diff --git a/Changelog b/Changelog
index 7a6d2b8..40bb755 100644
--- a/Changelog
+++ b/Changelog
@@ -22,6 +22,7 @@
- Added modules:
certmaster (Dan Walsh)
cpufreqselector (Dan Walsh)
+ devicekit (Dan Walsh)
git (Dan Walsh)
gpsd (Miroslav Grepl)
guest (Dan Walsh)
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
new file mode 100644
index 0000000..73a06f7
--- /dev/null
+++ b/policy/modules/services/devicekit.fc
@@ -0,0 +1,8 @@
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
new file mode 100644
index 0000000..5be015a
--- /dev/null
+++ b/policy/modules/services/devicekit.if
@@ -0,0 +1,185 @@
+## Devicekit modular hardware abstraction layer
+
+########################################
+##
+## Execute a domain transition to run devicekit.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`devicekit_domtrans',`
+ gen_require(`
+ type devicekit_t, devicekit_exec_t;
+ ')
+
+ domtrans_pattern($1, devicekit_exec_t, devicekit_t)
+')
+
+########################################
+##
+## Send to devicekit over a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dgram_send',`
+ gen_require(`
+ type devicekit_t;
+ ')
+
+ allow $1 devicekit_t:unix_dgram_socket sendto;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat',`
+ gen_require(`
+ type devicekit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_t:dbus send_msg;
+ allow devicekit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit disk over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat_disk',`
+ gen_require(`
+ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_disk_t:dbus send_msg;
+ allow devicekit_disk_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Send signal devicekit power
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:process signal;
+')
+
+########################################
+##
+## Send and receive messages from
+## devicekit power over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_dbus_chat_power',`
+ gen_require(`
+ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 devicekit_power_t:dbus send_msg;
+ allow devicekit_power_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read devicekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_read_pid_files',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an devicekit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the devicekit domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+ type devicekit_var_run_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_t)
+
+ allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_disk_t)
+
+ allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
+ files_search_tmp($1)
+
+ admin_pattern($1, devicekit_var_lib_t)
+ files_search_var_lib($1)
+
+ admin_pattern($1, devicekit_var_run_t)
+ files_search_pids($1)
+')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
new file mode 100644
index 0000000..5d673bc
--- /dev/null
+++ b/policy/modules/services/devicekit.te
@@ -0,0 +1,219 @@
+policy_module(devicekit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type devicekit_t;
+type devicekit_exec_t;
+dbus_system_domain(devicekit_t, devicekit_exec_t)
+
+type devicekit_power_t;
+type devicekit_power_exec_t;
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+
+type devicekit_disk_t;
+type devicekit_disk_exec_t;
+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+
+type devicekit_tmp_t;
+files_tmp_file(devicekit_tmp_t)
+
+type devicekit_var_run_t;
+files_pid_file(devicekit_var_run_t)
+
+type devicekit_var_lib_t;
+files_type(devicekit_var_lib_t)
+
+########################################
+#
+# DeviceKit local policy
+#
+
+allow devicekit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+
+dev_read_sysfs(devicekit_t)
+dev_read_urand(devicekit_t)
+
+files_read_etc_files(devicekit_t)
+
+miscfiles_read_localization(devicekit_t)
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_t)
+
+ allow devicekit_t devicekit_disk_t:dbus send_msg;
+ allow devicekit_t devicekit_power_t:dbus send_msg;
+')
+
+optional_policy(`
+ udev_read_db(devicekit_t)
+')
+
+########################################
+#
+# DeviceKit disk local policy
+#
+
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
+
+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+kernel_read_software_raid_state(devicekit_disk_t)
+kernel_setsched(devicekit_disk_t)
+
+corecmd_exec_bin(devicekit_disk_t)
+
+dev_rw_sysfs(devicekit_disk_t)
+dev_read_urand(devicekit_disk_t)
+dev_getattr_usbfs_dirs(devicekit_disk_t)
+
+files_manage_mnt_dirs(devicekit_disk_t)
+files_read_etc_files(devicekit_disk_t)
+files_read_etc_runtime_files(devicekit_disk_t)
+files_read_usr_files(devicekit_disk_t)
+
+fs_mount_all_fs(devicekit_disk_t)
+fs_unmount_all_fs(devicekit_disk_t)
+fs_manage_fusefs_dirs(devicekit_disk_t)
+
+storage_raw_read_fixed_disk(devicekit_disk_t)
+storage_raw_write_fixed_disk(devicekit_disk_t)
+storage_raw_read_removable_device(devicekit_disk_t)
+storage_raw_write_removable_device(devicekit_disk_t)
+
+auth_use_nsswitch(devicekit_disk_t)
+
+miscfiles_read_localization(devicekit_disk_t)
+
+userdom_read_all_users_state(devicekit_disk_t)
+userdom_search_user_home_dirs(devicekit_disk_t)
+
+optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ lvm_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+')
+
+optional_policy(`
+ mount_domtrans(devicekit_disk_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_disk_t)
+
+ allow devicekit_disk_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_disk_t)
+ ')
+')
+
+optional_policy(`
+ udev_domtrans(devicekit_disk_t)
+ udev_read_db(devicekit_disk_t)
+')
+
+########################################
+#
+# DeviceKit-Power local policy
+#
+
+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+
+corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t)
+
+consoletype_exec(devicekit_power_t)
+
+domain_read_all_domains_state(devicekit_power_t)
+
+dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t)
+
+files_read_kernel_img(devicekit_power_t)
+files_read_etc_files(devicekit_power_t)
+files_read_usr_files(devicekit_power_t)
+
+term_use_all_terms(devicekit_power_t)
+
+auth_use_nsswitch(devicekit_power_t)
+
+miscfiles_read_localization(devicekit_power_t)
+
+userdom_read_all_users_state(devicekit_power_t)
+
+optional_policy(`
+ bootloader_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(devicekit_power_t)
+
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+ consolekit_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(devicekit_power_t)
+ ')
+')
+
+optional_policy(`
+ fstools_domtrans(devicekit_power_t)
+')
+
+optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(devicekit_power_t)
+')