diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 81fb26fa2..98b8b2d47 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -41,11 +41,11 @@ interface(`usermanage_domtrans_chfn',`
 #
 interface(`usermanage_run_chfn',`
 	gen_require(`
-		type chfn_t;
+		attribute_role chfn_roles;
 	')
 
 	usermanage_domtrans_chfn($1)
-	role $2 types chfn_t;
+	roleattribute $2 chfn_roles;
 ')
 
 ########################################
@@ -90,15 +90,11 @@ interface(`usermanage_domtrans_groupadd',`
 #
 interface(`usermanage_run_groupadd',`
 	gen_require(`
-		type groupadd_t;
+		attribute_role groupadd_roles;
 	')
 
 	usermanage_domtrans_groupadd($1)
-	role $2 types groupadd_t;
-
-	optional_policy(`
-		nscd_run(groupadd_t, $2)
-	')
+	roleattribute $2 groupadd_roles;
 ')
 
 ########################################
@@ -160,12 +156,11 @@ interface(`usermanage_kill_passwd',`
 #
 interface(`usermanage_run_passwd',`
 	gen_require(`
-		type passwd_t;
+		attribute_role passwd_roles;
 	')
 
 	usermanage_domtrans_passwd($1)
-	role $2 types passwd_t;
-	auth_run_chk_passwd(passwd_t, $2)
+	roleattribute $2 passwd_roles;
 ')
 
 ########################################
@@ -208,15 +203,11 @@ interface(`usermanage_domtrans_admin_passwd',`
 #
 interface(`usermanage_run_admin_passwd',`
 	gen_require(`
-		type sysadm_passwd_t;
+		attribute_role sysadm_passwd_roles;
 	')
 
 	usermanage_domtrans_admin_passwd($1)
-	role $2 types sysadm_passwd_t;
-
-	optional_policy(`
-		nscd_run(sysadm_passwd_t, $2)
-	')
+	roleattribute $2 sysadm_passwd_roles;
 ')
 
 ########################################
@@ -279,17 +270,11 @@ interface(`usermanage_domtrans_useradd',`
 #
 interface(`usermanage_run_useradd',`
 	gen_require(`
-		type useradd_t;
+		attribute_role useradd_roles;
 	')
 
 	usermanage_domtrans_useradd($1)
-	role $2 types useradd_t;
-
-	seutil_run_semanage(useradd_t, $2)
-
-	optional_policy(`
-		nscd_run(useradd_t, $2)
-	')
+	roleattribute $2 useradd_roles;
 ')
 
 ########################################
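Review bot: `roleattribute $2 chfn_roles;` in usermanage_run_chfn only authorizes $2 for whatever `role chfn_roles types …` statements exist, and no hunk in this diff adds `role chfn_roles types chfn_t;` — the .te side merely relocates `role system_r types chfn_t;`. Unless that binding exists outside the shown hunks, a role granted through this interface is no longer authorized to enter chfn_t (the removed `role $2 types chfn_t;` was what did that) while still being added to chkpwd_t through auth_run_chk_passwd(chfn_t, chfn_roles); the result is a role-authorization denial on the transition rather than an extra grant, but it silently breaks the interface's contract. usermanage_run_groupadd (hunk -90) and usermanage_run_useradd (hunk -279) have the same dependency on `role groupadd_roles types groupadd_t;` and `role useradd_roles types useradd_t;`, which this diff also does not show; usermanage_run_passwd and usermanage_run_admin_passwd are fine because the .te hunk at -34 adds the matching `role passwd_roles types passwd_t;` lines. Worth confirming against the full .te before merge.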
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d4d853371..8ef2983f6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,6 +5,19 @@ policy_module(usermanage, 1.16.0)
 # Declarations
 #
 
+attribute_role chfn_roles;
+role system_r types chfn_t;
+
+attribute_role groupadd_roles;
+
+attribute_role passwd_roles;
+roleattribute system_r passwd_roles;
+
+attribute_role sysadm_passwd_roles;
+roleattribute system_r sysadm_passwd_roles;
+
+attribute_role useradd_roles;
+
 type admin_passwd_exec_t;
 files_type(admin_passwd_exec_t)
 
@@ -12,7 +25,6 @@ type chfn_t;
 type chfn_exec_t;
 domain_obj_id_change_exemption(chfn_t)
 application_domain(chfn_t, chfn_exec_t)
-role system_r types chfn_t;
 
 type crack_t;
 type crack_exec_t;
@@ -34,12 +46,12 @@ type passwd_t;
 type passwd_exec_t;
 domain_obj_id_change_exemption(passwd_t)
 application_domain(passwd_t, passwd_exec_t)
-role system_r types passwd_t;
+role passwd_roles types passwd_t;
 
 type sysadm_passwd_t;
 domain_obj_id_change_exemption(sysadm_passwd_t)
 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
-role system_r types sysadm_passwd_t;
+role sysadm_passwd_roles types sysadm_passwd_t;
 
 type sysadm_passwd_tmp_t;
 files_tmp_file(sysadm_passwd_tmp_t)
@@ -88,7 +100,7 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)
 
-auth_domtrans_chk_passwd(chfn_t)
+auth_run_chk_passwd(chfn_t, chfn_roles)
 auth_dontaudit_read_shadow(chfn_t)
 auth_use_nsswitch(chfn_t)
 
@@ -216,7 +228,7 @@ logging_send_syslog_msg(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
 
-auth_domtrans_chk_passwd(groupadd_t)
+auth_run_chk_passwd(groupadd_t, groupadd_roles)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
 # these may be unnecessary due to the above
@@ -237,7 +249,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_domtrans(groupadd_t)
+	nscd_run(groupadd_t, groupadd_roles)
 ')
 
 optional_policy(`
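Review bot: The new declaration block in the -5 hunk treats chfn differently from its siblings: it keeps `role system_r types chfn_t;` where passwd and sysadm_passwd get `roleattribute system_r passwd_roles;` / `roleattribute system_r sysadm_passwd_roles;`, and chfn_roles is declared but never bound to chfn_t by a `role chfn_roles types chfn_t;` statement anywhere in the diff, so the attribute used by `auth_run_chk_passwd(chfn_t, chfn_roles)` and by usermanage_run_chfn carries no authorization for chfn_t itself. For parity with the -34 hunk, replace the relocated line with `roleattribute system_r chfn_roles;` and add `role chfn_roles types chfn_t;` after `application_domain(chfn_t, chfn_exec_t)` in the -12 hunk, where the removed line used to sit. groupadd_roles and useradd_roles are likewise declared without a `roleattribute system_r` line and without a visible `role … types` binding; if the type declarations outside these hunks still read `role system_r types groupadd_t;` / `… useradd_t;`, the nscd_run and auth_run_chk_passwd calls on those attributes (hunks -216, -237 and the later useradd hunks) grant nothing until the binding is converted. Keeping the role statement next to its type declaration, as the passwd entries do, also avoids the one forward reference to chfn_t that the moved line introduces.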
@@ -294,7 +306,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_ttys(passwd_t)
 term_use_all_ptys(passwd_t)
 
-auth_domtrans_chk_passwd(passwd_t)
+auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -334,7 +346,7 @@ userdom_read_user_tmp_files(passwd_t)
 userdom_dontaudit_search_user_home_content(passwd_t)
 
 optional_policy(`
-	nscd_domtrans(passwd_t)
+	nscd_run(passwd_t, passwd_roles)
 ')
 
 ########################################
@@ -418,7 +430,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 
 optional_policy(`
-	nscd_domtrans(sysadm_passwd_t)
+	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')
 
 ########################################
@@ -472,7 +484,7 @@ selinux_compute_user_contexts(useradd_t)
 term_use_all_ttys(useradd_t)
 term_use_all_ptys(useradd_t)
 
-auth_domtrans_chk_passwd(useradd_t)
+auth_run_chk_passwd(useradd_t, useradd_roles)
 auth_rw_lastlog(useradd_t)
 auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
@@ -493,8 +505,8 @@ miscfiles_read_localization(useradd_t)
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
-seutil_domtrans_semanage(useradd_t)
-seutil_domtrans_setfiles(useradd_t)
+seutil_run_semanage(useradd_t, useradd_roles)
+seutil_run_setfiles(useradd_t, useradd_roles)
 userdom_use_unpriv_users_fds(useradd_t)
 
 # Add/remove user home directories
@@ -525,7 +537,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nscd_domtrans(useradd_t)
+	nscd_run(useradd_t, useradd_roles)
 ')
 
 optional_policy(`