selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default

Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore <pmoore@redhat.com>

selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore <pmoore@redhat.com>
2a35d196 · Paul Moore · 09302fd1 · 2a35d196
Commit 2a35d196 authored Oct 21, 2015 by Paul Moore
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

security/selinux/Kconfig security/selinux/Kconfig +2 -2

No files found.
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 	int "NSA SELinux checkreqprot default value"
 	depends on SECURITY_SELINUX
 	range 0 1
-	default 1
+	default 0
 	help
 	  This option sets the default value for the 'checkreqprot' flag
 	  that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
 	  'checkreqprot=' boot parameter.  It may also be changed at runtime
 	  via /selinux/checkreqprot if authorized by policy.
-	  If you are unsure how to answer this question, answer 1.
+	  If you are unsure how to answer this question, answer 0.
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 	bool "NSA SELinux maximum supported policy format version"