Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  selinux: preserve boolean values across policy reloads
  selinux: change numbering of boolean directory inodes in selinuxfs
  selinux: remove unused enumeration constant from selinuxfs
  selinux: explicitly number all selinuxfs inodes
  selinux: export initial SID contexts via selinuxfs
  selinux: remove userland security class and permission definitions
  SELinux: move security_skb_extlbl_sid() out of the security server
  MAINTAINERS: update selinux entry
  SELinux: rename selinux_netlabel.h to netlabel.h
  SELinux: extract the NetLabel SELinux support from the security server
  NetLabel: convert a BUG_ON in the CIPSO code to a runtime check
  NetLabel: cleanup and document CIPSO constants

15 files changed, 695 insertions, 773 deletions

diff --git a/MAINTAINERS b/MAINTAINERS
index 2e83c82aa13d..5519d257b556 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2980,8 +2980,10 @@ P:	Stephen Smalley
 M:      sds@tycho.nsa.gov
 P:      James Morris
 M:      jmorris@namei.org
+P:      Eric Paris
+M:      eparis@parisplace.org
 L:      linux-kernel@vger.kernel.org (kernel issues)
-L:      selinux@tycho.nsa.gov (general discussion)
+L:      selinux@tycho.nsa.gov (subscribers-only, general discussion)
 W:      http://www.nsa.gov/selinux
 S:      Supported
 
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 11a3404d65af..e1f18489db1d 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -92,6 +92,33 @@ int cipso_v4_rbm_optfmt = 0;
 int cipso_v4_rbm_strictvalid = 1;
 
 /*
+ * Protocol Constants
+ */
+
+/* Maximum size of the CIPSO IP option, derived from the fact that the maximum
+ * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
+#define CIPSO_V4_OPT_LEN_MAX          40
+
+/* Length of the base CIPSO option, this includes the option type (1 byte), the
+ * option length (1 byte), and the DOI (4 bytes). */
+#define CIPSO_V4_HDR_LEN              6
+
+/* Base length of the restrictive category bitmap tag (tag #1). */
+#define CIPSO_V4_TAG_RBM_BLEN         4
+
+/* Base length of the enumerated category tag (tag #2). */
+#define CIPSO_V4_TAG_ENUM_BLEN        4
+
+/* Base length of the ranged categories bitmap tag (tag #5). */
+#define CIPSO_V4_TAG_RNG_BLEN         4
+/* The maximum number of category ranges permitted in the ranged category tag
+ * (tag #5).  You may note that the IETF draft states that the maximum number
+ * of category ranges is 7, but if the low end of the last category range is
+ * zero then it is possibile to fit 8 category ranges because the zero should
+ * be omitted. */
+#define CIPSO_V4_TAG_RNG_CAT_MAX      8
+
+/*
  * Helper Functions
  */
 
@@ -1109,16 +1136,15 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
                                      unsigned char *net_cat,
                                      u32 net_cat_len)
 {
-        /* The constant '16' is not random, it is the maximum number of
-         * high/low category range pairs as permitted by the CIPSO draft based
-         * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion
-         * does a sanity check to make sure we don't overflow the array. */
         int iter = -1;
-        u16 array[16];
+        u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
         u32 array_cnt = 0;
         u32 cat_size = 0;
 
-        BUG_ON(net_cat_len > 30);
+        /* make sure we don't overflow the 'array[]' variable */
+        if (net_cat_len >
+            (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
+                return -ENOSPC;
 
         for (;;) {
                 iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);
@@ -1196,9 +1222,6 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
  * Protocol Handling Functions
  */
 
-#define CIPSO_V4_OPT_LEN_MAX          40
-#define CIPSO_V4_HDR_LEN              6
-
 /**
  * cipso_v4_gentag_hdr - Generate a CIPSO option header
  * @doi_def: the DOI definition
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index e03a3282c551..f2535e7f2869 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -263,9 +263,6 @@ int netlbl_socket_setattr(const struct socket *sock,
         int ret_val = -ENOENT;
         struct netlbl_dom_map *dom_entry;
 
-        if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
-                return -ENOENT;
-
         rcu_read_lock();
         dom_entry = netlbl_domhsh_getentry(secattr->domain);
         if (dom_entry == NULL)
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index faf2e02e4410..dc3502e30b19 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -8,5 +8,7 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
+selinux-$(CONFIG_NETLABEL) += netlabel.o
+
 EXTRA_CFLAGS += -Isecurity/selinux/include
 
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index da8caf10ef97..e4396a89edc6 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -217,6 +217,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
                 audit_log_format(ab, " tcontext=%s", scontext);
                 kfree(scontext);
         }
+
+        BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
         audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5f02b4be1917..885a9a958b8d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -77,7 +77,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "xfrm.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
 
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
@@ -3123,6 +3123,34 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
         return ret;
 }
 
+/**
+ * selinux_skb_extlbl_sid - Determine the external label of a packet
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only external labels
+ * @sid: the packet's SID
+ *
+ * Description:
+ * Check the various different forms of external packet labeling and determine
+ * the external SID for the packet.
+ *
+ */
+static void selinux_skb_extlbl_sid(struct sk_buff *skb,
+                                   u32 base_sid,
+                                   u32 *sid)
+{
+        u32 xfrm_sid;
+        u32 nlbl_sid;
+
+        selinux_skb_xfrm_sid(skb, &xfrm_sid);
+        if (selinux_netlbl_skbuff_getsid(skb,
+                                         (xfrm_sid == SECSID_NULL ?
+                                          base_sid : xfrm_sid),
+                                         &nlbl_sid) != 0)
+                nlbl_sid = SECSID_NULL;
+
+        *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
+}
+
 /* socket security operations */
 static int socket_has_perm(struct task_struct *task, struct socket *sock,
                            u32 perms)
@@ -3664,9 +3692,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
         if (sock && sock->sk->sk_family == PF_UNIX)
                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
         else if (skb)
-                security_skb_extlbl_sid(skb,
-                                        SECINITSID_UNLABELED,
-                                        &peer_secid);
+                selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
 
         if (peer_secid == SECSID_NULL)
                 err = -EINVAL;
@@ -3727,7 +3753,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
         u32 newsid;
         u32 peersid;
 
-        security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+        selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
         if (peersid == SECSID_NULL) {
                 req->secid = sksec->sid;
                 req->peer_secid = SECSID_NULL;
@@ -3765,7 +3791,7 @@ static void selinux_inet_conn_established(struct sock *sk,
 {
         struct sk_security_struct *sksec = sk->sk_security;
 
