Chapter 3. Targeted Policy Overview

This chapter is an overview and examination of the targeted policy, which is the supported policy for Red Hat Enterprise Linux.

Much of the content in this chapter is applicable to all the kinds of SELinux policy, in terms of file locations and type of content in those files. What is different is which files exist in the key locations and what is in them.

As with Chapter 2 SELinux Policy Overview, you need to install both the policy source and binary packages for the targeted policy.

Important

When you have the policy sources installed, rpm may assume that you have modified the policy and may not automatically load a newly installed policy. This occurs if you have ever loaded the policy from source, that is, with make load, make reload, or make install. New binary policy packages then install policy.<version> as, for example, $SELINUX_POLICY/policy.18.rpmnew rather than replacing the policy in place.

If you have not modified the policy or want to use the binary policy package, you can mv policy.18.rpmnew policy.18, then touch /.autorelabel and reboot. If you have modified the policy and want to load your modifications, you must upgrade the policy source package and make load. Policy building is discussed in Chapter 7 Compiling SELinux Policy.

If you have only built the policy but never loaded it, that is, only run make policy, you should not run into this situation. The binary policy package installs cleanly, having determined you are not running a custom policy.
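The decision described above, written as a small POSIX shell helper. This is an added example, not part of the guide or of the Red Hat package scriptlets; the policy directory, the relabel-flag path and the "modified" indicator are parameters (assumptions) so it can be tried against a scratch directory instead of the live $SELINUX_POLICY and /.autorelabel.

```shell
#!/bin/sh
# Added example: find binary policies that rpm left as policy.<version>.rpmnew
# and, only when the policy has NOT been modified from source, move them into
# place and schedule a relabel. $1 is the policy directory (normally
# $SELINUX_POLICY), $2 the relabel flag (normally /.autorelabel) and $3 is
# "modified" if the policy was ever loaded with make load/reload/install.

# Print the version numbers of pending policy.<N>.rpmnew files in directory $1.
pending_policy_versions() {
    dir="$1"
    for f in "$dir"/policy.*.rpmnew; do
        [ -e "$f" ] || continue          # glob did not match anything
        v=${f##*/policy.}                # strip leading path and "policy."
        v=${v%.rpmnew}                   # strip trailing ".rpmnew"
        echo "$v"
    done
}

# Adopt the packaged binary policy: mv policy.N.rpmnew policy.N and touch the
# relabel flag. Returns 1 without touching anything when the policy was loaded
# from source, because then the right path is upgrading the source package and
# running make load, as the guide states.
adopt_binary_policy() {
    dir="$1"; flag="$2"; modified="$3"
    if [ "$modified" = "modified" ]; then
        echo "policy was loaded from source; upgrade the source package and run make load" >&2
        return 1
    fi
    n=0
    for v in $(pending_policy_versions "$dir"); do
        mv "$dir/policy.$v.rpmnew" "$dir/policy.$v" || return 1
        n=$((n + 1))
    done
    # Only schedule a relabel (and reboot) when a new policy was put in place.
    [ "$n" -gt 0 ] && touch "$flag"
    return 0
}
```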

Work is ongoing to improve package installation logic so the entire process is automated by rpm. Expect this to be included in a future update to Red Hat Enterprise Linux 4.

3.1. What is the Targeted Policy?

The SELinux policy is highly configurable. For Red Hat Enterprise Linux 4, Red Hat supports a single policy, the targeted policy. Under the targeted policy, every subject and object runs in the unconfined_t domain except for the specific targeted daemons. Subjects and objects in the unconfined_t domain are placed under no SELinux restrictions and fall back to standard Linux security, that is, DAC. This policy is flexible enough to fit into enterprise infrastructures. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way, daemons that are broken or exploited are limited in the damage they can do.

The opposite of the targeted policy is the strict policy, which does not ship with Red Hat Enterprise Linux. In the strict policy, every subject and object is in a specific security domain, with all interactions and transitions individually considered within the policy rules. This is a much more complex environment.

This guide focuses on the targeted policy that comes with Red Hat Enterprise Linux, and the components of SELinux used by the targeted daemons.

The targeted daemons are:

The policy can be manipulated using command line or GUI tools. This is discussed extensively in Chapter 5 Controlling and Maintaining SELinux. Chapter 6 Tools for Manipulating and Analyzing SELinux and Chapter 7 Compiling SELinux Policy are two other chapters that detail working with the targeted policy.