Separating Processes

To protect processes in one domain from interference by processes in another domain, the example policy configuration restricts process interactions. The ability to access the /proc entries for processes in other domains is only granted to certain privileged domains such as the domain for system administrators. This is shown by the following excerpt:

allow sysadm_t domain:dir { read search };
allow sysadm_t domain:{ file lnk_file } read;

The /proc entries for each process are labeled with the domain of the process. These two statements grant the sysadm_t domain permission to access the /proc entries for all domains. Most domains are only allowed to access the entries for processes in the same domain.

Similarly, the ability to trace other processes or send signals to other processes is typically limited to processes in the same domain, except for sending SIGCHLD to notify the parent of the completion of the child. The following excerpt shows a case where processes in different domains are allowed to send signals to each other:

allow user_t user_netscape_t:process 
      { sigkill sigstop signal };
allow user_netscape_t user_t:process sigchld;

The first statement allows an ordinary user to send arbitrary signals to his netscape process. The second statement allows the netscape process to send SIGCHLD to the ordinary user process so that it can be reaped when it exits. Since there are no statements allowing an ordinary user process to send signals to an administrator process or to system processes, an ordinary user cannot interfere with these other processes. Likewise, since there are no statements allowing the user's browser to send any signal other than SIGCHLD to other user processes, malicious mobile code executed by the browser cannot kill the user's other processes.

Since many processes use temporary files, the configuration must ensure that processes in different domains cannot interfere with one another by accessing each other's temporary files. The configuration achieves this goal by defining a derived type for temporary files created by each domain and limiting access to that type to the corresponding domain. If a domain requires access to a temporary file created by another domain, then it can be granted permission to that type on a case-by-case basis. The following excerpt shows a portion of the configuration for the temporary file type defined for the ordinary user domain:

allow user_t tmp_t:dir 
      { read search add_name remove_name };
allow user_t user_tmp_t:file 
      { create read write unlink };
type_transition user_t tmp_t:file user_tmp_t;

The first statement authorizes the ordinary user domain to create and unlink files in the /tmp directory. The individual controls over each file ensure that the domain cannot unlink files created by other domains, e.g. the administrator domain. The second statement allows the ordinary user domain to create and access files with the user_tmp_t type. The last statement causes files created by the ordinary user domain in /tmp to be automatically labeled with this type. Similar statements are defined for the administrator domain and for other domains that use temporary files, with a separate type defined for each such domain. This ensures that ordinary users cannot create and use their own temporary files but does not allow them to access the temporary files of other domains.

The configuration likewise defines different types for the home directories and terminal devices used by the different domains for users. The following excerpt shows statements granting permissions to terminal devices and home directories for the ordinary user domain:

allow user_t user_tty_device_t:chr_file { read write };
allow user_t user_devpts_t:chr_file { read write };
type_transition user_t devpts_t:file user_devpts_t;
allow user_t user_home_t:file 
      { create read write unlink };