Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




2.11. TE Rules - Constraints

These rules are defined in $SELINUX_SRC/constraints, and provide final and overarching constraints on the use of permissions that are enforced during runtime by the kernel security server. The constraints are in the form of Boolean expressions. The expression must be satisfied for the given permission to be granted.

For example, the following constraint pertains to a process transition. It says that when a transition takes place, the user identity on the process must remain the same through the transition. If httpd_t tries to transition to httpd_suexec_t, the user identity user_u must remain the same. The exception is if the source domain has the attribute privuser. It then has the privilege to change user identity:

constrain process transition ( u1 == u2 or t1 == privuser );

A constraint can make a restriction for the source and target based on type, role, or user identity. This is different from the other rule types. TE rules use only types, while role allow rules use a pair of roles.

This is from the constraints file and further explains syntax and constraints in the targeted policy:

# Define the constraints
# constrain class_set perm_set expression ;
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
# names : name | { name_list }
# name_list : name | name_list name#		

# Restrict the ability to transition to other users
# or roles to a few privileged types.

constrain process transition
	( u1 == u2 or t1 == privuser );

constrain process transition 
	( r1 == r2 or t1 == privrole );

# Restrict the ability to label objects with other
# user identities to a few privileged types.

constrain dir_file_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == privowner );

constrain socket_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == privowner );

  Published under the terms of the GNU General Public License Design by Interspire