From patchwork Tue Nov 15 10:06:40 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Gruenbacher <agruenba@redhat.com>
X-Patchwork-Id: 9429937
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	839F060471 for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Nov 2016 14:52:10 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 711FF27D29
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Nov 2016 14:52:10 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 63B9428B87; Tue, 15 Nov 2016 14:52:10 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 25D7427D29
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 15 Nov 2016 14:52:08 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.31,495,1473120000"; d="scan'208";a="767319"
IronPort-PHdr: =?us-ascii?q?9a23=3ArnrGjR0RkK6ORvx5smDT+DRfVm0co7zxezQtwd8Z?=
	=?us-ascii?q?sewSKPjxwZ3uMQTl6Ol3ixeRBMOAuqkC0rCd7fqocFdDyK7JiGoFfp1IWk1Nou?=
	=?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?=
	=?us-ascii?q?KeTpAI7SiNm82/yv95HJbQhFgDSwbalvIBmoognct9caipZ+J6gszRfEvmFGcP?=
	=?us-ascii?q?lMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLD?=
	=?us-ascii?q?QheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2UxLjlj?=
	=?us-ascii?q?sJOCAl/2HWksxwjbxUoBS9pxxk3oXYZJiZOOdicq/BeN8XQ2ROXtxVVydcHI2y?=
	=?us-ascii?q?aYUBBPcFMepBsoXxu14CoB2jDgeuGezv0CdFiH/o06Mn3eovEgPJ3AI4H98MrX?=
	=?us-ascii?q?jZotr6O7sdX++r16nF1inDYvFM1Dvh9ITEbg4trPeRVrxwa8rRzkwvGhvZg1WW?=
	=?us-ascii?q?tIPlJS2a2f4Ws2OG7uRgT/+vhHAhqw5quDeg2scshZfThokIzV3L7yp5wJwoJd?=
	=?us-ascii?q?KmTk50esSrHYBKty6EKoR2QtktQ31ytCkmzb0GvIe2cS4Xw5ok3x7Sc+GLfoeH?=
	=?us-ascii?q?7x75VOudPC10iGxqdb6hnRq+7FCsxvPgWsSwylpGsyRInsfWunwQ1BHe5NKLRu?=
	=?us-ascii?q?V+80qnxD2BzRrc6vteLkAxjafbLpkhzaMumZcLqkTDGzP2mF3xjK+LakUo4uio?=
	=?us-ascii?q?5PrjYrXhvpKcK5V7ihv/MqQzgcyzG/g4MwgSUGib/uSwzrvj8lHiQLpWlPE2l6?=
	=?us-ascii?q?jZsJTCKcQaoK62HRNV354+5xuwADqqytQVkWQdIF5bdx+LkZLlN0zWLPD9F/i/?=
	=?us-ascii?q?glCskDlxx/DBO73sGo7NIWbHkLfge7Z99kFdxBMowtBY+pJUDK0OL+zoWkLqqN?=
	=?us-ascii?q?zZDgM2Mwyzw+r9DtV9zZkRVXiAAq+eLqPeqUWI6f43I+mQeI8Vvy7wKvgk5v7p?=
	=?us-ascii?q?i380glodfa2w0ZsWbnC0BPJmLF+DYXrvg9cBD3kFshA4TOP0lF2ISSRTaGqqX6?=
	=?us-ascii?q?Ig+jE7D5qrDInCRoCphbyOwj27E4ZYZm9YF1+MFm3oeJ+cW/cWbyKSINFunSAY?=
	=?us-ascii?q?VbS7TI8hzx6uvhfgy7V7NurU5jEYtZX72dh7/e3cjxcy+iB1D8SGyGyNSnl0nm?=
	=?us-ascii?q?IRSz8t0qF/ulZxylCZ0ah3m/ZYD8Bc5+tVUgcmMp7R1+96BMrxWgLGY9eEU1Wm?=
	=?us-ascii?q?Tc+lATE2U9I92dgOY1xyG9+6lBDMwzKqA6MJl7yMHJE76L/T32LwJ8lj0XbLz7?=
	=?us-ascii?q?MugEUjQsdVMm2mnKF//RDJB4HVi0WZi7qqdaME0SHR7miDyXSBvFpEUA9wVqXI?=
	=?us-ascii?q?RmsfaVfXrdvn4EPCU76uBq49PgtH18GCNrNAasf1glVeWPfjJNPebnqxm2iuAR?=
	=?us-ascii?q?aIwrSMYZHue2UAwCXdD00EnBoJ8XaBLwg+CT+ro3jCAzx2CVLvf0Ts/PFlqHO1?=
	=?us-ascii?q?VE80yBqKb1F62rqu/B4VgvKdS/YJ0bICoishrSt7HEql1dLMF9WAvxZhfLlbYd?=
