Topic starter
SELinux stands for Security-Enhanced Linux. It’s a Linux kernel security module that provides a mandatory access control (MAC) system, which enforces fine-grained security policies to restrict how processes and users can access files, ports, and other resources on a Linux system.
-
Traditional Linux permissions (owner/group/others) are discretionary access control (DAC), meaning users/processes can change permissions themselves.
-
SELinux adds an extra layer of security that cannot be bypassed by users/processes, enforcing strict policies defined by the system administrator or security team.
-
Helps contain compromised processes and reduce the impact of vulnerabilities by limiting what each process can do.
SELinux Modes
| Mode | Description | Use Case |
|---|---|---|
| Enforcing | Enforces the policy and denies unauthorized access | Production environments for strong security |
| Permissive | Logs policy violations but does not block them | Troubleshooting and policy development |
| Disabled | SELinux is turned off | Rarely recommended, disables SELinux entirely |
SELinux Components
-
Policy: Defines rules for what is allowed (e.g., which processes can access which files).
-
Types/Contexts: Labels assigned to files, processes, ports, etc.
-
Targeted Policy: The default policy in RHEL and OpenShift that confines specific system daemons and services.
-
Booleans: Toggle parts of SELinux policy on/off without reloading the entire policy.
Posted : 19/10/2025 5:33 pm
