diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 5e99b332..39a4e970 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -15,6 +15,7 @@ attribute exec_type;
#
type bin_t alias { ls_exec_t sbin_t };
corecmd_executable_file(bin_t)
+dev_associate(bin_t) #For /dev/MAKEDEV
#
# shell_exec_t is the type of user shells such as /bin/bash.
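Review bot: The added `dev_associate(bin_t)` applies to every file labelled bin_t, which is one of the most widely used types, and the trailing `#For /dev/MAKEDEV` does not explain why the grant is made on the whole type. As `dev_associate` is defined in this commit, it also calls `fs_associate_tmpfs`, so bin_t picks up tmpfs association too. `associate` alone does not let any domain create such files, so the exposure is limited. I would still spell out the reason, e.g. `# /dev/MAKEDEV is a bin_t executable that lives on the device filesystem`, and consider whether a dedicated type for MAKEDEV would be narrower.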
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index cac0c64e..fec4d405 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -71,6 +71,43 @@ interface(`dev_node',`
typeattribute $1 device_node;
')
+########################################
+##
+## Associate the specified file type with device filesystem.
+##
+##
+##
+## The type of the file to be associated.
+##
+##
+#
+interface(`dev_associate',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem associate;
+ fs_associate_tmpfs($1) #For backwards compatibility
+')
+
+########################################
+##
+## Mount a filesystem on /dev
+##
+##
+##
+## Domain allow access.
+##
+##
+#
+interface(`dev_mounton',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir mounton;
+')
+
########################################
##
## Allow full relabeling (to and from) of all device nodes.
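Review bot: `dev_associate` still calls `fs_associate_tmpfs($1)` with only `#For backwards compatibility` as justification, so every type passed through it stays associable with tmpfs as well as with device_t. The comment should name the configuration that still needs this (presumably a /dev that is a plain tmpfs rather than devtmpfs), so the extra grant can be dropped once it is obsolete. In `dev_mounton`, the parameter description `Domain allow access.` should read `Domain allowed access.`. Its summary could also say that it grants `mounton` on device_t directories only. Both interfaces lie entirely inside this hunk.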
@@ -759,7 +796,7 @@ interface(`dev_filetrans',`
filetrans_pattern($1, device_t, $2, $3)
- fs_associate_tmpfs($2)
+ dev_associate($2)
files_associate_tmp($2)
')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 102d1302..c4c843bd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
#
# Type for /dev/agpgart
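Review bot: The new `fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);` line carries no comment, although the filesystem.te block it moved out of explained what the statement does, and a reader will not expect a filesystem labeling rule among the device_t declarations. I would add above it `# Label the devtmpfs filesystem device_t; objects on it get a type derived from the creator and device_t.` Because the filesystem label changes from tmpfs_t to device_t, domains whose filesystem-level access to /dev came from tmpfs_t rules will presumably need a device_t equivalent. The only such grant visible in this diff is `dev_mounton`, so check for new AVC denials in a permissive test boot before shipping.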
@@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)
files_associate_tmp(device_node)
+allow device_node device_t:filesystem associate;
+
########################################
#
# Unconfined access to this module
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index fb63c3ad..22dc0f37 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fa55f26..f87946fb 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
-# work around until devtmpfs has device_t type
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+dev_mounton(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
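Review bot: `dev_mounton(kernel_t)` replaces a commented workaround with an uncommented grant, so nothing at this line says why kernel_t needs `mounton` on device_t directories. A short comment such as `# the kernel mounts devtmpfs on /dev` (if that is the reason; confirm) would keep the rule auditable. Removing `dev_tmpfs_filetrans_dev` is only safe together with the devtmpfs relabel in devices.te from this same commit. If the two changes were ever backported separately, kernel-created nodes would presumably end up with a tmpfs_t-derived label again.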
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd45076c..74c0c76f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };