From patchwork Thu Nov 10 21:18:30 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Gruenbacher <agruenba@redhat.com>
X-Patchwork-Id: 9422081
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7764460484 for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 10 Nov 2016 21:24:36 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 64201296C5
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 10 Nov 2016 21:24:36 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 586F1296C3; Thu, 10 Nov 2016 21:24:36 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 305B3296C3
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 10 Nov 2016 21:24:35 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.31,620,1473120000"; d="scan'208";a="843562"
IronPort-PHdr: =?us-ascii?q?9a23=3Ailcg1BH/IAqDeSYg0MbaSJ1GYnF86YWxBRYc798d?=
	=?us-ascii?q?s5kLTJ79o8W4bnLW6fgltlLVR4KTs6sC0LuN9fi7EjVcvN6oizMrSNR0TRgLiM?=
	=?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?=
	=?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCzbL52Ihi6txndu8cZjYd/Jas8ygbCr2dVde?=
	=?us-ascii?q?hR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/Y?=
	=?us-ascii?q?TQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhS?=
	=?us-ascii?q?EaPDMi7mrZltJ/g75aoBK5phxw3YjUYJ2ONPFjeq/RZM4WSXZdUspUUSFODJm8?=
	=?us-ascii?q?b48SBOQfO+hWoZT2q18XoRejGQWgAeXiwSJKiHDrx603y+QvHx/b0gIuHNwBsn?=
	=?us-ascii?q?rUrM33OasPX+26w7XHwzrdYPNNwjr99IrFfwo9rf2QQb58b8zcwlQvGQPfiVWQ?=
	=?us-ascii?q?rJToMi+T1usQqWiU8fBvVfmygGAmsQFxvyagxsE3hYbTmo0Vyk7L9T9ky4syP9?=
	=?us-ascii?q?K4R1R7YcO6H5tWrC6VLZB7Qtk8TG51uCY10KEGtYSncygNzZQq3hjSYOGEfYiQ?=
	=?us-ascii?q?+h/vSemcLDhiiH9lZb6znQi+/Ee+xuHmS8W4yEhGojZBn9XWq3wA2QLf5tKaRv?=
	=?us-ascii?q?Z+8EqtwyiD2gPV5+pZO047j7DbJIQkwrMok5oTtlnMETHulUXtia+Wal0k+u+1?=
	=?us-ascii?q?6+T7ernmpoGTN4tzigzmLqQhgNa/AeUlMggVRWSb5eS926Hj/U3+WrlKiOE5kr?=
	=?us-ascii?q?LFv5zAIMQbp6q5DxdU0oYl9Rm/Ey+r3MkXkHQINl5IeA+Lg5L3N1zBPvz0F+qz?=
	=?us-ascii?q?j0ypkDhxxvDGOrPhAo/KLnjGiLrhZqhy60pdyAo10NBe6ItYBaoGIPLuXE/+qM?=
	=?us-ascii?q?LXDgQiPgyow+foFNV91oQEVWKJGa+WKrnesVCP5uIxO+WMfpMauC7hK/g54P7j?=
	=?us-ascii?q?lXE5mUUHcqmvwZQXaWu4E+9jI0WBYHrgm8wBEGkRvgYkS+zqklKCWyZJZ3muR6?=
	=?us-ascii?q?I8+i07CIW+AIfAXI+tg7uB3DqgE51VfG9GCVeMEWrye4WDQfcMZzqYItV9nTwc?=
	=?us-ascii?q?SbihV4gh2Am0uwDn0bpnL/Tb+jcDuJ35yNd14vfflRYo9Tx7F86dyX2CT3lonm?=
	=?us-ascii?q?MUQD87xKB/rlJ5yleH1qh1mPhYFcFP5/NOVwc1L4TQz+tgC9D9QgjBZMuGSE66?=
	=?us-ascii?q?QtW6BjE8Vskxw9EUY0Z6ANWikgvO3zGsA78Smb2LAYY78qTG03j3Ocl9127M1L?=
	=?us-ascii?q?M9gFk+XstPKWqmi7Zx9gfJA47Jj1uWl7yxdakHwi7C6n2DwnGTvEFdSgJwVr/F?=
	=?us-ascii?q?XX8HbEvMsdv5/l/CT6OpCbk/LgtO1NONKqpQZd3tllhJWPDjONHCbG2rgGewGQ?=
	=?us-ascii?q?yExrWSY4r2Y28dxjnSCFAYkwAP+naLLQ4+Bialo2LaEjNuDknibFny/ulkr3O3?=
	=?us-ascii?q?VEg0zxuFb0d5zbq65gYVheCAS/MUxr8LpT0uqyluE1mj0dLXBMGNqBZhfKpGe9?=
