unconfined_service_t

Friday, 28 June 2019

When I start a random systemd service written by myself on Fedora, I
notice that the service gets

   system_u:system_r:unconfined_service_t

That's without me configuring SELinux for my service in any way.

Furthermore, I notice that my service has the right to access all files
freely across all file systems.

Again, without any special setup, my service executable gets this label:

   system_u:object_r:bin_t:s0

I thought SELinux was about granting minimal access (and no access by
default), but Fedora has granted my service maximal access by default.
What have I not understood?

Marko

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

unconfined_service_t