diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index f5f8483ba..6a902e29b 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -19,6 +19,50 @@ interface(`dpkg_domtrans',`
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
+########################################
+##
+## Transition to dpkg_t when NNP has been set
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_nnp_domtrans',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ dpkg_domtrans($1)
+ allow $1 dpkg_t:process2 nnp_transition;
+')
+
+########################################
+##
+## Execute dpkg programs in the dpkg domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`dpkg_run',`
+ gen_require(`
+ attribute_role dpkg_roles;
+ ')
+
+ dpkg_domtrans($1)
+ roleattribute $2 dpkg_roles;
+')
+
########################################
##
## Execute the dkpg in the caller domain.
@@ -79,31 +123,6 @@ interface(`dpkg_script_rw_pipes',`
allow $1 dpkg_script_t:fifo_file rw_file_perms;
')
-########################################
-##
-## Execute dpkg programs in the dpkg domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-##
-#
-interface(`dpkg_run',`
- gen_require(`
- attribute_role dpkg_roles;
- ')
-
- dpkg_domtrans($1)
- roleattribute $2 dpkg_roles;
-')
-
########################################
##
## Inherit and use file descriptors from dpkg.
@@ -337,21 +356,3 @@ interface(`dpkg_read_script_tmp_symlinks',`
allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
')
-
-########################################
-##
-## Transition to dpkg_t when NNP has been set
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dpkg_nnp_domtrans',`
- gen_require(`
- type dpkg_t;
- ')
-
- allow $1 dpkg_t:process2 nnp_transition;
-')