What is SELinux and how it affects server security. SELinux provides an advanced security mechanism for Linux systems, based on strict access rules and isolation.
Although it can be challenging to configure, the benefits in terms of protection and audit are significant.
Through proper understanding and careful application, SELinux becomes a powerful ally in securing your server.
What is SELinux and how does it affect security?
SELinux (Security-Enhanced Linux) is a security module integrated into the Linux kernel, which provides an advanced level of control over access to system resources.
Originally developed by NSA and the open-source community, SELinux operates based on a Mandatory Access Control (MAC) security policy and complements the traditional UNIX permissions system.
What is SELinux?
SELinux extends the Linux operating system security mechanism, enforcing strict rules that determine which processes can access which files, ports, resources or other processes.
Unlike standard permissions, which are flexible, SELinux adds an additional layer that applies regardless of UNIX permissions.
SELinux operating modes
SELinux can operate in three main modes:
- Enforcing – enforces security policies and blocks unauthorized actions;
- Permissive – does not block anything, but logs all policy violation attempts;
- Disabled – completely disables SELinux.
To check the current mode:
getenforce
Basic SELinux components
SELinux uses the following key concepts:
- Subjects – processes or users;
- Objects – files, directories, ports, etc.;
- Types – labels applied to objects and subjects, used in access rules;
- Policies – rules that define which subject can access which object and how.
Advantages of using SELinux
- Prevents privilege escalation in case of service compromise;
- Isolates applications from each other through strict access policies;
- Provides detailed logs of all unauthorized access attempts;
- Works independently of standard file permissions.
Useful commands in SELinux administration
1. Checking SELinux status
sestatus
2. Temporary mode change
setenforce 0 # permissive setenforce 1 # enforcing
3. Permanent mode change
sudo nano /etc/selinux/config
Modify the line:
SELINUX=enforcing
4. SELinux labels
Each file has an SELinux label:
ls -Z
To change a label:
chcon -t httpd_sys_content_t /var/www/html/index.html
5. Restoring default labels
restorecon -Rv /var/www/html
Usage example: protecting the web server
An Apache server runs with the SELinux context httpd_t. Files accessed by the server must have the httpd_sys_content_t context, and ports must be explicitly authorized.
Adding a non-standard port (ex: 8081):
semanage port -a -t http_port_t -p tcp 8081
Limitations and challenges
- Configuration can be complex for beginners;
- Incompatible applications may have functionality issues;
- Requires good understanding of SELinux policies and contexts.
When should SELinux be used?
SELinux is recommended in production environments where security is a priority, especially for network-exposed servers (web, email, databases).
It is an effective additional barrier against exploits that bypass the traditional permissions system.
Comments (0)