Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
[linux-2.6.git] / security / selinux / ss / services.c
index 343c8ab..223c1ff 100644 (file)
  *
  *  Added validation of kernel classes and permissions
  *
+ * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ *  Added support for bounds domain and audit messaged on masked permissions
+ *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
+ * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
@@ -41,6 +50,8 @@
 #include <linux/audit.h>
 #include <linux/mutex.h>
 #include <linux/selinux.h>
+#include <linux/flex_array.h>
+#include <linux/vmalloc.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
 #include "audit.h"
 
 extern void selnl_notify_policyload(u32 seqno);
-unsigned int policydb_loaded_version;
 
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
-
 static DEFINE_RWLOCK(policy_rwlock);
 
 static struct sidtab sidtab;
@@ -88,11 +93,156 @@ static u32 latest_granting;
 static int context_struct_to_string(struct context *context, char **scontext,
                                    u32 *scontext_len);
 
-static int context_struct_compute_av(struct context *scontext,
-                                    struct context *tcontext,
-                                    u16 tclass,
-                                    u32 requested,
-                                    struct av_decision *avd);
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd);
+
+struct selinux_mapping {
+       u16 value; /* policy value */
+       unsigned num_perms;
+       u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+                              struct security_class_mapping *map,
+                              struct selinux_mapping **out_map_p,
+                              u16 *out_map_size)
+{
+       struct selinux_mapping *out_map = NULL;
+       size_t size = sizeof(struct selinux_mapping);
+       u16 i, j;
+       unsigned k;
+       bool print_unknown_handle = false;
+
+       /* Find number of classes in the input mapping */
+       if (!map)
+               return -EINVAL;
+       i = 0;
+       while (map[i].name)
+               i++;
+
+       /* Allocate space for the class records, plus one for class zero */
+       out_map = kcalloc(++i, size, GFP_ATOMIC);
+       if (!out_map)
+               return -ENOMEM;
+
+       /* Store the raw class and permission values */
+       j = 0;
+       while (map[j].name) {
+               struct security_class_mapping *p_in = map + (j++);
+               struct selinux_mapping *p_out = out_map + j;
+
+               /* An empty class string skips ahead */
+               if (!strcmp(p_in->name, "")) {
+                       p_out->num_perms = 0;
+                       continue;
+               }
+
+               p_out->value = string_to_security_class(pol, p_in->name);
+               if (!p_out->value) {
+                       printk(KERN_INFO
+                              "SELinux:  Class %s not defined in policy.\n",
+                              p_in->name);
+                       if (pol->reject_unknown)
+                               goto err;
+                       p_out->num_perms = 0;
+                       print_unknown_handle = true;
+                       continue;
+               }
+
+               k = 0;
+               while (p_in->perms && p_in->perms[k]) {
+                       /* An empty permission string skips ahead */
+                       if (!*p_in->perms[k]) {
+                               k++;
+                               continue;
+                       }
+                       p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+                                                           p_in->perms[k]);
+                       if (!p_out->perms[k]) {
+                               printk(KERN_INFO
+                                      "SELinux:  Permission %s in class %s not defined in policy.\n",
+                                      p_in->perms[k], p_in->name);
+                               if (pol->reject_unknown)
+                                       goto err;
+                               print_unknown_handle = true;
+                       }
+
+                       k++;
+               }
+               p_out->num_perms = k;
+       }
+
+       if (print_unknown_handle)
+               printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+                      pol->allow_unknown ? "allowed" : "denied");
+
+       *out_map_p = out_map;
+       *out_map_size = i;
+       return 0;
+err:
+       kfree(out_map);
+       return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+       if (tclass < current_mapping_size)
+               return current_mapping[tclass].value;
+
+       return tclass;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+                        int allow_unknown)
+{
+       if (tclass < current_mapping_size) {
+               unsigned i, n = current_mapping[tclass].num_perms;
+               u32 result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->allowed & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               avd->allowed = result;
+
+               for (i = 0, result = 0; i < n; i++)
+                       if (avd->auditallow & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               avd->auditallow = result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->auditdeny & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (!allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               /*
+                * In case the kernel has a bug and requests a permission
+                * between num_perms and the maximum permission number, we
+                * should audit that denial
+                */
+               for (; i < (sizeof(u32)*8); i++)
+                       result |= 1<<i;
+               avd->auditdeny = result;
+       }
+}
+
+int security_mls_enabled(void)
+{
+       return policydb.mls_enabled;
+}
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -126,15 +276,15 @@ static int constraint_expr_eval(struct context *scontext,
                case CEXPR_AND:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] &= s[sp+1];
+                       s[sp] &= s[sp + 1];
                        break;
                case CEXPR_OR:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] |= s[sp+1];
+                       s[sp] |= s[sp + 1];
                        break;
                case CEXPR_ATTR:
-                       if (sp == (CEXPR_MAXDEPTH-1))
+                       if (sp == (CEXPR_MAXDEPTH - 1))
                                return 0;
                        switch (e->attr) {
                        case CEXPR_USER:
@@ -279,13 +429,102 @@ mls_ops:
 }
 
