[lxc-devel] [PATCH 0/3] support setting lsm label at exec or immediately

Dwight Engen dwight.engen at oracle.com
Tue Oct 15 17:51:07 UTC 2013


Hi Serge,

This patch set implements what you suggested WRT setting
/proc/self/attr/current in order to set a profile/context now
instead of only at exec(2) time. I don't know how I missed the regular
setcon(3) vs setexeccon(3) call, so doing "now" is obviously
possible in SELinux as well, thanks for helping me find it!

I implemented it as an option flag to attach since only the caller knows
which behavior they want (i.e. they may be using attach to a function,
but know that they are going to exec in their function and don't want
the label set until then).

In order to make sure this is all working, I implemented an attach.c
test which tests both the exec(2) and function cases (and a plain old
attach for good measure :) Tested on Ubuntu, Oracle, Fedora.
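
The two label-setting modes discussed in this message, written out as an added example (not code from the patch set or from LXC): the procfs file and request format for "now" versus "at exec(2)", for both AppArmor and SELinux. The names `lsm_kind`, `lsm_label_request` and `lsm_label_apply` are hypothetical.

```c
/* Added example: not LXC's code. All names below are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lsm_kind { LSM_APPARMOR, LSM_SELINUX };

/* Fill in the procfs file and the request bytes for a label change.
 * on_exec != 0: label takes effect at the next exec(2) (attr/exec).
 * on_exec == 0: label takes effect immediately (attr/current).
 * Returns the request length, or a negative errno value. */
int lsm_label_request(enum lsm_kind lsm, int on_exec, const char *label,
                      char *path, size_t pathsz, char *req, size_t reqsz)
{
    int n;

    if (!label || !*label)
        return -EINVAL;
    n = snprintf(path, pathsz, "/proc/self/attr/%s",
                 on_exec ? "exec" : "current");
    if (n < 0 || (size_t)n >= pathsz)
        return -ENAMETOOLONG;
    if (lsm == LSM_APPARMOR)    /* AppArmor expects a command word first */
        n = snprintf(req, reqsz, "%s %s",
                     on_exec ? "exec" : "changeprofile", label);
    else                        /* SELinux takes the bare context string */
        n = snprintf(req, reqsz, "%s", label);
    if (n < 0 || (size_t)n >= reqsz)
        return -ENAMETOOLONG;
    return n;
}

/* Send the request in a single write(2); a short write is an error.
 * /proc/self/attr/ refers to the thread-group leader, so call this from
 * the main thread of the process being relabelled. */
int lsm_label_apply(const char *path, const char *req, size_t len)
{
    ssize_t w;
    int err, fd = open(path, O_WRONLY);

    if (fd < 0)
        return -errno;
    w = write(fd, req, len);
    err = w < 0 ? -errno : ((size_t)w == len ? 0 : -EIO);
    close(fd);
    return err;
}
```

A caller that attaches to a function but execs later would pass `on_exec = 1`, so the label is not applied until the exec; a caller that stays in the function passes `on_exec = 0`.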



