Bug 237186 - LSPP: writes to /selinux/avc/cache_threshold can enexpectedly succeed
LSPP: writes to /selinux/avc/cache_threshold can enexpectedly succeed
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Kernel Manager
Martin Jenner
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
Reported: 2007-04-19 17:27 EDT by Trevor Highland
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-04-20 16:06:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Trevor Highland 2007-04-19 17:27:31 EDT
Description of problem:
Writes to /selinux/avc/cache_threshold succeed by users without write
permission, if the user tries to write the value currently in the file.

Version-Release number of selected component (if applicable):

How reproducible:
  This behavior can always be reproduced.

Steps to Reproduce:
  Login with the staff_r role and become root.
   cat /selinux/avc/cache_threshold
   echo [current contents] > /selinux/avc/cache_threshold
   write succeeds.
4. echo [different value] > /selinux/avc/cache_threshold
   write error: permission denied

Actual results:
  Under a role without write access to a /selinux/avc/cache_threshold.  The
  user is able to write the value currently in the file without having the write 
  fail with a permission denied error.

Expected results:
  Any call to the write system call made by a user without write permission 
  should return EPERM.  It is misleading for writes to succeed because the value 
  in the file is unchanged.

Additional info:
Comment 1 Steve Grubb 2007-04-20 16:06:06 EDT
I think this was discussed on the LSPP mail list and the group consensus was
that since this is a interface accessible only by an admin, its OK. Closing this

Note You need to log in before you can comment on or make changes to this bug.