This section describes the current support for stacking SELinux with
other security modules. LSM provides only minimal support for
stacking security modules, providing hooks for this purpose but
deferring the details of how stacking is handled to the primary
security module. At present, the SELinux security module only
functions as a primary security module and provides minimal support
for using either the dummy security module (traditional superuser
logic) or the capabilities security module as a secondary security
module. This allows SELinux to be combined with either the
traditional superuser logic or with the Linux capabilities logic.
SELinux also provides some support for stacking with the owlsm
security module, but only for options which do not require the use of
the LSM security fields (i.e. not CONFIG_OWLSM_FD
).
As mentioned in Section 7, the
selinux_plug_init
function initializes the
secondary security module to the dummy security module, which is
always resident in the kernel, prior to registering the SELinux
security module. This allows the SELinux hook functions to
safely call the secondary hook functions. The
selinux_register_security
hook function sets the
secondary security module to a different module, such as the
capabilities module. The
selinux_unregister_security
hook function
restores the secondary security module to the dummy security module.
The dummy, capabilities, and owlsm security modules only implement a very
small subset of the hook functions. Hence, at present, the SELinux
security module only calls the secondary security module for this
small set of hooks. Additionally, some of these hook functions are
implemented in terms of the capable
function, so
stacking the capable
hook is sufficient to cover
them as well. However, there would be no harm other than performance
in always calling the secondary security module. The SELinux hook
functions that call the secondary security module are:
selinux_ptrace
selinux_capget
selinux_capset_check
selinux_capset_set
selinux_capable
selinux_bprm_alloc_security
selinux_bprm_set_security
selinux_bprm_compute_creds
selinux_task_post_setuid
selinux_task_kmod_set_label
selinux_inode_link
selinux_inode_follow_link
The dummy and capabilities security modules are easy to stack with SELinux because they do not use the security fields LSM added to the kernel data structures. Stacking the SELinux module with any module that does use these fields will require the definition of a common security object header with a module identifier and a link for chaining multiple security objects on a single security field. This has not yet been a priority.