On Monday, September 21, 2015 03:34:34 PM Paul Moore wrote: > Change the SELinux checkreqprot default value to 0 so that SELinux > performs access control checking on the actual memory protections > used by the kernel and not those requested by the application. > > Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> > --- > security/selinux/Kconfig | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) FYI, I just merged this into selinux#next. > diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig > index bca1b74..8691e92 100644 > --- a/security/selinux/Kconfig > +++ b/security/selinux/Kconfig > @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE > int "NSA SELinux checkreqprot default value" > depends on SECURITY_SELINUX > range 0 1 > - default 1 > + default 0 > help > This option sets the default value for the 'checkreqprot' flag > that determines whether SELinux checks the protection requested > @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE > 'checkreqprot=' boot parameter. It may also be changed at runtime > via /selinux/checkreqprot if authorized by policy. > > - If you are unsure how to answer this question, answer 1. > + If you are unsure how to answer this question, answer 0. > > config SECURITY_SELINUX_POLICYDB_VERSION_MAX > bool "NSA SELinux maximum supported policy format version" -- paul moore security @ redhat
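Review bot: the `default 1` to `default 0` change in the first hunk (config SECURITY_SELINUX_CHECKREQPROT_VALUE) alters what is checked on every build that takes the Kconfig default, and the commit message does not say what that means for configurations that relied on the old value. Suggest one more line in the commit message noting that the previous behaviour stays reachable through the 'checkreqprot=' boot parameter and /selinux/checkreqprot, both of which the help text already names.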
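Review bot: the recommendation "If you are unsure how to answer this question, answer 0." in the second hunk flips without the visible help text giving a reason for it. Suggest adding a sentence ahead of it that carries over the commit message's rationale, that with 0 SELinux checks the actual memory protections used by the kernel and not those requested by the application, so someone reading only the Kconfig help can see why 0 is the recommended answer.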