diff --git a/Changelog b/Changelog
index 455c410..9352cb9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Marked the pax class as deprecated, changed it to userland so
+  it will be removed from the kernel.
 - Stop including netfilter contexts by default.
 - Add dontaudits for init fds and console to init_daemon_domain().
 - Patch to allow gpg to create user keys dir.
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 788d854..ff96cf1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -63,8 +63,8 @@ class xinput			# userspace
 class xserver			# userspace
 class xextension		# userspace
 
-# pax flags
-class pax
+# pax flags; deprecated--can be reclaimed
+class pax			# userspace
 
 # extended netlink sockets
 class netlink_route_socket
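Review bot: The new comment on `class pax` says the class "can be reclaimed" but does not say that the entry has to stay where it is until then. If class values are assigned by position in this file, as is usual for flask class lists, deleting or moving the line would renumber `netlink_route_socket` and every class after it. Access checks could then be evaluated against the wrong class wherever the numbering is compiled in. The `# userspace` tag is also used here only to drop the class from the kernel side, per the Changelog entry, and not because a userspace object manager owns it as with the X classes above. I would spell both points out, for example `# pax flags; deprecated. Marked userspace only to drop it from the kernel;` followed by `# keep this slot as a placeholder so later classes are not renumbered.` The hunk does not show whether the matching pax entry in the access vector definitions is retained, so that should be confirmed before merging.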