#
# Policy constraints
#
# Every `constrain` statement below is checked in addition to the TE
# allow rules: a permission granted by an allow rule is still denied
# when any constraint that covers that class/permission pair evaluates
# to false.  Constraints on the same class are conjunctive, so the
# user and role conditions can be written as separate statements.
#
# Syntax of a constraint statement (checkpolicy):
#
#   constrain class_set perm_set expression ;
#
#   expression : ( expression )
#              | not expression
#              | expression and expression
#              | expression or expression
#              | u1 op u2
#              | r1 role_op r2
#              | t1 op t2
#              | u1 op names | u2 op names
#              | r1 op names | r2 op names
#              | t1 op names | t2 op names
#
#   op        : == | !=
#   role_op   : == | != | eq | dom | domby | incomp
#   names     : name | { name_list }
#   name_list : name | name_list name
#
# u1/r1/t1 are the source context, u2/r2/t2 the target context.
# privuser, privrole and privowner are not declared here; they are
# expected to be attributes (or types) defined elsewhere in the policy.
#

#
# Process transitions: the SELinux user may only change when the source
# type carries privuser, and the role may only change when the source
# type carries privrole.  Dynamic transitions have no privileged escape
# hatch: both the user and the role must stay the same.
#
constrain process transition ( t1 == privuser or u1 == u2 );
constrain process transition ( t1 == privrole or r1 == r2 );
constrain process dyntransition ( u1 == u2 );
constrain process dyntransition ( r1 == r2 );

#
# Object labeling: creating or relabeling a file-like or socket object
# with a different SELinux user than the creating process is reserved
# for source types carrying privowner.
#
constrain dir_file_class_set { create relabelto relabelfrom } ( t1 == privowner or u1 == u2 );
constrain socket_class_set { create relabelto relabelfrom } ( t1 == privowner or u1 == u2 );