diff --git a/policy/mls b/policy/mls
index ddd5812f..a8e2a907 100644
--- a/policy/mls
+++ b/policy/mls
@@ -344,11 +344,15 @@ mlsconstrain msg send
# MLS policy for the fd class
#
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
+# No sharing of open file descriptors between levels unless
+# the process type is authorized to use fds created by
+# other levels (mlsfduse) or the fd type is authorized to
+# shared among levels (mlsfdshare).
+mlsconstrain fd use (
+ l1 eq l2
+ or t1 == mlsfduse
+ or t2 == mlsfdshare
+);
#
# MLS policy for the network object classes
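Review bot: The new comment on the `fd use` constraint does not say that the two attribute overrides are unconditional in both directions: a domain with `mlsfduse` may use a descriptor created at any level, higher or lower, and an fd type with `mlsfdshare` may be used by a process at any level, so neither attribute expresses a dominance relationship the way the rest of the MLS constraints presumably do. Since fd use is the only gate on inheriting an already-open descriptor, this matters when reviewing which domains get these attributes; the underlying object's own MLS constraints would still have to govern the reads and writes made through it, which I cannot confirm from this hunk. I would extend the comment with `# Both attributes bypass the level check entirely (no dominance test), so assign them only to domains that are already MLS-trusted for the data the descriptors can reach.` The comment also has a typo, `authorized to shared among levels` should read `authorized to be shared among levels`.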
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 8a1e89c6..5ca509e2 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -411,3 +411,43 @@ interface(`mls_trusted_object',`
typeattribute $1 mlstrustedobject;
')
+
+########################################
+##
+## Make the specified domain trusted
+## to inherit and use file descriptors
+## from all levels.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_fd_use_all_levels',`
+ gen_require(`
+ attribute mlsfduse;
+ ')
+
+ typeattribute $1 mlsfduse;
+')
+
+########################################
+##
+## Make the file descriptors from the
+## specifed domain inheritable by
+## all levels.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_fd_share_all_levels',`
+ gen_require(`
+ attribute mlsfdshare;
+ ')
+
+ typeattribute $1 mlsfdshare;
+')
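Review bot: The summary of `mls_fd_share_all_levels` misspells "specified" as `specifed`, and neither interface summary says that the attribute it grants is an MLS override rather than an ordinary allow, which is the one thing a policy author should know before calling it. I would reword the first summary to `## to inherit and use file descriptors from all levels (overrides the MLS fd use constraint).` and the second to `## Make the file descriptors created by the specified domain usable by processes at all levels (overrides the MLS fd use constraint).`. The documentation blocks appear to have lost their XML tags (summary/param markup), though that may be an artifact of how this diff was rendered rather than of the commit. The two context lines at the top of the hunk close `mls_trusted_object`, whose body starts outside the hunk.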
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 819a2df9..971d38e9 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.3.1)
+policy_module(mls,1.3.2)
########################################
#
@@ -47,6 +47,9 @@ attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
+attribute mlsfduse;
+attribute mlsfdshare;
+
########################################
#
# THIS IS A HACK