Comment # 15 on bug 1227282 from Jiri Wiesner
(In reply to Amrita Sakthivel from comment #14)
> Cathy, Jiri,
>
> Based on comment 13 (specifically "On the other hand, the lsm= argument makes
> it possible for users to get it wrong and end up with a system that does not
> boot, e.g. passing lsm=bpf,selinux."), I am a little confused.

I would say this proves my point.

> can you please confirm that I need to update to :
> lsm=selinux,bpf selinux=1

Yes, this is the needed change. It will work on the GA release of 15sp6 as well
as later updates. The order of the LSMs in the lsm= parameter matters.
lsm=selinux,bpf is right and will work, lsm=bpf,selinux will result in a system
that does not boot up. So, security=selinux would not work on the GA release of
15sp6 but it might work on later releases because I think we will change
CONFIG_LSM to "integrity,apparmor,selinux,bpf". lsm=selinux,bpf will work
always but there is a slight possibility of someone getting the order of the
LSMs wrong (because the person might think it does not matter).

I must admit I do not understand the exact reason why a system that is passed
lsm=bpf,selinux does not boot. I think it should be fixed along with changing
the documentation. The bpf and selinux LSMs are initialized very early in the
boot sequence and the root switch happens much later:
> [    0.217801] LSM: initializing lsm=lockdown,capability,bpf,selinux,integrity
> [    0.217801] LSM support for eBPF active
> [    0.217801] SELinux:  Initializing.
I suspect it's not the kernel causing this but I don't really know.
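The comment above states that the order of LSM names in lsm= matters and that lsm=selinux,bpf is the working form. As an added example (not from the bug report or from anyone in the thread), the POSIX sh functions below parse the lsm= value out of a kernel command line and check that selinux is listed before bpf, so the setting can be validated in a boot-config review or a post-boot audit before it is committed to the bootloader. The function names, the constructed command-line strings, and the reading of /proc/cmdline and /sys/kernel/security/lsm are the example's own choices; the check only encodes the ordering the comment states and says nothing about why the reverse order fails.

```shell
#!/bin/sh
# Added example, not from bug 1227282: validate the lsm= ordering on a kernel
# command line. Ordering rule taken from the comment: selinux must precede bpf.

# lsm_list CMDLINE -> prints the comma-separated value of the lsm= token,
# or nothing if the command line has no lsm= token at all.
lsm_list() {
    for tok in $1; do
        case "$tok" in
            lsm=*) printf '%s\n' "${tok#lsm=}" ;;
        esac
    done
}

# lsm_position LIST NAME -> prints the 1-based index of NAME in the
# comma-separated LIST, or 0 when NAME is absent.
lsm_position() {
    _i=0
    _found=0
    _old_ifs=$IFS
    IFS=,
    for name in $1; do
        _i=$((_i + 1))
        if [ "$name" = "$2" ]; then
            _found=$_i
            break
        fi
    done
    IFS=$_old_ifs
    echo "$_found"
}

# lsm_order_ok CMDLINE -> exit status 0 when selinux appears in lsm= and bpf is
# either absent or listed after selinux; 1 when selinux is missing or bpf comes
# first (the ordering the comment says does not boot); 2 when there is no lsm=
# token (the kernel's CONFIG_LSM default applies and nothing can be checked here).
lsm_order_ok() {
    list=$(lsm_list "$1")
    [ -n "$list" ] || return 2
    sel=$(lsm_position "$list" selinux)
    bpf=$(lsm_position "$list" bpf)
    [ "$sel" -gt 0 ] || return 1
    [ "$bpf" -eq 0 ] && return 0
    [ "$sel" -lt "$bpf" ]
}

# Stand-alone use: audit the running kernel. Both files are optional so the
# script also runs on hosts where they are unreadable.
if [ -r /proc/cmdline ]; then
    if lsm_order_ok "$(cat /proc/cmdline)"; then
        echo "lsm= order OK: $(lsm_list "$(cat /proc/cmdline)")"
    else
        echo "lsm= missing, or selinux is not listed before bpf"
    fi
fi
if [ -r /sys/kernel/security/lsm ]; then
    echo "LSMs active in this kernel: $(cat /sys/kernel/security/lsm)"
fi
```

The active list in /sys/kernel/security/lsm is the kernel's own view of what was initialized, so comparing it with the parsed lsm= value is the quickest way to confirm that the edited bootloader entry actually took effect after a reboot.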

