Operating SystemsSELinux

SELinux: Security-Enhanced Linux

LevelAdvanced

Duration90 mins

TopicSELinux

2 / 5

SELinux Policies

The Rule Book of Mandatory Access Control

An SELinux system without a policy is like a courtroom without laws—the infrastructure exists, but no decisions can be made. SELinux policies are the comprehensive rule sets that define every permitted interaction between subjects (processes) and objects (files, sockets, devices) in the system.

A typical SELinux policy contains hundreds of thousands of rules, carefully structured to:

Confine hundreds of applications to their intended scope
Define valid transitions between security domains
Specify precisely which actions each process type may perform
Establish the security boundaries that contain attacks

Understanding SELinux policies is essential for anyone who administers, develops for, or secures Linux systems. This page explores policy architecture from first principles through practical application.

What You Will Learn

By the end of this page, you will understand the types of SELinux policies, the structure and syntax of policy rules, how the Reference Policy framework organizes rules into modules, and the process of policy development and customization. You'll be equipped to read, analyze, and modify SELinux policies.

Policy Types and Modes

SELinux supports multiple policy types, offering different trade-offs between security guarantees and operational flexibility. Understanding these types is the first step in working with SELinux policies.

Targeted Policy

The targeted policy is the default on Red Hat-derived distributions. It embodies a pragmatic approach:

Network-facing services are confined — Apache, MySQL, DNS, SSH, and other network daemons run in specific domains with limited permissions
User processes run unconfined — Regular user applications (desktop apps, shells) run in the unconfined_t domain with minimal restrictions
Selective protection — Security focus is on high-risk attack surfaces

This approach acknowledges that comprehensive policy for every application is impractical in many environments. The targeted policy protects against the most likely attack vectors—network service compromises—while minimizing user-facing policy issues.

Strict Policy

The strict policy takes a comprehensive approach:

Everything is confined — No unconfined domains; every process has explicit policy
Complete least privilege — Each application limited to exactly what it needs
Higher administrative burden — Every new application requires policy work

Strict policies are used in high-security environments where the additional administrative overhead is justified (government, military, financial systems).

MLS Policy

Multi-Level Security (MLS) policy adds Bell-LaPadula-style security levels:

Hierarchical security levels — Subjects and objects have sensitivity levels
Compartments — Additional categorical restrictions (need-to-know)
Information flow control — Prevents unauthorized disclosure across levels
Certification requirements — Often required for handling classified data

MLS is used in environments processing classified data at multiple levels (e.g., a system handling both Secret and Top Secret information).

SELinux Policy Type Comparison
Policy Type	Coverage	Complexity	Use Case
Targeted	Network services confined, users unconfined	Low-Medium	Enterprise servers, default deployments
Strict	All processes confined	High	High-security environments
MLS	Full confinement + security levels	Very High	Multi-level classified systems
Minimum	Base types only, very minimal	Very Low	Embedded, minimal systems

SELinux Modes

Independent of policy type, SELinux operates in one of three modes:

Enforcing Mode

SELinux policy is active and access violations are denied. This is production mode.

Permissive Mode

SELinux logs what would be denied but allows access. Use for debugging and policy development—never in production.

Disabled Mode

SELinux is completely inactive. No policy enforcement, no context labeling. Not recommended.

Check and Change SELinux Mode
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Check current SELinux status
$ getenforce
Enforcing
 
# Detailed status information
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
 
# Temporarily switch to permissive mode (requires root)
# Change persists until reboot
$ sudo setenforce 0
$ getenforce
Permissive
 
# Switch back to enforcing mode
$ sudo setenforce 1
 
# Persistent configuration is in /etc/selinux/config
$ cat /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

Never Disable SELinux

Switching to 'disabled' mode removes security labels from files as they're created or modified. Re-enabling SELinux later requires relabeling the entire filesystem. Use permissive mode for troubleshooting—it provides the same debugging information without the destructive side effects.

Policy Structure and Components

SELinux policies are composed of several distinct components that work together to define the security model. Let's examine each:

Type Declarations

The foundation of SELinux is types. Every subject (process) and object (file, socket, etc.) has a type. Types are declared in policy:

type httpd_t;           # Type for Apache processes
type httpd_exec_t;      # Type for Apache executable
type httpd_content_t;   # Type for web content files
type httpd_log_t;       # Type for Apache log files
type httpd_config_t;    # Type for Apache config files

Type naming convention: <name>_t for process types (domains), <name>_exec_t for executables, <name>_log_t for logs, etc.

Attributes

Attributes are named groups of types. Rules can reference attributes, applying to all types with that attribute:

attribute domain;        # All process types
attribute file_type;     # All file types
attribute exec_type;     # All executable types
attribute port_type;     # All port types

# Assign types to attributes
typeattribute httpd_t domain;
typeattribute httpd_exec_t exec_type, file_type;

This enables writing rules that apply to categories of types without listing each one.

Access Vector Rules

The heart of policy is access vector (AV) rules that specify what's allowed:

# Basic allow rule syntax:
# allow source_type target_type : object_class permissions;

allow httpd_t httpd_content_t : file { read open getattr };
allow httpd_t httpd_log_t : file { create write append };

Rules can also deny, audit, or conditionally allow access.

