Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (constrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p>where:</p>
<p><code>  u1, r1, t1 = Source context: user, role or type</code></p>
<p><code>  u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code>  op      : eq neq</code></p>
<p><code>  role_op : eq neq dom domby incomp</code></p>
<p><code>  user_id : A single user or userattribute identifier.</code></p>
<p><code>  role_id : A single role or roleattribute identifier.</code></p>
<p><code>  type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or  expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements:

    ;; constrain { file } { write }
    ;;    (( t1 == unconfined.process  ) and ( t2 == unconfined.object  ) or ( r1 eq r2 ));
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;;    (not( t1 == unconfined.process  ) and ( t2 == unconfined.object  ) or ( r1 eq r2 ));
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (validatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>  u1, r1, t1 = Old context: user, role or type</code></p>
<p><code>  u2, r2, t2 = New context: user, role or type</code></p>
<p><code>  u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>  op      : eq neq</code></p>
<p><code>  role_op : eq neq dom domby incomp</code></p>
<p><code>  user_id : A single user or userattribute identifier.</code></p>
<p><code>  role_id : A single role or roleattribute identifier.</code></p>
<p><code>  type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or  expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement:

    ;; validatetrans { file } ( t1 == unconfined.process  );

    (validatetrans file (eq t1 unconfined.process))

mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (mlsconstrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p>where:</p>
<p><code>  u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code>  u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code>  op          : eq neq</code></p>
<p><code>  mls_role_op : eq neq dom domby incomp</code></p>
<p><code>  user_id     : A single user or userattribute identifier.</code></p>
<p><code>  role_id     : A single role or roleattribute identifier.</code></p>
<p><code>  type_id     : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or  expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement:

    ;; mlsconstrain { file } { open }
    ;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (mlsvalidatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>  u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code>  u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p><code>  u3, r3, t3         = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>  op          : eq neq</code></p>
<p><code>  mls_role_op : eq neq dom domby incomp</code></p>
<p><code>  user_id     : A single user or userattribute identifier.</code></p>
<p><code>  role_id     : A single role or roleattribute identifier.</code></p>
<p><code>  type_id     : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or  expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement:

    ;; mlsvalidatetrans { file } ( l1 domby h2 );

    (mlsvalidatetrans file (domby l1 h2))
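As an added example that is not part of the CIL documentation or of libsepol, the following Python evaluator parses the s-expression form shared by the `constrain`, `validatetrans`, `mlsconstrain` and `mlsvalidatetrans` statements above and evaluates it against constructed contexts, so the effect of the `and`/`or`/`not` nesting and of the MLS level operators `dom`/`domby`/`incomp` can be checked before a policy is built. It assumes levels modelled as (sensitivity, category set) tuples, models no role dominance, and uses constructed sample context values throughout.

```python
import re
def parse(src):
    """Parse a CIL s-expression into nested lists of atom strings."""
    tokens = re.findall(r"[()]|[^\s()]+", src)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1
    return read(0)[0]

def dominates(a, b):
    """a dom b iff sens(a) >= sens(b) and cats(a) is a superset of cats(b).
    Levels are modelled as (sensitivity, frozenset of categories); role
    dominance is not modelled, so dom/domby/incomp apply to l/h operands only."""
    return a[0] >= b[0] and a[1] >= b[1]

OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b, "dom": dominates,
       "domby": lambda a, b: dominates(b, a),
       "incomp": lambda a, b: not dominates(a, b) and not dominates(b, a)}

def evaluate(expr, ctx):
    """ctx maps operand names (u1, r1, t1, l1, h1, u2, ...) to values; any other
    atom is taken as a literal user/role/type identifier."""
    op = expr[0]
    if op == "not":
        return not evaluate(expr[1], ctx)
    if op in ("and", "or"):
        left, right = evaluate(expr[1], ctx), evaluate(expr[2], ctx)
        return (left and right) if op == "and" else (left or right)
    return OPS[op](ctx.get(expr[1], expr[1]), ctx.get(expr[2], expr[2]))

def permitted(statement, src, tgt):
    """True if the statement's expression (third element) holds for the contexts,
    i.e. the constraint would not deny the permission."""
    return evaluate(parse(statement)[2], {**src, **tgt})

# Constructed sample contexts; for validatetrans read src as old and tgt as new.
SRC = {"u1": "unconfined.user", "r1": "unconfined.role", "t1": "unconfined.process",
       "l1": (1, frozenset({"c0"})), "h1": (1, frozenset({"c0"}))}
TGT = {"u2": "unconfined.user", "r2": "object.role", "t2": "unconfined.object",
       "l2": (0, frozenset()), "h2": (2, frozenset({"c0", "c1"}))}
CONSTRAIN_WRITE = """(constrain (file (write))
    (or (and (eq t1 unconfined.process) (eq t2 unconfined.object)) (eq r1 r2)))"""
MLS_OPEN = "(mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))"
MLS_VTRANS = "(mlsvalidatetrans file (domby l1 h2))"
```

A constraint only restricts what an `allow` rule already grants, so `permitted` returning True means the constraint imposes no further denial, not that the access is allowed outright.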
    314