-        security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+        selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index ad9fb2d69b50..b83e74012a97 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -128,96 +128,6 @@
    S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
-   S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
-   S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
-   S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
-   S_(SECCLASS_PASSWD, PASSWD__ROOTOK, "rootok")
-   S_(SECCLASS_PASSWD, PASSWD__CRONTAB, "crontab")
-   S_(SECCLASS_DRAWABLE, DRAWABLE__CREATE, "create")
-   S_(SECCLASS_DRAWABLE, DRAWABLE__DESTROY, "destroy")
-   S_(SECCLASS_DRAWABLE, DRAWABLE__DRAW, "draw")
-   S_(SECCLASS_DRAWABLE, DRAWABLE__COPY, "copy")
-   S_(SECCLASS_DRAWABLE, DRAWABLE__GETATTR, "getattr")
-   S_(SECCLASS_GC, GC__CREATE, "create")
-   S_(SECCLASS_GC, GC__FREE, "free")
-   S_(SECCLASS_GC, GC__GETATTR, "getattr")
-   S_(SECCLASS_GC, GC__SETATTR, "setattr")
-   S_(SECCLASS_WINDOW, WINDOW__ADDCHILD, "addchild")
-   S_(SECCLASS_WINDOW, WINDOW__CREATE, "create")
-   S_(SECCLASS_WINDOW, WINDOW__DESTROY, "destroy")
-   S_(SECCLASS_WINDOW, WINDOW__MAP, "map")
-   S_(SECCLASS_WINDOW, WINDOW__UNMAP, "unmap")
-   S_(SECCLASS_WINDOW, WINDOW__CHSTACK, "chstack")
-   S_(SECCLASS_WINDOW, WINDOW__CHPROPLIST, "chproplist")
-   S_(SECCLASS_WINDOW, WINDOW__CHPROP, "chprop")
-   S_(SECCLASS_WINDOW, WINDOW__LISTPROP, "listprop")
-   S_(SECCLASS_WINDOW, WINDOW__GETATTR, "getattr")
-   S_(SECCLASS_WINDOW, WINDOW__SETATTR, "setattr")
-   S_(SECCLASS_WINDOW, WINDOW__SETFOCUS, "setfocus")
-   S_(SECCLASS_WINDOW, WINDOW__MOVE, "move")
-   S_(SECCLASS_WINDOW, WINDOW__CHSELECTION, "chselection")
-   S_(SECCLASS_WINDOW, WINDOW__CHPARENT, "chparent")
-   S_(SECCLASS_WINDOW, WINDOW__CTRLLIFE, "ctrllife")
-   S_(SECCLASS_WINDOW, WINDOW__ENUMERATE, "enumerate")
-   S_(SECCLASS_WINDOW, WINDOW__TRANSPARENT, "transparent")
-   S_(SECCLASS_WINDOW, WINDOW__MOUSEMOTION, "mousemotion")
-   S_(SECCLASS_WINDOW, WINDOW__CLIENTCOMEVENT, "clientcomevent")
-   S_(SECCLASS_WINDOW, WINDOW__INPUTEVENT, "inputevent")
-   S_(SECCLASS_WINDOW, WINDOW__DRAWEVENT, "drawevent")
-   S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEEVENT, "windowchangeevent")
-   S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEREQUEST, "windowchangerequest")
-   S_(SECCLASS_WINDOW, WINDOW__SERVERCHANGEEVENT, "serverchangeevent")
-   S_(SECCLASS_WINDOW, WINDOW__EXTENSIONEVENT, "extensionevent")
-   S_(SECCLASS_FONT, FONT__LOAD, "load")
-   S_(SECCLASS_FONT, FONT__FREE, "free")
-   S_(SECCLASS_FONT, FONT__GETATTR, "getattr")
-   S_(SECCLASS_FONT, FONT__USE, "use")
-   S_(SECCLASS_COLORMAP, COLORMAP__CREATE, "create")
-   S_(SECCLASS_COLORMAP, COLORMAP__FREE, "free")
-   S_(SECCLASS_COLORMAP, COLORMAP__INSTALL, "install")
-   S_(SECCLASS_COLORMAP, COLORMAP__UNINSTALL, "uninstall")
-   S_(SECCLASS_COLORMAP, COLORMAP__LIST, "list")
-   S_(SECCLASS_COLORMAP, COLORMAP__READ, "read")
-   S_(SECCLASS_COLORMAP, COLORMAP__STORE, "store")
-   S_(SECCLASS_COLORMAP, COLORMAP__GETATTR, "getattr")
-   S_(SECCLASS_COLORMAP, COLORMAP__SETATTR, "setattr")
-   S_(SECCLASS_PROPERTY, PROPERTY__CREATE, "create")
-   S_(SECCLASS_PROPERTY, PROPERTY__FREE, "free")
-   S_(SECCLASS_PROPERTY, PROPERTY__READ, "read")
-   S_(SECCLASS_PROPERTY, PROPERTY__WRITE, "write")
-   S_(SECCLASS_CURSOR, CURSOR__CREATE, "create")
-   S_(SECCLASS_CURSOR, CURSOR__CREATEGLYPH, "createglyph")
-   S_(SECCLASS_CURSOR, CURSOR__FREE, "free")
-   S_(SECCLASS_CURSOR, CURSOR__ASSIGN, "assign")
-   S_(SECCLASS_CURSOR, CURSOR__SETATTR, "setattr")
-   S_(SECCLASS_XCLIENT, XCLIENT__KILL, "kill")
-   S_(SECCLASS_XINPUT, XINPUT__LOOKUP, "lookup")
-   S_(SECCLASS_XINPUT, XINPUT__GETATTR, "getattr")
-   S_(SECCLASS_XINPUT, XINPUT__SETATTR, "setattr")
-   S_(SECCLASS_XINPUT, XINPUT__SETFOCUS, "setfocus")
-   S_(SECCLASS_XINPUT, XINPUT__WARPPOINTER, "warppointer")
-   S_(SECCLASS_XINPUT, XINPUT__ACTIVEGRAB, "activegrab")
-   S_(SECCLASS_XINPUT, XINPUT__PASSIVEGRAB, "passivegrab")
-   S_(SECCLASS_XINPUT, XINPUT__UNGRAB, "ungrab")
-   S_(SECCLASS_XINPUT, XINPUT__BELL, "bell")
-   S_(SECCLASS_XINPUT, XINPUT__MOUSEMOTION, "mousemotion")
-   S_(SECCLASS_XINPUT, XINPUT__RELABELINPUT, "relabelinput")
-   S_(SECCLASS_XSERVER, XSERVER__SCREENSAVER, "screensaver")
-   S_(SECCLASS_XSERVER, XSERVER__GETHOSTLIST, "gethostlist")
-   S_(SECCLASS_XSERVER, XSERVER__SETHOSTLIST, "sethostlist")
-   S_(SECCLASS_XSERVER, XSERVER__GETFONTPATH, "getfontpath")
-   S_(SECCLASS_XSERVER, XSERVER__SETFONTPATH, "setfontpath")
-   S_(SECCLASS_XSERVER, XSERVER__GETATTR, "getattr")
-   S_(SECCLASS_XSERVER, XSERVER__GRAB, "grab")
-   S_(SECCLASS_XSERVER, XSERVER__UNGRAB, "ungrab")
-   S_(SECCLASS_XEXTENSION, XEXTENSION__QUERY, "query")
-   S_(SECCLASS_XEXTENSION, XEXTENSION__USE, "use")
-   S_(SECCLASS_PAX, PAX__PAGEEXEC, "pageexec")
-   S_(SECCLASS_PAX, PAX__EMUTRAMP, "emutramp")
-   S_(SECCLASS_PAX, PAX__MPROTECT, "mprotect")
-   S_(SECCLASS_PAX, PAX__RANDMMAP, "randmmap")
-   S_(SECCLASS_PAX, PAX__RANDEXEC, "randexec")
-   S_(SECCLASS_PAX, PAX__SEGMEXEC, "segmexec")
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
    S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
@@ -232,16 +142,6 @@
    S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
    S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
    S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
-   S_(SECCLASS_DBUS, DBUS__ACQUIRE_SVC, "acquire_svc")
-   S_(SECCLASS_DBUS, DBUS__SEND_MSG, "send_msg")
-   S_(SECCLASS_NSCD, NSCD__GETPWD, "getpwd")
-   S_(SECCLASS_NSCD, NSCD__GETGRP, "getgrp")
-   S_(SECCLASS_NSCD, NSCD__GETHOST, "gethost")
-   S_(SECCLASS_NSCD, NSCD__GETSTAT, "getstat")
-   S_(SECCLASS_NSCD, NSCD__ADMIN, "admin")
-   S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
-   S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
-   S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
    S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
@@ -256,7 +156,5 @@
    S_(SECCLASS_KEY, KEY__LINK, "link")
    S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
    S_(SECCLASS_KEY, KEY__CREATE, "create")
-   S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate")
-   S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains")
    S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
    S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 2de4b5fe3aa1..5fee1735bffe 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -16,7 +16,6 @@
 #define COMMON_FILE__SWAPON                              0x00004000UL
 #define COMMON_FILE__QUOTAON                             0x00008000UL
 #define COMMON_FILE__MOUNTON                             0x00010000UL
-
 #define COMMON_SOCKET__IOCTL                             0x00000001UL
 #define COMMON_SOCKET__READ                              0x00000002UL
 #define COMMON_SOCKET__WRITE                             0x00000004UL
@@ -39,7 +38,6 @@
 #define COMMON_SOCKET__RECV_MSG                          0x00080000UL
 #define COMMON_SOCKET__SEND_MSG                          0x00100000UL
 #define COMMON_SOCKET__NAME_BIND                         0x00200000UL
-
 #define COMMON_IPC__CREATE                               0x00000001UL
 #define COMMON_IPC__DESTROY                              0x00000002UL
 #define COMMON_IPC__GETATTR                              0x00000004UL
@@ -49,7 +47,6 @@
 #define COMMON_IPC__ASSOCIATE                            0x00000040UL
 #define COMMON_IPC__UNIX_READ                            0x00000080UL
 #define COMMON_IPC__UNIX_WRITE                           0x00000100UL
-
 #define FILESYSTEM__MOUNT                         0x00000001UL
 #define FILESYSTEM__REMOUNT                       0x00000002UL
 #define FILESYSTEM__UNMOUNT                       0x00000004UL
@@ -60,7 +57,6 @@
 #define FILESYSTEM__ASSOCIATE                     0x00000080UL
 #define FILESYSTEM__QUOTAMOD                      0x00000100UL
 #define FILESYSTEM__QUOTAGET                      0x00000200UL
-
 #define DIR__IOCTL                                0x00000001UL
 #define DIR__READ                                 0x00000002UL
 #define DIR__WRITE                                0x00000004UL
@@ -78,13 +74,11 @@
 #define DIR__SWAPON                               0x00004000UL
 #define DIR__QUOTAON                              0x00008000UL
 #define DIR__MOUNTON                              0x00010000UL
-
 #define DIR__ADD_NAME                             0x00020000UL
 #define DIR__REMOVE_NAME                          0x00040000UL
 #define DIR__REPARENT                             0x00080000UL
 #define DIR__SEARCH                               0x00100000UL
 #define DIR__RMDIR                                0x00200000UL
-
 #define FILE__IOCTL                               0x00000001UL
 #define FILE__READ                                0x00000002UL
 #define FILE__WRITE                               0x00000004UL
@@ -102,11 +96,9 @@
 #define FILE__SWAPON                              0x00004000UL
 #define FILE__QUOTAON                             0x00008000UL
 #define FILE__MOUNTON                             0x00010000UL
-
 #define FILE__EXECUTE_NO_TRANS                    0x00020000UL
 #define FILE__ENTRYPOINT                          0x00040000UL
 #define FILE__EXECMOD                             0x00080000UL
-
 #define LNK_FILE__IOCTL                           0x00000001UL
 #define LNK_FILE__READ                            0x00000002UL
 #define LNK_FILE__WRITE                           0x00000004UL
@@ -124,7 +116,6 @@
 #define LNK_FILE__SWAPON                          0x00004000UL
 #define LNK_FILE__QUOTAON                         0x00008000UL
 #define LNK_FILE__MOUNTON                         0x00010000UL
-
 #define CHR_FILE__IOCTL                           0x00000001UL
 #define CHR_FILE__READ                            0x00000002UL
 #define CHR_FILE__WRITE                           0x00000004UL
@@ -142,11 +133,9 @@
 #define CHR_FILE__SWAPON                          0x00004000UL
 #define CHR_FILE__QUOTAON                         0x00008000UL
 #define CHR_FILE__MOUNTON                         0x00010000UL
-
 #define CHR_FILE__EXECUTE_NO_TRANS                0x00020000UL
 #define CHR_FILE__ENTRYPOINT                      0x00040000UL
 #define CHR_FILE__EXECMOD                         0x00080000UL
-
 #define BLK_FILE__IOCTL                           0x00000001UL
 #define BLK_FILE__READ                            0x00000002UL
 #define BLK_FILE__WRITE                           0x00000004UL
@@ -164,7 +153,6 @@
 #define BLK_FILE__SWAPON                          0x00004000UL
 #define BLK_FILE__QUOTAON                         0x00008000UL
 #define BLK_FILE__MOUNTON                         0x00010000UL
-
 #define SOCK_FILE__IOCTL                          0x00000001UL
 #define SOCK_FILE__READ                           0x00000002UL
 #define SOCK_FILE__WRITE                          0x00000004UL
@@ -182,7 +170,6 @@
 #define SOCK_FILE__SWAPON                         0x00004000UL
 #define SOCK_FILE__QUOTAON                        0x00008000UL
 #define SOCK_FILE__MOUNTON                        0x00010000UL
-
 #define FIFO_FILE__IOCTL                          0x00000001UL
 #define FIFO_FILE__READ                           0x00000002UL
 #define FIFO_FILE__WRITE                          0x00000004UL
@@ -200,9 +187,7 @@
 #define FIFO_FILE__SWAPON                         0x00004000UL
 #define FIFO_FILE__QUOTAON                        0x00008000UL
 #define FIFO_FILE__MOUNTON                        0x00010000UL
-
 #define FD__USE                                   0x00000001UL
-
 #define SOCKET__IOCTL                             0x00000001UL
 #define SOCKET__READ                              0x00000002UL
 #define SOCKET__WRITE                             0x00000004UL
@@ -225,7 +210,6 @@
 #define SOCKET__RECV_MSG                          0x00080000UL
 #define SOCKET__SEND_MSG                          0x00100000UL
 #define SOCKET__NAME_BIND                         0x00200000UL
