I am using the boot flag *checkreqprot=0* without any complications or policy changes.

@Laurent if you are willing, one could alter the selinux-activate script to set the boot flag.

@Ben
> Maybe we'll go with the new default for buster.

If there are no objections from the Debian SELinux team or users, please do so.