diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
index a4a9d1f49..f17dafdc4 100644
--- a/policy/modules/services/tcsd.te
+++ b/policy/modules/services/tcsd.te
@@ -23,25 +23,26 @@ allow tcsd_t self:capability { dac_override setuid };
 allow tcsd_t self:process { signal sigkill };
 allow tcsd_t self:tcp_socket create_stream_socket_perms;

-# Access /dev/tpm0.
-dev_rw_tpm(tcsd_t)
-
 # var/lib files for tcsd
 manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
 manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
 files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })

 # Accept connections on the TCS port over loopback.
-sysnet_read_config(tcsd_t)
 corenet_all_recvfrom_unlabeled(tcsd_t)
 corenet_tcp_bind_generic_node(tcsd_t)
 corenet_tcp_bind_tcs_port(tcsd_t)

-# Read /dev/urandom, /etc, /usr, and locale files.
 dev_read_urand(tcsd_t)
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
 files_read_etc_files(tcsd_t)
 files_read_usr_files(tcsd_t)
-miscfiles_read_localization(tcsd_t)

 # Log messages via syslog.
 logging_send_syslog_msg(tcsd_t)
+
+miscfiles_read_localization(tcsd_t)
+
+sysnet_read_config(tcsd_t)
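Review bot: The comment `# Accept connections on the TCS port over loopback.` now heads only the three `corenet_*` lines, and nothing in this hunk confines the bind to a loopback address; `corenet_tcp_bind_generic_node(tcsd_t)` reads as a generic node grant, so any loopback limit presumably comes from tcsd's own configuration. I would reword it to something like `# Bind the TCS port; the policy does not restrict the address, tcsd's configuration does.` so that someone auditing TPM exposure is not misled by the comment. The reorder also drops `# Read /dev/urandom, /etc, /usr, and locale files.` without a replacement, which leaves `dev_read_urand`, `files_read_etc_files`, `files_read_usr_files`, `miscfiles_read_localization` and `sysnet_read_config` with no stated reason while `dev_rw_tpm` and `logging_send_syslog_msg` keep theirs. A one-line comment per group, for example `# Read network configuration.` above `sysnet_read_config(tcsd_t)`, would keep each grant in this domain justified.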