	=?us-ascii?q?M9/ElI1XjDuwx7IJOgM7hohkQCfARvo0PuyxJ3B51ekcgrsHwq0A1yKbiC3Fxd?=
	=?us-ascii?q?dzOY2pbwOrLMJ2n2/RCvbbTZ2kvZ0NqM/acP8vs4oU35vA61Dkoi72ln095N3n?=
	=?us-ascii?q?uY55XKFxYSXYvqUkkp8xh6prfaYjQy5o7Pzn1sKai0sjnD2901H+sp0BCgcMlD?=
	=?us-ascii?q?MKmcDg/9D9UaB9SyKOwtg1WpdBUEPORW9KEqJcOpa/yG2aCwMeZ7gTKpkX9H7J?=
	=?us-ascii?q?p60kKW+Cp2UvTI0Iodw/GEwguHUC/xjE+7vcDqnYBIfysdEnCkxijjAI5Reqpy?=
	=?us-ascii?q?fYAQBGerP8G3wNJ+iIL3V35e6lGjG0sM2NW1dhqKc1z9wQpQ2FwSoXyjgCe30T?=
	=?us-ascii?q?p0nio3rqWB2CzOx/rtdAAdNm5NWmZikU/mIZKogNACQEiocw8pmQOm5Unkwahb?=
	=?us-ascii?q?v79yL2rNTkdOZCj2KX9tUrequrqFec5P54sisT9LX+SkfVCaVrn9rgME0yPlAm?=
	=?us-ascii?q?RT3y47dze3tZX5hRB6jnySLGprpnrDZc5w3Qvf5MDbRfNJxjoJXjR4iT3MC1eg?=
	=?us-ascii?q?Ptmp4dWVm47Nsu+kUWKtTJpTcTPkzYmYriu0+XVqAQGjn/C0gtDnCRI10TL/19?=
	=?us-ascii?q?Z0TSXHthD8YpX12KSgKu9nY1JoC0Hm68phAI1+iYwwhIwK2XcGmJqV830HkX38?=
	=?us-ascii?q?MdpFw67+amQCRSITyd7P/AflwFFjLm6Ox4/hWHWS2M1hZ8W9YmMTwS894d5FB7?=
	=?us-ascii?q?qT7LxehyR1ukC4rQXTYfdjgjgd1eEi6HkAg+EGoAAt1DmSAqgOHUlEOizhjxuI?=
	=?us-ascii?q?79Cio6VNZGevaaSw1E1lkNCnEr6CvhpcV2rjdZc6AyB89MN/P0zQ0Hfr8IHrZM?=
	=?us-ascii?q?HQbc4Pth2TixrAivJaKJY1lvUUmSpnJXjysmc+xu49kxNuwYq6s5SdJGV14q21?=
	=?us-ascii?q?GBhYOSPpZ8kL4DHikb5entqK34CoBphhAC8HXZXyQfKtCj0SsfPnNgaVHTImtn?=
	=?us-ascii?q?ibHKDTHQiF6Edpt3jPCYykN2mLJHkFytVvXB+dJFZFjwAMRDU3hZA5FgGwxMz6?=
	=?us-ascii?q?bEd56DER5ljipRtK1u1oNgPwUmPFqAevcDc0R4CVLABK4QFa+0fVLcue4/prHy?=
	=?us-ascii?q?5G5ZKusgqNKm2HZwRPFmwJW1KLCE79MbW04tnA6eeYDPKkL/TSebWOtfBeV/CQ?=
	=?us-ascii?q?yJ20yYRq+DKMNsSUPnl+FP03wFFDUm5lFMjDgDUAVSgXlyPLb86Gqxax4TF4r8?=
	=?us-ascii?q?Cl8PT2QwLj/4WOBKFOMdV0/BC2h72PN+mKhCZ2MTxYzI8DxWfUyLgD214fkzpu?=
	=?us-ascii?q?eCOzEbsaui7CUrnQl7RMDxEBdSN8LsRI4Lwn3gVXP87UlM/13KZijvEpE1dFSU?=
	=?us-ascii?q?DhmsaxaMMRImG9O1THBECQObubOzLE2MD3brm6SbFKi+VUrRKwsy6BE0D/JjSD?=
	=?us-ascii?q?iyXpVxe3PO5WgyGUJgJet5+mfxZqEWjsUtTmahihP992iT052ro0h3zQOW4bKz?=
	=?us-ascii?q?h8fFtHrqeM4iNAnvV/B2tB42J5LemDniaV9fPYKpEXsPR1BCR7jPha4HMkxLtW?=
	=?us-ascii?q?9yxLWPt1mC7OodF0uFGmjvODyjx5XxpSsjxLnp6EvV1+OaXF8ZlNQXXE/RIJ7W?=
	=?us-ascii?q?qOEBkKotxlCtPhu69O1tjPiKLzKDBH893K58ccAdbbKN6fOno7LRXpACLUDBcC?=
	=?us-ascii?q?TTOzNGHfgVBdn++W9nKLq5g1tITsmIAOS7JAU1w1Du0VCkJgHNMYIZd3Wigrkb?=
	=?us-ascii?q?mUjcIS4nq+thbRTt1Avp/bTvKSHenvKDGBgLlCeRQH27f4IJ8QNo38wExidkN1?=
	=?us-ascii?q?nILRG0rTXNBBuCthYREooE9V6nhxUnUz2175agOq+HITD+C7ngUohQRke+Qi6D?=
	=?us-ascii?q?fs7kwsKVrLvis/jU4xmdv9gTCLbjHwLL28XYdIBCror0IxKI/0Qx5pbQ2umkxp?=
	=?us-ascii?q?LCrLR7VXj7tmaG9klgvcuZpUFPFGU6JEehgQyeuQZ/Uy3lRWsj+nylNf5evZFZ?=
	=?us-ascii?q?tikxMnfoO2oHJe2gJsccU1KLfKK6pT1FhQgayPvjS22e8t3Q8ePUcN8H+SeSIS?=
	=?us-ascii?q?vkwHKKUmLTKy/uNw8QyChydDeG8UWvU3ufJl6FkyO+uazy36zb5OMVuxOPacL6?=
	=?us-ascii?q?OEoWjPj9SEQlct1kMOjUZF56F60dskc0qXV0Evy6GdFxIXOsreMQtVddZd9GDP?=
