diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 249e5e7..86b525e 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1220,22 +1220,6 @@ interface(`corenet_rw_ppp_dev',`
 ########################################
 ##
-## Send and receive messages on a
-## non-encrypted (no IPSEC) network
-## session.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`corenet_non_ipsec_sendrecv',`
- kernel_sendrecv_unlabeled_association($1)
-')
-
-########################################
-##
 ## Bind TCP sockets to all RPC ports.
 ##
 ##
@@ -1310,6 +1294,43 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 ########################################
 ##
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_non_ipsec_sendrecv',`
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+##
+## Send and receive unlabeled packets.
+##
+##
+##

+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_packets($1)
+')
+
+########################################
+##
 ## Unconfined access to network objects.
 ##
 ##
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 21094d1..d426539 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -8,6 +8,7 @@ policy_module(corenetwork,1.1.8)
 attribute netif_type;
 attribute node_type;
+attribute packet_type;
 attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
@@ -174,10 +175,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 type netif_t, netif_type;
 sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
-ifdef(`enable_mls', `
+ifdef(`enable_mls',`
 network_interface(lo, lo,s0 - s15:c0.c255)
 ')
-#network_interface(eth0, eth0,s0)
 ########################################
 #
@@ -186,6 +186,7 @@ network_interface(lo, lo,s0 - s15:c0.c255)
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
@@ -194,3 +195,4 @@ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
 corenet_non_ipsec_sendrecv(corenet_unconfined_type)
+corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 47edcf8..599d8b8 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
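Review bot: The description of the new `corenet_sendrecv_unlabeled_packets()` does not say how it relates to `corenet_non_ipsec_sendrecv()`, which the same hunk re-adds directly above it; the two grant access to different objects (the unlabeled association versus packets matching no SECMARK rule), and a domain doing plain unlabeled networking will presumably need both once SECMARK rules are loaded, which a policy writer cannot tell from either description. Suggest extending the description block with `## Domains that use corenet_non_ipsec_sendrecv() for` / `## unlabeled traffic will usually also need this` / `## interface once SECMARK rules are in use.` Relocating corenet_non_ipsec_sendrecv() within the file in the same commit (the earlier hunk deletes it) is an unrelated move that doubles the size of the change; keeping the move in its own commit would make the new interface easier to review.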
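Review bot: `attribute packet_type;` is declared, and the later hunk in this file adds `allow corenet_unconfined_type packet_type:packet *;`, but nothing in this diff assigns the attribute to any type — unlabeled_t is reached only through the separate `corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)` call in the last hunk — so the attribute rule grants nothing until some type is declared with packet_type, presumably in a later change. A comment stating the intended membership would help readers, e.g. `# Attribute of all types used as SECMARK packet labels`, placed above the declaration. The `*` matches the neighbouring node and netif rules, but it will also cover any permission later added to the packet class; if that is not intended for corenet_unconfined_type, `{ send recv }` is the narrower choice and would match what the two new interfaces grant.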
@@ -2051,6 +2051,36 @@ interface(`kernel_sendrecv_unlabeled_association',`
 ########################################
 ##
+## Send and receive unlabeled packets.
+##
+##
+##

+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+##

+##

+## The corenetwork interface
+## corenet_sendrecv_unlabeled_packets() should
+## be used instead of this one.
+##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`kernel_sendrecv_unlabeled_packets',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:packet { send recv }; +') + +######################################## +## ## Unconfined access to kernel module resources. ## ##