SELinux/Unconfined domains

SELinux uses a deny by default approach for its mandatory access control rules. That means that any use of SELinux requires the entire system to be modeled in the SELinux policy. That might be difficult to obtain if a multitude of systems need to have SELinux deployed, even though the protection measures are only needed for a small set of "domains". To enable such policies, SELinux has introduced the concept of unconfined domains

Introduction
An unconfined domain is a regular SELinux domain, but with massive privileges assigned to it. So although it is called unconfined, it is still managed by SELinux - however, almost all possible privileges are assigned to the unconfined domain, effectively having SELinux grant all access done through the unconfined domain.

Unconfined users
An unconfined user is a regular user who is mapped to a SELinux user (usually ) with only one role  and has   as the default login type.

Every action performed by the user is done in the, which is granted all the privileges ever needed (and more).

Unconfined application and daemon domains
However, it isn't sufficient to just consider  as being very "liberal" in the allowed privileges. Domains can be extended with the  interface (which, amongst various other additional privileges, also "tags" the domains with the   attribute.

Querying which domains are assigned this attribute helps in identifying which services are, even though still SELinux-managed, very widely privileged.