When I start a random systemd service written by myself on Fedora, I
notice that the service gets:
system_u:system_r:unconfined_service_t
That's without me configuring SELinux for my service in any way.
Furthermore, I notice that my service has the right to access all files
freely across all file systems.
Again, without any special setup, my service executable gets this label:
system_u:object_r:bin_t:s0
I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?
Marko
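
An added example, not part of the original post: one way to inventory which processes run in the `unconfined_service_t` domain mentioned above, by parsing `ps -eZ` output. The helper names and the sample process list are constructed for illustration; on a live system, pipe real `ps -eZ` output into `unconfined_services`.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Print the type field of an SELinux context (user:role:type[:level]).
# The level is optional and may itself contain colons (s0-s0:c0.c1023),
# so the type is always taken as the third colon-separated field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ps -eZ` style lines (LABEL PID TTY TIME CMD) on stdin and print
# "PID CMD" for each process whose domain is unconfined_service_t.
unconfined_services() {
    awk '
        $1 == "LABEL" { next }                      # skip the header line
        {
            n = split($1, f, ":")                   # f[3] is the type
            if (n >= 3 && f[3] == "unconfined_service_t")
                print $2, $NF
        }'
}

# Constructed sample standing in for real `ps -eZ` output.
sample_ps() {
cat <<'EOF'
LABEL                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 2301 ?     00:00:00 myservice
system_u:system_r:unconfined_service_t   2302 ?      00:00:00 other
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3100 pts/0 00:00:00 bash
EOF
}

# Run against the sample; replace with `ps -eZ | unconfined_services` on a host.
sample_ps | unconfined_services
```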