SELinux/Unconfined domains

From Gentoo Wiki
Jump to: navigation, search

SELinux uses a deny by default approach for its mandatory access control rules. That means that any use of SELinux requires the entire system to be modeled in the SELinux policy. That might be difficult to obtain if a multitude of systems need to have SELinux deployed, even though the protection measures are only needed for a small set of "domains". To enable such policies, SELinux has introduced the concept of unconfined domains


An unconfined domain is a regular SELinux domain, but with massive privileges assigned to it. So although it is called unconfined, it is still managed by SELinux - however, almost all possible privileges are assigned to the unconfined domain, effectively having SELinux grant all access done through the unconfined domain.

Unconfined users

An unconfined user is a regular user who is mapped to a SELinux user (usually unconfined_u) with only one role (unconfined_r) and has unconfined_t as the default login type.

Every action performed by the user is done in the unconfined_t, which is granted all the privileges ever needed (and more).

Unconfined application and daemon domains

However, it isn't sufficient to just consider unconfined_t as being very "liberal" in the allowed privileges. Domains can be extended with the unconfined_domain interface (which, amongst various other additional privileges, also "tags" the domains with the unconfined_domain_type attribute.

Querying which domains are assigned this attribute helps in identifying which services are, even though still SELinux-managed, very widely privileged.

root #seinfo -aunconfined_domain_type -x