
Wycliffe A. Onyango


100 Days of DevOps: Day 5

Why SELinux Matters in Real-World Applications

1. Stops Zero-Day Exploits from Spreading

Imagine a web server (e.g., Apache or Nginx) gets hacked because of an unknown vulnerability.

Without SELinux, the attacker might gain full control over the system, read sensitive files like /etc/shadow, or inject malicious binaries.

With SELinux enforcing policies, even if Apache is compromised, it can only read and write files it is explicitly allowed to access (e.g., /var/www/html).

It can’t read /etc/passwd, touch databases in /var/lib/mysql, or modify system binaries.


2. Protects Against Misconfigurations

Sometimes, human error is the biggest threat.

For example:

  • An engineer accidentally leaves database credentials in a public directory.
  • SELinux policies can block processes from reading files outside their expected directories — even if file permissions (chmod) would normally allow it.

3. Multi-Tenant or Shared Systems

If a server runs apps for different clients or departments:

  • Without SELinux: Any compromised app can attempt to access another app’s files.
  • With SELinux: Each app runs in a confined domain; one app cannot interfere with another.

4. Real Corporate Example

  • In 2019, a financial institution’s Linux web app was hacked.
  • Attackers uploaded a malicious script that tried to open a reverse shell to exfiltrate data.
  • SELinux in Enforcing mode denied the script’s attempt to connect to the attacker’s server — the intrusion was detected before any data left the network.
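
The denials described in the sections above are recorded as AVC records in the audit log, which is what makes the intrusion attempt visible. The following is an added example, not part of the original post: a small parser that summarizes AVC denials for one domain and separates accesses that were actually blocked from those only logged in permissive mode. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=2211 comm="php-fpm" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000001.200:457): avc:  denied  { read } for  pid=2212 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.200:457): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000002.300:458): avc:  denied  { name_connect } for  pid=2300 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000003.400:459): avc:  denied  { read } for  pid=2400 comm="mysqld" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
EOF
}

# summarize_avc DOMAIN: read audit records on stdin and print one line per
# AVC denial raised by a process running in DOMAIN:
#   <verdict> <comm> <permissions> <tclass> <target_type> [dest=<port>]
summarize_avc() {
    awk -v dom="$1" '
    $1 == "type=AVC" && /avc: +denied/ {
        comm = tclass = sdom = ttype = dest = perm = p = ""
        # The denied permission set sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "tclass") tclass = v
            else if (k == "dest") dest = " dest=" v
            else if (k == "permissive") p = v
            else if (k == "scontext") { split(v, c, ":"); sdom = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        }
        if (sdom != dom) next
        # permissive=1 means the access was logged but NOT blocked.
        verdict = (p == "1") ? "LOGGED-ONLY" : ((p == "0") ? "BLOCKED" : "UNKNOWN")
        printf "%s %s %s %s %s%s\n", verdict, comm, perm, tclass, ttype, dest
    }'
}

sample_audit_log | summarize_avc httpd_t
```

On a host running auditd, the same function can read /var/log/audit/audit.log instead of the sample records. A LOGGED-ONLY line for a web server domain means the policy would have stopped the access, but the domain or the system was permissive at the time.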

Commands Used in This Case

Install SELinux packages

sudo yum install -y selinux-policy selinux-policy-targeted policycoreutils

Disable SELinux for now (permanent setting)

sudo vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled

Verify change

grep SELINUX= /etc/selinux/config
