selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default

Change the SELinux checkreqprot default value to 0 so that SELinux
performs access control checking on the actual memory protections
used by the kernel and not those requested by the application.

Signed-off-by: Paul Moore <pmoore@redhat.com>

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index bca1b74a4a2f254df4dca4d4aea52c364ee53818..8691e92f27e584dcf26f35628c61e408c08a77cb 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -78,7 +78,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
        int "NSA SELinux checkreqprot default value"
        depends on SECURITY_SELINUX
        range 0 1
-       default 1
+       default 0
        help
          This option sets the default value for the 'checkreqprot' flag
          that determines whether SELinux checks the protection requested
@@ -92,7 +92,7 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
          'checkreqprot=' boot parameter.  It may also be changed at runtime
          via /selinux/checkreqprot if authorized by policy.
 
-         If you are unsure how to answer this question, answer 1.
+         If you are unsure how to answer this question, answer 0.
 
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
        bool "NSA SELinux maximum supported policy format version"