diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 44edee7..5257aec 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -702,6 +702,25 @@ interface(`dev_manage_all_chr_files',`
########################################
##
+## Read and write the agp devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_agp_dev',`
+ gen_require(`
+ type device_t, agp_device_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 agp_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
## Get the attributes of the apm bios device node.
##
##
@@ -795,1005 +814,910 @@ interface(`dev_rw_apm_bios',`
########################################
##
-## Read raw memory devices (e.g. /dev/mem).
+## Read the CPU identity.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_raw_memory',`
+interface(`dev_read_cpuid',`
gen_require(`
- type device_t, memory_device_t;
- attribute memory_raw_read;
+ type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
- class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file r_file_perms;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_read;
+ allow $1 cpu_device_t:chr_file r_file_perms;
')
########################################
##
-## Write raw memory devices (e.g. /dev/mem).
+## Read and write the the CPU microcode device. This
+## is required to load CPU microcode.
##
##
## Domain allowed access.
##
#
-interface(`dev_write_raw_memory',`
+interface(`dev_rw_cpu_microcode',`
gen_require(`
- type device_t, memory_device_t;
- attribute memory_raw_write;
+ type device_t, cpu_device_t;
class dir r_dir_perms;
- class chr_file write;
- class capability sys_rawio;
+ class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file write;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_write;
+ allow $1 cpu_device_t:chr_file rw_file_perms;
')
########################################
##
-## Read and execute raw memory devices (e.g. /dev/mem).
+## Getattr the agp devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_rx_raw_memory',`
+interface(`dev_getattr_agp_dev',`
gen_require(`
- type device_t, memory_device_t;
- class chr_file execute;
+ type device_t, dri_device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
')
- dev_read_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file getattr;
')
########################################
##
-## Write and execute raw memory devices (e.g. /dev/mem).
+## Read and write the dri devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_wx_raw_memory',`
+interface(`dev_rw_dri_dev',`
gen_require(`
- type device_t, memory_device_t;
- class chr_file execute;
+ type device_t, dri_device_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
')
- dev_write_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 dri_device_t:chr_file rw_file_perms;
')
########################################
##
-## Read from random devices (e.g., /dev/random)
+## Dontaudit read and write on the dri devices.
##
##
-## Domain allowed access.
+## Domain to dontaudit access.
##
#
-interface(`dev_read_rand',`
+interface(`dev_dontaudit_rw_dri_dev',`
gen_require(`
- type device_t, random_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
+ type dri_device_t;
+ class chr_file { getattr read write ioctl };
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file r_file_perms;
+ dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
')
########################################
##
-## Read from pseudo random devices (e.g., /dev/urandom)
+## Read input event devices (/dev/input).
##
##
## Domain allowed access.
##
#
-interface(`dev_read_urand',`
+interface(`dev_read_input',`
gen_require(`
- type device_t, urandom_device_t;
+ type device_t, event_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file r_file_perms;
+ allow $1 event_device_t:chr_file r_file_perms;
')
########################################
##
-## Write to the random device (e.g., /dev/random). This adds
-## entropy used to generate the random data read from the
-## random device.
+## Get the attributes of the framebuffer device node.
##
##
## Domain allowed access.
##
#
-interface(`dev_write_rand',`
+interface(`dev_getattr_framebuffer',`
gen_require(`
- type device_t, random_device_t;
+ type device_t, framebuf_device_t;
class dir r_dir_perms;
- class chr_file { getattr write ioctl };
+ class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file { getattr write ioctl };
+ allow $1 framebuf_device_t:chr_file getattr;
')
########################################
##
-## Write to the pseudo random device (e.g., /dev/urandom). This
-## sets the random number generator seed.
+## Set the attributes of the framebuffer device node.
##
##
## Domain allowed access.
##
#
-interface(`dev_write_urand',`
+interface(`dev_setattr_framebuffer',`
gen_require(`
- type device_t, urandom_device_t;
+ type device_t, framebuf_device_t;
class dir r_dir_perms;
- class chr_file { getattr write ioctl };
+ class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file { getattr write ioctl };
+ allow $1 framebuf_device_t:chr_file setattr;
')
########################################
##
-## Read and write to the null device (/dev/null).
+## Dot not audit attempts to set the attributes
+## of the framebuffer device node.
##
##
-## Domain allowed access.
+## Domain to not audit.
##
#
-interface(`dev_rw_null_dev',`
+interface(`dev_dontaudit_setattr_framebuffer',`
gen_require(`
- type device_t, null_device_t;
- class device_t:dir r_dir_perms;
- class chr_file rw_file_perms;
+ type framebuf_device_t;
+ class chr_file setattr;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 null_device_t:chr_file rw_file_perms;
+ dontaudit $1 framebuf_device_t:chr_file setattr;
')
########################################
##
-## Read and write to the zero device (/dev/zero).
+## Read the framebuffer.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_zero_dev',`
+interface(`dev_read_framebuffer',`
gen_require(`
- type device_t, zero_device_t;
- class device_t:dir r_dir_perms;
+ type framebuf_device_t;
+ class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 zero_device_t:chr_file rw_file_perms;
+ allow $1 framebuf_device_t:chr_file r_file_perms;
')
########################################
##
-## Read, write, and execute the zero device (/dev/zero).
+## Do not audit attempts to read the framebuffer.
##
##
## Domain allowed access.
##
#
-interface(`dev_rwx_zero_dev',`
+interface(`dev_dontaudit_read_framebuffer',`
gen_require(`
- type zero_device_t;
- class chr_file execute;
+ type framebuf_device_t;
+ class chr_file r_file_perms;
')
- dev_rw_zero_dev($1)
- allow $1 zero_device_t:chr_file execute;
+ dontaudit $1 framebuf_device_t:chr_file { getattr read };
')
########################################
##
-## Read the realtime clock (/dev/rtc).
+## Write the framebuffer.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_realtime_clock',`
+interface(`dev_write_framebuffer',`
gen_require(`
- type device_t, clock_device_t;
+ type device_t, framebuf_device_t;
class dir r_dir_perms;
- class chr_file r_file_perms;
+ class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file r_file_perms;
+ allow $1 framebuf_device_t:chr_file { getattr write ioctl };
')
########################################
##
-## Read the realtime clock (/dev/rtc).
+## Read the lvm comtrol device.
##
##
## Domain allowed access.
##
#
-interface(`dev_write_realtime_clock',`
+interface(`dev_read_lvm_control',`
gen_require(`
- type device_t, clock_device_t;
+ type device_t, lvm_control_t;
class dir r_dir_perms;
- class chr_file { setattr lock write append ioctl };
+ class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
-')
-
-########################################
-##
-## Read the realtime clock (/dev/rtc).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rw_realtime_clock',`
- dev_read_realtime_clock($1)
- dev_write_realtime_clock($1)
+ allow $1 lvm_control_t:chr_file r_file_perms;
')
########################################
##
-## Get the attributes of the sound devices.
+## Read and write the lvm control device.
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_snd_dev',`
+interface(`dev_rw_lvm_control',`
gen_require(`
- type device_t, sound_device_t;
+ type device_t, lvm_control_t;
class dir r_dir_perms;
- class chr_file getattr;
+ class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file getattr;
+ allow $1 lvm_control_t:chr_file rw_file_perms;
')
########################################
##
-## Set the attributes of the sound devices.
+## Delete the lvm control device.
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_snd_dev',`
+interface(`dev_delete_lvm_control',`
gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
+ type device_t, lvm_control_t;
+ class dir { getattr search read write remove_name };
+ class chr_file unlink;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file setattr;
+ allow $1 device_t:dir { getattr search read write remove_name };
+ allow $1 lvm_control_t:chr_file unlink;
')
########################################
##
-## Read the sound devices.
+## Read raw memory devices (e.g. /dev/mem).
##
##
## Domain allowed access.
##
#
-interface(`dev_read_snd_dev',`
+interface(`dev_read_raw_memory',`
gen_require(`
- type device_t, sound_device_t;
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
class dir r_dir_perms;
class chr_file r_file_perms;
+ class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file r_file_perms;
+ allow $1 memory_device_t:chr_file r_file_perms;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_read;
')
########################################
##
-## Write the sound devices.
+## Write raw memory devices (e.g. /dev/mem).
##
##
## Domain allowed access.
##
#
-interface(`dev_write_snd_dev',`
+interface(`dev_write_raw_memory',`
gen_require(`
- type device_t, sound_device_t;
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
class dir r_dir_perms;
- class chr_file { getattr write ioctl };
+ class chr_file write;
+ class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
+ allow $1 memory_device_t:chr_file write;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_write;
')
########################################
##
-## Read the sound mixer devices.
+## Read and execute raw memory devices (e.g. /dev/mem).
##
##
## Domain allowed access.
##
#
-interface(`dev_read_snd_mixer_dev',`
+interface(`dev_rx_raw_memory',`
gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr read ioctl };
+ type device_t, memory_device_t;
+ class chr_file execute;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr read ioctl };
+ dev_read_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
')
########################################
##
-## Write the sound mixer devices.
+## Write and execute raw memory devices (e.g. /dev/mem).
##
##
## Domain allowed access.
##
#
-interface(`dev_write_snd_mixer_dev',`
+interface(`dev_wx_raw_memory',`
gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
+ type device_t, memory_device_t;
+ class chr_file execute;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
+ dev_write_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
')
########################################
##
-## Read and write the agp devices.
+## Get the attributes of miscellaneous devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_agp_dev',`
+interface(`dev_getattr_misc',`
gen_require(`
- type device_t, agp_device_t;
+ type device_t, misc_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 agp_device_t:chr_file rw_file_perms;
+ allow $1 misc_device_t:chr_file getattr;
')
########################################
##
-## Getattr the agp devices.
+## Do not audit attempts to get the attributes
+## of miscellaneous devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_agp_dev',`
+interface(`dev_dontaudit_getattr_misc',`
gen_require(`
- type device_t, dri_device_t;
- class dir r_dir_perms;
+ type misc_device_t;
class chr_file getattr;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file getattr;
+ dontaudit $1 misc_device_t:chr_file getattr;
')
########################################
##
-## Read and write the dri devices.
+## Set the attributes of miscellaneous devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_dri_dev',`
+interface(`dev_setattr_misc',`
gen_require(`
- type device_t, dri_device_t;
+ type device_t, misc_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file rw_file_perms;
+ allow $1 misc_device_t:chr_file setattr;
')
########################################
##
-## Dontaudit read and write on the dri devices.
+## Do not audit attempts to set the attributes
+## of miscellaneous devices.
##
##
-## Domain to dontaudit access.
+## Domain allowed access.
##
#
-interface(`dev_dontaudit_rw_dri_dev',`
+interface(`dev_dontaudit_setattr_misc',`
gen_require(`
- type dri_device_t;
- class chr_file { getattr read write ioctl };
+ type misc_device_t;
+ class chr_file setattr;
')
- dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+ dontaudit $1 misc_device_t:chr_file setattr;
')
########################################
##
-## Read the mtrr device.
+## Read miscellaneous devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_mtrr',`
+interface(`dev_read_misc',`
gen_require(`
- type device_t, mtrr_device_t;
+ type device_t, misc_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file r_file_perms;
+ allow $1 misc_device_t:chr_file r_file_perms;
')
########################################
##
-## Write the mtrr device.
+## Write miscellaneous devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_write_mtrr',`
+interface(`dev_write_misc',`
gen_require(`
- type device_t, mtrr_device_t;
+ type device_t, misc_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+ allow $1 misc_device_t:chr_file { getattr write ioctl };
')
########################################
##
-## Get the attributes of the framebuffer device node.
+## Get the attributes of the mouse devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_framebuffer',`
+interface(`dev_getattr_mouse',`
gen_require(`
- type device_t, framebuf_device_t;
+ type device_t, mouse_device_t;
class dir r_dir_perms;
class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file getattr;
+ allow $1 mouse_device_t:chr_file getattr;
')
########################################
##
-## Set the attributes of the framebuffer device node.
+## Set the attributes of the mouse devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_framebuffer',`
+interface(`dev_setattr_mouse',`
gen_require(`
- type device_t, framebuf_device_t;
+ type device_t, mouse_device_t;
class dir r_dir_perms;
class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file setattr;
-')
-
-########################################
-##
-## Dot not audit attempts to set the attributes
-## of the framebuffer device node.
-##
-##
-## Domain to not audit.
-##
-#
-interface(`dev_dontaudit_setattr_framebuffer',`
- gen_require(`
- type framebuf_device_t;
- class chr_file setattr;
- ')
-
- dontaudit $1 framebuf_device_t:chr_file setattr;
+ allow $1 mouse_device_t:chr_file setattr;
')
########################################
##
-## Read the framebuffer.
+## Read the mouse devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_framebuffer',`
+interface(`dev_read_mouse',`
gen_require(`
- type framebuf_device_t;
+ type device_t, mouse_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file r_file_perms;
-')
-
-########################################
-##
-## Do not audit attempts to read the framebuffer.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_dontaudit_read_framebuffer',`
- gen_require(`
- type framebuf_device_t;
- class chr_file r_file_perms;
- ')
-
- dontaudit $1 framebuf_device_t:chr_file { getattr read };
-')
-
-########################################
-##
-## Write the framebuffer.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_framebuffer',`
- gen_require(`
- type device_t, framebuf_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+ allow $1 mouse_device_t:chr_file r_file_perms;
')
########################################
##
-## Read the lvm comtrol device.
+## Read the mtrr device.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_lvm_control',`
+interface(`dev_read_mtrr',`
gen_require(`
- type device_t, lvm_control_t;
+ type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 lvm_control_t:chr_file r_file_perms;
+ allow $1 mtrr_device_t:chr_file r_file_perms;
')
########################################
##
-## Read and write the lvm control device.
+## Write the mtrr device.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_lvm_control',`
+interface(`dev_write_mtrr',`
gen_require(`
- type device_t, lvm_control_t;
+ type device_t, mtrr_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 lvm_control_t:chr_file rw_file_perms;
-')
-
-########################################
-##
-## Delete the lvm control device.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_delete_lvm_control',`
- gen_require(`
- type device_t, lvm_control_t;
- class dir { getattr search read write remove_name };
- class chr_file unlink;
- ')
-
- allow $1 device_t:dir { getattr search read write remove_name };
- allow $1 lvm_control_t:chr_file unlink;
+ allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
########################################
##
-## Get the attributes of miscellaneous devices.
+## Read and write to the null device (/dev/null).
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_misc',`
+interface(`dev_rw_null_dev',`
gen_require(`
- type device_t, misc_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
+ type device_t, null_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file getattr;
+ allow $1 null_device_t:chr_file rw_file_perms;
')
########################################
##
-## Do not audit attempts to get the attributes
-## of miscellaneous devices.
+## Set the attributes of the printer device nodes.
##
##
## Domain allowed access.
##
#
-interface(`dev_dontaudit_getattr_misc',`
+interface(`dev_setattr_printer',`
gen_require(`
- type misc_device_t;
- class chr_file getattr;
+ type device_t, printer_device_t;
+ class dir search;
+ class chr_file setattr;
')
- dontaudit $1 misc_device_t:chr_file getattr;
+ allow $1 device_t:dir search;
+ allow $1 printer_device_t:chr_file setattr;
')
########################################
##
-## Set the attributes of miscellaneous devices.
+## Read from random devices (e.g., /dev/random)
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_misc',`
+interface(`dev_read_rand',`
gen_require(`
- type device_t, misc_device_t;
+ type device_t, random_device_t;
class dir r_dir_perms;
- class chr_file setattr;
+ class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file setattr;
+ allow $1 random_device_t:chr_file r_file_perms;
')
########################################
##
-## Do not audit attempts to set the attributes
-## of miscellaneous devices.
+## Write to the random device (e.g., /dev/random). This adds
+## entropy used to generate the random data read from the
+## random device.
##
##
## Domain allowed access.
##
#
-interface(`dev_dontaudit_setattr_misc',`
+interface(`dev_write_rand',`
gen_require(`
- type misc_device_t;
- class chr_file setattr;
+ type device_t, random_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
')
- dontaudit $1 misc_device_t:chr_file setattr;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 random_device_t:chr_file { getattr write ioctl };
')
########################################
##
-## Read miscellaneous devices.
+## Read the realtime clock (/dev/rtc).
##
##
## Domain allowed access.
##
#
-interface(`dev_read_misc',`
+interface(`dev_read_realtime_clock',`
gen_require(`
- type device_t, misc_device_t;
+ type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file r_file_perms;
+ allow $1 clock_device_t:chr_file r_file_perms;
')
########################################
##
-## Write miscellaneous devices.
+## Set the realtime clock (/dev/rtc).
##
##
## Domain allowed access.
##
#
-interface(`dev_write_misc',`
+interface(`dev_write_realtime_clock',`
gen_require(`
- type device_t, misc_device_t;
+ type device_t, clock_device_t;
class dir r_dir_perms;
- class chr_file { getattr write ioctl };
+ class chr_file { setattr lock write append ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file { getattr write ioctl };
+ allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
########################################
##
-## Get the attributes of the mouse devices.
+## Read and set the realtime clock (/dev/rtc).
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_mouse',`
- gen_require(`
- type device_t, mouse_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file getattr;
+interface(`dev_rw_realtime_clock',`
+ dev_read_realtime_clock($1)
+ dev_write_realtime_clock($1)
')
########################################
##
-## Set the attributes of the mouse devices.
+## Get the attributes of the scanner device.
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_mouse',`
+interface(`dev_getattr_scanner',`
gen_require(`
- type device_t, mouse_device_t;
+ type device_t, scanner_device_t;
class dir r_dir_perms;
- class chr_file setattr;
+ class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file setattr;
+ allow $1 scanner_device_t:chr_file getattr;
')
########################################
##
-## Read the mouse devices.
+## Do not audit attempts to get the attributes of
+## the scanner device.
##
##
-## Domain allowed access.
+## Domain to not audit.
##
#
-interface(`dev_read_mouse',`
+interface(`dev_dontaudit_getattr_scanner',`
gen_require(`
- type device_t, mouse_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
+ type scanner_device_t;
+ class chr_file getattr;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file r_file_perms;
+ dontaudit $1 scanner_device_t:chr_file getattr;
')
########################################
##
-## Set the attributes of the printer device nodes.
+## Set the attributes of the scanner device.
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_printer',`
+interface(`dev_setattr_scanner',`
gen_require(`
- type device_t, printer_device_t;
- class dir search;
- class chr_file setattr;
+ type device_t, scanner_device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
')
- allow $1 device_t:dir search;
- allow $1 printer_device_t:chr_file setattr;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 scanner_device_t:chr_file setattr;
')
########################################
##
-## Read input event devices (/dev/input).
+## Do not audit attempts to set the attributes of
+## the scanner device.
##
##
-## Domain allowed access.
+## Domain to not audit.
##
#
-interface(`dev_read_input',`
+interface(`dev_dontaudit_setattr_scanner',`
gen_require(`
- type device_t, event_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
+ type scanner_device_t;
+ class chr_file getattr;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 event_device_t:chr_file r_file_perms;
+ dontaudit $1 scanner_device_t:chr_file setattr;
')
########################################
##
-## Read the multiplexed input device (/dev/input).
+## Read and write the scanner device.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_cpuid',`
+interface(`dev_rw_scanner',`
gen_require(`
- type device_t, cpu_device_t;
+ type device_t, scanner_device_t;
class dir r_dir_perms;
- class chr_file r_file_perms;
+ class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file r_file_perms;
+ allow $1 scanner_device_t:chr_file rw_file_perms;
')
########################################
##
-## Read and write the the cpu microcode device. This
-## is required to load cpu microcode.
+## Get the attributes of the sound devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_cpu_microcode',`
+interface(`dev_getattr_snd_dev',`
gen_require(`
- type device_t, cpu_device_t;
+ type device_t, sound_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file rw_file_perms;
+ allow $1 sound_device_t:chr_file getattr;
')
########################################
##
-## Get the attributes of the scanner device.
+## Set the attributes of the sound devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_getattr_scanner',`
+interface(`dev_setattr_snd_dev',`
gen_require(`
- type device_t, scanner_device_t;
+ type device_t, sound_device_t;
class dir r_dir_perms;
- class chr_file getattr;
+ class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file getattr;
+ allow $1 sound_device_t:chr_file setattr;
')
########################################
##
-## Do not audit attempts to get the attributes of
-## the scanner device.
+## Read the sound devices.
##
##
-## Domain to not audit.
+## Domain allowed access.
##
#
-interface(`dev_dontaudit_getattr_scanner',`
+interface(`dev_read_snd_dev',`
gen_require(`
- type scanner_device_t;
- class chr_file getattr;
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
')
- dontaudit $1 scanner_device_t:chr_file getattr;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file r_file_perms;
')
########################################
##
-## Set the attributes of the scanner device.
+## Write the sound devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_setattr_scanner',`
+interface(`dev_write_snd_dev',`
gen_require(`
- type device_t, scanner_device_t;
+ type device_t, sound_device_t;
class dir r_dir_perms;
- class chr_file getattr;
+ class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file setattr;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
##
-## Do not audit attempts to set the attributes of
-## the scanner device.
+## Read the sound mixer devices.
##
##
-## Domain to not audit.
+## Domain allowed access.
##
#
-interface(`dev_dontaudit_setattr_scanner',`
+interface(`dev_read_snd_mixer_dev',`
gen_require(`
- type scanner_device_t;
- class chr_file getattr;
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr read ioctl };
')
- dontaudit $1 scanner_device_t:chr_file setattr;
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr read ioctl };
')
########################################
##
-## Read and write the scanner device.
+## Write the sound mixer devices.
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_scanner',`
+interface(`dev_write_snd_mixer_dev',`
gen_require(`
- type device_t, scanner_device_t;
+ type device_t, sound_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file rw_file_perms;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
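Review bot: `dev_getattr_agp_dev` on the new side requires and grants getattr on `dri_device_t` rather than `agp_device_t`, so a domain asking for AGP attribute access is actually given a permission on the DRI nodes; the two lines should read `type device_t, agp_device_t;` and `allow $1 agp_device_t:chr_file getattr;`. The same require/use mismatch shows up in `dev_setattr_scanner` and `dev_dontaudit_setattr_scanner`, whose `gen_require` lists `class chr_file getattr;` while the rule uses `setattr`, and in `dev_read_framebuffer`, which allows on `device_t:dir` without listing `device_t` in its `gen_require`; whether these fail the build likely depends on how the module is compiled, but they are wrong as written and would be caught by a require-vs-rule check. `dev_rw_null_dev` carries a malformed `class device_t:dir r_dir_perms;` require line, as does `dev_rw_zero_dev` in the last hunk of this file, which additionally requires `r_file_perms` while allowing `rw_file_perms`. All of these are pre-existing and simply carried through the alphabetical reorder, so they belong in a follow-up rather than this commit; the doubled "the the" in the microcode description and "comtrol" in the lvm one could be cleaned up in the same pass.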
@@ -1964,6 +1888,45 @@ interface(`dev_rw_sysfs',`
########################################
##
+## Read from pseudo random devices (e.g., /dev/urandom)
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 urandom_device_t:chr_file r_file_perms;
+')
+
+########################################
+##
+## Write to the pseudo random device (e.g., /dev/urandom). This
+## sets the random number generator seed.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 urandom_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+##
## Mount a usbfs filesystem.
##
##
@@ -2152,6 +2115,43 @@ interface(`dev_dontaudit_setattr_video_dev',`
########################################
##
+## Read and write to the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_zero_dev',`
+ gen_require(`
+ type device_t, zero_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 zero_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
+## Read, write, and execute the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rwx_zero_dev',`
+ gen_require(`
+ type zero_device_t;
+ class chr_file execute;
+ ')
+
+ dev_rw_zero_dev($1)
+ allow $1 zero_device_t:chr_file execute;
+')
+
+########################################
+##
## Unconfined access to devices.
##
##