17 files changed, 487 insertions, 269 deletions

diff --git a/MAINTAINERS b/MAINTAINERS
index fbb6e45018f5..20dc1a125e24 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -13994,7 +13994,7 @@ W:	https://selinuxproject.org
 W:      https://github.com/SELinuxProject
 T:      git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
 S:      Supported
-F:      include/linux/selinux*
+F:      include/uapi/linux/selinux_netlink.h
 F:      security/selinux/
 F:      scripts/selinux/
 F:      Documentation/admin-guide/LSM/SELinux.rst
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 1e7a74b8e064..016ba88f7335 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -532,9 +532,6 @@ void kernfs_put(struct kernfs_node *kn)
         kfree_const(kn->name);
 
         if (kn->iattr) {
-                if (kn->iattr->ia_secdata)
-                        security_release_secctx(kn->iattr->ia_secdata,
-                                                kn->iattr->ia_secdata_len);
                 simple_xattrs_free(&kn->iattr->xattrs);
                 kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
         }
@@ -618,6 +615,7 @@ struct kernfs_node *kernfs_node_from_dentry(struct dentry *dentry)
 }
 
 static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
+                                             struct kernfs_node *parent,
                                              const char *name, umode_t mode,
                                              kuid_t uid, kgid_t gid,
                                              unsigned flags)
@@ -673,6 +671,12 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
                         goto err_out3;
         }
 
+        if (parent) {
+                ret = security_kernfs_init_security(parent, kn);
+                if (ret)
+                        goto err_out3;
+        }
+
         return kn;
 
  err_out3:
@@ -691,7 +695,7 @@ struct kernfs_node *kernfs_new_node(struct kernfs_node *parent,
 {
         struct kernfs_node *kn;
 
-        kn = __kernfs_new_node(kernfs_root(parent),
+        kn = __kernfs_new_node(kernfs_root(parent), parent,
                                name, mode, uid, gid, flags);
         if (kn) {
                 kernfs_get(parent);
@@ -794,9 +798,8 @@ int kernfs_add_one(struct kernfs_node *kn)
         /* Update timestamps on the parent */
         ps_iattr = parent->iattr;
         if (ps_iattr) {
-                struct iattr *ps_iattrs = &ps_iattr->ia_iattr;
-                ktime_get_real_ts64(&ps_iattrs->ia_ctime);
-                ps_iattrs->ia_mtime = ps_iattrs->ia_ctime;
+                ktime_get_real_ts64(&ps_iattr->ia_ctime);
+                ps_iattr->ia_mtime = ps_iattr->ia_ctime;
         }
 
         mutex_unlock(&kernfs_mutex);
@@ -961,7 +964,7 @@ struct kernfs_root *kernfs_create_root(struct kernfs_syscall_ops *scops,
         INIT_LIST_HEAD(&root->supers);
         root->next_generation = 1;
 
-        kn = __kernfs_new_node(root, "", S_IFDIR | S_IRUGO | S_IXUGO,
+        kn = __kernfs_new_node(root, NULL, "", S_IFDIR | S_IRUGO | S_IXUGO,
                                GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
                                KERNFS_DIR);
         if (!kn) {
@@ -1328,9 +1331,8 @@ static void __kernfs_remove(struct kernfs_node *kn)
 
                         /* update timestamps on the parent */
                         if (ps_iattr) {
-                                ktime_get_real_ts64(&ps_iattr->ia_iattr.ia_ctime);
-                                ps_iattr->ia_iattr.ia_mtime =
-                                        ps_iattr->ia_iattr.ia_ctime;
+                                ktime_get_real_ts64(&ps_iattr->ia_ctime);
+                                ps_iattr->ia_mtime = ps_iattr->ia_ctime;
                         }
 
                         kernfs_put(pos);
diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c
index 0c1fd945ce42..f89a0f13840e 100644
--- a/fs/kernfs/inode.c
+++ b/fs/kernfs/inode.c
@@ -31,30 +31,27 @@ static const struct inode_operations kernfs_iops = {
         .listxattr      = kernfs_iop_listxattr,
 };
 
-static struct kernfs_iattrs *kernfs_iattrs(struct kernfs_node *kn)
+static struct kernfs_iattrs *__kernfs_iattrs(struct kernfs_node *kn, int alloc)
 {
         static DEFINE_MUTEX(iattr_mutex);
         struct kernfs_iattrs *ret;
-        struct iattr *iattrs;
 
         mutex_lock(&iattr_mutex);
 
-        if (kn->iattr)
+        if (kn->iattr || !alloc)
                 goto out_unlock;
 
         kn->iattr = kmem_cache_zalloc(kernfs_iattrs_cache, GFP_KERNEL);
         if (!kn->iattr)
                 goto out_unlock;
-        iattrs = &kn->iattr->ia_iattr;
 
         /* assign default attributes */
-        iattrs->ia_mode = kn->mode;
-        iattrs->ia_uid = GLOBAL_ROOT_UID;
-        iattrs->ia_gid = GLOBAL_ROOT_GID;
+        kn->iattr->ia_uid = GLOBAL_ROOT_UID;
+        kn->iattr->ia_gid = GLOBAL_ROOT_GID;
 
-        ktime_get_real_ts64(&iattrs->ia_atime);
-        iattrs->ia_mtime = iattrs->ia_atime;
-        iattrs->ia_ctime = iattrs->ia_atime;
+        ktime_get_real_ts64(&kn->iattr->ia_atime);
+        kn->iattr->ia_mtime = kn->iattr->ia_atime;
+        kn->iattr->ia_ctime = kn->iattr->ia_atime;
 
         simple_xattrs_init(&kn->iattr->xattrs);
 out_unlock:
@@ -63,32 +60,37 @@ out_unlock:
         return ret;
 }
 
