--- SubDomain.pm.old	2009-10-15 14:58:34.000000000 -0400
+++ SubDomain.pm	2009-10-16 14:17:53.000000000 -0400
@@ -2732,8 +2732,17 @@
     return if ($e->{operation} =~ /profile_set/);
 
     my ($profile, $hat);
+    # just convert new null profile style names to old before we begin processing
+    # profile and name can contain multiple layers of null- but all we care about
+    # currently is single level.
+    if ($e->{profile} =~ m/\/\/null-/) {
+        $e->{profile} = "null-complain-profile";
+    }
     ($profile, $hat) = split /\/\//, $e->{profile};
     if ( $e->{operation} eq "change_hat" ) {
+	#screen out change_hat events that aren't part of learning, as before
+	#AppArmor 2.4 these events only happend as hints during learning
+	return if ($sdmode ne "HINT" &&  $sdmode ne "PERMITTING");
         ($profile, $hat) = split /\/\//, $e->{name};
     }
     $hat = $profile if ( !$hat );
@@ -2757,6 +2766,18 @@
                          $e->{name},
                          $e->{name2}
                        );
+        } elsif ( defined $e->{name2} && $e->{name2} =~ m/\/\/null-/) {
+            add_to_tree( $e->{pid},
+			 $e->{parent},
+                          "exec",
+                          $profile,
+                          $hat,
+                          $prog,
+                          $sdmode,
+                          $e->{denied_mask},
+                          $e->{name},
+			  ""
+                        );
         }
     } elsif ($e->{operation} =~ m/file_/) {
         add_to_tree( $e->{pid},