diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b34146e8..c566b7f9 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.3.1)
+policy_module(netutils,1.3.2)
 ########################################
 #
@@ -65,6 +65,8 @@ corenet_tcp_connect_all_ports(netutils_t)
 corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
+dev_read_sysfs(netutils_t)
+
 fs_getattr_xattr_fs(netutils_t)
 domain_use_interactive_fds(netutils_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fc2e6c88..cbbd523c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2501,6 +2501,25 @@ interface(`dev_list_sysfs',`
 list_dirs_pattern($1,sysfs_t,sysfs_t)
 ')
+########################################
+##
+## Write in a sysfs directories.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir write;
+')
+
 ########################################
 ##
 ## Allow caller to read hardware state information.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index ff6b4ce6..1e04a53b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.3.1)
+policy_module(devices,1.3.2)
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 28577691..172ce142 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
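Review bot: The summary `## Write in a sysfs directories.` is ungrammatical and the `# cjp: added for cpuspeed` line records who added the interface rather than what its consumer needs; suggest `## Write to sysfs directories.` and replacing the attribution with a comment naming the sysfs directory write that the cpuspeed domain requires. The body grants only `allow $1 sysfs_t:dir write;` with no `add_name`/`remove_name`, so a caller still cannot create or unlink entries through this interface; that limit is worth stating in the summary so nobody reaches for it expecting directory management. The same doc wording point applies to the new `fs_read_dos_files` interface in filesystem.if, whose parameter text ("Domain allowed access.") differs from the wording used here for the identical parameter.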
@@ -1094,6 +1094,24 @@ interface(`fs_relabelfrom_dos_fs',`
 allow $1 dosfs_t:filesystem relabelfrom;
 ')
+########################################
+##
+## Read files on a DOS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ read_files_pattern($1,dosfs_t,dosfs_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete files
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 33f34470..be1b0e6b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.5.1)
+policy_module(filesystem,1.5.2)
 ########################################
 #
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 5f1d353c..ff4e2697 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -42,7 +42,8 @@ ifdef(`distro_redhat', `
 /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
-/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 71aff40e..983ed547 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage,1.2.0)
+policy_module(storage,1.2.1)
 ########################################
 #
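Review bot: `/dev/ub[a-z][^/]+` no longer matches the bare whole-disk node such as `/dev/uba`, which the replaced `/dev/ub[a-z]` did, because `+` requires at least one trailing character; the `/dev/ubd[^/]*` and `/dev/xvd[^/]*` entries directly below use `*` and so cover both the bare node and its partitions. Unless the whole-disk node is deliberately left to whatever catch-all entry labels the rest of /dev, change it to `/dev/ub[a-z][^/]* -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)`. The new `/dev/tw[a-z][^/]+` entry presumably targets controller nodes that always carry a suffix, but the same `+`-versus-`*` question applies if a bare `/dev/twa`-style node can exist; a comment on the entry naming the device family would settle it.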
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index bedc36f1..81c14b91 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
-policy_module(cpucontrol,1.1.0)
+policy_module(cpucontrol,1.1.1)
 ########################################
 #
@@ -91,6 +91,7 @@ files_pid_filetrans(cpuspeed_t,cpuspeed_var_run_t,file)
 kernel_read_system_state(cpuspeed_t)
 kernel_read_kernel_sysctls(cpuspeed_t)
+dev_write_sysfs_dirs(cpuspeed_t)
 dev_rw_sysfs(cpuspeed_t)
 domain_use_interactive_fds(cpuspeed_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 5a7d7bc3..dbb2b6e4 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -111,3 +111,70 @@ interface(`ipsec_manage_pid',`
 files_search_pids($1)
 manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
+
+########################################
+##
+## Execute racoon in the racoon domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_domtrans_racoon',`
+ gen_require(`
+ type racoon_t, racoon_exec_t;
+ ')
+
+ domtrans_pattern($1,racoon_exec_t,racoon_t)
+')
+
+########################################
+##
+## Execute setkey in the setkey domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+ type setkey_t, setkey_exec_t;
+ ')
+
+ domtrans_pattern($1,setkey_exec_t,setkey_t)
+')
+
+########################################
+##
+## Execute setkey and allow the specified role the domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the racoon and setkey domains.
+##
+##
+##
+##
+## The type of the terminal allow the racoon and setkey domains to use.
+##
+##
+##
+#
+interface(`ipsec_run_setkey',`
+ gen_require(`
+ type setkey_t;
+ ')
+
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ allow setkey_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2b7ec226..794838b0 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.2.1)
+policy_module(ipsec,1.2.2)
 ########################################
 #
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index cc40dcb0..d968d18e 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables,1.2.1)
+policy_module(iptables,1.2.2)
 ########################################
 #
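Review bot: The documentation of `ipsec_run_setkey` overstates what it grants: the summary and the role and terminal parameter descriptions speak of "the racoon and setkey domains", but the body only calls `ipsec_domtrans_setkey($1)`, authorises `role $2 types setkey_t;` and allows `setkey_t $3:chr_file rw_term_perms`, and racoon_t appears nowhere in it. Either drop racoon from those descriptions (`## The role to be allowed the setkey domain.`, `## The type of the terminal allow the setkey domain to use.`) or make the body match by adding `ipsec_domtrans_racoon($1)`, `role $2 types racoon_t;` and the equivalent terminal rule, with `racoon_t` added to the `gen_require`. A caller reading the current text would reasonably expect to run racoon through this interface and be denied. `ipsec_domtrans_racoon` has no caller in this commit, which is acceptable for a library interface but worth confirming it is the intended entry point rather than a leftover.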
@@ -77,9 +77,10 @@ sysnet_dns_name_resolve(iptables_t)
 userdom_use_all_users_fds(iptables_t)
 ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(iptables_t)
- term_dontaudit_use_generic_ptys(iptables_t)
+ term_use_unallocated_ttys(iptables_t)
+ term_use_generic_ptys(iptables_t)
 files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 46425d76..b4c73bfa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1337,6 +1337,10 @@ template(`userdom_security_admin_template',`
 dmesg_exec($1)
 ')
+ optional_policy(`
+ ipsec_run_setkey($1,$2,$3)
+ ')
+
 optional_policy(`
 netlabel_run_mgmt($1,$2, $3)
 ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index ec35724e..a4c05ff0 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.1.3)
+policy_module(userdomain,2.1.4)
 gen_require(`
 role sysadm_r, staff_r, user_r;
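Review bot: Replacing `term_dontaudit_use_unallocated_ttys(iptables_t)` and `term_dontaudit_use_generic_ptys(iptables_t)` with `term_use_unallocated_ttys(iptables_t)` and `term_use_generic_ptys(iptables_t)` turns a silenced denial into a grant, so in the targeted policy iptables_t may now read and write unallocated ttys and generic ptys; a widening like this deserves a one-line comment inside the `ifdef` block stating which invocation needs it, otherwise it reads as an accidental promotion of a dontaudit. `unconfined_rw_pipes(iptables_t)` sits directly in the `ifdef` rather than inside an `optional_policy(`…')` block like the cross-module call that follows the hunk; if the unconfined module can be absent from a targeted build the module would fail to link, so either confirm it is always present there or wrap the call. The `ifdef` closes within the hunk but the `optional_policy(` on its last line continues past it.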