-
 #define TCP_SOCKET__IOCTL                         0x00000001UL
 #define TCP_SOCKET__READ                          0x00000002UL
 #define TCP_SOCKET__WRITE                         0x00000004UL
@@ -248,13 +232,11 @@
 #define TCP_SOCKET__RECV_MSG                      0x00080000UL
 #define TCP_SOCKET__SEND_MSG                      0x00100000UL
 #define TCP_SOCKET__NAME_BIND                     0x00200000UL
-
 #define TCP_SOCKET__CONNECTTO                     0x00400000UL
 #define TCP_SOCKET__NEWCONN                       0x00800000UL
 #define TCP_SOCKET__ACCEPTFROM                    0x01000000UL
 #define TCP_SOCKET__NODE_BIND                     0x02000000UL
 #define TCP_SOCKET__NAME_CONNECT                  0x04000000UL
-
 #define UDP_SOCKET__IOCTL                         0x00000001UL
 #define UDP_SOCKET__READ                          0x00000002UL
 #define UDP_SOCKET__WRITE                         0x00000004UL
@@ -277,9 +259,7 @@
 #define UDP_SOCKET__RECV_MSG                      0x00080000UL
 #define UDP_SOCKET__SEND_MSG                      0x00100000UL
 #define UDP_SOCKET__NAME_BIND                     0x00200000UL
-
 #define UDP_SOCKET__NODE_BIND                     0x00400000UL
-
 #define RAWIP_SOCKET__IOCTL                       0x00000001UL
 #define RAWIP_SOCKET__READ                        0x00000002UL
 #define RAWIP_SOCKET__WRITE                       0x00000004UL
@@ -302,9 +282,7 @@
 #define RAWIP_SOCKET__RECV_MSG                    0x00080000UL
 #define RAWIP_SOCKET__SEND_MSG                    0x00100000UL
 #define RAWIP_SOCKET__NAME_BIND                   0x00200000UL
-
 #define RAWIP_SOCKET__NODE_BIND                   0x00400000UL
-
 #define NODE__TCP_RECV                            0x00000001UL
 #define NODE__TCP_SEND                            0x00000002UL
 #define NODE__UDP_RECV                            0x00000004UL
@@ -314,7 +292,6 @@
 #define NODE__ENFORCE_DEST                        0x00000040UL
 #define NODE__DCCP_RECV                           0x00000080UL
 #define NODE__DCCP_SEND                           0x00000100UL
-
 #define NETIF__TCP_RECV                           0x00000001UL
 #define NETIF__TCP_SEND                           0x00000002UL
 #define NETIF__UDP_RECV                           0x00000004UL
@@ -323,7 +300,6 @@
 #define NETIF__RAWIP_SEND                         0x00000020UL
 #define NETIF__DCCP_RECV                          0x00000040UL
 #define NETIF__DCCP_SEND                          0x00000080UL
-
 #define NETLINK_SOCKET__IOCTL                     0x00000001UL
 #define NETLINK_SOCKET__READ                      0x00000002UL
 #define NETLINK_SOCKET__WRITE                     0x00000004UL
@@ -346,7 +322,6 @@
 #define NETLINK_SOCKET__RECV_MSG                  0x00080000UL
 #define NETLINK_SOCKET__SEND_MSG                  0x00100000UL
 #define NETLINK_SOCKET__NAME_BIND                 0x00200000UL
-
 #define PACKET_SOCKET__IOCTL                      0x00000001UL
 #define PACKET_SOCKET__READ                       0x00000002UL
 #define PACKET_SOCKET__WRITE                      0x00000004UL
@@ -369,7 +344,6 @@
 #define PACKET_SOCKET__RECV_MSG                   0x00080000UL
 #define PACKET_SOCKET__SEND_MSG                   0x00100000UL
 #define PACKET_SOCKET__NAME_BIND                  0x00200000UL
-
 #define KEY_SOCKET__IOCTL                         0x00000001UL
 #define KEY_SOCKET__READ                          0x00000002UL
 #define KEY_SOCKET__WRITE                         0x00000004UL
@@ -392,7 +366,6 @@
 #define KEY_SOCKET__RECV_MSG                      0x00080000UL
 #define KEY_SOCKET__SEND_MSG                      0x00100000UL
 #define KEY_SOCKET__NAME_BIND                     0x00200000UL
-
 #define UNIX_STREAM_SOCKET__IOCTL                 0x00000001UL
 #define UNIX_STREAM_SOCKET__READ                  0x00000002UL
 #define UNIX_STREAM_SOCKET__WRITE                 0x00000004UL
@@ -415,11 +388,9 @@
 #define UNIX_STREAM_SOCKET__RECV_MSG              0x00080000UL
 #define UNIX_STREAM_SOCKET__SEND_MSG              0x00100000UL
 #define UNIX_STREAM_SOCKET__NAME_BIND             0x00200000UL
-
 #define UNIX_STREAM_SOCKET__CONNECTTO             0x00400000UL
 #define UNIX_STREAM_SOCKET__NEWCONN               0x00800000UL
 #define UNIX_STREAM_SOCKET__ACCEPTFROM            0x01000000UL
-
 #define UNIX_DGRAM_SOCKET__IOCTL                  0x00000001UL
 #define UNIX_DGRAM_SOCKET__READ                   0x00000002UL
 #define UNIX_DGRAM_SOCKET__WRITE                  0x00000004UL
@@ -442,7 +413,6 @@
 #define UNIX_DGRAM_SOCKET__RECV_MSG               0x00080000UL
 #define UNIX_DGRAM_SOCKET__SEND_MSG               0x00100000UL
 #define UNIX_DGRAM_SOCKET__NAME_BIND              0x00200000UL
-
 #define PROCESS__FORK                             0x00000001UL
 #define PROCESS__TRANSITION                       0x00000002UL
 #define PROCESS__SIGCHLD                          0x00000004UL
@@ -473,7 +443,6 @@
 #define PROCESS__EXECHEAP                         0x08000000UL
 #define PROCESS__SETKEYCREATE                     0x10000000UL
 #define PROCESS__SETSOCKCREATE                    0x20000000UL
-
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
 #define IPC__GETATTR                              0x00000004UL
@@ -483,7 +452,6 @@
 #define IPC__ASSOCIATE                            0x00000040UL
 #define IPC__UNIX_READ                            0x00000080UL
 #define IPC__UNIX_WRITE                           0x00000100UL
-
 #define SEM__CREATE                               0x00000001UL
 #define SEM__DESTROY                              0x00000002UL
 #define SEM__GETATTR                              0x00000004UL
@@ -493,7 +461,6 @@
 #define SEM__ASSOCIATE                            0x00000040UL
 #define SEM__UNIX_READ                            0x00000080UL
 #define SEM__UNIX_WRITE                           0x00000100UL
-
 #define MSGQ__CREATE                              0x00000001UL
 #define MSGQ__DESTROY                             0x00000002UL
 #define MSGQ__GETATTR                             0x00000004UL
@@ -503,12 +470,9 @@
 #define MSGQ__ASSOCIATE                           0x00000040UL
 #define MSGQ__UNIX_READ                           0x00000080UL
 #define MSGQ__UNIX_WRITE                          0x00000100UL
-
 #define MSGQ__ENQUEUE                             0x00000200UL
-
 #define MSG__SEND                                 0x00000001UL
 #define MSG__RECEIVE                              0x00000002UL
-
 #define SHM__CREATE                               0x00000001UL
 #define SHM__DESTROY                              0x00000002UL
 #define SHM__GETATTR                              0x00000004UL
@@ -518,9 +482,7 @@
 #define SHM__ASSOCIATE                            0x00000040UL
 #define SHM__UNIX_READ                            0x00000080UL
 #define SHM__UNIX_WRITE                           0x00000100UL
-
 #define SHM__LOCK                                 0x00000200UL
-
 #define SECURITY__COMPUTE_AV                      0x00000001UL
 #define SECURITY__COMPUTE_CREATE                  0x00000002UL
 #define SECURITY__COMPUTE_MEMBER                  0x00000004UL
@@ -532,12 +494,10 @@
 #define SECURITY__SETBOOL                         0x00000100UL
 #define SECURITY__SETSECPARAM                     0x00000200UL
 #define SECURITY__SETCHECKREQPROT                 0x00000400UL
-
 #define SYSTEM__IPC_INFO                          0x00000001UL
 #define SYSTEM__SYSLOG_READ                       0x00000002UL
 #define SYSTEM__SYSLOG_MOD                        0x00000004UL
 #define SYSTEM__SYSLOG_CONSOLE                    0x00000008UL
-
 #define CAPABILITY__CHOWN                         0x00000001UL
 #define CAPABILITY__DAC_OVERRIDE                  0x00000002UL
 #define CAPABILITY__DAC_READ_SEARCH               0x00000004UL
@@ -569,110 +529,6 @@
 #define CAPABILITY__LEASE                         0x10000000UL
 #define CAPABILITY__AUDIT_WRITE                   0x20000000UL
 #define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
-
-#define PASSWD__PASSWD                            0x00000001UL
-#define PASSWD__CHFN                              0x00000002UL
-#define PASSWD__CHSH                              0x00000004UL
-#define PASSWD__ROOTOK                            0x00000008UL
-#define PASSWD__CRONTAB                           0x00000010UL
-
-#define DRAWABLE__CREATE                          0x00000001UL
-#define DRAWABLE__DESTROY                         0x00000002UL
-#define DRAWABLE__DRAW                            0x00000004UL
-#define DRAWABLE__COPY                            0x00000008UL
-#define DRAWABLE__GETATTR                         0x00000010UL
-
-#define GC__CREATE                                0x00000001UL
-#define GC__FREE                                  0x00000002UL
-#define GC__GETATTR                               0x00000004UL
-#define GC__SETATTR                               0x00000008UL
-
-#define WINDOW__ADDCHILD                          0x00000001UL
-#define WINDOW__CREATE                            0x00000002UL
-#define WINDOW__DESTROY                           0x00000004UL
-#define WINDOW__MAP                               0x00000008UL
-#define WINDOW__UNMAP                             0x00000010UL
-#define WINDOW__CHSTACK                           0x00000020UL
-#define WINDOW__CHPROPLIST                        0x00000040UL
-#define WINDOW__CHPROP                            0x00000080UL
-#define WINDOW__LISTPROP                          0x00000100UL
-#define WINDOW__GETATTR                           0x00000200UL
-#define WINDOW__SETATTR                           0x00000400UL
-#define WINDOW__SETFOCUS                          0x00000800UL
-#define WINDOW__MOVE                              0x00001000UL
-#define WINDOW__CHSELECTION                       0x00002000UL
-#define WINDOW__CHPARENT                          0x00004000UL
-#define WINDOW__CTRLLIFE                          0x00008000UL
-#define WINDOW__ENUMERATE                         0x00010000UL
-#define WINDOW__TRANSPARENT                       0x00020000UL
-#define WINDOW__MOUSEMOTION                       0x00040000UL
-#define WINDOW__CLIENTCOMEVENT                    0x00080000UL
-#define WINDOW__INPUTEVENT                        0x00100000UL
-#define WINDOW__DRAWEVENT                         0x00200000UL
-#define WINDOW__WINDOWCHANGEEVENT                 0x00400000UL
-#define WINDOW__WINDOWCHANGEREQUEST               0x00800000UL
-#define WINDOW__SERVERCHANGEEVENT                 0x01000000UL
-#define WINDOW__EXTENSIONEVENT                    0x02000000UL
-
-#define FONT__LOAD                                0x00000001UL
-#define FONT__FREE                                0x00000002UL
-#define FONT__GETATTR                             0x00000004UL
-#define FONT__USE                                 0x00000008UL
-
-#define COLORMAP__CREATE                          0x00000001UL
-#define COLORMAP__FREE                            0x00000002UL
-#define COLORMAP__INSTALL                         0x00000004UL
-#define COLORMAP__UNINSTALL                       0x00000008UL
-#define COLORMAP__LIST                            0x00000010UL
-#define COLORMAP__READ                            0x00000020UL
-#define COLORMAP__STORE                           0x00000040UL
-#define COLORMAP__GETATTR                         0x00000080UL
-#define COLORMAP__SETATTR                         0x00000100UL
-
-#define PROPERTY__CREATE                          0x00000001UL
-#define PROPERTY__FREE                            0x00000002UL
-#define PROPERTY__READ                            0x00000004UL
-#define PROPERTY__WRITE                           0x00000008UL
-
-#define CURSOR__CREATE                            0x00000001UL
-#define CURSOR__CREATEGLYPH                       0x00000002UL
-#define CURSOR__FREE                              0x00000004UL
-#define CURSOR__ASSIGN                            0x00000008UL
-#define CURSOR__SETATTR                           0x00000010UL
-
-#define XCLIENT__KILL                             0x00000001UL
-
-#define XINPUT__LOOKUP                            0x00000001UL
-#define XINPUT__GETATTR                           0x00000002UL
-#define XINPUT__SETATTR                           0x00000004UL
-#define XINPUT__SETFOCUS                          0x00000008UL
-#define XINPUT__WARPPOINTER                       0x00000010UL
-#define XINPUT__ACTIVEGRAB                        0x00000020UL
-#define XINPUT__PASSIVEGRAB                       0x00000040UL
-#define XINPUT__UNGRAB                            0x00000080UL
-#define XINPUT__BELL                              0x00000100UL
-#define XINPUT__MOUSEMOTION                       0x00000200UL
-#define XINPUT__RELABELINPUT                      0x00000400UL
-
-#define XSERVER__SCREENSAVER                      0x00000001UL
-#define XSERVER__GETHOSTLIST                      0x00000002UL
-#define XSERVER__SETHOSTLIST                      0x00000004UL
-#define XSERVER__GETFONTPATH                      0x00000008UL
-#define XSERVER__SETFONTPATH                      0x00000010UL
-#define XSERVER__GETATTR                          0x00000020UL
-#define XSERVER__GRAB                             0x00000040UL
-#define XSERVER__UNGRAB                           0x00000080UL
-
-#define XEXTENSION__QUERY                         0x00000001UL
-#define XEXTENSION__USE                           0x00000002UL
-
-#define PAX__PAGEEXEC                             0x00000001UL
-#define PAX__EMUTRAMP                             0x00000002UL
-#define PAX__MPROTECT                             0x00000004UL
-#define PAX__RANDMMAP                             0x00000008UL
-#define PAX__RANDEXEC                             0x00000010UL
-#define PAX__SEGMEXEC                             0x00000020UL
-
 #define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
 #define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
 #define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL
@@ -695,10 +551,8 @@
 #define NETLINK_ROUTE_SOCKET__RECV_MSG            0x00080000UL
 #define NETLINK_ROUTE_SOCKET__SEND_MSG            0x00100000UL
 #define NETLINK_ROUTE_SOCKET__NAME_BIND           0x00200000UL
-
 #define NETLINK_ROUTE_SOCKET__NLMSG_READ          0x00400000UL
 #define NETLINK_ROUTE_SOCKET__NLMSG_WRITE         0x00800000UL
-
 #define NETLINK_FIREWALL_SOCKET__IOCTL            0x00000001UL
 #define NETLINK_FIREWALL_SOCKET__READ             0x00000002UL
 #define NETLINK_FIREWALL_SOCKET__WRITE            0x00000004UL
@@ -721,10 +575,8 @@
 #define NETLINK_FIREWALL_SOCKET__RECV_MSG         0x00080000UL
 #define NETLINK_FIREWALL_SOCKET__SEND_MSG         0x00100000UL
 #define NETLINK_FIREWALL_SOCKET__NAME_BIND        0x00200000UL
-
 #define NETLINK_FIREWALL_SOCKET__NLMSG_READ       0x00400000UL
 #define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE      0x00800000UL
-
 #define NETLINK_TCPDIAG_SOCKET__IOCTL             0x00000001UL
 #define NETLINK_TCPDIAG_SOCKET__READ              0x00000002UL
 #define NETLINK_TCPDIAG_SOCKET__WRITE             0x00000004UL
@@ -747,10 +599,8 @@
 #define NETLINK_TCPDIAG_SOCKET__RECV_MSG          0x00080000UL
 #define NETLINK_TCPDIAG_SOCKET__SEND_MSG          0x00100000UL
 #define NETLINK_TCPDIAG_SOCKET__NAME_BIND         0x00200000UL
-
 #define NETLINK_TCPDIAG_SOCKET__NLMSG_READ        0x00400000UL
 #define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE       0x00800000UL
-
 #define NETLINK_NFLOG_SOCKET__IOCTL               0x00000001UL
 #define NETLINK_NFLOG_SOCKET__READ                0x00000002UL
 #define NETLINK_NFLOG_SOCKET__WRITE               0x00000004UL
@@ -773,7 +623,6 @@
 #define NETLINK_NFLOG_SOCKET__RECV_MSG            0x00080000UL
 #define NETLINK_NFLOG_SOCKET__SEND_MSG            0x00100000UL
 #define NETLINK_NFLOG_SOCKET__NAME_BIND           0x00200000UL
-
 #define NETLINK_XFRM_SOCKET__IOCTL                0x00000001UL
 #define NETLINK_XFRM_SOCKET__READ                 0x00000002UL
 #define NETLINK_XFRM_SOCKET__WRITE                0x00000004UL
@@ -796,10 +645,8 @@
 #define NETLINK_XFRM_SOCKET__RECV_MSG             0x00080000UL
 #define NETLINK_XFRM_SOCKET__SEND_MSG             0x00100000UL
 #define NETLINK_XFRM_SOCKET__NAME_BIND            0x00200000UL
-
 #define NETLINK_XFRM_SOCKET__NLMSG_READ           0x00400000UL
 #define NETLINK_XFRM_SOCKET__NLMSG_WRITE          0x00800000UL
-
 #define NETLINK_SELINUX_SOCKET__IOCTL             0x00000001UL
 #define NETLINK_SELINUX_SOCKET__READ              0x00000002UL
 #define NETLINK_SELINUX_SOCKET__WRITE             0x00000004UL
@@ -822,7 +669,6 @@
 #define NETLINK_SELINUX_SOCKET__RECV_MSG          0x00080000UL
 #define NETLINK_SELINUX_SOCKET__SEND_MSG          0x00100000UL
 #define NETLINK_SELINUX_SOCKET__NAME_BIND         0x00200000UL
-
 #define NETLINK_AUDIT_SOCKET__IOCTL               0x00000001UL
 #define NETLINK_AUDIT_SOCKET__READ                0x00000002UL
 #define NETLINK_AUDIT_SOCKET__WRITE               0x00000004UL
@@ -845,12 +691,10 @@
 #define NETLINK_AUDIT_SOCKET__RECV_MSG            0x00080000UL
 #define NETLINK_AUDIT_SOCKET__SEND_MSG            0x00100000UL
 #define NETLINK_AUDIT_SOCKET__NAME_BIND           0x00200000UL
-
 #define NETLINK_AUDIT_SOCKET__NLMSG_READ          0x00400000UL
 #define NETLINK_AUDIT_SOCKET__NLMSG_WRITE         0x00800000UL
 #define NETLINK_AUDIT_SOCKET__NLMSG_RELAY         0x01000000UL
 #define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV      0x02000000UL
-
 #define NETLINK_IP6FW_SOCKET__IOCTL               0x00000001UL
 #define NETLINK_IP6FW_SOCKET__READ                0x00000002UL
 #define NETLINK_IP6FW_SOCKET__WRITE               0x00000004UL
@@ -873,10 +717,8 @@
 #define NETLINK_IP6FW_SOCKET__RECV_MSG            0x00080000UL
 #define NETLINK_IP6FW_SOCKET__SEND_MSG            0x00100000UL
 #define NETLINK_IP6FW_SOCKET__NAME_BIND           0x00200000UL
-
 #define NETLINK_IP6FW_SOCKET__NLMSG_READ          0x00400000UL
 #define NETLINK_IP6FW_SOCKET__NLMSG_WRITE         0x00800000UL
-
 #define NETLINK_DNRT_SOCKET__IOCTL                0x00000001UL
 #define NETLINK_DNRT_SOCKET__READ                 0x00000002UL
 #define NETLINK_DNRT_SOCKET__WRITE                0x00000004UL
@@ -899,24 +741,10 @@
 #define NETLINK_DNRT_SOCKET__RECV_MSG             0x00080000UL
 #define NETLINK_DNRT_SOCKET__SEND_MSG             0x00100000UL
 #define NETLINK_DNRT_SOCKET__NAME_BIND            0x00200000UL
-
-#define DBUS__ACQUIRE_SVC                         0x00000001UL
-#define DBUS__SEND_MSG                            0x00000002UL
-
-#define NSCD__GETPWD                              0x00000001UL
-#define NSCD__GETGRP                              0x00000002UL
-#define NSCD__GETHOST                             0x00000004UL
-#define NSCD__GETSTAT                             0x00000008UL
-#define NSCD__ADMIN                               0x00000010UL
-#define NSCD__SHMEMPWD                            0x00000020UL
-#define NSCD__SHMEMGRP                            0x00000040UL
-#define NSCD__SHMEMHOST                           0x00000080UL
-
 #define ASSOCIATION__SENDTO                       0x00000001UL
 #define ASSOCIATION__RECVFROM                     0x00000002UL
 #define ASSOCIATION__SETCONTEXT                   0x00000004UL
 #define ASSOCIATION__POLMATCH                     0x00000008UL
-
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE      0x00000004UL
@@ -939,7 +767,6 @@
 #define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG   0x00080000UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG   0x00100000UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND  0x00200000UL
-
 #define APPLETALK_SOCKET__IOCTL                   0x00000001UL
 #define APPLETALK_SOCKET__READ                    0x00000002UL
 #define APPLETALK_SOCKET__WRITE                   0x00000004UL
@@ -962,11 +789,9 @@
 #define APPLETALK_SOCKET__RECV_MSG                0x00080000UL
 #define APPLETALK_SOCKET__SEND_MSG                0x00100000UL
 #define APPLETALK_SOCKET__NAME_BIND               0x00200000UL
-
 #define PACKET__SEND                              0x00000001UL
 #define PACKET__RECV                              0x00000002UL
 #define PACKET__RELABELTO                         0x00000004UL
-
 #define KEY__VIEW                                 0x00000001UL
 #define KEY__READ                                 0x00000002UL
 #define KEY__WRITE                                0x00000004UL
@@ -974,10 +799,6 @@
 #define KEY__LINK                                 0x00000010UL
 #define KEY__SETATTR                              0x00000020UL
 #define KEY__CREATE                               0x00000040UL
-
-#define CONTEXT__TRANSLATE                        0x00000001UL
-#define CONTEXT__CONTAINS                         0x00000002UL
-
 #define DCCP_SOCKET__IOCTL                        0x00000001UL
 #define DCCP_SOCKET__READ                         0x00000002UL
 #define DCCP_SOCKET__WRITE                        0x00000004UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 9f3ebb1bfae6..378799068441 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -2,7 +2,7 @@
 /*
  * Security object class definitions
  */
-    S_("null")
+    S_(NULL)
     S_("security")
     S_("process")
     S_("system")
@@ -32,19 +32,19 @@
     S_("msgq")
     S_("shm")
     S_("ipc")
-    S_("passwd")
-    S_("drawable")
-    S_("window")
-    S_("gc")
-    S_("font")
-    S_("colormap")
-    S_("property")
-    S_("cursor")
-    S_("xclient")
-    S_("xinput")
-    S_("xserver")
-    S_("xextension")
-    S_("pax")
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
+    S_(NULL)
     S_("netlink_route_socket")
     S_("netlink_firewall_socket")
     S_("netlink_tcpdiag_socket")
@@ -54,12 +54,12 @@
     S_("netlink_audit_socket")
     S_("netlink_ip6fw_socket")
     S_("netlink_dnrt_socket")
-    S_("dbus")
-    S_("nscd")
+    S_(NULL)
+    S_(NULL)
     S_("association")
     S_("netlink_kobject_uevent_socket")
     S_("appletalk_socket")
     S_("packet")
     S_("key")
-    S_("context")
+    S_(NULL)
     S_("dccp_socket")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 67cef371ee00..35f309f47873 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -34,19 +34,6 @@
 #define SECCLASS_MSGQ                                    27
 #define SECCLASS_SHM                                     28
 #define SECCLASS_IPC                                     29
-#define SECCLASS_PASSWD                                  30
-#define SECCLASS_DRAWABLE                                31
-#define SECCLASS_WINDOW                                  32
-#define SECCLASS_GC                                      33
-#define SECCLASS_FONT                                    34
-#define SECCLASS_COLORMAP                                35
-#define SECCLASS_PROPERTY                                36
-#define SECCLASS_CURSOR                                  37
-#define SECCLASS_XCLIENT                                 38
-#define SECCLASS_XINPUT                                  39
-#define SECCLASS_XSERVER                                 40
-#define SECCLASS_XEXTENSION                              41
-#define SECCLASS_PAX                                     42
 #define SECCLASS_NETLINK_ROUTE_SOCKET                    43
 #define SECCLASS_NETLINK_FIREWALL_SOCKET                 44
 #define SECCLASS_NETLINK_TCPDIAG_SOCKET                  45
@@ -56,14 +43,11 @@
 #define SECCLASS_NETLINK_AUDIT_SOCKET                    49
 #define SECCLASS_NETLINK_IP6FW_SOCKET                    50
 #define SECCLASS_NETLINK_DNRT_SOCKET                     51
-#define SECCLASS_DBUS                                    52
-#define SECCLASS_NSCD                                    53
 #define SECCLASS_ASSOCIATION                             54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
 #define SECCLASS_APPLETALK_SOCKET                        56
 #define SECCLASS_PACKET                                  57
 #define SECCLASS_KEY                                     58
-#define SECCLASS_CONTEXT                                 59
 #define SECCLASS_DCCP_SOCKET                             60
 
 /*
diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/netlabel.h
index 2a732c9033e3..218e3f77c350 100644
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -38,19 +38,22 @@
 
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-int selinux_netlbl_socket_post_create(struct socket *sock);
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-                                struct sk_buff *skb,
-                                struct avc_audit_data *ad);
+
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
                                       int family);
 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
                                      int family);
 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
                                       struct sk_security_struct *newssec);
+
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+int selinux_netlbl_socket_post_create(struct socket *sock);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+                                struct sk_buff *skb,
+                                struct avc_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
                                      int level,
                                      int optname);
@@ -60,59 +63,53 @@ static inline void selinux_netlbl_cache_invalidate(void)
         return;
 }
 
-static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-                                               u32 base_sid,
-                                               u32 *sid)
+static inline void selinux_netlbl_sk_security_reset(
+                                               struct sk_security_struct *ssec,
+                                               int family)
 {
-        *sid = SECSID_NULL;
-        return 0;
+        return;
 }
-
-static inline int selinux_netlbl_socket_post_create(struct socket *sock)
+static inline void selinux_netlbl_sk_security_init(
+                                               struct sk_security_struct *ssec,
+                                               int family)
 {
-        return 0;
+        return;
 }
-
-static inline void selinux_netlbl_sock_graft(struct sock *sk,
-                                             struct socket *sock)
+static inline void selinux_netlbl_sk_security_clone(
+                                            struct sk_security_struct *ssec,
+                                            struct sk_security_struct *newssec)
 {
         return;
 }
 
-static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-                                              struct sk_buff *skb,
-                                              struct avc_audit_data *ad)
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+                                               u32 base_sid,
+                                               u32 *sid)
 {
+        *sid = SECSID_NULL;
         return 0;
 }
 
-static inline void selinux_netlbl_sk_security_reset(
-                                               struct sk_security_struct *ssec,
-                                               int family)
-{
-        return;
-}
-
-static inline void selinux_netlbl_sk_security_init(
-                                               struct sk_security_struct *ssec,
-                                               int family)
+static inline void selinux_netlbl_sock_graft(struct sock *sk,
+                                             struct socket *sock)
 {
         return;
 }
-
-static inline void selinux_netlbl_sk_security_clone(
-                                           struct sk_security_struct *ssec,
-                                           struct sk_security_struct *newssec)
+static inline int selinux_netlbl_socket_post_create(struct socket *sock)
 {
-        return;
+        return 0;
 }
-
 static inline int selinux_netlbl_inode_permission(struct inode *inode,
                                                   int mask)
 {
         return 0;
 }
-
+static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+                                              struct sk_buff *skb,
+                                              struct avc_audit_data *ad)
+{
+        return 0;
+}
 static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
                                                    int level,
                                                    int optname)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 210eec77e7ff..b94378afea25 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -34,7 +34,7 @@
 #define POLICYDB_VERSION_MAX    POLICYDB_VERSION_RANGETRANS
 #endif
 
-struct sk_buff;
+struct netlbl_lsm_secattr;
 
 extern int selinux_enabled;
 extern int selinux_mls_enabled;
@@ -82,8 +82,6 @@ int security_netif_sid(char *name, u32 *if_sid,
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
         u32 *out_sid);
 
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
-
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                  u16 tclass);
 
@@ -102,5 +100,30 @@ int security_fs_use(const char *fstype, unsigned int *behavior,
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
         u32 *sid);
 
+#ifdef CONFIG_NETLABEL
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+                                   u32 base_sid,
+                                   u32 *sid);
+
+int security_netlbl_sid_to_secattr(u32 sid,
+                                   struct netlbl_lsm_secattr *secattr);
+#else
+static inline int security_netlbl_secattr_to_sid(
+                                            struct netlbl_lsm_secattr *secattr,
+                                            u32 base_sid,
+                                            u32 *sid)
+{
+        return -EIDRM;
+}
+
+static inline int security_netlbl_sid_to_secattr(u32 sid,
+                                           struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOENT;
+}
+#endif /* CONFIG_NETLABEL */
+
+const char *security_get_initial_sid_context(u32 sid);
+
 #endif /* _SELINUX_SECURITY_H_ */
 
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
new file mode 100644
index 000000000000..bf8750791dd1
--- /dev/null
+++ b/security/selinux/netlabel.c
@@ -0,0 +1,363 @@
+/*
+ * SELinux NetLabel Support
+ *
+ * This file provides the necessary glue to tie NetLabel into the SELinux
+ * subsystem.
+ *
+ * Author: Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2007
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#include <linux/spinlock.h>
+#include <linux/rcupdate.h>
+#include <net/sock.h>
+#include <net/netlabel.h>
+
+#include "objsec.h"
+#include "security.h"
+
+/**
+ * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
+ * @sock: the socket to label
+ * @sid: the SID to use
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism using the given
+ * SID.  Returns zero values on success, negative values on failure.  The
+ * caller is responsibile for calling rcu_read_lock() before calling this
+ * this function and rcu_read_unlock() after this function returns.
+ *
+ */
+static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
+{
+        int rc;
+        struct sk_security_struct *sksec = sock->sk->sk_security;
+        struct netlbl_lsm_secattr secattr;
+
+        rc = security_netlbl_sid_to_secattr(sid, &secattr);
+        if (rc != 0)
+                return rc;
+
+        rc = netlbl_socket_setattr(sock, &secattr);
+        if (rc == 0) {
+                spin_lock_bh(&sksec->nlbl_lock);
+                sksec->nlbl_state = NLBL_LABELED;
+                spin_unlock_bh(&sksec->nlbl_lock);
+        }
+
+        return rc;
+}
+
+/**
+ * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
+ *
+ * Description:
+ * Invalidate the NetLabel security attribute mapping cache.
+ *
+ */
+void selinux_netlbl_cache_invalidate(void)
+{
+        netlbl_cache_invalidate();
+}
+
+/**
+ * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when the NetLabel state of a sk_security_struct needs to be reset.
+ * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ *
+ */
+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
+                                      int family)
+{
+        if (family == PF_INET)
+                ssec->nlbl_state = NLBL_REQUIRE;
+        else
+                ssec->nlbl_state = NLBL_UNSET;
+}
+
+/**
+ * selinux_netlbl_sk_security_init - Setup the NetLabel fields
+ * @ssec: the sk_security_struct
+ * @family: the socket family
+ *
+ * Description:
+ * Called when a new sk_security_struct is allocated to initialize the NetLabel
+ * fields.
+ *
+ */
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+                                     int family)
+{
+        /* No locking needed, we are the only one who has access to ssec */
+        selinux_netlbl_sk_security_reset(ssec, family);
+        spin_lock_init(&ssec->nlbl_lock);
+}
+
+/**
+ * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
+ * @ssec: the original sk_security_struct
+ * @newssec: the cloned sk_security_struct
+ *
+ * Description:
+ * Clone the NetLabel specific sk_security_struct fields from @ssec to
+ * @newssec.
+ *
+ */
+void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
+                                      struct sk_security_struct *newssec)
+{
+        /* We don't need to take newssec->nlbl_lock because we are the only
+         * thread with access to newssec, but we do need to take the RCU read
+         * lock as other threads could have access to ssec */
+        rcu_read_lock();
+        selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
+        newssec->sclass = ssec->sclass;
+        rcu_read_unlock();
+}
+
+/**
+ * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
+ * @skb: the packet
+ * @base_sid: the SELinux SID to use as a context for MLS only attributes
+ * @sid: the SID
+ *
+ * Description:
+ * Call the NetLabel mechanism to get the security attributes of the given
+ * packet and use those attributes to determine the correct context/SID to
+ * assign to the packet.  Returns zero on success, negative values on failure.
+ *
+ */
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
+{
+        int rc;
+        struct netlbl_lsm_secattr secattr;
+
+        netlbl_secattr_init(&secattr);
+        rc = netlbl_skbuff_getattr(skb, &secattr);
+        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+                rc = security_netlbl_secattr_to_sid(&secattr,
+                                                    base_sid,
+                                                    sid);
+        else
+                *sid = SECSID_NULL;
+        netlbl_secattr_destroy(&secattr);
+
+        return rc;
+}
+
+/**
+ * selinux_netlbl_sock_graft - Netlabel the new socket
+ * @sk: the new connection
+ * @sock: the new socket
+ *
+ * Description:
+ * The connection represented by @sk is being grafted onto @sock so set the
+ * socket's NetLabel to match the SID of @sk.
+ *
+ */
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
+{
+        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+        struct sk_security_struct *sksec = sk->sk_security;
+        struct netlbl_lsm_secattr secattr;
+        u32 nlbl_peer_sid;
+
+        sksec->sclass = isec->sclass;
+
+        rcu_read_lock();
+
+        if (sksec->nlbl_state != NLBL_REQUIRE) {
+                rcu_read_unlock();
+                return;
+        }
+
+        netlbl_secattr_init(&secattr);
+        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+            secattr.flags != NETLBL_SECATTR_NONE &&
+            security_netlbl_secattr_to_sid(&secattr,
+                                           SECINITSID_UNLABELED,
+                                           &nlbl_peer_sid) == 0)
+                sksec->peer_sid = nlbl_peer_sid;
+        netlbl_secattr_destroy(&secattr);
+
+        /* Try to set the NetLabel on the socket to save time later, if we fail
+         * here we will pick up the pieces in later calls to
+         * selinux_netlbl_inode_permission(). */
+        selinux_netlbl_socket_setsid(sock, sksec->sid);
+
+        rcu_read_unlock();
+}
+
+/**
+ * selinux_netlbl_socket_post_create - Label a socket using NetLabel
+ * @sock: the socket to label
+ *
+ * Description:
+ * Attempt to label a socket using the NetLabel mechanism using the given
+ * SID.  Returns zero values on success, negative values on failure.
+ *
+ */
+int selinux_netlbl_socket_post_create(struct socket *sock)
+{
+        int rc = 0;
+        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+        struct sk_security_struct *sksec = sock->sk->sk_security;
+
+        sksec->sclass = isec->sclass;
+
+        rcu_read_lock();
+        if (sksec->nlbl_state == NLBL_REQUIRE)
+                rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+        rcu_read_unlock();
+
+        return rc;
+}
+
+/**
+ * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
+ * @inode: the file descriptor's inode
+ * @mask: the permission mask
+ *
+ * Description:
+ * Looks at a file's inode and if it is marked as a socket protected by
+ * NetLabel then verify that the socket has been labeled, if not try to label
+ * the socket now with the inode's SID.  Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int selinux_netlbl_inode_permission(struct inode *inode, int mask)
+{
+        int rc;
+        struct sk_security_struct *sksec;
+        struct socket *sock;
+
+        if (!S_ISSOCK(inode->i_mode) ||
+            ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
+                return 0;
+        sock = SOCKET_I(inode);
+        sksec = sock->sk->sk_security;
+
+        rcu_read_lock();
+        if (sksec->nlbl_state != NLBL_REQUIRE) {
+                rcu_read_unlock();
+                return 0;
+        }
+        local_bh_disable();
+        bh_lock_sock_nested(sock->sk);
+        rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
+        bh_unlock_sock(sock->sk);
+        local_bh_enable();
+        rcu_read_unlock();
+
+        return rc;
+}
+
+/**
+ * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
+ * @sksec: the sock's sk_security_struct
+ * @skb: the packet
+ * @ad: the audit data
+ *
+ * Description:
+ * Fetch the NetLabel security attributes from @skb and perform an access check
+ * against the receiving socket.  Returns zero on success, negative values on
+ * error.
+ *
+ */
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+                                struct sk_buff *skb,
+                                struct avc_audit_data *ad)
+{
+        int rc;
+        u32 netlbl_sid;
+        u32 recv_perm;
+
+        rc = selinux_netlbl_skbuff_getsid(skb,
+                                          SECINITSID_UNLABELED,
+                                          &netlbl_sid);
+        if (rc != 0)
+                return rc;
+
+        if (netlbl_sid == SECSID_NULL)
+                return 0;
+
+        switch (sksec->sclass) {
+        case SECCLASS_UDP_SOCKET:
+                recv_perm = UDP_SOCKET__RECVFROM;
+                break;
+        case SECCLASS_TCP_SOCKET:
+                recv_perm = TCP_SOCKET__RECVFROM;
+                break;
+        default:
+                recv_perm = RAWIP_SOCKET__RECVFROM;
+        }
+
+        rc = avc_has_perm(sksec->sid,
+                          netlbl_sid,
+                          sksec->sclass,
+                          recv_perm,
+                          ad);
+        if (rc == 0)
+                return 0;
+
+        netlbl_skbuff_err(skb, rc);
+        return rc;
+}
+
+/**
+ * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
+ * @sock: the socket
+ * @level: the socket level or protocol
+ * @optname: the socket option name
+ *
+ * Description:
+ * Check the setsockopt() call and if the user is trying to replace the IP
+ * options on a socket and a NetLabel is in place for the socket deny the
+ * access; otherwise allow the access.  Returns zero when the access is
+ * allowed, -EACCES when denied, and other negative values on error.
+ *
+ */
+int selinux_netlbl_socket_setsockopt(struct socket *sock,
+                                     int level,
+                                     int optname)
+{
+        int rc = 0;
+        struct sk_security_struct *sksec = sock->sk->sk_security;
+        struct netlbl_lsm_secattr secattr;
+
+        rcu_read_lock();
+        if (level == IPPROTO_IP && optname == IP_OPTIONS &&
+            sksec->nlbl_state == NLBL_LABELED) {
+                netlbl_secattr_init(&secattr);
+                rc = netlbl_socket_getattr(sock, &secattr);
+                if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
+                        rc = -EACCES;
+                netlbl_secattr_destroy(&secattr);
+        }
+        rcu_read_unlock();
+
+        return rc;
+}
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 93b3177c7585..aca099aa2ed3 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -96,12 +96,18 @@ enum sel_inos {
         SEL_COMMIT_BOOLS, /* commit new boolean values */
         SEL_MLS,        /* return if MLS policy is enabled */
         SEL_DISABLE,    /* disable SELinux until next reboot */
-        SEL_AVC,        /* AVC management directory */
         SEL_MEMBER,     /* compute polyinstantiation membership decision */
         SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
         SEL_COMPAT_NET, /* whether to use old compat network packet controls */
+        SEL_INO_NEXT,   /* The next inode number to use */
 };
 
+static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
+
+#define SEL_INITCON_INO_OFFSET  0x01000000
+#define SEL_BOOL_INO_OFFSET     0x02000000
+#define SEL_INO_MASK            0x00ffffff
+
 #define TMPBUFLEN       12
 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
                                 size_t count, loff_t *ppos)
@@ -777,8 +783,6 @@ static struct inode *sel_make_inode(struct super_block *sb, int mode)
         return ret;
 }
 
-#define BOOL_INO_OFFSET 30
-
 static ssize_t sel_read_bool(struct file *filep, char __user *buf,
                              size_t count, loff_t *ppos)
 {
@@ -806,14 +810,14 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
         }
 
         inode = filep->f_path.dentry->d_inode;
-        cur_enforcing = security_get_bool_value(inode->i_ino - BOOL_INO_OFFSET);
+        cur_enforcing = security_get_bool_value(inode->i_ino&SEL_INO_MASK);
         if (cur_enforcing < 0) {
                 ret = cur_enforcing;
                 goto out;
         }
 
         length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
-                          bool_pending_values[inode->i_ino - BOOL_INO_OFFSET]);
+                          bool_pending_values[inode->i_ino&SEL_INO_MASK]);
         ret = simple_read_from_buffer(buf, count, ppos, page, length);
 out:
         mutex_unlock(&sel_mutex);
@@ -865,7 +869,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
                 new_value = 1;
 
         inode = filep->f_path.dentry->d_inode;
-        bool_pending_values[inode->i_ino - BOOL_INO_OFFSET] = new_value;
+        bool_pending_values[inode->i_ino&SEL_INO_MASK] = new_value;
         length = count;
 
