Applies access controls to a limited number of processes that
are believed to be most likely to be the targets of an attack
on the system. Targeted processes run in their own SELinux
domain, known as a confined domain, which
restricts access to files that an attacker could exploit. If
SELinux detects that a targeted process is trying to access
resources outside the confined domain, it denies access to
those resources and logs the denial. Only specific services
run in confined domains. Examples are services that listen on
a network for client requests, such as
httpd, named, and
sshd, and processes that run as
root
to perform tasks on behalf of users,
such as passwd. Other processes, including
most user processes, run in an unconfined domain where only
DAC rules apply. If an attack compromises an unconfined
process, SELinux does not prevent access to system resources
and data.
The following table lists examples of SELinux domains.
Domain | Description |
---|---|
|
|
| HTTP daemon threads |
| Kernel threads |
|
|
| Processes executed by Oracle Linux users run in the unconfined domain |