diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e8a6b1d..d525708 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -58,6 +58,15 @@ files_type(etc_t)
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+#
+type system_conf_t, configfile;
+files_type(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6e022c3..5e44a4d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3935,6 +3935,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+######################################
+##
+## Read manageable system configuration files in /etc
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+#####################################
+##
+## Manage manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+#####################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+#####################################
+##
+## Relabel manageable system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+##################################
+##
+## Create files in /etc with the type used for
+## the manageable system config files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
#######################################
##
## Read manageable system configuration files in /etc
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 3517db2..331c851 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -64,6 +64,12 @@ ifdef(`distro_suse',`
/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)