College of William and Mary
Domain and Type Enforcement (DTE) assigns labels called types to files and domains to processes. It controls access from domains to types and domains to other domains, regardless of the user id associated with a process. Some advantages of this include protecting user files from system administrators, protecting the system from subverted daemons running as root, and the ability to provide temporary system administrators with trusted access under a restricted domain. This project will implement Domain and Type Enforcement for Linux 2.4. An existing, working and stable implementation exists for Linux 2.3.28, which was shown to be able to thwart a popular and well-publicized root compromise attack. Future work will consist of extending DTE to accommodate new mount semantics in 2.4, further increasing performance, and creation of intuitive GUI tools for visualizing and debugging DTE policies.