SELinux is a method for mandatory access control (MAC) on Linux systems. MAC provides an additional layer of security beyond traditional discretionary access control (DAC) by labeling both subjects, such as users, and objects, such as files. SELinux policies define which labeled subjects can access which labeled objects. In practice, DAC and MAC are used together, so even if an SELinux policy allows access, the user still needs the correct file permissions via DAC. On a system running SELinux, commands like ps -Z and ls -Z show the security labels on processes and files.
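The combined DAC and MAC decision described above, as an added example that is not part of the original page. It is a simplified model: the sample lines are constructed in the style of ls -lZ and ps -Z output, the policy is a toy set of type-enforcement rules, and the function names and the "apache" user are assumptions made for illustration.

```python
import re

# user:role:type with an optional MLS level, e.g. system_u:object_r:etc_t:s0
CTX_RE = re.compile(r"^([a-z_]\w*):([a-z_]\w*):([a-z_]\w*)(?::(\S+))?$")

# Constructed sample lines in the style of `ls -lZ` and `ps -Z` output.
LS_LINES = [
    "-rw-r--r--. 1 root root system_u:object_r:httpd_sys_content_t:s0 120 Jan  1 12:00 index.html",
    "-rw-------. 1 root root system_u:object_r:httpd_sys_content_t:s0 64 Jan  1 12:00 secret.html",
    "-rw-r--r--. 1 root root system_u:object_r:shadow_t:s0 900 Jan  1 12:00 shadow.bak",
]
PS_LINE = "system_u:system_r:httpd_t:s0 1234 ? 00:00:01 httpd"

# Toy type-enforcement policy: (source type, target type, class, permission).
ALLOW = {("httpd_t", "httpd_sys_content_t", "file", "read")}

def find_context(line):
    """Return (user, role, type, level) from the first field that looks like a label."""
    for field in line.split():
        m = CTX_RE.match(field)
        if m:
            return m.groups()
    raise ValueError("no SELinux context in line: %r" % line)

def dac_allows_read(ls_line, user, groups):
    """Classic owner/group/other read check on the mode string of an `ls -lZ` line."""
    mode, _links, owner, group = ls_line.split()[:4]
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"

def can_read(ps_line, ls_line, user, groups):
    """Return (dac_ok, mac_ok, allowed); access needs both checks to pass."""
    src_type = find_context(ps_line)[2]   # process (subject) type
    tgt_type = find_context(ls_line)[2]   # file (object) type
    dac = dac_allows_read(ls_line, user, groups)
    mac = (src_type, tgt_type, "file", "read") in ALLOW
    return dac, mac, dac and mac

if __name__ == "__main__":
    for line in LS_LINES:
        print(line.split()[-1], can_read(PS_LINE, line, "apache", ["apache"]))
```

secret.html is the case from the text: the policy allows the read, but the file mode does not, so access is denied. shadow.bak is the reverse, readable under DAC but blocked by the policy.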