 out:
@@ -1029,7 +1033,7 @@ static int sel_make_bools(void)
                 isec->sid = sid;
                 isec->initialized = 1;
                 inode->i_fop = &sel_bool_ops;
-                inode->i_ino = i + BOOL_INO_OFFSET;
+                inode->i_ino = i|SEL_BOOL_INO_OFFSET;
                 d_add(dentry, inode);
         }
         bool_num = num;
@@ -1234,6 +1238,56 @@ static int sel_make_avc_files(struct dentry *dir)
                         goto out;
                 }
                 inode->i_fop = files[i].ops;
+                inode->i_ino = ++sel_last_ino;
+                d_add(dentry, inode);
+        }
+out:
+        return ret;
+}
+
+static ssize_t sel_read_initcon(struct file * file, char __user *buf,
+                                size_t count, loff_t *ppos)
+{
+        struct inode *inode;
+        char *con;
+        u32 sid, len;
+        ssize_t ret;
+
+        inode = file->f_path.dentry->d_inode;
+        sid = inode->i_ino&SEL_INO_MASK;
+        ret = security_sid_to_context(sid, &con, &len);
+        if (ret < 0)
+                return ret;
+
+        ret = simple_read_from_buffer(buf, count, ppos, con, len);
+        kfree(con);
+        return ret;
+}
+
+static const struct file_operations sel_initcon_ops = {
+        .read           = sel_read_initcon,
+};
+
+static int sel_make_initcon_files(struct dentry *dir)
+{
+        int i, ret = 0;
+
+        for (i = 1; i <= SECINITSID_NUM; i++) {
+                struct inode *inode;
+                struct dentry *dentry;
+                dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
+                if (!dentry) {
+                        ret = -ENOMEM;
+                        goto out;
+                }
+
+                inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
+                if (!inode) {
+                        ret = -ENOMEM;
+                        goto out;
+                }
+                inode->i_fop = &sel_initcon_ops;
+                inode->i_ino = i|SEL_INITCON_INO_OFFSET;
                 d_add(dentry, inode);
         }
 out:
@@ -1252,6 +1306,7 @@ static int sel_make_dir(struct inode *dir, struct dentry *dentry)
         }
         inode->i_op = &simple_dir_inode_operations;
         inode->i_fop = &simple_dir_operations;
+        inode->i_ino = ++sel_last_ino;
         /* directory inodes start off with i_nlink == 2 (for "." entry) */
         inc_nlink(inode);
         d_add(dentry, inode);
@@ -1314,6 +1369,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
                 ret = -ENOMEM;
                 goto err;
         }
+        inode->i_ino = ++sel_last_ino;
         isec = (struct inode_security_struct*)inode->i_security;
         isec->sid = SECINITSID_DEVNULL;
         isec->sclass = SECCLASS_CHR_FILE;
@@ -1336,6 +1392,21 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
         ret = sel_make_avc_files(dentry);
         if (ret)
                 goto err;
+
+        dentry = d_alloc_name(sb->s_root, "initial_contexts");
+        if (!dentry) {
+                ret = -ENOMEM;
+                goto err;
+        }
+
+        ret = sel_make_dir(root_inode, dentry);
+        if (ret)
+                goto err;
+
+        ret = sel_make_initcon_files(dentry);
+        if (ret)
+                goto err;
+
 out:
         return ret;
 err:
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 1e52356664d6..40660ffd49b6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -39,7 +39,6 @@
 #include <linux/sched.h>
 #include <linux/audit.h>
 #include <linux/mutex.h>
-#include <net/sock.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
@@ -53,7 +52,7 @@
 #include "conditional.h"
 #include "mls.h"
 #include "objsec.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
 #include "xfrm.h"
 #include "ebitmap.h"
 
@@ -594,6 +593,13 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 
 #include "initial_sid_to_string.h"
 
+const char *security_get_initial_sid_context(u32 sid)
+{
+        if (unlikely(sid > SECINITSID_NUM))
+                return NULL;
+        return initial_sid_to_string[sid];
+}
+
 /**
  * security_sid_to_context - Obtain a context for a given SID.
  * @sid: security identifier, SID
@@ -1050,6 +1056,8 @@ static int validate_classes(struct policydb *p)
 
         for (i = 1; i < kdefs->cts_len; i++) {
                 def_class = kdefs->class_to_string[i];
+                if (!def_class)
+                        continue;
                 if (i > p->p_classes.nprim) {
                         printk(KERN_INFO
                                "security:  class %s not defined in policy\n",
@@ -1249,6 +1257,7 @@ bad:
 }
 
 extern void selinux_complete_init(void);
+static int security_preserve_bools(struct policydb *p);
 
 /**
  * security_load_policy - Load a security policy configuration.
@@ -1325,6 +1334,12 @@ int security_load_policy(void *data, size_t len)
                 goto err;
         }
 
+        rc = security_preserve_bools(&newpolicydb);
+        if (rc) {
+                printk(KERN_ERR "security:  unable to preserve booleans\n");
+                goto err;
+        }
+
         /* Clone the SID table. */
         sidtab_shutdown(&sidtab);
         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
@@ -1882,6 +1897,37 @@ out:
         return rc;
 }
 
+static int security_preserve_bools(struct policydb *p)
+{
+        int rc, nbools = 0, *bvalues = NULL, i;
+        char **bnames = NULL;
+        struct cond_bool_datum *booldatum;
+        struct cond_node *cur;
+
+        rc = security_get_bools(&nbools, &bnames, &bvalues);
+        if (rc)
+                goto out;
+        for (i = 0; i < nbools; i++) {
+                booldatum = hashtab_search(p->p_bools.table, bnames[i]);
+                if (booldatum)
+                        booldatum->state = bvalues[i];
+        }
+        for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+                rc = evaluate_cond_node(p, cur);
+                if (rc)
+                        goto out;
+        }
+
+out:
+        if (bnames) {
+                for (i = 0; i < nbools; i++)
+                        kfree(bnames[i]);
+        }
+        kfree(bnames);
+        kfree(bvalues);
+        return rc;
+}
+
 /*
  * security_sid_mls_copy() - computes a new sid based on the given
  * sid and the mls portion of mls_sid.
@@ -2198,41 +2244,15 @@ void selinux_audit_set_callback(int (*callback)(void))
         aurule_callback = callback;
 }
 
-/**
- * security_skb_extlbl_sid - Determine the external label of a packet
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only external labels
- * @sid: the packet's SID
- *
- * Description:
- * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.
- *
- */
-void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid)
-{
-        u32 xfrm_sid;
-        u32 nlbl_sid;
-
-        selinux_skb_xfrm_sid(skb, &xfrm_sid);
-        if (selinux_netlbl_skbuff_getsid(skb,
-                                         (xfrm_sid == SECSID_NULL ?
-                                          base_sid : xfrm_sid),
-                                         &nlbl_sid) != 0)
-                nlbl_sid = SECSID_NULL;
-
-        *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
-}
-
 #ifdef CONFIG_NETLABEL
 /*
- * This is the structure we store inside the NetLabel cache block.
+ * NetLabel cache structure
  */
-#define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
+#define NETLBL_CACHE(x)           ((struct selinux_netlbl_cache *)(x))
 #define NETLBL_CACHE_T_NONE       0
 #define NETLBL_CACHE_T_SID        1
 #define NETLBL_CACHE_T_MLS        2
-struct netlbl_cache {
+struct selinux_netlbl_cache {
         u32 type;
         union {
                 u32 sid;
@@ -2241,7 +2261,7 @@ struct netlbl_cache {
 };
 
 /**
- * selinux_netlbl_cache_free - Free the NetLabel cached data
+ * security_netlbl_cache_free - Free the NetLabel cached data
  * @data: the data to free
  *
  * Description:
@@ -2249,9 +2269,9 @@ struct netlbl_cache {
  * netlbl_lsm_cache structure.
  *
  */
-static void selinux_netlbl_cache_free(const void *data)
+static void security_netlbl_cache_free(const void *data)
 {
-        struct netlbl_cache *cache;
+        struct selinux_netlbl_cache *cache;
 
         if (data == NULL)
                 return;
@@ -2266,33 +2286,33 @@ static void selinux_netlbl_cache_free(const void *data)
 }
 
 /**
- * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
- * @skb: the packet
+ * security_netlbl_cache_add - Add an entry to the NetLabel cache
+ * @secattr: the NetLabel packet security attributes
  * @ctx: the SELinux context
  *
  * Description:
  * Attempt to cache the context in @ctx, which was derived from the packet in
- * @skb, in the NetLabel subsystem cache.
+ * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
+ * already been initialized.
  *
  */
-static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
+static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
+                                      struct context *ctx)
 {
-        struct netlbl_cache *cache = NULL;
-        struct netlbl_lsm_secattr secattr;
+        struct selinux_netlbl_cache *cache = NULL;
 
-        netlbl_secattr_init(&secattr);
-        secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
-        if (secattr.cache == NULL)
-                goto netlbl_cache_add_return;
+        secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
+        if (secattr->cache == NULL)
+                return;
 
         cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
         if (cache == NULL)
-                goto netlbl_cache_add_return;
+                return;
 
         cache->type = NETLBL_CACHE_T_MLS;
         if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
                         &ctx->range.level[0].cat) != 0)
-                goto netlbl_cache_add_return;
+                return;
         cache->data.mls_label.level[1].cat.highbit =
                 cache->data.mls_label.level[0].cat.highbit;
         cache->data.mls_label.level[1].cat.node =
@@ -2300,52 +2320,40 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
         cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
         cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
 
-        secattr.cache->free = selinux_netlbl_cache_free;
-        secattr.cache->data = (void *)cache;
-        secattr.flags = NETLBL_SECATTR_CACHE;
-
-        netlbl_cache_add(skb, &secattr);
-
-netlbl_cache_add_return:
-        netlbl_secattr_destroy(&secattr);
+        secattr->cache->free = security_netlbl_cache_free;
+        secattr->cache->data = (void *)cache;
+        secattr->flags |= NETLBL_SECATTR_CACHE;
 }
 
 /**
- * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
- *
- * Description:
- * Invalidate the NetLabel security attribute mapping cache.
- *
- */
-void selinux_netlbl_cache_invalidate(void)
-{
-        netlbl_cache_invalidate();
-}
-
-/**
- * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
- * @skb: the network packet
+ * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
  * @secattr: the NetLabel packet security attributes
  * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @sid: the SELinux SID
  *
  * Description:
- * Convert the given NetLabel packet security attributes in @secattr into a
+ * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID.  If the @secattr field does not contain a full SELinux
- * SID/context then use the context in @base_sid as the foundation.  If @skb
- * is not NULL attempt to cache as much data as possibile.  Returns zero on
- * success, negative values on failure.
+ * SID/context then use the context in @base_sid as the foundation.  If
+ * possibile the 'cache' field of @secattr is set and the CACHE flag is set;
+ * this is to allow the @secattr to be used by NetLabel to cache the secattr to
+ * SID conversion for future lookups.  Returns zero on success, negative
+ * values on failure.
  *
  */
-static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
-                                         struct netlbl_lsm_secattr *secattr,
-                                         u32 base_sid,
-                                         u32 *sid)
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+                                   u32 base_sid,
+                                   u32 *sid)
 {
         int rc = -EIDRM;
         struct context *ctx;
         struct context ctx_new;
-        struct netlbl_cache *cache;
+        struct selinux_netlbl_cache *cache;
+
+        if (!ss_initialized) {
+                *sid = SECSID_NULL;
+                return 0;
+        }
 
