On Mon, 2006-09-11 at 15:05 -0300, Eduardo Madeira Fleury wrote:
> Hey all,
>
> I'm doing some tests and currently inotify_rm_watch is not performing any
> permission checks, i.e., an ordinary user can remove a watch set by root on a
> file with root:root 400 permission.
>
> Is this the expected behavior? Seems like neither MAC nor MLS checks are
> being done.
The inotify calls and inotifyfs came up earlier (in June) on redhat-lspp, subject was "Syscalls questions". As I noted then, the only object that would get the creator's label is the struct file (open file description) allocated for the inotify instance, and the only SELinux check that would be relevant would be the fd use permission check applied when a descriptor is used, inherited, or received by a process in a different label.

The lack of MLS checking is due to the lack of a MLS constraint on fd use in the policy. That is what needs to be fixed.

--
Stephen Smalley
National Security Agency

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
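The point made above, that watches belong to the inotify instance's open file description rather than to the process or the watched file, can be seen directly. The following is an added example, not code from the thread: a parent adds a watch on a constructed temporary file, forks, and the child removes it using nothing but the inherited descriptor; afterwards the parent's own removal fails with EINVAL because the watch table is shared. The only boundary between the two is the descriptor, which is exactly why the relevant control is the SELinux fd use permission (and an MLS constraint on it).

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a forked child, holding only the inherited descriptor, removed
 * a watch the parent added (and the parent then sees it gone); 0 otherwise;
 * -1 on setup error. */
int child_can_remove_parent_watch(void)
{
    char path[] = "/tmp/inotify-demo-XXXXXX";   /* constructed temp file */
    int tfd = mkstemp(path);
    if (tfd < 0) return -1;
    close(tfd);

    int ifd = inotify_init();
    if (ifd < 0) { unlink(path); return -1; }
    int wd = inotify_add_watch(ifd, path, IN_ATTRIB);
    if (wd < 0) { close(ifd); unlink(path); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(ifd); unlink(path); return -1; }
    if (pid == 0) {
        /* Child: same open file description, so the same watch table. */
        _exit(inotify_rm_watch(ifd, wd) == 0 ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    int child_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;

    /* Parent: the watch is gone for it too; a second removal fails with EINVAL. */
    int parent_rm = inotify_rm_watch(ifd, wd);
    int gone = (parent_rm == -1 && errno == EINVAL);

    close(ifd);
    unlink(path);
    return (child_ok && gone) ? 1 : 0;
}

int main(void)
{
    return child_can_remove_parent_watch() == 1 ? 0 : 1;
}
```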
