diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 673e294..ff405e7 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -5,6 +5,7 @@
 - Fix base module compile issues.
 - Added policies:
 	cpucontrol
+	cvs
 	ktalk
 	portmap
 	postgresql
diff --git a/refpolicy/policy/modules/services/cvs.fc b/refpolicy/policy/modules/services/cvs.fc
new file mode 100644
index 0000000..2f031af
--- /dev/null
+++ b/refpolicy/policy/modules/services/cvs.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/cvs	--	context_template(system_u:object_r:cvs_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/cvs.if b/refpolicy/policy/modules/services/cvs.if
new file mode 100644
index 0000000..bddf757
--- /dev/null
+++ b/refpolicy/policy/modules/services/cvs.if
@@ -0,0 +1,17 @@
+## <summary>Concurrent versions system</summary>
+
+########################################
+## <summary>
+##	Read the CVS data and metadata.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cvs_read_data',`
+	gen_require(`
+		type cvs_data_t;
+	')
+
+	allow $1 cvs_data_t:file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
new file mode 100644
index 0000000..3143e28
--- /dev/null
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -0,0 +1,100 @@
+
+policy_module(cvs,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cvs_t;
+type cvs_exec_t;
+inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+role system_r types cvs_t;
+
+type cvs_data_t; #, customizable;
+files_type(cvs_data_t)
+
+type cvs_tmp_t;
+files_tmp_file(cvs_tmp_t)
+
+type cvs_var_run_t;
+files_pid_file(cvs_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cvs_t self:process signal_perms;
+allow cvs_t self:fifo_file rw_file_perms;
+allow cvs_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cvs_t self:capability { setuid setgid };
+
+allow cvs_t cvs_data_t:dir create_dir_perms;
+allow cvs_t cvs_data_t:file create_file_perms;
+allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
+
+allow cvs_t cvs_tmp_t:dir create_dir_perms;
+allow cvs_t cvs_tmp_t:file create_file_perms;
+files_create_tmp_files(cvs_t, cvs_tmp_t, { file dir })
+
+allow cvs_t cvs_var_run_t:file create_file_perms;
+files_create_pid(cvs_t,cvs_var_run_t)
+
+kernel_read_kernel_sysctl(cvs_t)
+kernel_read_system_state(cvs_t)
+kernel_read_network_state(cvs_t)
+
+corenet_tcp_sendrecv_all_if(cvs_t)
+corenet_udp_sendrecv_all_if(cvs_t)
+corenet_raw_sendrecv_all_if(cvs_t)
+corenet_tcp_sendrecv_all_nodes(cvs_t)
+corenet_udp_sendrecv_all_nodes(cvs_t)
+corenet_raw_sendrecv_all_nodes(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_all_nodes(cvs_t)
+corenet_udp_bind_all_nodes(cvs_t)
+
+dev_read_urand(cvs_t)
+
+fs_getattr_xattr_fs(cvs_t)
+
+auth_domtrans_chk_passwd(cvs_t)
+
+corecmd_exec_bin(cvs_t)
+corecmd_exec_sbin(cvs_t)
+corecmd_exec_shell(cvs_t)
+
+files_read_etc_files(cvs_t)
+files_read_etc_runtime_files(cvs_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(cvs_t)
+
+libs_use_ld_so(cvs_t)
+libs_use_shared_libs(cvs_t)
+
+logging_send_syslog_msg(cvs_t)
+
+miscfiles_read_localization(cvs_t)
+
+sysnet_read_config(cvs_t)
+
+mta_send_mail(cvs_t)
+
+optional_policy(`kerberos.te',`
+	kerberos_use(cvs_t)
+	kerberos_read_keytab(cvs_t)
+	kerberos_read_config(cvs_t)
+	kerberos_dontaudit_write_config(cvs_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(cvs_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(cvs_t)
+')
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index c8c103a..9821152 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -76,6 +76,23 @@ interface(`kerberos_read_config',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write the kerberos
+##	configuration file (/etc/krb5.conf).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`kerberos_dontaudit_write_config',`
+	gen_require(`
+		type krb5_conf_t;
+	')
+
+	dontaudit $1 krb5_conf_t:file write;
+')
+
+########################################
+## <summary>
 ##	Read and write the kerberos configuration file (/etc/krb5.conf).
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 634db10..8f99cc4 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -121,6 +121,10 @@ optional_policy(`cron.te',`
 	cron_read_system_job_tmp_files(system_mail_t)
 ')
 
+optional_policy(`cvs.te',`
+	cvs_read_data(system_mail_t)
+')
+
 optional_policy(`logrotate.te',`
 	logrotate_read_tmp_files(system_mail_t)
 ')