	=?us-ascii?q?4l7lZIz2bZtxBjMZy6NKBvnUAefBptv0z1yhV3D59Mkc8wrHMl1AByM76X0Etd?=
	=?us-ascii?q?dzOE2pD9IqHXJXTv8xCucaHW3krT38qR+qcK9Ps3sU7jvB2zGkok7Xpnz8Ff02?=
	=?us-ascii?q?GA6ZXSEAoSTZXxX14x9xh7o7HaZjcy55jP2HJ2L6a0qDjC18guBOs/xRaqZ81f?=
	=?us-ascii?q?P7+cFA/uD80aANCjJ/EwlFi1dB0LIu5S9aEvMsy6d/uJwrSrPPp+kzK8l2hH5p?=
	=?us-ascii?q?5y0l6U/SpmVuHIx4oFw+2f3gafSTf8jUuustzwmYBefz0dAmq/yS/iBI5efaBy?=
	=?us-ascii?q?eYcLCWG0LM2twdVynZntW2RX9FS7HVMJxNepeQaOb1z6xQBQ0UUXoWe7mSeh1D?=
	=?us-ascii?q?x7jTUprquZ3CzTzOXvbwEHOnZKRGlkjFfjPZO0g8ocXEe2cwgjjAGl6lrix6hH?=
	=?us-ascii?q?uKR/KHHeQV1PfyjyK2FtTLGwuaaFY89B854oqjhXX/inYVyATb79uRQa2Tv5H2?=
	=?us-ascii?q?RC3DA7ay2qupLhkhxikm2dMXJzoGDDds1q3hjf49jcReJW3joAXyR4jCXbBl67?=
	=?us-ascii?q?P9a159mUkYnMsvymXWK7SpJTaTXrzZ+HtCaj4G1qBQSzkO61mtD8Dwg1zyv719?=
	=?us-ascii?q?10WiXSthr8ZJfk17iiO+J9YkZoHEP869Z9GoxmkYs/mpcQ2WMBi5WW43UHl3zz?=
	=?us-ascii?q?MdNF1qLidnYNQiQLw9HN6gj/xEJjNm6Jx57+VniF2stufcS6YmcI1SIl9c9KDr?=
	=?us-ascii?q?uU46JenSZuv1q4thzeYeJmnjsH0vsu72Mag/sVtwUzwCWdBaoSHUZGMiD2kRSH?=
	=?us-ascii?q?8cy+pr1NZGmzabiwyFZ+nde5AbGcpAFTRW30eokkHSBt7sVzKlTM32Pv6ov8Yt?=
	=?us-ascii?q?nfccoTtgGIkxfHl+VVMIg+lucOhSd8JW39vGElyu4igRxgx566upKLK2J3/KK2?=
	=?us-ascii?q?GhRYLCH6Z9sP+jHxiqZThsWW3oCrHpp/ATgLWZzoTfymED0MqfTnKwaOEDo5qn?=
	=?us-ascii?q?iFA7bfGxGQ6Ft+pXLVD5+rL22XJGUezdh6ShmSPkpfgBwTXDU/hZM5GB6ly9Hm?=
	=?us-ascii?q?cEdj/D8R/kT4qhxOyu12Kxb/Tn3TpACyajc7UJKfNgZZ7hle50fJNsyT9u1zHy?=
	=?us-ascii?q?FE8Z27rA2NMnCbZwNTAGEPREOEG0vjMaW06tnY7eeUHOy+IOXSYb+Ws+xRS++I?=
	=?us-ascii?q?xY6z0oth5zuDK8OPMWN5AvIm3EpMR2p1G8PDmzUAUyYXjT7Cb9aHpBeg/S16tt?=
	=?us-ascii?q?q//O7lWQ714IuAEb9SMdJv+h2tm6iMK+uQiDx+KTZC2ZMG3WXIx6QH3F4OlyFu?=
	=?us-ascii?q?cCGgEbIatSHXVKLQgrRaDxAaayNpL8tI86w83ghLOcHBjNP6yr94geQxC1tfUl?=
	=?us-ascii?q?zhgM6pb9QQI26hLFPHGFqLNLOeKDLQ2M77Zqe8SbxLjOVIrB28oy2bHFH/MTiZ?=
	=?us-ascii?q?jDnmSRSvMeBKjCGGMx1To52ycxZ3CWj+V9LqcBO6P8VrjT0txr00gGnGNWkGMT?=
	=?us-ascii?q?hza0lNtKGf7TtEgvVjHGxM9mFqLeiLmyae6enVMYsZvuVwDSR1je1a5m42y7xP?=
	=?us-ascii?q?7CFLXPZ1gjfdrsZyo1G6lemC0iBoUBVUpTZVmo2GpkJiOb3H+ZlGXHbL5hMN7W?=
	=?us-ascii?q?GLBBQNqNppENrvu7pfytLXjqL8NC9C887I/csbH8XUNMWHMH87PRrzHz7VDRUK?=
	=?us-ascii?q?TTiwOmHFgExSjvKS+2aJoZg9r5jjhIABSqRHVFAvEPMVFFhlFsQYIJhrRjMkja?=
	=?us-ascii?q?KbjMkQ6Hq+sBnRRMJavpXdWfKJGvjvLTeZjaVeZxQW27/4Kp4TNoLj0Ux4dlZ6?=
	=?us-ascii?q?hJjKG1bXXd1VpC1ucBU7oEFW/Xh9SW0zwF7lZRmr4H8IFv60nwQ6ig1gbuQx7D?=
	=?us-ascii?q?3s+Us4JkLWpCssl0k8gc/lji6KcDHvNqiwR51ZCyrvukcqM5P7WRt6bQq8nUx8?=
	=?us-ascii?q?LjfLWbJQg6FmdW91lA/WoYFPFuJETa1YfB8QwumaaOgy3lRCqyWo2FRH6PDfBp?=
	=?us-ascii?q?t4jgsqdpCtr2le1A1/cd41P63QJLZJz1RKgKKBoDOo3PgrwAACP0YN7H+SeCkQ?=
	=?us-ascii?q?tUMVLbkpOTCn/uN26QOYhTtOY3MMWOApovJ37EMyIf6Mzyb9075FME+xLfWTL7?=
