Glossary

SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system originally developed by the US National Security Agency and integrated into the mainline kernel in 2003. Unlike traditional Unix discretionary access control (DAC), where file owners decide who can access their files, MAC imposes a system-wide policy that applies even to processes running as root. This provides strong containment: a compromised web server cannot read files that the policy does not allow its context to access, even if it manages to escalate to root.

SELinux assigns a security context to every process, file, and socket, a label such as system_u:object_r:httpd_sys_content_t:s0. Policy rules specify which contexts can perform which operations on which other contexts. File labels are stored in extended file attributes; labels are inspected with ls -Z (files), ps -Z (processes), and id -Z (the current user).

sestatus                                # current mode and loaded policy
getenforce                              # enforcing / permissive / disabled
sudo setenforce 0                       # temporarily permissive (until reboot or setenforce 1)
ls -Z /var/www/html/index.html          # show the file's context
sudo chcon -t httpd_sys_content_t file  # change context (undone by restorecon or a relabel)
sudo restorecon -Rv /var/www/           # restore default contexts
sudo ausearch -m AVC                    # see denials

SELinux is the default on Fedora, RHEL, CentOS, and related distributions. It has a reputation for complexity, but modern tools (audit2allow, sealert) make diagnosing and fixing denials much easier than in its early years. For serious production systems, leaving SELinux enforcing is one of the best single security wins available.
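
As an added example (not part of the original glossary entry), the following Python script parses AVC denial records of the kind that ausearch -m AVC returns, splits each context label into its fields, and groups the denials by source type, target type, and object class. The sample records are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not real logs), shaped like audit.log entries.
SAMPLE = """\
type=AVC msg=audit(1700000000.123:401): avc:  denied  { read } for  pid=2211 comm="httpd" name="report.txt" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:402): avc:  denied  { open } for  pid=2211 comm="httpd" path="/home/alice/report.txt" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:403): avc:  denied  { name_connect } for  pid=2212 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)

def split_context(label):
    """Split user:role:type[:level]; an MLS/MCS level such as s0:c1,c2 contains ':' itself."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (split_context(m["scontext"])["type"],
               split_context(m["tcontext"])["type"], m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        # permissive=1: logged but allowed. A missing field is treated as
        # blocked here (an assumption made for this example).
        if m["permissive"] != "1":
            groups[key]["enforced"] = True
    return dict(groups)

def as_rule(key, perms):
    """Render a group in allow-rule syntax, for review only."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE).items()):
        state = "blocked" if info["enforced"] else "permissive only"
        print(f"{as_rule(key, info['perms'])}  # {state}")
```

The rule-shaped output is a summary to review, not something to load as is: a denial is often better resolved by correcting a file's label with restorecon than by widening the policy.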

Related terms: AppArmor, mac, security

Also defined in: Textbook of Linux