Merge branch 'master' of /home/davem/src/GIT/linux-2.6/

Conflicts:
	drivers/net/pcmcia/fmvj18x_cs.c
	drivers/net/pcmcia/nmclan_cs.c
	drivers/net/pcmcia/xirc2ps_cs.c
	drivers/net/wireless/ray_cs.c

6 files changed, 274 insertions, 224 deletions

diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
index 090d300d7394..f0d14452632b 100755
--- a/scripts/recordmcount.pl
+++ b/scripts/recordmcount.pl
@@ -6,77 +6,93 @@
 #                   all the offsets to the calls to mcount.
 #
 #
-# What we want to end up with is a section in vmlinux called
-# __mcount_loc that contains a list of pointers to all the
-# call sites in the kernel that call mcount. Later on boot up, the kernel
-# will read this list, save the locations and turn them into nops.
-# When tracing or profiling is later enabled, these locations will then
-# be converted back to pointers to some function.
+# What we want to end up with this is that each object file will have a
+# section called __mcount_loc that will hold the list of pointers to mcount
+# callers. After final linking, the vmlinux will have within .init.data the
+# list of all callers to mcount between __start_mcount_loc and __stop_mcount_loc.
+# Later on boot up, the kernel will read this list, save the locations and turn
+# them into nops. When tracing or profiling is later enabled, these locations
+# will then be converted back to pointers to some function.
 #
 # This is no easy feat. This script is called just after the original
 # object is compiled and before it is linked.
 #
-# The references to the call sites are offsets from the section of text
-# that the call site is in. Hence, all functions in a section that
-# has a call site to mcount, will have the offset from the beginning of
-# the section and not the beginning of the function.
+# When parse this object file using 'objdump', the references to the call
+# sites are offsets from the section that the call site is in. Hence, all
+# functions in a section that has a call site to mcount, will have the
+# offset from the beginning of the section and not the beginning of the
+# function.
+#
+# But where this section will reside finally in vmlinx is undetermined at
+# this point. So we can't use this kind of offsets to record the final
+# address of this call site.
+#
+# The trick is to change the call offset referring the start of a section to
+# referring a function symbol in this section. During the link step, 'ld' will
+# compute the final address according to the information we record.
 #
-# The trick is to find a way to record the beginning of the section.
-# The way we do this is to look at the first function in the section
-# which will also be the location of that section after final link.
 # e.g.
 #
 #  .section ".sched.text", "ax"
-#  .globl my_func
-#  my_func:
 #        [...]
-#        call mcount  (offset: 0x5)
+#  func1:
+#        [...]
+#        call mcount  (offset: 0x10)
 #        [...]
 #        ret
-#  other_func:
+#  .globl fun2
+#  func2:             (offset: 0x20)
 #        [...]
-#        call mcount (offset: 0x1b)
+#        [...]
+#        ret
+#  func3:
+#        [...]
+#        call mcount (offset: 0x30)
 #        [...]
 #
 # Both relocation offsets for the mcounts in the above example will be
-# offset from .sched.text. If we make another file called tmp.s with:
+# offset from .sched.text. If we choose global symbol func2 as a reference and
+# make another file called tmp.s with the new offsets:
 #
 #  .section __mcount_loc
-#  .quad  my_func + 0x5
-#  .quad  my_func + 0x1b
+#  .quad  func2 - 0x10
+#  .quad  func2 + 0x10
 #
-# We can then compile this tmp.s into tmp.o, and link it to the original
+# We can then compile this tmp.s into tmp.o, and link it back to the original
 # object.
 #
-# But this gets hard if my_func is not globl (a static function).
-# In such a case we have:
+# In our algorithm, we will choose the first global function we meet in this
+# section as the reference. But this gets hard if there is no global functions
+# in this section. In such a case we have to select a local one. E.g. func1:
 #
 #  .section ".sched.text", "ax"
-#  my_func:
+#  func1:
 #        [...]
-#        call mcount  (offset: 0x5)
+#        call mcount  (offset: 0x10)
 #        [...]
 #        ret
-#  other_func:
+#  func2:
 #        [...]
-#        call mcount (offset: 0x1b)
+#        call mcount (offset: 0x20)
 #        [...]
+#  .section "other.section"
 #
 # If we make the tmp.s the same as above, when we link together with
-# the original object, we will end up with two symbols for my_func:
+# the original object, we will end up with two symbols for func1:
 # one local, one global.  After final compile, we will end up with
-# an undefined reference to my_func.
+# an undefined reference to func1 or a wrong reference to another global
+# func1 in other files.
 #
 # Since local objects can reference local variables, we need to find
 # a way to make tmp.o reference the local objects of the original object
-# file after it is linked together. To do this, we convert the my_func
+# file after it is linked together. To do this, we convert func1
 # into a global symbol before linking tmp.o. Then after we link tmp.o
-# we will only have a single symbol for my_func that is global.
-# We can convert my_func back into a local symbol and we are done.
+# we will only have a single symbol for func1 that is global.
+# We can convert func1 back into a local symbol and we are done.
 #
 # Here are the steps we take:
 #
-# 1) Record all the local symbols by using 'nm'
+# 1) Record all the local and weak symbols by using 'nm'
 # 2) Use objdump to find all the call site offsets and sections for
 #    mcount.
 # 3) Compile the list into its own object.
@@ -86,10 +102,8 @@
 # 6) Link together this new object with the list object.
 # 7) Convert the local functions back to local symbols and rename
 #    the result as the original object.
-#    End.
 # 8) Link the object with the list object.
 # 9) Move the result back to the original object.
-#    End.
 #
 
 use strict;
@@ -99,7 +113,7 @@ $P =~ s@.*/@@g;
 
 my $V = '0.1';
 
-if ($#ARGV < 7) {
+if ($#ARGV != 10) {
         print "usage: $P arch bits objdump objcopy cc ld nm rm mv is_module inputfile\n";
         print "version: $V\n";
         exit(1);
@@ -109,7 +123,7 @@ my ($arch, $bits, $objdump, $objcopy, $cc,
     $ld, $nm, $rm, $mv, $is_module, $inputfile) = @ARGV;
 
 # This file refers to mcount and shouldn't be ftraced, so lets' ignore it
-if ($inputfile eq "kernel/trace/ftrace.o") {
+if ($inputfile =~ m,kernel/trace/ftrace\.o$,) {
     exit(0);
 }
 
@@ -119,6 +133,7 @@ my %text_sections = (
      ".sched.text" => 1,
      ".spinlock.text" => 1,
      ".irqentry.text" => 1,
+     ".text.unlikely" => 1,
 );
 
 $objdump = "objdump" if ((length $objdump) == 0);
@@ -137,13 +152,47 @@ my %weak;		# List of weak functions
 my %convert;            # List of local functions used that needs conversion
 
 my $type;
-my $nm_regex;           # Find the local functions (return function)
+my $local_regex;        # Match a local function (return function)
+my $weak_regex;         # Match a weak function (return function)
 my $section_regex;      # Find the start of a section
 my $function_regex;     # Find the name of a function
                         #    (return offset and func name)
 my $mcount_regex;       # Find the call site to mcount (return offset)
 my $alignment;          # The .align value to use for $mcount_section
 my $section_type;       # Section header plus possible alignment command
+my $can_use_local = 0;  # If we can use local function references
+
+# Shut up recordmcount if user has older objcopy
+my $quiet_recordmcount = ".tmp_quiet_recordmcount";
+my $print_warning = 1;
+$print_warning = 0 if ( -f $quiet_recordmcount);
+
+##
+# check_objcopy - whether objcopy supports --globalize-symbols
+#
+#  --globalize-symbols came out in 2.17, we must test the version
+#  of objcopy, and if it is less than 2.17, then we can not
+#  record local functions.
+sub check_objcopy
+{
+    open (IN, "$objcopy --version |") or die "error running $objcopy";
+    while (<IN>) {
+        if (/objcopy.*\s(\d+)\.(\d+)/) {
+            $can_use_local = 1 if ($1 > 2 || ($1 == 2 && $2 >= 17));
+            last;
+        }
+    }
+    close (IN);
+
+    if (!$can_use_local && $print_warning) {
+        print STDERR "WARNING: could not find objcopy version or version " .
+            "is less than 2.17.\n" .
+            "\tLocal function references are disabled.\n";
+        open (QUIET, ">$quiet_recordmcount");
+        printf QUIET "Disables the warning from recordmcount.pl\n";
+        close QUIET;
+    }
+}
 
 if ($arch eq "x86") {
     if ($bits == 64) {
@@ -157,7 +206,8 @@ if ($arch eq "x86") {
 # We base the defaults off of i386, the other archs may
 # feel free to change them in the below if statements.
 #
-$nm_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)";
+$local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)";
+$weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)";
 $section_regex = "Disassembly of section\\s+(\\S+):";
 $function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:";
 $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\smcount\$";
@@ -206,7 +256,7 @@ if ($arch eq "x86_64") {
     $cc .= " -m32";
 
 } elsif ($arch eq "powerpc") {
-    $nm_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)";
+    $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)";
     $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?.*?)>:";
     $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s\\.?_mcount\$";
 
