Your visual how-to guide for SELinux policy enforcement

Note: SELinux does not let you sidestep DAC controls. SELinux is a parallel enforcement model. An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators since the process gets Permission Denied. Administrators see Permission Denied and assume it means something is wrong with DAC, not SELinux labels.

via Your visual how-to guide for SELinux policy enforcement

DAC=Discretionary Access Control

SELinux is a powerful labeling system, controlling the access granted to individual processes by the kernel. Its primary feature is type enforcement, where rules define the access a process is allowed based on the labeled type of the process and the labeled type of the object.
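The two points above, a Permission Denied that is really SELinux rather than DAC, and the process-type/object-type/class triple that type enforcement decides on, as an added triage example that is not code from the original article or this post: it parses audit.log AVC records and reconstructs the allow rule each denial corresponds to. The audit records, the `AvcDenial` class and the function names are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample audit.log records (not from the original post). Record 1 is the case the
# article describes: DAC lets httpd read the file, but it is labeled user_home_t, so type enforcement denies it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.202:202): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

@dataclass
class AvcDenial:
    comm: str
    source_type: str   # type field of the process (source) context, e.g. httpd_t
    target_type: str   # type field of the object (target) context, e.g. user_home_t
    tclass: str        # object class the permission applies to: file, tcp_socket, ...
    perms: tuple
    enforced: bool     # False for permissive=1: the denial was logged but the access went ahead

    def allow_rule(self) -> str:
        """The type-enforcement rule that would permit this access (the shape audit2allow emits)."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"

def type_of(context: str) -> str:
    # An SELinux context is user:role:type[:level]; type enforcement keys on the type field.
    return context.split(":")[2]

def parse_avc_denials(log_text: str) -> list:
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC decision
        denials.append(AvcDenial(
            comm=m.group("comm"), tclass=m.group("tclass"),
            source_type=type_of(m.group("scontext")), target_type=type_of(m.group("tcontext")),
            perms=tuple(m.group("perms").split()), enforced=m.group("permissive") != "1"))
    return denials

def selinux_denied(log_text: str, comm: str) -> bool:
    """True if an enforced AVC denial exists for this process name: the EACCES came from SELinux, not DAC."""
    return any(d.comm == comm and d.enforced for d in parse_avc_denials(log_text))
```

If `selinux_denied` is False for the failing process, the Permission Denied is a DAC problem (ownership or mode bits) and relabeling will not help; if it is True, `allow_rule()` shows which type pair and class the policy is missing, though the usual fix is correcting the file label rather than widening the policy.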

For regular users, SELinux can be a complete PITA, which usually needs to be disabled or set to just log the violation only. I recall in past years installing some service and trying to figure out why it wouldn’t work until the logs revealed I didn’t have things set up in a way SELinux wants. Currently I try and minimize SELinux violations because it seems like it has a point most of the time.