Hi all,

Earlier this week, I submitted a patch for the mainline 2.5 kernel on lkml (cc'd to lsm) to allow security modules like SELinux to convey a boolean flag via the auxiliary ELF table to userland to indicate whether libc secure mode should be enabled (i.e. sanitize the environment, initial descriptors, etc) so that secure mode can be requested upon changes to other security attributes such as capabilities, roles, domains, etc. This change is to address the underlying issue identified in Rafal Wojtczuk's report. The patch has been taken into Andrew Morton's 2.5.72-mm series, and there have been no objections to it so far.

Below I've attached a corresponding patch for the lsm-2.4 tree and a patch for glibc (based on glibc-2.3.2-27.9 for RH9) to cause glibc to use the boolean flag when it is provided by the kernel. The SELinux code in the kernel patch presently requests libc secure mode for any SID transition (as well as preserving the legacy logic); we may want to replace this with a new permission check to provide greater flexibility.

--
Stephen Smalley
National Security Agency
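
Added example, not part of the original message or of either attached patch: a C sketch of the decision described above, in which libc takes the kernel's boolean from the ELF auxiliary vector when it is present and otherwise falls back to the legacy uid/gid comparison. It assumes the flag is the entry mainline Linux defines as AT_SECURE (tag 23); the struct layouts, function name and sample vectors are constructed for illustration.

```c
#include <stdio.h>

/* Aux vector tags, values as in Linux <elf.h>; EX_ prefix marks them as
 * local to this example. Assumption: the flag in the message is AT_SECURE. */
#define EX_AT_NULL   0UL   /* terminates the vector */
#define EX_AT_PAGESZ 6UL   /* unrelated entry, to make the samples realistic */
#define EX_AT_SECURE 23UL  /* kernel-supplied secure-mode boolean */

struct aux_entry { unsigned long type, val; };  /* hypothetical layout */
struct ids { unsigned uid, euid, gid, egid; };  /* hypothetical */

/* Returns 1 if libc should run in secure mode, 0 otherwise. */
int want_secure_mode(const struct aux_entry *auxv, struct ids id)
{
    for (const struct aux_entry *p = auxv; p->type != EX_AT_NULL; p++)
        if (p->type == EX_AT_SECURE)
            return p->val != 0;   /* kernel (or its security module) decided */
    /* Flag absent (older kernel): legacy check sees only uid/gid changes. */
    return id.uid != id.euid || id.gid != id.egid;
}

/* Constructed sample inputs. */
static const struct aux_entry AUXV_TRANSITION[] = {  /* e.g. SID transition */
    { EX_AT_PAGESZ, 4096 }, { EX_AT_SECURE, 1 }, { EX_AT_NULL, 0 } };
static const struct aux_entry AUXV_FLAG_CLEAR[] = {
    { EX_AT_PAGESZ, 4096 }, { EX_AT_SECURE, 0 }, { EX_AT_NULL, 0 } };
static const struct aux_entry AUXV_NO_FLAG[] = {     /* kernel without flag */
    { EX_AT_PAGESZ, 4096 }, { EX_AT_NULL, 0 } };
static const struct ids SAME_IDS   = { 1000, 1000, 1000, 1000 };
static const struct ids SETUID_IDS = { 1000, 0, 1000, 1000 };

int main(void)
{
    /* Same uid/gid, but the security module changed other attributes:
     * only the flag reveals that the environment must be sanitized. */
    printf("transition, same ids: %d\n",
           want_secure_mode(AUXV_TRANSITION, SAME_IDS));
    printf("no flag, same ids:    %d\n",
           want_secure_mode(AUXV_NO_FLAG, SAME_IDS));
    printf("no flag, setuid:      %d\n",
           want_secure_mode(AUXV_NO_FLAG, SETUID_IDS));
    printf("flag clear, same ids: %d\n",
           want_secure_mode(AUXV_FLAG_CLEAR, SAME_IDS));
    return 0;
}
```

On a current Linux system with glibc, the same value can be read for the running process with `getauxval(AT_SECURE)` from `<sys/auxv.h>`.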