When the NSA first implemented SELinux, they did so directly, but were not able to get that merged into mainline because there was concern that SELinux was not the correct solution.
What they ended up doing was creating the Linux Security Modules (LSM) framework, which is just a bunch of hooks in the kernel that a module can implement. SELinux was then rewritten as LSM module. This allowed other solutions like AppArmor to be implemented without any invasive work; they could just plug into the same system SELinux used.
Some time later, the ability to run multiple LSMs at once was added.
Incidentally, Linux capabilities are also implemented as an LSM.
Also, AppArmor might not exist without SELinux.
When the NSA first implemented SELinux, they did so directly, but were not able to get that merged into mainline because there was concern that SELinux was not the correct solution.
What they ended up doing was creating the Linux Security Modules (LSM) framework, which is just a bunch of hooks in the kernel that a module can implement. SELinux was then rewritten as LSM module. This allowed other solutions like AppArmor to be implemented without any invasive work; they could just plug into the same system SELinux used.
Some time later, the ability to run multiple LSMs at once was added.
Incidentally, Linux capabilities are also implemented as an LSM.
TIL. Very cool.