SELinux

SELinux is a mandatory access control system that enables more fine-grained access control and allows the security administrator to define what a user can and cannot do. Unlike the standard discretionary access control in place for Linux (under which the end user can still share files he shouldn't share, allow others to have write access to his files, etc.), a mandatory access control system is fully governed through a security policy.

SELinux works alongside the standard discretionary access control system: the DAC system is checked first, and only when it would allow an activity is SELinux queried as well. With SELinux, processes run inside what it calls a domain. Privileges are then assigned to a domain to define the allowed interactions with other resources (be it processes, other domains, files, sockets, capabilities, file contexts, semaphores, messages, ...).
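The decision order described above can be modelled in a few lines of Python. This is an added example, not part of the original page: it parses SELinux-style `allow` rules and applies the DAC check before the domain check. The type names exist in the reference policy, but the rule set, files, UID and helper names are constructed for illustration, and the DAC model covers only owner/other mode bits.

```python
import re
from collections import namedtuple

# Constructed sample policy in SELinux "allow" rule syntax (assumption for the demo).
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append open };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def load_rules(text):
    """Map (domain, target type, object class) -> set of allowed permissions."""
    rules = {}
    for dom, typ, cls, perms in RULE.findall(text):
        rules.setdefault((dom, typ, cls), set()).update(perms.split())
    return rules

# Hypothetical stand-in for a file's owner, mode bits and security context.
File = namedtuple("File", "owner_uid mode context")

def context_type(context):
    """The type (a process's domain) is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def dac_allows(uid, f, perm):
    """Owner/other mode-bit check only; groups and capabilities are left out."""
    bit = {"read": 4, "append": 2}[perm]
    shift = 6 if uid == f.owner_uid else 0
    return bool((f.mode >> shift) & bit)

def access(rules, uid, proc_context, f, perm):
    """DAC is checked first; SELinux is consulted only if DAC would allow."""
    if not dac_allows(uid, f, perm):
        return "denied by DAC"
    key = (context_type(proc_context), context_type(f.context), "file")
    if perm not in rules.get(key, set()):
        return "denied by SELinux"  # no allow rule for this domain means no access
    return "allowed"

# Constructed sample objects.
RULES = load_rules(POLICY)
HTTPD = "system_u:system_r:httpd_t:s0"
WEB = File(48, 0o644, "system_u:object_r:httpd_sys_content_t:s0")
SHADOW = File(0, 0o644, "system_u:object_r:shadow_t:s0")  # mode loosened by mistake
PRIVATE = File(0, 0o600, "system_u:object_r:httpd_sys_content_t:s0")

if __name__ == "__main__":
    for name, f in (("WEB", WEB), ("SHADOW", SHADOW), ("PRIVATE", PRIVATE)):
        print(name, access(RULES, 48, HTTPD, f, "read"))
```

The `SHADOW` case shows the policy still denying access after a DAC mistake, and the `PRIVATE` case shows that an `allow` rule cannot grant what DAC refuses.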