On Tuesday, 12 December 2017 20:23:47 CET Kees Cook wrote:
> This is an interesting state for the system to be in, though, it means
> AT_SECURE is being set for virtually all processes too? I would expect
> that might break a lot too (but clearly it hasn't).

Not really. AT_SECURE is set only for the exec that triggers a domain transition, but unlike the rlimits it's not inherited by descendants (as long as they stay within the same SELinux domain).
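
One way to check on a live system which processes actually carry AT_SECURE, as an added example that is not part of the original message: the code below reads the auxiliary vector the kernel built at a process's last exec from `/proc/<pid>/auxv`. The function names `auxv_at_secure` and `pid_at_secure` are hypothetical, and the code assumes the inspected process has the same word size as the checker.

```c
#include <elf.h>      /* AT_NULL, AT_SECURE */
#include <stdio.h>
#include <stdlib.h>

/* Scan an auxiliary vector laid out as pairs of native words (type, value),
 * the layout of /proc/<pid>/auxv for a process of the same word size.
 * Returns 1 if AT_SECURE is nonzero, 0 if it is zero, and -1 if no
 * AT_SECURE entry appears before AT_NULL or the end of the buffer. */
int auxv_at_secure(const unsigned long *auxv, size_t nwords)
{
    for (size_t i = 0; i + 1 < nwords; i += 2) {
        if (auxv[i] == AT_NULL)
            break;
        if (auxv[i] == AT_SECURE)
            return auxv[i + 1] != 0;
    }
    return -1;
}

/* Read /proc/<pid>/auxv ("self" is accepted) and report AT_SECURE.
 * Returns -1 if the file cannot be read (no permission, process gone). */
int pid_at_secure(const char *pid)
{
    char path[64];
    unsigned long buf[128];   /* assumed large enough for one auxv */
    snprintf(path, sizeof path, "/proc/%s/auxv", pid);
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, sizeof buf[0], 128, f);
    fclose(f);
    return auxv_at_secure(buf, n);
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    printf("%s: AT_SECURE=%d\n", pid, pid_at_secure(pid));
    return 0;
}
```

Run against the PID of the process that performed the domain transition and against one of its descendants to compare the two values.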