* [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
@ 2015-09-21 19:34 Paul Moore
2015-09-21 19:40 ` Stephen Smalley
2015-09-23 19:32 ` Paul Moore
0 siblings, 2 replies; 4+ messages in thread
From: Paul Moore @ 2015-09-21 19:34 UTC (permalink / raw)
To: selinux
Change the SELinux checkreqprot default value to 0 so that SELinux
performs access control checking on the actual memory protections
used by the kernel and not those requested by the application.
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
security/selinux/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index bca1b74..8691e92 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
range 0 1
- default 1
+ default 0
help
This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
'checkreqprot=' boot parameter. It may also be changed at runtime
via /selinux/checkreqprot if authorized by policy.
- If you are unsure how to answer this question, answer 1.
+ If you are unsure how to answer this question, answer 0.
config SECURITY_SELINUX_POLICYDB_VERSION_MAX
bool "NSA SELinux maximum supported policy format version"
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
2015-09-21 19:34 [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default Paul Moore
@ 2015-09-21 19:40 ` Stephen Smalley
2015-09-21 19:56 ` Paul Moore
2015-09-23 19:32 ` Paul Moore
1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2015-09-21 19:40 UTC (permalink / raw)
To: Paul Moore, selinux
On 09/21/2015 03:34 PM, Paul Moore wrote:
> Change the SELinux checkreqprot default value to 0 so that SELinux
> performs access control checking on the actual memory protections
> used by the kernel and not those requested by the application.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
Any ideas on whether this breaks any supported version of RHEL or Fedora?
> ---
> security/selinux/Kconfig | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index bca1b74..8691e92 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> int "NSA SELinux checkreqprot default value"
> depends on SECURITY_SELINUX
> range 0 1
> - default 1
> + default 0
> help
> This option sets the default value for the 'checkreqprot' flag
> that determines whether SELinux checks the protection requested
> @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> 'checkreqprot=' boot parameter. It may also be changed at runtime
> via /selinux/checkreqprot if authorized by policy.
>
> - If you are unsure how to answer this question, answer 1.
> + If you are unsure how to answer this question, answer 0.
>
> config SECURITY_SELINUX_POLICYDB_VERSION_MAX
> bool "NSA SELinux maximum supported policy format version"
If we're killing legacy options, can we call this one (and the one that
depends on it) too? They were only needed for Fedora 3 and 4, and
people often trip over them because they blindly enable all of the
SELinux options and thereby force their kernels to old policy versions.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
2015-09-21 19:40 ` Stephen Smalley
@ 2015-09-21 19:56 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2015-09-21 19:56 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Monday, September 21, 2015 03:40:37 PM Stephen Smalley wrote:
> On 09/21/2015 03:34 PM, Paul Moore wrote:
> > Change the SELinux checkreqprot default value to 0 so that SELinux
> > performs access control checking on the actual memory protections
> > used by the kernel and not those requested by the application.
> >
> > Signed-off-by: Paul Moore <pmoore@redhat.com>
>
> Any ideas on whether this breaks any supported version of RHEL or Fedora?
Rawhide currently sets /sys/fs/selinux/checkreqprot to 0 during boot and a
little birdy told me that F22 does the same. We're currently looking into
RHEL.
> > diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> > index bca1b74..8691e92 100644
> > --- a/security/selinux/Kconfig
> > +++ b/security/selinux/Kconfig
> > @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> >
> > int "NSA SELinux checkreqprot default value"
> > depends on SECURITY_SELINUX
> > range 0 1
> >
> > - default 1
> > + default 0
> >
> > help
> >
> > This option sets the default value for the 'checkreqprot' flag
> > that determines whether SELinux checks the protection requested
> >
> > @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> >
> > 'checkreqprot=' boot parameter. It may also be changed at runtime
> > via /selinux/checkreqprot if authorized by policy.
> >
> > - If you are unsure how to answer this question, answer 1.
> > + If you are unsure how to answer this question, answer 0.
> >
> > config SECURITY_SELINUX_POLICYDB_VERSION_MAX
> >
> > bool "NSA SELinux maximum supported policy format version"
>
> If we're killing legacy options, can we call this one (and the one that
> depends on it) too? They were only needed for Fedora 3 and 4, and
> people often trip over them because they blindly enable all of the
> SELinux options and thereby force their kernels to old policy versions.
I have no emotional attachment to it, does anyone object?
--
paul moore
security @ redhat
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
2015-09-21 19:34 [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default Paul Moore
2015-09-21 19:40 ` Stephen Smalley
@ 2015-09-23 19:32 ` Paul Moore
1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2015-09-23 19:32 UTC (permalink / raw)
To: selinux
On Monday, September 21, 2015 03:34:34 PM Paul Moore wrote:
> Change the SELinux checkreqprot default value to 0 so that SELinux
> performs access control checking on the actual memory protections
> used by the kernel and not those requested by the application.
>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
> ---
> security/selinux/Kconfig | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
FYI, I just merged this into selinux#next.
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index bca1b74..8691e92 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> int "NSA SELinux checkreqprot default value"
> depends on SECURITY_SELINUX
> range 0 1
> - default 1
> + default 0
> help
> This option sets the default value for the 'checkreqprot' flag
> that determines whether SELinux checks the protection requested
> @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> 'checkreqprot=' boot parameter. It may also be changed at runtime
> via /selinux/checkreqprot if authorized by policy.
>
> - If you are unsure how to answer this question, answer 1.
> + If you are unsure how to answer this question, answer 0.
>
> config SECURITY_SELINUX_POLICYDB_VERSION_MAX
> bool "NSA SELinux maximum supported policy format version"
--
paul moore
security @ redhat
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-09-23 19:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-21 19:34 [RFC PATCH] selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default Paul Moore
2015-09-21 19:40 ` Stephen Smalley
2015-09-21 19:56 ` Paul Moore
2015-09-23 19:32 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.