Index: hooks.c
===================================================================
RCS file: /cvsroot/selinux/nsa/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.26
diff -u -r1.26 hooks.c
--- hooks.c	6 Dec 2004 20:04:06 -0000	1.26
+++ hooks.c	13 Dec 2004 21:14:15 -0000
@@ -1365,13 +1365,26 @@
 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
 {
+	struct task_security_struct *tsec;
+	struct av_decision avd;
 	int error;
 
 	error = task_has_perm(current, target, PROCESS__GETCAP);
 	if (error)
 		return error;
-	return secondary_ops->capget(target, effective, inheritable, permitted);
+	error = secondary_ops->capget(target, effective, inheritable,
+				      permitted);
+	if (error)
+		return error;
+
+	/* Remove the capabilites that are not allowed to be used by the domain
+	   from the effective set */
+	tsec = target->security;
+	(void)avc_has_perm_noaudit(tsec->sid, tsec->sid,
+				   SECCLASS_CAPABILITY, ~0, &avd);
+	cap_mask(*effective, avd.allowed);
+	return 0;
 }
 
 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
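Review bot: `avd` is declared without an initializer and the return value of `avc_has_perm_noaudit()` is cast to void, so if the AVC call fails for a reason other than a denial (an error path that returns before the decision is copied out), `cap_mask(*effective, avd.allowed)` masks the effective set with uninitialized stack data instead of failing closed. A denial is the expected result of a `~0` request, so only non-denial errors should abort: `error = avc_has_perm_noaudit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, ~0, &avd);` followed by `if (error && error != -EACCES) return error;`. Whether the AVC leaves `avd` untouched on those error paths is inferred from the call's shape rather than visible in the hunk, so confirm it against avc.c before relying on the guard. The new comment also misspells `capabilites` (should be `capabilities`), and it would help a reader to state explicitly that only the effective set is masked while permitted and inheritable are returned exactly as the secondary module computed them.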