diff options
author | Paul Moore <pmoore@redhat.com> | 2015-10-21 17:44:25 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2015-10-21 17:44:25 -0400 |
commit | 2a35d196c160e352fa56eabb7952f78f4c85f577 (patch) | |
tree | db364a2d2b8e8e0a352b30b2ae423547501e8841 /security | |
parent | 09302fd19efbff9569eaad3f78ead8f411defd87 (diff) | |
download | lwn-2a35d196c160e352fa56eabb7952f78f4c85f577.tar.gz lwn-2a35d196c160e352fa56eabb7952f78f4c85f577.zip |
selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
Change the SELinux checkreqprot default value to 0 so that SELinux
performs access control checking on the actual memory protections
used by the kernel and not those requested by the application.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/Kconfig | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index bca1b74a4a2f..8691e92f27e5 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 - default 1 + default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. - If you are unsure how to answer this question, answer 1. + If you are unsure how to answer this question, answer 0. config SECURITY_SELINUX_POLICYDB_VERSION_MAX bool "NSA SELinux maximum supported policy format version" |