On Tue, 2004-10-12 at 10:03, Jeff Johnson wrote: > Better still, how about libselinux_execve() clone. no reason why libselinux > should not do the execve as well afaict. Hmmm..that lends itself to interface spread, as people will then want libselinux_execl*, libselinux_execvp, ... and possibly even libselinux_popen, as opposed to just a setexeccon-like function that can be called prior to any of those normal calls. We actually had execve_secure() in the old SELinux API, but were forced to migrate to setexeccon();execve(); as part of mainstream inclusion. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
