
SELinux contexts, animated.

Every file and every process on a SELinux-enforcing system carries a security context. Watch how the policy engine compares them — and why a misplaced file is the most common cause of production-day denials.

SELinux contexts explained with animations. Process contexts, file contexts, the policy decision engine, chcon, restorecon, and how to troubleshoot denials. Maps to the RHCSA EX200 exam objectives on SELinux.
// SELinux contexts

SELinux is mandatory access control. Beyond the regular user/group/other (ugo) permission bits, every process and every object gets a label, and policy decides which label can touch which. Confusing at first; elegant once it clicks.

// before you start
you should know
  • Basic Linux file permissions (chmod, chown)
  • Running services with systemctl
  • Reading log files (tail, grep, less)
by the end you'll

Explain how SELinux blocks or allows an access, and run the three commands that fix 99% of denials in production.

pace: 8 minutes

[animation: a process and the file it wants to read, each with its own context]
  process  httpd (PID 1234)             system_u:system_r:httpd_t:s0
  file     /var/www/html/index.html     system_u:object_r:httpd_sys_content_t:s0
step 1 / 6

Every actor carries a context

SELinux (Security-Enhanced Linux) is an extra layer of access control built into RHEL-family systems. It works by giving every running program AND every file on disk a label — called a 'context'. When one tries to touch the other, the kernel checks both labels against a policy that says what's allowed. Below: the Apache web server (httpd) and a file it wants to read — both have contexts.

// key insight

When a service mysteriously fails on RHEL — works on dev, breaks in prod — SELinux is the first thing to suspect. The fix is almost never "disable SELinux"; it's usually a wrong label or a missing boolean. Learn the troubleshooting flow and you'll save hours.

// exam-ready commands
$ ls -Z file
$ ps -eZ | grep httpd
$ id -Z
$ chcon -t TYPE_t file
$ restorecon -v file
$ semanage fcontext -a -t TYPE_t '/path(/.*)?'
$ ausearch -m AVC -ts recent
$ audit2why -al
$ getsebool -a | grep httpd
$ setsebool -P bool on
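Added example (not code from the lesson): a small Python triage helper that does offline what the ausearch, audit2why and restorecon steps above do on a live box. It parses a constructed AVC denial, splits both contexts into user:role:type:level, and compares the target's type with what a constructed two-entry subset of the file-context table says the path should carry; the regexes, the table and the sample record are assumptions, not real policy output.

```python
import re
from collections import namedtuple

# A context is user:role:type:level, e.g. system_u:system_r:httpd_t:s0
Context = namedtuple("Context", "user role type level")

def parse_context(raw):
    # The level (e.g. s0-s0:c0.c1023) may contain ':' so split into at most four fields.
    parts = raw.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not a SELinux context: %r" % raw)
    return Context(*parts)

# Constructed subset of what `semanage fcontext -l` lists on RHEL (assumption).
FCONTEXT = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
]

def expected_type(path):
    # Approximates the policy rule that the most specific (longest) pattern wins.
    hits = [(len(p), t) for p, t in FCONTEXT if re.fullmatch(p, path)]
    return max(hits)[1] if hits else None

AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="value"
AVC_PERMS = re.compile(r"denied\s+\{\s*([^}]*)\}")  # the { read open } set
def parse_avc(line):
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
    m = AVC_PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields

def diagnose(line):
    """Return (verdict, hint): 'relabel' means restorecon should fix it."""
    avc = parse_avc(line)
    src, tgt = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
    want = expected_type(avc.get("path", ""))
    what = "%s denied {%s} on %s %s" % (src.type, " ".join(avc["perms"]), avc["tclass"], tgt.type)
    if want and want != tgt.type:
        return "relabel", "%s: policy expects %s; run restorecon -v %s" % (what, want, avc["path"])
    return "policy", "%s: label is correct; check getsebool -a and audit2why -al" % what

# Constructed denial: index.html copied from /home kept its user_home_t label.
SAMPLE = ('type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } '
          'for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" '
          'ino=131 scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

print(*diagnose(SAMPLE), sep=": ")
```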
// check yourself
4 quick questions
Q1

Which field of a SELinux context matters most for everyday decisions?

Q2

Apache can read /var/www/html on a fresh install but breaks after you copy a file there from /home. Most likely cause?

Q3

Which command resets a file's context to whatever the policy says it should be?

Q4

Where does the kernel log SELinux denials?

These aren't graded — they're just for active recall, which is what actually makes the lesson stick.
