2001年上半年，美国国家安全局向开放源码社区发布了一个安全性增强型版本的 Linux （Security-Enhanced Linux ，SELinux）包括所有代码！到现在，可以毫不夸张的说，它成了linux服务器维护员们的一块心病，到底是打开呢？还是关闭？打开的话由于它过于复杂，又缺乏有效的配置工具（知道近几年来才陆陆续续的出现一些）。不打开悬着的心放不下，因为关闭它后，裸linux的安全直下一个等级。
至于它的工作原理，个人认为说的还全面的这里有：揭开 SE Linux 的秘密，请特别关注他的参考资料。要进去读之后才知道真正的linux。我这里就不翻版了！
This should be the default mode.
The kernel is blocking all access unless they are explicitly allowed. All denied accesses are reported in the logging system as AVC (Access Vector Cache), unless policy writers have explicitly told the kernel to dontaudit the message.
The kernel will report Access Violations in the form of AVC messages but will allow the access.
The kernel will also continue to create properly labeled files.
There is a couple of major differences with the way the kernel reports these avc messages.
The kernel will only report the first access violation in permissive mode for a confined domain on a particular object, where as in enforcing mode, it will report each and every denied access.
You can get many additional AVC messages that would never have shown up in enforcing mode. For example if a confined domain was not allowed to read a directory or any of the files in it. In enforcing mode the directory access would be denied and one AVC message would be generated. In Permissive mode, the directory access would generate an AVC, and each file read would generate an AVC.
When reporting AVC Messages we would prefer that you report avc messages in Enforcing mode. But sometimes Permissive mode is necessary to get all the AVC Messages. You can boot the kernel in permissive mode with the enforcing=0 switch.
You can use setenforce 0 to turn on permissive mode. setenforce 1 to turn on enforcing mode.
Turns off SELinux enforcement entirely and also stops the creation of proper labels on the files.
You should only disable SELinux if you do not intend to use it. You should use permissive mode when diagnosing a problem.
If you want to disable SELinux, you need to edit /etc/selinux/config and change the SELINUX line to disabled. You will then need to reboot the machine, since SELinux is running within the kernel.
If you wish to reenable SELinux you will need to relabel the entire file system.
Managing File Context
cp vs. mv
The cp command creates the new file will either the context of the destination file, if it exists, or the security context of the destination directory.
The mv command attempts to maintain the security context of the file being moved.
This can lead to some problems in file context. For example, in targeted policy, if you were to cp /etc/resolv.conf /tmp and do some editing of /tmp/resolv.conf. Then you moved resolv.conf back to /etc with the mv /tmp/resolv.conf /etc. The file will end up with the tmp_t security context type instead of the net_conf_t type. Many domains will now not be able to read resolv.conf, resulting in failures. You can easily clear this up with restorecon /etc/resolv.conf.
Sometimes the auditlog information is tough to read and understand; a lot of times I run audit2allow on it to clear up the output.
In Fedora Core 5/Rawhide the Audit system has moved some of the AVC messages to /var/log/audit/audit.log. Some AVC messages continue to show up in the /var/log/messages file though. Usually these show up when the audit d?mon is not running.
You can use the ausearch -m avc command to display the avc messages from the audit log. There are other useful commands such as -x to specify the executable. The -ts option allows you to specify the time you want to see messages afterwards.
AVC Messages are missing
SELinux has some messages that it will not audit. There are dontaudit rules written in policy. Usually these are expected denials and they just cause the application to take a different code path. Sometimes these dontaudit rules might cover up a failure. Prior to reference policy you were required to install selinux-policy-targeted-sources and then execute make -C /etc/selinux/targeted/src/policy enableaudit reload When you were done with the audit messages you would execute make -C /etc/selinux/targeted/src/policy reload. With reference policy you need to replace the base policy package with the enableaudit policy package. semodule -b /usr/share/selinux/targeted/enableaudit.pp. When you have completed your checking, you need to execute semodule -b /usr/share/selinux/targeted/base.pp.
例如：在HOME目录下的”Forbidden / You don't have permission to access / on this server.” error. 就可以使用以下命令解决：
chcon -R -h -t httpd_sys_content_t /home/path/to/your/dir