diff -Nru selinux-0.9/debian/changelog selinux-0.10~10.04.1/debian/changelog --- selinux-0.9/debian/changelog 2010-04-22 19:00:15.000000000 -0500 +++ selinux-0.10~10.04.1/debian/changelog 2011-12-21 11:30:15.000000000 -0600 @@ -1,3 +1,11 @@ +selinux (1:0.10~10.04.1) lucid-security; urgency=low + + * SECURITY UPDATE: fix unsafe lockfile creation. The scope of this + is limited by when this script is run, but it is still worthwhile + to get this cleaned up (LP: #876994) + + -- Jamie Strandboge Wed, 21 Dec 2011 11:27:22 -0600 + selinux (1:0.9) lucid; urgency=low * mounted-var{run,lock}.upstart, Makefile: add more restorecon diff -Nru selinux-0.9/debian/selinux.init selinux-0.10~10.04.1/debian/selinux.init --- selinux-0.9/debian/selinux.init 2009-09-14 13:59:41.000000000 -0500 +++ selinux-0.10~10.04.1/debian/selinux.init 2011-12-21 12:08:33.000000000 -0600 @@ -32,7 +32,7 @@ FILESYSTEMSRO=`/bin/mount | /bin/grep -v "context=" | /bin/egrep -v '\((|.*,)bind(,.*|)\)' | /usr/bin/awk '/(ext[234]| xfs | jfs ).*\(ro/{print $3}';` FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO" -lockfile=/var/lock/selinux-relabel +lockdir=/var/lock/selinux-relabel # Start only creates the lock start() { @@ -41,7 +41,7 @@ log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system." log_end_msg 0 else - /usr/bin/touch $lockfile + mkdir $lockdir 2>/dev/null || true log_end_msg 0 fi } @@ -51,7 +51,7 @@ if [ -e $statusfile ]; then if [ "x${SELINUXTYPE}" = "x" ]; then log_failure_msg "No SELinux policy found" - /bin/rm -f $lockfile + /bin/rmdir $lockdir exit 5 # LSB defines this as 'program is not installed' fi if [ `/usr/sbin/getenforce` != "Disabled" ]; then @@ -69,7 +69,7 @@ log_action_end_msg $? /bin/rm -f $statusfile $switchfile fi - /bin/rm -f $lockfile + /bin/rmdir $lockdir } # Restart does nothing 
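Review bot: The new `mkdir $lockdir 2>/dev/null || true` in the @@ -41 hunk discards exactly the failure this security fix is about: if a local writer to /var/lock has already planted a file or symlink at /var/lock/selinux-relabel, mkdir fails with EEXIST, nothing is created, and start() still reports success through the following `log_end_msg 0`. I would surface that instead, e.g. `mkdir "$lockdir" 2>/dev/null || { log_failure_msg "Cannot create lock directory $lockdir"; log_end_msg 1; return 1; }`, since the only expected reason for the else branch to hit an existing path is something that is not the lock directory. This matters because the `[ -d $lockdir ]` tests this patch introduces (the status() hunk) follow symlinks, so a symlink to any directory at that path would presumably still read as "relabel requested"; pairing them with `[ ! -L "$lockdir" ]` would close that gap. start() begins outside this hunk, so the condition that selects the else branch is not visible here and may already reject non-directories.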
@@ -79,7 +79,7 @@ # Determine if relabel has been requested status() { - if [ -e $lockfile ] ; then + if [ -d $lockdir ] ; then if [ -e $statusfile ]; then echo "Filesystem will be relabeled using policy ${SELINUXTYPE}." else