diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-1.17.15/include/selinux/selinux.h
--- nsalibselinux/include/selinux/selinux.h 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/include/selinux/selinux.h 2004-10-22 15:07:41.496204264 -0400
@@ -62,6 +62,15 @@
 extern int setfilecon(const char *path, security_context_t con);
 extern int lsetfilecon(const char *path, security_context_t con);
 extern int fsetfilecon(int fd, security_context_t con);
+/* setfileflag marks a file context as customized. IE. a default setfiles
+ will not relabel it.
+*/
+/* The following bit constants can be used with flags */
+#define SELINUX_CUSTOMIZE 1 << 0
+extern int setfileconflag(const char *path, unsigned int flag);
+extern int lsetfileconflag(const char *path, unsigned int flag);
+extern int getfileconflag(const char *path, unsigned int *flag);
+extern int lgetfileconflag(const char *path, unsigned int *flag);
 /* Wrappers for the socket API */
diff --exclude-from=exclude -N -u -r nsalibselinux/src/getfilecon.c libselinux-1.17.15/src/getfilecon.c
--- nsalibselinux/src/getfilecon.c 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/getfilecon.c 2004-10-22 14:55:41.000000000 -0400
@@ -43,3 +43,15 @@
 *context = buf;
 return ret;
 }
+
+int getfileconflag(const char *path, unsigned int *retflag)
+{
+ unsigned int flag=0;
+ int rc=0;
+ rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+ if (rc>=0)
+ *retflag=le32_to_cpu(flag);
+ else
+ *retflag=0;
+ return rc;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lgetfilecon.c libselinux-1.17.15/src/lgetfilecon.c
--- nsalibselinux/src/lgetfilecon.c 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lgetfilecon.c 2004-10-22 14:55:34.000000000 -0400
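Review bot: `SELINUX_CUSTOMIZE` is defined as the bare expression `1 << 0`, so it mis-parses next to any operator that binds tighter than `<<` (`SELINUX_CUSTOMIZE + 1` becomes `1 << 1`). Since the comment offers it as a bit constant in a public header, it should be written `#define SELINUX_CUSTOMIZE (1U << 0)`. The comment above it names `setfileflag`, which matches none of the four functions declared in this hunk. It should name `setfileconflag`/`lsetfileconflag` and say what the functions return.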
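Review bot: `getfileconflag` calls `lgetxattr`, the same call `lgetfileconflag` makes in src/lgetfilecon.c, so on a symbolic link it reads the link's own attribute while `setfileconflag` in src/setfilecon.c writes through the link with `setxattr`. A flag set through a symlink would therefore not be found when read back through the same path, and a relabeling tool relying on the result would not honour the marker. The non-`l` variant should use `rc=getxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));`.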
@@ -43,3 +43,14 @@
 *context = buf;
 return ret;
 }
+int lgetfileconflag(const char *path, unsigned int *retflag)
+{
+ unsigned int flag=0;
+ int rc=0;
+ rc=lgetxattr(path, XATTR_NAME_SELINUX_FLAG, &flag, sizeof(flag));
+ if (rc>=0)
+ *retflag=le32_to_cpu(flag);
+ else
+ *retflag=0;
+ return rc;
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/lsetfilecon.c libselinux-1.17.15/src/lsetfilecon.c
--- nsalibselinux/src/lsetfilecon.c 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/lsetfilecon.c 2004-10-22 14:55:54.000000000 -0400
@@ -11,3 +11,8 @@
 {
 return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int lsetfileconflag(const char *path, unsigned int flag)
+{
+ unsigned int nflag=cpu_to_le32(flag);
+ return lsetxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/policy.h libselinux-1.17.15/src/policy.h
--- nsalibselinux/src/policy.h 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/policy.h 2004-10-22 14:52:26.000000000 -0400
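Review bot: The `rc>=0` test in `lgetfileconflag` accepts any stored length, so an attribute shorter than `sizeof(flag)` leaves part of `flag` at its zero initialiser and is still returned as a valid flag word. The same test is in `getfileconflag` in src/getfilecon.c. The success branch should require the expected size, `if (rc == (int)sizeof(flag))`, and the else branch should return -1, so that a malformed on-disk value is never interpreted as a flag. `retflag` is also dereferenced without a NULL check; if non-NULL is a precondition, a comment should say so.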
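Review bot: `lsetfileconflag` replaces the whole stored word with `flag`, although selinux.h describes the values as bit constants, so setting one bit this way clears any other bit already recorded on the file. `setfileconflag` in src/setfilecon.c behaves the same. If overwrite is intended, it should be documented, e.g. `/* Replaces the entire flag word; read it first with lgetfileconflag() to preserve other bits. */`. Separately, `nflag` is an `unsigned int` passed through a 32-bit conversion macro; declaring it `uint32_t nflag` would make the stored size explicit.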
@@ -3,8 +3,26 @@
 /* Private definitions used internally by libselinux. */
+/* Endian conversion for reading and writing binary policies */
+
+#include
+#include
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define cpu_to_le32(x) (x)
+#define le32_to_cpu(x) (x)
+#define cpu_to_le64(x) (x)
+#define le64_to_cpu(x) (x)
+#else
+#define cpu_to_le32(x) bswap_32(x)
+#define le32_to_cpu(x) bswap_32(x)
+#define cpu_to_le64(x) bswap_64(x)
+#define le64_to_cpu(x) bswap_64(x)
+#endif
+
 /* xattr name for SELinux attributes. */
 #define XATTR_NAME_SELINUX "security.selinux"
+#define XATTR_NAME_SELINUX_FLAG "security.selinux.flag"
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
diff --exclude-from=exclude -N -u -r nsalibselinux/src/setfilecon.c libselinux-1.17.15/src/setfilecon.c
--- nsalibselinux/src/setfilecon.c 2004-10-20 16:31:36.000000000 -0400
+++ libselinux-1.17.15/src/setfilecon.c 2004-10-22 14:53:02.000000000 -0400
@@ -11,3 +11,8 @@
 {
 return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context)+1, 0);
 }
+int setfileconflag(const char *path, unsigned int flag)
+{
+ unsigned int nflag=cpu_to_le32(flag);
+ return setxattr(path, XATTR_NAME_SELINUX_FLAG, &nflag, sizeof(nflag), 0);
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getfileconflag.c libselinux-1.17.15/utils/getfileconflag.c
--- nsalibselinux/utils/getfileconflag.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/getfileconflag.c 2004-10-22 14:57:52.000000000 -0400
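Review bot: `#if __BYTE_ORDER == __LITTLE_ENDIAN` evaluates as `0 == 0` when neither macro is defined, so a build that lacks the byte-order definitions silently takes the no-swap branch. The two `#include` lines have lost their operands in this listing, so which headers are pulled in cannot be confirmed from here. Putting `#ifndef __BYTE_ORDER` / `#error "byte order not defined"` / `#endif` ahead of the test would make that failure visible. The leading comment says the macros serve binary policies, whereas in this patch they convert the `security.selinux.flag` attribute value; the comment should say so.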
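Review bot: Nothing on `setfileconflag` states who is expected to be able to call it successfully, which matters because selinux.h says a flagged file is skipped by a default setfiles relabel. A flag left on a file whose label is wrong would keep that label across relabels, so the contract deserves a comment such as `/* Marks path as exempt from default relabeling; permission to write this attribute is decided by the kernel, not checked here. */`. Whether the kernel restricts writes to `security.selinux.flag` is not visible in this patch and should be confirmed before tools rely on the marker.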
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ int rc, i;
+ int flag;
+ if (argc < 2) {
+ fprintf(stderr, "usage: %s path...\n", argv[0]);
+ exit(1);
+ }
+
+ for (i = 1; i < argc; i++) {
+ rc = getfileconflag(argv[i], &flag);
+ if (rc < 0) {
+ fprintf(stderr, "%s: getfileconflag(%s) failed\n", argv[0], argv[i]);
+ exit(2);
+ }
+ printf("%s\t%d\n", argv[i], flag);
+ }
+ exit(0);
+}
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/setfileconflag.c libselinux-1.17.15/utils/setfileconflag.c
--- nsalibselinux/utils/setfileconflag.c 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-1.17.15/utils/setfileconflag.c 2004-10-22 14:57:28.000000000 -0400
@@ -0,0 +1,25 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ int rc, i;
+ int flag=SELINUX_CUSTOMIZE;
+ if (argc < 2) {
+ fprintf(stderr, "usage: %s path...\n", argv[0]);
+ exit(1);
+ }
+
+ for (i = 1; i < argc; i++) {
+ rc = setfileconflag(argv[i],flag);
+ if (rc < 0) {
+ fprintf(stderr, "%s: setfileconflag(%s) failed: %s\n", argv[0], argv[i],strerror(errno));
+ exit(2);
+ }
+ }
+ exit(0);
+}
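Review bot: In utils/getfileconflag.c `flag` is declared `int`, but its address is passed to `getfileconflag`, whose prototype in selinux.h takes `unsigned int *`, and the value is then printed with `%d`. It should be declared `unsigned int flag;` and printed with `printf("%s\t%u\n", argv[i], flag);`. utils/setfileconflag.c has the same `int flag` declaration for an `unsigned int` parameter. The failure message in the get utility also omits `strerror(errno)`, which the set utility prints, so a missing attribute and a permission error look the same to the user.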