Index: selinux/build/afsd.te
===================================================================
--- selinux/build/afsd.te	(revision 81)
+++ selinux/build/afsd.te	(revision 82)
@@ -61,4 +61,5 @@
 corenet_udp_sendrecv_all_nodes(afsd_t)
 
+afs_access(afsd_t);
 
 require {
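Review bot: `afs_access(afsd_t);` carries a trailing semicolon while the interface call just above it, `corenet_udp_sendrecv_all_nodes(afsd_t)`, and the other calls in misc.te (`kerberos_read_keytab(sshd_t)`, `mta_sendmail_exec(user_t)`) do not; every afs_access call added in misc.te uses the same semicolon form. Whether a bare `;` left over after the m4 expansion is accepted depends on the checkpolicy version, so unless the build has been verified with it, write `afs_access(afsd_t)` to match the surrounding style. Moving the afsd_t call here from misc.te, where it is removed, is otherwise fine.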
Index: selinux/build/misc.te
===================================================================
--- selinux/build/misc.te	(revision 81)
+++ selinux/build/misc.te	(revision 82)
@@ -1,23 +1,20 @@
 policy_module(misc,1.0.0)
+
+### USER ###
+
+require {
+	type user_t;
+};
+
+afs_access(user_t);
 
 ### AFS ###
 
 require {
-	type crond_t, kernel_t, sshd_t, user_t, httpd_t;
-	type postfix_local_t, procmail_t;
-	type proc_t;
-}
-afs_access(afsd_t);
-afs_access(crond_t);
-afs_access(httpd_t);
+	type kernel_t, initrc_t, proc_t;
+};
+
 afs_access(kernel_t);
-afs_access(postfix_local_t);
-afs_access(procmail_t);
-afs_access(sshd_t);
-afs_access(user_t);
 
-require {
-	type initrc_t;
-}
 # init.d script sets up cell files:
 allow initrc_t afsd_etc_t:file { setattr write };
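Review bot: `afs_access(kernel_t);` now stands alone under `### AFS ###` with no explanation, while the `initrc_t` rule right below it carries one (`# init.d script sets up cell files:`); granting the kernel domain client access is unusual enough to deserve a line such as `# cache-manager kernel threads run in kernel_t` — if that is indeed the reason — so it is not mistaken for a leftover. `proc_t` is also listed in the same `require` block but nothing visible in this hunk uses it; if its use is elsewhere in the file that is fine, otherwise drop it.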
@@ -29,7 +26,7 @@
 require {
 	type crond_t, user_cron_spool_t;
-	type user_t;
 };
 
+afs_access(crond_t);
 ### crond can switch to user_t rather than user_crond_t
 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
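Review bot: `afs_access(crond_t);` is placed directly against the `### crond can switch to user_t ...` comment that documents the following rule, so it reads as part of that block; a blank line between them, as the USER section keeps between its afs_access call and the next heading, would separate them, and the same applies to `afs_access(sshd_t);` before `### sshd GSSAPI authentication` in the next hunk. Dropping `type user_t;` from this require block is only safe because the first hunk of this file now requires user_t at the top; the `allow user_t crond_t:process sigchld;` rule later in the file still depends on it.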
@@ -43,10 +40,11 @@
 allow user_t crond_t:process sigchld;
 
-### KRB ###
+### SSH ###
 
 require {
-	type sendmail_t, sshd_t;
+	type sshd_t;
 };
 
+afs_access(sshd_t);
 ### sshd GSSAPI authentication
 kerberos_read_keytab(sshd_t)
@@ -54,4 +52,11 @@
 
 ### MAIL ###
+
+require {
+	type postfix_local_t, procmail_t, sendmail_t;
+};
+
+afs_access(postfix_local_t);
+afs_access(procmail_t);
 mta_sendmail_exec(user_t)
 can_exec(user_t, sendmail_exec_t)
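Review bot: `sendmail_t` is added to the MAIL `require` block at `type postfix_local_t, procmail_t, sendmail_t;` but nothing in this hunk uses it; if the rest of the MAIL section outside the hunk does not use it either, drop it rather than carry an unused require. The two new calls `afs_access(postfix_local_t);` and `afs_access(procmail_t);` would also read better with a one-line comment on what they are for, e.g. `# local delivery and procmail filtering into AFS home directories` — if that is indeed the reason.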
@@ -62,3 +67,11 @@
 
 ### HTTPD ###
+
+require {
+	type httpd_t, httpd_suexec_exec_t;
+};
+
+afs_access(httpd_t);
 allow httpd_t self:key all_key_perms;
+allow httpd_t self:process setrlimit;
+allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };
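Review bot: The last line, `allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };`, lets the web server run the suexec binary inside its own httpd_t domain, skipping the domain transition that the base policy's separate httpd_suexec_exec_t label exists to trigger; suexec is normally installed setuid root, so executing it without a transition keeps that privilege in httpd_t instead of confining it to the suexec domain. If the denial behind this rule was a missing transition, the narrower fix is the transition itself, e.g. `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` (refpolicy names — confirm against the base policy in use), which already covers `execute`. If running suexec untransitioned is intentional here, a comment above the line saying why would stop the next reviewer from removing it. The `allow httpd_t self:process setrlimit;` line above it would likewise benefit from a one-line note on which httpd setting requires it.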
