SELinux enforces Mandatory Access Control by using security contexts and system-wide policies to restrict access beyond traditional Unix permissions. 1. Ensure SELinux is enabled in enforcing mode via /etc/selinux/config and reboot. 2. Use semanage fcontext for persistent labeling and restorecon to apply, ensuring correct file contexts. 3. Analyze denials with ausearch and generate policy modules using audit2allow only when necessary. 4. Adjust behavior using SELinux booleans like httpd_can_network_connect with setsebool -P for persistence. Best practices include never disabling SELinux in production, maintaining consistent labeling, monitoring audit logs with sealert, keeping policies minimal, and testing changes in permissive mode before enforcement, ensuring robust system security through proper configuration and proactive policy management.

SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for supporting Mandatory Access Control (MAC). Unlike traditional Discretionary Access Control (DAC), which relies on user-based permissions (like owner/group/other), SELinux enforces system-wide policies that restrict what processes and users can do, regardless of traditional Unix permissions. This makes it a powerful tool for hardening Linux systems against misconfigurations, privilege escalation, and unauthorized access.

Here’s how SELinux implements MAC and how you can effectively use it.

Understanding Mandatory Access Control in SELinux

In a MAC model, access decisions are made based on centrally defined policies, not user discretion. SELinux labels every process, file, directory, port, and network resource with a security context—a label that includes user, role, and type (or domain). The core of SELinux enforcement lies in these labels.

For example, the Apache web server runs in the httpd_t domain, and web content is labeled with httpd_sys_content_t. SELinux policy rules dictate that only processes in the httpd_t domain can read files labeled httpd_sys_content_t.

Even if a user or process has full DAC permissions (e.g., root), SELinux can still deny access if the policy doesn’t allow it.

You can view security contexts using:

ls -Z /var/www/html
ps -ZC httpd

Key Components of SELinux Policy Enforcement

SELinux operates in three main modes:

• Enforcing: Policy is actively enforced (recommended for production).
• Permissive: Policy violations are logged but not blocked (useful for debugging).
• Disabled: SELinux is turned off (not recommended).

Check current mode:

getenforce
sestatus

The main policy types include:

• Targeted Policy: Most common; only targeted processes (like httpd, sshd) are protected.
• MLS (Multi-Level Security): Used in high-security environments (e.g., government).

SELinux policies are written in a specialized language and compiled into binary format. Custom policies can be created using tools like audit2allow.

Practical Steps to Implement SELinux MAC

1. Ensure SELinux is Enabled and in Enforcing Mode

Check status:

sestatus

If disabled, enable it via /etc/selinux/config:

SELINUX=enforcing
SELINUXTYPE=targeted

Reboot to apply.

Note: Always test in permissive mode first when deploying on new systems.

2. Use Standard SELinux Tools to Manage Contexts

Labeling files correctly is crucial. Use:

• chcon – change context temporarily
• semanage fcontext – set persistent file context rules

Example: Allow a custom web root:

sudo semanage fcontext -a -t httpd_sys_content_t "/custom-web(/.*)?"
sudo restorecon -R /custom-web

This ensures the label survives file system relabeling.

3. Handle Denials with audit2allow

When SELinux blocks an action (visible in /var/log/audit/audit.log or via ausearch), use:

ausearch -m avc -ts recent

Then generate a policy module:

audit2allow -M mypolicy -l -i /var/log/audit/audit.log
semodule -i mypolicy.pp

Use this sparingly. Overuse weakens security. First, consider fixing the root cause (e.g., incorrect labeling).

4. Manage Booleans for Common Adjustments

SELinux provides booleans to toggle certain behaviors without writing new policies:

# Allow httpd to connect to the network
setsebool -P httpd_can_network_connect on

# List boolean related to httpd
getsebool -a | grep httpd

The -P flag makes the change persistent across reboots.

Best Practices for Secure SELinux Deployment

• Never disable SELinux in production. Work with it, not around it.
• Label files consistently using semanage, not just chcon.
• Monitor audit logs regularly for denials (ausearch, sealert).
• Use sealert -a /var/log/audit/audit.log to get human-readable explanations.
• Keep policies minimal—only allow what’s necessary.
• Test policy changes in permissive mode before switching to enforcing.

Conclusion

SELinux provides robust Mandatory Access Control that significantly improves system security when properly configured. While it has a steep learning curve, understanding security contexts, using semanage, and responding to denials with audit2allow (judiciously) allows you to enforce fine-grained access controls beyond traditional Unix permissions.

The key is consistency: label everything correctly, use built-in tools, and treat denials as policy gaps—not reasons to disable SELinux. With proper setup, SELinux becomes a silent guardian, blocking unauthorized access even when DAC fails.

Basically, it’s not about avoiding SELinux—it’s about mastering it.

The above is the detailed content of Implementing Mandatory Access Control with SELinux on Linux. For more information, please follow other related articles on the PHP Chinese website!