Red Hat Bugzilla – Bug 237186
LSPP: writes to /selinux/avc/cache_threshold can unexpectedly succeed
Last modified: 2007-11-30 17:07:43 EST
Description of problem:
Writes to /selinux/avc/cache_threshold succeed by users without write
permission, if the user tries to write the value currently in the file.
Version-Release number of selected component (if applicable):
This behavior can always be reproduced.
Steps to Reproduce:
Login with the staff_r role and become root.
echo [current contents] > /selinux/avc/cache_threshold
4. echo [different value] > /selinux/avc/cache_threshold
write error: permission denied
Under a role without write access to /selinux/avc/cache_threshold, the
user is able to write the value currently in the file without having the write
fail with a permission denied error.
Any call to the write system call made by a user without write permission
should return EPERM. It is misleading for writes to succeed because the value
in the file is unchanged.
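A constructed C model of the check ordering this report describes, added here for illustration; it is not the kernel's selinuxfs code, and the `has_setsecparam` flag stands in for the real AVC permission query. The flawed handler consults permission only when the parsed value differs from the stored one, so an unprivileged writer gets "success" exactly when the written value matches the current contents; the fixed handler checks permission before looking at the value.

```c
#include <errno.h>
#include <stdio.h>

/* Sample starting value for the model (constructed, not a real default). */
static unsigned int avc_cache_threshold = 512;

/* Flawed ordering: the permission check is gated on a value change, so a
 * caller without permission sees success when the value is unchanged and
 * EACCES otherwise, which is the behaviour the report complains about. */
int write_threshold_flawed(const char *buf, int has_setsecparam)
{
    unsigned int new_value;

    if (sscanf(buf, "%u", &new_value) != 1)
        return -EINVAL;
    if (new_value != avc_cache_threshold) {
        if (!has_setsecparam)
            return -EACCES;
        avc_cache_threshold = new_value;
    }
    return 0;
}

/* Fixed ordering: decide on permission first, independent of the current
 * contents, so the outcome of the write reveals nothing about the value. */
int write_threshold_fixed(const char *buf, int has_setsecparam)
{
    unsigned int new_value;

    if (!has_setsecparam)
        return -EACCES;
    if (sscanf(buf, "%u", &new_value) != 1)
        return -EINVAL;
    avc_cache_threshold = new_value;
    return 0;
}

unsigned int current_threshold(void)
{
    return avc_cache_threshold;
}

int main(void)
{
    /* Unprivileged caller (has_setsecparam = 0) writing the current value. */
    printf("flawed, same value:  %d\n", write_threshold_flawed("512", 0));
    printf("flawed, other value: %d\n", write_threshold_flawed("1024", 0));
    printf("fixed, same value:   %d\n", write_threshold_fixed("512", 0));
    return 0;
}
```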
I think this was discussed on the LSPP mail list and the group consensus was
that since this is an interface accessible only by an admin, it's OK. Closing this