When FC2 was released we attempted to add the NSA strict policy to the operating system. We were able to find hundreds of problems in the policy and we quickly found out that users who customized their environments in unexpected ways caused SELinux and the OS to conflict. We decided at that point to take a step back and go with a strategy where we would lock down a few daemons with SELinux and allow the rest of the system to run in the same manner with or without SELinux. Targeted policy was born.
In targeted policy most processes run in an unconfined_t domain, which means for the most part they are not being confined by the SELinux policy. They are still governed by standard Unix security, but not affected by SELinux. Certain network daemons have policy and the unconfined_t policy transitions to those policies when the application starts. So when the system boots init runs in the unconfined_t policy, but when named starts up it transitions to the named_t domain and is locked down. We use the following policies:

nscd.te apache.te dhcpd.te named.te ntpd.te portmap.te snmpd.te squid.te syslogd.te
Also, users can select which daemons they want SELinux to protect via system-config-securitylevel. So if an admin finds that SELinux will not allow his Apache web server to run the way he wants, he can turn off the transition. This will drop it back to normal Unix protections, but all other daemons will continue to be protected by SELinux. Through the use of these "boolean" values the admin can increase or decrease the level of protection SELinux provides.
In the future we plan on adding additional domains that SELinux will protect.
Strict policy is still available but will not be installable directly; you can use selinux-config-securitylevel to turn it on and relabel the file system.
Dan
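As an added illustration (not part of Dan's post or of the Fedora tooling), a small audit that reads `ps -eZ`-style output and reports, for each daemon in the list above, whether it is running in its own domain or has fallen back to unconfined_t (i.e. the transition boolean was turned off). The domain names are assumed from the .te file names, and the ps lines are constructed sample data.

```python
# Added example, not from the original post. Audits which of the targeted
# daemons are actually confined, using constructed `ps -eZ` style output.
import re

# Assumed mapping from the daemons named in the post to their SELinux domains
# (derived from the .te file names; apache.te confines httpd as httpd_t).
EXPECTED_DOMAINS = {
    "nscd": "nscd_t",
    "httpd": "httpd_t",
    "dhcpd": "dhcpd_t",
    "named": "named_t",
    "ntpd": "ntpd_t",
    "portmap": "portmap_t",
    "snmpd": "snmpd_t",
    "squid": "squid_t",
    "syslogd": "syslogd_t",
}

# Constructed sample in `ps -eZ` layout: LABEL PID TTY TIME CMD.
# httpd here runs unconfined, as it would after its transition is disabled.
SAMPLE_PS_OUTPUT = """\
LABEL                             PID TTY          TIME CMD
user_u:system_r:unconfined_t        1 ?        00:00:01 init
system_u:system_r:named_t         812 ?        00:00:00 named
user_u:system_r:unconfined_t      840 ?        00:00:00 httpd
system_u:system_r:syslogd_t       655 ?        00:00:00 syslogd
user_u:system_r:unconfined_t      901 ?        00:00:00 sshd
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_ps_z(text):
    """Return (command, domain) pairs from `ps -eZ` style output."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header line
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        context, _pid, cmd = m.groups()
        domain = context.split(":")[2]          # user:role:type[:level]
        procs.append((cmd, domain))
    return procs


def audit_targeted(procs, expected=EXPECTED_DOMAINS):
    """Classify each listed daemon as confined, unconfined, or in an unexpected domain."""
    result = {}
    for cmd, domain in procs:
        if cmd not in expected:
            continue                            # not a targeted daemon
        if domain == expected[cmd]:
            result[cmd] = "confined"
        elif domain == "unconfined_t":
            result[cmd] = "unconfined"          # transition turned off
        else:
            result[cmd] = "unexpected:" + domain
    return result
```

On a live system the same functions can be fed the real output of `ps -eZ`; a daemon reported as "unconfined" is one whose boolean has dropped it back to plain Unix protections.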