The targeted example policy is derived from the strict example policy, and its structure and organization are nearly identical. Whereas the strict policy attempts to make maximum use of all the SELinux power to provide strong security for most programs, the targeted policy has a goal to isolate high-risk programs and make SELinux neutral. The benefit of the targeted policy is that significant security can be added to a Linux system while reducing the risk of problems with existing programs. The targeted policy primarily focuses on network- system services (that is, those most likely to be by outsiders) and enforces no additional restrictions on local programs and ordinary users. The targeted policy is the standard policy for RHEL and FC systems because it strikes a good balance between enhanced security and the risk of excessive application
If installed (see Appendix A), we should be able to see the targeted example policy sources in . In most respects, the targeted example policy source looks exactly like the strict example policy sources, so we do not provide a detailed overview of the targeted file structure. We instead highlight the differences.
The primary difference between strict and targeted example policies is the use of the unconfined domain type ( ) and removal of any other user domain type (for example, ). This also means the basic role structure of the strict example policy is removed (all users run as ) and that nearly all user-run programs execute with the
We can find the unconfined domain defined in . Notice that in the targeted example policy, the strict policy files are no longer present in . These files define the various user domains for the strict example policy, each of which has limited privilege. In the targeted example policy, all programs run with domain type unless they are "targeted" (hence the ). The unconfined domain has access to all SELinux types, making it largely exempt from the SELinux security controls (hence "unconfined").
This leads to the major difference between strict and targeted policies (that is, the targets ). In the strict example policy, contains many policy modules, each of which represents one or more domain types and associated types and rules for specific programs. In the targeted example policy, this directory contains a smaller set of files; these are the targets.
The targeted example policy modules are similar to the policy modules in the strict policy. For example, we should find the strict module and the targeted module to be identical. However, some of the targeted modules simply define types but then make the domain unconfined (rather than targeted). For example, if we look at the targeted policy for ), we will find the line . This macro, which is defined in for the targeted example policy, effectively gives the domain type all SELinux access, making it unconfined. If we compare this with the strict version of the ), we will see a significant difference. In the targeted policy, an unconfined domain, whereas remains a strict domain in both policies.
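The distinction just described, between a targeted module that genuinely confines its domain and one that declares the domain type but then hands it to the unconfined macro, is something an auditor of a policy source tree wants to check mechanically. The following is an added example, not code from the book or from the example policy: it assumes the macro is spelled unconfined_domain() and that domains are declared in the old example-policy form `type X, domain, ...;`; the module sources below are constructed for illustration.

```python
"""Classify domain types in SELinux example-policy module sources as
confined or unconfined, depending on whether the module passes the
domain to the unconfined_domain() macro (assumed macro name)."""
import re
from typing import Dict, List

# Constructed module sources in the style of the old example policy
# (names and rules are illustrative, not copied from any real policy).
TARGETED_MODULES = {
    "domains/program/ypbind.te": """
type ypbind_t, domain, privlog;
type ypbind_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, ypbind_exec_t, ypbind_t)
unconfined_domain(ypbind_t)
""",
    "domains/program/dhcpd.te": """
type dhcpd_t, domain, privlog;
type dhcpd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, dhcpd_exec_t, dhcpd_t)
allow dhcpd_t self:udp_socket create_socket_perms;
""",
}

# `type NAME, attr1, attr2;` declarations and `unconfined_domain(NAME)` calls
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*,\s*([^;]*);", re.M)
UNCONFINED = re.compile(r"^\s*unconfined_domain\(\s*(\w+)\s*\)", re.M)


def domains_in(source: str) -> List[str]:
    """Return the type names declared with the `domain` attribute."""
    return [name for name, attrs in TYPE_DECL.findall(source)
            if "domain" in [a.strip() for a in attrs.split(",")]]


def classify(modules: Dict[str, str]) -> Dict[str, str]:
    """Map every domain type found in the modules to 'confined' or
    'unconfined'. A domain is unconfined only if its own module passes
    it to unconfined_domain(); everything else keeps its rule set."""
    result: Dict[str, str] = {}
    for src in modules.values():
        unconfined = set(UNCONFINED.findall(src))
        for dom in domains_in(src):
            result[dom] = "unconfined" if dom in unconfined else "confined"
    return result


if __name__ == "__main__":
    for dom, state in sorted(classify(TARGETED_MODULES).items()):
        print(f"{dom:14s} {state}")
```

Run against a real targeted tree, the same two regexes applied over every file in the modules directory give the list of programs that are only nominally "targeted" because their domain is immediately made unconfined.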
The remaining differences between strict and targeted example policies are subtle and outside the scope of this book. You will find that the make targets and build options are all similar to strict.