Recommended value in CONFIG_LSM option on SELinux system?

Nicolas Iooss nicolas.iooss at m4x.org
Mon Feb 8 20:35:15 UTC 2021 

Hello,

Recently there was a bug in Arch Linux where SELinux was no longer
enabled after booting [1], because the default kernel configuration
changed recently [2]:

-CONFIG_LSM="lockdown,yama"
+CONFIG_LSM="lockdown,yama,bpf"

By doing so, setting "security=selinux" on the kernel command line
seemed to break the system, because reading /proc/$PID/attr/current
resulted in "Invalid argument" errors. Replacing "security=selinux"
with "lsm=selinux,lockdown,yama,bpf" fixed the issue and everything is
now fine, but now I am wondering: how should CONFIG_LSM (and option
"lsm" on the kernel command line) be set, on a system which is using
SELinux?

Such information is lacking from the documentation [3] [4]. Therefore
I took a look at Fedora [5] and RHEL [6]:

* Fedora uses CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor",
which was the default value until Linux 5.4 [7].
* RHEL uses CONFIG_LSM="yama,integrity,selinux".

It seems to be strange to have an "outdated" configuration value in
the configuration file, but this could be fine if the new modules are
not expected to be used without the kernel being booted with a
"lsm=..." option.

But there is something that I did not understand: setting
"lsm=selinux,lockdown,yama,bpf" worked, /sys/kernel/security/lsm
showed "capability,selinux,lockdown,yama,bpf", but this violated what
the documentation stated [3]:
"A list of the active security modules can be found by reading
/sys/kernel/security/lsm. This is a comma separated list, and will
always include the capability module. The list reflects the order in
which checks are made. The capability module will always be first,
followed by any “minor” modules (e.g. Yama) and then the one “major”
module (e.g. SELinux) if there is one configured."

Is "lsm=selinux,lockdown,yama,bpf" really problematic?

TL;DR: It would be very helpful if there were some clear guidelines
which were documented in the kernel documentation about how to
configure CONFIG_LSM on SELinux systems.

Thanks,
Nicolas

[1] https://github.com/archlinuxhardened/selinux/issues/81
[2] https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408
[3] https://www.kernel.org/doc/html/v5.11-rc7/admin-guide/LSM/index.html
[4] https://www.kernel.org/doc/html/v5.11-rc7/admin-guide/LSM/SELinux.html
[5] https://src.fedoraproject.org/rpms/kernel/blob/dd9f5d552f96c5171a0f04170dbca7e74e8d13c7/f/kernel-x86_64-fedora.config#_3232
[6] https://src.fedoraproject.org/rpms/kernel/blob/dd9f5d552f96c5171a0f04170dbca7e74e8d13c7/f/kernel-x86_64-rhel.config#_2834
[7] commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000d388ed3bbed745f366ce71b2bb7c2ee70f449

More information about the Linux-security-module-archive mailing list