What is SELinux, and why does it matter?

ANGADSINGH OBBI

When talking about hardening a Linux box, one tool stands out as interesting, frequently misunderstood and, most notably, integrated into many distributions: SELinux (Security-Enhanced Linux). Whether you deploy servers for enterprise applications or are just experimenting with system-level security, knowing SELinux will take your Linux administration skills well beyond the next level.

In this article, we will explore what SELinux is, how it works, and how you can make the most of it.

What is SELinux?

SELinux is a security system built into the Linux kernel that provides an added layer of protection. Under traditional Linux permissions, users and programs decide what others may access; under SELinux, strict rules defined by the system policy dictate how access is controlled.

Originally created by the NSA, it is shipped with most major Linux distributions such as RHEL, CentOS, Fedora, and many others.

Why Use SELinux?

SELinux strengthens the security of your system by:

  • Deterring intruders from doing extensive damage if they break in

  • Making sure apps can only access the files they need

  • Enforcing rules even on processes with root access

It’s kind of like having a security guard inside your system that enforces the rules no matter who’s asking, even root.

Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)

Understanding this difference is key to grasping how SELinux works.

  • DAC (Discretionary Access Control): This is the traditional Linux permission model. Users and applications decide who can access what. For example, if you own a file, you can choose to give others read or write access.

  • MAC (Mandatory Access Control): SELinux operates on this model. The system decides what is allowed based on predefined rules. Even if a user has permission under DAC, SELinux can still block the action if it violates a policy.

In short, DAC says “you can if the owner lets you,” while MAC says “you can only if the system policy says it’s okay.”

Key SELinux Terminology You Should Know

  • Policies: Rules that define what actions are allowed and by whom.

  • Labels: Every file and process has a label (called a context) that SELinux uses to make decisions.

  • Modes:

    • Enforcing – SELinux is active and blocking anything that violates policy

    • Permissive – SELinux logs violations but doesn’t block them

    • Disabled – SELinux is turned off entirely

How to Check SELinux Status

To check if SELinux is running:

sestatus

To temporarily change SELinux mode:

setenforce 1  # Enable enforcing mode
setenforce 0  # Switch to permissive mode

To make the change permanent, edit:

/etc/selinux/config

Working with SELinux Contexts

Each file and process has a security label (context), and SELinux uses these to decide what’s allowed.

To see file labels:

ls -Z

To change a label:

chcon -t httpd_sys_content_t /var/www/html/index.html

To restore a file or directory to its default SELinux context:

restorecon -Rv /var/www/html

How to Handle SELinux Errors

If something isn't working as expected, say your web server can't read a file or a service won't start, SELinux may be the reason. Here's how to figure it out:

  1. Check Audit Logs
    Use this command to search for recent access denials:

     ausearch -m avc -ts recent
    
  2. Use SELinux Alert Tool
    This gives more readable messages and suggestions:

     sealert -a /var/log/audit/audit.log
    
  3. Look for Context Issues
    Sometimes the issue is a mislabeled file. Use ls -Z to check labels, and fix with:

     restorecon -Rv /path/to/file
    
  4. Switch to Permissive Mode Temporarily (Not Recommended Long-Term)
    If necessary, toggle SELinux to permissive mode to verify whether it is the cause:

     setenforce 0
    

    Don’t forget to set it back:

     setenforce 1
    

When to Use Permissive Mode

Permissive mode is useful for troubleshooting. SELinux won't block anything; it just logs what it would have blocked. It's great for learning and debugging before switching to full enforcement.
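Those logged-but-not-blocked denials are exactly what you want to read before switching to enforcing. The script below is an added example (not from the article): it summarises AVC denial lines of the kind `ausearch -m avc -ts recent` prints, pulling out the permission, source type, target type, object class and whether the denial was blocked or only logged. The three audit lines are constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): summarise SELinux AVC denials so the
# pattern behind "my web server can't read a file" is visible at a glance.
# SAMPLE_AVC holds three constructed audit lines in the format that
# `ausearch -m avc -ts recent` prints; on a real host pipe that command's
# output into the functions instead. Function names are my own.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read open } for  pid=1234 comm="httpd" name="style.css" dev="sda1" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# One line per denial: <permissions> <source type> <target type> <class> <outcome>.
# The third field of a context (user:role:type:level) is the type, which is
# what the targeted policy actually decides on. permissive=1 marks denials
# that were only logged, i.e. what enforcing mode would have blocked.
summarize_avc() {
  awk '
  /avc: +denied/ {
    perm = ""; stype = "?"; ttype = "?"; tclass = "?"; mode = "blocked"; inperm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm) { perm = (perm == "") ? $i : perm "," $i; continue }
      n = index($i, "=")
      if (n == 0) continue
      key = substr($i, 1, n - 1); val = substr($i, n + 1)
      if (key == "scontext")        { split(val, c, ":"); stype = c[3] }
      else if (key == "tcontext")   { split(val, c, ":"); ttype = c[3] }
      else if (key == "tclass")     tclass = val
      else if (key == "permissive") mode = (val == "1") ? "logged-only" : "blocked"
    }
    print perm, stype, ttype, tclass, mode
  }'
}

# Count denials per (source type, target type, class): repeated hits on the
# same pair usually point at one mislabelled path (fix with restorecon) or
# one missing policy rule, rather than many unrelated problems.
denials_by_pair() {
  summarize_avc | awk '{ print $2, $3, $4 }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | denials_by_pair
```

On a live system, `ausearch -m avc -ts recent | summarize_avc` gives the per-denial view and the same pipe into `denials_by_pair` shows which source/target pair to fix first.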


Final Thoughts

SELinux might seem intimidating at first, but once you understand its basic rules and tools, it becomes a powerful ally in locking down your Linux environment. Start with permissive mode, study the logs, and gradually shift to enforcing mode.

Security isn't something you set and forget; it's a mindset. And SELinux is a smart move toward that mindset.
