Storage patch from Dan Walsh.

Add /dev/hwcdrom

policy/modules/kernel/storage.fc

@@ -20,6 +20,7 @@
 /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
+/dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

policy/modules/kernel/storage.if

@@ -570,6 +570,25 @@ interface(`storage_dontaudit_read_removable_device',`
 	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to write
+##	removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_write_removable_device',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to set the attributes of removable

policy/modules/kernel/storage.te

@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.8.0)
+policy_module(storage, 1.8.1)
 
 ########################################
 #