	=?us-ascii?q?+eu2jDlc+IRUk81kUWmElZ5bJ2y9ssc1KIV0Azy7ucDxoJNdDcJg5IdMpd7n7T?=
	=?us-ascii?q?fTqJseXW2p96JZmyFuXyQe+JrqYUjVquHBw1EIQU8sQBAp6s3VncLcfgNr4K1x?=
	=?us-ascii?q?Mt5QXsJFieA/RJfg+LnC0Ao8Glw599xZNdKS0FAWVhLSW34a7aphQ0j/qHXdc2?=
	=?us-ascii?q?ZGoaX4QfO30qX826njJWsG5bDDmryO4ZzhaN7yPkrCTKEDb8d8ZjZOuTZR50Fd?=
	=?us-ascii?q?655TA/86+wiV7L75nTPH/6Osp4ut/O6OIaoJCHB+lSTbZjr0fWg5NYSGCyU27T?=
	=?us-ascii?q?Dd61IID9a4o2bd30EHm6VEC/izIuQsf+O9atNrSHjRvuRYlKrImRxCojOtOlFj?=
	=?us-ascii?q?ECBxdwoPkO5L59ZQ0GZJo7fR7otgQlOqOiIQeZ0s+hTH23JTtQUfZf0f2wZ6ZL?=
	=?us-ascii?q?wCo0cu+61HwgQ4k1z+mt60ENQo0KgwrfxfakaYheVzTzGnxDdAXOoyo5i3ZuNv?=
	=?us-ascii?q?wozuc53hzIrUEWMyqXe+xxdGxEo9Y8CEuILnVyC2o3W0GTgpLG4g+s2bAS+C1d?=
	=?us-ascii?q?kMxP3OJesXjxpJnfbCuiWKy2s5nVtTQvbcQ+qa1rLYPjOteGtI/ZnjHHV5bfrA?=
	=?us-ascii?q?uFXTWgGPVHhNhfPjhYQOJSlmE/Oc0Ko41B6VA+Vs0mPbxAFLEspqy2aTpjFSMS?=
	=?us-ascii?q?1ykZV4Kc0zwChee836DamA+Jfpo/KhIJrJJMj8ABXC5xZyMRuLWsV57Kl2OeTG?=
	=?us-ascii?q?gEPhsT5xxW5A0cjo9wYvzl4I3QQZBQyT5Zue57XzDXGZlv81v7TmCWjkbiSPW9?=
	=?us-ascii?q?jeOmwQJSwOjr0tkBVx51EVJdyPpOlks0NLF3LLEdvpTQvT+SckP1p3ngyPe8JF?=
	=?us-ascii?q?ZL183baVn4DIvDtWrzVi0c+HIURY9TyHHRD5sSiQ95ZLwtpFpSPICsYlz+6CA8?=
	=?us-ascii?q?x4R1A7m4UtimxlY/onYdXSiqFttBC+d9vVLWRD1qeYurp4n/NJlIRG9f5oGdoU?=
	=?us-ascii?q?9DkEpxKy651YZcK8ZV7z8CRjRAvTWdvNq3SM1Cw8B2DIQBItZhtHjjBqxIIp+R?=
	=?us-ascii?q?o2c5urb30H/W5yg8sEumxDW0A6K4V+VZ/2kEFQUzKWWerU0vD+U3/2fX9VDNtU?=
	=?us-ascii?q?t08PlHCbiVikVxuy19HpFIBjZGz3ylKE5zTHZeueVANKvVa9BcQ+U1ZRK3IRM+?=
	=?us-ascii?q?D+Mm30qT8UF3hnr5Yi1ytgpG+y/GRQU0Uzcagqv1kz0Ets6nISMaS45PbTg5cy?=
	=?us-ascii?q?fFLAeblDtLvBpDbkFlQIoVAtBb9LEHxYFU5NbNSV6wKSEZWxxvLgI43uBFlUFZ?=
	=?us-ascii?q?tEWXZDvQAhe2evbXqh14Y8ORo9CzLPjj+wdHkIznuvgi96ofX32mhRGtQdfGoo?=
	=?us-ascii?q?/8sd2FqEWOe7niM+CnYH/OUibDgg6qibcjFZnK8DDZMBBHJJli1XokfZ/hBHbJ?=
	=?us-ascii?q?PRRBOa0WPFdUWr5hadpYuOBae9Frd7sT9a9rGB2HWgvlGJazo/leMlbTWTPeIj?=
	=?us-ascii?q?2a/eyxvY3f8b7QRfXua8GX23nHRKd3MYtg5jngB7fmy4le9VTq2v117EN1VUDG?=
	=?us-ascii?q?MzydrNTmPg4L/teteVbivpIzATPbG5NwkH3zxk5eacYYXyqq/4kGx59D7nb/V/?=
	=?us-ascii?q?542FDpsOJO77lk9ZU347dxxMesPqfSNe5VvlJ7AhWPHQVq8YgtAHJjSG9PZO8R?=
	=?us-ascii?q?NO3Rcr4djcz0rOD3DaMX4gWP++NFcdvHO13Bms6nBzGAUxxLghkOpiMBIwuB0/?=
	=?us-ascii?q?6Fh7V0Rty7pej43UIt50axLgIcwLBq/4eE9bKCpPXLYBvJ0bgERq/qS9v2rrs2?=
	=?us-ascii?q?v0OS4eMrlKISemNveQKqC+4dWdABxmf70a8l1zosHN3ZE7Lm5vFDS2oznij8lJ?=
	=?us-ascii?q?BlA1UWBvQUEKKJ/YtEhGc4nPfZNtkMfaBcgWuPEAOkErseyX6q9ySXIXNqghfV?=
	=?us-ascii?q?0x3qRmOz9lD2pzdiQSTQ19fjjlZVVr6vCEdQRSWpP0F4sCmIPAX1qtX6org141?=
	=?us-ascii?q?swMmz/s9KBjm2hN61LH8fnPtyTPTE0pE4LjJ02XtGv1p0bGdu5INcV7n5+a+DT?=
	=?us-ascii?q?5H61nCBaoqdInYze7tuS+vXNEnmql7eapKmVxDBE1ng4ukky6takNvzV5t2KRf?=
	=?us-ascii?q?Go23wQTyd5tQvBRQS6qqfHr1AOJEyEzFvLmJEQPt5Hx3U40Vvm5Oc7StIp6Ape?=
