diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 70c39b2..41e327a 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -52,6 +52,7 @@ attribute mlsrangetrans; # temporarily have to break encapsulation to work around this. # +type cupsd_exec_t; type getty_t; type login_exec_t; type init_t; @@ -66,6 +67,7 @@ type xdm_exec_t; ifdef(`enable_mcs',` range_transition getty_t login_exec_t s0 - s0:c0.c255; range_transition init_t xdm_exec_t s0 - s0:c0.c255; +range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index aae3f7e..19e8de7 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -73,11 +73,11 @@ interface(`term_login_pty',` # interface(`term_tty',` gen_require(` - attribute ttynode; + attribute ttynode, serial_device; type tty_device_t; ') - typeattribute $2 ttynode; + typeattribute $2 ttynode, serial_device; type_change $1 tty_device_t:chr_file $2; # Debian login is from shadow utils and does not allow resetting the perms. diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index d461ed8..05c7d8d 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -8,6 +8,7 @@ policy_module(terminal,1.0) attribute ttynode; attribute ptynode; attribute server_ptynode; +attribute serial_device; # # bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] 
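Review bot: The new `typeattribute $2 ttynode, serial_device;` in `term_tty` attaches serial_device to every type that any module declares through this interface, not just to the two explicit `type tty_device_t, serial_device;` / `type usbtty_device_t, serial_device;` declarations in terminal.te, so a rule such as cups.te's `allow cupsd_t serial_device:chr_file rw_file_perms;` reaches every term_tty-declared tty node rather than only serial and USB-serial ports. If only real serial ports are meant, drop the attribute from the interface and keep it on the two terminal.te declarations; if the broad grouping is intended, the interface summary should say so, e.g. `## The type is also marked serial_device, so domains allowed to drive serial printers can use it.` The bare `attribute serial_device;` added to terminal.te has no comment at all, and a one-liner stating what it groups would be the only documentation of the attribute. term_tty's body continues past the end of the hunk.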
@@ -50,11 +51,11 @@ mls_trusted_object(ptmx_t) # # tty_device_t is the type of /dev/*tty* # -type tty_device_t; +type tty_device_t, serial_device; dev_node(tty_device_t) # # usbtty_device_t is the type of /dev/usr/tty* # -type usbtty_device_t; +type usbtty_device_t, serial_device; dev_node(usbtty_device_t) diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc new file mode 100644 index 0000000..8cd7cc5 --- /dev/null +++ b/refpolicy/policy/modules/services/cups.fc 
@@ -0,0 +1,52 @@
+
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+
+
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
+/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
+
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/run/cups/printcap -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+
+/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
new file mode 100644
index 0000000..02c323e
--- /dev/null
+++ b/refpolicy/policy/modules/services/cups.if
@@ -0,0 +1 @@
+## Common UNIX printing system
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
new file mode 100644
index 0000000..9867a94
--- /dev/null
+++ b/refpolicy/policy/modules/services/cups.te
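Review bot: `/var/cache/foomatic(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)` pairs an optional-subpath pattern with the `--` regular-file restriction, so the /var/cache/foomatic directory itself is never matched by this entry and keeps whatever label the generic /var/cache rule gives it, while only the files beneath it become cupsd_rw_etc_t. The neighbouring `(/.*)?` entries such as `/etc/cups(/.*)?` and `/var/log/cups(/.*)?` omit the file-type field for exactly this reason; the line should read `/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)`. The doubled blank line before `/usr/sbin/cupsd` looks accidental.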
@@ -0,0 +1,755 @@
+
+policy_module(cups,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cupsd_config_t;
+type cupsd_config_exec_t;
+init_daemon_domain(cupsd_config_t,cupsd_config_exec_t)
+
+type cupsd_config_var_run_t;
+files_pid_file(cupsd_config_var_run_t)
+
+type cupsd_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type cupsd_exec_t;
+')
+init_daemon_domain(cupsd_t,cupsd_exec_t)
+
+type cupsd_etc_t; #, usercanread;
+files_type(cupsd_etc_t)
+
+type cupsd_rw_etc_t; #, usercanread;
+files_type(cupsd_rw_etc_t)
+
+type cupsd_log_t;
+logging_log_file(cupsd_log_t)
+
+type cupsd_lpd_t;
+type cupsd_lpd_exec_t;
+inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
+role system_r types cupsd_lpd_t;
+
+type cupsd_lpd_tmp_t;
+files_tmp_file(cupsd_lpd_tmp_t)
+
+type cupsd_lpd_var_run_t;
+files_pid_file(cupsd_lpd_var_run_t)
+
+type cupsd_tmp_t;
+files_tmp_file(cupsd_tmp_t)
+
+type cupsd_var_run_t;
+files_pid_file(cupsd_var_run_t)
+
+type hplip_t;
+type hplip_exec_t;
+init_daemon_domain(hplip_t,hplip_exec_t)
+
+type hplip_etc_t; #, usercanread;
+files_type(hplip_etc_t)
+
+type hplip_var_run_t;
+files_pid_file(hplip_var_run_t)
+
+type ptal_t;
+type ptal_exec_t;
+init_daemon_domain(ptal_t,ptal_exec_t)
+
+type ptal_etc_t; #, usercanread;
+files_type(ptal_etc_t)
+
+type ptal_var_run_t;
+files_pid_file(ptal_var_run_t)
+
+########################################
+#
+# Cups local policy
+#
+
+# /usr/lib/cups/backend/serial needs sys_admin(?!)
+allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
+dontaudit cupsd_t self:capability net_admin;
+allow cupsd_t self:process setsched;
+allow cupsd_t self:fifo_file rw_file_perms;
+allow cupsd_t self:unix_stream_socket create_socket_perms;
+allow cupsd_t self:unix_dgram_socket create_socket_perms;
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
+allow cupsd_t self:udp_socket create_socket_perms;
+
+allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
+allow cupsd_t cupsd_etc_t:dir { r_dir_perms setattr };
+allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
+files_search_etc(cupsd_t)
+
+allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
+allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
+type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
+files_create_var(cupsd_t,cupsd_rw_etc_t,{ dir file })
+
+# allow cups to execute its backend scripts
+can_exec(cupsd_t, cupsd_exec_t)
+allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:lnk_file read;
+
+allow cupsd_t cupsd_log_t:file create_file_perms;
+allow cupsd_t cupsd_log_t:dir rw_dir_perms;
+logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
+
+allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
+allow cupsd_t cupsd_tmp_t:file create_file_perms;
+files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir })
+
+allow cupsd_t cupsd_var_run_t:file create_file_perms;
+allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
+files_create_pid(cupsd_t,cupsd_var_run_t)
+
+allow cupsd_t hplip_var_run_t:file { read getattr };
+
+allow cupsd_t ptal_var_run_t:dir search;
+allow cupsd_t ptal_var_run_t:sock_file { write setattr };
+allow cupsd_t ptal_t:unix_stream_socket connectto;
+
+kernel_read_system_state(cupsd_t)
+kernel_read_all_sysctl(cupsd_t)
+kernel_tcp_recvfrom(cupsd_t)
+
+corenet_tcp_sendrecv_all_if(cupsd_t)
+corenet_udp_sendrecv_all_if(cupsd_t)
+corenet_raw_sendrecv_all_if(cupsd_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_t)
+corenet_udp_sendrecv_all_nodes(cupsd_t)
+corenet_raw_sendrecv_all_nodes(cupsd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_t)
+corenet_udp_sendrecv_all_ports(cupsd_t)
+corenet_tcp_bind_all_nodes(cupsd_t)
+corenet_udp_bind_all_nodes(cupsd_t)
+corenet_tcp_bind_ipp_port(cupsd_t)
+corenet_udp_bind_ipp_port(cupsd_t)
+corenet_tcp_bind_reserved_port(cupsd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+corenet_tcp_connect_all_ports(cupsd_t)
+
+dev_rw_printer(cupsd_t)
+dev_read_urand(cupsd_t)
+dev_read_sysfs(cupsd_t)
+dev_read_usbfs(cupsd_t)
+
+fs_getattr_all_fs(cupsd_t)
+fs_search_auto_mountpoints(cupsd_t)
+
+term_dontaudit_use_console(cupsd_t)
+
+auth_domtrans_chk_passwd(cupsd_t)
+
+# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+corecmd_exec_shell(cupsd_t)
+corecmd_exec_bin(cupsd_t)
+corecmd_exec_sbin(cupsd_t)
+
+domain_use_wide_inherit_fd(cupsd_t)
+
+files_read_etc_files(cupsd_t)
+files_read_etc_runtime_files(cupsd_t)
+# read python modules
+files_read_usr_files(cupsd_t)
+# for /var/lib/defoma
+files_search_var_lib(cupsd_t)
+files_list_world_readable(cupsd_t)
+files_read_world_readable_files(cupsd_t)
+files_read_world_readable_symlinks(cupsd_t)
+
+init_use_fd(cupsd_t)
+init_use_script_pty(cupsd_t)
+init_exec_script(cupsd_t)
+
+libs_use_ld_so(cupsd_t)
+libs_use_shared_libs(cupsd_t)
+# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
+libs_read_lib(cupsd_t)
+
+logging_send_syslog_msg(cupsd_t)
+
+miscfiles_read_localization(cupsd_t)
+# invoking ghostscript needs to read fonts
+miscfiles_read_fonts(cupsd_t)
+
+seutil_dontaudit_read_config(cupsd_t)
+
+sysnet_read_config(cupsd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cupsd_t)
+userdom_dontaudit_search_sysadm_home_dir(cupsd_t)
+
+# Write to /var/spool/cups.
+lpd_manage_spool(cupsd_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(cupsd_t)
+ term_dontaudit_use_generic_pty(cupsd_t)
+ files_dontaudit_read_root_file(cupsd_t)
+')
+
+optional_policy(`dbus.te',`
+ dbus_system_bus_client_template(cupsd,cupsd_t)
+ dbus_send_system_bus_msg(cupsd_t)
+
+ allow cupsd_t userdomain:dbus send_msg;
+')
+
+optional_policy(`hostname.te',`
+ hostname_exec(cupsd_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(cupsd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(cupsd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cupsd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cupsd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cupsd_t)
+')
+allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
+allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
+allow cupsd_t kernel_t:tcp_socket recvfrom;
+allow web_client_domain kernel_t:tcp_socket recvfrom;
+
+allow cupsd_t usercanread:dir { getattr read search };
+allow cupsd_t usercanread:file { read getattr };
+allow cupsd_t usercanread:lnk_file { getattr read };
+') dnl end TODO
+
+
+
+allow cupsd_t devpts_t:dir search;
+
+dontaudit cupsd_t random_device_t:chr_file ioctl;
+
+# temporary solution, we need something better
+allow cupsd_t serial_device:chr_file rw_file_perms;
+
+optional_policy(`logrotate.te',`
+ domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
+')
+
+optional_policy(`inetd.te', `
+domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
+')
+
+# for /etc/printcap
+dontaudit cupsd_t etc_t:file write;
+
+
+
+
+
+# Send to portmap.
+optional_policy(`portmap.te', `
+allow cupsd_t portmap_t:udp_socket sendto;
+allow portmap_t cupsd_t:udp_socket recvfrom;
+allow portmap_t cupsd_t:udp_socket sendto;
+allow cupsd_t portmap_t:udp_socket recvfrom;
+')
+
+
+
+
+
+#
+# Satisfy readahead
+#
+allow initrc_t cupsd_log_t:file { getattr read };
+allow cupsd_t var_t:dir { getattr read search };
+allow cupsd_t var_t:file { read getattr };
+allow cupsd_t var_t:lnk_file { getattr read };
+
+optional_policy(`samba.te', `
+# cjp: rw_dir_perms here doesnt make sense
+allow cupsd_t samba_var_t:dir rw_dir_perms;
+allow cupsd_t samba_var_t:file rw_file_perms;
+allow cupsd_t samba_var_t:lnk_file { getattr read };
+allow smbd_t cupsd_etc_t:dir search;
+')
+
+optional_policy(`pam.te', `
+dontaudit cupsd_t pam_var_run_t:file { getattr read };
+')
+dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+########################################
+#
+# PTAL local policy
+#
+
+allow ptal_t self:capability { chown sys_rawio };
+dontaudit ptal_t self:capability sys_tty_config;
+allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t self:unix_dgram_socket create_socket_perms;
+allow ptal_t self:unix_stream_socket create_stream_socket_perms;
+allow ptal_t self:tcp_socket create_stream_socket_perms;
+
+allow ptal_t ptal_etc_t:file r_file_perms;
+allow ptal_t ptal_etc_t:dir r_dir_perms;
+allow ptal_t ptal_etc_t:lnk_file { getattr read };
+files_search_etc(ptal_t)
+
+allow ptal_t ptal_var_run_t:dir create_dir_perms;
+allow ptal_t ptal_var_run_t:file create_file_perms;
+allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
+allow ptal_t ptal_var_run_t:sock_file create_file_perms;
+allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+files_create_pid(ptal_t,ptal_var_run_t,{ file lnk_file sock_file fifo_file })
+
+allow ptal_t ptal_var_run_t:file create_file_perms;
+allow ptal_t ptal_var_run_t:dir rw_dir_perms;
+files_create_pid(ptal_t,ptal_var_run_t)
+
+kernel_read_kernel_sysctl(ptal_t)
+kernel_list_proc(ptal_t)
+kernel_read_proc_symlinks(ptal_t)
+
+corenet_tcp_sendrecv_all_if(ptal_t)
+corenet_raw_sendrecv_all_if(ptal_t)
+corenet_tcp_sendrecv_all_nodes(ptal_t)
+corenet_raw_sendrecv_all_nodes(ptal_t)
+corenet_tcp_bind_all_nodes(ptal_t)
+corenet_tcp_sendrecv_all_ports(ptal_t)
+corenet_tcp_bind_ptal_port(ptal_t)
+
+dev_read_sysfs(ptal_t)
+dev_read_usbfs(ptal_t)
+dev_rw_printer(ptal_t)
+
+fs_getattr_all_fs(ptal_t)
+fs_search_auto_mountpoints(ptal_t)
+
+term_dontaudit_use_console(ptal_t)
+
+domain_use_wide_inherit_fd(ptal_t)
+
+files_read_etc_files(ptal_t)
+files_read_etc_runtime_files(ptal_t)
+
+init_use_fd(ptal_t)
+init_use_script_pty(ptal_t)
+
+libs_use_ld_so(ptal_t)
+libs_use_shared_libs(ptal_t)
+
+logging_send_syslog_msg(ptal_t)
+
+miscfiles_read_localization(ptal_t)
+
+sysnet_read_config(ptal_t)
+
+userdom_dontaudit_use_unpriv_user_fd(ptal_t)
+userdom_dontaudit_search_sysadm_home_dir(ptal_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(ptal_t)
+ term_dontaudit_use_generic_pty(ptal_t)
+ files_dontaudit_read_root_file(ptal_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(ptal_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(ptal_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(ptal_t)
+')
+') dnl end TODO
+
+
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
+
+allow initrc_t printer_device_t:chr_file getattr;
+
+dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
+
+allow initrc_t ptal_var_run_t:dir rmdir;
+allow initrc_t ptal_var_run_t:fifo_file unlink;
+
+########################################
+#
+# HPLIP local policy
+#
+
+dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:unix_dgram_socket create_socket_perms;
+allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:tcp_socket create_stream_socket_perms;
+allow hplip_t self:udp_socket create_socket_perms;
+# cjp: raw?
+allow hplip_t self:rawip_socket create_socket_perms;
+
+allow hplip_t cupsd_etc_t:dir search;
+
+allow hplip_t hplip_etc_t:file r_file_perms;
+allow hplip_t hplip_etc_t:dir r_dir_perms;
+allow hplip_t hplip_etc_t:lnk_file { getattr read };
+files_search_etc(hplip_t)
+
+allow hplip_t hplip_var_run_t:file create_file_perms;
+allow hplip_t hplip_var_run_t:dir rw_dir_perms;
+files_create_pid(hplip_t,hplip_var_run_t)
+
+kernel_read_system_state(hplip_t)
+kernel_read_kernel_sysctl(hplip_t)
+
+corenet_tcp_sendrecv_all_if(hplip_t)
+corenet_udp_sendrecv_all_if(hplip_t)
+corenet_raw_sendrecv_all_if(hplip_t)
+corenet_tcp_sendrecv_all_nodes(hplip_t)
+corenet_udp_sendrecv_all_nodes(hplip_t)
+corenet_raw_sendrecv_all_nodes(hplip_t)
+corenet_tcp_sendrecv_all_ports(hplip_t)
+corenet_udp_sendrecv_all_ports(hplip_t)
+corenet_tcp_bind_all_nodes(hplip_t)
+corenet_udp_bind_all_nodes(hplip_t)
+corenet_tcp_bind_hplip_port(hplip_t)
+corenet_tcp_connect_hplip_port(hplip_t)
+corenet_tcp_connect_ipp_port(hplip_t)
+
+dev_read_sysfs(hplip_t)
+dev_rw_printer(hplip_t)
+dev_read_urand(hplip_t)
+
+fs_getattr_all_fs(hplip_t)
+fs_search_auto_mountpoints(hplip_t)
+
+term_dontaudit_use_console(hplip_t)
+
+# for python
+corecmd_exec_bin(hplip_t)
+corecmd_search_sbin(hplip_t)
+
+domain_use_wide_inherit_fd(hplip_t)
+
+files_read_etc_files(hplip_t)
+files_read_etc_runtime_files(hplip_t)
+files_read_usr_files(hplip_t)
+
+init_use_fd(hplip_t)
+init_use_script_pty(hplip_t)
+
+libs_use_ld_so(hplip_t)
+libs_use_shared_libs(hplip_t)
+
+logging_send_syslog_msg(hplip_t)
+
+miscfiles_read_localization(hplip_t)
+
+sysnet_read_config(hplip_t)
+
+userdom_dontaudit_use_unpriv_user_fd(hplip_t)
+userdom_dontaudit_search_sysadm_home_dir(hplip_t)
+
+lpd_read_config(cupsd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(hplip_t)
+ term_dontaudit_use_generic_pty(hplip_t)
+ files_dontaudit_read_root_file(hplip_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(hplip_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(hplip_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(hplip_t)
+')
+') dnl end TODO
+
+allow hplip_t devpts_t:dir search;
+allow hplip_t devpts_t:chr_file { getattr ioctl };
+
+########################################
+#
+# Cups configuration daemon local policy
+#
+
+allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:fifo_file rw_file_perms;
+allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+
+allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
+allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
+
+# old can_ps() on cupsd_t:
+allow cupsd_config_t cupsd_t:process { signal };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+allow cupsd_config_t cupsd_t:dir { search getattr read };
+allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
+allow cupsd_config_t cupsd_t:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6). Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit cupsd_config_t cupsd_t:process ptrace;
+
+allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
+allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
+files_create_pid(cupsd_config_t,cupsd_config_var_run_t)
+
+can_exec(cupsd_config_t, cupsd_config_exec_t)
+
+allow cupsd_config_t cupsd_etc_t:dir rw_dir_perms;
+allow cupsd_config_t cupsd_etc_t:file create_file_perms;
+allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
+type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
+
+allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
+allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
+allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
+files_create_var(cupsd_config_t,cupsd_rw_etc_t)
+
+allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+
+kernel_read_system_state(cupsd_config_t)
+kernel_read_kernel_sysctl(cupsd_config_t)
+kernel_tcp_recvfrom(cupsd_config_t)
+
+corenet_tcp_sendrecv_all_if(cupsd_config_t)
+corenet_raw_sendrecv_all_if(cupsd_config_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
+corenet_raw_sendrecv_all_nodes(cupsd_config_t)
+corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+corenet_tcp_bind_all_nodes(cupsd_config_t)
+corenet_tcp_connect_all_ports(cupsd_config_t)
+
+dev_read_sysfs(cupsd_config_t)
+dev_read_urand(cupsd_config_t)
+
+fs_getattr_all_fs(cupsd_config_t)
+fs_search_auto_mountpoints(cupsd_config_t)
+
+term_dontaudit_use_console(cupsd_config_t)
+
+corecmd_exec_bin(cupsd_config_t)
+corecmd_exec_sbin(cupsd_config_t)
+corecmd_exec_shell(cupsd_config_t)
+
+domain_use_wide_inherit_fd(cupsd_config_t)
+
+files_read_usr_files(cupsd_config_t)
+
+init_use_fd(cupsd_config_t)
+init_use_script_pty(cupsd_config_t)
+
+libs_use_ld_so(cupsd_config_t)
+libs_use_shared_libs(cupsd_config_t)
+
+logging_send_syslog_msg(cupsd_config_t)
+
+miscfiles_read_localization(cupsd_config_t)
+
+seutil_dontaudit_search_config(cupsd_config_t)
+
+sysnet_read_config(cupsd_config_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t)
+userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(cupsd_config_t)
+ term_dontaudit_use_generic_pty(cupsd_config_t)
+ files_dontaudit_read_root_file(cupsd_config_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(cupsd_config_t)
+')
+
+optional_policy(`hostname.te',`
+ hostname_exec(cupsd_config_t)
+')
+
+optional_policy(`logrotate.te',`
+ logrotate_use_fd(cupsd_config_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(cupsd_config_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cupsd_config_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(cupsd_config_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cupsd_config_t)
+')
+') dnl end TODO
+
+allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
+
+ifdef(`distro_redhat', `
+ optional_policy(`rpm.te',`
+ allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
+ allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+ ')
+ allow cupsd_config_t initrc_exec_t:file getattr;
+')
+
+allow cupsd_config_t var_t:lnk_file read;
+
+optional_policy(`dbus.te',`
+ dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
+ dbus_connect_system_bus(cupsd_config_t)
+ dbus_send_system_bus_msg(cupsd_config_t)
+
+ allow cupsd_config_t userdomain:dbus send_msg;
+ allow userdomain cupsd_config_t:dbus send_msg;
+')
+
+optional_policy(`hal.te', `
+ optional_policy(`dbus.te', `
+ allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
+ allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
+ ')
+
+ allow hald_t cupsd_config_t:process signal;
+ domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
+')
+
+# killall causes the following
+dontaudit cupsd_config_t domain:dir { getattr search };
+
+allow cupsd_config_t var_lib_t:dir { getattr search };
+allow cupsd_config_t rpm_var_lib_t:file { getattr read };
+allow cupsd_config_t printconf_t:file { getattr read };
+
+allow cupsd_config_t system_crond_t:fd use;
+allow cupsd_config_t crond_t:fifo_file r_file_perms;
+allow cupsd_t crond_t:fifo_file read;
+allow cupsd_t crond_t:fd use;
+
+# Alternatives asks for this
+allow cupsd_config_t initrc_exec_t:file getattr;
+
+ifdef(`targeted_policy', `
+ allow cupsd_t initrc_t:unix_stream_socket connectto;
+ allow cupsd_t initrc_t:dbus send_msg;
+ allow initrc_t cupsd_t:dbus send_msg;
+ allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+ allow unconfined_t cupsd_config_t:dbus send_msg;
+ allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+')
+
+########################################
+#
+# Cups lpd support
+#
+
+allow cupsd_lpd_t self:process signal_perms;
+allow cupsd_lpd_t self:fifo_file rw_file_perms;
+allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
+
+# for identd
+# cjp: this should probably only be inetd_child rules?
+allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow cupsd_lpd_t self:capability { setuid setgid };
+files_search_home(cupsd_lpd_t)
+optional_policy(`kerberos.te',`
+ kerberos_use(cupsd_lpd_t)
+')
+#end for identd
+
+allow cupsd_lpd_t cupsd_etc_t:dir { getattr read search };
+allow cupsd_lpd_t cupsd_etc_t:file { read getattr };
+allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
+
+allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
+allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
+files_create_tmp_files(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+
+allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
+allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
+files_create_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
+
+allow cupsd_lpd_t cupsd_rw_etc_t:dir { getattr read search };
+allow cupsd_lpd_t cupsd_rw_etc_t:file { read getattr };
+allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
+
+kernel_read_kernel_sysctl(cupsd_lpd_t)
+kernel_read_system_state(cupsd_lpd_t)
+kernel_read_network_state(cupsd_lpd_t)
+
+corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
+corenet_udp_sendrecv_all_if(cupsd_lpd_t)
+corenet_raw_sendrecv_all_if(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
+corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
+corenet_raw_sendrecv_all_nodes(cupsd_lpd_t)
+corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+corenet_tcp_bind_all_nodes(cupsd_lpd_t)
+corenet_udp_bind_all_nodes(cupsd_lpd_t)
+corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+
+dev_read_urand(cupsd_lpd_t)
+
+fs_getattr_xattr_fs(cupsd_lpd_t)
+
+files_read_etc_files(cupsd_lpd_t)
+
+libs_use_ld_so(cupsd_lpd_t)
+libs_use_shared_libs(cupsd_lpd_t)
+
+logging_send_syslog_msg(cupsd_lpd_t)
+
+miscfiles_read_localization(cupsd_lpd_t)
+
+sysnet_read_config(cupsd_lpd_t)
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(cupsd_lpd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(cupsd_lpd_t)
+')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 12292ac..f7245dd 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -81,6 +81,7 @@ corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
+corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rsh_port(inetd_t)
 corenet_tcp_bind_rsync_port(inetd_t)
 corenet_udp_bind_rsync_port(inetd_t)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 05b956a..05b92f4 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
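Review bot: `allow cupsd_config_t rpm_var_lib_t:file { getattr read };` near the end of the cupsd_config_t section repeats, unconditionally, the rule already granted inside the `ifdef(`distro_redhat',` / `optional_policy(`rpm.te',` block above it, which appears to defeat the optional wrapper and leaves the module naming rpm_var_lib_t even where no rpm module declares it; the later `# Alternatives asks for this` / `allow cupsd_config_t initrc_exec_t:file getattr;` likewise duplicates a line from that same ifdef. In the PTAL section, `allow ptal_t ptal_var_run_t:file create_file_perms;`, `allow ptal_t ptal_var_run_t:dir rw_dir_perms;` and `files_create_pid(ptal_t,ptal_var_run_t)` are a strict subset of the `files_create_pid(ptal_t,ptal_var_run_t,{ file lnk_file sock_file fifo_file })` block immediately before them and can be dropped, and `lpd_read_config(cupsd_t)` sits in the HPLIP section rather than beside `lpd_manage_spool(cupsd_t)` in the cupsd_t section. The comment `# /usr/lib/cups/backend/serial needs sys_admin(?!)` above the cupsd_t capability set records doubt rather than a reason; since that set also includes dac_override, dac_read_search and chown, a comment naming the operation each non-obvious capability exists for would let a later reviewer narrow the list with confidence.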
@@ -65,6 +65,26 @@ interface(`lpd_list_spool',` ######################################## ## +## Create, read, write, and delete printer spool files. +## +## +## Domain allowed access. +## +# +interface(`lpd_manage_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + + # cjp: cups wants setattr + allow $1 print_spool_t:dir { rw_dir_perms setattr }; + allow $1 print_spool_t:file manage_file_perms; +') + +######################################## +## ## List the contents of the printer spool directories. ## ## diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 26ac53e..14f0d27 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -551,7 +551,7 @@ interface(`mta_manage_queue',` ####################################### ## ## Read sendmail binary. -## +## ## ## Domain allowed access. ## diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc index b8c3956..f8eac62 100644 --- a/refpolicy/policy/modules/system/corecommands.fc +++ b/refpolicy/policy/modules/system/corecommands.fc @@ -79,6 +79,8 @@ ifdef(`distro_suse', ` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc index de07dd9..bddc00d 100644 --- a/refpolicy/policy/modules/system/files.fc +++ b/refpolicy/policy/modules/system/files.fc 
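Review bot: Labelling `/usr/lib(64)?/cups/filter/.*` and `/usr/lib(64)?/cups/cgi-bin/.*` as bin_t means cupsd_t executes them in its own domain via `corecmd_exec_bin(cupsd_t)` rather than through a domain transition, so the filters (the job-processing programs, per cups.te's own `# Filter scripts may be shell scripts…` comment) and the web-interface CGIs inherit the entire cupsd_t rule set, capability line included, with no policy boundary between them and the daemon. That may well be the intended trade-off at this stage, but it should be recorded where the next reader looks: a comment above these two lines such as `# cups filters and CGIs run in cupsd_t itself (cups.te: corecmd_exec_bin); no separate filter domain yet` would keep the decision visible, and the corresponding cups.te comment could say the same. The hunk header shows an enclosing `ifdef(`distro_suse', `` that starts outside the hunk, so confirm the new lines land outside that block rather than inside the SUSE-only section.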
@@ -40,6 +40,8 @@ ifdef(`distro_redhat',` /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) + /etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0) ifdef(`distro_suse',` /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
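Review bot: `/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)` is the one /etc/cups path labelled etc_t while cups.fc labels the rest of that directory cupsd_etc_t, so this entry is a deliberate exception that only holds because the longer path beats `/etc/cups(/.*)?`, and nothing in either file says why. A comment would preserve the reasoning, e.g. `# client.conf is read by every printing client, so it stays generic etc_t rather than cupsd_etc_t` (presumably the intent; confirm), and placing it next to cups.fc's `/etc/cups(/.*)?` entry in a comment there would stop someone "fixing" the apparent inconsistency later.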