Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
49.8. Targeted Policy Overview
This chapter is an overview and examination of the SELinux targeted policy, the current supported policy for Red Hat Enterprise Linux.
Much of the content in this chapter is applicable to all types of SELinux policy, in terms of file locations and the type of content in those files. The difference lies in which files exist in the key locations and their contents.
49.8.1. What is the Targeted Policy?
The SELinux policy is highly configurable. For Red Hat Enterprise Linux 5, Red Hat supports a single policy, the targeted policy . Under the targeted policy, every subject and object runs in the
unconfined_tdomain except for the specific targeted daemons. Objects that are in the
unconfined_tdomain have no restrictions and fall back to using standard Linux security, that is, DAC. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
For example, the
ntpdaemons are both protected in the default targeted policy, and run in the
ntpd_tdomains, respectively. The
sshdaemon, however, is not protected in this policy, and consequently runs in the
Refer to the following sample output, which illustrates the various domains for the daemons mentioned above:
user_u:system_r:httpd_t 25129 ? 00:00:00 httpd user_u:system_r:ntpd_t 25176 ? 00:00:00 ntpd system_u:system_r:unconfined_t 25245 ? 00:00:00 sshd
The Strict Policy
The opposite of the targeted policy is the strict policy . In the strict policy, every subject and object exists in a specific security domain, and all interactions and transitions are individually considered within the policy rules.
The strict policy is a much more complex environment, and does not ship with Red Hat Enterprise Linux. This guide focuses on the targeted policy that ships with Red Hat Enterprise Linux, and the components of SELinux used by the targeted daemons.
The targeted daemons are as follows:
Depending on your installation, only some of these daemons may be present.