From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <pmoore@redhat.com>, selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
Date: Mon, 21 Sep 2015 15:40:37 -0400 [thread overview]
Message-ID: <56005D35.6000503@tycho.nsa.gov> (raw)
In-Reply-To: <20150921193434.11997.2963.stgit@localhost>
On 09/21/2015 03:34 PM, Paul Moore wrote:
> Change the SELinux checkreqprot default value to 0 so that SELinux
> performs access control checking on the actual memory protections
> used by the kernel and not those requested by the application.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
Any ideas on whether this breaks any supported version of RHEL or Fedora?
> ---
> security/selinux/Kconfig | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index bca1b74..8691e92 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> int "NSA SELinux checkreqprot default value"
> depends on SECURITY_SELINUX
> range 0 1
> - default 1
> + default 0
> help
> This option sets the default value for the 'checkreqprot' flag
> that determines whether SELinux checks the protection requested
> @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> 'checkreqprot=' boot parameter. It may also be changed at runtime
> via /selinux/checkreqprot if authorized by policy.
>
> - If you are unsure how to answer this question, answer 1.
> + If you are unsure how to answer this question, answer 0.
>
> config SECURITY_SELINUX_POLICYDB_VERSION_MAX
> bool "NSA SELinux maximum supported policy format version"
If we're killing legacy options, can we call this one (and the one that
depends on it) too? They were only needed for Fedora 3 and 4, and
people often trip over them because they blindly enable all of the
SELinux options and thereby force their kernels to old policy versions.
next prev parent reply other threads:[~2015-09-21 19:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-21 19:34 [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default Paul Moore
2015-09-21 19:40 ` Stephen Smalley [this message]
2015-09-21 19:56 ` Paul Moore
2015-09-23 19:32 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56005D35.6000503@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=pmoore@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.