selinux-policy/refpolicy/policy/constraints

#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name		
#

#
# SELinux process identity change constraint:
#
constrain process transition
	( u1 == u2

ifdef(`targeted_policy',`
	or t1 == can_change_process_identity
',`
	or ( t1 == can_change_process_identity and t2 == process_user_target )

       	or ( t1 == cron_source_domain
		and ( t2 == cron_job_domain or u2 == system_u )
	   )

	or (t1 == process_uncond_exempt)

	or (t1 == can_system_change and u2 == system_u )
')
);

#
# SELinux process role change constraint:
#
constrain process transition 
	( r1 == r2

ifdef(`targeted_policy',`
	or t1 == can_change_process_role
',`
	or ( t1 == can_change_process_role and t2 == process_user_target )

       	or ( t1 == cron_source_domain and t2 == cron_job_domain )

	or ( t1 == process_uncond_exempt )

	# FIXME:
	ifdef(`postfix.te',`
		ifdef(`direct_sysadm_daemon',`
			or (
				t1 == sysadm_mail_t
				and t2 == system_mail_t
				and r2 == system_r
			)
		')
	')

	or (t1 == can_system_change and r2 == system_r )
')
);

#
# SELinux dynamic transition constraint:
#
constrain process dyntransition
	( u1 == u2 and r1 == r2 );

#
# SElinux object identity change constraint:
#
constrain dir_file_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == can_change_object_identity );

constrain socket_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == can_change_object_identity );