diff --git a/Changelog b/Changelog
index 6c85f15..b2cfb6c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
- Patch for RadSec port from Glen Turner.
diff --git a/policy/mls b/policy/mls
index 80b3a43..d8a3c3c 100644
--- a/policy/mls
+++ b/policy/mls
@@ -299,6 +299,57 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
#
+# MLS policy for the network ingress/egress controls
+#
+
+# the netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { ingress }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { netif } { egress }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { node } { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ));
+
+# the forward ops, the forward_in permission is a "write" operation because the
+# subject in this particular case is the remote domain which is writing data
+# to the network with a secmark label, the object in this case
+mlsconstrain { packet } { forward_in }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetinbound ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { packet } { forward_out }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetoutbound ) or
+ ( t1 == unlabeled_t ));
+
+#
+# MLS policy for the secmark and peer controls
+#
+
+# the peer/packet recv op
+mlsconstrain { peer packet } { recv }
+ (( l1 dom l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+
+
+
+#
# MLS policy for the process class
#
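Review bot: The header comment for the forward constraints ends mid-sentence (`# to the network with a secmark label, the object in this case`) and never names the object, unlike the netif and node comments above it; completing it as `# to the network with a secmark label, the object in this case being the packet` keeps the subject/object explanation consistent across the three groups. Separately, the `forward_out` constraint exempts `t1 == unlabeled_t`, while the parallel outbound constraints `netif egress` and `node sendto` do not, so an unlabeled subject bypasses the dominance check only on the forwarding path; if that asymmetry is intended (forwarded traffic from unlabeled sources), a one-line comment stating so would stop a later reader from treating it as a copy-paste slip from `forward_in`. The four consecutive blank lines after the `recv` constraint are also more than the file's other section separators use.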
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index c2706de..af86516 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -332,6 +332,48 @@ interface(`mls_net_write_within_range',`
########################################
##
+## Make specified domain trusted to
+## write inbound packets regardless of the
+## network's or node's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_net_inbound_all_levels',`
+ gen_require(`
+ attribute mlsnetinbound;
+ ')
+
+ typeattribute $1 mlsnetinbound;
+')
+
+########################################
+##
+## Make specified domain trusted to
+## write outbound packets regardless of the
+## network's or node's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_net_outbound_all_levels',`
+ gen_require(`
+ attribute mlsnetoutbound;
+ ')
+
+ typeattribute $1 mlsnetoutbound;
+')
+
+########################################
+##
## Make specified domain MLS trusted
## for reading from System V IPC objects
## up to its clearance.
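Review bot: The summary of `mls_net_inbound_all_levels` describes the exemption only in terms of "the network's or node's MLS range", but the `mlsnetinbound` attribute it assigns also satisfies the `packet forward_in` constraint added to policy/mls in this same commit, so a caller reading the interface doc cannot tell that forwarded secmark-labelled packets are covered as well; the same applies to `mls_net_outbound_all_levels` and `forward_out`. Rewording the summaries to `## write inbound packets regardless of the network's, node's or forwarded packet's MLS range` (and the outbound counterpart) keeps the interface documentation in step with the constraints it unlocks. The summary and param tag contents appear to have been stripped from the `##` lines shown here, presumably by rendering rather than in the patch itself; worth confirming the XML survives in the committed file.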
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 10b5e5a..252deef 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls, 1.7.0)
+policy_module(mls, 1.7.1)
########################################
#
@@ -22,6 +22,8 @@ attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
+attribute mlsnetinbound;
+attribute mlsnetoutbound;
attribute mlsipcread;
attribute mlsipcreadtoclr;