Red Hat Bugzilla – Bug 1264977
BUG: /selinux/checkreqprot should be set to 0 at boot
Last modified: 2016-10-26 05:51:06 EDT
Description of problem:
We should set checkreqprot to 0 at boot to help prevent bypassing SELinux memory protections. From the kernel Kconfig documentation:
"This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
by the application or the protection that will be applied by the
kernel (including any implied execute for read-implies-exec) for
mmap and mprotect calls. If this option is set to 0 (zero),
SELinux will default to checking the protection that will be applied
by the kernel. If this option is set to 1 (one), SELinux will
default to checking the protection requested by the application."
This change is already present in Fedora.
Related RHEL7 BZ #1264968
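The distinction the Kconfig text draws, between the protection an application asks for and the one the kernel actually applies, is easiest to see in code. The following is an added example, not code from this bug report, from the selinux-policy package or from the kernel tree. It models in user space the two decisions involved: the kernel adds PROT_EXEC to a readable mapping when the task carries the READ_IMPLIES_EXEC personality and the mapping is not from a noexec mount, and SELinux's mmap hook then checks either the requested protection (checkreqprot=1) or the applied one (checkreqprot=0). The function names kernel_applied_prot, selinux_checked_prot, exec_escapes_selinux and live_applied_perms are this example's own; only PROT_*, MAP_* and READ_IMPLIES_EXEC are real constants. main() additionally runs the live part on Linux: it sets READ_IMPLIES_EXEC, maps one PROT_READ page and reads the permission bits the kernel recorded for it from /proc/self/maps.

```c
/* Added example (not from the bug report or the kernel). Models why
 * checkreqprot=1 lets executable memory appear without an SELinux check. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* Protection the kernel applies to an mmap() request (after mm/mmap.c):
 * readable mappings become executable under READ_IMPLIES_EXEC unless the
 * backing file lives on a noexec mount. */
int kernel_applied_prot(int reqprot, unsigned long pers, int file_noexec)
{
    int prot = reqprot;
    if ((prot & PROT_READ) && (pers & READ_IMPLIES_EXEC) && !file_noexec)
        prot |= PROT_EXEC;
    return prot;
}

/* Protection SELinux compares against policy: the application's request
 * when checkreqprot=1, the kernel-applied protection when checkreqprot=0. */
int selinux_checked_prot(int checkreqprot, int reqprot, int applied_prot)
{
    return checkreqprot ? reqprot : applied_prot;
}

/* 1 when the mapping ends up executable but SELinux never saw PROT_EXEC,
 * i.e. no execmem/execute permission was required for it. */
int exec_escapes_selinux(int checkreqprot, int reqprot, unsigned long pers,
                         int file_noexec)
{
    int applied = kernel_applied_prot(reqprot, pers, file_noexec);
    int checked = selinux_checked_prot(checkreqprot, reqprot, applied);
    return (applied & PROT_EXEC) && !(checked & PROT_EXEC);
}

/* Live check: map one PROT_READ page under READ_IMPLIES_EXEC and copy the
 * perms column for it ("r-xp" or "r--p") out of /proc/self/maps.
 * Returns 0 on success, -1 if personality()/mmap() is denied (e.g. by a
 * seccomp profile) or the mapping is not found. */
int live_applied_perms(char out[5])
{
    long page = sysconf(_SC_PAGESIZE);
    if (personality(READ_IMPLIES_EXEC) == -1)
        return -1;
    void *p = mmap(NULL, (size_t)page, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) {
        munmap(p, (size_t)page);
        return -1;
    }
    unsigned long addr = (unsigned long)(uintptr_t)p;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[5];
        /* The new page may have been merged into a neighbouring VMA with
         * identical flags, so match by range rather than exact start. */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            start <= addr && addr < end) {
            memcpy(out, perms, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    munmap(p, (size_t)page);
    return found ? 0 : -1;
}

int main(void)
{
    char perms[5];
    if (live_applied_perms(perms) == 0)
        printf("mmap(PROT_READ) under READ_IMPLIES_EXEC is mapped %s\n", perms);
    else
        printf("live check unavailable (personality or mmap denied)\n");
    printf("checkreqprot=1: exec escapes SELinux check: %d\n",
           exec_escapes_selinux(1, PROT_READ, READ_IMPLIES_EXEC, 0));
    printf("checkreqprot=0: exec escapes SELinux check: %d\n",
           exec_escapes_selinux(0, PROT_READ, READ_IMPLIES_EXEC, 0));
    return 0;
}
```

With checkreqprot=1 the model reports that an anonymous PROT_READ mapping becomes executable while SELinux only evaluated PROT_READ, which is the bypass the bug report wants closed; with checkreqprot=0 the same request is checked as read+execute and needs the corresponding execmem permission. The live part only shows what the kernel applied; whether SELinux allowed it still depends on the policy and the checkreqprot value of the system it runs on.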
Which package version has the fix?
I checked the 3.7.19-281.el6 build, but it doesn't contain the fix.
I'm going to reopen this BZ so we can clear this up; Miroslav, feel free to close this once you've provided the "Fixed in Version" information.
OK, I meant RHEL7.
The solution for this would have to be in the spec file, as Mirek noted in #c7.
I will have to do more testing.
The way this is set, through patching /etc/rc.local and adding
echo 0 > /selinux/checkreqprot
is really odd. Is it a good idea to do it this way?
Due to rhbz#1388037 failing, reverting this fix and CLOSING as WONTFIX.