diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 1010a8f..ad77faf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,8 @@
* Add missing parts of unix stream socket connect interface
of ipsec.
* Rename inetd connect interface for consistency.
+ * Added policies:
+ mysql
20050802 (2 Aug 2005)
* Fix comparison bug in fc_sort.
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index a8173b4..80c2edd 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -16,6 +16,9 @@ gen_tunable(allow_gpg_execstack,false)
## Allow system to run with kerberos
gen_tunable(allow_kerberos,false)
+## Allow users to connect to mysql
+gen_tunable(allow_user_mysql_connect,false)
+
## Allow system to run with NIS
gen_tunable(allow_ypbind,false)
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 39b6cb8..16b8130 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -118,6 +118,12 @@ optional_policy(`consoletype.te',`
')
+optional_policy(`mysql.te',`
+ mysql_read_config(logrotate_t)
+ mysql_search_db_dir(logrotate_t)
+ mysql_stream_connect(logrotate_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(logrotate_t)
')
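Review bot: The three mysql interfaces granted to logrotate_t carry no comment saying why log rotation needs to read the server configuration, search the database directory and connect to the server socket. The database-directory search is presumably there because on Fedora the socket lives under /var/lib/mysql (the distro_redhat type_transition in mysql.te in this same commit says so), and the connect presumably serves a flush of the logs from the rotation script — both are inferences, please confirm. Recording it inline, e.g. `# log rotation talks to the server over its socket, which Fedora keeps in the database directory`, would save the next reader from re-deriving it.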
diff --git a/refpolicy/policy/modules/services/mysql.fc b/refpolicy/policy/modules/services/mysql.fc
new file mode 100644
index 0000000..ba5b94e
--- /dev/null
+++ b/refpolicy/policy/modules/services/mysql.fc
@@ -0,0 +1,24 @@
+# mysql database server
+
+#
+# /etc
+#
+/etc/my\.cnf -- context_template(system_u:object_r:mysqld_etc_t,s0)
+/etc/mysql(/.*)? context_template(system_u:object_r:mysqld_etc_t,s0)
+
+#
+# /usr
+#
+/usr/libexec/mysqld -- context_template(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/sbin/mysqld(-max)? -- context_template(system_u:object_r:mysqld_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/mysql(/.*)? context_template(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s context_template(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/log/mysql.* -- context_template(system_u:object_r:mysqld_log_t,s0)
+
+/var/run/mysqld(/.*)? context_template(system_u:object_r:mysqld_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/mysql.if b/refpolicy/policy/modules/services/mysql.if
new file mode 100644
index 0000000..98b2251
--- /dev/null
+++ b/refpolicy/policy/modules/services/mysql.if
@@ -0,0 +1,135 @@
+## Policy for MySQL
+
+########################################
+##
+## Send a generic signal to MySQL.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_signal',`
+ gen_require(`
+ type mysqld_t;
+ class process signal;
+ ')
+
+ allow $1 mysqld_t:process signal;
+')
+
+########################################
+##
+## Connect to MySQL using a unix domain stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_stream_connect',`
+ gen_require(`
+ type mysqld_t;
+ class unix_stream_socket connectto;
+ class dir search;
+ class sock_file write;
+ ')
+
+ allow $1 mysqld_var_run_t:dir search;
+ allow $1 mysqld_var_run_t:sock_file write;
+ allow $1 mysqld_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Read MySQL configuration files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_read_config',`
+ gen_require(`
+ type mysqld_etc_t;
+ class dir { getattr read search };
+ class file { read getattr };
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 mysqld_etc_t:dir { getattr read search };
+ allow $1 mysqld_etc_t:file { read getattr };
+ allow $1 mysqld_etc_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Search the directories that contain MySQL
+## database storage.
+##
+##
+## Domain allowed access.
+##
+#
+# cjp: "_dir" in the name is added to clarify that this
+# is not searching the database itself.
+interface(`mysql_search_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ class dir search;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir search;
+')
+
+########################################
+##
+## Read and write to the MySQL database directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_rw_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ class rw_dir_perms;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete MySQL database directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_manage_db_dir',`
+ gen_require(`
+ type mysql_db_t;
+ class create_dir_perms;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 mysqld_db_t:dir create_dir_perms;
+')
+
+########################################
+##
+## Write to the MySQL log.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`mysql_write_log',`
+ gen_require(`
+ type mysqld_log_t;
+ class file { write append setattr ioctl };
+ ')
+
+ logging_search_logs($1)
+ allow $1 mysqld_log_t:file { write append setattr ioctl };
+')
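Review bot: `mysql_manage_db_dir` requires `type mysql_db_t;` but the allow rule beneath it uses `mysqld_db_t`, so the interface names a type that is never declared anywhere in this commit; the require line should read `type mysqld_db_t;`. In the same file `mysql_stream_connect` writes rules on `mysqld_var_run_t` while its gen_require lists only `mysqld_t`, so `type mysqld_var_run_t;` is missing there, and `mysql_rw_db_dir` / `mysql_manage_db_dir` put the permission macros where an object class is expected — those lines should be `class dir rw_dir_perms;` and `class dir create_dir_perms;`. Note also that `mysql_stream_connect` grants search on the mysqld_var_run_t directory but, unlike the db-dir interfaces which call `files_search_var_lib`, gives the caller no path to the parent /var/run directory; callers presumably already hold that, but it is worth confirming or adding the matching files_ search interface.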
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
new file mode 100644
index 0000000..2f48985
--- /dev/null
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -0,0 +1,133 @@
+
+policy_module(mysql,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type mysqld_t;
+type mysqld_exec_t;
+init_daemon_domain(mysqld_t,mysqld_exec_t)
+
+type mysqld_var_run_t;
+files_pid_file(mysqld_var_run_t)
+
+type mysqld_db_t;
+
+type mysqld_etc_t alias etc_mysqld_t;
+files_type(mysqld_etc_t)
+
+type mysqld_log_t;
+logging_log_file(mysqld_log_t)
+
+type mysqld_tmp_t;
+files_tmp_file(mysqld_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mysqld_t self:capability { dac_override setgid setuid };
+dontaudit mysqld_t self:capability sys_tty_config;
+allow mysqld_t self:process getsched;
+allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
+allow mysqld_t self:tcp_socket connected_socket_perms;
+
+allow mysqld_t mysqld_db_t:dir create_dir_perms;
+allow mysqld_t mysqld_db_t:file create_file_perms;
+allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
+
+allow mysqld_t mysqld_etc_t:file { getattr read };
+
+allow mysqld_t mysqld_log_t:file create_file_perms;
+logging_create_log(mysqld_t,mysqld_log_t)
+
+allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
+allow mysqld_t mysqld_tmp_t:file create_file_perms;
+files_create_tmp_files(mysqld_t, mysqld_tmp_t, { file dir })
+
+allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
+allow mysqld_t mysqld_var_run_t:file create_file_perms;
+files_create_pid(mysqld_t,mysqld_var_run_t)
+
+kernel_list_proc(mysqld_t)
+kernel_read_kernel_sysctl(mysqld_t)
+kernel_read_proc_symlinks(mysqld_t)
+kernel_read_system_state(mysqld_t)
+
+corenet_tcp_sendrecv_all_if(mysqld_t)
+corenet_raw_sendrecv_all_if(mysqld_t)
+corenet_tcp_sendrecv_all_nodes(mysqld_t)
+corenet_raw_sendrecv_all_nodes(mysqld_t)
+corenet_tcp_sendrecv_all_ports(mysqld_t)
+corenet_tcp_bind_all_nodes(mysqld_t)
+corenet_tcp_bind_mysqld_port(mysqld_t)
+
+dev_read_sysfs(mysqld_t)
+
+fs_getattr_all_fs(mysqld_t)
+fs_search_auto_mountpoints(mysqld_t)
+
+term_dontaudit_use_console(mysqld_t)
+
+domain_use_wide_inherit_fd(mysqld_t)
+
+files_getattr_var_lib_dir(mysqld_t)
+files_read_etc_runtime_files(mysqld_t)
+files_read_usr_files(mysqld_t)
+
+init_use_fd(mysqld_t)
+init_use_script_pty(mysqld_t)
+
+libs_use_ld_so(mysqld_t)
+libs_use_shared_libs(mysqld_t)
+
+logging_send_syslog_msg(mysqld_t)
+
+miscfiles_read_localization(mysqld_t)
+
+sysnet_read_config(mysqld_t)
+
+userdom_dontaudit_use_unpriv_user_fd(mysqld_t)
+# for /root/.my.cnf - should not be needed:
+userdom_read_sysadm_home_files(mysqld_t)
+
+ifdef(`distro_redhat',`
+ # because Fedora has the sock_file in the database directory
+ type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
+')
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(mysqld_t)
+ term_dontaudit_use_generic_pty(mysqld_t)
+ files_dontaudit_read_root_file(mysqld_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(mysqld_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(mysqld_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(mysqld_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(mysqld_t)
+')
+
+ifdef(`TODO',
+optional_policy(`daemontools.te',`
+ domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
+ mysqld_signal(svc_start_t)
+
+ svc_ipc_domain(mysqld_t)
+')
+') dnl end TODO
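Review bot: mysqld_t is given only `mysqld_etc_t:file { getattr read }` in the local policy, yet mysql.fc in this commit labels the whole `/etc/mysql(/.*)?` tree mysqld_etc_t, so on Debian the daemon cannot search into its own configuration directory; add `allow mysqld_t mysqld_etc_t:dir search;` (and `lnk_file read` if symlinked configs are expected — unconfirmed). The `ifdef(`TODO')` block at the end calls `mysqld_signal(svc_start_t)` while the interface declared in mysql.if is `mysql_signal`, so the block will fail the day it is enabled. mysqld_db_t is declared without a `files_type()` call although mysqld_etc_t gets one; if that is deliberate a one-line comment would help, otherwise the database directories fall outside the generic file-type attribute. The `userdom_read_sysadm_home_files(mysqld_t)` line is already annotated "should not be needed" — a daemon reading the administrator's home files is the broadest grant in this module, so it would be better expressed as a dontaudit or gated behind a tunable than granted unconditionally.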
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 9bf7bb1..78e9755 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -28,7 +28,11 @@
/etc/netplug\.d(/.*)? context_template(system_u:object_r:sbin_t,s0)
-ifdef(`targeted_policy', `
+ifdef(`distro_debian',`
+/etc/mysql/debian-start -- context_template(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`targeted_policy',`
/etc/X11/prefdm -- context_template(system_u:object_r:bin_t,s0)
')
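Review bot: The new distro_debian entry labels `/etc/mysql/debian-start` bin_t while mysql.fc in this same commit labels `/etc/mysql(/.*)?` mysqld_etc_t, and nothing on the line records that the literal path is meant to override the pattern from the other file. Add a comment such as `# more specific than /etc/mysql(/.*)? in mysql.fc, so this wins; presumably run by the init script` so the dependency on file-context ordering is explicit — the "presumably" part should be confirmed against the Debian package.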
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 5d9b6db..f9cb5a4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -392,6 +392,15 @@ optional_policy(`mta.te',`
mta_dontaudit_read_spool_symlink(initrc_t)
')
+optional_policy(`mysql.te',`
+ ifdef(`distro_redhat',`
+ mysql_manage_db_dir(initrc_t)
+ ')
+
+ mysql_stream_connect(initrc_t)
+ mysql_write_log(initrc_t)
+')
+
optional_policy(`nis.te',`
nis_udp_sendto_ypbind(initrc_t)
nis_list_var_yp(initrc_t)
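Review bot: `mysql_write_log(initrc_t)` grants only write/append/setattr/ioctl on existing mysqld_log_t files, so if the init script has to create `/var/log/mysql*` on first start the create will be denied and any file it does create would carry the default /var/log label rather than mysqld_log_t; if that is the case a create-capable interface or a file transition is needed, otherwise a comment stating that the log is created by the daemon would settle it. The redhat-only `mysql_manage_db_dir(initrc_t)` likewise has no comment explaining why the init script manages the database directory — presumably the Fedora script initialises the database on first start, but please record the actual reason inline.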
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 4b13e86..3ba5898 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -248,6 +248,14 @@ template(`base_user_template',`
nis_use_ypbind($1_t)
')
+ optional_policy(`mysql.te',`
+ ifdef(`targeted_policy',`',`
+ tunable_policy(`allow_user_mysql_connect',`
+ mysql_stream_connect($1_t)
+ ')
+ ')
+ ')
+
optional_policy(`nscd.te',`
nscd_use_socket($1_t)
')
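Review bot: The tunable is documented in global_tunables as "Allow users to connect to mysql", but what it grants here is `mysql_stream_connect($1_t)` alone, i.e. the unix-socket path only; a user client connecting over TCP to the mysqld port would still be denied, so either the description should say "over the unix socket" or the TCP port connect belongs under the same tunable. The `ifdef(`targeted_policy',`',`` form with an empty first branch is easy to misread as a typo; a short comment such as `# nothing to grant under targeted policy, users are not confined there` (please confirm that is the intent) would make it deliberate. base_user_template itself starts outside this hunk.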
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 4e6dd98..55d7321 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -161,6 +161,10 @@ ifdef(`targeted_policy',`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`mysql.te',`
+ mysql_stream_connect(sysadm_t)
+ ')
+
optional_policy(`netutils.te',`
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)