What Is SELinux?

What is SELinux? Why should I use SELinux on my CentOS or Red Hat Enterprise Linux server running on IBM hardware?

Tutorial details
Difficulty level: Intermediate
Root privileges: No
Requirements: None
Est. reading time: N/A

SELinux is an acronym for Security-Enhanced Linux. It is a security feature of the Linux kernel, designed to protect the server against misconfigurations and compromised daemons. It limits what server daemons and programs can do by defining a security policy that states which files they may access and which actions they may take.

What is SELinux and DAC?

DAC is an acronym for Discretionary Access Control. It is the standard security mechanism on Linux, *BSD, Apple OS X and other Unix-like operating systems. Under DAC, each process runs under a user and a group. For example, the httpd process runs with an associated user and group called apache, so httpd has access to every file and directory that the apache user can access. If the httpd process is compromised, this creates a number of security problems. A hacked httpd process can access, modify and destroy all files that belong to the apache user. It may also access temporary directories (/tmp/ or /var/tmp) and world-readable files. The /tmp or /var/tmp directories, or any other legitimate directory such as a caching directory, can be used to install a backdoor and take full control of your Linux system. File ownership therefore grants risky control: a CGI or PHP script with unexpected access rights can do anything it wants to the files owned by the apache user, and can perform any operation on files in the apache group. An attacker can use such a misconfigured CGI/PHP script or a broken Apache server to gain root-level (superuser) access on a Linux-based system. Once rooted, an attacker can steal your private data or gain access to other parts of your internal network (LAN).
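To make the DAC model described above concrete, here is an added shell example that is not part of the original article: a small POSIX sh function that reproduces the owner/group/other decision the kernel makes from nothing but a file's mode bits and ownership, followed by a few constructed cases that mirror the httpd scenario. The uid 48 for the apache user and every mode and gid used here are assumed sample values, and setuid/setgid/sticky bits and ACLs are deliberately left out of the model.

```shell
#!/bin/sh
# Added example, not from the original article: a pure-shell model of the
# Discretionary Access Control decision Linux makes for a plain file.
# It answers "may a process with this uid and these gids read/write/execute
# this file?" from the mode bits and ownership alone, which is all DAC has
# to go on. All uids, gids and modes below are constructed sample values
# (48 is assumed to be the apache user, as on many Red Hat systems).

# dac_allows MODE FILE_UID FILE_GID PROC_UID PROC_GIDS PERM
#   MODE      octal mode, e.g. 640 or 1777 (setuid/setgid/sticky are ignored)
#   PROC_GIDS comma-separated primary + supplementary gids of the process
#   PERM      one of r, w, x
# Exit status 0 = allowed, 1 = denied, 2 = bad arguments.
dac_allows() {
    mode=$1; fuid=$2; fgid=$3; uid=$4; gids=$5; perm=$6

    case "$perm" in
        r) bit=4 ;; w) bit=2 ;; x) bit=1 ;;
        *) echo "dac_allows: bad permission '$perm'" >&2; return 2 ;;
    esac

    # Keep only the last three octal digits (drop setuid/setgid/sticky).
    mode=000$mode
    mode=${mode#"${mode%???}"}
    owner=${mode%??}
    rest=${mode#?}
    group=${rest%?}
    other=${rest#?}

    # Root bypasses read/write checks entirely (CAP_DAC_OVERRIDE); for
    # execute it still needs at least one x bit somewhere in the mode.
    if [ "$uid" -eq 0 ]; then
        if [ "$perm" != x ]; then return 0; fi
        [ $(( (owner | group | other) & 1 )) -ne 0 ]
        return $?
    fi

    # Exactly one class applies: owner, else group, else other. A process
    # running as the file's owner gets the owner bits even when they are
    # more restrictive than the group or other bits.
    if [ "$uid" -eq "$fuid" ]; then
        digit=$owner
    else
        digit=$other
        for g in $(printf '%s' "$gids" | tr ',' ' '); do
            if [ "$g" -eq "$fgid" ]; then digit=$group; fi
        done
    fi

    [ $(( digit & bit )) -ne 0 ]
}

# Convenience wrapper that prints a readable verdict for one check.
dac_explain() {
    if dac_allows "$@"; then verdict=allowed; else verdict=denied; fi
    printf 'mode=%s owner=%s:%s  process uid=%s gids=%s  %s -> %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$verdict"
}

# Constructed cases mirroring the article's httpd scenario.
dac_explain 644 48 48 48 48 w     # DocumentRoot file owned by apache: allowed
dac_explain 640 0 48 48 48 r      # root-owned config, group apache: allowed
dac_explain 000 0 0 48 48 r       # /etc/shadow-style mode: denied for apache
dac_explain 000 0 0 0 0 r         # ... but allowed for root
dac_explain 1777 0 0 48 48 w      # world-writable /tmp-style directory: allowed
```

The last three cases are the point of the DAC discussion: nothing in the decision looks at which program is asking, so a compromised httpd gets exactly the apache user's rights everywhere, including world-writable locations, and a root-level process is not checked at all.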

Fig.01: Linux or Unix Server With DAC Security Model


MAC: Security mechanism via SELinux

MAC is an acronym for Mandatory Access Control. SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows the server admin to define permissions for every process. It defines how each process can interact with other parts of the server, such as:

  1. Pipes
  2. Files
  3. Network ports
  4. Sockets
  5. Directories
  6. Other processes

SELinux restricts access to each of the above objects according to a policy. For example, the apache user, even with full permissions, can only access the /var/www/html directory and cannot touch other parts of the system such as the /etc directory without a policy modification. If an attacker manages to gain access to the sendmail mail server, the BIND DNS server or the Apache web server, they will only have access to the exploited server and to the files it normally has access to, as defined in the policy for that server. The attacker cannot access other parts of the system or the internal LAN. In other words, damage is now restricted to the particular server and its files. The cracker will not be able to get a shell on your server via common daemons such as Apache, BIND or Sendmail, as SELinux offers the following security features:

  1. Protect users’ data from unauthorized access.
  2. Protect other daemons or programs from unauthorized access.
  3. Protect network ports / sockets / files from unauthorized access.
  4. Protect server against exploits.
  5. Avoid privilege escalation and much more.
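As an added example, not from the original article or from the SELinux project, the following POSIX sh helpers show what a policy decision looks like from the defender's side. When the policy blocks (or, in permissive mode, merely logs) an access, SELinux writes an AVC record to the audit log; these helpers parse such records, pull the source and target types out of the user:role:type:level context labels, and turn each denial into a one-line summary that also says whether the action was actually blocked. The audit records below are constructed samples with made-up pids, inodes and timestamps; the field layout follows the kernel's audit format.

```shell
#!/bin/sh
# Added example, not from the original article: small shell helpers that
# pull the security-relevant fields out of SELinux AVC denial records, the
# lines the kernel writes to /var/log/audit/audit.log when the policy blocks
# an action. The log lines below are constructed samples (pids, inodes and
# timestamps are made up); the field names and layout follow the audit format.

# Three constructed records: httpd denied read on a shadow_t file while
# enforcing, a permissive-mode denial that was logged but allowed through,
# and a non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 comm="httpd" name="shadow" dev="dm-0" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=4242 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0'

# avc_field RECORD KEY: print the value of KEY=... with quotes stripped;
# exit status 1 if the key is absent from the record.
avc_field() {
    for w in $1; do
        case $w in
            "$2"=*) v=${w#*=}; v=${v#\"}; v=${v%\"}; printf '%s\n' "$v"; return 0 ;;
        esac
    done
    return 1
}

# ctx_type CONTEXT: the type (third field) of a user:role:type:level label,
# which is what the targeted policy actually bases its decisions on.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission set inside "{ ... }", e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# avc_summary RECORD: one-line, human-readable version of a denial.
avc_summary() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    pid=$(avc_field "$rec" pid)
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    # name= is present for file objects, dest= for network ports.
    target=$(avc_field "$rec" name) || target=$(avc_field "$rec" dest) || target='?'
    # permissive=1 means the policy would have denied it but the kernel let
    # it through and only logged it; permissive=0 means it was blocked.
    if [ "$(avc_field "$rec" permissive)" = 1 ]; then
        mode='permissive (allowed, logged)'
    else
        mode='enforcing (blocked)'
    fi
    printf '%s[%s] (%s) -> %s on %s %s (%s): %s\n' \
        "$comm" "$pid" "$stype" "$perms" "$tclass" "$target" "$ttype" "$mode"
}

# avc_summarize_log: read audit records on stdin, print one line per AVC denial.
avc_summarize_log() {
    grep 'avc:  denied' | while IFS= read -r line; do
        avc_summary "$line"
    done
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summarize_log
```

On a real system the same function can be fed /var/log/audit/audit.log (readable only by root). The two summaries produced from the samples show the MAC property the article describes: the decision is keyed on the process type httpd_t and the object type shadow_t or mysqld_port_t, not on the apache user's DAC rights, and the permissive flag tells you whether a given denial was actually enforced.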

Please note that SELinux is not a silver bullet for protecting the server. You must also follow other security practices, such as:

  • Implementing a firewall policy.
  • Server monitoring.
  • Patching the system on time.
  • Writing and securing cgi/php/python/perl scripts.


I hope you understood the basic concepts of SELinux. For more info see:

3 comments… add one
  • Alex Dec 6, 2012 @ 19:54

    The problem with SELinux is that while there is documentation that shows HOW to create policies, I have yet to see anything published that shows how to determine WHAT policies you need to A) make sure you don’t break any of your applications, while B) still getting some level of protection. We don’t write our own applications so we don’t “just know” what sort of access each application requires.

    • mike Apr 13, 2015 @ 17:11

      I agree 100% with you, this is the major problem with selinux.

  • manish Jun 19, 2013 @ 11:34

    Can you please tell me, when we change enforcing mode to permissive mode or vice versa, what is the need for changing the mode? By default it is set to enforcing mode. When we are in permissive mode, what can we do?