	=?us-ascii?q?fSaStuXA2Zx1P5+jGe/1Vu+BrqAUgl6jHAYyBIkD9NgOHpy23EHfN8fnI6YPyQ?=
	=?us-ascii?q?8x6wTzOFWFEPNJdQqPkDcAucGw0pl33IhaJjwGDmV9Nzi36qzQpg8wj/qJRM02?=
	=?us-ascii?q?bWsCXosYKnI2X9W3mzVHsHREDTm31P8ZyQeZ4jDgoSTQCSXzYMB4ZPeIfx9sDs?=
	=?us-ascii?q?+5+Skn+aislVHX6oneJ339Ndl6ud/P8+MbqIyBC/NITblwqEjcm45AR3O2SWLP?=
	=?us-ascii?q?F8C6J4ToYYk2cdP0Emq6UkC4iz8tU8fxPdOtLq+UgQHoRYdZq5SU3DEjNMCnDT?=
	=?us-ascii?q?4SARFwqP8f5Khkfw0Mf4I7YQL0twQ5L6G/IACY3cugQ2mzMztbVPhfwvukaLNJ?=
	=?us-ascii?q?1SYsafW6yHQ4RJEg0+a36VINRI0NjhzG3/mjY4heXjTtFXNFfgXOpSw5l29nNu?=
	=?us-ascii?q?ko2eow2xLIvkMaMzySeuxpdXZIv9ciClOOOX92EHY3R0eAjYrf5Q6hx6sd8DVb?=
	=?us-ascii?q?n9tPy+JKrWb+sYHFYDK3QqOrs5XUvzAnbdg8rK17KZbjLdeetJPCgjzfS4Hdsg?=
	=?us-ascii?q?KYUC67E/pansZfICdDTfZVh24qIs0GtpBH6UYrUcc+PbNPArE2pr+2cTpkETIS?=
	=?us-ascii?q?zSgBWoOa2jwCg/uz27vdlheUa5QsKAUKvohYjNYBVCB7eT8RpKimV4rKjWCEUX?=
	=?us-ascii?q?QLLB0V7QtS+AIKjpVwcfz94IrUUJ9MzCZbo+hpXSTWDZRo+F77S26MjVj+Vvqh?=
	=?us-ascii?q?j/Sj3RhOw/L0ztkbRBl/BFBByOZUjEQnNKp6JLUXvo7Otj+IdF31vHjxyOS4OF?=
	=?us-ascii?q?ZRydfYd1riDIrKrWD8SDET+WUIRY9Tz3HSDY4SnBBjaKYsv1pBO5ymelzk6Dw6?=
	=?us-ascii?q?2YtpG7i4Vcakx1YhrHYGSCeqE8ZPC+58qlLXXSdpY5a1p5X5I59SWHNf+IWBq1?=
	=?us-ascii?q?dFl0VgKy64xoBHK85X5z4MXT5PrC6cvNuuUsJDwtN5AIUWLtd5pXj9BLtOOIKN?=
	=?us-ascii?q?rH0uprzv1njZ9igysVug2DqzG664T+dY/2IEGQUkPGWepVcxAOQy6GvS9UrNsl?=
	=?us-ascii?q?9s9edBGrePlVlxoCp6Hp1WHDlJz22lL1JpQHlFqOhaKaXVc81AQ/YpfxOvPQIx?=
	=?us-ascii?q?FeI+1UyT4U50hWv5YzB1tgZC9CDdRRM7VS8Jgrr2mD0erc+mOTkGS5JIczohbi?=
	=?us-ascii?q?HFKx6FliBNphpfbV9lW4wBCNZf574bxZdU/tbFSUu0NSEFWxliOxkk0fZDkE5M?=
	=?us-ascii?q?q1+UeSbDAgq0bfzPqAF4fd+NrM61K/T05AdHhZn9sO8i86UMWmarlhCzTtDGt4?=
	=?us-ascii?q?/zqNmKuVWUdKviNO28e3DBRiDWjR+snbckE4XK/y/LPQpZLJl112EpboX/Bm7Q?=
	=?us-ascii?q?IxtGPb4bKFRGWqxgb9VJvPxabdd+eKkV4a9tGg6HRhT3FYO0ovlJMkrfSDbDIy?=
	=?us-ascii?q?iP6eGwvYXT7bnBRuf6fcyM22zLQ6RpMZdm8TP7Aavl0ZdC+krq3fdg7ll6Rkbb?=
	=?us-ascii?q?PCCBttvhOhgG5M2ldkv8oJIlAy/ZAJBtn3Xz3E1AcdQYQzGy+pQC1JxZ8GrwSf?=
	=?us-ascii?q?5/0kXrqO1S7KVk5pMq7LB10sq0PqDSKelAsUB7HBeUABlq9o83D2h7XWxRZfUR?=
	=?us-ascii?q?KPjJd6QDkc/us/z3F7AQ6BCN5+xZc8XIKF/clcSkFzGcTQBEnB0bpj4ELwuc0P?=
	=?us-ascii?q?qFlLFoScq/ouj5wE0t6UCkLhEa1LBt+ZuE+q2QqeDKaRve16MJVbXsRszptLgs?=
	=?us-ascii?q?vFmS5fI8nr4UZmN1exGnEPQaVsMFxGfv16YqzSw2E8PEAr3v5uVOV24jkTLmgJ?=
	=?us-ascii?q?B9GE8aGvUKErqX5Y5ehHs3m/TFNt0KdaBPgmSPGgS+Er8F0n6r7zGYIHd+jxHL?=
	=?us-ascii?q?zhHwRX+z7F7qoi95WyTMyczjnlBSVrmtCkdYRzCpNlNgsDOTIAros8L6uaIx7E?=
	=?us-ascii?q?wtM2zksteNmHGgOLNREc3/PsaTITIopFINkZ0+WsCv2Z0BGdWjOtsR92t+bvTG?=
	=?us-ascii?q?4WOxjyBBu7tHh5bZ4syN/PXXHGWvj6qeq7qX3zBU0Hk4vVY46tC7LfHD/NiKTv?=
	=?us-ascii?q?un1moLSCd/oQTBVQavqrPHt1AUJVCL0EDTlYMWJN5Z2Wc31lr65OkjR9I+7x5e?=
	=?us-ascii?q?GZrBZ/wcozDzJDr0zkyFb9IxSCaezyNdHkjpHllgBKg8xGXwsdrNlXfL/l0lRp?=
