[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

What is SELinux targeted policy?

When FC2 was released we attempted to add the NSA strict policy to the operating system. We were able to find hundreds of problems in the policy and we quickly found out that users
who customized their environments in unexpected ways caused SELinux and the OS to conflict.
We decided at that point to take a step back and go with a strategy where we would lock down
a few daemons with SELinux and allow the rest of the system to run in the same manner with
or without SELinux. Targeted policy was born.

In targeted policy most processes run in a unconfined_t domain, which means for the most part they
are not being confined by the SELinux policy. They are still governed by Standard unix security, but
not effected by SELinux. Certain network daemons have policy and the unconfined_t policy transitions
to those policies when the application starts. So when the system boots init runs in the unconfined_t policy,
but when named starts up it transitions to the named_t domain and is locked down. We use the following

nscd.te apache.te dhcpd.te named.te ntpd.te portmap.te snmpd.te squid.te syslogd.te

Also users can select which daemons he want to have SELinux to protect via system-config-securitylevel. So if an admin finds that SELinux will not allow his apache web server to run the way he wants he can
turn off the transition. This will drop it back to normal Unix protections, but all other daemons will continue
to be protected by SELinux. Through the use of these "boolean" values the admin can increase or decrease the
level of protection SELinux provides.

In the future we plan on adding additional Domains that SELinux will protect.

Strict policy is still available but will be not be installable directly, you can use selinux-config-securitylevel to turn it on
and relabel the file system.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]