Fabian,

On Fri, May 20, 2016 at 9:30 PM, Fabian Arrotin <arrfab at centos.org> wrote:
> WRT selinux, you've probably seen that there isn't even an upstream
> kernel from rpi supporting selinux. With some efforts, we were able to
> add the required config (and so the kernel that we build/ship supports
> selinux) but then it conflicts with the default el7 policy (the way that
> specific kernel is allocating memory).

If I understand it correctly, it has nothing to do with the SELinux LSM, but with a misconfiguration of the kernel source. The only issue that prevents SELinux from being enforced on the image we have is that binaries are trying to do mmap_zero() calls, and this goes against the SELinux default policy. The most likely cause for this is a misconfiguration of LSM_MMAP_MIN_ADDR -- most likely it is (mis)configured to be 64K instead of 32K (see: http://cateee.net/lkddb/web-lkddb/LSM_MMAP_MIN_ADDR.html).

> That's the reason why the current rpi3 has selinux in permissive mode.

No, the reason is most likely that people are blindly building kernels from the same source tree without verifying whether the configuration suits the target system, in my opinion.

Anyway, I'm going to build a kernel that matches the hardware and we will see whether it helps. For your builds, however, I'd suggest adjusting LSM_MMAP_MIN_ADDR to 32768 or even lower, like 16384. This will likely allow your build to run in enforcing mode with the default CentOS 7 targeted policy.

P.S. Will update once my Pi3 is running in the enforcing mode of SELinux.

-- 
(GM)
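As an added example (not part of this thread or of the CentOS kernel build), the two checks the message implies: read CONFIG_LSM_MMAP_MIN_ADDR out of a kernel config and compare it with the suggested 32768 ceiling, and count mmap_zero AVC denials in an audit log. The threshold, file paths and sample config/log contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a kernel config's LSM_MMAP_MIN_ADDR and count
# mmap_zero AVC denials. Sample inputs below are constructed, not captures.
MAX_OK=32768   # value suggested in the message above (assumption)

# Print CONFIG_LSM_MMAP_MIN_ADDR from a kernel config file and succeed only
# if it is at or below MAX_OK. On a live box you would pass
# /boot/config-$(uname -r) or the output of zcat /proc/config.gz.
check_mmap_min_addr() {
    val=$(sed -n 's/^CONFIG_LSM_MMAP_MIN_ADDR=//p' "$1" | head -n 1)
    if [ -z "$val" ]; then
        echo "CONFIG_LSM_MMAP_MIN_ADDR not set in $1" >&2
        return 2
    fi
    echo "$val"
    [ "$val" -le "$MAX_OK" ]
}

# Count AVC records denying mmap_zero (tclass memprotect) in an audit log
# such as /var/log/audit/audit.log; these are the symptom described above.
count_mmap_zero_denials() {
    grep -c 'avc:  denied  { mmap_zero }' "$1" || true
}

# Constructed sample inputs: one config at 64K, one at 32K, and a log with
# two mmap_zero denials plus one unrelated file denial.
CFG_BAD=$(mktemp); CFG_OK=$(mktemp); AUDIT_LOG=$(mktemp)
printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_LSM_MMAP_MIN_ADDR=65536\n' > "$CFG_BAD"
printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_LSM_MMAP_MIN_ADDR=32768\n' > "$CFG_OK"
cat > "$AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1463770000.101:201): avc:  denied  { mmap_zero } for  pid=412 comm="Xorg" scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:system_r:xserver_t:s0 tclass=memprotect permissive=1
type=AVC msg=audit(1463770000.102:202): avc:  denied  { mmap_zero } for  pid=980 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:system_r:svirt_t:s0 tclass=memprotect permissive=1
type=AVC msg=audit(1463770000.103:203): avc:  denied  { read } for  pid=77 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF

for cfg in "$CFG_BAD" "$CFG_OK"; do
    if v=$(check_mmap_min_addr "$cfg"); then
        echo "$cfg: LSM_MMAP_MIN_ADDR=$v fits the el7 targeted policy"
    else
        echo "$cfg: LSM_MMAP_MIN_ADDR=$v is too high; expect mmap_zero denials"
    fi
done
echo "mmap_zero denials in log: $(count_mmap_zero_denials "$AUDIT_LOG")"
```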