SELinux (Security Enhanced Linux) is a mandatory access control framework that can be used to harden Linux-based systems against internal and external attack. It can, for example, be used to specify which parts of the filesystem are accessible to a daemon such as an HTTP server, so that if an attacker gains control of the daemon then the potential for further harm is limited.

For this to work, SELinux must be configured with a security policy that is matched to the legitimate needs of the programs running on the system in question. An over-restrictive policy will cause programs to fail, whereas an excessively permissive policy may provide an opening to an attacker.

SELinux is usually distributed with default policies to allow it to be installed with minimal up-front effort, but be warned that administering a system with SELinux installed is unlikely to be a pleasant experience unless you have a clear understanding of how it works and how its behaviour can be customised. This is particularly relevant when troubleshooting, because failures caused by an inappropriate security policy will not necessarily provide any obvious indication that SELinux is the culprit.
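The indication that is missing from the failing program is normally present in the audit log, where SELinux records each denial as an AVC message (typically in /var/log/audit/audit.log when auditd is running). The following is an added example, not part of the original page: it parses AVC records and groups the denials by source type, target type, object class and permission. The log lines are constructed samples, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1700000000.123:401): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:401): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000005.456:402): avc:  denied  { read } for  pid=2211 comm="httpd" name="logo.png" dev="sda1" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.789:403): avc:  denied  { name_connect } for  pid=2212 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=USER_LOGIN msg=audit(1700000011.000:404): pid=900 uid=0 msg='op=login acct="root" res=success'
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Return one dict per AVC denial found in audit log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith('type=AVC') or not m:
            continue  # other record types, "granted" records, truncated lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        if 'scontext' not in fields or 'tcontext' not in fields:
            continue
        denials.append({
            'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'),
            # The type is the third colon-separated part of a security context.
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2],
            'tclass': fields.get('tclass', '?'),
            # permissive=1 means the access was logged but still allowed.
            'enforced': fields.get('permissive', '0') == '0',
        })
    return denials

def summarise(denials):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d['perms']:
            counts[(d['source_type'], d['target_type'], d['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarise(parse_denials(SAMPLE_LOG)).most_common():
        print(n, *key)
```

Run against a real log, a repeated tuple such as `httpd_t` reading `user_home_t` files points to a mismatch between the policy and where the daemon's content actually lives, which the daemon itself usually reports only as a generic permission error.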


Further reading