
Re: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE



On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for 
> > checkreqprot to 1, while the default[1] is 0?

The default is 1.  The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be 
> > the stricter setting.
> > 
> 
> To be honest I've no idea and the RH bug seems to miss some messages and 
> refers to other private bug(s) but I can confirm that on centos 7.3 the 
> value is set to 0.
> 
> The kernel configuration is done by the kernel team, I'm forwarding your 
> question to them on their ML. Maybe they didn't see the default value 
> has changed?
> 
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005.  So anyone who has a
working SELinux policy for Debian must have taken this behaviour into
account.

Maybe we'll go with the new default for buster.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.