         POLICY_RDLOCK;
 
@@ -2410,8 +2418,8 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
                 if (rc != 0)
                         goto netlbl_secattr_to_sid_return_cleanup;
 
-                if (skb != NULL)
-                        selinux_netlbl_cache_add(skb, &ctx_new);
+                security_netlbl_cache_add(secattr, &ctx_new);
+
                 ebitmap_destroy(&ctx_new.range.level[0].cat);
         } else {
                 *sid = SECSID_NULL;
@@ -2427,338 +2435,43 @@ netlbl_secattr_to_sid_return_cleanup:
 }
 
 /**
- * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
- * @sid: the SID
- *
- * Description:
- * Call the NetLabel mechanism to get the security attributes of the given
- * packet and use those attributes to determine the correct context/SID to
- * assign to the packet.  Returns zero on success, negative values on failure.
- *
- */
-int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid)
-{
-        int rc;
-        struct netlbl_lsm_secattr secattr;
-
-        netlbl_secattr_init(&secattr);
-        rc = netlbl_skbuff_getattr(skb, &secattr);
-        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-                rc = selinux_netlbl_secattr_to_sid(skb,
-                                                   &secattr,
-                                                   base_sid,
-                                                   sid);
-        else
-                *sid = SECSID_NULL;
-        netlbl_secattr_destroy(&secattr);
-
-        return rc;
-}
-
-/**
- * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
- * @sock: the socket to label
- * @sid: the SID to use
+ * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
+ * @sid: the SELinux SID
+ * @secattr: the NetLabel packet security attributes
  *
  * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.  The
- * caller is responsibile for calling rcu_read_lock() before calling this
- * this function and rcu_read_unlock() after this function returns.
+ * Convert the given SELinux SID in @sid into a NetLabel security attribute.
+ * Returns zero on success, negative values on failure.
  *
  */
-static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
         int rc = -ENOENT;
-        struct sk_security_struct *sksec = sock->sk->sk_security;
-        struct netlbl_lsm_secattr secattr;
         struct context *ctx;
 
+        netlbl_secattr_init(secattr);
+
         if (!ss_initialized)
                 return 0;
 
-        netlbl_secattr_init(&secattr);
-
         POLICY_RDLOCK;
-
         ctx = sidtab_search(&sidtab, sid);
         if (ctx == NULL)
-                goto netlbl_socket_setsid_return;
-
-        secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
-                                 GFP_ATOMIC);
-        secattr.flags |= NETLBL_SECATTR_DOMAIN;
-        mls_export_netlbl_lvl(ctx, &secattr);
-        rc = mls_export_netlbl_cat(ctx, &secattr);
+                goto netlbl_sid_to_secattr_failure;
+        secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
+                                  GFP_ATOMIC);
+        secattr->flags |= NETLBL_SECATTR_DOMAIN;
+        mls_export_netlbl_lvl(ctx, secattr);
+        rc = mls_export_netlbl_cat(ctx, secattr);
         if (rc != 0)
-                goto netlbl_socket_setsid_return;
-
-        rc = netlbl_socket_setattr(sock, &secattr);
-        if (rc == 0) {
-                spin_lock_bh(&sksec->nlbl_lock);
-                sksec->nlbl_state = NLBL_LABELED;
-                spin_unlock_bh(&sksec->nlbl_lock);
-        }
-
-netlbl_socket_setsid_return:
+                goto netlbl_sid_to_secattr_failure;
         POLICY_RDUNLOCK;
-        netlbl_secattr_destroy(&secattr);
-        return rc;
-}
-
-/**
- * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
- *
- */
-void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
-                                      int family)
-{
-        if (family == PF_INET)
-                ssec->nlbl_state = NLBL_REQUIRE;
-        else
-                ssec->nlbl_state = NLBL_UNSET;
-}
 
-/**
- * selinux_netlbl_sk_security_init - Setup the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when a new sk_security_struct is allocated to initialize the NetLabel
- * fields.
- *
- */
-void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
-                                     int family)
-{
-        /* No locking needed, we are the only one who has access to ssec */
-        selinux_netlbl_sk_security_reset(ssec, family);
-        spin_lock_init(&ssec->nlbl_lock);
-}
-
-/**
- * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
- * @ssec: the original sk_security_struct
- * @newssec: the cloned sk_security_struct
- *
- * Description:
- * Clone the NetLabel specific sk_security_struct fields from @ssec to
- * @newssec.
- *
- */
-void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
-                                      struct sk_security_struct *newssec)
-{
-        /* We don't need to take newssec->nlbl_lock because we are the only
-         * thread with access to newssec, but we do need to take the RCU read
-         * lock as other threads could have access to ssec */
-        rcu_read_lock();
-        selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
-        newssec->sclass = ssec->sclass;
-        rcu_read_unlock();
-}
-
-/**
- * selinux_netlbl_socket_post_create - Label a socket using NetLabel
- * @sock: the socket to label
- *
- * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.
- *
- */
-int selinux_netlbl_socket_post_create(struct socket *sock)
-{
-        int rc = 0;
-        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-        struct sk_security_struct *sksec = sock->sk->sk_security;
-
-        sksec->sclass = isec->sclass;
-
-        rcu_read_lock();
-        if (sksec->nlbl_state == NLBL_REQUIRE)
-                rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-        rcu_read_unlock();
-
-        return rc;
-}
-
-/**
- * selinux_netlbl_sock_graft - Netlabel the new socket
- * @sk: the new connection
- * @sock: the new socket
- *
- * Description:
- * The connection represented by @sk is being grafted onto @sock so set the
- * socket's NetLabel to match the SID of @sk.
- *
- */
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
-{
-        struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-        struct sk_security_struct *sksec = sk->sk_security;
-        struct netlbl_lsm_secattr secattr;
-        u32 nlbl_peer_sid;
-
-        sksec->sclass = isec->sclass;
-
-        rcu_read_lock();
-
-        if (sksec->nlbl_state != NLBL_REQUIRE) {
-                rcu_read_unlock();
-                return;
-        }
-
-        netlbl_secattr_init(&secattr);
-        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
-            secattr.flags != NETLBL_SECATTR_NONE &&
-            selinux_netlbl_secattr_to_sid(NULL,
-                                          &secattr,
-                                          SECINITSID_UNLABELED,
-                                          &nlbl_peer_sid) == 0)
-                sksec->peer_sid = nlbl_peer_sid;
-        netlbl_secattr_destroy(&secattr);
-
-        /* Try to set the NetLabel on the socket to save time later, if we fail
-         * here we will pick up the pieces in later calls to
-         * selinux_netlbl_inode_permission(). */
-        selinux_netlbl_socket_setsid(sock, sksec->sid);
-
-        rcu_read_unlock();
-}
-
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID.  Returns zero on success, negative
- * values on failure.
- *
- */
-int selinux_netlbl_inode_permission(struct inode *inode, int mask)
-{
-        int rc;
-        struct sk_security_struct *sksec;
-        struct socket *sock;
-
-        if (!S_ISSOCK(inode->i_mode) ||
-            ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
-                return 0;
-        sock = SOCKET_I(inode);
-        sksec = sock->sk->sk_security;
-
-        rcu_read_lock();
-        if (sksec->nlbl_state != NLBL_REQUIRE) {
-                rcu_read_unlock();
-                return 0;
-        }
-        local_bh_disable();
-        bh_lock_sock_nested(sock->sk);
-        rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-        bh_unlock_sock(sock->sk);
-        local_bh_enable();
-        rcu_read_unlock();
-
-        return rc;
-}
-
-/**
- * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
- * @sksec: the sock's sk_security_struct
- * @skb: the packet
- * @ad: the audit data
- *
- * Description:
- * Fetch the NetLabel security attributes from @skb and perform an access check
- * against the receiving socket.  Returns zero on success, negative values on
- * error.
- *
- */
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-                                struct sk_buff *skb,
-                                struct avc_audit_data *ad)
-{
-        int rc;
-        u32 netlbl_sid;
-        u32 recv_perm;
-
-        rc = selinux_netlbl_skbuff_getsid(skb,
-                                          SECINITSID_UNLABELED,
-                                          &netlbl_sid);
-        if (rc != 0)
-                return rc;
-
-        if (netlbl_sid == SECSID_NULL)
-                return 0;
-
-        switch (sksec->sclass) {
-        case SECCLASS_UDP_SOCKET:
-                recv_perm = UDP_SOCKET__RECVFROM;
-                break;
-        case SECCLASS_TCP_SOCKET:
-                recv_perm = TCP_SOCKET__RECVFROM;
-                break;
-        default:
-                recv_perm = RAWIP_SOCKET__RECVFROM;
-        }
-
-        rc = avc_has_perm(sksec->sid,
-                          netlbl_sid,
-                          sksec->sclass,
-                          recv_perm,
-                          ad);
-        if (rc == 0)
-                return 0;
-
-        netlbl_skbuff_err(skb, rc);
-        return rc;
-}
-
-/**
- * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
- * @sock: the socket
- * @level: the socket level or protocol
- * @optname: the socket option name
- *
- * Description:
- * Check the setsockopt() call and if the user is trying to replace the IP
- * options on a socket and a NetLabel is in place for the socket deny the
- * access; otherwise allow the access.  Returns zero when the access is
- * allowed, -EACCES when denied, and other negative values on error.
- *
- */
-int selinux_netlbl_socket_setsockopt(struct socket *sock,
-                                     int level,
-                                     int optname)
-{
-        int rc = 0;
-        struct sk_security_struct *sksec = sock->sk->sk_security;
-        struct netlbl_lsm_secattr secattr;
-
-        rcu_read_lock();
-        if (level == IPPROTO_IP && optname == IP_OPTIONS &&
-            sksec->nlbl_state == NLBL_LABELED) {
-                netlbl_secattr_init(&secattr);
-                rc = netlbl_socket_getattr(sock, &secattr);
-                if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-                        rc = -EACCES;
-                netlbl_secattr_destroy(&secattr);
-        }
-        rcu_read_unlock();
+        return 0;
 
+netlbl_sid_to_secattr_failure:
+        POLICY_RDUNLOCK;
+        netlbl_secattr_destroy(secattr);
         return rc;
 }
 #endif /* CONFIG_NETLABEL */