Bug 1264968

Summary: BUG: /sys/fs/selinux/checkreqprot should be set to 0 in /usr/lib/tmpfiles.d/selinux-policy.conf
Product: Red Hat Enterprise Linux 7
Reporter: Paul Moore <pmoore>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: lvrabec, mgrepl, mmalik, plautrba, pmoore, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-09-22 14:26:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Paul Moore 2015-09-21 18:41:34 UTC
Description of problem:
We should set checkreqprot to 0 at boot to help prevent bypassing SELinux memory protections.  From the kernel Kconfig documentation:

  "This option sets the default value for the 'checkreqprot' flag
   that determines whether SELinux checks the protection requested
   by the application or the protection that will be applied by the
   kernel (including any implied execute for read-implies-exec) for
   mmap and mprotect calls.  If this option is set to 0 (zero),
   SELinux will default to checking the protection that will be applied
   by the kernel.  If this option is set to 1 (one), SELinux will
   default to checking the protection requested by the application."

Additional info:
This change is already present in Fedora.
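
As an added example (not part of the bug report or of the selinux-policy package), a small POSIX shell audit that reads the runtime flag and checks a tmpfiles.d config for the entry the summary asks for. The paths are the ones named in the summary; the `w` entry format is the standard tmpfiles.d write type, and the sample files are constructed so it runs without SELinux.

```shell
#!/bin/sh
# Added example (not from the bug report): audit helpers for the checkreqprot
# hardening this bug asks for. The tmpfiles.d line below uses the standard
# 'w' type (write Argument to Path at boot); field order is
# Type Path Mode User Group Age Argument.

EXPECTED_ENTRY='w /sys/fs/selinux/checkreqprot - - - - 0'

# checkreqprot_state FILE
# Prints "hardened" when FILE holds 0 (SELinux checks the protection the
# kernel will actually apply), "weak" when it holds 1 (only the protection
# requested by the application is checked), "absent" when FILE is unreadable
# (no SELinux sysfs on this host), else "unknown".
checkreqprot_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo hardened ;;
        1) echo weak ;;
        *) echo unknown ;;
    esac
}

# tmpfiles_has_entry CONF
# Returns 0 when CONF contains a 'w' entry writing 0 to checkreqprot,
# tolerating extra whitespace; comment lines never match.
tmpfiles_has_entry() {
    [ -r "$1" ] && grep -Eq \
        '^[[:space:]]*w[[:space:]]+/sys/fs/selinux/checkreqprot([[:space:]]+-){4}[[:space:]]+0[[:space:]]*$' \
        "$1"
}

# Demonstration on constructed sample files; the live inputs would be
# /sys/fs/selinux/checkreqprot and /usr/lib/tmpfiles.d/selinux-policy.conf.
flag=$(mktemp); conf=$(mktemp)
printf '1\n' > "$flag"
printf '# sample conf\nw /sys/fs/selinux/checkreqprot - - - - 0\n' > "$conf"
echo "runtime: $(checkreqprot_state "$flag")"          # runtime: weak
tmpfiles_has_entry "$conf" && echo "boot entry present: $EXPECTED_ENTRY"
rm -f "$flag" "$conf"
```

A runtime value of 1 with the boot entry present means the box has not been rebooted (or systemd-tmpfiles has not run) since the config was installed.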

Comment 1 Paul Moore 2015-09-21 19:08:01 UTC
Related RHEL6 BZ #1264977

Comment 2 Milos Malik 2015-09-22 07:22:51 UTC
I believe this bug is a duplicate of BZ#1212547.

Comment 3 Miroslav Grepl 2015-09-22 14:26:59 UTC

*** This bug has been marked as a duplicate of bug 1212547 ***

Comment 4 Paul Moore 2015-09-22 18:49:45 UTC
Thanks, sorry for the noise.