# # Define m4 macros for the constraints # # # Define the constraints # # constrain class_set perm_set expression ; # # validatetrans class_set expression ; # # expression : ( expression ) # | not expression # | expression and expression # | expression or expression # | u1 op u2 # | r1 role_mls_op r2 # | t1 op t2 # | l1 role_mls_op l2 # | l1 role_mls_op h2 # | h1 role_mls_op l2 # | h1 role_mls_op h2 # | l1 role_mls_op h1 # | l2 role_mls_op h2 # | u1 op names # | u2 op names # | r1 op names # | r2 op names # | t1 op names # | t2 op names # | u3 op names (NOTE: this is only available for validatetrans) # | r3 op names (NOTE: this is only available for validatetrans) # | t3 op names (NOTE: this is only available for validatetrans) # # op : == | != # role_mls_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } # name_list : name | name_list name# # # # Restrict the ability to transition to other users # or roles to a few privileged types. # constrain process transition ( u1 == u2 or ( t1 == privuser and t2 == userdomain ) ifdef(`crond.te', ` or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u)) ') ifdef(`userhelper.te', `or (t1 == userhelperdomain)') or (t1 == priv_system_role and u2 == system_u ) ); constrain process transition ( r1 == r2 or ( t1 == privrole and t2 == userdomain ) ifdef(`crond.te', ` or (t1 == crond_t and t2 == user_crond_domain) ') ifdef(`userhelper.te', `or (t1 == userhelperdomain)') ifdef(`postfix.te', ` ifdef(`direct_sysadm_daemon', `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )') ') or (t1 == priv_system_role and r2 == system_r ) ); constrain process dyntransition ( u1 == u2 and r1 == r2); # # Restrict the ability to label objects with other # user identities to a few privileged types. # constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == privowner ); constrain socket_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == privowner );