Basic concepts and fundamentals of SELinux
Security Enhanced Linux (SELinux) is a security feature developed by the U.S. National Security Agency (NSA) with help from other organizations and the Linux community to provide advanced security controls for Linux systems.
DAC vs. MAC
SELinux uses Mandatory Access Control (MAC). MAC differs from the standard Linux Discretionary Access Control (DAC). DAC covers standard file and directory permissions, access control lists (ACLs), and other user privileges. MAC adds a second layer of protection by controlling what users and processes can access and what they can do with those resources, which limits the damage a security breach can cause. MAC controls are precise. For example, if an attacker compromises the HTTP service, the attacker can reach only the files the HTTP process is allowed to reach, not other processes or files on the system. To enforce this control, MAC uses rules called policies that check the security settings of the user and the resource whenever access is requested. It stores these settings as labels.
Terminology
SELinux uses complex terminology. The following table outlines the essential terms needed to understand SELinux concepts and functions.
| Term | Description |
|---|---|
| Subject | A subject is a user or process that accesses an object. |
| Object | An object is a resource that the subject accesses. |
| Access | An access is an action the subject performs on an object. |
| Policy | A policy defines the actions the subject can perform on the object. |
| Context | A context stores security attributes for subjects and objects. |
| Labeling | Labeling is the process of mapping subjects and objects to their contexts. |
Role
A role is an attribute. It defines who (the subject) can access what (domains or types). SELinux authorizes users for roles, and roles authorize domains and types. Each subject has an associated role, which keeps system processes and user processes separated. A subject can transition to a new role to gain access to other domains and types.
Type
A type is a group of objects that share the same security requirements. SELinux places files and directories with similar security requirements in the same type.
Domain
A domain specifies the type of access that a process has. SELinux groups processes with similar security requirements within a specific domain type and runs them in a confined manner within that domain.
Access Vector Cache (AVC)
SELinux uses an Access Vector Cache (AVC) to improve performance. When a subject requests access to an object, SELinux checks its policy and, based on the policy, allows or denies the request. SELinux saves this access decision in the AVC. If the same subject makes the same access request again, SELinux answers it from the AVC. It consults the SELinux policy only when the decision is not already in the AVC.
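The lookup-then-cache behaviour described above, as an added example that is not part of this tutorial: a toy policy of allow rules, a small LRU cache standing in for the AVC, and counters that show how many requests reach the policy versus the cache. The domain and type names are real Fedora/RHEL policy names, but the POLICY rule set is a hypothetical subset and the cache is a simplification of the kernel's AVC.

```python
"""Toy model of an SELinux access check backed by an Access Vector Cache.

Added example, not part of the tutorial. The domain and type names are real
Fedora/RHEL policy names, but POLICY is a hypothetical, tiny subset of allow
rules, and the cache is a simplified LRU, not the kernel's AVC implementation.
"""
from collections import OrderedDict

# Hypothetical allow rules: (source domain, target type, object class) -> permissions.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): frozenset({"read", "getattr", "open"}),
    ("httpd_t", "httpd_log_t", "file"): frozenset({"append", "create", "getattr"}),
    ("sshd_t", "sshd_key_t", "file"): frozenset({"read", "getattr", "open"}),
}


class AccessVectorCache:
    """Caches the whole access vector for a (domain, type, class) triple, so a
    later request for a different permission on the same triple is still
    answered from the cache."""

    def __init__(self, capacity=4):
        self.capacity = capacity
        self._entries = OrderedDict()
        self.policy_lookups = 0  # how often the policy itself was consulted
        self.hits = 0            # how often the AVC answered

    def _policy_lookup(self, key):
        self.policy_lookups += 1
        return POLICY.get(key, frozenset())

    def access_vector(self, domain, target_type, obj_class):
        key = (domain, target_type, obj_class)
        if key in self._entries:
            self.hits += 1
            self._entries.move_to_end(key)
            return self._entries[key]
        vector = self._policy_lookup(key)
        self._entries[key] = vector
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the least recently used entry
        return vector

    def check(self, domain, target_type, obj_class, perm):
        return perm in self.access_vector(domain, target_type, obj_class)


def denial_message(domain, target_type, obj_class, perm):
    """Format a denial in the style of the kernel's 'avc: denied' audit line
    (constructed, abbreviated format)."""
    return (f"avc:  denied  {{ {perm} }} for scontext={domain} "
            f"tcontext={target_type} tclass={obj_class}")


def simulate(requests):
    """Run (domain, type, class, perm) requests through one cache and return
    (denial messages, policy lookups, cache hits)."""
    avc = AccessVectorCache()
    denials = []
    for domain, target_type, obj_class, perm in requests:
        if not avc.check(domain, target_type, obj_class, perm):
            denials.append(denial_message(domain, target_type, obj_class, perm))
    return denials, avc.policy_lookups, avc.hits


if __name__ == "__main__":
    # Constructed workload: a web server reads content, then tries to write it.
    workload = [
        ("httpd_t", "httpd_sys_content_t", "file", "read"),
        ("httpd_t", "httpd_sys_content_t", "file", "read"),   # AVC hit
        ("httpd_t", "httpd_sys_content_t", "file", "write"),  # hit, but denied
        ("httpd_t", "shadow_t", "file", "read"),              # no rule: denied
    ]
    denials, lookups, hits = simulate(workload)
    print(f"policy lookups={lookups} avc hits={hits}")
    for line in denials:
        print(line)
```

The point to take from the counters is that a denial is also cached: the third request is served from the AVC even though it is refused, and only the first request for each new (domain, type, class) triple costs a policy lookup.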
SELinux Users
SELinux users are predefined user accounts in the SELinux database. SELinux authorizes each SELinux user account for specific tasks. A SELinux user account can perform only the delegated tasks, nothing more. SELinux users are different from standard Linux users. When SELinux is enabled, Linux maps each standard user to a SELinux user. After that, the standard user can perform only the actions authorized for the mapped SELinux user. For example, the default file permissions allow a user to create new files in his home directory and in the root partition. If we map that user to a SELinux user account that is authorized to create files only in its home directory, the user cannot create files in the root partition, even though the file permissions allow it.
Standard Linux users
- Each user has a unique identity.
- We can track and monitor each user account separately.
- These user accounts have login capability. We use them to access the local system.
- We create, delete, and manage these accounts as per our requirements.
SELinux users
- SELinux users are role-based.
- They are pre-created. We cannot create or delete them.
- We cannot use these accounts directly. These accounts do not have login capability.
- Unless we map a SELinux user to a standard Linux user, it cannot perform any actions.
- After mapping, it allows the linked user to perform only the authorized actions.
- We can map a SELinux user with multiple standard Linux users.
Viewing SELinux users
The seinfo command with the -u option lists all SELinux users.
#seinfo -u

To view the mapping between Linux and SELinux users, use the following command.
#semanage login -l

The seinfo and semanage commands are part of the setools-console package. You must install this package to use these commands.
The setools-console package
SELinux management is complex. The setools-console package simplifies it. It provides commands for all essential SELinux management tasks. However, it is not part of the default SELinux installation. We must install it before we use it. The following command installs it.
#dnf install setools-console
Viewing SELinux contexts
Each SELinux context consists of a subject, an object, a type or domain, and a security level. The -Z option shows SELinux contexts. Use it with the id command to view SELinux contexts for user accounts. For example, the following command shows SELinux contexts for the current user account.
#id -Z

Use the -Z option with the ls command to view the SELinux contexts of the files and directories.
#ls -Z

To view the SELinux contexts of running processes, use it with the ps command.
#ps -eZ

Managing SELinux contexts for files
When SELinux is enabled, it labels all files, processes, and users with contexts. When a user or process accesses a file, SELinux looks up the file's type in the set of file types the user or process is allowed to access. If the user or process is authorized for that file type, SELinux allows the access. If not, it denies the request. Because this check is applied on top of the standard file permissions, a denied user or process cannot access the file no matter what file permissions it holds. SELinux assigns a new file its context from the parent directory.
- If we copy the file to a new directory, the copied file receives its context from the destination directory.
- If the destination directory already has a file with the same name and we overwrite it, the new file gets the contexts of the existing file.
- If we move the file to a new directory, the moved file retains its context.
- If we archive the file with the tar utility, its context is removed.
- If we extract an archive, the extracted files get their context from the directory in which they are extracted.
- The --preserve=context option preserves the context. If we use it with the copy operation, the copied file retains its original context. If we use it with the tar command, it keeps the existing context.
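An added example, not part of this tutorial, that simulates the copy, move, overwrite, and archive rules listed above and then flags files whose label no longer matches the policy default, which is the check `restorecon -nv` performs. The FILE_CONTEXTS table is a constructed subset of a file_contexts table (the type names are real Fedora/RHEL names); the simulation assumes every directory currently carries its default type.

```python
"""Simulate how a file's SELinux type changes under cp, mv and tar, and flag
files whose type drifted from the default the policy would assign.

Added example, not from the tutorial. FILE_CONTEXTS is a constructed subset
of a file_contexts table; the type names are real Fedora/RHEL names. The
simulation assumes each directory currently carries its default type.
"""
import re

# Constructed file_contexts-style table: (path regex, type). The toy picks the
# last matching entry, approximating a real file's general-to-specific order.
FILE_CONTEXTS = [
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/tmp(/.*)?", "tmp_t"),
]


def default_type(path):
    """Type restorecon would apply to path, or None if no entry matches."""
    match = None
    for pattern, type_ in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            match = type_
    return match


def parent_dir(path):
    return path.rsplit("/", 1)[0] or "/"


def type_after_copy(src_type, dest_path, existing_type=None, preserve=False):
    """cp: inherit from the destination directory, unless overwriting an
    existing file (keeps that file's type) or --preserve=context is used."""
    if preserve:
        return src_type
    if existing_type is not None:
        return existing_type
    return default_type(parent_dir(dest_path))


def type_after_move(src_type, dest_path):
    """mv keeps the original label, whatever the destination directory is."""
    return src_type


def type_after_extract(dest_path, archived_type=None):
    """tar drops the context unless it was stored in the archive; otherwise the
    extracted file takes the extraction directory's type."""
    if archived_type is not None:
        return archived_type
    return default_type(parent_dir(dest_path))


def drift_report(files):
    """files: {path: current_type}. Returns {path: (current, default)} for every
    file whose label differs from the policy default."""
    report = {}
    for path, current in files.items():
        expected = default_type(path)
        if expected != current:
            report[path] = (current, expected)
    return report


if __name__ == "__main__":
    home = default_type("/home/alice/index.html")  # user_home_t
    copied = type_after_copy(home, "/var/www/html/index.html")
    moved = type_after_move(home, "/var/www/html/index.html")
    print("cp ->", copied, " mv ->", moved)
    print(drift_report({"/var/www/html/index.html": moved}))
```

The moved file is the classic case: it still carries `user_home_t` inside the web root, so the web server's domain cannot read it even though the DAC permissions look fine, and the drift report is what tells an administrator that a relabel is needed.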
SELinux commands
The following table lists all essential SELinux commands.
| Command | Management type | Description |
|---|---|---|
| getenforce | Mode | Shows the current mode of SELinux |
| sestatus | Mode | Displays Boolean values and runtime status of SELinux |
| setenforce | Mode | Switches the operating mode between enforcing and permissive in the current session only |
| chcon | Context | Changes file contexts (the new contexts do not survive a context relabeling) |
| restorecon | Context | Restores default contexts on files |
| semanage | Context | Changes file contexts (the new contexts survive a context relabeling) |
| seinfo | Policy | Displays the status of policy components |
| semanage | Policy | Updates and manages the SELinux policy database |
| sesearch | Policy | Finds rules in the SELinux policy database |
| getsebool | Boolean | Shows Booleans and their current status |
| setsebool | Boolean | Changes Boolean values |
| semanage | Boolean | Updates Boolean values in the policy database |
| sealert | Troubleshooting | The graphical tool for troubleshooting and fixing SELinux errors and issues |
This tutorial is part of the series "SELinux Explained with Examples". The other parts of this series are as follows:
Chapter 1 Basic concepts and fundamentals of SELinux
Chapter 2 SELinux and AppArmor Differences and Terminology
Chapter 3 SELinux Modes Explained with Examples
Chapter 4 SELinux Contexts for Users, Processes, and Files
Chapter 5 Copying, Moving, and Archiving Files with SELinux Contexts
Chapter 6 SELinux Explained with Examples in Easy Language
Chapter 7 SELinux Booleans Explained with Examples
Chapter 8 Troubleshooting SELinux explained with Booleans
Conclusion
This tutorial provides a brief introduction to SELinux concepts and functions. It prepares a base for SELinux topics explained in the following parts of this tutorial.
Author: Laxmi Goswami. Updated on 2026-02-10.