Standard Linux permissions (DAC, Discretionary Access Control) have a structural weakness: the owner of a resource decides who may access it, and root is exempt from the checks entirely. If an attacker compromises a process running as root, the permission bits no longer constrain anything. SELinux (Security-Enhanced Linux) adds Mandatory Access Control (MAC): a system-wide policy, enforced in the kernel, that a process cannot escape simply by running as UID 0. A root-owned daemon confined to its domain is limited to what that domain's rules allow. The exception is a process the policy deliberately leaves unconfined, such as an interactive root shell in the default targeted policy, which is why the protection depends on services actually running in confined domains.
In a DAC system (standard Linux permissions), if you own a file you can grant anyone access to it, and if you are root you can read, write or change the mode of everything. MAC adds a second check on top of DAC: the policy states what each process domain may do to each object type, regardless of who owns the object or which UID the process runs as. An operation must pass both checks, so a root process in a confined domain is still denied wherever the policy says no.
| Aspect | DAC (Standard Permissions) | MAC (SELinux) |
|---|---|---|
| Control | Resource owner decides | System policy decides |
| Root bypass | Root can access everything | Root is still confined by policy |
| Granularity | User/Group/Other | Type, role, user, level |
| Policy | Set by file owner | Defined by administrator, enforced by kernel |
| Compromise impact | Full system access if a root process is compromised | Limited to what the policy grants the compromised process's domain |
SELinux operates in one of three modes, and knowing which one is active is the first step in any configuration or troubleshooting session: enforcing (policy violations are blocked and logged), permissive (violations are logged but allowed, useful for testing a policy before turning it on) and disabled (no policy loaded and no labels maintained, so re-enabling later requires a full filesystem relabel). 'getenforce' prints the current mode, 'setenforce 0' or '1' switches between permissive and enforcing until the next reboot, and the persistent setting lives in /etc/selinux/config. Moving to or from disabled requires a reboot; on RHEL 9 and later, Red Hat recommends the kernel parameter selinux=0 for that rather than the config file.
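As an added example (not from the original page), the following shell script compares the persistent mode declared in the config file with the runtime mode reported by 'getenforce'. The function names are my own, and the sample config file is constructed so the script runs on any host; on a real system call selinux_mode_drift with no argument to read /etc/selinux/config.

```shell
#!/bin/sh
# Added example: compare SELinux's persistent mode (config file) with the
# runtime mode (getenforce). The config path is a parameter so the function
# can be exercised on a constructed copy of /etc/selinux/config.

# Print the persistent mode declared in a config file: enforcing,
# permissive or disabled. Comment lines are ignored; the last SELINUX= line
# wins, as it does for the real file. "unknown" if the file has none.
selinux_config_mode() {
    config="${1:-/etc/selinux/config}"
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$config" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# Print the runtime mode in lower case, or "unavailable" on a host without
# the SELinux userspace tools.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unavailable
    fi
}

# Compare the two. 'setenforce 0' only changes the runtime mode, so after a
# reboot the persistent setting returns; editing the config file does
# nothing until reboot. Either way the two can drift apart, which is worth
# flagging in a compliance or incident check.
selinux_mode_drift() {
    persistent=$(selinux_config_mode "$1")
    runtime=$(selinux_runtime_mode)
    if [ "$runtime" = unavailable ]; then
        echo "no-selinux-tools"
    elif [ "$persistent" = "$runtime" ]; then
        echo "consistent:$runtime"
    else
        echo "drift:persistent=$persistent runtime=$runtime"
    fi
}

# Constructed sample config, so the example runs on any host.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# This file controls the state of SELinux on the system.
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
selinux_config_mode "$sample_config"
selinux_mode_drift "$sample_config"
rm -f "$sample_config"
```

A "drift:" result after someone ran 'setenforce 0' to debug a service and forgot about it is exactly the situation the warning later in this page is about: the host is silently permissive until its next reboot.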
Every file, process, and port in SELinux has a security context (label). The context defines what that object can and cannot do. Contexts follow the format: user:role:type:level.
💡 The type (the third field, e.g., httpd_sys_content_t for files, httpd_t for processes) is the field most policy rules are written against. A process's type is called its domain, and the rules say which object types that domain may read, write, execute or connect to. In the default targeted policy the SELinux user and role rarely matter, and the level field (s0, or s0:c0.c1023 with MCS categories) is mainly used to separate containers and virtual machines from one another.
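As an added example (not from the original page), this shell script splits a context into its user:role:type:level fields and then uses the type field for a check a practitioner actually runs: finding daemons that SELinux is not confining. The 'ps -eZ'-style input is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: work with user:role:type:level contexts and find processes
# whose domain gives them no real confinement. The ps -eZ lines below are
# constructed; on a real host pipe 'ps -eZ' into unconfined_processes.

# ctx_field CONTEXT N prints field N (1=user 2=role 3=type 4=level).
# The level is taken as "everything after the third colon" because an MLS
# or MCS range such as s0-s0:c0.c1023 contains a colon itself, and it is
# printed empty when the context has no level at all.
ctx_field() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     echo "ctx_field: field must be 1-4" >&2; return 1 ;;
    esac
}

# unconfined_processes: read 'ps -eZ' output on stdin and print
# "PID COMMAND TYPE" for daemons running in a domain with no policy.
#   unconfined_service_t  a systemd service without a policy module
#   initrc_t              a legacy init-script service left unconfined
# unconfined_t is deliberately not flagged: in the targeted policy the
# interactive user session runs there by design. A service in either of
# the two types above gets root's DAC rights and nothing from SELinux.
# The command is taken as the last field, so arguments are not shown.
unconfined_processes() {
    awk '$1 != "LABEL" {
        split($1, f, ":")
        t = f[3]
        if (t == "unconfined_service_t" || t == "initrc_t")
            print $2, $NF, t
    }'
}

# Constructed sample in the shape of 'ps -eZ' output.
SAMPLE_PS='LABEL                                    PID TTY          TIME CMD
system_u:system_r:init_t:s0                1 ?        00:00:02 systemd
system_u:system_r:httpd_t:s0             812 ?        00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 901 ?       00:00:00 legacy-agent
system_u:system_r:initrc_t:s0            933 ?        00:00:00 oldstyle-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1204 pts/0 00:00:00 bash'

ctx_field system_u:object_r:httpd_sys_content_t:s0 3
printf '%s\n' "$SAMPLE_PS" | unconfined_processes
```

A service showing up in unconfined_service_t is the usual reason "SELinux is enforcing" turns out to mean nothing for a particular daemon: either install or write a policy module for it, or accept that this process is protected by DAC only.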
SELinux booleans are on/off switches for specific policy rules. They let you adjust SELinux behavior without writing custom policies.
When SELinux blocks an action, it records the denial in the audit log (/var/log/audit/audit.log, as type=AVC records; 'ausearch -m AVC -ts recent' lists the latest ones). Reading a denial and fixing the underlying cause is a core skill. The key is: never just disable SELinux, fix the label, the boolean or the policy.
⚠️ The 'audit2allow' tool is powerful but dangerous. It turns every denial in its input into an allow rule, including denials caused by mislabeled files or by an attacker probing the system, so the module it produces can legitimise exactly the access the policy was meant to block. Run 'audit2why' first to see whether a boolean or a relabel already covers the case, and always review the generated .te file before installing the module. 'setenforce 0' does not survive a reboot, so it is not a fix at all, only a way to confirm that SELinux is the component doing the blocking; never make permissive or disabled the persistent setting just to silence denials.
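As an added example (not from the original page), the following shell script pulls the fields that matter out of AVC denial records and sorts each denial into the remediation order the three paragraphs above describe: relabel first, then booleans, then a reviewed custom module. The audit lines are constructed, the function names are my own, and the relabel heuristic is my assumption, not an SELinux rule.

```shell
#!/bin/sh
# Added example: parse AVC denials and decide what to try first. The audit
# lines below are constructed; on a real host run:
#   ausearch -m AVC -ts recent | parse_avc | triage_avc

# parse_avc: for each "avc: denied" record on stdin print one line:
#   <source type> <permissions,comma-separated> <target type> <class> <permissive flag>
# Only the type field of scontext/tcontext is kept, because that is what
# allow rules and booleans are written against. permissive=1 means the
# access was logged but allowed (the domain or the system is permissive).
parse_avc() {
    awk '/avc: *denied/ {
        perms = $0
        sub(/.*denied[ \t]*[{][ \t]*/, "", perms)   # drop everything up to "{ "
        sub(/[ \t]*[}].*/, "", perms)               # drop " }" and the rest
        gsub(/[ \t]+/, ",", perms)
        sctx = "?"; tctx = "?"; cls = "?"; pmode = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)        { split(substr($i, 10), f, ":"); sctx = f[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), f, ":"); tctx = f[3] }
            else if ($i ~ /^tclass=/)     cls = substr($i, 8)
            else if ($i ~ /^permissive=/) pmode = substr($i, 12)
        }
        print sctx, perms, tctx, cls, pmode
    }'
}

# triage_avc: read parse_avc output and print a bucket per denial.
#   relabel            the target carries a generic or wrong label; fix the
#                      file context, do not write policy for it
#   boolean-or-policy  the target is labelled as intended; look for a
#                      boolean that covers the access before a custom module
# Heuristic (my assumption): these target types almost always mean a file
# was created or moved without receiving the label the policy expects.
triage_avc() {
    while read -r src perms tgt cls pmode; do
        case "$tgt" in
            default_t|unlabeled_t|user_home_t|admin_home_t) echo relabel ;;
            *) echo boolean-or-policy ;;
        esac
    done
}

# Constructed sample: httpd writing into a directory that kept its
# user_home_t label after being moved into the web root, and the same
# process trying to reach a database port.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=812 comm="httpd" name="upload.tmp" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { name_connect } for  pid=812 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AVC" | parse_avc | while read -r src perms tgt cls pmode; do
    bucket=$(echo "$src $perms $tgt $cls $pmode" | triage_avc)
    echo "$src -> $perms on $tgt ($cls): $bucket"
    case "$bucket" in
        relabel)
            echo "    restorecon -Rv <path>      # reapply the label the policy expects"
            echo "    semanage fcontext -a -t httpd_sys_rw_content_t '<path>(/.*)?'   # if the default label is wrong" ;;
        *)
            echo "    audit2why -a               # reports whether a boolean would allow this"
            echo "    getsebool -a | grep ${src%_t}   # e.g. httpd_can_network_connect_db, then setsebool -P"
            echo "    audit2allow -a -M local    # last resort: review local.te, then semodule -i local.pp" ;;
    esac
done
```

The second sample denial is the classic boolean case: httpd_t is not allowed to connect to mysqld_port_t until 'setsebool -P httpd_can_network_connect_db on', and generating a custom module for it would grant a broader rule than the boolean that already exists for exactly this purpose.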
AppArmor is an alternative MAC system used by default on Ubuntu and SUSE. It uses path-based profiles rather than SELinux's label-based approach. Both provide similar security benefits.
| Feature | SELinux | AppArmor |
|---|---|---|
| Default on | RHEL, CentOS, Fedora | Ubuntu, SUSE, Debian |
| Approach | Label-based (type enforcement) | Path-based profiles |
| Complexity | High learning curve | Easier to learn |
| Granularity | Very fine-grained | Moderate granularity |
| Policy location | /etc/selinux/ | /etc/apparmor.d/ |
| Status check | sestatus | aa-status |
| Mode switching | setenforce 0/1 | aa-enforce / aa-complain |
💡 Both SELinux and AppArmor are effective MAC systems. The choice often comes down to the distribution and your willingness to learn the system. For security professionals, understanding both is valuable, but mastering SELinux is particularly beneficial for RHEL-based environments.
Mandatory Access Control (MAC) adds a defensive layer that standard permissions cannot provide: it can contain even a compromised root process, as long as that process runs in a confined domain. Learning to configure and troubleshoot SELinux is an essential skill for any Linux security professional.
When configuring SELinux, always start with the principle of least privilege. Only allow the specific actions that are necessary for the service to function. Avoid broad permissions like 'allow httpd_t to write to all files' — instead, target specific directories and actions.
Remember: SELinux is not a replacement for proper application security. It is a powerful mitigation layer, but you should still follow secure coding practices, keep software updated, and use other security controls in conjunction with SELinux.
In incident response, SELinux can be a lifesaver. Even if an attacker compromises a service, the policy can stop them from reading sensitive files, writing to locations the service should never touch or reaching the network, and each blocked attempt leaves an AVC record. Search the audit log for denials in the incident window ('ausearch -m AVC -ts <start>'): a burst of denials from one domain is often the clearest timeline of what the attacker tried.
For security professionals working in RHEL-based environments (RHEL, CentOS, Fedora), mastering SELinux is essential. It is a key differentiator in certifications like RHCE and RHCSA and is widely used in enterprise environments for its robust security capabilities.
SELinux is one of the most misunderstood features in Linux. Many administrators disable it at the first sign of trouble, which is like removing the airbags because the warning light came on. Take the time to learn it: it is one of the most effective security controls available on Linux.