Disable the selinuxuser_execheap SELinux Boolean

An XCCDF Rule

Description

By default, the SELinux boolean selinuxuser_execheap is disabled. When enabled, this boolean allows selinuxusers to execute code from the heap. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off
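
A check for the setting above, added here as an example and not part of the rule's own content: it parses the output of getsebool and semanage boolean -l and passes only when the boolean is off both at runtime and in the stored policy, which is the part the -P flag controls. The function names and the SAMPLE_* outputs are constructed for illustration.

```shell
# Added example: audit selinuxuser_execheap at runtime and in the stored policy.
# Function names and SAMPLE_* outputs are constructed, not taken from the rule.
BOOL=selinuxuser_execheap
SAMPLE_GETSEBOOL='selinuxuser_execheap --> off'
SAMPLE_SEMANAGE_OK='SELinux boolean                State  Default Description
selinuxuser_execheap           (off  ,  off)  Allow selinuxuser to execheap'
# Drift case: setsebool was run without -P, so the stored default is still on.
SAMPLE_SEMANAGE_DRIFT='SELinux boolean                State  Default Description
selinuxuser_execheap           (off  ,   on)  Allow selinuxuser to execheap'

# Parse `getsebool` output ("name --> on|off") from stdin.
runtime_state() {
    awk -v b="$BOOL" '$1 == b && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# Parse `semanage boolean -l` output from stdin and print the Default column,
# the stored value that applies after a reboot.
persistent_state() {
    awk -v b="$BOOL" '$1 == b {
            line = $0
            sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)
            n = split(line, f, ",")
            gsub(/[ \t]/, "", f[2])
            if (n == 2) { print f[2]; found = 1 }
        }
        END { if (!found) print "unknown" }'
}

# audit_execheap GETSEBOOL_TEXT SEMANAGE_TEXT: succeed only if both values are off.
audit_execheap() {
    rt=$(printf '%s\n' "$1" | runtime_state)
    pt=$(printf '%s\n' "$2" | persistent_state)
    if [ "$rt" = off ] && [ "$pt" = off ]; then
        echo "PASS runtime=$rt persistent=$pt"
        return 0
    fi
    echo "FAIL runtime=$rt persistent=$pt"
    return 1
}

# Live host (semanage needs root): pass --live; otherwise show the drift sample.
if [ "${1:-}" = "--live" ]; then
    audit_execheap "$(getsebool "$BOOL")" "$(semanage boolean -l)"
else
    audit_execheap "$SAMPLE_GETSEBOOL" "$SAMPLE_SEMANAGE_DRIFT" || true
fi
```

Run without arguments, it reports the constructed drift sample as a failure: the runtime value is off, but the stored default would turn the boolean back on after a reboot.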

Rationale

Disabling code execution from the heap blocks buffer overflow attacks.

ID
xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap
Severity
Medium