<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 2 Apr 2017 3:47 pm, "Ben Hutchings" <<a href="mailto:ben@decadent.org.uk">ben@decadent.org.uk</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="quoted-text">On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:<br>
> Le 02/04/17 à 03:25, cgzones a écrit :<br>
> > Is there any reason why the standard Debian kernel sets the value for <br>
> > checkreqprot to 1, while the default[1] is 0?<br>
<br>
</div>The default is 1. The commit changing the default to 0 went into<br>
4.11-rc4, i.e. it is not even in an upstream stable release yet.<br></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote></div></div></div><div dir="auto">The change is from Okt 15, 4.4-rc1</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="quoted-text"><br>
> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be <br>
> > the stricter setting.<br>
> ><br>
><br>
> To be honest I've no idea and the RH bug seems to miss some messages and <br>
> refers to other private bug(s) but I can confirm that on centos 7.3 the <br>
> value is set to 0.<br>
><br>
> The kernel configuration is done by the kernel team, I'm forwarding your <br>
> question to them on their ML. Maybe they didn't saw the default value <br>
> has changed?<br>
><br>
> Dear kernel maintainer, do you have an idea about this?<br>
<br>
</div>It's been that way in Debian since at least 2005. So anyone who has a<br>
working SELinux policy for Debian must have taken this behaviour into<br>
account.<br>
<br>
Maybe we'll go with the new default for buster.<br>
<font color="#888888"><br>
Ben.<br>
<br>
--<br>
Ben Hutchings<br>
It is impossible to make anything foolproof because fools are so<br>
ingenious.<br>
<br>
</font></blockquote></div><br></div></div></div>