The following examples demonstrate how SELinux increases security:
the default action is deny. If an SELinux policy rule does not exist to allow access, such as for a process opening a file, access is denied.
SELinux can confine Linux users. A number of confined SELinux users exist. Linux users can be mapped to SELinux users to take advantage of confined SELinux users. For example, mapping a Linux user to the SELinux user_u user, results in a Linux user that is not able to run (unless configured otherwise) set user ID (setuid) applications, such as sudo and su, as well as preventing them from executing files and applications in their home directory- if configured, this prevents users from executing malicious files from their home directories.
process separation. Processes run in their own domains, preventing processes from accessing files used by other processes, as well as processes accessing other processes. For example, when running SELinux, unless otherwise configured, an attacker can not compromise a Samba server, and then use that Samba server to read and write to files used by other processes, such as databases used by MySQL®.
help limit the damage done by configuration mistakes. Domain Name System (DNS) servers can replicate information between each other. This is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) DNS server in Fedora 11, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files  from being updated by zone transfers, the BIND named daemon, and other processes.