Given that we have multiple LSM implementations (SELinux, SMACK, AppArmor, TOMOYO) and that only one can be used effectively at a time, it makes more sense to not enable and load all off them in to memory. By current design of non-modular LSMs, it becomes very difficult for a general purpose distribution like Debian to support all users with a single kernel flavor. It is also impractical to build linux-image-selinux , linux-image-apparmor, linux-image-tomoyo et cetera. Building all the features and setting default to False works but is regarded as inefficient and bloated. Can LSM be made modular ? Otherwise, can the image size be trimmed at runtime after determining the effective LSM in use ? BTW: Is it correct in the bugzilla reference ? It states Loadable Security Module.