Thanks again for sharing your insights. Your timely inputs are much appreciated.
> It is however possible for a userspace agent to exercise various degrees
> of control over SELinux, e.g. by loading new policy, by changing policy
> booleans, or by specifying how to label particular processes and
> objects. But that would occur in response to some event visible to the
> userspace agent, not in response to an upcall from SELinux in the middle
> of processing some system call.
Alright. So, in essence, user space can only indirectly affect SELinux's functioning. I presume this calls for making SELinux policy dynamic enough (e.g. by means of booleans and conditional checks in policy) to respond to changes triggered in user space.
Regards,
Bhargava Shastry
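The pattern discussed above (a userspace agent steering SELinux by flipping a policy boolean that gates a conditional rule, rather than SELinux calling out to userspace) as a worked example. This is added here and is not code from the thread or from the SELinux project: the module name `agent_demo`, the domain type `agent_demo_t` and the boolean `agent_demo_allow_http` are constructed for the example; the `checkmodule`, `semodule_package`, `semodule`, `setsebool` and `getsebool` commands are the standard SELinux userspace tools.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny SELinux policy module whose only
# permission is gated on a boolean, plus the userspace side that toggles it.
# The type name and boolean name are constructed for this illustration.

# Print the policy source for a module whose only rule is conditional.
gen_policy() {
    cat <<'EOF'
module agent_demo 1.0;

require {
    attribute domain;
    type http_port_t;
    class tcp_socket name_connect;
}

# Constructed domain type for the example; nothing transitions into it here.
type agent_demo_t;
typeattribute agent_demo_t domain;

# The boolean is the knob userspace can flip; it defaults to off.
bool agent_demo_allow_http false;

# The rule is only active in the loaded policy while the boolean is on.
if (agent_demo_allow_http) {
    allow agent_demo_t http_port_t:tcp_socket name_connect;
}
EOF
}

# Name of the boolean declared above; used by the toggle helpers.
bool_name() { printf '%s\n' agent_demo_allow_http; }

# Build and install the module (needs root and the checkpolicy/policycoreutils tools).
apply_policy() {
    workdir=$(mktemp -d)
    gen_policy > "$workdir/agent_demo.te"
    checkmodule -M -m -o "$workdir/agent_demo.mod" "$workdir/agent_demo.te"
    semodule_package -o "$workdir/agent_demo.pp" -m "$workdir/agent_demo.mod"
    semodule -i "$workdir/agent_demo.pp"
    rm -rf "$workdir"
}

# What the userspace agent does in response to an event it observes: flip the
# boolean. -P also persists the value across reboots; drop it for a runtime-only change.
enable_http()  { setsebool -P "$(bool_name)" on; }
disable_http() { setsebool -P "$(bool_name)" off; }

case "${1:-}" in
    apply)  apply_policy ;;
    on)     enable_http ;;
    off)    disable_http ;;
    status) getsebool "$(bool_name)" ;;
    *)      gen_policy ;;
esac
```

Run with no argument to print the policy source, `apply` to build and load it, and `on`/`off`/`status` to drive the boolean. The kernel never asks the agent anything: the agent reacts to whatever it is watching (a config change, a signal, a timer) and the only thing it can do is change what is loaded, so the conditional block in the policy has to anticipate every state the agent may want to switch between.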