security descriptor with mandatory integrity level

Hi,

I am trying to create a security descriptor with a mandatory integrity level. All the calls are successful, but when I check the object with AccessChk I see that the integrity level is ignored.

Here is my code:

// Builds an absolute-format security descriptor in one allocation laid out as
// [SECURITY_DESCRIPTOR header][SACL][DACL]. The SACL carries one mandatory
// label ACE (Low integrity), the DACL two access-allowed ACEs.
// The `break` statements leave an enclosing construct that is not part of this
// snippet, and `status` is declared outside it.
// NOTE(review): the call that attaches this descriptor to an object is not
// shown here, so nothing in this snippet shows how the label reaches the object.

// DACL: ACL header + two ACCESS_ALLOWED_ACEs (World, Authenticated Users).
ULONG daclSize = sizeof(ACL) + RtlLengthSid(SeExports->SeWorldSid) + RtlLengthSid(SeExports->SeAuthenticatedUsersSid) + 2 * FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart);
// SACL: ACL header + one SYSTEM_MANDATORY_LABEL_ACE holding the Low mandatory SID.
ULONG saclSize = sizeof(ACL) + RtlLengthSid(SeExports->SeLowMandatorySid) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart);
// Zero-initialised scratch buffer in which the label ACE is assembled before it
// is copied into the SACL; the extra 64 bytes leave room for the variable-length SID.
char lowIntegrityBuffer[sizeof(SYSTEM_MANDATORY_LABEL_ACE) + 64] = { };
SYSTEM_MANDATORY_LABEL_ACE* lowIntegrityAce = (SYSTEM_MANDATORY_LABEL_ACE*)lowIntegrityBuffer;

// Inheritable by child objects and containers. INHERIT_ONLY_ACE is not set, so
// the ACE is also meant to apply to the object that carries it.
lowIntegrityAce->Header.AceFlags = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE;
lowIntegrityAce->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
// ACE size = fixed part up to SidStart + actual SID length.
lowIntegrityAce->Header.AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + (USHORT)RtlLengthSid(SeExports->SeLowMandatorySid);
// NOTE(review): if this is the WDK ASSERT it is compiled out of free builds, so
// it documents the bound rather than enforcing it at run time.
ASSERT(lowIntegrityAce->Header.AceSize <= sizeof(lowIntegrityBuffer));
// Label policy: subjects with a lower integrity level than the label are denied
// write access. With a Low label only subjects below Low are affected.
lowIntegrityAce->Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;
// The destination length passed is the source SID's own length, not the space
// left in lowIntegrityBuffer, and the NTSTATUS result is discarded.
RtlCopySid(RtlLengthSid(SeExports->SeLowMandatorySid), &lowIntegrityAce->SidStart, SeExports->SeLowMandatorySid);

// One block for header + SACL + DACL. The descriptor is absolute, so it keeps
// pointers into this block and the block must outlive every use of the descriptor.
m_securityDescriptor = (SECURITY_DESCRIPTOR*)new char[daclSize + saclSize + sizeof(SECURITY_DESCRIPTOR)];
// NOTE(review): this only works if the operator new in use returns NULL on
// failure instead of throwing; confirm against the driver's allocator.
if(m_securityDescriptor == NULL) break;

// SACL starts right after the descriptor header.
// PtrAdd is a helper not shown here; presumably it adds a byte offset to a pointer.
ACL* sacl = (ACL*)PtrAdd(m_securityDescriptor, sizeof(SECURITY_DESCRIPTOR));
status = RtlCreateAcl(sacl, saclSize, ACL_REVISION);
if(status != STATUS_SUCCESS) break;

// Copy the prepared label ACE into the SACL at index 0 (start of the ACE list).
status = RtlAddAce(sacl, ACL_REVISION, 0, lowIntegrityAce, lowIntegrityAce->Header.AceSize);
if(status != STATUS_SUCCESS) break;

// DACL follows the SACL in the same allocation.
ACL* dacl = (ACL*)PtrAdd(sacl, saclSize);
status = RtlCreateAcl(dacl, daclSize, ACL_REVISION);
if(status != STATUS_SUCCESS) break;

// NOTE(review): DIRECTORY_ALL_ACCESS includes STANDARD_RIGHTS_REQUIRED (DELETE,
// READ_CONTROL, WRITE_DAC, WRITE_OWNER). Granting it to World lets any caller
// matching Everyone rewrite this DACL or take ownership, and a Low label does
// not restrict low-integrity callers. Confirm this breadth is intended and
// otherwise grant only the specific directory rights that are needed.
status = RtlAddAccessAllowedAce(dacl, ACL_REVISION, DIRECTORY_ALL_ACCESS, SeExports->SeWorldSid);
if(status != STATUS_SUCCESS) break;

// NOTE(review): same mask as the World ACE above; tokens that carry
// Authenticated Users normally carry World too, so this ACE looks redundant. Verify.
status = RtlAddAccessAllowedAce(dacl, ACL_REVISION, DIRECTORY_ALL_ACCESS, SeExports->SeAuthenticatedUsersSid);
if(status != STATUS_SUCCESS) break;

// Initialise the descriptor header only now; both ACLs already sit behind it in
// the same block and are attached by the two calls below.
status = RtlCreateSecurityDescriptor(m_securityDescriptor, SECURITY_DESCRIPTOR_REVISION);
if(status != STATUS_SUCCESS) break;

// SaclPresent = TRUE, SaclDefaulted = FALSE: the label SACL is explicit.
status = RtlSetSaclSecurityDescriptor(m_securityDescriptor, TRUE, sacl, FALSE);
if(status != STATUS_SUCCESS) break;

// DaclPresent = TRUE, DaclDefaulted = FALSE. No owner or group is set in this snippet.
status = RtlSetDaclSecurityDescriptor(m_securityDescriptor, TRUE, dacl, FALSE);
if(status != STATUS_SUCCESS) break;

Any ideas on what I am missing?

Thank you.