diff --git a/Changelog b/Changelog
index 677f0c47b..549274cbb 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Database userspace object manager classes from KaiGai Kohei.
- Add third-party interface for Apache CGI.
- Add getserv and shmemserv nscd permissions.
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 5f68fccad..3150be646 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -79,6 +79,20 @@ common ipc
unix_write
}
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
#
# Define the access vectors.
#
@@ -655,3 +669,60 @@ class memprotect
{
mmap_zero
}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param
+ set_param
+}
+
+class db_table
+inherits database
+{
+ use
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class db_column
+inherits database
+{
+ use
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
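Review bot: `db_tuple` is the only new class that does not inherit the `database` common, and nothing in the hunk records why; a reader comparing it with the five sibling classes will likely take the omission for a mistake. It redeclares `relabelfrom` and `relabelto` itself and has no `create`/`drop`/`getattr`/`setattr`, so the choice looks deliberate, and a one-line comment before the class such as `# db_tuple intentionally does not inherit database: tuples have no create/drop/getattr/setattr` would make that explicit. The `common database` block the other classes inherit is defined in the earlier hunk of this file.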
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index c681855f7..1a3ff7b32 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -99,4 +99,11 @@ class dccp_socket
class memprotect
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
# FLASK
diff --git a/policy/mcs b/policy/mcs
index aeb24bd77..99d66c277 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -98,4 +98,35 @@ mlsconstrain process { ptrace }
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+#
+# MCS policy for SELinux-enabled databases
+#
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+mlsconstrain { db_tuple } { insert relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+
+mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+ ( h1 dom h2 );
+
+mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+
+mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+
+mlsconstrain db_procedure { execute }
+ ( h1 dom h2 );
+
+mlsconstrain db_blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
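Review bot: The MCS rules leave several permissions of the new classes unconstrained where the equivalent permissions of sibling classes are constrained: `db_procedure { drop setattr relabelfrom }` has no `h1 dom h2` rule at all, `lock` is missing from the db_table list although every other db_table write permission is there, and `import export` are missing from the db_blob list although `write` is covered. If these are not deliberate, the db_procedure rule should read `mlsconstrain db_procedure { drop setattr relabelfrom execute }`, the db_blob rule `mlsconstrain db_blob { drop setattr relabelfrom read write import export }`, and `lock` should be added to the db_table list. The policy/mls hunk in this commit has the same gap for db_procedure: it gets no write-ops mlsconstrain, so only the single-level `l2 eq h2` check applies to its `create`, and `drop`, `setattr` and `relabelfrom` are not MLS-checked at all.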
diff --git a/policy/mls b/policy/mls
index 16bd1dfd4..3ce227bc1 100644
--- a/policy/mls
+++ b/policy/mls
@@ -600,4 +600,96 @@ mlsconstrain context translate
mlsconstrain context contains
( h1 dom h2 );
+#
+# MLS policy for database classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { db_tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new database labels must be dominated by the relabeling subjects clearance
+mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { db_database } { getattr access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table db_column } { getattr use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_procedure } { getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { getattr read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete lock }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { create drop setattr relabelfrom write import export }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
+
') dnl end enable_mls
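Review bot: The header comment `# the "single level" file "write" ops` above the db_database write rule says "file" although every rule under it constrains a db_* class; it looks carried over from the file-class rules and should read `# the "single level" database "write" ops`. The matching comment on the read rules already says "database", so the two headings would then agree.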
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 769ef1faf..6606745ce 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -491,3 +491,79 @@ interface(`mls_context_translate_all_levels',`
typeattribute $1 mlstranslate;
')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for reading from databases at any level.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_db_read_all_levels',`
+ gen_require(`
+ attribute mlsdbread;
+ ')
+
+ typeattribute $1 mlsdbread;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for writing to databases at any level.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_db_write_all_levels',`
+ gen_require(`
+ attribute mlsdbwrite;
+ ')
+
+ typeattribute $1 mlsdbwrite;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for raising the level of databases.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_db_upgrade',`
+ gen_require(`
+ attribute mlsdbupgrade;
+ ')
+
+ typeattribute $1 mlsdbupgrade;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_db_downgrade',`
+ gen_require(`
+ attribute mlsdbdowngrade;
+ ')
+
+ typeattribute $1 mlsdbdowngrade;
+')
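Review bot: Only four of the seven attributes the new constraints key on get an interface here: `mlsdbreadtoclr`, `mlsdbwritetoclr` and `mlsdbwriteinrange` are declared in the policy/modules/kernel/mls.te hunk and tested by the `db_*` mlsconstrain rules in policy/mls, but no interface in this file assigns them, so under the module layering no module can grant a domain read-to-clearance or write-to-clearance database access or mark an object type `mlsdbwriteinrange`. Adding the missing interfaces in the same shape as `mls_db_read_all_levels` closes the gap; the read-to-clearance one is shown below (its name follows the existing pattern and is a proposal), and the other two differ only in attribute and wording. The `##` description lines in this hunk appear to have lost their XML tags in rendering, so the fence uses the refpolicy summary/param tags — confirm against the file as committed.
```m4
########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from databases up to
##	its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_db_read_to_clearance',`
	gen_require(`
		attribute mlsdbreadtoclr;
	')

	typeattribute $1 mlsdbreadtoclr;
')
dnl … unchanged: mls_db_read_all_levels, mls_db_write_all_levels, mls_db_upgrade, mls_db_downgrade …
```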
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index bd5f393f7..da0d2a0ff 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.5.0)
+policy_module(mls,1.5.1)
########################################
#
@@ -43,6 +43,14 @@ attribute mlsxwinreadcolormap;
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+attribute mlsdbread;
+attribute mlsdbreadtoclr;
+attribute mlsdbwrite;
+attribute mlsdbwritetoclr;
+attribute mlsdbwriteinrange;
+attribute mlsdbupgrade;
+attribute mlsdbdowngrade;
+
attribute mlstrustedobject;
attribute privrangetrans;