Btw, while looking at the code before replying to Casey I noticed something else in this area of code which we should probably fix if we touch all this. We are really supposed to create the ACLs and security labels atomically with the actual inode creation. And I think we have all the infrastructure to do this without too much pain now for ACLs. Security labels with the weird security_inode_init_security interface might be a little harder but not impossible. And I suspect security_inode_init_security might be the right thing to reuse for the helper to figure out what attrs would be set. If security_inode_init_security with an idempotent callback is idempotent itself we might be able to use it directly, but all the weird hooking makes it rather hard to read.