constraining an app in targeted policy

Stephen Smalley sds at
Tue Dec 20 13:26:21 UTC 2005

On Mon, 2005-12-19 at 23:16 -0600, Benjamin Youngdahl wrote:
> I have a question on locking down an application under the targeted
> policy.
> The policy module I've tried is below.  I can see that the process has
> the appropriate type in "ps -Z".:
> root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00
> bentest 
> But it still appears to have all the power of "unconfined_t".  I did
> to a "restorecon -RF", and the files are appropriately labeled.

What makes you say it has all the power of unconfined_t?  

> Is it possible for an app to confine "unconfined_t", or should I be
> switching over to the replacement for the strict policy?  (I think it
> is just called "mls" at this point, which is a confusing name
> considering that targeted itself is an "mls" it seems.) 

You should be able to confine a particular application under targeted
policy, just by putting it into its own domain, as you seem to be doing.
No need to switch to strict policy for that.  MLS has a specific
meaning, not relevant here.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list