diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/libipt_LOG.c iptables-1.3.3-20051019.w/extensions/libipt_LOG.c
--- iptables-1.3.3-20051019.p/extensions/libipt_LOG.c 2005-10-22 21:32:56.000000000 -0400
+++ iptables-1.3.3-20051019.w/extensions/libipt_LOG.c 2005-10-22 21:33:17.000000000 -0400
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -28,7 +29,8 @@ help(void)
 " --log-tcp-sequence Log TCP sequence numbers.\n\n"
 " --log-tcp-options Log TCP options.\n\n"
 " --log-ip-options Log IP options.\n\n"
-" --log-uid Log UID owning the local socket.\n\n",
+" --log-uid Log UID owning the local socket.\n\n"
+" --log-context Log SELinux context of local socket.\n\n",
 IPTABLES_VERSION);
 }
@@ -39,6 +41,7 @@ static struct option opts[] = {
 { .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val = '2' },
 { .name = "log-ip-options", .has_arg = 0, .flag = 0, .val = '3' },
 { .name = "log-uid", .has_arg = 0, .flag = 0, .val = '4' },
+ { .name = "log-context", .has_arg = 0, .flag = 0, .val = '5' },
 { .name = 0 }
 };
@@ -105,6 +108,7 @@ parse_level(const char *level)
 #define IPT_LOG_OPT_TCPOPT 0x08
 #define IPT_LOG_OPT_IPOPT 0x10
 #define IPT_LOG_OPT_UID 0x20
+#define IPT_LOG_OPT_CTX 0x40
 /* Function which parses command options; returns true if it ate an option */
@@ -188,6 +192,19 @@ parse(int c, char **argv, int invert, un
 *flags |= IPT_LOG_OPT_UID;
 break;
+ case '5':
+ if (!is_selinux_enabled())
+ exit_error(PARAMETER_PROBLEM,
+ "--log-context invalid because SELinux is disabled in the kernel");
+
+ if (*flags & IPT_LOG_OPT_CTX)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --log-context twice");
+
+ loginfo->logflags |= IPT_LOG_CTX;
+ *flags |= IPT_LOG_OPT_CTX;
+ break;
+
 default:
 return 0;
 }
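Review bot: The `!is_selinux_enabled()` guard in the new `case '5'` is a userspace-only precondition that treats every non-zero return as "enabled"; if the libselinux in use can report a negative value when it cannot determine the SELinux state, that error path slips through as if SELinux were on, so the conservative form is `if (is_selinux_enabled() <= 0)`. The same guard also runs during iptables-restore, so a saved ruleset containing --log-context stops loading at that rule on a host booted with SELinux off, even though the kernel's LOG target is what ultimately accepts or rejects IPT_LOG_CTX; it is worth stating in the commit description whether that is intended. The enclosing parse() function starts and ends outside this hunk.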
@@ -233,6 +250,8 @@ print(const struct ipt_ip *ip,
 printf("ip-options ");
 if (loginfo->logflags & IPT_LOG_UID)
 printf("uid ");
+ if (loginfo->logflags & IPT_LOG_CTX)
+ printf("context ");
 if (loginfo->logflags & ~(IPT_LOG_MASK))
 printf("unknown-flags ");
 }
@@ -262,6 +281,8 @@ save(const struct ipt_ip *ip, const stru
 printf("--log-ip-options ");
 if (loginfo->logflags & IPT_LOG_UID)
 printf("--log-uid ");
+ if (loginfo->logflags & IPT_LOG_CTX)
+ printf("--log-context ");
 }
 static
diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/Makefile iptables-1.3.3-20051019.w/extensions/Makefile
--- iptables-1.3.3-20051019.p/extensions/Makefile 2005-10-22 21:32:56.000000000 -0400
+++ iptables-1.3.3-20051019.w/extensions/Makefile 2005-10-22 21:32:44.000000000 -0400
@@ -5,9 +5,9 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
 PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL LOG NFQUEUE MARK TRACE
-PF_EXT_SE_SLIB:=
+PF_EXT_SE_SLIB:=LOG
 PF6_EXT_SE_SLIB:=
 # Optionals
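Review bot: The new `context ` branch in print() depends on IPT_LOG_MASK, tested two lines below it, already covering the IPT_LOG_CTX bit, yet neither IPT_LOG_CTX nor an updated IPT_LOG_MASK is part of this patch; if the kernel header shipped with iptables still defines IPT_LOG_MASK without that bit, every rule carrying --log-context is printed as `context unknown-flags `. Either include the header change in this patch or name the header revision it relies on in the commit description. The same dependency applies to the save() hunk that follows, since it prints `--log-context ` from the same flag. print() starts outside this hunk.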
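Review bot: Moving LOG from PF_EXT_SLIB into PF_EXT_SE_SLIB makes the IPv4 LOG target build only when the SELinux-specific extension list is built, so a build that lacks whatever gates PF_EXT_SE_SLIB (presumably libselinux; the rule is not visible in this hunk) loses the LOG target entirely rather than just the --log-context option. Keeping LOG in PF_EXT_SLIB and compiling the --log-context support under a build-time SELinux conditional would limit the regression to the new option; if LOG is meant to become SELinux-only, that should be stated in the commit description. Note also that PF6_EXT_SLIB still lists LOG while PF6_EXT_SE_SLIB stays empty, so IPv4 and IPv6 now diverge in how the LOG extension is built.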