WEBVTT

00:00.420 --> 00:02.430
Welcome back.

00:02.430 --> 00:07.710
At this point we've seen the various parts of a security context.

00:07.710 --> 00:09.810
So we have the user, we have the role.

00:09.810 --> 00:12.520
We have the level and also the type.

00:12.540 --> 00:22.980
We also already know that the targeted policy uses this field for type enforcement. As the name suggests,

00:24.030 --> 00:28.120
only certain processes and daemons get targeted.

00:28.260 --> 00:32.250
Everything else runs unconfined.

00:32.250 --> 00:41.850
The idea behind the targeted policy is to lock down the most vulnerable processes, which are the network-

00:41.910 --> 00:46.430
facing processes and processes that start.

00:46.470 --> 00:54.690
But this is actually a good approach to a large task: securing the most vulnerable parts of the system

00:55.650 --> 01:04.590
while leaving everything else to run unconfined. In the olden days only a few processes and daemons ever

01:04.590 --> 01:07.950
got targeted. These days,

01:07.980 --> 01:16.650
just about every network-facing and startup process gets confined. This means user processes are not

01:16.650 --> 01:26.790
targeted; they run in the unconfined_t domain. This domain is actually not the only unconfined domain

01:26.880 --> 01:28.890
on the system.

01:29.010 --> 01:37.740
For example, if I want to list out all the unconfined domains in my current policy, I can go out and

01:37.740 --> 01:46.410
say seinfo -a unconfined_domain_type -x. Let's do a quick word count.

01:49.750 --> 01:52.280
So there's over 80 of them.

01:52.330 --> 02:00.280
Basically, the targeted policy restricts the most obvious, the most likely, the most vulnerable processes.

02:00.850 --> 02:09.070
Over time more and more processes are included in the targeted list. So targeted processes run in confined

02:09.160 --> 02:17.020
domains, and unconfined processes are subject only to discretionary access controls.