From: Paul Moore <pmoore@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
Date: Wed, 23 Sep 2015 15:32:28 -0400
Message-ID: <2085395.LGiPHuVovV@sifl>
In-Reply-To: <20150921193434.11997.2963.stgit@localhost>

On Monday, September 21, 2015 03:34:34 PM Paul Moore wrote:
> Change the SELinux checkreqprot default value to 0 so that SELinux
> performs access control checking on the actual memory protections
> used by the kernel and not those requested by the application.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
> ---
> security/selinux/Kconfig | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

FYI, I just merged this into selinux#next.

> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index bca1b74..8691e92 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> int "NSA SELinux checkreqprot default value"
> depends on SECURITY_SELINUX
> range 0 1
> - default 1
> + default 0
> help
> This option sets the default value for the 'checkreqprot' flag
> that determines whether SELinux checks the protection requested
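
Review bot: The changelog does not say what changes for users once 'default 0' takes effect. Every kernel built with the Kconfig default will now have SELinux check the protection the kernel actually applies instead of the one the application requested, so the commit message should state whether existing policy can see new denials from this and point to the 'checkreqprot=' boot parameter as the way to restore the old behaviour. That would help anyone who bisects an unexpected denial to this commit.
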
> @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> 'checkreqprot=' boot parameter. It may also be changed at runtime
> via /selinux/checkreqprot if authorized by policy.
>
> - If you are unsure how to answer this question, answer 1.
> + If you are unsure how to answer this question, answer 0.
>
> config SECURITY_SELINUX_POLICYDB_VERSION_MAX
> bool "NSA SELinux maximum supported policy format version"
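
Review bot: The context line 'via /selinux/checkreqprot if authorized by policy.' still names the legacy selinuxfs mount point; since this patch already edits the same help paragraph, it would be worth updating the path to /sys/fs/selinux/checkreqprot here. The new 'answer 0' sentence would also read better with a short reason attached (checking the kernel-applied protection is the stricter choice), so the recommendation is not just a bare number.
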
--
paul moore
security @ redhat