diff --git a/Changelog b/Changelog
index 4fea4ca17..3af845764 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
 - Patch for handling restart of nscd when ran from useradd, groupadd, and
   admin passwd, from Dan Walsh.
 - Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
diff --git a/policy/mls b/policy/mls
index 859ebaafa..16fbfcb5e 100644
--- a/policy/mls
+++ b/policy/mls
@@ -183,7 +183,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 	 ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));