	=?us-ascii?q?J9d0L5ihNqCIU4M1gi6EANwioEEwgCdwyUDK2yCUTiN4sEWlAJaQ6b07iiZqc3?=
	=?us-ascii?q?wUpzz6uq5O/Xc+N8Aq0NOehZjgOVk1hUBJUWsbYGQL1mZ19d9bTYpgzjC4jhQ/?=
	=?us-ascii?q?jpi34wNfm0QsBV788ZsWct7RilSxqm95hD864RiIqUea5cfZjMoMd84l9l5T4O?=
	=?us-ascii?q?cyxAmx1/gA25UO8CvuDj497bsJWy5uaoSqktW/0d9wIoCGRmk5vwnFcjrMnW1+?=
	=?us-ascii?q?ZdUILak5jw/RtWI3GUpIbVzQVzJfAJK4Kxc7Zq728HKDQGJ3ISIdqWbOEx7DRs?=
	=?us-ascii?q?MDXI6V1NGMEMZdIEPMrVgw9Ul0npVapP+crcB1CXFZ18d90y72rw0jA664EwUu?=
	=?us-ascii?q?H66D+5PZrf9U1CP+tfjCVwk9LPvPAVzuDOCCcL4XmYZR91wjmBy5WUEPb/4+GM?=
	=?us-ascii?q?yNDSV1MbES87SJ9dKyCe+QO7Ruq0mpLpUhmX6sPpg5IxaliQRnqvk6QBqKpMFv?=
	=?us-ascii?q?RAiirj1DhECo/1n+6Vs8ar6GZPql1HCph87RnfF6VZIJp2Ign3lsikRkh9Givw?=
	=?us-ascii?q?YtrUeQA0uOqL3OsM5ftxN1fmb48BPh0E06766WZSTgZ2R775pEyZUvwNZNtmU/?=
	=?us-ascii?q?7EqnFV6Z5+JK8PJleduYfqoi1OqF8oHA8jcKUwoSBCdknSgA1VXL75uLEehQsa?=
	=?us-ascii?q?Td55vkhMFWWrOG0g4zrHVKJVjLSeCfEO9jWcULYOUkVyPS9kRRO6xolucaOznf?=
	=?us-ascii?q?9bqmNGgj99oP8y3jxjQxu8vzHsp60T1j87/bG4tS8OuXpbQeWCnSbIDk9DzPcR?=
	=?us-ascii?q?jasGDXbt90C8amEZbITu+LlnOdjg9Y457nQwfRojZDYGUf29BS//ia2IA4qPsM?=
	=?us-ascii?q?9ThROWt8XOaKW8LS4MObgnzhLjXXd92BDEnBl06GsLXimg7Ng8KYW/PsYlxiyo?=
	=?us-ascii?q?FXLHe1YM5qNJrdb+tF8KTOswclNhw2Rj39OZRi0MWszAAWI1gRUlaWledpJM9w?=
	=?us-ascii?q?MaHbEygjmUpqlG4h0UYDDMH4Sk5Infh8HI1GI5Tdd3223Wp6qFhogw3H1igdN0?=
	=?us-ascii?q?4TaEuG4OeOzAT89sHn/z259dyePgafWtvOQHRZBoybu7Vv8NLNWj9XGw2Jp0Rk?=
	=?us-ascii?q?+v3q4eEEahMO8f2rfbVD+oSWKcWeSMfWmDgTI5Mkrp6BmzKV03bsZKoFMnPuvE?=
	=?us-ascii?q?mJFcixXrUaloSSWIuV/b0GsjPPsYdwI2uIanYwsKTOoQZ+iAO+cj2/g+CFoQb3?=
	=?us-ascii?q?/TAyR6Eei2sUSinIJjIXVv/V36Yfjx8gDhKNaSBhgEEYvBo55t+Py1WmGBNmFk?=
	=?us-ascii?q?zBFoOkl76fvfHUwrtuBAa5aRgcTQh9Nj3O4AdvdtMi49utkIl4Jh84aU08CKcR?=
	=?us-ascii?q?fPwZb0P93VpOaXA+HHxUQwZm5aSqYZYR/y54giJdE2RbvTHadCsBQHAag6R4Ah?=
	=?us-ascii?q?N3vv9K5qMQx/aAnRZK67gsPyvOKEeoNUp2PK7lI3NCrcoxoDyviuQgxhYZGqgH?=
	=?us-ascii?q?HyIJ4rSzJEqN1tDQBmE5VTFMMaqAqnGIWUmKC9i9++4U96vPUKsaXoAPDQyNu5?=
	=?us-ascii?q?x5lxX4Rd5UGTMjbeGq1rgkV9juusmfrB05jxCcbnedwaTuh7RnDKZqXBHoWlJT?=
	=?us-ascii?q?KEItj8dFJe876AzLJ5VQ2cZCDlX6qGsy2kMe9r4V4gx4x9ferT0CYt4K/B1Nv1?=
	=?us-ascii?q?fWFbqT+prWSVO5tH8FzKGeveUgpaSPqd6mZlHLEYYpXv+ecLMNwi3MKc7Bdp4D?=
	=?us-ascii?q?RFysuFLLCrrlXQ1UJjaZLbMEzp1j4+WYkOPhuyKlMsgWvDpXTGHXRcL9SrKdV3?=
	=?us-ascii?q?gNmLEBPh/U9xln8xZmRZAGrnWc+ROXQH28K5fACK8ANLD9Aen++4YEI4sqyySf?=
	=?us-ascii?q?J0OpVeguiqta8IkdBuKy3VQ8haJS7QJqdsPjVNFuXPuEQoYhkcvrguRIg1YZmO?=
	=?us-ascii?q?IEUaMEaPzi/8whfC0U3qeNy2yqmJODwZ/25Ez73byzhMoRe2ufKCjc3+X7DVdp?=
	=?us-ascii?q?b2XOTdMCA9TDGVWSwyEVq1+Vejo/cEuPuYIXwDol0PYyOSEQgTqbp1odjWEGDT?=
	=?us-ascii?q?hfVpfIcWi/CCRyDwVCp4mbI3BilRqU+MQ/sDFQ/Rb3L6nmpcuQqiKeFI/XLkab?=
	=?us-ascii?q?2Y26VUV/YRAotWff2TW8HYduxGJzc0ijUZP/6xf9/GoLY61VLHVnAUE7TO9F2C?=
