2.11. TE Rules - Constraints

These rules are defined in $SELINUX_SRC/constraints, and provide final and overarching constraints on the use of permissions that are enforced during runtime by the kernel security server. The constraints are in the form of Boolean expressions. The expression must be satisfied for the given permission to be granted.

For example, the following constraint pertains to a process transition. It says that when a transition takes place, the user identity on the process must remain the same through the transition: if httpd_t tries to transition to httpd_suexec_t, the user identity user_u must remain the same. The exception is a source domain that has the attribute privuser, which then has the privilege to change the user identity:

constrain process transition ( u1 == u2 or t1 == privuser );

A constraint can restrict the source and target based on type, role, or user identity. This differs from the other rule types: TE rules use only types, while role allow rules use a pair of roles.

This is from the constraints file and further explains syntax and constraints in the targeted policy:

# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression ) 
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_op r2
#	     | t1 op t2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#
# op : == | != 
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#

constrain process transition
	( u1 == u2 or t1 == privuser );

constrain process transition 
	( r1 == r2 or t1 == privrole );

#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#

constrain dir_file_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == privowner );

constrain socket_class_set { create relabelto relabelfrom } 
	( u1 == u2 or t1 == privowner );
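As an added worked example (not code from this guide or from the SELinux policy sources), the following Python models how the security server evaluates these constraints: it parses rules written in the grammar quoted from the constraints file, then checks whether a source/target context pair satisfies every constraint that covers a given class and permission. The assignment of types to the privuser, privrole and privowner attributes, the expansion of dir_file_class_set and socket_class_set (m4 macros in the real policy), and the contexts themselves are constructed for the demo; which types actually carry those attributes depends on the policy you have loaded. The role operators dom, domby and incomp are not modelled.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data: which types carry which attributes. The attribute
# names come from the constraints file; the type assignments are assumed.
TYPE_ATTRIBUTES: Dict[str, Set[str]] = {
    "httpd_t": set(),
    "httpd_suexec_t": set(),
    "login_t": {"privuser", "privrole"},  # assumed privileged domain for the demo
}

# dir_file_class_set / socket_class_set are m4 macros in the policy source;
# expanded here by hand to a small, assumed subset of object classes.
CLASS_SETS: Dict[str, Set[str]] = {
    "dir_file_class_set": {"dir", "file"},
    "socket_class_set": {"tcp_socket", "udp_socket"},
}

Context = Tuple[str, str, str]  # (user, role, type)
VARS = ("u1", "u2", "r1", "r2", "t1", "t2")  # 1 = source context, 2 = target


def tokenize(text: str) -> List[str]:
    return re.findall(r"\(|\)|\{|\}|==|!=|[A-Za-z_][A-Za-z0-9_]*", text)


class Parser:
    """Recursive-descent parser for the 'constrain' grammar quoted above."""

    def __init__(self, tokens: List[str]):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse_set(self) -> Set[str]:
        """names : name | { name_list }, with the macro names above expanded."""
        if self.peek() != "{":
            name = self.take()
            return CLASS_SETS.get(name, {name})
        self.take("{")
        names = set()
        while self.peek() != "}":
            names.add(self.take())
        self.take("}")
        return names

    # Precedence: 'or' binds loosest, then 'and', then 'not', then parentheses.
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        lhs = self.take()
        if lhs not in VARS:
            raise SyntaxError(f"bad operand {lhs!r}")
        op = self.take()
        if op not in ("==", "!="):
            raise SyntaxError(f"bad operator {op!r}")
        if self.peek() in VARS:                      # u1 op u2, r1 op r2, t1 op t2
            return ("cmp", lhs, op, self.take())
        return ("cmp", lhs, op, self.parse_set())    # u1 op names, t1 op names, ...


def resolve(var: str, src: Context, tgt: Context) -> str:
    ctx = src if var[1] == "1" else tgt
    return ctx["urt".index(var[0])]


def evaluate(node, src: Context, tgt: Context) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], src, tgt) or evaluate(node[2], src, tgt)
    if kind == "and":
        return evaluate(node[1], src, tgt) and evaluate(node[2], src, tgt)
    if kind == "not":
        return not evaluate(node[1], src, tgt)
    _, lhs, op, rhs = node
    left = resolve(lhs, src, tgt)
    if isinstance(rhs, str):                         # variable against variable
        equal = left == resolve(rhs, src, tgt)
    else:                                            # variable against a name set; a type
        attrs = TYPE_ATTRIBUTES.get(left, set()) if lhs[0] == "t" else set()
        equal = left in rhs or bool(attrs & rhs)     # also matches attributes it carries
    return equal if op == "==" else not equal


def parse_constraint(rule: str):
    """constrain class_set perm_set expression ;  ->  (classes, perms, ast)"""
    p = Parser(tokenize(rule))
    p.take("constrain")
    classes, perms = p.parse_set(), p.parse_set()
    expr = p.parse_or()
    if p.peek() is not None:
        raise SyntaxError(f"trailing token {p.peek()!r}")
    return classes, perms, expr


def permitted(rules, src: Context, tgt: Context, obj_class: str, perm: str) -> bool:
    """Every constraint covering (class, perm) must hold; uncovered accesses pass
    this stage and are left to the ordinary TE allow rules."""
    return all(evaluate(expr, src, tgt)
               for classes, perms, expr in rules
               if obj_class in classes and perm in perms)


CONSTRAINTS = [parse_constraint(r) for r in (
    "constrain process transition ( u1 == u2 or t1 == privuser );",
    "constrain process transition ( r1 == r2 or t1 == privrole );",
    "constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == privowner );",
)]

if __name__ == "__main__":
    httpd = ("user_u", "system_r", "httpd_t")
    print(permitted(CONSTRAINTS, httpd, ("user_u", "system_r", "httpd_suexec_t"), "process", "transition"))
    print(permitted(CONSTRAINTS, httpd, ("root", "system_r", "httpd_suexec_t"), "process", "transition"))
```

Running it prints True for the httpd_t to httpd_suexec_t transition that keeps user_u, and False once the target context carries a different user, because httpd_t does not carry privuser in the constructed table; swapping the source type for login_t (assumed to carry privuser) makes the same transition pass. Note that a permission no constraint covers passes this stage unconditionally, which is why constraints are an overarching check on top of the TE allow rules rather than a replacement for them.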