Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components. A constraint is checked in addition to the `allow` rules: if its expression evaluates to false, the permission is denied even when an `allow` rule would otherwise grant it.

**Statement definition:**

```secil
    (constrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be exactly one constraint <code>expression</code>, or one or more <code>expr</code>'s combining expressions. An expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id | (user_id ...))</code></p>
<p><code>    (op u2 user_id | (user_id ...))</code></p>
<p><code>    (op r1 role_id | (role_id ...))</code></p>
<p><code>    (op r2 role_id | (role_id ...))</code></p>
<p><code>    (op t1 type_id | (type_id ...))</code></p>
<p><code>    (op t2 type_id | (type_id ...))</code></p>
<p>where:</p>
<p><code>    u1, r1, t1 = Source context: user, role or type</code></p>
<p><code>    u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s combining expressions; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements:

```secil
    ;; constrain { file } { write }
    ;;     ( ( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ) );
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;;     ( not ( ( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ) ) );
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )
```

In the second statement the `not` applies to the whole `or` expression. The CIL nesting makes this explicit; in the kernel policy language the parentheses around the `or` expression are required to get the same result, because `not` binds more tightly than `and` and `or`.

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes, where it controls the ability to change an object's security context based on the old context, the new context and the context of the process making the change. The change (for example a relabel) is denied if the expression evaluates to false.

**Statement definition:**

```secil
    (validatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be exactly one constraint <code>expression</code>, or one or more <code>expr</code>'s combining expressions. An expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1 = Old context: user, role or type</code></p>
<p><code>    u2, r2, t2 = New context: user, role or type</code></p>
<p><code>    u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s combining expressions; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement (`t1` is the object's old type; the type of the relabelling process would be `t3`):

```secil
    ;; validatetrans { file } ( t1 == unconfined.process );

    (validatetrans file (eq t1 unconfined.process))
```

mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components, including their MLS low and high levels. MLS constraints are only meaningful in a policy built with `(mls true)`; as with `constrain`, the permission is denied if the expression evaluates to false.

**Statement definition:**

```secil
    (mlsconstrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be exactly one constraint <code>expression</code>, or one or more <code>expr</code>'s combining expressions. An expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code>    u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    mls_role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s combining expressions; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement:

```secil
    ;; mlsconstrain { file } { open }
    ;;     ( ( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ) );

    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )
```

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes, where it controls the ability to change an object's security context based on the old context, the new context and the context of the process making the change, including the MLS low and high levels of the old and new contexts. The change is denied if the expression evaluates to false.

**Statement definition:**

```secil
    (mlsvalidatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be exactly one constraint <code>expression</code>, or one or more <code>expr</code>'s combining expressions. An expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1, l1, h1 = Old context: user, role, type, low level or high level</code></p>
<p><code>    u2, r2, t2, l2, h2 = New context: user, role, type, low level or high level</code></p>
<p><code>    u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    mls_role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s combining expressions; the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement. It allows the change only if the old low level is dominated by the new high level:

```secil
    ;; mlsvalidatetrans { file } ( l1 domby h2 );

    (mlsvalidatetrans file (domby l1 h2))
```
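The evaluator below is an added example and is not part of the CIL reference guide or of the SELinux project. It parses the expression of a `constrain`, `validatetrans`, `mlsconstrain` or `mlsvalidatetrans` statement and evaluates it against concrete security contexts, so the four example statements above can be checked by hand: the `u1`/`u2`/`u3` indices select the source (or old), target (or new) and process contexts in that order, `eq`/`neq` compare components or test membership in an identifier set, and `dom`/`domby`/`incomp` implement MLS dominance (higher-or-equal sensitivity and a superset of categories). Everything it assumes is its own: the `check`/`evaluate` function names, a sensitivity order of `s0 < s1 < s2`, context strings of the form `user:role:type:low-high`, and all sample contexts; category ranges such as `c0.c3` are not expanded and role dominance is not modelled.

```python
"""Added example (not from the CIL reference guide or the SELinux project):
evaluate the expression of a constrain, validatetrans, mlsconstrain or
mlsvalidatetrans statement against concrete security contexts. The
sensitivity order and all context strings are constructed for the demo;
category ranges such as c0.c3 are not expanded."""
import re

SENS_ORDER = {"s0": 0, "s1": 1, "s2": 2}      # assumed (sensitivityorder (s0 s1 s2))
OPERAND = re.compile(r"^([urtlh])([123])$")  # u1 r2 t3 l1 h2: component + context index
ARITY = {"constrain": 2, "mlsconstrain": 2, "validatetrans": 3, "mlsvalidatetrans": 3}


def parse_level(text):
    """'s1:c0,c2' -> (1, {'c0', 'c2'}); 's0' -> (0, set())."""
    sens, _, cats = text.partition(":")
    return SENS_ORDER[sens], frozenset(c for c in cats.split(",") if c)


def parse_context(ctx):
    """'user:role:type[:low[-high]]' -> dict keyed u, r, t, l, h (high defaults to low)."""
    user, role, type_, *rest = ctx.split(":", 3)
    low, _, high = (rest[0] if rest else "s0").partition("-")
    return {"u": user, "r": role, "t": type_,
            "l": parse_level(low), "h": parse_level(high or low)}


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def compare(op, left, right):
    """eq/neq apply to any component; dom/domby/incomp only to MLS levels here."""
    if op == "eq":
        return left == right
    if op == "neq":
        return left != right
    if not isinstance(left, tuple):
        raise ValueError(op + " is only modelled for MLS levels (not role dominance)")
    if op == "dom":
        return dominates(left, right)
    if op == "domby":
        return dominates(right, left)
    if op == "incomp":
        return not (dominates(left, right) or dominates(right, left))
    raise ValueError("unknown operator " + op)


def parse_sexpr(text):
    """Turn a CIL statement into nested lists of tokens."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0

    def read():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(read())
        pos += 1                         # consume the closing ')'
        return items
    return read()


def evaluate(expr, contexts):
    """contexts[0] holds the *1 (source/old), [1] the *2 (target/new), [2] the *3 (process) components."""
    head = expr[0]
    if head == "not":
        return not evaluate(expr[1], contexts)
    if head in ("and", "or"):
        a, b = evaluate(expr[1], contexts), evaluate(expr[2], contexts)
        return (a and b) if head == "and" else (a or b)
    op, lhs, rhs = expr
    attr, idx = OPERAND.match(lhs).groups()
    left = contexts[int(idx) - 1][attr]
    if isinstance(rhs, list):            # (eq t1 (type_a type_b)): membership in the set
        return (left in rhs) if op == "eq" else (left not in rhs)
    m = OPERAND.match(rhs)
    if m is None:                        # (eq u1 some_user): compare with a literal identifier
        return compare(op, left, rhs)
    return compare(op, left, contexts[int(m.group(2)) - 1][m.group(1)])


def check(statement, *context_strings):
    """True if the statement's expression holds for the given (source, target[, process])."""
    keyword, _target, expr = parse_sexpr(statement)
    if len(context_strings) != ARITY[keyword]:
        raise ValueError("%s takes %d contexts" % (keyword, ARITY[keyword]))
    return evaluate(expr, [parse_context(c) for c in context_strings])


# The statements from the examples above, written on one line each.
WRITE = ("(constrain (file (write)) (or (and (eq t1 unconfined.process)"
         " (eq t2 unconfined.object)) (eq r1 r2)))")
READ = ("(constrain (file (read)) (not (or (and (eq t1 unconfined.process)"
        " (eq t2 unconfined.object)) (eq r1 r2))))")
OPEN = "(mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))"
RELABEL = "(mlsvalidatetrans file (domby l1 h2))"

if __name__ == "__main__":
    proc = "unconfined.user:unconfined.role:unconfined.process:s0"   # constructed contexts
    obj = "unconfined.user:object.role:unconfined.object:s0"
    print(check(WRITE, proc, obj), check(READ, proc, obj))                        # True False
    print(check(OPEN, "u:r:t:s1:c0,c2", "u:r:t:s1:c2,c0"))                        # True
    print(check(RELABEL, "u:r:t:s0", "u:r:t:s1:c0-s2:c0,c1", "u:r:t:s2:c0,c1"))   # True
```

Running it shows why the page's `read` example is the complement of the `write` one (the same contexts that satisfy `WRITE` fail `READ`), that level equality ignores category order, and that `(domby l1 h2)` passes whenever the old low level is dominated by the new high level. Passing the wrong number of contexts for the statement kind raises `ValueError`, which catches the common mistake of evaluating a `validatetrans` rule with only two contexts.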