diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index d04ec62..f4a9102 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -45,7 +45,7 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file { getattr read write };
-kernel_stat_kernel_core_interface(bootloader_t)
+kernel_get_core_interface_attributes(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
 kernel_read_kernel_sysctl(bootloader_t)
@@ -55,7 +55,8 @@ storage_raw_write_fixed_disk(bootloader_t)
 storage_raw_read_removable_device(bootloader_t)
 storage_raw_write_removable_device(bootloader_t)
-devices_get_all_block_device_attributes(bootloader_t)
+devices_get_all_character_device_attributes(bootloader_t)
+devices_set_all_block_device_attributes(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index e56e2ea..67dd5f6 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -372,22 +372,6 @@ class system ipc_info;
 ########################################
 #
-# kernel_read_kernel_messages(domain,[`optional'])
-#
-define(`kernel_read_kernel_messages',`
-requires_block_template(kernel_read_kernel_messages_depend,$2)
-allow $1 proc_kmsg_t:file { getattr read };
-typeattribute $1 can_receive_kernel_messages;
-')
-
-define(`kernel_read_kenel_messages_depend',`
-attribute can_receive_kernel_messages;
-type proc_kmsg_t;
-class file { getattr read };
-')
-
-########################################
-#
 # kernel_get_selinuxfs_mount_point(domain,[`optional'])
 #
 define(`kernel_get_selinuxfs_mount_point',`
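Review bot: The second bootloader.te hunk drops `devices_get_all_block_device_attributes(bootloader_t)` and adds `devices_set_all_block_device_attributes(bootloader_t)`, so judging by the interface names bootloader_t may now change attributes of every block device node while losing the getattr access it had before, which is an odd combination for a domain that only needs to read and write its boot device. If the previous access was meant to stay, keep `devices_get_all_block_device_attributes(bootloader_t)` next to the new character-device line; if setattr on block devices is genuinely required, a comment in the style of the `# for reading BIOS data (cjp: ?)` line below naming the device and reason would let the permission be scoped to it later rather than stay unexplained across all block devices.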
@@ -440,15 +424,15 @@ class file { getattr read };
 ########################################
 #
-# kernel_stat_kernel_core_interface(domain,[`optional'])
+# kernel_get_core_interface_attributes(domain,[`optional'])
 #
-define(`kernel_stat_kernel_core_interface',`
-requires_block_template(kernel_stat_kernel_core_interface_depend,$2)
+define(`kernel_get_core_interface_attributes',`
+requires_block_template(kernel_get_core_interface_attributes_depend,$2)
 allow $1 proc_t:dir { getattr search read };
 allow $1 proc_kcore_t:file getattr;
 ')
-ifdef(`kernel_stat_kernel_core_interface_depend',`
+ifdef(`kernel_get_core_interface_attributes_depend',`
 type proc_t, proc_kcore_t;
 class dir { search getattr read };
 class file getattr;
@@ -456,6 +440,40 @@ class file getattr;
 ########################################
 #
+# kernel_read_messages(domain,[`optional'])
+#
+define(`kernel_read_messages',`
+requires_block_template(kernel_read_messages_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_kmsg_t:file { getattr read };
+typeattribute $1 can_receive_kernel_messages;
+')
+
+define(`kernel_read_messages_depend',`
+attribute can_receive_kernel_messages;
+type proc_kmsg_t, proc_t;
+class dir search;
+class file { getattr read };
+')
+
+########################################
+#
+# kernel_get_message_interface_attributes(domain,[`optional'])
+#
+define(`kernel_get_message_interface_attributes',`
+requires_block_template(kernel_get_message_interface_attributes_depend,$2)
+allow $1 proc_t:dir search;
+allow $1 proc_kmsg_t:file getattr;
+')
+
+define(`kernel_get_message_interface_attributes_depend',`
+type proc_kmsg_t, proc_t;
+class dir search;
+class file getattr;
+')
+
+########################################
+#
 # kernel_read_network_state(domain,[`optional'])
 #
 define(`kernel_read_network_state',`
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 523805e..727cb74 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
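Review bot: The renamed dependency block in the first kernel.if hunk still opens with `ifdef(`kernel_get_core_interface_attributes_depend',`` where every other `_depend` block in this patch uses `define(`..._depend',``, so the macro named on the `requires_block_template(kernel_get_core_interface_attributes_depend,$2)` line above it is never actually defined. Since the rename already rewrites that line, it should read `define(`kernel_get_core_interface_attributes_depend',``; as written, a caller that passes `optional` presumably ends up with the bare macro name in its require block rather than the type and class declarations.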
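Review bot: In the second kernel.if hunk the line `typeattribute $1 can_receive_kernel_messages;` inside `kernel_read_messages` is what satisfies the `neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;` rule that kernel.te keeps, but nothing at the call site says so, and the sibling `kernel_get_message_interface_attributes` deliberately omits the attribute because it grants getattr only. A one-line comment above the typeattribute, such as `# read on proc_kmsg_t is neverallowed without this attribute (see kernel.te)`, would stop a later interface from granting read on /proc/kmsg without it and would make clear why the two interfaces differ beyond the permission set.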
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,39 +1,19 @@
 # Copyright (C) 2005 Tresys Technology, LLC
-########################################
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+attribute can_load_kernmodule;
+attribute can_receive_kernel_messages;
+
+#
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 #
-type kernel_t, can_load_kernmodule;
+type kernel_t, can_load_kernmodule, can_load_policy;
 role system_r types kernel_t;
+domain_make_domain(kernel_t)
-domain_make_base_domain(kernel_t)
-
-terminal_use_console(kernel_t)
-domain_signal_all_domains(kernel_t)
-
-# Use capabilities. need to investigate which capabilities are actually used
-allow kernel_t self:capability *;
-
-# Mount root file system. Used when loading a policy
-# from initrd, then mounting the root filesystem
-filesystem_mount_all_filesystems(kernel_t)
-
-# Other possible mount points for the root fs are in sysfiles
-allow kernel_t unlabeled_t:dir mounton;
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-#can_exec(kernel_t, bin_t.sys)
-
-# Kernel-generated traffic, e.g. ICMP replies.
-corenetwork_network_raw_on_all_interfaces(kernel_t)
-corenetwork_network_raw_on_all_nodes(kernel_t)
-
-# Kernel-generated traffic, e.g. TCP resets.
-corenetwork_network_tcp_on_all_interfaces(kernel_t)
-corenetwork_network_tcp_on_all_nodes(kernel_t)
-
-########################################
 #
 # unlabeled_t is the type of unlabeled objects.
 # Objects that have no known labeling information or that
@@ -41,31 +21,15 @@ corenetwork_network_tcp_on_all_nodes(kernel_t)
 #
 type unlabeled_t;
-############################################
 #
 # security_t is the target type when checking
 # the permissions in the security class. It is also
 # applied to selinuxfs inodes.
 #
 type security_t;
+filesystem_make_filesystem(security_t)
 genfscon selinuxfs / system_u:object_r:security_t
-attribute can_load_policy;
-attribute can_setenforce;
-attribute can_setsecparam;
-neverallow ~can_load_policy security_t:security load_policy;
-neverallow ~can_setenforce security_t:security setenforce;
-neverallow ~can_setsecparam security_t:security setsecparam;
-
-# enabling dyntransition breaks process tranquility. If you dont
-# know what this means or dont understand the implications of a
-# dynamic transition, you shouldnt be using it!!!
-neverallow * *:process { setcurrent dyntransition };
-
-attribute can_load_kernmodule;
-neverallow ~can_load_kernmodule *:capability sys_module;
-
-########################################
 #
 # sysfs_t is the type for /sys
 #
@@ -73,7 +37,6 @@ type sysfs_t;
 filesystem_make_filesystem(sysfs_t)
 genfscon sysfs / system_u:object_r:sysfs_t
-########################################
 #
 # usbfs_t is the type for /proc/bus/usb
 #
@@ -82,7 +45,6 @@ filesystem_make_filesystem(usbfs_t)
 genfscon usbfs / system_u:object_r:usbfs_t
 genfscon usbdevfs / system_u:object_r:usbfs_t
-############################################
 #
 # Procfs types
 #
@@ -94,7 +56,6 @@ genfscon proc /sysvipc system_u:object_r:proc_t
 # kernel message interface
 type proc_kmsg_t;
 genfscon proc /kmsg system_u:object_r:proc_kmsg_t
-attribute can_receive_kernel_messages;
 neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
 # /proc kcore: inaccessible
@@ -108,7 +69,6 @@ genfscon proc /mdstat system_u:object_r:proc_mdstat_t
 type proc_net_t;
 genfscon proc /net system_u:object_r:proc_net_t
-############################################
 #
 # Sysctl types
 #
@@ -156,3 +116,85 @@ genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
 # /proc/sys/dev directory and files
 type sysctl_dev_t;
 genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
+
+########################################
+#
+# kernel local policy
+#
+
+# Use capabilities. need to investigate which capabilities are actually used
+allow kernel_t self:capability *;
+
+# Other possible mount points for the root fs are in files
+allow kernel_t unlabeled_t:dir mounton;
+
+# old general_domain_access()
+allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow kernel_t self:msg { send receive };
+allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow kernel_t self:unix_dgram_socket sendto;
+allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file { read getattr lock ioctl write append };
+allow kernel_t self:fd use;
+
+# old general_proc_read_access():
+allow kernel_t proc_t:dir { getattr search read };
+allow kernel_t proc_t:{ lnk_file file } { getattr read };
+allow kernel_t proc_net_t:dir { getattr search read };
+allow kernel_t proc_net_t:file { getattr read };
+allow kernel_t proc_mdstat_t:file { getattr read };
+allow kernel_t proc_kcore_t:file getattr;
+allow kernel_t proc_kmsg_t:file getattr;
+allow kernel_t sysctl_t:dir { getattr search read };
+allow kernel_t sysctl_kernel_t:dir { getattr search read };
+allow kernel_t sysctl_kernel_t:file { getattr read };
+
+# old base_file_read_access():
+files_list_home_directories(kernel_t)
+files_read_general_shared_resources(kernel_t)
+selinux_read_config(kernel_t)
+
+selinux_read_binary_policy(kernel_t)
+allow kernel_t security_t:dir { read search getattr };
+allow kernel_t security_t:file { getattr read write };
+allow kernel_t security_t:security load_policy;
+auditallow kernel_t security_t:security load_policy;
+
+libraries_use_dynamic_loader(kernel_t)
+libraries_read_shared_libraries(kernel_t)
+
+corecommands_execute_shell(kernel_t)
+
+terminal_use_console(kernel_t)
+domain_signal_all_domains(kernel_t)
+
+# Mount root file system. Used when loading a policy
+# from initrd, then mounting the root filesystem
+filesystem_mount_all_filesystems(kernel_t)
+
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecommands_execute_general_programs(kernel_t)
+
+logging_send_system_log_message(kernel_t)
+
+# Kernel-generated traffic, e.g. ICMP replies.
+corenetwork_network_raw_on_all_interfaces(kernel_t)
+corenetwork_network_raw_on_all_nodes(kernel_t)
+
+# Kernel-generated traffic, e.g. TCP resets.
+corenetwork_network_tcp_on_all_interfaces(kernel_t)
+corenetwork_network_tcp_on_all_nodes(kernel_t)
+
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
+
+# enabling dyntransition breaks process tranquility. If you dont
+# know what this means or dont understand the implications of a
+# dynamic transition, you shouldnt be using it!!!
+neverallow * *:process { setcurrent dyntransition };
+
+neverallow ~can_load_kernmodule *:capability sys_module;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 28c9abd..08ebc58 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
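Review bot: `corecommands_execute_general_programs(kernel_t)` in the new "kernel local policy" block is justified only by `# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.`, which describes one binary, and it sits beside an uncommented `corecommands_execute_shell(kernel_t)`; between them kernel threads are allowed to execute any general program or shell, where the old file had left the equivalent `#can_exec(kernel_t, bin_t.sys)` line disabled. The same applies to `files_list_home_directories(kernel_t)` under `# old base_file_read_access():` and to `allow kernel_t security_t:file { getattr read write };`, none of which says which kernel code path needs it. The `# old general_domain_access()` style comments record where the rules were copied from, not why kernel_t needs them, so each of these widening lines should carry a short why-comment naming the consumer, or be held back until one is known. `allow kernel_t self:capability *;` keeps its `need to investigate` note from the old file, and the `neverallow ~can_load_kernmodule *:capability sys_module;` at the bottom is the only fence around it, so it deserves the same treatment rather than a silent move.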
@@ -14,7 +14,7 @@ filesystem_noxattr_associate($1,optional)
 define(`files_make_file_depend',`
 attribute file_type;
 filesystem_associate_depend
-filesystem_associate_noxattr_depend
+filesystem_noxattr_associate_depend
 ')
 ########################################
@@ -442,3 +442,18 @@ class dir { getattr search read };
 class file { getattr read };
 class lnk_file { getattr read };
 ')
+
+########################################
+#
+# files_list_home_directories(type,[`optional'])
+#
+define(`files_list_home_directories',`
+requires_block_template(files_list_home_directories_depend,$2)
+allow $1 home_root_t:dir { getattr search read };
+')
+
+define(`files_list_home_directories_depend',`
+type home_root_t;
+class dir { getattr search read };
+
+')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 580ca93..e0e82bf 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -61,8 +61,7 @@ miscfiles_read_localization(klogd_t)
 logging_send_system_log_message(klogd_t)
-# Read /proc/kmsg and /dev/mem.
-kernel_read_kernel_messages(klogd_t)
+kernel_read_messages(klogd_t)
 devices_raw_read_memory(klogd_t)
 # Control syslog and console logging
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index af8f9c1..10b4112 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -41,12 +41,10 @@ define(`selinux_read_binary_policy',`
 requires_block_template(selinux_read_binary_policy_depend,$2)
 allow $1 policy_config_t:dir { getattr search read };
 allow $1 policy_config_t:file { getattr read };
-typeattribute $1 can_write_binary_policy;
 ')
-define(`selinux_write_binary_policy_depend',`
+define(`selinux_read_binary_policy_depend',`
 type policy_config_t;
-attribute can_write_binary_policy;
 class dir { getattr search read };
 class file { getattr read };
 ')
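Review bot: The new `files_list_home_directories_depend` block in the second files.if hunk has a stray blank line between `class dir { getattr search read };` and `')`, which no other `_depend` block in this patch has, and its header reads `files_list_home_directories(type,[`optional'])` although `$1` is the subject of the allow rule, i.e. a domain, which the kernel.if headers spell as `(domain,[`optional'])`. Both are cosmetic; `# files_list_home_directories(domain,[`optional'])` plus removing the blank line would bring the interface in line with the rest of the file.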
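Review bot: In the logging.te hunk, deleting `# Read /proc/kmsg and /dev/mem.` leaves `devices_raw_read_memory(klogd_t)` on the following line without the only comment that explained it, and raw memory access is exactly the permission a later reader will want a reason for. Keep the comment, or split it so each rule keeps its justification: `# Read /proc/kmsg` above `kernel_read_messages(klogd_t)` and `# Read /dev/mem` above `devices_raw_read_memory(klogd_t)`.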
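Review bot: The selinux.if hunk and the selinuxutil.if hunk that follows it are identical, down to the shared `index af8f9c1..10b4112` line, so the patch is maintaining two copies of the same interface file; one of them is presumably stale and should be deleted rather than kept in sync by hand, otherwise the next correction to `selinux_read_binary_policy` will land in only one copy. On the content, dropping `typeattribute $1 can_write_binary_policy;` from the read interface and renaming its block to `selinux_read_binary_policy_depend` fixes what looks like a leftover copy of the write interface, but the old name `selinux_write_binary_policy_depend` was also the only definition of that macro visible here; if `selinux_write_binary_policy` still calls `requires_block_template(selinux_write_binary_policy_depend,$2)` elsewhere in the file, that definition now has to exist outside this hunk, which is worth confirming before merging.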
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index af8f9c1..10b4112 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -41,12 +41,10 @@ define(`selinux_read_binary_policy',`
 requires_block_template(selinux_read_binary_policy_depend,$2)
 allow $1 policy_config_t:dir { getattr search read };
 allow $1 policy_config_t:file { getattr read };
-typeattribute $1 can_write_binary_policy;
 ')
-define(`selinux_write_binary_policy_depend',`
+define(`selinux_read_binary_policy_depend',`
 type policy_config_t;
-attribute can_write_binary_policy;
 class dir { getattr search read };
 class file { getattr read };
 ')