Bug 1264968 - BUG: /sys/fs/selinux/checkreqprot should be set to 0 in /usr/lib/tmpfiles.d/selinux-policy.conf
Status: CLOSED DUPLICATE of bug 1212547
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks:
Reported: 2015-09-21 14:41 EDT by Paul Moore
Modified: 2015-09-22 14:49 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-22 10:26:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Paul Moore 2015-09-21 14:41:34 EDT
Description of problem:
We should set checkreqprot to 0 at boot to help prevent bypassing SELinux memory protections.  From the kernel Kconfig documentation:

  "This option sets the default value for the 'checkreqprot' flag
   that determines whether SELinux checks the protection requested
   by the application or the protection that will be applied by the
   kernel (including any implied execute for read-implies-exec) for
   mmap and mprotect calls.  If this option is set to 0 (zero),
   SELinux will default to checking the protection that will be applied
   by the kernel.  If this option is set to 1 (one), SELinux will
   default to checking the protection requested by the application."

Additional info:
This change is already present in Fedora.
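The fix this report asks for is a one-line tmpfiles.d entry that writes 0 into the sysfs node at boot, so that SELinux checks the protection the kernel will actually apply (execute included, when read-implies-exec is in force) rather than the protection the application asked for. The script below is an added example for this page, not code from the bug report or from the selinux-policy package: it generates the entry in tmpfiles.d(5) 'w' syntax, validates a fragment containing it, and reports whether a checkreqprot node holds the hardened value. The sysfs path is the one in the bug title; the function names and the simulated sysfs files are assumptions made for the demonstration, which writes only to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package).
# Assumed: tmpfiles.d(5) 'w' semantics (write the argument to the path if
# the path exists) and the sysfs node named in the bug title.

CHECKREQPROT_SYSFS=/sys/fs/selinux/checkreqprot

# Emit the tmpfiles.d entry that writes 0 into checkreqprot at boot.
# Fields: type path mode uid gid age argument; unused fields are '-'.
tmpfiles_entry() {
    printf 'w %s - - - - 0\n' "$CHECKREQPROT_SYSFS"
}

# Read checkreqprot from a file (default: the live sysfs node) and print it.
# Returns 0 when hardened (value 0: SELinux checks the kernel-applied
# protection), 1 when SELinux checks only the requested protection (value 1),
# 2 when the file is unreadable or holds an unexpected value.
checkreqprot_hardened() {
    f="${1:-$CHECKREQPROT_SYSFS}"
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    echo "$v"
    case "$v" in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# Validate a tmpfiles.d fragment: ignoring comment lines, it must carry a 'w'
# entry for the checkreqprot node whose argument (7th field) is exactly 0.
# Returns 0 when such an entry is present, 1 otherwise, 2 if unreadable.
validate_fragment() {
    frag="$1"
    [ -r "$frag" ] || return 2
    grep -v '^[[:space:]]*#' "$frag" \
      | awk -v p="$CHECKREQPROT_SYSFS" '
          $1 == "w" && $2 == p { found = 1; ok = ($7 == "0") }
          END { exit (found && ok) ? 0 : 1 }'
}

# Demonstration on constructed inputs; nothing under /sys is touched.
demo() {
    tmp=$(mktemp -d)
    # A fragment as it would be installed as /usr/lib/tmpfiles.d/selinux-policy.conf
    tmpfiles_entry > "$tmp/selinux-policy.conf"
    validate_fragment "$tmp/selinux-policy.conf" && echo "fragment ok"
    # Simulated sysfs nodes: the weak value (1) and the hardened value (0).
    echo 1 > "$tmp/weak"
    echo 0 > "$tmp/hardened"
    checkreqprot_hardened "$tmp/weak" || echo "weak: SELinux checks requested prot only"
    checkreqprot_hardened "$tmp/hardened" && echo "hardened: SELinux checks applied prot"
    rm -rf "$tmp"
}

demo
```

On a live system the same entry is applied without a reboot by `systemd-tmpfiles --create selinux-policy.conf` (or by writing 0 to the node directly as root), and the kernel's own `checkreqprot=` boot parameter, together with the `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE` Kconfig option quoted above, sets the value before any userspace runs. Kernels released after this report deprecated setting checkreqprot to 1 and default it to 0, so the tmpfiles.d line is harmless where it is redundant.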
Comment 1 Paul Moore 2015-09-21 15:08:01 EDT
Related RHEL6 BZ #1264977
Comment 2 Milos Malik 2015-09-22 03:22:51 EDT
I believe this bug is a duplicate of BZ#1212547.
Comment 3 Miroslav Grepl 2015-09-22 10:26:59 EDT

*** This bug has been marked as a duplicate of bug 1212547 ***
Comment 4 Paul Moore 2015-09-22 14:49:45 EDT
Thanks, sorry for the noise.
