then the kernel is going to have to call out to userspace every time a
file is created or renamed and the policy is going to be enforced
incorrectly until userspace finished labeling/relabeling whatever is
moved. building this sort of race condigion for security into the kernel
is highly questionable at best.
see Linus' rants about why it's not automaticaly the best thing to move
functionality into userspace.
remember that the files covered by an AA policy can change as files are
renamed. this isn't the case with SELinux so it doesn't have this sort of