SELinux Rule Types

SELinux Policy

# ALLOW RULES - Grant permissions
# Syntax: allow source target : class { permissions };
allow httpd_t httpd_content_t : file { read open getattr };
allow httpd_t httpd_log_t : dir { search write add_name };
allow httpd_t httpd_log_t : file { create write append };
 
# DONTAUDIT RULES - Deny silently (suppress audit messages)
# Useful for harmless access attempts that would flood logs
dontaudit httpd_t etc_t : dir search;
 
# AUDITALLOW RULES - Allow but log (for monitoring)
# Useful for detecting unusual but permitted behavior
auditallow httpd_t admin_home_t : file read;
 
# NEVERALLOW RULES - Policy compile-time assertions
# Ensures certain rules can never exist in policy
neverallow httpd_t shadow_t : file { read write };
neverallow * kernel_t : process ptrace;
 
# TYPE TRANSITION RULES - Domain transitions
# Syntax: type_transition source target : class new_type;
# When source creates object of class on target, use new_type
type_transition httpd_t httpd_log_t : file httpd_log_t;
type_transition init_t httpd_exec_t : process httpd_t;
 
# ROLE ALLOW RULES - Role transitions
role_transition user_r httpd_exec_t system_r;
 
# CONDITIONAL RULES - Based on boolean values
bool httpd_can_network_connect false;
if (httpd_can_network_connect) {
    allow httpd_t port_t : tcp_socket name_connect;
}

Object Classes and Permissions

Object classes represent categories of kernel objects. Each class has a set of applicable permissions:

Object Class	Examples	Key Permissions
`file`	Regular files	read, write, execute, open, create, unlink, getattr, setattr
`dir`	Directories	search, add_name, remove_name, read, write, rmdir
`lnk_file`	Symbolic links	read, write, create, unlink
`sock_file`	Unix sockets	read, write, create, connectto
`tcp_socket`	TCP sockets	create, connect, listen, accept, send, recv
`udp_socket`	UDP sockets	create, bind, send, recv
`process`	Processes	signal, ptrace, transition, fork, exec
`capability`	Linux caps	sys_admin, net_admin, dac_override

The complete list comprises over 80 object classes with hundreds of unique permissions.

Finding Object Classes and Permissions

To see all object classes and permissions available on your system, consult the policy source or use: seinfo --class and seinfo --permission. These tools reveal the complete access control vocabulary.

The Reference Policy Framework

Writing SELinux policy from scratch would be impractical—a complete system requires policies for hundreds of programs. The Reference Policy solves this by providing a well-structured, modular policy base that distributions customize.

Reference Policy Architecture

The Reference Policy organizes rules into modules, each handling a specific service or subsystem:

refpolicy/
├── policy/
│   ├── modules/
│   │   ├── admin/          # Administrative tools
│   │   │   ├── sudo.te     # sudo rules
│   │   │   ├── sudo.if     # sudo interface
│   │   │   └── sudo.fc     # sudo file contexts
│   │   ├── services/       # System services
│   │   │   ├── apache.te
│   │   │   ├── postgresql.te
│   │   │   └── sshd.te
│   │   ├── kernel/         # Kernel and core
│   │   ├── roles/          # Role definitions
│   │   └── system/         # System components
│   └── support/            # Macros and helpers
├── config/
└── doc/

Each module consists of three files:

.te (Type Enforcement) — Domain rules and type declarations
.if (Interface) — Reusable macros for other modules
.fc (File Contexts) — Path-to-label mappings

Example Module: Simple Daemon (mydaemon)

# mydaemon.te - Type Enforcement rules
 
policy_module(mydaemon, 1.0.0)
 
########################################
# Type declarations
########################################
 
type mydaemon_t;                    # Domain for the daemon process
type mydaemon_exec_t;               # Type for the executable
type mydaemon_log_t;                # Type for log files
type mydaemon_var_run_t;            # Type for runtime files
 
# Register mydaemon_t as a domain (process type)
domain_type(mydaemon_t)
 
# Register mydaemon_exec_t as an entry point
domain_entry_file(mydaemon_t, mydaemon_exec_t)
 
# Register as a system daemon
init_daemon_domain(mydaemon_t, mydaemon_exec_t)
 
########################################
# Daemon rules
########################################
 
# Allow reading /etc files
files_read_etc_files(mydaemon_t)
 
# Allow network operations
corenet_tcp_bind_generic_port(mydaemon_t)
corenet_tcp_connect_http_port(mydaemon_t)
 
# Manage own log files
logging_log_file(mydaemon_log_t)
allow mydaemon_t mydaemon_log_t:file { create write append };
allow mydaemon_t mydaemon_log_t:dir { search add_name };
 
# Manage runtime files (PID files, sockets)
files_pid_file(mydaemon_var_run_t)
allow mydaemon_t mydaemon_var_run_t:file manage_file_perms;
allow mydaemon_t mydaemon_var_run_t:dir manage_dir_perms;

The Power of Interfaces

Interfaces are the Reference Policy's key innovation. They encapsulate common access patterns as reusable macros:

# Instead of writing these raw rules:
allow mydaemon_t self:capability { net_bind_service };
allow mydaemon_t mydaemon_port_t:tcp_socket { bind listen accept };
corenet_tcp_bind_port(mydaemon_t, mydaemon_port_t)
...

# You write:
corenet_tcp_bind_generic_port(mydaemon_t)

Interfaces:

Abstract complexity — Hide dozens of low-level rules behind meaningful names
Ensure consistency — All modules binding ports do it the same way
Reduce errors — Battle-tested macros vs. hand-written rules
Enable reuse — Other modules can call your interfaces

Exploring the Reference Policy

The Reference Policy source is invaluable for learning SELinux. Study existing modules (apache.te, sshd.te) to see patterns. Use the interface documentation: seinfo -i lists available interfaces. On Fedora/RHEL, install selinux-policy-devel for policy sources.

Policy Booleans

Recompiling policy for every configuration change would be impractical. Policy booleans provide runtime-adjustable policy switches without recompilation.

