The first attached patch against 2.6.0-test9 includes our current set of changes to the SELinux module. These changes include:

- Reduce the full capability check for the KDSKBENT/SENT ioctls to only checking the SELinux permission, as discussed earlier on the list.

- Remove the use of -include and remove the global.h file, adding appropriate individual #includes to the various files in the security/selinux/ss subdirectory. This fixes SELinux for make O=... builds.

- Introduce new experimental controls over the inheritance of signal-related state and resource limits upon context transitions. These are to provide further protection of domain-changing programs invoked from less trusted contexts in addition to the existing protections provided via AT_SECURE.

The second attached patch updates the policy access vector definitions to include definitions for the new permissions and updates the core macros to avoid auditing of inheritance-related denials and to avoid granting setrlimit by default within a domain.

-- 
Stephen Smalley
National Security Agency
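The third item above is about state that crosses an exec unchanged unless something resets it: the blocked-signal mask, queued signals, signal dispositions and resource soft limits, all set by whoever invoked the domain-changing program. The following user-space C program is an added illustration of that inherited state, not code from the patches (which the mail does not reproduce) and not the kernel's logic. It audits what a freshly exec'd process was handed, sanitizes it the way a program would have to if the kernel did not, and includes a constructed "less trusted caller" that plants a blocked, pending SIGUSR1 together with an ignored SIGPIPE and a squeezed open-file limit. The lists of audited signals and limits, the taint-flag names, and the choice to lift each soft limit to its hard limit (the only reference point user space has) are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Classes of inherited state reported by inherited_state_flags(). */
#define TAINT_SIGMASK    0x1  /* a signal is blocked */
#define TAINT_SIGPENDING 0x2  /* a signal is queued behind the mask */
#define TAINT_SIGDISP    0x4  /* a disposition is not SIG_DFL */
#define TAINT_RLIMIT     0x8  /* a soft limit is below its hard limit */

/* Explicit lists (assumption): what a caller can plausibly use against the
 * program it execs. SIGKILL/SIGSTOP are left out; they cannot be changed. */
static const int audited_signals[] = {
    SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGALRM, SIGTERM,
    SIGUSR1, SIGUSR2, SIGCHLD, SIGXCPU, SIGXFSZ,
};
static const int audited_rlimits[] = {
    RLIMIT_CORE, RLIMIT_NOFILE, RLIMIT_STACK, RLIMIT_FSIZE, RLIMIT_CPU,
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Audit the state this process was started with; returns TAINT_* bits. */
int inherited_state_flags(void)
{
    int flags = 0;
    sigset_t blocked, pending;
    struct sigaction sa;
    struct rlimit rl;

    sigemptyset(&blocked);
    sigemptyset(&pending);
    sigprocmask(SIG_BLOCK, NULL, &blocked);   /* query only */
    sigpending(&pending);
    for (size_t i = 0; i < COUNT(audited_signals); i++) {
        int sig = audited_signals[i];
        if (sigismember(&blocked, sig) == 1)
            flags |= TAINT_SIGMASK;
        if (sigismember(&pending, sig) == 1)
            flags |= TAINT_SIGPENDING;
        if (sigaction(sig, NULL, &sa) == 0 && sa.sa_handler != SIG_DFL)
            flags |= TAINT_SIGDISP;
    }
    for (size_t i = 0; i < COUNT(audited_rlimits); i++)
        if (getrlimit(audited_rlimits[i], &rl) == 0 && rl.rlim_cur != rl.rlim_max)
            flags |= TAINT_RLIMIT;
    return flags;
}

/* Sanitize. Order matters: POSIX discards a pending signal when its
 * disposition becomes SIG_IGN, so ignoring then defaulting each signal
 * before unblocking means a signal the caller queued cannot fire at the
 * moment the mask is cleared. Returns 0 or -errno of the first failure. */
int reset_inherited_state(void)
{
    int rc = 0;
    sigset_t none;
    struct sigaction sa;
    struct rlimit rl;

    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < COUNT(audited_signals); i++) {
        sa.sa_handler = SIG_IGN;
        if (sigaction(audited_signals[i], &sa, NULL) != 0 && rc == 0)
            rc = -errno;
        sa.sa_handler = SIG_DFL;
        if (sigaction(audited_signals[i], &sa, NULL) != 0 && rc == 0)
            rc = -errno;
    }
    sigemptyset(&none);
    if (sigprocmask(SIG_SETMASK, &none, NULL) != 0 && rc == 0)
        rc = -errno;
    for (size_t i = 0; i < COUNT(audited_rlimits); i++) {
        if (getrlimit(audited_rlimits[i], &rl) != 0) {
            if (rc == 0) rc = -errno;
            continue;
        }
        rl.rlim_cur = rl.rlim_max;   /* assumption: hard limit as the reset point */
        if (setrlimit(audited_rlimits[i], &rl) != 0 && rc == 0)
            rc = -errno;
    }
    return rc;
}

/* Constructed "less trusted caller": returns the TAINT_* bits it introduced. */
int simulate_untrusted_caller(void)
{
    int introduced = 0;
    sigset_t set;
    struct rlimit rl;

    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    if (sigprocmask(SIG_BLOCK, &set, NULL) == 0) {
        introduced |= TAINT_SIGMASK;
        if (raise(SIGUSR1) == 0)          /* stays queued while blocked */
            introduced |= TAINT_SIGPENDING;
    }
    if (signal(SIGPIPE, SIG_IGN) != SIG_ERR)
        introduced |= TAINT_SIGDISP;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_max > 64) {
        rl.rlim_cur = 64;
        if (setrlimit(RLIMIT_NOFILE, &rl) == 0)
            introduced |= TAINT_RLIMIT;
    }
    return introduced;
}

int main(void)
{
    printf("process starts with taint 0x%x\n", inherited_state_flags());
    printf("caller introduces 0x%x, now 0x%x\n",
           simulate_untrusted_caller(), inherited_state_flags());
    int rc = reset_inherited_state();
    printf("reset rc=%d, remaining taint 0x%x\n", rc, inherited_state_flags());
    return rc != 0 || inherited_state_flags() != 0;
}
```

Run from an ordinary shell, the first line usually already reports TAINT_RLIMIT, because a core-file soft limit of 0 under an unlimited hard limit is common ambient state; that is the point of making the kernel decide, per transition, whether such state follows the program into its new domain rather than trusting every domain-entry program to sanitize itself. Note also the window while SIGCHLD is momentarily SIG_IGN, during which an exiting child would be reaped automatically; a real program would order that differently if it had children.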