Quoting Dan Smith (danms@us.ibm.com):

SH> At the moment you miss out on the security_socket_connect() call. 

Is that any different than the path involved when a process does a
socketpair() call?

SH> Still your code is so customized that perhaps an explicit
SH> security_socket_connect() call in your sock_unix_join() may be the
SH> way to go...

So, when I do the join, I really should run the check on both the
remote and local addresses, right?  The join operation is not really a
connect in the sense of being one-sided...

Ok well if a join is not a connect then ignore me.

I'll set a block of time aside to take a closer look on your next
submit.

thanks,
-serge