Security-Enhanced Linux facts for kids

Kids Encyclopedia Facts

Quick facts for kids
SELinux

Screenshot of `seinfo` and `semanage` showing SELinux information of a policy file used by the system, users of SELinux, and file labels related to Simple Desktop Display Manager
Original author(s)	NSA and Red Hat
Developer(s)	Red Hat
Initial release	22 December 2000; 24 years ago (2000-12-22)

Stable release	3.9 / 16 July 2025; 28 days ago (16 July 2025)

Written in	C
Operating system	Linux
Type	Security, Linux Security Modules (LSM)
License	GNU GPL

Security-Enhanced Linux (SELinux) is a special security feature for Linux computers. Think of it as an extra security guard that helps control what programs and users can do. It makes sure that even if a program has a problem, it can't cause too much trouble for the rest of your computer.

SELinux adds special rules to your Linux system. These rules help keep your computer safe by limiting what different parts of the system can access. It's like having a very strict set of permissions for everything. This system was first developed by the United States National Security Agency (NSA).

How SELinux Protects Your Computer
The Story of SELinux
- Who Helped Build SELinux?
Users, Rules, and Security Labels
Cool Features of SELinux
Where is SELinux Used?
How SELinux is Used
- Quick Examples
SELinux vs. AppArmor
Other Similar Security Systems
See also

How SELinux Protects Your Computer

SELinux works by adding strong security rules to the main parts of the Linux system. It helps keep information separate based on how secret or important it is. This means it can stop programs from messing with things they shouldn't. It also helps limit the damage if a program has a bug or gets attacked.

A Linux computer with SELinux uses these rules to control programs and services. It also controls who can access files and network connections. By limiting what each program can do, SELinux makes it harder for problems to spread. For example, if a web server program gets hacked, SELinux can stop it from harming other parts of your system.

Traditional Linux security relies on programs being perfectly written and set up. If there's a mistake in just one program, your whole system could be at risk. But with SELinux, the security depends more on the core system and its rules. This means even if one program has a problem, the rest of your computer stays safer.

SELinux combines different security ideas to create a very flexible system. It uses concepts like mandatory access control (MAC) and role-based access control (RBAC). This allows for many different ways to set up security rules.

The Story of SELinux

The idea for SELinux came from earlier work on making UNIX-like systems more secure. The National Security Agency (NSA) started working on this in the late 1980s.

SELinux was created to show how strong security controls could be added to Linux. At first, you had to add SELinux to the Linux system yourself. But later, it became a standard part of the main Linux system.

The NSA first shared SELinux with the open source community on December 22, 2000. It was officially added to the main Linux kernel in 2003. Other groups like Red Hat also helped a lot in developing it.

SELinux uses a special design called FLASK (Flux Advanced Security Kernel). This design helps it enforce many types of security rules. It can control access based on types of information, roles of users, and different security levels.

Who Helped Build SELinux?

Many people and organizations helped create and improve SELinux. The NSA was the main developer at the start. Other important helpers included Network Associates Laboratories, Mitre Corporation, Secure Computing Corporation, Red Hat, and Tresys Technology. Many individual developers also contributed their time and skills.

The National Security Agency (NSA)
Network Associates Laboratories (NAI Labs)
The MITRE Corporation
Secure Computing Corporation (SCC)
Matt Anderson
Ryan Bergauer
Bastian Blank
Thomas Bleher
Joshua Brindle
Russell Coker
John Dennis
Janak Desai
Ulrich Drepper
Lorenzo Hernandez Garcia-Hierro
Darrel Goeddel
Carsten Grohmann
Steve Grubb
Ivan Gyurdiev
Serge Hallyn
Chad Hanson
Joerg Hoh
Trent Jaeger
Dustin Kirkland
Kaigai Kohei
Paul Krumviede
Joy Latten
Tom London
Karl MacMillan
Brian May
Frank Mayer
Todd Miller
Roland McGrath
Paul Moore
James Morris
Yuichi Nakamura
Greg Norris
Eric Paris
Chris PeBenito
Red Hat
Petre Rodan
Shaun Savage
Chad Sellers
Rogelio Serrano Jr.
Justin Smith
Manoj Srivastava
Tresys Technology
Michael Thompson
Trusted Computer Solutions
Tom Vogt
Reino Wallin
Dan Walsh
Colin Walters
Mark Westerman
David A. Wheeler
Venkat Yekkirala
Catherine Zhang

Users, Rules, and Security Labels

SELinux uses special "security contexts" or labels for everything. These labels describe who or what something is and what it's allowed to do. For example, a program might have a label that says it's a "web server program." A file might have a label that says it's a "website file."