@@ -278,44 +328,17 @@ if ($filename =~ m,^(.*)(\.\S),) {
 my $mcount_s = $dirname . "/.tmp_mc_" . $prefix . ".s";
 my $mcount_o = $dirname . "/.tmp_mc_" . $prefix . ".o";
 
-#
-# --globalize-symbols came out in 2.17, we must test the version
-# of objcopy, and if it is less than 2.17, then we can not
-# record local functions.
-my $use_locals = 01;
-my $local_warn_once = 0;
-my $found_version = 0;
-
-open (IN, "$objcopy --version |") || die "error running $objcopy";
-while (<IN>) {
-    if (/objcopy.*\s(\d+)\.(\d+)/) {
-        my $major = $1;
-        my $minor = $2;
-
-        $found_version = 1;
-        if ($major < 2 ||
-            ($major == 2 && $minor < 17)) {
-            $use_locals = 0;
-        }
-        last;
-    }
-}
-close (IN);
-
-if (!$found_version) {
-    print STDERR "WARNING: could not find objcopy version.\n" .
-        "\tDisabling local function references.\n";
-}
+check_objcopy();
 
 #
 # Step 1: find all the local (static functions) and weak symbols.
-#        't' is local, 'w/W' is weak (we never use a weak function)
+#         't' is local, 'w/W' is weak
 #
 open (IN, "$nm $inputfile|") || die "error running $nm";
 while (<IN>) {
-    if (/$nm_regex/) {
+    if (/$local_regex/) {
         $locals{$1} = 1;
-    } elsif (/^[0-9a-fA-F]+\s+([wW])\s+(\S+)/) {
+    } elsif (/$weak_regex/) {
         $weak{$2} = $1;
     }
 }
@@ -333,26 +356,20 @@ my $offset = 0;		# offset of ref_func to section beginning
 #
 sub update_funcs
 {
-    return if ($#offsets < 0);
-
-    defined($ref_func) || die "No function to reference";
+    return unless ($ref_func and @offsets);
 
-    # A section only had a weak function, to represent it.
-    # Unfortunately, a weak function may be overwritten by another
-    # function of the same name, making all these offsets incorrect.
-    # To be safe, we simply print a warning and bail.
+    # Sanity check on weak function. A weak function may be overwritten by
+    # another function of the same name, making all these offsets incorrect.
     if (defined $weak{$ref_func}) {
-        print STDERR
-            "$inputfile: WARNING: referencing weak function" .
+        die "$inputfile: ERROR: referencing weak function" .
             " $ref_func for mcount\n";
-        return;
     }
 
     # is this function static? If so, note this fact.
     if (defined $locals{$ref_func}) {
 
         # only use locals if objcopy supports globalize-symbols
-        if (!$use_locals) {
+        if (!$can_use_local) {
             return;
         }
         $convert{$ref_func} = 1;
@@ -378,9 +395,27 @@ open(IN, "$objdump -hdr $inputfile|") || die "error running $objdump";
 
 my $text;
 
+
+# read headers first
 my $read_headers = 1;
 
 while (<IN>) {
+
+    if ($read_headers && /$mcount_section/) {
+        #
+        # Somehow the make process can execute this script on an
+        # object twice. If it does, we would duplicate the mcount
+        # section and it will cause the function tracer self test
+        # to fail. Check if the mcount section exists, and if it does,
+        # warn and exit.
+        #
+        print STDERR "ERROR: $mcount_section already in $inputfile\n" .
+            "\tThis may be an indication that your build is corrupted.\n" .
+            "\tDelete $inputfile and try again. If the same object file\n" .
+            "\tstill causes an issue, then disable CONFIG_DYNAMIC_FTRACE.\n";
+        exit(-1);
+    }
+
     # is it a section?
     if (/$section_regex/) {
         $read_headers = 0;
@@ -392,7 +427,7 @@ while (<IN>) {
             $read_function = 0;
         }
         # print out any recorded offsets
-        update_funcs() if (defined($ref_func));
+        update_funcs();
 
         # reset all markers and arrays
         $text_found = 0;
@@ -421,21 +456,7 @@ while (<IN>) {
                 $offset = hex $1;
             }
         }
-    } elsif ($read_headers && /$mcount_section/) {
-        #
-        # Somehow the make process can execute this script on an
-        # object twice. If it does, we would duplicate the mcount
-        # section and it will cause the function tracer self test
-        # to fail. Check if the mcount section exists, and if it does,
-        # warn and exit.
-        #
-        print STDERR "ERROR: $mcount_section already in $inputfile\n" .
-            "\tThis may be an indication that your build is corrupted.\n" .
-            "\tDelete $inputfile and try again. If the same object file\n" .
-            "\tstill causes an issue, then disable CONFIG_DYNAMIC_FTRACE.\n";
-        exit(-1);
     }
-
     # is this a call site to mcount? If so, record it to print later
     if ($text_found && /$mcount_regex/) {
         $offsets[$#offsets + 1] = hex $1;
@@ -443,7 +464,7 @@ while (<IN>) {
 }
 
