selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default

Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore <pmoore@redhat.com>
author: Paul Moore <pmoore@redhat.com> 2015-10-21 17:44:25 -0400
committer: Paul Moore <pmoore@redhat.com> 2015-10-21 17:44:25 -0400
commit: 2a35d196c160e352fa56eabb7952f78f4c85f577 (patch)
tree: db364a2d2b8e8e0a352b30b2ae423547501e8841 /security/selinux/Kconfig
parent: 09302fd19efbff9569eaad3f78ead8f411defd87 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index bca1b74a4a2f..8691e92f27e5 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
        int "NSA SELinux checkreqprot default value"
        depends on SECURITY_SELINUX
        range 0 1
-        default 1
+        default 0
        help
          This option sets the default value for the 'checkreqprot' flag
          that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
          'checkreqprot=' boot parameter.  It may also be changed at runtime
          via /selinux/checkreqprot if authorized by policy.
-          If you are unsure how to answer this question, answer 1.
+          If you are unsure how to answer this question, answer 0.
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
        bool "NSA SELinux maximum supported policy format version"
author	Paul Moore <pmoore@redhat.com>	2015-10-21 17:44:25 -0400
committer	Paul Moore <pmoore@redhat.com>	2015-10-21 17:44:25 -0400
commit	2a35d196c160e352fa56eabb7952f78f4c85f577 (patch)
tree	db364a2d2b8e8e0a352b30b2ae423547501e8841 /security/selinux/Kconfig
parent	09302fd19efbff9569eaad3f78ead8f411defd87 (diff)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index bca1b74a4a2f..8691e92f27e5 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
78	int "NSA SELinux checkreqprot default value"	78	int "NSA SELinux checkreqprot default value"
79	depends on SECURITY_SELINUX	79	depends on SECURITY_SELINUX
80	range 0 1	80	range 0 1
81	default 1	81	default 0
82	help	82	help
83	This option sets the default value for the 'checkreqprot' flag	83	This option sets the default value for the 'checkreqprot' flag
84	that determines whether SELinux checks the protection requested	84	that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
92	'checkreqprot=' boot parameter. It may also be changed at runtime	92	'checkreqprot=' boot parameter. It may also be changed at runtime
93	via /selinux/checkreqprot if authorized by policy.	93	via /selinux/checkreqprot if authorized by policy.
94		94
95	If you are unsure how to answer this question, answer 1.	95	If you are unsure how to answer this question, answer 0.
96		96
97	config SECURITY_SELINUX_POLICYDB_VERSION_MAX	97	config SECURITY_SELINUX_POLICYDB_VERSION_MAX
98	bool "NSA SELinux maximum supported policy format version"	98	bool "NSA SELinux maximum supported policy format version"