selinux-policy/refpolicy/policy/constraints
2006-03-14 18:53:22 +00:00

93 lines
1.8 KiB
Plaintext

#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# SELinux process identity change constraint:
#
constrain process transition
( u1 == u2
ifdef(`targeted_policy',`
or t1 == can_change_process_identity
',`
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain
and ( t2 == cron_job_domain or u2 == system_u )
)
or (t1 == process_uncond_exempt)
or (t1 == can_system_change and u2 == system_u )
')
);
#
# SELinux process role change constraint:
#
constrain process transition
( r1 == r2
ifdef(`targeted_policy',`
or t1 == can_change_process_role
',`
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == process_uncond_exempt )
# FIXME:
ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',`
or (
t1 == sysadm_mail_t
and t2 == system_mail_t
and r2 == system_r
)
')
')
or (t1 == can_system_change and r2 == system_r )
')
);
#
# SELinux dynamic transition constraint:
#
constrain process dyntransition
( u1 == u2 and r1 == r2 );
#
# SElinux object identity change constraint:
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity );