diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 97f3cde7..3def4af7 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -118,6 +118,7 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index fc7ba979..461f4859 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1253,18 +1253,8 @@ interface(`corenet_non_ipsec_sendrecv',`
#
interface(`corenet_unconfined',`
gen_require(`
- attribute node_type, netif_type, port_type;
+ attribute corenet_unconfined_type;
')
- allow $1 node_type:node *;
- allow $1 netif_type:netif *;
- allow $1 port_type:tcp_socket { send_msg recv_msg name_connect };
- allow $1 port_type:udp_socket { send_msg recv_msg };
-
- # Bind to any network address.
- # cjp: rawip_socket doesnt make any sense
- allow $1 port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
- allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-
- corenet_non_ipsec_sendrecv($1)
+ typeattribute $1 corenet_unconfined_type;
')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index eca48979..93b9b004 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.4)
+policy_module(corenetwork,1.1.5)
########################################
#
@@ -11,6 +11,8 @@ attribute node_type;
attribute port_type;
attribute reserved_port_type;
+attribute corenet_unconfined_type;
+
type ppp_device_t;
dev_node(ppp_device_t)
@@ -174,3 +176,19 @@ ifdef(`enable_mls', `
network_interface(lo, lo,s0 - s15:c0.c255)
')
#network_interface(eth0, eth0,s0)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow corenet_unconfined_type node_type:node *;
+allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+
+# Bind to any network address.
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
+
+corenet_non_ipsec_sendrecv(corenet_unconfined_type)
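Review bot: The two bind rules under "Bind to any network address" drop `rawip_socket`, which the interface body removed in the corenetwork.if.in hunk of this same commit still granted for both `name_bind` and `node_bind`. Dropping `rawip_socket name_bind` is harmless since a raw socket has no port, but the kernel's bind hook does check `node_bind` on raw sockets, so an unconfined domain binding a raw socket to a local address will now be denied unless some other rule covers it. Either keep `allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;` or say in the section comment that raw-socket node binding is intentionally no longer part of corenet_unconfined.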
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index a5cfa0ed..1ee19c4a 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2850,13 +2850,8 @@ interface(`dev_execmod_zero',`
#
interface(`dev_unconfined',`
gen_require(`
- attribute device_node, memory_raw_write, memory_raw_read;
- type mtrr_device_t;
+ attribute devices_unconfined_type;
')
- allow $1 device_node:devfile_class_set *;
- allow $1 mtrr_device_t:{ dir file } *;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_write, memory_raw_read;
+ typeattribute $1 devices_unconfined_type;
')
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 9e8164c8..c6108f2d 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.6)
+policy_module(devices,1.1.7)
########################################
#
@@ -9,6 +9,7 @@ policy_module(devices,1.1.6)
attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
+attribute devices_unconfined_type;
#
# device_t is the type of /dev.
@@ -190,3 +191,12 @@ fs_associate(device_node)
fs_associate_tmpfs(device_node)
files_associate_tmp(device_node)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow devices_unconfined_type self:capability sys_rawio;
+allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type mtrr_device_t:{ dir file } *;
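Review bot: The blanket `allow devices_unconfined_type device_node:{ blk_file chr_file } *;` covers every device node, but the domain is no longer placed in `memory_raw_read`/`memory_raw_write` the way the replaced `dev_unconfined` body did. If devices.te carries neverallow rules keyed on those attributes for `memory_device_t` (the attributes are declared a few lines above this hunk, and storage.te in this same commit has exactly that pattern), the build will reject this rule; those neverallows need the same treatment as the storage ones, e.g. `neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;` plus the write counterpart. A typeattribute cannot be applied to an attribute, which is why the exemption has to move into the neverallow itself.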
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index da70fa05..341eb91e 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -1136,7 +1136,7 @@ interface(`domain_entry_file_spec_domtrans',`
#
interface(`domain_unconfined',`
gen_require(`
- attribute domain, set_curr_context;
+ attribute set_curr_context;
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
@@ -1145,30 +1145,11 @@ interface(`domain_unconfined',`
typeattribute $1 unconfined_domain_type;
- # pass all constraints
+ # pass constraints
typeattribute $1 can_change_process_identity;
typeattribute $1 can_change_process_role;
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
-
- # Use/sendto/connectto sockets created by any domain.
- allow $1 domain:{ socket_class_set socket key_socket } *;
-
- # Use descriptors and pipes created by any domain.
- allow $1 domain:fd use;
- allow $1 domain:fifo_file rw_file_perms;
-
- # Act upon any other process.
- allow $1 domain:process ~{ transition dyntransition execmem execstack execheap };
-
- # Create/access any System V IPC objects.
- allow $1 domain:{ sem msgq shm } *;
- allow $1 domain:msg { send receive };
-
- # For /proc/pid
- allow $1 domain:dir r_dir_perms;
- allow $1 domain:file r_file_perms;
- allow $1 domain:lnk_file r_file_perms;
')
#
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index ae56c65a..bde89e02 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
-policy_module(domain,1.1.0)
+policy_module(domain,1.1.1)
########################################
#
@@ -108,3 +108,31 @@ tunable_policy(`global_ssp',`
# stack smashing protection.
dev_read_urand(domain)
')
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# unconfined access also allows constraints, but this
+# is handled in the interface as typeattribute cannot
+# be used on an attribute.
+
+# Use/sendto/connectto sockets created by any domain.
+allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+
+# Use descriptors and pipes created by any domain.
+allow unconfined_domain_type domain:fd use;
+allow unconfined_domain_type domain:fifo_file rw_file_perms;
+
+# Act upon any other process.
+allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+
+# Create/access any System V IPC objects.
+allow unconfined_domain_type domain:{ sem msgq shm } *;
+allow unconfined_domain_type domain:msg { send receive };
+
+# For /proc/pid
+allow unconfined_domain_type domain:dir r_dir_perms;
+allow unconfined_domain_type domain:file r_file_perms;
+allow unconfined_domain_type domain:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 050c0884..a4673911 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -330,6 +330,24 @@ interface(`files_dontaudit_list_non_security',`
dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
')
+########################################
+##
+## Allow attempts to modify any directory
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`files_write_non_security_dirs',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ allow $1 file_type:dir write;
+')
+
########################################
##
## Get the attributes of all files.
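Review bot: `files_write_non_security_dirs` still grants write on every `file_type` directory, including `security_file_type` ones, so its name, its "modify any directory" summary and the `security_file_type` it pulls into gen_require all disagree with the rule it emits. This is carried over from the old location rather than introduced here, but since the commit is relocating the interface it is the moment to make it match `files_dontaudit_list_non_security` directly above: `allow $1 { file_type -security_file_type }:dir write;`. If unrestricted directory write really is the intent, rename and re-document the interface instead so callers know what they are getting.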
@@ -3843,42 +3861,8 @@ interface(`files_polyinstantiate_all',`
#
interface(`files_unconfined',`
gen_require(`
- attribute file_type;
+ attribute files_unconfined_type;
')
- # Create/access any file in a labeled filesystem;
- allow $1 file_type:{ file chr_file } ~execmod;
- allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-
- # Mount/unmount any filesystem with the context= option.
- allow $1 file_type:filesystem *;
-
- # Bind to any network address.
- # cjp: need to check this, I dont think this has any effect.
- allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
- ifdef(`targeted_policy',`
- tunable_policy(`allow_execmod',`
- allow $1 file_type:file execmod;
- ')
- ')
-')
-
-
-########################################
-##
-## Allow attempts to modify any directory
-##
-##
-##
-## Domain to allow
-##
-##
-#
-interface(`files_write_non_security_dirs',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- allow $1 file_type:dir write;
+ typeattribute $1 files_unconfined_type;
')
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 4e472858..a7faa689 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.4)
+policy_module(files,1.2.5)
########################################
#
@@ -7,6 +7,7 @@ policy_module(files,1.2.4)
#
attribute file_type;
+attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
@@ -195,3 +196,21 @@ fs_associate_tmpfs(tmpfile)
#
fs_associate_tmpfs(tmpfsfile)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# Create/access any file in a labeled filesystem;
+allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+# Mount/unmount any filesystem with the context= option.
+allow files_unconfined_type file_type:filesystem *;
+
+ifdef(`targeted_policy',`
+ tunable_policy(`allow_execmod',`
+ allow files_unconfined_type file_type:file execmod;
+ ')
+')
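Review bot: The `tunable_policy(`allow_execmod', ...)` block is now evaluated inside the kernel-layer files module rather than wherever `files_unconfined` was called. If `allow_execmod` is declared in the unconfined module (the TODO block deleted from unconfined.if in this commit refers to it), this introduces a kernel-to-system layer dependency and a base policy built without that module will fail on an undeclared boolean; the usual fix is to declare the tunable in a kernel-layer module or keep the execmod rule with the caller. A one-line comment naming where `allow_execmod` is declared would help the next reader either way.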
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 9141c54a..2f6ce0e4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -3159,13 +3159,8 @@ interface(`fs_dontaudit_getattr_all_sockets',`
#
interface(`fs_unconfined',`
gen_require(`
- attribute filesystem_type;
+ attribute filesystem_unconfined_type;
')
- allow $1 filesystem_type:filesystem *;
-
- # Create/access other files. fs_type is to pick up various
- # pseudo filesystem types that are applied to both the filesystem
- # and its files.
- allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+ typeattribute $1 filesystem_unconfined_type;
')
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index f8251f10..f9491c09 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.4)
+policy_module(filesystem,1.3.5)
########################################
#
@@ -7,6 +7,7 @@ policy_module(filesystem,1.3.4)
#
attribute filesystem_type;
+attribute filesystem_unconfined_type;
attribute noxattrfs;
##############################
@@ -176,3 +177,15 @@ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
#
allow filesystem_type self:filesystem associate;
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow filesystem_unconfined_type filesystem_type:filesystem *;
+
+# Create/access other files. fs_type is to pick up various
+# pseudo filesystem types that are applied to both the filesystem
+# and its files.
+allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 574f201e..d5d03fff 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2030,24 +2030,8 @@ interface(`kernel_sendrecv_unlabeled_association',`
#
interface(`kernel_unconfined',`
gen_require(`
- type kernel_t, unlabeled_t, sysctl_t;
- attribute proc_type, sysctl_type;
attribute kern_unconfined;
- attribute can_load_kernmodule, can_receive_kernel_messages;
')
- allow $1 proc_type:{ dir file } *;
-
- allow $1 sysctl_t:{ dir file } *;
-
- allow $1 kernel_t:system *;
-
- allow $1 unlabeled_t:dir_file_class_set *;
- allow $1 unlabeled_t:filesystem *;
- allow $1 unlabeled_t:association *;
-
- typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
typeattribute $1 kern_unconfined;
-
- kernel_rw_all_sysctls($1)
')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index a930f078..70df6fc3 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.3)
+policy_module(kernel,1.3.4)
########################################
#
@@ -10,7 +10,7 @@ policy_module(kernel,1.3.3)
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
-neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
# domains with unconfined access to kernel resources
attribute kern_unconfined;
@@ -62,11 +62,11 @@ genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
-neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
# /proc kcore: inaccessible
type proc_kcore_t, proc_type;
-neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
+neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
type proc_mdstat_t, proc_type;
@@ -142,8 +142,8 @@ sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid init gen_context(system_u:object_r:unlabeled_t,s0)
-sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+sid init gen_context(system_u:object_r:unlabeled_t,s0)
+sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
@@ -340,3 +340,20 @@ optional_policy(`
# since you may have compromised system security.
init_sigchld(unlabeled_t)
')
+
+########################################
+#
+# Rules for unconfined acccess to this module
+#
+
+allow kern_unconfined proc_type:{ dir file } *;
+
+allow kern_unconfined sysctl_t:{ dir file } *;
+
+allow kern_unconfined kernel_t:system *;
+
+allow kern_unconfined unlabeled_t:dir_file_class_set *;
+allow kern_unconfined unlabeled_t:filesystem *;
+allow kern_unconfined unlabeled_t:association *;
+
+kernel_rw_all_sysctls(kern_unconfined)
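Review bot: The section header `# Rules for unconfined acccess to this module` has a typo in "acccess", and every other module touched by this commit uses `# Unconfined access to this module`, so the header should be made to match. On substance, `allow kern_unconfined proc_type:{ dir file } *;` still grants write on `proc_kcore_t` and `proc_kmsg_t` as the old interface did, and the neverallow exemptions earlier in the file now key on `kern_unconfined` directly, so nothing appears lost. A short comment stating that membership in `can_load_kernmodule`/`can_receive_kernel_messages` was deliberately dropped in favour of those neverallow exemptions would save the next reader a search through the history.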
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index f8c62e49..2fac4d0f 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -664,15 +664,8 @@ interface(`storage_setattr_tape_dev',`
#
interface(`storage_unconfined',`
gen_require(`
- type fixed_disk_device_t, removable_device_t;
- type scsi_generic_device_t, tape_device_t;
- attribute fixed_disk_raw_read, fixed_disk_raw_write;
- attribute scsi_generic_read, scsi_generic_write;
+ attribute storage_unconfined_type;
')
- allow $1 { fixed_disk_device_t removable_device_t }:blk_file *;
- allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
-
- typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
- typeattribute $1 scsi_generic_read, scsi_generic_write;
+ typeattribute $1 storage_unconfined_type;
')
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index f4bf61d2..e78c43c6 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage,1.0.0)
+policy_module(storage,1.0.1)
########################################
#
@@ -10,16 +10,17 @@ attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write;
attribute scsi_generic_read;
attribute scsi_generic_write;
+attribute storage_unconfined_type;
#
# fixed_disk_device_t is the type of
# /dev/hd* and /dev/sd*.
#
-type fixed_disk_device_t alias lvm_vg_t;
+type fixed_disk_device_t;
dev_node(fixed_disk_device_t)
-neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
-neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
+neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
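Review bot: `type fixed_disk_device_t alias lvm_vg_t;` loses its `lvm_vg_t` alias in this hunk, and nothing else in the diff removes references to that name, so any module or file context still using `lvm_vg_t` will fail to build; this is unrelated to moving the unconfined rules into the module. If the alias is meant to go it deserves its own commit, or at least a mention in the description, so the breakage is traceable; otherwise keep `type fixed_disk_device_t alias lvm_vg_t;`. The two neverallow rewrites that exempt `storage_unconfined_type` look correct and are what the blanket allow rules later in the file require.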
#
# scsi_generic_device_t is the type of /dev/sg*
@@ -28,8 +29,8 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app
type scsi_generic_device_t;
dev_node(scsi_generic_device_t)
-neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
-neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
+neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
#
# removable_device_t is the type of
@@ -43,3 +44,11 @@ dev_node(removable_device_t)
#
type tape_device_t;
dev_node(tape_device_t)
+
+########################################
+#
+# Unconfined access to this module
+#
+
+allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
+allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 52e2f922..3057feba 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -88,15 +88,6 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
storage_unconfined($1)
')
-
- ifdef(`TODO',`
- if (allow_execmod) {
- ifdef(`targeted_policy', `', `
- # Allow text relocations on system shared libraries, e.g. libGL.
- allow $1 home_type:file execmod;
- ')
- }
- ') dnl end TODO
')
########################################
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index e14e278c..f3fb9088 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.2)
+policy_module(unconfined,1.3.3)
########################################
#