Project 11: SELinux Kernel Module Inspector

A kernel module or tracing tool that inspects SELinux internals at runtime: watching LSM hooks fire, examining the AVC cache contents, tracing policy decisions, and visualizing the security server’s decision process.

Quick Reference

Attribute              Value
---------------------  ------------------------------------------------------------
Primary Language       C
Alternative Languages  Rust (with kernel bindings)
Difficulty             Level 5: Master
Time Estimate          1-2 months
Knowledge Area         Linux Kernel / LSM Framework
Tooling                Linux kernel source, debugfs, ftrace, kprobes, bpftrace
Prerequisites          All previous projects, C programming, kernel development basics

What You Will Build

A loadable kernel module (or an ftrace/bpftrace-based tool) that watches SELinux from the inside while the system runs: which LSM hooks fire and with what subject and object contexts, what the AVC holds and how often it hits, misses and reclaims, and what the security server answers on a cache miss, all exposed as readable files under debugfs. Two constraints shape the design. An LSM cannot be registered by a module (LSMs are built in and registered at boot), so the inspector attaches to the existing SELinux code with kprobes/kretprobes or tracepoints instead of installing hooks of its own. And SELinux exports no symbols to modules, so the inspector cannot simply call avc.c or the security server; it observes them.

Why It Matters

Every permission check on a running SELinux system goes through the same path: an LSM hook, an AVC lookup, and, on a miss, the security server. Being able to watch that path live is what answers "why was this denied?" when the audit log is incomplete (dontaudit rules, lost events, permissive domains), shows how much work the AVC is actually saving, and tells you where a policy change or a new hook takes effect. The kprobe and tracepoint techniques used here transfer directly to inspecting any other kernel subsystem.

Core Challenges

  • Understanding the LSM framework → maps to kernel security architecture
  • Tracing SELinux hook invocations → maps to where access control happens
  • Inspecting AVC cache entries → maps to performance optimization
  • Understanding the security server → maps to policy enforcement engine

Key Concepts

  • LSM Framework: Documentation/security/lsm.rst and security/security.c in the kernel source
  • SELinux AVC: security/selinux/avc.c in kernel source (avc_has_perm, avc_lookup, avc_insert, avc_reclaim_node); counters in /sys/fs/selinux/avc/
  • Security Server: security/selinux/ss/ in kernel source (security_compute_av in services.c)
  • Kernel Tracing: ftrace, bpftrace, kprobes/kretprobes, the avc:selinux_audited tracepoint (Linux 5.10 and later)
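The counters the inspector reports (lookups, misses, allocations, reclaims, frees) only mean something if you know the data structure behind them. The following is an added example, not code from this page or from the kernel: a user-space model of the lookup/insert/reclaim path in security/selinux/avc.c. The bucket count, reclaim batch size, default threshold and hash function mirror the kernel; the SIDs (1 = httpd_t, 2 = httpd_sys_content_t, class 6 = file) and the two-rule "policy" standing in for security_compute_av() are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define AVC_CACHE_SLOTS     512   /* kernel: hash buckets in avc.c */
#define AVC_CACHE_THRESHOLD 512   /* kernel: default avc_cache_threshold */
#define AVC_CACHE_RECLAIM   16    /* kernel: nodes freed per reclaim pass */

struct av_decision { uint32_t allowed; uint32_t seqno; };

struct avc_node {
    uint32_t ssid, tsid;
    uint16_t tclass;
    struct av_decision avd;
    struct avc_node *next;
};

struct avc_stats { unsigned lookups, misses, allocations, reclaims, frees; };

struct avc {
    struct avc_node *slots[AVC_CACHE_SLOTS];
    unsigned active_nodes;   /* kernel: avc_cache.active_nodes */
    unsigned lru_hint;       /* kernel: avc_cache.lru_hint, where reclaim starts */
    struct avc_stats st;
};

/* Same bucket function as the kernel's avc_hash(). */
static unsigned avc_hash(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    return (ssid ^ (tsid << 2) ^ (tclass << 4)) & (AVC_CACHE_SLOTS - 1);
}

/* Stand-in for security_compute_av(): constructed rule table (hypothetical SIDs). */
static uint32_t compute_av(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    if (ssid == 1 && tsid == 2 && tclass == 6)
        return 0x1 | 0x2;               /* file { read open } */
    return 0;                           /* no rule: nothing allowed */
}

/* Mirrors avc_lookup(): every call is a lookup, a failed search is a miss. */
static struct avc_node *avc_lookup(struct avc *avc, uint32_t ssid, uint32_t tsid,
                                   uint16_t tclass)
{
    avc->st.lookups++;
    for (struct avc_node *n = avc->slots[avc_hash(ssid, tsid, tclass)]; n; n = n->next)
        if (n->ssid == ssid && n->tsid == tsid && n->tclass == tclass)
            return n;
    avc->st.misses++;
    return NULL;
}

/* Mirrors avc_reclaim_node(): walk buckets from lru_hint, freeing nodes until
 * AVC_CACHE_RECLAIM are gone. Each freed node counts as a reclaim and a free. */
static void avc_reclaim_node(struct avc *avc)
{
    unsigned ecount = 0;
    for (unsigned attempt = 0; attempt < AVC_CACHE_SLOTS && ecount < AVC_CACHE_RECLAIM; attempt++) {
        unsigned h = avc->lru_hint = (avc->lru_hint + 1) & (AVC_CACHE_SLOTS - 1);
        while (avc->slots[h] && ecount < AVC_CACHE_RECLAIM) {
            struct avc_node *n = avc->slots[h];
            avc->slots[h] = n->next;
            free(n);
            avc->active_nodes--;
            avc->st.reclaims++;
            avc->st.frees++;
            ecount++;
        }
    }
}

/* Mirrors avc_alloc_node() + avc_insert(): the allocation that pushes the node
 * count past the threshold runs a reclaim pass before the node is added. */
static struct avc_node *avc_insert(struct avc *avc, uint32_t ssid, uint32_t tsid,
                                   uint16_t tclass, struct av_decision avd)
{
    if (++avc->active_nodes > AVC_CACHE_THRESHOLD)
        avc_reclaim_node(avc);
    struct avc_node *n = calloc(1, sizeof *n);
    if (!n) { avc->active_nodes--; return NULL; }
    avc->st.allocations++;
    n->ssid = ssid; n->tsid = tsid; n->tclass = tclass; n->avd = avd;
    unsigned h = avc_hash(ssid, tsid, tclass);
    n->next = avc->slots[h];
    avc->slots[h] = n;
    return n;
}

/* Mirrors avc_has_perm(): 0 = allowed, -1 = denied (the kernel returns -EACCES). */
static int avc_has_perm(struct avc *avc, uint32_t ssid, uint32_t tsid,
                        uint16_t tclass, uint32_t requested)
{
    struct avc_node *n = avc_lookup(avc, ssid, tsid, tclass);
    if (!n) {   /* miss: ask the "security server", cache the decision */
        struct av_decision avd = { compute_av(ssid, tsid, tclass), 1 };
        n = avc_insert(avc, ssid, tsid, tclass, avd);
        if (!n) return -1;
    }
    return (requested & ~n->avd.allowed) ? -1 : 0;
}

static void avc_destroy(struct avc *avc)
{
    for (unsigned h = 0; h < AVC_CACHE_SLOTS; h++)
        while (avc->slots[h]) { struct avc_node *n = avc->slots[h]; avc->slots[h] = n->next; free(n); }
}

struct demo_result { unsigned reads_allowed; int write_denied; unsigned entries; struct avc_stats st; };

/* Constructed workload: 1000 identical reads (1 miss, 999 hits), one write no
 * rule grants, then 600 distinct targets to push past the threshold. */
struct demo_result run_demo(void)
{
    struct avc avc = {0};
    struct demo_result r = {0};
    for (int i = 0; i < 1000; i++)
        r.reads_allowed += avc_has_perm(&avc, 1, 2, 6, 0x1) == 0;
    r.write_denied = avc_has_perm(&avc, 1, 3, 6, 0x4) != 0;
    for (uint32_t t = 100; t < 700; t++)
        avc_has_perm(&avc, 1, t, 6, 0x1);
    r.entries = avc.active_nodes;
    r.st = avc.st;
    avc_destroy(&avc);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("lookups %u hits %u misses %u allocations %u reclaims %u frees %u entries %u\n",
           r.st.lookups, r.st.lookups - r.st.misses, r.st.misses,
           r.st.allocations, r.st.reclaims, r.st.frees, r.entries);
    return 0;
}
```

The workload shows why "allocations" can exceed the number of live entries: once the 513th node is allocated every sixteenth allocation triggers a reclaim pass that frees sixteen nodes from whichever buckets lru_hint reaches next, regardless of how hot those entries are. That is the behaviour the inspector's reclaims counter is measuring, and it is why a hot entry can disappear from the cache under churn.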

Real-World Outcome

# Using the inspector module/tool
$ sudo insmod selinux_inspector.ko
$ dmesg | tail

selinux_inspector: Loaded, monitoring LSM hooks

# Trigger some activity
$ curl http://localhost/

$ cat /sys/kernel/debug/selinux_inspector/recent_decisions
┌────────────────┬──────────────────┬─────────┬─────────────────────┬───────────────────┬──────────┐
│ Timestamp      │ Hook             │ Subject │ Object              │ Class:Perm        │ Decision │
├────────────────┼──────────────────┼─────────┼─────────────────────┼───────────────────┼──────────┤
│ 1705123456.001 │ socket_accept    │ httpd_t │ httpd_t             │ tcp_socket:accept │ ALLOW    │
│ 1705123456.002 │ inode_permission │ httpd_t │ httpd_sys_content_t │ file:read         │ ALLOW    │
│ 1705123456.003 │ file_open        │ httpd_t │ httpd_sys_content_t │ file:open         │ ALLOW    │
│ 1705123456.004 │ inode_permission │ httpd_t │ shadow_t            │ file:write        │ DENY     │
└────────────────┴──────────────────┴─────────┴─────────────────────┴───────────────────┴──────────┘
# Hook names are the real LSM hook names (there is no "file_read" hook; reads are
# checked in inode_permission, and file_open checks the open itself). The object
# of an accept is the listening socket, which carries the creating domain's label.

$ cat /sys/kernel/debug/selinux_inspector/avc_stats
AVC Cache Statistics:
  Entries:     512 (threshold 512; buckets used 389/512; longest chain 4)
  Lookups:     45,678
  Hits:        44,890 (98.3%)
  Misses:      788
  Allocations: 788
  Reclaims:    276
  Frees:       276
# Cross-check: the kernel keeps the same counters per CPU in
# /sys/fs/selinux/avc/cache_stats (requires CONFIG_SECURITY_SELINUX_AVC_STATS),
# entries/buckets/chain length in /sys/fs/selinux/avc/hash_stats, and the
# threshold in /sys/fs/selinux/avc/cache_threshold. Sum the per-CPU rows and
# they must match what the module reports.

Hot entries (most frequently accessed):
  1. httpd_t -> httpd_sys_content_t:file:read    (12,456 hits)
  2. init_t -> httpd_t:process:transition        (8,234 hits)
  3. sshd_t -> sshd_t:tcp_socket:accept          (5,123 hits)

$ cat /sys/kernel/debug/selinux_inspector/hook_frequency
LSM Hook Invocation Frequency (last 60s):
  file_permission:    45,678
  inode_permission:   34,567
  socket_create:       1,234
  task_alloc:            567
  bprm_check_security:   234
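Before the kernel module exists, the avc_stats section above can be produced from ground truth the kernel already exports, and later used to validate the module's own counters. The following is an added example, not code from this page or from the project: a user-space reader for /sys/fs/selinux/avc/cache_stats (header line, then one row of six counters per possible CPU) and /sys/fs/selinux/avc/hash_stats. The parsers take text so they also run on the constructed two-CPU sample embedded below; the file paths are the real selinuxfs ones, everything else is this example's own.

```c
#include <stdio.h>
#include <string.h>

struct avc_totals {
    unsigned long lookups, hits, misses, allocations, reclaims, frees;
    int cpus;           /* rows summed: one per possible CPU in cache_stats */
};
struct avc_hash_stats { int entries, buckets_used, buckets_total, longest_chain; };

/* cache_stats layout: a header line, then "lookups hits misses allocations
 * reclaims frees" as six numbers per CPU. Returns rows summed, or -1. */
int parse_cache_stats(const char *text, struct avc_totals *t)
{
    memset(t, 0, sizeof *t);
    int header_seen = 0;
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128];
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : NULL;
        if (!header_seen) {
            if (strcmp(buf, "lookups hits misses allocations reclaims frees") != 0)
                return -1;
            header_seen = 1;
            continue;
        }
        unsigned long v[6];
        if (sscanf(buf, "%lu %lu %lu %lu %lu %lu",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
            return -1;
        t->lookups += v[0]; t->hits += v[1]; t->misses += v[2];
        t->allocations += v[3]; t->reclaims += v[4]; t->frees += v[5];
        t->cpus++;
    }
    return header_seen ? t->cpus : -1;
}

/* hash_stats layout: "entries: N\nbuckets used: N/N\nlongest chain: N\n". */
int parse_hash_stats(const char *text, struct avc_hash_stats *h)
{
    int n = sscanf(text, "entries: %d\nbuckets used: %d/%d\nlongest chain: %d",
                   &h->entries, &h->buckets_used, &h->buckets_total, &h->longest_chain);
    return n == 4 ? 0 : -1;
}

/* The kernel derives hits as lookups - misses; anything else means the text
 * did not come from selinuxfs or a counter being compared has drifted. */
int totals_consistent(const struct avc_totals *t)
{
    return t->hits == t->lookups - t->misses;
}

double hit_rate_percent(const struct avc_totals *t)
{
    return t->lookups ? 100.0 * (double)t->hits / (double)t->lookups : 0.0;
}

/* Read a selinuxfs file; -1 if absent (SELinux disabled, AVC_STATS off, no access). */
static int slurp(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

void print_report(const struct avc_totals *t, const struct avc_hash_stats *h)
{
    printf("AVC Cache Statistics (%d CPUs):\n", t->cpus);
    printf("  Entries:     %d (buckets used %d/%d; longest chain %d)\n",
           h->entries, h->buckets_used, h->buckets_total, h->longest_chain);
    printf("  Lookups:     %lu\n  Hits:        %lu (%.1f%%)\n  Misses:      %lu\n",
           t->lookups, t->hits, hit_rate_percent(t), t->misses);
    printf("  Allocations: %lu\n  Reclaims:    %lu\n  Frees:       %lu\n",
           t->allocations, t->reclaims, t->frees);
    if (!totals_consistent(t))
        printf("  WARNING: hits != lookups - misses\n");
}

/* Constructed sample in the selinuxfs layout (two CPUs); sums match the page's numbers. */
const char *SAMPLE_CACHE_STATS =
    "lookups hits misses allocations reclaims frees\n"
    "23000 22610 390 390 130 130\n"
    "22678 22280 398 398 146 146\n";
const char *SAMPLE_HASH_STATS = "entries: 512\nbuckets used: 389/512\nlongest chain: 4\n";

int main(void)
{
    char cbuf[4096], hbuf[256];
    struct avc_totals t;
    struct avc_hash_stats h;
    const char *cs = SAMPLE_CACHE_STATS, *hs = SAMPLE_HASH_STATS;
    /* Use the live files when readable, otherwise the constructed sample. */
    if (slurp("/sys/fs/selinux/avc/cache_stats", cbuf, sizeof cbuf) == 0 &&
        slurp("/sys/fs/selinux/avc/hash_stats", hbuf, sizeof hbuf) == 0) {
        cs = cbuf; hs = hbuf;
    }
    if (parse_cache_stats(cs, &t) < 0 || parse_hash_stats(hs, &h) < 0) {
        fprintf(stderr, "unrecognised selinuxfs format\n");
        return 1;
    }
    print_report(&t, &h);
    return 0;
}
```

Run it as root on an enforcing system and diff its output against the module's avc_stats file; the per-CPU rows are a useful sanity check on their own, since a counter that only ever grows on one CPU usually points at a probe placed on a path that is not the common one.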

Implementation Guide

  1. Work in a VM with a kernel built with CONFIG_KPROBES, debugfs and SELinux enforcing; a probe placed wrong in these paths can panic the box. Load a module that registers a single kprobe on avc_has_perm and printk()s ssid, tsid, tclass and requested from pt_regs, trigger a known access (curl against httpd) and confirm the line appears in dmesg. The argument list of avc_has_perm differs between kernel versions (some take a struct selinux_state pointer first), so read the prototype in your tree's security/selinux/include/avc.h rather than assuming.
  2. Add a kretprobe to capture the result (0 = allowed, -EACCES = denied) and pair it with the entry record. SIDs are kernel-internal numbers; turn them into context strings with security_sid_to_context(), which a module can only reach by looking up its address since SELinux exports no symbols, or take the strings from the avc:selinux_audited tracepoint (Linux 5.10 and later), which covers audited decisions only.
  3. Replace printk with a bounded ring buffer of decision records under a lock and expose it through a debugfs seq_file at /sys/kernel/debug/selinux_inspector/recent_decisions.
  4. Add probes on the individual hook functions (selinux_inode_permission, selinux_file_open, selinux_socket_accept, ...) for hook_frequency. Before relying on any symbol, check that it exists in /proc/kallsyms or /sys/kernel/tracing/available_filter_functions: many avc.c helpers are static inline and get inlined away. For the counters the AVC already keeps, read /sys/fs/selinux/avc/cache_stats and hash_stats rather than probing.
  5. Harden and validate: unregister every probe before freeing module state, bound every buffer, run under lockdep and KASAN, and compare the decision log against ausearch -m AVC for the same time window.

Milestones

  • Milestone 1: a single kprobe on avc_has_perm prints live decisions to dmesg for a triggered access.
  • Milestone 2: recent_decisions in debugfs shows subject and object contexts, class:permission and result that match the audit log's AVC records for the same events.
  • Milestone 3: avc_stats and hook_frequency agree with /sys/fs/selinux/avc/cache_stats and with an ftrace/bpftrace count of the same functions; the module loads and unloads repeatedly without warnings.
  • Milestone 4: documented build and usage, verified on at least two kernel versions with a note on which probe points exist in each.

Validation Checklist

  • Output matches the real-world outcome example, and every decision shown can be matched to an audit-log AVC record or avc:selinux_audited event
  • AVC counters equal the per-CPU sums from /sys/fs/selinux/avc/cache_stats
  • A missing or renamed symbol makes register_kprobe fail loudly at load time rather than being ignored; invalid debugfs reads return clear errors
  • Module loads and unloads cleanly with no lockdep or KASAN reports; results are repeatable across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “Linux Kernel Development” by Robert Love