#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name		
#

#
# SELinux process identity change constraint:
#
constrain process transition
(
	u1 == u2

	or ( t1 == can_change_process_identity and t2 == process_user_target )

       	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )

	or ( t1 == can_system_change and u2 == system_u )

	or ( t1 == process_uncond_exempt )
);

#
# SELinux process role change constraint:
#
constrain process transition 
(
	r1 == r2 

	or ( t1 == can_change_process_role and t2 == process_user_target )

   	or ( t1 == cron_source_domain and t2 == cron_job_domain )

	or ( t1 == can_system_change and r2 == system_r )

	or ( t1 == process_uncond_exempt )
);

#
# SELinux dynamic transition constraint:
#
constrain process dyntransition
(
	u1 == u2 and r1 == r2
);

#
# SElinux object identity change constraint:
#
constrain dir_file_class_set { create relabelto relabelfrom } 
(
	u1 == u2

	or t1 == can_change_object_identity
);

constrain socket_class_set { create relabelto relabelfrom } 
(
	u1 == u2

	or t1 == can_change_object_identity
);