http://selinuxproject.org/w/?title=ConstraintStatements&action=history&feed=atom ConstraintStatements - Revision history 2024-03-29T07:33:30Z Revision history for this page on the wiki MediaWiki 1.23.13 http://selinuxproject.org/w/?title=ConstraintStatements&diff=1743&oldid=prev RichardHaines at 15:02, 13 December 2014 2014-12-13T15:02:52Z <p></p> <a href="http://selinuxproject.org/w/?title=ConstraintStatements&amp;diff=1743&amp;oldid=850">Show changes</a> RichardHaines http://selinuxproject.org/w/?title=ConstraintStatements&diff=850&oldid=prev RichardHaines at 13:54, 30 November 2009 2009-11-30T13:54:02Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:54, 30 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 62:</td> <td colspan="2" class="diff-lineno">Line 62:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t2 op names</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t2 op names</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>!colspan=&quot;2&quot;|'''Where:'''</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>!colspan=&quot;2<ins class="diffchange diffchange-inline">&quot; align=&quot;left</ins>&quot;|'''Where:'''</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>u1, r1, t1 = Source user, role, type</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Source user, role, type</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>u2, r2, t2 = Target user, role, type</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>u2, r2, t2 = Target user, role, type</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''and:'''</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''and:'''</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>op : == | !=</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>op : == | !=<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>role_op : == | != | eq | dom | domby | incomp</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>names : name | { name_list }</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>role_op : == | != | eq | dom | domby | incomp<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>name_list : name | name_list name</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>names : name | { name_list }<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>name_list : name | name_list name<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 269:</td> <td colspan="2" class="diff-lineno">Line 262:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t3 op names</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t3 op names</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>!colspan=&quot;2&quot;|'''Where:'''</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>!colspan=&quot;2<ins class="diffchange diffchange-inline">&quot; align=&quot;left</ins>&quot;|'''Where:'''</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>u1, r1, t1 = Old user, role, type</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Old user, role, type</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>u2, r2, t2 = New user, role, type</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>u3, r3, t3 = Process user, role, type</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>u2, r2, t2 = New user, role, type</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>u3, r3, t3 = Process user, role, type</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''and:'''</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''and:'''</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>op : == | !=</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>op : == | !=<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>role_op : == | != | eq | dom | domby | incomp</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>names : name | { name_list }</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>role_op : == | != | eq | dom | domby | incomp<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">&#160; &#160; </ins>name_list : name | name_list name</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>names : name | { name_list }<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">&lt;nowiki&gt;</del>name_list : name | name_list name<del class="diffchange diffchange-inline">&lt;/nowiki&gt;</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=ConstraintStatements&diff=844&oldid=prev RichardHaines at 17:44, 29 November 2009 2009-11-29T17:44:33Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 17:44, 29 November 2009</td> </tr><tr><td colspan="2" class="diff-lineno">Line 62:</td> <td colspan="2" class="diff-lineno">Line 62:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t2 op names</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t2 op names</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|'''Where:'''</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">!colspan=&quot;2&quot;</ins>|'''Where:'''</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Source user, role, type</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Source user, role, type</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 76:</td> <td colspan="2" class="diff-lineno">Line 76:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;nowiki&gt;name_list : name | name_list name&lt;/nowiki&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;nowiki&gt;name_list : name | name_list name&lt;/nowiki&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">|-</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 269:</td> <td colspan="2" class="diff-lineno">Line 269:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t3 op names</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| t3 op names</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|'''Where:'''</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">!colspan=&quot;2&quot;</ins>|'''Where:'''</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Old user, role, type</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>u1, r1, t1 = Old user, role, type</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 