# [Solved]Cannot add kernel config entry with menuconfig

## houqp

Hi, all

I want to have this entry added to .config file:

```
CONFIG_IMA_LSM_RULES=y
```

But when I search "ima_lsm" in menuconfig, the search result only contain two lines:

```
Symbol: IMA_LSM_RULES [=n]

TYPE   : boolean
```

Thus I have no idea of where to find the location of this entry in the menu.Last edited by houqp on Wed Mar 16, 2011 4:57 pm; edited 1 time in total

----------

## houqp

I manually added CONFIG_IMA_LSM_RULES=y to .config file and run menuconfig. But when I search in menuconfig, I still got Symbol: IMA_LSM_RULES [=n].

----------

## Goverp

Using the search in "make xconfig" gives a bit more info - like where the config options are defined - but doesn't help much.

CONFIG_IMA is defined in "Security options", which is just after Kernel hacking; you need "Security options->Enable different security models" to see it.  However, that's not enough.

Google shows you also need CONFIG_AUDIT which is in "General setup".  Adding that still doesn't make CONFIG_IMA_LSM_RULES appear for me.  The Google entries say it's also dependent on either SELINUX or SMACK.  Those are alternatives in the "Security options" section, only they cannot be enabled on my gentoo-sources kernel.  Looking at the Gentoo kernel guide, you need hardened-sources to have that.

In summary, I think you're using gentoo-sources or vanilla-sources, but you need hardened-sources.  Then you can enable SELINUX or SMACK, and so forth as above.

----------

## houqp

Thanks Goverp! I should have googled it out by myself.  :Wink: 

Yes, I am using gentoo sources. I will try hardened source later!

----------

## houqp

 *Goverp wrote:*   

> Using the search in "make xconfig" gives a bit more info - like where the config options are defined - but doesn't help much.
> 
> In summary, I think you're using gentoo-sources or vanilla-sources, but you need hardened-sources.  Then you can enable SELINUX or SMACK, and so forth as above.

 

After switch to official kernel it is now set to "y".

Actually, the dependence can be found in /usr/src/linux/security/integrity/ima/Kconfig:

```
config IMA_LSM_RULES

        bool

        depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)

        default y

        help

          Disabling this option will disregard LSM based policy rules.
```

Thanks again for your help Goverp!

----------

