• Mandatory Access Control system and policies for Linux operating systems, originally developed by the NSA and Red Hat and released in 2000.
  • For every current user or process, SELinux assigns a three-string context consisting of a username, role, and domain (or “type”).

  • The runcon command launches a process in an explicitly specified context (user, role, and domain), but SELinux may deny the transition if the policy does not approve it.

  • After running in permissive mode for a while, the audit2allow tool can be used to produce additional rules that extend the policy to allow all legitimate activities of the application being confined.

  • The default policy on RHEL is “targeted”, meaning it only confines certain applications (e.g. daemons) and leaves others (e.g. the shell) running unrestricted.
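
What audit2allow does with permissive-mode logs, sketched as an added example (not part of the original page and not audit2allow's own code): the Python below groups AVC denial lines into candidate allow rules. The log lines are constructed samples, and the names candidate_rules and context_type are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="httpd" name="report.txt" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:502): avc:  denied  { open } for  pid=2101 comm="httpd" path="/home/app/report.txt" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1700000000.250:503): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.300:504): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type (domain) field of a user:role:type[:level] context."""
    return context.split(":")[2]


def candidate_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL records, "granted" messages, other noise
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Every denial logged while permissive becomes a candidate rule, so each one should be reviewed before it is loaded: the user_home_t rule in this sample is the kind that usually calls for relabeling the file instead of widening the policy.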

FAQ

Show the security context of processes or files

ls -Z
ps -Z

Set to permissive mode to allow (but log) policy violations

Edit /etc/selinux/config and set:

SELINUX=permissive

Then reboot:

sudo reboot

Verify SELinux status

sestatus