[DSE-Dev] CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE

cgzones cgzones at googlemail.com
Sun Apr 2 14:43:16 UTC 2017


On 2 Apr 2017 3:47 pm, "Ben Hutchings" <ben at decadent.org.uk> wrote:

On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for
> > checkreqprot to 1, while the default[1] is 0?

The default is 1.  The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.


The change is from Oct 15, 4.4-rc1


> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be
> > the stricter setting.
> >
>
> To be honest I've no idea and the RH bug seems to miss some messages and
> refers to other private bug(s) but I can confirm that on centos 7.3 the
> value is set to 0.
>
> The kernel configuration is done by the kernel team, I'm forwarding your
> question to them on their ML. Maybe they didn't see the default value
> has changed?
>
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005.  So anyone who has a
working SELinux policy for Debian must have taken this behaviour into
account.

Maybe we'll go with the new default for buster.

Ben.

--
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.