LOGBOOK

HELP

1 / 15
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert

Question

What is SELinux and what does it protect?

Answer

SELinux is a kernel-level Mandatory Access Control (MAC) layer that confines every process to exactly the files, directories, and ports its policy allows — so even a compromised service can't reach anything it wasn't explicitly granted.

The point of SELinux is to add a second, non-bypassable layer underneath ordinary Linux permissions. Normal permissions (DAC) are set at the owner's discretion and root ignores them entirely; MAC is set centrally by policy and applies even to root processes. It works by labelling things — every process, file, and port carries a security context — and then a system-wide policy says which labelled process may touch which labelled resource. It's a whitelist / default-deny model: if no rule allows an action, it's denied. (Origin: the NSA's FLASK architecture.)

Key features:

  • Controls access to files and resources at the most granular level
  • Processes can only access resources defined by their policy or boolean settings
  • Uses Mandatory Access Control (MAC) - object-based with strict rules

What SELinux labels:

  1. Programs (processes)
  2. Files (and directories)
  3. Network ports

Important: SELinux controls access permissions only, not content. It uses a whitelist approach - only explicitly allowed actions are permitted.

Go deeper:

or press any other key