SELinux
SELinux is a mandatory access control (MAC) system that enforces policy-based permissions beyond Unix file modes.
Why it matters
- Limits process capabilities even after a service compromise.
- Adds policy-level isolation for daemons and applications.
- Supports regulated environments requiring strict controls.
Operational notes
- Use enforcing mode in production where feasible.
- Validate policy denials via audit logs before granting broad exceptions.
- Prefer targeted policy updates over permissive global changes.