Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (constrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Source context: user, role or type</code></p>
<p><code> u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements:

    ;; constrain { file } { write }
    ;;     (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;;     (not( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (validatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Old context: user, role or type</code></p>
<p><code> u2, r2, t2 = New context: user, role or type</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement:

    ;; validatetrans { file } ( t1 == unconfined.process );

    (validatetrans file (eq t1 unconfined.process))

mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

    (mlsconstrain classpermissionset_id ... expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement:

    ;; mlsconstrain { file } { open }
    ;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

    (mlsvalidatetrans class_id expression | expr ...)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement:

    ;; mlsvalidatetrans { file } ( l1 domby h2 );

    (mlsvalidatetrans file (domby l1 h2))
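To show how the `constrain`/`validatetrans` and `mlsconstrain`/`mlsvalidatetrans` expressions above are evaluated, here is an added Python evaluator that parses the CIL s-expression form and applies `eq`, `neq`, `dom`, `domby`, `incomp`, `and`, `or` and `not` to a constructed pair of security contexts. It is not code from the CIL documentation or the secilc compiler; the tuple model of MLS levels, the sample contexts and the names `parse`, `evaluate` and `check` are assumptions made for illustration.

```python
import re

def parse(text):
    """Parse one CIL s-expression into nested lists of token strings."""
    tokens = re.findall(r"[()]|[^\s()]+", text)
    def walk(pos):
        out = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == "(":
                sub, pos = walk(pos + 1)
                out.append(sub)
            elif tok == ")":
                return out, pos + 1
            else:
                out.append(tok)
                pos += 1
        return out, pos
    return walk(0)[0][0]

# Assumed level model: (sensitivity, frozenset of categories).  A level
# dominates another when its sensitivity is >= and its categories are a
# superset; dom/domby/incomp are only meaningful on these level tuples here.
def dom(a, b):
    return a[0] >= b[0] and a[1] >= b[1]

OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "dom": dom,
    "domby": lambda a, b: dom(b, a),
    "incomp": lambda a, b: not dom(a, b) and not dom(b, a),
}

def evaluate(expr, ctx):
    """Evaluate a constraint expression; names not in ctx are literal ids."""
    op = expr[0]
    if op == "not":
        return not evaluate(expr[1], ctx)
    if op == "and":
        return evaluate(expr[1], ctx) and evaluate(expr[2], ctx)
    if op == "or":
        return evaluate(expr[1], ctx) or evaluate(expr[2], ctx)
    lhs, rhs = (ctx.get(x, x) for x in expr[1:3])
    return OPS[op](lhs, rhs)

def check(statement, ctx):
    """Return (keyword, class/permission part, expression result)."""
    stmt = parse(statement)
    return stmt[0], stmt[1], evaluate(stmt[2], ctx)
```

When the expression evaluates to false the kernel denies the permission (or the relabel, for the validatetrans forms) even though an allow rule exists, which is why constraints are the place to enforce invariants that type enforcement alone cannot express.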