ACL vs SELinux
ACL and SELinux both control access, but they work at different levels.
| Feature | ACL | SELinux |
|---|---|---|
| Full name | Access Control List | Security-Enhanced Linux |
| Main purpose | Give extra file permissions to specific users/groups | Enforce system-wide security policy |
| Access model | DAC: Discretionary Access Control | MAC: Mandatory Access Control |
| Controlled by | File owner or root | The loaded policy; only root can change it (semanage, setsebool) |
| Works on | Files/directories | Files, processes, ports, services, users |
| Common commands | getfacl, setfacl | getenforce, ls -Z, semanage, restorecon |
Simple explanation
ACL
ACL is like saying:
“This specific user or group can access this file/directory.”
Example:
setfacl -m u:john:rwx projectdir
This gives user john read, write, and execute permission on projectdir.
Check ACL:
getfacl projectdir
ACL extends the normal Linux permissions (owner / group / others) with entries for additional named users and groups. A file or directory that carries an ACL shows a + after its mode in ls -l.
One caveat: an ACL also has a mask entry that caps the effective rights of every named user and group entry. chmod on the group bits rewrites that mask, so a later chmod can silently clip the rights you granted with setfacl; getfacl shows the clipped value as #effective.
So ACL is mainly about who can access a file or directory.
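As an added example (not part of the original notes), the script below computes the effective rights a named ACL user actually gets, i.e. the entry's bits ANDed with the mask. It works on text in getfacl's output format; the sample ACL is constructed and shows projectdir after setfacl -m u:john:rwx followed by a chmod g-w, which rewrote the mask to r-x.

```bash
#!/bin/sh
# Added example, not from the original page. Assumes getfacl's standard
# output format ("user:john:rwx", "mask::r-x", optional "#effective:" comments).

# Constructed sample of `getfacl -p projectdir` after:
#   setfacl -m u:john:rwx projectdir
#   chmod g-w projectdir      # chmod on the group bits rewrites the mask
SAMPLE_ACL='# file: projectdir
# owner: root
# group: root
user::rwx
user:john:rwx                   #effective:r-x
group::r-x
mask::r-x
other::r-x'

# perm_and A B -> bits present in both rwx strings (e.g. rwx r-x -> r-x)
perm_and() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# acl_field ACLTEXT PREFIX -> permission field of the first entry starting with PREFIX,
# with trailing "#effective:" comments stripped first.
acl_field() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*#.*//' | grep "^$2" | head -n 1 | cut -d: -f3
}

# effective_user_perm ACLTEXT USER -> effective rwx string for the named user entry.
# The mask caps every entry except the owner and "other" entries.
effective_user_perm() {
    entry=$(acl_field "$1" "user:$2:")
    mask=$(acl_field "$1" "mask::")
    if [ -z "$entry" ]; then printf 'no-entry'; return 1; fi
    if [ -n "$mask" ]; then perm_and "$entry" "$mask"; else printf '%s' "$entry"; fi
}

# Demo: john's entry still says rwx, but the mask is r-x, so he cannot write.
printf 'john entry:     %s\n' "$(acl_field "$SAMPLE_ACL" "user:john:")"
printf 'john effective: %s\n' "$(effective_user_perm "$SAMPLE_ACL" john)"
# On a real system: effective_user_perm "$(getfacl -p projectdir)" john
```

To restore john's write access after such a chmod, reset the mask with setfacl -m m::rwx projectdir (or re-run the setfacl -m u:john:rwx command, which recalculates the mask).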
SELinux
SELinux is like saying:
“Even if Linux permissions allow this, the system security policy must also allow it.”
Example:
ls -Z /var/www/html
You may see SELinux context labels such as:
system_u:object_r:httpd_sys_content_t:s0
The label has four fields, user:role:type:level. The type field (here httpd_sys_content_t) is what the policy rules are written against, so it is the part that decides what a process is allowed to do with the object.
For example, Apache may be allowed to read files labeled:
httpd_sys_content_t
But Apache may be blocked from reading a file with the wrong SELinux label, even if file permissions are 777.
Important rule
For access to work, both must allow it:
Linux permissions / ACL must allow it
AND
SELinux policy must allow it
If either one denies access, the access fails.
Example:
ACL allows user john
SELinux denies the action
Result: Access denied
Another example:
SELinux allows Apache
File permission denies Apache
Result: Access denied
Example situation
Suppose Apache cannot read a web page.
You check normal permissions:
ls -l /var/www/html/index.html
Output:
-rw-r--r-- 1 root root index.html
Looks okay.
Then check SELinux label:
ls -Z /var/www/html/index.html
If the label is wrong, Apache is still denied. A common cause is a file moved in with mv, which keeps its old label (cp gives the copy the target directory's default label). The denial is recorded as an AVC record in /var/log/audit/audit.log; ausearch -m AVC -ts recent shows it and confirms that SELinux, not file permissions, is the blocker.
Fix SELinux context:
sudo restorecon -v /var/www/html/index.html
or for the whole directory:
sudo restorecon -Rv /var/www/html
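As an added example (not from the original notes), the script below applies the "both layers must allow it" rule to lines in the format ls -lZ prints, for the Apache case above. The set of types httpd may read is a deliberately small hard-coded list and is an assumption based on the default targeted policy; the real decision comes from the loaded policy, so verify with sesearch or the audit log. The DAC check only looks at the "others" read bit, on the assumption that the apache user is neither the owner nor in the file's group. The sample listing is constructed.

```bash
#!/bin/sh
# Added example, not from the original page. Decides, per file, whether
# Apache could read it: Linux permissions AND SELinux type must both allow it.

# Constructed sample of `ls -lZ /var/www/html` (mode owner group context name).
SAMPLE_LS='-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 moved.html
-rw------- root root system_u:object_r:httpd_sys_content_t:s0 private.html
-rwxrwxrwx root root unconfined_u:object_r:admin_home_t:s0 open.html'

# dac_world_readable MODE -> 0 if the "others" read bit is set.
# Assumption: apache is neither owner nor group member, so only "others" counts.
dac_world_readable() {
    case $(printf '%s' "$1" | cut -c 8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_type CONTEXT -> the type field (third colon-separated component).
selinux_type() {
    printf '%s' "$1" | cut -d: -f3
}

# mac_httpd_readable TYPE -> 0 if httpd_t may read objects of this type.
# Simplified, hard-coded list (assumption); consult sesearch on a real system.
mac_httpd_readable() {
    case $1 in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict LINE -> "allowed", "denied:DAC" or "denied:SELinux" for one ls -lZ line.
# DAC is checked first, which is also the order the kernel applies them.
verdict() {
    set -- $1          # split into mode owner group context name
    mode=$1; ctx=$4
    if ! dac_world_readable "$mode"; then
        printf 'denied:DAC'
    elif ! mac_httpd_readable "$(selinux_type "$ctx")"; then
        printf 'denied:SELinux'
    else
        printf 'allowed'
    fi
}

# Demo over the constructed listing
printf '%s\n' "$SAMPLE_LS" | while IFS= read -r line; do
    printf '%-15s %s\n' "$(verdict "$line")" "${line##* }"
done
```

open.html is the 777 case from the text: the mode allows everyone, yet admin_home_t is not a type httpd may read, so the verdict is denied:SELinux; private.html is the opposite case, a correct label but no DAC read bit. Only index.html passes both layers. For a real directory, feed the output of ls -lZ (one file per line) to verdict and fix the SELinux side with restorecon.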
Commands summary
ACL commands
getfacl file.txt
setfacl -m u:john:r file.txt
setfacl -x u:john file.txt
setfacl -b file.txt
SELinux commands
getenforce
sestatus
ls -Z file.txt
restorecon -v file.txt
Slide-friendly summary
ACL = extra file permissions for specific users/groups.
SELinux = mandatory security policy using labels and rules.
ACL answers: “Which user/group can access this file?”
SELinux answers: “Is this process allowed to access this object in this way?”
Access works only when both Linux permissions/ACL and SELinux policy allow it.
REF: AI Tools/ChatGPT
