On Tue, 2017-04-11 at 17:12 +0200, Laurent Bigonville wrote: > Le 11/04/17 à 16:53, Christian Göttsche a écrit : > > I am using the boot flag *checkreqprot=0* without any complications or > > policy changes. > > > > @Laurent > > if you are willing, one could alter the selinux-activate script to set > > the boot flag > > I think it's too late now to do that (and I don't know all the > implications). > > I prefer that this is changed in the kernel itself TBH I looked at this again, and it does seem like we should change this in now (i.e. for Debian 9) for the sake of security. Given that it can be reverted on the kernel command line if necessary, the risk seems quite low. Ben. -- Ben Hutchings 73.46% of all statistics are made up.
Attachment:
signature.asc
Description: This is a digitally signed message part