	=?us-ascii?q?TE6WReGcxz3rXYUJpYQ0vDQn+s7IlC9tD6vIJ6qfpyKp8oOggyaXo/bRVnMsY0?=
	=?us-ascii?q?MrhOIPG3eBwB1aJ2EfCtEVpVvhQqieaEZQzHgpk/5h2wcQeARvVX1jyn9WnPO6?=
	=?us-ascii?q?Gs1DU14UjXiuTeYAbF9tCTM/406K7hf1YdwatsDZX3Ve+acUSYoBMPko75HaN7?=
	=?us-ascii?q?USwPYu3DJmpjc6syKbD15GgQKF6bfQHLxiyb1Y/2U4+e95Xl2XSTPFbmfH0pam?=
	=?us-ascii?q?C95IxSp2unDk2c/UsfxsObZZvIx5HkkFATh3JtHc+jBBV3v42A2ssBanBD6eOi?=
	=?us-ascii?q?4W4C4XJSwZceZ41+17sBHOdtbF8k6Qsrwup1alCQaMELq7xIJEBtvv1QqmdSkY?=
	=?us-ascii?q?OQmsQqh/t/IFsdEVe65vMZC3HlTpNgHjCkedvCcW+V7hpbH9SYJx3mgGkqgqYO?=
	=?us-ascii?q?rsVo0OAMiRiCp02F5U1ZEPyiuXGdqZaZrnvYgwKGsPPdGFQGPqe9qdMi37rvEY?=
	=?us-ascii?q?+o8nDUeJcOETN28dtIQ5wDTEdVStrK728jWAJ7rwWiakNccEOZ+ohnMG1q/OLJ?=
	=?us-ascii?q?7j4fZLIWAK8ag1lYXLsnWI+WfUWsq+YnKrmkZhDRarc8nGvMgkapM=3D?=
X-IPAS-Result: =?us-ascii?q?A2FMBAAV5SRY/wHyM5BeGwEBAQMBAQEJAQEBFwEBBAEBCgE?=
	=?us-ascii?q?BgwUBAQEBAR+BV7siIoglUwEBAQEBAQEBAgECXyiCMxoBghQCBAECJBMUIAsDA?=
	=?us-ascii?q?wkBARcpCAgDAS0VEQYBBwsFGASIPrJRUjgCiy4BAQgBAQEBAQEhhj6IdBEBhX0?=
	=?us-ascii?q?BBIhQhg+LWJBTAooQhgqRQ1VYKByDHxyBXnGFLYItAQEB?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 10 Nov 2016 21:24:33 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uAALOW47025965;
	Thu, 10 Nov 2016 16:24:33 -0500
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	uAALInCV031939 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Thu, 10 Nov 2016 16:18:49 -0500
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uAALIefN025085;
	Thu, 10 Nov 2016 16:18:41 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A1BLAAAt4yRYhxy3hNFeGwEBAQMBAQEJAQEBgzABAQEBAYF2txCEFoYkAoIdUwECAQEBAQECEwEBAQoLCQkdhRICAQMnUhBRVwYBEohfslhSi2gBAQgnhj6PAwWIUIYPi1iQUwKQGpFDgVUcgx8RC4FePTSHWgEBAQ
X-IPAS-Result: 
 A1BLAAAt4yRYhxy3hNFeGwEBAQMBAQEJAQEBgzABAQEBAYF2txCEFoYkAoIdUwECAQEBAQECEwEBAQoLCQkdhRICAQMnUhBRVwYBEohfslhSi2gBAQgnhj6PAwWIUIYPi1iQUwKQGpFDgVUcgx8RC4FePTSHWgEBAQ
X-IronPort-AV: E=Sophos;i="5.31,620,1473134400"; d="scan'208";a="5816985"
Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov)
	([10.208.41.36])
	by goalie.tycho.ncsc.mil with ESMTP; 10 Nov 2016 16:18:40 -0500
IronPort-PHdr: =?us-ascii?q?9a23=3AazqaTxVFf9Cd4Bafif8gsbFKXELV8LGtZVwlr6E/?=
	=?us-ascii?q?grcLSJyIuqrYbBOPt8tkgFKBZ4jH8fUM07OQ6PG7HzRbqs/d7TgrS99lb1c9k8?=
	=?us-ascii?q?IYnggtUoauKHbQC7rUVRE8B9lIT1R//nu2YgB/Ecf6YEDO8DXptWZBUhrwOhBo?=
	=?us-ascii?q?KevrB4Xck9q41/yo+53Ufg5EmCexbal8IRiyowjdrNUajIVtJqosxRbEomZDdv?=
	=?us-ascii?q?hLy29vOV+dhQv36N2q/J5k/SRQuvYh+NBFXK7nYak2TqFWASo/PWwt68LlqRfM?=
	=?us-ascii?q?TQ2U5nsBSWoWiQZHAxLE7B7hQJj8tDbxu/dn1ymbOc32Sq00WSin4qx2RhLklD?=
	=?us-ascii?q?sLOjgk+2zMlMd+kLxUrw6gpxxnwo7bfoeVNOZlfqjAed8WXHdNUtpNWyBEBI63?=
	=?us-ascii?q?cokBAPcbPetAr4fzuUYAoxW9CwauCuPi0SNEimPs0KEmz+gtDR3K0Qo9FNwOqn?=
