# Copyright (C) 2005 Tresys Technology, LLC # # Define m4 macros for the constraints # # # Define the constraints # # constrain class_set perm_set expression ; # # expression : ( expression ) # | not expression # | expression and expression # | expression or expression # | u1 op u2 # | r1 role_op r2 # | t1 op t2 # | u1 op names # | u2 op names # | r1 op names # | r2 op names # | t1 op names # | t2 op names # # op : == | != # role_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } # name_list : name | name_list name # # # SELinux process identity change constraint: # constrain process transition ( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain ) ifdef(`crond.te', ` or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u)) ') ifdef(`TODO',` ifdef(`userhelper.te', `or (t1 == userhelperdomain)') or (t1 == priv_system_role and u2 == system_u ) ') dnl end TODO ); # # SELinux process role change constraint: # constrain process transition ( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain ) ifdef(`crond.te', ` or (t1 == crond_t and t2 == user_crond_domain) ') ifdef(`TODO',` ifdef(`userhelper.te', `or (t1 == userhelperdomain)') ifdef(`postfix.te', ` ifdef(`direct_sysadm_daemon', `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )') ') or (t1 == priv_system_role and r2 == system_r ) ') dnl end TODO ); # # SELinux dynamic transition constraint: # constrain process dyntransition ( u1 == u2 and r1 == r2); # # SElinux object identity change constraint: # constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity ); constrain socket_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == can_change_object_identity );