How does SELinux differ from the standard Linux security model?
Standard rwx permissions are Discretionary Access Control (DAC) — owners decide, and root overrides everything. SELinux adds Mandatory Access Control (MAC), where a central policy decides, no owner can loosen it, and even root processes are confined.
* DAC (owner discretion + root override) vs MAC (policy decides, confines even root). *
The words explain the difference. Discretionary: access is at the owner's discretion — you can chmod 777 your own file, and a process running as root sails past every check. Mandatory: access is dictated by system policy that users can't relax; a process is boxed into its label no matter who owns the file or how permissive the rwx bits are. That's why MAC contains breaches DAC can't: under DAC a compromised Apache inherits the Apache user's full reach (its files, /tmp, every world-writable file). Under SELinux, httpd_t may touch only what policy allows (e.g. httpd_sys_content_t), so the blast radius stops at Apache's own files — "a weakness in one part of the system cannot spread to the rest." Both layers apply: an action must pass DAC and MAC.
Example - Web server vulnerability:
Without SELinux:
- Attacker compromises Apache process
- Gets Apache user/group permissions
- Can access
/var/www/html,/tmp,/var/tmp, and all world-writable files
With SELinux:
- Security rules define which process can access which files, directories, and ports
- All resources have SELinux context labels
- Default deny - no access without explicit rule
- Compromised process is confined to its policy
Key principle: A weakness in one part of the system cannot spread to other parts.
Go deeper:
Mandatory access control (Wikipedia) — centrally-enforced MAC vs owner-discretion DAC.
Type enforcement (Wikipedia) — the type-vs-type rule model SELinux uses to confine a process regardless of DAC/root.