SELinux uses a deny by default approach for its mandatory access control rules. That means that any use of SELinux requires the entire system to be modeled in the SELinux policy. That might be difficult to obtain if a multitude of systems need to have SELinux deployed, even though the protection measures are only needed for a small set of "domains". To enable such policies, SELinux has introduced the concept of unconfined domains
An unconfined domain is a regular SELinux domain, but with massive privileges assigned to it. So although it is called unconfined, it is still managed by SELinux - however, almost all possible privileges are assigned to the unconfined domain, effectively having SELinux grant all access done through the unconfined domain.
An unconfined user is a regular user who is mapped to a SELinux user (usually
unconfined_u) with only one role (
unconfined_r) and has
unconfined_t as the default login type.
Every action performed by the user is done in the
unconfined_t, which is granted all the privileges ever needed (and more).
Unconfined application and daemon domains
However, it isn't sufficient to just consider
unconfined_t as being very "liberal" in the allowed privileges. Domains can be extended with the
unconfined_domain interface (which, amongst various other additional privileges, also "tags" the domains with the
Querying which domains are assigned this attribute helps in identifying which services are, even though still SELinux-managed, very widely privileged.
seinfo -aunconfined_domain_type -x