+static struct kernfs_iattrs *kernfs_iattrs(struct kernfs_node *kn)
+{
+        return __kernfs_iattrs(kn, 1);
+}
+
+static struct kernfs_iattrs *kernfs_iattrs_noalloc(struct kernfs_node *kn)
+{
+        return __kernfs_iattrs(kn, 0);
+}
+
 int __kernfs_setattr(struct kernfs_node *kn, const struct iattr *iattr)
 {
         struct kernfs_iattrs *attrs;
-        struct iattr *iattrs;
         unsigned int ia_valid = iattr->ia_valid;
 
         attrs = kernfs_iattrs(kn);
         if (!attrs)
                 return -ENOMEM;
 
-        iattrs = &attrs->ia_iattr;
-
         if (ia_valid & ATTR_UID)
-                iattrs->ia_uid = iattr->ia_uid;
+                attrs->ia_uid = iattr->ia_uid;
         if (ia_valid & ATTR_GID)
-                iattrs->ia_gid = iattr->ia_gid;
+                attrs->ia_gid = iattr->ia_gid;
         if (ia_valid & ATTR_ATIME)
-                iattrs->ia_atime = iattr->ia_atime;
+                attrs->ia_atime = iattr->ia_atime;
         if (ia_valid & ATTR_MTIME)
-                iattrs->ia_mtime = iattr->ia_mtime;
+                attrs->ia_mtime = iattr->ia_mtime;
         if (ia_valid & ATTR_CTIME)
-                iattrs->ia_ctime = iattr->ia_ctime;
-        if (ia_valid & ATTR_MODE) {
-                umode_t mode = iattr->ia_mode;
-                iattrs->ia_mode = kn->mode = mode;
-        }
+                attrs->ia_ctime = iattr->ia_ctime;
+        if (ia_valid & ATTR_MODE)
+                kn->mode = iattr->ia_mode;
         return 0;
 }
 
@@ -135,23 +137,6 @@ out:
         return error;
 }
 
-static int kernfs_node_setsecdata(struct kernfs_iattrs *attrs, void **secdata,
-                                  u32 *secdata_len)
-{
-        void *old_secdata;
-        size_t old_secdata_len;
-
-        old_secdata = attrs->ia_secdata;
-        old_secdata_len = attrs->ia_secdata_len;
-
-        attrs->ia_secdata = *secdata;
-        attrs->ia_secdata_len = *secdata_len;
-
-        *secdata = old_secdata;
-        *secdata_len = old_secdata_len;
-        return 0;
-}
-
 ssize_t kernfs_iop_listxattr(struct dentry *dentry, char *buf, size_t size)
 {
         struct kernfs_node *kn = kernfs_dentry_node(dentry);
@@ -171,14 +156,15 @@ static inline void set_default_inode_attr(struct inode *inode, umode_t mode)
                 inode->i_ctime = current_time(inode);
 }
 
-static inline void set_inode_attr(struct inode *inode, struct iattr *iattr)
+static inline void set_inode_attr(struct inode *inode,
+                                  struct kernfs_iattrs *attrs)
 {
         struct super_block *sb = inode->i_sb;
-        inode->i_uid = iattr->ia_uid;
-        inode->i_gid = iattr->ia_gid;
-        inode->i_atime = timespec64_trunc(iattr->ia_atime, sb->s_time_gran);
-        inode->i_mtime = timespec64_trunc(iattr->ia_mtime, sb->s_time_gran);
-        inode->i_ctime = timespec64_trunc(iattr->ia_ctime, sb->s_time_gran);
+        inode->i_uid = attrs->ia_uid;
+        inode->i_gid = attrs->ia_gid;
+        inode->i_atime = timespec64_trunc(attrs->ia_atime, sb->s_time_gran);
+        inode->i_mtime = timespec64_trunc(attrs->ia_mtime, sb->s_time_gran);
+        inode->i_ctime = timespec64_trunc(attrs->ia_ctime, sb->s_time_gran);
 }
 
 static void kernfs_refresh_inode(struct kernfs_node *kn, struct inode *inode)
@@ -186,15 +172,12 @@ static void kernfs_refresh_inode(struct kernfs_node *kn, struct inode *inode)
         struct kernfs_iattrs *attrs = kn->iattr;
 
         inode->i_mode = kn->mode;
-        if (attrs) {
+        if (attrs)
                 /*
                  * kernfs_node has non-default attributes get them from
                  * persistent copy in kernfs_node.
                  */
-                set_inode_attr(inode, &attrs->ia_iattr);
-                security_inode_notifysecctx(inode, attrs->ia_secdata,
-                                            attrs->ia_secdata_len);
-        }
+                set_inode_attr(inode, attrs);
 
         if (kernfs_type(kn) == KERNFS_DIR)
                 set_nlink(inode, kn->dir.subdirs + 2);
@@ -305,78 +288,57 @@ int kernfs_iop_permission(struct inode *inode, int mask)
         return generic_permission(inode, mask);
 }
 
