

Constraints configuration

Figure 11: Process transition constraints.

    constrain pr...
    ...r2 or
    t1 == privrole );

The constraints file defines additional constraints on permissions in the form of boolean expressions that must be satisfied in order for specified permissions to be granted. These constraints are used to further refine the type enforcement tables and role allow rules. Constraints may compare the user identity, role, or type of the source and target SIDs. Constraints may also compare the user identity, role, or type of either SID against a set of specified users, roles or types. Role comparisons may also be based on any dominance hierarchies defined in the RBAC configuration.

Sample constraints for changes in user identity and role for processes are shown in Figure 11. The first constraint requires that the user identity remain the same across an execve unless the process is in a type with the "privuser" attribute. u1 and u2 refer to the user identities of the source and target SIDs, respectively. t1 refers to the type of the source SID. The "privuser" attribute would typically be limited to the domain for login.

The second constraint requires that the role remain the same across an execve unless the process is in a type with the "privrole" attribute. r1 and r2 refer to the roles of the source and target SIDs, respectively. This constraint is in addition to the requirement that any role change be authorized by a role allow rule in the RBAC configuration. The "privrole" attribute would typically be limited to the domain for login. It might also be associated with the domain for a newrole program to allow users to change roles within a session.
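
The following Python model is an added example, not part of the original policy or its documentation. It evaluates the two constraints described above together with the role allow check; the contexts, type names, attribute assignments and role allow pairs are constructed for illustration, and type enforcement rules are not modelled.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str

# Constructed sample: attributes attached to each type (domain).
TYPE_ATTRS = {
    "login_t": {"privuser", "privrole"},
    "newrole_t": {"privrole"},
    "user_t": set(),
}

# Constructed sample: role changes authorized by role allow rules.
ROLE_ALLOW = {("system_r", "user_r"), ("user_r", "sysadm_r")}

def has_attr(type_name, attr):
    # Unknown types carry no attributes, so they never gain a privilege.
    return attr in TYPE_ATTRS.get(type_name, set())

def user_constraint(src, tgt):
    # u1 equals u2, or t1 has the privuser attribute.
    return src.user == tgt.user or has_attr(src.type, "privuser")

def role_constraint(src, tgt):
    # r1 equals r2, or t1 has the privrole attribute.
    return src.role == tgt.role or has_attr(src.type, "privrole")

def role_allowed(src, tgt):
    # Separate RBAC requirement: a role change needs a role allow rule.
    return src.role == tgt.role or (src.role, tgt.role) in ROLE_ALLOW

def check_transition(src, tgt):
    """Return (granted, failed_checks) for an execve from src to tgt."""
    failed = []
    if not user_constraint(src, tgt):
        failed.append("user constraint")
    if not role_constraint(src, tgt):
        failed.append("role constraint")
    if not role_allowed(src, tgt):
        failed.append("role allow")
    return (not failed, failed)

if __name__ == "__main__":
    shell = Context("alice", "user_r", "user_t")
    admin = Context("alice", "sysadm_r", "sysadm_t")
    print(check_transition(shell, admin))  # blocked by the role constraint
```

The role allow rule alone would let user_r become sysadm_r from any domain; the constraint narrows that to domains carrying the privrole attribute.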

