SELinux is a security module integrated into the Linux kernel that enforces access control policies to govern how processes interact with system resources.<\/p>
The United States National Security Agency (NSA) developed SELinux and released it to the open-source community in 2000.<\/p>
Its architecture is based on the Linux Security Modules (LSM) framework, which adds hooks to the kernel to enforce security decisions.<\/p>
This setup lets SELinux intercept and evaluate access requests at the kernel level, so that every operation complies with the defined security policies.<\/p>
SELinux is commonly used in Red Hat Enterprise Linux (RHEL), CentOS, Fedora, and other RHEL-based distros.<\/p>
That’s because these systems provide full support for SELinux, making it easier to configure and manage compared to Debian and its derivatives, which limit or don’t enable SELinux support by default.<\/p>
How does SELinux work?<\/strong><\/h3>SELinux assigns a security context to every interaction between processes (subjects) and system resources (objects). Each security context includes details like the user, role, type, and, optionally, a sensitivity level.<\/p>
When a process tries to access a resource, the SELinux policy engine checks the security contexts of both the subject and the object against the defined policy rules.<\/p>
If the policy allows the action, SELinux grants access. If not, it blocks the action and – depending on the mode – logs the event to the audit log for review.<\/p>
This mechanism ensures that processes run with only the minimum privileges they need, following the principle of least privilege. It maintains system integrity and reduces the risk of damage from compromised or misbehaving apps.<\/p>
What is mandatory access control (MAC) in SELinux?<\/strong><\/h3>Mandatory access control (MAC) is a security framework that enforces strict policies on how subjects, such as user apps or system services, interact with objects like files, directories, and network ports in a Linux system.<\/p>
Unlike discretionary access control (DAC), where users can set permissions on the files they own, MAC policies are centrally defined and enforced by the system – meaning even privileged users can’t override them.<\/p>
For example, under DAC, a system administrator might accidentally grant a web server process read and write access to a sensitive configuration file.<\/p>
With MAC in place, the SELinux policy can explicitly prevent that process from writing to system files, even if DAC permissions allow it.<\/p>
In other words, if DAC and MAC rules conflict, SELinux applies the most restrictive rule. This strict control is one key reason why SELinux provides such a powerful layer of defense in Linux environments.<\/p>
What are SELinux policies?<\/strong><\/h3>SELinux policies are collections of access rules that define the permissions granted to subjects over objects. These policies form the core of SELinux’s implementation of MAC.<\/p>
For example, a policy might allow a process labeled httpd_t<\/strong> to read files with the httpd_sys_content_t<\/strong> label but deny access to those marked as user_home_t<\/strong>.<\/p>Administrators typically write these policies in a specific policy language, and then compile them into a binary format that the SELinux kernel module can load and enforce.<\/p>
They use tools like semanage<\/strong> to manage policy components, and audit2allow<\/strong> to generate custom policy modules based on audit logs.<\/p>These tools help tailor SELinux policies to meet the specific security requirements of different environments, ensuring both flexibility and strong system protection.<\/p>
What are the different SELinux modes?<\/strong><\/h3>There are three different SELinux modes: enforcing<\/strong>, permissive<\/strong>, and disabled<\/strong>. Each mode dictates how security policies are applied on Linux systems.<\/p>Enforcing mode<\/strong><\/p>In enforcing mode, SELinux actively applies its security policies. It blocks any action that violates the policy and logs a corresponding denial message. This mode provides the highest level of security and is recommended for production environments.<\/p>
For instance, if a web server process tries to access a configuration file it shouldn’t, SELinux in enforcing mode denies the access and logs the event – helping prevent potential security breaches.<\/p>
Permissive mode<\/strong><\/p>Permissive mode allows all actions, even those that violate SELinux policies, but logs any that would’ve been denied in enforcing mode. This mode is helpful for troubleshooting and policy development, as it provides visibility without interference.<\/p>
For example, when configuring a new app, an administrator switches SELinux to permissive mode to identify and adjust policy violations so that the final setup works smoothly without triggering enforcement issues.<\/p>
Disabled mode<\/strong><\/p>Disabled mode means SELinux is turned off entirely – no policies are enforced or logged. This mode is generally discouraged because it removes SELinux’s added layer of protection.<\/p>
Re-enabling SELinux after it has been disabled requires relabeling the file system to apply policies correctly.<\/p>
A common use case for this mode is a system running legacy apps that are incompatible with SELinux. In such cases, an administrator temporarily disables SELinux, fully aware of the associated security risks.<\/p>
How to configure SELinux?<\/strong><\/h2>To configure SELinux, start by opening a terminal app – you’ll need it to run Linux commands<\/a> and apply configuration changes. On a personal computer, simply power it on and launch the app.<\/p>If you use a virtual private server (VPS), you’ll need SSH access to connect to your server. For Hostinger’s CentOS hosting users<\/a>, find your SSH credentials by going to hPanel → VPS → Manage → Overview → VPS details<\/strong>.<\/p>![\"The](\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2025\/06\/hpanel-vps-overview-vps-details-ssh-username-ipv4-highlighted-1024x406.png\")
Mandatory access control (MAC) is a security framework that enforces strict policies on how subjects, such as user apps or system services, interact with objects like files, directories, and network ports in a Linux system.<\/p>
Unlike discretionary access control (DAC), where users can set permissions on the files they own, MAC policies are centrally defined and enforced by the system – meaning even privileged users can’t override them.<\/p>
For example, under DAC, a system administrator might accidentally grant a web server process read and write access to a sensitive configuration file.<\/p>
With MAC in place, the SELinux policy can explicitly prevent that process from writing to system files, even if DAC permissions allow it.<\/p>
In other words, if DAC and MAC rules conflict, SELinux applies the most restrictive rule. This strict control is one key reason why SELinux provides such a powerful layer of defense in Linux environments.<\/p>
What are SELinux policies?<\/strong><\/h3>SELinux policies are collections of access rules that define the permissions granted to subjects over objects. These policies form the core of SELinux’s implementation of MAC.<\/p>
For example, a policy might allow a process labeled httpd_t<\/strong> to read files with the httpd_sys_content_t<\/strong> label but deny access to those marked as user_home_t<\/strong>.<\/p>Administrators typically write these policies in a specific policy language, and then compile them into a binary format that the SELinux kernel module can load and enforce.<\/p>
They use tools like semanage<\/strong> to manage policy components, and audit2allow<\/strong> to generate custom policy modules based on audit logs.<\/p>These tools help tailor SELinux policies to meet the specific security requirements of different environments, ensuring both flexibility and strong system protection.<\/p>
What are the different SELinux modes?<\/strong><\/h3>There are three different SELinux modes: enforcing<\/strong>, permissive<\/strong>, and disabled<\/strong>. Each mode dictates how security policies are applied on Linux systems.<\/p>Enforcing mode<\/strong><\/p>In enforcing mode, SELinux actively applies its security policies. It blocks any action that violates the policy and logs a corresponding denial message. This mode provides the highest level of security and is recommended for production environments.<\/p>
For instance, if a web server process tries to access a configuration file it shouldn’t, SELinux in enforcing mode denies the access and logs the event – helping prevent potential security breaches.<\/p>
Permissive mode<\/strong><\/p>Permissive mode allows all actions, even those that violate SELinux policies, but logs any that would’ve been denied in enforcing mode. This mode is helpful for troubleshooting and policy development, as it provides visibility without interference.<\/p>
For example, when configuring a new app, an administrator switches SELinux to permissive mode to identify and adjust policy violations so that the final setup works smoothly without triggering enforcement issues.<\/p>
Disabled mode<\/strong><\/p>Disabled mode means SELinux is turned off entirely – no policies are enforced or logged. This mode is generally discouraged because it removes SELinux’s added layer of protection.<\/p>
Re-enabling SELinux after it has been disabled requires relabeling the file system to apply policies correctly.<\/p>
A common use case for this mode is a system running legacy apps that are incompatible with SELinux. In such cases, an administrator temporarily disables SELinux, fully aware of the associated security risks.<\/p>
How to configure SELinux?<\/strong><\/h2>To configure SELinux, start by opening a terminal app – you’ll need it to run Linux commands<\/a> and apply configuration changes. On a personal computer, simply power it on and launch the app.<\/p>If you use a virtual private server (VPS), you’ll need SSH access to connect to your server. For Hostinger’s CentOS hosting users<\/a>, find your SSH credentials by going to hPanel → VPS → Manage → Overview → VPS details<\/strong>.<\/p>
Administrators typically write these policies in a specific policy language, and then compile them into a binary format that the SELinux kernel module can load and enforce.<\/p>
They use tools like semanage<\/strong> to manage policy components, and audit2allow<\/strong> to generate custom policy modules based on audit logs.<\/p> These tools help tailor SELinux policies to meet the specific security requirements of different environments, ensuring both flexibility and strong system protection.<\/p> There are three different SELinux modes: enforcing<\/strong>, permissive<\/strong>, and disabled<\/strong>. Each mode dictates how security policies are applied on Linux systems.<\/p> Enforcing mode<\/strong><\/p> In enforcing mode, SELinux actively applies its security policies. It blocks any action that violates the policy and logs a corresponding denial message. This mode provides the highest level of security and is recommended for production environments.<\/p> For instance, if a web server process tries to access a configuration file it shouldn’t, SELinux in enforcing mode denies the access and logs the event – helping prevent potential security breaches.<\/p> Permissive mode<\/strong><\/p> Permissive mode allows all actions, even those that violate SELinux policies, but logs any that would’ve been denied in enforcing mode. This mode is helpful for troubleshooting and policy development, as it provides visibility without interference.<\/p> For example, when configuring a new app, an administrator switches SELinux to permissive mode to identify and adjust policy violations so that the final setup works smoothly without triggering enforcement issues.<\/p> Disabled mode<\/strong><\/p> Disabled mode means SELinux is turned off entirely – no policies are enforced or logged. This mode is generally discouraged because it removes SELinux’s added layer of protection.<\/p> Re-enabling SELinux after it has been disabled requires relabeling the file system to apply policies correctly.<\/p> A common use case for this mode is a system running legacy apps that are incompatible with SELinux. In such cases, an administrator temporarily disables SELinux, fully aware of the associated security risks.<\/p> To configure SELinux, start by opening a terminal app – you’ll need it to run Linux commands<\/a> and apply configuration changes. On a personal computer, simply power it on and launch the app.<\/p> If you use a virtual private server (VPS), you’ll need SSH access to connect to your server. For Hostinger’s CentOS hosting users<\/a>, find your SSH credentials by going to hPanel → VPS → Manage → Overview → VPS details<\/strong>.<\/p>What are the different SELinux modes?<\/strong><\/h3>
How to configure SELinux?<\/strong><\/h2>