diff --git a/selinux/sau.te b/selinux/sau.te
index f8f69e4..f5b8cf3 100644
--- a/selinux/sau.te
+++ b/selinux/sau.te
@@ -16,6 +16,11 @@ domain_type(sau_t)
 domain_entry_file(sau_t, sau_exec_t)
 files_config_file(sau_config_t)
 read_files_pattern(sau_t, etc_t, sau_config_t);
+read_files_pattern(sau_t, etc_t, etc_t)
+files_read_etc_runtime_files(sau_t);
+search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
+files_manage_generic_tmp_files(sau_t)
+files_manage_generic_tmp_dirs(sau_t)
 role sysadm_r types sau_t;
 role system_r types sau_t;
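Review bot: `files_manage_generic_tmp_files(sau_t)` and `files_manage_generic_tmp_dirs(sau_t)` give the domain create/write/delete rights over every generic `tmp_t` object, which is shared with every other process using /tmp, and the second hunk additionally grants `mmap_exec_files_pattern(sau_t, tmp_t, tmp_t)` on the same type, so the domain can write and then map-execute files in a world-shared directory. The refpolicy idiom is a private tmp type with a file transition, so sau's temporary files are isolated and only that type is writable and executable by it (the `type sau_tmp_t;` declaration belongs with the module's other type declarations, outside this hunk). Minor style point: the added lines mix trailing semicolons (`files_read_etc_runtime_files(sau_t);`) with bare interface calls; pick one form throughout. `read_files_pattern(sau_t, etc_t, etc_t)` could also be written as the documented interface `files_read_etc_files(sau_t)`.
```selinux
# … unchanged: etc_t / etc_runtime_t read rules …
# private tmp type instead of generic tmp_t (declare `type sau_tmp_t;` with the other types)
files_tmp_file(sau_tmp_t)
files_tmp_filetrans(sau_t, sau_tmp_t, { file dir })
manage_dirs_pattern(sau_t, sau_tmp_t, sau_tmp_t)
manage_files_pattern(sau_t, sau_tmp_t, sau_tmp_t)
```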
@@ -29,31 +34,48 @@ userdom_use_all_users_fds(sau_t)
 # required for python
 corecmd_mmap_bin_files(sau_t)
+mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
-kernel_read_system_state(sau_t)
-domain_read_all_domains_state(sau_t)
-allow sau_t self:capability sys_ptrace;
-
-init_startstop_all_script_services(sau_t)
-init_all_labeled_script_domtrans(sau_t)
-init_use_script_ptys(sau_t)
-init_domtrans_script(sau_t)
-init_domtrans_labeled_script(sau_t)
-
+read_files_pattern(sau_t, usr_t, usr_t)
 miscfiles_read_localization(sau_t)
 logging_send_syslog_msg(sau_t)
 allow sau_t self:fifo_file { read write };
 corecmd_exec_shell(sau_t)
 corecmd_exec_bin(sau_t)
-init_manage_script_service(sau_t)
-init_read_script_status_files(sau_t)
-allow sau_t initrc_state_t:lnk_file { getattr read };
-allow sau_t initrc_state_t:dir { search read };
+# list processes
+kernel_read_system_state(sau_t)
+domain_read_all_domains_state(sau_t)
+allow sau_t self:capability sys_ptrace;
+
+# I've tried it all; I don't know how to give sau permission to
+# run init-scripts :(
+#init_all_labeled_script_domtrans(sau_t)
+#init_domtrans_script(sau_t)
+#init_read_utmp(sau_t)
+#init_signull_script(sau_t)
+#init_startstop_all_script_services(sau_t)
+#init_use_script_ptys(sau_t)
+#init_domtrans_labeled_script(sau_t)
+#init_manage_script_service(sau_t)
+#init_read_script_status_files(sau_t)
+#allow sau_t initrc_state_t:lnk_file { getattr read };
+#allow sau_t initrc_state_t:dir { search read };
+#init_admin(sau_t)
+# FIXME: shouldn't have to be unconfined...
+unconfined_domain(sau_t)
+
+
+# allow during troubleshooting...
+#files_getattr_all_dirs(sau_t)
+#files_getattr_all_files(sau_t)
 # Gentoo specific
+portage_read_config(sau_t)
+portage_read_ebuild(sau_t)
+portage_read_db(sau_t)
+portage_read_cache(sau_t)
 portage_domtrans(sau_t)
-dontaudit sau_t self:fifo_file { getattr ioctl };
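Review bot: `unconfined_domain(sau_t)` makes every other rule in this module moot — once the domain is unconfined, the `kernel_read_system_state`, `portage_read_*` and tmp rules above no longer restrict anything, and the FIXME comment acknowledges this is being shipped as a workaround rather than a fix. For finding the rules the init-script invocation actually needs, `permissive sau_t;` is the safer troubleshooting switch: the domain still runs, every denial is written to the audit log where `audit2allow` can turn it into candidate rules, and it is just as easy to remove afterwards. Whether the missing piece is a role or domain-transition rule rather than one of the commented-out `init_*` calls cannot be told from the hunk, so the audit log is the right next step. Also note that dropping `dontaudit sau_t self:fifo_file { getattr ioctl };` re-enables those denials in the log, which may be intended while troubleshooting but should be restored if the denials turn out to be benign.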