Came across this video recently <https://www.youtube.com/watch?v=cNoVgDqqJmM> from the Red Hat Summit a couple of years ago, which gives a simplified intro to Security-Enhanced Linux (SELinux), which is a set of high-security “mandatory access control” features added to the Linux kernel. There are still some people who get conniptions when they hear that SELinux was originally created by the US National Security Agency. But the code has been through a lot of independent peer review in the time (close to two decades) since then, so rest assured you can have high confidence in it. But it can be a very complex and intimidating piece of software: particularly if you get something wrong and then some service gets denied access to some file or other for mysterious reasons that you cannot fathom. Luckily, there are tools available to help you diagnose such problems. The video talks only about RHEL, but I think those tools are not distro-specific. For a start, SELinux can be set in one of three operating modes: “enabled” (actively blocking/enabling access according to set policy); “disabled” (not active), and “permissive” (where it logs only the actions it would take, without actually blocking any access). The last one is particularly useful for seeing what you would need to fix before you actually enable SELinux, before anything actually breaks. Related to this, each system log message denying access to something also shows a command that you can use to get more detailed information about why that access was blocked, and various things you might do to enable it if that’s what you want. RHEL itself allows you to set two levels of operation of SELinux: “targeted” mode (where a particular critical set of services is controlled by SELinux, while every thing else operates as though it were not there) and “multi-level/multi-category” mode, which is the one that probably justifies the reputation of SELinux for being complex and intimidating, and which is likely only of interest to certain Government employees who don’t like to talk about their job. And which is not addressed in the talk: it only describes “targeted” operation. The video goes step-by-step through a couple of scenarios with using SELinux to control the behaviour of Apache: granting users the ability to set up their own “public_html” directories, and moving a web page created by a staffer into the server area. It shows the mistakes you might make, how they manifest themselves in the logs, and how you correct them. He makes it seem so simple, you feel tempted to actually try SELinux for yourself. Go watch the video.