On Thu, 2005-09-08 at 02:46 -0400, Xin Zhao wrote: > Sorry if this question is dumb. > > SELinux is included in 2.6. But I think it works by putting LSM hooks a lot > of place in Linux and then it can define its own policy enforcement codes. > > However, I cannot find hooks in kernel 2.6.9 and 2.6.11. How can > SELinux work with kernel 2.6 to protect system without hooks? > > Thanks in advance for your help!
The hooks are there, but possibly you are confused by the out-of-date documentation (e.g. Documentation/DocBook/lsm.tmpl still says to look for "security_ops->" in the core kernel for the hook calls, but they have long since been replaced with calls to static inline functions defined in include/linux/security.h). As an example, fs/namei.c:permission calls security_inode_permission, which is defined in include/linux/security.h and will invoke the corresponding hook if CONFIG_SECURITY=y. SELinux provides its implementations of the hook functions in security/selinux/hooks.c, e.g. selinux_inode_permission. Hence, you should be looking for calls to functions with the security_ prefix instead of explicit references to security_ops in the core kernel. Chris - feel free to rip out lsm.tmpl and replace it with something more up-to-date and complete. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
