From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch against 2.6.0 adds a control to the SELinux module over the
inheritance of signal-related state upon security context transitions in
order to protect the new security context.  If the permission is not
granted by the policy for a given pair of contexts, then transitions
between them will clear itimers, flush all pending signals, forcibly
flush signal handlers, and unblock all signals.  Roland McGrath provided
input and feedback on the patch. 
Please apply, or let James Morris and me know if you'd like this to be
resubmitted later.  Thanks.