diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index a241ea1..2268319 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -61,6 +64,7 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
@@ -80,6 +84,7 @@
/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
@@ -98,6 +103,8 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a3796f8..1b72daa 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -479,6 +479,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
##
+## Read and write generic character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
##
@@ -826,6 +844,24 @@ interface(`dev_dontaudit_read_all_blk_files',`
########################################
##
+## Dontaudit write on all block file device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+##
## Dontaudit read on all character file device nodes.
##
##
@@ -844,6 +880,24 @@ interface(`dev_dontaudit_read_all_chr_files',`
########################################
##
+## Dontaudit write on all character file device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+##
## Create all block device files.
##
##
@@ -1405,6 +1459,42 @@ interface(`dev_rw_crypto',`
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
+#######################################
+##
+## Set the attributes of the dlm control devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_dlm_control',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+##
+## Read and write the the dlm control device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_dlm_control',`
+ gen_require(`
+ type device_t, dlm_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
########################################
##
## getattr the dri devices.
@@ -1735,6 +1825,24 @@ interface(`dev_read_kmsg',`
########################################
##
+## Write to the kernel messages device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+##
## Get the attributes of the ksm devices.
##
##
@@ -2046,6 +2154,25 @@ interface(`dev_read_raw_memory',`
########################################
##
+## Do not audit attempts to read raw memory devices
+## (e.g. /dev/mem).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+##
## Write raw memory devices (e.g. /dev/mem).
##
##
@@ -2456,6 +2583,25 @@ interface(`dev_write_mtrr',`
########################################
##
+## Do not audit attempts to write the memory type
+## range registers (MTRR).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
+')
+
+########################################
+##
## Read and write the memory type range registers (MTRR).
##
##
@@ -3775,6 +3921,24 @@ interface(`dev_getattr_video_dev',`
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
+######################################
+##
+## Read and write userio device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
##
## Do not audit attempts to get the attributes
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index b3107fa..1586fbb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.2)
+policy_module(devices, 1.9.3)
########################################
#
@@ -59,6 +59,12 @@ dev_node(cpu_device_t)
type crypt_device_t;
dev_node(crypt_device_t)
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
type dri_device_t;
dev_node(dri_device_t)
@@ -232,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
type usb_device_t;
dev_node(usb_device_t)
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)