View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001310 | channel: kernel/el8 | kernel-ml | public | 2023-01-10 20:27 | 2023-01-12 11:23 |
Reporter | efdevse | Assigned To | burakkucat | ||
Priority | normal | Severity | text | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Platform | Linux | OS | Rocky Linux 8 | OS Version | 8.7 |
Summary | 0001310: Boot message about: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE | ||||
Description | After installing kernel-ml - I noticed a boot message this morning, and thought I should report it. It's prob nothing, but in case that is something you want/need to deal with when building the kernel(s).
> SELinux: Initializing.
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.
> SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot
| ||||
Tags | No tags attached. | ||||
|
Based on the text on the GitHub page, I checked my: '/sys/fs/selinux/checkreqprot' and it says 0. And the warning/bootmsg said it's 'non-zero'. Does it mean it's set in the kernel perhaps? |
|
Acknowledged. Thank you for the report / heads up. Alan, our kernel maintainer, will investigate and consider if we need to change the config. |
|
I check the status of that configuration option from the latest Red Hat distributed kernels for el7, el8 and el9 --

```
[el7 ~]$ grep 'CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE' /boot/config*
/boot/config-3.10.0-1160.80.1.el7.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
/boot/config-3.10.0-1160.81.1.el7.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
[el7 ~]$

[el8 ~]$ grep 'CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE' /boot/config*
/boot/config-4.18.0-372.32.1.el8_6.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
/boot/config-4.18.0-425.3.1.el8.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
[el8 ~]$

[el9 ~]$ grep 'CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE' /boot/config*
/boot/config-5.14.0-70.30.1.el9_0.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
/boot/config-5.14.0-162.6.1.el9_1.x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
[el9 ~]$
```

I now check the value from the running Red Hat distributed kernels for el7, el8 and el9 --

```
[el7 ~]$ cat /sys/fs/selinux/checkreqprot ; echo
0
[el7 ~]$

[el8 ~]$ cat /sys/fs/selinux/checkreqprot ; echo
0
[el8 ~]$

[el9 ~]$ cat /sys/fs/selinux/checkreqprot ; echo
0
[el9 ~]$
```

Finally I check our master configuration files for that option with kernel-ml for el7, el8 and el9 --

```
[kernels]$ grep -r 'CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE' * | sort | grep -E '6\.1\.4|6\.2'
el7/config-6.1/config-6.1.4-x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el7/config-6.2/config-6.2.0-x86_64-rc1:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el7/config-6.2/config-6.2.0-x86_64-rc2:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el7/config-6.2/config-6.2.0-x86_64-rc3:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el8/config-6.1/config-6.1.4-x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el8/config-6.2/config-6.2.0-x86_64-rc1:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el8/config-6.2/config-6.2.0-x86_64-rc2:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el8/config-6.2/config-6.2.0-x86_64-rc3:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
el9/config-6.1/config-6.1.4-aarch64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.1/config-6.1.4-x86_64:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-aarch64-rc1:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-aarch64-rc2:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-aarch64-rc3:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-x86_64-rc1:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-x86_64-rc2:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
el9/config-6.2/config-6.2.0-x86_64-rc3:CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
[kernels]$
```

I have, therefore, queued a change of the default CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE, from 1 to 0, for the next builds of the kernel-ml package sets for both el7 and el8. |
|
With today's release [1][2] of updated kernel-ml package sets for both el7 and el8, that have the CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE option set as zero, this request has been fulfilled. Now closing as "resolved/fixed".

[1] https://lists.elrepo.org/pipermail/elrepo/2023-January/006328.html
[2] https://lists.elrepo.org/pipermail/elrepo/2023-January/006329.html |
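The checks run by hand in the notes above (build-time default in each config file, runtime value in `/sys/fs/selinux/checkreqprot`) can be combined into one audit script. This is an added example, not ELRepo's tooling: the function names and verdict strings are made up here, and the demo files at the end are constructed, not real kernel configs.

```shell
#!/bin/sh
OPT=CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE

# Print the build-time default recorded in one config file, or "absent"
# when the option does not appear (or the file cannot be read).
checkreqprot_default() {
    val=$(sed -n "s/^${OPT}=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$1" 2>/dev/null | tail -n 1)
    echo "${val:-absent}"
}

# Classify every config-* file in a directory (default /boot).
# Output: one "<file> <value> <verdict>" line per file; a non-zero value
# is the condition the boot message in this report warns about.
audit_configs() {
    dir=${1:-/boot}
    for f in "$dir"/config-*; do
        [ -f "$f" ] || continue
        v=$(checkreqprot_default "$f")
        case "$v" in
            absent) verdict=option-not-present ;;
            0)      verdict=ok ;;
            *)      verdict=deprecated-nonzero-default ;;
        esac
        echo "$(basename "$f") $v $verdict"
    done
}

# Show the build-time default next to the runtime value. The two can
# differ, as the el7/el8 output in this issue shows (1 vs 0).
# Both paths can be overridden so the function works on sample files.
compare_running() {
    cfg=${1:-/boot/config-$(uname -r)}
    node=${2:-/sys/fs/selinux/checkreqprot}
    built=$(checkreqprot_default "$cfg")
    if [ -r "$node" ]; then runtime=$(tr -d '[:space:]' < "$node"); else runtime=unavailable; fi
    echo "build-time=$built runtime=$runtime"
}

# Demo on constructed files (not real kernel configs).
demo=$(mktemp -d)
printf '%s=1\n' "$OPT" > "$demo/config-constructed-a"
printf '%s=0\n' "$OPT" > "$demo/config-constructed-b"
printf '0' > "$demo/checkreqprot"
audit_configs "$demo"
compare_running "$demo/config-constructed-a" "$demo/checkreqprot"
rm -rf "$demo"
```

On a real host, `audit_configs` with no argument scans `/boot`, and `compare_running` with no arguments uses the running kernel's config and the live selinuxfs node.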
Date Modified | Username | Field | Change |
---|---|---|---|
2023-01-10 20:27 | efdevse | New Issue | |
2023-01-10 20:27 | efdevse | Status | new => assigned |
2023-01-10 20:27 | efdevse | Assigned To | => burakkucat |
2023-01-10 20:35 | efdevse | Note Added: 0008894 | |
2023-01-11 04:33 | pperry | Status | assigned => acknowledged |
2023-01-11 04:35 | pperry | Note Added: 0008896 | |
2023-01-11 12:21 | burakkucat | Note Added: 0008899 | |
2023-01-12 11:23 | burakkucat | Status | acknowledged => resolved |
2023-01-12 11:23 | burakkucat | Resolution | open => fixed |
2023-01-12 11:23 | burakkucat | Note Added: 0008904 |