DEPRECATE checkreqprot
NOTE: This page is a work in progress.
The SELinux checkreqprot functionality has been deprecated in the upstream Linux kernel. It was originally introduced as a compatibility mechanism for legacy userspace and the READ_IMPLIES_EXEC personality flag: with checkreqprot enabled, SELinux checks the protection flags an application requested in mmap(2) and mprotect(2) rather than the protection the kernel actually applies, so a mapping the kernel silently makes executable (for example a PROT_READ mapping in a process with READ_IMPLIES_EXEC set) is never checked for execute permission. Enabling it therefore weakens the security of the system, because memory can become executable without the SELinux policy ever authorizing it.
The checkreqprot value could be toggled at runtime by writing 0 or 1 to "/sys/fs/selinux/checkreqprot" (or set at boot with the checkreqprot= kernel command-line parameter), or fixed at kernel build time with the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE kernel configuration setting. The secure value is 0, which is also the upstream default; since the deprecation, enabling it at runtime logs a kernel warning, and newer upstream kernels reject attempts to set it to 1.
If you encounter a suspicious and excessive number of execute and execmem denials, that may be due to a lack of support for this functionality by your chip set's kernel and/or a wrong configuration of your kernel.
Such events have, for example, been reported with Qualcomm chip sets:
avc: denied { execmem } for pid=542 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execute } for pid=2635 comm="modprobe" path="/lib/modules/5.4.155/aead.ko" dev="overlay" ino=1112 scontext=u:r:kmodloader.subj tcontext=u:r:file.modulesfile tclass=file permissive=0
CITATION NEEDED
This is because kernels for Qualcomm chip sets have to be configured with CONFIG_STRICT_MEMORY_RWX=y, as they do not support CONFIG_STRICT_KERNEL_RWX=y.
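The checks described above can be scripted. The following POSIX shell helper is an added example written for this page; it is not part of the project's tooling or the kernel. It reads the runtime checkreqprot value from selinuxfs, looks up CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE (or any other symbol, such as CONFIG_STRICT_KERNEL_RWX) in the kernel config, tests a process's personality for the READ_IMPLIES_EXEC bit, and summarizes exec-related AVC denials from an audit log by source context. All paths default to the live kernel interfaces but can be overridden so the functions also run against constructed files; the sample log embedded in the script is constructed from the two denials quoted above plus an unrelated read denial (pids and the extra lines are made up, not a real capture).

```shell
#!/bin/sh
# Added example for this page (not part of the project): audit helpers for the
# checkreqprot setting and for exec-related AVC denials. Every function takes an
# optional path so it can be run against constructed files instead of the live
# kernel interfaces.

# Runtime checkreqprot state from selinuxfs: prints enabled, disabled or
# unavailable (SELinux absent or selinuxfs not mounted). 0 is the secure value.
checkreqprot_state() {
    f="${1:-/sys/fs/selinux/checkreqprot}"
    [ -r "$f" ] || { echo unavailable; return 0; }
    case "$(head -n 1 "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# Value of one CONFIG_ symbol from a kernel .config-style file. Prints the
# value (y, m, 0, 1, ...), "n" for "# CONFIG_X is not set", or "unset" when
# the symbol is absent. Defaults to /proc/config.gz, then /boot/config-<release>.
kconfig_value() {
    sym="$1"
    if [ -n "${2:-}" ]; then
        text=$(cat "$2" 2>/dev/null)
    elif [ -r /proc/config.gz ]; then
        text=$(zcat /proc/config.gz 2>/dev/null)
    else
        text=$(cat "/boot/config-$(uname -r)" 2>/dev/null)
    fi
    if printf '%s\n' "$text" | grep -q "^${sym}="; then
        printf '%s\n' "$text" | sed -n "s/^${sym}=//p" | head -n 1
    elif printf '%s\n' "$text" | grep -q "^# ${sym} is not set"; then
        echo n
    else
        echo unset
    fi
}

# READ_IMPLIES_EXEC is personality bit 0x0400000 (include/uapi/linux/personality.h).
# /proc/<pid>/personality holds the value as 8 hex digits without a 0x prefix;
# a 0x prefix is tolerated too. Prints yes, no or unknown.
read_implies_exec() {
    f="${1:-/proc/self/personality}"
    [ -r "$f" ] || { echo unknown; return 0; }
    hex=$(head -n 1 "$f" | sed 's/^0[xX]//')
    [ -n "$hex" ] || { echo unknown; return 0; }
    if [ $(( 0x$hex & 0x0400000 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Summarize exec-related AVC denials (execmem, execheap, execstack, execmod and
# file execute) from an audit log: one line per "scontext permission count",
# most frequent first. Matches both the single-space form quoted on this page
# and the double-space form auditd writes. Returns 1 if the log is unreadable.
exec_denial_summary() {
    log="${1:-/var/log/audit/audit.log}"
    [ -r "$log" ] || return 1
    grep -E 'avc: *denied *[{] *(execmem|execheap|execstack|execmod|execute) *[}]' "$log" \
        | sed -nE 's/.*denied *[{] *([a-z]+) *[}].*scontext=([^ ]+).*/\2 \1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $3, $1 }'
}

# Constructed sample log for offline use, modeled on the two denials quoted
# on this page plus one unrelated read denial (pids invented, not a real capture).
SAMPLE_AVC_LOG='avc: denied { execmem } for pid=542 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execmem } for pid=560 comm="ip" scontext=u:r:ip.subj tcontext=u:r:ip.subj tclass=process permissive=0
avc: denied { execute } for pid=2635 comm="modprobe" path="/lib/modules/5.4.155/aead.ko" dev="overlay" ino=1112 scontext=u:r:kmodloader.subj tcontext=u:r:file.modulesfile tclass=file permissive=0
avc: denied { read } for pid=77 comm="cat" path="/etc/shadow" scontext=u:r:cat.subj tcontext=u:r:file.shadow tclass=file permissive=0'

# Report against the live system; run the script with "report" as first argument.
audit_report() {
    echo "checkreqprot (runtime): $(checkreqprot_state)"
    echo "CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE: $(kconfig_value CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)"
    echo "CONFIG_STRICT_KERNEL_RWX: $(kconfig_value CONFIG_STRICT_KERNEL_RWX)"
    echo "this shell READ_IMPLIES_EXEC: $(read_implies_exec)"
    echo "exec-related denials (scontext permission count):"
    exec_denial_summary || echo "  audit log not readable"
}

if [ "${1:-}" = report ]; then
    audit_report
fi
```

To check one suspect process instead of the current shell, pass its personality file, e.g. `read_implies_exec /proc/542/personality`; a "yes" there, combined with execmem or file execute denials for that domain, is the pattern the paragraphs above describe. The summary function deliberately ignores read denials, so a policy that is simply missing read rules does not inflate the count.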
For additional assistance please see the SELinux mailing list and its public archive.