diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 684082b0a205..d10b03f36823 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -779,6 +779,10 @@ noinline int slow_avc_audit(struct selinux_state *state,
 struct common_audit_data stack_data;
 struct selinux_audit_data sad;
+ /* Only log permissive=1 messages for SECURITY_SELINUX_DEVELOP */
+ if (denied && !result)
+ return 0;
+
 if (!a) {
 a = &stack_data;
 a->type = LSM_AUDIT_DATA_NONE;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 9a28d2e27707..0f445ef4b75c 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -84,12 +84,6 @@ enum {
 extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
 extern int selinux_android_netlink_route;
-extern int selinux_policycap_netpeer;
-extern int selinux_policycap_openperm;
-extern int selinux_policycap_extsockclass;
-extern int selinux_policycap_alwaysnetwork;
-extern int selinux_policycap_cgroupseclabel;
-extern int selinux_policycap_nnp_nosuid_transition;
 /*
 * type_datum properties
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 6c9d964fd950..02bc47a6a237 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -71,7 +71,7 @@
 #include "audit.h"
 /* Policy capability names */
-const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
+char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
 "network_peer_controls",
 "open_perms",
 "extended_socket_class",
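Review bot: In security/selinux/avc.c, the early return added to slow_avc_audit() is unconditional, although its comment says permissive=1 messages are logged only for SECURITY_SELINUX_DEVELOP; no preprocessor guard is visible around it in the hunk. As written, every call with `denied` set and `result` zero returns before an audit record is built. If that combination is how permissively allowed accesses reach this function (the caller is outside the hunk), those records disappear on development builds too, and nothing records what a permissive domain was allowed to do. If the intent is to keep them on development kernels, wrap the check in `#ifndef CONFIG_SECURITY_SELINUX_DEVELOP` and `#endif`; otherwise reword the comment to say the records are always dropped. The function body continues outside the hunk.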
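Review bot: In security/selinux/ss/services.c, dropping `const` from `selinux_policycap_names` makes the definition agree with the `extern char *` declaration visible in security.h, but it does so by making a table of string literals look writable. Keeping the qualifier and changing the header instead, `extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];`, would resolve the same mismatch and keep the compiler rejecting writes through these pointers. `const char *const` would also make the pointer table itself read-only, provided nothing assigns to it, which cannot be confirmed from these hunks. The initializer continues past the end of the hunk.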
@@ -80,13 +80,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
 "nnp_nosuid_transition"
 };
+static struct selinux_ss selinux_ss;
 int selinux_android_netlink_route;
-int selinux_policycap_netpeer;
-int selinux_policycap_openperm;
-int selinux_policycap_extsockclass;
-int selinux_policycap_alwaysnetwork;
-int selinux_policycap_cgroupseclabel;
-int selinux_policycap_nnp_nosuid_transition;
 void selinux_ss_init(struct selinux_ss **ss)
 {
@@ -2136,7 +2131,7 @@ static void security_load_policycaps(struct selinux_state *state)
 i);
 }
- selinux_android_netlink_route = policydb.android_netlink_route;
+ selinux_android_netlink_route = p->android_netlink_route;
 selinux_nlmsg_init();
 }
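Review bot: The assignment to `selinux_android_netlink_route` in security_load_policycaps() stores into a file-scope global rather than a field reached through the `state` argument, and no locking or ordering is visible in the hunk. If a policy reload can run while other code reads the flag, the access should be marked as intentionally lockless, for example `WRITE_ONCE(selinux_android_netlink_route, p->android_netlink_route);` with `READ_ONCE()` at the readers, or the lock that serialises it should be named in a comment. A one-line comment that `selinux_nlmsg_init()` presumably consumes the value just stored would also explain why the two statements must stay in this order. The start of the function is outside the hunk.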