Protecting the Administrator Domain

Because the administrator domain is highly privileged, the policy configuration must ensure that it can be entered only in a secure fashion. The example configuration allows entry only from the domains of the login program and the newrole program. The login program runs in one domain for local logins and in a different domain for remote logins, so that the configuration can deny entry to the administrator domain from remote logins, since such logins may bypass password authentication via .rhosts files. Users who are logged in remotely may still enter the administrator domain after login by running the newrole program, which authenticates the user again before changing domains. The following excerpt shows some of the relevant statements:

type_transition getty_t login_exec_t:process local_login_t;
allow local_login_t sysadm_t:process transition;
allow newrole_t sysadm_t:process transition;

The first statement causes the login program to run in the local_login_t domain when it is executed by getty. A separate statement that is not shown causes the login program to run in the remote_login_t domain instead when it is executed by rlogind. The second statement allows the local_login_t domain to transition to the administrator domain, and the third allows the newrole domain to do the same. Note that a type_transition statement only selects the default domain for the new process; the transition itself must also be permitted by allow rules (execute on the program's type for the old domain, transition to the new domain, and entrypoint on the program's type for the new domain), which this excerpt omits. No statement allows remote_login_t to transition to sysadm_t, so a remote login cannot enter the administrator domain directly.
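How the kernel decides these transitions is easier to see with a small evaluator. The following is an added example, not code from the paper or from the SELinux example policy: a Python script that parses a constructed policy excerpt (the three statements above plus the supporting allow rules, and the types rlogind_t, user_t, shell_exec_t and newrole_exec_t, all of which are assumptions labelled as such in the code) and applies the checks SELinux makes on exec: the old domain needs execute on the file type and transition to the new domain, and the new domain needs entrypoint on the file type. It also enumerates every domain that can enter sysadm_t at all, which is the question an auditor of this configuration wants answered.

```python
"""Toy evaluator for SELinux domain-transition decisions (added example)."""
import re

# Constructed policy excerpt.  The three statements marked "from text" are the
# ones quoted above; every other rule is an assumption added to complete the
# example (the paper does not show them), and rlogind_t, user_t, shell_exec_t
# and newrole_exec_t are assumed type names.
POLICY = """
type_transition getty_t login_exec_t:process local_login_t;   # from text
allow local_login_t sysadm_t:process transition;              # from text
allow newrole_t sysadm_t:process transition;                  # from text
# assumed: rules that make the getty -> login transition legal
allow getty_t login_exec_t:file execute;
allow getty_t local_login_t:process transition;
allow local_login_t login_exec_t:file entrypoint;
# assumed: remote logins; deliberately no remote_login_t -> sysadm_t rule
type_transition rlogind_t login_exec_t:process remote_login_t;
allow rlogind_t login_exec_t:file execute;
allow rlogind_t remote_login_t:process transition;
allow remote_login_t login_exec_t:file entrypoint;
allow remote_login_t user_t:process transition;
# assumed: the user's shell is the entry point into sysadm_t and user_t
allow local_login_t shell_exec_t:file execute;
allow remote_login_t shell_exec_t:file execute;
allow newrole_t shell_exec_t:file execute;
allow sysadm_t shell_exec_t:file entrypoint;
allow user_t shell_exec_t:file entrypoint;
# assumed: an ordinary user domain may run newrole
type_transition user_t newrole_exec_t:process newrole_t;
allow user_t newrole_exec_t:file execute;
allow user_t newrole_t:process transition;
allow newrole_t newrole_exec_t:file entrypoint;
"""

TT_RE = re.compile(r"type_transition (\w+) (\w+):(\w+) (\w+);")
ALLOW_RE = re.compile(r"allow (\w+) (\w+):(\w+) \{?\s*([\w ]+?)\s*\}?;")


def parse_policy(text):
    """Parse the single-type statement forms used above into
    (type_transitions[(src, target_type, class)] -> new type,
     allows[(src, target, class)] -> set of permissions)."""
    tt, allows = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if m := TT_RE.fullmatch(line):
            src, tgt, cls, new = m.groups()
            tt[(src, tgt, cls)] = new
        elif m := ALLOW_RE.fullmatch(line):
            src, tgt, cls, perms = m.groups()
            allows.setdefault((src, tgt, cls), set()).update(perms.split())
        else:
            raise ValueError("unsupported statement: " + line)
    return tt, allows


def exec_domain(policy, src, exec_type, requested=None):
    """Domain a process in `src` runs in after exec'ing a file of `exec_type`,
    or None if policy denies the exec.  `requested` models an explicit new
    context chosen by the caller (as login does for the user's shell);
    otherwise the type_transition default applies, else the domain is kept.
    Simplification: keeping the domain needs only `execute` (modern policies
    also check execute_no_trans)."""
    tt, allows = policy
    if "execute" not in allows.get((src, exec_type, "file"), ()):
        return None                                   # cannot run the file at all
    new = requested or tt.get((src, exec_type, "process"), src)
    if new == src:
        return src
    if "transition" not in allows.get((src, new, "process"), ()):
        return None                                   # src may not enter new
    if "entrypoint" not in allows.get((new, exec_type, "file"), ()):
        return None                                   # not an entry point of new
    return new


def entry_paths(policy, target):
    """Every (source domain, entrypoint type) pair that can enter `target`:
    source->target process transition, source execute on the file type, and
    target entrypoint on that type must all be allowed."""
    _, allows = policy
    sources = {s for (s, t, c), p in allows.items()
               if t == target and c == "process" and "transition" in p}
    entries = {t for (s, t, c), p in allows.items()
               if s == target and c == "file" and "entrypoint" in p}
    return {(s, e) for s in sources for e in entries
            if "execute" in allows.get((s, e, "file"), ())}


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print(exec_domain(pol, "getty_t", "login_exec_t"))                     # local_login_t
    print(exec_domain(pol, "remote_login_t", "shell_exec_t", "sysadm_t"))  # None: denied
    print(exec_domain(pol, "user_t", "newrole_exec_t"))                    # newrole_t
    print(sorted(entry_paths(pol, "sysadm_t")))  # only local_login_t and newrole_t
```

Run against the constructed excerpt, the only entry paths into sysadm_t are from local_login_t and newrole_t; remote_login_t is denied even when it explicitly requests sysadm_t for the user's shell, which is exactly the property the configuration is meant to enforce. The same three-permission check on a real policy is what the setools programs sesearch and apol perform when you ask them for domain transitions into a given domain.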

As described in the previous subsection, the example configuration also protects the administrator domain by preventing processes in other domains from interfering with it. The administrator domain is further protected against the execution of malicious code: the set of types it may execute is limited to approved types, and unsafe software such as netscape is automatically transitioned into a more restricted domain when it is run.