author: Stephen Smalley <sds@tycho.nsa.gov> 2015-02-23 10:54:56 -0500
committer: Stephen Smalley <sds@tycho.nsa.gov> 2015-02-23 10:54:56 -0500
commit: 2d5ac1c9317edf2b9dcf5cce604c1c461f1322ce
tree: cd69b6c43e325740bd24f4b0644088897ee68cea /libselinux/man/man3
parent: cc8995f08c3097b48dcd092832839d87f9597b24
libselinux: getcon.3: Fix setcon description.
The man page description for setcon() was never updated for the introduction of bounded transitions in Linux 2.6.28. Update it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'libselinux/man/man3')
-rw-r--r-- libselinux/man/man3/getcon.3 14
1 files changed, 11 insertions, 3 deletions
diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
index fd0e02b8..644ee47c 100644
--- a/libselinux/man/man3/getcon.3
+++ b/libselinux/man/man3/getcon.3
@@ -90,10 +90,18 @@ A multi-threaded application can perform a
.BR setcon ()
prior to creating
any child threads, in which case all of the child threads will inherit
-the new context. However,
+the new context. However, prior to Linux 2.6.28,
.BR setcon ()
-will fail if there are any other
-threads running in the same process.
+would fail if there are any other
+threads running in the same process since this would yield
+an inconsistency among the security contexts of threads sharing
+the same memory space. Since Linux 2.6.28,
+.BR setcon()
+is permitted for threads within a multi-threaded process if the
+new security context is bounded by the old security context, where
+the bounded relation is defined through typebounds statements in the
+policy and guarantees that the new security context has a subset of
+the permissions of the old security context.
If the process was being ptraced at the time of the
.BR setcon ()
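Review bot: The added `.BR setcon()` line in the "Since Linux 2.6.28," sentence is missing the space before the parentheses. Every other reference in this hunk is written `.BR setcon ()`, which sets the name in bold and the parentheses in roman; without the space the whole token is rendered bold, so this one occurrence will look different in the formatted page. Suggest `.BR setcon ()` here as well. A smaller wording point in the rewritten first sentence: "would fail if there are any other threads" mixes tenses now that it describes pre-2.6.28 behaviour, and "would fail if there were any other threads" reads more cleanly.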