Understanding Booleans

Booleans are named true/false values that enable or disable sets of rules:

# Policy defines conditional rules:
bool httpd_can_network_connect false;

if (httpd_can_network_connect) {
    corenet_tcp_connect_all_ports(httpd_t)
}

# Administrator enables at runtime:
$ sudo setsebool httpd_can_network_connect on

# Now httpd_t can connect to any port

Booleans enable administrators to:

Enable optional functionality without policy customization
Toggle features on/off for testing
Adapt stock policy to specific use cases

Working with SELinux Booleans
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# List all booleans with current and pending values
$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
...
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
...
 
# Filter for specific service
$ getsebool -a | grep httpd
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off
httpd_use_nfs --> off
 
# Get detailed information about a boolean
$ semanage boolean -l | grep httpd_can_network_connect
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
 
# Set boolean temporarily (until reboot)
$ sudo setsebool httpd_can_network_connect on
 
# Set boolean permanently (persists across reboots)
$ sudo setsebool -P httpd_can_network_connect on
 
# Set multiple booleans at once
$ sudo setsebool -P httpd_can_network_connect=on httpd_use_nfs=on

Common Important Booleans

Some booleans have significant security implications:

Security-Critical SELinux Booleans
Boolean	Default	Effect When Enabled
httpd_can_network_connect	off	Apache can connect to any TCP port (needed for proxies)
httpd_can_network_connect_db	off	Apache can connect to database ports specifically
httpd_enable_cgi	on	Apache can execute CGI scripts
httpd_read_user_content	off	Apache can read user home directories
ftpd_anon_write	off	FTP anonymous users can write files
samba_enable_home_dirs	off	Samba can share user home directories
allow_guest_exec_content	off	Guest users can execute content in home
selinuxuser_execmod	on	Users can execute text-relocated libraries
deny_ptrace	off	Denies ptrace (debugging) for all domains

Boolean Security Trade-offs

Each boolean represents a security trade-off. Enabling 'httpd_can_network_connect' allows Apache to talk to backend services, but also means a compromised Apache can make arbitrary network connections. Enable only what's necessary, and understand the implications.

Policy Compilation and Loading

SELinux policies undergo compilation from human-readable source to an optimized binary format the kernel can efficiently query. Understanding this process helps with policy development and troubleshooting.

The Policy Compilation Pipeline

[Policy Source Files] (.te, .if, .fc)
        ↓
    checkmodule (parses, validates)
        ↓
[Policy Module] (.mod)
        ↓
    semodule_package (packages)
        ↓
[Policy Package] (.pp)
        ↓
    semodule (installs to policy store)
        ↓
[Policy Store] (/var/lib/selinux/targeted/)
        ↓
    semodule/libsemanage (links all modules)
        ↓
[Compiled Binary Policy] (policy.XX)
        ↓
    Kernel loads binary policy

Compiling and Installing a Policy Module
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Step 1: Write your policy source files
# mydaemon.te, mydaemon.if, mydaemon.fc
 
# Step 2: Compile Type Enforcement to module
$ checkmodule -M -m -o mydaemon.mod mydaemon.te
# -M: MLS/MCS enabled
# -m: build a module (not base policy)
# -o: output file
 
# Step 3: Package the module with file contexts
$ semodule_package -o mydaemon.pp -m mydaemon.mod -f mydaemon.fc
 
# Step 4: Install the module
$ sudo semodule -i mydaemon.pp
# This installs to policy store and rebuilds binary policy
 
# List installed modules
$ semodule -l
abrt    1.4.1
accountsd       1.1.0
acct    1.6.0
...
mydaemon        1.0.0
...
 
# Remove a module
$ sudo semodule -r mydaemon
 
# Alternative: Use Makefile from selinux-policy-devel
# Create a Makefile in your module directory:
$ make -f /usr/share/selinux/devel/Makefile
# This handles all compilation steps automatically

Policy Store and Versions

SELinux maintains a policy store containing all installed modules:

/var/lib/selinux/targeted/
├── active/
│   ├── modules/100/     # Priority 100 (default)
│   │   ├── base/
│   │   ├── httpd/
│   │   ├── sshd/
│   │   └── mydaemon/
│   ├── modules/400/     # Higher priority overrides
│   ├── file_contexts
│   ├── booleans.local
│   └── seusers
└── policy/
    └── policy.33        # Compiled binary (kernel version 33)

Modules have priority levels (100-999). Higher priority modules can override rules from lower ones. This enables local customizations without modifying distribution modules.

The Kernel Policy Interface

The compiled binary policy is loaded into the kernel through the SELinux filesystem:

/sys/fs/selinux/
├── load          # Write policy binary here to load
├── enforce       # Read/write enforcement mode
├── policy        # Read current loaded policy
├── status        # Sequence number for policy changes
├── class/        # Object class definitions
├── booleans/     # Boolean values
└── ...           # Other tunables

Analyzing Loaded Policy

Use 'seinfo' and 'sesearch' to analyze the currently loaded policy. 'seinfo -t' lists all types. 'sesearch --allow -s httpd_t' shows all allow rules for httpd_t. These tools work on the live binary policy.

Creating Custom Policy Modules

When stock policy doesn't meet your needs, you can create custom modules. This section walks through the process for common scenarios.

