Selinux: changing root mapping

Solution 1:

You're looking in the wrong direction. It helps to thoroughly understand the difference between DAC and MAC first. The gist is that MAC enhances DAC. Meaning that Linux identities are not the same as SELinux identities, and that if something is blocked by DAC then SELinux cannot override that, but if something is allowed by DAC then SELinux can still be used to block access.

In practical terms, just because you associated the my_user Linux identity with the root SELinux identity that does not make my_user root since from a DAC perspective my_user is still my_user.

However In reverse if you associate the root Linux identity with the guest_u SELinux identity then you're limiting the power of the root login user because even though from a DAC perspective root might be powerful SELinux still has the last say in the matter and the guest_u SELinux user was designed to be associated with guest login users (ie very little permissions from a MAC perspective)

So DAC is checked first and then after that MAC is checked. MAC cannot allow something that DAC blocks but MAC can block something that DAC allows.

As for prevention a root owned process access to signal other processes. It is not something I can run-down here in a few sentences but the gist is that security attributes are associated with processes, rules are associated with security attributes and all access is denied by default. So you have to associate a "label" with your processes and then use those labels and the available SELinux access vectors to govern how processes with given labels can interact or operate.