

Constraints Configuration

This section describes the constraints configuration contained in the constraints file. This configuration defines additional restrictions on certain permissions. These restrictions are expressed as boolean expressions based on the relevant user identities, roles, and types.

Two constraints are defined for the process transition permission. The first constraint restricts the ability to transition to a different user identity to domains with the privuser type attribute. Only the crond and login domains need this attribute. The second constraint restricts the ability to transition to a different role to domains with the privrole type attribute. Only the crond and login domains and the domain for the newrole program need this attribute.

Two constraints are defined for creating and relabeling objects. The first constraint restricts the ability to create or relabel files with a different owner to domains with the privowner attribute. The second constraint restricts the ability to create or relabel sockets with a different owner to domains with the privowner attribute. The administrator domain and the logrotate_t domain have this attribute.
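
The four constraints described in the two paragraphs above can be modelled as boolean expressions over a source and a target security context. The following Python sketch is an added example, not part of the original policy or report; every type name except logrotate_t, and all user and role names, are assumed for illustration, and "owner" is modelled as the user identity in the object's context.

```python
from collections import namedtuple

Context = namedtuple("Context", "user role type")

# Type -> attributes. logrotate_t is named on the page; the other type
# names are assumed stand-ins for the domains the page describes.
ATTRS = {
    "crond_t": {"privuser", "privrole"},
    "local_login_t": {"privuser", "privrole"},
    "newrole_t": {"privrole"},
    "sysadm_t": {"privowner"},
    "logrotate_t": {"privowner"},
}

def has_attr(ctx, attr):
    return attr in ATTRS.get(ctx.type, set())

RELABEL = {"create", "relabelfrom", "relabelto"}

# (object class, permissions, boolean expression over source s, target t)
CONSTRAINTS = [
    ("process", {"transition"},   # different user needs privuser
     lambda s, t: s.user == t.user or has_attr(s, "privuser")),
    ("process", {"transition"},   # different role needs privrole
     lambda s, t: s.role == t.role or has_attr(s, "privrole")),
    ("file", RELABEL,             # different owner needs privowner
     lambda s, t: s.user == t.user or has_attr(s, "privowner")),
    ("socket", RELABEL,
     lambda s, t: s.user == t.user or has_attr(s, "privowner")),
]

def constraints_allow(source, target, tclass, perm):
    """True if every constraint covering (tclass, perm) holds.

    Constraints only restrict: a True result still requires a matching
    allow rule elsewhere in the policy, which this model does not cover.
    """
    return all(expr(source, target)
               for cls, perms, expr in CONSTRAINTS
               if cls == tclass and perm in perms)

if __name__ == "__main__":
    # Constructed sample contexts.
    login = Context("system_u", "system_r", "local_login_t")
    newrole = Context("alice", "user_r", "newrole_t")
    alice = Context("alice", "user_r", "user_t")
    bob = Context("bob", "user_r", "user_t")
    print(constraints_allow(login, alice, "process", "transition"))
    print(constraints_allow(newrole, bob, "process", "transition"))
```

The second call returns False because the assumed newrole_t domain carries privrole but not privuser, so it may change role but not user identity.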

