Security-Enhanced Linux - Mandatory Access Control
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security mechanism implemented in the Linux kernel. It provides fine-grained access control policies that prevent unauthorized access to files, processes, and system resources.
Think of SELinux like a security guard that checks every door, file, and process with a strict rulebook. Unlike traditional permissions that rely on file ownership, SELinux enforces security policies regardless of who owns the file, making it much harder for attackers to compromise the system. IT professionals use it to confine web servers (preventing Apache from accessing unauthorized files), restrict database access, protect sensitive system files, prevent privilege escalation attacks, enforce strict application sandboxing, and meet compliance requirements for government and enterprise systems.
Verify if SELinux is enabled and in enforcing mode.
Find why a service can't access files or make connections.
Enable booleans to allow specific application behaviors.
Restore correct security labels after moving or creating files.
getenforce: Display the current SELinux operating mode (Enforcing/Permissive/Disabled).
sestatus: Display detailed SELinux status information including policy and mode.
sudo setenforce 0: Set SELinux to permissive mode (logs violations but doesn't block).
sudo setenforce 1: Set SELinux to enforcing mode (actively blocks policy violations).
getsebool -a: List all SELinux boolean values (policy switches).
sudo setsebool httpd_can_network_connect on: Allow Apache to make network connections (temporary).
sudo setsebool -P ftp_home_dir on: Allow FTP access to home directories (persistent across reboots).
ls -Z: List files with their SELinux security contexts.
ps -eZ: List all running processes with their SELinux contexts.
sudo restorecon -Rv /var/www/html/: Restore default SELinux contexts for web directory recursively.
sudo chcon -t httpd_sys_content_t /var/www/html/index.html: Change SELinux type context to allow Apache to read the file.
sudo ausearch -m avc -ts recent: Search audit logs for recent SELinux access denials.
Never disable SELinux in production! Setting SELinux to permissive or disabled mode removes critical security protections. This should only be done temporarily for troubleshooting.
Use booleans instead of disabling: If a service isn't working, check SELinux booleans first. Most common issues can be resolved by enabling the appropriate boolean rather than disabling SELinux entirely.
Prefer restorecon over chcon: The restorecon command applies the contexts defined in policy, while a label set with chcon is not recorded in policy and may be overwritten by system relabeling.
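To connect the audit search with the two tips above, this added example (not part of the original page) reduces AVC denial records to the fields that decide the next step: the source domain, the denied permission, the object class and the target type. The helper name summarize_avc, the two sample records and the label-versus-boolean heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The two AVC records are constructed samples in the format
# that `ausearch -m avc` returns; they were not captured from a real system.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.456:460): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# summarize_avc (hypothetical helper): read audit records on stdin and print
#   comm|source_type|permissions|class|target_type|mode|next_check
# for every AVC denial. next_check is a rough heuristic, not policy analysis.
summarize_avc() {
    awk '
    /avc: +denied/ {
        comm = src = tgt = cls = perm = ""; mode = "enforcing"
        # Denied permissions are the words between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            p = index($i, "="); if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            # A context is user:role:type:level; the type drives the decision.
            if (k == "scontext") { split(v, c, ":"); src = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
            else if (k == "tclass") cls = v
            else if (k == "comm") { gsub(/"/, "", v); comm = v }
            else if (k == "permissive" && v == "1") mode = "permissive"
        }
        # File-like objects: suspect a wrong label. Anything else: look for
        # a boolean that enables the behaviour.
        if (cls ~ /^(file|dir|lnk_file)$/) hint = "label: ls -Z, restorecon -Rv"
        else hint = "boolean: getsebool -a"
        print comm "|" src "|" perm "|" cls "|" tgt "|" mode "|" hint
    }'
}

# On a live system: sudo ausearch -m avc -ts recent | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The first sample is the typical result of moving a file from a home directory into the web root: the file keeps its user_home_t label until restorecon resets it. The second record carries permissive=1, meaning the access was logged but not blocked.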