https://drive.google.com/file/d/1Lk8lxMHyrVte8bOhZvnt3jigL9obMlKA/view?usp=sharing

1. Understanding Targeted Policy

Core Concept

The targeted policy (the default on RHEL, Fedora and CentOS) confines a specific set of daemons, the "targets", and leaves every other process in an unconfined domain.

How It Works

Process type                        Domain                                  Access control
Network-facing services             Confined (httpd_t, sshd_t, ...)         Type enforcement: only the rules written for that domain, on top of DAC
(httpd, sshd, ...)
Logged-in users and their shells    Unconfined (unconfined_t)               Effectively DAC only (mode bits, ACLs); the unconfined domains are allowed almost everything
Services with no policy module      Unconfined (unconfined_service_t,       Effectively DAC only
                                    assigned by systemd)

💡 Key Insight:

Targeted policy confines only the high-risk, network-facing processes it has rules for. Everything else runs unconfined and behaves like traditional Linux: a user's shell, scripts and cron jobs are governed by file permissions alone.


2. Confined Processes: Web Server Example

Setup & Breakage

# Install and start Apache
sudo dnf install httpd -y
sudo systemctl enable --now httpd

# Create test page
echo "Hello" | sudo tee /var/www/html/index.html

# Allow through firewall
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload

# Test (works)
curl localhost

Break with Wrong Context

# Relabel the file with the Samba share type. chcon changes only the label stored on the
# inode; the policy's file-context database still says this path should be httpd_sys_content_t.
sudo chcon -t samba_share_t /var/www/html/index.html
ls -Z /var/www/html/index.html  # Now samba_share_t

# Apache can no longer read the file. A restart is not required (SELinux checks every open()),
# but it does no harm if you want to rule out caching.
sudo systemctl restart httpd
curl localhost  # 403 Forbidden; httpd's error_log says "Permission denied" and audit.log records an AVC denial

Diagnose & Fix

# Check denials. ausearch pulls the AVC records by type and time; audit2why explains why each was denied.
# (Plain grep works too, but grep before tail, or a denial that is not in the last 10 lines is missed.)
sudo ausearch -m AVC -ts recent
sudo ausearch -m AVC -ts recent | audit2why
sudo grep 'type=AVC' /var/log/audit/audit.log | tail

# Confirm it is SELinux and not DAC by switching to permissive mode (denials are logged but allowed).
# Do this only briefly on a test box. On a real host make just this one domain permissive instead:
#   sudo semanage permissive -a httpd_t      (undo with: sudo semanage permissive -d httpd_t)
sudo setenforce 0
curl localhost  # Now works!
sudo setenforce 1

# Proper fix: restore the default label from the file-context database
matchpathcon /var/www/html/index.html       # shows the expected type: httpd_sys_content_t
sudo restorecon -v /var/www/html/index.html
curl localhost  # Works with SELinux enforcing!

🔍 Why this happens:

The policy grants httpd_t read access to files labelled httpd_sys_content_t (and the other httpd_* content types). No rule allows httpd_t to read samba_share_t, so the kernel denies the open() and logs an AVC record. DAC is not involved: the file is still world-readable, which is why permissive mode "fixes" it. restorecon works because the file-context database maps /var/www(/.*)? to httpd_sys_content_t (check with matchpathcon, or semanage fcontext -l | grep '^/var/www').
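As an added example (not part of the original page), the following POSIX shell script automates the two checks this section and the table in section 1 call for: listing which processes are running in an unconfined domain, and summarising AVC denials and proposing the label fix. The function names (unconfined_procs, avc_field, summarise_avc, suggest_fix) and all sample ps -eZ and audit.log lines are constructed for illustration; the suggested fixes follow this page's advice of restoring the default label rather than loosening policy.

```shell
#!/bin/sh
# Added example: SELinux triage helpers for the targeted-policy walkthrough.
# Not from the original page; function names and sample data are invented.

# --- Constructed sample data (made-up PIDs, inodes and timestamps) ----------

# Lines in the shape of `ps -eZ` output on a targeted-policy host.
SAMPLE_PS='LABEL                                     PID TTY      TIME CMD
system_u:system_r:init_t:s0                 1 ?    00:00:02 systemd
system_u:system_r:sshd_t:s0               890 ?    00:00:00 sshd
system_u:system_r:httpd_t:s0             1234 ?    00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1500 ?  00:00:00 myapp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash'

# Records in the shape of /var/log/audit/audit.log after the chcon above.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.124:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=0'

# --- Section 1 check: which processes are unconfined? -----------------------
# Reads `ps -eZ` output on stdin, prints "PID CMD DOMAIN" for every process whose
# type is unconfined_t (user sessions) or unconfined_service_t (a systemd service
# with no policy module). The header line has no context and is skipped.
unconfined_procs() {
  awk '{
    split($1, ctx, ":")                 # user:role:type:range
    if (ctx[3] ~ /^unconfined(_service)?_t$/) print $2, $NF, ctx[3]
  }'
}

# --- Section 2 check: summarise AVC denials -------------------------------
# avc_field KEY RECORD: value of key=value or key="value" in one audit record.
avc_field() {
  printf '%s\n' "$2" | sed -n 's/.*[[:space:]]'"$1"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# Reads audit.log (or raw `ausearch -m AVC` output) on stdin and prints one line
# per AVC record: "<perm> <source domain> -> <target type> (<class>) comm=... obj=..."
# Uses path= when the kernel logged it, otherwise the bare name=.
summarise_avc() {
  grep '^type=AVC ' | while IFS= read -r rec; do
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//')
    src=$(avc_field scontext "$rec" | cut -d: -f3)
    tgt=$(avc_field tcontext "$rec" | cut -d: -f3)
    cls=$(avc_field tclass "$rec")
    comm=$(avc_field comm "$rec")
    obj=$(avc_field path "$rec")
    [ -n "$obj" ] || obj=$(avc_field name "$rec")
    printf '%s %s -> %s (%s) comm=%s obj=%s\n' "$perm" "$src" "$tgt" "$cls" "$comm" "$obj"
  done
}

# suggest_fix SOURCE_DOMAIN TARGET_TYPE CLASS OBJECT
# Proposes the label fix for an httpd_t file denial: if the file already carries
# an httpd-readable type the problem is elsewhere (DAC or a boolean); otherwise
# restore the default label. Anything else is left to audit2why.
suggest_fix() {
  src=$1 tgt=$2 cls=$3 obj=$4
  case "$src:$cls" in
    httpd_t:file|httpd_t:dir|httpd_t:lnk_file)
      case "$tgt" in
        httpd_*_content_t|httpd_sys_script_exec_t|public_content_t|public_content_rw_t)
          echo "label $tgt is already readable by httpd_t; check DAC (ls -l '$obj') and booleans (getsebool -a | grep httpd)" ;;
        *)
          case "$obj" in
            /*) echo "restorecon -v '$obj'   # expected an httpd_* content type, got $tgt" ;;
            *)  echo "only the basename '$obj' was logged; locate it with find -inum <ino from the record>, then restorecon -v it" ;;
          esac ;;
      esac ;;
    *) echo "no canned fix for $src on $cls; run: ausearch -m AVC -ts recent | audit2why" ;;
  esac
}

# Stand-alone run over the constructed data.
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
suggest_fix httpd_t samba_share_t file /var/www/html/index.html
```

On a real host feed the functions live data instead of the samples: `ps -eZ | unconfined_procs` lists every service systemd started without a policy module (worth reviewing on an internet-facing box), and `sudo ausearch -m AVC -ts recent | summarise_avc` works because ausearch's raw output keeps the `type=AVC msg=audit(...)` lines the parser keys on.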


3. Unconfined Processes