SELinux/LSM

SELinux uses the Linux Security Modules (LSM) as the implementation to handle enforcement within the Linux kernel. All actions taken on the system which invokes Linux kernel calls (such as system calls) are also passed through LSM, and SELinux adds LSM hooks so that SELinux too can participate in deciding if a call is to be allowed or not.

Resources

 * Implementing SELinux as a Linux Security Module (pdf)
 * LSM Overview in the SELinux paper published by NSA research