The default policy in Fedora and other RHEL-based distros is "targeted".
This name is used as the policy is targeted at specific subsystems, mostly
network daemons, which it confines. Any other software that hasn't been
targeted for confinement usually runs under an unconfined domain label.
These domains are still subject to SELinux policy checks so are technically
not unconfined, but they generally have most privileges.

If you want to see what the result would be without these unconfined types
you can disable and/or remove their modules with the semodule command. You
probably want to do this in permissive mode as it will certainly not
produce a running system in enforcing mode.
On Sat, 29 Jun. 2019, 01:44 Marko Rauhamaa, <marko(a)pacujo.net> wrote:
When I start a random systemd service written by myself on Fedora, I
notice that the service gets
That's without me configuring SELinux for my service in any way.
Furthermore, I notice that my service has the right to access all files
freely across all file systems.
Again, without any special setup, my service executable gets this label:
I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?
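
An added example, not part of either message above: a small audit that reads `ps -eZ` output and lists the processes the targeted policy leaves in an unconfined domain. The function names and the sample listing are constructed for illustration, and matching on a type name that begins with `unconfined` is an assumption based on naming, not a query of the loaded policy.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real host).
sample_ps() {
cat <<'EOF'
LABEL                                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0                               1 ?        00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023                 812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0              1422 ?        00:00:00 myservice
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  2001 pts/0    00:00:00 bash
EOF
}

# Read `ps -eZ` output on stdin and print "PID TYPE CMD" for every
# process whose domain type starts with "unconfined" (assumption: the
# type name is used as the marker, the policy itself is not consulted).
list_unconfined() {
    awk 'NR > 1 {
        # An SELinux context is user:role:type:level
        split($1, ctx, ":")
        if (ctx[3] ~ /^unconfined/) print $2, ctx[3], $NF
    }'
}

# Number of processes found in an unconfined domain.
count_unconfined() {
    list_unconfined | wc -l | tr -d ' '
}

# On a live SELinux host, replace sample_ps with: ps -eZ
sample_ps | list_unconfined
```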