Virtualization technology such as, for example, INTEL VT-x may be used in a variety of ways to implement full virtualization of multiple operating systems (OSes). Virtualization technology may also be used to implement anti-virus scanning engines where the engine can be protected from malware threats running with Ring-0 privileges (e.g., the most privileged level of the four (Rings 0-3) privilege levels). Operating systems such as SELINUX, Internet of Things OS (IoT-OS) and Clear LINUX OSes may implement mandatory access control (MAC) mechanisms using security policy modules in the form of a layered security module (LSM). Typically, the LSM may be considered part of the OS trusted computing base (TCB) because the MAC enforcement is performed by the LSM. The LSM may depend on a MAC policy that is usually authored by a system administrator read into kernel memory at system boot time. Occasionally, it may be necessary to modify/update the policy. Typically, updates require a system reboot in order that the new policy signature may be checked/verified using a secure boot mechanism. With always-on requirements of cloud and IoT (Internet of Things) computing, however, it may not be acceptable to conduct reboots. Additionally, MAC mechanisms may be vulnerable to other Ring-0 threads, interrupt handlers and device drivers that may be compromised.