diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7b805b..581e205 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -173,10 +173,16 @@ jobs:
         run: python2 run.py deps
       - name: Run test suite (2.7)
         run: python2 run.py ci-driver
+      - name: Cleanup deps (2.7)
+        if: always()
+        run: python2 run.py ci-cleanup
       - name: Install dependencies (3.8)
         run: python3 run.py deps
       - name: Run test suite (3.8)
         run: python3 run.py ci-driver
+      - name: Cleanup deps (3.8)
+        if: always()
+        run: python3 run.py ci-cleanup
 
   build-arm64:
     name: Python 2.7/3.8 on arm64
@@ -187,7 +193,13 @@ jobs:
         run: python2 run.py deps
       - name: Run test suite (2.7)
         run: python2 run.py ci-driver
+      - name: Cleanup deps (2.7)
+        if: always()
+        run: python2 run.py ci-cleanup
       - name: Install dependencies (3.8)
         run: python3 run.py deps
       - name: Run test suite (3.8)
         run: python3 run.py ci-driver
+      - name: Cleanup deps (3.8)
+        if: always()
+        run: python3 run.py ci-cleanup
diff --git a/asn1crypto/cms.py b/asn1crypto/cms.py
index 8ee3ff0..7ce583d 100644
--- a/asn1crypto/cms.py
+++ b/asn1crypto/cms.py
@@ -315,7 +315,7 @@ class SetOfSvceAuthInfo(SetOf):
 class RoleSyntax(Sequence):
     _fields = [
         ('role_authority', GeneralNames, {'implicit': 0, 'optional': True}),
-        ('role_name', GeneralName, {'implicit': 1}),
+        ('role_name', GeneralName, {'explicit': 1}),
     ]
 
 
@@ -337,7 +337,7 @@ class ClassList(BitString):
 class SecurityCategory(Sequence):
     _fields = [
         ('type', ObjectIdentifier, {'implicit': 0}),
-        ('value', Any, {'implicit': 1}),
+        ('value', Any, {'explicit': 1}),
     ]
 
 
@@ -347,9 +347,9 @@ class SetOfSecurityCategory(SetOf):
 
 class Clearance(Sequence):
     _fields = [
-        ('policy_id', ObjectIdentifier, {'implicit': 0}),
-        ('class_list', ClassList, {'implicit': 1, 'default': 'unclassified'}),
-        ('security_categories', SetOfSecurityCategory, {'implicit': 2, 'optional': True}),
+        ('policy_id', ObjectIdentifier),
+        ('class_list', ClassList, {'default': set(['unclassified'])}),
+        ('security_categories', SetOfSecurityCategory, {'optional': True}),
     ]
 
 
diff --git a/dev/ci-cleanup.py b/dev/ci-cleanup.py
new file mode 100644
index 0000000..92ca6da
--- /dev/null
+++ b/dev/ci-cleanup.py
@@ -0,0 +1,28 @@
+# coding: utf-8
+from __future__ import unicode_literals, division, absolute_import, print_function
+
+import os
+import shutil
+
+from . import build_root, other_packages
+
+
+def run():
+    """
+    Cleans up CI dependencies - used for persistent GitHub Actions
+    Runners since they don't clean themselves up.
+    """
+
+    print("Removing ci dependencies")
+    deps_dir = os.path.join(build_root, 'modularcrypto-deps')
+    if os.path.exists(deps_dir):
+        shutil.rmtree(deps_dir, ignore_errors=True)
+
+    print("Removing modularcrypto packages")
+    for other_package in other_packages:
+        pkg_dir = os.path.join(build_root, other_package)
+        if os.path.exists(pkg_dir):
+            shutil.rmtree(pkg_dir, ignore_errors=True)
+    print()
+
+    return True
diff --git a/tests/test_cms.py b/tests/test_cms.py
index 3f8c98c..52d852e 100644
--- a/tests/test_cms.py
+++ b/tests/test_cms.py
@@ -21,6 +21,30 @@
 fixtures_dir = os.path.join(tests_root, 'fixtures')
 
 
+class ClearanceTests(unittest.TestCase):
+
+    def test_clearance_decode_bad_tagging(self):
+        rfc_3281_wrong_tagging = b'\x30\x08\x80\x02\x88\x37\x81\x02\x02\x4c'
+        # This test documents the fact that we can't deal with the "wrong"
+        # version of Clearance in RFC 3281
+        self.assertRaises(
+            ValueError,
+            lambda: cms.Clearance.load(rfc_3281_wrong_tagging).native
+        )
+
+    def test_clearance_decode_correct_tagging(self):
+        correct_tagging = b'\x30\x08\x06\x02\x88\x37\x03\x02\x02\x4c'
+        clearance_obj = cms.Clearance.load(correct_tagging)
+        self.assertEqual(
+            util.OrderedDict([
+                ('policy_id', '2.999'),
+                ('class_list', set(['secret', 'top_secret', 'unclassified'])),
+                ('security_categories', None)
+            ]),
+            clearance_obj.native
+        )
+
+
 class CMSTests(unittest.TestCase):
 
     def test_create_content_info_data(self):
@@ -913,3 +937,13 @@ def test_parse_attribute_cert(self):
         ac_info = ac_parsed['ac_info']
         self.assertIsInstance(ac_info['issuer'].chosen, cms.V2Form)
         self.assertEqual(1, len(ac_info['issuer'].chosen['issuer_name']))
+
+    def test_create_role_syntax(self):
+        rs = cms.RoleSyntax({'role_name': {'rfc822_name': 'test@example.com'}})
+        self.assertEqual(
+            util.OrderedDict([
+                ('role_authority', None),
+                ('role_name', 'test@example.com')
+            ]),
+            rs.native
+        )