diff --git a/policy/constraints b/policy/constraints
index e9e05f06c..1cbbe2fba 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -139,13 +139,11 @@ exempted_ubac_constraint(key_socket, ubacsock)
 exempted_ubac_constraint(unix_stream_socket, ubacsock)
 exempted_ubac_constraint(unix_dgram_socket, ubacsock)
 exempted_ubac_constraint(netlink_route_socket, ubacsock)
-exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
 exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
 exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
 exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
 exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
 exempted_ubac_constraint(netlink_audit_socket, ubacsock)
-exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
 exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
 exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
 exempted_ubac_constraint(appletalk_socket, ubacsock)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2702bbabd..780f64097 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -599,7 +599,7 @@ inherits socket
 nlmsg_write
 }
-class netlink_firewall_socket
+class obsolete_netlink_firewall_socket
 inherits socket
 {
 nlmsg_read
@@ -636,7 +636,7 @@ inherits socket
 nlmsg_tty_audit
 }
-class netlink_ip6fw_socket
+class obsolete_netlink_ip6fw_socket
 inherits socket
 {
 nlmsg_read
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 44b2a8a17..dc905d583 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -66,13 +66,13 @@ class x_extension # userspace
 # extended netlink sockets
 class netlink_route_socket
-class netlink_firewall_socket
+class obsolete_netlink_firewall_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
-class netlink_ip6fw_socket
+class obsolete_netlink_ip6fw_socket
 class netlink_dnrt_socket
 class dbus # userspace
diff --git a/policy/mls b/policy/mls
index a795a7d00..8ba40c077 100644
--- a/policy/mls
+++ b/policy/mls
@@ -167,13 +167,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 #
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 ( h1 dom h2 );
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket sctp_socket } { accept connect }
 (( l1 eq l2 ) or
 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread )) and
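Review bot: The new `+mlsconstrain ... { accept connect }` list still names only the original netlink classes, while the relabelto constraint in the same hunk (and the read and write constraints in the next one) also cover netlink_iscsi_socket through netlink_crypto_socket, so connect on those newer classes is checked only by the write-ops constraint, not by the combined read-and-write check this comment block describes. That may be a pre-existing oversight from when those classes were added rather than a design choice, but the commit touches the line and leaves the asymmetry undocumented. Either extend the `+mlsconstrain` line with the same eight netlink classes the relabelto line carries, or add `# newer netlink classes are deliberately omitted here; connect on them is gated only by the write-ops constraint below` above it. The constraint expression following `{ accept connect }` continues past the end of the hunk.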
@@ -183,18 +183,18 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt }
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+mlsconstrain { netlink_route_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket } nlmsg_read
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket 
netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
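Review bot: The renamed obsolete_netlink_firewall_socket and obsolete_netlink_ip6fw_socket classes still carry nlmsg_read and nlmsg_write in the access_vectors hunk, yet they are dropped from the `+mlsconstrain { netlink_route_socket ... } nlmsg_read` statement here and from every socket list in this file, so MLS would place no check on those permissions if an object were ever labeled with one of these classes. That is presumably safe because the obsolete_ prefix signals the kernel no longer instantiates them and the slot is kept only for class ordering, but nothing in this file records that reasoning. A comment above the nlmsg_read constraint such as `# obsolete_netlink_*_socket are retired placeholder classes; they are intentionally absent from all MLS socket lists` would tell the next reader why the omission is not a hole. The write-ops constraint that begins at the end of this hunk has its expression continue beyond the hunk.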
@@ -224,14 +224,14 @@ mlsconstrain unix_dgram_socket sendto
 ( t2 == mlstrustedsocket ));
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto name_bind }
 #
 # { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
 # { tcp_socket sctp_socket } name_connect
 #
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+# { netlink_route_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket } nlmsg_write
 #
 # netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
 #
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 88c9d6550..0a7548ab2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -165,8 +165,6 @@ allow unconfined_domain_type domain:tcp_socket { node_bind name_connect };
 allow unconfined_domain_type domain:tun_socket attach_queue;
 allow unconfined_domain_type domain:unix_stream_socket connectto;
 allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_read nlmsg_tty_audit };
-allow unconfined_domain_type domain:netlink_firewall_socket { nlmsg_write nlmsg_read };
-allow unconfined_domain_type domain:netlink_ip6fw_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_route_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_write nlmsg_read };
 allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_write nlmsg_read };
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 4a271dd08..82a7a2f4d 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -37,7 +37,6 @@ allow snort_t self:netlink_socket create_socket_perms;
 allow snort_t self:tcp_socket { accept listen };
 allow snort_t self:packet_socket create_socket_perms;
 allow snort_t self:socket create_socket_perms;
-allow snort_t self:netlink_firewall_socket create_socket_perms;
 allow snort_t snort_etc_t:dir list_dir_perms;
 allow snort_t snort_etc_t:file read_file_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e66f39148..feac40b9a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 #
 # Datagram socket classes.
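Review bot: socket_class_set is a single hand-maintained list that this commit edits in lockstep with policy/flask/security_classes and the socket class lists in policy/mls, and nothing in the macro's header says that coupling exists. A line in the comment block above the `define`, e.g. `# Keep in sync with policy/flask/security_classes and the socket lists in policy/mls.`, would make it explicit for the next class that is added or retired. Dropping the old names from this set also means any out-of-tree module that still names netlink_firewall_socket or netlink_ip6fw_socket directly (as snort.te did before this commit) should now fail to compile rather than silently lose a rule, which is the safer outcome but worth stating in the commit message.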