diff --git a/unconfined.te b/unconfined.te
index 8e40b063e3643df598e67669017dd49a3a50796d..ce51f306fbd78fc2560fd15a1df9567a79fbe258 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -59,9 +59,12 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
+allow unconfineddomain exec_type:dir r_dir_perms;
+allow unconfineddomain exec_type:file { rx_file_perms execmod };
+allow unconfineddomain exec_type:lnk_file r_file_perms;
+allow unconfineddomain system_file:dir r_dir_perms;
+allow unconfineddomain system_file:file { rx_file_perms execmod };
+allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
     fs_type
     -usermodehelper
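Review bot: `execmod` is granted explicitly on L13 and L16 for every exec_type and system_file file, and nothing records why it is still needed. It lets a domain make a private file mapping executable after the mapping has been modified, so either drop it or document it above each rule, for example `# execmod: kept for prebuilt libraries with text relocations; remove when none remain`. Whether any such library exists cannot be told from this hunk. Separately, the removed exec_type rule on L9 did not exclude `entrypoint`, and the new set on L13 presumably does not contain it unless `rx_file_perms` expands to it; confirm that every domain entered through an exec_type file has its own entrypoint rule.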
@@ -78,7 +81,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
 allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;
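Review bot: The type set of the rule that ends on L24 begins outside this hunk, so it is not visible whether `system_file` and `exec_type` are subtracted from it. Allow rules are additive: if they are not subtracted, `~{entrypoint execmod execute relabelto}` still grants write, setattr and unlink on those files, and the allowlists added earlier in this commit narrow nothing. It is worth confirming against the compiled policy, for example `sesearch -A -s unconfineddomain -t system_file -c file`, and adding a short comment above L26 such as `# system_file and exec_type get execute from the rx_file_perms rules above`.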