Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> --- security/selinux/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index bca1b74..8691e92 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 - default 1 + default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. - If you are unsure how to answer this question, answer 1. + If you are unsure how to answer this question, answer 0. config SECURITY_SELINUX_POLICYDB_VERSION_MAX bool "NSA SELinux maximum supported policy format version" _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
