SELinux Mailing List

Re: dynamic context transitions

From: Darrel Goeddel <dgoeddel_at_TrustedCS.com>
Date: Wed, 24 Nov 2004 09:30:41 -0600


Stephen Smalley wrote:
> Unless you have an actual usage scenario for this functionality, I'd
> suggest a simple prohibition of any change in context even by the thread
> group leader if there are any child threads. That would still allow a
> process to change its context prior to spawning any threads, e.g. to
> shed privileges during startup. Changing the security attributes of
> other threads without their explicit awareness/consent is undesirable;
> note that SELinux currently prevents setprocattr on another task.

The prohibition works for us. Would you like a new patch with these changes?

-- 

Darrel

Received on Wed 24 Nov 2004 - 10:30:03 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service