Security Tip # 2 – SELinux or other mandatory access control

This post is part of a series on my top 10 tips for securing Linux home installations. You can find the other posts here.

Enable Mandatory Access Control (MAC)

Traditionally, Linux and Unix operating systems have implemented simplistic access controls, an approach known as Discretionary Access Control (DAC). These are relatively easy to exploit, and have limited flexibility in securing access to files, processes and resources. A MAC framework offers finer-grained control over users and processes on a system.

On Fedora, MAC is implemented via SELinux. It is enabled by default and set to enforcing mode on a standard Fedora system install. For most purposes you won’t need to tweak the default settings.

If you are running an Ubuntu variant, the MAC implementation would probably be AppArmor, though SELinux and AppArmor aren’t exactly equivalent.

What exactly is SELinux?

It’s a mechanism to control access within a Linux system to files, processes, applications, and ports. Access to these entities can be allowed or denied by SELinux security policies.

Check if SELinux is enabled and in enforcing mode

On Fedora you can check if SELinux is enabled using one of the following:

sestatus
getenforce

To modify the SELinux mode to enforcing, you can run either:

sudo setenforce Enforcing

or:

sudo setenforce 1

To modify the SELinux mode to permissive, you can run either:

sudo setenforce Permissive

or:

sudo setenforce 0

A Soapbox Moment

I wish I had a dollar for every time I’ve seen a system with SELinux permanently disabled or permanently placed in permissive mode. This defeats its purpose and robs the system of SELinux’s power! This article from TechRepublic explains why running SELinux in enforcing mode is important.

Note that placing SELinux in permissive mode temporarily is useful when trying to determine if a problem is SELinux-related.
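
The difference between a temporary and a permanent permissive setting can be checked from the shell. The script below is an added example, not part of the original post: setenforce changes only the running mode, and the script assumes the boot-time mode is the SELINUX= line in /etc/selinux/config. The function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the boot-time setting.
# Assumption: the persistent mode is the SELINUX= line in /etc/selinux/config.

# Print the persistent mode (lowercase) from a config file.
# Comment lines and the SELINUXTYPE= line do not match the pattern.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Classify the runtime mode ($1, as printed by getenforce) against the
# config file ($2). Returns 0 only when enforcing now and after a reboot.
selinux_audit() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    persistent=$(selinux_config_mode "$2")
    case "$persistent" in
        enforcing) ;;
        # The "permanently permissive or disabled" case: survives reboots.
        permissive|disabled) echo "persistent-$persistent"; return 2 ;;
        *) echo "config-unreadable"; return 3 ;;
    esac
    case "$runtime" in
        enforcing) echo "ok"; return 0 ;;
        # Config says enforcing, so this is a temporary setenforce 0.
        permissive) echo "temporary-permissive"; return 1 ;;
        *) echo "runtime-$runtime"; return 1 ;;
    esac
}

# Audit the live system only when called with --live.
if [ "${1:-}" = "--live" ]; then
    selinux_audit "$(getenforce 2>/dev/null || echo unknown)" /etc/selinux/config
fi
```

Run it with --live on a Fedora system; a non-zero exit status means the system is not enforcing now, will not be after the next boot, or the config could not be read.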

Stay tuned for a future post on SELinux, including how to monitor audit logs, create custom policies and configure booleans.

Recap of my top 10 tips for securing Linux@home

  1. Enable and use an OS-level firewall
  2. Enable SELinux or another Mandatory Access Control mechanism
  3. Use sudo
  4. Apply software updates automatically or often
  5. Use encryption
  6. Use multi-factor authentication
  7. Enable threat-detection
  8. Browse securely
  9. Limit running services
  10. Backup securely

That’s it! I’ll have a bit more to say tomorrow on Tip # 3 – use sudo. Meanwhile, let me know what you think of this tip by leaving a comment below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

The post references documentation and articles on kernel.org, fedoraproject.org, redhat.com, ubuntu.com, and techrepublic.com. Sources are linked to within the post’s content above.

Featured image from Pexels.com by Ann H. Wave image from Pexels.com by DLKR
