# Copyright (c) 1999 The University of Utah and the Flux Group.
# All rights reserved.
# 
# Contributed by the Computer Security Research division,
# INFOSEC Research and Technology Office, NSA.
# 
# This file is part of the Flux OSKit.  The OSKit is free software, also known
# as "open source;" you can redistribute it and/or modify it under the terms
# of the GNU General Public License (GPL), version 2, as published by the Free
# Software Foundation (FSF).  To explore alternate licensing terms, contact
# the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271.
# 
# The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GPL for more details.  You should have
# received a copy of the GPL along with the OSKit; see the file COPYING.  If
# not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA.

#
# Define m4 macros for the constraints
#

define(`process_user_types', `{ kernel_t init_t login_t }')
define(`file_user_types', `{ init_t }')


#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | expression and expression
#	     | expression or expression
#	     | not expression
#	     | sameuser
#	     | source role rolename(s)
#	     | target role rolename(s)
#	     | role role_relationship
#	     | source type typename(s)
#	     | target type typename(s)
#
# role_relationship : dom | domby | eq | incomp

#
# Restrict the ability to transition to other user identities
# to a few privileged types.
#
constrain process transition ( sameuser or source type process_user_types );


#
# Restrict the ability to assign other user identities to objects
# and the ability to change the label of objects which have
# different user identities to a few privileged types.  
#

constrain file_class_set { create relabelto relabelfrom } ( sameuser or source type file_user_types );

constrain dir { create relabelto relabelfrom } ( sameuser or source type file_user_types );

constrain fd { create } ( sameuser or source type file_user_types );

constrain filesystem { relabelto relabelfrom } ( sameuser or source type file_user_types );
