Bug 1264977 - BUG: /selinux/checkreqprot should be set to 0 at boot
BUG: /selinux/checkreqprot should be set to 0 at boot
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
high Severity high
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: Reopened
Depends On:
Blocks: 1343211
  Show dependency treegraph
Reported: 2015-09-21 15:07 EDT by Paul Moore
Modified: 2016-10-26 05:51 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-10-26 05:51:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0627 normal SHIPPED_LIVE selinux-policy bug fix update 2017-03-21 08:29:23 EDT

  None (edit)
Description Paul Moore 2015-09-21 15:07:15 EDT
Description of problem:
We should set checkreqprot to 0 at boot to help prevent bypassing SELinux memory protections.  From the kernel Kconfig documentation:

  "This option sets the default value for the 'checkreqprot' flag
   that determines whether SELinux checks the protection requested
   by the application or the protection that will be applied by the
   kernel (including any implied execute for read-implies-exec) for
   mmap and mprotect calls.  If this option is set to 0 (zero),
   SELinux will default to checking the protection that will be applied
   by the kernel.  If this option is set to 1 (one), SELinux will
   default to checking the protection requested by the application."

Additional info:
This change is already present in Fedora.
Comment 1 Paul Moore 2015-09-21 15:08:27 EDT
Related RHEL7 BZ #1264968
Comment 2 Paul Moore 2015-10-29 08:35:05 EDT
Which package version has the fix?
Comment 3 Milos Malik 2015-11-02 07:10:37 EST
I checked the 3.7.19-281.el6 build, but it doesn't contain the fix.
Comment 4 Paul Moore 2015-11-02 08:11:54 EST
I'm going to reopen this BZ so we can clear this up; Miroslav, feel free to close this once you've provided the "Fixed in Version" information.
Comment 5 Miroslav Grepl 2015-11-09 09:45:23 EST
Ok I meant RHEL7.
Comment 9 Simon Sekidde 2016-05-10 12:38:58 EDT
The solution for this would have to be in the spec file like Mirek noted in #c7
I will have to do more testing.
Comment 13 Florian Weimer 2016-10-25 12:36:52 EDT
The way this is set, through patching /etc/rc.local and adding

echo 0 > /selinux/checkreqprot

is really odd.  Is it a good idea to do it this way?
Comment 14 Lukas Vrabec 2016-10-26 05:51:06 EDT
Due to failing of rhbz#1388037 reverting this fix and CLOSING as WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.