Page tree
Skip to end of metadata
Go to start of metadata


SELinux is pretty much "supported" for all distributions. That being said, the only distributions known to actually ship it by default are RHEL (Red Hat Enterprise Linux) based distributions:

  • Fedora
  • RHEL (SELinux became actually useful during the RHEL6 era, anything before that is/was clunky, but hey, rhel5 was released 14th March 2007) so don't ask for it.
  • CentOS
  • Oracle Linux (who even uses that voluntarily, just present for completeness, don't request it, we will laugh at you)


  • Debian: just don't, or do, it's your choice.

  • Ubuntu: stay with AppArmor, it will hurt less.. somewhat... we hope.

  • Arch: it's awesome, without SELinux, so why bother. Also, because there are not really default places for most stuff, SELinux WILL hurt.

Blue or Red

Well, if you're not scared yet, let's go deeper down the rabbit hole.

For the basic start, using some outdated documentation:

You might not want to use any of the NSA links posted there (wink)

Or some better, more or less up to date, documentation.

Other than understanding file and process context. the single most important things to know, are:

audit2why - this will explain what's happening, in more or less plain english, sadly less then more.
audit2allow - this will just "fix" it, when you use most SELinux tutorials that go one step beyond "How to disable SELinux"

And the paradigm: "something's fishy.... and I can't explain it using my VAST knowledge of Linux, it's probably SELinux biting you"

Testing if it's SELinux can be done as follows:

setenforce 0; echo "setenforce 1" | at "now +1 hour"

The at job is to make sure you don't forget to re-enable SELinux, if you run permissive for a few weeks and change a lot of stuff, you will cry the next time you open /var/log/audit/audit.log, or even harder when you reboot.

Now you can test, and use audit2why to understand what's wrong. Use audit2allow to create a SELinux module, but please check what it allows. you might allow an NSA backdoor to work (wink)

The setenforce 0 will actually give you all the gory details that would be encountered after fixing the first problem, or the next, or the one after that.


You'll use this tool a lot, ignore any and all documentation telling you to use "chcon", chcon was the way to go until RHEL5, but it won't persist in case of a relabeling, or even restorecon.

  • Create a rule for the filecontext of path /usr/local/share/roundcubemail/temp:

    semanage fcontext --add --type httpd_sys_rw_content_t "/usr/local/share/roundcubemail/temp(/.*)?"
  • And apply:

    restorecon -R /usr/local/share/roundcubemail/temp

Also see: