A good estimate of the number of different confined processes is to count the number of types with the domain attribute.
seinfo -adomain -x | tail -n +2 | wc -l
707
Note: I am removing the first line because it lists the attribute name.
Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain_type attribute.
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
61
| sosreport_t | bootloader_t | devicekit_power_t | nova_api_t |
| nova_network_t | dirsrvadmin_unconfined_script_t | nova_objectstore_t | certmonger_unconfined_t |
| unconfined_cronjob_t | abrt_handle_event_t | setfiles_mac_t | initrc_t |
| fsadm_t | lvm_t | mdadm_t | rpm_t |
| wine_t | nova_vncproxy_t | unconfined_dbusd_t | nova_volume_t |
| nova_scheduler_t | prelink_t | anaconda_t | boinc_project_t |
| nova_ajax_t | rpm_script_t | system_cronjob_t | openshift_initrc_t |
| samba_unconfined_net_t | kdumpctl_t | devicekit_disk_t | firstboot_t |
| samba_unconfined_script_t | nagios_eventhandler_plugin_t | httpd_unconfined_script_t | depmod_t |
| insmod_t | kernel_t | livecd_t | puppet_t |
| tomcat_t | apmd_t | clvmd_t | crond_t |
| inetd_t | init_t | udev_t | virtd_t |
| nagios_unconfined_plugin_t | rgmanager_t | devicekit_t | inetd_child_t |
| nova_direct_t | semanage_t | sge_shepherd_t | xdm_unconfined_t |
| unconfined_t | abrt_watch_log_t | sge_job_t | xserver_t |
If you disable the unconfined policy module, which I recommend, this leaves only the user domains unconfined, along with a few domains that do not make sense to confine (anaconda, firstboot, kernel, rpm).
# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14
| rpm_t | anaconda_t | rpm_script_t | openshift_initrc_t |
| firstboot_t | kernel_t | livecd_t | unconfined_t |
You can also disable the unconfined user domains by disabling the unconfineduser module:
# semodule -d unconfineduser
Note: You need to set up all your users as confined users before removing the unconfineduser module, or they will not be able to log in to a domain.
Disabling the unconfined and unconfineduser policy modules is the equivalent of what we used to call the strict policy.
Another interesting category is permissive domains: processes that run in them are checked against policy, but denials are only logged, not enforced. Permissive domains can be listed with the --permissive option.
# seinfo --permissive -x | tail -n +3 | wc -l
31
| phpfpm_t | virt_qemu_ga_t | pkcsslotd_t | realmd_t |
| mandb_t | rngd_t | slpd_t | glusterd_t |
| stapserver_t | sensord_t |
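Before disabling the unconfined or unconfineduser module, it is worth knowing which processes on the box are actually running in an unconfined or permissive domain, since those are the ones whose behaviour changes. The script below is an added example, not code from the original post: it parses the output of `seinfo -aunconfined_domain_type -x`, `seinfo --permissive -x` and `ps -eZ`, and reports every running process whose domain type appears in either list. The sample outputs embedded in it are constructed so that it runs offline; the exact seinfo header layout is an assumption, and the parser only relies on header lines either naming the attribute or containing a colon (such as "Permissive Types: N"), which is more robust than the `tail -n +2` / `tail -n +3` used above.

```python
"""Report running processes in unconfined or permissive SELinux domains.

Added example, not part of the original post. Sample outputs below are
constructed for offline use; when seinfo and ps exist, the live output is
used instead.
"""
import shutil
import subprocess

# Constructed sample of `seinfo -aunconfined_domain_type -x` output: the
# attribute name on the first line, then one type per line (layout assumed).
SAMPLE_UNCONFINED = """\
   unconfined_domain_type
      unconfined_t
      kernel_t
      rpm_t
      crond_t
      init_t
"""

# Constructed sample of `seinfo --permissive -x` output. A header line such
# as "Permissive Types: N" is assumed; anything containing ':' is dropped.
SAMPLE_PERMISSIVE = """\
Permissive Types: 2
   phpfpm_t
   rngd_t
"""

# Constructed sample of `ps -eZ` output (label, pid, tty, time, command).
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:crond_t:s0-s0:c0.c1023 812 ? 00:00:00 crond
system_u:system_r:httpd_t:s0      900 ?        00:00:00 httpd
system_u:system_r:phpfpm_t:s0     905 ?        00:00:00 php-fpm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash
"""


def parse_seinfo_types(text, attribute=None):
    """Return the set of type names in `seinfo ... -x` output.

    Header lines are dropped by content rather than by position: a line that
    is just the attribute name we asked for, or any line containing ':'.
    Only one-token lines are accepted as type names.
    """
    types = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 1 or ":" in line:
            continue
        if tokens[0] == attribute:
            continue
        types.add(tokens[0])
    return types


def parse_ps_contexts(text):
    """Return a list of (pid, domain_type, command) from `ps -eZ` output."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] == "LABEL":
            continue
        context = tokens[0].split(":")
        if len(context) < 3:
            continue  # no SELinux context (ps prints '-' when SELinux is off)
        rows.append((int(tokens[1]), context[2], tokens[-1]))
    return rows


def audit(ps_text, unconfined, permissive):
    """Return (pid, command, domain, reason) for each process in a domain
    that is unconfined or permissive; unconfined takes precedence."""
    findings = []
    for pid, domain, cmd in parse_ps_contexts(ps_text):
        if domain in unconfined:
            findings.append((pid, cmd, domain, "unconfined"))
        elif domain in permissive:
            findings.append((pid, cmd, domain, "permissive"))
    return findings


def run(cmd, fallback):
    """Run a command if it is installed, otherwise use the constructed sample."""
    if shutil.which(cmd[0]) is None:
        return fallback
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    unconfined = parse_seinfo_types(
        run(["seinfo", "-aunconfined_domain_type", "-x"], SAMPLE_UNCONFINED),
        attribute="unconfined_domain_type")
    permissive = parse_seinfo_types(
        run(["seinfo", "--permissive", "-x"], SAMPLE_PERMISSIVE))
    ps = run(["ps", "-eZ"], SAMPLE_PS)
    for pid, cmd, domain, reason in audit(ps, unconfined, permissive):
        print(f"{pid:>6} {cmd:<12} {domain:<20} {reason}")
```

Run it once before `semodule -d unconfined`, then again afterwards: anything that was reported as unconfined and is not in the short list that stays unconfined (rpm, anaconda, kernel, firstboot and friends) now runs confined, and its AVC denials are the first thing to look at.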
A couple of other interesting statistics.
Total number of file types.
seinfo -afile_type -x | tail -n +2 | wc -l
2375
In order to get the number of allow rules, you need to use sesearch rather than seinfo.
sesearch --allow | wc -l
81736
Total number of dontaudit rules.
sesearch --dontaudit | wc -l
6532