Initialization and Exit

This section describes the initialization and exit code for the SELinux security module. The initialization code is in the selinux_plug_init function in the hooks.c file. The exit code is in the selinux_plug_exit function in the same file.

selinux_plug_init

This function starts by initializing the secondary security module to the original security module, typically the dummy module, to support stacking with the dummy or capabilities modules. This is discussed further in the Section called Stacking with Other Modules. It then calls the avc_init function to initialize the AVC. This initialization must be done prior to any permission checking calls to the AVC.

If SELinux is built as a separate module (not recommended), security_init is then called to initialize the security server and load the initial security policy configuration. If SELinux is built into the kernel, the root filesystem has not yet been mounted when selinux_plug_init runs, so the call to security_init is deferred to the post_mountroot hook in that case.

Next, the selinux_plug_init function inserts the sys_security_selinux function into the system call table in place of the LSM sys_security function. This is necessary to support the execve_secure system call, which requires access to the registers on the stack, as discussed in the Section called New System Calls. Finally, this function calls the LSM register_security function to register the SELinux security module as the primary security module for LSM.

selinux_plug_exit

This function starts by calling the LSM unregister_security function to unregister the SELinux security module. It then restores the entry in the system call table used for execve_secure. Finally, it frees all of the security data structures associated with kernel objects. However, at present, this function does not free the memory associated with the AVC or the security server. Since these two components were permanently resident in the kernel in the original SELinux prototype, they do not currently provide interfaces for freeing their memory. This would not be difficult to add, but has not been a high priority since currently the SELinux module is built into the kernel.