Domain and Type Enforcement (DTE) is a kind of Mandatory Access
Control (MAC). Under DTE, every process is labeled with a
domain, and every non-process resource (such as a file) is labeled
with a type. If one process creates another process, the domain
of the new process is set according to the domain of the old
process and the new program being executed. For each combination
of domain and type, the policy lists which accesses are allowed
and which are disallowed.
As a concrete example, say that the process which starts all
others is in the domain INIT_DOMAIN. The init process then
creates the web server process, which gets the domain WEB_DOMAIN.
Among all the different types, the web server interacts with HTML
and image files of type HTML_TYPE and CGI application files of
type CGI_TYPE. The combination WEB_DOMAIN/HTML_TYPE only allows
for read access, and the combination WEB_DOMAIN/CGI_TYPE only
allows for process creation access; WEB_DOMAIN combined with
any other type gives no access whatsoever. So if an attacker
gains control of the web server, he can't modify any of the HTML
files (read access only), he can't modify any of the CGI
programs to do anything else (execute access only), and he can't
even read the CGI programs to try and find weaknesses in them (no
read access).
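The following is an added worked example, not code from this writeup or from any DTE implementation such as SAIC DTE or FreeDTE. It models a DTE policy as two tables (domain/type access and exec-time domain transitions), encodes the web server scenario above, and checks what a compromised WEB_DOMAIN process can and cannot do. The names WEB_SERVER_TYPE, CGI_DOMAIN and CONFIG_TYPE are assumptions; the writeup does not name them.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Access(Flag):
    """Access modes a domain may be granted on a type."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXEC = auto()


@dataclass(frozen=True)
class DTEPolicy:
    # (domain, type) -> granted access modes.  Any pair not listed is
    # denied everything: DTE is default-deny.
    access: dict
    # (parent domain, type of program executed) -> domain of the new
    # process.  Pairs not listed keep the parent's domain.
    transitions: dict

    def allowed(self, domain, ftype, want):
        """True only if every mode in `want` is granted to (domain, ftype)."""
        granted = self.access.get((domain, ftype), Access.NONE)
        return want in granted

    def exec_domain(self, parent_domain, program_type):
        """Domain a child gets when parent_domain executes a program
        labeled program_type.  Raises PermissionError if the parent
        may not execute that type at all."""
        if not self.allowed(parent_domain, program_type, Access.EXEC):
            raise PermissionError(f"{parent_domain} may not execute {program_type}")
        return self.transitions.get((parent_domain, program_type), parent_domain)


# Policy for the writeup's example.  WEB_SERVER_TYPE (label on the web
# server binary), CGI_DOMAIN (domain CGI programs run in) and CONFIG_TYPE
# are assumed names, not from the writeup.
POLICY = DTEPolicy(
    access={
        ("INIT_DOMAIN", "WEB_SERVER_TYPE"): Access.EXEC,
        ("WEB_DOMAIN", "HTML_TYPE"): Access.READ,   # read only
        ("WEB_DOMAIN", "CGI_TYPE"): Access.EXEC,    # process creation only
    },
    transitions={
        ("INIT_DOMAIN", "WEB_SERVER_TYPE"): "WEB_DOMAIN",
        ("WEB_DOMAIN", "CGI_TYPE"): "CGI_DOMAIN",
    },
)


def process_chain(policy=POLICY):
    """Follow the domain transitions init -> web server -> CGI program."""
    web = policy.exec_domain("INIT_DOMAIN", "WEB_SERVER_TYPE")
    cgi = policy.exec_domain(web, "CGI_TYPE")
    return ["INIT_DOMAIN", web, cgi]


def compromised_web_server(policy=POLICY):
    """What code running inside WEB_DOMAIN can and cannot do under the policy."""
    attempts = [
        ("HTML_TYPE", Access.READ),
        ("HTML_TYPE", Access.WRITE),
        ("CGI_TYPE", Access.EXEC),
        ("CGI_TYPE", Access.READ),
        ("CGI_TYPE", Access.WRITE),
        ("CONFIG_TYPE", Access.READ),   # type with no rule for WEB_DOMAIN
    ]
    return {(t, a.name): policy.allowed("WEB_DOMAIN", t, a) for t, a in attempts}


if __name__ == "__main__":
    print(" -> ".join(process_chain()))
    for (ftype, mode), ok in compromised_web_server().items():
        print(f"WEB_DOMAIN {mode:5} {ftype:12} {'allowed' if ok else 'DENIED'}")
```

The important property is that `allowed` looks up the (domain, type) pair and treats a missing entry as no access, so a type the policy never mentions for WEB_DOMAIN (CONFIG_TYPE here) is denied without any explicit rule; and `exec_domain` refuses the transition unless the parent holds EXEC on the program's type, so a compromised web server cannot spawn a process out of an HTML file.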
The example above follows the principle of least privilege: you
give each process only the privileges it needs to do its job,
and no more; this minimizes the amount of damage any one part of
the system can cause if it is compromised in an attack. If a
computer with DTE is configured with least privilege in mind,
then it becomes very difficult for any attack to get very far
into the system.
Examples of systems implementing DTE are FreeDTE (DTE on
FreeBSD), SAIC DTE, and the NSA's Security Enhanced Linux
(selinux), though selinux isn't strictly DTE.
The source for this writeup was the SAIC DTE site, at
http://research-cistw.saic.com/cace/dte.html