Recommended value in CONFIG_LSM option on SELinux system?

Casey Schaufler
Mon Feb 8 21:38:20 UTC 2021

On 2/8/2021 12:35 PM, Nicolas Iooss wrote:
> Hello,
> Recently there was a bug in Arch Linux where SELinux was no longer
> enabled after booting [1], because the default kernel configuration
> changed recently [2]:
> -CONFIG_LSM="lockdown,yama"
> +CONFIG_LSM="lockdown,yama,bpf"

Neither of these settings will enable SELinux by default.

> By doing so, setting "security=selinux" on the kernel command line
> seemed to break the system, because reading /proc/$PID/attr/current
> resulted in "Invalid argument" errors.

Is this in addition to an "lsm=" specification on the command line?

> Replacing "security=selinux"
> with "lsm=selinux,lockdown,yama,bpf" fixed the issue and everything is
> now fine, but now I am wondering: how should CONFIG_LSM (and option
> "lsm" on the kernel command line) be set, on a system which is using
> SELinux?


> Such information is lacking from the documentation [3] [4]. Therefore
> I took a look at Fedora [5] and RHEL [6]:
> * Fedora uses CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor",
> which was the default value until Linux 5.4 [7].
> * RHEL uses CONFIG_LSM="yama,integrity,selinux".
> It seems to be strange to have an "outdated" configuration value in
> the configuration file, but this could be fine if the new modules are
> not expected to be used without the kernel being booted with a
> "lsm=..." option.

Keeping the "outdated" configuration values is necessary for
compatibility. We never intended that specifying either of
security= or lsm= on the boot line be required. Because there
is no way to maintain the old behavior of security=selinux
while allowing security=lockdown,yama,selinux we had to introduce

> But there is something that I did not understand: setting
> "lsm=selinux,lockdown,yama,bpf" worked, /sys/kernel/security/lsm
> showed "capability,selinux,lockdown,yama,bpf", but this violated what
> the documentation stated [3]:
> "A list of the active security modules can be found by reading
> /sys/kernel/security/lsm. This is a comma separated list, and will
> always include the capability module. The list reflects the order in
> which checks are made. The capability module will always be first,
> followed by any “minor” modules (e.g. Yama) and then the one “major”
> module (e.g. SELinux) if there is one configured."
> Is "lsm=selinux,lockdown,yama,bpf" really problematic?

The documentation is out of date regarding the "major" module
having to be last. That was true before the lsm= option was introduced.

> TL;DR: It would be very helpful if there were some clear guidelines
> which were documented in the kernel documentation about how to
> configure CONFIG_LSM on SELinux systems.

Thanks for the feedback. We are at a mid-point in the development of
module stacking. It's not too late to make things better based on your

> Thanks,
> Nicolas
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
> [7] commit
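Added example, not part of the thread and not kernel code: a small POSIX shell model of how the kernel assembles its ordered LSM list from CONFIG_LSM and the "lsm=" boot parameter, used to check whether SELinux ends up in that list for a given configuration. It encodes only what is documented on this page and in kernel-parameters.txt: "lsm=" overrides CONFIG_LSM (and "security="), and "capability" is always first. It assumes every named module is compiled into the kernel (the real kernel drops names that are not built in) and deliberately does not model what "security=" does to the list; it only reports when a setup relies on "security=selinux" alone, which is the Arch case from the thread. The sample CONFIG_LSM values and command lines are constructed from the ones quoted above.

```shell
#!/bin/sh
# Model of the kernel's ordered LSM list (illustrative, not kernel code).

# Print the value of key=value on a kernel command line ("" if absent);
# the last occurrence wins, as it does for most kernel parameters.
cmdline_param() {
    key=$1; cmdline=$2; val=""
    for word in $cmdline; do
        case $word in
            "$key"=*) val=${word#*=} ;;
        esac
    done
    printf '%s' "$val"
}

# Effective ordered list: "lsm=" replaces CONFIG_LSM entirely; "capability"
# is always first and never duplicated.  Assumption: all listed modules are
# built in (a real kernel silently drops ones that are not).
effective_lsm_order() {
    config_lsm=$1; cmdline=$2
    order=$(cmdline_param lsm "$cmdline")
    [ -n "$order" ] || order=$config_lsm
    old_ifs=$IFS; IFS=,
    set -- $order            # split the comma list into positional params
    IFS=$old_ifs
    out="capability"
    for m in "$@"; do
        [ -n "$m" ] || continue
        case ",$out," in
            *",$m,"*) ;;     # already present (e.g. a user-listed capability)
            *) out="$out,$m" ;;
        esac
    done
    printf '%s' "$out"
}

# Return 0 if module $1 appears in comma-separated list $2.
lsm_active() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Print a verdict for SELinux; return 0 only if it is in the ordered list.
selinux_boot_check() {
    list=$(effective_lsm_order "$1" "$2")
    if lsm_active selinux "$list"; then
        printf 'ok: %s\n' "$list"
        return 0
    fi
    if [ "$(cmdline_param security "$2")" = selinux ]; then
        printf 'warn: selinux named by neither CONFIG_LSM nor lsm=; relies on security=selinux alone (%s)\n' "$list"
    else
        printf 'warn: selinux not in ordered list (%s)\n' "$list"
    fi
    return 1
}

# Constructed inputs mirroring the thread: Arch's new CONFIG_LSM with the
# two command lines that were compared.
ARCH_CONFIG_LSM="lockdown,yama,bpf"
for cl in "root=/dev/sda1 security=selinux" \
          "root=/dev/sda1 lsm=selinux,lockdown,yama,bpf"; do
    selinux_boot_check "$ARCH_CONFIG_LSM" "$cl" || :
done

# On a live system, compare the model's output with what the kernel built:
#   cat /sys/kernel/security/lsm
```

The second constructed command line yields "capability,selinux,lockdown,yama,bpf", the same list the thread reports from /sys/kernel/security/lsm, with selinux before the minor modules; the first yields "capability,lockdown,yama,bpf" with only a warning, because the model does not try to reproduce the "security=" behaviour that the reply above says is still being sorted out.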