Scenario: Allowing Denied Access

The most common customization: your application triggers SELinux denials and you need to allow the access. The workflow:

Trigger the denial — Run your application and observe the failure
Find the denial in audit log — ausearch -m avc -ts recent
Analyze the denial — Understand what access is needed
Generate policy — Use audit2allow as a starting point
Review and refine — Never blindly accept generated rules
Install and test — Deploy and verify

audit2allow Workflow
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Step 1: Find recent denials for your process
$ sudo ausearch -m avc -ts recent | grep mydaemon
type=AVC msg=audit(1642589234.789:456): avc:  denied  { read } for  pid=12345 
    comm="mydaemon" name="config.dat" dev="sda1" ino=987654 
    scontext=system_u:system_r:mydaemon_t:s0 
    tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
 
# Step 2: Analyze the denial
# Subject: mydaemon_t (our daemon)
# Object: etc_t (generic /etc type)
# Action: read file
# This looks legitimate - daemon reading config from /etc
 
# Step 3: Generate policy rules from audit log
$ sudo ausearch -m avc -ts recent | audit2allow -m mydaemon_custom
 
module mydaemon_custom 1.0;
 
require {
    type mydaemon_t;
    type etc_t;
    class file read;
}
 
#============= mydaemon_t ==============
allow mydaemon_t etc_t:file read;
 
# Step 4: Review - is this too broad?
# "etc_t" includes ALL of /etc. Do we need that?
# Better: Create a specific type for our config, or use an interface
 
# Step 5: Refined approach - use proper interface
$ cat mydaemon_etc.te
policy_module(mydaemon_etc, 1.0.0)
 
require {
    type mydaemon_t;
}
 
# Use the standard interface for reading /etc
files_read_etc_files(mydaemon_t)
 
# Step 6: Build and install
$ make -f /usr/share/selinux/devel/Makefile mydaemon_etc.pp
$ sudo semodule -i mydaemon_etc.pp
 
# Step 7: Verify - retest application, check no more denials
$ sudo ausearch -m avc -ts recent | grep mydaemon
<no output = no denials>

audit2allow Dangers

Never use 'audit2allow -M mypolicy | semodule -i' blindly! Generated rules may be overly permissive. An application probing the filesystem generates denials for files it shouldn't access—naively allowing all probed access defeats MAC entirely. Always review and minimize generated rules.

Scenario: Confining a New Application

For a new application requiring full confinement:

Identify resources — What files, ports, devices does it need?
Create types — Domain for the process, types for files
Write basic rules — Start minimal, add as needed
Define file contexts — Map paths to types
Test in permissive — Run with setenforce 0, collect denials
Iterate — Add rules for each legitimate denial
Deploy in enforcing — Switch to setenforce 1 for production

Policy Development Best Practices

•Start with existing modules — Use similar modules as templates (e.g., copy nginx.te when creating a web server policy)
•Use interfaces, not raw rules — Interfaces are tested, maintained, and abstract complexity
•Follow naming conventions — <app>_t for domain, <app>_exec_t for executable, etc.
•Document your policy — Comment why rules exist; future you will thank past you
•Test thoroughly — Exercise all application functionality, not just the happy path
•Minimize permissions — Only allow what's actually needed; refuse to allow 'just in case' rules
•Review denials carefully — Some denials are bugs in your app, not policy gaps

Policy Analysis Tools

SELinux provides powerful tools for inspecting and querying policy. Mastering these tools is essential for policy development and troubleshooting.

seinfo: Policy Information

seinfo provides statistics and listings from the loaded policy:

seinfo Examples
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Overall policy statistics
$ seinfo
 
Statistics for policy file: /sys/fs/selinux/policy
Policy Version:             33 (MLS enabled)
  Classes:             130      Permissions:         463
  Sensitivities:         1      Categories:         1024
  Types:              4932      Attributes:          264
  Users:                 8      Roles:                14
  Booleans:            338      Cond. Expr.:         420
  Allow:            118394      Neverallow:            0
  Auditallow:           17      Dontaudit:         17643
  Type_transition:   24857      Role_transition:     418
  Range_transition:    623      ...
 
# List all types
$ seinfo -t | head -20
Types: 4932
   ...
   NetworkManager_t
   abrt_dump_oops_t
   abrt_helper_t
   abrt_t
   httpd_t
   httpd_exec_t
   httpd_content_t
   ...
 
# Types with specific attribute
$ seinfo -a domain -x
   domain
      NetworkManager_t
      abrt_t
      httpd_t
      sshd_t
      ...
 
# List all object classes
$ seinfo --class | head
Classes: 130
   appletalk_socket
   association
   binder
   blk_file
   capability
   ...

sesearch: Policy Rule Search

sesearch finds specific rules in the policy:

sesearch Examples
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# All allow rules for a source type
$ sesearch --allow -s httpd_t | head -10
allow httpd_t NetworkManager_var_run_t:dir { getattr search };
allow httpd_t bin_t:dir { getattr ioctl read search ... };
allow httpd_t bin_t:file { execute getattr ioctl map open read };
allow httpd_t cert_t:dir { getattr ioctl read search };
allow httpd_t cert_t:file { getattr ioctl open read };
...
 
# Rules for specific source, target, and class
$ sesearch --allow -s httpd_t -t httpd_content_t -c file
allow httpd_t httpd_content_t:file { getattr ioctl open read };
allow httpd_t httpd_content_t:file { map };
 
# Rules with specific permission
$ sesearch --allow -s httpd_t -c tcp_socket -p name_connect
allow httpd_t http_port_t:tcp_socket name_connect;
# (only if httpd_can_network_connect is enabled)
 
# Type transition rules
$ sesearch --type_trans -s init_t | grep httpd
type_transition init_t httpd_exec_t:process httpd_t;
 
# All rules involving an attribute
$ sesearch --allow -t file_type -c file -p write
# Shows all write access to any file_type
 
# Dontaudit rules (silenced denials)
$ sesearch --dontaudit -s httpd_t | head
dontaudit httpd_t admin_home_t:dir search;
dontaudit httpd_t default_t:dir search;
...

Other Essential Tools

Tool	Purpose	Example
`semanage`	Manage policy components	`semanage boolean -l`
`audit2why`	Explain why denial occurred	`audit2why < /var/log/audit/audit.log`
`sealert`	User-friendly denial analysis	`sealert -l <alert-id>`
`matchpathcon`	Show expected context for path	`matchpathcon /var/www/html`
`secon`	Show context of current process	`secon -t`
`apol`	Graphical policy analysis	GUI application

Troubleshooting Workflow

When things don't work: (1) Check ausearch -m avc -ts recent for denials, (2) Use audit2why to understand why denied, (3) Use sesearch to see what rules exist, (4) Use sealert for human-readable analysis and suggestions.

