diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index dbce0345e..cbd0cdd26 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -422,17 +422,17 @@ template(`ssh_role_template',`
 		nis_use_ypbind($1_ssh_agent_t)
 	')
 
-	optional_policy(`
-		xserver_use_xdm_fds($1_ssh_agent_t)
-		xserver_rw_xdm_pipes($1_ssh_agent_t)
-	')
-
 	optional_policy(`
 		tunable_policy(`ssh_use_gpg_agent',`
 			# for ssh-add
 			gpg_stream_connect_agent($3)
 		')
 	')
+
+	optional_policy(`
+		xserver_use_xdm_fds($1_ssh_agent_t)
+		xserver_rw_xdm_pipes($1_ssh_agent_t)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 48654c255..e7b6412e2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -204,17 +204,17 @@ tunable_policy(`user_tcp_server',`
 	corenet_tcp_bind_generic_node(ssh_t)
 ')
 
-optional_policy(`
-	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
-	xserver_domtrans_xauth(ssh_t)
-')
-
 optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
 		gpg_stream_connect_agent(ssh_t)
 	')
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+	xserver_domtrans_xauth(ssh_t)
+')
+
 ##############################
 #
 # ssh_keysign_t local policy