SELinux adaptation and examples

26 July 2025, 18:57:23

https://www.linuxjournal.com/content/securing-linux-steady-momentum-apparmor-and-selinux-uptake

Securing Linux: Steady Momentum in AppArmor and SELinux Uptake

Introduction

In recent times, two critical Linux security frameworks, AppArmor and SELinux, have seen noteworthy acceleration in real-world deployment. As Linux continues to anchor enterprise, container, cloud, and desktop systems, these Mandatory Access Control (MAC) tools have crossed threshold events signaling broader acceptance. This article examines those pivotal inflection points, dives into why they matter, and offers reflections on the shifting landscape of Linux security.
A Swift Journey to Widespread Use
SELinux’s Ascendancy

Originally conceived by the NSA and later shepherded by Red Hat, SELinux added powerful MAC controls to Linux by the early 2000s. Since being fully embedded into the Linux 2.6.x kernel, SELinux has steadily expanded its reach. It has become the default security layer on Red Hat Enterprise Linux, Fedora, and their derivatives, and integrated into Debian 9+, plus Ubuntu from version 8.04. Android further embraced SELinux starting from version 4.3, marking its normalization in mobile devices.

But the most recent watershed occurred in early 2025: openSUSE Tumbleweed made SELinux the default MAC for new installations beginning with snapshot 20250211, accompanied by minimalVM images running in enforcing mode. Existing installations remain unaffected unless manually migrated, and AppArmor remains an installer option. Moreover, openSUSE Leap 16 will be shipping with SELinux in enforcing mode by default, affirming a full shift within SUSE ecosystems.

https://wiki.gentoo.org/wiki/SELinux/Tutorials

SELinux is sometimes seen as a daunting additional security measure on a Linux system. And it probably is, since it requires the users to have some non-basic knowledge of both Linux and SELinux. This series of tutorials attempts to teach the basics of how to work with and configure SELinux.

Throughout the tutorials, we will assume you have access to a SELinux enabled system. This can be a RedHat Enterprise Linux (6 or higher) system, a Fedora system, CentOS, Gentoo Hardened, and etc. If you can get it to boot, you can even use the selinuxnode (experimental) SELinux-enabled live environment (KVM/Qemu guest) offered through Gentoo's mirrors (in the experimental/amd64/qemu-selinux location).

Within each tutorial, we will try to guide you through new vocabulary used by SELinux, changes compared to a regular Linux system, and more. At the end of each tutorial, you will find a What you need to remember part. This is a quick reference of what the tutorial is about, and might help you in the future to remember some stuff without having to read the entire tutorial again.

So, let's get started.