Applies access controls to a limited number of processes that are believed to be most
likely to be the targets of an attack on the system. Targeted processes run in their own
SELinux domain, known as a confined domain, which restricts access to
files that an attacker could exploit. If SELinux detects that a targeted process is trying
to access resources outside the confined domain, it denies access to those resources and
logs the denial. Only specific services run in confined domains. Examples are services
that listen on a network for client requests, such as httpd, named, and sshd, and
processes that run as root to perform tasks on behalf of users, such as passwd. Other
processes, including most user processes, run in an unconfined domain where only DAC
rules apply. If an attack compromises an unconfined process, SELinux does not prevent
access to system resources and data.
The following table lists examples of SELinux domains.
| Domain | Description |
|---|---|
| | init and processes executed by init |
| | Kernel processes |
| | Processes executed by Oracle Linux users run in the unconfined domain |
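
The confined and unconfined domains and the logged denials described above can be inspected from a process listing and the audit log. The following is an added example, not part of the original documentation: it reads `ps -eZ` output to report each process's domain and parses AVC denial records. The sample data is constructed, and the set of type names treated as unconfined is a simplifying assumption.

```python
import re

# Assumption: only these types count as unconfined; real policies may define more.
UNCONFINED_TYPES = {"unconfined_t", "unconfined_service_t"}

# Constructed `ps -eZ` output (not captured from a real host).
PS_SAMPLE = """\
LABEL                                                  PID TTY      TIME     CMD
system_u:system_r:httpd_t:s0                          1234 ?        00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023                987 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2001 pts/0    00:00:00 bash
"""

# Constructed audit records: one AVC denial and one unrelated record.
AUDIT_SAMPLE = (
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } for  '
    'pid=1234 comm="httpd" path="/etc/shadow" dev="dm-0" ino=5678 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0\n'
    'type=USER_LOGIN msg=audit(1700000001.000:457): pid=987 uid=0 res=success\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

def domain_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def classify_processes(ps_output):
    """Map PID -> (command, domain, is_confined) from `ps -eZ` text."""
    procs = {}
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 4)
        if len(fields) == 5:
            domain = domain_of(fields[0])
            procs[int(fields[1])] = (fields[4], domain, domain not in UNCONFINED_TYPES)
    return procs

def parse_denials(audit_text):
    """Return one dict per AVC denial: who was denied what, on which type."""
    return [{"comm": m["comm"], "source_domain": domain_of(m["scontext"]),
             "target_type": domain_of(m["tcontext"]), "tclass": m["tclass"],
             "perms": m["perms"].split()}
            for m in map(AVC_RE.search, audit_text.splitlines()) if m]
```

On a live system the same functions can be fed the real output of `ps -eZ` and the AVC records from the audit log in place of the constructed samples.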