config: disable SELinux

CONFIG_LSM is a new option which can be used to enable SELinux. Base
Fedora config does that. When disabled at runtime only, SELinux-aware
kernel will refuse setting securit.selinux xattr, breaking multiple
tools, including initramfs generation (cp --preserve=xattr fails).

config-qubes

@@ -86,6 +86,7 @@ CONFIG_SECURITY_YAMA=y
 
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_LSM="yama,loadpin,safesetid,integrity"
 
 
 ################################################################################