> However, the behavior you are seeing might not be related to SELinux, as
> Linux also enables AT_SECURE if the uid or gid changes across execve (to
> be precise, if the effective identity is not equal to the real identity
> after the credential change, as this was the legacy logic from libc).

So if I understand correctly, SELinux expands on AT_SECURE to sanitize environment variables across context changes instead of just setgid/setuid. Makes sense; you live and learn.

In this case I believe it was SELinux performing the sanitization as disabling it solved the problem, but this is helpful to know.

/Aaron
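Added example (not part of the original message or of any project's code): a small C diagnostic for the distinction discussed above. It reads AT_SECURE from the auxiliary vector and reports whether a real/effective uid or gid mismatch accounts for it; the enum and function names are hypothetical, and it assumes Linux with `getauxval()` available.

```c
#include <elf.h>        /* AT_SECURE */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval() */
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, introduced for this example only. */
enum secure_cause {
    NOT_SECURE   = 0,   /* AT_SECURE is 0: no secure-exec handling       */
    ID_MISMATCH  = 1,   /* AT_SECURE set and real != effective uid/gid   */
    OTHER_SOURCE = 2    /* AT_SECURE set although the ids match, so some */
                        /* other policy (e.g. an LSM such as SELinux)    */
                        /* requested it at execve                        */
};

/* Pure classification so the logic can be checked with constructed values. */
enum secure_cause classify_secure(unsigned long at_secure,
                                  uid_t ruid, uid_t euid,
                                  gid_t rgid, gid_t egid)
{
    if (!at_secure)
        return NOT_SECURE;
    if (ruid != euid || rgid != egid)
        return ID_MISMATCH;
    return OTHER_SOURCE;
}

/* AT_SECURE is fixed at execve; the ids are read now, so call this at
 * startup, before the program changes its own credentials. */
enum secure_cause current_secure_cause(void)
{
    return classify_secure(getauxval(AT_SECURE),
                           getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    static const char *const msg[] = {
        "AT_SECURE=0: environment is not being sanitized for this exec",
        "AT_SECURE=1: explained by a real/effective uid or gid mismatch",
        "AT_SECURE=1: ids match, so another policy source set it"
    };
    puts(msg[current_secure_cause()]);
    return 0;
}
```

Running it through the same launch path as the affected program shows which of the two cases applies without having to disable SELinux.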