diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index bfabd20d7..3571a4af8 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -40,6 +40,9 @@ gen_tunable(fcron_crond,false)
##
gen_tunable(read_default_t,false)
+## Allow ssh to run from inetd instead of as a daemon.
+gen_tunable(run_ssh_inetd,false)
+
##
## Enabling secure mode disallows programs, such as
## newrole, from transitioning to administrative
@@ -47,6 +50,9 @@ gen_tunable(read_default_t,false)
##
gen_bool(secure_mode,false)
+## Allow ssh logins as sysadm_r:sysadm_t
+gen_tunable(ssh_sysadm_login,false)
+
##
## Allow staff_r users to search the sysadm home
## dir and read files (such as ~/.bashrc)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 2c6e0de08..6ac892693 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -6,11 +6,7 @@ policy_module(ssh,1.0)
# Declarations
#
-# Allow ssh logins as sysadm_r:sysadm_t
-bool ssh_sysadm_login false;
-
-# Allow ssh to run from inetd instead of as a daemon.
-bool run_ssh_inetd false;
+attribute ssh_server;
# Type for the ssh-agent executable.
type ssh_agent_exec_t;