policy_module(domain,1.0)

# Mark process types as domains
attribute domain;

# entrypoint executables
attribute entry_type;

# widely-inheritable file descriptors
attribute privfd;

# constraint related attributes
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;

neverallow domain ~domain:process { transition dyntransition };

# enabling setcurrent breaks process tranquility.  If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow * *:process setcurrent;