What is SELinux?

Source: Internet
Author: User

SELinux (Security-Enhanced Linux) is the United States National Security Agency (NSA) implementation of mandatory access control and the most outstanding new security subsystem in the history of Linux. The NSA, with the help of the Linux community, developed an access control system under whose constraints a process can access only the files it needs for its task. SELinux is installed by default on Fedora and Red Hat Enterprise Linux and is available as an easy-to-install package on other distributions.

SELinux is a mandatory access control (MAC) system available in the 2.6 version of the Linux kernel. Of the Linux security modules currently available, SELinux is the most versatile and well-tested, and it is built on 20 years of MAC research. SELinux incorporates multi-level security or an optional multi-class policy in the type enforcement server and employs a role-based access control concept. [1]

Most people who use SELinux use SELinux-ready distributions, such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or CentOS. They all enable SELinux in the kernel, provide a customizable security policy, and provide many user-level libraries and tools, all of which can use SELinux functionality.

SELinux is a mandatory access control (MAC) security system based on the domain-type model. It was written by the NSA and designed as kernel modules that are included in the kernel; some security-related applications have also been patched for SELinux, and finally there is a corresponding security policy. Under discretionary access control (DAC), any program has full control over its resources: if a program decides to drop a file containing potentially important information into the /tmp directory, no one can stop it. SELinux provides better access control than traditional UNIX permissions.
SELinux has three modes to choose from: "disabled", "permissive", and "enforcing".

"disabled" needs no explanation. "permissive" means SELinux is active, but even if you violate the policy it lets the operation continue and only records the violation. This is very useful when developing a policy; it is equivalent to a debug mode. "enforcing" means that an operation that violates the policy is not allowed to continue.

SELINUXTYPE currently has two major categories. One is targeted, developed by Red Hat, which protects only the main network services, such as Apache, sendmail, BIND, and PostgreSQL; anything that does not belong to one of those domains runs in unconfined_t. It is easy to adopt and has good usability, but it cannot protect the whole system. The other is strict, developed by the NSA, which can protect the whole system but is complex to configure. I think that although it is complex, with some basic knowledge you can still work with it.

In addition to enabling or disabling SELinux in /etc/sysconfig/selinux, we can control it by passing the selinux parameter to the kernel. (It is enabled by default in Fedora 5.)
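The interaction between the configuration file and the kernel parameter described above can be checked with a short script. This is an added example, not part of the original page: the function names are hypothetical, the `enforcing=` kernel parameter is not mentioned on the page, and the precedence used (a "disabled" setting or `selinux=0` wins, then `enforcing=` overrides the file) is an assumption about typical behaviour.

```shell
# Added example, not from the original page; precedence rules are assumed and sample inputs are constructed.

# conf_get KEY: read config text on stdin and print the lowercased value of
# the first uncommented KEY= line (prints nothing if the key is absent).
conf_get() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# boot_param NAME CMDLINE: print the value of the last NAME=value token.
boot_param() {
    val=""
    for tok in $2; do
        case "$tok" in "$1"=*) val="${tok#*=}" ;; esac
    done
    printf '%s' "$val"
}

# effective_mode CONFIG_TEXT CMDLINE: print disabled, permissive, enforcing,
# or unknown (SELINUX= missing or unrecognised).
effective_mode() {
    mode=$(printf '%s\n' "$1" | conf_get SELINUX)
    case "$mode" in enforcing|permissive|disabled) ;; *) mode=unknown ;; esac
    # selinux=0 on the kernel command line turns SELinux off outright.
    if [ "$(boot_param selinux "$2")" = 0 ] || [ "$mode" = disabled ]; then
        echo disabled; return
    fi
    # enforcing=0/1 overrides the mode chosen in the config file.
    case "$(boot_param enforcing "$2")" in
        0) mode=permissive ;;
        1) mode=enforcing ;;
    esac
    echo "$mode"
}

# Constructed sample input in the format of /etc/sysconfig/selinux.
SAMPLE_CONF='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# audit CONFIG_TEXT CMDLINE: report when boot parameters override the file.
audit() {
    want=$(printf '%s\n' "$1" | conf_get SELINUX)
    got=$(effective_mode "$1" "$2")
    if [ "$want" = "$got" ]; then echo "OK $got"; else echo "OVERRIDE $want->$got"; fi
}

audit "$SAMPLE_CONF" "ro quiet"
audit "$SAMPLE_CONF" "ro quiet enforcing=0"
```

On a real host, the inputs would be the contents of /etc/sysconfig/selinux and /proc/cmdline; an "OVERRIDE" result means the boot loader entry is silently changing what the configuration file requests.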