	=?us-ascii?q?DprAZ+8FpT3rPTv0xlCfY844ViaAyDZXG1P1HkN+GKcixGLxssXJlW3T+10zXI?=
	=?us-ascii?q?VwcVLohQBvBYUiNU0t8EQXwjYEEQUVcxCUEaynCF/qLYsBWkkPcxKH06ameq0v?=
	=?us-ascii?q?x0183quv5PPPbex7H6cNMu1djguOkVVAFJIZr7ARQLVme1BH7K7XvA/iC4r5UP?=
	=?us-ascii?q?f6iXo8L/q1QtpV8coBrXst/h6/Rwa86ZdE97sbjZSIebBBYZjLos9861xq5TER?=
	=?us-ascii?q?eSxKmxh/lwm2UfwdpO/55tjbsZyo6vqwW6YpQ+UX9hc0CHp4j5Tsnl8vu9fX2P?=
	=?us-ascii?q?lASofNk4Tw7BhNI2KWuIbdyxR8MvABK5yxc7Zv6XoHPDMTJ2kUMtqIcfY87DFi?=
	=?us-ascii?q?MC7J61xEHMwMecsSPNDRlgBMlk3pRLZT+9LZGl+ZDod+bMUo4HT3yT8r65s8U+?=
	=?us-ascii?q?Dg6DCsKZDZ8V5NI+tJjD9wm9LauOgV3f3SBTAW4XiYcRd62D+NxoKWC/nu4eWD?=
	=?us-ascii?q?1s3bW0kBHi4sXIdXPCCC9hC/RuqpiJXpVRuZ5dTygJIlekOfXH6xnKUZsqZUC+?=
	=?us-ascii?q?FAlyH70yNCGYDymv2arcCj6HZNtl1ACoZ89wfJGKJFPpV0IR74jNWkRlBgBivj?=
	=?us-ascii?q?f8HZbgIut/CKxugQ4+V/OUz+ZZUYIh4d0LL1935VTgpoSL7rsVeURvoRa8F6SP?=
	=?us-ascii?q?zYrnBU54VgK7UMPFSHp5zlsC1IqFYoDw8tcrMwqSZadkbWlg1PR6n0oKIAihcb?=
	=?us-ascii?q?UdNhpU9MA3y/OGYk6DrBS6tYl7SeCP0a8jWSUqwBSV5oPTlkQxOowplufaWmne?=
	=?us-ascii?q?xfuGNcgix9uOQq0yBhRBakti3jvbgN1iw8+LG4rzgBvX1FTvmAnCfIE1pD0e8K?=
	=?us-ascii?q?gb0aC3n89Vy2eGMDY5fq4Ll7OcTg8pEs43shbhUlYy0GWuOgBybrj6yWBoyPsd?=
	=?us-ascii?q?RchAOCucjVab+8MzISN7Qnxh75QXhyzBTelg5y8GQXWjWg8MMkJIKlNMYjxyqn?=
	=?us-ascii?q?BW/bdFIW7aNSqsfxtFkLTOwtaVN622hj18eKRyIXSMzIAWY1gRAuaX9Yf5Jb9R?=
	=?us-ascii?q?8aC64ojy6HvqZa5QEUey7YHJmq9IfWnMfI32Q9TNhxy2LZo62KnJUq32N/l9Nz?=
	=?us-ascii?q?9C6Ot2wYd/bEXM90HnjzyoBfxPT8Z/WqsuAHTpFqx6ihUP8GL8ms5Gq32JRsWk?=
	=?us-ascii?q?++xbQeHkG0MPECxrfFSSilTXCXWeWRf2iKgTk5Llb45QO0IV0vdMdKs0g9P/PD?=
	=?us-ascii?q?hp5CjQLhV6h5RiGNpVDGzWwjNvgaexgxuIe9dAwAVPQRaPSEJegy3P0+D0MBb3?=
	=?us-ascii?q?3XEit4Be+2tUWgnYZhNHVm/0r6ff7h8gb4P9uOAhMEC5LVroZt+fymQWKMIXBg?=
	=?us-ascii?q?zBl1PEh66ejfE1Axu/RHc5aWm9jQhsh03fQDd/hzLS03osQTlZ576YmIzMeKdg?=
	=?us-ascii?q?nczpTyJdDVuviYBPnfz0U2em5ESbcZZAL155kgPtEnQbHTGqFZvRsED6ggXJMh?=
	=?us-ascii?q?L3vx9L1zLA5rbg7RZbG0j9L2puKKepRUpGHZ7lYqICfapRID1uS+TRZnYJCym3?=
	=?us-ascii?q?XyPJcwSypEr91sCRtmH4xPFtgCrwW9AJ6Un6e7hMG3+09gve8Fr7bwAOjQ1Nul?=
	=?us-ascii?q?x4VxQ4Ra5UuTMTnKGqZrhFhlg/+pgvfE1ZnxFd/iec0aW+dmWGLFbaXGHoqnID?=
	=?us-ascii?q?KUJs38Y1JG86Kb0L9hXBWeeiT5X6uetCK6L/hl4EQ7yol9fOXN1jwt66/U1MH1?=
	=?us-ascii?q?Z2FBqSeptWSJO4dH7FzWGezeWApZSPSd8GZ/HK0YcZX7+fwLMdwj3Nic+Rd84C?=
	=?us-ascii?q?5F0MufLKirtlXM1V5jdZLHMEvp3D40WY4OIBuhKkYsmWvZpW7GAXRAL8irNdVt?=
	=?us-ascii?q?gMyLARPz/UVxn38iZnJZEGryWdiRIXQb2965ZACS8AJLDtADn/O4eEIhsq2ySP?=
	=?us-ascii?q?JoOolemeixtbUIi9BpKybVSMhdJSHQI6d8PiBNAeXXuFgofhkEvqAuWogrYZiO?=
	=?us-ascii?q?IUUHMFqPyC/1wgXCzU30eMK21KmXOCYZ6G5Kz7Hb3jhWoQm2p/KZjdb+ULDWdp?=
	=?us-ascii?q?32W+TSMCU9XDGAWTsyCVqp+Uuju/ccuPqYIHwfokwPbyOTEQ4ToLpgocLWDmDN?=
	=?us-ascii?q?he1pZIcKi+yCWyDsVC14k7I/BiNRuk+QQ/oDFA/Wb3j6jWpCuQyiIOFD/Xbkb7?=
