diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index bb9d37bb..3477aa70 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -4,13 +4,18 @@
 # Core User configuration.
 #
 
+# gen_user(username, role_set, levels)
+define(`gen_user_ass',`
+	user $1 { $2 } ifdef(`enable_mls', `level $3 range $4');
+')
+
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
-user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
 
 #
 # user_u is a generic user identity for Linux users who have no
@@ -19,7 +24,7 @@ user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);
+gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 
 #
 # The following users correspond to Unix identities.
@@ -28,4 +33,4 @@ user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-user root roles { sysadm_r staff_r } user_mls(s0,s0 - s9:c0.c127);
+gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)