SELinux is one of the most important security controls on modern enterprise Linux, but it is often misunderstood because administrators first meet it during a denial. If you understand what it adds beyond standard permissions, you can troubleshoot confidently without turning protections off.
This post introduces the SELinux concepts you need before daily operations and policy work.
What SELinux adds on top of standard permissions
Traditional Linux permissions use discretionary access control (DAC), where file owner, group, and mode bits decide access. SELinux adds mandatory access control (MAC), where policy rules can still deny access even when DAC appears to allow it.
That additional policy layer means:
- A compromised process is constrained by a defined domain
- Services can be limited to approved resource types only
- Security behavior is consistent across hosts with the same policy
- Least privilege can be enforced at process and object type level
Why SELinux matters in real environments
SELinux is not only for high-security systems. It reduces blast radius during common incidents by preventing the lateral actions attackers often rely on after initial access.
Practical reasons teams keep SELinux enforcing:
- Web and API processes are confined away from unrelated system data
- Misconfigurations are surfaced as denials instead of silent unsafe access
- Compliance frameworks expect policy-driven access controls
- Shared fleet management is easier with predictable policy behavior
Core vocabulary you should recognize
You do not need to become a policy developer on day one, but these terms appear in almost every troubleshooting flow.
- Type enforcement is the primary SELinux model used on most systems
- A domain is the SELinux type assigned to a running process
- An object type labels files, sockets, ports, and other resources
- A context is the full user:role:type:level label tuple
- An AVC denial is a logged policy decision that blocked an action
How SELinux and DAC work together
SELinux does not replace Unix permissions, ACLs, or ownership. Instead, access must pass both DAC checks and SELinux policy checks.
If you need a quick DAC refresher before continuing, review Linux Basics: Filesystem Permissions.
Think of access evaluation as:
DAC allows + SELinux policy allows = operation succeeds
DAC denies OR SELinux policy denies = operation fails
This is why root can still be blocked by SELinux for certain actions.
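The two-gate evaluation above can be modelled in a few lines of shell. This is an added illustration, not code from the original post: DAC is approximated by owner/other mode bits with a root bypass, and SELinux type enforcement by a constructed allow-rule table. The domain and type names follow the targeted policy's naming style, but the rule table itself is made up for the example and is not taken from any real policy.

```shell
#!/bin/sh
# Added example (not from the original post): a toy model of the two access
# gates. DAC is approximated by owner/other mode bits with root bypass; SELinux
# type enforcement is approximated by a constructed allow-rule table. The rule
# table is made up for illustration, not extracted from a real policy.

# Constructed allow rules, one per line: "allow DOMAIN TYPE:CLASS PERM"
POLICY='
allow httpd_t httpd_sys_content_t:file read
allow httpd_t httpd_sys_rw_content_t:file write
allow unconfined_t etc_t:file write
'

# dac_allows UID OWNER_UID MODE PERM -> 0 when DAC grants PERM
# MODE is a three-digit octal string such as 644; PERM is read, write or
# execute. Group bits are ignored to keep the model short.
dac_allows() {
    uid=$1; owner=$2; mode=$3; perm=$4
    [ "$uid" -eq 0 ] && return 0          # root bypasses the DAC gate
    if [ "$uid" -eq "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)   # owner bits
    else
        digit=$(printf '%s' "$mode" | cut -c3)   # "other" bits
    fi
    case $perm in
        read) bit=4 ;; write) bit=2 ;; execute) bit=1 ;; *) return 1 ;;
    esac
    [ $(( digit & bit )) -ne 0 ]
}

# te_allows DOMAIN TYPE PERM -> 0 when an allow rule grants PERM on class file
te_allows() {
    printf '%s\n' "$POLICY" | grep -q "^allow $1 $2:file $3\$"
}

# access_allowed UID OWNER_UID MODE DOMAIN TYPE PERM
# Both gates must pass; the message names the gate that denied.
access_allowed() {
    if ! dac_allows "$1" "$2" "$3" "$6"; then
        echo "denied by DAC: uid=$1 mode=$3 perm=$6"
        return 1
    fi
    if ! te_allows "$4" "$5" "$6"; then
        echo "denied by SELinux: $4 -> $5:file $6 (this is what an AVC denial records)"
        return 1
    fi
    echo "allowed: $4 -> $5:file $6"
}

# root running in httpd_t writing an etc_t file: DAC passes, SELinux denies
access_allowed 0 0 644 httpd_t etc_t write || true
# root in unconfined_t: both gates pass
access_allowed 0 0 644 unconfined_t etc_t write
# uid 48 reading world-readable web content from httpd_t: both gates pass
access_allowed 48 0 644 httpd_t httpd_sys_content_t read
```

The first call is the case the text describes: root clears the DAC gate unconditionally, yet the confined domain has no rule for that type, so the operation fails.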
SELinux modes and what they mean
SELinux behavior depends on the active mode:
- Enforcing applies policy and blocks denied operations
- Permissive logs denials but does not block operations
- Disabled turns SELinux off and removes policy enforcement
Use permissive for short diagnostics when necessary, but avoid treating it as a permanent fix.
getenforce
setenforce 0
setenforce 1
setenforce changes the runtime mode only until reboot; the persistent setting lives in /etc/selinux/config.
Verify SELinux state on your host
Start every investigation by checking current state, configured state, and loaded policy.
sestatus
getenforce
grep '^SELINUX=' /etc/selinux/config
grep '^SELINUXTYPE=' /etc/selinux/config
Key things to verify:
- Runtime mode and configured mode match your expectations
- Policy type is targeted on typical enterprise installations
- Any temporary permissive change is reverted after troubleshooting
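The three checks above (runtime mode, configured mode, policy type) can be scripted so the comparison is done for you rather than by eye. This is an added example, not code from the original post. It reads the same keys the grep commands above read, falls back to "unknown" when getenforce is not installed, and accepts a runtime mode and config path as arguments so it can be exercised against a constructed config file on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the original post): compare the live SELinux mode
# with the persistent mode and policy type in /etc/selinux/config, and flag a
# permissive switch that was never reverted. Arguments let the check run
# against a constructed config file on a host without SELinux.

# parse_selinux_config FILE KEY -> prints the value of the last KEY=... line
parse_selinux_config() {
    grep "^${2}=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2
}

# runtime_mode -> prints the live mode in lowercase, or "unknown" without getenforce
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# selinux_state_check RUNTIME_MODE CONFIG_FILE
#   returns 0 when the runtime mode equals the configured mode and the policy
#   type is targeted; otherwise reports each mismatch and returns 1.
selinux_state_check() {
    runtime=$1
    cfg=$2
    configured=$(parse_selinux_config "$cfg" SELINUX)
    policy=$(parse_selinux_config "$cfg" SELINUXTYPE)
    status=0
    if [ "$runtime" != "$configured" ]; then
        echo "WARNING: runtime mode '$runtime' differs from configured mode '$configured'" \
             "(check for an unreverted setenforce change)"
        status=1
    fi
    if [ "$policy" != "targeted" ]; then
        echo "NOTE: policy type is '$policy', not the usual targeted"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: SELinux $runtime, policy $policy"
    return "$status"
}

# Constructed sample config in the shape of /etc/selinux/config on RHEL-family hosts
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Usage: check the real host first, then show the mismatch case on the sample
selinux_state_check "$(runtime_mode)" /etc/selinux/config || true
selinux_state_check permissive "$SAMPLE_CFG" || true
```

Run it at the start of an investigation and again at the end: the second run is what catches a setenforce 0 left behind after a diagnostic session.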
Common mistakes to avoid early
New SELinux users often lose time by applying broad fixes before reading denials.
- Do not disable SELinux to bypass one failing service
- Do not treat chcon as a permanent labeling strategy
- Do not install generated policy modules without reviewing rules
- Do not assume file permissions alone explain access failures
Series navigation
Now that you have the conceptual model, the next step is learning how labels and contexts drive day-to-day operations.
Next in this series
Next, we focus on contexts, ls -Z, ps -Z, restorecon, and booleans so you can solve the most common SELinux issues safely.