inotify_rm_watch behavior

Hey all, I'm doing some tests and currently inotify_rm_watch is not performing any permission checks, i.e., an ordinary user can remove a watch set by root on a file with root:root 400 permission. Is this the expected behavior? Seems like neither MAC nor MLS checks are being done. Regards, -- Eduardo M. Fleury IBM Linux Technology Center Brazil Mobile: +55-19-81224410 email/sametime: efleury(a)br.ibm.com