Summary: SELinux Policies

We've explored the architecture and mechanics of SELinux policies. Let's consolidate the key insights:

Key Takeaways

•Policy types offer different trade-offs — Targeted confines network services while leaving users unconfined; strict confines everything; MLS adds security levels.
•Types are the foundation — Every subject and object has a type; rules define permitted interactions between types.
•The Reference Policy provides modular structure — .te for rules, .if for interfaces, .fc for file contexts.
•Interfaces encapsulate complexity — Use well-tested interfaces rather than writing raw rules.
•Booleans enable runtime configuration — Adjust policy behavior without recompilation.
•Policy modules compile to binary — checkmodule → semodule_package → semodule -i pipeline.
•audit2allow aids but doesn't replace thinking — Use it to find required rules, but always review and minimize.
•Analysis tools are essential — seinfo, sesearch, audit2why, sealert for understanding policy.

What's Next:

With policy structure understood, we'll explore Contexts and Labels—the mechanism by which types are assigned to subjects and objects. Understanding labeling is crucial for ensuring policy rules match the resources they're meant to protect.

Page Complete

You now understand SELinux policy architecture, from high-level types to individual rules, from the Reference Policy framework to custom module development. This foundation enables you to analyze, customize, and troubleshoot SELinux policies effectively.

2 / 5

Loading learning content...

Operating SystemsSELinux

SELinux: Security-Enhanced Linux

LevelAdvanced

Duration90 mins

TopicSELinux

2 / 5

SELinux Policies

The Rule Book of Mandatory Access Control

A typical SELinux policy contains hundreds of thousands of rules, carefully structured to:

Confine hundreds of applications to their intended scope
Define valid transitions between security domains
Specify precisely which actions each process type may perform
Establish the security boundaries that contain attacks

What You Will Learn

Policy Types and Modes

Targeted Policy

The targeted policy is the default on Red Hat-derived distributions. It embodies a pragmatic approach:

Network-facing services are confined — Apache, MySQL, DNS, SSH, and other network daemons run in specific domains with limited permissions
User processes run unconfined — Regular user applications (desktop apps, shells) run in the unconfined_t domain with minimal restrictions
Selective protection — Security focus is on high-risk attack surfaces

Strict Policy

The strict policy takes a comprehensive approach:

Everything is confined — No unconfined domains; every process has explicit policy
Complete least privilege — Each application limited to exactly what it needs
Higher administrative burden — Every new application requires policy work

Strict policies are used in high-security environments where the additional administrative overhead is justified (government, military, financial systems).

MLS Policy

Multi-Level Security (MLS) policy adds Bell-LaPadula-style security levels:

Hierarchical security levels — Subjects and objects have sensitivity levels
Compartments — Additional categorical restrictions (need-to-know)
Information flow control — Prevents unauthorized disclosure across levels
Certification requirements — Often required for handling classified data

MLS is used in environments processing classified data at multiple levels (e.g., a system handling both Secret and Top Secret information).

SELinux Policy Type Comparison
Policy Type	Coverage	Complexity	Use Case
Targeted	Network services confined, users unconfined	Low-Medium	Enterprise servers, default deployments
Strict	All processes confined	High	High-security environments
MLS	Full confinement + security levels	Very High	Multi-level classified systems
Minimum	Base types only, very minimal	Very Low	Embedded, minimal systems

SELinux Modes

Independent of policy type, SELinux operates in one of three modes:

Enforcing Mode

SELinux policy is active and access violations are denied. This is production mode.

Permissive Mode

SELinux logs what would be denied but allows access. Use for debugging and policy development—never in production.

Disabled Mode

SELinux is completely inactive. No policy enforcement, no context labeling. Not recommended.

Check and Change SELinux Mode
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Check current SELinux status
$ getenforce
Enforcing
 
# Detailed status information
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
 
# Temporarily switch to permissive mode (requires root)
# Change persists until reboot
$ sudo setenforce 0
$ getenforce
Permissive
 
# Switch back to enforcing mode
$ sudo setenforce 1
 
# Persistent configuration is in /etc/selinux/config
$ cat /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

Never Disable SELinux

Policy Structure and Components

SELinux policies are composed of several distinct components that work together to define the security model. Let's examine each:

Type Declarations

The foundation of SELinux is types. Every subject (process) and object (file, socket, etc.) has a type. Types are declared in policy:

type httpd_t;           # Type for Apache processes
type httpd_exec_t;      # Type for Apache executable
type httpd_content_t;   # Type for web content files
type httpd_log_t;       # Type for Apache log files
type httpd_config_t;    # Type for Apache config files

Type naming convention: <name>_t for process types (domains), <name>_exec_t for executables, <name>_log_t for logs, etc.

Attributes

Attributes are named groups of types. Rules can reference attributes, applying to all types with that attribute:

attribute domain;        # All process types
attribute file_type;     # All file types
attribute exec_type;     # All executable types
attribute port_type;     # All port types

# Assign types to attributes
typeattribute httpd_t domain;
typeattribute httpd_exec_t exec_type, file_type;

This enables writing rules that apply to categories of types without listing each one.

Access Vector Rules

The heart of policy is access vector (AV) rules that specify what's allowed:

# Basic allow rule syntax:
# allow source_type target_type : object_class permissions;

allow httpd_t httpd_content_t : file { read open getattr };
allow httpd_t httpd_log_t : file { create write append };

Rules can also deny, audit, or conditionally allow access.