	=?us-ascii?q?TUq9D1Ob8OXOCz0abI1yvMYOlN2Tzg6YbIaA0hru+KXb1ra8Xe1UkvGB3fjl6N?=
	=?us-ascii?q?roHqJTyV1v4Qs2eF6epvTvighnU9qw5vvzevxt0jipXTio0JzVDE8Dx0zYAoLt?=
	=?us-ascii?q?O7UE52ecCoHIdUui2AKod7TN0uT3t1tCs5xLAKo4C3cSsMxZ863RDQceaHfJKN?=
	=?us-ascii?q?4h/7VOaePzN4hHV9dbK6iBe+7FKsyvfiWcap0FZFtDZFnsPQuXAK0hzf8smHSv?=
	=?us-ascii?q?1j8Ue9wTuDyRzf5+VeLUwpm6fXNYQtzqMzm5cdq0jPACz7lF3zjKCMd0Uk/uao?=
	=?us-ascii?q?6/7gYrXjvpKTLYB0ihvjMqswnMywGv43PxMUX2eF5Ou81Kfs/VHjTLpWif02l7?=
	=?us-ascii?q?HVsIrGKsQDuq65HwhV35446xmiFDery8gYnHkbI1JFfxKLlY7pO0rUL/ziAve/?=
	=?us-ascii?q?hEqsmi9xx//aJr3hHonNLn/bnbf6Y7l9709cyAwuzdFQ/J9UFrEAL+7zWk/2rt?=
	=?us-ascii?q?DYCAQ5PBauz+boD9V9yNBWZWXaOqaENOv3tliS66p7O+CRYKcNsSv5bv0i4OTj?=
	=?us-ascii?q?y3Q+nAlZNZK10IMXZXbwJfFvJ0GUcDK4mdsaOXsbtQo5CurxgRuNViAFIz6fRa?=
	=?us-ascii?q?M3rgkyEoO9RdPOXom3gaepxC6hH4ZOYmlNBxaLC3i+JKueXPJZQSSeOMJoiXQr?=
	=?us-ascii?q?T6WsTYUo3hGjrkeuwrV9M+fS8CQwr5/v1NFpoebUkEdhpnRPE82B3jTVHClPlW?=
	=?us-ascii?q?QSSmpzhfgnrA=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0HPAADn4yRYhxy3hNFeGwEBAQMBAQEJA?=
	=?us-ascii?q?QEBFgEBAQMBAQEJAQEBgwUBAQEBAYF2txCEFoYkAoIdUwEBAQEBAQEBAgECEAE?=
	=?us-ascii?q?BAQoLCQkdMIIzGgGCFAIBAydSEFFXBgESiF+yWFKLZwEBCAIBJIY+jwMFiFCGD?=
	=?us-ascii?q?4tYkFMCkBqRQ4FVHIMfEQuBXj00h1oBAQE?=
X-IPAS-Result: =?us-ascii?q?A0HPAADn4yRYhxy3hNFeGwEBAQMBAQEJAQEBFgEBAQMBAQE?=
	=?us-ascii?q?JAQEBgwUBAQEBAYF2txCEFoYkAoIdUwEBAQEBAQEBAgECEAEBAQoLCQkdMIIzG?=
	=?us-ascii?q?gGCFAIBAydSEFFXBgESiF+yWFKLZwEBCAIBJIY+jwMFiFCGD4tYkFMCkBqRQ4F?=
	=?us-ascii?q?VHIMfEQuBXj00h1oBAQE?=
X-IronPort-AV: E=Sophos;i="5.31,620,1473120000"; d="scan'208";a="843294"
Received: from mx1.redhat.com ([209.132.183.28])
	by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	10 Nov 2016 21:18:39 +0000
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 58EDF1E20;
	Thu, 10 Nov 2016 21:18:39 +0000 (UTC)
Received: from nux.redhat.com (vpn1-6-6.ams2.redhat.com [10.36.6.6])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id uAALIVmS022357; Thu, 10 Nov 2016 16:18:38 -0500
From: Andreas Gruenbacher <agruenba@redhat.com>
To: Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>
Subject: [PATCH 4/4] selinux: Convert isec->lock into a spinlock
Date: Thu, 10 Nov 2016 22:18:30 +0100
Message-Id: <1478812710-17190-5-git-send-email-agruenba@redhat.com>
In-Reply-To: <1478812710-17190-1-git-send-email-agruenba@redhat.com>
References: <1478812710-17190-1-git-send-email-agruenba@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.30]); Thu, 10 Nov 2016 21:18:39 +0000 (UTC)
X-Mailman-Approved-At: Thu, 10 Nov 2016 16:21:36 -0500
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Andreas Gruenbacher <agruenba@redhat.com>, selinux@tycho.nsa.gov
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

