Re: unconfined_service_t
Hi Marko,
The default policy in Fedora and other RHEL based distros is "targeted".
This name is used as the policy is targeted at specific subsystems, mostly
network daemons, which it confines. Any other software that hasn't been
targeted for confinement usually run under an unconfined domain label.
These domains are still subject to selinux policy checks so are technically
not unconfined, but they generally have most privileges.
If you want to see what the result would be without these unconfined types
you can disable and/or remove their modules with the semodule command. You
probably what to do this in permissive mode as it will certainly not
produce a running system in enforcing mode.
Good luck
Phil
On Sat, 29 Jun. 2019, 01:44 Marko Rauhamaa, <marko(a)pacujo.net> wrote:
When I start a random systemd service written by myself on Fedora, I
notice that the service gets
system_u:system_r:unconfined_service_t
That's without me configuring SELinux for my service in any way.
Furthermore, I notice that my service has the right to access all files
freely across all file systems.
Again, without any special setup, my service executable gets this label:
system_u:object_r:bin_t:s0
I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?
Marko
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
Attachments:
- attachment.html (text/html — 2.9 KB)