diff --git a/policy/mls b/policy/mls
index 3603de11b..db3ed9073 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
- ( h1 dom h2 );
+ (( h1 dom h2 ) or
+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfilewrite ));
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 27d64010a..829605ba9 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -97,6 +97,26 @@ interface(`mls_file_write_to_clearance',`
 typeattribute $1 mlsfilewritetoclr;
 ')
+########################################
+##
+## Make specified domain MLS trusted
+## for relabelto to files up to its clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_file_relabel_to_clearance',`
+gen_require(`
+attribute mlsfilerelabeltoclr;
+')
+
+typeattribute $1 mlsfilerelabeltoclr;
+')
 ########################################
 ##
 ## Make specified domain MLS trusted
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e50805089..13b86257e 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 attribute mlsnetread;
 attribute mlsnetreadtoclr;
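Review bot: The context comment directly above the relabelto constraint, `# new file labels must be dominated by the relabeling subjects clearance`, no longer describes the rule: the new second disjunct lets an `mlsfilerelabeltoclr` domain pass as long as its clearance dominates only the new label's low level (`h1 dom l2`, the new high level is never compared), and the third disjunct exempts `mlsfilewrite` domains from the check altogether. Suggest replacing it with `# new file labels must be dominated by the relabeling subject's clearance, unless the subject is mlsfilerelabeltoclr (only the new low level must be dominated) or mlsfilewrite (exempt)`. Note also that the blanket exemption keys on the pre-existing mlsfilewrite attribute rather than on a relabel-specific one, so every domain already granted write-all-levels silently gains unconstrained relabelto at the same time; if that coupling is intended it should be stated in the commit message, otherwise a dedicated all-levels relabel attribute would keep the two privileges separately grantable.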
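Review bot: The interface summary `Make specified domain MLS trusted for relabelto to files up to its clearance.` overstates what the new constraint enforces, since the matching mlsconstrain branch in policy/mls only requires the subject's clearance to dominate the new label's low level and does not bound its high level. Suggest `Make specified domain MLS trusted for relabelto to file labels whose low level is dominated by the domain's clearance (the new label's high level is not constrained).` A short sentence noting that this only relaxes the MLS constraint and that the domain still needs the ordinary relabelto allow rules would also help callers, as the interface grants nothing by itself.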