-static int kernfs_xattr_get(const struct xattr_handler *handler,
-                            struct dentry *unused, struct inode *inode,
-                            const char *suffix, void *value, size_t size)
+int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
+                     void *value, size_t size)
 {
-        const char *name = xattr_full_name(handler, suffix);
-        struct kernfs_node *kn = inode->i_private;
-        struct kernfs_iattrs *attrs;
-
-        attrs = kernfs_iattrs(kn);
+        struct kernfs_iattrs *attrs = kernfs_iattrs_noalloc(kn);
         if (!attrs)
-                return -ENOMEM;
+                return -ENODATA;
 
         return simple_xattr_get(&attrs->xattrs, name, value, size);
 }
 
-static int kernfs_xattr_set(const struct xattr_handler *handler,
-                            struct dentry *unused, struct inode *inode,
-                            const char *suffix, const void *value,
-                            size_t size, int flags)
+int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
+                     const void *value, size_t size, int flags)
 {
-        const char *name = xattr_full_name(handler, suffix);
-        struct kernfs_node *kn = inode->i_private;
-        struct kernfs_iattrs *attrs;
-
-        attrs = kernfs_iattrs(kn);
+        struct kernfs_iattrs *attrs = kernfs_iattrs(kn);
         if (!attrs)
                 return -ENOMEM;
 
         return simple_xattr_set(&attrs->xattrs, name, value, size, flags);
 }
 
-static const struct xattr_handler kernfs_trusted_xattr_handler = {
-        .prefix = XATTR_TRUSTED_PREFIX,
-        .get = kernfs_xattr_get,
-        .set = kernfs_xattr_set,
-};
-
-static int kernfs_security_xattr_set(const struct xattr_handler *handler,
-                                     struct dentry *unused, struct inode *inode,
-                                     const char *suffix, const void *value,
-                                     size_t size, int flags)
+static int kernfs_vfs_xattr_get(const struct xattr_handler *handler,
+                                struct dentry *unused, struct inode *inode,
+                                const char *suffix, void *value, size_t size)
 {
+        const char *name = xattr_full_name(handler, suffix);
         struct kernfs_node *kn = inode->i_private;
-        struct kernfs_iattrs *attrs;
-        void *secdata;
-        u32 secdata_len = 0;
-        int error;
-
-        attrs = kernfs_iattrs(kn);
-        if (!attrs)
-                return -ENOMEM;
 
-        error = security_inode_setsecurity(inode, suffix, value, size, flags);
-        if (error)
-                return error;
-        error = security_inode_getsecctx(inode, &secdata, &secdata_len);
-        if (error)
-                return error;
+        return kernfs_xattr_get(kn, name, value, size);
+}
 
-        mutex_lock(&kernfs_mutex);
-        error = kernfs_node_setsecdata(attrs, &secdata, &secdata_len);
-        mutex_unlock(&kernfs_mutex);
+static int kernfs_vfs_xattr_set(const struct xattr_handler *handler,
+                                struct dentry *unused, struct inode *inode,
+                                const char *suffix, const void *value,
+                                size_t size, int flags)
+{
+        const char *name = xattr_full_name(handler, suffix);
+        struct kernfs_node *kn = inode->i_private;
 
-        if (secdata)
-                security_release_secctx(secdata, secdata_len);
-        return error;
+        return kernfs_xattr_set(kn, name, value, size, flags);
 }
 
+static const struct xattr_handler kernfs_trusted_xattr_handler = {
+        .prefix = XATTR_TRUSTED_PREFIX,
+        .get = kernfs_vfs_xattr_get,
+        .set = kernfs_vfs_xattr_set,
+};
+
 static const struct xattr_handler kernfs_security_xattr_handler = {
         .prefix = XATTR_SECURITY_PREFIX,
-        .get = kernfs_xattr_get,
-        .set = kernfs_security_xattr_set,
+        .get = kernfs_vfs_xattr_get,
+        .set = kernfs_vfs_xattr_set,
 };
 
 const struct xattr_handler *kernfs_xattr_handlers[] = {
diff --git a/fs/kernfs/kernfs-internal.h b/fs/kernfs/kernfs-internal.h
index 0b7d197a904c..3c437990f39a 100644
--- a/fs/kernfs/kernfs-internal.h
+++ b/fs/kernfs/kernfs-internal.h
@@ -20,9 +20,11 @@
 #include <linux/fs_context.h>
 
 struct kernfs_iattrs {
-        struct iattr            ia_iattr;
-        void                    *ia_secdata;
-        u32                     ia_secdata_len;
+        kuid_t                  ia_uid;
+        kgid_t                  ia_gid;
+        struct timespec64       ia_atime;
+        struct timespec64       ia_mtime;
+        struct timespec64       ia_ctime;
 
         struct simple_xattrs    xattrs;
 };
diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c
index 162f43b80c84..eb46c3a16e2f 100644
--- a/fs/kernfs/symlink.c
+++ b/fs/kernfs/symlink.c
@@ -33,8 +33,8 @@ struct kernfs_node *kernfs_create_link(struct kernfs_node *parent,
         kgid_t gid = GLOBAL_ROOT_GID;
 
         if (target->iattr) {
-                uid = target->iattr->ia_iattr.ia_uid;
-                gid = target->iattr->ia_iattr.ia_gid;
+                uid = target->iattr->ia_uid;
+                gid = target->iattr->ia_gid;
         }
 
         kn = kernfs_new_node(parent, name, S_IFLNK|S_IRWXUGO, uid, gid,
diff --git a/fs/proc/base.c b/fs/proc/base.c
index f179568b4c76..b6ccb6c57706 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2535,6 +2535,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
                 rcu_read_unlock();
                 return -EACCES;
         }
+        /* Prevent changes to overridden credentials. */
+        if (current_cred() != current_real_cred()) {
+                rcu_read_unlock();
+                return -EBUSY;
+        }
         rcu_read_unlock();
 
         if (count > PAGE_SIZE)
diff --git a/include/linux/kernfs.h b/include/linux/kernfs.h
index e446ab97ee0c..2bf477f86eb1 100644
--- a/include/linux/kernfs.h
+++ b/include/linux/kernfs.h
@@ -371,6 +371,11 @@ __poll_t kernfs_generic_poll(struct kernfs_open_file *of,
                              struct poll_table_struct *pt);
 void kernfs_notify(struct kernfs_node *kn);
 
