SELinux
What is SELinux?
SELinux: Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy.
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) framework built on the Flask architecture. It was originally developed by the U.S. National Security Agency and merged into the Linux 2.6 kernel in 2003. It labels every process, file, socket, and IPC object with a security context (user:role:type:level) and enforces a centrally compiled policy through the LSM hooks, on top of standard DAC permissions. The dominant policy model is type enforcement combined with role-based access control and optional MLS/MCS for multi-level security. SELinux ships enabled in enforcing mode on RHEL, CentOS Stream, Fedora, and Android, and is widely used to confine containers, web servers, and privileged daemons; the main complaint against it is policy complexity.
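The context format described above, as an added example that is not part of the original page: a Python parser for `user:role:type:level` labels that keeps the colons inside the level field intact, plus a simplified MCS dominance check showing how two containers of the same type are kept apart. The sample labels are constructed, and the `sN`/`cN` naming and the `high_level` and `dominates` helpers are assumptions of this example, not the kernel's full constraint evaluation.

```python
from typing import NamedTuple, Optional, Set, Tuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # None when the label carries no MLS/MCS field

def parse_context(label: str) -> Context:
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = label.strip().split(":", 3)  # maxsplit keeps 's0:c1,c2' in one piece
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {label!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

def high_level(level: str) -> Tuple[int, Set[int]]:
    """Return (sensitivity, categories) for the upper bound of a level or range."""
    high = level.split("-")[-1]            # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    sens, _, cats = high.partition(":")
    expanded: Set[int] = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")  # 'c5.c7' means c5 through c7
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        expanded.update(range(lo, hi + 1))
    return int(sens[1:]), expanded

def dominates(subject: str, obj: str) -> bool:
    """Simplified dominance: the subject's high level must cover the object's."""
    s_sens, s_cats = high_level(parse_context(subject).level or "s0")
    o_sens, o_cats = high_level(parse_context(obj).level or "s0")
    return s_sens >= o_sens and s_cats >= o_cats  # superset test on categories

# Constructed sample labels, in the form `ps -Z` and `ls -Z` print them.
CONTAINER_A = "system_u:system_r:container_t:s0:c123,c456"
CONTAINER_B = "system_u:system_r:container_t:s0:c7,c900"
FILE_OF_A = "system_u:object_r:container_file_t:s0:c123,c456"
ADMIN_SHELL = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    for proc in (CONTAINER_A, CONTAINER_B, ADMIN_SHELL):
        print(parse_context(proc).type, dominates(proc, FILE_OF_A))
```

Dominance covers only the level field; type enforcement rules for the `type` field are evaluated separately and must also allow the access.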
● Examples
- 01 RHEL ships with the targeted policy in enforcing mode by default.
- 02 Android uses SELinux to confine system_server, Zygote, and per-app domains.
● Frequently asked questions
What is SELinux?
Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy. It belongs to the Cryptography category of cybersecurity.
What are other names for SELinux?
Common alternative names include: Security-Enhanced Linux, NSA SELinux.
● Related terms
- cryptography № 053
AppArmor
A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs.
- cryptography № 979
seccomp
A Linux kernel facility that restricts which system calls a process can make, with the modern seccomp-BPF/eBPF mode enabling fine-grained per-syscall filters.
- identity-access № 652
Mandatory Access Control (MAC)
An access-control model in which a central policy — not the resource owner — enforces access decisions based on classifications and clearances assigned to subjects and objects.
- cloud-security № 213
Container Security
The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
- vulnerabilities № 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
● See also
- № 615 Linux Capabilities
- № 120 BPF LSM