 /*
+ * security_dump_masked_av - dumps masked permissions during
+ * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
+ */
+static int dump_masked_av_helper(void *k, void *d, void *args)
+{
+       struct perm_datum *pdatum = d;
+       char **permission_names = args;
+
+       BUG_ON(pdatum->value < 1 || pdatum->value > 32);
+
+       permission_names[pdatum->value - 1] = (char *)k;
+
+       return 0;
+}
+
+static void security_dump_masked_av(struct context *scontext,
+                                   struct context *tcontext,
+                                   u16 tclass,
+                                   u32 permissions,
+                                   const char *reason)
+{
+       struct common_datum *common_dat;
+       struct class_datum *tclass_dat;
+       struct audit_buffer *ab;
+       char *tclass_name;
+       char *scontext_name = NULL;
+       char *tcontext_name = NULL;
+       char *permission_names[32];
+       int index;
+       u32 length;
+       bool need_comma = false;
+
+       if (!permissions)
+               return;
+
+       tclass_name = policydb.p_class_val_to_name[tclass - 1];
+       tclass_dat = policydb.class_val_to_struct[tclass - 1];
+       common_dat = tclass_dat->comdatum;
+
+       /* init permission_names */
+       if (common_dat &&
+           hashtab_map(common_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       if (hashtab_map(tclass_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       /* get scontext/tcontext in text form */
+       if (context_struct_to_string(scontext,
+                                    &scontext_name, &length) < 0)
+               goto out;
+
+       if (context_struct_to_string(tcontext,
+                                    &tcontext_name, &length) < 0)
+               goto out;
+
+       /* audit a message */
+       ab = audit_log_start(current->audit_context,
+                            GFP_ATOMIC, AUDIT_SELINUX_ERR);
+       if (!ab)
+               goto out;
+
+       audit_log_format(ab, "op=security_compute_av reason=%s "
+                        "scontext=%s tcontext=%s tclass=%s perms=",
+                        reason, scontext_name, tcontext_name, tclass_name);
+
+       for (index = 0; index < 32; index++) {
+               u32 mask = (1 << index);
+
+               if ((mask & permissions) == 0)
+                       continue;
+
+               audit_log_format(ab, "%s%s",
+                                need_comma ? "," : "",
+                                permission_names[index]
+                                ? permission_names[index] : "????");
+               need_comma = true;
+       }
+       audit_log_end(ab);
+out:
+       /* release scontext/tcontext */
+       kfree(tcontext_name);
+       kfree(scontext_name);
+
+       return;
+}
+
+/*
  * security_boundary_permission - drops violated permissions
  * on boundary constraint.
  */
 static void type_attribute_bounds_av(struct context *scontext,
                                     struct context *tcontext,
                                     u16 tclass,
-                                    u32 requested,
                                     struct av_decision *avd)
 {
        struct context lo_scontext;
@@ -306,7 +545,6 @@ static void type_attribute_bounds_av(struct context *scontext,
                context_struct_compute_av(&lo_scontext,
                                          tcontext,
                                          tclass,
-                                         requested,
                                          &lo_avd);
                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
                        return;         /* no masked permission */
@@ -322,7 +560,6 @@ static void type_attribute_bounds_av(struct context *scontext,
                context_struct_compute_av(scontext,
                                          &lo_tcontext,
                                          tclass,
-                                         requested,
                                          &lo_avd);
                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
                        return;         /* no masked permission */
@@ -339,7 +576,6 @@ static void type_attribute_bounds_av(struct context *scontext,
                context_struct_compute_av(&lo_scontext,
                                          &lo_tcontext,
                                          tclass,
-                                         requested,
                                          &lo_avd);
                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
                        return;         /* no masked permission */
@@ -347,28 +583,12 @@ static void type_attribute_bounds_av(struct context *scontext,
        }
 
        if (masked) {
-               struct audit_buffer *ab;
-               char *stype_name
-                       = policydb.p_type_val_to_name[source->value - 1];
-               char *ttype_name
-                       = policydb.p_type_val_to_name[target->value - 1];
-               char *tclass_name
-                       = policydb.p_class_val_to_name[tclass - 1];
-
                /* mask violated permissions */
                avd->allowed &= ~masked;
 
-               /* notice to userspace via audit message */
-               ab = audit_log_start(current->audit_context,
-                                    GFP_ATOMIC, AUDIT_SELINUX_ERR);
-               if (!ab)
-                       return;
-
-               audit_log_format(ab, "av boundary violation: "
-                                "source=%s target=%s tclass=%s",
-                                stype_name, ttype_name, tclass_name);
-               avc_dump_av(ab, tclass, masked);
-               audit_log_end(ab);
+               /* audit masked permissions */
+               security_dump_masked_av(scontext, tcontext,
+                                       tclass, masked, "bounds");
        }
 }
 
@@ -376,11 +596,10 @@ static void type_attribute_bounds_av(struct context *scontext,
  * Compute access vectors based on a context structure pair for
  * the permissions in a particular class.
  */
-static int context_struct_compute_av(struct context *scontext,
-                                    struct context *tcontext,
-                                    u16 tclass,
-                                    u32 requested,
-                                    struct av_decision *avd)
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd)
 {
        struct constraint_node *constraint;
        struct role_allow *ra;
@@ -389,56 +608,17 @@ static int context_struct_compute_av(struct context *scontext,
        struct class_datum *tclass_datum;
        struct ebitmap *sattr, *tattr;
        struct ebitmap_node *snode, *tnode;
-       const struct selinux_class_perm *kdefs = &selinux_class_perm;
        unsigned int i, j;
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
-
-       /*
-        * Initialize the access vectors to the default values.
-        */
        avd->allowed = 0;
-       avd->decided = 0xffffffff;
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
-       avd->seqno = latest_granting;
-
-       /*
-        * Check for all the invalid cases.
-        * - tclass 0
-        * - tclass > policy and > kernel
-        * - tclass > policy but is a userspace class
-        * - tclass > policy but we do not allow unknowns
-        */
-       if (unlikely(!tclass))
-               goto inval_class;
-       if (unlikely(tclass > policydb.p_classes.nprim))
-               if (tclass > kdefs->cts_len ||
-                   !kdefs->class_to_string[tclass] ||
-                   !policydb.allow_unknown)
-                       goto inval_class;
-
-       /*
-        * Kernel class and we allow unknown so pad the allow decision
-        * the pad will be all 1 for unknown classes.
-        */
-       if (tclass <= kdefs->cts_len && policydb.allow_unknown)
-               avd->allowed = policydb.undefined_perms[tclass - 1];
 
-       /*
-        * Not in policy. Since decision is completed (all 1 or all 0) return.
-        */
-       if (unlikely(tclass > policydb.p_classes.nprim))
-               return 0;
+       if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+               if (printk_ratelimit())
+                       printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
+               return;
+       }
 
        tclass_datum = policydb.class_val_to_struct[tclass - 1];
 
@@ -448,8 +628,10 @@ static int context_struct_compute_av(struct context *scontext,
         */
        avkey.target_class = tclass;
        avkey.specified = AVTAB_AV;
-       sattr = &policydb.type_attr_map[scontext->type - 1];
-       tattr = &policydb.type_attr_map[tcontext->type - 1];
+       sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
+       BUG_ON(!sattr);
+       tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
+       BUG_ON(!tattr);
        ebitmap_for_each_positive_bit(sattr, snode, i) {
                ebitmap_for_each_positive_bit(tattr, tnode, j) {
                        avkey.source_type = i + 1;
@@ -480,7 +662,7 @@ static int context_struct_compute_av(struct context *scontext,
                if ((constraint->permissions & (avd->allowed)) &&
                    !constraint_expr_eval(scontext, tcontext, NULL,
                                          constraint->expr)) {
-                       avd->allowed = (avd->allowed) & ~(constraint->permissions);
+                       avd->allowed &= ~(constraint->permissions);
                }
                constraint = constraint->next;
        }
@@ -490,8 +672,8 @@ static int context_struct_compute_av(struct context *scontext,
         * role is changing, then check the (current_role, new_role)
         * pair.
         */
-       if (tclass == SECCLASS_PROCESS &&
-           (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+       if (tclass == policydb.process_class &&
+           (avd->allowed & policydb.process_trans_perms) &&
            scontext->role != tcontext->role) {
                for (ra = policydb.role_allow; ra; ra = ra->next) {
                        if (scontext->role == ra->role &&
@@ -499,8 +681,7 @@ static int context_struct_compute_av(struct context *scontext,
                                break;
                }
                if (!ra)
-                       avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
-                                                       PROCESS__DYNTRANSITION);
+                       avd->allowed &= ~policydb.process_trans_perms;
        }
 
        /*
@@ -509,49 +690,7 @@ static int context_struct_compute_av(struct context *scontext,
         * permission and notice it to userspace via audit.
         */
        type_attribute_bounds_av(scontext, tcontext,
-                                tclass, requested, avd);
-
-       return 0;
-
-inval_class:
-       if (!tclass || tclass > kdefs->cts_len ||
-           !kdefs->class_to_string[tclass]) {
-               if (printk_ratelimit())
-                       printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
-                              __func__, tclass);
-               return -EINVAL;
-       }
-
-       /*
-        * Known to the kernel, but not to the policy.
-        * Handle as a denial (allowed is 0).
-        */
-       return 0;
-}
-
-/*
- * Given a sid find if the type has the permissive flag set
- */
-int security_permissive_sid(u32 sid)
-{
-       struct context *context;
-       u32 type;
-       int rc;
-
-       read_lock(&policy_rwlock);
-
-       context = sidtab_search(&sidtab, sid);
-       BUG_ON(!context);
-
-       type = context->type;
-       /*
-        * we are intentionally using type here, not type-1, the 0th bit may
-        * someday indicate that we are globally setting permissive in policy.
-        */
-       rc = ebitmap_get_bit(&policydb.permissive_map, type);
-
-       read_unlock(&policy_rwlock);
-       return rc;
+                                tclass, avd);
 }
 
