Murray McAllister wrote:
> Daniel J Walsh wrote:
>> Murray McAllister wrote:
>>> Stephen Smalley wrote:
>>>> On Wed, 2008-09-03 at 17:41 +1000, Murray McAllister wrote:
>
>>> When a confined subject is compromised by an attacker, depending on
>>> SELinux policy configuration, the attacker's access is to resources and
>>> the possible damage they can do is limited.
>>>
>> If a confined ...
>
> Changed.
>
>>>>> Unconfined Subjects
>>>>>
>>>>> Unconfined subjects run in the unconfined_t domain type. This means
>>>>> that SELinux policy rules do not apply, and only DAC permissions are
>>>>> used.
>> Only unconfined login users run as unconfined_t, init programs run in
>> the unconfined domain initrc_t, unconfined inetd processes run in the
>> inetd_child_t domain. Unconfined kernel processes run in kernel_t.
>> There are about 20 unconfined domains in Fedora 10.
>
> How about:
>
> Unconfined subjects run in unconfined domains, for example, init
> programs run in the unconfined initrc_t domain, unconfined kernel
> subjects run in the kernel_t domain, and unconfined Linux users run in
> the unconfined_t domain. For unconfined subjects, SELinux policy rules
> are applied, but policy rules exist that allow subjects running in
> unconfined domains almost all access. Subjects running in unconfined
> domains almost always fall back to using DAC rules exclusively. If an
> unconfined subject is compromised, SELinux does not prevent the attacker
> from gaining access to system resources and data, but of course, DAC
> rules are still used. SELinux is a security enhancement above DAC rules
> - it does not replace them.

I don't think you need the "almost always"