Cathy Hu changed bug 1227282

What:    Summary
Removed: [SELinux]: enabling SELinux for 15.6 does not work
Added:   [SELinux]: kernel params security=selinux selinux=1 appends selinux behind bpf, leading to broken system

What:    Assignee
Removed: cathy.hu@suse.com
Added:   kernel-bugs@suse.de

Comment # 2 on bug 1227282 from Cathy Hu
Reassigning to kernel people:

In Leap 15.6 kernel version 6.4.0-150600.23.7.3 (the current release), when I
set the kernel parameters in /etc/default/grub in GRUB_CMDLINE_LINUX_DEFAULT:

security=selinux selinux=1

this results in this error reported by Felix:
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c5

I think it is because it appends `selinux` like this:

/sys/kernel/security/lsm -> lockdown,capability,bpf,selinux

However, selinux should be loaded before bpf. When I overwrite the lsm list via
the `lsm=` parameter like this, it works and the system boots up:

lsm=selinux,bpf selinux=1

/sys/kernel/security/lsm -> lockdown,capability,selinux,bpf


In Tumbleweed (kernel-default-6.9.7-1.1), this seems to be fixed, so setting
security=selinux selinux=1 results in:
/sys/kernel/security/lsm -> lockdown,capability,landlock,yama,selinux,bpf,ima,evm


Can this be fixed on the kernel side? Please let me know if you need more info
or I am doing something really wrong :D Thanks!
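
A check for the ordering described in the comment above, as an added example that is not part of the original report or of any SUSE tooling. The function names (lsm_index, lsm_order_status, check_lsm) are hypothetical; the three lists are the ones quoted in the report, and with no argument check_lsm reads /sys/kernel/security/lsm on the running system.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any distribution tooling.

# lsm_index LIST NAME: print the 1-based position of NAME in the
# comma-separated LIST, or 0 if NAME is not in the list.
lsm_index() {
    list=$1 name=$2 i=0
    old_ifs=$IFS
    IFS=,
    for m in $list; do
        i=$((i + 1))
        if [ "$m" = "$name" ]; then
            IFS=$old_ifs
            echo "$i"
            return 0
        fi
    done
    IFS=$old_ifs
    echo 0
}

# lsm_order_status LIST: print one of
#   ok          selinux is active and precedes bpf (or bpf is not active)
#   misordered  selinux is listed after bpf (the layout from the failing boot)
#   no-selinux  selinux is not in the active list at all
lsm_order_status() {
    se=$(lsm_index "$1" selinux)
    bpf=$(lsm_index "$1" bpf)
    if [ "$se" -eq 0 ]; then
        echo no-selinux
    elif [ "$bpf" -ne 0 ] && [ "$se" -gt "$bpf" ]; then
        echo misordered
    else
        echo ok
    fi
}

# check_lsm [LIST]: report on LIST, or on the running kernel if omitted.
check_lsm() {
    if [ $# -gt 0 ]; then
        cur=$1
    else
        cur=$(cat /sys/kernel/security/lsm) || return 2
    fi
    printf '%s -> %s\n' "$cur" "$(lsm_order_status "$cur")"
}

# The three lists quoted in the report.
check_lsm lockdown,capability,bpf,selinux
check_lsm lockdown,capability,selinux,bpf
check_lsm lockdown,capability,landlock,yama,selinux,bpf,ima,evm
```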