SELinux Rule Types

SELinux Policy

# ALLOW RULES - Grant permissions
# Syntax: allow source target : class { permissions };
allow httpd_t httpd_content_t : file { read open getattr };
allow httpd_t httpd_log_t : dir { search write add_name };
allow httpd_t httpd_log_t : file { create write append };
 
# DONTAUDIT RULES - Deny silently (suppress audit messages)
# Useful for harmless access attempts that would flood logs
dontaudit httpd_t etc_t : dir search;
 
# AUDITALLOW RULES - Allow but log (for monitoring)
# Useful for detecting unusual but permitted behavior
auditallow httpd_t admin_home_t : file read;
 
# NEVERALLOW RULES - Policy compile-time assertions
# Ensures certain rules can never exist in policy
neverallow httpd_t shadow_t : file { read write };
neverallow * kernel_t : process ptrace;
 
# TYPE TRANSITION RULES - Domain transitions
# Syntax: type_transition source target : class new_type;
# When source creates object of class on target, use new_type
type_transition httpd_t httpd_log_t : file httpd_log_t;
type_transition init_t httpd_exec_t : process httpd_t;
 
# ROLE ALLOW RULES - Role transitions
role_transition user_r httpd_exec_t system_r;
 
# CONDITIONAL RULES - Based on boolean values
bool httpd_can_network_connect false;
if (httpd_can_network_connect) {
    allow httpd_t port_t : tcp_socket name_connect;
}

Object Classes and Permissions

Object classes represent categories of kernel objects. Each class has a set of applicable permissions:

Object Class	Examples	Key Permissions
`file`	Regular files	read, write, execute, open, create, unlink, getattr, setattr
`dir`	Directories	search, add_name, remove_name, read, write, rmdir
`lnk_file`	Symbolic links	read, write, create, unlink
`sock_file`	Unix sockets	read, write, create, connectto
`tcp_socket`	TCP sockets	create, connect, listen, accept, send, recv
`udp_socket`	UDP sockets	create, bind, send, recv
`process`	Processes	signal, ptrace, transition, fork, exec
`capability`	Linux caps	sys_admin, net_admin, dac_override

The complete list comprises over 80 object classes with hundreds of unique permissions.

Finding Object Classes and Permissions

The Reference Policy Framework

Reference Policy Architecture

The Reference Policy organizes rules into modules, each handling a specific service or subsystem:

refpolicy/
├── policy/
│   ├── modules/
│   │   ├── admin/          # Administrative tools
│   │   │   ├── sudo.te     # sudo rules
│   │   │   ├── sudo.if     # sudo interface
│   │   │   └── sudo.fc     # sudo file contexts
│   │   ├── services/       # System services
│   │   │   ├── apache.te
│   │   │   ├── postgresql.te
│   │   │   └── sshd.te
│   │   ├── kernel/         # Kernel and core
│   │   ├── roles/          # Role definitions
│   │   └── system/         # System components
│   └── support/            # Macros and helpers
├── config/
└── doc/

Each module consists of three files:

.te (Type Enforcement) — Domain rules and type declarations
.if (Interface) — Reusable macros for other modules
.fc (File Contexts) — Path-to-label mappings

Example Module: Simple Daemon (mydaemon)

# mydaemon.te - Type Enforcement rules
 
policy_module(mydaemon, 1.0.0)
 
########################################
# Type declarations
########################################
 
type mydaemon_t;                    # Domain for the daemon process
type mydaemon_exec_t;               # Type for the executable
type mydaemon_log_t;                # Type for log files
type mydaemon_var_run_t;            # Type for runtime files
 
# Register mydaemon_t as a domain (process type)
domain_type(mydaemon_t)
 
# Register mydaemon_exec_t as an entry point
domain_entry_file(mydaemon_t, mydaemon_exec_t)
 
# Register as a system daemon
init_daemon_domain(mydaemon_t, mydaemon_exec_t)
 
########################################
# Daemon rules
########################################
 
# Allow reading /etc files
files_read_etc_files(mydaemon_t)
 
# Allow network operations
corenet_tcp_bind_generic_port(mydaemon_t)
corenet_tcp_connect_http_port(mydaemon_t)
 
# Manage own log files
logging_log_file(mydaemon_log_t)
allow mydaemon_t mydaemon_log_t:file { create write append };
allow mydaemon_t mydaemon_log_t:dir { search add_name };
 
# Manage runtime files (PID files, sockets)
files_pid_file(mydaemon_var_run_t)
allow mydaemon_t mydaemon_var_run_t:file manage_file_perms;
allow mydaemon_t mydaemon_var_run_t:dir manage_dir_perms;

The Power of Interfaces

Interfaces are the Reference Policy's key innovation. They encapsulate common access patterns as reusable macros:

# Instead of writing these raw rules:
allow mydaemon_t self:capability { net_bind_service };
allow mydaemon_t mydaemon_port_t:tcp_socket { bind listen accept };
corenet_tcp_bind_port(mydaemon_t, mydaemon_port_t)
...

# You write:
corenet_tcp_bind_generic_port(mydaemon_t)

Interfaces:

Abstract complexity — Hide dozens of low-level rules behind meaningful names
Ensure consistency — All modules binding ports do it the same way
Reduce errors — Battle-tested macros vs. hand-written rules
Enable reuse — Other modules can call your interfaces

Exploring the Reference Policy

Policy Booleans

Recompiling policy for every configuration change would be impractical. Policy booleans provide runtime-adjustable policy switches without recompilation.

Understanding Booleans

Booleans are named true/false values that enable or disable sets of rules:

# Policy defines conditional rules:
bool httpd_can_network_connect false;

if (httpd_can_network_connect) {
    corenet_tcp_connect_all_ports(httpd_t)
}

# Administrator enables at runtime:
$ sudo setsebool httpd_can_network_connect on

# Now httpd_t can connect to any port

Booleans enable administrators to:

Enable optional functionality without policy customization
Toggle features on/off for testing
Adapt stock policy to specific use cases

Working with SELinux Booleans
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# List all booleans with current and pending values
$ getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
...
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
...
 
