inotify_rm_watch behavior

Stephen Smalley sds at tycho.nsa.gov
Mon Sep 11 18:48:45 UTC 2006


On Mon, 2006-09-11 at 15:05 -0300, Eduardo Madeira Fleury wrote:
> Hey all,
> 
> I'm doing some tests and currently inotify_rm_watch is not performing any 
> permission checks, i.e., an ordinary user can remove a watch set by root on a 
> file with root:root 400 permission.
> 
> Is this the expected behavior? Seems like neither MAC nor MLS checks are being 
> done.

The inotify calls and inotifyfs came up earlier (in June) on
redhat-lspp, subject was "Syscalls questions".

As I noted then, the only object that would get the creator's label is
the struct file (open file description) allocated for the inotify
instance, and the only SELinux check that would be relevant would be the
fd use permission check applied when a descriptor is used, inherited, or
received by a process in a different label.  The lack of MLS checking is
due to the lack of a MLS constraint on fd use in the policy.  That is
what needs to be fixed.  

-- 
Stephen Smalley
National Security Agency
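The point above, that the inotify instance is the object and the file descriptor referring to it is what has to be protected, can be seen from the system call interface itself. The following C program is an added illustration written for this archive page, not code from either poster or from the kernel: it shows that a watch descriptor is only meaningful relative to the inotify instance that created it (removing it through a second, unrelated instance fails with EINVAL), while a process that inherits the descriptor across fork() shares the same open file description and can remove the watch, which is exactly the fd use path the reply says the SELinux and MLS policy must cover. It assumes Linux with inotify and watches the current directory "." as a constructed example path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a watch descriptor from instance A cannot be removed through
 * an unrelated instance B (EINVAL) but can be removed through A itself,
 * 0 if either expectation fails, -1 on setup error. */
int rm_watch_across_instances(const char *path)
{
    int fd_a = inotify_init1(IN_CLOEXEC);
    int fd_b = inotify_init1(IN_CLOEXEC);
    if (fd_a < 0 || fd_b < 0)
        return -1;

    int wd = inotify_add_watch(fd_a, path, IN_MODIFY);
    if (wd < 0) {
        close(fd_a);
        close(fd_b);
        return -1;
    }

    /* The same integer on a different instance does not name this watch:
     * watch descriptors are scoped to the inotify file, not system-wide. */
    errno = 0;
    int cross_fails = (inotify_rm_watch(fd_b, wd) == -1 && errno == EINVAL);

    /* Through the owning instance the removal succeeds. */
    int own_ok = (inotify_rm_watch(fd_a, wd) == 0);

    close(fd_a);
    close(fd_b);
    return cross_fails && own_ok;
}

/* Returns 1 if a forked child, holding the inherited inotify descriptor,
 * removes the parent's watch and the parent then finds the watch gone
 * (EINVAL on its own removal attempt), 0 otherwise, -1 on setup error.
 * This is the inheritance case the reply describes: the descriptor, not
 * the watched file's mode bits, is what grants control over the watch. */
int rm_watch_via_inherited_fd(const char *path)
{
    int fd = inotify_init1(IN_CLOEXEC);
    if (fd < 0)
        return -1;

    int wd = inotify_add_watch(fd, path, IN_MODIFY);
    if (wd < 0) {
        close(fd);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: same open file description, so the watch is reachable. */
        _exit(inotify_rm_watch(fd, wd) == 0 ? 0 : 1);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        close(fd);
        return -1;
    }
    int child_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;

    /* Parent: the watch was removed via the shared description. */
    errno = 0;
    int gone = (inotify_rm_watch(fd, wd) == -1 && errno == EINVAL);

    close(fd);
    return child_ok && gone;
}

int main(void)
{
    printf("cross-instance removal rejected: %d\n", rm_watch_across_instances("."));
    printf("inherited-fd removal succeeds:   %d\n", rm_watch_via_inherited_fd("."));
    return 0;
}
```

Both checks print 1 on a Linux system. The second one is the case that matters for policy: a process in a different label only reaches the watch if it already holds (or inherits, or receives) the inotify descriptor, so the fd use permission, and an MLS constraint on it, is where the control belongs.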