 static int security_validtrans_handle_fail(struct context *ocontext,
@@ -583,13 +722,14 @@ out:
 }
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-                                u16 tclass)
+                                u16 orig_tclass)
 {
        struct context *ocontext;
        struct context *ncontext;
        struct context *tcontext;
        struct class_datum *tclass_datum;
        struct constraint_node *constraint;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized)
@@ -597,16 +737,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
        read_lock(&policy_rwlock);
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
+       tclass = unmap_class(orig_tclass);
 
        if (!tclass || tclass > policydb.p_classes.nprim) {
                printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
@@ -688,7 +819,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
                goto out;
        }
 
-       /* type/domain unchaned */
+       /* type/domain unchanged */
        if (old_context->type == new_context->type) {
                rc = 0;
                goto out;
@@ -712,66 +843,142 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
                }
                index = type->bounds;
        }
+
+       if (rc) {
+               char *old_name = NULL;
+               char *new_name = NULL;
+               u32 length;
+
+               if (!context_struct_to_string(old_context,
+                                             &old_name, &length) &&
+                   !context_struct_to_string(new_context,
+                                             &new_name, &length)) {
+                       audit_log(current->audit_context,
+                                 GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                                 "op=security_bounded_transition "
+                                 "result=denied "
+                                 "oldcontext=%s newcontext=%s",
+                                 old_name, new_name);
+               }
+               kfree(new_name);
+               kfree(old_name);
+       }
 out:
        read_unlock(&policy_rwlock);
 
        return rc;
 }
 
+static void avd_init(struct av_decision *avd)
+{
+       avd->allowed = 0;
+       avd->auditallow = 0;
+       avd->auditdeny = 0xffffffff;
+       avd->seqno = latest_granting;
+       avd->flags = 0;
+}
+
 
 /**
  * security_compute_av - Compute access vector decisions.
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
- * @requested: requested permissions
  * @avd: access vector decisions
  *
  * Compute a set of access vector decisions based on the
  * SID pair (@ssid, @tsid) for the permissions in @tclass.
- * Return -%EINVAL if any of the parameters are invalid or %0
- * if the access vector decisions were computed successfully.
  */
-int security_compute_av(u32 ssid,
-                       u32 tsid,
-                       u16 tclass,
-                       u32 requested,
-                       struct av_decision *avd)
+void security_compute_av(u32 ssid,
+                        u32 tsid,
+                        u16 orig_tclass,
+                        struct av_decision *avd)
 {
+       u16 tclass;
        struct context *scontext = NULL, *tcontext = NULL;
-       int rc = 0;
 
-       if (!ss_initialized) {
-               avd->allowed = 0xffffffff;
-               avd->decided = 0xffffffff;
-               avd->auditallow = 0;
-               avd->auditdeny = 0xffffffff;
-               avd->seqno = latest_granting;
-               return 0;
+       read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
+
+       scontext = sidtab_search(&sidtab, ssid);
+       if (!scontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
+               goto out;
        }
 
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+       tcontext = sidtab_search(&sidtab, tsid);
+       if (!tcontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
+               goto out;
+       }
+
+       tclass = unmap_class(orig_tclass);
+       if (unlikely(orig_tclass && !tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+       map_decision(orig_tclass, avd, policydb.allow_unknown);
+out:
+       read_unlock(&policy_rwlock);
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
+}
+
+void security_compute_av_user(u32 ssid,
+                             u32 tsid,
+                             u16 tclass,
+                             struct av_decision *avd)
+{
+       struct context *scontext = NULL, *tcontext = NULL;
+
        read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
 
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
                       __func__, ssid);
-               rc = -EINVAL;
                goto out;
        }
+
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
        tcontext = sidtab_search(&sidtab, tsid);
        if (!tcontext) {
                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
                       __func__, tsid);
-               rc = -EINVAL;
                goto out;
        }
 
-       rc = context_struct_compute_av(scontext, tcontext, tclass,
-                                      requested, avd);
-out:
+       if (unlikely(!tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+ out:
        read_unlock(&policy_rwlock);
-       return rc;
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
 }
 
 /*
@@ -785,7 +992,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 {
        char *scontextp;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len = 0;
 
        if (context->len) {
@@ -802,6 +1010,9 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
        *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
        *scontext_len += mls_compute_context_len(context);
 
