diff --git a/Changelog b/Changelog index 6869c6e0..87b135bd 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- More complete labeled networking infrastructure from KaiGai Kohei. - Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs. - Patch to restructure user role templates to create restricted user roles diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index a8ec213b..a24cfb0a 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -2056,6 +2056,118 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; ') +######################################## +## +## Rules for receiving labeled TCP packets. +## +## +##

+## Rules for receiving labeled TCP packets. +##

+##

+## Due to the nature of TCP, this is bidirectional. +##

+##
+## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_tcp_recvfrom_labeled',` + allow { $1 $2 } self:association sendto; + allow $1 $2:{ association tcp_socket } recvfrom; + allow $2 $1:{ association tcp_socket } recvfrom; + + # Netlabel (CIPSO)-based labeled networking + # currently only supports MLS portion of label + corenet_tcp_recvfrom_netlabel($1) + corenet_tcp_recvfrom_netlabel($2) +') + +######################################## +## +## Rules for receiving labeled UDP packets. +## +## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_udp_recvfrom_labeled',` + allow $2 self:association sendto; + allow $1 $2:{ association udp_socket } recvfrom; + + # Netlabel (CIPSO)-based labeled networking + # currently only supports MLS portion of label + corenet_udp_recvfrom_netlabel($1) +') + +######################################## +## +## Rules for receiving labeled raw IP packets. +## +## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_raw_recvfrom_labeled',` + allow $2 self:association sendto; + allow $1 $2:{ association rawip_socket } recvfrom; + + # Netlabel (CIPSO)-based labeled networking + # currently only supports MLS portion of label + corenet_raw_recvfrom_netlabel($1) +') + +######################################## +## +## Rules for receiving labeled packets via TCP, UDP and raw IP. +## +## +##

+## Rules for receiving labeled packets via TCP, UDP and raw IP. +##

+##

+## Due to the nature of TCP, the rules (for TCP +## networking only) are bidirectional. +##

+##
+## +## +## Domain allowed access. +## +## +## +## +## Peer domain. +## +## +# +interface(`corenet_all_recvfrom_labeled',` + corenet_tcp_recvfrom_labeled($1,$2) + corenet_udp_recvfrom_labeled($1,$2) + corenet_raw_recvfrom_labeled($1,$2) +') + ######################################## ## ## Send generic client packets. diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 0b74810e..78a953b0 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -1269,12 +1269,7 @@ interface(`domain_all_recvfrom_all_domains',` attribute domain; ') - # IPSEC-based labeled networking - allow $1 domain:association recvfrom; - - # Netlabel (CIPSO)-based labeled networking - # currently only supports MLS portion of label - corenet_all_recvfrom_netlabel($1) + corenet_all_recvfrom_labeled($1,domain) ') ######################################## diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index a3bae431..20cb1e8d 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -369,14 +369,6 @@ tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') -tunable_policy(`httpd_can_network_connect_db',` - # allow httpd to connect to mysql/posgresql - corenet_tcp_connect_postgresql_port(httpd_t) - corenet_tcp_connect_mysqld_port(httpd_t) - corenet_sendrecv_postgresql_client_packets(httpd_t) - corenet_sendrecv_mysqld_client_packets(httpd_t) -') - tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) @@ -457,8 +449,14 @@ optional_policy(` ') optional_policy(` + # Allow httpd to work with mysql mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mysqld_port(httpd_t) + corenet_sendrecv_mysqld_client_packets(httpd_t) + ') ') optional_policy(` 
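Review bot: In `corenet_udp_recvfrom_labeled` and `corenet_raw_recvfrom_labeled` only the peer gets `self:association sendto` and only `$1` gets the `corenet_*_recvfrom_netlabel` rule, whereas the TCP interface above them grants both to both domains; the asymmetry is right for a one-way receive, but nothing in the bodies says so and a reader comparing the three interfaces may take it for an omission. A comment above the first allow rule of each would settle it, e.g. `# one-way: only the peer sends, $1 only receives`. The `peer_domain` parameter docs could also note that an attribute passed as `$2` expands every rule, including the reverse TCP rules and the peer's netlabel recvfrom, to all of its members.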
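Review bot: Replacing `allow $1 domain:association recvfrom;` with `corenet_all_recvfrom_labeled($1,domain)` in `domain_all_recvfrom_all_domains` changes more than the refactor suggests: because the TCP interface is bidirectional, the call also expands to `allow domain $1:{ association tcp_socket } recvfrom;`, `allow domain self:association sendto;` and `corenet_tcp_recvfrom_netlabel(domain)`, so every domain gains permissions whenever any caller invokes this interface for its own `$1`. The `tcp_socket`/`udp_socket`/`rawip_socket` recvfrom permissions are new as well; the old rule covered only the `association` class. If that widening is intended, the interface summary (the interface header is outside this hunk) should state that the rules apply in both directions and to all domains; if only `$1` is meant to receive, calling the UDP and raw interfaces directly and reconsidering the TCP reverse direction would keep the old meaning.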
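Review bot: Moving the `httpd_can_network_connect_db` rules out of the removed top-level `tunable_policy` and into the mysql and postgresql `optional_policy` blocks (second hunk here and the `@@ -476` hunk below) ties the tunable to those modules being built: with the tunable on but the mysql or postgresql module absent, httpd_t no longer receives `corenet_tcp_connect_*_port`/`corenet_sendrecv_*_client_packets`, which the old block granted unconditionally. If that is intended, the tunable's description (where it is declared, outside these hunks) should say the modules are required; otherwise keep the plain port-connect rules in a top-level `tunable_policy` and leave only the module interfaces inside the optional blocks. Note also that `postgresql_tcp_connect(httpd_t)` now brings `corenet_tcp_recvfrom_labeled(httpd_t,postgresql_t)` and `corenet_tcp_sendrecv_postgresql_port`, so httpd_t gains more than the two removed postgresql lines granted, while the mysql block still uses raw corenet calls; the two database blocks could be written the same way.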
@@ -476,6 +474,10 @@ optional_policy(` optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + ') ') optional_policy(` diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index da913c4c..a2caefad 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -79,7 +79,7 @@ interface(`postgresql_read_config',` ######################################## ## -## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated) +## Allow the specified domain to connect to postgresql with a tcp socket. ## ## ## @@ -88,7 +88,14 @@ interface(`postgresql_read_config',` ## # interface(`postgresql_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + gen_require(` + type postgresql_t; + ') + + corenet_tcp_recvfrom_labeled($1,postgresql_t) + corenet_tcp_sendrecv_postgresql_port($1) + corenet_tcp_connect_postgresql_port($1) + corenet_sendrecv_postgresql_client_packets($1) ') ######################################## diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index f3ec6c91..bed7ae08 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -153,6 +153,10 @@ optional_policy(` hostname_exec(postgresql_t) ') +optional_policy(` + ipsec_match_default_spd(postgresql_t) +') + optional_policy(` kerberos_use(postgresql_t) ') diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 73ddc51e..b84df8eb 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -109,6 +109,7 @@ interface(`ipsec_match_default_spd',` ') allow $1 ipsec_spd_t:association polmatch; + allow $1 self:association sendto; ') ######################################## 
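Review bot: `corenet_tcp_recvfrom_labeled($1,postgresql_t)` in the new `postgresql_tcp_connect` body is bidirectional, so this client-side interface now emits server-side rules: `allow postgresql_t $1:{ association tcp_socket } recvfrom;` and `corenet_tcp_recvfrom_netlabel(postgresql_t)` are added to postgresql_t once per caller. That works, but postgresql_t's own labeled-networking rules would be easier to audit in postgresql.te next to the new `ipsec_match_default_spd(postgresql_t)`, leaving only the client direction here. At minimum the summary edited in the previous hunk should say more than "connect to postgresql with a tcp socket", e.g. `## Allow the specified domain to connect to postgresql with a tcp socket, including labeled (IPsec/NetLabel) traffic in both directions.`, since callers of the formerly deprecated interface now silently gain these permissions where they used to get only a build warning.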
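Review bot: The added `allow $1 self:association sendto;` widens `ipsec_match_default_spd` for every existing caller, not only the new postgresql and userdomain callers, while the interface name and the `polmatch` rule suggest SPD matching only. A why-comment on the new line would help, e.g. `# sending over a labeled IPsec association requires sendto on the caller's own association`, and the interface summary (above the hunk) should mention the extra permission. If some callers should only match the SPD, a separate interface for the sendto rule would keep the two grants separable.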
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index d2bd492a..8d1747ce 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -548,6 +548,10 @@ template(`userdom_basic_networking_template',` corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) + + optional_policy(` + ipsec_match_default_spd($1_t) + ') ') ####################################### @@ -840,6 +844,7 @@ template(`userdom_common_user_template',` optional_policy(` tunable_policy(`allow_user_postgresql_connect',` postgresql_stream_connect($1_t) + postgresql_tcp_connect($1_t) ') ')
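Review bot: Adding `postgresql_tcp_connect($1_t)` under `allow_user_postgresql_connect` in the second hunk changes the tunable from unix-socket access to also permitting TCP connections to the postgresql port and, through the bidirectional `corenet_tcp_recvfrom_labeled`, granting postgresql_t recvfrom on the user domain's sockets. If the tunable's description (not in this hunk) mentions only the stream socket it should be updated, or the TCP part could sit under its own tunable so that local-only access remains selectable. The enclosing `userdom_common_user_template` begins outside the hunk.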