By default in an SELinux Targeted system there are lots of other unconfined domains. We have these so that users can run programs/services without SELinux interfering if SELinux does not know about them. You can list the unconfined domains on your system using the following command.
seinfo -aunconfined_domain_type -x
In RHEL6 and older versions of Fedora, we used to run system services as initrc_t by default, unless someone had written a policy for them. initrc_t is an unconfined domain by default, unless you disable the unconfined.pp module. Running unknown services as initrc_t allows administrators to run an application service even if no policy has ever been written for it.
In RHEL6 we have these rules:
init_t @initrc_exec_t -> initrc_t
If an administrator added an executable service to /usr/sbin or /usr/bin, the init system would run the service as initrc_t.
We found this to be problematic, though.
The problem was that we have lots of transition rules out of initrc_t. If a program we did not know about was running as initrc_t and executed a program like rsync to copy data between servers, SELinux would transition the program to rsync_t and it would blow up. SELinux mistakenly would think that rsync was set up in server mode, not client mode. Other transition rules could also cause breakage.
We decided we needed a new unconfined domain to run services in, one with no transition rules out of it. We introduced the unconfined_service_t domain. Now we have:
init_t @bin_t -> unconfined_service_t
A process running as unconfined_service_t is allowed to execute any confined program, but stays in the unconfined_service_t domain. SELinux will not block any access. This means that by default, if you install a service that has no policy written for it, it should work without SELinux getting in the way.
Sometimes applications are installed in fairly random directories under /usr or /opt (or, in Oracle's case, /u01), which end up with the label usr_t, so we added these transition rules to policy as well. You can list them with:
# sesearch -T -s init_t | grep unconfined_service_t
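To check which domain init will start a given service in before you deploy it, the useful question is: what is the file type of the executable, and does init_t have a type_transition rule for that type? The script below is an added example, not code from the original post; it parses the output format of `sesearch -T` and reports the resulting domain. The rule lines embedded in SAMPLE_RULES are constructed to match the rules described above (plus an httpd_exec_t line to show a confined case); on a real system you would feed it live `sesearch -T -s init_t` output and the type from `matchpathcon`, as shown in the trailing comment.

```shell
#!/bin/sh
# Added example: given domain-transition rules in the format printed by
# `sesearch -T -s init_t`, report which domain init would run a service in,
# based on the SELinux type of the service's executable.

# Constructed sample of `sesearch -T -s init_t` output (setools 4 formatting).
SAMPLE_RULES='type_transition init_t initrc_exec_t:process initrc_t;
type_transition init_t bin_t:process unconfined_service_t;
type_transition init_t usr_t:process unconfined_service_t;
type_transition init_t httpd_exec_t:process httpd_t;'

# transition_for SOURCE TARGET: read type_transition rules from stdin and print
# the resulting process domain, or "none" if no rule matches.
# Tolerates both "bin_t:process" (setools 4) and "bin_t : process" (setools 3).
transition_for() {
    src="$1"; tgt="$2"
    awk -v src="$src" -v tgt="$tgt" '
        /^type_transition/ {
            line = $0
            sub(/;$/, "", line)
            gsub(/ *: */, ":", line)   # normalise "tgt : process" to "tgt:process"
            n = split(line, f, " ")
            # f[2]=source domain, f[3]=target_type:class, f[4]=resulting domain
            split(f[3], tc, ":")
            if (f[2] == src && tc[1] == tgt && tc[2] == "process") {
                print f[4]; found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# classify DOMAIN: describe what running a service in that domain means.
classify() {
    case "$1" in
        unconfined_service_t) echo "unconfined, no further transitions on exec" ;;
        initrc_t)             echo "unconfined, but transitions on exec (e.g. to rsync_t)" ;;
        none)                 echo "no transition rule: service would stay in init_t" ;;
        *)                    echo "confined domain $1" ;;
    esac
}

# service_domain FILE_TYPE: the domain init would start a binary of that label in,
# according to the constructed SAMPLE_RULES.
service_domain() {
    printf '%s\n' "$SAMPLE_RULES" | transition_for init_t "$1"
}

# On a live system, use the real policy and the real file label instead:
#   ftype=$(matchpathcon -n /opt/myapp/bin/myapp | cut -d: -f3)
#   sesearch -T -s init_t | transition_for init_t "$ftype"
for t in bin_t usr_t initrc_exec_t httpd_exec_t var_t; do
    d=$(service_domain "$t")
    echo "$t -> $d ($(classify "$d"))"
done
```

A result of unconfined_service_t means the service will run unconfined and stay there across any exec; initrc_t means it runs unconfined but may be moved into a confined domain the moment it executes something like rsync, which is exactly the breakage described above.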
Hopefully unconfined_service_t will make leaving SELinux enabled easier on systems that have to run third party services, and protect the other services that run on your system.
Thanks to Simon Sekidde and Miroslav Grepl for helping to write this blog.