 # dump out anymore offsets that may have been found
-update_funcs() if (defined($ref_func));
+update_funcs();
 
 # If we did not find any mcount callers, we are done (do nothing).
 if (!$opened) {
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index ca4b1ec01822..e8049da1831f 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
-subdir-y := mdp
-subdir- += mdp
+subdir-y := mdp genheaders
+subdir- += mdp genheaders
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000000..4c0b646ff8d5
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
+genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000000..417b165008ee
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
+hostprogs-y     := genheaders
+HOST_EXTRACFLAGS += -Isecurity/selinux/include
+
+always          := $(hostprogs-y)
+clean-files     := $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000000..24626968055d
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+
+struct security_class_mapping {
+        const char *name;
+        const char *perms[sizeof(unsigned) * 8 + 1];
+};
+
+#include "classmap.h"
+#include "initial_sid_to_string.h"
+
+#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
+
+const char *progname;
+
+static void usage(void)
+{
+        printf("usage: %s flask.h av_permissions.h\n", progname);
+        exit(1);
+}
+
+static char *stoupperx(const char *s)
+{
+        char *s2 = strdup(s);
+        char *p;
+
+        if (!s2) {
+                fprintf(stderr, "%s:  out of memory\n", progname);
+                exit(3);
+        }
+
+        for (p = s2; *p; p++)
+                *p = toupper(*p);
+        return s2;
+}
+
+int main(int argc, char *argv[])
+{
+        int i, j, k;
+        int isids_len;
+        FILE *fout;
+
+        progname = argv[0];
+
+        if (argc < 3)
+                usage();
+
+        fout = fopen(argv[1], "w");
+        if (!fout) {
+                fprintf(stderr, "Could not open %s for writing:  %s\n",
+                        argv[1], strerror(errno));
+                exit(2);
+        }
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                map->name = stoupperx(map->name);
+                for (j = 0; map->perms[j]; j++)
+                        map->perms[j] = stoupperx(map->perms[j]);
+        }
+
+        isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
+        for (i = 1; i < isids_len; i++)
+                initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
+
+        fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+        fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                fprintf(fout, "#define SECCLASS_%s", map->name);
+                for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
+                        fprintf(fout, " ");
+                fprintf(fout, "%2d\n", i+1);
+        }
+
+        fprintf(fout, "\n");
+
+        for (i = 1; i < isids_len; i++) {
+                char *s = initial_sid_to_string[i];
+                fprintf(fout, "#define SECINITSID_%s", s);
+                for (j = 0; j < max(1, 40 - strlen(s)); j++)
+                        fprintf(fout, " ");
+                fprintf(fout, "%2d\n", i);
+        }
+        fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+        fprintf(fout, "\n#endif\n");
+        fclose(fout);
+
+        fout = fopen(argv[2], "w");
+        if (!fout) {
+                fprintf(stderr, "Could not open %s for writing:  %s\n",
+                        argv[2], strerror(errno));
+                exit(4);
+        }
+
+        fprintf(fout, "/* This file is automatically generated.  Do not edit. */\n");
+        fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
+
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                for (j = 0; map->perms[j]; j++) {
+                        fprintf(fout, "#define %s__%s", map->name,
+                                map->perms[j]);
+                        for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
+                                fprintf(fout, " ");
+                        fprintf(fout, "0x%08xUL\n", (1<<j));
+                }
+        }
+
+        fprintf(fout, "\n#endif\n");
+        fclose(fout);
+        exit(0);
+}
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
 #include <unistd.h>
 #include <string.h>
 
-#include "flask.h"
-
 static void usage(char *name)
 {
         printf("usage: %s [-m] policy_file context_file\n", name);
         exit(1);
 }
 
-static void find_common_name(char *cname, char *dest, int len)
-{
-        char *start, *end;
-
-        start = strchr(cname, '_')+1;
-        end = strchr(start, '_');
-        if (!start || !end || start-cname > len || end-start > len) {
-                printf("Error with commons defines\n");
-                exit(1);
-        }
-        strncpy(dest, start, end-start);
-        dest[end-start] = '\0';
-}
-
-#define S_(x) x,
-static char *classlist[] = {
-#include "class_to_string.h"
-        NULL
+/* Class/perm mapping support */
+struct security_class_mapping {
+        const char *name;
+        const char *perms[sizeof(unsigned) * 8 + 1];
 };
-#undef S_
 
