49.8. Targeted Policy Overview
49.8.1. What is the Targeted Policy?
unconfined_tdomain except for the specific targeted daemons. Objects that are in the
unconfined_tdomain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
ntpdaemons are both protected in the default targeted policy, and run in the
ntpd_tdomains, respectively. The
sshdaemon, however, is not protected in this policy, and consequently runs in the
user_u:system_r:httpd_t 25129 ? 00:00:00 httpd user_u:system_r:ntpd_t 25176 ? 00:00:00 ntpd system_u:system_r:unconfined_t 25245 ? 00:00:00 sshd
The opposite of the targeted policy is the strict policy . In the strict policy, every subject and object exists in a specific security domain, and all interactions and transitions are individually considered within the policy rules.
49.8.2. Files and Directories of the Targeted Policy
49.8.3. Understanding the Users and Roles in the Targeted Policy
unconfined_ttype exists in every role, which significantly reduces the usefulness of roles in the targeted policy. More extensive use of roles requires a change to the strict policy paradigm, where every process runs in an individually considered domain.
object_r. The initial role is
system_r, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.
object_r, is an implied role and is not found in policy source. Because roles are created and populated by types using one or more declarations in the policy, there is no single file that declares all roles. (Remember that the policy itself is generated from a number of separate files.)
- This role is for all system processes except user processes:
system_r (28 types) dhcpd_t httpd_helper_t httpd_php_t httpd_suexec_t httpd_sys_script_t httpd_t httpd_unconfined_script_t initrc_t ldconfig_t mailman_cgi_t mailman_mail_t mailman_queue_t mysqld_t named_t ndc_t nscd_t ntpd_t pegasus_t portmap_t postgresql_t snmpd_t squid_t syslogd_t system_mail_t unconfined_t winbind_helper_t winbind_t ypbind_t
- This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing for the users to have special roles to perform privileged operations. In the targeted policy, all users run in the
- In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together entities which perform actions (for example, processes). All such entities are collectively referred to as subjects. For this reason, all objects have the role
object_r, and the role is only used as a placeholder in the label.
- This is the system administrator role in a strict policy. If you log in directly as the root user, the default role may actually be
staff_r. If this is true, use the
newrole -r sysadm_rcommand to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain
sysadm_r (6 types) httpd_helper_t httpd_sys_script_t initrc_t ldconfig_t ndc_t unconfined_t
user_uidentity was chosen because
libselinuxfalls back to
user_uas the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using
user_uas the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.
root. You may notice
rootas the user identity in a process's context. This occurs when the SELinux user
rootstarts daemons from the command line, or restarts a daemon originally started by
system_ralready had existing authorization for the daemon domains, simplifying the process. This was done because no mechanism currently exists to alias roles.