Design

Hybrid: Little bit of both.
  Small part in the kernel for the fast path.
  Mostly in user space.

Fast path at kernel level:
  Simple policy decisions: read/write system calls.
  Otherwise, ask the policy daemon in user space.

Policy daemon in user space:
  Translates system call information into a system-independent, human-readable format.
  Policy language operates on the translation only.
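
A small user-space model of the hybrid design above, added here as an illustration; it is not code from the original slides or from any real implementation. The syscall numbers, translated names (fsopen, netconnect), rule patterns and function names are all hypothetical.

```c
#include <fnmatch.h>
#include <stdio.h>

/* Model only: every name, number and rule here is hypothetical. */
enum verdict { DENY, PERMIT, ASK };
enum { SC_READ, SC_WRITE, SC_OPEN, SC_CONNECT, NSYS };

/* Kernel side: one table lookup settles the cheap, frequent calls. */
static const enum verdict fast_path[NSYS] = { PERMIT, PERMIT, ASK, ASK };

/* Daemon, step 1: raw call -> system-independent, readable text. */
static int translate(int nr, const char *arg, char *out, size_t len) {
    static const char *const names[NSYS] =
        { "fsread", "fswrite", "fsopen", "netconnect" };
    if (nr < 0 || nr >= NSYS || arg == NULL)
        return -1;
    int n = snprintf(out, len, "%s: %s", names[nr], arg);
    return (n < 0 || (size_t)n >= len) ? -1 : 0; /* reject truncation */
}

/* Daemon, step 2: rules are matched against the translation only. */
static const struct { const char *pattern; enum verdict action; } policy[] = {
    { "fsopen: /etc/passwd",     PERMIT },
    { "fsopen: /tmp/*",          PERMIT },
    { "netconnect: 127.0.0.1:*", PERMIT },
};

static enum verdict daemon_decide(int nr, const char *arg) {
    char text[256];
    if (translate(nr, arg, text, sizeof text) != 0)
        return DENY;
    /* FNM_PATHNAME: '*' never crosses '/', so /tmp/../x fails the /tmp rule. */
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (fnmatch(policy[i].pattern, text, FNM_PATHNAME) == 0)
            return policy[i].action;
    return DENY; /* nothing matched: default deny */
}

/* Entry point: fast path first, daemon only when the table says ASK. */
enum verdict check_syscall(int nr, const char *arg) {
    if (nr < 0 || nr >= NSYS)
        return DENY;
    return fast_path[nr] == ASK ? daemon_decide(nr, arg) : fast_path[nr];
}

int main(void) {
    printf("%d\n", check_syscall(SC_OPEN, "/etc/shadow")); /* slow path */
    return 0;
}
```

The model matches the argument string as given; a real monitor would also have to resolve paths before translating them, which this sketch does not attempt.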