[DSE-Dev] CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE

Ben Hutchings ben at decadent.org.uk
Tue Apr 11 19:39:13 UTC 2017


On Tue, 2017-04-11 at 17:12 +0200, Laurent Bigonville wrote:
> On 11/04/17 at 16:53, Christian Göttsche wrote:
> > I am using the boot flag *checkreqprot=0* without any complications or
> > policy changes.
> > 
> > @Laurent
> > if you are willing, one could alter the selinux-activate script to set
> > the boot flag
> 
> I think it's too late now to do that (and I don't know all the 
> implications).
> 
> I prefer that this is changed in the kernel itself TBH

I looked at this again, and it does seem like we should change this
now (i.e. for Debian 9) for the sake of security.  Given that it can be
reverted on the kernel command line if necessary, the risk seems quite
low.

Ben.

-- 
Ben Hutchings
73.46% of all statistics are made up.
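
Added example, not part of the original message or of any Debian or kernel source: shell functions that work out which checkreqprot value a boot would use, taking the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE build default and letting a checkreqprot= parameter on the kernel command line override it. The sample config and command line are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# checkreqprot=1: SELinux checks the mmap/mprotect protection the application
#                 requested.
# checkreqprot=0: SELinux checks the protection the kernel will actually apply.
# Assumption: only the literal values 0 and 1 are handled here.

# Print the build-time default found in kernel config text ($1), or nothing.
config_default() {
    printf '%s\n' "$1" |
        sed -n 's/^CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=\([01]\)$/\1/p' |
        tail -n 1
}

# Print the value of the last checkreqprot= parameter on a kernel command
# line ($1), or nothing. Runs in a subshell so "set -f" (no globbing while
# word-splitting the command line) does not leak into the caller.
cmdline_override() (
    set -f
    val=
    for word in $1; do
        case $word in
            checkreqprot=[01]) val=${word#checkreqprot=} ;;
        esac
    done
    printf '%s' "$val"
)

# Value in effect at boot: a command-line parameter wins over the default.
# $1 = kernel config text, $2 = kernel command line.
effective_checkreqprot() {
    o=$(cmdline_override "$2")
    if [ -n "$o" ]; then printf '%s\n' "$o"; else config_default "$1"; fi
}

# Constructed sample input (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro security=selinux checkreqprot=0'

echo "build default:     $(config_default "$SAMPLE_CONFIG")"
echo "with boot flag:    $(effective_checkreqprot "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"
echo "without boot flag: $(effective_checkreqprot "$SAMPLE_CONFIG" 'root=/dev/sda1 ro')"
```

On a running system the same functions can be fed "$(cat /proc/cmdline)" and the contents of /boot/config-$(uname -r), and the result compared with /sys/fs/selinux/checkreqprot.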
