diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 3a64fca6d..08c29074b 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -394,20 +394,8 @@ interface(`selinux_compute_user_contexts',`
 #
 interface(`selinux_unconfined',`
 gen_require(`
- attribute can_load_policy, can_setenforce, can_setsecparam;
- bool secure_mode_policyload;
- type security_t;
+ attribute selinux_unconfined_type;
 ')
- # use SELinuxfs
- allow $1 security_t:dir { getattr search read };
- allow $1 security_t:file { getattr read write };
-
- typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
-
- if(!secure_mode_policyload) {
- # Access the security API.
- allow $1 security_t:security *;
- auditallow $1 security_t:security { load_policy setenforce setbool };
- }
+ typeattribute $1 selinux_unconfined_type;
 ')
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
index bfa5712ad..5d6093846 100644
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.1.0)
+policy_module(selinux,1.1.1)
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(selinux,1.1.0)
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;
+attribute selinux_unconfined_type;
 #
 # security_t is the target type when checking
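Review bot: In the selinux.if hunk, `selinux_unconfined` no longer adds the caller to `can_load_policy`, `can_setenforce` and `can_setsecparam`, so any rule or neverallow elsewhere in the policy that is written against those attributes stops covering unconfined domains. This diff updates only the three neverallows in selinux.te; other users of the attributes are not visible here and should be checked before merging. The interface's doc comment sits above the hunk, so the body would benefit from a one-line pointer such as `# access for selinux_unconfined_type is granted in selinux.te`.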
@@ -21,6 +22,23 @@ mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
-neverallow ~can_load_policy security_t:security load_policy;
-neverallow ~can_setenforce security_t:security setenforce;
-neverallow ~can_setsecparam security_t:security setsecparam;
+neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+
+########################################
+#
+# Unconfined access to this module
+#
+
+# use SELinuxfs
+allow selinux_unconfined_type security_t:dir { getattr search read };
+allow selinux_unconfined_type security_t:file { getattr read write };
+
+# Access the security API.
+allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+
+if(!secure_mode_policyload) {
+ allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+ auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
+}
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 97e99db10..ba8dc8a9e 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -56,10 +56,6 @@ interface(`unconfined_domain_noaudit',`
 # Allow making the stack executable via mprotect.
 allow $1 self:process execstack;
 # auditallow $1 self:process execstack;
- ', `
- # These are fairly common but seem to be harmless
- # caused by using shared libraries built with old tool chains
- #dontaudit $1 self:process execstack;
 ')
@@ -73,6 +69,8 @@ interface(`unconfined_domain_noaudit',`
 ')
 optional_policy(`
+ # this is to handle execmod on shared
+ # libs with text relocations
 libs_use_shared_libs($1)
 ')
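Review bot: In the selinux.te hunk at -21,6 +22,23, the unconditional `allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };` still grants `setsecparam` when `secure_mode_policyload` is enabled, whereas the removed interface body granted `security_t:security *` only inside the `if(!secure_mode_policyload)` block. If the boolean is meant to lock every state-changing operation on the security server, exclude it here as well, `~{ load_policy setenforce setbool setsecparam }`, and add `setsecparam` to the conditional `allow` and `auditallow` sets. The three neverallow rules now exempt `selinux_unconfined_type` outright, so the conditional block is the only gate for its members; a short comment above the neverallows stating that this exemption is intentional would help the next reader.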