# Filter for specific service
$ getsebool -a | grep httpd
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off
httpd_use_nfs --> off
 
# Get detailed information about a boolean
$ semanage boolean -l | grep httpd_can_network_connect
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
 
# Set boolean temporarily (until reboot)
$ sudo setsebool httpd_can_network_connect on
 
# Set boolean permanently (persists across reboots)
$ sudo setsebool -P httpd_can_network_connect on
 
# Set multiple booleans at once
$ sudo setsebool -P httpd_can_network_connect=on httpd_use_nfs=on

Common Important Booleans

Some booleans have significant security implications:

Security-Critical SELinux Booleans
Boolean	Default	Effect When Enabled
httpd_can_network_connect	off	Apache can connect to any TCP port (needed for proxies)
httpd_can_network_connect_db	off	Apache can connect to database ports specifically
httpd_enable_cgi	on	Apache can execute CGI scripts
httpd_read_user_content	off	Apache can read user home directories
ftpd_anon_write	off	FTP anonymous users can write files
samba_enable_home_dirs	off	Samba can share user home directories
allow_guest_exec_content	off	Guest users can execute content in home
selinuxuser_execmod	on	Users can execute text-relocated libraries
deny_ptrace	off	Denies ptrace (debugging) for all domains

Boolean Security Trade-offs

Policy Compilation and Loading

The Policy Compilation Pipeline

[Policy Source Files] (.te, .if, .fc)
        ↓
    checkmodule (parses, validates)
        ↓
[Policy Module] (.mod)
        ↓
    semodule_package (packages)
        ↓
[Policy Package] (.pp)
        ↓
    semodule (installs to policy store)
        ↓
[Policy Store] (/var/lib/selinux/targeted/)
        ↓
    semodule/libsemanage (links all modules)
        ↓
[Compiled Binary Policy] (policy.XX)
        ↓
    Kernel loads binary policy

Compiling and Installing a Policy Module
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Step 1: Write your policy source files
# mydaemon.te, mydaemon.if, mydaemon.fc
 
# Step 2: Compile Type Enforcement to module
$ checkmodule -M -m -o mydaemon.mod mydaemon.te
# -M: MLS/MCS enabled
# -m: build a module (not base policy)
# -o: output file
 
# Step 3: Package the module with file contexts
$ semodule_package -o mydaemon.pp -m mydaemon.mod -f mydaemon.fc
 
# Step 4: Install the module
$ sudo semodule -i mydaemon.pp
# This installs to policy store and rebuilds binary policy
 
# List installed modules
$ semodule -l
abrt    1.4.1
accountsd       1.1.0
acct    1.6.0
...
mydaemon        1.0.0
...
 
# Remove a module
$ sudo semodule -r mydaemon
 
# Alternative: Use Makefile from selinux-policy-devel
# Create a Makefile in your module directory:
$ make -f /usr/share/selinux/devel/Makefile
# This handles all compilation steps automatically

Policy Store and Versions

SELinux maintains a policy store containing all installed modules:

/var/lib/selinux/targeted/
├── active/
│   ├── modules/100/     # Priority 100 (default)
│   │   ├── base/
│   │   ├── httpd/
│   │   ├── sshd/
│   │   └── mydaemon/
│   ├── modules/400/     # Higher priority overrides
│   ├── file_contexts
│   ├── booleans.local
│   └── seusers
└── policy/
    └── policy.33        # Compiled binary (kernel version 33)

Modules have priority levels (100-999). Higher priority modules can override rules from lower ones. This enables local customizations without modifying distribution modules.

The Kernel Policy Interface

The compiled binary policy is loaded into the kernel through the SELinux filesystem:

/sys/fs/selinux/
├── load          # Write policy binary here to load
├── enforce       # Read/write enforcement mode
├── policy        # Read current loaded policy
├── status        # Sequence number for policy changes
├── class/        # Object class definitions
├── booleans/     # Boolean values
└── ...           # Other tunables

Analyzing Loaded Policy

Creating Custom Policy Modules

When stock policy doesn't meet your needs, you can create custom modules. This section walks through the process for common scenarios.

Scenario: Allowing Denied Access

The most common customization: your application triggers SELinux denials and you need to allow the access. The workflow:

Trigger the denial — Run your application and observe the failure
Find the denial in audit log — ausearch -m avc -ts recent
Analyze the denial — Understand what access is needed
Generate policy — Use audit2allow as a starting point
Review and refine — Never blindly accept generated rules
Install and test — Deploy and verify

audit2allow Workflow
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Step 1: Find recent denials for your process
$ sudo ausearch -m avc -ts recent | grep mydaemon
type=AVC msg=audit(1642589234.789:456): avc:  denied  { read } for  pid=12345 
    comm="mydaemon" name="config.dat" dev="sda1" ino=987654 
    scontext=system_u:system_r:mydaemon_t:s0 
    tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
 
# Step 2: Analyze the denial
# Subject: mydaemon_t (our daemon)
# Object: etc_t (generic /etc type)
# Action: read file
# This looks legitimate - daemon reading config from /etc
 
# Step 3: Generate policy rules from audit log
$ sudo ausearch -m avc -ts recent | audit2allow -m mydaemon_custom
 
module mydaemon_custom 1.0;
 
require {
    type mydaemon_t;
    type etc_t;
    class file read;
}
 
#============= mydaemon_t ==============
allow mydaemon_t etc_t:file read;
 
# Step 4: Review - is this too broad?
# "etc_t" includes ALL of /etc. Do we need that?
# Better: Create a specific type for our config, or use an interface
 
