On 11/17/2014 09:44 AM, Paddie O'Brien wrote:
> Hi,
>
> As a learning exercise I created a simple policy to sandbox a simple
> program in its own domain.
>
> I had to add rules to the policy to allow the program to be executed
> from unconfined_t. Is this normal? My understanding was that a process
> in unconfined_t was subject only to DAC, so why did I have to add this
> rule? What does unconfined_t actually mean?

SELinux has no intrinsic concept of unconfined_t; unconfined_t is just a type that is allowed to do most things by policy.
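To make the reply concrete, here is an added example (not code from the thread) of a minimal Reference Policy style module that does what the question describes: it gives a program its own domain and grants the transition out of unconfined_t explicitly. The names sandboxdemo_t, sandboxdemo_exec_t and the executable path are assumptions; which of these rules your distribution's base policy already covers through attributes varies, so they are written out in full.

```selinux
policy_module(sandboxdemo, 1.0.0)

# Added example, not from the mailing-list thread. Type names and the
# executable path are assumed for illustration.

gen_require(`
    type unconfined_t;
')

# A confined domain for the program, plus the file type that enters it.
type sandboxdemo_t;
type sandboxdemo_exec_t;
domain_type(sandboxdemo_t)
domain_entry_file(sandboxdemo_t, sandboxdemo_exec_t)

# unconfined_t is "unconfined" only because the base policy carries broad
# allow rules for it. Newly declared types are not necessarily covered by
# those rules, and an automatic domain transition is never implied, so the
# execute permission, the process transition and the type_transition that
# requests it all have to be granted here.
allow unconfined_t sandboxdemo_exec_t:file { getattr open read execute map };
allow unconfined_t sandboxdemo_t:process transition;
type_transition unconfined_t sandboxdemo_exec_t:process sandboxdemo_t;

# What the sandboxed domain itself may do is a separate, deliberately small
# set of rules; nothing leaks in from unconfined_t once the transition happens.
allow sandboxdemo_t self:process { fork sigchld };
allow sandboxdemo_t self:fd use;

# Matching file context (goes in sandboxdemo.fc), assumed path:
# /usr/local/bin/sandboxdemo -- gen_context(system_u:object_r:sandboxdemo_exec_t,s0)
```

On Fedora/RHEL the module builds with `make -f /usr/share/selinux/devel/Makefile sandboxdemo.pp` and installs with `semodule -i sandboxdemo.pp`; after `restorecon` on the binary, `ps -eZ` should show the process running as sandboxdemo_t rather than unconfined_t.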