286:</td> <td colspan="2" class="diff-lineno">Line 286:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;nowiki&gt;name_list : name | name_list name&lt;/nowiki&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;nowiki&gt;name_list : name | name_list name&lt;/nowiki&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">|-</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=ConstraintStatements&diff=843&oldid=prev RichardHaines at 17:28, 29 November 2009 2009-11-29T17:28:20Z <p></p> <a href="http://selinuxproject.org/w/?title=ConstraintStatements&amp;diff=843&amp;oldid=842">Show changes</a> RichardHaines http://selinuxproject.org/w/?title=ConstraintStatements&diff=842&oldid=prev RichardHaines: New page: = Constraint Statements = == constrain Statement == The constrain statement allows further restriction on permissions for the specified object classes by using boolean expressions covering... 2009-11-29T16:40:37Z <p>New page: = Constraint Statements = == constrain Statement == The constrain statement allows further restriction on permissions for the specified object classes by using boolean expressions covering...</p> <p><b>New page</b></p><div>= Constraint Statements =<br /> == constrain Statement ==<br /> The constrain statement allows further restriction on permissions for the specified object classes by using boolean expressions covering: source and target types, roles and users as described in the examples. <br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> constrain class perm_set expression;<br /> &lt;/pre&gt;<br /> <br /> <br /> '''Where:'''<br /> {|border=&quot;1&quot;<br /> |constrain<br /> |The constrain keyword.<br /> |-<br /> |class<br /> |One or more object classes. Multiple entries consist of a space separated list enclosed in braces ({}).<br /> |-<br /> |perm_set<br /> |One or more permissions. Multiple entries consist of a space separated list enclosed in braces ({}).<br /> |-<br /> |expression<br /> |The boolean expression of the constraint that is defined as follows:<br /> |-<br /> |<br /> |( expression : expression ) <br /> |-<br /> |<br /> | not expression<br /> |-<br /> |<br /> | expression and expression<br /> |-<br /> |<br /> | expression or expression<br /> |-<br /> |<br /> | u1 op u2<br /> |-<br /> |<br /> | r1 role_op r2<br /> |-<br /> |<br /> | t1 op t2<br /> |-<br /> |<br /> | u1 op names<br /> |-<br /> |<br /> | u2 op names<br /> |-<br /> |<br /> | r1 op names<br /> |-<br /> |<br /> | r2 op names<br /> |-<br /> |<br /> | t1 op names<br /> |-<br /> |<br /> | t2 op names<br /> |}<br /> {|border=&quot;1&quot;<br /> |'''Where:'''<br /> <br /> u1, r1, t1 = Source user, role, type<br /> u2, r2, t2 = Target user, role, type<br /> <br /> '''and:'''<br /> <br /> &lt;nowiki&gt;op : == | !=&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;role_op : == | != | eq | dom | domby | incomp&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;names : name | { name_list }&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;name_list : name | name_list name&lt;/nowiki&gt;<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> {|border=&quot;1&quot;<br /> |&lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> |&lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> |&lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;Yes&lt;/center&gt;<br /> |&lt;center&gt;Yes&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> |&lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> |&lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;No&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Examples:'''<br /> <br /> These examples have been taken from the Reference Policy source ./policy/constraints file.<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# This &lt;/nowiki&gt;''constrain'' statement is the “SELinux process identity <br /> &lt;nowiki&gt;# change constraint” taken from the Reference Policy source and&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# contains multiple expressions.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The overall constraint is on the &lt;/nowiki&gt;''process'' object class with the <br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''transition'' permission, and is stating that a domain transition <br /> &lt;nowiki&gt;# is being constrained by the rules listed (u1 == u2 etc.), &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# however only the first two expressions are explained.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The first expression &lt;/nowiki&gt;''u1 == u2'' states that the '''source''' (''u1'') and<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;'''target''' (''u2'') user identifiers must be '''equal''' for a ''process'' <br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''transition'' to be allowed.<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# However note that there are a number of &lt;/nowiki&gt;'''or''' operators that can <br /> &lt;nowiki&gt;# override this first constraint.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The second expression:&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''( t1 == can_change_process_identity and t2 == process_user_target )''<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# states that if the &lt;/nowiki&gt;'''source type''' (''t1'') is '''equal''' to any type<br /> &lt;nowiki&gt;# associated to the &lt;/nowiki&gt;''can_change_process_identity'' attribute, '''and''' <br /> &lt;nowiki&gt;# the &lt;/nowiki&gt;'''target type''' (''t2'') is '''equal''' to any type associated to the<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''process_user_target'' attribute, then a ''process'' ''transition'' is<br /> &lt;nowiki&gt;# allowed. &lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;# What this expression means in the 'standard' build Reference &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# Policy is that if the &lt;/nowiki&gt;'''source domain''' is either cron_t, <br /> &lt;nowiki&gt;# firstboot_t, local_login_t, su_login_t, sshd_t or xdm_t (as &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# the &lt;/nowiki&gt;''can_change_process_identity'' attribute has these types <br /> &lt;nowiki&gt;# associated to it) &lt;/nowiki&gt;'''and''' the '''target domain''' is sysadm_t (as that is<br /> &lt;nowiki&gt;# the only type associated to the &lt;/nowiki&gt;''can_change_process_identity'' <br /> &lt;nowiki&gt;# attribute), then a domain transition is allowed.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;# SELinux process identity change constraint:&lt;/nowiki&gt;<br /> <br /> constrain process transition ( <br /> u1 == u2 <br /> or<br /> ( t1 == can_change_process_identity and t2 == process_user_target ) or<br /> ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ))<br /> or<br /> ( t1 == can_system_change and u2 == system_u )<br /> or <br /> ( t1 == process_uncond_exempt ) );<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;# This &lt;/nowiki&gt;''constrain'' statement is the “SELinux file related object <br /> &lt;nowiki&gt;# identity change constraint” taken from the Reference Policy &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# source and contains two expressions.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The overall constraint is on the listed file related object &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# classes (&lt;/nowiki&gt;''dir'', ''file'' etc.), covering the ''create'', ''relabelto'', and <br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''relabelfrom'' permissions. It is stating that when any of the <br /> &lt;nowiki&gt;# object class listed are being created or relabeled, then they&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# are subject to the constraint rules listed (u1 == u2 etc.).&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The first expression &lt;/nowiki&gt;''u1 == u2'' states that the '''source''' (''u1'') and<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;'''target''' (''u2'') user identifiers (within the security context) <br /> &lt;nowiki&gt;# must be &lt;/nowiki&gt;'''equal''' when creating or relabeling any of the file <br /> &lt;nowiki&gt;# related objects listed.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# The second expression:&lt;/nowiki&gt;<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''or t1 == can_change_object_identity''<br /> &lt;nowiki&gt;# &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# states &lt;/nowiki&gt;'''or''' if the '''source type''' (''t1'') is '''equal''' to any type<br /> &lt;nowiki&gt;# associated to the &lt;/nowiki&gt;''can_change_object_identity'' attribute, then<br /> &lt;nowiki&gt;# any of the object class listed can be created or relabeled.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;# What this expression means in the 'standard' build &lt;/nowiki&gt;<br /> &lt;nowiki&gt;# Reference Policy is that if the &lt;/nowiki&gt;'''source domain''' (''t1'') matches a <br /> &lt;nowiki&gt;# &lt;/nowiki&gt;''type'' entry in the ''can_change_object_identity'' attribute, then<br /> &lt;nowiki&gt;# any of the object class listed can be created or relabeled.&lt;/nowiki&gt;<br /> &lt;nowiki&gt;#&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;# SELinux file related object identity change constraint:&lt;/nowiki&gt;<br /> <br /> constrain { dir file lnk_file sock_file fifo_file chr_file <br /> blk_file } { create relabelto relabelfrom } <br /> (<br /> u1 == u2<br /> or t1 == can_change_object_identity<br /> );<br /> &lt;/pre&gt;<br /> <br /> <br /> == validatetrans Statement ==<br /> Only file related object classes are currently supported by this statement and it is used to control the ability to change the objects security context.<br /> <br /> Note there are no validatetrans statements specified within the Reference Policy source.<br /> <br /> '''The statement definition is:'''<br /> &lt;pre&gt;<br /> validatetrans class expression;<br /> &lt;/pre&gt;<br /> <br /> <br /> '''Where:'''<br /> {|border=&quot;1&quot;<br /> |validatetrans<br /> |The validatetrans keyword.<br /> <br /> |-<br /> |class<br /> |One or more file related object classes. Multiple entries consist of a space separated list enclosed in braces ({}).<br /> <br /> |-<br /> |expression<br /> |The boolean expression of the constraint that is defined as follows:<br /> <br /> |-<br /> |<br /> |( expression : expression ) <br /> <br /> | not expression<br /> <br /> | expression and expression<br /> <br /> | expression or expression<br /> <br /> | u1 op u2<br /> <br /> | r1 role_op r2<br /> <br /> | t1 op t2<br /> <br /> | u1 op names<br /> <br /> | u2 op names<br /> <br /> | r1 op names<br /> <br /> | r2 op names<br /> <br /> | t1 op names<br /> <br /> | t2 op names<br /> <br /> | u3 op names<br /> <br /> | r3 op names<br /> <br /> | t3 op names<br /> <br /> |-<br /> | colspan=&quot;2&quot; '''Where:'''<br /> <br /> u1, r1, t1 = Old user, role, type<br /> <br /> u2, r2, t2 = New user, role, type<br /> <br /> u3, r3, t3 = Process user, role, type<br /> <br /> '''and:'''<br /> <br /> op : == | !=<br /> <br /> role_op : == | != | eq | dom | domby | incomp<br /> <br /> names : name | { name_list }<br /> <br /> name_list : name | name_list name<br /> <br /> |}<br /> <br /> <br /> '''The statement is valid in:'''<br /> {|border=&quot;1&quot;<br /> |&lt;center&gt;'''Monolithic Policy'''&lt;/center&gt;<br /> |&lt;center&gt;'''Base Policy'''&lt;/center&gt;<br /> |&lt;center&gt;'''Module Policy'''&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;Yes&lt;/center&gt;<br /> |&lt;center&gt;Yes&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;'''Conditional Policy (if) Statement'''&lt;/center&gt;<br /> |&lt;center&gt;'''optional Statement'''&lt;/center&gt;<br /> |&lt;center&gt;'''require Statement'''&lt;/center&gt;<br /> <br /> |-<br /> |&lt;center&gt;No&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> |&lt;center&gt;No&lt;/center&gt;<br /> <br /> |}<br /> <br /> <br /> '''Examples:'''<br /> &lt;pre&gt;<br /> none yet<br /> &lt;/pre&gt;</div> RichardHaines