SELinux Mailing List

Re: dynamic context transitions

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Mon, 1 Nov 2004 22:33:06 +0000


On Mon, Nov 01, 2004 at 04:27:40PM -0500, Karl MacMillan wrote:
> Dropping privileges after startup can already be accomplished with
> conditional policies, though it requires that only one process be
> running in a given domain.
 

 sorry to be a pain but i feel a need to clarify: is that most definitely the case?

 to illustrate, which of these is true:

  • if i have two processes in a given domain, and one process runs the "drop privileges" selinux function, the process calling the function has its privileges "dropped" but the other process retains the _original_ privileges.
  • if i have two or more processes in a given domain, and one process runs the "drop privileges" selinux function, _all_ processes in that domain have their privileges "dropped".
  • something indeterminate happens and it all goes pear-shaped.

 l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 1 Nov 2004 - 17:22:27 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service