Stephen Smalley wrote:
> Yes, please make that change and confirm via testing that it properly
> blocks attempts by multi-threaded processes to set their current
> context.
>

The new patch is attached. I also made a change to the general_domain_access macro to not grant setcurrent to self - a separate can_setcon macro has been added to grant this.

Dynamic transitions are denied for a multi-threaded process (with more than one "kernel thread"). A process can switch its context before spawning other threads and after all other threads have exited, but not while any other threads exist.

--
Darrel