Chapter 3. Targeted Policy Overview
This chapter is an overview and examination of the targeted policy, which is the supported policy for
Red Hat Enterprise Linux.
Much of the content in this chapter is applicable to all the kinds of SELinux policy, in terms of file
locations and type of content in those files. What is different is which files exist in the key locations
and what is in them.
As with Chapter 2 SELinux Policy Overview, you need to install both the policy source and binary
packages for the targeted policy.
selinux-policy-targeted-sources-<version>
selinux-policy-targeted-<version>
Important
When you have the policy sources installed, rpm may assume that you have modified the policy and
may not automatically load a newly installed policy. This occurs if you have ever loaded the policy
from source, that is make load, make reload, or make install. New binary policy packages install
policy.<version> as, for example, $SELINUX_POLICY/policy.18.rpmnew.
If you have not modified the policy or want to use the binary policy package, you can mv
policy.18.rpmnew policy.18, then touch /.autorelabel and reboot. If you have modified the
policy and want to load your modifications, you must upgrade the policy source package and make
load. Policy building is discussed in Chapter 7 Compiling SELinux Policy.
If you have only built the policy but never loaded it, that is, only run make policy, you should not run
into this situation. The binary policy package installs cleanly, having determined you are not running
a custom policy.
Work is ongoing to improve package installation logic so the entire process is automated by rpm.
Expect this to be included in a future update to Red Hat Enterprise Linux 4.
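A dry-run check for the situation described in the note above, as an added example that is not part of the original guide: it lists any policy.<version>.rpmnew file left in a policy directory and prints the commands the note gives without running them. The function names and the directory argument (standing in for $SELINUX_POLICY) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list binary policies that rpm left as policy.<version>.rpmnew.
# The directory argument stands in for the page's $SELINUX_POLICY.

# pending_policies DIR -> one line per pending file: "<version> <state>"
#   new        no active policy.<version> exists yet
#   differs    active policy.<version> exists with different content
#   identical  active policy.<version> already has the same content
pending_policies() {
    dir=$1
    for new in "$dir"/policy.*.rpmnew; do
        [ -e "$new" ] || continue            # glob matched nothing
        active=${new%.rpmnew}
        ver=${active##*/policy.}
        case $ver in
            ''|*[!0-9]*) continue ;;         # accept numeric versions only
        esac
        if [ ! -e "$active" ]; then
            state=new
        elif cmp -s "$new" "$active"; then
            state=identical
        else
            state=differs
        fi
        printf '%s %s\n' "$ver" "$state"
    done
}

# plan DIR -> dry run: prints the commands from the note, executes nothing.
# Applies only to the unmodified-policy case; a modified policy needs the
# upgraded source package and "make load" instead.
plan() {
    pending_policies "$1" | while read -r ver state; do
        if [ "$state" = identical ]; then
            echo "# policy.$ver.rpmnew equals policy.$ver, nothing to do"
        else
            echo "mv $1/policy.$ver.rpmnew $1/policy.$ver"
            echo "touch /.autorelabel   # then reboot"
        fi
    done
}

# Demo on a constructed directory, not a real policy store.
demo=$(mktemp -d)
printf 'old' > "$demo/policy.18"
printf 'new' > "$demo/policy.18.rpmnew"
plan "$demo"
rm -rf "$demo"
```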
3.1. What is the Targeted Policy?
The SELinux policy is highly configurable. For Red Hat Enterprise Linux 4, Red Hat supports a
single policy, the targeted policy. Under the targeted policy, every subject and object runs in the
unconfined_t domain except for the specific targeted daemons. The objects on the system that are
in the unconfined_t domain are allowed by SELinux to have no restrictions and fall back to using
standard Linux security, that is, DAC. This policy is flexible enough to fit into enterprise
infrastructures. The daemons that are part of the targeted policy run in their own domains and are restricted
in every operation they perform on the system. This way daemons that are broken or exploited are
limited in the damage they can do.
The opposite of the targeted policy is the strict policy. This does not ship with Red Hat Enterprise
Linux. In the strict policy, every subject and object is in a specific security domain, with all
interactions and transitions individually considered within the policy rules. This is a much more complex
environment.
This guide focuses on the targeted policy that comes with Red Hat Enterprise Linux, and the
components of SELinux used by the targeted daemons.
The targeted daemons are:





