constraining an app in targeted policy

Steve Brueckner steve at
Tue Dec 20 15:22:47 UTC 2005

Stephen Smalley wrote:
> On Mon, 2005-12-19 at 23:16 -0600, Benjamin Youngdahl wrote:
>> I have a question on locking down an application under the targeted
>> policy. 
>> The policy module I've tried is below.  I can see that the process
>> has the appropriate type in "ps -Z":
>> root:system_r:bentest_t:SystemLow-SystemHigh 13127 pts/1 00:00:00 bentest
>> But it still appears to have all the power of "unconfined_t".  I did
>> do a "restorecon -RF", and the files are appropriately labeled.
> What makes you say it has all the power of unconfined_t?

Remove the allows from your .te file and see how much power it has.  
Or maybe there are some macros in there giving the domain permissions.  
Also, make sure you're not running in permissive mode.

Stephen Brueckner, ATC-NY
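The two checks suggested in the reply above (look at what the .te file actually grants, and confirm the box is enforcing) can be scripted. The following is an added example, not code from the thread; it audits a constructed bentest module of my own, in which the unconfined_domain() interface call stands in for the kind of macro that would quietly hand a domain unconfined_t-like power. The "unconfined" name match is a heuristic of this script, not a rule from the policy tools, and getenforce is only consulted when it is installed.

```shell
#!/bin/sh
# Constructed sample module modelled on the bentest_t domain from the thread.
# The unconfined_domain() line is a deliberately planted broad grant; it is
# not part of the original poster's module, which the thread does not show.
SAMPLE_TE='policy_module(bentest, 1.0)

type bentest_t;
type bentest_exec_t;
domain_type(bentest_t)
domain_entry_file(bentest_t, bentest_exec_t)

# broad grant: this is the kind of macro the reply warns about
unconfined_domain(bentest_t)

allow bentest_t self:process { fork signal };
allow bentest_t bentest_exec_t:file { read execute entrypoint };
'

# Print the explicit allow rules from a .te file read on stdin.
list_allows() {
    grep -E '^[[:space:]]*allow[[:space:]]' | sed 's/^[[:space:]]*//'
}

# Print interface (macro) calls: an identifier immediately followed by "(",
# excluding the module header and gen_require blocks.
list_macros() {
    grep -E '^[[:space:]]*[a-z_]+\(' \
        | grep -vE '^[[:space:]]*(policy_module|gen_require)\(' \
        | sed 's/^[[:space:]]*//'
}

# Count macro calls whose name contains "unconfined" (heuristic for blanket grants).
count_broad_macros() {
    list_macros | grep -c 'unconfined'
}

# Report the SELinux mode; prints "unknown" where getenforce is not available.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unknown
    fi
}

# Audit one .te file ($1): what it allows, which macros it pulls in, and the host mode.
audit_module() {
    echo "== allow rules =="
    list_allows < "$1"
    echo "== interface/macro calls =="
    list_macros < "$1"
    echo "== macro calls matching 'unconfined': $(count_broad_macros < "$1") =="
    echo "== SELinux mode: $(selinux_mode) =="
}

# Stand-alone usage: audit a module given as $1, otherwise the constructed sample.
if [ -n "$1" ]; then
    audit_module "$1"
else
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_TE" > "$tmp"
    audit_module "$tmp"
    rm -f "$tmp"
fi
```

A mode of "Permissive" means every denial is logged but nothing is blocked, which matches the symptom in the question; a non-zero count of "unconfined" macro calls means the domain is not really confined no matter how few explicit allow rules the file has.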

