diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 069f6a3..0b74810 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1231,32 +1231,6 @@ interface(`domain_entry_file_spec_domtrans',`
 
 ########################################
 ## <summary>
-##	Unconfined access to domains.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`domain_unconfined',`
-	gen_require(`
-		attribute set_curr_context;
-		attribute can_change_object_identity;
-		attribute unconfined_domain_type;
-		attribute process_uncond_exempt;
-	')
-
-	typeattribute $1 unconfined_domain_type;
-
-	# pass constraints
-	typeattribute $1 can_change_object_identity;
-	typeattribute $1 set_curr_context;
-	typeattribute $1 process_uncond_exempt;
-')
-
-########################################
-## <summary>
 ##	Ability to mmap a low area of the address space,
 ##      as configured by /proc/sys/kernel/mmap_min_addr.
 ##      Preventing such mappings helps protect against
@@ -1280,18 +1254,52 @@ interface(`domain_mmap_low',`
 
 ########################################
 ## <summary>
-##	Allow specified type to associate ipsec packets from any domain
+##	Allow specified type to receive labeled
+##	networking packets from all domains, over
+##	all protocols (TCP, UDP, etc)
 ## </summary>
 ## <param name="type">
 ##	<summary>
-##	Type of subject to be allowed this.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`domain_ipsec_labels',`
+interface(`domain_all_recvfrom_all_domains',`
 	gen_require(`
 		attribute domain;
  	')
- 
-	allow $1 domain:association { sendto recvfrom };
+
+	# IPSEC-based labeled networking 
+	allow $1 domain:association recvfrom;
+
+	# Netlabel (CIPSO)-based labeled networking
+	# currently only supports MLS portion of label
+	corenet_all_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##	Unconfined access to domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_unconfined',`
+	gen_require(`
+		attribute set_curr_context;
+		attribute can_change_object_identity;
+		attribute unconfined_domain_type;
+		attribute process_uncond_exempt;
+	')
+
+	typeattribute $1 unconfined_domain_type;
+
+	# pass constraints
+	typeattribute $1 can_change_object_identity;
+	typeattribute $1 set_curr_context;
+	typeattribute $1 process_uncond_exempt;
 ')
+
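Review bot: The new `domain_all_recvfrom_all_domains` rule `allow $1 domain:association recvfrom;` no longer grants `sendto`, so any caller of the old `domain_ipsec_labels` that relied on the send side loses that permission, and no replacement interface is visible in this hunk. If the narrowing is intended, the commit should say so; otherwise a separate send-side interface is needed. The old name is also removed outright, so callers outside this file (not visible here) will fail to build unless they are updated in the same change; keeping a deprecated `domain_ipsec_labels` stub that calls `domain_all_recvfrom_all_domains($1)` would avoid that. Because the interface accepts labeled packets from every domain and, per the added comment, the NetLabel path carries only the MLS portion of the label, I would add a line to the `<summary>` such as `## Intended only for domains that must accept traffic from any peer domain.` The parameter is still declared as `<param name="type">` while its description now reads "Domain allowed access."; renaming it to `<param name="domain">` would match `domain_unconfined` below.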
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 3fa734c..17231cd 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.4.2)
+policy_module(domain,1.4.3)
 
 ########################################
 #