These labels help SELinux decide if a program can access a file. The rules for these decisions are called "policies." Policies are like a big rulebook that tells SELinux what's allowed and what's not.

You can see these security labels using special commands. For example, if you type `ls -Z` in your computer's terminal, it will show you the SELinux labels for files. If you type `ps -Z`, it shows labels for running programs.

SELinux policies are made up of many rules. These rules say things like "only the web server program can read website files." If a program tries to do something not allowed by its label and the rules, SELinux will stop it.

Policies are usually created by experts and then compiled into a single file. This file can be loaded into the computer's kernel (the core part of the operating system). You can even test policies in a "permissive mode" where violations are logged but not stopped. This helps find and fix any problems with the rules.

Cool Features of SELinux

SELinux has many features that make it a powerful security tool:

It clearly separates the rules from how they are enforced.
It has clear ways for programs to ask about security rules.
It works with different types of security rules and languages.
It gives unique labels and controls to different parts of the system.
You can change the security rules without restarting your computer.
It protects both the system's integrity (making sure it's not messed with) and data privacy.
It's very flexible in how you set up rules.
It controls how programs start and run.
It controls access to files, folders, and network connections.
It controls special "capabilities" that programs might have.
It remembers past security decisions to make things faster.
It uses a "default-deny" rule, meaning anything not specifically allowed is blocked.

Where is SELinux Used?

sestatus showing status of SELinux in a system (openSUSE Tumbleweed)

SELinux is used in many places to make systems more secure.

It has been part of Android phones and tablets since version 4.3.

Many popular Linux systems use SELinux. For example, Fedora has included it by default since Fedora Core 2. Debian and Ubuntu also support it. openSUSE and Red Hat Enterprise Linux (RHEL) also use SELinux.

SELinux is also very useful for Linux containers. These are like small, isolated environments for running programs. SELinux helps keep these containers separate and secure from each other and the main computer.

How SELinux is Used

SELinux can control exactly what each user, program, and service on a computer is allowed to do. It's often used to protect important programs like database servers or web servers. If one of these programs gets attacked, SELinux can limit the damage it can cause.

Here are some command-line tools you can use with SELinux: chcon, restorecon, restorecond, runcon, secon, fixfiles, setfiles, load_policy, booleans, getsebool, setsebool, togglesebool setenforce, semodule, postfix-nochroot, check-selinux-installation, semodule_package, checkmodule, selinux-config-enforcing, selinuxenabled, and selinux-policy-upgrade

Quick Examples

To turn SELinux's security rules "on" (enforcing mode):

setenforce 1

To check if SELinux is "on" or "off":

getenforce

SELinux vs. AppArmor

SELinux is one way to control what software can do on a computer. Another popular way is called AppArmor. AppArmor is used on systems like SUSE Linux Enterprise Server (SLES) and openSUSE.

SELinux and AppArmor are quite different. SELinux uses a more complex system of labels and rules. AppArmor tries to be simpler by using file paths to define rules.

Here are some key differences:

AppArmor identifies files by their name and location. If you make a copy of a file, AppArmor might treat it differently. SELinux uses a deeper "type" for files, so a copy would still have the same security type.
SELinux and AppArmor are managed differently.
SELinux offers many more types of controls than AppArmor. For example, AppArmor can control if you can read or write a file. SELinux can do that and also control things like connecting to networks or loading special parts of the system.
SELinux can control special "capabilities" that programs have. This means it can prevent users from doing things they shouldn't, even if they have some special permissions.
SELinux can handle different levels of security for very sensitive information. AppArmor does not have this feature.
AppArmor rules are usually simple text files. SELinux uses a mix of text files and special labels stored with the files themselves.

Other Similar Security Systems

There are other ways to isolate programs and keep systems secure. One way is virtualization, which creates separate virtual computers. The OLPC project, for example, used this to run applications in isolated "sandboxes." The NSA also used SELinux ideas in Security-Enhanced Android.

General Dynamics also makes a system called PitBull Trusted Operating System. This system adds more security features to Red Hat Enterprise Linux.

Multi-Category Security (MCS) is an improvement for SELinux used in Red Hat Enterprise Linux. It lets users add extra "categories" to files. This helps to further limit access beyond the usual rules.