# Step 5: Refined approach - use proper interface
$ cat mydaemon_etc.te
policy_module(mydaemon_etc, 1.0.0)
 
require {
    type mydaemon_t;
}
 
# Use the standard interface for reading /etc
files_read_etc_files(mydaemon_t)
 
# Step 6: Build and install
$ make -f /usr/share/selinux/devel/Makefile mydaemon_etc.pp
$ sudo semodule -i mydaemon_etc.pp
 
# Step 7: Verify - retest application, check no more denials
$ sudo ausearch -m avc -ts recent | grep mydaemon
<no output = no denials>

audit2allow Dangers

Scenario: Confining a New Application

For a new application requiring full confinement:

Identify resources — What files, ports, devices does it need?
Create types — Domain for the process, types for files
Write basic rules — Start minimal, add as needed
Define file contexts — Map paths to types
Test in permissive — Run with setenforce 0, collect denials
Iterate — Add rules for each legitimate denial
Deploy in enforcing — Switch to setenforce 1 for production

Policy Development Best Practices

•Start with existing modules — Use similar modules as templates (e.g., copy nginx.te when creating a web server policy)
•Use interfaces, not raw rules — Interfaces are tested, maintained, and abstract complexity
•Follow naming conventions — <app>_t for domain, <app>_exec_t for executable, etc.
•Document your policy — Comment why rules exist; future you will thank past you
•Test thoroughly — Exercise all application functionality, not just the happy path
•Minimize permissions — Only allow what's actually needed; refuse to allow 'just in case' rules
•Review denials carefully — Some denials are bugs in your app, not policy gaps

Policy Analysis Tools

SELinux provides powerful tools for inspecting and querying policy. Mastering these tools is essential for policy development and troubleshooting.

seinfo: Policy Information

seinfo provides statistics and listings from the loaded policy:

seinfo Examples
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Overall policy statistics
$ seinfo
 
Statistics for policy file: /sys/fs/selinux/policy
Policy Version:             33 (MLS enabled)
  Classes:             130      Permissions:         463
  Sensitivities:         1      Categories:         1024
  Types:              4932      Attributes:          264
  Users:                 8      Roles:                14
  Booleans:            338      Cond. Expr.:         420
  Allow:            118394      Neverallow:            0
  Auditallow:           17      Dontaudit:         17643
  Type_transition:   24857      Role_transition:     418
  Range_transition:    623      ...
 
# List all types
$ seinfo -t | head -20
Types: 4932
   ...
   NetworkManager_t
   abrt_dump_oops_t
   abrt_helper_t
   abrt_t
   httpd_t
   httpd_exec_t
   httpd_content_t
   ...
 
# Types with specific attribute
$ seinfo -a domain -x
   domain
      NetworkManager_t
      abrt_t
      httpd_t
      sshd_t
      ...
 
# List all object classes
$ seinfo --class | head
Classes: 130
   appletalk_socket
   association
   binder
   blk_file
   capability
   ...

sesearch: Policy Rule Search

sesearch finds specific rules in the policy:

sesearch Examples
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# All allow rules for a source type
$ sesearch --allow -s httpd_t | head -10
allow httpd_t NetworkManager_var_run_t:dir { getattr search };
allow httpd_t bin_t:dir { getattr ioctl read search ... };
allow httpd_t bin_t:file { execute getattr ioctl map open read };
allow httpd_t cert_t:dir { getattr ioctl read search };
allow httpd_t cert_t:file { getattr ioctl open read };
...
 
# Rules for specific source, target, and class
$ sesearch --allow -s httpd_t -t httpd_content_t -c file
allow httpd_t httpd_content_t:file { getattr ioctl open read };
allow httpd_t httpd_content_t:file { map };
 
# Rules with specific permission
$ sesearch --allow -s httpd_t -c tcp_socket -p name_connect
allow httpd_t http_port_t:tcp_socket name_connect;
# (only if httpd_can_network_connect is enabled)
 
# Type transition rules
$ sesearch --type_trans -s init_t | grep httpd
type_transition init_t httpd_exec_t:process httpd_t;
 
# All rules involving an attribute
$ sesearch --allow -t file_type -c file -p write
# Shows all write access to any file_type
 
# Dontaudit rules (silenced denials)
$ sesearch --dontaudit -s httpd_t | head
dontaudit httpd_t admin_home_t:dir search;
dontaudit httpd_t default_t:dir search;
...

Other Essential Tools

Tool	Purpose	Example
`semanage`	Manage policy components	`semanage boolean -l`
`audit2why`	Explain why denial occurred	`audit2why < /var/log/audit/audit.log`
`sealert`	User-friendly denial analysis	`sealert -l <alert-id>`
`matchpathcon`	Show expected context for path	`matchpathcon /var/www/html`
`secon`	Show context of current process	`secon -t`
`apol`	Graphical policy analysis	GUI application

Troubleshooting Workflow

Summary: SELinux Policies

We've explored the architecture and mechanics of SELinux policies. Let's consolidate the key insights:

Key Takeaways

•Policy types offer different trade-offs — Targeted confines network services while leaving users unconfined; strict confines everything; MLS adds security levels.
•Types are the foundation — Every subject and object has a type; rules define permitted interactions between types.
•The Reference Policy provides modular structure — .te for rules, .if for interfaces, .fc for file contexts.
•Interfaces encapsulate complexity — Use well-tested interfaces rather than writing raw rules.
•Booleans enable runtime configuration — Adjust policy behavior without recompilation.
•Policy modules compile to binary — checkmodule → semodule_package → semodule -i pipeline.
•audit2allow aids but doesn't replace thinking — Use it to find required rules, but always review and minimize.
•Analysis tools are essential — seinfo, sesearch, audit2why, sealert for understanding policy.

What's Next:

Page Complete

2 / 5