Work through the levels in order or jump to the challenge that matches your current skill. Each level builds on the concepts from the one before it. Complete all six to earn the SELinux Master achievement.
Learn the three SELinux modes - enforcing, permissive, and disabled. Understand why enforcing is the only acceptable mode for production systems. Use getenforce, setenforce, and edit /etc/selinux/config to control SELinux behavior across reboots.
Decode the four-part security context format: user, role, type, and level. Inspect labels on files with ls -Z, on processes with ps -Z, and on your own session with id -Z. Fix broken labels with restorecon.
When the default policy does not cover your use case, you write your own. This level walks through reading AVC denials in the audit log, generating a policy module with audit2allow, compiling it with semodule_package, and loading it into the running policy store.
SELinux booleans let you toggle specific policy rules at runtime without writing or compiling custom modules. Learn to list all booleans with getsebool -a, change them with setsebool -P, and understand the most common booleans for httpd, samba, and NFS.
Modern workloads run in containers, and SELinux confines them with svirt and MCS (Multi-Category Security) labels. This level covers how Podman assigns unique labels per container, what container_t and container_file_t types do, and how to create custom policies for containers that need host access.
A full application stack is broken. Apache is serving a Django app backed by PostgreSQL, with a custom log-shipping daemon forwarding events to a remote syslog server. Every component has at least one SELinux denial. Diagnose and fix all of them without disabling enforcing mode.
Expert +500 XPaudit2allow Five real AVC denials. No audit2allow allowed. You read the log, predict the policy fix, then we reveal it. Labels, ports, MCS categories, booleans, and one denial you should escalate to incident response instead of writing policy for.
| Achievement | Requirement | Total XP |
|---|---|---|
| SELinux Rookie | Complete Levels 1-2 | 250 XP |
| Policy Crafter | Complete Levels 1-4 | 700 XP |
| Enforcement Officer | Complete Levels 1-5 | 1050 XP |
| SELinux Master | Complete all 6 levels | 1550 XP |
| Audit Reader, Tier 2 | Complete Level 7 with 3+/5 challenges called correctly | 1950+ XP |