diff --git a/policy/mcs b/policy/mcs
index f477c7f30..216b3d125 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
 # - /proc/pid operations are not constrained.
 mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
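Review bot: The context comment `# - /proc/pid operations are not constrained.` at the top of this hunk is no longer accurate once these lines land: the `( t2 == domain )` escape that exempted /proc/pid now only holds when `( t1 != mcs_constrained_type )`, so a constrained domain is category-checked on other domains' /proc/pid entries as well. Update it to `# - /proc/pid operations are not constrained, except for mcs_constrained_type domains.` Separately, the write-side rule added for `{ lnk_file chr_file blk_file sock_file }` covers only `{ write setattr }`, whereas the file class rule just above constrains `{ write setattr append unlink link rename }`; if leaving unlink/link/rename of symlinks, device nodes and socket files outside the category check is intended, a comment saying so would help, otherwise those permissions should be added. The `fifo_file { open }` rule also spaces `( t2 == domain )` differently from the other new lines, which is cosmetic but makes the constraints harder to grep consistently.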
@@ -101,6 +117,12 @@ mlsconstrain process { ptrace }
 mlsconstrain process { sigkill sigstop }
 (( h1 dom h2 ) or ( t1 == mcskillall ));
+mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf3a..508e609da 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,31 @@ interface(`mcs_process_set_categories',`
 typeattribute $1 mcssetcats;
 ')
+
+########################################
+##
+## Constrain by category access control (MCS).
+##
+##
+##
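Review bot: The new `process { signal }` constraint drops the `mcskillall` escape that the `sigkill sigstop` rule directly above keeps, while the file and dir rules in the previous hunk still honour `mcsreadall`/`mcswriteall` for constrained types; a domain carrying both `mcskillall` and `mcs_constrained_type` can therefore still kill but not signal a process in another category. If that asymmetry is intended, a comment should say so; otherwise `(( h1 dom h2 ) or ( t1 == mcskillall ) or ( t1 != mcs_constrained_type ))` keeps the escape attributes consistent. The `node_bind` rule lists only `tcp_socket udp_socket rawip_socket`; if this policy's access vectors define further socket classes that carry `node_bind` (for example `dccp_socket`), a constrained domain would avoid the check through them, which is worth verifying against the class definitions. Note also that `h2` in that rule is the node's own level, so the check only bites for nodes labeled with categories rather than the default `s0`.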

+## Constrain the specified type by category based
+## access control (MCS) This prevents this domain from
+## interacting with subjects and operating on objects
+## that it otherwise would be able to interact
+## with or operate on respectively.
+##

+##
+##
+##
+## Type to be constrained by MCS.
+##
+##
+##
+#
+interface(`mcs_constrained',`
+ gen_require(`
+ attribute mcs_constrained_type;
+ ')
+
+ typeattribute $1 mcs_constrained_type;
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b6611f..c608a8be1 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@ attribute mcsptraceall;
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcs_constrained_type;
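Review bot: The interface description is missing a sentence break (`access control (MCS) This prevents this domain from`) and does not say what being constrained concretely changes, which is exactly what a policy author deciding whether to call `mcs_constrained` needs. Reword the second line to `## access control (MCS). This prevents this domain from` and add a short paragraph to the description stating that a constrained type loses the usual MCS exemption for operations on other domains' /proc/pid entries and is additionally category-checked when sending `signal` and on `node_bind`, while the `mcsreadall`/`mcswriteall` attributes are still honoured for file access. The doc comment's XML tags were lost in this rendering, so I cannot confirm that its summary/desc/param structure matches the other interfaces in this file. Since the body is a plain `typeattribute`, the description should also note that the interface does not itself assign a category range to the type.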