Ben Hutchings ben at decadent.org.uk
Sun Apr 2 13:46:59 UTC 2017

On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for 
> > checkreqprot to 1, while the default[1] is 0?

The default is 1.  The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be 
> > the stricter setting.
> > 
> To be honest I've no idea and the RH bug seems to miss some messages and 
> refers to other private bug(s) but I can confirm that on centos 7.3 the 
> value is set to 0.
> The kernel configuration is done by the kernel team, I'm forwarding your 
> question to them on their ML. Maybe they didn't see the default value 
> has changed?
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005.  So anyone who has a
working SELinux policy for Debian must have taken this behaviour into

Maybe we'll go with the new default for buster.


Ben Hutchings
It is impossible to make anything foolproof because fools are so
