On Tue, 2006-09-12 at 09:45 -0400, Stephen Smalley wrote:
Yes, I pointed this out during the "Syscalls questions" discussion back
in June. Not sure why no one bothered adding such a constraint to MLS
policy at the time. It would be something like:
policy/mls:
# No sharing of open file descriptions between levels unless
# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
# be shared among levels (mlsfdshare).
mlsconstrain fd use ( l1 eq l2 or t1 == mlsfduse or t2 == mlsfdshare);
policy/modules/kernel/mls.te:
attribute mlsfduse;
attribute mlsfdshare;
policy/modules/kernel/mls.if:
interface(`mls_fd_use',`
	gen_require(`
		attribute mlsfduse;
	')

	typeattribute $1 mlsfduse;
')

interface(`mls_fd_share',`
	gen_require(`
		attribute mlsfdshare;
	')

	typeattribute $1 mlsfdshare;
')
And then one would add mls_fd_use() and mls_fd_share() as appropriate to
types in the policy, e.g.
policy/modules/system/selinuxutil.te:
mls_fd_share(newrole_t)
and likewise for login and friends.
Naturally, one would need to exercise the system quite a bit to work out
exactly what domains require such use/sharing.
BTW, the closest equivalent in the TE policy is the 'privfd' attribute
and the domain_interactive_fd() and domain_use_interactive_fd()
interfaces.
--
Stephen Smalley
National Security Agency
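The following is an added worked example, not code from the message above, from checkpolicy or from the reference policy. It is a small evaluator for the subset of the MLS constraint language the proposed `mlsconstrain fd use` rule uses (and/or/not, parentheses, `eq`/`dom`/`domby`/`incomp` on levels, `==`/`!=` on types, with a type matching an attribute it has been given via `typeattribute`). It lets one table out which cross-level fd uses the constraint would permit for a given set of attribute assignments before exercising a real system. The `newrole_t` assignment mirrors the `mls_fd_share(newrole_t)` line in the message; giving `sshd_t` the `mlsfduse` attribute is a hypothetical assumption made only for the demonstration, and the types and levels used are constructed sample input.

```python
"""Toy evaluator for the MLS constraint subset used by 'mlsconstrain fd use'.
Added example: it is not checkpolicy and not refpolicy code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """An MLS level: sensitivity plus category set, e.g. s2:c1 -> Level(2, {1})."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other):       # self dominates other
        return self.sens >= other.sens and self.cats >= other.cats

    def eq(self, other):
        return self.sens == other.sens and self.cats == other.cats

    def incomp(self, other):    # neither level dominates the other
        return not self.dom(other) and not other.dom(self)


# type -> set of attributes, filled in the way 'typeattribute' statements would
TYPE_ATTRS = {}


def typeattribute(typ, attr):
    TYPE_ATTRS.setdefault(typ, set()).add(attr)


def type_matches(typ, name):
    """'t == name' holds if name is the type itself or an attribute it carries."""
    return typ == name or name in TYPE_ATTRS.get(typ, set())


_TOKENS = re.compile(r"\(|\)|==|!=|\w+")


class _Parser:
    """Recursive-descent evaluator: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := 'not' factor | '(' expr ')' | prim."""

    def __init__(self, text, ctx):
        self.toks, self.pos, self.ctx = _TOKENS.findall(text), 0, ctx

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        v = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()       # always parse the right side, even if v is True
            v = v or rhs
        return v

    def term(self):
        v = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            v = v and rhs
        return v

    def factor(self):
        if self.peek() == "not":
            self.take()
            return not self.factor()
        if self.peek() == "(":
            self.take()
            v = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return v
        return self.prim()

    def prim(self):
        lhs, op, rhs = self.take(), self.take(), self.take()
        if lhs in ("l1", "l2", "h1", "h2"):         # level comparison
            a, b = self.ctx[lhs], self.ctx[rhs]
            if op == "eq":
                return a.eq(b)
            if op == "dom":
                return a.dom(b)
            if op == "domby":
                return b.dom(a)
            if op == "incomp":
                return a.incomp(b)
            raise SyntaxError(f"bad level operator {op!r}")
        if lhs in ("t1", "t2"):                     # type comparison
            typ = self.ctx[lhs]
            if rhs in ("t1", "t2"):
                matched = typ == self.ctx[rhs]
            else:
                matched = type_matches(typ, rhs)    # rhs is a type or attribute name
            if op == "==":
                return matched
            if op == "!=":
                return not matched
            raise SyntaxError(f"bad type operator {op!r}")
        raise SyntaxError(f"unknown operand {lhs!r}")


def evaluate(text, ctx):
    p = _Parser(text, ctx)
    v = p.expr()
    if p.peek() is not None:
        raise SyntaxError(f"trailing tokens: {p.toks[p.pos:]}")
    return v


# The constraint proposed in the message, verbatim.
FD_USE_CONSTRAINT = "l1 eq l2 or t1 == mlsfduse or t2 == mlsfdshare"


def fd_use_allowed(proc_type, proc_level, fd_type, fd_level):
    """Would the constraint let process (t1, l1) use an fd whose context
    (t2, l2) is that of the process that created it?"""
    ctx = {"t1": proc_type, "l1": proc_level, "t2": fd_type, "l2": fd_level}
    return evaluate(FD_USE_CONSTRAINT, ctx)


if __name__ == "__main__":
    typeattribute("newrole_t", "mlsfdshare")    # as mls_fd_share(newrole_t) would
    typeattribute("sshd_t", "mlsfduse")         # hypothetical, for illustration
    s0, s1, s2c1 = Level(0), Level(1), Level(2, frozenset({1}))
    for case in [("user_t", s1, "user_t", s1), ("user_t", s1, "user_t", s0),
                 ("user_t", s1, "newrole_t", s0), ("sshd_t", s0, "user_t", s2c1),
                 ("user_t", s0, "sshd_t", s2c1)]:
        print(case, "->", "allowed" if fd_use_allowed(*case) else "denied")
```

Only the first case is allowed by level equality; the third and fourth are allowed by the fd type's `mlsfdshare` and the process type's `mlsfduse` respectively, and the remaining two cross-level uses are denied, which is the point of the constraint.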