Skip to content

Commit

Permalink
selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
Browse files Browse the repository at this point in the history 
Change the SELinux checkreqprot default value to 0 so that SELinux
performs access control checking on the actual memory protections
used by the kernel and not those requested by the application.

Signed-off-by: Paul Moore <pmoore@redhat.com>
  • Loading branch information
@pcmoore
pcmoore committed Oct 21, 2015
1 parent 09302fd commit 2a35d19
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions security/selinux/Kconfig
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
range 0 1
default 1
default 0
help
This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
Expand All @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
'checkreqprot=' boot parameter. It may also be changed at runtime
via /selinux/checkreqprot if authorized by policy.

If you are unsure how to answer this question, answer 1.
If you are unsure how to answer this question, answer 0.

config SECURITY_SELINUX_POLICYDB_VERSION_MAX
bool "NSA SELinux maximum supported policy format version"
Expand Down

0 comments on commit 2a35d19

Please sign in to comment.