This repository has been archived by the owner on May 24, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 21
CilConstraints
Corey Garst edited this page Jun 9, 2014
·
1 revision
The constrain statements enables you to restrict specified permissions for specified object classes by defining constraints based on relationships between source and target security contexts.
'''Syntax:'''
(constrain classpermissionset expression)
'''Syntax Explanation:''' classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses. expression:: A boolean expression of the constraint.
The boolean expression syntax supports the following keywords:
- t1, r1, u1 - Source type, role, and user, respectively.
- t2, r2, u2 - Target type, role, and user, respectively.
'''Example:'''
(class file (read write execute entry_point))
(classpermissionset file_rw (file (read write)))
(type bin_t)
(type exec_t)
(constrain file_rw (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
; Using an anonymous classpermissionset
(constrain (file (read write)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))