All,

On Sat, May 21, 2016 at 3:05 PM, (GalaxyMaster) <gm.outside+arm-dev at gmail.com> wrote:
> If I understand it correctly, it has nothing to do with SELinux LSM,
> but a misconfiguration of the kernel source. [...]
[skipped]
>[...] Anyway, I'm going to build a
> kernel that matches the hardware and we will see whether it would
> help. For your builds, however, I'd suggest to adjust
> LSM_MMAP_MIN_ADDR to 32768 or even lower, like 16384. This will
> likely make your build be able to run in the enforcing mode with the
> default CentOS 7 targeted policy.
>
> P.S. Will update once my Pi3 is running in the enforced mode of SELinux.

Confirmed, a kernel rebuilt with LSM_MMAP_MIN_ADDR set to 32768 works
with the default targeted SELinux policy with no issues:
===
Last login: Sat May 21 07:42:30 2016 from home.fritz.box
[root at centos-rpi3 ~]# uname -a
Linux centos-rpi3 4.1.19-v7 #1 SMP Sat May 21 07:09:33 UTC 2016 armv7l armv7l armv7l GNU/Linux
[root at centos-rpi3 ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
[root at centos-rpi3 ~]# audit2why -b
<no matches>
[root at centos-rpi3 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
[root at centos-rpi3 ~]#
===

I'm not going to dump the output of semodule -l, but trust me, there are
no custom modules. My goal is to bring this image as close to the
official CentOS7 as possible.

Now, a question: why did we deviate from CentOS7's default kernel (which
at this particular moment is 3.10.0-327.18.2.el7)? If the project is to
port CentOS7 to Pi3, I'd suggest to keep in line with the upstream since
there may be incompatible changes in the interface (e.g. I recall there
was one such change in 3.* series which broke strace and other binutils
tools).

-- (GM)
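
A pre-build check for the setting discussed in this message, as an added example that is not part of the original post: it reads CONFIG_LSM_MMAP_MIN_ADDR from a kernel config file and flags values above the 32768 that was confirmed to work here. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# SELinux asks for the mmap_zero permission on any mapping below
# CONFIG_LSM_MMAP_MIN_ADDR, so a value above the address where ARM
# binaries are mapped leads to denials under the targeted policy.

# Print the value of a CONFIG_* key from a kernel config file (empty if absent).
cfg_value() {
    # $1 = key, $2 = config file; the last assignment wins, as in Kconfig
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Classify a kernel config against a limit (default 32768, from the message).
# Prints ok:<n>, too-high:<n>, unset or unreadable; returns 0, 1, 2 or 3.
check_lsm_mmap_min_addr() {
    cfg=$1
    limit=${2:-32768}
    [ -r "$cfg" ] || { echo "unreadable"; return 3; }
    val=$(cfg_value CONFIG_LSM_MMAP_MIN_ADDR "$cfg")
    case $val in
        ''|*[!0-9]*) echo "unset"; return 2 ;;   # key missing or not an integer
    esac
    if [ "$val" -gt "$limit" ]; then
        echo "too-high:$val"
        return 1
    fi
    echo "ok:$val"
}

# Demo on a constructed config fragment (not taken from a real build).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_ARM=y
CONFIG_SECURITY_SELINUX=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
EOF
echo "sample config: $(check_lsm_mmap_min_addr "$sample_cfg" || true)"
rm -f "$sample_cfg"
```

Point it at the .config of the kernel tree before building, e.g. check_lsm_mmap_min_addr .config, and treat a non-zero exit status as a reason to adjust the option.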