55 lines
1.1 KiB
Plaintext
55 lines
1.1 KiB
Plaintext
#
|
|
# Define m4 macros for the constraints
|
|
#
|
|
|
|
#
|
|
# Define the constraints
|
|
#
|
|
# constrain class_set perm_set expression ;
|
|
#
|
|
# expression : ( expression )
|
|
# | not expression
|
|
# | expression and expression
|
|
# | expression or expression
|
|
# | u1 op u2
|
|
# | r1 role_op r2
|
|
# | t1 op t2
|
|
# | u1 op names
|
|
# | u2 op names
|
|
# | r1 op names
|
|
# | r2 op names
|
|
# | t1 op names
|
|
# | t2 op names
|
|
#
|
|
# op : == | !=
|
|
# role_op : == | != | eq | dom | domby | incomp
|
|
#
|
|
# names : name | { name_list }
|
|
# name_list : name | name_list name#
|
|
#
|
|
|
|
#
|
|
# Restrict the ability to transition to other users
|
|
# or roles to a few privileged types.
|
|
#
|
|
|
|
constrain process transition
|
|
( u1 == u2 or t1 == privuser );
|
|
|
|
constrain process transition
|
|
( r1 == r2 or t1 == privrole );
|
|
|
|
constrain process dyntransition
|
|
( u1 == u2 and r1 == r2);
|
|
|
|
#
|
|
# Restrict the ability to label objects with other
|
|
# user identities to a few privileged types.
|
|
#
|
|
|
|
constrain dir_file_class_set { create relabelto relabelfrom }
|
|
( u1 == u2 or t1 == privowner );
|
|
|
|
constrain socket_class_set { create relabelto relabelfrom }
|
|
( u1 == u2 or t1 == privowner );
|