diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 9278bb439..79c8f8f93 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1606,19 +1606,86 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` ######################################## ## -## Allow caller to relabel unlabeled objects. +## Allow caller to relabel unlabeled directories. ## ## ## The process type relabeling the objects. ## # -interface(`kernel_relabel_unlabeled',` +interface(`kernel_relabelfrom_unlabeled_dirs',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir { getattr search read relabelfrom }; +') + +######################################## +## +## Allow caller to relabel unlabeled files. +## +## +## The process type relabeling the objects. +## +# +interface(`kernel_relabelfrom_unlabeled_files',` gen_require(` type unlabeled_t; ') kernel_list_unlabeled($1) - allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom }; + allow $1 unlabeled_t:file { getattr relabelfrom }; +') + +######################################## +## +## Allow caller to relabel unlabeled symbolic links. +## +## +## The process type relabeling the objects. +## +# +interface(`kernel_relabelfrom_unlabeled_symlinks',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; +') + +######################################## +## +## Allow caller to relabel unlabeled named pipes. +## +## +## The process type relabeling the objects. +## +# +interface(`kernel_relabelfrom_unlabeled_pipes',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; +') + +######################################## +## +## Allow caller to relabel unlabeled named sockets. +## +## +## The process type relabeling the objects. +## +# +interface(`kernel_relabelfrom_unlabeled_sockets',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:sock_file { getattr relabelfrom }; ') ######################################## 
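Review bot: The five new interfaces cover dir, file, lnk_file, fifo_file and sock_file, but the removed `kernel_relabel_unlabeled` granted `relabelfrom` over `dir_file_class_set`, which in the reference policy's class sets also includes chr_file and blk_file, so callers appear to lose the ability to relabel unlabeled device nodes. If that narrowing is intended, the summary should say so; if not, matching interfaces for the two device classes are needed. The summaries also still read "relabel" although only `relabelfrom` is granted; `Allow caller to relabel from unlabeled files.` would match both the permission and the new interface names. Finally, `kernel_relabelfrom_unlabeled_dirs` spells out `{ getattr search read relabelfrom }` while the other four call `kernel_list_unlabeled($1)`; assuming the helper grants the same directory permissions, calling it there too would keep them defined in one place.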
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 0cf800a26..8447279fc 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -321,7 +321,13 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_ kernel_use_fd(restorecon_t) kernel_rw_pipes(restorecon_t) kernel_read_system_state(restorecon_t) +kernel_relabelfrom_unlabeled_dirs(restorecon_t) +kernel_relabelfrom_unlabeled_files(restorecon_t) +kernel_relabelfrom_unlabeled_symlinks(restorecon_t) +kernel_relabelfrom_unlabeled_pipes(restorecon_t) +kernel_relabelfrom_unlabeled_sockets(restorecon_t) +dev_relabel_all_dev_nodes(restorecon_t) # cjp: why is this needed? dev_rw_generic_files(restorecon_t) @@ -359,10 +365,6 @@ logging_send_syslog_msg(restorecon_t) userdom_use_all_users_fd(restorecon_t) -# relabeling rules -kernel_relabel_unlabeled(restorecon_t) -dev_relabel_all_dev_nodes(restorecon_t) - files_relabel_all_files(restorecon_t) files_list_all(restorecon_t) # this is to satisfy the assertion: @@ -474,7 +476,13 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; kernel_read_system_state(setfiles_t) -kernel_list_unlabeled(setfiles_t) +kernel_relabelfrom_unlabeled_dirs(setfiles_t) +kernel_relabelfrom_unlabeled_files(setfiles_t) +kernel_relabelfrom_unlabeled_symlinks(setfiles_t) +kernel_relabelfrom_unlabeled_pipes(setfiles_t) +kernel_relabelfrom_unlabeled_sockets(setfiles_t) + +dev_relabel_all_dev_nodes(setfiles_t) fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) 
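Review bot: The relabel grants for restorecon_t in the hunk at -321 now sit inside the kernel_ and dev_ groups without the `# relabeling rules` comment that the hunk at -359 deletes, so nothing marks these lines as the domain's broad relabeling privilege. A short comment above the first new call, for example `# relabeling rules: unlabeled objects and device nodes`, would keep that visible to anyone auditing what restorecon_t may relabel. The same applies to the setfiles_t hunk at -474, where `kernel_list_unlabeled(setfiles_t)` is replaced by the same five calls plus `dev_relabel_all_dev_nodes(setfiles_t)`.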
@@ -495,6 +503,9 @@ term_use_all_user_ttys(setfiles_t) term_use_all_user_ptys(setfiles_t) term_use_unallocated_ttys(setfiles_t) +# this is to satisfy the assertion: +auth_relabelto_shadow(setfiles_t) + init_use_fd(setfiles_t) init_use_script_fd(setfiles_t) init_use_script_ptys(setfiles_t) @@ -506,6 +517,8 @@ libs_use_shared_libs(setfiles_t) files_read_etc_runtime_files(setfiles_t) files_read_etc_files(setfiles_t) +files_list_all(setfiles_t) +files_relabel_all_files(setfiles_t) logging_send_syslog_msg(setfiles_t) @@ -515,14 +528,6 @@ userdom_use_all_users_fd(setfiles_t) # for config files in a home directory userdom_read_all_user_files(setfiles_t) -# relabeling rules -kernel_relabel_unlabeled(setfiles_t) -dev_relabel_all_dev_nodes(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade # scripts will put things in a state such that setfiles can not be run!
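Review bot: In the hunk at -495, `auth_relabelto_shadow(setfiles_t)` moves up between the term_ and init_ calls, while `files_relabel_all_files(setfiles_t)`, which it used to follow, lands in the files_ group in the hunk at -506. The comment `# this is to satisfy the assertion:` therefore no longer sits next to anything that explains it. Relabeling to the shadow type is a sensitive grant, so the comment should name what requires it, e.g. `# needed with files_relabel_all_files(): satisfies the policy assertion on relabelto for shadow files`. The assertion itself is not visible in this diff, so that wording should be confirmed against the auth module. Alternatively, keep the call directly after `files_relabel_all_files(setfiles_t)`, which is where the restorecon_t block has its own copy of this comment in the context lines of the -359 hunk.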