diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 9b924c3..53c2e97 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -6,8 +6,11 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
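Review bot: The added regex `/etc/udev/rules.d(/.*)?` leaves the dot unescaped, so it also matches any single character there (e.g. `/etc/udev/rulesXd`); the neighbouring entry escapes it (`/etc/hotplug\.d`), and this one should read `/etc/udev/rules\.d(/.*)?`. The same line labels the rules directory `udev_var_run_t`, the type that the udev.te hunk lets udev_t manage and that the new `udev_manage_pid_files` interface hands out to callers, so anyone granted pid-file access can also write udev rules. If this directory holds persistent administrator-written rules rather than runtime-generated ones (I cannot tell from the diff), a dedicated type would keep the two kinds of write access apart.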
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index beec752..0bd4103 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -2,6 +2,24 @@
########################################
##
+## Send generic signals to udev.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_signal',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ allow $1 udev_t:process signal;
+')
+
+########################################
+##
## Execute udev in the udev domain.
##
##
@@ -169,3 +187,23 @@ interface(`udev_rw_db',`
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
')
+
+########################################
+##
+## Create, read, write, and delete
+## udev pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_manage_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+')
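Review bot: `files_search_var_lib($1)` in the body of `udev_manage_pid_files` grants search on `/var/lib`, but the files this interface manages are pid files under the runtime directory, so callers still lack the search permission they need to reach them; the matching call is `files_search_pids($1)`. The summary describes "udev pid files", yet after the udev.fc hunk `udev_var_run_t` also labels `/etc/udev/rules.d`, so a caller of this interface gains full write access to udev rules as well — either state that in the summary or keep the rules directory on a separate type so the interface stays as narrow as its name.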
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 132115c..c86fad8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev, 1.11.0)
+policy_module(udev, 1.11.1)
########################################
#
@@ -66,9 +66,11 @@ dev_filetrans(udev_t, udev_tbl_t, file)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
kernel_getattr_core_if(udev_t)
kernel_use_fds(udev_t)
kernel_read_device_sysctls(udev_t)
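Review bot: `kernel_request_load_module(udev_t)` is added without a comment saying which udev operation needs the kernel to load modules on udev's behalf, while this file does record such reasons inline (`#pidof triggers these` further down); a short why-comment would let the next reviewer check the grant is still required. Something like `# kernel module autoload on device events — confirm which rule needs this` next to the line would do. The same applies to `manage_lnk_files_pattern` on `udev_var_run_t` in this hunk, where it is not visible from the diff which symlinks udev creates there.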
@@ -99,7 +101,7 @@ dev_relabel_all_dev_nodes(udev_t)
dev_relabel_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t)
-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@@ -111,6 +113,7 @@ files_search_mnt(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
mcs_ptrace_all(udev_t)
@@ -140,6 +143,7 @@ logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t)
miscfiles_read_localization(udev_t)
+miscfiles_read_hwdata(udev_t)
modutils_domtrans_insmod(udev_t)
# read modules.inputmap:
@@ -194,6 +198,10 @@ optional_policy(`
')
optional_policy(`
+ bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
brctl_domtrans(udev_t)
')
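Review bot: The new `bluetooth_domtrans(udev_t)` block, like the other grants added in this file's later hunks (`cups_domtrans_config`, `devicekit_read_pid_files`/`devicekit_dgram_send`, `mount_domtrans`, `unconfined_signal`, `vbetool_domtrans`), carries no comment naming the udev rule or helper that requires it, although this file records such reasons inline (`#pidof triggers these`). Each domain transition out of udev_t is a new point where a device event starts a privileged program, so the reason belongs beside the rule; a one-line comment per block such as `# launched from udev rule: <rule name here>` would keep the grant reviewable. `unconfined_signal(udev_t)` in the last hunk deserves the same, since it is not obvious which unconfined process udev needs to signal; that hunk's end is outside the diff shown here.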
@@ -206,10 +214,19 @@ optional_policy(`
')
optional_policy(`
+ cups_domtrans_config(udev_t)
+')
+
+optional_policy(`
dbus_system_bus_client(udev_t)
')
optional_policy(`
+ devicekit_read_pid_files(udev_t)
+ devicekit_dgram_send(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')
@@ -228,6 +245,10 @@ optional_policy(`
')
optional_policy(`
+ mount_domtrans(udev_t)
+')
+
+optional_policy(`
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -242,6 +263,14 @@ optional_policy(`
')
optional_policy(`
+ unconfined_signal(udev_t)
+')
+
+optional_policy(`
+ vbetool_domtrans(udev_t)
+')
+
+optional_policy(`
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)