Hi Marko,

The default policy in Fedora and other RHEL based distros is "targeted". This name is used as the policy is targeted at specific subsystems, mostly network daemons, which it confines. Any other software that hasn't been targeted for confinement usually run under an unconfined domain label. 

These domains are still subject to selinux policy checks so are technically not unconfined, but they generally have most privileges.

If you want to see what the result would be without these unconfined types you can disable and/or remove their modules with the semodule command. You probably what to do this in permissive mode as it will certainly not produce a running system in enforcing mode.

Good luck

On Sat, 29 Jun. 2019, 01:44 Marko Rauhamaa, <marko@pacujo.net> wrote:

When I start a random systemd service written by myself on Fedora, I
notice that the service gets


That's without me configuring SELinux for my service in any way.

Furthermore, I notice that my service has the right to access all files
freely across all file systems.

Again, without any special setup, my service executable gets this label:


I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?

selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org