Security Enhanced Linux (SELinux) is an implementation of mandatory access control allowing a stricter enforcement of access policies for users and applications.

The primary difference with how access control is managed by default in Linux, is that users and applications cannot override set policies.

As an implementation of a layered security approach, this can be particularly important in the event of unauthorised access to the system.

SELinux has three modes of operation:

  • Enforcing - the default setting, denies access and logs actions
  • Permissive - grants access with warnings and logs actions
  • Disabled - SELinux is off

Being a flavour of Enterprise Linux, our CentOS web server deployment comes with SELinux in its default mode.

The goal of this exercise is to set SELinux to its default mode thus enforcing least privilege access.

From shell this can be verified as shown:

getenforce

References