On Sun, 2017-04-02 at 14:35 +0200, Laurent Bigonville wrote:
> On 02/04/17 at 03:25, cgzones wrote:
> > Is there any reason why the standard Debian kernel sets the value for
> > checkreqprot to 1, while the default[1] is 0?

The default is 1. The commit changing the default to 0 went into
4.11-rc4, i.e. it is not even in an upstream stable release yet.

> > RedHat[2] seems also to use 0 and from the documentation 0 seems to be
> > the stricter setting.
> >
>
> To be honest I've no idea and the RH bug seems to miss some messages and
> refers to other private bug(s) but I can confirm that on centos 7.3 the
> value is set to 0.
>
> The kernel configuration is done by the kernel team, I'm forwarding your
> question to them on their ML. Maybe they didn't see the default value
> has changed?
>
> Dear kernel maintainer, do you have an idea about this?

It's been that way in Debian since at least 2005. So anyone who has a
working SELinux policy for Debian must have taken this behaviour into
account.

Maybe we'll go with the new default for buster.

Ben.
--
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.