#
# Define m4 macros for the constraints
#

#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# validatetrans class_set expression ;
#
# expression : ( expression )
#       | not expression
#       | expression and expression
#       | expression or expression
#       | u1 op u2
#       | r1 role_mls_op r2
#       | t1 op t2
#       | l1 role_mls_op l2
#       | l1 role_mls_op h2
#       | h1 role_mls_op l2
#       | h1 role_mls_op h2
#       | l1 role_mls_op h1
#       | l2 role_mls_op h2
#       | u1 op names
#       | u2 op names
#       | r1 op names
#       | r2 op names
#       | t1 op names
#       | t2 op names
#       | u3 op names (NOTE: this is only available for validatetrans)
#       | r3 op names (NOTE: this is only available for validatetrans)
#       | t3 op names (NOTE: this is only available for validatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#

#
# Constraint on changing the user identity across a process transition.
# The transition is permitted only when at least one clause holds:
#   - u1 == u2: the user identity does not change;
#   - t1 matches privuser and t2 matches userdomain;
#   - (only when crond.te is defined) t1 is crond_t and either t2 matches
#     user_crond_domain or the new user identity is system_u;
#   - (only when userhelper.te is defined) t1 matches userhelperdomain.
#     This clause places no condition on t2 or u2, so as far as this
#     constraint is concerned a userhelperdomain source may transition to
#     any target type under any user identity; keep that attribute narrow;
#   - t1 matches priv_system_role and the new user identity is system_u.
# The ifdef clauses are resolved by the m4 preprocessor, so the effective
# constraint depends on which policy modules are present in the build.
#
constrain process transition
( u1 == u2 or ( t1 == privuser and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
);

#
# Constraint on changing the role across a process transition.
# The transition is permitted only when at least one clause holds:
#   - r1 == r2: the role does not change;
#   - t1 matches privrole and t2 matches userdomain;
#   - (only when crond.te is defined) t1 is crond_t and t2 matches
#     user_crond_domain;
#   - (only when userhelper.te is defined) t1 matches userhelperdomain,
#     with no condition on t2 or r2 (same breadth as in the user
#     constraint above);
#   - (only when both postfix.te and direct_sysadm_daemon are defined)
#     sysadm_mail_t transitions to system_mail_t with the new role system_r;
#   - t1 matches priv_system_role and the new role is system_r.
# The nested ifdef for postfix.te/direct_sysadm_daemon is resolved by m4;
# if either is undefined the sysadm_mail_t clause is absent entirely.
#
constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
);

#
# A process dyntransition may change neither the user identity nor the
# role: both u1 == u2 and r1 == r2 must hold. Unlike the two transition
# constraints above, this rule has no privileged-type exception, so only
# the type component can change on a dyntransition.
#
constrain process dyntransition
( u1 == u2 and r1 == r2);

#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#

#
# Creating or relabeling a file-class object must keep the object user
# identity equal to that of the acting process (u1 == u2), unless the
# acting type matches privowner. privowner is therefore the only way to
# create or relabel files owned by another SELinux user.
# dir_file_class_set is presumably an m4 macro expanding to the file object
# classes; it is not defined in this file as shown.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );

#
# Same rule as for file classes, applied to sockets: create/relabelto/
# relabelfrom must preserve the user identity (u1 == u2) unless the acting
# type matches privowner.
# socket_class_set is presumably an m4 macro expanding to the socket object
# classes; it is not defined in this file as shown.
#
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );