Recommended value in CONFIG_LSM option on SELinux system?

Casey Schaufler casey at schaufler-ca.com
Mon Feb 8 21:38:20 UTC 2021 

On 2/8/2021 12:35 PM, Nicolas Iooss wrote:
> Hello,
>
> Recently there was a bug in Arch Linux where SELinux was no longer
> enabled after booting [1], because the default kernel configuration
> changed recently [2]:
>
> -CONFIG_LSM="lockdown,yama"
> +CONFIG_LSM="lockdown,yama,bpf"

Neither of these settings will enable SELinux by default.

> By doing so, setting "security=selinux" on the kernel command line
> seemed to break the system, because reading /proc/$PID/attr/current
> resulted in "Invalid argument" errors.

Is this in addition to an "lsm=" specification on the command line?

> Replacing "security=selinux"
> with "lsm=selinux,lockdown,yama,bpf" fixed the issue and everything is
> now fine, but now I am wondering: how should CONFIG_LSM (and option
> "lsm" on the kernel command line) be set, on a system which is using
> SELinux?

CONFIG_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_LSM="lockdown,yama,selinux"

> Such information is lacking from the documentation [3] [4]. Therefore
> I took a look at Fedora [5] and RHEL [6]:
>
> * Fedora uses CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor",
> which was the default value until Linux 5.4 [7].
> * RHEL uses CONFIG_LSM="yama,integrity,selinux".
>
> It seems to be strange to have an "outdated" configuration value in
> the configuration file, but this could be fine if the new modules are
> not expected to be used without the kernel being booted with a
> "lsm=..." option.

Keeping the "outdated" configuration values is necessary for
compatibility. We never intended that specifying either of
security= or lsm= on the boot line be required. Because there
is no way to maintain the old behavior of security=selinux
while allowing security=lockdown,yama,selinux we had to introduce
lsm=. 

> But there is something that I did not understand: setting
> "lsm=selinux,lockdown,yama,bpf" worked, /sys/kernel/security/lsm
> showed "capability,selinux,lockdown,yama,bpf", but this violated what
> the documentation stated [3]:
> "A list of the active security modules can be found by reading
> /sys/kernel/security/lsm. This is a comma separated list, and will
> always include the capability module. The list reflects the order in
> which checks are made. The capability module will always be first,
> followed by any “minor” modules (e.g. Yama) and then the one “major”
> module (e.g. SELinux) if there is one configured."
>
> Is "lsm=selinux,lockdown,yama,bpf" really problematic?

The documentation is out of date regarding the "major" module
having to be last. That was true before the lsm= option was introduced.

>
> TL;DR: It would be very helpful if there were some clear guidelines
> which were documented in the kernel documentation about how to
> configure CONFIG_LSM on SELinux systems.

Thanks for the feedback. We are at a mid-point in the development of
module stacking. It's not too late to make things better based on your
experience.

>
> Thanks,
> Nicolas
>
> [1] https://github.com/archlinuxhardened/selinux/issues/81
> [2] https://github.com/archlinux/svntogit-packages/commit/69cb8c2d2884181e799e67b09d67fcf7944d8408
> [3] https://www.kernel.org/doc/html/v5.11-rc7/admin-guide/LSM/index.html
> [4] https://www.kernel.org/doc/html/v5.11-rc7/admin-guide/LSM/SELinux.html
> [5] https://src.fedoraproject.org/rpms/kernel/blob/dd9f5d552f96c5171a0f04170dbca7e74e8d13c7/f/kernel-x86_64-fedora.config#_3232
> [6] https://src.fedoraproject.org/rpms/kernel/blob/dd9f5d552f96c5171a0f04170dbca7e74e8d13c7/f/kernel-x86_64-rhel.config#_2834
> [7] commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=000d388ed3bbed745f366ce71b2bb7c2ee70f449
>

More information about the Linux-security-module-archive mailing list