Red Hat Bugzilla – Bug 1264968
BUG: /sys/fs/selinux/checkreqprot should be set to 0 in /usr/lib/tmpfiles.d/selinux-policy.conf
Last modified: 2015-09-22 14:49:45 EDT
Description of problem:
We should set checkreqprot to 0 at boot to help prevent bypassing SELinux memory protections. From the kernel Kconfig documentation:
"This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
by the application or the protection that will be applied by the
kernel (including any implied execute for read-implies-exec) for
mmap and mprotect calls. If this option is set to 0 (zero),
SELinux will default to checking the protection that will be applied
by the kernel. If this option is set to 1 (one), SELinux will
default to checking the protection requested by the application."
This change is already present in Fedora.
Related RHEL6 BZ #1264977
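A short shell script, added here as an example and not taken from the bug report or the selinux-policy package, showing the tmpfiles.d entry that persists checkreqprot=0 at boot and a check of the live sysfs value. The two paths are the ones named in the report, the `w` tmpfiles.d action is standard systemd syntax, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): persist checkreqprot=0 via tmpfiles.d
# and verify the live value. With checkreqprot=1 SELinux only checks the
# protection a process *requests*, so a PROT_READ mapping that the kernel turns
# into PROT_READ|PROT_EXEC (read-implies-exec) escapes the execmem/execmod
# checks. With checkreqprot=0 the protection the kernel will actually apply is
# what gets checked.

CHECKREQPROT=/sys/fs/selinux/checkreqprot
TMPFILES_CONF=/usr/lib/tmpfiles.d/selinux-policy.conf

# The tmpfiles.d line that writes 0 into the knob at boot.
# Fields: type path mode uid gid age argument ("w" = write argument to path).
# Install with:  tmpfiles_line > "$TMPFILES_CONF" && systemd-tmpfiles --create
tmpfiles_line() {
    printf 'w %s - - - - 0\n' "$CHECKREQPROT"
}

# Exit status: 0 if the knob at $1 reads 0 (hardened), 1 if it reads 1
# (bypassable), 2 if the file is unreadable (selinuxfs not mounted / disabled).
checkreqprot_ok() {
    f=${1:-$CHECKREQPROT}
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    [ "$v" = "0" ]
}

# Human-readable report for the knob at $1; returns checkreqprot_ok's status.
report() {
    rc=0
    checkreqprot_ok "$1" || rc=$?
    case $rc in
        0) echo "$1 = 0: SELinux checks the protection the kernel applies (OK)" ;;
        1) echo "$1 = 1: only the requested protection is checked; set it to 0" ;;
        *) echo "$1 not readable: selinuxfs not mounted or SELinux disabled" ;;
    esac
    return $rc
}

report "$CHECKREQPROT" || true
```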
I believe this bug is a duplicate of BZ#1212547.
*** This bug has been marked as a duplicate of bug 1212547 ***
Thanks, sorry for the noise.