# Copyright (c) 1999, 2000 The University of Utah and the Flux Group. # All rights reserved. # # Contributed by the Computer Security Research division, # INFOSEC Research and Technology Office, NSA. # # This file is part of the Flux OSKit. The OSKit is free software, also known # as "open source;" you can redistribute it and/or modify it under the terms # of the GNU General Public License (GPL), version 2, as published by the Free # Software Foundation (FSF). To explore alternate licensing terms, contact # the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271. # # The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GPL for more details. You should have # received a copy of the GPL along with the OSKit; see the file COPYING. If # not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA. # # Define m4 macros for the constraints # define(`process_user_types', `{ kernel_t init_t login_t }') define(`file_user_types', `{ init_t }') # # Define the constraints # # constrain class_set perm_set expression ; # # expression : ( expression ) # | expression and expression # | expression or expression # | not expression # | sameuser # | source role rolename(s) # | target role rolename(s) # | role role_relationship # | source type typename(s) # | target type typename(s) # # role_relationship : dom | domby | eq | incomp # # Restrict the ability to transition to other user identities # to a few privileged types. # constrain process transition ( (sameuser and role eq) or source type process_user_types ); # # Restrict the ability to assign other user identities to objects # and the ability to change the label of objects which have # different user identities to a few privileged types. # constrain file_class_set { create relabelto relabelfrom } ( sameuser or source type file_user_types ); constrain dir { create relabelto relabelfrom } ( sameuser or source type file_user_types ); constrain fd { create } ( sameuser or source type file_user_types ); constrain filesystem { relabelto relabelfrom } ( sameuser or source type file_user_types );