+       if (!scontext)
+               return 0;
+
        /* Allocate space for the context; caller must free this space. */
        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
        if (!scontextp)
@@ -841,7 +1052,8 @@ static int security_sid_to_context_core(u32 sid, char **scontext,
        struct context *context;
        int rc = 0;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len  = 0;
 
        if (!ss_initialized) {
@@ -849,6 +1061,8 @@ static int security_sid_to_context_core(u32 sid, char **scontext,
                        char *scontextp;
 
                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
+                       if (!scontext)
+                               goto out;
                        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
                        if (!scontextp) {
                                rc = -ENOMEM;
@@ -1013,7 +1227,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
        *sid = SECSID_NULL;
 
        /* Copy the string so that we can modify the copy as we parse it. */
-       scontext2 = kmalloc(scontext_len+1, gfp_flags);
+       scontext2 = kmalloc(scontext_len + 1, gfp_flags);
        if (!scontext2)
                return -ENOMEM;
        memcpy(scontext2, scontext, scontext_len);
@@ -1128,20 +1342,22 @@ out:
 
 static int security_compute_sid(u32 ssid,
                                u32 tsid,
-                               u16 tclass,
+                               u16 orig_tclass,
                                u32 specified,
-                               u32 *out_sid)
+                               u32 *out_sid,
+                               bool kern)
 {
        struct context *scontext = NULL, *tcontext = NULL, newcontext;
        struct role_trans *roletr = NULL;
        struct avtab_key avkey;
        struct avtab_datum *avdatum;
        struct avtab_node *node;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized) {
-               switch (tclass) {
-               case SECCLASS_PROCESS:
+               switch (orig_tclass) {
+               case SECCLASS_PROCESS: /* kernel value */
                        *out_sid = ssid;
                        break;
                default:
@@ -1155,6 +1371,11 @@ static int security_compute_sid(u32 ssid,
 
        read_lock(&policy_rwlock);
 
+       if (kern)
+               tclass = unmap_class(orig_tclass);
+       else
+               tclass = orig_tclass;
+
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
@@ -1184,13 +1405,11 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Set the role and type to default values. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if (tclass == policydb.process_class) {
                /* Use the current role and type of process. */
                newcontext.role = scontext->role;
                newcontext.type = scontext->type;
-               break;
-       default:
+       } else {
                /* Use the well-defined object role. */
                newcontext.role = OBJECT_R_VAL;
                /* Use the type of the related object. */
@@ -1221,8 +1440,7 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Check for class-specific changes. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if  (tclass == policydb.process_class) {
                if (specified & AVTAB_TRANSITION) {
                        /* Look for a role transition rule. */
                        for (roletr = policydb.role_tr; roletr;
@@ -1235,9 +1453,6 @@ static int security_compute_sid(u32 ssid,
                                }
                        }
                }
-               break;
-       default:
-               break;
        }
 
        /* Set the MLS attributes.
@@ -1282,7 +1497,17 @@ int security_transition_sid(u32 ssid,
                            u16 tclass,
                            u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+                                u32 tsid,
+                                u16 tclass,
+                                u32 *out_sid)
+{
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, false);
 }
 
 /**
@@ -1303,7 +1528,8 @@ int security_member_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+                                   false);
 }
 
 /**
@@ -1324,144 +1550,8 @@ int security_change_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
-       int i, j;
-       struct class_datum *cladatum;
-       struct perm_datum *perdatum;
-       u32 nprim, tmp, common_pts_len, perm_val, pol_val;
-       u16 class_val;
-       const struct selinux_class_perm *kdefs = &selinux_class_perm;
-       const char *def_class, *def_perm, *pol_class;
-       struct symtab *perms;
-       bool print_unknown_handle = 0;
-
-       if (p->allow_unknown) {
-               u32 num_classes = kdefs->cts_len;
-               p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
-               if (!p->undefined_perms)
-                       return -ENOMEM;
-       }
-
-       for (i = 1; i < kdefs->cts_len; i++) {
-               def_class = kdefs->class_to_string[i];
-               if (!def_class)
-                       continue;
-               if (i > p->p_classes.nprim) {
-                       printk(KERN_INFO
-                              "SELinux:  class %s not defined in policy\n",
-                              def_class);
-                       if (p->reject_unknown)
-                               return -EINVAL;
-                       if (p->allow_unknown)
-                               p->undefined_perms[i-1] = ~0U;
-                       print_unknown_handle = 1;
-                       continue;
-               }
-               pol_class = p->p_class_val_to_name[i-1];
-               if (strcmp(pol_class, def_class)) {
-                       printk(KERN_ERR
-                              "SELinux:  class %d is incorrect, found %s but should be %s\n",
-                              i, pol_class, def_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_pts_len; i++) {
-               class_val = kdefs->av_perm_to_string[i].tclass;
-               perm_val = kdefs->av_perm_to_string[i].value;
-               def_perm = kdefs->av_perm_to_string[i].name;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               perms = &cladatum->permissions;
-               nprim = 1 << (perms->nprim - 1);
-               if (perm_val > nprim) {
-                       printk(KERN_INFO
-                              "SELinux:  permission %s in class %s not defined in policy\n",
-                              def_perm, pol_class);
-                       if (p->reject_unknown)
-                               return -EINVAL;
-                       if (p->allow_unknown)
-                               p->undefined_perms[class_val-1] |= perm_val;
-                       print_unknown_handle = 1;
-                       continue;
-               }
-               perdatum = hashtab_search(perms->table, def_perm);
-               if (perdatum == NULL) {
-                       printk(KERN_ERR
-                              "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-               pol_val = 1 << (perdatum->value - 1);
-               if (pol_val != perm_val) {
-                       printk(KERN_ERR
-                              "SELinux:  permission %s in class %s has incorrect value\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_inherit_len; i++) {
-               class_val = kdefs->av_inherit[i].tclass;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               if (!cladatum->comdatum) {
-                       printk(KERN_ERR
-                              "SELinux:  class %s should have an inherits clause but does not\n",
-                              pol_class);
-                       return -EINVAL;
-               }
-               tmp = kdefs->av_inherit[i].common_base;
-               common_pts_len = 0;
-               while (!(tmp & 0x01)) {
-                       common_pts_len++;
-                       tmp >>= 1;
-               }
-               perms = &cladatum->comdatum->permissions;
-               for (j = 0; j < common_pts_len; j++) {
-                       def_perm = kdefs->av_inherit[i].common_pts[j];
-                       if (j >= perms->nprim) {
-                               printk(KERN_INFO
-                                      "SELinux:  permission %s in class %s not defined in policy\n",
-                                      def_perm, pol_class);
-                               if (p->reject_unknown)
-                                       return -EINVAL;
-                               if (p->allow_unknown)
-                                       p->undefined_perms[class_val-1] |= (1 << j);
-                               print_unknown_handle = 1;
-                               continue;
-                       }
-                       perdatum = hashtab_search(perms->table, def_perm);
-                       if (perdatum == NULL) {
-                               printk(KERN_ERR
-                                      "SELinux:  permission %s in class %s not found in policy, bad policy\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-                       if (perdatum->value != j + 1) {
-                               printk(KERN_ERR
-                                      "SELinux:  permission %s in class %s has incorrect value\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-               }
-       }
-       if (print_unknown_handle)
-               printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
-                       (security_get_allow_unknown() ? "allowed" : "denied"));
-       return 0;
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+                                   false);
 }
 
 /* Clone the SID into the new SID table. */
@@ -1471,7 +1561,10 @@ static int clone_sid(u32 sid,
 {
        struct sidtab *s = arg;
 
-       return sidtab_insert(s, sid, context);
+       if (sid > SECINITSID_NUM)
+               return sidtab_insert(s, sid, context);
+       else
+               return 0;
 }
 
 static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1512,12 +1605,17 @@ static int convert_context(u32 key,
 {
        struct convert_context_args *args;
        struct context oldc;
+       struct ocontext *oc;
+       struct mls_range *range;
        struct role_datum *role;
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *s;
        u32 len;
-       int rc;
+       int rc = 0;
+
+       if (key <= SECINITSID_NUM)
+               goto out;
 
        args = p;
 
@@ -1579,9 +1677,39 @@ static int convert_context(u32 key,
                goto bad;
        c->type = typdatum->value;
 
-       rc = mls_convert_context(args->oldp, args->newp, c);
-       if (rc)
-               goto bad;
+       /* Convert the MLS fields if dealing with MLS policies */
+       if (args->oldp->mls_enabled && args->newp->mls_enabled) {
+               rc = mls_convert_context(args->oldp, args->newp, c);
+               if (rc)
+                       goto bad;
+       } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
+               /*
+                * Switching between MLS and non-MLS policy:
+                * free any storage used by the MLS fields in the
+                * context for all existing entries in the sidtab.
+                */
+               mls_context_destroy(c);
+       } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+               /*
+                * Switching between non-MLS and MLS policy:
+                * ensure that the MLS fields of the context for all
+                * existing entries in the sidtab are filled in with a
+                * suitable default value, likely taken from one of the
+                * initial SIDs.
+                */
+               oc = args->newp->ocontexts[OCON_ISID];
+               while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+                       oc = oc->next;
+               if (!oc) {
+                       printk(KERN_ERR "SELinux:  unable to look up"
+                               " the initial SIDs list\n");
+                       goto bad;
+               }
+               range = &oc->context[0].range;
+               rc = mls_range_set(c, range);
+               if (rc)
+                       goto bad;
+       }
 
