49.8. Targeted Policy Overview
49.8.1. What is the Targeted Policy?
In the targeted policy, processes run in the unconfined_t domain except for the specific targeted daemons. Processes in the unconfined_t domain have no SELinux restrictions and fall back to standard Linux security, that is, discretionary access control (DAC): ordinary file ownership and permission bits. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way, a daemon that is exploited or compromised in any way is contained by its domain and can only cause the limited damage that domain permits; a compromised unconfined process, by contrast, is limited only by DAC.
For example, the httpd and ntpd daemons are both protected in the default targeted policy, and run in the httpd_t and ntpd_t domains, respectively. The sshd daemon, however, is not protected in this policy, and consequently runs in the unconfined_t domain. The security context of every running process can be listed with ps -eZ; the third colon-separated field of the context is the domain:
    user_u:system_r:httpd_t          25129 ?        00:00:00 httpd
    user_u:system_r:ntpd_t           25176 ?        00:00:00 ntpd
    system_u:system_r:unconfined_t   25245 ?        00:00:00 sshd
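As an added example (this script is not part of the Red Hat guide), the following POSIX shell script turns the manual ps -eZ inspection above into a repeatable check: it reports, for a list of daemons, whether each runs in its own domain or has fallen back to unconfined_t, and lists every unconfined process. The embedded listing is constructed, modelled on the output shown above with a header line and a bash process added; the function names daemon_domain, is_confined and audit_unconfined are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit which processes are
# confined by the targeted policy and which run in unconfined_t (plain DAC).
# It parses `ps -eZ` output, whose columns are: LABEL PID TTY TIME CMD.

# Constructed sample of `ps -eZ` output, modelled on the listing in the text
# (the header line and the bash entry are added for illustration).
# On a live system replace it with:  SAMPLE_PS=$(ps -eZ)
SAMPLE_PS='LABEL                            PID TTY          TIME CMD
user_u:system_r:httpd_t        25129 ?        00:00:00 httpd
user_u:system_r:ntpd_t         25176 ?        00:00:00 ntpd
system_u:system_r:unconfined_t 25245 ?        00:00:00 sshd
system_u:system_r:unconfined_t 25301 ?        00:00:00 bash'

# daemon_domain NAME PS_TEXT: print the domain (type) of the first process
# named NAME, or nothing if no such process is listed. Contexts have the
# form user:role:type[:level]; splitting on ":" and taking field 3 gives the
# type whether or not an MLS/MCS level such as s0:c0.c1023 is appended.
# Data rows are recognised by a numeric PID in column 2, so the header line
# is skipped without assuming it is present.
daemon_domain() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $2 ~ /^[0-9]+$/ && $5 == name { split($1, ctx, ":"); print ctx[3]; exit }'
}

# is_confined NAME PS_TEXT: succeed only if NAME is running in a domain other
# than unconfined_t. A daemon that is not running at all is reported as not
# confined, so a disabled service is never mistaken for a protected one.
is_confined() {
    d=$(daemon_domain "$1" "$2")
    [ -n "$d" ] && [ "$d" != "unconfined_t" ]
}

# audit_unconfined PS_TEXT: print "PID CMD" for every process whose domain is
# unconfined_t, i.e. every process the targeted policy does not restrict.
audit_unconfined() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^[0-9]+$/ { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $2, $5 }'
}

# Demonstration against the constructed sample.
for svc in httpd ntpd sshd; do
    if is_confined "$svc" "$SAMPLE_PS"; then
        echo "$svc: confined in $(daemon_domain "$svc" "$SAMPLE_PS")"
    else
        echo "$svc: NOT confined (unconfined_t or not running)"
    fi
done
echo "Unconfined processes (PID CMD):"
audit_unconfined "$SAMPLE_PS"
```

Run it unchanged to see the sample evaluated; to audit a real host, set SAMPLE_PS from ps -eZ and extend the daemon list to whatever services the host exposes. Anything the script reports as unconfined is protected by DAC alone if it is compromised.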
Which daemons are targeted depends on the policy version: later Red Hat releases confine many more services under the targeted policy, sshd among them (it runs in the sshd_t domain), so check the actual contexts on the system at hand with ps -eZ rather than relying on this list.

The opposite of the targeted policy is the strict policy. In the strict policy, every subject and object exists in a specific security domain, and all interactions and transitions are individually considered within the policy rules; there is no unconfined_t domain to fall back on, so any access that the policy does not explicitly allow is denied.