This section describes the initialization and exit code for the SELinux security module. The initialization code is in the selinux_plug_init function in the hooks.c file. The exit code is in the selinux_plug_exit function in the same file.
The selinux_plug_init function starts by initializing the secondary security module to the original security module, typically the dummy module, to support stacking with the dummy or capabilities modules. This is discussed further in Section 8. It then calls the avc_init function to initialize the AVC. This initialization must be done prior to any permission checking calls to the AVC.
If SELinux is built as a separate module (not recommended), the security_init function is then called to initialize the security server and load the initial security policy configuration. If SELinux is built into the kernel, then the root filesystem has not been mounted yet when selinux_plug_init runs, so the call to security_init is deferred to the post_mountroot hook in that case.
Next, the selinux_plug_init function inserts the sys_security_selinux function into the system call table in place of the LSM sys_security function. This is necessary to support the execve_secure system call, which requires access to the registers on the stack, as discussed in Section 9. Finally, this function calls the LSM register_security function to register the SELinux security module as the primary security module for LSM.
The selinux_plug_exit function starts by calling the LSM unregister_security function to unregister the SELinux security module. It then restores the entry in the system call table used for execve_secure. Finally, it frees all of the security data structures associated with kernel objects. However, at present, this function does not free the memory associated with the AVC or the security server. Since these two components were permanently resident in the kernel in the original SELinux prototype, they do not currently provide interfaces for freeing their memory. This would not be difficult to add, but it has not been a high priority since the SELinux module is currently built into the kernel.