|
|
Constraints
- specify additional constraints on permissions in the form of boolean expressions that must be satisfied in order for the specified permissions to be granted
- boolean expressions can be based on the user identity, role or type attributes
constrain process transition ( u1 == u2 or t1 == privuser );
constrain process transition ( r1 == r2 or t1 == privrole );
constrain dir_file_class_set { create relabelto relabelfrom } ( u1 == u2 or t1 == privowner );
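An added example, not part of the original slides: a simplified Python evaluator showing how the process transition constraints above are decided for a source context (u1, r1, t1) and a target context (u2, r2, t2). The type-to-attribute map, the sample contexts and all function names are assumptions made for illustration; only flat `==`/`!=` terms joined by `and`/`or` are handled.

```python
import re
from collections import namedtuple

Context = namedtuple("Context", "user role type")
FIELD = {"u": "user", "r": "role", "t": "type"}

# Constructed type -> attribute map for illustration; not taken from a real policy.
SAMPLE_ATTRS = {"newrole_t": {"privuser", "privrole"}, "user_t": set()}

def parse_context(text):
    """Split 'user:role:type' into its three fields."""
    return Context(*text.split(":"))

def resolve(name, src, tgt):
    """u1/r1/t1 read the source context, u2/r2/t2 the target; other names give None."""
    m = re.fullmatch(r"([urt])([12])", name)
    if not m:
        return None
    return getattr(src if m.group(2) == "1" else tgt, FIELD[m.group(1)])

def term(lhs, op, rhs, src, tgt, attrs):
    """Evaluate one comparison such as 'u1 == u2' or 't1 == privuser'."""
    left, right = resolve(lhs, src, tgt), resolve(rhs, src, tgt)
    if left is None or op not in ("==", "!="):
        raise ValueError(f"unsupported term: {lhs} {op} {rhs}")
    if right is not None:
        equal = left == right
    elif lhs[0] == "t":
        # A name compared with a type matches the type itself or one of its attributes.
        equal = rhs == left or rhs in attrs.get(left, set())
    else:
        equal = left == rhs
    return equal if op == "==" else not equal

def constraint_holds(expr, src, tgt, attrs=SAMPLE_ATTRS):
    """Evaluate a flat expression; 'and' binds tighter than 'or', no nesting or 'not'."""
    body = expr.strip(" ();")
    return any(
        all(term(*t.split(), src, tgt, attrs) for t in conj.split(" and "))
        for conj in body.split(" or ")
    )

# Boolean expressions copied from the two process transition constraints above.
USER_RULE = "( u1 == u2 or t1 == privuser );"
ROLE_RULE = "( r1 == r2 or t1 == privrole );"
```

A transition that changes the user identity or role passes only when the source type carries the matching attribute; the constraint is checked in addition to the policy's other rules, so passing it does not grant the permission by itself.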
|