Question
What is SELinux and what does it protect?
Answer
SELinux is a kernel-level Mandatory Access Control (MAC) layer that confines every process to exactly the files, directories, and ports its policy allows — so even a compromised service can't reach anything it wasn't explicitly granted.
The point of SELinux is to add a second, non-bypassable layer underneath ordinary Linux permissions. Normal permissions (DAC) are set at the owner's discretion and root ignores them entirely; MAC is set centrally by policy and applies even to root processes. It works by labelling things — every process, file, and port carries a security context — and then a system-wide policy says which labelled process may touch which labelled resource. It's a whitelist / default-deny model: if no rule allows an action, it's denied. (Origin: the NSA's FLASK architecture.)
Key features:
- Controls access to files and resources at the most granular level
- Processes can only access resources defined by their policy or boolean settings
- Uses Mandatory Access Control (MAC) - object-based with strict rules
What SELinux labels:
- Programs (processes)
- Files (and directories)
- Network ports
Important: SELinux controls access permissions only, not content. It uses a whitelist approach - only explicitly allowed actions are permitted.
Go deeper:
Security-Enhanced Linux (Wikipedia) — MAC, type enforcement, security contexts, and the FLASK origin.
The SELinux Coloring Book (Red Hat, PDF) — an illustrated intro to type enforcement, MCS and MLS via a cats-and-dogs analogy.
Note saved — thanks!