Initialization

This section describes the initialization code for the SELinux security module. SELinux initialization begins with the selinux_init function, which is registered as a security initcall and called early in the kernel initialization sequence. Certain aspects of SELinux initialization must be deferred until later in the kernel initialization sequence and are handled by ordinary initcalls, including selinux_nf_ip_init, sel_netif_init, selnl_init, and init_sel_fs. SELinux initialization is not fully completed until after the initial policy is loaded by /sbin/init, at which point the selinux_complete_init function is called. Each of these functions is described below.

selinux_init

This function, located in the hooks.c file, handles early initialization for the SELinux module. The function starts by setting the security state for the initial task. It then calls the avc_init function to initialize the AVC. This initialization must be done prior to any permission checking calls to the AVC. The function then sets the secondary security module to the original security module, typically the dummy module, to support stacking with the dummy or capabilities modules. This is discussed further in the Section called Stacking with Other Modules. Finally, this function calls the LSM register_security function to register the SELinux security module as the primary security module for LSM.

selinux_nf_ip_init

This function, also located in the hooks.c file, handles initialization of the SELinux NetFilter hooks used to apply permission checks on outgoing packets. This function calls the nf_register_hook function to register the SELinux post-routing hook functions with the Netfilter framework for ipv4 and ipv6. These hook functions are discussed further in the Section called IP Networking Hook Functions.

sel_netif_init

This function, located in the netif.c file, handles initialization of the SELinux network interface table that is used to look up the SIDs of network devices. This function begins by initializing the SELinux network interface hash table. It then registers a network device notifier so that it can flush entries for devices that are brought down. Finally, it also registers an AVC callback so that it can flush the entire table upon a policy reload.
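The two invalidation paths described above (per-device flush from the netdev notifier, full flush from the AVC callback) are what keep the cached SIDs from going stale. The following is an added example, not the kernel's netif.c: a small user-space model in which a fixed array stands in for the hash table, and the policy lookup, the policy generation counter, and the device indexes are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's netif.c: a model of the SELinux network
 * interface table. Device index -> SID entries are cached, a "netdev
 * notifier" drops the entry for a downed device, and an "AVC callback" on
 * policy reload drops the whole table. The policy lookup and all device
 * indexes are constructed stand-ins. */

#define NETIF_MAX 16

typedef uint32_t sid_t;

struct netif_entry {
    int ifindex;   /* network device index */
    sid_t sid;     /* SID cached for that device */
    int used;      /* slot occupied? */
};

struct netif_table {
    struct netif_entry slots[NETIF_MAX];  /* fixed array in place of the kernel hash table */
    unsigned lookups;  /* total netif_sid() calls */
    unsigned misses;   /* calls that had to consult "policy" */
};

/* Constructed stand-in for the security server: the policy generation is
 * folded into the SID so that a reload visibly changes the answer. */
static unsigned policy_generation = 1;

static sid_t policy_netif_sid(int ifindex)
{
    return (sid_t)(policy_generation * 1000u + (unsigned)ifindex);
}

static struct netif_entry *netif_find(struct netif_table *t, int ifindex)
{
    for (int i = 0; i < NETIF_MAX; i++)
        if (t->slots[i].used && t->slots[i].ifindex == ifindex)
            return &t->slots[i];
    return NULL;
}

/* Look up the SID of a device, caching the result on a miss. */
sid_t netif_sid(struct netif_table *t, int ifindex)
{
    struct netif_entry *e = netif_find(t, ifindex);
    t->lookups++;
    if (e)
        return e->sid;
    t->misses++;
    for (int i = 0; i < NETIF_MAX; i++) {
        if (!t->slots[i].used) {
            t->slots[i].used = 1;
            t->slots[i].ifindex = ifindex;
            t->slots[i].sid = policy_netif_sid(ifindex);
            return t->slots[i].sid;
        }
    }
    return policy_netif_sid(ifindex);  /* table full: answer without caching */
}

/* Netdev notifier: the device went down, so only its entry is flushed. */
void netif_device_down(struct netif_table *t, int ifindex)
{
    struct netif_entry *e = netif_find(t, ifindex);
    if (e)
        e->used = 0;
}

/* AVC callback on policy reload: every cached SID may now be stale. */
void netif_policy_reload(struct netif_table *t)
{
    memset(t->slots, 0, sizeof(t->slots));
    policy_generation++;
}

/* Number of cached entries. */
size_t netif_count(const struct netif_table *t)
{
    size_t n = 0;
    for (int i = 0; i < NETIF_MAX; i++)
        n += (size_t)t->slots[i].used;
    return n;
}

int main(void)
{
    struct netif_table t;
    memset(&t, 0, sizeof(t));
    printf("ifindex 2 sid %u\n", netif_sid(&t, 2));   /* miss: consults policy */
    printf("ifindex 2 sid %u\n", netif_sid(&t, 2));   /* hit */
    netif_device_down(&t, 2);                          /* entry for ifindex 2 dropped */
    printf("cached after down: %zu\n", netif_count(&t));
    netif_policy_reload(&t);
    printf("ifindex 2 sid after reload %u\n", netif_sid(&t, 2));
    return 0;
}
```

The point to take from the model is the asymmetry of the two flushes: a device going down only invalidates that device's entry, while a policy reload can change the SID of every device, so nothing cached before the reload can be trusted.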

selnl_init

This function, located in the netlink.c file, handles initialization of the kernel SELinux netlink socket used to send notifications of setenforce and policy load events to userspace. The function creates the netlink socket and sets it to allow non-root processes to receive notifications so that userspace object managers are not required to run as root.

init_sel_fs

This function, located in the selinuxfs.c file, handles initialization of the selinuxfs pseudo filesystem. It registers the selinuxfs filesystem type and creates a private kernel mount of selinuxfs. This results in a populated selinuxfs filesystem and sets up the special null device node used by SELinux when it closes unauthorized files upon a context-changing execve.

selinux_complete_init

This function, located in the hooks.c file, completes the initialization of SELinux after the initial policy has been loaded by /sbin/init. It traverses a list of superblocks that were initialized prior to the initial policy load and invokes the superblock_doinit function on each of them. The superblock_doinit function proceeds to set up the security structure for each of these superblocks. It also invokes the inode_doinit function to set up the security structure for any existing inodes associated with the superblock.
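The deferral described above matters because a superblock mounted before the initial policy load (the root filesystem, for instance) has no policy to label it against; if it were simply skipped, its inodes would remain unlabeled after policy load. The following is an added example, not the kernel's hooks.c: a user-space model of the pending list and its drain. The device names, inode numbers, and the SID assignment rules are constructed stand-ins, and the function names reuse the page's names only to show which step each one models.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's hooks.c: a model of the deferred
 * superblock labeling performed by selinux_complete_init. Superblocks
 * seen before the initial policy load cannot be labeled, so they are
 * queued; once policy is loaded the queue is drained and each superblock
 * and its existing inodes receive a SID. Device names, inode numbers and
 * the SID assignment rules are constructed stand-ins. */

typedef uint32_t sid_t;

struct inode {
    unsigned long ino;
    sid_t sid;              /* 0 = not yet labeled */
    struct inode *next;     /* next inode of the same superblock */
};

struct superblock {
    const char *dev;
    sid_t sid;              /* 0 = not yet labeled */
    int initialized;
    int queued;
    struct inode *inodes;
    struct superblock *next_pending;
};

static int policy_loaded;                 /* set by the initial policy load */
static struct superblock *pending_sbs;    /* superblocks seen before that load */

/* Constructed stand-in for filesystem labeling: a SID derived from the
 * device name, never 0 so that 0 can mean "unlabeled". */
static sid_t policy_sb_sid(const char *dev)
{
    sid_t h = 5381;
    for (; *dev; dev++)
        h = h * 33 + (unsigned char)*dev;
    return (h % 1000) + 1;
}

/* Label one inode from its superblock's SID (stand-in for inode_doinit). */
static void inode_doinit(struct superblock *sb, struct inode *in)
{
    in->sid = sb->sid * 10000 + (sid_t)(in->ino % 10000);
}

/* Label a superblock and its inodes, or queue it if policy is not loaded
 * yet. Returns 1 if labeled now, 0 if deferred. */
int superblock_doinit(struct superblock *sb)
{
    if (sb->initialized)
        return 1;
    if (!policy_loaded) {
        if (!sb->queued) {           /* never queue the same superblock twice */
            sb->next_pending = pending_sbs;
            pending_sbs = sb;
            sb->queued = 1;
        }
        return 0;
    }
    sb->sid = policy_sb_sid(sb->dev);
    for (struct inode *in = sb->inodes; in; in = in->next)
        inode_doinit(sb, in);
    sb->initialized = 1;
    return 1;
}

/* Called once the initial policy is in place: drain the pending list.
 * Returns the number of superblocks labeled. */
int selinux_complete_init(void)
{
    int done = 0;
    policy_loaded = 1;
    while (pending_sbs) {
        struct superblock *sb = pending_sbs;
        pending_sbs = sb->next_pending;
        sb->next_pending = NULL;
        sb->queued = 0;
        done += superblock_doinit(sb);
    }
    return done;
}

/* Number of superblocks still waiting for policy. */
int pending_count(void)
{
    int n = 0;
    for (struct superblock *sb = pending_sbs; sb; sb = sb->next_pending)
        n++;
    return n;
}

int main(void)
{
    struct inode i2 = {34, 0, NULL};
    struct inode i1 = {12, 0, &i2};
    struct superblock rootfs = {"sda1", 0, 0, 0, &i1, NULL};
    struct superblock proc = {"proc", 0, 0, 0, NULL, NULL};
    superblock_doinit(&rootfs);   /* before policy: deferred */
    superblock_doinit(&proc);
    printf("pending before policy load: %d\n", pending_count());
    printf("labeled by complete_init: %d\n", selinux_complete_init());
    printf("rootfs sid %u, inode 12 sid %u\n", rootfs.sid, i1.sid);
    return 0;
}
```

Two details of the model carry over to the real mechanism: superblock_doinit must be safe to call again on an already initialized superblock, and a superblock first seen after the policy load takes the immediate path and never touches the pending list.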