diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index e0d55ac0..d296a6bf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -80,6 +80,7 @@
uptime
uwimap
vmware
+ watchdog
xen (Dan Walsh)
xprint
yam
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index 77c58c41..f83f36fa 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -64,6 +64,7 @@ ifdef(`distro_suse', `
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index a32e5533..dad9c0cb 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2342,6 +2342,25 @@ interface(`dev_read_urand',`
allow $1 urandom_device_t:chr_file r_file_perms;
')
+########################################
+##
+## Do not audit attempts to read from pseudo
+## random devices (e.g., /dev/urandom)
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_read_urand',`
+ gen_require(`
+ type urandom_device_t;
+ ')
+
+ dontaudit $1 urandom_device_t:chr_file { getattr read };
+')
+
########################################
##
## Write to the pseudo random device (e.g., /dev/urandom). This
@@ -2723,6 +2742,25 @@ interface(`dev_rwx_vmware',`
allow $1 vmware_device_t:chr_file { rw_file_perms execute };
')
+########################################
+##
+## Write to watchdog devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_watchdog',`
+ gen_require(`
+ type device_t, watchdog_device_t;
+ ')
+
+ allow $1 device_t:dir list_dir_perms;
+ allow $1 watchdog_device_t:chr_file { getattr write };
+')
+
########################################
##
## Read and write Xen devices.
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 1397a874..7ec2f42e 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.12)
+policy_module(devices,1.1.13)
########################################
#
@@ -173,6 +173,9 @@ dev_node(v4l_device_t)
type vmware_device_t;
dev_node(vmware_device_t)
+type watchdog_device_t;
+dev_node(vmware_device_t)
+
type xen_device_t;
dev_node(xen_device_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 570433bf..06d65c48 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -496,6 +496,24 @@ interface(`kernel_read_debugfs',`
allow $1 debugfs_t:lnk_file { getattr read };
')
+########################################
+##
+## Unmount the proc filesystem.
+##
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
+#
+interface(`kernel_unmount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem unmount;
+')
+
########################################
##
## Get the attributes of the proc filesystem.
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 2bc665f5..97ecfba6 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.5)
+policy_module(kernel,1.3.6)
########################################
#
diff --git a/refpolicy/policy/modules/services/watchdog.fc b/refpolicy/policy/modules/services/watchdog.fc
new file mode 100644
index 00000000..7551c51b
--- /dev/null
+++ b/refpolicy/policy/modules/services/watchdog.fc
@@ -0,0 +1,5 @@
+/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+
+/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+
+/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/watchdog.if b/refpolicy/policy/modules/services/watchdog.if
new file mode 100644
index 00000000..f8acf10a
--- /dev/null
+++ b/refpolicy/policy/modules/services/watchdog.if
@@ -0,0 +1 @@
+## Software watchdog
diff --git a/refpolicy/policy/modules/services/watchdog.te b/refpolicy/policy/modules/services/watchdog.te
new file mode 100644
index 00000000..d6bc58fa
--- /dev/null
+++ b/refpolicy/policy/modules/services/watchdog.te
@@ -0,0 +1,123 @@
+
+policy_module(watchdog,1.0.0)
+
+#################################
+#
+# Rules for the watchdog_t domain.
+#
+
+type watchdog_t;
+type watchdog_exec_t;
+init_daemon_domain(watchdog_t,watchdog_exec_t)
+
+type watchdog_log_t;
+logging_log_file(watchdog_log_t)
+
+type watchdog_var_run_t;
+files_pid_file(watchdog_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+dontaudit watchdog_t self:capability sys_tty_config;
+allow watchdog_t self:process { setsched signal_perms };
+allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:unix_stream_socket create_socket_perms;
+allow watchdog_t self:tcp_socket create_stream_socket_perms;
+allow watchdog_t self:udp_socket create_socket_perms;
+
+allow watchdog_t watchdog_log_t:file create_file_perms;
+logging_log_filetrans(watchdog_t,watchdog_log_t,file)
+
+allow watchdog_t watchdog_var_run_t:file create_file_perms;
+allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
+
+kernel_read_system_state(watchdog_t)
+kernel_read_kernel_sysctls(watchdog_t)
+kernel_unmount_proc(watchdog_t)
+
+corecmd_search_sbin(watchdog_t)
+# for orderly shutdown
+corecmd_exec_shell(watchdog_t)
+
+# cjp: why networking?
+corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_tcp_sendrecv_generic_if(watchdog_t)
+corenet_udp_sendrecv_generic_if(watchdog_t)
+corenet_raw_sendrecv_generic_if(watchdog_t)
+corenet_tcp_sendrecv_all_nodes(watchdog_t)
+corenet_udp_sendrecv_all_nodes(watchdog_t)
+corenet_raw_sendrecv_all_nodes(watchdog_t)
+corenet_tcp_sendrecv_all_ports(watchdog_t)
+corenet_udp_sendrecv_all_ports(watchdog_t)
+corenet_tcp_bind_all_nodes(watchdog_t)
+corenet_udp_bind_all_nodes(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
+
+dev_read_sysfs(watchdog_t)
+dev_write_watchdog(watchdog_t)
+# do not care about saving the random seed
+dev_dontaudit_read_rand(watchdog_t)
+dev_dontaudit_read_urand(watchdog_t)
+
+domain_use_interactive_fds(watchdog_t)
+domain_getsession_all_domains(watchdog_t)
+domain_sigchld_all_domains(watchdog_t)
+domain_sigstop_all_domains(watchdog_t)
+domain_signull_all_domains(watchdog_t)
+domain_signal_all_domains(watchdog_t)
+domain_kill_all_domains(watchdog_t)
+
+files_read_etc_files(watchdog_t)
+# for updating mtab on umount
+files_manage_etc_runtime_files(watchdog_t)
+
+fs_unmount_xattr_fs(watchdog_t)
+fs_getattr_all_fs(watchdog_t)
+fs_search_auto_mountpoints(watchdog_t)
+
+term_dontaudit_use_console(watchdog_t)
+
+# record the fact that we are going down
+auth_append_login_records(watchdog_t)
+
+init_use_fds(watchdog_t)
+init_use_script_ptys(watchdog_t)
+
+libs_use_ld_so(watchdog_t)
+libs_use_shared_libs(watchdog_t)
+
+logging_send_syslog_msg(watchdog_t)
+
+miscfiles_read_localization(watchdog_t)
+
+sysnet_read_config(watchdog_t)
+
+userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(watchdog_t)
+ term_dontaudit_use_generic_ptys(watchdog_t)
+ files_dontaudit_read_root_files(watchdog_t)
+')
+
+optional_policy(`
+ mta_send_mail(watchdog_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(watchdog_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(watchdog_t)
+')
+
+optional_policy(`
+ udev_read_db(watchdog_t)
+')