+int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
+                     void *value, size_t size);
+int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
+                     const void *value, size_t size, int flags);
+
 const void *kernfs_super_ns(struct super_block *sb);
 int kernfs_get_tree(struct fs_context *fc);
 void kernfs_free_fs_context(struct fs_context *fc);
@@ -473,6 +478,14 @@ static inline int kernfs_setattr(struct kernfs_node *kn,
 
 static inline void kernfs_notify(struct kernfs_node *kn) { }
 
+static inline int kernfs_xattr_get(struct kernfs_node *kn, const char *name,
+                                   void *value, size_t size)
+{ return -ENOSYS; }
+
+static inline int kernfs_xattr_set(struct kernfs_node *kn, const char *name,
+                                   const void *value, size_t size, int flags)
+{ return -ENOSYS; }
+
 static inline const void *kernfs_super_ns(struct super_block *sb)
 { return NULL; }
 
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index a240a3fc5fc4..f7e55d0d2672 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -445,6 +445,15 @@
  *      to abort the copy up. Note that the caller is responsible for reading
  *      and writing the xattrs as this hook is merely a filter.
  *
+ * Security hooks for kernfs node operations
+ *
+ * @kernfs_init_security:
+ *      Initialize the security context of a newly created kernfs node based
+ *      on its own and its parent's attributes.
+ *
+ *      @kn_dir the parent kernfs node
+ *      @kn the new child kernfs node
+ *
  * Security hooks for file operations
  *
  * @file_permission:
@@ -1570,6 +1579,9 @@ union security_list_options {
         int (*inode_copy_up)(struct dentry *src, struct cred **new);
         int (*inode_copy_up_xattr)(const char *name);
 
+        int (*kernfs_init_security)(struct kernfs_node *kn_dir,
+                                    struct kernfs_node *kn);
+
         int (*file_permission)(struct file *file, int mask);
         int (*file_alloc_security)(struct file *file);
         void (*file_free_security)(struct file *file);
@@ -1871,6 +1883,7 @@ struct security_hook_heads {
         struct hlist_head inode_getsecid;
         struct hlist_head inode_copy_up;
         struct hlist_head inode_copy_up_xattr;
+        struct hlist_head kernfs_init_security;
         struct hlist_head file_permission;
         struct hlist_head file_alloc_security;
         struct hlist_head file_free_security;
diff --git a/include/linux/security.h b/include/linux/security.h
index 49f2685324b0..d543293216b9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -51,6 +51,7 @@ struct fown_struct;
 struct file_operations;
 struct msg_msg;
 struct xattr;
+struct kernfs_node;
 struct xfrm_sec_ctx;
 struct mm_struct;
 struct fs_context;
@@ -299,6 +300,8 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
 void security_inode_getsecid(struct inode *inode, u32 *secid);
 int security_inode_copy_up(struct dentry *src, struct cred **new);
 int security_inode_copy_up_xattr(const char *name);
+int security_kernfs_init_security(struct kernfs_node *kn_dir,
+                                  struct kernfs_node *kn);
 int security_file_permission(struct file *file, int mask);
 int security_file_alloc(struct file *file);
 void security_file_free(struct file *file);
@@ -801,6 +804,12 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
         return 0;
 }
 
+static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
+                                                struct kernfs_node *kn)
+{
+        return 0;
+}
+
 static inline int security_inode_copy_up_xattr(const char *name)
 {
         return -EOPNOTSUPP;
diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..2dccf141241d 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -1,30 +1,61 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+set -e
 if [ `id -u` -ne 0 ]; then
         echo "$0: must be root to install the selinux policy"
         exit 1
 fi
+
 SF=`which setfiles`
 if [ $? -eq 1 ]; then
-        if [ -f /sbin/setfiles ]; then
-                SF="/usr/setfiles"
-        else
-                echo "no selinux tools installed: setfiles"
-                exit 1
-        fi
+        echo "Could not find setfiles"
+        echo "Do you have policycoreutils installed?"
+        exit 1
 fi
 
-cd mdp
-
 CP=`which checkpolicy`
+if [ $? -eq 1 ]; then
+        echo "Could not find checkpolicy"
+        echo "Do you have checkpolicy installed?"
+        exit 1
+fi
 VERS=`$CP -V | awk '{print $1}'`
 