	=?us-ascii?q?2e26pUVPYaAoxWcv2WW9HYY+xRJy80ljUFP+axZ9/coKw60lLPVmQUCLTI9FuC?=
	=?us-ascii?q?TE6WRfyc2j3rXYUJv4QuvCon5M7QlDdtE6vUJ7afuyKu8omggSaXo+LRTXMtY0?=
	=?us-ascii?q?0rj+IGG2SB3h1AJ3sfC9EUpUHhWKiAaFhQ1Hgxk+JhxwcMeBhvUn1pynBWnvO9?=
	=?us-ascii?q?GspDSV4OjWOuW+YLbFZtAzM140CK4xf+YdsaucDcX2Ve7KcDSZIBLPk074naIL?=
	=?us-ascii?q?UfwPQu3DJmpiw6qCKdD1VGgwKK6arQAbx8yaNY5WUi+fF5QF2PSSvFcmfb0oqm?=
	=?us-ascii?q?F95PxSB2rHD/2crUu/xiObpZqoxiHlcFHzh2JtHc/DBGV2H4wg2ysAinHD6GOj?=
	=?us-ascii?q?IW/C4LJTAZduZy1+J7shHIdtDF6U6LsqIutlakCQiMCrquxJNEFNvl1QOmZilX?=
	=?us-ascii?q?In2XEMVOo+tJ3PMVZrkqLdymCk3FBhD3EwbdvicL7hWsqbOuW5lk2GIbx4wqJM?=
	=?us-ascii?q?vkVpJCIsPE0Tdyyn1IyYBHmWSeGM7SYJfww9Z1CXEHKt+2Tny9M8GBBCn7qP1W?=
	=?us-ascii?q?isRmLE2VcuhPeTsC65M=3D?=
X-IPAS-Result: =?us-ascii?q?A2HyBADGICtY/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgww?=
	=?us-ascii?q?BAQEBAR+BWKRJlmUhiChTAQEBAQEBAQECAQJfKIIzGgGCFAEBBAECJBMUIAsDA?=
	=?us-ascii?q?wkBAQoNCx4ICAMBLRURBggLBRgEiEuyIz0qAos1AQoBAQEBIoY8hFqEGhEBhX0?=
	=?us-ascii?q?BBIhQhhCLYZBiAooWhgqNR4QKVVoqHIMjHIFecYVtgi0BAQE?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 15 Nov 2016 14:51:49 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uAFEpaRX026411;
	Tue, 15 Nov 2016 09:51:37 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	uAFA6vv2113346 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Tue, 15 Nov 2016 05:06:57 -0500
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uAFA6uFb029648;
	Tue, 15 Nov 2016 05:06:57 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1CcAADh3SpYhxy3hNFdGwEBAQMBAQEJAQEBgzcBAQEBAYF3pEiSU4QWhiMCgjBTAQIBAQEBAQITAQEBCgsJCR2FEgEBAQMnUhALGC5XBhOIbLFoPYtbAQEIJ4Y8hFqKKQWIUIYQi2GQYgKQII1HhAqBWRyDIxELgV49NIc+AQEB
X-IPAS-Result: 
 A1CcAADh3SpYhxy3hNFdGwEBAQMBAQEJAQEBgzcBAQEBAYF3pEiSU4QWhiMCgjBTAQIBAQEBAQITAQEBCgsJCR2FEgEBAQMnUhALGC5XBhOIbLFoPYtbAQEIJ4Y8hFqKKQWIUIYQi2GQYgKQII1HhAqBWRyDIxELgV49NIc+AQEB
X-IronPort-AV: E=Sophos;i="5.31,494,1473134400"; d="scan'208";a="5824095"
Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov)
	([10.208.41.36])
	by goalie.tycho.ncsc.mil with ESMTP; 15 Nov 2016 05:06:44 -0500
IronPort-PHdr: =?us-ascii?q?9a23=3Ada/+FRDGyymopKnuTXgmUyQJP3N1i/DPJgcQr6Af?=
	=?us-ascii?q?oPdwSPvypMbcNUDSrc9gkEXOFd2CrakV0KyP6ejJYi8p2d65qncMcZhBBVcuqP?=
	=?us-ascii?q?49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6?=
	=?us-ascii?q?JvjvGo7Vks+7y/2+94fdbghMijexe65+IAurpgjNq8cahpdvJLwswRXTuHtIfO?=
	=?us-ascii?q?pWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnM?=
	=?us-ascii?q?VhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iS?=
	=?us-ascii?q?cHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDI2y?=
	=?us-ascii?q?bIUADeQBMP1Eo4XhvVYCsQeyCRWwCO7p1zRGhmX23ao/0+k5DQzG2hEvH8gQv3?=