+#include "classmap.h"
 #include "initial_sid_to_string.h"
 
-#define TB_(x) char *x[] = {
-#define TE_(x) NULL };
-#define S_(x) x,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-struct common {
-        char *cname;
-        char **perms;
-};
-struct common common[] = {
-#define TB_(x) { #x, x },
-#define S_(x)
-#define TE_(x)
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-};
-
-#define S_(x, y, z) {x, #y},
-struct av_inherit {
-        int class;
-        char *common;
-};
-struct av_inherit av_inherit[] = {
-#include "av_inherit.h"
-};
-#undef S_
-
-#include "av_permissions.h"
-#define S_(x, y, z) {x, y, z},
-struct av_perms {
-        int class;
-        int perm_i;
-        char *perm_s;
-};
-struct av_perms av_perms[] = {
-#include "av_perm_to_string.h"
-};
-#undef S_
-
 int main(int argc, char *argv[])
 {
         int i, j, mls = 0;
+        int initial_sid_to_string_len;
         char **arg, *polout, *ctxout;
-        int classlist_len, initial_sid_to_string_len;
+
         FILE *fout;
 
         if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
                 usage(argv[0]);
         }
 
-        classlist_len = sizeof(classlist) / sizeof(char *);
         /* print out the classes */
-        for (i=1; i < classlist_len; i++) {
-                if(classlist[i])
-                        fprintf(fout, "class %s\n", classlist[i]);
-                else
-                        fprintf(fout, "class user%d\n", i);
-        }
+        for (i = 0; secclass_map[i].name; i++)
+                fprintf(fout, "class %s\n", secclass_map[i].name);
         fprintf(fout, "\n");
 
         initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
         /* print out the sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
         fprintf(fout, "\n");
 
-        /* print out the commons */
-        for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
-                char cname[101];
-                find_common_name(common[i].cname, cname, 100);
-                cname[100] = '\0';
-                fprintf(fout, "common %s\n{\n", cname);
-                for (j=0; common[i].perms[j]; j++)
-                        fprintf(fout, "\t%s\n", common[i].perms[j]);
-                fprintf(fout, "}\n\n");
-        }
-        fprintf(fout, "\n");
-
         /* print out the class permissions */
-        for (i=1; i < classlist_len; i++) {
-                if (classlist[i]) {
-                        int firstperm = -1, numperms = 0;
-
-                        fprintf(fout, "class %s\n", classlist[i]);
-                        /* does it inherit from a common? */
-                        for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
-                                if (av_inherit[j].class == i)
-                                        fprintf(fout, "inherits %s\n", av_inherit[j].common);
-
-                        for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
-                                if (av_perms[j].class == i) {
-                                        if (firstperm == -1)
-                                                firstperm = j;
-                                        numperms++;
-                                }
-                        }
-                        if (!numperms) {
-                                fprintf(fout, "\n");
-                                continue;
-                        }
-
-                        fprintf(fout, "{\n");
-                        /* print out the av_perms */
-                        for (j=0; j < numperms; j++) {
-                                fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
-                        }
-                        fprintf(fout, "}\n\n");
-                }
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                fprintf(fout, "class %s\n", map->name);
+                fprintf(fout, "{\n");
+                for (j = 0; map->perms[j]; j++)
+                        fprintf(fout, "\t%s\n", map->perms[j]);
+                fprintf(fout, "}\n\n");
         }
         fprintf(fout, "\n");
 
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
         /* types, roles, and allows */
         fprintf(fout, "type base_t;\n");
         fprintf(fout, "role base_r types { base_t };\n");
-        for (i=1; i < classlist_len; i++) {
-                if (classlist[i])
-                        fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
-                else
-                        fprintf(fout, "allow base_t base_t:user%d *;\n", i);
-        }
+        for (i = 0; secclass_map[i].name; i++)
+                fprintf(fout, "allow base_t base_t:%s *;\n",
+                        secclass_map[i].name);
         fprintf(fout, "user user_u roles { base_r };\n");
         fprintf(fout, "\n");
 
         /* default sids */
-        for (i=1; i < initial_sid_to_string_len; i++)
+        for (i = 1; i < initial_sid_to_string_len; i++)
                 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
         fprintf(fout, "\n");
 
-
         fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
 
+        fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
 
+        fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
+        fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
         fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");