Convert isec->lock from a mutex into a spinlock.  Instead of holding the
lock while sleeping in inode_doinit_with_dentry, set isec->initialized
to LABEL_PENDING and release the lock.  Then, when the sid has been
determined, re-acquire the lock.  If isec->initialized is still set to
LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another
task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime.

This fixes a deadlock on gfs2 where

 * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds
   isec->lock, and tries to acquire the inode's glock, and

 * another task is in do_xmote -> inode_go_inval ->
   selinux_inode_invalidate_secctx, holds the inode's glock, and tries
   to acquire isec->lock.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
 security/selinux/hooks.c          | 108 ++++++++++++++++++++++++--------------
 security/selinux/include/objsec.h |   5 +-
 2 files changed, 72 insertions(+), 41 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cf5067e..4af31f1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -231,7 +231,7 @@ static int inode_alloc_security(struct inode *inode)
 	if (!isec)
 		return -ENOMEM;
 
-	mutex_init(&isec->lock);
+	spin_lock_init(&isec->lock);
 	INIT_LIST_HEAD(&isec->list);
 	isec->inode = inode;
 	isec->sid = SECINITSID_UNLABELED;
@@ -1381,7 +1381,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 {
 	struct superblock_security_struct *sbsec = NULL;
 	struct inode_security_struct *isec = inode->i_security;
-	u32 sid;
+	u32 task_sid, sid = 0;
+	u16 sclass;
 	struct dentry *dentry;
 #define INITCONTEXTLEN 255
 	char *context = NULL;
@@ -1391,7 +1392,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 	if (isec->initialized == LABEL_INITIALIZED)
 		return 0;
 
-	mutex_lock(&isec->lock);
+	spin_lock(&isec->lock);
 	if (isec->initialized == LABEL_INITIALIZED)
 		goto out_unlock;
 
@@ -1410,12 +1411,18 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		goto out_unlock;
 	}
 
+	sclass = isec->sclass;
+	task_sid = isec->task_sid;
+	sid = isec->sid;
+	isec->initialized = LABEL_PENDING;
+	spin_unlock(&isec->lock);
+
 	switch (sbsec->behavior) {
 	case SECURITY_FS_USE_NATIVE:
 		break;
 	case SECURITY_FS_USE_XATTR:
 		if (!(inode->i_opflags & IOP_XATTR)) {
-			isec->sid = sbsec->def_sid;
+			sid = sbsec->def_sid;
 			break;
 		}
 		/* Need a dentry, since the xattr API requires one.
@@ -1437,7 +1444,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * inode_doinit with a dentry, before these inodes could
 			 * be used again by userspace.
 			 */
-			goto out_unlock;
+			goto out;
 		}
 
 		len = INITCONTEXTLEN;
@@ -1445,7 +1452,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 		if (!context) {
 			rc = -ENOMEM;
 			dput(dentry);
-			goto out_unlock;
+			goto out;
 		}
 		context[len] = '\0';
 		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
@@ -1456,14 +1463,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
 			if (rc < 0) {
 				dput(dentry);
-				goto out_unlock;
+				goto out;
 			}
 			len = rc;
 			context = kmalloc(len+1, GFP_NOFS);
 			if (!context) {
 				rc = -ENOMEM;
 				dput(dentry);
-				goto out_unlock;
+				goto out;
 			}
 			context[len] = '\0';
 			rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
@@ -1475,7 +1482,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 				       "%d for dev=%s ino=%ld\n", __func__,
 				       -rc, inode->i_sb->s_id, inode->i_ino);
 				kfree(context);
-				goto out_unlock;
+				goto out;
 			}
 			/* Map ENODATA to the default file SID */
 			sid = sbsec->def_sid;
@@ -1505,28 +1512,25 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			}
 		}
 		kfree(context);
-		isec->sid = sid;
 		break;
 	case SECURITY_FS_USE_TASK:
-		isec->sid = isec->task_sid;
+		sid = task_sid;
 		break;
 	case SECURITY_FS_USE_TRANS:
 		/* Default to the fs SID. */
-		isec->sid = sbsec->sid;
+		sid = sbsec->sid;
 
