Description of problem:
It seems the tomcat_t domain is in unconfined_domain, so any process running in the tomcat_t domain can access any file. Maybe there is a bug in the policy file.

Version-Release number of selected component (if applicable):
Policy Version 30.

[root@fedora25 ~]# seinfo
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.30 (binary, mls)

   Classes:            94    Permissions:       257
   Sensitivities:       1    Categories:       1024
   Types:            4811    Attributes:        272
   Users:               8    Roles:              14
   Booleans:          306    Cond. Expr.:       355
   Allow:          102781    Neverallow:          0
   Auditallow:        158    Dontaudit:        8907
   Type_trans:      18033    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        421    Range_trans:      5753
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          107    Portcon:           601
   Netifcon:            0    Nodecon:             0
   Permissives:         1    Polcap:              2

How reproducible:

Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:
[root@fedora25 ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;

[root@fedora25 ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_read_shadow_passwords
      can_write_shadow_passwords
      can_relabelto_shadow_passwords
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type

Expected results:
The tomcat_t domain should not have unconfined_domain_type.

Additional info:
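A check for this condition, as an added example that is not part of the report and not setools code: a script that parses the text of "seinfo -t<TYPE> -x" and flags the attributes that make a domain effectively unconfined. The marker names are the ones visible in the report's own seinfo output; the first sample is that output, the second "confined" sample and the seinfo_output helper are assumptions made for the example, and the parser assumes the setools 3 layout quoted in the report (it also tolerates a leading "Types: N" line, which is an assumption about newer setools output).

```python
"""Flag SELinux domains that carry unconfined attributes.

Added example, not part of this bug report or of setools. Parses the text
layout of `seinfo -t<TYPE> -x` (type name on the first line, one attribute
per indented line) and lists which unconfined-style attributes are present.
"""
import shutil
import subprocess

# Attributes that, on their own, grant a domain access a confined daemon must
# not have. Names taken from the report's `seinfo -ttomcat_t -x` output.
UNCONFINED_MARKERS = frozenset({
    "unconfined_domain_type", "files_unconfined_type",
    "filesystem_unconfined_type", "devices_unconfined_type",
    "selinux_unconfined_type", "kern_unconfined",
    "corenet_unconfined_type", "storage_unconfined_type",
    "dbusd_unconfined", "xserver_unconfined_type",
    "sepgsql_unconfined_type", "process_uncond_exempt",
    "can_load_policy", "can_setenforce", "can_setbool",
    "can_load_kernmodule", "can_read_shadow_passwords",
    "can_write_shadow_passwords",
})

# Constructed sample: the seinfo output quoted in the report (28 attributes).
SAMPLE_TOMCAT = """tomcat_t
   can_read_shadow_passwords
   can_write_shadow_passwords
   can_relabelto_shadow_passwords
   can_change_object_identity
   can_load_kernmodule
   can_load_policy
   can_setbool
   can_setenforce
   corenet_unconfined_type
   corenet_unlabeled_type
   devices_unconfined_type
   domain
   files_unconfined_type
   filesystem_unconfined_type
   kern_unconfined
   kernel_system_state_reader
   process_uncond_exempt
   selinux_unconfined_type
   storage_unconfined_type
   unconfined_domain_type
   dbusd_unconfined
   daemon
   syslog_client_type
   sepgsql_unconfined_type
   tomcat_domain
   userdom_filetrans_type
   x_domain
   xserver_unconfined_type
"""

# Constructed (hypothetical) sample of a tomcat_t with no unconfined markers;
# not taken from any real policy, used only to show the passing branch.
SAMPLE_CONFINED = """tomcat_t
   domain
   daemon
   syslog_client_type
   tomcat_domain
"""


def parse_seinfo_x(text):
    """Return (type_name, set_of_attributes) from `seinfo -t<TYPE> -x` text."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    # Assumption: newer setools may prefix the listing with a "Types: N" line.
    if lines and lines[0].startswith("Types:"):
        lines = lines[1:]
    if not lines:
        raise ValueError("empty seinfo output")
    return lines[0], set(lines[1:])


def audit_domain(text):
    """Summarise whether the domain described by `text` is effectively unconfined."""
    name, attrs = parse_seinfo_x(text)
    hits = sorted(attrs & UNCONFINED_MARKERS)
    return {
        "type": name,
        "attribute_count": len(attrs),
        "unconfined_markers": hits,
        "confined": not hits,
    }


def seinfo_output(type_name):
    """Live output for the running policy, or None if setools is not installed."""
    if shutil.which("seinfo") is None:
        return None
    proc = subprocess.run(["seinfo", "-t" + type_name, "-x"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def format_report(report):
    """One-line verdict followed by the offending attributes, if any."""
    status = "UNCONFINED" if not report["confined"] else "OK (no unconfined markers)"
    lines = [f"{report['type']}: {status}, {report['attribute_count']} attributes"]
    lines.extend("   " + marker for marker in report["unconfined_markers"])
    return "\n".join(lines)


if __name__ == "__main__":
    # The live check only runs where seinfo exists; the samples always run.
    for text in (seinfo_output("tomcat_t"), SAMPLE_TOMCAT, SAMPLE_CONFINED):
        if text:
            print(format_report(audit_domain(text)))
```

Run against the report's output the script reports tomcat_t as UNCONFINED with all 18 marker attributes present; the shadow_t read in the sesearch result is explained by files_unconfined_type alone, so fixing only unconfined_domain_type would not be enough.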