SELinux & AppArmor

Mandatory Access Control (MAC)

Beyond normal (discretionary) permissions, MAC systems enforce policy the file owner cannot override.

SELinux (RHEL/Fedora)

CommandPurpose
getenforceCurrent mode
setenforce 0/1Permissive / Enforcing (temporary)
sestatusDetailed status
ls -Z / ps -ZShow security contexts
restorecon -Rv /pathReset contexts to default
semanage fcontextManage context rules

Modes: Enforcing (blocks), Permissive (logs only), Disabled. Config in /etc/selinux/config.

AppArmor (Ubuntu/SUSE)

Profile-based, path-oriented. aa-status, aa-enforce, aa-complain; profiles in /etc/apparmor.d/.

Exam tip: When a service works with SELinux in permissive but fails in enforcing, it's a context/policy problem - check /var/log/audit/audit.log and use restorecon or audit2allow.