 		/* Try to obtain a transition SID. */
-		rc = security_transition_sid(isec->task_sid, sbsec->sid,
-					     isec->sclass, NULL, &sid);
+		rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
 		if (rc)
-			goto out_unlock;
-		isec->sid = sid;
+			goto out;
 		break;
 	case SECURITY_FS_USE_MNTPOINT:
-		isec->sid = sbsec->mntpoint_sid;
+		sid = sbsec->mntpoint_sid;
 		break;
 	default:
 		/* Default to the fs superblock SID. */
-		isec->sid = sbsec->sid;
+		sid = sbsec->sid;
 
 		if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
 			/* We must have a dentry to determine the label on
@@ -1549,21 +1553,29 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 			 * could be used again by userspace.
 			 */
 			if (!dentry)
-				goto out_unlock;
-			rc = selinux_genfs_get_sid(dentry, isec->sclass,
-						   sbsec->flags, &sid);
+				goto out;
+			rc = selinux_genfs_get_sid(dentry, sclass, sbsec->flags, &sid);
 			dput(dentry);
 			if (rc)
-				goto out_unlock;
-			isec->sid = sid;
+				goto out;
 		}
 		break;
 	}
 
-	isec->initialized = LABEL_INITIALIZED;
+out:
+	spin_lock(&isec->lock);
+	if (isec->initialized == LABEL_PENDING) {
+		if (!sid || rc) {
+			isec->initialized = LABEL_INVALID;
+			goto out_unlock;
+		}
+
+		isec->initialized = LABEL_INITIALIZED;
+		isec->sid = sid;
+	}
 
 out_unlock:
-	mutex_unlock(&isec->lock);
+	spin_unlock(&isec->lock);
 	return rc;
 }
 
@@ -2889,9 +2901,11 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
 	/* Possibly defer initialization to selinux_complete_init. */
 	if (sbsec->flags & SE_SBINITIALIZED) {
 		struct inode_security_struct *isec = inode->i_security;
+		spin_lock(&isec->lock);
 		isec->sclass = inode_mode_to_security_class(inode->i_mode);
 		isec->sid = newsid;
 		isec->initialized = LABEL_INITIALIZED;
+		spin_unlock(&isec->lock);
 	}
 
 	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
@@ -3194,9 +3208,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
 	}
 
 	isec = backing_inode_security(dentry);
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 
 	return;
 }
@@ -3289,9 +3305,11 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
 	if (rc)
 		return rc;
 
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = newsid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 	return 0;
 }
 
@@ -3952,9 +3970,11 @@ static void selinux_task_to_inode(struct task_struct *p,
 	struct inode_security_struct *isec = inode->i_security;
 	u32 sid = task_sid(p);
 
+	spin_lock(&isec->lock);
 	isec->sclass = inode_mode_to_security_class(inode->i_mode);
 	isec->sid = sid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 }
 
 /* Returns error only if unable to parse addresses */
@@ -4273,24 +4293,26 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 	const struct task_security_struct *tsec = current_security();
 	struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
 	struct sk_security_struct *sksec;
+	u16 sclass = socket_type_to_security_class(family, type, protocol);
+	u32 sid = SECINITSID_KERNEL;
 	int err = 0;
 
-	isec->sclass = socket_type_to_security_class(family, type, protocol);
-
-	if (kern)
-		isec->sid = SECINITSID_KERNEL;
-	else {
-		err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
+	if (!kern) {
+		err = socket_sockcreate_sid(tsec, sclass, &sid);
 		if (err)
 			return err;
 	}
 
+	spin_lock(&isec->lock);
+	isec->sclass = sclass;
+	isec->sid = sid;
 	isec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&isec->lock);
 
 	if (sock->sk) {
 		sksec = sock->sk->sk_security;
-		sksec->sid = isec->sid;
-		sksec->sclass = isec->sclass;
+		sksec->sclass = sclass;
+		sksec->sid = sid;
 		err = selinux_netlbl_socket_post_create(sock->sk, family);
 	}
 
@@ -4466,17 +4488,25 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
 	int err;
 	struct inode_security_struct *isec;
 	struct inode_security_struct *newisec;
+	u16 sclass;
+	u32 sid;
 
 	err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
 	if (err)
 		return err;
 
-	newisec = inode_security_novalidate(SOCK_INODE(newsock));
-
 	isec = inode_security_novalidate(SOCK_INODE(sock));
-	newisec->sclass = isec->sclass;
-	newisec->sid = isec->sid;
+	spin_lock(&isec->lock);
+	sclass = isec->sclass;
+	sid = isec->sid;
+	spin_unlock(&isec->lock);
+
+	newisec = inode_security_novalidate(SOCK_INODE(newsock));
+	spin_lock(&newisec->lock);
+	newisec->sclass = sclass;
+	newisec->sid = sid;
 	newisec->initialized = LABEL_INITIALIZED;
+	spin_unlock(&newisec->lock);
 
 	return 0;
 }
@@ -5978,9 +6008,9 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
 {
 	struct inode_security_struct *isec = inode->i_security;
 
-	mutex_lock(&isec->lock);
+	spin_lock(&isec->lock);
 	isec->initialized = LABEL_INVALID;
-	mutex_unlock(&isec->lock);
+	spin_unlock(&isec->lock);
 }
 
 /*
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c21e135..7e770e9 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -39,7 +39,8 @@ struct task_security_struct {
 
 enum label_initialized {
 	LABEL_INVALID,		/* invalid or not initialized */
-	LABEL_INITIALIZED	/* initialized */
+	LABEL_INITIALIZED,	/* initialized */
+	LABEL_PENDING
 };
 
 struct inode_security_struct {
@@ -52,7 +53,7 @@ struct inode_security_struct {
 	u32 sid;		/* SID of this object */
 	u16 sclass;		/* security class of this object */
 	unsigned char initialized;	/* initialization flag */
-	struct mutex lock;
+	struct spinlock lock;
 };
 
 struct file_security_struct {