I've been running this patch on my system for a few weeks now with no problems, therefore I conclude that the key service only passes one permission at a time.

Listed below is the output from the kernel logs regarding the permission translations.

key_perms polcap = 0
entry_perm: 0x0001 exit_perm: 0x0001 view
entry_perm: 0x0002 exit_perm: 0x0002 read
entry_perm: 0x0004 exit_perm: 0x0004 write
entry_perm: 0x0008 exit_perm: 0x0008 search
entry_perm: 0x0010 exit_perm: 0x0010 link
entry_perm: 0x0020 exit_perm: 0x0020 setsec
entry_perm: 0x0040 exit_perm: 0x0008 inval/search
entry_perm: 0x0080 exit_perm: 0x0004 revoke/write
entry_perm: 0x0100 exit_perm: 0x0008 join/search
entry_perm: 0x0200 exit_perm: 0x0004 clear/write
entry_perm: 0x0400 exit_perm: 0x0010 parent_join/link

key_perms polcap = 1
entry_perm: 0x0001 exit_perm: 0x0001 view
entry_perm: 0x0002 exit_perm: 0x0002 read
entry_perm: 0x0004 exit_perm: 0x0004 write
entry_perm: 0x0008 exit_perm: 0x0008 search
entry_perm: 0x0010 exit_perm: 0x0010 link
entry_perm: 0x0020 exit_perm: 0x0020 setsec
entry_perm: 0x0040 exit_perm: 0x0080 inval
entry_perm: 0x0080 exit_perm: 0x0100 revoke
entry_perm: 0x0100 exit_perm: 0x0200 join
entry_perm: 0x0200 exit_perm: 0x0400 clear
entry_perm: 0x0400 exit_perm: 0x0200 parent_join/join

<--- key.h ---->              <-- av_permissions.h -->
KEY_NEED_VIEW         0x001   KEY__VIEW      0x00000001U
KEY_NEED_READ         0x002   KEY__READ      0x00000002U
KEY_NEED_WRITE        0x004   KEY__WRITE     0x00000004U
KEY_NEED_SEARCH       0x008   KEY__SEARCH    0x00000008U
KEY_NEED_LINK         0x010   KEY__LINK      0x00000010U
KEY_NEED_SETSEC       0x020   KEY__SETATTR   0x00000020U
KEY_NEED_INVAL        0x040   KEY__INVAL     0x00000080U
KEY_NEED_REVOKE       0x080   KEY__REVOKE    0x00000100U
KEY_NEED_JOIN         0x100   KEY__JOIN      0x00000200U
KEY_NEED_CLEAR        0x200   KEY__CLEAR     0x00000400U
KEY_NEED_PARENT_JOIN  0x400   KEY__JOIN      0x00000200U

Richard Haines (1):
  selinux: Add support for new key permissions

 security/selinux/hooks.c            | 123 ++++++++++++++++------------
 security/selinux/include/security.h |  10 +--
 security/selinux/ss/services.c      |   4 +-
 3 files changed, 76 insertions(+), 61 deletions(-)

--
2.24.1
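
The translation shown in the log above, written out as a userspace C sketch. This is an added example, not code from the patch: the helper name key_need_to_av and the table layout are hypothetical, the bit values are the ones listed in the message, and rejecting a combined mask is an assumption that follows from the one-permission-at-a-time observation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One row per KEY_NEED_* bit and the SELinux key-class bit it becomes with
 * the policy capability off (polcap = 0) or on (polcap = 1), per the log. */
struct key_perm_map { uint32_t need, av0, av1; const char *name; };

static const struct key_perm_map key_map[] = {
    { 0x001, 0x001, 0x001, "view" },
    { 0x002, 0x002, 0x002, "read" },
    { 0x004, 0x004, 0x004, "write" },
    { 0x008, 0x008, 0x008, "search" },
    { 0x010, 0x010, 0x010, "link" },
    { 0x020, 0x020, 0x020, "setsec" },      /* KEY__SETATTR */
    { 0x040, 0x008, 0x080, "inval" },       /* search, or inval */
    { 0x080, 0x004, 0x100, "revoke" },      /* write, or revoke */
    { 0x100, 0x008, 0x200, "join" },        /* search, or join */
    { 0x200, 0x004, 0x400, "clear" },       /* write, or clear */
    { 0x400, 0x010, 0x200, "parent_join" }, /* link, or join */
};
#define KEY_MAP_LEN (sizeof(key_map) / sizeof(key_map[0]))

/* Hypothetical helper: 0 on success with the class bit in *av, else -1. */
int key_need_to_av(uint32_t need, int polcap, uint32_t *av)
{
    size_t i;
    if (need == 0 || (need & (need - 1)) != 0)
        return -1;                  /* zero or more than one bit set */
    for (i = 0; i < KEY_MAP_LEN; i++) {
        if (key_map[i].need == need) {
            *av = polcap ? key_map[i].av1 : key_map[i].av0;
            return 0;
        }
    }
    return -1;                      /* single bit, but not in the table */
}

int main(void)
{
    uint32_t a0 = 0, a1 = 0;
    for (size_t i = 0; i < KEY_MAP_LEN; i++) {
        key_need_to_av(key_map[i].need, 0, &a0);
        key_need_to_av(key_map[i].need, 1, &a1);
        printf("%-12s entry 0x%04x  polcap0 0x%04x  polcap1 0x%04x\n",
               key_map[i].name, (unsigned)key_map[i].need,
               (unsigned)a0, (unsigned)a1);
    }
    return 0;
}
```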