diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 249e5e7..86b525e 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1220,22 +1220,6 @@ interface(`corenet_rw_ppp_dev',`
 
 ########################################
 ## <summary>
-##	Send and receive messages on a
-##	non-encrypted (no IPSEC) network
-##	session.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_non_ipsec_sendrecv',`
-	kernel_sendrecv_unlabeled_association($1)
-')
-
-########################################
-## <summary>
 ##	Bind TCP sockets to all RPC ports.
 ## </summary>
 ## <param name="domain">
@@ -1310,6 +1294,43 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 
 ########################################
 ## <summary>
+##	Send and receive messages on a
+##	non-encrypted (no IPSEC) network
+##	session.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_non_ipsec_sendrecv',`
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+	kernel_sendrecv_unlabeled_packets($1)
+')
+
+########################################
+## <summary>
 ##	Unconfined access to network objects.
 ## </summary>
 ## <param name="domain">
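Review bot: The `<desc>` for corenet_sendrecv_unlabeled_packets only restates the summary and does not say how broad the grant is. Per the description these are the packets that matched no SECMARK rule, so on a system with few or no such rules this may cover most of a domain's network traffic. I would add a sentence to the `<desc>` such as `Domains that should be limited to specific SECMARK-labeled traffic should not be given this access.` The same description is duplicated on kernel_sendrecv_unlabeled_packets in the kernel.if hunk and would benefit from the same sentence.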
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 21094d1..d426539 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -8,6 +8,7 @@ policy_module(corenetwork,1.1.8)
 
 attribute netif_type;
 attribute node_type;
+attribute packet_type;
 attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
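Review bot: `attribute packet_type;` is declared here, but none of the visible hunks assigns it to a type, so the rule `allow corenet_unconfined_type packet_type:packet *;` added in the later local-policy hunk appears to match nothing yet. If unlabeled_t does not carry packet_type elsewhere, that would explain the separate `corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)` call at the end of the file, though it grants only send and recv rather than `*`. A short comment next to the attribute would make the intent clear, for example `# packet_type: types used as SECMARK packet labels; unlabeled_t is handled via corenet_sendrecv_unlabeled_packets()`. It is also worth confirming that `*` on the packet class is intended, since it covers every permission in that class rather than send and recv alone.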
@@ -174,10 +175,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 type netif_t, netif_type;
 sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
 
-ifdef(`enable_mls', `
+ifdef(`enable_mls',`
 network_interface(lo, lo,s0 - s15:c0.c255)
 ')
-#network_interface(eth0, eth0,s0)
 
 ########################################
 #
@@ -186,6 +186,7 @@ network_interface(lo, lo,s0 - s15:c0.c255)
 
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
@@ -194,3 +195,4 @@ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
 
 corenet_non_ipsec_sendrecv(corenet_unconfined_type)
+corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 47edcf8..599d8b8 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2051,6 +2051,36 @@ interface(`kernel_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_sendrecv_unlabeled_packets() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_packets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:packet { send recv };
+')
+
+########################################
+## <summary>
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">