diff --git a/sys/conf/files b/sys/conf/files
index d07c82bc2d52..c8e120abfaa3 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1957,6 +1957,7 @@ security/audit/audit_pipe.c optional audit
 security/audit/audit_syscalls.c standard
 security/audit/audit_trigger.c optional audit
 security/audit/audit_worker.c optional audit
+security/mac/mac_audit.c optional mac audit
 security/mac/mac_framework.c optional mac
 security/mac/mac_inet.c optional mac inet
 security/mac/mac_label.c optional mac
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index d227334840b0..96dedbab733f 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -29,6 +29,8 @@
 * $FreeBSD$
 */
+#include "opt_mac.h"
+
 #include
 #include
 #include
@@ -41,8 +43,10 @@
 #include
 #include
+
 #include
 #include
+#include
 #ifdef AUDIT
@@ -109,6 +113,12 @@ audit(struct thread *td, struct audit_args *uap)
 goto free_out;
 }
+#ifdef MAC
+ error = mac_check_system_audit(td->td_ucred, rec, uap->length);
+ if (error)
+ goto free_out;
+#endif
+
 /*
 * Attach the user audit record to the kernel audit record. Because
 * this system call is an auditable event, we will write the user
@@ -153,6 +163,13 @@ auditon(struct thread *td, struct auditon_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
 AUDIT_ARG(cmd, uap->cmd);
+
+#ifdef MAC
+ error = mac_check_system_auditon(td->td_ucred, uap->cmd);
+ if (error)
+ return (error);
+#endif
+
 error = priv_check(td, PRIV_AUDIT_CONTROL);
 if (error)
 return (error);
@@ -451,6 +468,12 @@ setauid(struct thread *td, struct setauid_args *uap)
 audit_arg_auid(id);
+#ifdef MAC
+ error = mac_check_proc_setauid(td->td_ucred, id);
+ if (error)
+ return (error);
+#endif
+
 /*
 * XXX: Integer write on static pointer dereference: doesn't need
 * locking?
@@ -519,6 +542,12 @@ setaudit(struct thread *td, struct setaudit_args *uap)
 audit_arg_auditinfo(&ai);
+#ifdef MAC
+ error = mac_check_proc_setaudit(td->td_ucred, &ai);
+ if (error)
+ return (error);
+#endif
+
 /*
 * XXXRW: Test privilege while holding the proc lock?
 */
@@ -568,6 +597,11 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
 if (error)
 return (error);
+#ifdef MAC
+ error = mac_check_proc_setaudit(td->td_ucred, NULL);
+ if (error)
+ return (error);
+#endif
 error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
 if (error)
 return (error);
@@ -617,7 +651,17 @@ auditctl(struct thread *td, struct auditctl_args *uap)
 return (error);
 vfslocked = NDHASGIANT(&nd);
 vp = nd.ni_vp;
+#ifdef MAC
+ error = mac_check_system_auditctl(td->td_ucred, vp);
 VOP_UNLOCK(vp, 0, td);
+ if (error) {
+ vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
+ VFS_UNLOCK_GIANT(vfslocked);
+ return (error);
+ }
+#else
+ VOP_UNLOCK(vp, 0, td);
+#endif
 NDFREE(&nd, NDF_ONLY_PNBUF);
 if (vp->v_type != VREG) {
 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
new file mode 100644
index 000000000000..c3aad11c4458
--- /dev/null
+++ b/sys/security/mac/mac_audit.c
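Review bot: In the setaudit_addr() hunk the policy hook is invoked as `mac_check_proc_setaudit(td->td_ucred, NULL)` and before `copyin(uap->auditinfo_addr, &aia, sizeof(aia))`, so a policy cannot see the audit state being installed, and an `mpo_check_proc_setaudit` implementation written against setaudit() (which passes `&ai`) would dereference NULL on this path. Moving the check below the copyin and handing policies the copied-in data, through an entry point typed for the address-extended structure, would close the gap; at minimum the `mpo_check_proc_setaudit_t` typedef needs a comment such as `/* ai is NULL when called from setaudit_addr() */`. The stub and test policies in this commit ignore `ai`, so nothing visible here trips on it yet. setaudit_addr() starts and ends outside the hunk.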
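Review bot: The MAC-denied branch added to auditctl() returns without reaching `NDFREE(&nd, NDF_ONLY_PNBUF)`, so the lookup's pathname buffer looks to be leaked whenever a policy refuses the vnode; the normal path and the `vp->v_type != VREG` path both pass through NDFREE first. Adding `NDFREE(&nd, NDF_ONLY_PNBUF);` as the first statement inside `if (error) {` fixes it. As a style point, the `#else` arm exists only to repeat `VOP_UNLOCK(vp, 0, td);`; keeping a single unconditional unlock and wrapping just the check and the error block in `#ifdef MAC` would read more easily. auditctl() starts and ends outside the hunk, so confirm no earlier cleanup already frees the buffer.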
@@ -0,0 +1,101 @@
+/*-
+ * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 2001 Ilmar S. Habibulin
+ * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ *
+ * This software was developed by Robert Watson and Ilmar Habibulin for the
+ * TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include
+#include
+#include
+
+#include
+
+#include
+#include
+#include
+
+int
+mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+ int error;
+
+ MAC_CHECK(check_proc_setaudit, cred, ai);
+
+ return (error);
+}
+
+int
+mac_check_proc_setauid(struct ucred *cred, uid_t auid)
+{
+ int error;
+
+ MAC_CHECK(check_proc_setauid, cred, auid);
+
+ return (error);
+}
+
+int
+mac_check_system_audit(struct ucred *cred, void *record, int length)
+{
+ int error;
+
+ MAC_CHECK(check_system_audit, cred, record, length);
+
+ return (error);
+}
+
+int
+mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+ struct label *vl;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
+
+ vl = (vp != NULL) ? vp->v_label : NULL;
+
+ MAC_CHECK(check_system_auditctl, cred, vp, vl);
+
+ return (error);
+}
+
+int
+mac_check_system_auditon(struct ucred *cred, int cmd)
+{
+ int error;
+
+ MAC_CHECK(check_system_auditon, cred, cmd);
+
+ return (error);
+}
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 4a954768c5c6..f127456fe589 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -50,6 +50,7 @@
 #error "no user-serviceable parts inside"
 #endif
+struct auditinfo;
 struct bpf_d;
 struct cdev;
 struct componentname;
@@ -297,6 +298,8 @@ int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr);
 int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr);
 int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
 int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
+int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
+int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
 int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
 uid_t uid);
 int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
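Review bot: None of the five entry points in the new mac_audit.c carries a comment, and the argument contract is not obvious from the code: `mac_check_system_auditctl` runs `ASSERT_VOP_LOCKED(vp, ...)` and then treats `vp` as possibly NULL in `vl = (vp != NULL) ? vp->v_label : NULL;`, while `mac_check_proc_setaudit` is called with `ai == NULL` from setaudit_addr(). A short block comment above each function should state what is being authorised, which arguments may be NULL, and the locking expected (the auditctl() caller invokes the check before `VOP_UNLOCK`). If a NULL vnode is not a legal argument for auditctl, replacing the ternary with `vl = vp->v_label;` would make that explicit for policy authors.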
@@ -334,6 +337,9 @@ int mac_check_socket_stat(struct ucred *cred, struct socket *so);
 int mac_check_socket_visible(struct ucred *cred, struct socket *so);
 int mac_check_sysarch_ioperm(struct ucred *cred);
 int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
+int mac_check_system_audit(struct ucred *cred, void *record, int length);
+int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
+int mac_check_system_auditon(struct ucred *cred, int cmd);
 int mac_check_system_nfsd(struct ucred *cred);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_settime(struct ucred *cred);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index c3c435cc7329..ade77f627df3 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -62,6 +62,7 @@
 #include /* XXX acl_type_t */
 struct acl;
+struct auditinfo;
 struct bpf_d;
 struct cdev;
 struct componentname;
@@ -455,6 +456,9 @@ typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
 struct proc *proc);
 typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
 struct proc *proc);
+typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
+ struct auditinfo *ai);
+typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
 typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
 typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
 typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid);
@@ -504,6 +508,11 @@ typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
 typedef int (*mpo_check_sysarch_ioperm_t)(struct ucred *cred);
 typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
 struct vnode *vp, struct label *vlabel);
+typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
+ int length);
+typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
+ struct vnode *vp, struct label *vplabel);
+typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
 typedef int (*mpo_check_system_nfsd_t)(struct ucred *cred);
 typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
 typedef int (*mpo_check_system_settime_t)(struct ucred *cred);
@@ -827,6 +836,8 @@ struct mac_policy_ops {
 mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait;
 mpo_check_proc_debug_t mpo_check_proc_debug;
 mpo_check_proc_sched_t mpo_check_proc_sched;
+ mpo_check_proc_setaudit_t mpo_check_proc_setaudit;
+ mpo_check_proc_setauid_t mpo_check_proc_setauid;
 mpo_check_proc_setuid_t mpo_check_proc_setuid;
 mpo_check_proc_seteuid_t mpo_check_proc_seteuid;
 mpo_check_proc_setgid_t mpo_check_proc_setgid;
@@ -853,6 +864,9 @@ struct mac_policy_ops {
 mpo_check_socket_visible_t mpo_check_socket_visible;
 mpo_check_sysarch_ioperm_t mpo_check_sysarch_ioperm;
 mpo_check_system_acct_t mpo_check_system_acct;
+ mpo_check_system_audit_t mpo_check_system_audit;
+ mpo_check_system_auditctl_t mpo_check_system_auditctl;
+ mpo_check_system_auditon_t mpo_check_system_auditon;
 mpo_check_system_nfsd_t mpo_check_system_nfsd;
 mpo_check_system_reboot_t mpo_check_system_reboot;
 mpo_check_system_settime_t mpo_check_system_settime;
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 202aeed68250..abb817d560a3 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2303,6 +2303,50 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
 return (0);
 }
+static int
+mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ if (vplabel == NULL)
+ return (0);
+
+ obj = SLOT(vplabel);
+ if (!mac_biba_high_effective(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+{
+ struct mac_biba *subj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
 static int
 mac_biba_check_system_settime(struct ucred *cred)
 {
@@ -3204,6 +3248,8 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_check_socket_visible = mac_biba_check_socket_visible,
 .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
 .mpo_check_system_acct = mac_biba_check_system_acct,
+ .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
+ .mpo_check_system_auditon = mac_biba_check_system_auditon,
 .mpo_check_system_settime = mac_biba_check_system_settime,
 .mpo_check_system_swapon = mac_biba_check_system_swapon,
 .mpo_check_system_swapoff = mac_biba_check_system_swapoff,
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index a0bb80503df9..da99f2b598ed 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -487,6 +487,30 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
 }
+static int
+mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
+
 static int
 mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
 struct label *label)
@@ -739,6 +763,9 @@ static struct mac_policy_ops mac_bsdextended_ops =
 {
 .mpo_destroy = mac_bsdextended_destroy,
 .mpo_init = mac_bsdextended_init,
+ .mpo_check_system_acct = mac_bsdextended_check_system_acct,
+ .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
+ .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
 .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
 .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
 .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 3beb7011d14c..d24e63f80f69 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * All rights reserved.
 *
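Review bot: The acct and auditctl hooks added from this hunk onward do not guard against a NULL vnode or label: `mac_bsdextended_check_system_acct` and `mac_bsdextended_check_system_auditctl` pass `vp` straight to `mac_bsdextended_check_vp`, and the `mac_lomac_check_system_acct`/`_auditctl` and `mac_mls_check_system_acct`/`_auditctl` hunks further down run `obj = SLOT(label);` unconditionally. Elsewhere in this commit the argument is treated as optional (`mac_check_system_auditctl` computes `vl = (vp != NULL) ? vp->v_label : NULL;`, the Biba hook returns early on `vplabel == NULL`, and the mac_test hooks wrap the label assertion in `if (label != NULL)`), so a caller that supplies no vnode would presumably fault in these three policies. Either add an early `if (vp == NULL) return (0);` here and `if (label == NULL) return (0);` before `SLOT(label)` in LOMAC and MLS, or, if NULL is never legal, remove the NULL handling from the framework wrapper so the contract is the same everywhere. The body of `mac_bsdextended_check_vp` is outside the hunk, so confirm it does not already handle a NULL `vp`.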
@@ -2045,6 +2045,65 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
 return (0);
 }
+static int
+mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_lomac *subj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ return (0);
+}
+
 static int
 mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
 struct label *label)
@@ -2700,6 +2759,9 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
 .mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
 .mpo_check_socket_visible = mac_lomac_check_socket_visible,
+ .mpo_check_system_acct = mac_lomac_check_system_acct,
+ .mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
+ .mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
 .mpo_check_system_swapon = mac_lomac_check_system_swapon,
 .mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
 .mpo_check_vnode_access = mac_lomac_check_vnode_open,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index b9001203ca83..e1cbc91d5128 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2164,6 +2164,44 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
 return (0);
 }
+static int
+mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
 static int
 mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
 struct label *label)
@@ -2972,6 +3010,8 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_check_socket_deliver = mac_mls_check_socket_deliver,
 .mpo_check_socket_relabel = mac_mls_check_socket_relabel,
 .mpo_check_socket_visible = mac_mls_check_socket_visible,
+ .mpo_check_system_acct = mac_mls_check_system_acct,
+ .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
 .mpo_check_system_swapon = mac_mls_check_system_swapon,
 .mpo_check_vnode_access = mac_mls_check_vnode_open,
 .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index e80da04026ce..9e66145ecc3d 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
 * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
@@ -919,6 +919,20 @@ stub_check_proc_wait(struct ucred *cred, struct proc *proc)
 return (0);
 }
+static int
+stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+ return (0);
+}
+
+static int
+stub_check_proc_setauid(struct ucred *cred, uid_t auid)
+{
+
+ return (0);
+}
+
 static int
 stub_check_proc_setuid(struct ucred *cred, uid_t uid)
 {
@@ -1095,6 +1109,28 @@ stub_check_system_acct(struct ucred *cred, struct vnode *vp,
 return (0);
 }
+static int
+stub_check_system_audit(struct ucred *cred, void *record, int length)
+{
+
+ return (0);
+}
+
+static int
+stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vlabel)
+{
+
+ return (0);
+}
+
+static int
+stub_check_system_auditon(struct ucred *cred, int cmd)
+{
+
+ return (0);
+}
+
 static int
 stub_check_system_nfsd(struct ucred *cred)
 {
@@ -1117,7 +1153,7 @@ stub_check_system_settime(struct ucred *cred)
 }
 static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
@@ -1125,7 +1161,7 @@ stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
@@ -1576,6 +1612,8 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
 .mpo_check_proc_debug = stub_check_proc_debug,
 .mpo_check_proc_sched = stub_check_proc_sched,
+ .mpo_check_proc_setaudit = stub_check_proc_setaudit,
+ .mpo_check_proc_setauid = stub_check_proc_setauid,
 .mpo_check_proc_setuid = stub_check_proc_setuid,
 .mpo_check_proc_seteuid = stub_check_proc_seteuid,
 .mpo_check_proc_setgid = stub_check_proc_setgid,
@@ -1601,11 +1639,14 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_check_socket_visible = stub_check_socket_visible,
 .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
 .mpo_check_system_acct = stub_check_system_acct,
+ .mpo_check_system_audit = stub_check_system_audit,
+ .mpo_check_system_auditctl = stub_check_system_auditctl,
+ .mpo_check_system_auditon = stub_check_system_auditon,
 .mpo_check_system_nfsd = stub_check_system_nfsd,
 .mpo_check_system_reboot = stub_check_system_reboot,
 .mpo_check_system_settime = stub_check_system_settime,
- .mpo_check_system_swapon = stub_check_system_swapon,
 .mpo_check_system_swapoff = stub_check_system_swapoff,
+ .mpo_check_system_swapon = stub_check_system_swapon,
 .mpo_check_system_sysctl = stub_check_system_sysctl,
 .mpo_check_vnode_access = stub_check_vnode_access,
 .mpo_check_vnode_chdir = stub_check_vnode_chdir,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 0ca31e104b24..cff35f637941 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1711,6 +1711,24 @@ mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 return (0);
 }
+static int
+mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+ ASSERT_CRED_LABEL(cred->cr_label);
+
+ return (0);
+}
+
+static int
+mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
+{
+
+ ASSERT_CRED_LABEL(cred->cr_label);
+
+ return (0);
+}
+
 static int
 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
 {
@@ -1941,6 +1959,40 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
+ ASSERT_CRED_LABEL(cred->cr_label);
+ if (label != NULL) {
+ ASSERT_VNODE_LABEL(label);
+ }
+
+ return (0);
+}
+
+static int
+mac_test_check_system_audit(struct ucred *cred, void *record, int length)
+{
+
+ ASSERT_CRED_LABEL(cred->cr_label);
+
+ return (0);
+}
+
+static int
+mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ ASSERT_CRED_LABEL(cred->cr_label);
+ if (label != NULL) {
+ ASSERT_VNODE_LABEL(label);
+ }
+
+ return (0);
+}
+
+static int
+mac_test_check_system_auditon(struct ucred *cred, int cmd)
+{
+
 ASSERT_CRED_LABEL(cred->cr_label);
 return (0);
@@ -1965,7 +2017,7 @@ mac_test_check_system_settime(struct ucred *cred)
 }
 static int
-mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
@@ -1976,7 +2028,7 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
@@ -2515,6 +2567,8 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
 .mpo_check_proc_debug = mac_test_check_proc_debug,
 .mpo_check_proc_sched = mac_test_check_proc_sched,
+ .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
+ .mpo_check_proc_setauid = mac_test_check_proc_setauid,
 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
@@ -2539,10 +2593,13 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_check_socket_visible = mac_test_check_socket_visible,
 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
 .mpo_check_system_acct = mac_test_check_system_acct,
+ .mpo_check_system_audit = mac_test_check_system_audit,
+ .mpo_check_system_auditctl = mac_test_check_system_auditctl,
+ .mpo_check_system_auditon = mac_test_check_system_auditon,
 .mpo_check_system_reboot = mac_test_check_system_reboot,
 .mpo_check_system_settime = mac_test_check_system_settime,
- .mpo_check_system_swapon = mac_test_check_system_swapon,
 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
+ .mpo_check_system_swapon = mac_test_check_system_swapon,
 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
 .mpo_check_vnode_access = mac_test_check_vnode_access,
 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,