From 1f5dcdbf22e7d543fbab66ea1a872aef8582f2c4 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Mon, 7 Oct 2019 01:35:53 +0300
Subject: [PATCH] Fix kernel opts for booting in enforcing selinux mode

---
 kernel.spec | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index e33c740..141c442 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -4,7 +4,7 @@
 %define sublevel 4
 # Release number. Increase this before a rebuild.
-%define rpmrel 1
+%define rpmrel 2
 %define fullrpmrel %{rpmrel}
 %define rpmtag %{disttag}
@@ -706,10 +706,17 @@ sed -i 's/CONFIG_STACKPROTECTOR_STRONG=y/# CONFIG_STACKPROTECTOR_STRONG is not s
 sed -i 's/# CONFIG_DEBUG_INFO is not set/CONFIG_DEBUG_INFO=y\nCONFIG_DEBUG_INFO_DWARF4=y\nCONFIG_GDB_SCRIPTS=y/' .config
 %endif
-# Enable hardening features if requested.
 %if %{enhanced_security}
-sed -i 's/# CONFIG_PAX_MEMORY_SANITIZE is not set/CONFIG_PAX_MEMORY_SANITIZE=y/' .config
-sed -i 's/# CONFIG_PAGE_POISONING is not set/CONFIG_PAGE_POISONING=y\nCONFIG_PAGE_POISONING_NO_SANITY=y/' .config
+# seems to be needed to boot system in enforcing selinux mode
+# note: cpio fpormat of initramfs does not support xattrs without patches
+# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
+sed -i '/CONFIG_SECURITY_SELINUX_DISABLE/d' .config
+echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config
+# enable selinux in kernel by default if not disabled explicitly
+sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
+echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config
+sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE/d' .config
+echo CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 >> .config
 %endif
 # Store the config file in the appropriate directory.
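Review bot: `echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config` in the second hunk is a weakening option placed inside the `%if %{enhanced_security}` block under a comment that only says it "seems to be needed": that Kconfig symbol exposes the `/sys/fs/selinux/disable` node so root can switch SELinux off at runtime before policy load, and on kernel series where it selects `SECURITY_WRITABLE_HOOKS` it also keeps the LSM hook table writable after init instead of read-only (the exact series here is not visible beyond `sublevel 4`, so confirm against this tree's `security/selinux/Kconfig`). If the actual requirement is that `SELINUX=disabled` in `/etc/selinux/config` keeps working, the comment should state that and the trade-off, e.g. `# SELINUX_DISABLE lets init disable SELinux via /sys/fs/selinux/disable (needed for SELINUX=disabled in /etc/selinux/config); it also makes LSM hooks writable after init, so drop it if runtime disable is not required`; otherwise `selinux=0` on the kernel command line covers the disable case without that cost. A smaller point: `sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d'` is an unanchored substring match and also deletes the `_VALUE` line, which the final echo re-adds, so the result is correct but the third `sed` is effectively a no-op; anchoring as `/CONFIG_SECURITY_SELINUX_BOOTPARAM=/d` makes the intent explicit. The `%if`/`%endif` pair is complete within the hunk, but the surrounding config-editing section of the spec continues outside it.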