Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)
  TOMOYO: Add recursive directory matching operator support.
  remove CONFIG_SECURITY_FILE_CAPABILITIES compile option
  SELinux: print denials for buggy kernel with unknown perms
  Silence the existing API for capability version compatibility check.
  LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
  SELinux: header generation may hit infinite loop
  selinux: Fix warnings
  security: report the module name to security_module_request
  Config option to set a default LSM
  sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
  tpm: autoload tpm_tis based on system PnP IDs
  tpm_tis: TPM_STS_DATA_EXPECT workaround
  define convenient securebits masks for prctl users (v2)
  tpm: fix header for modular build
  tomoyo: improve hash bucket dispersion
  tpm add default function definitions
  LSM: imbed ima calls in the security hooks
  SELinux: add .gitignore files for dynamic classes
  security: remove root_plug
  SELinux: fix locking issue introduced with c6d3aaa4e35c71a3
  ...

55 files changed, 1083 insertions, 2183 deletions

diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index e1efc400bed6..e151b2a36267 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -65,6 +65,7 @@ aicdb.h*
 asm-offsets.h
 asm_offsets.h
 autoconf.h*
+av_permissions.h
 bbootsect
 bin2c
 binkernel.spec
@@ -95,12 +96,14 @@ docproc
 elf2ecoff
 elfconfig.h*
 fixdep
+flask.h
 fore200e_mkfirm
 fore200e_pca_fw.c*
 gconf
 gen-devlist
 gen_crc32table
 gen_init_cpio
+genheaders
 genksyms
 *_gray256.c
 ihex2fw
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 9107b387e91f..332fe3b47e0c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -85,7 +85,6 @@ parameter is applicable:
         PPT     Parallel port support is enabled.
         PS2     Appropriate PS/2 support is enabled.
         RAM     RAM disk support is enabled.
-        ROOTPLUG The example Root Plug LSM is enabled.
         S390    S390 architecture is enabled.
         SCSI    Appropriate SCSI support is enabled.
                         A lot of drivers has their options described inside of
@@ -2164,15 +2163,6 @@ and is between 256 and 4096 characters. It is defined in the file
                         Useful for devices that are detected asynchronously
                         (e.g. USB and MMC devices).
 
-        root_plug.vendor_id=
-                        [ROOTPLUG] Override the default vendor ID
-
-        root_plug.product_id=
-                        [ROOTPLUG] Override the default product ID
-
-        root_plug.debug=
-                        [ROOTPLUG] Enable debugging output
-
         rw              [KNL] Mount root device read-write on boot
 
         S               [KNL] Run init in single mode
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 47c2d2763456..f06bb37defb1 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -31,7 +31,7 @@
 
 enum tpm_const {
         TPM_MINOR = 224,        /* officially assigned */
-        TPM_BUFSIZE = 2048,
+        TPM_BUFSIZE = 4096,
         TPM_NUM_DEVICES = 256,
 };
 
diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index 0b73e4ec1add..2405f17b29dd 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -257,6 +257,10 @@ out:
         return size;
 }
 
+static int itpm;
+module_param(itpm, bool, 0444);
+MODULE_PARM_DESC(itpm, "Force iTPM workarounds (found on some Lenovo laptops)");
+
 /*
  * If interrupts are used (signaled by an irq set in the vendor structure)
  * tpm.c can skip polling for the data to be available as the interrupt is
@@ -293,7 +297,7 @@ static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len)
                 wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c,
                               &chip->vendor.int_queue);
                 status = tpm_tis_status(chip);
-                if ((status & TPM_STS_DATA_EXPECT) == 0) {
+                if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) {
                         rc = -EIO;
                         goto out_err;
                 }
@@ -467,6 +471,10 @@ static int tpm_tis_init(struct device *dev, resource_size_t start,
                  "1.2 TPM (device-id 0x%X, rev-id %d)\n",
                  vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0)));
 
+        if (itpm)
+                dev_info(dev, "Intel iTPM workaround enabled\n");
+
+
         /* Figure out the capabilities */
         intfcaps =
             ioread32(chip->vendor.iobase +
@@ -629,6 +637,7 @@ static struct pnp_device_id tpm_pnp_tbl[] __devinitdata = {
         {"", 0},                /* User Specified */
         {"", 0}                 /* Terminator */
 };
+MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl);
 
 static __devexit void tpm_tis_pnp_remove(struct pnp_dev *dev)
 {
diff --git a/fs/exec.c b/fs/exec.c
index ba112bd4a339..c0c636e34f60 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -46,7 +46,6 @@
 #include <linux/proc_fs.h>
 #include <linux/mount.h>
 #include <linux/security.h>
-#include <linux/ima.h>
 #include <linux/syscalls.h>
 #include <linux/tsacct_kern.h>
 #include <linux/cn_proc.h>
@@ -1209,9 +1208,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
         retval = security_bprm_check(bprm);
         if (retval)
                 return retval;
-        retval = ima_bprm_check(bprm);
-        if (retval)
-                return retval;
 
         /* kernel module loader fixup */
         /* so we don't try to load run modprobe in kernel space. */
diff --git a/fs/file_table.c b/fs/file_table.c
index 8eb44042e009..4bef4c01ec6f 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -13,7 +13,6 @@
 #include <linux/module.h>
 #include <linux/fs.h>
 #include <linux/security.h>
-#include <linux/ima.h>
 #include <linux/eventpoll.h>
 #include <linux/rcupdate.h>
 #include <linux/mount.h>
@@ -280,7 +279,6 @@ void __fput(struct file *file)
         if (file->f_op && file->f_op->release)
                 file->f_op->release(inode, file);
         security_file_free(file);
-        ima_file_free(file);
         if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
                 cdev_put(inode->i_cdev);
         fops_put(file->f_op);
diff --git a/fs/inode.c b/fs/inode.c
index 4d8e3be55976..06c1f02de611 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -18,7 +18,6 @@
 #include <linux/hash.h>
 #include <linux/swap.h>
 #include <linux/security.h>
-#include <linux/ima.h>
 #include <linux/pagemap.h>
 #include <linux/cdev.h>
 #include <linux/bootmem.h>
@@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
 
         if (security_inode_alloc(inode))
                 goto out;
-
-        /* allocate and initialize an i_integrity */
-        if (ima_inode_alloc(inode))
-                goto out_free_security;
-
         spin_lock_init(&inode->i_lock);
         lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
 
@@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
 #endif
 
         return 0;
-
-out_free_security:
-        security_inode_free(inode);
 out:
         return -ENOMEM;
 }
@@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb)
 void __destroy_inode(struct inode *inode)
 {
         BUG_ON(inode_has_buffers(inode));
-        ima_inode_free(inode);
         security_inode_free(inode);
         fsnotify_inode_delete(inode);
 #ifdef CONFIG_FS_POSIX_ACL
diff --git a/fs/namespace.c b/fs/namespace.c
index bdc3cb4fd222..7d70d63ceb29 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1921,6 +1921,16 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
         if (data_page)
                 ((char *)data_page)[PAGE_SIZE - 1] = 0;
 
+        /* ... and get the mountpoint */
+        retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
+        if (retval)
+                return retval;
+
+        retval = security_sb_mount(dev_name, &path,
+                                   type_page, flags, data_page);
+        if (retval)
+                goto dput_out;
+
         /* Default to relatime unless overriden */
         if (!(flags & MS_NOATIME))
                 mnt_flags |= MNT_RELATIME;
@@ -1945,16 +1955,6 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
                    MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
                    MS_STRICTATIME);
 
-        /* ... and get the mountpoint */
-        retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
-        if (retval)
-                return retval;
-
-        retval = security_sb_mount(dev_name, &path,
-                                   type_page, flags, data_page);
-        if (retval)
-                goto dput_out;
-
         if (flags & MS_REMOUNT)
                 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
                                     data_page);
diff --git a/fs/open.c b/fs/open.c
index 4f01e06227c6..b4b31d277f3a 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
         error = -EPERM;
         if (!capable(CAP_SYS_CHROOT))
                 goto dput_and_out;
+        error = security_path_chroot(&path);
+        if (error)
+                goto dput_and_out;
 
         set_fs_root(current->fs, &path);
         error = 0;
@@ -617,11 +620,15 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
         if (err)
                 goto out_putf;
         mutex_lock(&inode->i_mutex);
+        err = security_path_chmod(dentry, file->f_vfsmnt, mode);
+        if (err)
+                goto out_unlock;
         if (mode == (mode_t) -1)
                 mode = inode->i_mode;
         newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
         newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
         err = notify_change(dentry, &newattrs);
+out_unlock:
         mutex_unlock(&inode->i_mutex);
         mnt_drop_write(file->f_path.mnt);
 out_putf:
@@ -646,11 +653,15 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
         if (error)
                 goto dput_and_out;
         mutex_lock(&inode->i_mutex);
+        error = security_path_chmod(path.dentry, path.mnt, mode);
+        if (error)
+                goto out_unlock;
         if (mode == (mode_t) -1)
                 mode = inode->i_mode;
         newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
         newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
         error = notify_change(path.dentry, &newattrs);
+out_unlock:
         mutex_unlock(&inode->i_mutex);
         mnt_drop_write(path.mnt);
 dput_and_out:
@@ -664,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user *, filename, mode_t, mode)
         return sys_fchmodat(AT_FDCWD, filename, mode);
 }
 
-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+static int chown_common(struct path *path, uid_t user, gid_t group)
 {
-        struct inode *inode = dentry->d_inode;
+        struct inode *inode = path->dentry->d_inode;
         int error;
         struct iattr newattrs;
 
@@ -683,7 +694,9 @@ static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
                 newattrs.ia_valid |=
                         ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
         mutex_lock(&inode->i_mutex);
-        error = notify_change(dentry, &newattrs);
+        error = security_path_chown(path, user, group);
+        if (!error)
+                error = notify_change(path->dentry, &newattrs);
         mutex_unlock(&inode->i_mutex);
 
         return error;
@@ -700,7 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
         error = mnt_want_write(path.mnt);
         if (error)
                 goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = chown_common(&path, user, group);
         mnt_drop_write(path.mnt);
 out_release:
         path_put(&path);
@@ -725,7 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
         error = mnt_want_write(path.mnt);
         if (error)
                 goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = chown_common(&path, user, group);
         mnt_drop_write(path.mnt);
 out_release:
         path_put(&path);
@@ -744,7 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
         error = mnt_want_write(path.mnt);
         if (error)
                 goto out_release;
-        error = chown_common(path.dentry, user, group);
+        error = chown_common(&path, user, group);
         mnt_drop_write(path.mnt);
 out_release:
         path_put(&path);
@@ -767,7 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
                 goto out_fput;
         dentry = file->f_path.dentry;
         audit_inode(NULL, dentry);
-        error = chown_common(dentry, user, group);
+        error = chown_common(&file->f_path, user, group);
         mnt_drop_write(file->f_path.mnt);
 out_fput:
         fput(file);
diff --git a/include/linux/Kbuild b/include/linux/Kbuild
index 1feed71551c9..5a5385749e16 100644
--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -330,6 +330,7 @@ unifdef-y += scc.h
 unifdef-y += sched.h
 unifdef-y += screen_info.h
 unifdef-y += sdla.h
+unifdef-y += securebits.h
 unifdef-y += selinux_netlink.h
 unifdef-y += sem.h
 unifdef-y += serial_core.h
diff --git a/include/linux/capability.h b/include/linux/capability.h
index c8f2a5f70ed5..39e5ff512fbe 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -92,9 +92,7 @@ struct vfs_cap_data {
 #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
 #define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
 extern int file_caps_enabled;
-#endif
 
 typedef struct kernel_cap_struct {
         __u32 cap[_KERNEL_CAPABILITY_U32S];
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 21a6f5d9af22..8d10aa7fd4c9 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -83,16 +83,12 @@ extern struct group_info init_groups;
 #define INIT_IDS
 #endif
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
 /*
  * Because of the reduced scope of CAP_SETPCAP when filesystem
  * capabilities are in effect, it is safe to allow CAP_SETPCAP to
  * be available in the default configuration.
  */
 # define CAP_INIT_BSET  CAP_FULL_SET
-#else
-# define CAP_INIT_BSET  CAP_INIT_EFF_SET
-#endif
 
 #ifdef CONFIG_TREE_PREEMPT_RCU
 #define INIT_TASK_RCU_PREEMPT(tsk)                                      \
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 190c37854870..f78f83d7663f 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -26,14 +26,15 @@
 
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
-        char    type;
-#define LSM_AUDIT_DATA_FS      1
-#define LSM_AUDIT_DATA_NET     2
-#define LSM_AUDIT_DATA_CAP     3
-#define LSM_AUDIT_DATA_IPC     4
-#define LSM_AUDIT_DATA_TASK    5
-#define LSM_AUDIT_DATA_KEY     6
-#define LSM_AUDIT_NO_AUDIT     7
+        char type;
+#define LSM_AUDIT_DATA_FS       1
+#define LSM_AUDIT_DATA_NET      2
+#define LSM_AUDIT_DATA_CAP      3
+#define LSM_AUDIT_DATA_IPC      4
+#define LSM_AUDIT_DATA_TASK     5
+#define LSM_AUDIT_DATA_KEY      6
+#define LSM_AUDIT_NO_AUDIT      7
+#define LSM_AUDIT_DATA_KMOD     8
         struct task_struct *tsk;
         union   {
                 struct {
@@ -66,6 +67,7 @@ struct common_audit_data {
                         char *key_desc;
                 } key_struct;
 #endif
+                char *kmod_name;
         } u;
         /* this union contains LSM specific data */
         union {
diff --git a/include/linux/securebits.h b/include/linux/securebits.h
index d2c5ed845bcc..33406174cbe8 100644
--- a/include/linux/securebits.h
+++ b/include/linux/securebits.h
@@ -1,6 +1,15 @@
 #ifndef _LINUX_SECUREBITS_H
 #define _LINUX_SECUREBITS_H 1
 
+/* Each securesetting is implemented using two bits. One bit specifies
+   whether the setting is on or off. The other bit specify whether the
+   setting is locked or not. A setting which is locked cannot be
+   changed from user-level. */
+#define issecure_mask(X)        (1 << (X))
+#ifdef __KERNEL__
+#define issecure(X)             (issecure_mask(X) & current_cred_xxx(securebits))
+#endif
+
 #define SECUREBITS_DEFAULT 0x00000000
 
 /* When set UID 0 has no special privileges. When unset, we support
@@ -12,6 +21,9 @@
 #define SECURE_NOROOT                   0
 #define SECURE_NOROOT_LOCKED            1  /* make bit-0 immutable */
 
+#define SECBIT_NOROOT           (issecure_mask(SECURE_NOROOT))
+#define SECBIT_NOROOT_LOCKED    (issecure_mask(SECURE_NOROOT_LOCKED))
+
 /* When set, setuid to/from uid 0 does not trigger capability-"fixup".
    When unset, to provide compatiblility with old programs relying on
    set*uid to gain/lose privilege, transitions to/from uid 0 cause
@@ -19,6 +31,10 @@
 #define SECURE_NO_SETUID_FIXUP          2
 #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
 
+#define SECBIT_NO_SETUID_FIXUP  (issecure_mask(SECURE_NO_SETUID_FIXUP))
+#define SECBIT_NO_SETUID_FIXUP_LOCKED \
+                        (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
+
 /* When set, a process can retain its capabilities even after
    transitioning to a non-root user (the set-uid fixup suppressed by
    bit 2). Bit-4 is cleared when a process calls exec(); setting both
@@ -27,12 +43,8 @@
 #define SECURE_KEEP_CAPS                4
 #define SECURE_KEEP_CAPS_LOCKED         5  /* make bit-4 immutable */
 
-/* Each securesetting is implemented using two bits. One bit specifies
-   whether the setting is on or off. The other bit specify whether the
-   setting is locked or not. A setting which is locked cannot be
-   changed from user-level. */
-#define issecure_mask(X)        (1 << (X))
-#define issecure(X)             (issecure_mask(X) & current_cred_xxx(securebits))
+#define SECBIT_KEEP_CAPS        (issecure_mask(SECURE_KEEP_CAPS))
+#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
 
 #define SECURE_ALL_BITS         (issecure_mask(SECURE_NOROOT) | \
                                  issecure_mask(SECURE_NO_SETUID_FIXUP) | \
diff --git a/include/linux/security.h b/include/linux/security.h
index 239e40d0450b..466cbadbd1ef 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,22 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @new_dir contains the path structure for parent of the new link.
  *      @new_dentry contains the dentry structure of the new link.
  *      Return 0 if permission is granted.
+ * @path_chmod:
+ *      Check for permission to change DAC's permission of a file or directory.
+ *      @dentry contains the dentry structure.
+ *      @mnt contains the vfsmnt structure.
+ *      @mode contains DAC's mode.
+ *      Return 0 if permission is granted.
+ * @path_chown:
+ *      Check for permission to change owner/group of a file or directory.
+ *      @path contains the path structure.
+ *      @uid contains new owner's ID.
+ *      @gid contains new group's ID.
+ *      Return 0 if permission is granted.
+ * @path_chroot:
+ *      Check for permission to change root directory.
+ *      @path contains the path structure.
+ *      Return 0 if permission is granted.
  * @inode_readlink:
  *      Check the permission to read the symbolic link.
  *      @dentry contains the dentry structure for the file link.
@@ -690,6 +706,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @kernel_module_request:
  *      Ability to trigger the kernel to automatically upcall to userspace for
  *      userspace to load a kernel module with the given name.
+ *      @kmod_name name of the module requested by the kernel
  *      Return 0 if successful.
  * @task_setuid:
  *      Check permission before setting one or more of the user identity
@@ -1488,6 +1505,10 @@ struct security_operations {
                           struct dentry *new_dentry);
         int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
                             struct path *new_dir, struct dentry *new_dentry);
+        int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
+                           mode_t mode);
+        int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
+        int (*path_chroot) (struct path *path);
 #endif
 
         int (*inode_alloc_security) (struct inode *inode);
@@ -1557,7 +1578,7 @@ struct security_operations {
         void (*cred_transfer)(struct cred *new, const struct cred *old);
         int (*kernel_act_as)(struct cred *new, u32 secid);
         int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
-        int (*kernel_module_request)(void);
+        int (*kernel_module_request)(char *kmod_name);
         int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
         int (*task_fix_setuid) (struct cred *new, const struct cred *old,
                                 int flags);
@@ -1822,7 +1843,7 @@ void security_commit_creds(struct cred *new, const struct cred *old);
 void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
-int security_kernel_module_request(void);
+int security_kernel_module_request(char *kmod_name);
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
                              int flags);
@@ -2387,7 +2408,7 @@ static inline int security_kernel_create_files_as(struct cred *cred,
         return 0;
 }
 
-static inline int security_kernel_module_request(void)
+static inline int security_kernel_module_request(char *kmod_name)
 {
         return 0;
 }
@@ -2952,6 +2973,10 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
                        struct dentry *new_dentry);
 int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
                          struct path *new_dir, struct dentry *new_dentry);
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                        mode_t mode);
+int security_path_chown(struct path *path, uid_t uid, gid_t gid);
+int security_path_chroot(struct path *path);
 #else   /* CONFIG_SECURITY_PATH */
 static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
 {
@@ -3001,6 +3026,23 @@ static inline int security_path_rename(struct path *old_dir,
 {
         return 0;
 }
+
+static inline int security_path_chmod(struct dentry *dentry,
+                                      struct vfsmount *mnt,
+                                      mode_t mode)
+{
+        return 0;
+}
+
+static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        return 0;
+}
+
+static inline int security_path_chroot(struct path *path)
+{
+        return 0;
+}
 #endif  /* CONFIG_SECURITY_PATH */
 
 #ifdef CONFIG_KEYS
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 3338b3f5c21a..ac5d1c1285d9 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -27,9 +27,16 @@
  */
 #define TPM_ANY_NUM 0xFFFF
 
-#if defined(CONFIG_TCG_TPM)
+#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
 
 extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
 extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
+#else
+static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
+        return -ENODEV;
+}
+static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
+        return -ENODEV;
+}
 #endif
 #endif
diff --git a/kernel/capability.c b/kernel/capability.c
index 4e17041963f5..7f876e60521f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -29,7 +29,6 @@ EXPORT_SYMBOL(__cap_empty_set);
 EXPORT_SYMBOL(__cap_full_set);
 EXPORT_SYMBOL(__cap_init_eff_set);
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
 int file_caps_enabled = 1;
 
 static int __init file_caps_disable(char *str)
@@ -38,7 +37,6 @@ static int __init file_caps_disable(char *str)
         return 1;
 }
 __setup("no_file_caps", file_caps_disable);
-#endif
 
 /*
  * More recent versions of libcap are available from:
@@ -169,8 +167,8 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
         kernel_cap_t pE, pI, pP;
 
         ret = cap_validate_magic(header, &tocopy);
-        if (ret != 0)
-                return ret;
+        if ((dataptr == NULL) || (ret != 0))
+                return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
 
         if (get_user(pid, &header->pid))
                 return -EFAULT;
@@ -238,7 +236,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
 {
         struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
-        unsigned i, tocopy;
+        unsigned i, tocopy, copybytes;
         kernel_cap_t inheritable, permitted, effective;
         struct cred *new;
         int ret;
@@ -255,8 +253,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
         if (pid != 0 && pid != task_pid_vnr(current))
                 return -EPERM;
 
-        if (copy_from_user(&kdata, data,
-                           tocopy * sizeof(struct __user_cap_data_struct)))
+        copybytes = tocopy * sizeof(struct __user_cap_data_struct);
+        if (copybytes > sizeof(kdata))
+                return -EFAULT;
+
+        if (copy_from_user(&kdata, data, copybytes))
                 return -EFAULT;
 
         for (i = 0; i < tocopy; i++) {
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 9fcb53a11f87..25b103190364 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -80,16 +80,16 @@ int __request_module(bool wait, const char *fmt, ...)
 #define MAX_KMOD_CONCURRENT 50  /* Completely arbitrary value - KAO */
         static int kmod_loop_msg;
 
-        ret = security_kernel_module_request();
-        if (ret)
-                return ret;
-
         va_start(args, fmt);
         ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
         va_end(args);
         if (ret >= MODULE_NAME_LEN)
                 return -ENAMETOOLONG;
 
+        ret = security_kernel_module_request(module_name);
+        if (ret)
+                return ret;
+
         /* If modprobe needs a service that is in a module, we get a recursive
          * loop.  Limit the number of running kmod threads to max_threads/2 or
          * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method
diff --git a/mm/mmap.c b/mm/mmap.c
index 73f5e4b64010..292ddc3cef9c 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -20,7 +20,6 @@
 #include <linux/fs.h>
 #include <linux/personality.h>
 #include <linux/security.h>
-#include <linux/ima.h>
 #include <linux/hugetlb.h>
 #include <linux/profile.h>
 #include <linux/module.h>
@@ -1061,9 +1060,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
         error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
         if (error)
                 return error;
-        error = ima_file_mmap(file, prot);
-        if (error)
-                return error;
 
         return mmap_region(file, addr, len, flags, vm_flags, pgoff);
 }
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index ca4b1ec01822..e8049da1831f 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
-subdir-y := mdp
-subdir- += mdp
+subdir-y := mdp genheaders
+subdir- += mdp genheaders
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000000..4c0b646ff8d5
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
+genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000000..417b165008ee
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y     := genheaders
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always          := $(hostprogs-y)
+clean-files     := $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000000..24626968055d
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+        const char *name;
+        const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
+
+const char *progname;
+
+static void usage(void)
+{
+        printf("usage: %s flask.h av_permissions.h\n", progname);
+        exit(1);
+}
+
+static char *stoupperx(const char *s)
+{
+        char *s2 = strdup(s);
+        char *p;
+
+        if (!s2) {
+                fprintf(stderr, "%s:  out of memory\n", progname);
+                exit(3);
+        }
+
+        for (p = s2; *p; p++)
+                *p = toupper(*p);
+        return s2;
+}
+
+int main(int argc, char *argv[])
+{
+        int i, j, k;
+        int isids_len;
+        FILE *fout;
+
+        progname = argv[0];
+
+        if (argc < 3)
+                usage();
+
+        fout = fopen(argv[1], "w");
+        if (!fout) {
+                fprintf(stderr, "Could not open %s for writing:  %s\n",
+                        argv[1], strerror(errno));
+                exit(2);
+        }
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                map->name = stoupperx(map->name);
+                for (j = 0; map->perms[j]; j++)
+                        map->perms[j] = stoupperx(map->perms[j]);
+        }
+
+        isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+        for (i = 1; i < isids_len; i++)
+                initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
+
+        fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+        fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                fprintf(fout, "#define SECCLASS_%s", map->name);
+                for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
+                        fprintf(fout, " ");
+                fprintf(fout, "%2d\n", i+1);
+        }
+
+        fprintf(fout, "\n");
+
+        for (i = 1; i < isids_len; i++) {
+                char *s = initial_sid_to_string[i];
+                fprintf(fout, "#define SECINITSID_%s", s);
+                for (j = 0; j < max(1, 40 - strlen(s)); j++)
+                        fprintf(fout, " ");
+                fprintf(fout, "%2d\n", i);
+        }
+        fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+        fprintf(fout, "\n#endif\n");
+        fclose(fout);
+
+        fout = fopen(argv[2], "w");
+        if (!fout) {
+                fprintf(stderr, "Could not open %s for writing:  %s\n",
+                        argv[2], strerror(errno));
+                exit(4);
+        }
+
+        fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+        fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                for (j = 0; map->perms[j]; j++) {
+                        fprintf(fout, "#define %s__%s", map->name,
+                                map->perms[j]);
+                        for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
+                                fprintf(fout, " ");
+                        fprintf(fout, "0x%08xUL\n", (1<<j));
+                }
+        }
+
+        fprintf(fout, "\n#endif\n");
+        fclose(fout);
+        exit(0);
+}
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
 #include <unistd.h>
 #include <string.h>
 
-#include "flask.h"
-
 static void usage(char *name)
 {
         printf("usage: %s [-m] policy_file context_file\n", name);
         exit(1);
 }
 
-static void find_common_name(char *cname, char *dest, int len)
-{
-        char *start, *end;
-
-        start = strchr(cname, '_')+1;
-        end = strchr(start, '_');
-        if (!start || !end || start-cname > len || end-start > len) {
-                printf("Error with commons defines\n");
-                exit(1);
-        }
-        strncpy(dest, start, end-start);
-        dest[end-start] = '\0';
-}
-
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
-        NULL
+/* Class/perm mapping support */
+struct security_class_mapping {
+        const char *name;
+        const char *perms[sizeof(unsigned) * 8 + 1];
 };
-#undef S_
 
+#include "classmap.h"
 #include "initial_sid_to_string.h"
 
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-struct common {
-        char *cname;
-        char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
-        int class;
-        char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
-        int class;
-        int perm_i;
-        char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
-
 int main(int argc, char *argv[])
 {
         int i, j, mls = 0;
+        int initial_sid_to_string_len;
         char **arg, *polout, *ctxout;
-        int classlist_len, initial_sid_to_string_len;
+
         FILE *fout;
 
         if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
                 usage(argv[0]);
         }
 
-        classlist_len = sizeof(classlist) / sizeof(char *);
         /* print out the classes */
-        for (i=1; i < classlist_len; i++) {
-                if(classlist[i])
-                        fprintf(fout, "class %s\n", classlist[i]);
-                else
-                        fprintf(fout, "class user%d\n", i);
-        }
+        for (i = 0; secclass_map[i].name; i++)
+                fprintf(fout, "class %s\n", secclass_map[i].name);
         fprintf(fout, "\n");
 
         initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
         /* print out the sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
         fprintf(fout, "\n");
 
-        /* print out the commons */
-        for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
-                char cname[101];
-                find_common_name(common[i].cname, cname, 100);
-                cname[100] = '\0';
-                fprintf(fout, "common %s\n{\n", cname);
-                for (j=0; common[i].perms[j]; j++)
-                        fprintf(fout, "\t%s\n", common[i].perms[j]);
-                fprintf(fout, "}\n\n");
-        }
-        fprintf(fout, "\n");
-
         /* print out the class permissions */
-        for (i=1; i < classlist_len; i++) {
-                if (classlist[i]) {
-                        int firstperm = -1, numperms = 0;
-
-                        fprintf(fout, "class %s\n", classlist[i]);
-                        /* does it inherit from a common? */
-                        for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
-                                if (av_inherit[j].class == i)
-                                        fprintf(fout, "inherits %s\n", av_inherit[j].common);
-
-                        for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
-                                if (av_perms[j].class == i) {
-                                        if (firstperm == -1)
-                                                firstperm = j;
-                                        numperms++;
-                                }
-                        }
-                        if (!numperms) {
-                                fprintf(fout, "\n");
-                                continue;
-                        }
-
-                        fprintf(fout, "{\n");
-                        /* print out the av_perms */
-                        for (j=0; j < numperms; j++) {
-                                fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
-                        }
-                        fprintf(fout, "}\n\n");
-                }
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                fprintf(fout, "class %s\n", map->name);
+                fprintf(fout, "{\n");
+                for (j = 0; map->perms[j]; j++)
+                        fprintf(fout, "\t%s\n", map->perms[j]);
+                fprintf(fout, "}\n\n");
         }
         fprintf(fout, "\n");
 
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
         /* types, roles, and allows */
         fprintf(fout, "type base_t;\n");
         fprintf(fout, "role base_r types { base_t };\n");
-        for (i=1; i < classlist_len; i++) {
-                if (classlist[i])
-                        fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
-                else
-                        fprintf(fout, "allow base_t base_t:user%d *;\n", i);
-        }
+        for (i = 0; secclass_map[i].name; i++)
+                fprintf(fout, "allow base_t base_t:%s *;\n",
+                        secclass_map[i].name);
         fprintf(fout, "user user_u roles { base_r };\n");
         fprintf(fout, "\n");
 
         /* default sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
         fprintf(fout, "\n");
 
-
         fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
 
+        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
 
+        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
 
diff --git a/security/Kconfig b/security/Kconfig
index fb363cd81cf6..226b9556b25f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,28 +91,6 @@ config SECURITY_PATH
           implement pathname based access controls.
           If you are unsure how to answer this question, answer N.
 
-config SECURITY_FILE_CAPABILITIES
-        bool "File POSIX Capabilities"
-        default n
-        help
-          This enables filesystem capabilities, allowing you to give
-          binaries a subset of root's powers without using setuid 0.
-
-          If in doubt, answer N.
-
-config SECURITY_ROOTPLUG
-        bool "Root Plug Support"
-        depends on USB=y && SECURITY
-        help
-          This is a sample LSM module that should only be used as such.
-          It prevents any programs running with egid == 0 if a specific
-          USB device is not present in the system.
-
-          See <http://www.linuxjournal.com/article.php?sid=6279> for
-          more information about this module.
-
-          If you are unsure how to answer this question, answer N.
-
 config INTEL_TXT
         bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
         depends on HAVE_INTEL_TXT
@@ -165,5 +143,37 @@ source security/tomoyo/Kconfig
 
 source security/integrity/ima/Kconfig
 
+choice
+        prompt "Default security module"
+        default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+        default DEFAULT_SECURITY_DAC
+
+        help
+          Select the security module that will be used by default if the
+          kernel parameter security= is not specified.
+
+        config DEFAULT_SECURITY_SELINUX
+                bool "SELinux" if SECURITY_SELINUX=y
+
+        config DEFAULT_SECURITY_SMACK
+                bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+        config DEFAULT_SECURITY_TOMOYO
+                bool "TOMOYO" if SECURITY_TOMOYO=y
+
+        config DEFAULT_SECURITY_DAC
+                bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config DEFAULT_SECURITY
+        string
+        default "selinux" if DEFAULT_SECURITY_SELINUX
+        default "smack" if DEFAULT_SECURITY_SMACK
+        default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+        default "" if DEFAULT_SECURITY_DAC
+
 endmenu
 
diff --git a/security/Makefile b/security/Makefile
index 95ecc06392d7..bb44e350c618 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o
 obj-$(CONFIG_SECURITY_SMACK)            += smack/built-in.o
 obj-$(CONFIG_AUDIT)                     += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO)           += tomoyo/built-in.o
-obj-$(CONFIG_SECURITY_ROOTPLUG)         += root_plug.o
 obj-$(CONFIG_CGROUP_DEVICE)             += device_cgroup.o
 
 # Object integrity file lists
diff --git a/security/capability.c b/security/capability.c
index fce07a7bc825..5c700e1a4fd3 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -308,6 +308,22 @@ static int cap_path_truncate(struct path *path, loff_t length,
 {
         return 0;
 }
+
+static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                          mode_t mode)
+{
+        return 0;
+}
+
+static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        return 0;
+}
+
+static int cap_path_chroot(struct path *root)
+{
+        return 0;
+}
 #endif
 
 static int cap_file_permission(struct file *file, int mask)
@@ -405,7 +421,7 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
         return 0;
 }
 
-static int cap_kernel_module_request(void)
+static int cap_kernel_module_request(char *kmod_name)
 {
         return 0;
 }
@@ -977,6 +993,9 @@ void security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, path_link);
         set_to_cap_if_null(ops, path_rename);
         set_to_cap_if_null(ops, path_truncate);
+        set_to_cap_if_null(ops, path_chmod);
+        set_to_cap_if_null(ops, path_chown);
+        set_to_cap_if_null(ops, path_chroot);
 #endif
         set_to_cap_if_null(ops, file_permission);
         set_to_cap_if_null(ops, file_alloc_security);
diff --git a/security/commoncap.c b/security/commoncap.c
index fe30751a6cd9..f800fdb3de94 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1,4 +1,4 @@
-/* Common capabilities, needed by capability.o and root_plug.o
+/* Common capabilities, needed by capability.o.
  *
  *      This program is free software; you can redistribute it and/or modify
  *      it under the terms of the GNU General Public License as published by
@@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
  */
 static inline int cap_inh_is_capped(void)
 {
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
 
         /* they are so limited unless the current task has the CAP_SETPCAP
          * capability
@@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
         if (cap_capable(current, current_cred(), CAP_SETPCAP,
                         SECURITY_CAP_AUDIT) == 0)
                 return 0;
-#endif
         return 1;
 }
 
@@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
         bprm->cap_effective = false;
 }
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
-
 /**
  * cap_inode_need_killpriv - Determine if inode change affects privileges
  * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
@@ -421,49 +417,6 @@ out:
         return rc;
 }
 
-#else
-int cap_inode_need_killpriv(struct dentry *dentry)
-{
-        return 0;
-}
-
-int cap_inode_killpriv(struct dentry *dentry)
-{
-        return 0;
-}
-
-int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
-{
-        memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
-        return -ENODATA;
-}
-
-static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
-{
-        bprm_clear_caps(bprm);
-        return 0;
-}
-#endif
-
-/*
- * Determine whether a exec'ing process's new permitted capabilities should be
- * limited to just what it already has.
- *
- * This prevents processes that are being ptraced from gaining access to
- * CAP_SETPCAP, unless the process they're tracing already has it, and the
- * binary they're executing has filecaps that elevate it.
- *
- *  Returns 1 if they should be limited, 0 if they are not.
- */
-static inline int cap_limit_ptraced_target(void)
-{
-#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
-        if (capable(CAP_SETPCAP))
-                return 0;
-#endif
-        return 1;
-}
-
 /**
  * cap_bprm_set_creds - Set up the proposed credentials for execve().
  * @bprm: The execution parameters, including the proposed creds
@@ -523,9 +476,8 @@ skip:
                         new->euid = new->uid;
                         new->egid = new->gid;
                 }
-                if (cap_limit_ptraced_target())
-                        new->cap_permitted = cap_intersect(new->cap_permitted,
-                                                           old->cap_permitted);
+                new->cap_permitted = cap_intersect(new->cap_permitted,
+                                                   old->cap_permitted);
         }
 
         new->suid = new->fsuid = new->euid;
@@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
         return 0;
 }
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
 /*
  * Rationale: code calling task_setscheduler, task_setioprio, and
  * task_setnice, assumes that
@@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
         return 0;
 }
 
-#else
-int cap_task_setscheduler (struct task_struct *p, int policy,
-                           struct sched_param *lp)
-{
-        return 0;
-}
-int cap_task_setioprio (struct task_struct *p, int ioprio)
-{
-        return 0;
-}
-int cap_task_setnice (struct task_struct *p, int nice)
-{
-        return 0;
-}
-#endif
-
 /**
  * cap_task_prctl - Implement process control functions for this security module
  * @option: The process control function requested
@@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                 error = !!cap_raised(new->cap_bset, arg2);
                 goto no_change;
 
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
         case PR_CAPBSET_DROP:
                 error = cap_prctl_drop(new, arg2);
                 if (error < 0)
@@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                 error = new->securebits;
                 goto no_change;
 
-#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
-
         case PR_GET_KEEPCAPS:
                 if (issecure(SECURE_KEEP_CAPS))
                         error = 1;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 53d9764e8f09..3d7846de8069 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -3,6 +3,7 @@
 config IMA
         bool "Integrity Measurement Architecture(IMA)"
         depends on ACPI
+        depends on SECURITY
         select SECURITYFS
         select CRYPTO
         select CRYPTO_HMAC
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 3bb90b6f1dd3..51bd0fd9c9f0 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -354,6 +354,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                 }
                 break;
 #endif
+        case LSM_AUDIT_DATA_KMOD:
+                audit_log_format(ab, " kmod=");
+                audit_log_untrustedstring(ab, a->u.kmod_name);
+                break;
         } /* switch (a->type) */
 }
 
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed7915d..fc43c9d37084 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
 {
         int ret;
 
+        if (!capable(CAP_SYS_RAWIO))
+                return -EPERM;
+
         ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
 
         update_mmap_min_addr();
diff --git a/security/root_plug.c b/security/root_plug.c
deleted file mode 100644
index 2f7ffa67c4d2..000000000000
--- a/security/root_plug.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Root Plug sample LSM module
- *
- * Originally written for a Linux Journal.
- *
- * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
- *
- * Prevents any programs running with egid == 0 if a specific USB device
- * is not present in the system.  Yes, it can be gotten around, but is a
- * nice starting point for people to play with, and learn the LSM
- * interface.
- *
- * If you want to turn this into something with a semblance of security,
- * you need to hook the task_* functions also.
- *
- * See http://www.linuxjournal.com/article.php?sid=6279 for more information
- * about this code.
- *
- *      This program is free software; you can redistribute it and/or
- *      modify it under the terms of the GNU General Public License as
- *      published by the Free Software Foundation, version 2 of the
- *      License.
- */
-
-#include <linux/kernel.h>
-#include <linux/init.h>
-#include <linux/security.h>
-#include <linux/usb.h>
-#include <linux/moduleparam.h>
-
-/* default is a generic type of usb to serial converter */
-static int vendor_id = 0x0557;
-static int product_id = 0x2008;
-
-module_param(vendor_id, uint, 0400);
-module_param(product_id, uint, 0400);
-
-/* should we print out debug messages */
-static int debug = 0;
-
-module_param(debug, bool, 0600);
-
-#define MY_NAME "root_plug"
-
-#define root_dbg(fmt, arg...)                                   \
-        do {                                                    \
-                if (debug)                                      \
-                        printk(KERN_DEBUG "%s: %s: " fmt ,      \
-                                MY_NAME , __func__ ,    \
-                                ## arg);                        \
-        } while (0)
-
-static int rootplug_bprm_check_security (struct linux_binprm *bprm)
-{
-        struct usb_device *dev;
-
-        root_dbg("file %s, e_uid = %d, e_gid = %d\n",
-                 bprm->filename, bprm->cred->euid, bprm->cred->egid);
-
-        if (bprm->cred->egid == 0) {
-                dev = usb_find_device(vendor_id, product_id);
-                if (!dev) {
-                        root_dbg("e_gid = 0, and device not found, "
-                                 "task not allowed to run...\n");
-                        return -EPERM;
-                }
-                usb_put_dev(dev);
-        }
-
-        return 0;
-}
-
-static struct security_operations rootplug_security_ops = {
-        .bprm_check_security =          rootplug_bprm_check_security,
-};
-
-static int __init rootplug_init (void)
-{
-        /* register ourselves with the security framework */
-        if (register_security (&rootplug_security_ops)) {
-                printk (KERN_INFO 
-                        "Failure registering Root Plug module with the kernel\n");
-                        return -EINVAL;
-        }
-        printk (KERN_INFO "Root Plug module initialized, "
-                "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
-        return 0;
-}
-
-security_initcall (rootplug_init);
diff --git a/security/security.c b/security/security.c
index c4c673240c1c..24e060be9fa5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -16,9 +16,11 @@
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/security.h>
+#include <linux/ima.h>
 
 /* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+        CONFIG_DEFAULT_SECURITY;
 
 /* things that live in capability.c */
 extern struct security_operations default_security_ops;
@@ -79,8 +81,10 @@ __setup("security=", choose_lsm);
  *
  * Return true if:
  *      -The passed LSM is the one chosen by user at boot time,
- *      -or user didn't specify a specific LSM and we're the first to ask
- *       for registration permission,
+ *      -or the passed LSM is configured as the default and the user did not
+ *       choose an alternate LSM at boot time,
+ *      -or there is no default LSM set and the user didn't specify a
+ *       specific LSM and we're the first to ask for registration permission,
  *      -or the passed LSM is currently loaded.
  * Otherwise, return false.
  */
@@ -235,7 +239,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
 
 int security_bprm_check(struct linux_binprm *bprm)
 {
-        return security_ops->bprm_check_security(bprm);
+        int ret;
+
+        ret = security_ops->bprm_check_security(bprm);
+        if (ret)
+                return ret;
+        return ima_bprm_check(bprm);
 }
 
 void security_bprm_committing_creds(struct linux_binprm *bprm)
@@ -352,12 +361,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
 
 int security_inode_alloc(struct inode *inode)
 {
+        int ret;
+
         inode->i_security = NULL;
-        return security_ops->inode_alloc_security(inode);
+        ret =  security_ops->inode_alloc_security(inode);
+        if (ret)
+                return ret;
+        ret = ima_inode_alloc(inode);
+        if (ret)
+                security_inode_free(inode);
+        return ret;
 }
 
 void security_inode_free(struct inode *inode)
 {
+        ima_inode_free(inode);
         security_ops->inode_free_security(inode);
 }
 
@@ -434,6 +452,26 @@ int security_path_truncate(struct path *path, loff_t length,
                 return 0;
         return security_ops->path_truncate(path, length, time_attrs);
 }
+
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                        mode_t mode)
+{
+        if (unlikely(IS_PRIVATE(dentry->d_inode)))
+                return 0;
+        return security_ops->path_chmod(dentry, mnt, mode);
+}
+
+int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+        if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+                return 0;
+        return security_ops->path_chown(path, uid, gid);
+}
+
+int security_path_chroot(struct path *path)
+{
+        return security_ops->path_chroot(path);
+}
 #endif
 
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
@@ -628,6 +666,8 @@ int security_file_alloc(struct file *file)
 void security_file_free(struct file *file)
 {
         security_ops->file_free_security(file);
+        if (file->f_dentry)
+                ima_file_free(file);
 }
 
 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@@ -639,7 +679,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
                         unsigned long prot, unsigned long flags,
                         unsigned long addr, unsigned long addr_only)
 {
-        return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
+        int ret;
+
+        ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
+        if (ret)
+                return ret;
+        return ima_file_mmap(file, prot);
 }
 
 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
@@ -719,9 +764,9 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
         return security_ops->kernel_create_files_as(new, inode);
 }
 
-int security_kernel_module_request(void)
+int security_kernel_module_request(char *kmod_name)
 {
-        return security_ops->kernel_module_request();
+        return security_ops->kernel_module_request(kmod_name);
 }
 
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 000000000000..2e5040a3d48b
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
+av_permissions.h
+flask.h
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index d47fc5e545e0..f013982df417 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 
+$(obj)/avc.o: $(obj)/flask.h
+
+quiet_cmd_flask = GEN     $(obj)/flask.h $(obj)/av_permissions.h
+      cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h
+$(obj)/flask.h: $(src)/include/classmap.h FORCE
+        $(call if_changed,flask)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b4b5da1c0a42..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
 #include <net/ipv6.h>
 #include "avc.h"
 #include "avc_ss.h"
-
-static const struct av_perm_to_string av_perm_to_string[] = {
-#define S_(c, v, s) { c, v, s },
-#include "av_perm_to_string.h"
-#undef S_
-};
-
-static const char *class_to_string[] = {
-#define S_(s) s,
-#include "class_to_string.h"
-#undef S_
-};
-
-#define TB_(s) static const char *s[] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) {   .tclass = c,\
-                        .common_pts = common_##i##_perm_to_string,\
-                        .common_base =  b },
-#include "av_inherit.h"
-#undef S_
-};
-
-const struct selinux_class_perm selinux_class_perm = {
-        .av_perm_to_string = av_perm_to_string,
-        .av_pts_len = ARRAY_SIZE(av_perm_to_string),
-        .class_to_string = class_to_string,
-        .cts_len = ARRAY_SIZE(class_to_string),
-        .av_inherit = av_inherit,
-        .av_inherit_len = ARRAY_SIZE(av_inherit)
-};
+#include "classmap.h"
 
 #define AVC_CACHE_SLOTS                 512
 #define AVC_DEF_CACHE_THRESHOLD         512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
  */
 static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
 {
-        const char **common_pts = NULL;
-        u32 common_base = 0;
-        int i, i2, perm;
+        const char **perms;
+        int i, perm;
 
         if (av == 0) {
                 audit_log_format(ab, " null");
                 return;
         }
 
-        for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
-                if (av_inherit[i].tclass == tclass) {
-                        common_pts = av_inherit[i].common_pts;
-                        common_base = av_inherit[i].common_base;
-                        break;
-                }
-        }
+        perms = secclass_map[tclass-1].perms;
 
         audit_log_format(ab, " {");
         i = 0;
         perm = 1;
-        while (perm < common_base) {
-                if (perm & av) {
-                        audit_log_format(ab, " %s", common_pts[i]);
+        while (i < (sizeof(av) * 8)) {
+                if ((perm & av) && perms[i]) {
+                        audit_log_format(ab, " %s", perms[i]);
                         av &= ~perm;
                 }
                 i++;
                 perm <<= 1;
         }
 
-        while (i < sizeof(av) * 8) {
-                if (perm & av) {
-                        for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
-                                if ((av_perm_to_string[i2].tclass == tclass) &&
-                                    (av_perm_to_string[i2].value == perm))
-                                        break;
-                        }
-                        if (i2 < ARRAY_SIZE(av_perm_to_string)) {
-                                audit_log_format(ab, " %s",
-                                                 av_perm_to_string[i2].name);
-                                av &= ~perm;
-                        }
-                }
-                i++;
-                perm <<= 1;
-        }
-
         if (av)
                 audit_log_format(ab, " 0x%x", av);
 
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
                 kfree(scontext);
         }
 
-        BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
-        audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
+        BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
+        audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
 }
 
 /**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..c96d63ec4753 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,7 +91,6 @@
 
 #define NUM_SEL_MNT_OPTS 5
 
-extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
 extern struct security_operations *security_ops;
 
@@ -3338,9 +3337,18 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
         return 0;
 }
 
-static int selinux_kernel_module_request(void)
+static int selinux_kernel_module_request(char *kmod_name)
 {
-        return task_has_system(current, SYSTEM__MODULE_REQUEST);
+        u32 sid;
+        struct common_audit_data ad;
+
+        sid = task_sid(current);
+
+        COMMON_AUDIT_DATA_INIT(&ad, KMOD);
+        ad.u.kmod_name = kmod_name;
+
+        return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
+                            SYSTEM__MODULE_REQUEST, &ad);
 }
 
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
@@ -4714,10 +4722,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
         if (err)
                 return err;
 
-        if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
-                err = selinux_nlmsg_perm(sk, skb);
-
-        return err;
+        return selinux_nlmsg_perm(sk, skb);
 }
 
 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
@@ -5830,12 +5835,12 @@ int selinux_disable(void)
         selinux_disabled = 1;
         selinux_enabled = 0;
 
-        /* Try to destroy the avc node cache */
-        avc_disable();
-
         /* Reset security_ops to the secondary module, dummy or capability. */
         security_ops = secondary_ops;
 
+        /* Try to destroy the avc node cache */
+        avc_disable();
+
         /* Unregister netfilter hooks. */
         selinux_nf_ip_exit();
 
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704dae..000000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_DIR, file, 0x00020000UL)
-   S_(SECCLASS_FILE, file, 0x00020000UL)
-   S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
-   S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
-   S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
-   S_(SECCLASS_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_IPC, ipc, 0x00000200UL)
-   S_(SECCLASS_SEM, ipc, 0x00000200UL)
-   S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
-   S_(SECCLASS_SHM, ipc, 0x00000200UL)
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
-   S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d21..000000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
-   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
-   S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
-   S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
-   S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
-   S_(SECCLASS_DIR, DIR__SEARCH, "search")
-   S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
-   S_(SECCLASS_DIR, DIR__OPEN, "open")
-   S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
-   S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
-   S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
-   S_(SECCLASS_FILE, FILE__OPEN, "open")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
-   S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
-   S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
-   S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
-   S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
-   S_(SECCLASS_FD, FD__USE, "use")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
-   S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
-   S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
-   S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
-   S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
-   S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
-   S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
-   S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
-   S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
-   S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
-   S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
-   S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
-   S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
-   S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
-   S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
-   S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
-   S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
-   S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
-   S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
-   S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
-   S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
-   S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
-   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
-   S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
-   S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
-   S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
-   S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
-   S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
-   S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
-   S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
-   S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
-   S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
-   S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
-   S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
-   S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
-   S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
-   S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
-   S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
-   S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
-   S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
-   S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
-   S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
-   S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
-   S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
-   S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
-   S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
-   S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
-   S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
-   S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
-   S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
-   S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
-   S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
-   S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
-   S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
-   S_(SECCLASS_MSG, MSG__SEND, "send")
-   S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
-   S_(SECCLASS_SHM, SHM__LOCK, "lock")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
-   S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
-   S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
-   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
-   S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
-   S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
-   S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
-   S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
-   S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
-   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
-   S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
-   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
-   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
-   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
-   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
-   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
-   S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
-   S_(SECCLASS_PACKET, PACKET__SEND, "send")
-   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
-   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
-   S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
-   S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
-   S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
-   S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
-   S_(SECCLASS_KEY, KEY__VIEW, "view")
-   S_(SECCLASS_KEY, KEY__READ, "read")
-   S_(SECCLASS_KEY, KEY__WRITE, "write")
-   S_(SECCLASS_KEY, KEY__SEARCH, "search")
-   S_(SECCLASS_KEY, KEY__LINK, "link")
-   S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
-   S_(SECCLASS_KEY, KEY__CREATE, "create")
-   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
-   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
-   S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
-   S_(SECCLASS_PEER, PEER__RECV, "recv")
-   S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
-   S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
deleted file mode 100644
index 0546d616ccac..000000000000
--- a/security/selinux/include/av_permissions.h
+++ /dev/null
@@ -1,870 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#define COMMON_FILE__IOCTL                               0x00000001UL
-#define COMMON_FILE__READ                                0x00000002UL
-#define COMMON_FILE__WRITE                               0x00000004UL
-#define COMMON_FILE__CREATE                              0x00000008UL
-#define COMMON_FILE__GETATTR                             0x00000010UL
-#define COMMON_FILE__SETATTR                             0x00000020UL
-#define COMMON_FILE__LOCK                                0x00000040UL
-#define COMMON_FILE__RELABELFROM                         0x00000080UL
-#define COMMON_FILE__RELABELTO                           0x00000100UL
-#define COMMON_FILE__APPEND                              0x00000200UL
-#define COMMON_FILE__UNLINK                              0x00000400UL
-#define COMMON_FILE__LINK                                0x00000800UL
-#define COMMON_FILE__RENAME                              0x00001000UL
-#define COMMON_FILE__EXECUTE                             0x00002000UL
-#define COMMON_FILE__SWAPON                              0x00004000UL
-#define COMMON_FILE__QUOTAON                             0x00008000UL
-#define COMMON_FILE__MOUNTON                             0x00010000UL
-#define COMMON_SOCKET__IOCTL                             0x00000001UL
-#define COMMON_SOCKET__READ                              0x00000002UL
-#define COMMON_SOCKET__WRITE                             0x00000004UL
-#define COMMON_SOCKET__CREATE                            0x00000008UL
-#define COMMON_SOCKET__GETATTR                           0x00000010UL
-#define COMMON_SOCKET__SETATTR                           0x00000020UL
-#define COMMON_SOCKET__LOCK                              0x00000040UL
-#define COMMON_SOCKET__RELABELFROM                       0x00000080UL
-#define COMMON_SOCKET__RELABELTO                         0x00000100UL
-#define COMMON_SOCKET__APPEND                            0x00000200UL
-#define COMMON_SOCKET__BIND                              0x00000400UL
-#define COMMON_SOCKET__CONNECT                           0x00000800UL
-#define COMMON_SOCKET__LISTEN                            0x00001000UL
-#define COMMON_SOCKET__ACCEPT                            0x00002000UL
-#define COMMON_SOCKET__GETOPT                            0x00004000UL
-#define COMMON_SOCKET__SETOPT                            0x00008000UL
-#define COMMON_SOCKET__SHUTDOWN                          0x00010000UL
-#define COMMON_SOCKET__RECVFROM                          0x00020000UL
-#define COMMON_SOCKET__SENDTO                            0x00040000UL
-#define COMMON_SOCKET__RECV_MSG                          0x00080000UL
-#define COMMON_SOCKET__SEND_MSG                          0x00100000UL
-#define COMMON_SOCKET__NAME_BIND                         0x00200000UL
-#define COMMON_IPC__CREATE                               0x00000001UL
-#define COMMON_IPC__DESTROY                              0x00000002UL
-#define COMMON_IPC__GETATTR                              0x00000004UL
-#define COMMON_IPC__SETATTR                              0x00000008UL
-#define COMMON_IPC__READ                                 0x00000010UL
-#define COMMON_IPC__WRITE                                0x00000020UL
-#define COMMON_IPC__ASSOCIATE                            0x00000040UL
-#define COMMON_IPC__UNIX_READ                            0x00000080UL
-#define COMMON_IPC__UNIX_WRITE                           0x00000100UL
-#define FILESYSTEM__MOUNT                         0x00000001UL
-#define FILESYSTEM__REMOUNT                       0x00000002UL
-#define FILESYSTEM__UNMOUNT                       0x00000004UL
-#define FILESYSTEM__GETATTR                       0x00000008UL
-#define FILESYSTEM__RELABELFROM                   0x00000010UL
-#define FILESYSTEM__RELABELTO                     0x00000020UL
-#define FILESYSTEM__TRANSITION                    0x00000040UL
-#define FILESYSTEM__ASSOCIATE                     0x00000080UL
-#define FILESYSTEM__QUOTAMOD                      0x00000100UL
-#define FILESYSTEM__QUOTAGET                      0x00000200UL
-#define DIR__IOCTL                                0x00000001UL
-#define DIR__READ                                 0x00000002UL
-#define DIR__WRITE                                0x00000004UL
-#define DIR__CREATE                               0x00000008UL
-#define DIR__GETATTR                              0x00000010UL
-#define DIR__SETATTR                              0x00000020UL
-#define DIR__LOCK                                 0x00000040UL
-#define DIR__RELABELFROM                          0x00000080UL
-#define DIR__RELABELTO                            0x00000100UL
-#define DIR__APPEND                               0x00000200UL
-#define DIR__UNLINK                               0x00000400UL
-#define DIR__LINK                                 0x00000800UL
-#define DIR__RENAME                               0x00001000UL
-#define DIR__EXECUTE                              0x00002000UL
-#define DIR__SWAPON                               0x00004000UL
-#define DIR__QUOTAON                              0x00008000UL
-#define DIR__MOUNTON                              0x00010000UL
-#define DIR__ADD_NAME                             0x00020000UL
-#define DIR__REMOVE_NAME                          0x00040000UL
-#define DIR__REPARENT                             0x00080000UL
-#define DIR__SEARCH                               0x00100000UL
-#define DIR__RMDIR                                0x00200000UL
-#define DIR__OPEN                                 0x00400000UL
-#define FILE__IOCTL                               0x00000001UL
-#define FILE__READ                                0x00000002UL
-#define FILE__WRITE                               0x00000004UL
-#define FILE__CREATE                              0x00000008UL
-#define FILE__GETATTR                             0x00000010UL
-#define FILE__SETATTR                             0x00000020UL
-#define FILE__LOCK                                0x00000040UL
-#define FILE__RELABELFROM                         0x00000080UL
-#define FILE__RELABELTO                           0x00000100UL
-#define FILE__APPEND                              0x00000200UL
-#define FILE__UNLINK                              0x00000400UL
-#define FILE__LINK                                0x00000800UL
-#define FILE__RENAME                              0x00001000UL
-#define FILE__EXECUTE                             0x00002000UL
-#define FILE__SWAPON                              0x00004000UL
-#define FILE__QUOTAON                             0x00008000UL
-#define FILE__MOUNTON                             0x00010000UL
-#define FILE__EXECUTE_NO_TRANS                    0x00020000UL
-#define FILE__ENTRYPOINT                          0x00040000UL
-#define FILE__EXECMOD                             0x00080000UL
-#define FILE__OPEN                                0x00100000UL
-#define LNK_FILE__IOCTL                           0x00000001UL
-#define LNK_FILE__READ                            0x00000002UL
-#define LNK_FILE__WRITE                           0x00000004UL
-#define LNK_FILE__CREATE                          0x00000008UL
-#define LNK_FILE__GETATTR                         0x00000010UL
-#define LNK_FILE__SETATTR                         0x00000020UL
-#define LNK_FILE__LOCK                            0x00000040UL
-#define LNK_FILE__RELABELFROM                     0x00000080UL
-#define LNK_FILE__RELABELTO                       0x00000100UL
-#define LNK_FILE__APPEND                          0x00000200UL
-#define LNK_FILE__UNLINK                          0x00000400UL
-#define LNK_FILE__LINK                            0x00000800UL
-#define LNK_FILE__RENAME                          0x00001000UL
-#define LNK_FILE__EXECUTE                         0x00002000UL
-#define LNK_FILE__SWAPON                          0x00004000UL
-#define LNK_FILE__QUOTAON                         0x00008000UL
-#define LNK_FILE__MOUNTON                         0x00010000UL
-#define CHR_FILE__IOCTL                           0x00000001UL
-#define CHR_FILE__READ                            0x00000002UL
-#define CHR_FILE__WRITE                           0x00000004UL
-#define CHR_FILE__CREATE                          0x00000008UL
-#define CHR_FILE__GETATTR                         0x00000010UL
-#define CHR_FILE__SETATTR                         0x00000020UL
-#define CHR_FILE__LOCK                            0x00000040UL
-#define CHR_FILE__RELABELFROM                     0x00000080UL
-#define CHR_FILE__RELABELTO                       0x00000100UL
-#define CHR_FILE__APPEND                          0x00000200UL
-#define CHR_FILE__UNLINK                          0x00000400UL
-#define CHR_FILE__LINK                            0x00000800UL
-#define CHR_FILE__RENAME                          0x00001000UL
-#define CHR_FILE__EXECUTE                         0x00002000UL
-#define CHR_FILE__SWAPON                          0x00004000UL
-#define CHR_FILE__QUOTAON                         0x00008000UL
-#define CHR_FILE__MOUNTON                         0x00010000UL
-#define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL
-#define CHR_FILE__ENTRYPOINT                      0x00040000UL
-#define CHR_FILE__EXECMOD                         0x00080000UL
-#define CHR_FILE__OPEN                            0x00100000UL
-#define BLK_FILE__IOCTL                           0x00000001UL
-#define BLK_FILE__READ                            0x00000002UL
-#define BLK_FILE__WRITE                           0x00000004UL
-#define BLK_FILE__CREATE                          0x00000008UL
-#define BLK_FILE__GETATTR                         0x00000010UL
-#define BLK_FILE__SETATTR                         0x00000020UL
-#define BLK_FILE__LOCK                            0x00000040UL
-#define BLK_FILE__RELABELFROM                     0x00000080UL
-#define BLK_FILE__RELABELTO                       0x00000100UL
-#define BLK_FILE__APPEND                          0x00000200UL
-#define BLK_FILE__UNLINK                          0x00000400UL
-#define BLK_FILE__LINK                            0x00000800UL
-#define BLK_FILE__RENAME                          0x00001000UL
-#define BLK_FILE__EXECUTE                         0x00002000UL
-#define BLK_FILE__SWAPON                          0x00004000UL
-#define BLK_FILE__QUOTAON                         0x00008000UL
-#define BLK_FILE__MOUNTON                         0x00010000UL
-#define BLK_FILE__OPEN                            0x00020000UL
-#define SOCK_FILE__IOCTL                          0x00000001UL
-#define SOCK_FILE__READ                           0x00000002UL
-#define SOCK_FILE__WRITE                          0x00000004UL
-#define SOCK_FILE__CREATE                         0x00000008UL
-#define SOCK_FILE__GETATTR                        0x00000010UL
-#define SOCK_FILE__SETATTR                        0x00000020UL
-#define SOCK_FILE__LOCK                           0x00000040UL
-#define SOCK_FILE__RELABELFROM                    0x00000080UL
-#define SOCK_FILE__RELABELTO                      0x00000100UL
-#define SOCK_FILE__APPEND                         0x00000200UL
-#define SOCK_FILE__UNLINK                         0x00000400UL
-#define SOCK_FILE__LINK                           0x00000800UL
-#define SOCK_FILE__RENAME                         0x00001000UL
-#define SOCK_FILE__EXECUTE                        0x00002000UL
-#define SOCK_FILE__SWAPON                         0x00004000UL
-#define SOCK_FILE__QUOTAON                        0x00008000UL
-#define SOCK_FILE__MOUNTON                        0x00010000UL
-#define SOCK_FILE__OPEN                           0x00020000UL
-#define FIFO_FILE__IOCTL                          0x00000001UL
-#define FIFO_FILE__READ                           0x00000002UL
-#define FIFO_FILE__WRITE                          0x00000004UL
-#define FIFO_FILE__CREATE                         0x00000008UL
-#define FIFO_FILE__GETATTR                        0x00000010UL
-#define FIFO_FILE__SETATTR                        0x00000020UL
-#define FIFO_FILE__LOCK                           0x00000040UL
-#define FIFO_FILE__RELABELFROM                    0x00000080UL
-#define FIFO_FILE__RELABELTO                      0x00000100UL
-#define FIFO_FILE__APPEND                         0x00000200UL
-#define FIFO_FILE__UNLINK                         0x00000400UL
-#define FIFO_FILE__LINK                           0x00000800UL
-#define FIFO_FILE__RENAME                         0x00001000UL
-#define FIFO_FILE__EXECUTE                        0x00002000UL
-#define FIFO_FILE__SWAPON                         0x00004000UL
-#define FIFO_FILE__QUOTAON                        0x00008000UL
-#define FIFO_FILE__MOUNTON                        0x00010000UL
-#define FIFO_FILE__OPEN                           0x00020000UL
-#define FD__USE                                   0x00000001UL
-#define SOCKET__IOCTL                             0x00000001UL
-#define SOCKET__READ                              0x00000002UL
-#define SOCKET__WRITE                             0x00000004UL
-#define SOCKET__CREATE                            0x00000008UL
-#define SOCKET__GETATTR                           0x00000010UL
-#define SOCKET__SETATTR                           0x00000020UL
-#define SOCKET__LOCK                              0x00000040UL
-#define SOCKET__RELABELFROM                       0x00000080UL
-#define SOCKET__RELABELTO                         0x00000100UL
-#define SOCKET__APPEND                            0x00000200UL
-#define SOCKET__BIND                              0x00000400UL
-#define SOCKET__CONNECT                           0x00000800UL
-#define SOCKET__LISTEN                            0x00001000UL
-#define SOCKET__ACCEPT                            0x00002000UL
-#define SOCKET__GETOPT                            0x00004000UL
-#define SOCKET__SETOPT                            0x00008000UL
-#define SOCKET__SHUTDOWN                          0x00010000UL
-#define SOCKET__RECVFROM                          0x00020000UL
-#define SOCKET__SENDTO                            0x00040000UL
-#define SOCKET__RECV_MSG                          0x00080000UL
-#define SOCKET__SEND_MSG                          0x00100000UL
-#define SOCKET__NAME_BIND                         0x00200000UL
-#define TCP_SOCKET__IOCTL                         0x00000001UL
-#define TCP_SOCKET__READ                          0x00000002UL
-#define TCP_SOCKET__WRITE                         0x00000004UL
-#define TCP_SOCKET__CREATE                        0x00000008UL
-#define TCP_SOCKET__GETATTR                       0x00000010UL
-#define TCP_SOCKET__SETATTR                       0x00000020UL
-#define TCP_SOCKET__LOCK                          0x00000040UL
-#define TCP_SOCKET__RELABELFROM                   0x00000080UL
-#define TCP_SOCKET__RELABELTO                     0x00000100UL
-#define TCP_SOCKET__APPEND                        0x00000200UL
-#define TCP_SOCKET__BIND                          0x00000400UL
-#define TCP_SOCKET__CONNECT                       0x00000800UL
-#define TCP_SOCKET__LISTEN                        0x00001000UL
-#define TCP_SOCKET__ACCEPT                        0x00002000UL
-#define TCP_SOCKET__GETOPT                        0x00004000UL
-#define TCP_SOCKET__SETOPT                        0x00008000UL
-#define TCP_SOCKET__SHUTDOWN                      0x00010000UL
-#define TCP_SOCKET__RECVFROM                      0x00020000UL
-#define TCP_SOCKET__SENDTO                        0x00040000UL
-#define TCP_SOCKET__RECV_MSG                      0x00080000UL
-#define TCP_SOCKET__SEND_MSG                      0x00100000UL
-#define TCP_SOCKET__NAME_BIND                     0x00200000UL
-#define TCP_SOCKET__CONNECTTO                     0x00400000UL
-#define TCP_SOCKET__NEWCONN                       0x00800000UL
-#define TCP_SOCKET__ACCEPTFROM                    0x01000000UL
-#define TCP_SOCKET__NODE_BIND                     0x02000000UL
-#define TCP_SOCKET__NAME_CONNECT                  0x04000000UL
-#define UDP_SOCKET__IOCTL                         0x00000001UL
-#define UDP_SOCKET__READ                          0x00000002UL
-#define UDP_SOCKET__WRITE                         0x00000004UL
-#define UDP_SOCKET__CREATE                        0x00000008UL
-#define UDP_SOCKET__GETATTR                       0x00000010UL
-#define UDP_SOCKET__SETATTR                       0x00000020UL
-#define UDP_SOCKET__LOCK                          0x00000040UL
-#define UDP_SOCKET__RELABELFROM                   0x00000080UL
-#define UDP_SOCKET__RELABELTO                     0x00000100UL
-#define UDP_SOCKET__APPEND                        0x00000200UL
-#define UDP_SOCKET__BIND                          0x00000400UL
-#define UDP_SOCKET__CONNECT                       0x00000800UL
-#define UDP_SOCKET__LISTEN                        0x00001000UL
-#define UDP_SOCKET__ACCEPT                        0x00002000UL
-#define UDP_SOCKET__GETOPT                        0x00004000UL
-#define UDP_SOCKET__SETOPT                        0x00008000UL
-#define UDP_SOCKET__SHUTDOWN                      0x00010000UL
-#define UDP_SOCKET__RECVFROM                      0x00020000UL
-#define UDP_SOCKET__SENDTO                        0x00040000UL
-#define UDP_SOCKET__RECV_MSG                      0x00080000UL
-#define UDP_SOCKET__SEND_MSG                      0x00100000UL
-#define UDP_SOCKET__NAME_BIND                     0x00200000UL
-#define UDP_SOCKET__NODE_BIND                     0x00400000UL
-#define RAWIP_SOCKET__IOCTL                       0x00000001UL
-#define RAWIP_SOCKET__READ                        0x00000002UL
-#define RAWIP_SOCKET__WRITE                       0x00000004UL
-#define RAWIP_SOCKET__CREATE                      0x00000008UL
-#define RAWIP_SOCKET__GETATTR                     0x00000010UL
-#define RAWIP_SOCKET__SETATTR                     0x00000020UL
-#define RAWIP_SOCKET__LOCK                        0x00000040UL
-#define RAWIP_SOCKET__RELABELFROM                 0x00000080UL
-#define RAWIP_SOCKET__RELABELTO                   0x00000100UL
-#define RAWIP_SOCKET__APPEND                      0x00000200UL
-#define RAWIP_SOCKET__BIND                        0x00000400UL
-#define RAWIP_SOCKET__CONNECT                     0x00000800UL
-#define RAWIP_SOCKET__LISTEN                      0x00001000UL
-#define RAWIP_SOCKET__ACCEPT                      0x00002000UL
-#define RAWIP_SOCKET__GETOPT                      0x00004000UL
-#define RAWIP_SOCKET__SETOPT                      0x00008000UL
-#define RAWIP_SOCKET__SHUTDOWN                    0x00010000UL
-#define RAWIP_SOCKET__RECVFROM                    0x00020000UL
-#define RAWIP_SOCKET__SENDTO                      0x00040000UL
-#define RAWIP_SOCKET__RECV_MSG                    0x00080000UL
-#define RAWIP_SOCKET__SEND_MSG                    0x00100000UL
-#define RAWIP_SOCKET__NAME_BIND                   0x00200000UL
-#define RAWIP_SOCKET__NODE_BIND                   0x00400000UL
-#define NODE__TCP_RECV                            0x00000001UL
-#define NODE__TCP_SEND                            0x00000002UL
-#define NODE__UDP_RECV                            0x00000004UL
-#define NODE__UDP_SEND                            0x00000008UL
-#define NODE__RAWIP_RECV                          0x00000010UL
-#define NODE__RAWIP_SEND                          0x00000020UL
-#define NODE__ENFORCE_DEST                        0x00000040UL
-#define NODE__DCCP_RECV                           0x00000080UL
-#define NODE__DCCP_SEND                           0x00000100UL
-#define NODE__RECVFROM                            0x00000200UL
-#define NODE__SENDTO                              0x00000400UL
-#define NETIF__TCP_RECV                           0x00000001UL
-#define NETIF__TCP_SEND                           0x00000002UL
-#define NETIF__UDP_RECV                           0x00000004UL
-#define NETIF__UDP_SEND                           0x00000008UL
-#define NETIF__RAWIP_RECV                         0x00000010UL
-#define NETIF__RAWIP_SEND                         0x00000020UL
-#define NETIF__DCCP_RECV                          0x00000040UL
-#define NETIF__DCCP_SEND                          0x00000080UL
-#define NETIF__INGRESS                            0x00000100UL
-#define NETIF__EGRESS                             0x00000200UL
-#define NETLINK_SOCKET__IOCTL                     0x00000001UL
-#define NETLINK_SOCKET__READ                      0x00000002UL
-#define NETLINK_SOCKET__WRITE                     0x00000004UL
-#define NETLINK_SOCKET__CREATE                    0x00000008UL
-#define NETLINK_SOCKET__GETATTR                   0x00000010UL
-#define NETLINK_SOCKET__SETATTR                   0x00000020UL
-#define NETLINK_SOCKET__LOCK                      0x00000040UL
-#define NETLINK_SOCKET__RELABELFROM               0x00000080UL
-#define NETLINK_SOCKET__RELABELTO                 0x00000100UL
-#define NETLINK_SOCKET__APPEND                    0x00000200UL
-#define NETLINK_SOCKET__BIND                      0x00000400UL
-#define NETLINK_SOCKET__CONNECT                   0x00000800UL
-#define NETLINK_SOCKET__LISTEN                    0x00001000UL
-#define NETLINK_SOCKET__ACCEPT                    0x00002000UL
-#define NETLINK_SOCKET__GETOPT                    0x00004000UL
-#define NETLINK_SOCKET__SETOPT                    0x00008000UL
-#define NETLINK_SOCKET__SHUTDOWN                  0x00010000UL
-#define NETLINK_SOCKET__RECVFROM                  0x00020000UL
-#define NETLINK_SOCKET__SENDTO                    0x00040000UL
-#define NETLINK_SOCKET__RECV_MSG                  0x00080000UL
-#define NETLINK_SOCKET__SEND_MSG                  0x00100000UL
-#define NETLINK_SOCKET__NAME_BIND                 0x00200000UL
-#define PACKET_SOCKET__IOCTL                      0x00000001UL
-#define PACKET_SOCKET__READ                       0x00000002UL
-#define PACKET_SOCKET__WRITE                      0x00000004UL
-#define PACKET_SOCKET__CREATE                     0x00000008UL
-#define PACKET_SOCKET__GETATTR                    0x00000010UL
-#define PACKET_SOCKET__SETATTR                    0x00000020UL
-#define PACKET_SOCKET__LOCK                       0x00000040UL
-#define PACKET_SOCKET__RELABELFROM                0x00000080UL
-#define PACKET_SOCKET__RELABELTO                  0x00000100UL
-#define PACKET_SOCKET__APPEND                     0x00000200UL
-#define PACKET_SOCKET__BIND                       0x00000400UL
-#define PACKET_SOCKET__CONNECT                    0x00000800UL
-#define PACKET_SOCKET__LISTEN                     0x00001000UL
-#define PACKET_SOCKET__ACCEPT                     0x00002000UL
-#define PACKET_SOCKET__GETOPT                     0x00004000UL
-#define PACKET_SOCKET__SETOPT                     0x00008000UL
-#define PACKET_SOCKET__SHUTDOWN                   0x00010000UL
-#define PACKET_SOCKET__RECVFROM                   0x00020000UL
-#define PACKET_SOCKET__SENDTO                     0x00040000UL
-#define PACKET_SOCKET__RECV_MSG                   0x00080000UL
-#define PACKET_SOCKET__SEND_MSG                   0x00100000UL
-#define PACKET_SOCKET__NAME_BIND                  0x00200000UL
-#define KEY_SOCKET__IOCTL                         0x00000001UL
-#define KEY_SOCKET__READ                          0x00000002UL
-#define KEY_SOCKET__WRITE                         0x00000004UL
-#define KEY_SOCKET__CREATE                        0x00000008UL
-#define KEY_SOCKET__GETATTR                       0x00000010UL
-#define KEY_SOCKET__SETATTR                       0x00000020UL
-#define KEY_SOCKET__LOCK                          0x00000040UL
-#define KEY_SOCKET__RELABELFROM                   0x00000080UL
-#define KEY_SOCKET__RELABELTO                     0x00000100UL
-#define KEY_SOCKET__APPEND                        0x00000200UL
-#define KEY_SOCKET__BIND                          0x00000400UL
-#define KEY_SOCKET__CONNECT                       0x00000800UL
-#define KEY_SOCKET__LISTEN                        0x00001000UL
-#define KEY_SOCKET__ACCEPT                        0x00002000UL
-#define KEY_SOCKET__GETOPT                        0x00004000UL
-#define KEY_SOCKET__SETOPT                        0x00008000UL
-#define KEY_SOCKET__SHUTDOWN                      0x00010000UL
-#define KEY_SOCKET__RECVFROM                      0x00020000UL
-#define KEY_SOCKET__SENDTO                        0x00040000UL
-#define KEY_SOCKET__RECV_MSG                      0x00080000UL
-#define KEY_SOCKET__SEND_MSG                      0x00100000UL
-#define KEY_SOCKET__NAME_BIND                     0x00200000UL
-#define UNIX_STREAM_SOCKET__IOCTL                 0x00000001UL
-#define UNIX_STREAM_SOCKET__READ                  0x00000002UL
-#define UNIX_STREAM_SOCKET__WRITE                 0x00000004UL
-#define UNIX_STREAM_SOCKET__CREATE                0x00000008UL
-#define UNIX_STREAM_SOCKET__GETATTR               0x00000010UL
-#define UNIX_STREAM_SOCKET__SETATTR               0x00000020UL
-#define UNIX_STREAM_SOCKET__LOCK                  0x00000040UL
-#define UNIX_STREAM_SOCKET__RELABELFROM           0x00000080UL
-#define UNIX_STREAM_SOCKET__RELABELTO             0x00000100UL
-#define UNIX_STREAM_SOCKET__APPEND                0x00000200UL
-#define UNIX_STREAM_SOCKET__BIND                  0x00000400UL
-#define UNIX_STREAM_SOCKET__CONNECT               0x00000800UL
-#define UNIX_STREAM_SOCKET__LISTEN                0x00001000UL
-#define UNIX_STREAM_SOCKET__ACCEPT                0x00002000UL
-#define UNIX_STREAM_SOCKET__GETOPT                0x00004000UL
-#define UNIX_STREAM_SOCKET__SETOPT                0x00008000UL
-#define UNIX_STREAM_SOCKET__SHUTDOWN              0x00010000UL
-#define UNIX_STREAM_SOCKET__RECVFROM              0x00020000UL
-#define UNIX_STREAM_SOCKET__SENDTO                0x00040000UL
-#define UNIX_STREAM_SOCKET__RECV_MSG              0x00080000UL
-#define UNIX_STREAM_SOCKET__SEND_MSG              0x00100000UL
-#define UNIX_STREAM_SOCKET__NAME_BIND             0x00200000UL
-#define UNIX_STREAM_SOCKET__CONNECTTO             0x00400000UL
-#define UNIX_STREAM_SOCKET__NEWCONN               0x00800000UL
-#define UNIX_STREAM_SOCKET__ACCEPTFROM            0x01000000UL
-#define UNIX_DGRAM_SOCKET__IOCTL                  0x00000001UL
-#define UNIX_DGRAM_SOCKET__READ                   0x00000002UL
-#define UNIX_DGRAM_SOCKET__WRITE                  0x00000004UL
-#define UNIX_DGRAM_SOCKET__CREATE                 0x00000008UL
-#define UNIX_DGRAM_SOCKET__GETATTR                0x00000010UL
-#define UNIX_DGRAM_SOCKET__SETATTR                0x00000020UL
-#define UNIX_DGRAM_SOCKET__LOCK                   0x00000040UL
-#define UNIX_DGRAM_SOCKET__RELABELFROM            0x00000080UL
-#define UNIX_DGRAM_SOCKET__RELABELTO              0x00000100UL
-#define UNIX_DGRAM_SOCKET__APPEND                 0x00000200UL
-#define UNIX_DGRAM_SOCKET__BIND                   0x00000400UL
-#define UNIX_DGRAM_SOCKET__CONNECT                0x00000800UL
-#define UNIX_DGRAM_SOCKET__LISTEN                 0x00001000UL
-#define UNIX_DGRAM_SOCKET__ACCEPT                 0x00002000UL
-#define UNIX_DGRAM_SOCKET__GETOPT                 0x00004000UL
-#define UNIX_DGRAM_SOCKET__SETOPT                 0x00008000UL
-#define UNIX_DGRAM_SOCKET__SHUTDOWN               0x00010000UL
-#define UNIX_DGRAM_SOCKET__RECVFROM               0x00020000UL
-#define UNIX_DGRAM_SOCKET__SENDTO                 0x00040000UL
-#define UNIX_DGRAM_SOCKET__RECV_MSG               0x00080000UL
-#define UNIX_DGRAM_SOCKET__SEND_MSG               0x00100000UL
-#define UNIX_DGRAM_SOCKET__NAME_BIND              0x00200000UL
-#define TUN_SOCKET__IOCTL                         0x00000001UL
-#define TUN_SOCKET__READ                          0x00000002UL
-#define TUN_SOCKET__WRITE                         0x00000004UL
-#define TUN_SOCKET__CREATE                        0x00000008UL
-#define TUN_SOCKET__GETATTR                       0x00000010UL
-#define TUN_SOCKET__SETATTR                       0x00000020UL
-#define TUN_SOCKET__LOCK                          0x00000040UL
-#define TUN_SOCKET__RELABELFROM                   0x00000080UL
-#define TUN_SOCKET__RELABELTO                     0x00000100UL
-#define TUN_SOCKET__APPEND                        0x00000200UL
-#define TUN_SOCKET__BIND                          0x00000400UL
-#define TUN_SOCKET__CONNECT                       0x00000800UL
-#define TUN_SOCKET__LISTEN                        0x00001000UL
-#define TUN_SOCKET__ACCEPT                        0x00002000UL
-#define TUN_SOCKET__GETOPT                        0x00004000UL
-#define TUN_SOCKET__SETOPT                        0x00008000UL
-#define TUN_SOCKET__SHUTDOWN                      0x00010000UL
-#define TUN_SOCKET__RECVFROM                      0x00020000UL
-#define TUN_SOCKET__SENDTO                        0x00040000UL
-#define TUN_SOCKET__RECV_MSG                      0x00080000UL
-#define TUN_SOCKET__SEND_MSG                      0x00100000UL
-#define TUN_SOCKET__NAME_BIND                     0x00200000UL
-#define PROCESS__FORK                             0x00000001UL
-#define PROCESS__TRANSITION                       0x00000002UL
-#define PROCESS__SIGCHLD                          0x00000004UL
-#define PROCESS__SIGKILL                          0x00000008UL
-#define PROCESS__SIGSTOP                          0x00000010UL
-#define PROCESS__SIGNULL                          0x00000020UL
-#define PROCESS__SIGNAL                           0x00000040UL
-#define PROCESS__PTRACE                           0x00000080UL
-#define PROCESS__GETSCHED                         0x00000100UL
-#define PROCESS__SETSCHED                         0x00000200UL
-#define PROCESS__GETSESSION                       0x00000400UL
-#define PROCESS__GETPGID                          0x00000800UL
-#define PROCESS__SETPGID                          0x00001000UL
-#define PROCESS__GETCAP                           0x00002000UL
-#define PROCESS__SETCAP                           0x00004000UL
-#define PROCESS__SHARE                            0x00008000UL
-#define PROCESS__GETATTR                          0x00010000UL
-#define PROCESS__SETEXEC                          0x00020000UL
-#define PROCESS__SETFSCREATE                      0x00040000UL
-#define PROCESS__NOATSECURE                       0x00080000UL
-#define PROCESS__SIGINH                           0x00100000UL
-#define PROCESS__SETRLIMIT                        0x00200000UL
-#define PROCESS__RLIMITINH                        0x00400000UL
-#define PROCESS__DYNTRANSITION                    0x00800000UL
-#define PROCESS__SETCURRENT                       0x01000000UL
-#define PROCESS__EXECMEM                          0x02000000UL
-#define PROCESS__EXECSTACK                        0x04000000UL
-#define PROCESS__EXECHEAP                         0x08000000UL
-#define PROCESS__SETKEYCREATE                     0x10000000UL
-#define PROCESS__SETSOCKCREATE                    0x20000000UL
-#define IPC__CREATE                               0x00000001UL
-#define IPC__DESTROY                              0x00000002UL
-#define IPC__GETATTR                              0x00000004UL
-#define IPC__SETATTR                              0x00000008UL
-#define IPC__READ                                 0x00000010UL
-#define IPC__WRITE                                0x00000020UL
-#define IPC__ASSOCIATE                            0x00000040UL
-#define IPC__UNIX_READ                            0x00000080UL
-#define IPC__UNIX_WRITE                           0x00000100UL
-#define SEM__CREATE                               0x00000001UL
-#define SEM__DESTROY                              0x00000002UL
-#define SEM__GETATTR                              0x00000004UL
-#define SEM__SETATTR                              0x00000008UL
-#define SEM__READ                                 0x00000010UL
-#define SEM__WRITE                                0x00000020UL
-#define SEM__ASSOCIATE                            0x00000040UL
-#define SEM__UNIX_READ                            0x00000080UL
-#define SEM__UNIX_WRITE                           0x00000100UL
-#define MSGQ__CREATE                              0x00000001UL
-#define MSGQ__DESTROY                             0x00000002UL
-#define MSGQ__GETATTR                             0x00000004UL
-#define MSGQ__SETATTR                             0x00000008UL
-#define MSGQ__READ                                0x00000010UL
-#define MSGQ__WRITE                               0x00000020UL
-#define MSGQ__ASSOCIATE                           0x00000040UL
-#define MSGQ__UNIX_READ                           0x00000080UL
-#define MSGQ__UNIX_WRITE                          0x00000100UL
-#define MSGQ__ENQUEUE                             0x00000200UL
-#define MSG__SEND                                 0x00000001UL
-#define MSG__RECEIVE                              0x00000002UL
-#define SHM__CREATE                               0x00000001UL
-#define SHM__DESTROY                              0x00000002UL
-#define SHM__GETATTR                              0x00000004UL
-#define SHM__SETATTR                              0x00000008UL
-#define SHM__READ                                 0x00000010UL
-#define SHM__WRITE                                0x00000020UL
-#define SHM__ASSOCIATE                            0x00000040UL
-#define SHM__UNIX_READ                            0x00000080UL
-#define SHM__UNIX_WRITE                           0x00000100UL
-#define SHM__LOCK                                 0x00000200UL
-#define SECURITY__COMPUTE_AV                      0x00000001UL
-#define SECURITY__COMPUTE_CREATE                  0x00000002UL
-#define SECURITY__COMPUTE_MEMBER                  0x00000004UL
-#define SECURITY__CHECK_CONTEXT                   0x00000008UL
-#define SECURITY__LOAD_POLICY                     0x00000010UL
-#define SECURITY__COMPUTE_RELABEL                 0x00000020UL
-#define SECURITY__COMPUTE_USER                    0x00000040UL
-#define SECURITY__SETENFORCE                      0x00000080UL
-#define SECURITY__SETBOOL                         0x00000100UL
-#define SECURITY__SETSECPARAM                     0x00000200UL
-#define SECURITY__SETCHECKREQPROT                 0x00000400UL
-#define SYSTEM__IPC_INFO                          0x00000001UL
-#define SYSTEM__SYSLOG_READ                       0x00000002UL
-#define SYSTEM__SYSLOG_MOD                        0x00000004UL
-#define SYSTEM__SYSLOG_CONSOLE                    0x00000008UL
-#define SYSTEM__MODULE_REQUEST                    0x00000010UL
-#define CAPABILITY__CHOWN                         0x00000001UL
-#define CAPABILITY__DAC_OVERRIDE                  0x00000002UL
-#define CAPABILITY__DAC_READ_SEARCH               0x00000004UL
-#define CAPABILITY__FOWNER                        0x00000008UL
-#define CAPABILITY__FSETID                        0x00000010UL
-#define CAPABILITY__KILL                          0x00000020UL
-#define CAPABILITY__SETGID                        0x00000040UL
-#define CAPABILITY__SETUID                        0x00000080UL
-#define CAPABILITY__SETPCAP                       0x00000100UL
-#define CAPABILITY__LINUX_IMMUTABLE               0x00000200UL
-#define CAPABILITY__NET_BIND_SERVICE              0x00000400UL
-#define CAPABILITY__NET_BROADCAST                 0x00000800UL
-#define CAPABILITY__NET_ADMIN                     0x00001000UL
-#define CAPABILITY__NET_RAW                       0x00002000UL
-#define CAPABILITY__IPC_LOCK                      0x00004000UL
-#define CAPABILITY__IPC_OWNER                     0x00008000UL
-#define CAPABILITY__SYS_MODULE                    0x00010000UL
-#define CAPABILITY__SYS_RAWIO                     0x00020000UL
-#define CAPABILITY__SYS_CHROOT                    0x00040000UL
-#define CAPABILITY__SYS_PTRACE                    0x00080000UL
-#define CAPABILITY__SYS_PACCT                     0x00100000UL
-#define CAPABILITY__SYS_ADMIN                     0x00200000UL
-#define CAPABILITY__SYS_BOOT                      0x00400000UL
-#define CAPABILITY__SYS_NICE                      0x00800000UL
-#define CAPABILITY__SYS_RESOURCE                  0x01000000UL
-#define CAPABILITY__SYS_TIME                      0x02000000UL
-#define CAPABILITY__SYS_TTY_CONFIG                0x04000000UL
-#define CAPABILITY__MKNOD                         0x08000000UL
-#define CAPABILITY__LEASE                         0x10000000UL
-#define CAPABILITY__AUDIT_WRITE                   0x20000000UL
-#define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
-#define CAPABILITY__SETFCAP                       0x80000000UL
-#define CAPABILITY2__MAC_OVERRIDE                 0x00000001UL
-#define CAPABILITY2__MAC_ADMIN                    0x00000002UL
-#define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
-#define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
-#define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL
-#define NETLINK_ROUTE_SOCKET__CREATE              0x00000008UL
-#define NETLINK_ROUTE_SOCKET__GETATTR             0x00000010UL
-#define NETLINK_ROUTE_SOCKET__SETATTR             0x00000020UL
-#define NETLINK_ROUTE_SOCKET__LOCK                0x00000040UL
-#define NETLINK_ROUTE_SOCKET__RELABELFROM         0x00000080UL
-#define NETLINK_ROUTE_SOCKET__RELABELTO           0x00000100UL
-#define NETLINK_ROUTE_SOCKET__APPEND              0x00000200UL
-#define NETLINK_ROUTE_SOCKET__BIND                0x00000400UL
-#define NETLINK_ROUTE_SOCKET__CONNECT             0x00000800UL
-#define NETLINK_ROUTE_SOCKET__LISTEN              0x00001000UL
-#define NETLINK_ROUTE_SOCKET__ACCEPT              0x00002000UL
-#define NETLINK_ROUTE_SOCKET__GETOPT              0x00004000UL
-#define NETLINK_ROUTE_SOCKET__SETOPT              0x00008000UL
-#define NETLINK_ROUTE_SOCKET__SHUTDOWN            0x00010000UL
-#define NETLINK_ROUTE_SOCKET__RECVFROM            0x00020000UL
-#define NETLINK_ROUTE_SOCKET__SENDTO              0x00040000UL
-#define NETLINK_ROUTE_SOCKET__RECV_MSG            0x00080000UL
-#define NETLINK_ROUTE_SOCKET__SEND_MSG            0x00100000UL
-#define NETLINK_ROUTE_SOCKET__NAME_BIND           0x00200000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_READ          0x00400000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE         0x00800000UL
-#define NETLINK_FIREWALL_SOCKET__IOCTL            0x00000001UL
-#define NETLINK_FIREWALL_SOCKET__READ             0x00000002UL
-#define NETLINK_FIREWALL_SOCKET__WRITE            0x00000004UL
-#define NETLINK_FIREWALL_SOCKET__CREATE           0x00000008UL
-#define NETLINK_FIREWALL_SOCKET__GETATTR          0x00000010UL
-#define NETLINK_FIREWALL_SOCKET__SETATTR          0x00000020UL
-#define NETLINK_FIREWALL_SOCKET__LOCK             0x00000040UL
-#define NETLINK_FIREWALL_SOCKET__RELABELFROM      0x00000080UL
-#define NETLINK_FIREWALL_SOCKET__RELABELTO        0x00000100UL
-#define NETLINK_FIREWALL_SOCKET__APPEND           0x00000200UL
-#define NETLINK_FIREWALL_SOCKET__BIND             0x00000400UL
-#define NETLINK_FIREWALL_SOCKET__CONNECT          0x00000800UL
-#define NETLINK_FIREWALL_SOCKET__LISTEN           0x00001000UL
-#define NETLINK_FIREWALL_SOCKET__ACCEPT           0x00002000UL
-#define NETLINK_FIREWALL_SOCKET__GETOPT           0x00004000UL
-#define NETLINK_FIREWALL_SOCKET__SETOPT           0x00008000UL
-#define NETLINK_FIREWALL_SOCKET__SHUTDOWN         0x00010000UL
-#define NETLINK_FIREWALL_SOCKET__RECVFROM         0x00020000UL
-#define NETLINK_FIREWALL_SOCKET__SENDTO           0x00040000UL
-#define NETLINK_FIREWALL_SOCKET__RECV_MSG         0x00080000UL
-#define NETLINK_FIREWALL_SOCKET__SEND_MSG         0x00100000UL
-#define NETLINK_FIREWALL_SOCKET__NAME_BIND        0x00200000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_READ       0x00400000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE      0x00800000UL
-#define NETLINK_TCPDIAG_SOCKET__IOCTL             0x00000001UL
-#define NETLINK_TCPDIAG_SOCKET__READ              0x00000002UL
-#define NETLINK_TCPDIAG_SOCKET__WRITE             0x00000004UL
-#define NETLINK_TCPDIAG_SOCKET__CREATE            0x00000008UL
-#define NETLINK_TCPDIAG_SOCKET__GETATTR           0x00000010UL
-#define NETLINK_TCPDIAG_SOCKET__SETATTR           0x00000020UL
-#define NETLINK_TCPDIAG_SOCKET__LOCK              0x00000040UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELFROM       0x00000080UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELTO         0x00000100UL
-#define NETLINK_TCPDIAG_SOCKET__APPEND            0x00000200UL
-#define NETLINK_TCPDIAG_SOCKET__BIND              0x00000400UL
-#define NETLINK_TCPDIAG_SOCKET__CONNECT           0x00000800UL
-#define NETLINK_TCPDIAG_SOCKET__LISTEN            0x00001000UL
-#define NETLINK_TCPDIAG_SOCKET__ACCEPT            0x00002000UL
-#define NETLINK_TCPDIAG_SOCKET__GETOPT            0x00004000UL
-#define NETLINK_TCPDIAG_SOCKET__SETOPT            0x00008000UL
-#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN          0x00010000UL
-#define NETLINK_TCPDIAG_SOCKET__RECVFROM          0x00020000UL
-#define NETLINK_TCPDIAG_SOCKET__SENDTO            0x00040000UL
-#define NETLINK_TCPDIAG_SOCKET__RECV_MSG          0x00080000UL
-#define NETLINK_TCPDIAG_SOCKET__SEND_MSG          0x00100000UL
-#define NETLINK_TCPDIAG_SOCKET__NAME_BIND         0x00200000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ        0x00400000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE       0x00800000UL
-#define NETLINK_NFLOG_SOCKET__IOCTL               0x00000001UL
-#define NETLINK_NFLOG_SOCKET__READ                0x00000002UL
-#define NETLINK_NFLOG_SOCKET__WRITE               0x00000004UL
-#define NETLINK_NFLOG_SOCKET__CREATE              0x00000008UL
-#define NETLINK_NFLOG_SOCKET__GETATTR             0x00000010UL
-#define NETLINK_NFLOG_SOCKET__SETATTR             0x00000020UL
-#define NETLINK_NFLOG_SOCKET__LOCK                0x00000040UL
-#define NETLINK_NFLOG_SOCKET__RELABELFROM         0x00000080UL
-#define NETLINK_NFLOG_SOCKET__RELABELTO           0x00000100UL
-#define NETLINK_NFLOG_SOCKET__APPEND              0x00000200UL
-#define NETLINK_NFLOG_SOCKET__BIND                0x00000400UL
-#define NETLINK_NFLOG_SOCKET__CONNECT             0x00000800UL
-#define NETLINK_NFLOG_SOCKET__LISTEN              0x00001000UL
-#define NETLINK_NFLOG_SOCKET__ACCEPT              0x00002000UL
-#define NETLINK_NFLOG_SOCKET__GETOPT              0x00004000UL
-#define NETLINK_NFLOG_SOCKET__SETOPT              0x00008000UL
-#define NETLINK_NFLOG_SOCKET__SHUTDOWN            0x00010000UL
-#define NETLINK_NFLOG_SOCKET__RECVFROM            0x00020000UL
-#define NETLINK_NFLOG_SOCKET__SENDTO              0x00040000UL
-#define NETLINK_NFLOG_SOCKET__RECV_MSG            0x00080000UL
-#define NETLINK_NFLOG_SOCKET__SEND_MSG            0x00100000UL
-#define NETLINK_NFLOG_SOCKET__NAME_BIND           0x00200000UL
-#define NETLINK_XFRM_SOCKET__IOCTL                0x00000001UL
-#define NETLINK_XFRM_SOCKET__READ                 0x00000002UL
-#define NETLINK_XFRM_SOCKET__WRITE                0x00000004UL
-#define NETLINK_XFRM_SOCKET__CREATE               0x00000008UL
-#define NETLINK_XFRM_SOCKET__GETATTR              0x00000010UL
-#define NETLINK_XFRM_SOCKET__SETATTR              0x00000020UL
-#define NETLINK_XFRM_SOCKET__LOCK                 0x00000040UL
-#define NETLINK_XFRM_SOCKET__RELABELFROM          0x00000080UL
-#define NETLINK_XFRM_SOCKET__RELABELTO            0x00000100UL
-#define NETLINK_XFRM_SOCKET__APPEND               0x00000200UL
-#define NETLINK_XFRM_SOCKET__BIND                 0x00000400UL
-#define NETLINK_XFRM_SOCKET__CONNECT              0x00000800UL
-#define NETLINK_XFRM_SOCKET__LISTEN               0x00001000UL
-#define NETLINK_XFRM_SOCKET__ACCEPT               0x00002000UL
-#define NETLINK_XFRM_SOCKET__GETOPT               0x00004000UL
-#define NETLINK_XFRM_SOCKET__SETOPT               0x00008000UL
-#define NETLINK_XFRM_SOCKET__SHUTDOWN             0x00010000UL
-#define NETLINK_XFRM_SOCKET__RECVFROM             0x00020000UL
-#define NETLINK_XFRM_SOCKET__SENDTO               0x00040000UL
-#define NETLINK_XFRM_SOCKET__RECV_MSG             0x00080000UL
-#define NETLINK_XFRM_SOCKET__SEND_MSG             0x00100000UL
-#define NETLINK_XFRM_SOCKET__NAME_BIND            0x00200000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_READ           0x00400000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_WRITE          0x00800000UL
-#define NETLINK_SELINUX_SOCKET__IOCTL             0x00000001UL
-#define NETLINK_SELINUX_SOCKET__READ              0x00000002UL
-#define NETLINK_SELINUX_SOCKET__WRITE             0x00000004UL
-#define NETLINK_SELINUX_SOCKET__CREATE            0x00000008UL
-#define NETLINK_SELINUX_SOCKET__GETATTR           0x00000010UL
-#define NETLINK_SELINUX_SOCKET__SETATTR           0x00000020UL
-#define NETLINK_SELINUX_SOCKET__LOCK              0x00000040UL
-#define NETLINK_SELINUX_SOCKET__RELABELFROM       0x00000080UL
-#define NETLINK_SELINUX_SOCKET__RELABELTO         0x00000100UL
-#define NETLINK_SELINUX_SOCKET__APPEND            0x00000200UL
-#define NETLINK_SELINUX_SOCKET__BIND              0x00000400UL
-#define NETLINK_SELINUX_SOCKET__CONNECT           0x00000800UL
-#define NETLINK_SELINUX_SOCKET__LISTEN            0x00001000UL
-#define NETLINK_SELINUX_SOCKET__ACCEPT            0x00002000UL
-#define NETLINK_SELINUX_SOCKET__GETOPT            0x00004000UL
-#define NETLINK_SELINUX_SOCKET__SETOPT            0x00008000UL
-#define NETLINK_SELINUX_SOCKET__SHUTDOWN          0x00010000UL
-#define NETLINK_SELINUX_SOCKET__RECVFROM          0x00020000UL
-#define NETLINK_SELINUX_SOCKET__SENDTO            0x00040000UL
-#define NETLINK_SELINUX_SOCKET__RECV_MSG          0x00080000UL
-#define NETLINK_SELINUX_SOCKET__SEND_MSG          0x00100000UL
-#define NETLINK_SELINUX_SOCKET__NAME_BIND         0x00200000UL
-#define NETLINK_AUDIT_SOCKET__IOCTL               0x00000001UL
-#define NETLINK_AUDIT_SOCKET__READ                0x00000002UL
-#define NETLINK_AUDIT_SOCKET__WRITE               0x00000004UL
-#define NETLINK_AUDIT_SOCKET__CREATE              0x00000008UL
-#define NETLINK_AUDIT_SOCKET__GETATTR             0x00000010UL
-#define NETLINK_AUDIT_SOCKET__SETATTR             0x00000020UL
-#define NETLINK_AUDIT_SOCKET__LOCK                0x00000040UL
-#define NETLINK_AUDIT_SOCKET__RELABELFROM         0x00000080UL
-#define NETLINK_AUDIT_SOCKET__RELABELTO           0x00000100UL
-#define NETLINK_AUDIT_SOCKET__APPEND              0x00000200UL
-#define NETLINK_AUDIT_SOCKET__BIND                0x00000400UL
-#define NETLINK_AUDIT_SOCKET__CONNECT             0x00000800UL
-#define NETLINK_AUDIT_SOCKET__LISTEN              0x00001000UL
-#define NETLINK_AUDIT_SOCKET__ACCEPT              0x00002000UL
-#define NETLINK_AUDIT_SOCKET__GETOPT              0x00004000UL
-#define NETLINK_AUDIT_SOCKET__SETOPT              0x00008000UL
-#define NETLINK_AUDIT_SOCKET__SHUTDOWN            0x00010000UL
-#define NETLINK_AUDIT_SOCKET__RECVFROM            0x00020000UL
-#define NETLINK_AUDIT_SOCKET__SENDTO              0x00040000UL
-#define NETLINK_AUDIT_SOCKET__RECV_MSG            0x00080000UL
-#define NETLINK_AUDIT_SOCKET__SEND_MSG            0x00100000UL
-#define NETLINK_AUDIT_SOCKET__NAME_BIND           0x00200000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READ          0x00400000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE         0x00800000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY         0x01000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV      0x02000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT     0x04000000UL
-#define NETLINK_IP6FW_SOCKET__IOCTL               0x00000001UL
-#define NETLINK_IP6FW_SOCKET__READ                0x00000002UL
-#define NETLINK_IP6FW_SOCKET__WRITE               0x00000004UL
-#define NETLINK_IP6FW_SOCKET__CREATE              0x00000008UL
-#define NETLINK_IP6FW_SOCKET__GETATTR             0x00000010UL
-#define NETLINK_IP6FW_SOCKET__SETATTR             0x00000020UL
-#define NETLINK_IP6FW_SOCKET__LOCK                0x00000040UL
-#define NETLINK_IP6FW_SOCKET__RELABELFROM         0x00000080UL
-#define NETLINK_IP6FW_SOCKET__RELABELTO           0x00000100UL
-#define NETLINK_IP6FW_SOCKET__APPEND              0x00000200UL
-#define NETLINK_IP6FW_SOCKET__BIND                0x00000400UL
-#define NETLINK_IP6FW_SOCKET__CONNECT             0x00000800UL
-#define NETLINK_IP6FW_SOCKET__LISTEN              0x00001000UL
-#define NETLINK_IP6FW_SOCKET__ACCEPT              0x00002000UL
-#define NETLINK_IP6FW_SOCKET__GETOPT              0x00004000UL
-#define NETLINK_IP6FW_SOCKET__SETOPT              0x00008000UL
-#define NETLINK_IP6FW_SOCKET__SHUTDOWN            0x00010000UL
-#define NETLINK_IP6FW_SOCKET__RECVFROM            0x00020000UL
-#define NETLINK_IP6FW_SOCKET__SENDTO              0x00040000UL
-#define NETLINK_IP6FW_SOCKET__RECV_MSG            0x00080000UL
-#define NETLINK_IP6FW_SOCKET__SEND_MSG            0x00100000UL
-#define NETLINK_IP6FW_SOCKET__NAME_BIND           0x00200000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_READ          0x00400000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE         0x00800000UL
-#define NETLINK_DNRT_SOCKET__IOCTL                0x00000001UL
-#define NETLINK_DNRT_SOCKET__READ                 0x00000002UL
-#define NETLINK_DNRT_SOCKET__WRITE                0x00000004UL
-#define NETLINK_DNRT_SOCKET__CREATE               0x00000008UL
-#define NETLINK_DNRT_SOCKET__GETATTR              0x00000010UL
-#define NETLINK_DNRT_SOCKET__SETATTR              0x00000020UL
-#define NETLINK_DNRT_SOCKET__LOCK                 0x00000040UL
-#define NETLINK_DNRT_SOCKET__RELABELFROM          0x00000080UL
-#define NETLINK_DNRT_SOCKET__RELABELTO            0x00000100UL
-#define NETLINK_DNRT_SOCKET__APPEND               0x00000200UL
-#define NETLINK_DNRT_SOCKET__BIND                 0x00000400UL
-#define NETLINK_DNRT_SOCKET__CONNECT              0x00000800UL
-#define NETLINK_DNRT_SOCKET__LISTEN               0x00001000UL
-#define NETLINK_DNRT_SOCKET__ACCEPT               0x00002000UL
-#define NETLINK_DNRT_SOCKET__GETOPT               0x00004000UL
-#define NETLINK_DNRT_SOCKET__SETOPT               0x00008000UL
-#define NETLINK_DNRT_SOCKET__SHUTDOWN             0x00010000UL
-#define NETLINK_DNRT_SOCKET__RECVFROM             0x00020000UL
-#define NETLINK_DNRT_SOCKET__SENDTO               0x00040000UL
-#define NETLINK_DNRT_SOCKET__RECV_MSG             0x00080000UL
-#define NETLINK_DNRT_SOCKET__SEND_MSG             0x00100000UL
-#define NETLINK_DNRT_SOCKET__NAME_BIND            0x00200000UL
-#define ASSOCIATION__SENDTO                       0x00000001UL
-#define ASSOCIATION__RECVFROM                     0x00000002UL
-#define ASSOCIATION__SETCONTEXT                   0x00000004UL
-#define ASSOCIATION__POLMATCH                     0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE      0x00000004UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE     0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR    0x00000010UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR    0x00000020UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK       0x00000040UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO  0x00000100UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND     0x00000200UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND       0x00000400UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT    0x00000800UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN     0x00001000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT     0x00002000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT     0x00004000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT     0x00008000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN   0x00010000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM   0x00020000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO     0x00040000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG   0x00080000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG   0x00100000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND  0x00200000UL
-#define APPLETALK_SOCKET__IOCTL                   0x00000001UL
-#define APPLETALK_SOCKET__READ                    0x00000002UL
-#define APPLETALK_SOCKET__WRITE                   0x00000004UL
-#define APPLETALK_SOCKET__CREATE                  0x00000008UL
-#define APPLETALK_SOCKET__GETATTR                 0x00000010UL
-#define APPLETALK_SOCKET__SETATTR                 0x00000020UL
-#define APPLETALK_SOCKET__LOCK                    0x00000040UL
-#define APPLETALK_SOCKET__RELABELFROM             0x00000080UL
-#define APPLETALK_SOCKET__RELABELTO               0x00000100UL
-#define APPLETALK_SOCKET__APPEND                  0x00000200UL
-#define APPLETALK_SOCKET__BIND                    0x00000400UL
-#define APPLETALK_SOCKET__CONNECT                 0x00000800UL
-#define APPLETALK_SOCKET__LISTEN                  0x00001000UL
-#define APPLETALK_SOCKET__ACCEPT                  0x00002000UL
-#define APPLETALK_SOCKET__GETOPT                  0x00004000UL
-#define APPLETALK_SOCKET__SETOPT                  0x00008000UL
-#define APPLETALK_SOCKET__SHUTDOWN                0x00010000UL
-#define APPLETALK_SOCKET__RECVFROM                0x00020000UL
-#define APPLETALK_SOCKET__SENDTO                  0x00040000UL
-#define APPLETALK_SOCKET__RECV_MSG                0x00080000UL
-#define APPLETALK_SOCKET__SEND_MSG                0x00100000UL
-#define APPLETALK_SOCKET__NAME_BIND               0x00200000UL
-#define PACKET__SEND                              0x00000001UL
-#define PACKET__RECV                              0x00000002UL
-#define PACKET__RELABELTO                         0x00000004UL
-#define PACKET__FLOW_IN                           0x00000008UL
-#define PACKET__FLOW_OUT                          0x00000010UL
-#define PACKET__FORWARD_IN                        0x00000020UL
-#define PACKET__FORWARD_OUT                       0x00000040UL
-#define KEY__VIEW                                 0x00000001UL
-#define KEY__READ                                 0x00000002UL
-#define KEY__WRITE                                0x00000004UL
-#define KEY__SEARCH                               0x00000008UL
-#define KEY__LINK                                 0x00000010UL
-#define KEY__SETATTR                              0x00000020UL
-#define KEY__CREATE                               0x00000040UL
-#define DCCP_SOCKET__IOCTL                        0x00000001UL
-#define DCCP_SOCKET__READ                         0x00000002UL
-#define DCCP_SOCKET__WRITE                        0x00000004UL
-#define DCCP_SOCKET__CREATE                       0x00000008UL
-#define DCCP_SOCKET__GETATTR                      0x00000010UL
-#define DCCP_SOCKET__SETATTR                      0x00000020UL
-#define DCCP_SOCKET__LOCK                         0x00000040UL
-#define DCCP_SOCKET__RELABELFROM                  0x00000080UL
-#define DCCP_SOCKET__RELABELTO                    0x00000100UL
-#define DCCP_SOCKET__APPEND                       0x00000200UL
-#define DCCP_SOCKET__BIND                         0x00000400UL
-#define DCCP_SOCKET__CONNECT                      0x00000800UL
-#define DCCP_SOCKET__LISTEN                       0x00001000UL
-#define DCCP_SOCKET__ACCEPT                       0x00002000UL
-#define DCCP_SOCKET__GETOPT                       0x00004000UL
-#define DCCP_SOCKET__SETOPT                       0x00008000UL
-#define DCCP_SOCKET__SHUTDOWN                     0x00010000UL
-#define DCCP_SOCKET__RECVFROM                     0x00020000UL
-#define DCCP_SOCKET__SENDTO                       0x00040000UL
-#define DCCP_SOCKET__RECV_MSG                     0x00080000UL
-#define DCCP_SOCKET__SEND_MSG                     0x00100000UL
-#define DCCP_SOCKET__NAME_BIND                    0x00200000UL
-#define DCCP_SOCKET__NODE_BIND                    0x00400000UL
-#define DCCP_SOCKET__NAME_CONNECT                 0x00800000UL
-#define MEMPROTECT__MMAP_ZERO                     0x00000001UL
-#define PEER__RECV                                0x00000001UL
-#define KERNEL_SERVICE__USE_AS_OVERRIDE           0x00000001UL
-#define KERNEL_SERVICE__CREATE_FILES_AS           0x00000002UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdfe..4677aa519b04 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
 
 int avc_ss_reset(u32 seqno);
 
-struct av_perm_to_string {
-        u16 tclass;
-        u32 value;
+/* Class/perm mapping support */
+struct security_class_mapping {
         const char *name;
+        const char *perms[sizeof(u32) * 8 + 1];
 };
 
-struct av_inherit {
-        const char **common_pts;
-        u32 common_base;
-        u16 tclass;
-};
-
-struct selinux_class_perm {
-        const struct av_perm_to_string *av_perm_to_string;
-        u32 av_pts_len;
-        u32 cts_len;
-        const char **class_to_string;
-        const struct av_inherit *av_inherit;
-        u32 av_inherit_len;
-};
+extern struct security_class_mapping secclass_map[];
 
 #endif /* _SELINUX_AVC_SS_H_ */
 
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6b..000000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-/*
- * Security object class definitions
- */
-    S_(NULL)
-    S_("security")
-    S_("process")
-    S_("system")
-    S_("capability")
-    S_("filesystem")
-    S_("file")
-    S_("dir")
-    S_("fd")
-    S_("lnk_file")
-    S_("chr_file")
-    S_("blk_file")
-    S_("sock_file")
-    S_("fifo_file")
-    S_("socket")
-    S_("tcp_socket")
-    S_("udp_socket")
-    S_("rawip_socket")
-    S_("node")
-    S_("netif")
-    S_("netlink_socket")
-    S_("packet_socket")
-    S_("key_socket")
-    S_("unix_stream_socket")
-    S_("unix_dgram_socket")
-    S_("sem")
-    S_("msg")
-    S_("msgq")
-    S_("shm")
-    S_("ipc")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("netlink_route_socket")
-    S_("netlink_firewall_socket")
-    S_("netlink_tcpdiag_socket")
-    S_("netlink_nflog_socket")
-    S_("netlink_xfrm_socket")
-    S_("netlink_selinux_socket")
-    S_("netlink_audit_socket")
-    S_("netlink_ip6fw_socket")
-    S_("netlink_dnrt_socket")
-    S_(NULL)
-    S_(NULL)
-    S_("association")
-    S_("netlink_kobject_uevent_socket")
-    S_("appletalk_socket")
-    S_("packet")
-    S_("key")
-    S_(NULL)
-    S_("dccp_socket")
-    S_("memprotect")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("peer")
-    S_("capability2")
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_(NULL)
-    S_("kernel_service")
-    S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 000000000000..8b32e959bb2e
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
+#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
+    "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+
+#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
+    "rename", "execute", "swapon", "quotaon", "mounton"
+
+#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
+    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
+    "sendto", "recv_msg", "send_msg", "name_bind"
+
+#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
+            "write", "associate", "unix_read", "unix_write"
+
+struct security_class_mapping secclass_map[] = {
+        { "security",
+          { "compute_av", "compute_create", "compute_member",
+            "check_context", "load_policy", "compute_relabel",
+            "compute_user", "setenforce", "setbool", "setsecparam",
+            "setcheckreqprot", NULL } },
+        { "process",
+          { "fork", "transition", "sigchld", "sigkill",
+            "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
+            "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
+            "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+            "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+            "execmem", "execstack", "execheap", "setkeycreate",
+            "setsockcreate", NULL } },
+        { "system",
+          { "ipc_info", "syslog_read", "syslog_mod",
+            "syslog_console", "module_request", NULL } },
+        { "capability",
+          { "chown", "dac_override", "dac_read_search",
+            "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
+            "linux_immutable", "net_bind_service", "net_broadcast",
+            "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
+            "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
+            "sys_boot", "sys_nice", "sys_resource", "sys_time",
+            "sys_tty_config", "mknod", "lease", "audit_write",
+            "audit_control", "setfcap", NULL } },
+        { "filesystem",
+          { "mount", "remount", "unmount", "getattr",
+            "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+            "quotaget", NULL } },
+        { "file",
+          { COMMON_FILE_PERMS,
+            "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+        { "dir",
+          { COMMON_FILE_PERMS, "add_name", "remove_name",
+            "reparent", "search", "rmdir", "open", NULL } },
+        { "fd", { "use", NULL } },
+        { "lnk_file",
+          { COMMON_FILE_PERMS, NULL } },
+        { "chr_file",
+          { COMMON_FILE_PERMS,
+            "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+        { "blk_file",
+          { COMMON_FILE_PERMS, "open", NULL } },
+        { "sock_file",
+          { COMMON_FILE_PERMS, "open", NULL } },
+        { "fifo_file",
+          { COMMON_FILE_PERMS, "open", NULL } },
+        { "socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "tcp_socket",
+          { COMMON_SOCK_PERMS,
+            "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+            NULL } },
+        { "udp_socket",
+          { COMMON_SOCK_PERMS,
+            "node_bind", NULL } },
+        { "rawip_socket",
+          { COMMON_SOCK_PERMS,
+            "node_bind", NULL } },
+        { "node",
+          { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+            "rawip_recv", "rawip_send", "enforce_dest",
+            "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+        { "netif",
+          {  "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+             "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
+             "ingress", "egress", NULL } },
+        { "netlink_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "packet_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "key_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "unix_stream_socket",
+          { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
+          } },
+        { "unix_dgram_socket",
+          { COMMON_SOCK_PERMS, NULL
+          } },
+        { "sem",
+          { COMMON_IPC_PERMS, NULL } },
+        { "msg", { "send", "receive", NULL } },
+        { "msgq",
+          { COMMON_IPC_PERMS, "enqueue", NULL } },
+        { "shm",
+          { COMMON_IPC_PERMS, "lock", NULL } },
+        { "ipc",
+          { COMMON_IPC_PERMS, NULL } },
+        { "netlink_route_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", NULL } },
+        { "netlink_firewall_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", NULL } },
+        { "netlink_tcpdiag_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", NULL } },
+        { "netlink_nflog_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "netlink_xfrm_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", NULL } },
+        { "netlink_selinux_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "netlink_audit_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
+            "nlmsg_tty_audit", NULL } },
+        { "netlink_ip6fw_socket",
+          { COMMON_SOCK_PERMS,
+            "nlmsg_read", "nlmsg_write", NULL } },
+        { "netlink_dnrt_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "association",
+          { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
+        { "netlink_kobject_uevent_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "appletalk_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { "packet",
+          { "send", "recv", "relabelto", "flow_in", "flow_out",
+            "forward_in", "forward_out", NULL } },
+        { "key",
+          { "view", "read", "write", "search", "link", "setattr", "create",
+            NULL } },
+        { "dccp_socket",
+          { COMMON_SOCK_PERMS,
+            "node_bind", "name_connect", NULL } },
+        { "memprotect", { "mmap_zero", NULL } },
+        { "peer", { "recv", NULL } },
+        { "capability2", { "mac_override", "mac_admin", NULL } },
+        { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+        { "tun_socket",
+          { COMMON_SOCK_PERMS, NULL } },
+        { NULL }
+  };
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9dd..000000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-TB_(common_file_perm_to_string)
-    S_("ioctl")
-    S_("read")
-    S_("write")
-    S_("create")
-    S_("getattr")
-    S_("setattr")
-    S_("lock")
-    S_("relabelfrom")
-    S_("relabelto")
-    S_("append")
-    S_("unlink")
-    S_("link")
-    S_("rename")
-    S_("execute")
-    S_("swapon")
-    S_("quotaon")
-    S_("mounton")
-TE_(common_file_perm_to_string)
-
-TB_(common_socket_perm_to_string)
-    S_("ioctl")
-    S_("read")
-    S_("write")
-    S_("create")
-    S_("getattr")
-    S_("setattr")
-    S_("lock")
-    S_("relabelfrom")
-    S_("relabelto")
-    S_("append")
-    S_("bind")
-    S_("connect")
-    S_("listen")
-    S_("accept")
-    S_("getopt")
-    S_("setopt")
-    S_("shutdown")
-    S_("recvfrom")
-    S_("sendto")
-    S_("recv_msg")
-    S_("send_msg")
-    S_("name_bind")
-TE_(common_socket_perm_to_string)
-
-TB_(common_ipc_perm_to_string)
-    S_("create")
-    S_("destroy")
-    S_("getattr")
-    S_("setattr")
-    S_("read")
-    S_("write")
-    S_("associate")
-    S_("unix_read")
-    S_("unix_write")
-TE_(common_ipc_perm_to_string)
-
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
deleted file mode 100644
index f248500a1e3c..000000000000
--- a/security/selinux/include/flask.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* This file is automatically generated.  Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_SECURITY                                1
-#define SECCLASS_PROCESS                                 2
-#define SECCLASS_SYSTEM                                  3
-#define SECCLASS_CAPABILITY                              4
-#define SECCLASS_FILESYSTEM                              5
-#define SECCLASS_FILE                                    6
-#define SECCLASS_DIR                                     7
-#define SECCLASS_FD                                      8
-#define SECCLASS_LNK_FILE                                9
-#define SECCLASS_CHR_FILE                                10
-#define SECCLASS_BLK_FILE                                11
-#define SECCLASS_SOCK_FILE                               12
-#define SECCLASS_FIFO_FILE                               13
-#define SECCLASS_SOCKET                                  14
-#define SECCLASS_TCP_SOCKET                              15
-#define SECCLASS_UDP_SOCKET                              16
-#define SECCLASS_RAWIP_SOCKET                            17
-#define SECCLASS_NODE                                    18
-#define SECCLASS_NETIF                                   19
-#define SECCLASS_NETLINK_SOCKET                          20
-#define SECCLASS_PACKET_SOCKET                           21
-#define SECCLASS_KEY_SOCKET                              22
-#define SECCLASS_UNIX_STREAM_SOCKET                      23
-#define SECCLASS_UNIX_DGRAM_SOCKET                       24
-#define SECCLASS_SEM                                     25
-#define SECCLASS_MSG                                     26
-#define SECCLASS_MSGQ                                    27
-#define SECCLASS_SHM                                     28
-#define SECCLASS_IPC                                     29
-#define SECCLASS_NETLINK_ROUTE_SOCKET                    43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET                 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET                  45
-#define SECCLASS_NETLINK_NFLOG_SOCKET                    46
-#define SECCLASS_NETLINK_XFRM_SOCKET                     47
-#define SECCLASS_NETLINK_SELINUX_SOCKET                  48
-#define SECCLASS_NETLINK_AUDIT_SOCKET                    49
-#define SECCLASS_NETLINK_IP6FW_SOCKET                    50
-#define SECCLASS_NETLINK_DNRT_SOCKET                     51
-#define SECCLASS_ASSOCIATION                             54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
-#define SECCLASS_APPLETALK_SOCKET                        56
-#define SECCLASS_PACKET                                  57
-#define SECCLASS_KEY                                     58
-#define SECCLASS_DCCP_SOCKET                             60
-#define SECCLASS_MEMPROTECT                              61
-#define SECCLASS_PEER                                    68
-#define SECCLASS_CAPABILITY2                             69
-#define SECCLASS_KERNEL_SERVICE                          74
-#define SECCLASS_TUN_SOCKET                              75
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_KERNEL                               1
-#define SECINITSID_SECURITY                             2
-#define SECINITSID_UNLABELED                            3
-#define SECINITSID_FS                                   4
-#define SECINITSID_FILE                                 5
-#define SECINITSID_FILE_LABELS                          6
-#define SECINITSID_INIT                                 7
-#define SECINITSID_ANY_SOCKET                           8
-#define SECINITSID_PORT                                 9
-#define SECINITSID_NETIF                                10
-#define SECINITSID_NETMSG                               11
-#define SECINITSID_NODE                                 12
-#define SECINITSID_IGMP_PACKET                          13
-#define SECINITSID_ICMP_SOCKET                          14
-#define SECINITSID_TCP_SOCKET                           15
-#define SECINITSID_SYSCTL_MODPROBE                      16
-#define SECINITSID_SYSCTL                               17
-#define SECINITSID_SYSCTL_FS                            18
-#define SECINITSID_SYSCTL_KERNEL                        19
-#define SECINITSID_SYSCTL_NET                           20
-#define SECINITSID_SYSCTL_NET_UNIX                      21
-#define SECINITSID_SYSCTL_VM                            22
-#define SECINITSID_SYSCTL_DEV                           23
-#define SECINITSID_KMOD                                 24
-#define SECINITSID_POLICY                               25
-#define SECINITSID_SCMP_PACKET                          26
-#define SECINITSID_DEVNULL                              27
-
-#define SECINITSID_NUM                                  27
-
-#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b3..2553266ad793 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
 #define AVD_FLAGS_PERMISSIVE    0x0001
 
 int security_compute_av(u32 ssid, u32 tsid,
-        u16 tclass, u32 requested,
-        struct av_decision *avd);
+                        u16 tclass, u32 requested,
+                        struct av_decision *avd);
+
+int security_compute_av_user(u32 ssid, u32 tsid,
+                             u16 tclass, u32 requested,
+                             struct av_decision *avd);
 
 int security_transition_sid(u32 ssid, u32 tsid,
-        u16 tclass, u32 *out_sid);
+                            u16 tclass, u32 *out_sid);
+
+int security_transition_sid_user(u32 ssid, u32 tsid,
+                                 u16 tclass, u32 *out_sid);
 
 int security_member_sid(u32 ssid, u32 tsid,
         u16 tclass, u32 *out_sid);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b4fc506e7a87..fab36fdf2769 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
         if (length < 0)
                 goto out2;
 
