author | Chris PeBenito <cpebenito@tresys.com> | 2006-07-12 20:32:27 +0000 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2006-07-12 20:32:27 +0000 |
commit | 17de1b790b30095d8dc26ef720d3cc6d0fbdceb5 (patch) | |
tree | 89e24b9b7407840b4b6b56d58c908f1df022f712 /policy/constraints | |
parent | b6a9bc355553f05e84f937005f53d39cdad70e27 (diff) |
remove extra level of directory
Diffstat (limited to 'policy/constraints')
-rw-r--r-- | policy/constraints | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/policy/constraints b/policy/constraints
new file mode 100644
index 00000000..d4dab72a
--- /dev/null
+++ b/policy/constraints
@@ -0,0 +1,92 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_op r2
+# | t1 op t2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+#
+# op : == | !=
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# SELinux process identity change constraint:
+#
+constrain process transition
+ ( u1 == u2
+
+ifdef(`targeted_policy',`
+ or t1 == can_change_process_identity
+',`
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
+
+ or ( t1 == cron_source_domain
+ and ( t2 == cron_job_domain or u2 == system_u )
+ )
+
+ or (t1 == process_uncond_exempt)
+
+ or (t1 == can_system_change and u2 == system_u )
+')
+);
+
+#
+# SELinux process role change constraint:
+#
+constrain process transition
+ ( r1 == r2
+
+ifdef(`targeted_policy',`
+ or t1 == can_change_process_role
+',`
+ or ( t1 == can_change_process_role and t2 == process_user_target )
+
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
+
+ or ( t1 == process_uncond_exempt )
+
+ # FIXME:
+ ifdef(`postfix.te',`
+ ifdef(`direct_sysadm_daemon',`
+ or (
+ t1 == sysadm_mail_t
+ and t2 == system_mail_t
+ and r2 == system_r
+ )
+ ')
+ ')
+
+ or (t1 == can_system_change and r2 == system_r )
+')
+);
+
+#
+# SELinux dynamic transition constraint:
+#
+constrain process dyntransition
+ ( u1 == u2 and r1 == r2 );
+
+#
+# SElinux object identity change constraint:
+#
+constrain dir_file_class_set { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+
+constrain socket_class_set { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity ); |
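Review bot: In the `targeted_policy` branch of the process identity constraint, `or t1 == can_change_process_identity` carries no `t2 == process_user_target` bound, unlike the non-targeted branch directly below it, so under targeted policy any domain with that attribute may set an arbitrary SELinux user on transition into any target domain; the role constraint's `or t1 == can_change_process_role` has the same asymmetry. If this is deliberate for the targeted model it should say so in place, e.g. `# targeted: no per-user domains, so no t2 bound is applied`, and if not the bound should be restored. The bare `# FIXME:` above the nested `ifdef(`postfix.te',` / `ifdef(`direct_sysadm_daemon',` carve-out for sysadm_mail_t -> system_mail_t gives a reader no way to tell what is wrong with it or when it can be removed; a one-line reason (presumably that a per-module exception does not belong in the global constraints file — confirm) would make it actionable. The `process_uncond_exempt` clause also exempts a domain from both constraints with no stated justification, and a short comment on what qualifies a domain for that attribute would help future review of additions to it.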