Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.

Example of denial:
type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir

policy/mls

@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
+	(( h1 dom h2 ) or
+	(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+	( t1 == mlsfilewrite ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }

policy/modules/kernel/mls.if

@@ -97,6 +97,26 @@ interface(`mls_file_write_to_clearance',`
 	typeattribute $1 mlsfilewritetoclr;
 ')
 
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+	gen_require(`
+		attribute mlsfilerelabeltoclr;
+	')
+
+	typeattribute $1 mlsfilerelabeltoclr;
+')
+
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted

policy/modules/kernel/mls.te

@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;