diff --git a/policy-20080710.patch b/policy-20080710.patch index eb4f283..d0d1b80 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -7171,17 +7171,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xfs, tcp,7100,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-02-10 15:07:15.000000000 +0100 -@@ -1,7 +1,7 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-03-25 13:47:42.000000000 +0100 +@@ -1,8 +1,9 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0) - -+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -12,42 +12,59 @@ + /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) +@@ -12,44 +13,65 @@ /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) 
@@ -7190,18 +7192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) -+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) ++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) -+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) 
@@ -7209,28 +7210,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) ++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) ++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) 
++/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) @@ -7240,10 +7244,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,14 +86,14 @@ + /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) +@@ -68,18 +90,20 @@ + /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) -/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) 
@@ -7259,43 +7269,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -91,6 +108,7 @@ ++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) +@@ -91,14 +115,20 @@ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) +-/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) ++/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) -@@ -98,13 +116,25 @@ ++/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) ++ + /dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0) /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c 
gen_context(system_u:object_r:event_device_t,s0) -+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) +@@ -106,10 +136,15 @@ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++ /dev/pts(/.*)? <> + /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) + ++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) ++ + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-03-25 14:08:22.000000000 +0100 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) 
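Review bot: The new `/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)` entry, which replaces `/dev/cpu/.*`, also matches `/dev/cpu_dma_latency`, labeled netcontrol_device_t on the line just above it. In file_contexts the last matching entry within a stem wins, so as far as I can tell the netcontrol label survives only because the refpolicy build's fc_sort orders literal entries after regex ones; a file_contexts assembled without that step would relabel the node as cpu_device_t. If the widening is only meant to keep covering the `/dev/cpu/<n>/...` nodes, `/dev/cpu(/.*)? -c gen_context(system_u:object_r:cpu_device_t,s0)` does that without overlapping the netcontrol entry; otherwise a short comment noting the reliance on sort order would help the next reader.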
@@ -7305,7 +7323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -167,6 +167,25 @@ +@@ -185,6 +185,24 @@ ######################################## ## 
@@ -7325,59 +7343,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + manage_dirs_pattern($1, device_t, device_t) +') + -+ +######################################## +## - ## Delete a directory in the device directory. + ## Allow full relabeling (to and from) of directories in /dev. ## ## -@@ -381,6 +400,24 @@ - getattr_chr_files_pattern($1, device_t, device_t) - ') - -+####################################### -+## -+## Allow setattr for generic character device files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_generic_chr_files',` -+ gen_require(` -+ type device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, device_t) -+') -+ - ######################################## - ## - ## Dontaudit getattr for generic character device files. -@@ -667,6 +704,7 @@ +@@ -664,9 +682,10 @@ + interface(`dev_dontaudit_getattr_all_blk_files',` + gen_require(` + attribute device_node; ++ type device_t; ') - dontaudit $1 device_node:blk_file getattr; -+ dev_dontaudit_getattr_generic_blk_files($1) +- dontaudit $1 device_node:blk_file getattr; ++ dontaudit $1 { device_t device_node }:blk_file getattr; ') ######################################## -@@ -704,6 +742,7 @@ +@@ -701,9 +720,10 @@ + interface(`dev_dontaudit_getattr_all_chr_files',` + gen_require(` + attribute device_node; ++ type device_t; ') - dontaudit $1 device_node:chr_file getattr; -+ dev_dontaudit_getattr_generic_chr_files($1) +- dontaudit $1 device_node:chr_file getattr; ++ dontaudit $1 { device_t device_node }:chr_file getattr; ') ######################################## -@@ -1160,6 +1199,25 @@ +@@ -1062,6 +1082,98 @@ ######################################## ## -+## Set the attributes of the CPU -+## microcode and id interfaces. ++## Get the attributes of the autofs device node. +## +## +## 
@@ -7385,24 +7384,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_setattr_cpu_dev',` ++interface(`dev_getattr_autofs_dev',` + gen_require(` -+ type device_t, cpu_device_t; ++ type device_t, autofs_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, cpu_device_t) ++ getattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## - ## Read the CPU identity. - ## - ## -@@ -1958,6 +2016,42 @@ - - ######################################## - ## -+## Get the attributes of the null device nodes. ++## Do not audit attempts to get the attributes of ++## the autofs device node. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_autofs_dev',` ++ gen_require(` ++ type autofs_device_t; ++ ') ++ ++ dontaudit $1 autofs_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the autofs device node. +## +## +## @@ -7410,17 +7421,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_getattr_null_dev',` ++interface(`dev_setattr_autofs_dev',` + gen_require(` -+ type device_t, null_device_t; ++ type device_t, autofs_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, null_device_t) ++ setattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## -+## Set the attributes of the null device nodes. ++## Do not audit attempts to set the attributes of ++## the autofs device node. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_autofs_dev',` ++ gen_require(` ++ type autofs_device_t; ++ ') ++ ++ dontaudit $1 autofs_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read and write the autofs device. +## +## +## 
@@ -7428,24 +7458,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_setattr_null_dev',` ++interface(`dev_rw_autofs',` + gen_require(` -+ type device_t, null_device_t; ++ type device_t, autofs_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, null_device_t) ++ rw_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## - ## Read and write to the null device (/dev/null). + ## Read and write the PCMCIA card manager device. ## ## -@@ -2769,6 +2863,24 @@ +@@ -1160,6 +1272,25 @@ ######################################## ## -+## Read generic the USB devices. ++## Set the attributes of the CPU ++## microcode and id interfaces. +## +## +## @@ -7453,24 +7484,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_read_generic_usb_dev',` ++interface(`dev_setattr_cpu_dev',` + gen_require(` -+ type usb_device_t; ++ type device_t, cpu_device_t; + ') + -+ read_chr_files_pattern($1, device_t, usb_device_t) ++ setattr_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## - ## Read and write generic the USB devices. + ## Read the CPU identity. ## ## -@@ -2787,6 +2899,97 @@ +@@ -1282,7 +1413,7 @@ + type dri_device_t; + ') + +- dontaudit $1 dri_device_t:chr_file { getattr read write ioctl }; ++ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +@@ -1507,6 +1638,96 @@ ######################################## ## -+## Read and write generic the USB fifo files. ++## Read the kernel messages +## +## +## 
@@ -7478,13 +7518,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_rw_generic_usb_pipes',` ++interface(`dev_read_kmsg',` + gen_require(` -+ type usb_device_t; ++ type device_t, kmsg_device_t; + ') + -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; ++ read_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## @@ -7561,17 +7600,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + +######################################## +## - ## Mount a usbfs filesystem. + ## Read the lvm comtrol device. ## ## -@@ -3322,3 +3525,242 @@ +@@ -1958,6 +2179,96 @@ - typeattribute $1 devices_unconfined_type; - ') -+ -+######################################## -+## -+## Get the attributes of the autofs device node. + ######################################## + ## ++## Get the attributes of the network control device +## +## +## 
@@ -7579,36 +7615,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_getattr_autofs_dev',` ++interface(`dev_getattr_netcontrol_dev',` + gen_require(` -+ type device_t, autofs_device_t; ++ type device_t, netcontrol_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, autofs_device_t) ++ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## -+## Do not audit attempts to get the attributes of -+## the autofs device node. ++## Read the network control identity. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_autofs_dev',` ++interface(`dev_read_netcontrol',` + gen_require(` -+ type autofs_device_t; ++ type device_t, netcontrol_device_t; + ') + -+ dontaudit $1 autofs_device_t:chr_file getattr; ++ read_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## -+## Set the attributes of the autofs device node. ++## Read and write the the network control device. +## +## +## 
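Review bot: The summary `## Read the network control identity.` on dev_read_netcontrol is carried over from the CPU interface and does not describe netcontrol_device_t, which the devices.fc hunks apply to /dev/network_latency, /dev/network_throughput and /dev/cpu_dma_latency; `## Read the network control device.` matches what the body grants. The summary that follows, `## Read and write the the network control device.`, doubles "the". The require blocks of all three netcontrol interfaces list both device_t and netcontrol_device_t, which is consistent with the pattern macros they call.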
@@ -7616,36 +7651,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_setattr_autofs_dev',` ++interface(`dev_rw_netcontrol',` + gen_require(` -+ type device_t, autofs_device_t; ++ type device_t, netcontrol_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, autofs_device_t) ++ rw_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## -+## Do not audit attempts to set the attributes of -+## the autofs device node. ++## Get the attributes of the null device nodes. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_setattr_autofs_dev',` ++interface(`dev_getattr_null_dev',` + gen_require(` -+ type autofs_device_t; ++ type device_t, null_device_t; + ') + -+ dontaudit $1 autofs_device_t:chr_file setattr; ++ getattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## -+## Read and write the autofs device. ++## Set the attributes of the null device nodes. +## +## +## @@ -7653,17 +7687,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_rw_autofs',` ++interface(`dev_setattr_null_dev',` + gen_require(` -+ type device_t, autofs_device_t; ++ type device_t, null_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, autofs_device_t) ++ setattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## -+## Get the attributes of the network control device + ## Read and write to the null device (/dev/null). + ## + ## +@@ -2104,6 +2415,98 @@ + + ######################################## + ## ++## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## +## +## 
@@ -7671,17 +7712,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_getattr_netcontrol',` ++interface(`dev_read_printk',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type device_t, printk_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) ++ read_chr_files_pattern($1, device_t, printk_device_t) +') + +######################################## +## -+## Read the network control identity. ++## Get the attributes of the QEMU ++## microcode and id interfaces. +## +## +## @@ -7689,17 +7731,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_read_netcontrol',` ++interface(`dev_getattr_qemu_dev',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type device_t, qemu_device_t; + ') + -+ read_chr_files_pattern($1, device_t, netcontrol_device_t) ++ getattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## -+## Read and write the the network control device. ++## Set the attributes of the QEMU ++## microcode and id interfaces. +## +## +## @@ -7707,18 +7750,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_rw_netcontrol',` ++interface(`dev_setattr_qemu_dev',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type device_t, qemu_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, netcontrol_device_t) ++ setattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## -+## Get the attributes of the QEMU -+## microcode and id interfaces. ++## Read the QEMU device +## +## +## 
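Review bot: dev_read_printk grants read on printk_device_t, yet its summary names `/dev/kmsg` and `/dev/mcelog`, and the devices.fc hunks earlier in this diff label both of those kmsg_device_t; none of the visible file-context lines label anything printk_device_t. If printk_device_t does not label a node elsewhere, the interface grants nothing useful and a caller that wants /dev/kmsg needs dev_read_kmsg (added in an earlier hunk) instead. Either make the summary name the nodes printk_device_t actually labels or drop the examples, `## Read printk devices`; I cannot see from this diff whether printk_device_t is declared upstream, so this may be only a documentation mismatch.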
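Review bot: The summary `## Get the attributes of the QEMU` / `## microcode and id interfaces.` on dev_getattr_qemu_dev, and the matching `## Set the attributes of the QEMU` text for dev_setattr_qemu_dev in the next hunk, are copied from dev_setattr_cpu_dev and describe CPU nodes, not /dev/kqemu, which the devices.fc hunk labels qemu_device_t. Suggest `## Get the attributes of the QEMU device node.` and `## Set the attributes of the QEMU device node.`, matching the wording used for the autofs interfaces above. The first of these summaries begins at the end of the preceding hunk, so the fix touches both.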
@@ -7726,18 +7768,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_getattr_qemu',` ++interface(`dev_read_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, qemu_device_t) ++ read_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## -+## Set the attributes of the QEMU -+## microcode and id interfaces. ++## Read and write the the QEMU device. +## +## +## @@ -7745,17 +7786,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_setattr_qemu',` ++interface(`dev_rw_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, qemu_device_t) ++ rw_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## -+## Read the QEMU device + ## Read from random number generator + ## devices (e.g., /dev/random) + ## +@@ -2142,6 +2545,25 @@ + + ######################################## + ## ++## Do not audit attempts to append to random ++## number generator devices (e.g., /dev/random) +## +## +## @@ -7763,17 +7812,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_read_qemu',` ++interface(`dev_dontaudit_append_rand',` + gen_require(` -+ type device_t, qemu_device_t; ++ type random_device_t; + ') + -+ read_chr_files_pattern($1, device_t, qemu_device_t) ++ dontaudit $1 random_device_t:chr_file append_chr_file_perms; +') + +######################################## +## -+## Read and write the the QEMU device. + ## Write to the random device (e.g., /dev/random). This adds + ## entropy used to generate the random data read from the + ## random device. +@@ -2769,6 +3191,24 @@ + + ######################################## + ## ++## Read generic the USB devices. +## +## +## 
@@ -7781,14 +7837,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_rw_qemu',` ++interface(`dev_read_generic_usb_dev',` + gen_require(` -+ type device_t, qemu_device_t; ++ type usb_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, qemu_device_t) ++ read_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## + ## Read and write generic the USB devices. + ## + ## +@@ -2957,6 +3397,25 @@ + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + ++####################################### ++## ++## Read and write generic the USB fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_pipes',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; +') + + ######################################## + ## + ## Get the attributes of video4linux devices. +@@ -3322,3 +3781,22 @@ + + typeattribute $1 devices_unconfined_type; + ') ++ +####################################### +## +## Set the attributes of the tty device 
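Review bot: dev_read_generic_usb_dev and dev_rw_generic_usb_pipes both reference device_t, via `read_chr_files_pattern($1, device_t, usb_device_t)` and `allow $1 device_t:dir search_dir_perms;`, but each gen_require block lists only `type usb_device_t;`. When either interface is used from a loadable module that has not otherwise required device_t, the policy linker should reject it with an out-of-scope type error rather than silently granting less. Change both require lines to `type device_t, usb_device_t;`, as dev_rw_generic_usb_dev and the other interfaces in this file already do. The search permission on device_t:dir is what lets the caller reach the fifo in the first place, so the omission is not cosmetic.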
@@ -7800,16 +7892,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +# +interface(`dev_setattr_tty',` -+ gen_require(` -+ type devtty_t; -+ ') ++ gen_require(` ++ type devtty_t; ++ ') + -+ setattr_chr_files_pattern($1, devtty_t, devtty_t) ++ setattr_chr_files_pattern($1, devtty_t, devtty_t) +') -+ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-03-25 13:47:42.000000000 +0100 +@@ -1,5 +1,5 @@ + +-policy_module(devices, 1.7.0) ++policy_module(devices, 1.7.1) + + ######################################## + # @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) @@ -7823,20 +7922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) -@@ -49,6 +55,12 @@ - type cpu_device_t; - dev_node(cpu_device_t) - -+# -+# network control devices -+# -+type netcontrol_device_t; -+dev_node(netcontrol_device_t) -+ - # for the IBM zSeries z90crypt hardware ssl accelorator - type crypt_device_t; - dev_node(crypt_device_t) -@@ -66,12 +78,25 @@ +@@ -66,12 +72,25 @@ dev_node(framebuf_device_t) # 
@@ -7862,8 +7948,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # Type for /dev/mapper/control # type lvm_control_t; -@@ -118,6 +143,12 @@ - dev_node(nvram_device_t) +@@ -104,6 +123,12 @@ + genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) + + # ++# network control devices ++# ++type netcontrol_device_t; ++dev_node(netcontrol_device_t) ++ ++# + # null_device_t is the type of /dev/null. + # + type null_device_t; +@@ -128,6 +153,12 @@ + mls_file_write_within_range(printer_device_t) # +# qemu control devices @@ -7872,9 +7971,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +dev_node(qemu_device_t) + +# - # Type for /dev/pmu + # random_device_t is the type of /dev/random + # + type random_device_t; +@@ -157,6 +188,12 @@ + genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) + + # ++# Type for /dev/tpm ++# ++type tpm_device_t; ++dev_node(tpm_device_t) ++ ++# + # urandom_device_t is the type of /dev/urandom # - type power_device_t; + type urandom_device_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2009-02-10 15:07:15.000000000 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index a53f79d..6035496 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 52%{?dist} +Release: 53%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -460,6 +460,10 @@ exit 0 %endif %changelog +* Wed Mar 25 2009 Miroslav Grepl 3.5.13-53 +- Add labeling for new devices +- Fix devices policy + * Wed Mar 25 2009 Miroslav Grepl 3.5.13-52 - Allow hald_t to read ppp config
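Review bot: tpm_device_t is declared here and /dev/tpm[0-9]* is labeled with it in the devices.fc hunk, but none of the devices.if hunks in this diff add an interface for the new type, so after this change only domains reaching it through the device_node attribute (the dev_*_all_* interfaces) or dev_unconfined can touch the TPM node. That is the right least-privilege default if no confined domain needs the TPM yet; if one does (a TPM daemon), it will need an interface in the style of the others in this file, e.g. a `dev_rw_tpm` taking `type device_t, tpm_device_t;`, before this labeling lands, and that is worth confirming. The comment `# Type for /dev/tpm` could also name the actual pattern, `# Type for /dev/tpm[0-9]*`, so it matches the fc entry.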