From: Paul Moore Date: Wed, 21 Oct 2015 21:44:25 +0000 (-0400) Subject: selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default X-Git-Tag: v4.14-rc1~3768^2~15^2~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2a35d196c160e352fa56eabb7952f78f4c85f577;p=platform%2Fkernel%2Flinux-rpi.git selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore --- diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index bca1b74..8691e92 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX range 0 1 - default 1 + default 0 help This option sets the default value for the 'checkreqprot' flag that determines whether SELinux checks the protection requested @@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE 'checkreqprot=' boot parameter. It may also be changed at runtime via /selinux/checkreqprot if authorized by policy. - If you are unsure how to answer this question, answer 1. + If you are unsure how to answer this question, answer 0. config SECURITY_SELINUX_POLICYDB_VERSION_MAX bool "NSA SELinux maximum supported policy format version"
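Review bot: The new `default 0` in the first hunk only takes effect where no value is recorded yet, so a build that carries an existing `.config` with `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1` keeps checking the requested protection after `make oldconfig`, and the help text does not say so. The lines visible here also never state which value is the stricter one or why the recommendation changed. I would add a sentence next to the changed recommendation in the second hunk, for example `Setting this to 1 means an execute permission implied by the kernel (read-implies-exec) is not covered by the SELinux execute checks.` Because the same help text notes the flag can be overridden by the `checkreqprot=` boot parameter and at runtime, the effective value is worth confirming on the running system rather than inferring from Kconfig. The help text continues between the two hunks and is not visible here, so part of this may already be covered.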