diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6a53f886b..3a93e1419 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1684,6 +1684,8 @@ interface(`files_mounton_all_mountpoints',`
 allow $1 mountpoint:dir { search_dir_perms mounton };
 allow $1 mountpoint:file { getattr mounton };
+
+ kernel_mounton_unlabeled_dirs($1)
 ')
 ########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7914e1fd4..2e915da3e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3210,6 +3210,43 @@ interface(`kernel_delete_unlabeled_sockets',`
 delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
+
+######################################## ## ## Allow caller to relabel from unlabeled block devices. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_blk_devs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:blk_file { getattr relabelfrom };
+')
+
+######################################## ## ## Allow caller to relabel from unlabeled character devices. ## ## ## ## Domain allowed access. ## ## # interface(`kernel_relabelfrom_unlabeled_chr_devs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:chr_file { getattr relabelfrom };
+')
+
 ######################################## ## ## Send and receive messages from an
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index c8218bf8c..ed536321a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -190,7 +190,6 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 #
 type unlabeled_t;
 kernel_rootfs_mountpoint(unlabeled_t)
-files_mountpoint(unlabeled_t)
 fs_associate(unlabeled_t)
 sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
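Review bot: The added `kernel_mounton_unlabeled_dirs($1)` restores only the directory side of what `unlabeled_t` used to receive through the `mountpoint` attribute; the `allow $1 mountpoint:file { getattr mounton };` rule two lines above no longer reaches `unlabeled_t:file`, so a caller that bind-mounts onto an unlabeled file will now be denied unless that narrowing is intended. A why-comment would keep the next reader from treating the explicit call as redundant, e.g. `# unlabeled_t is no longer in the mountpoint attribute; grant the dir case explicitly`. If the file-mounton drop is deliberate, say so in that comment or the commit message. The interface's opening line is outside the hunk.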
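Review bot: The two new interfaces use a bare `allow $1 unlabeled_t:blk_file { getattr relabelfrom };` (and the `chr_file` twin), whereas the neighbouring `kernel_*_unlabeled_*` interface visible in the hunk context goes through a `*_pattern` macro (`delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)`), which also grants search on the containing `unlabeled_t` directory. If `relabelfrom_blk_files_pattern`/`relabelfrom_chr_files_pattern` exist in this tree, `relabelfrom_blk_files_pattern($1, unlabeled_t, unlabeled_t)` would keep the style consistent and spare callers a separate directory-search grant; if they do not, a one-line comment stating that directory search must come from `kernel_list_unlabeled()` or similar would avoid surprise denials. Security-wise the grant is narrow (relabelfrom only, no relabelto), so the destination label remains bounded by the caller's other rules; that is worth stating in the summary text. Both interface bodies are fully inside the hunk.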
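Review bot: Removing `files_mountpoint(unlabeled_t)` takes `unlabeled_t` out of the `mountpoint` attribute, so every interface keyed on that attribute loses access to unlabeled objects, not only `files_mounton_all_mountpoints` (the one this commit compensates in files.if); any other `mountpoint`-attribute consumer in the tree will now produce denials on unlabeled mount points. That is a tightening and very likely the intent, but a comment beside the surviving `kernel_rootfs_mountpoint(unlabeled_t)` line would record the decision, e.g. `# deliberately not a generic mountpoint: callers use kernel_mounton_unlabeled_dirs() explicitly`. A grep for other users of the `mountpoint` attribute before merging would confirm nothing else depended on it.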
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index fad28f179..8d062dd88 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -354,6 +354,14 @@ kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_use_fds(restorecond_t)
+kernel_list_unlabeled(restorecond_t)
+kernel_relabelfrom_unlabeled_dirs(restorecond_t)
+kernel_relabelfrom_unlabeled_files(restorecond_t)
+kernel_relabelfrom_unlabeled_symlinks(restorecond_t)
+kernel_relabelfrom_unlabeled_pipes(restorecond_t)
+kernel_relabelfrom_unlabeled_sockets(restorecond_t)
+kernel_relabelfrom_unlabeled_blk_devs(restorecond_t)
+kernel_relabelfrom_unlabeled_chr_devs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_all_xattr_fs(restorecond_t)
@@ -586,6 +594,8 @@ kernel_relabelfrom_unlabeled_files(setfiles_t)
 kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
 kernel_relabelfrom_unlabeled_pipes(setfiles_t)
 kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+kernel_relabelfrom_unlabeled_blk_devs(setfiles_t)
+kernel_relabelfrom_unlabeled_chr_devs(setfiles_t)
 kernel_use_fds(setfiles_t)
 kernel_rw_pipes(setfiles_t)
 kernel_rw_unix_dgram_sockets(setfiles_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5aab9ada7..e9556084f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1425,6 +1425,14 @@ template(`userdom_security_admin_template',`
 # Necessary for managing /boot/efi
 fs_manage_dos_files($1)
+ kernel_relabelfrom_unlabeled_dirs($1)
+ kernel_relabelfrom_unlabeled_files($1)
+ kernel_relabelfrom_unlabeled_symlinks($1)
+ kernel_relabelfrom_unlabeled_pipes($1)
+ kernel_relabelfrom_unlabeled_sockets($1)
+ kernel_relabelfrom_unlabeled_blk_devs($1)
+ kernel_relabelfrom_unlabeled_chr_devs($1)
+
 mls_process_read_all_levels($1)
 mls_file_read_all_levels($1)
 mls_file_upgrade($1)
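Review bot: The eight new `restorecond_t` lines carry no why-comment, and this block now hands a long-running daemon relabelfrom on every unlabeled object class including block and character device nodes, which is a wider grant than the surrounding one-liners; a short comment such as `# relabel objects that currently carry no label (all classes, incl. device nodes)` would tell the next reviewer this breadth was chosen on purpose. Note also that this hunk adds `kernel_list_unlabeled` alongside the relabelfrom set while the `setfiles_t` hunk below does not; if `setfiles_t` already has it elsewhere that is fine, otherwise the two domains now differ in their ability to descend into unlabeled directories. Whether restorecond can actually reach device nodes depends on the paths it watches, which are not visible here.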
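Review bot: The seven `kernel_relabelfrom_unlabeled_*` calls added to `userdom_security_admin_template` have no why-comment while the line just above them does (`# Necessary for managing /boot/efi`); add one in the same style, e.g. `# restorecon/chcon of objects that currently carry no label`. Unlike the restorecond hunk in selinuxutil.te, this block does not add `kernel_list_unlabeled`; if `kernel_relabelfrom_unlabeled_dirs` is built on a `*_pattern` macro it will already include directory search, but if it is a bare allow like the two new device interfaces in kernel.if, a security admin will be denied `search` into an unlabeled tree they are allowed to relabel. Worth confirming before merging. The template body continues outside the hunk.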