
DEPRECATE checkreqprot

Paul Moore edited this page Jun 27, 2023 · 12 revisions

NOTE: The SELinux checkreqprot functionality was removed in the Linux v6.4 release.

The SELinux checkreqprot functionality is being deprecated in the upstream Linux kernel. The checkreqprot feature was originally introduced as a compatibility mechanism for legacy userspace and the READ_IMPLIES_EXEC personality flag. However, if checkreqprot is enabled, it weakens the security of the system by allowing memory mappings to be made executable without authorization by the SELinux policy.

The checkreqprot functionality could be toggled either at runtime, by writing a 0 or 1 to "/sys/fs/selinux/checkreqprot", or at kernel build time, with the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE kernel configuration setting. Additional information can be found in the Linux kernel's deprecation notice.
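Both settings can be checked from a shell on kernels that still carry the feature. The script below is an added example, not part of the original wiki page or the kernel tree; the function names, verdict strings, exit codes and the default `/boot/config-$(uname -r)` path are assumptions, and only the selinuxfs node and the Kconfig symbol come from the text above.

```sh
#!/bin/sh
# Added example: report whether checkreqprot is enabled on this host.

# Runtime value from the selinuxfs node: prints 0, 1 or "unknown"
# (node missing, unreadable, or holding an unexpected value).
runtime_checkreqprot() {
    node=${1:-/sys/fs/selinux/checkreqprot}
    [ -r "$node" ] || { echo unknown; return 0; }
    val=$(tr -d '[:space:]' < "$node")
    case $val in
        0|1) echo "$val" ;;
        *)   echo unknown ;;
    esac
}

# Build-time value from a kernel config file: prints 0, 1, "unset"
# (symbol absent) or "unknown" (file unreadable). The default path is an
# assumption; distributions differ in where they ship the config.
buildtime_checkreqprot() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    val=$(sed -n 's/^CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=\([01]\)$/\1/p' "$cfg" | tail -n 1)
    echo "${val:-unset}"
}

# Verdict: returns 1 if checkreqprot is enabled right now, 2 if only the
# build-time setting is 1, and 0 otherwise.
audit_checkreqprot() {
    rt=$(runtime_checkreqprot "${1:-}")
    bt=$(buildtime_checkreqprot "${2:-}")
    if [ "$rt" = 1 ]; then
        echo "FAIL runtime=$rt build=$bt"
        return 1
    elif [ "$bt" = 1 ]; then
        echo "WARN runtime=$rt build=$bt"
        return 2
    fi
    echo "OK runtime=$rt build=$bt"
}

# Usage: audit_checkreqprot [node] [config]; echo "exit=$?"
```

A FAIL verdict means the weakened behaviour described above is active; writing 0 to the selinuxfs node is the runtime toggle the page names.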

For additional assistance please see the SELinux mailing list and public archive.
