From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch removes the unnecessary code in inode_doinit_with_dentry,
replaces the unused inherits flag field (legacy from earlier code) with a
private flag field, does not set the SID in selinux_inode_mark_private
(leaving it with the unlabeled SID, which will ensure that we notice it if
it ever reaches a SELinux permission check), and modifies SELinux
permission checking functions and post_create() to test for the private
flag and skip SELinux processing in that case.

Please include if/when the reiserfs/selinux patchset goes upstream.  I know
that Chris Wright had raised the question of whether we should be using
i_flags to convey the "private" nature of the inode rather than using a
security hook, but didn't see any resolution of that issue.

Signed-off-by:  Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/security/selinux/hooks.c          |   27 ++++++++++++++++-----------
 25-akpm/security/selinux/include/objsec.h |    2 +-
 2 files changed, 17 insertions(+), 12 deletions(-)

diff -puN security/selinux/hooks.c~selinux-hooks-cleanup security/selinux/hooks.c
--- 25/security/selinux/hooks.c~selinux-hooks-cleanup	Tue Nov 30 15:11:49 2004
+++ 25-akpm/security/selinux/hooks.c	Tue Nov 30 15:11:49 2004
@@ -737,15 +737,6 @@ static int inode_doinit_with_dentry(stru
 	if (isec->initialized)
 		goto out;
 
-	if (opt_dentry && opt_dentry->d_parent && opt_dentry->d_parent->d_inode) {
-		struct inode_security_struct *pisec = opt_dentry->d_parent->d_inode->i_security;
-		if (pisec->inherit) {
-			isec->sid = pisec->sid;
-			isec->initialized = 1;
-			goto out;
-		}
-	}
-
 	down(&isec->sem);
 	hold_sem = 1;
 	if (isec->initialized)
@@ -983,6 +974,9 @@ int inode_has_perm(struct task_struct *t
 	tsec = tsk->security;
 	isec = inode->i_security;
 
+	if (isec->private)
+		return 0;
+
 	if (!adp) {
 		adp = &ad;
 		AVC_AUDIT_DATA_INIT(&ad, FS);
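Review bot: The new `isec->private` early return in inode_has_perm has no comment explaining why a flagged inode is exempt from policy, and the identical bare test is repeated in may_create, may_link, may_rename and post_create without one either. A short comment at this first site would carry the intent: `/* Private (filesystem-internal) inode: exempt from policy checks; the fs marks it via selinux_inode_mark_private(). */`. The flag is also read here without taking isec->sem, which is only sound if the mark happens before the inode becomes reachable by other tasks — that ordering is not visible in this patch and is worth stating in the same comment. inode_has_perm's body continues outside the hunk.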
@@ -1064,6 +1058,9 @@ static int may_create(struct inode *dir,
 	dsec = dir->i_security;
 	sbsec = dir->i_sb->s_security;
 
+	if (dsec->private)
+		return 0;
+
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.dentry = dentry;
 
@@ -1111,6 +1108,9 @@ static int may_link(struct inode *dir,
 	dsec = dir->i_security;
 	isec = dentry->d_inode->i_security;
 
+	if (dsec->private)
+		return 0;
+
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.dentry = dentry;
 
@@ -1157,6 +1157,9 @@ static inline int may_rename(struct inod
 	old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
 	new_dsec = new_dir->i_security;
 
+	if (old_dsec->private)
+		return 0;
+
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 
 	ad.u.fs.dentry = old_dentry;
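Review bot: may_rename tests only `old_dsec->private`; `new_dsec`, assigned on the line just above the added guard, is never consulted, so a rename whose destination directory is private but whose source is not still runs the AVC checks against new_dsec's SID, which after this patch is left at the unlabeled SID. If that asymmetry is deliberate (so such a rename surfaces as an audited denial), a one-line comment saying so would stop it being "corrected" later; if not, the guard should be `if (old_dsec->private || new_dsec->private) return 0;` to match the directory-based test used in may_create and may_link. The remainder of may_rename lies outside the hunk.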
@@ -1292,6 +1295,9 @@ static int post_create(struct inode *dir
 	dsec = dir->i_security;
 	sbsec = dir->i_sb->s_security;
 
+	if (dsec->private)
+		return 0;
+
 	inode = dentry->d_inode;
 	if (!inode) {
 		/* Some file system types (e.g. NFS) may not instantiate
@@ -2379,9 +2385,8 @@ static void selinux_inode_mark_private(s
 {
 	struct inode_security_struct *isec = inode->i_security;
 
-	isec->sid = SECINITSID_KERNEL;
+	isec->private = 1;
 	isec->initialized = 1;
-	isec->inherit = 1;
 }
 
 /* file security operations */
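Review bot: selinux_inode_mark_private now sets `isec->private` and `isec->initialized` but, unlike the removed code, never assigns `isec->sid` (and does not touch `isec->sclass`); the cover letter says the SID is intentionally left unlabeled so that a stray permission check is noticed, but nothing in the function records that reliance. A comment such as `/* sid deliberately left at the unlabeled SID: any permission check that reaches a private inode is denied and audited rather than silently allowed. */` would make the invariant visible to the next reader. Both stores are also made without isec->sem, which presumably is fine because the inode is not yet published when the filesystem calls this hook — confirm against the reiserfs caller.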
diff -puN security/selinux/include/objsec.h~selinux-hooks-cleanup security/selinux/include/objsec.h
--- 25/security/selinux/include/objsec.h~selinux-hooks-cleanup	Tue Nov 30 15:11:49 2004
+++ 25-akpm/security/selinux/include/objsec.h	Tue Nov 30 15:11:49 2004
@@ -45,7 +45,7 @@ struct inode_security_struct {
 	u16 sclass;       /* security class of this object */
 	unsigned char initialized;     /* initialization flag */
 	struct semaphore sem;
-	unsigned char inherit;         /* inherit SID from parent entry */
+       unsigned char private;         /* private file, skip checks */
 };
 
 struct file_security_struct {
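Review bot: The added `private` member is indented with spaces while every neighbouring member of struct inode_security_struct uses a tab, so the line should be `	unsigned char private;         /* private file, skip checks */` (leading tab) to keep the header consistent. The comment would be more useful if it named the writer and the readers, e.g. `/* set by selinux_inode_mark_private(); permission hooks skip this inode */`. Note that `private` is a C++ keyword; harmless for a kernel-internal header, but worth knowing if the header is ever processed by C++ tooling.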
_