
What is SELinux?

Security-Enhanced Linux — a mandatory access control system that confines programs to the minimum privileges they require, enforced in addition to standard file permissions.

SELinux, developed by the NSA, adds a layer of security beyond traditional Unix permissions. It assigns security labels (contexts) to files, processes, and ports, then enforces policies about what each labeled process can access. Even if a process runs as root, SELinux can restrict its capabilities. Three modes exist: Enforcing (blocks and logs violations), Permissive (logs but allows violations), and Disabled. Common commands include getenforce, setenforce, restorecon, and chcon. While SELinux has a steep learning curve, it significantly hardens Linux systems and is enabled by default on RHEL/CentOS/Fedora.
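The difference between Enforcing and Permissive, and the role of the labels, can be read straight out of the violation logs. The following is an added example, not part of the original page: it assumes audit records in the kernel's AVC format that carry the permissive= field, the sample records are constructed, and the function names context_type and summarize_avc are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG='type=AVC msg=audit(1700000000.123:101): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000050.456:102): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Print the type field of a context of the form user:role:type:level.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Read audit records on stdin; for each AVC denial print
#   <outcome> <source type> -> <target type> <class>:<permissions>
# permissive=0: the access was blocked and logged (Enforcing).
# permissive=1: the access was logged but allowed (Permissive).
summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""; mode = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm)    { perm = (perm == "" ? $i : perm "," $i); continue }
        if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/)   { split(substr($i, 10), a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
        if ($i ~ /^permissive=/) { mode = substr($i, 12) }
      }
      # Records without a permissive= field are reported as unknown.
      outcome = (mode == "1") ? "logged-only" : ((mode == "0") ? "blocked" : "unknown")
      printf "%s %s -> %s %s:%s\n", outcome, src, tgt, cls, perm
    }'
}

# Run the summary over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_avc
```

Both sample records show the same labeled process (httpd_t) being denied; only the first was actually stopped, because the second was recorded while the denial was not being enforced.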