Domain and Type Enforcement (DTE) is a kind of Mandatory Access Control (MAC). Under a DTE, all processes are labeled with a domain, and all non-process resources (like files) are labeled with a type. If one process creates another process, the domain of the new process is set according to the domain of the old process and the new program being executed. For each combination of domain and type, there is a list of allowed and disallowed options.

As a concrete example, say that the the process which starts all others is in the domain INIT_DOMAIN. The init process then creates the web server process, which gets the domain WEB_DOMAIN. Among all the different types, the web server interacts with HTML and image files of type HTML_TYPE and CGI application files of type CGI_TYPE. The combination WEB_DOMAIN/HTML_TYPE only allows for read access, and the combination WEB_DOMAIN/CGI_TYPE only allows for process creation access; WEB_DOMAIN combined with anything other type gives no access whatsoever. So if an attacker gain control of the web server, he can't modify any of the HTML files (read access only), and he can't modify any of the CGI programs to do anything else (execute access only), or even read the CGI programs to try and find weaknesses in them (no read access).

The example above follows the principle of least privilege: you give each process only the amount of privileges that it needs to do it's job, and no more; this minimizes the amount of damage any one part of the system can cause if it is compromised in an attack. If a computer with DTE is configured with least privilege in mind, then it becomes very difficult for any attack to get very far into the system.

Examples of systems implementing DTE are FreeDTE (DTE on FreeBSD), SAIC DTE, and the NSA's Security Enhanced Linux (selinux), though selinux isn't strictly DTE.

The source for this writeup was the SAIC DTE site, at

Log in or register to write something here or to contact authors.