authorRobert Watson <rwatson@FreeBSD.org>2004-07-16 02:03:50 +0000
committerRobert Watson <rwatson@FreeBSD.org>2004-07-16 02:03:50 +0000
commitdee57980c51a9a216b3c852db83c9548e954eeb5 (patch)
tree00b177905ca23c5cdf8464ae7b4d8e671fdc26f0 /sys/security/mac_mls
parent85e8765b7eb67206e0683ab764011c4f8800d8de (diff)
Rename Biba and MLS _single label elements to _effective, which more
accurately represents the intention of the 'single' label element in Biba and MLS labels. It also approximates the use of 'effective' in traditional UNIX credentials, and avoids confusion with 'singlelabel' in the context of file systems. Inspired by: trhodes
Notes
Notes: svn path=/head/; revision=132232
Diffstat (limited to 'sys/security/mac_mls')
-rw-r--r--sys/security/mac_mls/mac_mls.c336
-rw-r--r--sys/security/mac_mls/mac_mls.h10
2 files changed, 173 insertions, 173 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 4fcf0140634f..ee390c34d7bd 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -216,31 +216,31 @@ mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
}
static int
-mac_mls_single_in_range(struct mac_mls *single, struct mac_mls *range)
+mac_mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
{
- KASSERT((single->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_single_in_range: a not single"));
+ KASSERT((effective->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_effective_in_range: a not effective"));
KASSERT((range->mm_flags & MAC_MLS_FLAG_RANGE) != 0,
- ("mac_mls_single_in_range: b not range"));
+ ("mac_mls_effective_in_range: b not range"));
return (mac_mls_dominate_element(&range->mm_rangehigh,
- &single->mm_single) &&
- mac_mls_dominate_element(&single->mm_single,
+ &effective->mm_effective) &&
+ mac_mls_dominate_element(&effective->mm_effective,
&range->mm_rangelow));
return (1);
}
static int
-mac_mls_dominate_single(struct mac_mls *a, struct mac_mls *b)
+mac_mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
{
- KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_dominate_single: a not single"));
- KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_dominate_single: b not single"));
+ KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_dominate_effective: a not effective"));
+ KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_dominate_effective: b not effective"));
- return (mac_mls_dominate_element(&a->mm_single, &b->mm_single));
+ return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective));
}
static int
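Review bot: The `return (1);` that follows the `return (mac_mls_dominate_element(&range->mm_rangehigh, ...` statement in mac_mls_effective_in_range is unreachable, because the preceding return always leaves the function. It is pre-existing, but the rename already rewrites every other line of this function, so dropping the dead statement here costs nothing. Leaving an unconditional `return (1);` after the real check invites a later edit that reorders the two statements and silently makes the range test always succeed.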
@@ -255,23 +255,23 @@ mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
}
static int
-mac_mls_equal_single(struct mac_mls *a, struct mac_mls *b)
+mac_mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
{
- KASSERT((a->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_equal_single: a not single"));
- KASSERT((b->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_equal_single: b not single"));
+ KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_equal_effective: a not effective"));
+ KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_equal_effective: b not effective"));
- return (mac_mls_equal_element(&a->mm_single, &b->mm_single));
+ return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective));
}
static int
mac_mls_contains_equal(struct mac_mls *mac_mls)
{
- if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE)
- if (mac_mls->mm_single.mme_type == MAC_MLS_TYPE_EQUAL)
+ if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
+ if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
return (1);
if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
@@ -292,8 +292,8 @@ mac_mls_subject_privileged(struct mac_mls *mac_mls)
MAC_MLS_FLAGS_BOTH,
("mac_mls_subject_privileged: subject doesn't have both labels"));
- /* If the single is EQUAL, it's ok. */
- if (mac_mls->mm_single.mme_type == MAC_MLS_TYPE_EQUAL)
+ /* If the effective is EQUAL, it's ok. */
+ if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
return (0);
/* If either range endpoint is EQUAL, it's ok. */
@@ -314,17 +314,17 @@ static int
mac_mls_valid(struct mac_mls *mac_mls)
{
- if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) {
- switch (mac_mls->mm_single.mme_type) {
+ if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
+ switch (mac_mls->mm_effective.mme_type) {
case MAC_MLS_TYPE_LEVEL:
break;
case MAC_MLS_TYPE_EQUAL:
case MAC_MLS_TYPE_HIGH:
case MAC_MLS_TYPE_LOW:
- if (mac_mls->mm_single.mme_level != 0 ||
+ if (mac_mls->mm_effective.mme_level != 0 ||
!MAC_MLS_BIT_SET_EMPTY(
- mac_mls->mm_single.mme_compartments))
+ mac_mls->mm_effective.mme_compartments))
return (EINVAL);
break;
@@ -332,7 +332,7 @@ mac_mls_valid(struct mac_mls *mac_mls)
return (EINVAL);
}
} else {
- if (mac_mls->mm_single.mme_type != MAC_MLS_TYPE_UNDEF)
+ if (mac_mls->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
return (EINVAL);
}
@@ -404,16 +404,16 @@ mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow,
}
static void
-mac_mls_set_single(struct mac_mls *mac_mls, u_short type, u_short level,
+mac_mls_set_effective(struct mac_mls *mac_mls, u_short type, u_short level,
u_char *compartments)
{
- mac_mls->mm_single.mme_type = type;
- mac_mls->mm_single.mme_level = level;
+ mac_mls->mm_effective.mme_type = type;
+ mac_mls->mm_effective.mme_level = level;
if (compartments != NULL)
- memcpy(mac_mls->mm_single.mme_compartments, compartments,
- sizeof(mac_mls->mm_single.mme_compartments));
- mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE;
+ memcpy(mac_mls->mm_effective.mme_compartments, compartments,
+ sizeof(mac_mls->mm_effective.mme_compartments));
+ mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
}
static void
@@ -429,22 +429,22 @@ mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
}
static void
-mac_mls_copy_single(struct mac_mls *labelfrom, struct mac_mls *labelto)
+mac_mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
{
- KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
- ("mac_mls_copy_single: labelfrom not single"));
+ KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
+ ("mac_mls_copy_effective: labelfrom not effective"));
- labelto->mm_single = labelfrom->mm_single;
- labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
+ labelto->mm_effective = labelfrom->mm_effective;
+ labelto->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
}
static void
mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
{
- if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
- mac_mls_copy_single(source, dest);
+ if (source->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
+ mac_mls_copy_effective(source, dest);
if (source->mm_flags & MAC_MLS_FLAG_RANGE)
mac_mls_copy_range(source, dest);
}
@@ -547,8 +547,8 @@ static int
mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls)
{
- if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) {
- if (mac_mls_element_to_string(sb, &mac_mls->mm_single)
+ if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
+ if (mac_mls_element_to_string(sb, &mac_mls->mm_effective)
== -1)
return (EINVAL);
}
@@ -653,12 +653,12 @@ mac_mls_parse_element(struct mac_mls_element *element, char *string)
static int
mac_mls_parse(struct mac_mls *mac_mls, char *string)
{
- char *rangehigh, *rangelow, *single;
+ char *rangehigh, *rangelow, *effective;
int error;
- single = strsep(&string, "(");
- if (*single == '\0')
- single = NULL;
+ effective = strsep(&string, "(");
+ if (*effective == '\0')
+ effective = NULL;
if (string != NULL) {
rangelow = strsep(&string, "-");
@@ -679,11 +679,11 @@ mac_mls_parse(struct mac_mls *mac_mls, char *string)
("mac_mls_parse: range mismatch"));
bzero(mac_mls, sizeof(*mac_mls));
- if (single != NULL) {
- error = mac_mls_parse_element(&mac_mls->mm_single, single);
+ if (effective != NULL) {
+ error = mac_mls_parse_element(&mac_mls->mm_effective, effective);
if (error)
return (error);
- mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE;
+ mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
}
if (rangelow != NULL) {
@@ -760,7 +760,7 @@ mac_mls_create_devfs_device(struct mount *mp, struct cdev *dev,
mls_type = MAC_MLS_TYPE_EQUAL;
else
mls_type = MAC_MLS_TYPE_LOW;
- mac_mls_set_single(mac_mls, mls_type, 0, NULL);
+ mac_mls_set_effective(mac_mls, mls_type, 0, NULL);
}
static void
@@ -770,7 +770,7 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
struct mac_mls *mac_mls;
mac_mls = SLOT(label);
- mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
}
static void
@@ -783,7 +783,7 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
source = SLOT(cred->cr_label);
dest = SLOT(delabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -794,9 +794,9 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
dest = SLOT(fslabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -807,9 +807,9 @@ mac_mls_create_root_mount(struct ucred *cred, struct mount *mp,
/* Always mount root as high integrity. */
mac_mls = SLOT(fslabel);
- mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
mac_mls = SLOT(mntlabel);
- mac_mls_set_single(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
}
static void
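Review bot: The comment `/* Always mount root as high integrity. */` in mac_mls_create_root_mount describes a Biba integrity label, but the two calls under it set `MAC_MLS_TYPE_LOW`, the low MLS sensitivity level, so it reads like a carry-over from the Biba module and contradicts the code it annotates. Suggest `/* Always mount root at the low MLS sensitivity level. */`. The function's signature and the start of its body are outside the hunk.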
@@ -834,7 +834,7 @@ mac_mls_update_devfsdirent(struct mount *mp,
source = SLOT(vnodelabel);
dest = SLOT(direntlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -847,7 +847,7 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
source = SLOT(delabel);
dest = SLOT(vlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static int
@@ -867,7 +867,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
/* Fall back to the fslabel. */
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
return (0);
} else if (error)
return (error);
@@ -881,12 +881,12 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
printf("mac_mls_associate_vnode_extattr: invalid\n");
return (EPERM);
}
- if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) {
- printf("mac_mls_associated_vnode_extattr: not single\n");
+ if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) {
+ printf("mac_mls_associated_vnode_extattr: not effective\n");
return (EPERM);
}
- mac_mls_copy_single(&temp, dest);
+ mac_mls_copy_effective(&temp, dest);
return (0);
}
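Review bot: The diagnostic `printf("mac_mls_associated_vnode_extattr: not effective\n");` names a function that does not exist; the enclosing function is mac_mls_associate_vnode_extattr (see the hunk header), so a reader tracing this kernel message back to source will not find it. Since the line is already being rewritten for the rename, fix the name in the same change: `printf("mac_mls_associate_vnode_extattr: not effective\n");`. The `invalid` message a few lines above already uses the correct name, so this also makes the two diagnostics consistent.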
@@ -899,7 +899,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
source = SLOT(fslabel);
dest = SLOT(vlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static int
@@ -916,12 +916,12 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
- mac_mls_copy_single(source, &temp);
+ mac_mls_copy_effective(source, &temp);
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
if (error == 0)
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
return (error);
}
@@ -937,10 +937,10 @@ mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
bzero(&temp, buflen);
source = SLOT(intlabel);
- if ((source->mm_flags & MAC_MLS_FLAG_SINGLE) == 0)
+ if ((source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) == 0)
return (0);
- mac_mls_copy_single(source, &temp);
+ mac_mls_copy_effective(source, &temp);
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
@@ -959,7 +959,7 @@ mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
source = SLOT(solabel);
dest = SLOT(inplabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -971,7 +971,7 @@ mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
source = SLOT(socketlabel);
dest = SLOT(mbuflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -983,7 +983,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket,
source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -995,7 +995,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1008,7 +1008,7 @@ mac_mls_create_socket_from_socket(struct socket *oldsocket,
source = SLOT(oldsocketlabel);
dest = SLOT(newsocketlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1044,7 +1044,7 @@ mac_mls_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
source = SLOT(mbuflabel);
dest = SLOT(socketpeerlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
/*
@@ -1060,7 +1060,7 @@ mac_mls_set_socket_peer_from_socket(struct socket *oldsocket,
source = SLOT(oldsocketlabel);
dest = SLOT(newsocketpeerlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1072,7 +1072,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1088,7 +1088,7 @@ mac_mls_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
else
type = MAC_MLS_TYPE_LOW;
- mac_mls_set_single(dest, type, 0, NULL);
+ mac_mls_set_effective(dest, type, 0, NULL);
mac_mls_set_range(dest, type, 0, NULL, type, 0, NULL);
}
@@ -1101,7 +1101,7 @@ mac_mls_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
source = SLOT(fragmentlabel);
dest = SLOT(ipqlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1114,7 +1114,7 @@ mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
dest = SLOT(datagramlabel);
/* Just use the head, since we require them all to match. */
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1126,7 +1126,7 @@ mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
source = SLOT(datagramlabel);
dest = SLOT(fragmentlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1138,7 +1138,7 @@ mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
source = SLOT(inplabel);
dest = SLOT(mlabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1170,7 +1170,7 @@ mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
dest = SLOT(mbuflabel);
- mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
@@ -1182,7 +1182,7 @@ mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
source = SLOT(bpflabel);
dest = SLOT(mbuflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1194,7 +1194,7 @@ mac_mls_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
source = SLOT(ifnetlabel);
dest = SLOT(mbuflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1207,7 +1207,7 @@ mac_mls_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static void
@@ -1219,7 +1219,7 @@ mac_mls_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
source = SLOT(oldmbuflabel);
dest = SLOT(newmbuflabel);
- mac_mls_copy_single(source, dest);
+ mac_mls_copy_effective(source, dest);
}
static int
@@ -1231,7 +1231,7 @@ mac_mls_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
a = SLOT(ipqlabel);
b = SLOT(fragmentlabel);
- return (mac_mls_equal_single(a, b));
+ return (mac_mls_equal_effective(a, b));
}
static void
@@ -1276,7 +1276,7 @@ mac_mls_create_proc0(struct ucred *cred)
dest = SLOT(cred->cr_label);
- mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
0, NULL);
}
@@ -1288,7 +1288,7 @@ mac_mls_create_proc1(struct ucred *cred)
dest = SLOT(cred->cr_label);
- mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
0, NULL);
}
@@ -1319,7 +1319,7 @@ mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
a = SLOT(bpflabel);
b = SLOT(ifnetlabel);
- if (mac_mls_equal_single(a, b))
+ if (mac_mls_equal_effective(a, b))
return (0);
return (EACCES);
}
@@ -1335,7 +1335,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
/*
* If there is an MLS label update for the credential, it may be
- * an update of single, range, or both.
+ * an update of effective, range, or both.
*/
error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
if (error)
@@ -1346,21 +1346,21 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
*/
if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
/*
- * If the change request modifies both the MLS label single
- * and range, check that the new single will be in the
+ * If the change request modifies both the MLS label effective
+ * and range, check that the new effective will be in the
* new range.
*/
if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
MAC_MLS_FLAGS_BOTH &&
- !mac_mls_single_in_range(new, new))
+ !mac_mls_effective_in_range(new, new))
return (EINVAL);
/*
- * To change the MLS single label on a credential, the
- * new single label must be in the current range.
+ * To change the MLS effective label on a credential, the
+ * new effective label must be in the current range.
*/
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE &&
- !mac_mls_single_in_range(new, subj))
+ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE &&
+ !mac_mls_effective_in_range(new, subj))
return (EPERM);
/*
@@ -1398,7 +1398,7 @@ mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
obj = SLOT(u2->cr_label);
/* XXX: range */
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (ESRCH);
return (0);
@@ -1416,7 +1416,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
/*
* If there is an MLS label update for the interface, it may
- * be an update of single, range, or both.
+ * be an update of effective, range, or both.
*/
error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
if (error)
@@ -1442,7 +1442,7 @@ mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
p = SLOT(mbuflabel);
i = SLOT(ifnetlabel);
- return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
+ return (mac_mls_effective_in_range(p, i) ? 0 : EACCES);
}
static int
@@ -1457,7 +1457,7 @@ mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
p = SLOT(mlabel);
i = SLOT(inplabel);
- return (mac_mls_equal_single(p, i) ? 0 : EACCES);
+ return (mac_mls_equal_effective(p, i) ? 0 : EACCES);
}
static int
@@ -1472,7 +1472,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
subj = SLOT(cred->cr_label);
obj = SLOT(mntlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1503,7 +1503,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1521,7 +1521,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1540,9 +1540,9 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
/*
* If there is an MLS label update for a pipe, it must be a
- * single update.
+ * effective update.
*/
- error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE);
+ error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
if (error)
return (error);
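Review bot: After the rename the comment in mac_mls_check_pipe_relabel reads `it must be a` on one line and `effective update.` on the next, i.e. "a effective update"; the article has to change along with the noun: `* If there is an MLS label update for a pipe, it must be an` followed by `* effective update.`. The same wording appears in the mac_mls_check_vnode_relabel hunk further down (`it must be a` / `effective label.`), and the same fix applies there.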
@@ -1550,18 +1550,18 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
* To perform a relabel of a pipe (MLS label or not), MLS must
* authorize the relabel.
*/
- if (!mac_mls_single_in_range(obj, subj))
+ if (!mac_mls_effective_in_range(obj, subj))
return (EPERM);
/*
* If the MLS label is to be changed, authorize as appropriate.
*/
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE) {
+ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
/*
* To change the MLS label on a pipe, the new pipe label
* must be in the subject range.
*/
- if (!mac_mls_single_in_range(new, subj))
+ if (!mac_mls_effective_in_range(new, subj))
return (EPERM);
/*
@@ -1590,7 +1590,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1608,7 +1608,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1626,9 +1626,9 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1646,9 +1646,9 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc)
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1666,9 +1666,9 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1686,7 +1686,7 @@ mac_mls_check_socket_deliver(struct socket *so, struct label *socketlabel,
p = SLOT(mbuflabel);
s = SLOT(socketlabel);
- return (mac_mls_equal_single(p, s) ? 0 : EACCES);
+ return (mac_mls_equal_effective(p, s) ? 0 : EACCES);
}
static int
@@ -1702,28 +1702,28 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket,
/*
* If there is an MLS label update for the socket, it may be
- * an update of single.
+ * an update of effective.
*/
- error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE);
+ error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
if (error)
return (error);
/*
- * To relabel a socket, the old socket single must be in the subject
+ * To relabel a socket, the old socket effective must be in the subject
* range.
*/
- if (!mac_mls_single_in_range(obj, subj))
+ if (!mac_mls_effective_in_range(obj, subj))
return (EPERM);
/*
* If the MLS label is to be changed, authorize as appropriate.
*/
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE) {
+ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
/*
- * To relabel a socket, the new socket single must be in
+ * To relabel a socket, the new socket effective must be in
* the subject range.
*/
- if (!mac_mls_single_in_range(new, subj))
+ if (!mac_mls_effective_in_range(new, subj))
return (EPERM);
/*
@@ -1752,7 +1752,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (ENOENT);
return (0);
@@ -1770,8 +1770,8 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj) ||
- !mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1789,7 +1789,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1807,7 +1807,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1825,7 +1825,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1844,12 +1844,12 @@ mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1867,7 +1867,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1885,7 +1885,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -1917,7 +1917,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1935,7 +1935,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1953,7 +1953,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -1972,11 +1972,11 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
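Review bot: In mac_mls_check_vnode_link both checks read the same label: `obj = SLOT(dlabel);` is assigned twice, so the second `if (!mac_mls_dominate_effective(obj, subj))` merely repeats the first and the label of the file being linked is never consulted. The parallel mac_mls_check_vnode_delete in this diff checks `dlabel` and then `label`, so the second assignment here is presumably meant to be `obj = SLOT(label);`; the function's signature is outside the hunk, so confirm the parameter name before changing it. This is pre-existing and orthogonal to the rename, but worth a follow-up since it leaves one of the two intended access checks unenforced.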
@@ -1995,7 +1995,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2013,7 +2013,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2036,11 +2036,11 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
obj = SLOT(label);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
}
if (prot & VM_PROT_WRITE) {
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
}
@@ -2061,11 +2061,11 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
/* XXX privilege override for admin? */
if (acc_mode & (VREAD | VEXEC | VSTAT)) {
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
}
if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
}
@@ -2084,7 +2084,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2102,7 +2102,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2120,7 +2120,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2138,7 +2138,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2157,9 +2157,9 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
/*
* If there is an MLS label update for the vnode, it must be a
- * single label.
+ * effective label.
*/
- error = mls_atmostflags(new, MAC_MLS_FLAG_SINGLE);
+ error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
if (error)
return (error);
@@ -2167,18 +2167,18 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
* To perform a relabel of the vnode (MLS label or not), MLS must
* authorize the relabel.
*/
- if (!mac_mls_single_in_range(old, subj))
+ if (!mac_mls_effective_in_range(old, subj))
return (EPERM);
/*
* If the MLS label is to be changed, authorize as appropriate.
*/
- if (new->mm_flags & MAC_MLS_FLAG_SINGLE) {
+ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
/*
* To change the MLS label on a vnode, the new vnode label
* must be in the subject range.
*/
- if (!mac_mls_single_in_range(new, subj))
+ if (!mac_mls_effective_in_range(new, subj))
return (EPERM);
/*
@@ -2209,12 +2209,12 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2233,13 +2233,13 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
if (vp != NULL) {
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
}
@@ -2258,7 +2258,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2276,7 +2276,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2295,7 +2295,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
/* XXX: protect the MAC EA in a special way? */
@@ -2315,7 +2315,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2333,7 +2333,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2351,7 +2351,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2369,7 +2369,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
@@ -2387,7 +2387,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
subj = SLOT(active_cred->cr_label);
obj = SLOT(vnodelabel);
- if (!mac_mls_dominate_single(subj, obj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
@@ -2405,7 +2405,7 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
- if (!mac_mls_dominate_single(obj, subj))
+ if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
return (0);
diff --git a/sys/security/mac_mls/mac_mls.h b/sys/security/mac_mls/mac_mls.h
index 69a3b62f80a0..7bed921b87fb 100644
--- a/sys/security/mac_mls/mac_mls.h
+++ b/sys/security/mac_mls/mac_mls.h
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -44,9 +44,9 @@
#define MAC_MLS_LABEL_NAME "mls"
-#define MAC_MLS_FLAG_SINGLE 0x00000001 /* mm_single initialized */
+#define MAC_MLS_FLAG_EFFECTIVE 0x00000001 /* mm_effective initialized */
#define MAC_MLS_FLAG_RANGE 0x00000002 /* mm_range* initialized */
-#define MAC_MLS_FLAGS_BOTH (MAC_MLS_FLAG_SINGLE | MAC_MLS_FLAG_RANGE)
+#define MAC_MLS_FLAGS_BOTH (MAC_MLS_FLAG_EFFECTIVE | MAC_MLS_FLAG_RANGE)
#define MAC_MLS_TYPE_UNDEF 0 /* Undefined */
#define MAC_MLS_TYPE_LEVEL 1 /* Hierarchal level with mm_level. */
@@ -78,14 +78,14 @@ struct mac_mls_element {
};
/*
- * MLS labels consist of two components: a single label, and a label
+ * MLS labels consist of two components: an effective label, and a label
* range. Depending on the context, one or both may be used; the mb_flags
* field permits the provider to indicate what fields are intended for
* use.
*/
struct mac_mls {
int mm_flags;
- struct mac_mls_element mm_single;
+ struct mac_mls_element mm_effective;
struct mac_mls_element mm_rangelow, mm_rangehigh;
};