SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. Under SELinux, every process and every object (files, sockets, pipes) on the system is assigned a security context, a label that includes detailed type information about the object. The kernel allows processes to access objects only if that access is explicitly allowed by the policy in effect.
Three such policies have been available for use with Debian and are included with the system:
Ensure SELinux is enabled in the bootloader configuration
Configure SELinux to be enabled at boot time and verify that it has not been overridden by the GRUB boot parameters.
SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.
Run the following command and verify that all linux lines include the parameters selinux=1 and security=selinux:
# grep "^\s*linux" /boot/grub/grub.cfg
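The same audit as a scripted check, which reports each failing line instead of leaving the comparison to the eye. This is an added example, not part of the original text: the function name audit_grub_selinux is hypothetical, and treating selinux=0 or enforcing=0 on a linux line as a failure is an assumption based on the requirement that the setting not be overridden by boot parameters.

```shell
#!/bin/sh
# Added example: audit every "linux" line of a grub.cfg for the SELinux parameters.
# audit_grub_selinux [FILE] prints offending lines and returns 0 only if all pass.
audit_grub_selinux() {
    cfg=${1:-/boot/grub/grub.cfg}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk '
        # Kernel entries only: first word is linux, linux16 or linuxefi.
        $1 ~ /^linux(16|efi)?$/ {
            seen++
            on = 0; lsm = 0; off = 0
            for (i = 2; i <= NF; i++) {
                # Compare whole tokens so "noselinux=1" or "selinux=10" never match.
                if ($i == "selinux=1")        on = 1
                if ($i == "security=selinux") lsm = 1
                # Assumption: these tokens count as an override of the required state.
                if ($i == "selinux=0" || $i == "enforcing=0") off = 1
            }
            if (!on || !lsm || off) {
                bad++
                printf "FAIL line %d: %s\n", NR, $0
            }
        }
        END {
            # A file with no kernel entries cannot pass the audit.
            if (seen == 0) { print "FAIL: no linux lines found"; exit 1 }
            exit (bad > 0)
        }
    ' "$cfg"
}
```

Call it as `audit_grub_selinux /boot/grub/grub.cfg`; exit status 0 means every linux line carries both parameters, 1 means at least one line failed, and 2 means the file could not be read.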
Run the following command to configure GRUB and PAM and to create /.autorelabel
Edit /etc/default/grub and add the following parameters to the GRUB_CMDLINE_LINUX line:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="selinux=1 security=selinux enforcing=1 audit=1"
Run the following command to update the grub2 configuration: