What’s New in Fedora Core 3 SE Linux
Have you heard the news? Security Enhanced Linux in Fedora Core 3 has been updated. That's right: the update brings a couple of changes, such as SE Linux now being left on by default, with the option to turn it off. In SE Linux 2, it was off by default.
The base directory has also changed. In SE 2 it was /etc/security/selinux; it is now /etc/selinux instead. As I understand it, there are a few different reasons for the directory change, and the article at Linux Journal does a great job of explaining those details.
Strict policy applies the SE Linux MAC controls to all processes. The unconfined_t domain is not used by default in the strict policy: there is a domain for each daemon and restricted domains for user logins. Under the targeted policy, no restrictions exist for user login domains. The strict policy is not installed by default because it is more difficult to administer. Strict policy is more secure than targeted because the SE Linux MAC controls are applied to all processes, apart from a small number of important system processes (init scripts, insmod, hotplug, firstboot, RPM and anaconda), whereas under the targeted policy they are applied only to a small selection of important daemons. There is clearly a tradeoff here between usability and security. If you run the strict policy, you are more likely to have to edit policy manually, because the controls are tighter: chances are, an operation you want to perform will not be allowed, and you will have to make local customizations.
You can switch from targeted to strict policy and vice versa, but you should first test this on a non-production system. If you change from targeted to strict policy on a production system, you will probably find that some things you want to do are not allowed, requiring manual modifications to the system policy. If you are not confident troubleshooting and solving SE Linux policy-related issues, it is advisable to run the targeted policy. Switching from strict to targeted policy should not result in any major glitches.
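Both the new /etc/selinux base directory and the choice between the targeted and strict policies are driven by one file, /etc/selinux/config, whose SELINUX= line selects the mode (enforcing, permissive or disabled) and whose SELINUXTYPE= line selects the policy. The following POSIX shell script is an added example, not code from the original post or from the Fedora project; it works on a constructed copy of that config rather than the live system, reads both settings, derives the policy directory (/etc/selinux/<type>), and rewrites the policy type while rejecting anything other than targeted or strict. The helper names (selinux_cfg_get and friends) are this example's own.

```shell
#!/bin/sh
# Inspect and rewrite a Fedora Core 3 style /etc/selinux/config.
# SAMPLE_CONFIG is constructed inline so the script runs without touching
# the real system; point a caller at "$(cat /etc/selinux/config)" to use it live.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= type of policy in use: targeted or strict
SELINUXTYPE=targeted
'

# selinux_cfg_get KEY CONFIG_TEXT
# Prints the value of KEY; comment lines are ignored and the last
# assignment wins, which matches how the file is read at boot.
selinux_cfg_get() {
    key="$1"
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*${key}=\([[:alnum:]_]*\).*/\1/p" \
        | tail -n 1
}

# selinux_mode CONFIG_TEXT  ->  enforcing | permissive | disabled
selinux_mode() {
    mode=$(selinux_cfg_get SELINUX "$1")
    [ -n "$mode" ] || mode=enforcing
    printf '%s\n' "$mode"
}

# selinux_policy_dir CONFIG_TEXT
# Derives the directory holding the active policy under the new FC3 base
# directory, /etc/selinux/<type>; targeted is the installed default.
selinux_policy_dir() {
    type=$(selinux_cfg_get SELINUXTYPE "$1")
    [ -n "$type" ] || type=targeted
    printf '/etc/selinux/%s\n' "$type"
}

# selinux_set_type NEWTYPE CONFIG_TEXT
# Prints the config with SELINUXTYPE replaced. Only the two policy types
# that ship with FC3 are accepted; a typo here would leave the machine
# without a loadable policy at next boot, so fail loudly instead.
selinux_set_type() {
    newtype="$1"
    cfg="$2"
    case "$newtype" in
        targeted|strict) ;;
        *) echo "selinux_set_type: unknown policy type '$newtype'" >&2; return 1 ;;
    esac
    printf '%s\n' "$cfg" \
        | sed "s/^[[:space:]]*SELINUXTYPE=.*/SELINUXTYPE=${newtype}/"
}

# Stand-alone demonstration on the constructed config.
echo "mode:       $(selinux_mode "$SAMPLE_CONFIG")"
echo "policy dir: $(selinux_policy_dir "$SAMPLE_CONFIG")"
echo "--- after switching to strict ---"
selinux_set_type strict "$SAMPLE_CONFIG" | grep '^SELINUX'
```

Changing SELINUXTYPE on its own is not the whole job: file contexts differ between the targeted and strict policies, so after editing the real config the filesystem has to be relabelled at the next boot (for example by creating /.autorelabel), and the post's advice to try this on a non-production machine first applies doubly.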
