From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 4 Mar 2015 13:36:43 -0500
Subject: [refpolicy] [RFC] constraint change
Message-ID: <54F750BB.6010005@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I was looking at the constraints, and I saw this one which has been
around forever (along with a similar one for sockets):

    constrain dir_file_class_set { create relabelto relabelfrom }
    (
        u1 == u2
        or t1 == can_change_object_identity
    );

Which has the idea that you can only create and relabelto/from files
that match your seuser. I was thinking that the intent might be clearer
if we combine with a validatetrans:

    constrain dir_file_class_set { create relabelfrom }
    (
        u1 == u2
        or t1 == can_change_object_identity
    );

    validatetrans dir_file_class_set
    (
        u1 == u2
        or t3 == can_change_object_identity
    );

Thoughts?

(on a side note I think it would be even clearer if language syntax
permitted the validatetrans to have u1 == u3, but I suspect it requires
a kernel change)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
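
An added example, not part of the original message or of refpolicy: a small Python model that compares the existing constraint with the proposed constrain/validatetrans pair for every combination of process user, old file user and new file user. It models only the user-identity terms (type enforcement allow rules are ignored) and assumes a relabel is checked as relabelfrom against the old label, relabelto against the new label, then validatetrans; the function names and sample users are constructed, and `priv` stands for the process type being in can_change_object_identity.

```python
from itertools import product

USERS = ("user_u", "staff_u", "system_u")  # constructed sample SELinux users

def old_constrain(perm, u1, u2, priv):
    """Existing rule: create, relabelto and relabelfrom all compare the
    process user (u1) with the object user (u2)."""
    if perm in ("create", "relabelto", "relabelfrom"):
        return u1 == u2 or priv
    return True

def new_constrain(perm, u1, u2, priv):
    """Proposed rule: relabelto is no longer covered by the constrain."""
    if perm in ("create", "relabelfrom"):
        return u1 == u2 or priv
    return True

def new_validatetrans(old_u, new_u, priv):
    """Proposed validatetrans: u1 is the old object user, u2 the new
    object user, and t3 (modelled by priv) is the process type."""
    return old_u == new_u or priv

def relabel_old(proc_u, old_u, new_u, priv):
    # relabelfrom is checked against the old label, relabelto against the new.
    return (old_constrain("relabelfrom", proc_u, old_u, priv)
            and old_constrain("relabelto", proc_u, new_u, priv))

def relabel_new(proc_u, old_u, new_u, priv):
    # Same two permission checks, plus the transition validation.
    return (new_constrain("relabelfrom", proc_u, old_u, priv)
            and new_constrain("relabelto", proc_u, new_u, priv)
            and new_validatetrans(old_u, new_u, priv))

def relabel_differences():
    """Return every case where the two rule sets decide differently."""
    return [case for case in product(USERS, USERS, USERS, (False, True))
            if relabel_old(*case) != relabel_new(*case)]

if __name__ == "__main__":
    print("differing relabel decisions:", relabel_differences())
```

Under these assumptions the list of differences is empty: for an unprivileged process, relabelfrom pins the process user to the old file user and validatetrans pins the old file user to the new one, which together give the same result as the existing relabelto check.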