Notes

SELinux

Overview

SELinux (Security-Enhanced Linux) is a Linux LSM (Linux Security Module) implementation that enforces mandatory access control (MAC) using labels (security contexts) instead of paths. It is widely used on RHEL/Fedora/CentOS and also heavily on Android (Linux kernel).

Mental Model

Every subject (process) and object (file/socket/etc.) carries a label. The policy decides whether a subject label may access an object label in a given way. Because the decision is tied to the label rather than the path, access control stays intact when files are moved or renamed (unlike path-based approaches).

Key Concepts

Security context: the label, usually shown as user:role:type:level.
Type Enforcement (TE): allow/deny decisions based on types (the most common mechanism).
Domains: process types (e.g., a service runs in a confined domain).
Roles: mostly relevant for user logins (RBAC).
MLS/MCS: optional multi-level / category separation (MCS is the one commonly used for container separation).

Modes

enforcing: the policy blocks violations.
permissive: violations are logged but allowed.
disabled: SELinux is not active.

Relationship to Containers

Container runtimes can label container processes/files so each container runs in its own confined domain. On SELinux systems, Docker/Podman commonly rely on MCS categories to isolate containers from each other. SELinux complements:

Tooling

getenforce: show the current mode.
setenforce 0|1: switch to permissive (0) or enforcing (1).
semanage: manage persistent policy settings.
restorecon: reset file contexts to the policy defaults.
ausearch / audit2why: find and interpret denials.
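As an added example (not part of these notes), the Python below models the label rules from Key Concepts and Relationship to Containers: it parses a context into user:role:type:level, expands MCS categories, checks the MCS constraint between a subject and an object label, and extracts the fields from an AVC denial line. The denial line is a constructed sample in the kernel audit format, not output from a real host.

```python
import re
from dataclasses import dataclass

# Constructed AVC denial in the kernel audit format (sample data, not from a real system).
SAMPLE_AVC = ('type=AVC msg=audit(1700000000.123:42): avc:  denied  { read } for  pid=1234 '
              'comm="nginx" name="index.html" dev="dm-0" ino=99 '
              'scontext=system_u:system_r:container_t:s0:c12,c34 '
              'tcontext=system_u:object_r:container_file_t:s0:c56,c78 tclass=file permissive=0')

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MLS/MCS part, e.g. "s0" or "s0:c12,c34"; empty if absent

    @classmethod
    def parse(cls, text):
        # user:role:type[:level]; the level itself contains ':' so split at most 3 times.
        parts = text.split(':', 3)
        if len(parts) < 3:
            raise ValueError('not a security context: %r' % text)
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else '')

    def categories(self):
        # Expand MCS categories: "s0:c1,c5.c7" -> {1, 5, 6, 7} ('.' denotes a range).
        cats = set()
        if ':' not in self.level:
            return cats
        for item in self.level.split(':', 1)[1].split(','):
            m = re.fullmatch(r'c(\d+)(?:\.c(\d+))?', item)
            if not m:
                raise ValueError('bad MCS category: %r' % item)
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            cats.update(range(lo, hi + 1))
        return cats

def mcs_allows(subject, obj):
    # MCS constraint only: the subject must hold every category on the object.
    # A type-enforcement allow rule must still exist for the access to succeed.
    return obj.categories() <= subject.categories()

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<s>\S+)'
                    r'\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def parse_avc(line):
    # Pull the fields an analyst needs out of one AVC denial line; None if not a denial.
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': m.group('perms').split(), 'tclass': m.group('cls'),
            'scontext': Context.parse(m.group('s')), 'tcontext': Context.parse(m.group('t'))}
```

For the sample line, mcs_allows(scontext, tcontext) is False: the container holds c12,c34 but the file carries c56,c78, which is exactly the per-container separation MCS is meant to provide.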