diff --git a/refpolicy/policy/systemuser b/refpolicy/policy/systemuser
index 35499f85..dfcfe19d 100644
--- a/refpolicy/policy/systemuser
+++ b/refpolicy/policy/systemuser
@@ -13,7 +13,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
+gen_user(system_u, system_r, s0, s0 - s15:c0.c127, c0.c255)
 
 # Normal users should not be added to this file,
 # but instead added to the users file.
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 88a516e3..0dc5772d 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -16,9 +16,9 @@
 # permit any access to such users, then remove this entry.
 #
 ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
+gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
 #
@@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
+		gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')