Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2a35d196 authored by Paul Moore's avatar Paul Moore
Browse files

selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default 



Change the SELinux checkreqprot default value to 0 so that SELinux
performs access control checking on the actual memory protections
used by the kernel and not those requested by the application.

Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 09302fd1

security/selinux/Kconfig

+2 −2
Original line number Original line Diff line number Diff line
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 
	int "NSA SELinux checkreqprot default value"

	int "NSA SELinux checkreqprot default value"

	depends on SECURITY_SELINUX

	depends on SECURITY_SELINUX

	range 0 1

	range 0 1

	default 1

	default 0

	help

	help

	  This option sets the default value for the 'checkreqprot' flag

	  This option sets the default value for the 'checkreqprot' flag

	  that determines whether SELinux checks the protection requested

	  that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 
	  'checkreqprot=' boot parameter.  It may also be changed at runtime

	  'checkreqprot=' boot parameter.  It may also be changed at runtime

	  via /selinux/checkreqprot if authorized by policy.

	  via /selinux/checkreqprot if authorized by policy.





	  If you are unsure how to answer this question, answer 1.

	  If you are unsure how to answer this question, answer 0.





config SECURITY_SELINUX_POLICYDB_VERSION_MAX

config SECURITY_SELINUX_POLICYDB_VERSION_MAX

	bool "NSA SELinux maximum supported policy format version"

	bool "NSA SELinux maximum supported policy format version"