JT
April 23 2026
Updated April 23 2026

SELinux Architecture and Its Principles

Linux

SELinux is a security module built into the Linux kernel that implements the Mandatory Access Control (MAC) model. Unlike the traditional DAC (Discretionary Access Control) model, where access to resources is determined by the file owner, SELinux enforces a strict, centralized security policy. This policy defines how processes can interact with files, ports, sockets, and other system resources, regardless of standard permission settings.

SELinux is widely used in enterprise distributions such as RHEL, CentOS, and Fedora, and is considered one of the key tools for enhancing system security. It can block malicious actions even if an attacker has already gained access to the system but attempts to operate beyond allowed boundaries.

What SELinux Is and How It Works

SELinux is based on security contexts and strict policy enforcement. Every object in the system—whether a file, process, or network connection—has a label known as a security context. Access decisions are made based on these labels.

Example of a context:

system_u:object_r:httpd_sys_content_t:s0

This context includes several components: SELinux user, role, type, and security level. In practice, the type is the most important element, as most access control rules are built around it.

The SELinux architecture includes several key components. The Policy Engine interprets security rules, the Security Server makes access decisions, and the Access Vector Cache (AVC) improves performance by caching previous decisions to avoid repeated calculations.

Mandatory Access Control Principles

The main difference between SELinux and traditional access control models is the use of Mandatory Access Control. In this model, the security policy is centrally defined and cannot be modified by regular users. Even the root user cannot bypass SELinux restrictions unless explicitly allowed by policy.

This means that every allowed action must be predefined. If a rule does not exist, the action will be denied. This significantly reduces the attack surface and makes system behavior more predictable from a security standpoint.

SELinux operates in three modes: Enforcing, Permissive, and Disabled. In Enforcing mode, policies are fully applied and violations are blocked. Permissive mode is used for troubleshooting, as it logs violations without enforcing them. Disabled mode completely turns off SELinux.

To check the current mode:

getenforce

To switch modes temporarily:

sudo setenforce 0 # Permissive
sudo setenforce 1 # Enforcing

For detailed status information:

sestatus

If required utilities are missing, install them with:

sudo dnf install policycoreutils policycoreutils-python-utils

Contexts, Access Control, and Practical Usage

In practice, working with SELinux usually involves managing contexts and permissions. For example, to view file contexts:

ls -Z /var/www/html

If a web server cannot access a file, it may have an incorrect type. You can change it using:

sudo chcon -t httpd_sys_content_t /var/www/html/index.html

However, a context set with chcon is not recorded in the policy's file-context rules, so the next relabeling operation resets it. To make a custom context persistent, register it with semanage fcontext first. To restore the default contexts defined by the policy:

sudo restorecon -Rv /var/www/html

Another common scenario is allowing a web server to use a non-standard port. By default, SELinux restricts which ports services can use. To add a new port:

sudo semanage port -a -t http_port_t -p tcp 8080

SELinux also provides boolean parameters for flexible configuration. For example, to allow outbound connections for a web server:

sudo setsebool -P httpd_can_network_connect on

To view all available booleans:

getsebool -a

SELinux access denials (AVC messages) are recorded by the audit daemon in:

/var/log/audit/audit.log

If something is not working, check recent denials:

sudo ausearch -m avc -ts recent

For automatic analysis and suggestions:

sudo sealert -a /var/log/audit/audit.log
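As an added example that is not part of the original article, the shell functions below split a security context into its four fields and summarise AVC denial records of the kind ausearch returns, so the most frequent source type, target type, object class and denied permission stand out before any policy change is considered. The audit records it processes are constructed samples, and the names ctx_field and summarize_avc are my own.

```shell
# Added example (not from the original article): parse SELinux security
# contexts and summarise AVC denials without needing a SELinux host.
# On a live system: sudo ausearch -m avc -ts recent | summarize_avc

# Print one field of a context "user:role:type:level".
# $1 = context, $2 = user | role | type | level
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        # the MLS/MCS level may itself contain ':' (e.g. s0-s0:c0.c1023)
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Read AVC records on stdin and print, most frequent first:
#   <count> <source type> <target type> <object class> <denied permissions>
summarize_avc() {
    awk '
    /avc: *denied/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""
        if (match($0, /denied *[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied *[{] */, "", perm); sub(/ *[}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        # only the type (third field) of each context matters for the rule
        split(sctx, s, ":"); split(tctx, t, ":")
        n[s[3] " " t[3] " " cls " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample records (not real log data): two reads of files in a
# home directory and one bind to a non-standard port, all by httpd.
SAMPLE_AVC='type=AVC msg=audit(1713859200.101:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713859200.102:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="vda1" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1713859200.200:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The first summary line (httpd_t reading user_home_t files) points at a labeling problem that restorecon or a different document root fixes, whereas the name_bind line is the port case that semanage port addresses.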

If SELinux blocks a legitimate action, you can create a custom policy module using:

sudo ausearch -c 'httpd' --raw | audit2allow -M my-httpd
sudo semodule -i my-httpd.pp

This approach allows you to adapt SELinux behavior without disabling it. Review the generated my-httpd.te file before installing the module, because audit2allow writes an allow rule for every denial it was given, including ones that should stay blocked.

Enabling and Verifying SELinux

To enable SELinux permanently, edit the configuration file:

sudo nano /etc/selinux/config

Set the mode:

SELINUX=enforcing

Then reboot the system. If SELinux was previously disabled, files on disk have no labels yet, so create the /.autorelabel marker file before rebooting; the filesystem is relabeled on the next boot, which can take some time:

sudo reboot

To verify:

getenforce
sestatus

If configured correctly, SELinux will strictly control interactions between processes and system resources, significantly improving overall security.

In summary, SELinux is not just an access control mechanism but a comprehensive enforcement system that enables a strict and flexible security model. When properly configured, it effectively protects servers from vulnerabilities, privilege escalation, and other common attack vectors.
