The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Applies access controls to a limited number of processes that are believed to be most likely to be the targets of an attack on the system. Targeted processes run in their own SELinux domain, known as a confined domain, which restricts access to files that an attacker could exploit. If SELinux detects that a targeted process is trying to access resources outside the confined domain, it denies access to those resources and logs the denial. Only specific services run in confined domains. Examples are services that listen on a network for client requests, such as httpd, named, and sshd, and processes that run as root to perform tasks on behalf of users, such as passwd. Other processes, including most user processes, run in an unconfined domain where only DAC rules apply. If an attack compromises an unconfined process, SELinux does not prevent access to system resources and data.
The following table lists examples of SELinux domains.
| Domain | Description |
|---|---|
| | init and processes executed by init |
| | Kernel processes |
| | Processes executed by Oracle Linux users run in the unconfined domain |
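
To check which processes fall on each side of the confined/unconfined split described above, the following added example (not part of the original documentation) parses `ps -eZ` output and separates processes by the type field of their SELinux context. The sample process list is constructed, and the set of types treated as unconfined is an assumption that depends on the policy version in use.

```python
"""Classify processes by SELinux domain from `ps -eZ` output."""

# Assumption: illustrative set of unconfined types; the real set depends on
# the policy version. Any type not listed here is treated as confined.
UNCONFINED_TYPES = {"unconfined_t", "initrc_t", "unconfined_service_t"}

# Constructed sample in `ps -eZ` layout: LABEL PID TTY TIME CMD
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     1412 ?        00:00:03 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1390 ? 00:00:00 sshd
system_u:system_r:initrc_t:s0    1501 ?        00:00:07 named
unconfined_u:unconfined_r:passwd_t:s0 2304 pts/0 00:00:00 passwd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash
"""


def parse_context(label):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % label)
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": setype, "level": level}


def classify(ps_output):
    """Return (confined, unconfined) lists of (pid, command, domain)."""
    confined, unconfined = [], []
    for line in ps_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[0] == "LABEL":
            continue  # header or malformed line
        label, pid, _tty, _time, cmd = fields
        try:
            domain = parse_context(label)["type"]
        except ValueError:
            continue  # label is not a full context (for example "-")
        entry = (int(pid), cmd, domain)
        (unconfined if domain in UNCONFINED_TYPES else confined).append(entry)
    return confined, unconfined


if __name__ == "__main__":
    for pid, cmd, domain in classify(SAMPLE_PS_EZ)[1]:
        print("unconfined: pid=%d cmd=%s domain=%s" % (pid, cmd, domain))
```

In the constructed sample, `named` appears under `initrc_t`, so a network-facing service is running with only DAC rules in effect; that is the case worth reviewing on a real system.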