SELinux Architecture

The preceding sections of this chapter have provided an overview of the functions that underlie SELinux. This section provides an overview of the architecture of SELinux. SELinux consists of the following major components:

  • Kernel-level code

  • The SELinux shared library

  • A security policy

  • Tools

  • Labeled SELinux filesystems (optional)

Kernel-Level Code

When active, the SELinux kernel code monitors system activity and ensures that requested operations are authorized under the currently configured SELinux policy, disallowing any operations not expressly authorized. It also generates system log entries for certain allowed and denied operations, consistent with policy specifications.

Originally, the SELinux kernel-level code was implemented as a patch to the Linux 2.2 kernel, and later the Linux 2.4 kernel. More recently, much of the SELinux kernel-level code has been integrated within the Linux 2.6 kernel. The Linux Security Modules (LSM) feature of Linux 2.6 was expressly designed to support SELinux and other potential security servers.


The principal SELinux facility omitted from Linux 2.6 concerns the labeling of network objects and the security decisions pertaining to them. Some Linux distributors have plans to make the missing SELinux capabilities available as one or more kernel patches, or otherwise.

Despite the integration of SELinux with the Linux 2.6 kernel, a given operational Linux 2.6 kernel may or may not support SELinux. Like many kernel features, the level ...

Get SELinux now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.