        /* Check the validity of the new context. */
        if (!policydb_context_isvalid(args->newp, c)) {
@@ -1634,38 +1762,45 @@ int security_load_policy(void *data, size_t len)
 {
        struct policydb oldpolicydb, newpolicydb;
        struct sidtab oldsidtab, newsidtab;
+       struct selinux_mapping *oldmap, *map = NULL;
        struct convert_context_args args;
        u32 seqno;
+       u16 map_size;
        int rc = 0;
        struct policy_file file = { data, len }, *fp = &file;
 
        if (!ss_initialized) {
                avtab_cache_init();
-               if (policydb_read(&policydb, fp)) {
+               rc = policydb_read(&policydb, fp);
+               if (rc) {
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               if (policydb_load_isids(&policydb, &sidtab)) {
+
+               policydb.len = len;
+               rc = selinux_set_mapping(&policydb, secclass_map,
+                                        &current_mapping,
+                                        &current_mapping_size);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               /* Verify that the kernel defined classes are correct. */
-               if (validate_classes(&policydb)) {
-                       printk(KERN_ERR
-                              "SELinux:  the definition of a class is incorrect\n");
-                       sidtab_destroy(&sidtab);
+
+               rc = policydb_load_isids(&policydb, &sidtab);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
+
                security_load_policycaps();
-               policydb_loaded_version = policydb.policyvers;
                ss_initialized = 1;
                seqno = ++latest_granting;
                selinux_complete_init();
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_netlbl_cache_invalidate();
                selinux_xfrm_notify_policyload();
                return 0;
@@ -1675,21 +1810,27 @@ int security_load_policy(void *data, size_t len)
        sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-       if (policydb_read(&newpolicydb, fp))
-               return -EINVAL;
+       rc = policydb_read(&newpolicydb, fp);
+       if (rc)
+               return rc;
+
+       newpolicydb.len = len;
+       /* If switching between different policy types, log MLS status */
+       if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Disabling MLS support...\n");
+       else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Enabling MLS support...\n");
 
-       if (sidtab_init(&newsidtab)) {
+       rc = policydb_load_isids(&newpolicydb, &newsidtab);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
                policydb_destroy(&newpolicydb);
-               return -ENOMEM;
+               return rc;
        }
 
-       /* Verify that the kernel defined classes are correct. */
-       if (validate_classes(&newpolicydb)) {
-               printk(KERN_ERR
-                      "SELinux:  the definition of a class is incorrect\n");
-               rc = -EINVAL;
+       rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+       if (rc)
                goto err;
-       }
 
        rc = security_preserve_bools(&newpolicydb);
        if (rc) {
@@ -1699,10 +1840,10 @@ int security_load_policy(void *data, size_t len)
 
        /* Clone the SID table. */
        sidtab_shutdown(&sidtab);
-       if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-               rc = -ENOMEM;
+
+       rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+       if (rc)
                goto err;
-       }
 
        /*
         * Convert the internal representations of contexts
@@ -1711,8 +1852,12 @@ int security_load_policy(void *data, size_t len)
        args.oldp = &policydb;
        args.newp = &newpolicydb;
        rc = sidtab_map(&newsidtab, convert_context, &args);
-       if (rc)
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to convert the internal"
+                       " representation of contexts in the new SID"
+                       " table\n");
                goto err;
+       }
 
        /* Save the old policydb and SID table to free later. */
        memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1723,28 +1868,44 @@ int security_load_policy(void *data, size_t len)
        memcpy(&policydb, &newpolicydb, sizeof policydb);
        sidtab_set(&sidtab, &newsidtab);
        security_load_policycaps();
+       oldmap = current_mapping;
+       current_mapping = map;
+       current_mapping_size = map_size;
        seqno = ++latest_granting;
-       policydb_loaded_version = policydb.policyvers;
        write_unlock_irq(&policy_rwlock);
 
        /* Free the old policydb and SID table. */
        policydb_destroy(&oldpolicydb);
        sidtab_destroy(&oldsidtab);
+       kfree(oldmap);
 
        avc_ss_reset(seqno);
        selnl_notify_policyload(seqno);
+       selinux_status_update_policyload(seqno);
        selinux_netlbl_cache_invalidate();
        selinux_xfrm_notify_policyload();
 
        return 0;
 
 err:
+       kfree(map);
        sidtab_destroy(&newsidtab);
        policydb_destroy(&newpolicydb);
        return rc;
 
 }
 
+size_t security_policydb_len(void)
+{
+       size_t len;
+
+       read_lock(&policy_rwlock);
+       len = policydb.len;
+       read_unlock(&policy_rwlock);
+
+       return len;
+}
+
 /**
  * security_port_sid - Obtain the SID for a port.
  * @protocol: protocol number
@@ -1973,9 +2134,9 @@ int security_get_user_sids(u32 fromsid,
 
        ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
                role = policydb.role_val_to_struct[i];
-               usercon.role = i+1;
+               usercon.role = i + 1;
                ebitmap_for_each_positive_bit(&role->types, tnode, j) {
-                       usercon.type = j+1;
+                       usercon.type = j + 1;
 