	=?us-ascii?q?vOt9X+KaYcUfqozKbWyzXMdOlZ1iv96IfWaBAqvPaBUqh/ccrL1EkgCQXFgU6K?=
	=?us-ascii?q?poH+JTOayPkCs2iB4Op8T+6gl2knqwRorzWp28wiiZHJi5oLxlzY8Sh12ps5KN?=
	=?us-ascii?q?OmREJhfNKpE5VduzuEO4Z1RM4pXntmtzwgyrIcvJ62ZCgKx4ojxx7Yc/GHdoeJ?=
	=?us-ascii?q?7g/5WOaLPzh3mXJld6ijhxqo7Uegzej8WtG10FZMsCVFjsHBum4R2xHX8MSLV/?=
	=?us-ascii?q?Vw8lm71TqS1A3e5PtILV43mKbDLp4u2L8wlp4dsUTZGS/2nV37g7WZdkU+5+in?=
	=?us-ascii?q?9eLnba78qZKHLY97lBzxMqQ0lcyjG+g3Lg8OX22D9eSmyLLj5VH5QKlNjvAuia?=
	=?us-ascii?q?nWrYvaKN8Hpq+5HwBV0oEj5wy5Dze9ytsUh3YHLFVbeBiflYjmJ0nOIOzkDfe4?=
	=?us-ascii?q?m1msiylkx/THPr3nH5XMIWPOkKvhfLlh605czxA/zdZE551OEL0BL/XzWlGi/O?=
	=?us-ascii?q?DfWycwLgj85uHgEtg1gpsXRGanGqaENObXtliS66QkJOzaN6EPvzOoAv4p/fPn?=
	=?us-ascii?q?ljcWg0IQe6Og1psacjjsF/t8Pkifa3PEmNoNEW4W+AE5Sbq52xW5TTdPaiPqDO?=
	=?us-ascii?q?oH7TYhBdfjVN+bSw=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0HnAADh3SpYhxy3hNFdHAEBBAEBCgEBF?=
	=?us-ascii?q?gEBAQMBAQEJAQEBgwwBAQEBAYF3pEiSU4QWhiMCgjBTAQEBAQEBAQECAQIQAQE?=
	=?us-ascii?q?BCgsJCR0wgjMaAYIUAQEBAydSEAsYLlcGE4hssWg9i1sBAQgCASSGPIRaiikFi?=
	=?us-ascii?q?FCGEIthkGICkCCNR4QKgVkcgyMRC4FePTSHPgEBAQ?=
X-IPAS-Result: =?us-ascii?q?A0HnAADh3SpYhxy3hNFdHAEBBAEBCgEBFgEBAQMBAQEJAQE?=
	=?us-ascii?q?BgwwBAQEBAYF3pEiSU4QWhiMCgjBTAQEBAQEBAQECAQIQAQEBCgsJCR0wgjMaA?=
	=?us-ascii?q?YIUAQEBAydSEAsYLlcGE4hssWg9i1sBAQgCASSGPIRaiikFiFCGEIthkGICkCC?=
	=?us-ascii?q?NR4QKgVkcgyMRC4FePTSHPgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.31,494,1473120000"; d="scan'208";a="933132"
Received: from mx1.redhat.com ([209.132.183.28])
	by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	15 Nov 2016 10:06:43 +0000
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 07E52C0567A2;
	Tue, 15 Nov 2016 10:06:43 +0000 (UTC)
Received: from nux.redhat.com (vpn1-6-94.ams2.redhat.com [10.36.6.94])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id uAFA6eNk015138; Tue, 15 Nov 2016 05:06:41 -0500
From: Andreas Gruenbacher <agruenba@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH 4/4] selinux: Convert isec->lock into a spinlock
Date: Tue, 15 Nov 2016 11:06:40 +0100
Message-Id: <1479204400-24557-1-git-send-email-agruenba@redhat.com>
In-Reply-To: 
 <CAHC9VhSrDfGOBrw+hV8xfZ-COOjHpW_73sz7VYLMnem-szWRWA@mail.gmail.com>
References: <1478812710-17190-1-git-send-email-agruenba@redhat.com>
	<1478812710-17190-5-git-send-email-agruenba@redhat.com>
	<CAHC9VhSrDfGOBrw+hV8xfZ-COOjHpW_73sz7VYLMnem-szWRWA@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.32]); Tue, 15 Nov 2016 10:06:43 +0000 (UTC)
X-Mailman-Approved-At: Tue, 15 Nov 2016 09:51:34 -0500
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Andreas Gruenbacher <agruenba@redhat.com>, selinux@tycho.nsa.gov
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

