selinux: only invoke capabilities and selinux for CAP_MAC_ADMIN checks

	return dentry_has_perm(cred, dentry, FILE__SETATTR);

}

static bool has_cap_mac_admin(bool audit)

{

	const struct cred *cred = current_cred();

	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;

	if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))

		return false;

	if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))

		return false;

	return true;

}

static int selinux_inode_setxattr(struct dentry *dentry, const char *name,

				  const void *value, size_t size, int flags)

{

	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);

	if (rc == -EINVAL) {

		if (!capable(CAP_MAC_ADMIN)) {

		if (!has_cap_mac_admin(true)) {

			struct audit_buffer *ab;

			size_t audit_size;

			const char *str;

	 * and lack of permission just means that we fall back to the

	 * in-core context value, not a denial.

	 */

	error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,

			    SECURITY_CAP_NOAUDIT);

	if (!error)

		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,

					    SECURITY_CAP_NOAUDIT, true);

	isec = inode_security(inode);

	if (!error)

	if (has_cap_mac_admin(false))

		error = security_sid_to_context_force(isec->sid, &context,

						      &size);

	else

		}

		error = security_context_to_sid(value, size, &sid, GFP_KERNEL);

		if (error == -EINVAL && !strcmp(name, "fscreate")) {

			if (!capable(CAP_MAC_ADMIN)) {

			if (!has_cap_mac_admin(true)) {

				struct audit_buffer *ab;

				size_t audit_size;