This section describes the initialization code for the SELinux security module.
SELinux initialization begins with the selinux_init function, which is
registered as a security initcall and called early in the kernel initialization
sequence. Certain aspects of SELinux initialization must be deferred until later
in the kernel initialization sequence and are handled by ordinary initcalls,
including selinux_nf_ip_init, sel_netif_init, selnl_init, and init_sel_fs.
SELinux initialization is not fully completed until after the initial policy is
loaded by /sbin/init, at which point the selinux_complete_init function is
called. Each of these functions is described below.
The selinux_init function, located in the hooks.c file, handles early
initialization for the SELinux module. The function starts by setting the
security state for the initial task. It then calls the avc_init function to
initialize the AVC; this must be done before any permission-checking calls
reach the AVC. The function then sets the secondary security module to the
original security module, typically the dummy module, to support stacking with
the dummy or capabilities modules. This is discussed further in the Section
called Stacking with Other Modules. Finally, this function calls the LSM
register_security function to register the SELinux security module as the
primary security module for LSM.
The selinux_nf_ip_init function, also located in the hooks.c file, handles
initialization of the SELinux Netfilter hooks used to apply permission checks
on outgoing packets. This function calls the nf_register_hook function to
register the SELinux post-routing hook functions with the Netfilter framework
for IPv4 and IPv6. These hook functions are discussed further in the Section
called IP Networking Hook Functions.
The sel_netif_init function, located in the netif.h file, handles initialization of the SELinux network interface table that is used to look up the SIDs of network devices. This function begins by initializing the SELinux network interface hash table. It then registers a network device notifier so that it can flush entries for devices that are brought down. Finally, it also registers an AVC callback so that it can flush the entire table upon a policy reload.
The selnl_init function, located in the netlink.c file, handles initialization of the kernel SELinux netlink socket used to send notifications of setenforce and policy load events to userspace. The function creates the netlink socket and sets it to allow non-root processes to receive notifications, so that userspace object managers are not required to run as root.
The init_sel_fs function, located in the selinuxfs.c file, handles initialization of the selinuxfs pseudo filesystem. It registers the selinuxfs filesystem type and creates a private kernel mount of selinuxfs. This results in a populated selinuxfs filesystem and sets up the special null device node used by SELinux when it closes unauthorized files upon a context-changing execve.
The selinux_complete_init function, located in the hooks.c file, completes the
initialization of SELinux after the initial policy has been loaded by
/sbin/init. It traverses a list of superblocks that were initialized prior to
the initial policy load and invokes the superblock_doinit function on each of
them. The superblock_doinit function proceeds to set up the security structure
for each of these superblocks. It also invokes the inode_doinit function to set
up the security structure for any existing inodes associated with the
superblock.
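The deferral described above, in which superblocks mounted before the initial policy load are queued and labeled only once selinux_complete_init runs, can be seen in miniature in the following C model. This is an added illustration written for this page, not code from hooks.c: the superblock and inode structures, the fixed-size deferred list, the SID values and the model_reset and pending_superblocks helpers are all constructed here, and the labeling itself is reduced to assigning a placeholder SID where the kernel would consult the loaded policy.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_INODES 8
#define MAX_DEFERRED 8

/* Constructed SID values for the model; real SIDs come from the policy. */
#define SID_UNLABELED 0
#define SID_FILE 1

struct inode_sec {
    int sid;
    bool initialized;
};

struct superblock {
    const char *name;
    bool sec_initialized;                /* superblock security structure set up */
    int ninodes;
    struct inode_sec inodes[MAX_INODES]; /* inodes that already exist on this fs */
};

/* Global model state: whether the initial policy is loaded, and the list of
 * superblocks whose labeling had to wait for it. */
static bool policy_loaded;
static struct superblock *deferred[MAX_DEFERRED];
static int ndeferred;

void model_reset(void)
{
    policy_loaded = false;
    ndeferred = 0;
}

int pending_superblocks(void)
{
    return ndeferred;
}

/* Labels one existing inode. The kernel derives the SID from the loaded
 * policy; the model assigns a placeholder. */
static void inode_doinit(struct inode_sec *isec)
{
    isec->sid = SID_FILE;
    isec->initialized = true;
}

/* Returns true if the superblock was labeled now, false if it was queued
 * because no policy is loaded yet (or the queue is full, in this model). */
bool superblock_doinit(struct superblock *sb)
{
    if (!policy_loaded) {
        if (ndeferred < MAX_DEFERRED)
            deferred[ndeferred++] = sb;
        return false;
    }
    sb->sec_initialized = true;
    for (int i = 0; i < sb->ninodes; i++)
        inode_doinit(&sb->inodes[i]);
    return true;
}

/* Called once the initial policy is loaded. Walks the deferred list and
 * completes each superblock; returns how many were completed. */
int selinux_complete_init(void)
{
    int n = ndeferred;
    policy_loaded = true;
    ndeferred = 0;
    for (int i = 0; i < n; i++)
        superblock_doinit(deferred[i]);
    return n;
}

int main(void)
{
    struct superblock root = { "rootfs", false, 2,
        { { SID_UNLABELED, false }, { SID_UNLABELED, false } } };

    model_reset();
    superblock_doinit(&root);            /* mounted before policy load: deferred */
    printf("before policy: %s labeled=%d pending=%d\n",
           root.name, root.sec_initialized, pending_superblocks());

    int done = selinux_complete_init();  /* policy loaded by /sbin/init */
    printf("after policy: completed=%d %s labeled=%d inode0 sid=%d\n",
           done, root.name, root.sec_initialized, root.inodes[0].sid);
    return 0;
}
```

Mounting a filesystem after selinux_complete_init has run takes the immediate path in superblock_doinit, so only filesystems that existed before the first policy load ever pass through the deferred list.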