SELinux (Security Enhanced Linux) is produced by, of all things, the United States National Security Agency (http://www.nsa.gov/selinux). Their home-page says it all.
If you stop and think about it, "regular Linux" has one important Achilles heel: too many things are "root or nothing." A web-server might have to run as root, in whole or in part, just to be able to open TCP/IP port #80. In doing so, however, the potential exists that any rogue who can manage to get the web-server program to run as root and to do something nasty ... has just done something nasty to your machine! All because your web-server needed to open port #80.
One of the solutions to this problem, as implemented in these so-called "hardened Linuxes," is to introduce the concept of a capability. Now you can run your web-server as an ordinary joe, with no special powers at all except that it has been granted an "OPEN_PORT_80" (say) capability.
Another weak link in "regular" Linux is the somewhat primitive "user/group/anyone" "read/write/execute" permission-structure, a legacy of the earliest days of Unix on a PDP-8. Access Control Lists (ACLs) enable you to assign more-specific file access rules.
These are a couple of examples of what is referred to as "hardening." Also, "hardening" involves increasing awareness on the part of the system administrator (that means you...) as to what kinds of threats exist and how these various tools can be intelligently used to counter them. Pragmatically speaking, a lot of nasty things happen to people by pure chance: scripts are out there, trolling for IP-addresses of machines that "aren't paying attention" and exploiting them "just because they left the front door unlocked."
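The capability idea described above can be checked on a running system. The following is an added example, not part of the original text: it decodes the effective capability mask that Linux reports in /proc/<pid>/status and tells a "root or nothing" web-server from one holding only the port-binding capability. It assumes the mainline kernel's CAP_NET_BIND_SERVICE as the real counterpart of the hypothetical "OPEN_PORT_80"; the two status samples are constructed.

```python
# Added example: audit the effective capability set from /proc/<pid>/status.
# Bit numbers follow linux/capability.h; only a subset is named here.
CAP_BITS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
            10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
            19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
NET_BIND_ONLY = 1 << 10  # the only bit a port-80 listener needs

# Constructed samples (not captured from a real host).
ROOT_SERVER = "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
HARDENED_SERVER = "Name:\thttpd\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\n"

def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    euid = mask = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            euid = int(value.split()[1])  # fields: real, effective, saved, fs
        elif key == "CapEff":
            mask = int(value.strip(), 16)
    if euid is None or mask is None:
        raise ValueError("status text lacks a Uid or CapEff line")
    return euid, mask

def cap_names(mask):
    """Expand a capability bitmask into names (unnamed bits become cap_<n>)."""
    return [CAP_BITS.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]

def assess(text):
    """Classify a process by how much privilege it actually holds."""
    euid, mask = parse_status(text)
    if mask == 0:
        verdict = "unprivileged"
    elif mask == NET_BIND_ONLY:
        verdict = "least-privilege"
    elif euid == 0:
        verdict = "root-or-nothing"
    else:
        verdict = "over-privileged"
    return euid, cap_names(mask), verdict

if __name__ == "__main__":
    for label, sample in (("root", ROOT_SERVER), ("hardened", HARDENED_SERVER)):
        euid, caps, verdict = assess(sample)
        print(f"{label}: euid={euid} caps={len(caps)} -> {verdict}")
    try:  # also report on this interpreter when run on Linux
        with open("/proc/self/status") as fh:
            print("self:", assess(fh.read()))
    except OSError:
        pass
```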