Use SELinux (Security-Enhanced Linux) on a Linux server to implement mandatory access control (MAC) that enhances system security beyond traditional discretionary access controls. SELinux enforces security policies that govern how processes access files, ports, and other resources, minimizing potential damage from vulnerabilities or compromised services.
This guide walks you through how to use SELinux on a Linux server, including installation, checking status, configuring modes, managing policies, and troubleshooting.
Prerequisites
- A Linux server running a distribution that supports SELinux, such as Red Hat Enterprise Linux (RHEL), CentOS, Fedora, AlmaLinux, Rocky Linux, or Ubuntu (though SELinux might need manual enablement on Ubuntu)
- Root or sudo privileges to install and configure SELinux
- Basic knowledge of Linux command-line utilities and system administration
Use SELinux on a Linux Server
Use SELinux on Linux to enhance your server’s security by enforcing strict access controls and minimizing the impact of potential breaches.
Check SELinux Status
Check if SELinux is enabled and its current mode:
sestatusTypical outputs show:
- SELinux status: enabled or disabled
- Current mode: enforcing, permissive, or disabled
Enforcing means policies are actively enforced; permissive logs violations without enforcement; disabled means SELinux is off.
Install SELinux Packages (if needed)
On Red Hat-based systems (RHEL, CentOS, Fedora):
sudo yum install selinux-policy selinux-policy-targeted policycoreutilsOn Ubuntu/Debian:
sudo apt-get install selinux-utils selinux-policy-defaultSELinux packages may already be installed on many distributions.
Also, Read | Understand SELinux on Linux Server: A Complete Guide
Enable and Set SELinux Mode
Edit the SELinux configuration file:
sudo nano /etc/selinux/configAdjust the line starting with SELINUX= to one of the following:
SELINUX=enforcing– enable and enforce policiesSELINUX=permissive– enable but only log violationsSELINUX=disabled– disable SELinux
For full security, use enforcing. To troubleshoot, use permissive.
Save changes and reboot the server for the settings to take effect:
sudo rebootAlternatively, change SELinux mode temporarily (without reboot) via:
sudo setenforce 1 # Set enforcing mode
sudo setenforce 0 # Set permissive modeCheck the current mode without reboot:
getenforceManage SELinux Policies and Booleans
- List SELinux booleans (policy toggles) to modify system behavior without rewriting policies:
sudo semanage boolean -l- Enable/disable specific booleans, e.g., to allow Apache to connect to the network:
sudo setsebool -P httpd_can_network_connect on- Check the boolean status:
sudo getsebool httpd_can_network_connect- Use booleans to tailor SELinux to your server’s roles (web server, mail server, etc.) flexibly.
Managing SELinux Contexts and File Labels
Each file and process has an SELinux security context that determines access rights.
- Check file context:
ls -Z /path/to/file- Restore default context if contexts are incorrect (e.g., after copying files):
sudo restorecon -Rv /path/to/directory- To relabel the entire filesystem (sometimes needed after SELinux enabling or policy changes):
sudo touch /.autorelabel
sudo rebootThis causes a relabel on reboot, which may take some time.
Troubleshooting SELinux
- Check SELinux audit logs for denials and errors:
sudo less /var/log/audit/audit.log- Use the
audit2whyandaudit2allowtools to diagnose and create custom policy modules:
sudo ausearch -m avc -ts recent
sudo audit2allow -w -a # Explanation of denials
sudo audit2allow -a -M mypol # Create custom module
sudo semodule -i mypol.pp # Insert module- Switch to permissive mode temporarily for debugging if services are blocked.
Verify SELinux is Working
After enabling and configuring SELinux, verify its status and mode:
sestatus
getenforceConfirm that services are running correctly and that SELinux is enforcing policies.
Conclusion
To use SELinux on a Linux server, check and install SELinux packages if needed, configure the mode via /etc/selinux/config, and manage SELinux policies and booleans to align with your server roles. Use tools like sestatus, setenforce, and semanage to monitor and control SELinux operation. SELinux provides an advanced additional layer of security, protecting your Linux server by enforcing least privilege policies on processes and files.
![How to Use Webmin on Linux [Ultimate Guide]](https://www.youstable.com/blog/wp-content/uploads/2025/08/How-to-Use-Webmin-on-Linux-Ultimate-Guide.jpg)