-        length = security_compute_av(ssid, tsid, tclass, req, &avd);
+        length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
         if (length < 0)
                 goto out2;
 
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
         if (length < 0)
                 goto out2;
 
-        length = security_transition_sid(ssid, tsid, tclass, &newsid);
+        length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
         if (length < 0)
                 goto out2;
 
diff --git a/security/selinux/ss/Makefile b/security/selinux/ss/Makefile
index bad78779b9b0..15d4e62917de 100644
--- a/security/selinux/ss/Makefile
+++ b/security/selinux/ss/Makefile
@@ -2,7 +2,7 @@
 # Makefile for building the SELinux security server as part of the kernel tree.
 #
 
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 obj-y := ss.o
 
 ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b5407f16c2a4..3f2b2706b5bb 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
                 }
                 /* Fallthrough */
         case AVTAB_CHANGE:
-                if (tclass == SECCLASS_PROCESS)
+                if (tclass == policydb.process_class)
                         /* Use the process MLS attributes. */
                         return mls_context_cpy(newcontext, scontext);
                 else
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54973aa..f03667213ea8 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
                         ebitmap_destroy(&p->type_attr_map[i]);
         }
         kfree(p->type_attr_map);
-        kfree(p->undefined_perms);
         ebitmap_destroy(&p->policycaps);
         ebitmap_destroy(&p->permissive_map);
 
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
 
 extern int ss_initialized;
 
+u16 string_to_security_class(struct policydb *p, const char *name)
+{
+        struct class_datum *cladatum;
+
+        cladatum = hashtab_search(p->p_classes.table, name);
+        if (!cladatum)
+                return 0;
+
+        return cladatum->value;
+}
+
+u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
+{
+        struct class_datum *cladatum;
+        struct perm_datum *perdatum = NULL;
+        struct common_datum *comdatum;
+
+        if (!tclass || tclass > p->p_classes.nprim)
+                return 0;
+
+        cladatum = p->class_val_to_struct[tclass-1];
+        comdatum = cladatum->comdatum;
+        if (comdatum)
+                perdatum = hashtab_search(comdatum->permissions.table,
+                                          name);
+        if (!perdatum)
+                perdatum = hashtab_search(cladatum->permissions.table,
+                                          name);
+        if (!perdatum)
+                return 0;
+
+        return 1U << (perdatum->value-1);
+}
+
 /*
  * Read the configuration data from a policy database binary
  * representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
         if (rc)
                 goto bad;
 
+        p->process_class = string_to_security_class(p, "process");
+        if (!p->process_class)
+                goto bad;
+        p->process_trans_perms = string_to_av_perm(p, p->process_class,
+                                                   "transition");
+        p->process_trans_perms |= string_to_av_perm(p, p->process_class,
+                                                    "dyntransition");
+        if (!p->process_trans_perms)
+                goto bad;
+
         for (i = 0; i < info->ocon_num; i++) {
                 rc = next_entry(buf, fp, sizeof(u32));
                 if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
                                         goto bad;
                                 rt->target_class = le32_to_cpu(buf[0]);
                         } else
-                                rt->target_class = SECCLASS_PROCESS;
+                                rt->target_class = p->process_class;
                         if (!policydb_type_isvalid(p, rt->source_type) ||
                             !policydb_type_isvalid(p, rt->target_type) ||
                             !policydb_class_isvalid(p, rt->target_class)) {
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 55152d498b53..cdcc5700946f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -254,7 +254,9 @@ struct policydb {
 
         unsigned int reject_unknown : 1;
         unsigned int allow_unknown : 1;
-        u32 *undefined_perms;
+
+        u16 process_class;
+        u32 process_trans_perms;
 };
 
 extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
         return 0;
 }
 
+extern u16 string_to_security_class(struct policydb *p, const char *name);
+extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
+
 #endif  /* _SS_POLICYDB_H_ */
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..d6bb20cbad62 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -65,16 +65,10 @@
 #include "audit.h"
 
 extern void selnl_notify_policyload(u32 seqno);
-unsigned int policydb_loaded_version;
 
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
-
 static DEFINE_RWLOCK(policy_rwlock);
 
 static struct sidtab sidtab;
@@ -98,6 +92,165 @@ static int context_struct_compute_av(struct context *scontext,
                                      u16 tclass,
                                      u32 requested,
                                      struct av_decision *avd);
+
+struct selinux_mapping {
+        u16 value; /* policy value */
+        unsigned num_perms;
+        u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+                               struct security_class_mapping *map,
+                               struct selinux_mapping **out_map_p,
+                               u16 *out_map_size)
+{
+        struct selinux_mapping *out_map = NULL;
+        size_t size = sizeof(struct selinux_mapping);
+        u16 i, j;
+        unsigned k;
+        bool print_unknown_handle = false;
+
+        /* Find number of classes in the input mapping */
+        if (!map)
+                return -EINVAL;
+        i = 0;
+        while (map[i].name)
+                i++;
+
+        /* Allocate space for the class records, plus one for class zero */
+        out_map = kcalloc(++i, size, GFP_ATOMIC);
+        if (!out_map)
+                return -ENOMEM;
+
+        /* Store the raw class and permission values */
+        j = 0;
+        while (map[j].name) {
+                struct security_class_mapping *p_in = map + (j++);
+                struct selinux_mapping *p_out = out_map + j;
+
+                /* An empty class string skips ahead */
+                if (!strcmp(p_in->name, "")) {
+                        p_out->num_perms = 0;
+                        continue;
+                }
+
+                p_out->value = string_to_security_class(pol, p_in->name);
+                if (!p_out->value) {
+                        printk(KERN_INFO
+                               "SELinux:  Class %s not defined in policy.\n",
+                               p_in->name);
+                        if (pol->reject_unknown)
+                                goto err;
+                        p_out->num_perms = 0;
+                        print_unknown_handle = true;
+                        continue;
+                }
+
+                k = 0;
+                while (p_in->perms && p_in->perms[k]) {
+                        /* An empty permission string skips ahead */
+                        if (!*p_in->perms[k]) {
+                                k++;
+                                continue;
+                        }
+                        p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+                                                            p_in->perms[k]);
+                        if (!p_out->perms[k]) {
+                                printk(KERN_INFO
+                                       "SELinux:  Permission %s in class %s not defined in policy.\n",
+                                       p_in->perms[k], p_in->name);
+                                if (pol->reject_unknown)
+                                        goto err;
+                                print_unknown_handle = true;
+                        }
+
+                        k++;
+                }
+                p_out->num_perms = k;
+        }
+
+        if (print_unknown_handle)
+                printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+                       pol->allow_unknown ? "allowed" : "denied");
+
+        *out_map_p = out_map;
+        *out_map_size = i;
+        return 0;
+err:
+        kfree(out_map);
+        return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+        if (tclass < current_mapping_size)
+                return current_mapping[tclass].value;
+
+        return tclass;
+}
+
+static u32 unmap_perm(u16 tclass, u32 tperm)
+{
+        if (tclass < current_mapping_size) {
+                unsigned i;
+                u32 kperm = 0;
+
+                for (i = 0; i < current_mapping[tclass].num_perms; i++)
+                        if (tperm & (1<<i)) {
+                                kperm |= current_mapping[tclass].perms[i];
+                                tperm &= ~(1<<i);
+                        }
+                return kperm;
+        }
+
+        return tperm;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+                         int allow_unknown)
+{
+        if (tclass < current_mapping_size) {
+                unsigned i, n = current_mapping[tclass].num_perms;
+                u32 result;
+
+                for (i = 0, result = 0; i < n; i++) {
+                        if (avd->allowed & current_mapping[tclass].perms[i])
+                                result |= 1<<i;
+                        if (allow_unknown && !current_mapping[tclass].perms[i])
+                                result |= 1<<i;
+                }
+                avd->allowed = result;
+
+                for (i = 0, result = 0; i < n; i++)
+                        if (avd->auditallow & current_mapping[tclass].perms[i])
+                                result |= 1<<i;
+                avd->auditallow = result;
+
+                for (i = 0, result = 0; i < n; i++) {
+                        if (avd->auditdeny & current_mapping[tclass].perms[i])
+                                result |= 1<<i;
+                        if (!allow_unknown && !current_mapping[tclass].perms[i])
+                                result |= 1<<i;
+                }
+                /*
+                 * In case the kernel has a bug and requests a permission
+                 * between num_perms and the maximum permission number, we
+                 * should audit that denial
+                 */
+                for (; i < (sizeof(u32)*8); i++)
+                        result |= 1<<i;
+                avd->auditdeny = result;
+        }
+}
+
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -467,21 +620,9 @@ static int context_struct_compute_av(struct context *scontext,
         struct class_datum *tclass_datum;
         struct ebitmap *sattr, *tattr;
         struct ebitmap_node *snode, *tnode;
-        const struct selinux_class_perm *kdefs = &selinux_class_perm;
         unsigned int i, j;
 
         /*
-         * Remap extended Netlink classes for old policy versions.
-         * Do this here rather than socket_type_to_security_class()
-         * in case a newer policy version is loaded, allowing sockets
-         * to remain in the correct class.
-         */
-        if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-                if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                        tclass = SECCLASS_NETLINK_SOCKET;
-
-        /*
          * Initialize the access vectors to the default values.
          */
         avd->allowed = 0;
@@ -490,33 +631,11 @@ static int context_struct_compute_av(struct context *scontext,
         avd->seqno = latest_granting;
         avd->flags = 0;
 
-        /*
-         * Check for all the invalid cases.
-         * - tclass 0
-         * - tclass > policy and > kernel
-         * - tclass > policy but is a userspace class
-         * - tclass > policy but we do not allow unknowns
-         */
-        if (unlikely(!tclass))
-                goto inval_class;
-        if (unlikely(tclass > policydb.p_classes.nprim))
-                if (tclass > kdefs->cts_len ||
-                    !kdefs->class_to_string[tclass] ||
-                    !policydb.allow_unknown)
-                        goto inval_class;
-
-        /*
-         * Kernel class and we allow unknown so pad the allow decision
-         * the pad will be all 1 for unknown classes.
-         */
-        if (tclass <= kdefs->cts_len && policydb.allow_unknown)
-                avd->allowed = policydb.undefined_perms[tclass - 1];
-
-        /*
-         * Not in policy. Since decision is completed (all 1 or all 0) return.
-         */
-        if (unlikely(tclass > policydb.p_classes.nprim))
-                return 0;
+        if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+                if (printk_ratelimit())
+                        printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
+                return -EINVAL;
+        }
 
         tclass_datum = policydb.class_val_to_struct[tclass - 1];
 
@@ -568,8 +687,8 @@ static int context_struct_compute_av(struct context *scontext,
          * role is changing, then check the (current_role, new_role)
          * pair.
          */
-        if (tclass == SECCLASS_PROCESS &&
-            (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+        if (tclass == policydb.process_class &&
+            (avd->allowed & policydb.process_trans_perms) &&
             scontext->role != tcontext->role) {
                 for (ra = policydb.role_allow; ra; ra = ra->next) {
                         if (scontext->role == ra->role &&
@@ -577,8 +696,7 @@ static int context_struct_compute_av(struct context *scontext,
                                 break;
                 }
                 if (!ra)
-                        avd->allowed &= ~(PROCESS__TRANSITION |
-                                          PROCESS__DYNTRANSITION);
+                        avd->allowed &= ~policydb.process_trans_perms;
         }
 
         /*
@@ -590,21 +708,6 @@ static int context_struct_compute_av(struct context *scontext,
                                  tclass, requested, avd);
 
         return 0;
-
-inval_class:
-        if (!tclass || tclass > kdefs->cts_len ||
-            !kdefs->class_to_string[tclass]) {
-                if (printk_ratelimit())
-                        printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
-                               __func__, tclass);
-                return -EINVAL;
-        }
-
-        /*
-         * Known to the kernel, but not to the policy.
-         * Handle as a denial (allowed is 0).
-         */
-        return 0;
 }
 
 static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +739,14 @@ out:
 }
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-                                 u16 tclass)
+                                 u16 orig_tclass)
 {
         struct context *ocontext;
         struct context *ncontext;
         struct context *tcontext;
         struct class_datum *tclass_datum;
         struct constraint_node *constraint;
+        u16 tclass;
         int rc = 0;
 
         if (!ss_initialized)
@@ -650,16 +754,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
         read_lock(&policy_rwlock);
 
-        /*
-         * Remap extended Netlink classes for old policy versions.
-         * Do this here rather than socket_type_to_security_class()
-         * in case a newer policy version is loaded, allowing sockets
-         * to remain in the correct class.
-         */
-        if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-                if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                        tclass = SECCLASS_NETLINK_SOCKET;
+        tclass = unmap_class(orig_tclass);
 
         if (!tclass || tclass > policydb.p_classes.nprim) {
                 printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
@@ -792,6 +887,38 @@ out:
 }
 
 
+static int security_compute_av_core(u32 ssid,
+                                    u32 tsid,
+                                    u16 tclass,
+                                    u32 requested,
+                                    struct av_decision *avd)
+{
+        struct context *scontext = NULL, *tcontext = NULL;
+        int rc = 0;
+
+        scontext = sidtab_search(&sidtab, ssid);
+        if (!scontext) {
+                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, ssid);
+                return -EINVAL;
+        }
+        tcontext = sidtab_search(&sidtab, tsid);
+        if (!tcontext) {
+                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, tsid);
+                return -EINVAL;
+        }
+
+        rc = context_struct_compute_av(scontext, tcontext, tclass,
+                                       requested, avd);
+
+        /* permissive domain? */
+        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+                avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+        return rc;
+}
+
 /**
  * security_compute_av - Compute access vector decisions.
  * @ssid: source security identifier
@@ -807,12 +934,49 @@ out:
  */
 int security_compute_av(u32 ssid,
                         u32 tsid,
-                        u16 tclass,
-                        u32 requested,
+                        u16 orig_tclass,
+                        u32 orig_requested,
                         struct av_decision *avd)
 {
-        struct context *scontext = NULL, *tcontext = NULL;
-        int rc = 0;
+        u16 tclass;
+        u32 requested;
+        int rc;
+
+        read_lock(&policy_rwlock);
+
+        if (!ss_initialized)
+                goto allow;
+
+        requested = unmap_perm(orig_tclass, orig_requested);
+        tclass = unmap_class(orig_tclass);
+        if (unlikely(orig_tclass && !tclass)) {
+                if (policydb.allow_unknown)
+                        goto allow;
+                rc = -EINVAL;
+                goto out;
+        }
+        rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
+        map_decision(orig_tclass, avd, policydb.allow_unknown);
+out:
+        read_unlock(&policy_rwlock);
+        return rc;
+allow:
+        avd->allowed = 0xffffffff;
+        avd->auditallow = 0;
+        avd->auditdeny = 0xffffffff;
+        avd->seqno = latest_granting;
+        avd->flags = 0;
+        rc = 0;
+        goto out;
+}
+
+int security_compute_av_user(u32 ssid,
+                             u32 tsid,
+                             u16 tclass,
+                             u32 requested,
+                             struct av_decision *avd)
+{
+        int rc;
 
         if (!ss_initialized) {
                 avd->allowed = 0xffffffff;
@@ -823,29 +987,7 @@ int security_compute_av(u32 ssid,
         }
 
         read_lock(&policy_rwlock);
-
-        scontext = sidtab_search(&sidtab, ssid);
-        if (!scontext) {
-                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
-                       __func__, ssid);
-                rc = -EINVAL;
-                goto out;
-        }
-        tcontext = sidtab_search(&sidtab, tsid);
-        if (!tcontext) {
-                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
-                       __func__, tsid);
-                rc = -EINVAL;
-                goto out;
-        }
-
-        rc = context_struct_compute_av(scontext, tcontext, tclass,
-                                       requested, avd);
-
-        /* permissive domain? */
-        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
-            avd->flags |= AVD_FLAGS_PERMISSIVE;
-out:
+        rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
         read_unlock(&policy_rwlock);
         return rc;
 }
@@ -1204,20 +1346,22 @@ out:
 
 static int security_compute_sid(u32 ssid,
                                 u32 tsid,
-                                u16 tclass,
+                                u16 orig_tclass,
                                 u32 specified,
-                                u32 *out_sid)
+                                u32 *out_sid,
+                                bool kern)
 {
         struct context *scontext = NULL, *tcontext = NULL, newcontext;
         struct role_trans *roletr = NULL;
         struct avtab_key avkey;
         struct avtab_datum *avdatum;
         struct avtab_node *node;
+        u16 tclass;
         int rc = 0;
 
         if (!ss_initialized) {
-                switch (tclass) {
-                case SECCLASS_PROCESS:
+                switch (orig_tclass) {
+                case SECCLASS_PROCESS: /* kernel value */
                         *out_sid = ssid;
                         break;
                 default:
@@ -1231,6 +1375,11 @@ static int security_compute_sid(u32 ssid,
 
         read_lock(&policy_rwlock);
 
+        if (kern)
+                tclass = unmap_class(orig_tclass);
+        else
+                tclass = orig_tclass;
+
         scontext = sidtab_search(&sidtab, ssid);
         if (!scontext) {
                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
@@ -1260,13 +1409,11 @@ static int security_compute_sid(u32 ssid,
         }
 
         /* Set the role and type to default values. */
-        switch (tclass) {
-        case SECCLASS_PROCESS:
+        if (tclass == policydb.process_class) {
                 /* Use the current role and type of process. */
                 newcontext.role = scontext->role;
                 newcontext.type = scontext->type;
-                break;
-        default:
+        } else {
                 /* Use the well-defined object role. */
                 newcontext.role = OBJECT_R_VAL;
                 /* Use the type of the related object. */
@@ -1297,8 +1444,7 @@ static int security_compute_sid(u32 ssid,
         }
 
         /* Check for class-specific changes. */
-        switch (tclass) {
-        case SECCLASS_PROCESS:
+        if  (tclass == policydb.process_class) {
                 if (specified & AVTAB_TRANSITION) {
                         /* Look for a role transition rule. */
                         for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1457,6 @@ static int security_compute_sid(u32 ssid,
                                 }
                         }
                 }
-                break;
-        default:
-                break;
         }
 
         /* Set the MLS attributes.
@@ -1358,7 +1501,17 @@ int security_transition_sid(u32 ssid,
                             u16 tclass,
                             u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                    out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+                                 u32 tsid,
+                                 u16 tclass,
+                                 u32 *out_sid)
+{
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                    out_sid, false);
 }
 
 /**
@@ -1379,7 +1532,8 @@ int security_member_sid(u32 ssid,
                         u16 tclass,
                         u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+                                    false);
 }
 
