diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 1b72daa1..6bab252a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -407,7 +407,7 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
 ########################################
 ##
-## Allow read, write, and create for generic character device files.
+## Create generic block device files.
 ##
 ##
 ##
@@ -415,12 +415,30 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
 ##
 ##
 #
-interface(`dev_create_generic_chr_files',`
+interface(`dev_create_generic_blk_files',`
 gen_require(`
 type device_t;
 ')
- create_chr_files_pattern($1, device_t, device_t)
+ create_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+##
+## Delete generic block device files.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_delete_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_blk_files_pattern($1, device_t, device_t)
 ')
 ########################################
@@ -495,6 +513,42 @@ interface(`dev_rw_generic_chr_files',`
 allow $1 device_t:chr_file rw_chr_file_perms;
 ')
+########################################
+##
+## Create generic character device files.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ create_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+##
+## Delete generic character device files.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_delete_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ##
 ## Do not audit attempts to set the attributes
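Review bot: The summary `##	Create generic block device files.` on the renamed `dev_create_generic_blk_files` interface describes only the blk_file side of what `create_blk_files_pattern($1, device_t, device_t)` hands out; as I read refpolicy's support macros, that pattern also allows the caller to add entries to `device_t` directories, and `delete_blk_files_pattern` the corresponding removal, which is exactly the kind of reach a policy reader auditing an interface wants stated up front. Suggest `##	Create generic block device files (also grants adding entries to device_t directories).` and the parallel phrasing on `dev_delete_generic_blk_files` here and on the two chr interfaces added in the next hunk, which use the same patterns. The previous summary, `Allow read, write, and create`, overstated the old body, so the correction in the preceding hunk goes in the right direction; this just carries it one step further.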
@@ -709,6 +763,33 @@ interface(`dev_filetrans',`
 files_associate_tmp($2)
 ')
+########################################
+##
+## Create, read, and write device nodes. The node
+## will be transitioned to the type provided. This is
+## a temporary interface until devtmpfs functionality
+## fixed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+##
+##
+#
+interface(`dev_tmpfs_filetrans_dev',`
+ gen_require(`
+ type device_t;
+ ')
+
+ fs_tmpfs_filetrans($1, device_t, $2)
+')
+
 ########################################
 ##
 ## Getattr on all block file device nodes.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 1586fbb0..72311a4e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.3)
+policy_module(devices, 1.9.4)
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3ef6a622..1923f55d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.11.3)
+policy_module(kernel, 1.11.4)
 ########################################
 #
@@ -248,6 +248,15 @@ corenet_send_all_packets(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
+# devtmpfs handling:
+dev_create_generic_dirs(kernel_t)
+dev_delete_generic_dirs(kernel_t)
+dev_create_generic_blk_files(kernel_t)
+dev_delete_generic_blk_files(kernel_t)
+dev_create_generic_chr_files(kernel_t)
+dev_delete_generic_chr_files(kernel_t)
+# work around until devtmpfs has device_t type
+dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
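Review bot: The summary on `dev_tmpfs_filetrans_dev` does not state the scope of the transition it installs: `fs_tmpfs_filetrans($1, device_t, $2)` presumably keys the type transition on the generic tmpfs type rather than on anything devtmpfs-specific, so directories and device nodes that $1 creates on any tmpfs it can write to come out labelled `device_t`, a wider default than the devtmpfs motivation in the summary suggests and what the kernel.te hunk below relies on with `{ dir blk_file chr_file }`. Suggest adding `##	The transition applies on every tmpfs mount, not only devtmpfs.` beneath the summary so a reader of the interface sees the actual reach. Two wording fixes in the same doc block: `until devtmpfs functionality fixed` is missing its verb (`until devtmpfs functionality is fixed`), and the object_class text `for which this the transition will occur` should read `for which the transition will occur`.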