Targeted Policy
A targeted policy applies access controls to a limited number of processes that are believed
to be most likely to be the targets of an attack on the system. Targeted processes run in
their own SELinux domain, known as a confined domain, which restricts access to files
that an attacker could exploit. If SELinux detects that a targeted process is trying to access
resources outside the confined domain, it denies access to those resources and logs the
denial. Only specific services run in confined domains. Examples are services that listen on a
network for client requests, such as httpd,
named, and sshd, and processes that run as
root
to perform tasks on behalf of users, such as
passwd. Other processes, including most user processes, run in an
unconfined domain where only DAC rules apply. If an attack compromises an unconfined process,
SELinux doesn't prevent access to system resources and data.
The following table shows examples of SELinux domains.
Domain | Description |
---|---|
|
|
|
HTTP daemon threads |
|
Kernel threads |
|
|
|
Processes that are started by Oracle Linux users run in the unconfined domain |