 /**
@@ -1400,144 +1554,8 @@ int security_change_sid(u32 ssid,
                         u16 tclass,
                         u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
-        int i, j;
-        struct class_datum *cladatum;
-        struct perm_datum *perdatum;
-        u32 nprim, tmp, common_pts_len, perm_val, pol_val;
-        u16 class_val;
-        const struct selinux_class_perm *kdefs = &selinux_class_perm;
-        const char *def_class, *def_perm, *pol_class;
-        struct symtab *perms;
-        bool print_unknown_handle = 0;
-
-        if (p->allow_unknown) {
-                u32 num_classes = kdefs->cts_len;
-                p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
-                if (!p->undefined_perms)
-                        return -ENOMEM;
-        }
-
-        for (i = 1; i < kdefs->cts_len; i++) {
-                def_class = kdefs->class_to_string[i];
-                if (!def_class)
-                        continue;
-                if (i > p->p_classes.nprim) {
-                        printk(KERN_INFO
-                               "SELinux:  class %s not defined in policy\n",
-                               def_class);
-                        if (p->reject_unknown)
-                                return -EINVAL;
-                        if (p->allow_unknown)
-                                p->undefined_perms[i-1] = ~0U;
-                        print_unknown_handle = 1;
-                        continue;
-                }
-                pol_class = p->p_class_val_to_name[i-1];
-                if (strcmp(pol_class, def_class)) {
-                        printk(KERN_ERR
-                               "SELinux:  class %d is incorrect, found %s but should be %s\n",
-                               i, pol_class, def_class);
-                        return -EINVAL;
-                }
-        }
-        for (i = 0; i < kdefs->av_pts_len; i++) {
-                class_val = kdefs->av_perm_to_string[i].tclass;
-                perm_val = kdefs->av_perm_to_string[i].value;
-                def_perm = kdefs->av_perm_to_string[i].name;
-                if (class_val > p->p_classes.nprim)
-                        continue;
-                pol_class = p->p_class_val_to_name[class_val-1];
-                cladatum = hashtab_search(p->p_classes.table, pol_class);
-                BUG_ON(!cladatum);
-                perms = &cladatum->permissions;
-                nprim = 1 << (perms->nprim - 1);
-                if (perm_val > nprim) {
-                        printk(KERN_INFO
-                               "SELinux:  permission %s in class %s not defined in policy\n",
-                               def_perm, pol_class);
-                        if (p->reject_unknown)
-                                return -EINVAL;
-                        if (p->allow_unknown)
-                                p->undefined_perms[class_val-1] |= perm_val;
-                        print_unknown_handle = 1;
-                        continue;
-                }
-                perdatum = hashtab_search(perms->table, def_perm);
-                if (perdatum == NULL) {
-                        printk(KERN_ERR
-                               "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-                               def_perm, pol_class);
-                        return -EINVAL;
-                }
-                pol_val = 1 << (perdatum->value - 1);
-                if (pol_val != perm_val) {
-                        printk(KERN_ERR
-                               "SELinux:  permission %s in class %s has incorrect value\n",
-                               def_perm, pol_class);
-                        return -EINVAL;
-                }
-        }
-        for (i = 0; i < kdefs->av_inherit_len; i++) {
-                class_val = kdefs->av_inherit[i].tclass;
-                if (class_val > p->p_classes.nprim)
-                        continue;
-                pol_class = p->p_class_val_to_name[class_val-1];
-                cladatum = hashtab_search(p->p_classes.table, pol_class);
-                BUG_ON(!cladatum);
-                if (!cladatum->comdatum) {
-                        printk(KERN_ERR
-                               "SELinux:  class %s should have an inherits clause but does not\n",
-                               pol_class);
-                        return -EINVAL;
-                }
-                tmp = kdefs->av_inherit[i].common_base;
-                common_pts_len = 0;
-                while (!(tmp & 0x01)) {
-                        common_pts_len++;
-                        tmp >>= 1;
-                }
-                perms = &cladatum->comdatum->permissions;
-                for (j = 0; j < common_pts_len; j++) {
-                        def_perm = kdefs->av_inherit[i].common_pts[j];
-                        if (j >= perms->nprim) {
-                                printk(KERN_INFO
-                                       "SELinux:  permission %s in class %s not defined in policy\n",
-                                       def_perm, pol_class);
-                                if (p->reject_unknown)
-                                        return -EINVAL;
-                                if (p->allow_unknown)
-                                        p->undefined_perms[class_val-1] |= (1 << j);
-                                print_unknown_handle = 1;
-                                continue;
-                        }
-                        perdatum = hashtab_search(perms->table, def_perm);
-                        if (perdatum == NULL) {
-                                printk(KERN_ERR
-                                       "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-                                       def_perm, pol_class);
-                                return -EINVAL;
-                        }
-                        if (perdatum->value != j + 1) {
-                                printk(KERN_ERR
-                                       "SELinux:  permission %s in class %s has incorrect value\n",
-                                       def_perm, pol_class);
-                                return -EINVAL;
-                        }
-                }
-        }
-        if (print_unknown_handle)
-                printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
-                        (security_get_allow_unknown() ? "allowed" : "denied"));
-        return 0;
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+                                    false);
 }
 
 /* Clone the SID into the new SID table. */
@@ -1710,8 +1728,10 @@ int security_load_policy(void *data, size_t len)
 {
         struct policydb oldpolicydb, newpolicydb;
         struct sidtab oldsidtab, newsidtab;
+        struct selinux_mapping *oldmap, *map = NULL;
         struct convert_context_args args;
         u32 seqno;
+        u16 map_size;
         int rc = 0;
         struct policy_file file = { data, len }, *fp = &file;
 
@@ -1721,22 +1741,19 @@ int security_load_policy(void *data, size_t len)
                         avtab_cache_destroy();
                         return -EINVAL;
                 }
-                if (policydb_load_isids(&policydb, &sidtab)) {
+                if (selinux_set_mapping(&policydb, secclass_map,
+                                        &current_mapping,
+                                        &current_mapping_size)) {
                         policydb_destroy(&policydb);
                         avtab_cache_destroy();
                         return -EINVAL;
                 }
-                /* Verify that the kernel defined classes are correct. */
-                if (validate_classes(&policydb)) {
-                        printk(KERN_ERR
-                               "SELinux:  the definition of a class is incorrect\n");
-                        sidtab_destroy(&sidtab);
+                if (policydb_load_isids(&policydb, &sidtab)) {
                         policydb_destroy(&policydb);
                         avtab_cache_destroy();
                         return -EINVAL;
                 }
                 security_load_policycaps();
-                policydb_loaded_version = policydb.policyvers;
                 ss_initialized = 1;
                 seqno = ++latest_granting;
                 selinux_complete_init();
@@ -1759,13 +1776,9 @@ int security_load_policy(void *data, size_t len)
                 return -ENOMEM;
         }
 
-        /* Verify that the kernel defined classes are correct. */
-        if (validate_classes(&newpolicydb)) {
-                printk(KERN_ERR
-                       "SELinux:  the definition of a class is incorrect\n");
-                rc = -EINVAL;
+        if (selinux_set_mapping(&newpolicydb, secclass_map,
+                                &map, &map_size))
                 goto err;
-        }
 
         rc = security_preserve_bools(&newpolicydb);
         if (rc) {
@@ -1799,13 +1812,16 @@ int security_load_policy(void *data, size_t len)
         memcpy(&policydb, &newpolicydb, sizeof policydb);
         sidtab_set(&sidtab, &newsidtab);
         security_load_policycaps();
+        oldmap = current_mapping;
+        current_mapping = map;
+        current_mapping_size = map_size;
         seqno = ++latest_granting;
-        policydb_loaded_version = policydb.policyvers;
         write_unlock_irq(&policy_rwlock);
 
         /* Free the old policydb and SID table. */
         policydb_destroy(&oldpolicydb);
         sidtab_destroy(&oldsidtab);
+        kfree(oldmap);
 
         avc_ss_reset(seqno);
         selnl_notify_policyload(seqno);
@@ -1815,6 +1831,7 @@ int security_load_policy(void *data, size_t len)
         return 0;
 
 err:
+        kfree(map);
         sidtab_destroy(&newsidtab);
         policydb_destroy(&newpolicydb);
         return rc;
@@ -2091,7 +2108,7 @@ out_unlock:
         }
         for (i = 0, j = 0; i < mynel; i++) {
                 rc = avc_has_perm_noaudit(fromsid, mysids[i],
-                                          SECCLASS_PROCESS,
+                                          SECCLASS_PROCESS, /* kernel value */
                                           PROCESS__TRANSITION, AVC_STRICT,
                                           NULL);
                 if (!rc)
@@ -2119,10 +2136,11 @@ out:
  */
 int security_genfs_sid(const char *fstype,
                        char *path,
-                       u16 sclass,
+                       u16 orig_sclass,
                        u32 *sid)
 {
         int len;
+        u16 sclass;
         struct genfs *genfs;
         struct ocontext *c;
         int rc = 0, cmp = 0;
@@ -2132,6 +2150,8 @@ int security_genfs_sid(const char *fstype,
 
         read_lock(&policy_rwlock);
 
+        sclass = unmap_class(orig_sclass);
+
         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
                 cmp = strcmp(fstype, genfs->fstype);
                 if (cmp <= 0)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 3c8bd8ee0b95..e0d0354008b7 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
                             const s8 pattern_type, const s8 end_type,
                             const char *function)
 {
+        const char *const start = filename;
+        bool in_repetition = false;
         bool contains_pattern = false;
         unsigned char c;
         unsigned char d;
@@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
                 if (c == '/')
                         goto out;
         }
-        while ((c = *filename++) != '\0') {
+        while (1) {
+                c = *filename++;
+                if (!c)
+                        break;
                 if (c == '\\') {
-                        switch ((c = *filename++)) {
+                        c = *filename++;
+                        switch (c) {
                         case '\\':  /* "\\" */
                                 continue;
                         case '$':   /* "\$" */
@@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
                                         break; /* Must not contain pattern */
                                 contains_pattern = true;
                                 continue;
+                        case '{':   /* "/\{" */
+                                if (filename - 3 < start ||
+                                    *(filename - 3) != '/')
+                                        break;
+                                if (pattern_type == -1)
+                                        break; /* Must not contain pattern */
+                                contains_pattern = true;
+                                in_repetition = true;
+                                continue;
+                        case '}':   /* "\}/" */
+                                if (*filename != '/')
+                                        break;
+                                if (!in_repetition)
+                                        break;
+                                in_repetition = false;
+                                continue;
                         case '0':   /* "\ooo" */
                         case '1':
                         case '2':
@@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
                                         continue; /* pattern is not \000 */
                         }
                         goto out;
+                } else if (in_repetition && c == '/') {
+                        goto out;
                 } else if (tomoyo_is_invalid(c)) {
                         goto out;
                 }
@@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
                 if (!contains_pattern)
                         goto out;
         }
+        if (in_repetition)
+                goto out;
         return true;
  out:
         printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
@@ -360,33 +386,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
 }
 
 /**
- * tomoyo_path_depth - Evaluate the number of '/' in a string.
- *
- * @pathname: The string to evaluate.
- *
- * Returns path depth of the string.
- *
- * I score 2 for each of the '/' in the @pathname
- * and score 1 if the @pathname ends with '/'.
- */
-static int tomoyo_path_depth(const char *pathname)
-{
-        int i = 0;
-
-        if (pathname) {
-                const char *ep = pathname + strlen(pathname);
-                if (pathname < ep--) {
-                        if (*ep != '/')
-                                i++;
-                        while (pathname <= ep)
-                                if (*ep-- == '/')
-                                        i += 2;
-                }
-        }
-        return i;
-}
-
-/**
  * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
  *
  * @filename: The string to evaluate.
@@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
         ptr->is_dir = len && (name[len - 1] == '/');
         ptr->is_patterned = (ptr->const_len < len);
         ptr->hash = full_name_hash(name, len);
-        ptr->depth = tomoyo_path_depth(name);
 }
 
 /**
- * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character
+ * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
  * and "\-" pattern.
  *
  * @filename:     The start of string to check.
@@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
  *
  * Returns true if @filename matches @pattern, false otherwise.
  */
-static bool tomoyo_file_matches_to_pattern2(const char *filename,
-                                            const char *filename_end,
-                                            const char *pattern,
-                                            const char *pattern_end)
+static bool tomoyo_file_matches_pattern2(const char *filename,
+                                         const char *filename_end,
+                                         const char *pattern,
+                                         const char *pattern_end)
 {
         while (filename < filename_end && pattern < pattern_end) {
                 char c;
@@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
                 case '*':
                 case '@':
                         for (i = 0; i <= filename_end - filename; i++) {
-                                if (tomoyo_file_matches_to_pattern2(
+                                if (tomoyo_file_matches_pattern2(
                                                     filename + i, filename_end,
                                                     pattern + 1, pattern_end))
                                         return true;
@@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
                                         j++;
                         }
                         for (i = 1; i <= j; i++) {
-                                if (tomoyo_file_matches_to_pattern2(
+                                if (tomoyo_file_matches_pattern2(
                                                     filename + i, filename_end,
                                                     pattern + 1, pattern_end))
                                         return true;
@@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
 }
 
 /**
- * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character.
+ * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
  *
  * @filename:     The start of string to check.
  * @filename_end: The end of string to check.
@@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
  *
  * Returns true if @filename matches @pattern, false otherwise.
  */
-static bool tomoyo_file_matches_to_pattern(const char *filename,
+static bool tomoyo_file_matches_pattern(const char *filename,
                                            const char *filename_end,
                                            const char *pattern,
                                            const char *pattern_end)
@@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
                 /* Split at "\-" pattern. */
                 if (*pattern++ != '\\' || *pattern++ != '-')
                         continue;
-                result = tomoyo_file_matches_to_pattern2(filename,
-                                                         filename_end,
-                                                         pattern_start,
-                                                         pattern - 2);
+                result = tomoyo_file_matches_pattern2(filename,
+                                                      filename_end,
+                                                      pattern_start,
+                                                      pattern - 2);
                 if (first)
                         result = !result;
                 if (result)
@@ -600,13 +598,79 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
                 first = false;
                 pattern_start = pattern;
         }
-        result = tomoyo_file_matches_to_pattern2(filename, filename_end,
-                                                 pattern_start, pattern_end);
+        result = tomoyo_file_matches_pattern2(filename, filename_end,
+                                              pattern_start, pattern_end);
         return first ? result : !result;
 }
 
 /**
+ * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
+ *
+ * @f: The start of string to check.
+ * @p: The start of pattern to compare.
+ *
+ * Returns true if @f matches @p, false otherwise.
+ */
+static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
+{
+        const char *f_delimiter;
+        const char *p_delimiter;
+
+        while (*f && *p) {
+                f_delimiter = strchr(f, '/');
+                if (!f_delimiter)
+                        f_delimiter = f + strlen(f);
+                p_delimiter = strchr(p, '/');
+                if (!p_delimiter)
+                        p_delimiter = p + strlen(p);
+                if (*p == '\\' && *(p + 1) == '{')
+                        goto recursive;
+                if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
+                                                 p_delimiter))
+                        return false;
+                f = f_delimiter;
+                if (*f)
+                        f++;
+                p = p_delimiter;
+                if (*p)
+                        p++;
+        }
+        /* Ignore trailing "\*" and "\@" in @pattern. */
+        while (*p == '\\' &&
+               (*(p + 1) == '*' || *(p + 1) == '@'))
+                p += 2;
+        return !*f && !*p;
+ recursive:
+        /*
+         * The "\{" pattern is permitted only after '/' character.
+         * This guarantees that below "*(p - 1)" is safe.
+         * Also, the "\}" pattern is permitted only before '/' character
+         * so that "\{" + "\}" pair will not break the "\-" operator.
+         */
+        if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
+            *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
+                return false; /* Bad pattern. */
+        do {
+                /* Compare current component with pattern. */
+                if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
+                                                 p_delimiter - 2))
+                        break;
+                /* Proceed to next component. */
+                f = f_delimiter;
+                if (!*f)
+                        break;
+                f++;
+                /* Continue comparison. */
+                if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
+                        return true;
+                f_delimiter = strchr(f, '/');
+        } while (f_delimiter);
+        return false; /* Not matched. */
+}
+
+/**
  * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
+ *
  * @filename: The filename to check.
  * @pattern:  The pattern to compare.
  *
@@ -615,24 +679,24 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
  * The following patterns are available.
  *   \\     \ itself.
  *   \ooo   Octal representation of a byte.
- *   \*     More than or equals to 0 character other than '/'.
- *   \@     More than or equals to 0 character other than '/' or '.'.
+ *   \*     Zero or more repetitions of characters other than '/'.
+ *   \@     Zero or more repetitions of characters other than '/' or '.'.
  *   \?     1 byte character other than '/'.
- *   \$     More than or equals to 1 decimal digit.
+ *   \$     One or more repetitions of decimal digits.
  *   \+     1 decimal digit.
- *   \X     More than or equals to 1 hexadecimal digit.
+ *   \X     One or more repetitions of hexadecimal digits.
  *   \x     1 hexadecimal digit.
- *   \A     More than or equals to 1 alphabet character.
+ *   \A     One or more repetitions of alphabet characters.
  *   \a     1 alphabet character.
+ *
  *   \-     Subtraction operator.
+ *
+ *   /\{dir\}/   '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
+ *               /dir/dir/dir/ ).
  */
 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
                                  const struct tomoyo_path_info *pattern)
 {
-        /*
-          if (!filename || !pattern)
-          return false;
-        */
         const char *f = filename->name;
         const char *p = pattern->name;
         const int len = pattern->const_len;
@@ -640,37 +704,15 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
         /* If @pattern doesn't contain pattern, I can use strcmp(). */
         if (!pattern->is_patterned)
                 return !tomoyo_pathcmp(filename, pattern);
-        /* Dont compare if the number of '/' differs. */
-        if (filename->depth != pattern->depth)
+        /* Don't compare directory and non-directory. */
+        if (filename->is_dir != pattern->is_dir)
                 return false;
         /* Compare the initial length without patterns. */
         if (strncmp(f, p, len))
                 return false;
         f += len;
         p += len;
-        /* Main loop. Compare each directory component. */
-        while (*f && *p) {
-                const char *f_delimiter = strchr(f, '/');
-                const char *p_delimiter = strchr(p, '/');
-                if (!f_delimiter)
-                        f_delimiter = f + strlen(f);
-                if (!p_delimiter)
-                        p_delimiter = p + strlen(p);
-                if (!tomoyo_file_matches_to_pattern(f, f_delimiter,
-                                                    p, p_delimiter))
-                        return false;
-                f = f_delimiter;
-                if (*f)
-                        f++;
-                p = p_delimiter;
-                if (*p)
-                        p++;
-        }
-        /* Ignore trailing "\*" and "\@" in @pattern. */
-        while (*p == '\\' &&
-               (*(p + 1) == '*' || *(p + 1) == '@'))
-                p += 2;
-        return !*f && !*p;
+        return tomoyo_path_matches_pattern2(f, p);
 }
 
 /**
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 31df541911f7..92169d29b2db 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -56,9 +56,6 @@ struct tomoyo_page_buffer {
  * (5) "is_patterned" is a bool which is true if "name" contains wildcard
  *     characters, false otherwise. This allows TOMOYO to use "hash" and
  *     strcmp() for string comparison if "is_patterned" is false.
- * (6) "depth" is calculated using the number of "/" characters in "name".
- *     This allows TOMOYO to avoid comparing two pathnames which never match
- *     (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
  */
 struct tomoyo_path_info {
         const char *name;
@@ -66,7 +63,6 @@ struct tomoyo_path_info {
         u16 const_len;     /* = tomoyo_const_part_length(name)     */
         bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
         bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
-        u16 depth;         /* = tomoyo_path_depth(name)            */
 };
 
 /*
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 5f2e33263371..917f564cdab1 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -13,6 +13,8 @@
 #include <linux/mount.h>
 #include <linux/mnt_namespace.h>
 #include <linux/fs_struct.h>
+#include <linux/hash.h>
+
 #include "common.h"
 #include "realpath.h"
 
@@ -263,7 +265,8 @@ static unsigned int tomoyo_quota_for_savename;
  * table. Frequency of appending strings is very low. So we don't need
  * large (e.g. 64k) hash size. 256 will be sufficient.
  */
-#define TOMOYO_MAX_HASH 256
+#define TOMOYO_HASH_BITS  8
+#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
 
 /*
  * tomoyo_name_entry is a structure which is used for linking
@@ -315,6 +318,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
         struct tomoyo_free_memory_block_list *fmb;
         int len;
         char *cp;
+        struct list_head *head;
 
         if (!name)
                 return NULL;
@@ -325,9 +329,10 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
                 return NULL;
         }
         hash = full_name_hash((const unsigned char *) name, len - 1);
+        head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];
+
         mutex_lock(&lock);
-        list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH],
-                             list) {
+        list_for_each_entry(ptr, head, list) {
                 if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name))
                         goto out;
         }
@@ -365,7 +370,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
         tomoyo_fill_path_info(&ptr->entry);
         fmb->ptr += len;
         fmb->len -= len;
-        list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]);
+        list_add_tail(&ptr->list, head);
         if (fmb->len == 0) {
                 list_del(&fmb->list);
                 kfree(fmb);