In case virtual memory is being marked as executable by default, SELinux
checks regarding explicit potential dangerous use are disabled.
Inform the user about it.
Signed-off-by: Christian Göttsche <[email protected]>
---
security/selinux/hooks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6f53fa71fbdb..3a7ece84c2cc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7265,6 +7265,8 @@ static __init int selinux_init(void)
cred_init_security();
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
+ if (!default_noexec)
+ pr_notice("SELinux: virtual memory is executable by default - related checks disabled\n");
avc_init();
--
2.40.1
On Thu, Jul 20, 2023 at 6:36 AM Christian Göttsche
<[email protected]> wrote:
>
> In case virtual memory is being marked as executable by default, SELinux
> checks regarding explicit potential dangerous use are disabled.
>
> Inform the user about it.
>
> Signed-off-by: Christian Göttsche <[email protected]>
> ---
> security/selinux/hooks.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6f53fa71fbdb..3a7ece84c2cc 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7265,6 +7265,8 @@ static __init int selinux_init(void)
> cred_init_security();
>
> default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
> + if (!default_noexec)
> + pr_notice("SELinux: virtual memory is executable by default - related checks disabled\n");
Let's keep things concise and simply say that "virtual memory is
executable by default", dropping the last part about "related checks".
>
> avc_init();
>
> --
> 2.40.1
--
paul-moore.com