[DSE-Dev] CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE

Ben Hutchings ben at decadent.org.uk
Sun Apr 2 13:46:59 UTC 2017


On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for 
> > checkreqprot to 1, while the default[1] is 0?

The default is 1.  The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be 
> > the stricter setting.
> > 
> 
> To be honest I've no idea and the RH bug seems to miss some messages and 
> refers to other private bug(s) but I can confirm that on centos 7.3 the 
> value is set to 0.
> 
> The kernel configuration is done by the kernel team, I'm forwarding your 
> question to them on their ML. Maybe they didn't see the default value 
> has changed?
> 
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005.  So anyone who has a
working SELinux policy for Debian must have taken this behaviour into
account.

Maybe we'll go with the new default for buster.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.
