Kernel patch from Dan Walsh.

policy/modules/kernel/kernel.if

@@ -142,6 +142,24 @@ interface(`kernel_sigchld',`
 	allow $1 kernel_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send a kill signal to kernel threads.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process sending the signal.
+##	</summary>
+## </param>
+#
+interface(`kernel_kill',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##	Send a generic signal to kernel threads.
@@ -622,6 +640,24 @@ interface(`kernel_search_debugfs',`
 	search_dirs_pattern($1, debugfs_t, debugfs_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	dontaudit $1 debugfs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read information from the debugging filesystem.
@@ -1992,6 +2028,25 @@ interface(`kernel_kill_unlabeled',`
 	allow $1 unlabeled_t:process sigkill;
 ')
 
+########################################
+## <summary>
+##	Mount a kernel unlabeled filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain mounting the filesystem.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:filesystem mount;
+')
+
+
 ########################################
 ## <summary>
 ##	Send general signals to unlabeled processes.

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.11.2)
+policy_module(kernel, 1.11.3)
 
 ########################################
 #