,7 +193,8 @@ seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
-userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+
+sysadm_dontaudit_search_home_dirs(hald_t)
 
 optional_policy(`
 	alsa_domtrans(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 9b7d99e..3466646 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
 
-policy_module(howl,1.5.0)
+policy_module(howl,1.5.1)
 
 ########################################
 #
@@ -69,7 +69,8 @@ miscfiles_read_localization(howl_t)
 sysnet_read_config(howl_t)
 
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_sysadm_home_dirs(howl_t)
+
+sysadm_dontaudit_search_home_dirs(howl_t)
 
 optional_policy(`
 	nis_use_ypbind(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index 08d28b8..50774e6 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
 
-policy_module(i18n_input,1.5.0)
+policy_module(i18n_input,1.5.1)
 
 ########################################
 #
@@ -77,9 +77,10 @@ miscfiles_read_localization(i18n_input_t)
 sysnet_read_config(i18n_input_t)
 
 userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
 userdom_read_unpriv_users_home_content_files(i18n_input_t)
 
+sysadm_dontaudit_search_home_dirs(i18n_input_t)
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(i18n_input_t)
 	fs_read_nfs_symlinks(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index ff3be76..c481d8b 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
 
-policy_module(imaze,1.4.0)
+policy_module(imaze,1.4.1)
 
 ########################################
 #
@@ -88,7 +88,8 @@ miscfiles_read_localization(imazesrv_t)
 sysnet_read_config(imazesrv_t)
 
 userdom_use_unpriv_users_fds(imazesrv_t)
-userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
+
+sysadm_dontaudit_search_home_dirs(imazesrv_t)
 
 optional_policy(`
 	nis_use_ypbind(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 90663bd..9e30dba 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.6.0)
+policy_module(inetd,1.6.1)
 
 ########################################
 #
@@ -145,7 +145,8 @@ mls_process_set_level(inetd_t)
 sysnet_read_config(inetd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+
+sysadm_dontaudit_search_home_dirs(inetd_t)
 
 ifdef(`enable_mls',`
 	corenet_tcp_recvfrom_netlabel(inetd_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index bbe2b97..6c6db78 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
 
-policy_module(inn,1.5.0)
+policy_module(inn,1.5.1)
 
 ########################################
 #
@@ -105,7 +105,8 @@ seutil_dontaudit_search_config(innd_t)
 sysnet_read_config(innd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(innd_t)
-userdom_dontaudit_search_sysadm_home_dirs(innd_t)
+
+sysadm_dontaudit_search_home_dirs(innd_t)
 
 mta_send_mail(innd_t)
 
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 27dab6b..2bd2d52 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
 
-policy_module(ircd,1.4.0)
+policy_module(ircd,1.4.1)
 
 ########################################
 #
@@ -82,7 +82,8 @@ miscfiles_read_localization(ircd_t)
 sysnet_read_config(ircd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
+
+sysadm_dontaudit_search_home_dirs(ircd_t)
 
 optional_policy(`
 	nis_use_ypbind(ircd_t)
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index 4913ef7..ef5e961 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -1,5 +1,5 @@
 
-policy_module(irqbalance,1.2.0)
+policy_module(irqbalance,1.2.1)
 
 ########################################
 #
@@ -50,7 +50,8 @@ logging_send_syslog_msg(irqbalance_t)
 miscfiles_read_localization(irqbalance_t)
 
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
+
+sysadm_dontaudit_search_home_dirs(irqbalance_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index cd02124..a232bec 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
 
-policy_module(jabber,1.4.0)
+policy_module(jabber,1.4.1)
 
 ########################################
 #
@@ -80,7 +80,8 @@ miscfiles_read_localization(jabberd_t)
 sysnet_read_config(jabberd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
+
+sysadm_dontaudit_search_home_dirs(jabberd_t)
 
 optional_policy(`
 	nis_use_ypbind(jabberd_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index efdc334..d158886 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
 
-policy_module(kerberos,1.6.0)
+policy_module(kerberos,1.6.1)
 
 ########################################
 #
@@ -129,7 +129,8 @@ miscfiles_read_localization(kadmind_t)
 sysnet_read_config(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+
+sysadm_dontaudit_search_home_dirs(kadmind_t)
 
 optional_policy(`
 	nis_use_ypbind(kadmind_t)
@@ -225,7 +226,8 @@ miscfiles_read_localization(krb5kdc_t)
 sysnet_read_config(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+
+sysadm_dontaudit_search_home_dirs(krb5kdc_t)
 
 optional_policy(`
 	nis_use_ypbind(krb5kdc_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index e90f4f9..560717c 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.6.0)
+policy_module(ldap,1.6.1)
 
 ########################################
 #
@@ -114,7 +114,8 @@ miscfiles_read_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+sysadm_dontaudit_search_home_dirs(slapd_t)
 
 optional_policy(`
 	kerberos_use(slapd_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 03e8d29..eb9f364 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.9.0)
+policy_module(lpd,1.9.1)
 
 ########################################
 #
@@ -200,7 +200,8 @@ miscfiles_read_localization(lpd_t)
 sysnet_read_config(lpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
+
+sysadm_dontaudit_search_home_dirs(lpd_t)
 
 optional_policy(`
 	nis_use_ypbind(lpd_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 30c65b0..874805a 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.4.0)
+policy_module(mailman,1.4.1)
 
 ########################################
 #
@@ -99,12 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t)
 # for su
 seutil_dontaudit_search_config(mailman_queue_t)
 
+su_exec(mailman_queue_t)
+
 # some of the following could probably be changed to dontaudit, someone who
 # knows mailman well should test this out and send the changes
-userdom_search_sysadm_home_dirs(mailman_queue_t)
-userdom_getattr_sysadm_home_dirs(mailman_queue_t)
-
-su_exec(mailman_queue_t)
+sysadm_search_home_dirs(mailman_queue_t)
 
 optional_policy(`
 	cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index a1bed0f..99fce61 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
 
-policy_module(monop,1.4.0)
+policy_module(monop,1.4.1)
 
 ########################################
 #
@@ -74,7 +74,8 @@ miscfiles_read_localization(monopd_t)
 sysnet_read_config(monopd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
+
+sysadm_dontaudit_search_home_dirs(monopd_t)
 
 optional_policy(`
 	nis_use_ypbind(monopd_t)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d313f4c..bd4c6cd 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.9.0)
+policy_module(mta,1.9.1)
 
 ########################################
 #
@@ -49,8 +49,8 @@ dev_read_urand(system_mail_t)
 
 init_use_script_ptys(system_mail_t)
 
-userdom_use_sysadm_terms(system_mail_t)
-userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+sysadm_use_terms(system_mail_t)
+sysadm_dontaudit_search_home_dirs(system_mail_t)
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 023d05d..e8bd9f2 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
 
-policy_module(munin,1.4.0)
+policy_module(munin,1.4.1)
 
 ########################################
 #
@@ -96,7 +96,8 @@ miscfiles_read_localization(munin_t)
 sysnet_read_config(munin_t)
 
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
-userdom_dontaudit_search_sysadm_home_dirs(munin_t)
+
+sysadm_dontaudit_search_home_dirs(munin_t)
 
 optional_policy(`
 	# for accessing the output directory
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index c1207fe..3cc3de1 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
 
-policy_module(mysql,1.7.0)
+policy_module(mysql,1.7.1)
 
 ########################################
 #
@@ -100,8 +100,9 @@ miscfiles_read_localization(mysqld_t)
 sysnet_read_config(mysqld_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+
 # for /root/.my.cnf - should not be needed:
-userdom_read_sysadm_home_content_files(mysqld_t)
+sysadm_read_home_content_files(mysqld_t)
 
 ifdef(`distro_redhat',`
 	# because Fedora has the sock_file in the database directory
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index fa8e8d9..2846858 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
 
-policy_module(nagios,1.5.0)
+policy_module(nagios,1.5.1)
 
 ########################################
 #
@@ -103,10 +103,11 @@ logging_send_syslog_msg(nagios_t)
 miscfiles_read_localization(nagios_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nagios_t)
-userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
 
+sysadm_dontaudit_search_home_dirs(nagios_t)
+
 optional_policy(`
 	netutils_domtrans_ping(nagios_t)
 	netutils_signal_ping(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 160489d..727ddce 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
 
-policy_module(nessus,1.4.0)
+policy_module(nessus,1.4.1)
 
 ########################################
 #
@@ -94,7 +94,8 @@ miscfiles_read_localization(nessusd_t)
 sysnet_read_config(nessusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
+
+sysadm_dontaudit_search_home_dirs(nessusd_t)
 
 optional_policy(`
 	nis_use_ypbind(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index fa17c58..36188cc 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.9.0)
+policy_module(networkmanager,1.9.1)
 
 ########################################
 #
@@ -109,11 +109,12 @@ sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
 
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
 userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
 # Read gnome-keyring
 userdom_read_unpriv_users_home_content_files(NetworkManager_t)
 
+sysadm_dontaudit_search_home_dirs(NetworkManager_t)
+
 optional_policy(`
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index ed2d601..e8a7cac 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
 
-policy_module(nis,1.6.0)
+policy_module(nis,1.6.1)
 
 ########################################
 #
@@ -111,7 +111,8 @@ miscfiles_read_localization(ypbind_t)
 sysnet_read_config(ypbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+sysadm_dontaudit_search_home_dirs(ypbind_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
@@ -192,7 +193,8 @@ miscfiles_read_localization(yppasswdd_t)
 sysnet_read_config(yppasswdd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
+
+sysadm_dontaudit_search_home_dirs(yppasswdd_t)
 
 optional_policy(`
 	hostname_exec(yppasswdd_t)
@@ -275,7 +277,8 @@ nis_domtrans_ypxfr(ypserv_t)
 sysnet_read_config(ypserv_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
+
+sysadm_dontaudit_search_home_dirs(ypserv_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ypserv_t)
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 89baef0..c727db1 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.6.0)
+policy_module(nscd,1.6.1)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -104,7 +104,8 @@ seutil_sigchld_newrole(nscd_t)
 sysnet_read_config(nscd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
+
+sysadm_dontaudit_search_home_dirs(nscd_t)
 
 optional_policy(`
 	udev_read_db(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index eff9ee6..675e2e1 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
 
-policy_module(nsd,1.4.0)
+policy_module(nsd,1.4.1)
 
 ########################################
 #
@@ -96,7 +96,8 @@ miscfiles_read_localization(nsd_t)
 sysnet_read_config(nsd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
+
+sysadm_dontaudit_search_home_dirs(nsd_t)
 
 optional_policy(`
 	nis_use_ypbind(nsd_t)
@@ -172,7 +173,7 @@ miscfiles_read_localization(nsd_crond_t)
 
 sysnet_read_config(nsd_crond_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
+sysadm_dontaudit_search_home_dirs(nsd_crond_t)
 
 optional_policy(`
 	cron_system_entry(nsd_crond_t,nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 47893f7..dff5d4a 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
 
-policy_module(ntop,1.5.0)
+policy_module(ntop,1.5.1)
 
 ########################################
 #
@@ -92,7 +92,8 @@ miscfiles_read_localization(ntop_t)
 sysnet_read_config(ntop_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
+
+sysadm_dontaudit_search_home_dirs(ntop_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 91814a2..86ef2b0 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
 
-policy_module(ntp,1.5.0)
+policy_module(ntp,1.5.1)
 
 ########################################
 #
@@ -106,8 +106,8 @@ logging_send_syslog_msg(ntpd_t)
 miscfiles_read_localization(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_sysadm_home_dirs(ntpd_t)
-userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+
+sysadm_list_home_dirs(ntpd_t)
 
 optional_policy(`
 	# for cron jobs
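Review bot: The old pair `userdom_list_sysadm_home_dirs` / `userdom_dontaudit_list_sysadm_home_dirs` was contradictory, and the new side resolves it by keeping only the allow, `sysadm_list_home_dirs(ntpd_t)`. That leaves a network-facing daemon able to list the administrator's home directory with no stated reason. Either document the need with a comment such as `# ntpd lists the sysadm home dir because <reason>`, or, if the access is not required, use the dontaudit counterpart from the new sysadm module (its name is not visible in this hunk).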
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index c10ccda..8ef4f1b 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
 
-policy_module(oav,1.5.0)
+policy_module(oav,1.5.1)
 
 ########################################
 #
@@ -142,7 +142,8 @@ miscfiles_read_localization(scannerdaemon_t)
 sysnet_read_config(scannerdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
+
+sysadm_dontaudit_search_home_dirs(scannerdaemon_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 2650a8b..3c4717f 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
 
-policy_module(oddjob,1.4.0)
+policy_module(oddjob,1.4.1)
 
 ########################################
 #
@@ -78,10 +78,12 @@ libs_use_shared_libs(oddjob_mkhomedir_t)
 
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
+staff_manage_home_dirs(oddjob_mkhomedir_t)
+
 # Add/remove user home directories
-userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
-userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
+unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
+unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
+unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
+
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 7908ac8..351cfe6 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
 
-policy_module(openct,1.2.1)
+policy_module(openct,1.2.2)
 
 ########################################
 #
@@ -51,7 +51,8 @@ logging_send_syslog_msg(openct_t)
 miscfiles_read_localization(openct_t)
 
 userdom_dontaudit_use_unpriv_user_fds(openct_t)
-userdom_dontaudit_search_sysadm_home_dirs(openct_t)
+
+sysadm_dontaudit_search_home_dirs(openct_t)
 
 openct_exec(openct_t)
 
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 3cb9992..9c163ed 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.5.1)
+policy_module(pegasus,1.5.2)
 
 ########################################
 #
@@ -122,7 +122,8 @@ sysnet_read_config(pegasus_t)
 sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
+
+sysadm_dontaudit_search_home_dirs(pegasus_t)
 
 optional_policy(`
 	rpm_exec(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 2020b03..edc1a04 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
 
-policy_module(perdition,1.4.0)
+policy_module(perdition,1.4.1)
 
 ########################################
 #
@@ -68,7 +68,8 @@ miscfiles_read_localization(perdition_t)
 sysnet_read_config(perdition_t)
 
 userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
+
+sysadm_dontaudit_search_home_dirs(perdition_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(perdition_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 0a0e50a..4c66018 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
 
-policy_module(portmap,1.6.0)
+policy_module(portmap,1.6.1)
 
 ########################################
 #
@@ -87,7 +87,8 @@ miscfiles_read_localization(portmap_t)
 sysnet_read_config(portmap_t)
 
 userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
+
+sysadm_dontaudit_search_home_dirs(portmap_t)
 
 optional_policy(`
 	nis_use_ypbind(portmap_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index bd90404..1c5416f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql,1.5.0)
+policy_module(postgresql,1.5.1)
 
 #################################
 #
@@ -128,12 +128,13 @@ miscfiles_read_localization(postgresql_t)
 
 seutil_dontaudit_search_config(postgresql_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
-userdom_dontaudit_use_sysadm_ttys(postgresql_t)
 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 
 mta_getattr_spool(postgresql_t)
 
+sysadm_dontaudit_search_home_dirs(postgresql_t)
+sysadm_dontaudit_use_ttys(postgresql_t)
+
 tunable_policy(`allow_execmem',`
 	allow postgresql_t self:process execmem;
 ')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index b6cda43..04458ed 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
 
-policy_module(postgrey,1.4.0)
+policy_module(postgrey,1.4.1)
 
 ########################################
 #
@@ -78,7 +78,8 @@ miscfiles_read_localization(postgrey_t)
 sysnet_read_config(postgrey_t)
 
 userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
-userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
+
+sysadm_dontaudit_search_home_dirs(postgrey_t)
 
 optional_policy(`
 	nis_use_ypbind(postgrey_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 9f60fd9..a7c890a 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
 
-policy_module(ppp,1.7.0)
+policy_module(ppp,1.7.1)
 
 ########################################
 #
@@ -176,14 +176,15 @@ sysnet_manage_config(pppd_t)
 sysnet_etc_filetrans_config(pppd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it
 #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_sysadm_home_dirs(pppd_t)
 userdom_search_unpriv_users_home_dirs(pppd_t)
 
 ppp_exec(pppd_t)
 
+sysadm_dontaudit_search_home_dirs(pppd_t)
+sysadm_search_home_dirs(pppd_t)
+
 optional_policy(`
 	ddclient_domtrans(pppd_t)
 ')
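Review bot: The added lines `sysadm_dontaudit_search_home_dirs(pppd_t)` and `sysadm_search_home_dirs(pppd_t)` cover the same search on the sysadm home directory, one suppressing the audit record and the other granting the access. Assuming the interfaces expand to a dontaudit and an allow on the same permission, the dontaudit line has no effect and can be dropped. The move also leaves the `~/.ppprc` comment behind, above `userdom_search_unpriv_users_home_dirs(pppd_t)`, so the grant to pppd_t no longer carries its rationale. I would put `# for ~/.ppprc: search the sysadm home directory` directly above `sysadm_search_home_dirs(pppd_t)`. The interface definitions are outside this hunk, so the overlap should be confirmed against them.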
@@ -280,7 +281,8 @@ miscfiles_read_localization(pptp_t)
 sysnet_read_config(pptp_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+
+sysadm_dontaudit_search_home_dirs(pptp_t)
 
 optional_policy(`
 	consoletype_exec(pppd_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 26d2b16..9dbbebc 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy,1.6.0)
+policy_module(privoxy,1.6.1)
 
 ########################################
 #
@@ -76,9 +76,10 @@ miscfiles_read_localization(privoxy_t)
 sysnet_dns_name_resolve(privoxy_t)
 
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
+
+sysadm_dontaudit_search_home_dirs(privoxy_t)
 # cjp: this should really not be needed
-userdom_use_sysadm_terms(privoxy_t)
+sysadm_use_terms(privoxy_t)
 
 optional_policy(`
 	nis_use_ypbind(privoxy_t)
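Review bot: `sysadm_use_terms(privoxy_t)` is carried over under the comment `# cjp: this should really not be needed`, so a proxy daemon domain keeps use of the sysadm terminals. Since this commit already touches the line, it is a good point to try `sysadm_dontaudit_use_terms(privoxy_t)` instead, an interface this commit already uses for system_chkpwd_t. The grant should stay only if privoxy fails to start without it. If it has to stay, the comment should say what breaks without it. The optional_policy block at the end continues outside the hunk.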
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index d334245..f104fa7 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.8.0)
+policy_module(procmail,1.8.1)
 
 ########################################
 #
@@ -74,9 +74,10 @@ miscfiles_read_localization(procmail_t)
 
 # only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
+
 # Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
-userdom_dontaudit_search_staff_home_dirs(procmail_t)
+staff_dontaudit_search_home_dirs(procmail_t)
+sysadm_dontaudit_search_home_dirs(procmail_t)
 
 mta_manage_spool(procmail_t)
 
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index ce9b865..910cad0 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -1,5 +1,5 @@
 
-policy_module(pxe,1.2.0)
+policy_module(pxe,1.2.1)
 
 # cjp: policy seems incomplete
 
@@ -56,7 +56,8 @@ logging_send_syslog_msg(pxe_t)
 miscfiles_read_localization(pxe_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pxe_t)
-userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
+
+sysadm_dontaudit_search_home_dirs(pxe_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(pxe_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 05ca327..36f71f2 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
 
-policy_module(pyzor,1.5.0)
+policy_module(pyzor,1.5.1)
 
 ########################################
 #
@@ -68,7 +68,7 @@ libs_use_shared_libs(pyzor_t)
 
 miscfiles_read_localization(pyzor_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+sysadm_dontaudit_search_home_dirs(pyzor_t)
 
 optional_policy(`
 	amavis_manage_lib_files(pyzor_t)
@@ -127,12 +127,12 @@ locallogin_dontaudit_use_fds(pyzord_t)
 
 miscfiles_read_localization(pyzord_t)
 
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
-userdom_dontaudit_search_staff_home_dirs(pyzord_t)
-
 mta_manage_spool(pyzord_t)
 
+# Do not audit attempts to access /root.
+staff_dontaudit_search_home_dirs(pyzord_t)
+sysadm_dontaudit_search_home_dirs(pyzord_t)
+
 optional_policy(`
 	logging_send_syslog_msg(pyzord_t)
 ')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index ed0a0e4..60e1525 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
 
-policy_module(radius,1.7.0)
+policy_module(radius,1.7.1)
 
 ########################################
 #
@@ -110,8 +110,9 @@ miscfiles_read_certs(radiusd_t)
 sysnet_read_config(radiusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
+
+sysadm_dontaudit_search_home_dirs(radiusd_t)
+sysadm_dontaudit_getattr_home_dirs(radiusd_t)
 
 optional_policy(`
 	cron_system_entry(radiusd_t,radiusd_exec_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 027da47..b08b7ad 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
 
-policy_module(radvd,1.7.0)
+policy_module(radvd,1.7.1)
 
 ########################################
 #
@@ -69,7 +69,8 @@ miscfiles_read_localization(radvd_t)
 sysnet_read_config(radvd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
+
+sysadm_dontaudit_search_home_dirs(radvd_t)
 
 optional_policy(`
 	nis_use_ypbind(radvd_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 433ba9e..e096a06 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.6.0)
+policy_module(rhgb,1.6.1)
 
 ########################################
 #
@@ -111,9 +111,10 @@ sysnet_read_config(rhgb_t)
 sysnet_domtrans_ifconfig(rhgb_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
 userdom_dontaudit_search_all_users_home_content(rhgb_t)
 
+sysadm_dontaudit_search_home_dirs(rhgb_t)
+
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
 # for running setxkbmap
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index b9a6f89..c1add20 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
 
-policy_module(roundup,1.4.0)
+policy_module(roundup,1.4.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(roundup_t)
 sysnet_read_config(roundup_t)
 
 userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
+
+sysadm_dontaudit_search_home_dirs(roundup_t)
 
 optional_policy(`
 	mysql_stream_connect(roundup_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e25ec57..a523f68 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba,1.8.0)
+policy_module(samba,1.8.1)
 
 #################################
 #
@@ -193,7 +193,7 @@ logging_send_syslog_msg(samba_net_t)
 
 miscfiles_read_localization(samba_net_t) 
 
-userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
+sysadm_dontaudit_search_home_dirs(samba_net_t)
 
 optional_policy(`
 	kerberos_use(samba_net_t)
@@ -316,10 +316,11 @@ logging_send_syslog_msg(smbd_t)
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 
+sysadm_dontaudit_search_home_dirs(smbd_t)
+
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -375,7 +376,7 @@ tunable_policy(`samba_export_all_rw',`
 	auth_manage_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_manage_all_files_except_shadow(nmbd_t)
-	userdom_generic_user_home_dir_filetrans_generic_user_home_content(nmbd_t, { file dir })
+	unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
 ')
 
 ########################################
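Review bot: The renamed line `unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })` still gives nmbd_t a home-content type transition inside the samba_export_all_rw tunable block, next to `auth_manage_all_files_except_shadow(nmbd_t)`. The tunable name refers to exporting shares, which is presumably the file server domain smbd_t's job, so these rights on nmbd_t look broader than needed. They may be a copy of the smbd_t rules with the wrong domain. If smbd_t was intended, the line would read `unprivuser_home_dir_filetrans_home_content(smbd_t, { file dir })`; otherwise a comment stating why nmbd_t creates home content would help. The tunable block opens above this hunk, so its earlier rules are not visible here.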
@@ -457,10 +458,11 @@ logging_send_syslog_msg(nmbd_t)
 
 miscfiles_read_localization(nmbd_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
 userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fds(nmbd_t)
 
+sysadm_dontaudit_search_home_dirs(nmbd_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(nmbd_t)
 ')
@@ -718,9 +720,10 @@ logging_send_syslog_msg(winbind_t)
 miscfiles_read_localization(winbind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
 
+sysadm_dontaudit_search_home_dirs(winbind_t)
+
 optional_policy(`
 	kerberos_use(winbind_t)
 ')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 8c7abe3..528f8ae 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.8.0)
+policy_module(sasl,1.8.1)
 
 ########################################
 #
@@ -89,7 +89,8 @@ seutil_dontaudit_read_config(saslauthd_t)
 sysnet_read_config(saslauthd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
+
+sysadm_dontaudit_search_home_dirs(saslauthd_t)
 
 # cjp: typeattribute doesnt work in conditionals
 auth_can_read_shadow_passwords(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 8a66c3c..f6ae7ec 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.7.0)
+policy_module(sendmail,1.7.1)
 
 ########################################
 #
@@ -96,7 +96,6 @@ miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
@@ -106,6 +105,8 @@ mta_rw_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
 
+sysadm_dontaudit_search_home_dirs(sendmail_t)
+
 optional_policy(`
 	clamav_search_lib(sendmail_t)
 ')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 96d1caa..0a801f7 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.6.0)
+policy_module(setroubleshoot,1.6.1)
 
 ########################################
 #
@@ -105,7 +105,7 @@ seutil_read_file_contexts(setroubleshootd_t)
 
 sysnet_read_config(setroubleshootd_t)
 
-userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
+sysadm_dontaudit_read_home_content_files(setroubleshootd_t)
 
 optional_policy(`
 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index de7deeb..d05d9ac 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -1,5 +1,5 @@
 
-policy_module(slrnpull,1.2.0)
+policy_module(slrnpull,1.2.1)
 
 ########################################
 #
@@ -59,7 +59,8 @@ logging_send_syslog_msg(slrnpull_t)
 miscfiles_read_localization(slrnpull_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
+
+sysadm_dontaudit_search_home_dirs(slrnpull_t)
 
 optional_policy(`
 	cron_system_entry(slrnpull_t,slrnpull_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 24ed53b..30c9ec2 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
 
-policy_module(smartmon,1.5.0)
+policy_module(smartmon,1.5.1)
 
 ########################################
 #
@@ -81,7 +81,8 @@ miscfiles_read_localization(fsdaemon_t)
 sysnet_read_config(fsdaemon_t)
 
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
+
+sysadm_dontaudit_search_home_dirs(fsdaemon_t)
 
 optional_policy(`
         mta_send_mail(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 0e8d8d5..5eceb5f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.7.0)
+policy_module(snmp,1.7.1)
 
 ########################################
 #
@@ -106,7 +106,8 @@ seutil_dontaudit_search_config(snmpd_t)
 sysnet_read_config(snmpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
+
+sysadm_dontaudit_search_home_dirs(snmpd_t)
 
 ifdef(`distro_redhat', `
 	optional_policy(`
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index a1ec586..1bad55d 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
 
-policy_module(snort,1.4.0)
+policy_module(snort,1.4.1)
 
 ########################################
 #
@@ -86,7 +86,8 @@ miscfiles_read_localization(snort_t)
 sysnet_read_config(snort_t)
 
 userdom_dontaudit_use_unpriv_user_fds(snort_t)
-userdom_dontaudit_search_sysadm_home_dirs(snort_t)
+
+sysadm_dontaudit_search_home_dirs(snort_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index e5e4910..5015510 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
 
-policy_module(soundserver,1.4.0)
+policy_module(soundserver,1.4.1)
 
 ########################################
 #
@@ -96,7 +96,8 @@ miscfiles_read_localization(soundd_t)
 sysnet_read_config(soundd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
+
+sysadm_dontaudit_search_home_dirs(soundd_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(soundd_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 4197b9e..bb4c27a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.9.0)
+policy_module(spamassassin,1.9.1)
 
 ########################################
 #
@@ -147,7 +147,8 @@ sysnet_dns_name_resolve(spamd_t)
 
 userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)
-userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
+
+sysadm_dontaudit_search_home_dirs(spamd_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(spamd_t)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index cb81891..624358a 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -1,5 +1,5 @@
 
-policy_module(speedtouch,1.2.0)
+policy_module(speedtouch,1.2.1)
 
 #######################################
 #
@@ -54,7 +54,8 @@ logging_send_syslog_msg(speedmgmt_t)
 miscfiles_read_localization(speedmgmt_t)
 
 userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
-userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
+
+sysadm_dontaudit_search_home_dirs(speedmgmt_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(speedmgmt_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index b8ae177..af457b9 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
 
-policy_module(squid,1.5.0)
+policy_module(squid,1.5.1)
 
 ########################################
 #
@@ -141,7 +141,8 @@ miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_use_unpriv_user_fds(squid_t)
-userdom_dontaudit_search_sysadm_home_dirs(squid_t)
+
+sysadm_dontaudit_search_home_dirs(squid_t)
 
 tunable_policy(`squid_connect_any',`
 	corenet_tcp_connect_all_ports(squid_t)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index a14c521..69f02a8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
 
-policy_module(stunnel,1.5.0)
+policy_module(stunnel,1.5.1)
 
 ########################################
 #
@@ -89,7 +89,8 @@ ifdef(`distro_gentoo', `
 	domain_use_interactive_fds(stunnel_t)
 
 	userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
-	userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
+
+	sysadm_dontaudit_search_home_dirs(stunnel_t)
 
 	optional_policy(`
 		daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 411fc8d..ff83525 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
 
-policy_module(sysstat,1.2.0)
+policy_module(sysstat,1.2.1)
 
 ########################################
 #
@@ -60,7 +60,7 @@ locallogin_use_fds(sysstat_t)
 
 miscfiles_read_localization(sysstat_t)
 
-userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
+sysadm_dontaudit_list_home_dirs(sysstat_t)
 
 optional_policy(`
 	cron_system_entry(sysstat_t,sysstat_exec_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 99370f1..6fca7a2 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
 
-policy_module(tftp,1.7.0)
+policy_module(tftp,1.7.1)
 
 ########################################
 #
@@ -92,8 +92,9 @@ sysnet_read_config(tftpd_t)
 sysnet_use_ldap(tftpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
+
+sysadm_dontaudit_use_ttys(tftpd_t)
+sysadm_dontaudit_search_home_dirs(tftpd_t)
 
 tunable_policy(`tftp_anon_write',`
 	miscfiles_manage_public_files(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 55b65f4..336b4d3 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
 
-policy_module(timidity,1.6.0)
+policy_module(timidity,1.6.1)
 
 # Note: You only need this policy if you want to run timidity as a server
 
@@ -73,10 +73,11 @@ logging_send_syslog_msg(timidity_t)
 sysnet_read_config(timidity_t)
 
 userdom_dontaudit_use_unpriv_user_fds(timidity_t)
+
 # stupid timidity won't start if it can't search its current directory.
 # allow this so /etc/init.d/alsasound start works from /root
 # cjp: this should be fixed if possible so this rule can be removed.
-userdom_search_sysadm_home_dirs(timidity_t)
+sysadm_search_home_dirs(timidity_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(timidity_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index f90dc35..7eaf8fa 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
 
-policy_module(transproxy,1.4.0)
+policy_module(transproxy,1.4.1)
 
 ########################################
 #
@@ -58,7 +58,8 @@ miscfiles_read_localization(transproxy_t)
 sysnet_read_config(transproxy_t)
 
 userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
+
+sysadm_dontaudit_search_home_dirs(transproxy_t)
 
 optional_policy(`
 	seutil_sigchld_newrole(transproxy_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index f6449c2..ec773f0 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -1,5 +1,5 @@
 
-policy_module(uptime,1.2.0)
+policy_module(uptime,1.2.1)
 
 ########################################
 #
@@ -62,7 +62,8 @@ logging_send_syslog_msg(uptimed_t)
 miscfiles_read_localization(uptimed_t)
 
 userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
-userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
+
+sysadm_dontaudit_search_home_dirs(uptimed_t)
 
 optional_policy(`
 	mta_send_mail(uptimed_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 6bf41f6..bfb01c7 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
 
-policy_module(uwimap,1.5.0)
+policy_module(uwimap,1.5.1)
 
 ########################################
 #
@@ -75,11 +75,12 @@ miscfiles_read_localization(imapd_t)
 sysnet_read_config(imapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(imapd_t)
-userdom_dontaudit_search_sysadm_home_dirs(imapd_t)
 # cjp: this is excessive, should be limited to the
 # mail directories
 userdom_priveleged_home_dir_manager(imapd_t)
 
+sysadm_dontaudit_search_home_dirs(imapd_t)
+
 mta_rw_spool(imapd_t)
 
 optional_policy(`
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index d93f5a6..9523876 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
 
-policy_module(watchdog,1.4.0)
+policy_module(watchdog,1.4.1)
 
 #################################
 #
@@ -90,7 +90,8 @@ miscfiles_read_localization(watchdog_t)
 sysnet_read_config(watchdog_t)
 
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
+
+sysadm_dontaudit_search_home_dirs(watchdog_t)
 
 optional_policy(`
 	mta_send_mail(watchdog_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 314175b..bbd0989 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.3.0)
+policy_module(xfs,1.3.1)
 
 ########################################
 #
@@ -73,7 +73,8 @@ miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
+
+sysadm_dontaudit_search_home_dirs(xfs_t)
 
 xfs_exec(xfs_t)
 
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index fd2293a..e6ee53b 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
 
-policy_module(xprint,1.4.0)
+policy_module(xprint,1.4.1)
 
 ########################################
 #
@@ -67,7 +67,8 @@ miscfiles_read_localization(xprint_t)
 sysnet_read_config(xprint_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xprint_t)
-userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
+
+sysadm_dontaudit_search_home_dirs(xprint_t)
 
 optional_policy(`
 	cups_read_config(xprint_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index dcafdcf..22f436f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver,2.0.0)
+policy_module(xserver,2.0.1)
 
 ########################################
 #
@@ -308,7 +308,6 @@ miscfiles_read_fonts(xdm_t)
 sysnet_read_config(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
-userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
 userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -316,6 +315,8 @@ userdom_read_unpriv_users_home_content_files(xdm_t)
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 
+sysadm_dontaudit_search_home_dirs(xdm_t)
+
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 098d4bd..0e28477 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
 
-policy_module(zebra,1.6.0)
+policy_module(zebra,1.6.1)
 
 ########################################
 #
@@ -112,7 +112,8 @@ miscfiles_read_localization(zebra_t)
 sysnet_read_config(zebra_t)
 
 userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
+
+sysadm_dontaudit_search_home_dirs(zebra_t)
 
 tunable_policy(`allow_zebra_write_config',`
 	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 8aab5da..efab930 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.10.0)
+policy_module(authlogin,1.10.1)
 
 ########################################
 #
@@ -274,7 +274,8 @@ term_dontaudit_use_generic_ptys(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
-userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
+
+sysadm_dontaudit_use_terms(system_chkpwd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index e9e4011..3789ea8 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
 
-policy_module(hotplug,1.8.0)
+policy_module(hotplug,1.8.1)
 
 ########################################
 #
@@ -114,7 +114,8 @@ seutil_dontaudit_search_config(hotplug_t)
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
+
+sysadm_dontaudit_search_home_dirs(hotplug_t)
 
 ifdef(`distro_redhat', `
 	optional_policy(`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d95575e..bc7d821 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.10.0)
+policy_module(init,1.10.1)
 
 gen_require(`
 	class passwd rootok;
@@ -179,7 +179,7 @@ tunable_policy(`init_upstart',`
 ',`
 	# Run the shell in the sysadm role for single-user mode.
 	# causes problems with upstart
-	userdom_shell_domtrans_sysadm(init_t)
+	sysadm_shell_domtrans(init_t)
 ')
 
 optional_policy(`
@@ -381,10 +381,11 @@ modutils_domtrans_insmod(initrc_t)
 seutil_read_config(initrc_t)
 
 userdom_read_all_users_home_content_files(initrc_t)
+
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_sysadm_terms(initrc_t)
+sysadm_use_terms(initrc_t)
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index f551e83..7020867 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.6.0)
+policy_module(ipsec,1.6.1)
 
 ########################################
 #
@@ -137,7 +137,8 @@ miscfiles_read_localization(ipsec_t)
 sysnet_read_config(ipsec_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
+
+sysadm_dontaudit_search_home_dirs(ipsec_t)
 
 optional_policy(`
 	nis_use_ypbind(ipsec_t)
@@ -255,7 +256,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t)
 
 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 
-userdom_use_sysadm_terms(ipsec_mgmt_t)
+sysadm_use_terms(ipsec_mgmt_t)
 
 optional_policy(`
 	consoletype_exec(ipsec_mgmt_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 39ceb8d..8a3ca68 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.6.0)
+policy_module(locallogin,1.6.1)
 
 ########################################
 #
@@ -241,11 +241,13 @@ seutil_read_default_contexts(sulogin_t)
 
 auth_read_shadow(sulogin_t)
 
-userdom_shell_domtrans_sysadm(sulogin_t)
 userdom_use_unpriv_users_fds(sulogin_t)
-userdom_use_sysadm_ptys(sulogin_t)
-userdom_search_staff_home_dirs(sulogin_t)
-userdom_search_sysadm_home_dirs(sulogin_t)
+
+staff_search_home_dirs(sulogin_t)
+
+sysadm_shell_domtrans(sulogin_t)
+sysadm_use_ptys(sulogin_t)
+sysadm_search_home_dirs(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1b6dfbf..b9c618d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.10.0)
+policy_module(logging,1.10.1)
 
 ########################################
 #
@@ -162,7 +162,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire
 seutil_dontaudit_read_config(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+
+sysadm_dontaudit_search_home_dirs(auditd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -224,7 +225,7 @@ miscfiles_read_localization(klogd_t)
 
 mls_file_read_all_levels(klogd_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
+sysadm_dontaudit_search_home_dirs(klogd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -355,7 +356,8 @@ sysnet_read_config(syslogd_t)
 miscfiles_read_localization(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
+
+sysadm_dontaudit_search_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6be1bcd..f1fbb4b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.8.1)
+policy_module(lvm,1.8.2)
 
 ########################################
 #
@@ -117,7 +117,8 @@ seutil_dontaudit_search_config(clvmd_t)
 seutil_sigchld_newrole(clvmd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
+
+sysadm_dontaudit_search_home_dirs(clvmd_t)
 
 lvm_domtrans(clvmd_t)
 lvm_read_config(clvmd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 53a0afc..245cea6 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.6.0)
+policy_module(modutils,1.6.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -208,8 +208,8 @@ libs_use_shared_libs(depmod_t)
 
 # Read System.map from home directories.
 files_list_home(depmod_t)
-userdom_read_staff_home_content_files(depmod_t)
-userdom_read_sysadm_home_content_files(depmod_t)
+staff_read_home_content_files(depmod_t)
+sysadm_read_home_content_files(depmod_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -283,7 +283,7 @@ logging_send_syslog_msg(update_modules_t)
 
 miscfiles_read_localization(update_modules_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
+sysadm_dontaudit_search_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 2c41ad4..c9f8458 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
 
-policy_module(pcmcia,1.4.0)
+policy_module(pcmcia,1.4.1)
 
 ########################################
 #
@@ -110,7 +110,8 @@ sysnet_etc_filetrans_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
+
+sysadm_dontaudit_search_home_dirs(cardmgr_t)
 
 optional_policy(`
 	seutil_dontaudit_read_config(cardmgr_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 4e93909..7808c98 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
 
-policy_module(raid,1.5.0)
+policy_module(raid,1.5.1)
 
 ########################################
 #
@@ -69,11 +69,12 @@ logging_send_syslog_msg(mdadm_t)
 miscfiles_read_localization(mdadm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
-userdom_dontaudit_use_sysadm_ttys(mdadm_t)
 userdom_dontaudit_search_all_users_home_content(mdadm_t)
 
 mta_send_mail(mdadm_t)
 
+sysadm_dontaudit_use_ttys(mdadm_t)
+
 optional_policy(`
 	gpm_dontaudit_getattr_gpmctl(mdadm_t)
 ')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3ea965a..9597607 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.9.0)
+policy_module(selinuxutil,1.9.1)
 
 gen_require(`
 	bool secure_mode;
@@ -512,8 +512,8 @@ ifdef(`enable_mls',`
 	# read secadm tmp files
 ',`
 	# Handle pp files created in homedir and /tmp
-	userdom_read_sysadm_home_content_files(semanage_t)
-	userdom_read_sysadm_tmp_files(semanage_t)
+	sysadm_read_home_content_files(semanage_t)
+	sysadm_read_tmp_files(semanage_t)
 
 	optional_policy(`
 		unconfined_read_home_content_files(semanage_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 8ea1a85..1d175e1 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.6.0)
+policy_module(sysnetwork,1.6.1)
 
 ########################################
 #
@@ -136,7 +136,7 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_domtrans_insmod(dhcpc_t)
 
-userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
+staff_dontaudit_search_home_dirs(dhcpc_t)
 
 ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7b7d55a..91ef0a0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1451,8 +1451,9 @@ template(`userdom_security_admin_template',`
 	seutil_run_semanage($1,$2,$3)
 	seutil_run_setfiles($1, $2, $3)
 
-	userdom_dontaudit_append_staff_home_content_files($1)
-	userdom_dontaudit_read_sysadm_home_content_files($1)
+	staff_dontaudit_append_home_content_files($1)
+
+	sysadm_dontaudit_read_home_content_files($1)
 
 	optional_policy(`
 		aide_run($1,$2, $3)
@@ -1479,16 +1480,6 @@ template(`userdom_security_admin_template',`
 ## <summary>
 ##	Change to the generic user role.
 ## </summary>
-## <desc>
-##	<p>
-##	Change to the generic user role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the user role (e.g., user
@@ -1498,7 +1489,8 @@ template(`userdom_security_admin_template',`
 ## <rolecap/>
 #
 template(`userdom_role_change_generic_user',`
-	userdom_role_change_template($1, user)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_role_change_template() instead.')
+	unprivuser_role_change_template($1)
 ')
 
 ########################################
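Review bot: The `## <summary>` for `userdom_role_change_generic_user` (it sits in the preceding hunk) still describes a live template, although the body now only warns and forwards. Marking the status in the generated documentation, for example `##	Change to the generic user role.  (Deprecated)`, would let policy authors see it before they hit the build-time warning. The same applies to the other `userdom_*` role-change, sysadm, staff and generic-user shims in this file.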
@@ -1525,23 +1517,14 @@ template(`userdom_role_change_generic_user',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_generic_user',`
-	userdom_role_change_template(user, $1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_role_change_to_template() instead.')
+	unprivuser_role_change_to_template($1)
 ')
 
 ########################################
 ## <summary>
 ##	Change to the staff user role.
 ## </summary>
-## <desc>
-##	<p>
-##	Change to the staff user role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the user role (e.g., user
@@ -1551,7 +1534,8 @@ template(`userdom_role_change_from_generic_user',`
 ## <rolecap/>
 #
 template(`userdom_role_change_staff',`
-	userdom_role_change_template($1, staff)
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_role_change_template() instead.')
+	staff_role_change_template($1)
 ')
 
 ########################################
@@ -1578,23 +1562,14 @@ template(`userdom_role_change_staff',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_staff',`
-	userdom_role_change_template(staff, $1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_role_change_to_template() instead.')
+	staff_role_change_to_template($1)
 ')
 
 ########################################
 ## <summary>
 ##	Change to the sysadm user role.
 ## </summary>
-## <desc>
-##	<p>
-##	Change to the sysadm user role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the user role (e.g., user
@@ -1604,7 +1579,8 @@ template(`userdom_role_change_from_staff',`
 ## <rolecap/>
 #
 template(`userdom_role_change_sysadm',`
-	userdom_role_change_template($1, sysadm)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_role_change_template() instead.')
+	sysadm_role_change_template($1)
 ')
 
 ########################################
@@ -1631,23 +1607,14 @@ template(`userdom_role_change_sysadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_sysadm',`
-	userdom_role_change_template(sysadm, $1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_role_change_to_template() instead.')
+	sysadm_role_change_to_template($1)
 ')
 
 ########################################
 ## <summary>
 ##	Change to the secadm user role.
 ## </summary>
-## <desc>
-##	<p>
-##	Change to the secadm user role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the user role (e.g., user
@@ -1657,11 +1624,8 @@ template(`userdom_role_change_from_sysadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_secadm',`
-	ifdef(`enable_mls',`
-		userdom_role_change_template($1,secadm)
-	',`
-		refpolicywarn(`$0($*) has no effect in non-MLS policy.')
-	')
+	refpolicywarn(`$0($*) has been deprecated.  Please use secadm_role_change_template() instead.')
+	secadm_role_change_template($1)
 ')
 
 ########################################
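Review bot: The rewritten `userdom_role_change_secadm` calls `secadm_role_change_template($1)` unconditionally, whereas the removed body expanded to nothing but a warning when `enable_mls` was undefined. Unless the new template (defined outside this section) carries its own guard, third-party callers of the deprecated name would start receiving secadm role-change rules in non-MLS builds, or fail to build if that role is absent there. Keeping the `ifdef` in the shim preserves the old behaviour. The same applies to the `userdom_role_change_from_secadm`, `userdom_role_change_auditadm` and `userdom_role_change_from_auditadm` hunks that follow.

```m4
template(`userdom_role_change_secadm',`
	# … unchanged: deprecation refpolicywarn …
	ifdef(`enable_mls',`
		secadm_role_change_template($1)
	',`
		refpolicywarn(`$0($*) has no effect in non-MLS policy.')
	')
```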
@@ -1688,27 +1652,14 @@ template(`userdom_role_change_secadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_secadm',`
-	ifdef(`enable_mls',`
-		userdom_role_change_template(secadm,$1)
-	',`
-		refpolicywarn(`$0($*) has no effect in non-MLS policy.')
-	')
+	refpolicywarn(`$0($*) has been deprecated.  Please use secadm_role_change_to_template() instead.')
+	secadm_role_change_to_template($1)
 ')
 
 ########################################
 ## <summary>
 ##	Change to the auditadm user role.
 ## </summary>
-## <desc>
-##	<p>
-##	Change to the auditadm user role.
-##	</p>
-##	<p>
-##	This is a template to support third party modules
-##	and its use is not allowed in upstream reference
-##	policy.
-##	</p>
-## </desc>
 ## <param name="prefix">
 ##	<summary>
 ##	The prefix of the auditadm role (e.g., user
@@ -1718,11 +1669,8 @@ template(`userdom_role_change_from_secadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_auditadm',`
-	ifdef(`enable_mls',`
-		userdom_role_change_template($1,auditadm)
-	',`
-		refpolicywarn(`$0($*) has no effect in non-MLS policy.')
-	')
+	refpolicywarn(`$0($*) has been deprecated.  Please use auditadm_role_change_template() instead.')
+	auditadm_role_change_template($1)
 ')
 
 ########################################
@@ -1749,11 +1697,8 @@ template(`userdom_role_change_auditadm',`
 ## <rolecap/>
 #
 template(`userdom_role_change_from_auditadm',`
-	ifdef(`enable_mls',`
-		userdom_role_change_template(auditadm,$1)
-	',`
-		refpolicywarn(`$0($*) has no effect in non-MLS policy.')
-	')
+	refpolicywarn(`$0($*) has been deprecated.  Please use auditadm_role_change_to_template() instead.')
+	auditadm_role_change_to_template($1)
 ')
 
 ########################################
@@ -4053,14 +3998,8 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 ## </param>
 #
 interface(`userdom_shell_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_shell_domtrans($1, sysadm_t)
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_shell_domtrans() instead.')
+	sysadm_shell_domtrans($1)
 ')
 
 ########################################
@@ -4074,14 +4013,8 @@ interface(`userdom_shell_domtrans_sysadm',`
 ## </param>
 #
 interface(`userdom_bin_spec_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_bin_spec_domtrans($1,sysadm_t)
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_bin_spec_domtrans() instead.')
+	sysadm_bin_spec_domtrans($1)
 ')
 
 ########################################
@@ -4095,8 +4028,8 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
 ## </param>
 #
 interface(`userdom_sbin_spec_domtrans_sysadm',`
-	userdom_bin_spec_domtrans_sysadm($1)
-	refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_sysadm() instead.')
+	refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans() instead.')
+	sysadm_bin_spec_domtrans($1)
 ')
 
 ########################################
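Review bot: The warning text in `userdom_sbin_spec_domtrans_sysadm` keeps the older `$0() has been deprecated, please use …` form, while every shim added by this commit uses `$0($*) has been deprecated.  Please use … instead.`. Using the same form here, `$0($*) has been deprecated.  Please use sysadm_bin_spec_domtrans() instead.`, keeps the build output uniform and shows the caller's argument, which helps locate the offending call. The `userdom_sysadm_sbin_spec_domtrans_to` hunk further down has the same wording.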
@@ -4112,14 +4045,8 @@ interface(`userdom_sbin_spec_domtrans_sysadm',`
 ## </param>
 #
 interface(`userdom_entry_spec_domtrans_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	domain_entry_file_spec_domtrans($1,sysadm_t)
-	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_file_perms;
-	allow sysadm_t $1:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans() instead.')
+	sysadm_entry_spec_domtrans($1)
 ')
 
 ########################################
@@ -4146,14 +4073,8 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
 ## </param>
 #
 interface(`userdom_sysadm_bin_spec_domtrans_to',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	corecmd_bin_spec_domtrans(sysadm_t,$1)
-	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_file_perms;
-	allow $1 sysadm_t:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_bin_spec_domtrans_to() instead.')
+	sysadm_bin_spec_domtrans_to($1)
 ')
 
 ########################################
@@ -4180,8 +4101,8 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',`
 ## </param>
 #
 interface(`userdom_sysadm_sbin_spec_domtrans_to',`
-	userdom_sysadm_bin_spec_domtrans_to($1)
-	refpolicywarn(`$0() has been deprecated, please use userdom_sysadm_bin_spec_domtrans_to() instead.')
+	refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans_to() instead.')
+	sysadm_bin_spec_domtrans_to($1)
 ')
 
 ########################################
@@ -4209,14 +4130,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
 ## </param>
 #
 interface(`userdom_sysadm_entry_spec_domtrans_to',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	domain_entry_file_spec_domtrans(sysadm_t, $1)
-	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_file_perms;
-	allow $1 sysadm_t:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_entry_spec_domtrans_to() instead.')
+	sysadm_entry_spec_domtrans_to($1)
 ')
 
 ########################################
@@ -4230,12 +4145,8 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
 ## </param>
 #
 interface(`userdom_search_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_search_home_dirs() instead.')
+	staff_search_home_dirs($1)
 ')
 
 ########################################
@@ -4250,11 +4161,8 @@ interface(`userdom_search_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_search_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	dontaudit $1 staff_home_dir_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_dontaudit_search_home_dirs() instead.')
+	staff_dontaudit_search_home_dirs($1)
 ')
 
 ########################################
@@ -4269,12 +4177,8 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_manage_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir manage_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_manage_home_dirs() instead.')
+	staff_manage_home_dirs($1)
 ')
 
 ########################################
@@ -4288,12 +4192,8 @@ interface(`userdom_manage_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_relabelto_staff_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 staff_home_dir_t:dir relabelto;
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_relabelto_home_dirs() instead.')
+	staff_relabelto_home_dirs($1)
 ')
 
 ########################################
@@ -4308,11 +4208,8 @@ interface(`userdom_relabelto_staff_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_append_staff_home_content_files',`
-	gen_require(`
-		type staff_home_t;
-	')
-
-	dontaudit $1 staff_home_t:file append;
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_dontaudit_append_home_content_files() instead.')
+	staff_dontaudit_append_home_content_files($1)
 ')
 
 ########################################
@@ -4326,14 +4223,8 @@ interface(`userdom_dontaudit_append_staff_home_content_files',`
 ## </param>
 #
 interface(`userdom_read_staff_home_content_files',`
-	gen_require(`
-		type staff_home_dir_t, staff_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
-	read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
-	read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use staff_read_home_content_files() instead.')
+	staff_read_home_content_files($1)
 ')
 
 ########################################
@@ -4347,11 +4238,8 @@ interface(`userdom_read_staff_home_content_files',`
 ## </param>
 #
 interface(`userdom_sigchld_sysadm',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	allow $1 sysadm_t:process sigchld;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_sigchld() instead.')
+	sysadm_sigchld($1)
 ')
 
 ########################################
@@ -4366,11 +4254,8 @@ interface(`userdom_sigchld_sysadm',`
 ## </param>
 #
 interface(`userdom_dontaudit_getattr_sysadm_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_getattr_ttys() instead.')
+	sysadm_dontaudit_getattr_ttys($1)
 ')
 
 ########################################
@@ -4384,13 +4269,8 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_use_sysadm_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	term_list_ptys($1)
-	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_ttys() instead.')
+	sysadm_use_ttys($1)
 ')
 
 ########################################
@@ -4404,11 +4284,8 @@ interface(`userdom_use_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_ttys',`
-	gen_require(`
-		type sysadm_tty_device_t;
-	')
-
-	dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_ttys() instead.')
+	sysadm_dontaudit_use_ttys($1)
 ')
 
 ########################################
@@ -4422,13 +4299,8 @@ interface(`userdom_dontaudit_use_sysadm_ttys',`
 ## </param>
 #
 interface(`userdom_use_sysadm_ptys',`
-	gen_require(`
-		type sysadm_devpts_t;
-	')
-
-	dev_list_all_dev_nodes($1)
-	term_list_ptys($1)
-	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_ptys() instead.')
+	sysadm_use_ptys($1)
 ')
 
 ########################################
@@ -4442,11 +4314,8 @@ interface(`userdom_use_sysadm_ptys',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_ptys',`
-	gen_require(`
-		type sysadm_devpts_t;
-	')
-
-	dontaudit $1 sysadm_devpts_t:chr_file { read write };
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_ptys() instead.')
+	sysadm_dontaudit_use_ptys($1)
 ')
 
 ########################################
@@ -4460,8 +4329,8 @@ interface(`userdom_dontaudit_use_sysadm_ptys',`
 ## </param>
 #
 interface(`userdom_use_sysadm_terms',`
-	userdom_use_sysadm_ttys($1)
-	userdom_use_sysadm_ptys($1)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_terms() instead.')
+	sysadm_use_terms($1)
 ')
 
 ########################################
@@ -4475,11 +4344,8 @@ interface(`userdom_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_dontaudit_use_sysadm_terms',`
-	gen_require(`
-		attribute admin_terminal;
-	')
-
-	dontaudit $1 admin_terminal:chr_file { read write };
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_use_terms() instead.')
+	sysadm_dontaudit_use_terms($1)
 ')
 
 ########################################
@@ -4493,11 +4359,8 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 ## </param>
 #
 interface(`userdom_use_sysadm_fds',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	allow $1 sysadm_t:fd use;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_use_fds() instead.')
+	sysadm_use_fds($1)
 ')
 
 ########################################
@@ -4511,11 +4374,8 @@ interface(`userdom_use_sysadm_fds',`
 ## </param>
 #
 interface(`userdom_rw_sysadm_pipes',`
-	gen_require(`
-		type sysadm_t;
-	')
-
-	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_rw_pipes() instead.')
+	sysadm_rw_pipes($1)
 ')
 
 ########################################
@@ -4530,11 +4390,8 @@ interface(`userdom_rw_sysadm_pipes',`
 ## </param>
 #
 interface(`userdom_getattr_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir getattr;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_getattr_home_dirs() instead.')
+	sysadm_getattr_home_dirs($1)
 ')
 
 ########################################
@@ -4550,11 +4407,8 @@ interface(`userdom_getattr_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir getattr;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_getattr_home_dirs() instead.')
+	sysadm_dontaudit_getattr_home_dirs($1)
 ')
 
 ########################################
@@ -4568,11 +4422,8 @@ interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_search_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_search_home_dirs() instead.')
+	sysadm_search_home_dirs($1)
 ')
 
 ########################################
@@ -4587,11 +4438,8 @@ interface(`userdom_search_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_search_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_search_home_dirs() instead.')
+	sysadm_dontaudit_search_home_dirs($1)
 ')
 
 ########################################
@@ -4605,11 +4453,8 @@ interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_list_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	allow $1 sysadm_home_dir_t:dir list_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_list_home_dirs() instead.')
+	sysadm_list_home_dirs($1)
 ')
 
 ########################################
@@ -4624,11 +4469,8 @@ interface(`userdom_list_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_list_sysadm_home_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_list_home_dirs() instead.')
+	sysadm_dontaudit_list_home_dirs($1)
 ')
 
 ########################################
@@ -4643,13 +4485,8 @@ interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 ## </param>
 #
 interface(`userdom_dontaudit_read_sysadm_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:dir search_dir_perms;
-	dontaudit $1 sysadm_home_t:file read_file_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_dontaudit_read_home_content_files() instead.')
+	sysadm_dontaudit_read_home_content_files($1)
 ')
 
 ########################################
@@ -4675,11 +4512,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 ## </param>
 #
 interface(`userdom_sysadm_home_dir_filetrans',`
-	gen_require(`
-		type sysadm_home_dir_t;
-	')
-
-	filetrans_pattern($1,sysadm_home_dir_t,$2,$3)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_home_dir_filetrans() instead.')
+	sysadm_home_dir_filetrans($1,$2,$3)
 ')
 
 ########################################
@@ -4693,11 +4527,8 @@ interface(`userdom_sysadm_home_dir_filetrans',`
 ## </param>
 #
 interface(`userdom_search_sysadm_home_content_dirs',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_search_home_content_dirs() instead.')
+	sysadm_search_home_content_dirs($1)
 ')
 
 ########################################
@@ -4711,14 +4542,8 @@ interface(`userdom_search_sysadm_home_content_dirs',`
 ## </param>
 #
 interface(`userdom_read_sysadm_home_content_files',`
-	gen_require(`
-		type sysadm_home_dir_t, sysadm_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
-	read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
-	read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_read_home_content_files() instead.')
+	sysadm_read_home_content_files($1)
 ')
 
 ########################################
@@ -4732,14 +4557,8 @@ interface(`userdom_read_sysadm_home_content_files',`
 ## </param>
 #
 interface(`userdom_read_sysadm_tmp_files',`
-	gen_require(`
-		type sysadm_tmp_t;
-	')
-
-	files_search_tmp($1)
-	allow $1 sysadm_tmp_t:dir list_dir_perms;
-	read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
-	read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use sysadm_read_tmp_files() instead.')
+	sysadm_read_tmp_files($1)
 ')
 
 ########################################
@@ -4993,11 +4812,8 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',`
 ## </param>
 #
 interface(`userdom_home_filetrans_generic_user_home_dir',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_home_filetrans($1,user_home_dir_t,dir)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_filetrans_home_dir() instead.')
+	unprivuser_home_filetrans_home_dir($1)
 ')
 
 ########################################
@@ -5011,11 +4827,8 @@ interface(`userdom_home_filetrans_generic_user_home_dir',`
 ## </param>
 #
 interface(`userdom_search_generic_user_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	allow $1 user_home_dir_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_search_home_dirs() instead.')
+	unprivuser_search_home_dirs($1)
 ')
 
 ########################################
@@ -5036,12 +4849,8 @@ interface(`userdom_search_generic_user_home_dirs',`
 ## </param>
 #
 interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_home_dir_filetrans_home_content() instead.')
+	unprivuser_home_dir_filetrans_home_content($1)
 ')
 
 ########################################
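Review bot: The shim for `userdom_generic_user_home_dir_filetrans_generic_user_home_content` forwards only `$1`, but the removed body passed `$2` to `filetrans_pattern` as the object class. If the replacement interface (not visible in this hunk) takes the class as its second argument, existing callers would expand it with an empty class. Forward it as `unprivuser_home_dir_filetrans_home_content($1,$2)`, as the `userdom_sysadm_home_dir_filetrans` shim does with `$1,$2,$3`.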
@@ -5055,11 +4864,8 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
 ## </param>
 #
 interface(`userdom_dontaudit_search_generic_user_home_dirs',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	dontaudit $1 user_home_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_dontaudit_search_home_dirs() instead.')
+	unprivuser_dontaudit_search_home_dirs($1)
 ')
 
 ########################################
@@ -5074,12 +4880,8 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_dirs',`
-	gen_require(`
-		type user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir manage_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_dirs() instead.')
+	unprivuser_manage_home_dirs($1)
 ')
 
 ########################################
@@ -5095,17 +4897,13 @@ interface(`userdom_manage_generic_user_home_dirs',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_content_dirs',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_dirs() instead.')
+	unprivuser_manage_home_content_dirs($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel to staff home directories.
+##	Relabel to generic user home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -5114,12 +4912,8 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
 ## </param>
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
-	gen_require(`
-		type staff_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_dir_t:dir relabelto;
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_relabelto_home_dirs() instead.')
+	unprivuser_relabelto_home_dirs($1)
 ')
 
 ########################################
@@ -5133,13 +4927,8 @@ interface(`userdom_relabelto_generic_user_home_dirs',`
 ## </param>
 #
 interface(`userdom_read_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_t, user_home_dir_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_t:dir list_dir_perms;
-	read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_read_home_content_files() instead.')
+	unprivuser_read_home_content_files($1)
 ')
 
 ########################################
@@ -5154,12 +4943,8 @@ interface(`userdom_read_generic_user_home_content_files',`
 ## </param>
 #
 interface(`userdom_mmap_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	files_search_home($1)
-	allow $1 user_home_t:file execute;
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_mmap_home_content_files() instead.')
+	unprivuser_mmap_home_content_files($1)
 ')
 
 ########################################
@@ -5174,12 +4959,8 @@ interface(`userdom_mmap_generic_user_home_content_files',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_files() instead.')
+	unprivuser_manage_home_content_files($1)
 ')
 
 ########################################
@@ -5194,11 +4975,8 @@ interface(`userdom_manage_generic_user_home_content_files',`
 ## </param>
 #
 interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
-	gen_require(`
-		type user_home_t;
-	')
-
-	dontaudit $1 user_home_t:file { relabelto relabelfrom };
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_dontaudit_relabel_home_content_files() instead.')
+	unprivuser_dontaudit_relabel_home_content_files($1)
 ')
 
 ########################################
@@ -5213,12 +4991,8 @@ interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_content_symlinks',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_symlinks() instead.')
+	unprivuser_manage_home_content_symlinks($1)
 ')
 
 ########################################
@@ -5233,12 +5007,8 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_content_pipes',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_pipes() instead.')
+	unprivuser_manage_home_content_pipes($1)
 ')
 
 ########################################
@@ -5253,12 +5023,8 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
 ## </param>
 #
 interface(`userdom_manage_generic_user_home_content_sockets',`
-	gen_require(`
-		type user_home_dir_t, user_home_t;
-	')
-
-	files_search_home($1)
-	manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
+	refpolicywarn(`$0($*) has been deprecated.  Please use unprivuser_manage_home_content_sockets() instead.')
+	unprivuser_manage_home_content_sockets($1)
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index ae66309..276640b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,14 +1,5 @@
 
-policy_module(userdomain,2.5.0)
-
-gen_require(`
-	role sysadm_r, staff_r, user_r;
-
-	ifdef(`enable_mls',`
-		role secadm_r;
-		role auditadm_r;
-	')
-')
+policy_module(userdomain, 3.0.1)
 
 ########################################
 #
@@ -17,13 +8,6 @@ gen_require(`
 
 ## <desc>
 ## <p>
-## Allow sysadm to debug or ptrace all processes.
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
-
-## <desc>
-## <p>
 ## Allow users to connect to mysql
 ## </p>
 ## </desc>
@@ -100,390 +84,3 @@ attribute unpriv_userdomain;
 
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
-
-########################################
-#
-# Local policy
-#
-
-userdom_admin_user_template(sysadm)
-userdom_unpriv_user_template(staff)
-userdom_unpriv_user_template(user)
-
-# user role change rules:
-# sysadm_r can change to user roles
-userdom_role_change_template(sysadm, user)
-userdom_role_change_template(sysadm, staff)
-
-# only staff_r can change to sysadm_r
-userdom_role_change_template(staff, sysadm)
-dontaudit staff_t admin_terminal:chr_file { read write };
-
-ifdef(`enable_mls',`
-	userdom_unpriv_user_template(secadm)
-	userdom_unpriv_user_template(auditadm)
-
-	userdom_role_change_template(staff, auditadm)
-	userdom_role_change_template(staff, secadm)
-
-	userdom_role_change_template(sysadm, secadm)
-	userdom_role_change_template(sysadm, auditadm)
-
-	userdom_role_change_template(auditadm, secadm)
-	userdom_role_change_template(auditadm, sysadm)
-
-	userdom_role_change_template(secadm, auditadm)
-	userdom_role_change_template(secadm, sysadm)
-')
-
-########################################
-#
-# Sysadm local policy
-#
-
-# for su
-allow sysadm_t userdomain:fd use;
-
-# Add/remove user home directories
-allow sysadm_t user_home_dir_t:dir manage_dir_perms;
-files_home_filetrans(sysadm_t, user_home_dir_t, dir)
-
-corecmd_exec_shell(sysadm_t)
-
-mls_process_read_up(sysadm_t)
-
-init_exec(sysadm_t)
-
-# Following for sending reboot and wall messages
-userdom_use_unpriv_users_ptys(sysadm_t)
-userdom_use_unpriv_users_ttys(sysadm_t)
-
-ifdef(`direct_sysadm_daemon',`
-	optional_policy(`
-		init_run_daemon(sysadm_t, sysadm_r, admin_terminal)
-	')
-',`
-	ifdef(`distro_gentoo',`
-		optional_policy(`
-			seutil_init_script_run_runinit(sysadm_t, sysadm_r, admin_terminal)
-		')
-	')
-')
-
-ifdef(`enable_mls',`
-	allow auditadm_t self:capability { dac_read_search dac_override };
-	seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-	domain_kill_all_domains(auditadm_t)
-        seutil_read_bin_policy(auditadm_t)
-	corecmd_exec_shell(auditadm_t)
-	logging_send_syslog_msg(auditadm_t)
-        logging_read_generic_logs(auditadm_t)
-	logging_manage_audit_log(auditadm_t)
-	logging_manage_audit_config(auditadm_t)
-	logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-	logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-	userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
-	allow secadm_t self:capability { dac_read_search dac_override };
-	corecmd_exec_shell(secadm_t)
-	domain_obj_id_change_exemption(secadm_t)
-	mls_process_read_up(secadm_t)
-	mls_file_read_all_levels(secadm_t)
-	mls_file_write_all_levels(secadm_t)
-	mls_file_upgrade(secadm_t)
-	mls_file_downgrade(secadm_t)
-        auth_relabel_all_files_except_shadow(secadm_t)
-	dev_relabel_all_dev_nodes(secadm_t)
-	auth_relabel_shadow(secadm_t)
-	init_exec(secadm_t)
-	logging_read_audit_log(secadm_t)
-        logging_read_generic_logs(secadm_t)
-	logging_read_audit_config(secadm_t)
-	userdom_dontaudit_append_staff_home_content_files(secadm_t)
-	userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-
-	optional_policy(`
-		aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
-	')
-
-	optional_policy(`
-		netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
-	')
-',`
-	logging_manage_audit_log(sysadm_t)
-	logging_manage_audit_config(sysadm_t)
-	logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
-')
-
-tunable_policy(`allow_ptrace',`
-	domain_ptrace_all_domains(sysadm_t)
-')
-
-optional_policy(`
-	amanda_run_recover(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
-	#apache_run_all_scripts(sysadm_t, sysadm_r)
-	#apache_domtrans_sys_script(sysadm_t)
-')
-
-optional_policy(`
-	tzdata_domtrans(sysadm_t)
-')
-
-optional_policy(`
-	raid_domtrans_mdadm(sysadm_t)
-')
-
-optional_policy(`
-	# cjp: why is this not apm_run_client
-	apm_domtrans_client(sysadm_t)
-')
-
-optional_policy(`
-	apt_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	backup_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	bootloader_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	bind_run_ndc(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	certwatch_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	consoletype_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	clock_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	clockspeed_run_cli(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	cvs_exec(sysadm_t)
-')
-
-optional_policy(`
-	consoletype_exec(sysadm_t)
-
-	ifdef(`enable_mls',`
-		consoletype_exec(auditadm_t)
-	')
-')
-
-optional_policy(`
-	cron_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	dcc_run_cdcc(sysadm_t, sysadm_r, admin_terminal)
-	dcc_run_client(sysadm_t, sysadm_r, admin_terminal)
-	dcc_run_dbclean(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	ddcprobe_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	dmesg_exec(sysadm_t)
-
-	ifdef(`enable_mls',`
-		dmesg_exec(auditadm_t)
-	')
-')
-
-optional_policy(`
-	dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	dpkg_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	ethereal_run_tethereal(sysadm_t, sysadm_r, admin_terminal)
-	ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
-')
-
-optional_policy(`
-	fstools_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	hostname_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	# allow system administrator to use the ipsec script to look
-	# at things (e.g., ipsec auto --status)
-	# probably should create an ipsec_admin role for this kind of thing
-	ipsec_exec_mgmt(sysadm_t)
-	ipsec_stream_connect(sysadm_t)
-	# for lsof
-	ipsec_getattr_key_sockets(sysadm_t)
-')
-
-optional_policy(`
-	iptables_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	libs_run_ldconfig(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	lvm_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	logrotate_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	lpd_run_checkpc(sysadm_t, sysadm_r, admin_terminal)
-	lpr_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	kudzu_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	modutils_run_depmod(sysadm_t, sysadm_r, admin_terminal)
-	modutils_run_insmod(sysadm_t, sysadm_r, admin_terminal)
-	modutils_run_update_mods(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	mount_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	mta_admin_template(sysadm, sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-	mysql_stream_connect(sysadm_t)
-')
-
-optional_policy(`
-	netutils_run(sysadm_t, sysadm_r, admin_terminal)
-	netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
-	netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	rpc_domtrans_nfsd(sysadm_t)
-')
-
-optional_policy(`
-	munin_stream_connect(sysadm_t)
-')
-
-optional_policy(`
-	ntp_stub()
-	corenet_udp_bind_ntp_port(sysadm_t)
-')
-
-optional_policy(`
-	oav_run_update(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	pcmcia_run_cardctl(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	portage_run(sysadm_t, sysadm_r, admin_terminal)
-	portage_run_gcc_config(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	portmap_run_helper(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	quota_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	rpm_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	rsync_exec(sysadm_t)
-')
-
-optional_policy(`
-	samba_run_net(sysadm_t, sysadm_r, admin_terminal)
-	samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal)
-	seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
-
-	ifdef(`enable_mls',`
-		userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
-	', `
-		userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
-	')
-')
-
-optional_policy(`
-	sysnet_run_ifconfig(sysadm_t, sysadm_r, admin_terminal)
-	sysnet_run_dhcpc(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	tripwire_run_siggen(sysadm_t, sysadm_r, admin_terminal)
-	tripwire_run_tripwire(sysadm_t, sysadm_r, admin_terminal)
-	tripwire_run_twadmin(sysadm_t, sysadm_r, admin_terminal)
-	tripwire_run_twprint(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	unconfined_domtrans(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	usbmodules_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	usermanage_run_admin_passwd(sysadm_t, sysadm_r, admin_terminal)
-	usermanage_run_groupadd(sysadm_t, sysadm_r, admin_terminal)
-	usermanage_run_useradd(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	vpn_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	webalizer_run(sysadm_t, sysadm_r, admin_terminal)
-')
-
-optional_policy(`
-	yam_run(sysadm_t, sysadm_r, admin_terminal)
-')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 45e0a64..d58ca23 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.6.0)
+policy_module(xen,1.6.1)
 
 ########################################
 #
@@ -207,12 +207,12 @@ sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 sysnet_rw_dhcp_config(xend_t)
 
-userdom_dontaudit_search_sysadm_home_dirs(xend_t)
-
 xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)
 
+sysadm_dontaudit_search_home_dirs(xend_t)
+
 optional_policy(`
 	consoletype_exec(xend_t)
 ')