Chapter 3.


Targeted Policy Overview


This chapter is an overview and examination of the targeted policy, which is the supported policy for


Red Hat Enterprise Linux.


Much of the content in this chapter is applicable to all the kinds of SELinux policy, in terms of file


locations and type of content in those files. What is different is which files exist in the key locations


and what is in them.


As with Chapter 2 SELinux Policy Overview, you need to install both the policy source and binary


packages for the targeted policy.


selinux policy targeted sources  version


:


;


  selinux policy targeted  version


:


;


Important


When you have the policy sources installed, rpm may assume that you have modified the policy and


may not automatically load a newly installed policy. This occurs if you have ever loaded the policy


from source, that is make load, make reload, or make install. New binary policy packages install


policy. version


as, for example, $SELINUX_POLICY/policy.18.rpmnew.


<


=


If you have not modified the policy or want to use the binary policy package, you can mv


policy.18.rpmnew policy.18, then touch /.autorelabel and reboot. If you have modified the


policy and want to load your modifications, you must upgrade the policy source package and make


load. Policy building is discussed in Chapter 7 Compiling SELinux Policy .


If you have only built the policy but never loaded it, that is, only run make policy, you should not run


into this situation. The binary policy package installs cleanly, having determined you are not running


a custom policy.


Work is ongoing to improve package installation logic so the entire process is automated by rpm.


Expect this to be included in a future update to Red Hat Enterprise Linux 4.


3.1. What is the Targeted Policy?


The SELinux policy is highly configurable. For Red Hat Enterprise Linux 4, Red Hat supports a


single policy, the targeted policy. Under the targeted policy, every subject and object runs in the


unconfined_t


domain except for the specific targeted daemons. The objects on the system that are


in the


unconfined_t


domain are allowed by SELinux to have no restrictions and fall back to using


standard Linux security, that is, DAC. This policy is flexible enough to fit into enterprise infrastruc 


tures. The daemons that are part of the targeted policy run in their own domains and are restricted


in every operation they perform on the system. This way daemons that are broken or exploited are


limited in the damage they can do.


The opposite of the targeted policy is the strict policy. This does not ship with Red Hat Enterprise


Linux. In the strict policy, every subject and object are in a specific security domain, with all inter 


actions and transitions individually considered within the policy rules. This is a much more complex


environment.


This guide focuses on the targeted policy that comes with Red Hat Enterprise Linux, and the compo 


nents of SELinux used by the targeted daemons.


The targeted daemons are:








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved