Hi,

As some of you might know, the question of enabling SELinux support in the official Arch Linux kernel package has been brought up a number of times. The main issue that has been pointed out the previous time was that enabling SELinux depends on CONFIG_AUDIT which is considered unnecessary or even harmful for most desktop users since it generates a flood of kernel log messages. Citing Thomas Bächler's previous post (in 2014) on the matter [1]:
And here is my problem: Audit is enabled by default and must be explicitly disabled by the admin. This is a showstopper for me! There is no kernel option to configure audit to be disabled by default (as far as I am aware) so that it can be enabled with 'audit=1' on the command line.
Actually, I think there is a perfectly valid and simple way to disable audit by default: By using the built-in kernel command line. This makes it possible to specify a number of kernel parameters at build time that the kernel prepends to the usual command line it gets from the bootloader. By specifying

    CONFIG_CMDLINE_BOOL=y
    CONFIG_CMDLINE="audit=0"

in the configuration [2], the audit subsystem is disabled by default, but users intending to use it can do so by manually setting audit=1 on the bootloader's command line. That in turn would override the audit=0 specified on the built-in command line.

I would be glad if Arch Linux's official kernel could support SELinux again this way!

Thanks for your comments,
Tobias

[1] https://lists.archlinux.org/pipermail/arch-general/2014-March/035679.html
[2] For menuconfig, look at the very end under "Processor type and features"
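
Added example, not part of the original post: a small checker that takes a kernel .config and a bootloader command line and reports which audit= value takes effect when the built-in command line is prepended as described above. The function names, the sample config and the bootloader strings are constructed for illustration; CONFIG_CMDLINE_OVERRIDE is an x86 option the post does not mention, included because it changes the outcome.

```python
import re

# Constructed sample of the relevant .config lines (not taken from a real package).
SAMPLE_CONFIG = """\
CONFIG_AUDIT=y
CONFIG_SECURITY_SELINUX=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="audit=0"
# CONFIG_CMDLINE_OVERRIDE is not set
"""

def parse_kconfig(text):
    """Return {symbol: value} for every CONFIG_ symbol that is set."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line.strip())
        if m:  # "# CONFIG_X is not set" lines do not match and are skipped
            cfg[m.group(1)] = m.group(2).strip().strip('"')
    return cfg

def effective_cmdline(cfg, bootloader_cmdline):
    """Combine built-in and bootloader command lines the way x86 does."""
    if cfg.get("CONFIG_CMDLINE_BOOL") != "y":
        return bootloader_cmdline
    builtin = cfg.get("CONFIG_CMDLINE", "")
    if cfg.get("CONFIG_CMDLINE_OVERRIDE") == "y":
        return builtin  # bootloader arguments are ignored entirely
    return (builtin + " " + bootloader_cmdline).strip()  # built-in comes first

def effective_audit(cfg, bootloader_cmdline):
    """Return the audit= value that wins, or None if none is given."""
    value = None
    for tok in effective_cmdline(cfg, bootloader_cmdline).split():
        if tok == "--":  # everything after "--" is passed to init
            break
        if tok.startswith("audit="):
            value = tok.split("=", 1)[1]  # a later occurrence replaces an earlier one
    return value

if __name__ == "__main__":
    cfg = parse_kconfig(SAMPLE_CONFIG)
    # Constructed bootloader command lines.
    for boot in ("root=/dev/sda1 rw quiet", "root=/dev/sda1 rw audit=1"):
        print(f"{boot!r}: audit={effective_audit(cfg, boot)}")
```

With CONFIG_CMDLINE_OVERRIDE=y the bootloader's audit=1 would have no effect, so a package using this approach needs that option left unset for the opt-in to work.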