(In reply to Takashi Iwai from comment #7)
> If adding selinux wouldn't lead to a significant regression, we can update
> CONFIG_LSM on SLE15-SP6 as well. i.e.
> CONFIG_LSM="integrity,apparmor,selinux,bpf"

I spent some time reading the parsing code in ordered_lsm_parse(). Adding selinux after apparmor and before bpf will make it possible to boot a system where security=selinux has been passed to the kernel.

With selinux in the mentioned position in CONFIG_LSM, these outcomes are expected:

1. When security=apparmor is passed to the kernel, only apparmor will be enabled as it is the selected major LSM
2. When no security= argument is passed to the kernel, only apparmor will be enabled as it is the first exclusive LSM in the CONFIG_LSM option
3. When security=selinux is passed to the kernel, only selinux will be enabled as it is the selected major LSM

In the above 3 cases, the order of the LSMs will be determined by the CONFIG_LSM option.

It should be noted that the security= argument is a legacy approach and the lsm= argument should be the preferred way to specify the LSMs to enable as well as their ordering. On the other hand, the lsm= argument makes it possible for users to get it wrong and end up with a system that does not boot, e.g. passing lsm=bpf,selinux.
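The three security= outcomes listed in the comment above can be reproduced with a small user-space model; this is an added example, not part of the comment and not kernel code. The function name model_enabled and the per-LSM flag values in the table are assumptions of the model, and it covers only the security= path with CONFIG_LSM as the order (no lsm= handling, no fixed first/last slots).

```c
#include <stdio.h>
#include <string.h>

/* Model only: the two properties that decide the three cases. */
struct lsm { const char *name; int legacy_major; int exclusive; };

static const struct lsm built_in[] = {   /* flag values are assumptions */
    { "integrity", 0, 0 },
    { "apparmor",  1, 1 },
    { "selinux",   1, 1 },
    { "bpf",       0, 0 },
};

/* Writes the enabled LSMs (exclusive and non-exclusive), in CONFIG_LSM
 * order, into out. security may be NULL when no security= is passed. */
const char *model_enabled(const char *config_lsm, const char *security,
                          char *out, size_t outlen)
{
    char order[128];
    int have_exclusive = 0;

    out[0] = '\0';
    snprintf(order, sizeof(order), "%s", config_lsm);
    for (char *name = strtok(order, ","); name; name = strtok(NULL, ",")) {
        for (size_t i = 0; i < sizeof(built_in) / sizeof(built_in[0]); i++) {
            const struct lsm *l = &built_in[i];
            if (strcmp(l->name, name) != 0)
                continue;
            /* security= disables every other legacy major LSM. */
            if (security && l->legacy_major && strcmp(l->name, security) != 0)
                continue;
            /* Only the first exclusive LSM in the order is enabled. */
            if (l->exclusive && have_exclusive)
                continue;
            have_exclusive |= l->exclusive;
            if (out[0])
                strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, l->name, outlen - strlen(out) - 1);
        }
    }
    return out;
}

int main(void)
{
    const char *cfg = "integrity,apparmor,selinux,bpf";
    const char *args[] = { "apparmor", NULL, "selinux" };
    char buf[128];

    for (int i = 0; i < 3; i++)
        printf("security=%s -> %s\n", args[i] ? args[i] : "(none)",
               model_enabled(cfg, args[i], buf, sizeof(buf)));
    return 0;
}
```

On a running system, the active list can be compared against the model by reading /sys/kernel/security/lsm.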