What is SELinux targeted policy?

Daniel J Walsh dwalsh at redhat.com
Mon Sep 20 21:35:44 UTC 2004


When FC2 was released we attempted to add the NSA strict policy to the operating system. We were able to find hundreds of problems in the policy and we quickly found out that users who customized their environments in unexpected ways caused SELinux and the OS to conflict. We decided at that point to take a step back and go with a strategy where we would lock down a few daemons with SELinux and allow the rest of the system to run in the same manner with or without SELinux. Targeted policy was born.

In targeted policy most processes run in an unconfined_t domain, which means for the most part they are not being confined by the SELinux policy. They are still governed by standard Unix security, but not affected by SELinux. Certain network daemons have policy and the unconfined_t policy transitions to those policies when the application starts. So when the system boots, init runs in the unconfined_t policy, but when named starts up it transitions to the named_t domain and is locked down. We use the following policies:

nscd.te apache.te dhcpd.te named.te ntpd.te portmap.te snmpd.te squid.te syslogd.te

Also, users can select which daemons they want SELinux to protect via system-config-securitylevel. So if an admin finds that SELinux will not allow his Apache web server to run the way he wants, he can turn off the transition. This will drop it back to normal Unix protections, but all other daemons will continue to be protected by SELinux. Through the use of these "boolean" values the admin can increase or decrease the level of protection SELinux provides.

In the future we plan on adding additional domains that SELinux will protect.

Strict policy is still available but will not be installable directly; you can use selinux-config-securitylevel to turn it on and relabel the file system.

Dan
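
Added example, not part of the original post: a Python check that reads `ps -eZ` output and reports which of the targeted daemons are running in their confined domain and which have fallen back to unconfined_t (for instance after the transition was turned off). The sample output is constructed, and every domain name except named_t and unconfined_t is an assumption based on the `<daemon>_t` naming convention.

```python
# Added example: find targeted daemons that are not running in their confined domain.
# The daemon list follows the policy files named in the post; every domain name
# except named_t and unconfined_t is an assumption (<daemon>_t convention).
EXPECTED = {
    "nscd": "nscd_t", "httpd": "httpd_t", "dhcpd": "dhcpd_t",
    "named": "named_t", "ntpd": "ntpd_t", "portmap": "portmap_t",
    "snmpd": "snmpd_t", "squid": "squid_t", "syslogd": "syslogd_t",
}

# Constructed `ps -eZ` output, not captured from a real host.
SAMPLE = """\
LABEL                             PID TTY          TIME CMD
user_u:system_r:unconfined_t        1 ?        00:00:01 init
user_u:system_r:syslogd_t        1502 ?        00:00:00 syslogd
user_u:system_r:named_t          1611 ?        00:00:00 named
user_u:system_r:unconfined_t     1700 ?        00:00:00 sshd
user_u:system_r:unconfined_t     1822 ?        00:00:02 httpd
system_u:system_r:ntpd_t:s0      1901 ?        00:00:00 ntpd
"""

def domain_of(label):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None

def audit(ps_output):
    """Return (confined, unprotected): targeted daemons in / out of their domain."""
    confined, unprotected = [], []
    for line in ps_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # header or malformed line
        label, pid, _tty, _time, cmd = fields
        expected = EXPECTED.get(cmd)
        if expected is None:
            continue  # not a targeted daemon; unconfined_t is normal here
        actual = domain_of(label)
        entry = (cmd, int(pid), actual)
        (confined if actual == expected else unprotected).append(entry)
    return confined, unprotected

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    for cmd, pid, dom in ok:
        print(f"confined    {cmd} (pid {pid}) in {dom}")
    for cmd, pid, dom in bad:
        print(f"UNPROTECTED {cmd} (pid {pid}) in {dom}, expected {EXPECTED[cmd]}")
```

On a live host, pass the text returned by `ps -eZ` to `audit()` in place of `SAMPLE`.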





More information about the fedora-devel-list mailing list