Selinux: Difference between revisions
Latest revision as of 22:02, 7 May 2026
Summary
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system built into Linux that adds an additional security layer beyond traditional Unix file permissions. Instead of relying only on users and groups, SELinux uses security contexts and policies to control exactly which processes can access specific files, directories, ports, and services. This helps contain compromised applications and prevent unauthorized access or privilege escalation. SELinux operates in three modes: enforcing (actively blocks violations), permissive (logs violations without blocking), and disabled. Properly labeling files and configuring policies allows services like nginx, PHP-FPM, and MariaDB to function securely while minimizing the system’s attack surface.
Useful Commands
Check Recent SELinux Denials
sudo ausearch -m AVC,USER_AVC -ts recent
or, a more human-readable view:
sudo ausearch -m AVC,USER_AVC -ts recent | audit2why
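An added example (not part of the original wiki page): a small shell function that groups the raw ausearch records above by process, source type, target type, class and permission, and marks whether each denial was blocked (enforcing) or only logged (permissive). The function names and the sample records are constructed for illustration; on a real host, pipe the ausearch command into summarize_avc instead.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials read from stdin.
# Real use: sudo ausearch -m AVC,USER_AVC -ts recent | summarize_avc

summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"; mode = "blocked"
        inbrace = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are listed between "{" and "}" and may be several.
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace)   { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            # permissive=1 means the access was logged but still allowed.
            if ($i == "permissive=1") mode = "logged-only"
        }
        count[comm " " src " -> " tgt " " cls " {" perms "} " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records in ausearch raw format (not from a real system).
sample_avc() {
    cat <<'EOF'
----
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
----
type=AVC msg=audit(1700000005.102:202): avc:  denied  { read } for  pid=1201 comm="nginx" name="style.css" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1700000009.103:203): avc:  denied  { name_connect } for  pid=1302 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
EOF
}

# Stand-alone run on the constructed sample.
sample_avc | summarize_avc
```

A repeated httpd_t to user_home_t denial like the one in the sample usually points to a file labeling problem rather than a missing policy rule, which is what audit2why helps confirm.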
tar, preserving SELinux contexts
sudo tar --xattrs --acls --selinux -czpvf file.tar.gz /path/to/archive
And to extract into the current directory:
sudo tar --xattrs --acls --selinux -xzvpf file.tar.gz -C .