diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
index 1a94c11..8747091 100644
--- a/grsecurity/gracl_cap.c
+++ b/grsecurity/gracl_cap.c
@@ -8,7 +8,7 @@
 extern const char *captab_log[];
 extern int captab_log_entries;
 
-int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
 {
 	struct acl_subject_label *curracl;
 
@@ -18,7 +18,8 @@ int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const
 	curracl = task->acl;
 
 	if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
-		security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
+		if (log)
+			security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
 			       task->role->roletype, GR_GLOBAL_UID(cred->uid),
 			       GR_GLOBAL_GID(cred->gid), task->exec_file ?
 			       gr_to_filename(task->exec_file->f_path.dentry,
@@ -31,7 +32,7 @@ int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const
 	return 0;
 }
 
-int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
 {
 	struct acl_subject_label *curracl;
 	kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
@@ -62,7 +63,7 @@ int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cr
 	}
 
 	if (!cap_raised(cap_drop, cap)) {
-		if (cap_raised(cap_audit, cap))
+		if (log && cap_raised(cap_audit, cap))
 			gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
 		return 1;
 	}
@@ -72,10 +73,10 @@ int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cr
 	   to this rule to ensure any role transition involves what the full-learned
 	   policy believes in a privileged process
 	*/
-	if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
+	if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap, log))
 		return 1;
 
-	if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+	if (log && (cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
 		gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
 
 	return 0;
@@ -84,44 +85,12 @@ int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cr
 int
 gr_acl_is_capable(const int cap)
 {
-	return gr_task_acl_is_capable(current, current_cred(), cap);
-}
-
-int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
-{
-	struct acl_subject_label *curracl;
-	kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
-
-	if (!gr_acl_is_enabled())
-		return 1;
-
-	curracl = task->acl;
-
-	cap_drop = curracl->cap_lower;
-	cap_mask = curracl->cap_mask;
-
-	while ((curracl = curracl->parent_subject)) {
-		/* if the cap isn't specified in the current computed mask but is specified in the
-		   current level subject, and is lowered in the current level subject, then add
-		   it to the set of dropped capabilities
-		   otherwise, add the current level subject's mask to the current computed mask
-		 */
-		if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
-			cap_raise(cap_mask, cap);
-			if (cap_raised(curracl->cap_lower, cap))
-				cap_raise(cap_drop, cap);
-		}
-	}
-
-	if (!cap_raised(cap_drop, cap))
-		return 1;
-
-	return 0;
+	return gr_task_acl_is_capable(current, current_cred(), cap, true);
 }
 
 int
 gr_acl_is_capable_nolog(const int cap)
 {
-	return gr_task_acl_is_capable_nolog(current, cap);
+	return gr_task_acl_is_capable(current, current_cred(), cap, false);
 }
 
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
index dece8e5..93d4602 100644
--- a/grsecurity/grsec_disabled.c
+++ b/grsecurity/grsec_disabled.c
@@ -40,7 +40,7 @@ gr_acl_is_enabled(void)
 }
 
 int
-gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
 {
 	return 0;
 }
diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
index 14638ff..5c4b913 100644
--- a/grsecurity/grsec_exec.c
+++ b/grsecurity/grsec_exec.c
@@ -88,8 +88,7 @@ gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
 #ifdef CONFIG_GRKERNSEC
 extern int gr_acl_is_capable(const int cap);
 extern int gr_acl_is_capable_nolog(const int cap);
-extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
-extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
+extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap, bool log);
 extern int gr_chroot_is_capable(const int cap);
 extern int gr_chroot_is_capable_nolog(const int cap);
 extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
@@ -152,7 +151,7 @@ int gr_is_capable(const int cap)
 int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
 {
 #ifdef CONFIG_GRKERNSEC
-	if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
+	if (gr_task_acl_is_capable(task, cred, cap, true) && gr_task_chroot_is_capable(task, cred, cap))
 		return 1;
 	return 0;
 #else
@@ -171,10 +170,10 @@ int gr_is_capable_nolog(const int cap)
 #endif
 }
 
-int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
+int gr_task_is_capable_nolog(const struct task_struct *task, const struct cred *cred, const int cap)
 {
 #ifdef CONFIG_GRKERNSEC
-	if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
+	if (gr_task_acl_is_capable(task, cred, cap, false) && gr_task_chroot_is_capable_nolog(task, cap))
 		return 1;
 	return 0;
 #else
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
index 77bb49a..acd5a94 100644
--- a/include/linux/grsecurity.h
+++ b/include/linux/grsecurity.h
@@ -44,7 +44,7 @@ int gr_acl_enable_at_secure(void);
 int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
 int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
 
-int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log);
 
 void gr_del_task_from_ip_table(struct task_struct *p);
 
@@ -114,7 +114,7 @@ int gr_handle_hardlink(const struct dentry *dentry,
 int gr_is_capable(const int cap);
 int gr_is_capable_nolog(const int cap);
 int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
-int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
+int gr_task_is_capable_nolog(const struct task_struct *task, const struct cred *cred, const int cap);
 
 void gr_copy_label(struct task_struct *tsk);
 void gr_handle_crash(struct task_struct *task, const int sig);
diff --git a/kernel/capability.c b/kernel/capability.c
index d5954a8..d08e50b 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -351,7 +351,7 @@ bool has_ns_capability_noaudit(struct task_struct *t,
 	int ret;
 
 	rcu_read_lock();
-	ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
+	ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, __task_cred(t), cap);
 	rcu_read_unlock();
 
 	return ret;
diff --git a/kernel/sys.c b/kernel/sys.c
index 3108703e..938ed87 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -368,7 +368,7 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
 		   we may not log a CAP_SETGID check above, e.g.
 		   in the case where new rgid = old egid
 		*/
-		gr_learn_cap(current, new, CAP_SETGID);
+		gr_learn_cap(current, new, CAP_SETGID, true);
 	}
 
 	if (rgid != (gid_t) -1 ||
@@ -518,7 +518,7 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
 		   we may not log a CAP_SETUID check above, e.g.
 		   in the case where new ruid = old euid
 		*/
-		gr_learn_cap(current, new, CAP_SETUID);
+		gr_learn_cap(current, new, CAP_SETUID, true);
 		retval = set_user(new);
 		if (retval < 0)
 			goto error;
