diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index a04588d3..139c5248 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -77,7 +77,6 @@ tunable_policy(`ssh_sysadm_login',`
 # ioctl is necessary for logout() processing for utmp entry and for w to
 # display the tty.
 # some versions of sshd on the new SE Linux require setattr
- allow sshd_t ptyfile:chr_file relabelto;
 term_use_all_user_ptys(sshd_t)
 term_setattr_all_user_ptys(sshd_t)
 term_relabelto_all_user_ptys(sshd_t)
@@ -95,6 +94,12 @@ optional_policy(`rpm.te',`
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
+ # display the tty.
+ # some versions of sshd on the new SE Linux require setattr
+ allow sshd_t ptyfile:chr_file relabelto;
+
 optional_policy(`xauth.te',`
 domain_trans(sshd_t, xauth_exec_t, userdomain)
 ')
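Review bot: In the second hunk the raw `allow sshd_t ptyfile:chr_file relabelto;` is parked as the first statement inside the ssh_sysadm_login tunable_policy of the TODO ifdef, so if that block is ever enabled the attribute-wide relabelto on every ptyfile chr_file comes back, now conditional on that boolean. It would also appear to duplicate `term_relabelto_all_user_ptys(sshd_t)`, which the first hunk leaves active; that is inferred from the interface name, since its definition is not shown here. The copied comment mentions ioctl and setattr, neither of which the single rule beneath it grants. I would replace the four comment lines with one such as `# superseded by term_relabelto_all_user_ptys(sshd_t); remove once confirmed`, or drop the rule outright, so the broader grant is not revived by accident. The tunable_policy and ifdef blocks continue past the end of the hunk.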