diff --git a/refpolicy/config/local.users b/refpolicy/config/local.users
index 887f6f78..7e2bf7aa 100644
--- a/refpolicy/config/local.users
+++ b/refpolicy/config/local.users
@@ -14,10 +14,6 @@
 # The MLS default level and allowed range should only be specified if
 # MLS was enabled in the policy.
-user user_u roles { user_r };
-
-user root roles { sysadm_r staff_r };
-
 # sample for administrative user
 # user jadmin roles { staff_r sysadm_r };
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index a7a51b1d..bb9d37bb 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -11,3 +11,21 @@
 # identity.
 #
 user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+user root roles { sysadm_r staff_r } user_mls(s0,s0 - s9:c0.c127);
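Review bot: The new `user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);` line in policy/users gives the generic fallback identity the same MLS clearance as system_u and root, even though the comment directly above it describes user_u as the catch-all for Linux accounts with no SELinux identity of their own. If user_mls expands to a level/range clause, as its use on the system_u line suggests, an unmapped account is then authorized for every sensitivity and category the policy defines, which is the widest grant for the least-trusted identity. Consider narrowing it to the single default level, e.g. `user user_u roles { user_r } user_mls(s0,s0);` if the macro accepts a degenerate range, and keep the wide range only on the root entry, which the following comment block documents as the administrative identity. The definition of user_mls is outside this hunk, so its exact expansion should be checked before changing the argument.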