diff --git a/Changelog b/Changelog
index 3691938..1f849e2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add wireshark module based on ethereal module.
- Revise upstart support in init module to use a tunable, as upstart is now
used in Fedora too.
- Add iferror.m4 rather generate it out of the Makefiles.
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
new file mode 100644
index 0000000..dac9c99
--- /dev/null
+++ b/policy/modules/apps/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:ROLE_wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
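Review bot: Only `/usr/bin/wireshark` is labelled `wireshark_exec_t` in this file, so any other capture front end installed by the same package keeps its default label and runs in the caller's domain instead of transitioning to `$1_wireshark_t`. If the target distributions ship a command-line capture binary such as tshark alongside the GUI, add a matching entry, e.g. `/usr/bin/tshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)`. Whether the per-role policy (which pulls in X client rules) fits a non-GUI binary should be checked before doing so.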
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
new file mode 100644
index 0000000..3d2b8e4
--- /dev/null
+++ b/policy/modules/apps/wireshark.if
@@ -0,0 +1,249 @@
+## Wireshark packet capture tool.
+
+#######################################
+##
+## The per role template for the wireshark module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for wireshark packet capture tool.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`wireshark_per_role_template',`
+
+ gen_require(`
+ type wireshark_exec_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Type for program
+ type $1_wireshark_t;
+ application_domain($1_wireshark_t,wireshark_exec_t)
+ role $3 types $1_wireshark_t;
+
+ type $1_wireshark_home_t;
+ files_poly_member($1_wireshark_home_t)
+ userdom_user_home_content($1,$1_wireshark_home_t)
+
+ type $1_wireshark_tmp_t;
+ files_tmp_file($1_wireshark_tmp_t)
+
+ type $1_wireshark_tmpfs_t;
+ files_tmpfs_file($1_wireshark_tmpfs_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_wireshark_t self:capability { net_admin net_raw setgid };
+ allow $1_wireshark_t self:process { signal getsched };
+ allow $1_wireshark_t self:fifo_file { getattr read write };
+ allow $1_wireshark_t self:shm destroy;
+ allow $1_wireshark_t self:shm create_shm_perms;
+ allow $1_wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+ allow $1_wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+ allow $1_wireshark_t self:tcp_socket create_socket_perms;
+ allow $1_wireshark_t self:udp_socket create_socket_perms;
+
+ # Re-execute itself (why?)
+ can_exec($1_wireshark_t, wireshark_exec_t)
+ corecmd_search_bin($1_wireshark_t)
+
+ # /home/.wireshark
+ manage_dirs_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+ manage_files_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+ manage_lnk_files_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+ userdom_user_home_dir_filetrans($1,$1_wireshark_t,$1_wireshark_home_t,dir)
+
+ # Store temporary files
+ manage_dirs_pattern($1_wireshark_t,$1_wireshark_tmp_t,$1_wireshark_tmp_t)
+ manage_files_pattern($1_wireshark_t,$1_wireshark_tmp_t,$1_wireshark_tmp_t)
+ files_tmp_filetrans($1_wireshark_t, $1_wireshark_tmp_t, { dir file })
+
+ manage_dirs_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+ manage_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+ manage_lnk_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+ manage_sock_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+ manage_fifo_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+ fs_tmpfs_filetrans($1_wireshark_t,$1_wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ domain_auto_trans($2, wireshark_exec_t, $1_wireshark_t)
+ allow $1_wireshark_t $2:fd use;
+ allow $1_wireshark_t $2:process sigchld;
+
+ manage_dirs_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+ manage_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+ manage_lnk_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+ relabel_dirs_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+ relabel_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+ relabel_lnk_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+
+ kernel_read_kernel_sysctls($1_wireshark_t)
+ kernel_read_system_state($1_wireshark_t)
+ kernel_read_sysctl($1_wireshark_t)
+
+ corecmd_search_bin($1_wireshark_t)
+
+ corenet_tcp_connect_generic_port($1_wireshark_t)
+ corenet_tcp_sendrecv_generic_if($1_wireshark_t)
+
+ dev_read_urand($1_wireshark_t)
+
+ files_read_etc_files($1_wireshark_t)
+ files_read_usr_files($1_wireshark_t)
+
+ fs_list_inotifyfs($1_wireshark_t)
+ fs_search_auto_mountpoints($1_wireshark_t)
+
+ libs_read_lib_files($1_wireshark_t)
+ libs_use_ld_so($1_wireshark_t)
+ libs_use_shared_libs($1_wireshark_t)
+
+ miscfiles_read_fonts($1_wireshark_t)
+ miscfiles_read_localization($1_wireshark_t)
+
+ seutil_use_newrole_fds($1_wireshark_t)
+
+ sysnet_read_config($1_wireshark_t)
+
+ userdom_manage_user_home_content_files($1,$1_wireshark_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_wireshark_t)
+ fs_manage_nfs_files($1_wireshark_t)
+ fs_manage_nfs_symlinks($1_wireshark_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_wireshark_t)
+ fs_manage_cifs_files($1_wireshark_t)
+ fs_manage_cifs_symlinks($1_wireshark_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_wireshark_t)
+ ')
+
+ # Manual transition from userhelper
+ optional_policy(`
+ userhelper_use_user_fd($1,$1_wireshark_t)
+ userhelper_sigchld_user($1,$1_wireshark_t)
+ ')
+
+ optional_policy(`
+ xserver_user_client_template($1,$1_wireshark_t,$1_wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets($1_wireshark_t)
+ ')
+
+ ifdef(`TODO',`
+ # Why does it write this?
+ optional_policy(`
+ dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;
+ ')
+ #TODO
+ gnome_application($1_wireshark, $1)
+ gnome_file_dialog($1_wireshark, $1)
+ # FIXME: policy is incomplete
+ ')
+
+')
+
+#######################################
+##
+## The administrative functions template for the wireshark module.
+##
+##
+##
+## This template creates rules for administrating wireshark,
+## allowing the specified user to manage wireshark files.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`wireshark_admin_template',`
+ gen_require(`
+ type $1_wireshark_t;
+ ')
+
+ # Create various types of sockets
+ allow $1_wireshark_t self:netlink_route_socket create_netlink_socket_perms;
+ allow $1_wireshark_t self:udp_socket create_socket_perms;
+ allow $1_wireshark_t self:packet_socket create_socket_perms;
+ allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_wireshark_t self:tcp_socket create_socket_perms;
+
+ userdom_use_user_terminals($1,$1_wireshark_t)
+ # wireshark tries to write to user terminal
+ userdom_dontaudit_use_user_terminals($1,$1_wireshark_t)
+')
+
+########################################
+##
+## Run wireshark in wireshark domain.
+##
+##
+##
+## Run wireshark in wireshark domain.
+##
+##
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`wireshark_domtrans_user_wireshark',`
+ gen_require(`
+ type $1_wireshark_t, wireshark_exec_t;
+ ')
+
+ domtrans_pattern($2,wireshark_exec_t,$1_wireshark_t)
+')
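Review bot: In `wireshark_per_role_template`, `userdom_manage_user_home_content_files($1,$1_wireshark_t)` gives the capture domain manage access to the user's general home content on top of the dedicated `$1_wireshark_home_t` type, while the same domain is allowed `net_raw`/`net_admin`, a `packet_socket`, and parses traffic it did not originate. A parser bug in that domain would then reach every file the user can write, so consider putting this line (and the NFS/CIFS manage blocks) behind a tunable, or at least state the reason with a comment such as `# Allow saving and opening capture files anywhere in the user home directory`. Separately, `wireshark_admin_template` calls `userdom_use_user_terminals($1,$1_wireshark_t)` and then `userdom_dontaudit_use_user_terminals($1,$1_wireshark_t)`; the dontaudit has no effect once the access is allowed, so keep whichever one is intended. That template's header says it lets the user manage wireshark files, but the body only adds socket and terminal rules, so the description should be corrected. The `dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;` line inside the TODO ifdef block hard-codes the sysadm prefix instead of `$1_wireshark_t` and should be fixed before that block is enabled.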
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
new file mode 100644
index 0000000..61092e3
--- /dev/null
+++ b/policy/modules/apps/wireshark.te
@@ -0,0 +1,10 @@
+
+policy_module(wireshark,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireshark_exec_t;
+application_executable_file(wireshark_exec_t)