[redhat-lspp] Re: inotify_rm_watch behavior
Amy Griffis
amy.griffis at hp.com
Mon Sep 11 18:49:03 UTC 2006
Eduardo Madeira Fleury wrote: [Mon Sep 11 2006, 02:05:24PM EDT]
> I'm doing some tests and currently inotify_rm_watch is not performing any
> permission checks, i.e., an ordinary user can remove a watch set by root on a
> file with root:root 400 permission.
>
> Is this the expected behavior? Seems like neither MAC nor MLS checks are being
> done.
Yes. As I understand it, an inotify watch is not a data object, and
so does not require DAC or MAC checks.
Amy