The SELinux Notebook

SELinuxProject, updated 🕥 2023-03-20 14:35:44

The SELinux Notebook


Introduction

The SELinux Notebook is an Open Source book on SELinux, originally created by Richard Haines and donated to the SELinux community. The Notebook's goal is to be the most current and comprehensive book on SELinux, covering the Linux Kernel components, the userspace libraries and tools, the policy toolchain, and the policy itself.

The SELinux Notebook is freely available, and contributions from the community are welcome and encouraged!

Viewing the Notebook Directly on GitHub

The SELinux Notebook is available in many different formats, including an online format that can be viewed directly on GitHub, one section at a time, starting with the link below:

Viewing the Notebook Offline

While The SELinux Notebook is a living book which is constantly updated, we do occasionally make new releases with pre-built versions in a variety of formats that can be downloaded and read offline. Our release page has more information on each release, as well as the pre-built Notebooks:

  • https://github.com/SELinuxProject/selinux-notebook/releases

Build Your Own SELinux Notebook

The BUILD.md file has more information on building HTML, PDF and EPUB versions of the notebook as well as alternate ways to view the source markdown. Note that the EPUB build will optionally produce a version suitable for viewing on a Kindle that supports the "azw3" file format.

Issues

notebook: update genfscon documentation

opened on 2023-03-20 14:35:43 by cgzones

Partial paths can be used generally for virtual kernel filesystems, e.g. cgroup2, securityfs, selinuxfs, and not just for the proc filesystem.

The genfscon statement supports an optional filetype specifier.
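
Worked example added to this page (it is not part of the issue above, of The SELinux Notebook, or of the SELinux project's code): a small Python model of how genfscon entries are stored and looked up. It parses kernel-policy-language genfscon statements, including the optional filetype specifier, and mimics the kernel's lookup in security_genfs_sid(): entries for a filesystem type are kept longest-path-first, and the first entry whose path is a plain string prefix of the queried path, and whose filetype (if given) matches the inode's class, wins. The sample statements, the type names and the queried paths are constructed for the illustration and are not taken from any distribution policy; the mapping of `-b/-c/-d/-p/-l/-s/--` to object classes follows checkpolicy's convention.

```python
"""Model of how the kernel resolves genfscon entries for a path.

Added illustration only: not code from The SELinux Notebook or from the
SELinux project. Parses kernel-policy-language genfscon statements and
mimics the kernel's security_genfs_sid() lookup: entries for a
filesystem type are kept longest-path-first and the first entry whose
path is a plain string prefix of the queried path (and whose filetype,
if one was given, matches the inode's class) wins.
"""
import re

# Optional filetype specifier of a genfscon statement -> object class the
# kernel compares against (checkpolicy's convention; "--" is a regular
# file, no specifier means "any class").
FILETYPE_CLASS = {
    "-b": "blk_file", "-c": "chr_file", "-d": "dir", "-p": "fifo_file",
    "-l": "lnk_file", "-s": "sock_file", "--": "file",
}

# Constructed sample statements for this example (not taken from any
# distribution policy). Partial paths are used on several virtual kernel
# filesystems, not only on proc.
SAMPLE_POLICY = """
genfscon selinuxfs  /                      system_u:object_r:security_t:s0
genfscon securityfs /                      system_u:object_r:securityfs_t:s0
genfscon cgroup2    /                      system_u:object_r:cgroup_t:s0
genfscon proc       /                      system_u:object_r:proc_t:s0
genfscon proc       /sys                   system_u:object_r:sysctl_t:s0
genfscon proc       /sys/kernel            system_u:object_r:sysctl_kernel_t:s0
genfscon proc       /sysvipc               system_u:object_r:proc_t:s0
genfscon sysfs      /                      system_u:object_r:sysfs_t:s0
genfscon sysfs      /devices/system/cpu -d system_u:object_r:cpu_sysfs_dir_t:s0
genfscon sysfs      /devices/system/cpu -- system_u:object_r:cpu_sysfs_file_t:s0
"""

GENFSCON_RE = re.compile(
    r"^genfscon\s+(?P<fs>\S+)\s+(?P<path>\S+)"
    r"(?:\s+(?P<ft>-\S))?\s+(?P<ctx>\S+)\s*;?$"
)


def parse_genfscon(policy_text):
    """Return {fstype: [(path, class_or_None, context), ...]}, each list
    ordered longest path first, which is how checkpolicy stores them."""
    table = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GENFSCON_RE.match(line)
        if not m:
            raise ValueError("not a genfscon statement: %r" % line)
        ft = m.group("ft")
        if ft is not None and ft not in FILETYPE_CLASS:
            raise ValueError("unknown filetype specifier %r in %r" % (ft, line))
        sclass = FILETYPE_CLASS[ft] if ft else None
        entries = table.setdefault(m.group("fs"), [])
        for path, cls, _ in entries:  # checkpolicy rejects overlapping duplicates
            if path == m.group("path") and (cls is None or sclass is None or cls == sclass):
                raise ValueError("duplicate genfscon entry for %s %s" % (m.group("fs"), path))
        entries.append((m.group("path"), sclass, m.group("ctx")))
    for entries in table.values():
        entries.sort(key=lambda e: -len(e[0]))  # stable: equal lengths keep policy order
    return table


def genfs_sid(table, fstype, path, sclass="file"):
    """Mimic the kernel lookup for an inode of class `sclass` at `path` on
    a filesystem of type `fstype`. Returns the context, or None where the
    kernel would fall back to the unlabeled context."""
    while path.startswith("//"):  # the kernel collapses leading '//'
        path = path[1:]
    for name, cls, ctx in table.get(fstype, []):
        # Plain prefix comparison (strncmp in the kernel): "/sys" would
        # also match "/sysvipc/...", which is why a longer explicit entry
        # for /sysvipc is needed to keep it labelled proc_t.
        if (cls is None or cls == sclass) and path.startswith(name):
            return ctx
    return None


if __name__ == "__main__":
    table = parse_genfscon(SAMPLE_POLICY)
    for fs, path, cls in [
        ("proc", "/sys/kernel/hostname", "file"),
        ("proc", "/sysvipc/shm", "file"),
        ("proc", "/1/status", "file"),
        ("sysfs", "/devices/system/cpu/cpu0", "dir"),
        ("sysfs", "/devices/system/cpu/online", "file"),
        ("sysfs", "/devices/system/cpu/online", "lnk_file"),
        ("selinuxfs", "/enforce", "file"),
        ("tmpfs", "/anything", "file"),
    ]:
        print("%-9s %-28s %-8s -> %s" % (fs, path, cls, genfs_sid(table, fs, path, cls)))
```

Two points the model makes visible: the match is a plain string prefix, not a path-component match, so a short partial path such as `/sys` also captures `/sysvipc` unless a longer entry exists; and a typed entry (`-d`, `--`, ...) is skipped for inodes of another class, which then fall through to the next shorter prefix. genfscon only governs filesystems that have no `fs_use_xattr`, `fs_use_task` or `fs_use_trans` statement. On a live system, `seinfo --genfscon` (setools) lists the loaded entries and `ls -Z` on the mounted filesystem shows the resulting labels.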

notebook: fix typo

opened on 2023-03-20 14:35:19 by cgzones

Found by typos1

RFE: object_classes_permissions: add io_uring class

opened on 2023-01-31 16:22:55 by cukie

Fills in documentation for the io_uring object class and the associated permissions. Summary of docs changes: 1. Change anon_inode to reflect that io_uring is also using type transitions in addition to userfaultfd. 2. Add an io_uring section documenting the three permissions, override_creds, sqpoll, and cmd.

This change was tested by running make all and verifying formatting in Firefox and Foliate.

Signed-off-by: Gil Cukierman cukie@google.com

Releases

20221216 2022-12-16 17:32:08


ChangeLog

  • Add an EPUB build target
  • Add a new section on embedded systems
  • Add a new section on hardening SELinux
  • Add policy version 33 requirements
  • Add the "anon_inode" object class
  • Add a deprecation note of the "lockdown" object class
  • Add a deprecation note for the SELinux runtime disable
  • Add a deprecation note about checkreqprot
  • Add guidance on how to add a new policy capability
  • Describe the nosuid and NNP transitions
  • Fix the definition of "gen_context()"
  • Fix a problem where transition rules were described as being allowed in conditional statements
  • Fix minor formatting issues and spelling mistakes
  • Fix a number of broken links

20201209 2020-12-10 02:08:47


ChangeLog

  • The first update with community contributions, including several small fixes and updates
  • Finished the Markdown conversion

20200707 2020-07-07 20:07:57


ChangeLog

  • This is the initial release from Richard Haines using the 5th edition as a base

SELinux Project

SELinux is flexible Mandatory Access Control (MAC) for Linux