-./mdp policy.conf file_contexts
-$CP -o policy.$VERS policy.conf
+ENABLED=`which selinuxenabled`
+if [ $? -eq 1 ]; then
+        echo "Could not find selinuxenabled"
+        echo "Do you have libselinux-utils installed?"
+        exit 1
+fi
+
+if selinuxenabled; then
+    echo "SELinux is already enabled"
+    echo "This prevents safely relabeling all files."
+    echo "Boot with selinux=0 on the kernel command-line or"
+    echo "SELINUX=disabled in /etc/selinux/config."
+    exit 1
+fi
+
+cd mdp
+./mdp -m policy.conf file_contexts
+$CP -U allow -M -o policy.$VERS policy.conf
 
 mkdir -p /etc/selinux/dummy/policy
 mkdir -p /etc/selinux/dummy/contexts/files
 
+echo "__default__:user_u:s0" > /etc/selinux/dummy/seusers
+echo "base_r:base_t:s0" > /etc/selinux/dummy/contexts/failsafe_context
+echo "base_r:base_t:s0 base_r:base_t:s0" > /etc/selinux/dummy/default_contexts
+cat > /etc/selinux/dummy/contexts/x_contexts <<EOF
+client * user_u:base_r:base_t:s0
+property * user_u:object_r:base_t:s0
+extension * user_u:object_r:base_t:s0
+selection * user_u:object_r:base_t:s0
+event * user_u:object_r:base_t:s0
+EOF
+touch /etc/selinux/dummy/contexts/virtual_domain_context
+touch /etc/selinux/dummy/contexts/virtual_image_context
+
 cp file_contexts /etc/selinux/dummy/contexts/files
 cp dbus_contexts /etc/selinux/dummy/contexts
 cp policy.$VERS /etc/selinux/dummy/policy
@@ -33,37 +64,22 @@ FC_FILE=/etc/selinux/dummy/contexts/files/file_contexts
 if [ ! -d /etc/selinux ]; then
         mkdir -p /etc/selinux
 fi
-if [ ! -f /etc/selinux/config ]; then
-        cat > /etc/selinux/config << EOF
-SELINUX=enforcing
+if [ -f /etc/selinux/config ]; then
+    echo "/etc/selinux/config exists, moving to /etc/selinux/config.bak."
+    mv /etc/selinux/config /etc/selinux/config.bak
+fi
+echo "Creating new /etc/selinux/config for dummy policy."
+cat > /etc/selinux/config << EOF
+SELINUX=permissive
 SELINUXTYPE=dummy
 EOF
-else
-        TYPE=`cat /etc/selinux/config | grep "^SELINUXTYPE" | tail -1 | awk -F= '{ print $2 '}`
-        if [ "eq$TYPE" != "eqdummy" ]; then
-                selinuxenabled
-                if [ $? -eq 0 ]; then
-                        echo "SELinux already enabled with a non-dummy policy."
-                        echo "Exiting.  Please install policy by hand if that"
-                        echo "is what you REALLY want."
-                        exit 1
-                fi
-                mv /etc/selinux/config /etc/selinux/config.mdpbak
-                grep -v "^SELINUXTYPE" /etc/selinux/config.mdpbak >> /etc/selinux/config
-                echo "SELINUXTYPE=dummy" >> /etc/selinux/config
-        fi
-fi
 
 cd /etc/selinux/dummy/contexts/files
-$SF file_contexts /
+$SF -F file_contexts /
 
-mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}`
-$SF file_contexts $mounts
+mounts=`cat /proc/$$/mounts | \
+        egrep "ext[234]|jfs|xfs|reiserfs|jffs2|gfs2|btrfs|f2fs|ocfs2" | \
+        awk '{ print $2 '}`
+$SF -F file_contexts $mounts
 
-
-dodev=`cat /proc/$$/mounts | grep "/dev "`
-if [ "eq$dodev" != "eq" ]; then
-        mount --move /dev /mnt
-        $SF file_contexts /dev
-        mount --move /mnt /dev
-fi
+echo "-F" > /.autorelabel
diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile
index e9c92db7e2a3..8a1269a9d0ba 100644
--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -2,7 +2,7 @@
 hostprogs-y     := mdp
 HOST_EXTRACFLAGS += \
         -I$(srctree)/include/uapi -I$(srctree)/include \
-        -I$(srctree)/security/selinux/include
+        -I$(srctree)/security/selinux/include -I$(objtree)/include
 
 always          := $(hostprogs-y)
 clean-files     := policy.* file_contexts
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 6d51b74bc679..18fd6143888b 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <linux/kconfig.h>
 
 static void usage(char *name)
 {
@@ -94,10 +95,31 @@ int main(int argc, char *argv[])
         }
         fprintf(fout, "\n");
 
-        /* NOW PRINT OUT MLS STUFF */
+        /* print out mls declarations and constraints */
         if (mls) {
-                printf("MLS not yet implemented\n");
-                exit(1);
+                fprintf(fout, "sensitivity s0;\n");
+                fprintf(fout, "sensitivity s1;\n");
+                fprintf(fout, "dominance { s0 s1 }\n");
+                fprintf(fout, "category c0;\n");
+                fprintf(fout, "category c1;\n");
+                fprintf(fout, "level s0:c0.c1;\n");
+                fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+                for (i = 0; secclass_map[i].name; i++) {
+                        struct security_class_mapping *map = &secclass_map[i];
+
+                        fprintf(fout, "mlsconstrain %s {\n", map->name);
+                        for (j = 0; map->perms[j]; j++)
+                                fprintf(fout, "\t%s\n", map->perms[j]);
+                        /*
+                         * This requires all subjects and objects to be
+                         * single-level (l2 eq h2), and that the subject
+                         * level dominate the object level (h1 dom h2)
+                         * in order to have any permissions to it.
+                         */
+                        fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+                }
         }
 
         /* types, roles, and allows */
@@ -107,34 +129,127 @@ int main(int argc, char *argv[])
         for (i = 0; secclass_map[i].name; i++)
                 fprintf(fout, "allow base_t base_t:%s *;\n",
                         secclass_map[i].name);
-        fprintf(fout, "user user_u roles { base_r };\n");
-        fprintf(fout, "\n");
+        fprintf(fout, "user user_u roles { base_r }");
+        if (mls)
+                fprintf(fout, " level %s range %s - %s", SYSTEMLOW,
+                        SYSTEMLOW, SYSTEMHIGH);
+        fprintf(fout, ";\n");
+
+#define SUBJUSERROLETYPE "user_u:base_r:base_t"
+#define OBJUSERROLETYPE "user_u:object_r:base_t"
 
         /* default sids */
         for (i = 1; i < initial_sid_to_string_len; i++)
-                fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+                fprintf(fout, "sid %s " SUBJUSERROLETYPE "%s\n",
+                        initial_sid_to_string[i], mls ? ":" SYSTEMLOW : "");
         fprintf(fout, "\n");
 
-        fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+#define FS_USE(behavior, fstype)                            \
+        fprintf(fout, "fs_use_%s %s " OBJUSERROLETYPE "%s;\n", \
+                behavior, fstype, mls ? ":" SYSTEMLOW : "")
+
+        /*
+         * Filesystems whose inode labels can be fetched via getxattr.
+         */
+#ifdef CONFIG_EXT2_FS_SECURITY
+        FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+#ifdef CONFIG_EXT4_USE_FOR_EXT2
+        FS_USE("xattr", "ext2");
+#endif
+        FS_USE("xattr", "ext3");
+        FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+        FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+        FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+        FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+        FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+        FS_USE("xattr", "gfs2");
+#endif
+#ifdef CONFIG_BTRFS_FS
+        FS_USE("xattr", "btrfs");
+#endif
+#ifdef CONFIG_F2FS_FS_SECURITY
+        FS_USE("xattr", "f2fs");
+#endif
+#ifdef CONFIG_OCFS2_FS
+        FS_USE("xattr", "ocsfs2");
+#endif
+#ifdef CONFIG_OVERLAY_FS
+        FS_USE("xattr", "overlay");
+#endif
+#ifdef CONFIG_SQUASHFS_XATTR
+        FS_USE("xattr", "squashfs");
+#endif
+
+        /*
+         * Filesystems whose inodes are labeled from allocating task.
+         */
+        FS_USE("task", "pipefs");
+        FS_USE("task", "sockfs");
 
-        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
+        /*
+         * Filesystems whose inode labels are computed from both
+         * the allocating task and the superblock label.
+         */
+#ifdef CONFIG_UNIX98_PTYS
+        FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+        FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+        FS_USE("trans", "tmpfs");
+#endif
+#ifdef CONFIG_DEVTMPFS
+        FS_USE("trans", "devtmpfs");
+#endif
+#ifdef CONFIG_POSIX_MQUEUE
+        FS_USE("trans", "mqueue");
+#endif
 
-        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-        fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
+#define GENFSCON(fstype, prefix)                             \
+        fprintf(fout, "genfscon %s %s " OBJUSERROLETYPE "%s\n", \
+                fstype, prefix, mls ? ":" SYSTEMLOW : "")
 
-        fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+        /*
+         * Filesystems whose inodes are labeled from path prefix match
+         * relative to the filesystem root.  Depending on the filesystem,
+         * only a single label for all inodes may be supported.  Here
+         * we list the filesystem types for which per-file labeling is
+         * supported using genfscon; any other filesystem type can also
+         * be added by only with a single entry for all of its inodes.
+         */
+#ifdef CONFIG_PROC_FS
+        GENFSCON("proc", "/");
+#endif
+#ifdef CONFIG_SECURITY_SELINUX
+        GENFSCON("selinuxfs", "/");
+#endif
+#ifdef CONFIG_SYSFS
+        GENFSCON("sysfs", "/");
+#endif
+#ifdef CONFIG_DEBUG_FS
+        GENFSCON("debugfs", "/");
+#endif
+#ifdef CONFIG_TRACING
+        GENFSCON("tracefs", "/");
+#endif
+#ifdef CONFIG_PSTORE
+        GENFSCON("pstore", "/");
+#endif
+        GENFSCON("cgroup", "/");
+        GENFSCON("cgroup2", "/");
 
         fclose(fout);
 
@@ -143,8 +258,8 @@ int main(int argc, char *argv[])
                 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
                 usage(argv[0]);
         }
-        fprintf(fout, "/ user_u:base_r:base_t\n");
-        fprintf(fout, "/.* user_u:base_r:base_t\n");
+        fprintf(fout, "/ " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
+        fprintf(fout, "/.* " OBJUSERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
         fclose(fout);
 
         return 0;
diff --git a/security/security.c b/security/security.c
index 23cbb1a295a3..8d6ef9da94eb 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1318,6 +1318,12 @@ int security_inode_copy_up_xattr(const char *name)
 }
 EXPORT_SYMBOL(security_inode_copy_up_xattr);
 
+int security_kernfs_init_security(struct kernfs_node *kn_dir,
+                                  struct kernfs_node *kn)
+{
+        return call_int_hook(kernfs_init_security, 0, kn_dir, kn);
+}
+
 int security_file_permission(struct file *file, int mask)
 {
         int ret;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1d0b37af2444..c61787b15f27 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -89,6 +89,8 @@
 #include <linux/msg.h>
 #include <linux/shm.h>
 #include <linux/bpf.h>
+#include <linux/kernfs.h>
+#include <linux/stringhash.h>   /* for hashlen_string() */
 #include <uapi/linux/mount.h>
 
 #include "avc.h"
@@ -751,11 +753,13 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 
         if (!strcmp(sb->s_type->name, "debugfs") ||
             !strcmp(sb->s_type->name, "tracefs") ||
-            !strcmp(sb->s_type->name, "sysfs") ||
-            !strcmp(sb->s_type->name, "pstore") ||
+            !strcmp(sb->s_type->name, "pstore"))
+                sbsec->flags |= SE_SBGENFS;
+
+        if (!strcmp(sb->s_type->name, "sysfs") ||
             !strcmp(sb->s_type->name, "cgroup") ||
             !strcmp(sb->s_type->name, "cgroup2"))
-                sbsec->flags |= SE_SBGENFS;
+                sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
 
         if (!sbsec->behavior) {
                 /*
@@ -1354,6 +1358,67 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
         return rc;
 }
 
+static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
+                                  u32 def_sid, u32 *sid)
+{
+#define INITCONTEXTLEN 255
+        char *context;
+        unsigned int len;
+        int rc;
+
+        len = INITCONTEXTLEN;
+        context = kmalloc(len + 1, GFP_NOFS);
+        if (!context)
+                return -ENOMEM;
+
+        context[len] = '\0';
+        rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
+        if (rc == -ERANGE) {
+                kfree(context);
+
+                /* Need a larger buffer.  Query for the right size. */
+                rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
+                if (rc < 0)
+                        return rc;
+
+                len = rc;
+                context = kmalloc(len + 1, GFP_NOFS);
+                if (!context)
+                        return -ENOMEM;
+
+                context[len] = '\0';
+                rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
+                                    context, len);
+        }
+        if (rc < 0) {
+                kfree(context);
+                if (rc != -ENODATA) {
+                        pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
+                                __func__, -rc, inode->i_sb->s_id, inode->i_ino);
+                        return rc;
+                }
+                *sid = def_sid;
+                return 0;
+        }
+
+        rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
+                                             def_sid, GFP_NOFS);
+        if (rc) {
+                char *dev = inode->i_sb->s_id;
+                unsigned long ino = inode->i_ino;
+
+                if (rc == -EINVAL) {
+                        pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
+                                              ino, dev, context);
+                } else {
+                        pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
+                                __func__, context, -rc, dev, ino);
+                }
+        }
+        kfree(context);
+        return 0;
+}
+
 /* The inode's security attributes must be initialized before first use. */
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
 {
@@ -1362,9 +1427,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
         u32 task_sid, sid = 0;
         u16 sclass;
         struct dentry *dentry;
-#define INITCONTEXTLEN 255
-        char *context = NULL;
-        unsigned len = 0;
         int rc = 0;
 
         if (isec->initialized == LABEL_INITIALIZED)
@@ -1432,72 +1494,11 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                         goto out;
                 }
 
-                len = INITCONTEXTLEN;
-                context = kmalloc(len+1, GFP_NOFS);
-                if (!context) {
-                        rc = -ENOMEM;
-                        dput(dentry);
-                        goto out;
-                }
-                context[len] = '\0';
-                rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
-                if (rc == -ERANGE) {
-                        kfree(context);
-
-                        /* Need a larger buffer.  Query for the right size. */
-                        rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
-                        if (rc < 0) {
-                                dput(dentry);
-                                goto out;
-                        }
-                        len = rc;
-                        context = kmalloc(len+1, GFP_NOFS);
-                        if (!context) {
-                                rc = -ENOMEM;
-                                dput(dentry);
-                                goto out;
-                        }
-                        context[len] = '\0';
-                        rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
-                }
+                rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
+                                            &sid);
                 dput(dentry);
-                if (rc < 0) {
-                        if (rc != -ENODATA) {
-                                pr_warn("SELinux: %s:  getxattr returned "
-                                       "%d for dev=%s ino=%ld\n", __func__,
-                                       -rc, inode->i_sb->s_id, inode->i_ino);
-                                kfree(context);
-                                goto out;
-                        }
-                        /* Map ENODATA to the default file SID */
-                        sid = sbsec->def_sid;
-                        rc = 0;
-                } else {
-                        rc = security_context_to_sid_default(&selinux_state,
-                                                             context, rc, &sid,
-                                                             sbsec->def_sid,
-                                                             GFP_NOFS);
-                        if (rc) {
-                                char *dev = inode->i_sb->s_id;
-                                unsigned long ino = inode->i_ino;
-
-                                if (rc == -EINVAL) {
-                                        if (printk_ratelimit())
-                                                pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
-                                                        "context=%s.  This indicates you may need to relabel the inode or the "
-                                                        "filesystem in question.\n", ino, dev, context);
-                                } else {
-                                        pr_warn("SELinux: %s:  context_to_sid(%s) "
-                                               "returned %d for dev=%s ino=%ld\n",
-                                               __func__, context, -rc, dev, ino);
-                                }
-                                kfree(context);
-                                /* Leave with the unlabeled SID */
-                                rc = 0;
-                                break;
-                        }
-                }
-                kfree(context);
+                if (rc)
+                        goto out;
                 break;
         case SECURITY_FS_USE_TASK:
                 sid = task_sid;
@@ -1548,9 +1549,21 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                                 goto out;
                         rc = selinux_genfs_get_sid(dentry, sclass,
                                                    sbsec->flags, &sid);
-                        dput(dentry);
-                        if (rc)
+                        if (rc) {
+                                dput(dentry);
                                 goto out;
+                        }
+
+                        if ((sbsec->flags & SE_SBGENFS_XATTR) &&
+                            (inode->i_opflags & IOP_XATTR)) {
+                                rc = inode_doinit_use_xattr(inode, dentry,
+                                                            sid, &sid);
+                                if (rc) {
+                                        dput(dentry);
+                                        goto out;
+                                }
+                        }
+                        dput(dentry);
                 }
                 break;
         }
@@ -3371,6 +3384,67 @@ static int selinux_inode_copy_up_xattr(const char *name)
         return -EOPNOTSUPP;
 }
 
