Re: unconfined_service_t

Hi Marko,

The default policy in Fedora and other RHEL based distros is "targeted". This name is used as the policy is targeted at specific subsystems, mostly network daemons, which it confines. Any other software that hasn't been targeted for confinement usually runs under an unconfined domain label.

These domains are still subject to selinux policy checks, so are technically not unconfined, but they generally have most privileges.

If you want to see what the result would be without these unconfined types you can disable and/or remove their modules with the semodule command. You probably want to do this in permissive mode as it will certainly not produce a running system in enforcing mode.

Good luck
Phil

On Sat, 29 Jun. 2019, 01:44 Marko Rauhamaa, <marko@xxxxxxxxxx> wrote:

When I start a random systemd service written by myself on Fedora, I
notice that the service gets

   system_u:system_r:unconfined_service_t

That's without me configuring SELinux for my service in any way.

Furthermore, I notice that my service has the right to access all files
freely across all file systems.

Again, without any special setup, my service executable gets this label:

   system_u:object_r:bin_t:s0


I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?


Marko
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
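The procedure Phil describes (look at what runs unconfined, then drop the unconfined modules in permissive mode and read the resulting AVCs), written out as an added shell example. This is not code from either poster. It assumes the module names "unconfined" and "unconfineduser" are the ones carrying unconfined_service_t/unconfined_t in the targeted policy (confirm with `semodule -l` on your own box), and that the audit tools (`ausearch`) are installed. The two text filters are pure and can be exercised on captured `ps -eZ`/`semodule -l` output without SELinux present.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Audit which processes run in an unconfined domain on a "targeted" system,
# show a service's process and executable labels (Marko's observation), and
# carry out Phil's experiment: disable the unconfined modules while permissive
# and read the AVC messages that enforcing mode would have turned into denials.
#
# Assumptions (mine, not the thread's): modules named "unconfined" and
# "unconfineduser" supply the unconfined domains; ausearch is available.

# Reduce `ps -eZ` output (stdin) to "<type> <command>" for every process whose
# SELinux type is an unconfined domain. The first column is user:role:type[:range].
unconfined_procs() {
    awk '{
        n = split($1, c, ":")
        if (n >= 3 && c[3] ~ /unconfined/) print c[3], $NF
    }'
}

# Reduce `semodule -l` output (stdin) to the modules that supply unconfined domains.
unconfined_modules() {
    awk '$1 ~ /^unconfined/ { print $1 }'
}

# Process label and executable file label for a systemd unit, as Marko saw them
# (unconfined_service_t process, bin_t executable).
show_service_context() {
    unit=$1
    pid=$(systemctl show -p MainPID --value "$unit")
    [ "$pid" -gt 0 ] || { echo "$unit has no main PID" >&2; return 1; }
    ps -o label= -p "$pid"
    ls -Z "$(readlink -f "/proc/$pid/exe")"
}

# Phil's experiment. Refuses to run unless permissive: a targeted system
# without its unconfined modules will not run its services in enforcing mode.
drop_unconfined_experiment() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    if [ "$(getenforce)" != "Permissive" ]; then
        echo "refusing: run 'setenforce 0' first" >&2; return 1
    fi
    echo "== processes currently in unconfined domains =="
    ps -eZ | unconfined_procs
    echo "== disabling unconfined modules (each call rebuilds policy) =="
    for m in $(semodule -l | unconfined_modules); do
        semodule -d "$m"
    done
    echo "Now restart the service under test and exercise it. Then:"
    echo "  ausearch -m AVC -ts recent   # each AVC is a denial enforcing mode would apply"
    echo "Re-enable with: semodule -e unconfined -e unconfineduser"
}

# Usage:  sh confine-check.sh --experiment
#         . ./confine-check.sh; show_service_context myservice.service
if [ "${1:-}" = "--experiment" ]; then
    drop_unconfined_experiment
fi
```

Existing processes keep the label they started with, so the service must be restarted after the modules are disabled for the change to show; `ausearch -m AVC` then lists what a confined policy would have to allow. Re-enabling the modules puts the system back exactly as it was, which is the safe way to end the experiment before returning to enforcing mode.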
