Using fine-grained application domain definitions
The templates introduced earlier in this chapter are a first step towards more fine-grained application domain definitions. Instead of running a workload inside the same domain as the main application, specific types are created to optimize the interaction between one domain and another, ensuring that the permissions granted to a particular domain remain small and manageable.
Fine-grained application domains go a step further: processes belonging to the same application run inside their own specific domains. This is not always possible (not all applications use multiple, distinct processes), but when it is, fine-grained domains provide an even more secure environment, in which each task runs with just the permissions that task needs, even though the application as a whole needs more.
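As an added illustration (not code from this book or from the reference policy), the following minimal SELinux policy module splits a hypothetical two-process daemon, myapp, into a master domain and a worker domain; all type and domain names are invented. It assumes the reference policy macros and that the master forks the worker after accepting a connection, so the worker that parses client input never needs to bind a port or read the master's spool files.

```selinux
policy_module(myapp, 1.0.0)

########################################
# Declarations: one domain per process role (hypothetical names)

# Master process: started by init, listens, then forks the worker
type myapp_master_t;
type myapp_master_exec_t;
init_daemon_domain(myapp_master_t, myapp_master_exec_t)

# Worker process: handles untrusted client input in its own domain
type myapp_worker_t;
type myapp_worker_exec_t;
domain_type(myapp_worker_t)
domain_entry_file(myapp_worker_t, myapp_worker_exec_t)

# Spool files: written by the worker, only read by the master
type myapp_spool_t;
files_type(myapp_spool_t)

########################################
# Master domain: binds the port and spawns workers, nothing more

corenet_tcp_bind_generic_node(myapp_master_t)
corenet_tcp_bind_smtp_port(myapp_master_t)   # assumed port for this example
read_files_pattern(myapp_master_t, myapp_spool_t, myapp_spool_t)

# Executing the worker binary from the master lands in myapp_worker_t,
# so the worker never inherits the master's bind permissions
domain_auto_trans(myapp_master_t, myapp_worker_exec_t, myapp_worker_t)
allow myapp_master_t myapp_worker_t:process { signal sigkill };

########################################
# Worker domain: only the accepted connection and its spool files

# The accepted socket is inherited from the master as an open descriptor
allow myapp_worker_t myapp_master_t:fd use;
allow myapp_worker_t myapp_master_t:tcp_socket rw_socket_perms;
manage_files_pattern(myapp_worker_t, myapp_spool_t, myapp_spool_t)
```

After loading the module, `ps -eZ` should show the listener in myapp_master_t and each child in myapp_worker_t; a denial logged against myapp_worker_t for a bind or for myapp_master_exec_t is then a signal that the worker is doing something the policy never intended.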
An example implementation of fine-grained application domain definitions is the postfix policy, which will be used...