11.4. Summary

  • The goal of strict policy is to make maximum use of SELinux to provide separate domain types for each program that reasonably needs one. The strict example policy is most directly reflective of the original NSA example policy that has evolved through many years of community development.

  • Targeted example policy is derived from the strict example policy. The goal of the targeted policy is to use SELinux to isolate high-risk system services from the rest of the system. Targeted policy runs most programs in an unconfined domain that essentially neutralizes the enhanced security of SELinux. Only the targeted services have enhanced restrictions.

  • Both strict and targeted example policy source trees are similar in nature. They have evolved over time, and contain a large set of files and directories.

  • The build conventions for strict example policy use a loose modular construct that allows the policy source file to be structured on a per-domain basis. In this way, we can decide which program domains we want to include and which we do not. The m4 macro processor is used to provide abstract concepts in the policy sources.

  • The primary difference between the strict and targeted policies is that the targeted policy limits the permission sets of a few outwardly vulnerable services while providing no extra limits for local users and programs, whereas the strict policy defines permission sets for all users and most applications and services.

  • FC4 and RHEL4 systems use the targeted example policy as their default supported policy.
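
An added example, not taken from the book: one way to see the targeted-policy split on a running system is to sort the process labels reported by `ps -eZ` into confined and unconfined domains. The sample output is constructed, `unconfined_t` is assumed as the name of the unconfined domain type, and the function names are hypothetical.

```python
# Constructed sample in the column layout of `ps -eZ` (LABEL PID TTY TIME CMD).
# It was not captured from a real host.
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t        2143 ?        00:00:04 httpd
system_u:system_r:named_t        2210 ?        00:00:00 named -u named
system_u:system_r:unconfined_t   2301 ?        00:00:00 crond
user_u:system_r:unconfined_t     3120 pts/0    00:00:00 bash
user_u:system_r:unconfined_t:s0  3188 pts/0    00:00:00 vim notes.txt
-                                3200 ?        00:00:00 helper
"""


def domain_of(label):
    """Return the type (domain) field of a security context, or None."""
    parts = label.split(":")
    # Contexts are user:role:type, with an optional :level suffix on
    # policies built with MLS/MCS support.
    return parts[2] if len(parts) >= 3 else None


def split_by_confinement(ps_output, unconfined=("unconfined_t",)):
    """Sort processes into (confined, unconfined, unlabeled) lists.

    Each entry is (pid, command, domain). `unconfined` lists the type
    names treated as unconfined (assumption: unconfined_t).
    """
    confined, unconf, unlabeled = [], [], []
    for line in ps_output.splitlines():
        fields = line.split(None, 4)
        # Skip the header and anything that is not a full process row.
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        label, pid, cmd = fields[0], int(fields[1]), fields[4]
        domain = domain_of(label)
        if domain is None:
            unlabeled.append((pid, cmd, domain))   # no usable context
        elif domain in unconfined:
            unconf.append((pid, cmd, domain))      # no extra SELinux limits
        else:
            confined.append((pid, cmd, domain))    # runs in its own domain
    return confined, unconf, unlabeled


if __name__ == "__main__":
    confined, unconf, unlabeled = split_by_confinement(SAMPLE_PS_EZ)
    for name, rows in (("confined", confined), ("unconfined", unconf),
                       ("unlabeled", unlabeled)):
        print(name, [(pid, cmd) for pid, cmd, _ in rows])
```

Under a strict policy the same report would be expected to show few or no processes in the unconfined list, since that policy defines domains for most applications and services.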




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154
