[DSE-Dev] CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
Ben Hutchings
ben at decadent.org.uk
Sun Apr 2 13:46:59 UTC 2017

On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for
> > checkreqprot to 1, while the default[1] is 0?

The default is 1. The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be
> > the stricter setting.
> >
>
> To be honest I've no idea and the RH bug seems to miss some messages and
> refers to other private bug(s) but I can confirm that on centos 7.3 the
> value is set to 0.
>
> The kernel configuration is done by the kernel team, I'm forwarding your
> question to them on their ML. Maybe they didn't see the default value
> has changed?
>
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005. So anyone who has a
working SELinux policy for Debian must have taken this behaviour into
account.

Maybe we'll go with the new default for buster.

Ben.
--
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.
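
The question in this thread comes down to which checkreqprot value a given system actually runs with. The following is an added example, not part of the original message or of Debian's kernel packaging: a POSIX shell function that resolves the value from the kernel build config, the `checkreqprot=` boot parameter and the runtime selinuxfs file. The function name, the precedence order as coded, the paths in the usage comment and the sample files are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective checkreqprot value.
# Later sources override earlier ones (assumed precedence):
#   kernel build default -> checkreqprot= boot parameter -> runtime selinuxfs value
# 0 = check the protection the kernel will actually apply (the stricter setting)
# 1 = check only the protection the application requested

# Usage: checkreqprot_effective CONFIG_FILE CMDLINE_FILE [SELINUXFS_FILE]
# Prints "<value> <source>"; exits non-zero if no source yields a value.
# The body runs in a subshell so its variables do not leak into the caller.
checkreqprot_effective() (
    value='' src=''
    # 1. Build-time default recorded in the kernel config file.
    if [ -r "$1" ]; then
        v=$(sed -n 's/^CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=\([01]\)$/\1/p' "$1" | tail -n 1)
        if [ -n "$v" ]; then value=$v src=config; fi
    fi
    # 2. Boot parameter; the last occurrence on the command line wins.
    if [ -r "$2" ]; then
        v=$(tr ' ' '\n' < "$2" | sed -n 's/^checkreqprot=\([01]\)$/\1/p' | tail -n 1)
        if [ -n "$v" ]; then value=$v src=cmdline; fi
    fi
    # 3. Runtime value exposed by selinuxfs, if a path was given and is readable.
    if [ -n "${3:-}" ] && [ -r "$3" ]; then
        v=$(tr -d '[:space:]' < "$3")
        case $v in [01]) value=$v src=runtime ;; esac
    fi
    [ -n "$value" ] && printf '%s %s\n' "$value" "$src"
)

# Constructed sample: a config built with the value 1 discussed in the thread,
# booted with checkreqprot=0 on the command line. Prints "0 cmdline".
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1\n' > "$tmp/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro checkreqprot=0\n' > "$tmp/cmdline"
    checkreqprot_effective "$tmp/config" "$tmp/cmdline"
    rm -rf "$tmp"
}
demo

# On a real system (paths are assumptions about a typical install):
# checkreqprot_effective "/boot/config-$(uname -r)" /proc/cmdline /sys/fs/selinux/checkreqprot
```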