On Mon, Nov 14, 2016 at 11:22 PM, Paul Moore <paul@paul-moore.com> wrote:
> We shouldn't need the spinlocks on the socket_post_create() and the
> socket_accept() hooks as the callers should still have exclusive
> access to the socket/inode at that point.
>
> I didn't check all the callers of the inode_init_security(), but it
> looks like the same idea applies.

Indeed.  An updated patch with the unnecessary locking removed follows.

Thanks,
Andreas
---

Convert isec->lock from a mutex into a spinlock.  Instead of holding the
lock while sleeping in inode_doinit_with_dentry, set isec->initialized
to LABEL_PENDING and release the lock.  Then, when the sid has been
determined, re-acquire the lock.  If isec->initialized is still set to
LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another
task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime.

This fixes a deadlock on gfs2 where

 * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds
   isec->lock, and tries to acquire the inode's glock, and

 * another task is in do_xmote -> inode_go_inval ->
   selinux_inode_invalidate_secctx, holds the inode's glock, and tries
   to acquire isec->lock.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
 security/selinux/hooks.c          | 102 +++++++++++++++++++++++---------------
 security/selinux/include/objsec.h |   5 +-
 2 files changed, 66 insertions(+), 41 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cf5067e..ea77ed3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -231,7 +231,7 @@ static int inode_alloc_security(struct inode *inode)
 	if (!isec)
 		return -ENOMEM;
 
-	mutex_init(&isec->lock);
+	spin_lock_init(&isec->lock);
 	INIT_LIST_HEAD(&isec->list);
 	isec->inode = inode;
 	isec->sid = SECINITSID_UNLABELED;
@@ -1381,7 +1381,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 {
 	struct superblock_security_struct *sbsec = NULL;
 	struct inode_security_struct *isec = inode->i_security;
-	u32 sid;
+	u32 task_sid, sid = 0;
+	u16 sclass;
 	struct dentry *dentry;
 #define INITCONTEXTLEN 255
 	char *context = NULL;
@@ -1391,7 +1392,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	if (isec->initialized == LABEL_INITIALIZED)
 		return 0;
 
-	mutex_lock(&isec->lock);
+	spin_lock(&isec->lock);
 	if (isec->initialized == LABEL_INITIALIZED)
 		goto out_unlock;
 
@@ -1410,12 +1411,18 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		goto out_unlock;
 	}
 
+	sclass = isec->sclass;
+	task_sid = isec->task_sid;
+	sid = isec->sid;
+	isec->initialized = LABEL_PENDING;
+	spin_unlock(&isec->lock);
+
 	switch (sbsec->behavior) {
 	case SECURITY_FS_USE_NATIVE:
 		break;
 	case SECURITY_FS_USE_XATTR:
 		if (!(inode->i_opflags & IOP_XATTR)) {
-			isec->sid = sbsec->def_sid;
+			sid = sbsec->def_sid;
 			break;
 		}
 		/* Need a dentry, since the xattr API requires one.
@@ -1437,7 +1444,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * inode_doinit with a dentry, before these inodes could
 			 * be used again by userspace.
 			 */
-			goto out_unlock;
+			goto out;
 		}
 
 		len = INITCONTEXTLEN;
@@ -1445,7 +1452,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		if (!context) {
 			rc = -ENOMEM;
 			dput(dentry);
-			goto out_unlock;
+			goto out;
 		}
 		context[len] = '\0';
 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
@@ -1456,14 +1463,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
 			if (rc < 0) {
 				dput(dentry);
-				goto out_unlock;
+				goto out;
 			}
 			len = rc;
 			context = kmalloc(len+1, GFP_NOFS);
 			if (!context) {
 				rc = -ENOMEM;
 				dput(dentry);
-				goto out_unlock;
+				goto out;
 			}
 			context[len] = '\0';
 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
@@ -1475,7 +1482,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 				       "%d for dev=%s ino=%ld\n", __func__,
 				       -rc, inode->i_sb->s_id, inode->i_ino);
 				kfree(context);
-				goto out_unlock;
+				goto out;
 			}
 			/* Map ENODATA to the default file SID */
 			sid = sbsec->def_sid;
@@ -1505,28 +1512,25 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			}
 		}
 		kfree(context);
-		isec->sid = sid;
 		break;
 	case SECURITY_FS_USE_TASK:
-		isec->sid = isec->task_sid;
+		sid = task_sid;
 		break;
 	case SECURITY_FS_USE_TRANS:
 		/* Default to the fs SID. */
-		isec->sid = sbsec->sid;
+		sid = sbsec->sid;
 
 		/* Try to obtain a transition SID. */
-		rc = security_transition_sid(isec->task_sid, sbsec->sid,
-					     isec->sclass, NULL, &sid);
+		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
 		if (rc)
-			goto out_unlock;
-		isec->sid = sid;
+			goto out;
 		break;
 	case SECURITY_FS_USE_MNTPOINT:
-		isec->sid = sbsec->mntpoint_sid;
+		sid = sbsec->mntpoint_sid;
 		break;
 	default:
 		/* Default to the fs superblock SID. */
-		isec->sid = sbsec->sid;
+		sid = sbsec->sid;
 
 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
 			/* We must have a dentry to determine the label on
@@ -1549,21 +1553,29 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * could be used again by userspace.
 			 */
 			if (!dentry)
-				goto out_unlock;
-			rc = selinux_genfs_get_sid(dentry, isec->sclass,
-						   sbsec->flags, &sid);
+				goto out;
+			rc = selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid);
 			dput(dentry);
 			if (rc)
-				goto out_unlock;
-			isec->sid = sid;
+				goto out;
 		}
 		break;
 	}
 
-	isec->initialized = LABEL_INITIALIZED;
+out:
+	spin_lock(&isec->lock);
+	if (isec->initialized == LABEL_PENDING) {
+		if (!sid || rc) {
+			isec->initialized = LABEL_INVALID;
+			goto out_unlock;
+		}
+
+		isec->initialized = LABEL_INITIALIZED;
+		isec->sid = sid;
+	}
 
 out_unlock:
-	mutex_unlock(&isec->lock);
+	spin_unlock(&isec->lock);
 	return rc;
 }
 
@@ -3194,9 +3206,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 	}
 
 	isec = backing_inode_security(dentry);
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 
 	return;
 }
@@ -3289,9 +3303,11 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 	if (rc)
 		return rc;
 
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 	return 0;
 }
 
@@ -3952,9 +3968,11 @@ static void selinux_task_to_inode(struct task_struct *p,
 	struct inode_security_struct *isec = inode->i_security;
 	u32 sid = task_sid(p);
 
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = sid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 }
 
 /* Returns error only if unable to parse addresses */
@@ -4273,24 +4291,24 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 	const struct task_security_struct *tsec = current_security();
 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
 	struct sk_security_struct *sksec;
+	u16 sclass = socket_type_to_security_class(family, type, protocol);
+	u32 sid = SECINITSID_KERNEL;
 	int err = 0;
 
-	isec->sclass = socket_type_to_security_class(family, type, protocol);
-
-	if (kern)
-		isec->sid = SECINITSID_KERNEL;
-	else {
-		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
+	if (!kern) {
+		err = socket_sockcreate_sid(tsec, sclass, &sid);
 		if (err)
 			return err;
 	}
 
+	isec->sclass = sclass;
+	isec->sid = sid;
 	isec->initialized = LABEL_INITIALIZED;
 
 	if (sock->sk) {
 		sksec = sock->sk->sk_security;
-		sksec->sid = isec->sid;
-		sksec->sclass = isec->sclass;
+		sksec->sclass = sclass;
+		sksec->sid = sid;
 		err = selinux_netlbl_socket_post_create(sock->sk, family);
 	}
 
@@ -4466,16 +4484,22 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
 	int err;
 	struct inode_security_struct *isec;
 	struct inode_security_struct *newisec;
+	u16 sclass;
+	u32 sid;
 
 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
 	if (err)
 		return err;
 
-	newisec = inode_security_novalidate(SOCK_INODE(newsock));
-
 	isec = inode_security_novalidate(SOCK_INODE(sock));
-	newisec->sclass = isec->sclass;
-	newisec->sid = isec->sid;
+	spin_lock(&isec->lock);
+	sclass = isec->sclass;
+	sid = isec->sid;
+	spin_unlock(&isec->lock);
+
+	newisec = inode_security_novalidate(SOCK_INODE(newsock));
+	newisec->sclass = sclass;
+	newisec->sid = sid;
 	newisec->initialized = LABEL_INITIALIZED;
 
 	return 0;
@@ -5978,9 +6002,9 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
 {
 	struct inode_security_struct *isec = inode->i_security;
 
-	mutex_lock(&isec->lock);
+	spin_lock(&isec->lock);
 	isec->initialized = LABEL_INVALID;
-	mutex_unlock(&isec->lock);
+	spin_unlock(&isec->lock);
 }
 
 /*
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c21e135..7e770e9 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -39,7 +39,8 @@ struct task_security_struct {
 
 enum label_initialized {
 	LABEL_INVALID,		/* invalid or not initialized */
-	LABEL_INITIALIZED	/* initialized */
+	LABEL_INITIALIZED,	/* initialized */
+	LABEL_PENDING
 };
 
 struct inode_security_struct {
@@ -52,7 +53,7 @@ struct inode_security_struct {
 	u32 sid;		/* SID of this object */
 	u16 sclass;		/* security class of this object */
 	unsigned char initialized;	/* initialization flag */
-	struct mutex lock;
+	struct spinlock lock;
 };
 
 struct file_security_struct {