SELinux: Mandatory Access Control in Linux
Understanding Security-Enhanced Linux (SELinux) contexts, policies, and how MAC provides a superior security layer over traditional Linux file permissions.
Overview
Security-Enhanced Linux (SELinux) is a security architecture for Linux systems embedded directly into the kernel using the Linux Security Modules (LSM) framework. Originally developed by the United States National Security Agency (NSA), it enforces Mandatory Access Control (MAC) policies that confine user programs and system services.
The Problem
Traditional Linux uses Discretionary Access Control (DAC), based on standard file permissions (Read/Write/Execute for Owner/Group/Others). If a web server daemon (like Apache) is compromised due to a vulnerability, the attacker inherits the permissions of the www-data or apache user. If that user has read access to the /etc/ directory or SSH keys due to a misconfiguration, the attacker can easily traverse the system, steal credentials, and escalate privileges. DAC relies entirely on the premise that the application will behave properly.
Solution and Configuration
SELinux acts as a final, absolute security barrier. Even if file permissions (DAC) allow access, SELinux (MAC) can explicitly deny it based on strict policies.
Checking SELinux Status and Contexts:
sestatus # Shows if SELinux is Enforcing or Permissive
ls -Z /var/www/html/ # Shows the security context of files
Technical Details
In SELinux, every file, process, and port has a Security Context (a label consisting of user, role, type, and level). For example, the Apache process usually has the type httpd_t, and web files have the type httpd_sys_content_t.
The core rule of SELinux is default denial. The policy explicitly states that the httpd_t process is ONLY allowed to read files labeled httpd_sys_content_t. If a compromised Apache process tries to read the /etc/shadow file (which is labeled shadow_t), the kernel will block the action instantly, log an AVC (Access Vector Cache) denial to the audit log, and stop the attacker dead in their tracks, regardless of what the chmod permissions say.
Conclusion
Because SELinux is notoriously complex, many junior administrators simply disable it (setenforce 0) when they encounter an "Access Denied" error during server setup. This is a catastrophic security practice. Learning to read SELinux audit logs (ausearch) and properly labeling files (chcon or semanage fcontext) is a mandatory skill for securing enterprise Red Hat/CentOS/Fedora systems.
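As an added example (not code from the original article), the following Python script triages AVC denial lines in the audit.log format described under Technical Details, separating a genuine containment event (httpd_t touching shadow_t) from a probable content mislabeling (httpd_t denied on user_home_t), which is the judgment the Conclusion asks administrators to make before reaching for chcon or setenforce 0. The sample log lines and the two type sets are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in /var/log/audit/audit.log format (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:101): avc:  denied  { read } for  pid=1241 comm="httpd" name="shadow" dev="dm-0" ino=65 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:102): avc:  denied  { getattr } for  pid=1241 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.456:102): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

# Assumed policy knowledge: target types a web server must never touch (denial = containment
# worked, investigate the process) versus types that usually mean web content was copied
# from a home directory and simply needs relabeling with restorecon / semanage fcontext.
SENSITIVE_TYPES = {"shadow_t", "sshd_key_t", "ssh_home_t"}
MISLABELED_WEB_TYPES = {"user_home_t", "admin_home_t", "default_t"}

@dataclass
class AvcDenial:
    pid: int
    comm: str
    perms: list
    source_type: str   # type field of scontext, e.g. httpd_t
    target_type: str   # type field of tcontext, e.g. shadow_t
    tclass: str
    permissive: bool   # True means the action was logged but NOT blocked

def parse_avc(line):
    """Return an AvcDenial for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcDenial(pid=int(m["pid"]), comm=m["comm"], perms=m["perms"].split(),
                     source_type=m["scontext"].split(":")[2],
                     target_type=m["tcontext"].split(":")[2],
                     tclass=m["tclass"], permissive=m["permissive"] == "1")

def classify(d):
    """Return (verdict, advice) for one denial; relabeling is only advised for content types."""
    note = " (permissive mode: access was NOT blocked)" if d.permissive else ""
    if d.target_type in SENSITIVE_TYPES:
        return "ALERT", f"{d.comm} ({d.source_type}) attempted {' '.join(d.perms)} on {d.target_type}; investigate pid {d.pid}, do not relabel{note}"
    if d.source_type == "httpd_t" and d.target_type in MISLABELED_WEB_TYPES:
        return "RELABEL", f"web content labeled {d.target_type}; fix with restorecon or a semanage fcontext rule, not setenforce 0{note}"
    return "REVIEW", f"unexpected {d.source_type} -> {d.target_type} denial; inspect with ausearch -m AVC before touching policy{note}"

def triage(log_text):
    """Parse every AVC record in the text and attach a verdict to each."""
    return [(d, *classify(d)) for d in map(parse_avc, log_text.splitlines()) if d]

if __name__ == "__main__":
    for denial, verdict, advice in triage(SAMPLE_AUDIT_LOG):
        print(f"[{verdict}] {advice}")
```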