https://bugzilla.suse.com/show_bug.cgi?id=1227282
https://bugzilla.suse.com/show_bug.cgi?id=1227282#c15

--- Comment #15 from Jiri Wiesner <jwiesner@suse.com> ---
(In reply to Amrita Sakthivel from comment #14)
> Cathy, Jiri,
> Based on comment 13 (specifically "On the other hand, the lsm= argument makes it possible for users to get it wrong and end up with a system that does not boot, e.g. passing lsm=bpf,selinux."), I am a little confused.

I would say this proves my point.

> Can you please confirm that I need to update to: lsm=selinux,bpf selinux=1

Yes, this is the needed change. It will work on the GA release of 15sp6 as well as later updates. The order of the LSMs in the lsm= parameter matters. lsm=selinux,bpf is right and will work, lsm=bpf,selinux will result in a system that does not boot up. So, security=selinux would not work on the GA release of 15sp6 but it might work on later releases because I think we will change CONFIG_LSM to "integrity,apparmor,selinux,bpf". lsm=selinux,bpf will work always but there is a slight possibility of someone getting the order of the LSMs wrong (because the person might think it does not matter). I must admit I do not understand the exact reason why a system that is passed lsm=bpf,selinux does not boot. I think it should be fixed along with changing the documentation. The bpf and selinux LSMs are initialized very early in the boot sequence and the root switch happens much later:

[ 0.217801] LSM: initializing lsm=lockdown,capability,bpf,selinux,integrity
[ 0.217801] LSM support for eBPF active
[ 0.217801] SELinux: Initializing.

I suspect it's not the kernel causing this but I don't really know.
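
A pre-reboot check for the ordering problem described in the comment above, as an added example that is not part of the original bug comment or of any SUSE tooling. The function name lsm_order_status and the sample command lines are hypothetical and constructed; the code assumes that when lsm= is given more than once, the last occurrence is the one the kernel uses.

```shell
# Classify the lsm= argument of a kernel command line passed as $1.
# Prints one of: ok | bpf-before-selinux | selinux-missing | no-lsm-param
# The body runs in a subshell, so the IFS and globbing changes stay local.
lsm_order_status() (
    set -f                              # no globbing while splitting words
    lsm_list=""
    for param in $1; do
        case "$param" in
            # Assumption: a later lsm= replaces an earlier one.
            lsm=*) lsm_list=${param#lsm=} ;;
        esac
    done
    if [ -z "$lsm_list" ]; then
        echo "no-lsm-param"
        exit 0
    fi
    pos=0; bpf_pos=0; selinux_pos=0
    IFS=,
    for name in $lsm_list; do
        pos=$((pos + 1))
        if [ "$name" = bpf ] && [ "$bpf_pos" -eq 0 ]; then bpf_pos=$pos; fi
        if [ "$name" = selinux ] && [ "$selinux_pos" -eq 0 ]; then selinux_pos=$pos; fi
    done
    if [ "$selinux_pos" -eq 0 ]; then
        echo "selinux-missing"
    elif [ "$bpf_pos" -ne 0 ] && [ "$bpf_pos" -lt "$selinux_pos" ]; then
        # The order the comment reports as resulting in a system that does not boot.
        echo "bpf-before-selinux"
    else
        echo "ok"
    fi
)

# Constructed sample command lines (not taken from a real system).
for sample in \
    "root=/dev/sda2 lsm=selinux,bpf selinux=1" \
    "root=/dev/sda2 lsm=bpf,selinux selinux=1" \
    "root=/dev/sda2 security=selinux selinux=1"; do
    printf '%s -> %s\n' "$sample" "$(lsm_order_status "$sample")"
done
```

To check the command line of the running system, call lsm_order_status "$(cat /proc/cmdline)"; for a pending change, pass the edited command line string before rebooting.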