SELinux is a security system built into Linux that controls which files each program can access and which actions it is allowed to perform.

For example, the web browser can connect to the internet, but it cannot read your private documents. This prevents viruses and hackers from gaining full control over your system if they break into one program.

How it works

SELinux works by implementing mandatory access controls (MAC). With MAC, sysadmins define which users and processes have access to specific resources rather than relying on less secure broadly-defined permissions. To accomplish this, SELinux uses security policies.

SELinux policies

SELinux blocks all applications and users by default, allowing access only to those specified in the security policies.

These rules set the permissions for each user, program, and resource. SELinux caches every access decision in the Access Vector Cache (AVC), which makes later permission checks faster.


Labels and type enforcement

SELinux uses labels with the policy rules to decide what actions to allow for each resource. Admins assign labels to every process, network port, file, etc.

Labels include:

  1. User – The Linux user mapped to a SELinux user
  2. Role – The user’s authorized role for that system
  3. Type – This determines the permissions that are enforced
  4. Level (optional) – A security clearance level

Label format

user:role:type:level

Modes

Enforcing mode: This is the default and the most secure mode. SELinux actively enforces the policy rules, denying any unauthorized access attempt. Blocked attempts are logged.

Permissive mode: Less secure, but access is still monitored. SELinux logs the actions that the policy would block, but allows them to proceed. Usually used for testing.

Disabled mode: SELinux is completely turned off, removing all of its access protection. This mode is only for troubleshooting.

Configuration

Linux comes with prebuilt policies, but admins can create their own.

Permanent config

To set SELinux rules permanently, edit the /etc/selinux/config file, which controls the SELinux settings.

The SELINUX variable in this file takes one of three values: enforcing, permissive, or disabled.

After editing the config file, restart the computer and run sudo sestatus to confirm the mode.

Temporary config

To set SELinux rules just for the current session, use the setenforce command.

For enforcing: setenforce 1

For permissive: setenforce 0
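As an added example (not part of the original article), the following POSIX shell helpers read the mode from a file in the /etc/selinux/config format and split a label into the user:role:type:level fields described above. Everything after the third colon is treated as the level, because an MLS range such as s0-s0:c0.c1023 contains colons itself. The sample config is constructed inline and stands in for the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not from the original article. Two helpers for the concepts
# above: reading the mode from a file in the /etc/selinux/config format, and
# splitting a label of the form user:role:type[:level] into its fields.

# Constructed sample config (stands in for /etc/selinux/config).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Print the value of SELINUX= from a config file (last assignment wins, as in
# a shell). Comment lines and SELINUXTYPE= are ignored. Returns 1 if the value
# is missing or not one of the three valid modes.
selinux_mode_from_config() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) printf 'invalid or missing SELINUX= setting: "%s"\n' "$mode" >&2; return 1 ;;
    esac
}

# Print field N of a label: 1=user, 2=role, 3=type, 4=level. A label needs at
# least user:role:type; the level is optional. Because an MLS level can itself
# contain colons (s0-s0:c0.c1023), everything after the third colon is the
# level. Returns 1 for a malformed label or an unknown field number.
label_field() {
    printf '%s\n' "$1" |
        awk -F: 'NF < 3 || $1 == "" || $2 == "" || $3 == "" { exit 1 }' || return 1
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Demonstration with constructed values.
printf 'configured mode: %s\n' "$(selinux_mode_from_config "$SAMPLE_CONFIG")"
for n in 1 2 3 4; do
    printf 'field %s: %s\n' "$n" "$(label_field 'system_u:object_r:httpd_sys_content_t:s0' "$n")"
done
```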