diff --git a/dovecot.te b/dovecot.te
index 7006116..07186d1 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,15 +1,17 @@
-policy_module(dovecot, 1.15.3)
+policy_module(dovecot, 1.15.4)
 ########################################
 #
 # Declarations
 #
-type dovecot_t;
+attribute dovecot_domain;
+
+type dovecot_t, dovecot_domain;
 type dovecot_exec_t;
 init_daemon_domain(dovecot_t, dovecot_exec_t)
-type dovecot_auth_t;
+type dovecot_auth_t, dovecot_domain;
 type dovecot_auth_exec_t;
 domain_type(dovecot_auth_t)
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
@@ -21,7 +23,7 @@ files_tmp_file(dovecot_auth_tmp_t)
 type dovecot_cert_t;
 miscfiles_cert_type(dovecot_cert_t)
-type dovecot_deliver_t;
+type dovecot_deliver_t, dovecot_domain;
 type dovecot_deliver_exec_t;
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
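Review bot: The new `attribute dovecot_domain;` declaration carries no comment, yet it is now the single hook through which every type listed with it (dovecot_t, dovecot_auth_t, dovecot_deliver_t) inherits a shared rule set, so a reader of the declarations block cannot tell that attaching it to a type grants permissions rather than just a label. Add a comment above the declaration such as `# Domains carrying this attribute receive the shared rules in "Common local policy" below.` so that anyone adding a fourth dovecot type knows what membership implies. If the attribute is meant to be referenced from other modules, refpolicy convention would expose it through an interface in dovecot.if; whether one was added is not visible in this diff.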
@@ -56,20 +58,46 @@ files_pid_file(dovecot_var_run_t)
 ########################################
 #
+# Common local policy
+#
+
+allow dovecot_domain self:capability2 block_suspend;
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
+allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
+allow dovecot_domain dovecot_etc_t:file read_file_perms;
+allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
+kernel_read_all_sysctls(dovecot_domain)
+kernel_read_system_state(dovecot_domain)
+corecmd_exec_bin(dovecot_domain)
+corecmd_exec_shell(dovecot_domain)
+dev_read_sysfs(dovecot_domain)
+dev_read_rand(dovecot_domain)
+dev_read_urand(dovecot_domain)
+files_read_etc_runtime_files(dovecot_domain)
+logging_send_syslog_msg(dovecot_domain)
+miscfiles_read_localization(dovecot_domain)
+########################################
+#
 # Local policy
 #
 allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:capability2 block_suspend;
 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket { accept listen };
 allow dovecot_t self:unix_stream_socket { accept connectto listen };
-allow dovecot_t { dovecot_etc_t dovecot_cert_t }:dir list_dir_perms;
-read_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
-read_lnk_files_pattern(dovecot_t, { dovecot_etc_t dovecot_cert_t }, { dovecot_etc_t dovecot_cert_t })
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+allow dovecot_t dovecot_cert_t:file read_file_perms;
+allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
 manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
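Review bot: `corecmd_exec_shell(dovecot_domain)` in the new common block grants shell execution to all three dovecot domains, which none of them had before — the per-domain rules this commit removes only ever carried `corecmd_exec_bin` — so a privilege widening is hidden inside what otherwise reads as a refactor. `kernel_read_all_sysctls(dovecot_domain)` likewise widens dovecot_t, which previously had only the narrower `kernel_read_kernel_sysctls(dovecot_t)` (removed in the -100 hunk), while dovecot_auth_t and dovecot_deliver_t already had the all-sysctls form. Unless a concrete denial motivates shell access for every domain, drop the `corecmd_exec_shell` line from the shared block and add it only to the domain that needs it, with a comment naming the reason; similarly keep `kernel_read_kernel_sysctls(dovecot_t)` in the dovecot_t local policy and leave `kernel_read_all_sysctls` out of the shared block if only the auth and deliver domains require it. The block would also benefit from a header comment such as `# Rules here apply to every type carrying dovecot_domain; anything added widens all of them.` so that future additions are weighed against the least-privileged member.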
@@ -100,9 +128,6 @@ allow dovecot_t dovecot_auth_t:process signal;
 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-kernel_read_kernel_sysctls(dovecot_t)
-kernel_read_system_state(dovecot_t)
-
 corenet_all_recvfrom_unlabeled(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_generic_if(dovecot_t)
@@ -121,15 +146,8 @@ corenet_sendrecv_all_client_packets(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
-corecmd_exec_bin(dovecot_t)
-
-dev_read_sysfs(dovecot_t)
-dev_read_rand(dovecot_t)
-dev_read_urand(dovecot_t)
-
 domain_use_interactive_fds(dovecot_t)
-files_read_etc_runtime_files(dovecot_t)
 files_read_var_lib_files(dovecot_t)
 files_read_var_symlinks(dovecot_t)
 files_search_spool(dovecot_t)
@@ -146,10 +164,7 @@ init_getattr_utmp(dovecot_t)
 auth_use_nsswitch(dovecot_t)
-logging_send_syslog_msg(dovecot_t)
-
 miscfiles_read_generic_certs(dovecot_t)
-miscfiles_read_localization(dovecot_t)
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
 userdom_use_user_terminals(dovecot_t)
@@ -209,16 +224,11 @@ optional_policy(`
 #
 allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
-allow dovecot_auth_t self:capability2 block_suspend;
 allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
-read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
-read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
-
 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -228,16 +238,6 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-kernel_read_all_sysctls(dovecot_auth_t)
-kernel_read_system_state(dovecot_auth_t)
-
-corecmd_exec_bin(dovecot_auth_t)
-
-dev_read_sysfs(dovecot_auth_t)
-dev_read_rand(dovecot_auth_t)
-dev_read_urand(dovecot_auth_t)
-
-files_read_etc_runtime_files(dovecot_auth_t)
 files_search_pids(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
@@ -248,9 +248,6 @@ auth_use_nsswitch(dovecot_auth_t)
 init_rw_utmp(dovecot_auth_t)
 logging_send_audit_msgs(dovecot_auth_t)
-logging_send_syslog_msg(dovecot_auth_t)
-
-miscfiles_read_localization(dovecot_auth_t)
 seutil_dontaudit_search_config(dovecot_auth_t)
@@ -282,13 +279,6 @@ optional_policy(`
 # Deliver local policy
 #
-allow dovecot_deliver_t self:capability2 block_suspend;
-allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
-
-allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
-read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
-
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
 append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
@@ -298,8 +288,8 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
-read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
 stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
@@ -307,25 +297,11 @@ can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 allow dovecot_deliver_t dovecot_t:process signull;
-kernel_read_all_sysctls(dovecot_deliver_t)
-kernel_read_system_state(dovecot_deliver_t)
-
-corecmd_exec_bin(dovecot_deliver_t)
-
-dev_read_sysfs(dovecot_deliver_t)
-dev_read_rand(dovecot_deliver_t)
-dev_read_urand(dovecot_deliver_t)
-
-files_read_etc_runtime_files(dovecot_deliver_t)
-
 fs_getattr_all_fs(dovecot_deliver_t)
 auth_use_nsswitch(dovecot_deliver_t)
 logging_search_logs(dovecot_deliver_t)
-logging_send_syslog_msg(dovecot_deliver_t)
-
-miscfiles_read_localization(dovecot_deliver_t)
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(dovecot_deliver_t)