Constraint Statements

constrain

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

Statement definition:

(constrain classpermissionset_id ... expression | expr ...)

Where:

Examples:

Two constrain statements are shown with their equivalent kernel policy language statements:

;; constrain { file } { write }
;;    (( t1 == unconfined.process  ) and ( t2 == unconfined.object  ) or ( r1 eq r2 ));
(constrain (file (write))
    (or
        (and
            (eq t1 unconfined.process)
            (eq t2 unconfined.object)
        )
        (eq r1 r2)
    )
)

;; constrain { file } { read }
;;    (not ((( t1 == unconfined.process  ) and ( t2 == unconfined.object  )) or ( r1 eq r2 )));
(constrain (file (read))
    (not
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )
)

validatetrans

The validatetrans statement is only used for file-related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

Statement definition:

(validatetrans class_id expression | expr ...)

Where:

Example:

A validate transition statement with the equivalent kernel policy language statement:

;; validatetrans { file } ( t1 == unconfined.process  );

(validatetrans file (eq t1 unconfined.process))

mlsconstrain

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

Statement definition:

(mlsconstrain classpermissionset_id ... expression | expr ...)

Where:

Example:

An MLS constrain statement with the equivalent kernel policy language statement:

;; mlsconstrain { file } { open }
;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

(mlsconstrain (file (open))
    (or
        (and
            (eq l1 l2)
            (eq u1 u2)
        )
        (neq r1 r2)
    )
)

mlsvalidatetrans

The mlsvalidatetrans statement is only used for file-related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

Statement definition:

(mlsvalidatetrans class_id expression | expr ...)

Where:

Example:

An MLS validate transition statement with the equivalent kernel policy language statement:

;; mlsvalidatetrans { file } ( l1 domby h2 );

(mlsvalidatetrans file (domby l1 h2))
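As an added example (not part of the CIL documentation or the secilc code base), a small Python evaluator for the constraint expressions used by the constrain, validatetrans, mlsconstrain and mlsvalidatetrans statements above: it parses the CIL s-expression form, resolves u1/r1/t1/l1/h1 against a source context and u2/r2/t2/l2/h2 against a target context, and evaluates eq, neq, dom, domby and incomp, so the effect of wrapping the whole or-expression in not can be checked directly. The contexts SRC and TGT are constructed; the third (process) context of validatetrans and set operands are not modelled.

```python
import re

# Constructed source and target contexts; MLS levels are (sensitivity, frozenset(categories)).
SRC = {"u": "unconfined.user", "r": "unconfined.role", "t": "unconfined.process",
       "l": (0, frozenset()), "h": (1, frozenset({1, 2}))}
TGT = {"u": "unconfined.user", "r": "object.role", "t": "unconfined.object",
       "l": (0, frozenset()), "h": (0, frozenset())}

def parse(text):
    """Read CIL s-expression text into nested lists of tokens."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    def read():
        tok = tokens.pop(0)
        if tok != "(":
            return tok
        items = []
        while tokens[0] != ")":
            items.append(read())
        tokens.pop(0)  # closing paren
        return items
    return read()

def dominates(a, b):
    return a[0] >= b[0] and a[1] >= b[1]  # a dom b: sensitivity >= and category superset

def resolve(name, src, tgt):
    # u1/r1/t1/l1/h1 name the source context, u2/... the target; anything else is a literal
    if re.fullmatch(r"[urtlh][12]", name):
        return (src if name[1] == "1" else tgt)[name[0]]
    return name

def evaluate(expr, src, tgt):
    """Evaluate a CIL constraint expression; (not X) negates the whole of X."""
    op = expr[0]
    if op == "and":
        return all(evaluate(e, src, tgt) for e in expr[1:])
    if op == "or":
        return any(evaluate(e, src, tgt) for e in expr[1:])
    if op == "not":
        return not evaluate(expr[1], src, tgt)
    a, b = (resolve(x, src, tgt) for x in expr[1:3])
    ops = {"eq": lambda x, y: x == y, "neq": lambda x, y: x != y, "dom": dominates,
           "domby": lambda x, y: dominates(y, x),
           "incomp": lambda x, y: not (dominates(x, y) or dominates(y, x))}
    return ops[op](a, b)

def constraint_allows(statement, src, tgt):
    return evaluate(parse(statement)[-1], src, tgt)  # the expression is the last element

WRITE = "(constrain (file (write)) (or (and (eq t1 unconfined.process) (eq t2 unconfined.object)) (eq r1 r2)))"
READ = "(constrain (file (read)) (not (or (and (eq t1 unconfined.process) (eq t2 unconfined.object)) (eq r1 r2))))"
```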