                        if (mls_setup_user_range(fromcon, user, &usercon))
                                continue;
@@ -2015,7 +2176,7 @@ out_unlock:
        }
        for (i = 0, j = 0; i < mynel; i++) {
                rc = avc_has_perm_noaudit(fromsid, mysids[i],
-                                         SECCLASS_PROCESS,
+                                         SECCLASS_PROCESS, /* kernel value */
                                          PROCESS__TRANSITION, AVC_STRICT,
                                          NULL);
                if (!rc)
@@ -2043,10 +2204,11 @@ out:
  */
 int security_genfs_sid(const char *fstype,
                       char *path,
-                      u16 sclass,
+                      u16 orig_sclass,
                       u32 *sid)
 {
        int len;
+       u16 sclass;
        struct genfs *genfs;
        struct ocontext *c;
        int rc = 0, cmp = 0;
@@ -2056,6 +2218,8 @@ int security_genfs_sid(const char *fstype,
 
        read_lock(&policy_rwlock);
 
+       sclass = unmap_class(orig_sclass);
+
        for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
                cmp = strcmp(fstype, genfs->fstype);
                if (cmp <= 0)
@@ -2233,6 +2397,7 @@ out:
        if (!rc) {
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_xfrm_notify_policyload();
        }
        return rc;
@@ -2301,7 +2466,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        u32 len;
        int rc = 0;
 
-       if (!ss_initialized || !selinux_mls_enabled) {
+       if (!ss_initialized || !policydb.mls_enabled) {
                *new_sid = sid;
                goto out;
        }
@@ -2402,7 +2567,7 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
        /* we don't need to check ss_initialized here since the only way both
         * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
         * security server was initialized and ss_initialized was true */
-       if (!selinux_mls_enabled) {
+       if (!policydb.mls_enabled) {
                *peer_sid = SECSID_NULL;
                return 0;
        }
@@ -2459,7 +2624,7 @@ int security_get_classes(char ***classes, int *nclasses)
        read_lock(&policy_rwlock);
 
        *nclasses = policydb.p_classes.nprim;
-       *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC);
+       *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
        if (!*classes)
                goto out;
 
@@ -2506,7 +2671,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
        }
 
        *nperms = match->permissions.nprim;
-       *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC);
+       *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
        if (!*perms)
                goto out;
 
@@ -2602,7 +2767,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
        case AUDIT_OBJ_ROLE:
        case AUDIT_OBJ_TYPE:
                /* only 'equals' and 'not equals' fit user, role, and type */
-               if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+               if (op != Audit_equal && op != Audit_not_equal)
                        return -EINVAL;
                break;
        case AUDIT_SUBJ_SEN:
@@ -2736,10 +2901,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_USER:
        case AUDIT_OBJ_USER:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->user == rule->au_ctxt.user);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->user != rule->au_ctxt.user);
                        break;
                }
@@ -2747,10 +2912,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_ROLE:
        case AUDIT_OBJ_ROLE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->role == rule->au_ctxt.role);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->role != rule->au_ctxt.role);
                        break;
                }
@@ -2758,10 +2923,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
        case AUDIT_SUBJ_TYPE:
        case AUDIT_OBJ_TYPE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->type == rule->au_ctxt.type);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->type != rule->au_ctxt.type);
                        break;
                }
@@ -2774,31 +2939,31 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
                          field == AUDIT_OBJ_LEV_LOW) ?
                         &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
                                             level);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
                                              level);
                        break;
-               case AUDIT_LESS_THAN:
+               case Audit_lt:
                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
                                               level) &&
                                 !mls_level_eq(&rule->au_ctxt.range.level[0],
                                               level));
                        break;
-               case AUDIT_LESS_THAN_OR_EQUAL:
+               case Audit_le:
                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
                                              level);
                        break;
-               case AUDIT_GREATER_THAN:
+               case Audit_gt:
                        match = (mls_level_dom(level,
                                              &rule->au_ctxt.range.level[0]) &&
                                 !mls_level_eq(level,
                                               &rule->au_ctxt.range.level[0]));
                        break;
-               case AUDIT_GREATER_THAN_OR_EQUAL:
+               case Audit_ge:
                        match = mls_level_dom(level,
                                              &rule->au_ctxt.range.level[0]);
                        break;
@@ -2988,3 +3153,38 @@ netlbl_sid_to_secattr_failure:
        return rc;
 }
 #endif /* CONFIG_NETLABEL */
+
+/**
+ * security_read_policy - read the policy.
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ */
+int security_read_policy(void **data, ssize_t *len)
+{
+       int rc;
+       struct policy_file fp;
+
+       if (!ss_initialized)
+               return -EINVAL;
+
+       *len = security_policydb_len();
+
+       *data = vmalloc_user(*len);
+       if (!*data)
+               return -ENOMEM;
+
+       fp.data = *data;
+       fp.len = *len;
+
+       read_lock(&policy_rwlock);
+       rc = policydb_write(&policydb, &fp);
+       read_unlock(&policy_rwlock);
+
+       if (rc)
+               return rc;
+
+       *len = (unsigned long)fp.data - (unsigned long)*data;
+       return 0;
+
+}