diff --git a/refpolicy/policy/modules/system/pcmcia.fc b/refpolicy/policy/modules/system/pcmcia.fc
new file mode 100644
index 0000000..9dac1a2
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.fc
@@ -0,0 +1,10 @@
+
+/etc/apm/event\.d/pcmcia -- system_u:object_r:cardmgr_exec_t
+
+/sbin/cardctl -- system_u:object_r:cardctl_exec_t
+/sbin/cardmgr -- system_u:object_r:cardmgr_exec_t
+
+/var/lib/pcmcia(/.*)? system_u:object_r:cardmgr_var_run_t
+
+/var/run/cardmgr\.pid -- system_u:object_r:cardmgr_var_run_t
+/var/run/stab -- system_u:object_r:cardmgr_var_run_t
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
new file mode 100644
index 0000000..c99b813
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -0,0 +1,51 @@
+## PCMCIA card management services
+
+########################################
+##
+## Execute cardctl in the cardmgr domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`pcmcia_domtrans_cardctl',`
+ gen_require(`
+ type cardmgr_t, cardctl_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
+
+ allow $1 cardmgr_t:fd use;
+ allow cardmgr_t $1:fd use;
+ allow cardmgr_t $1:fifo_file rw_file_perms;
+ allow cardmgr_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute cardmgr in the cardctl domain, and
+## allow the specified role the cardmgr domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the cardmgr domain.
+##
+##
+## The type of the terminal allow the cardmgr domain to use.
+##
+#
+interface(`pcmcia_run_cardctl',`
+ gen_require(`
+ type cardmgr_t;
+ class chr_file rw_term_perms;
+ ')
+
+ pcmcia_domtrans_cardctl($1)
+ role $2 types cardmgr_t;
+ allow cardmgr_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
new file mode 100644
index 0000000..48327fe
--- /dev/null
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -0,0 +1,138 @@
+
+policy_module(pcmcia,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cardmgr_t;
+type cardmgr_exec_t;
+init_daemon_domain(cardmgr_t,cardmgr_exec_t)
+
+# Create symbolic links in /dev.
+# cjp: this should probably be eliminated
+type cardmgr_lnk_t;
+files_type(cardmgr_lnk_t)
+
+type cardmgr_var_run_t;
+files_pid_file(cardmgr_var_run_t)
+
+type cardctl_exec_t;
+domain_entry_file(cardmgr_t,cardctl_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities (net_admin for route), setuid for cardctl
+allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+dontaudit cardmgr_t self:capability sys_tty_config;
+allow cardmgr_t self:unix_dgram_socket create_socket_perms;
+allow cardmgr_t self:unix_stream_socket create_socket_perms;
+allow cardmgr_t self:fifo_file rw_file_perms;
+
+allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
+
+allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
+files_create_pid(cardmgr_t,cardmgr_var_run_t)
+
+kernel_read_system_state(cardmgr_t)
+kernel_read_kernel_sysctl(cardmgr_t)
+kernel_list_proc(cardmgr_t)
+kernel_read_proc_symlinks(cardmgr_t)
+
+dev_read_sysfs(cardmgr_t)
+# for SSP
+dev_read_urand(cardmgr_t)
+
+fs_getattr_all_fs(cardmgr_t)
+fs_search_auto_mountpoints(cardmgr_t)
+
+term_use_unallocated_tty(cardmgr_t)
+term_dontaudit_use_console(cardmgr_t)
+
+corecmd_exec_bin(cardmgr_t)
+corecmd_exec_sbin(cardmgr_t)
+
+domain_use_wide_inherit_fd(cardmgr_t)
+domain_exec_all_entry_files(cardmgr_t)
+
+files_search_home(cardmgr_t)
+files_read_etc_runtime_files(cardmgr_t)
+files_exec_etc_files(cardmgr_t)
+
+init_use_fd(cardmgr_t)
+init_use_script_pty(cardmgr_t)
+
+libs_use_ld_so(cardmgr_t)
+libs_use_shared_libs(cardmgr_t)
+libs_exec_ld_so(cardmgr_t)
+libs_exec_lib_files(cardmgr_t)
+
+logging_send_syslog_msg(cardmgr_t)
+
+miscfiles_read_localization(cardmgr_t)
+
+sysnet_domtrans_ifconfig(cardmgr_t)
+# for /etc/resolv.conf
+sysnet_manage_config(cardmgr_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
+userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(cardmgr_t)
+ term_dontaudit_use_generic_pty(cardmgr_t)
+ files_dontaudit_read_root_file(cardmgr_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(cardmgr_t)
+')
+
+optional_policy(`selinuxutils.te',`
+ seutil_sigchld_newrole(cardmgr_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cardmgr_t)
+')
+
+ifdef(`TODO',`
+allow cardmgr_t modules_object_t:dir search;
+
+# Create stab file
+var_lib_domain(cardmgr)
+
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+allow cardmgr_t var_lib_t:file { getattr read };
+
+# Create device files in /tmp.
+file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
+
+# Read /proc/PID directories for all domains (for fuser).
+can_ps(cardmgr_t, domain)
+allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+allow cardmgr_t ttyfile:chr_file getattr;
+dontaudit cardmgr_t ptyfile:chr_file getattr;
+dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
+dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
+dontaudit cardmgr_t proc_kmsg_t:file getattr;
+
+ifdef(`apmd.te', `
+domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
+')
+
+ifdef(`hide_broken_symptoms', `
+dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
+dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
+')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 373dcc2..4008974 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -165,6 +165,24 @@ interface(`sysnet_read_config',`
#######################################
##
+## Create, read, write, and delete network config files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`sysnet_manage_config',`
+ gen_require(`
+ type net_conf_t;
+ class file create_file_perms;
+ ')
+
+ allow $1 net_conf_t:file r_file_perms;
+ files_create_etc_config($1,net_conf_t,file)
+')
+
+#######################################
+##
## Read the dhcp client pid file.
##
##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index abbe1d8..dbada2c 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -154,6 +154,10 @@ ifdef(`targeted_policy',`
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`pcmcia.te',`
+ pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')