cgzones cgzones at googlemail.com
Sun Apr 2 14:43:16 UTC 2017

On 2 Apr 2017 3:47 pm, "Ben Hutchings" <ben at decadent.org.uk> wrote:

On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for
> > checkreqprot to 1, while the default[1] is 0?

The default is 1.  The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

The change is from Oct 15, 4.4-rc1

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be
> > the stricter setting.
> >
> To be honest I've no idea and the RH bug seems to miss some messages and
> refers to other private bug(s) but I can confirm that on centos 7.3 the
> value is set to 0.
> The kernel configuration is done by the kernel team, I'm forwarding your
> question to them on their ML. Maybe they didn't see the default value
> has changed?
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005.  So anyone who has a
working SELinux policy for Debian must have taken this behaviour into

Maybe we'll go with the new default for buster.


Ben Hutchings
It is impossible to make anything foolproof because fools are so

More information about the SELinux-devel mailing list