+/* kernfs node operations */
+
+static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
+                                        struct kernfs_node *kn)
+{
+        const struct task_security_struct *tsec = current_security();
+        u32 parent_sid, newsid, clen;
+        int rc;
+        char *context;
+
+        rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
+        if (rc == -ENODATA)
+                return 0;
+        else if (rc < 0)
+                return rc;
+
+        clen = (u32)rc;
+        context = kmalloc(clen, GFP_KERNEL);
+        if (!context)
+                return -ENOMEM;
+
+        rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
+        if (rc < 0) {
+                kfree(context);
+                return rc;
+        }
+
+        rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
+                                     GFP_KERNEL);
+        kfree(context);
+        if (rc)
+                return rc;
+
+        if (tsec->create_sid) {
+                newsid = tsec->create_sid;
+        } else {
+                u16 secclass = inode_mode_to_security_class(kn->mode);
+                struct qstr q;
+
+                q.name = kn->name;
+                q.hash_len = hashlen_string(kn_dir, kn->name);
+
+                rc = security_transition_sid(&selinux_state, tsec->sid,
+                                             parent_sid, secclass, &q,
+                                             &newsid);
+                if (rc)
+                        return rc;
+        }
+
+        rc = security_sid_to_context_force(&selinux_state, newsid,
+                                           &context, &clen);
+        if (rc)
+                return rc;
+
+        rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
+                              XATTR_CREATE);
+        kfree(context);
+        return rc;
+}
+
+
 /* file security operations */
 
 static int selinux_revalidate_file_permission(struct file *file, int mask)
@@ -4438,7 +4512,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                 struct lsm_network_audit net = {0,};
                 struct sockaddr_in *addr4 = NULL;
                 struct sockaddr_in6 *addr6 = NULL;
-                u16 family_sa = address->sa_family;
+                u16 family_sa;
                 unsigned short snum;
                 u32 sid, node_perm;
 
@@ -4448,6 +4522,9 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                  * need to check address->sa_family as it is possible to have
                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
                  */
+                if (addrlen < offsetofend(struct sockaddr, sa_family))
+                        return -EINVAL;
+                family_sa = address->sa_family;
                 switch (family_sa) {
                 case AF_UNSPEC:
                 case AF_INET:
@@ -4580,6 +4657,8 @@ static int selinux_socket_connect_helper(struct socket *sock,
                  * need to check address->sa_family as it is possible to have
                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
                  */
+                if (addrlen < offsetofend(struct sockaddr, sa_family))
+                        return -EINVAL;
                 switch (address->sa_family) {
                 case AF_INET:
                         addr4 = (struct sockaddr_in *)address;
@@ -6719,6 +6798,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
         LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
         LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
 
+        LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
+
         LSM_HOOK_INIT(file_permission, selinux_file_permission),
         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b5b7c5aade8c..111121281c47 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -58,6 +58,7 @@
 #define SE_SBINITIALIZED        0x0100
 #define SE_SBPROC               0x0200
 #define SE_SBGENFS              0x0400
+#define SE_SBGENFS_XATTR        0x0800
 
 #define CONTEXT_STR     "context"
 #define FSCONTEXT_STR   "fscontext"
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 186e727b737b..6fd9954e1c08 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -288,11 +288,8 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
         int rc;
         struct netlbl_lsm_secattr secattr;
         struct sk_security_struct *sksec = ep->base.sk->sk_security;
-        struct sockaddr *addr;
         struct sockaddr_in addr4;
-#if IS_ENABLED(CONFIG_IPV6)
         struct sockaddr_in6 addr6;
-#endif
 
         if (ep->base.sk->sk_family != PF_INET &&
                                 ep->base.sk->sk_family != PF_INET6)
@@ -310,16 +307,15 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
         if (ip_hdr(skb)->version == 4) {
                 addr4.sin_family = AF_INET;
                 addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
-                addr = (struct sockaddr *)&addr4;
-#if IS_ENABLED(CONFIG_IPV6)
-        } else {
+                rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr4, &secattr);
+        } else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) {
                 addr6.sin6_family = AF_INET6;
                 addr6.sin6_addr = ipv6_hdr(skb)->saddr;
-                addr = (struct sockaddr *)&addr6;
-#endif
+                rc = netlbl_conn_setattr(ep->base.sk, (void *)&addr6, &secattr);
+        } else {
+                rc = -EAFNOSUPPORT;
         }
 
-        rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
         if (rc == 0)
                 sksec->nlbl_state = NLBL_LABELED;
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ec62918521b1..cc043bc8fd4c 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1318,14 +1318,11 @@ static int security_sid_to_context_core(struct selinux_state *state,
                 rc = -EINVAL;
                 goto out_unlock;
         }
-        if (only_invalid && !context->len) {
-                scontext = NULL;
-                scontext_len = 0;
+        if (only_invalid && !context->len)
                 rc = 0;
-        } else {
+        else
                 rc = context_struct_to_string(policydb, context, scontext,
                                               scontext_len);
-        }
 out_unlock:
         read_unlock(&state->ss->policy_rwlock);
 out: