Securing Linux Servers with SELinux Mandatory Access Controls

SELinux implements mandatory access controls that confine processes to the minimum set of permissions they need to function. Even if an attacker compromises a service, SELinux limits the damage they can do to the broader system.

Understanding SELinux Modes and Policies

SELinux operates in one of three modes: enforcing, permissive, or disabled. Start with permissive mode, which logs every access that enforcing mode would block without actually blocking it; review those AVC denials in the audit log with audit2why, generate custom policy modules with audit2allow where a denial is legitimate, and only then switch to enforcing mode.

The targeted policy, default on RHEL and CentOS, confines specific system services while leaving user processes in an unconfined domain. This pragmatic approach provides significant security benefits without requiring a complete policy overhaul for every application.

Common troubleshooting involves restoring file contexts with restorecon after files have been moved or copied with the wrong label, and managing SELinux booleans, the flags that toggle specific policy behaviors without writing a custom module. The semanage command configures port types, file contexts, and login mappings that persist across relabeling operations.
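To make the permissive-mode audit workflow above concrete, here is an added example (not from the original post, and not the code of audit2why or audit2allow) that parses constructed AVC denial records in the audit.log format, groups them by source type, target type and object class the way audit2allow does, and renders the resulting allow rules. The log lines, PIDs, inode numbers and the `postgresql_port_t` connection are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed AVC records in the format found in /var/log/audit/audit.log.
# "permissive=1" marks a denial logged in permissive mode: the access was
# allowed this time but would be blocked once the system is enforcing.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.102:202): avc:  denied  { open } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.500:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000002.500:203): arch=c000003e syscall=42 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(log_text):
    """Yield one dict per AVC denial record; SYSCALL and other records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {"perms": set(m["perms"].split()), "tclass": m["tclass"],
               "source": type_of(m["scontext"]), "target": type_of(m["tcontext"]),
               "permissive": m["permissive"] == "1"}

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), merging the permissions."""
    grouped = defaultdict(set)
    for rec in parse_avc(log_text):
        grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)

def to_allow_rules(summary):
    """Render each group as a Type Enforcement allow rule, as audit2allow would."""
    # Review every group before loading it: an httpd_t denial on user_home_t
    # usually means mislabeled content (fix with restorecon or by relabeling the
    # directory), and a port denial is often covered by an existing boolean.
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]
```

Running `to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))` collapses the three denials into two rules, one for the home-directory file reads and one for the database port connect.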