SELinux is pretty much "supported" for all distributions. That being said, the only distributions known to actually ship it by default are RHEL (Red Hat Enterprise Linux) based distributions:
- RHEL (SELinux became actually useful during the RHEL6 era; anything before that is/was clunky, but hey, RHEL5 was released 14th March 2007, so don't ask for it).
- Oracle Linux (who even uses that voluntarily? Just present for completeness; don't request it, we will laugh at you).
- Debian: just don't, or do, it's your choice.
- Ubuntu: stay with AppArmor, it will hurt less... somewhat... we hope.
- Arch: it's awesome, without SELinux, so why bother. Also, because there are not really default places for most stuff, SELinux WILL hurt.
Blue or Red
Well, if you're not scared yet, let's go deeper down the rabbit hole.
For the basic start, using some outdated documentation: http://www.crypt.gen.nz/selinux/faq.html
You might not want to use any of the NSA links posted there.
Or some better, more or less up to date, documentation.
Other than understanding file and process context, the single most important things to know are:
And the paradigm: "something's fishy... and I can't explain it using my VAST knowledge of Linux, it's probably SELinux biting you".
Testing if it's SELinux can be done as follows:
The at job is to make sure you don't forget to re-enable SELinux. If you run permissive for a few weeks and change a lot of stuff, you will cry the next time you open /var/log/audit/audit.log, or even harder when you reboot.
Now you can test, and use audit2why to understand what's wrong. Use audit2allow to create an SELinux module, but please check what it allows. You might allow an NSA backdoor to work.
Running with setenforce 0 will actually give you all the gory details, including the denials that would otherwise only be encountered after fixing the first problem, or the next, or the one after that.
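To make "check what it allows" concrete, here is an added example (not from the original page, and not audit2allow itself) that merges AVC denials from a permissive run into the allow rules a generated module would contain and marks the ones that are better fixed by relabeling. The log lines are constructed samples, and the GENERIC_TYPES list is an assumption about which target types are too broad to allow.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="temp" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:502): avc:  denied  { add_name } for  pid=2101 comm="httpd" name="sess_ab12" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.103:503): avc:  denied  { create write } for  pid=2101 comm="httpd" name="sess_ab12" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:504): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.200:504): arch=c000003e syscall=42 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")

# Assumption: generic labels where an allow rule is far too broad and a
# file context rule for the path is the usual fix instead.
GENERIC_TYPES = {"usr_t", "var_t", "etc_t", "default_t", "unlabeled_t", "tmp_t"}

def summarize(log_text):
    """Merge AVC denials into (source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue  # skip SYSCALL and other record types
        src = m["s"].split(":")[2]  # context is user:role:type:level
        tgt = m["t"].split(":")[2]
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return dict(rules)

def review(rules):
    """Render each merged rule in .te syntax together with a review flag."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        flag = "relabel-instead" if tgt in GENERIC_TYPES else "review"
        out.append((f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};", flag))
    return out

if __name__ == "__main__":
    for rule, flag in review(summarize(SAMPLE_LOG)):
        print(f"{flag:16} {rule}")
```

A rule flagged relabel-instead would let the source domain touch everything carrying that generic label, so the better fix is a file context rule for the specific path.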
Create a rule for the file context of the path /usr/local/share/roundcubemail/temp: