Reputation: 71
Can SELinux be loaded after another LSM Module?
I am building an LSM module, which should work with SELinux. It must be registered before SELinux to do the task it needs to do.
Does SELinux fail registration if it is not the first LSM Module to register?
Upvotes: 1
Views: 196
Answers (1)
Reputation: 681
EDIT I realise this is 5 years too late, and the LSM Framework is a moving target. This may not have been correct at the time you posted this, or maybe incorrect in the future
No. SELinux loads last in the module order
Selinux will stack along side any other non-legacy-major LSM(!SMACK SELinux or Apparmor)
Currently Yama is compiled into the kernel by default, which shortens the scope for ptrace operations, Yama is one of the first LSMs to load, yet currently works well with SELinux.
The LSM devs are working on away to remove the exclusivity of certain LSMs and are just about ready to make AppArmor ready for this change.
The end goal is to have the capability of an unlimited amount of LSMs compiled into the kernel, although some work needs to be done before this can be achieved
Upvotes: 2
Related Questions
- In the latest linux kernel is it possible to write a loadable Linux Security Module (LSM), which can be loaded and unloaded using insmod and rmmod?
- New linux kernels, no lsm using lkms, no kernel hooks now what?
- Best security practices in Linux
- Is SELinux still effective even when an attacker obtains the root shell?
- How to disable SELinux competely in android
- Why SELinux policy in /sepolicy and /sys/fs/selinux/policy do not match?
- Is it possible to connect SELinux policy with Android permissions?
- SElinux integrety check
- Selinux must need auditing support? Can audit2allow be used instead?
- Disabling SELinux in Android 5.0.1