Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

```secil
    (constrain classpermissionset_id ... expression | expr ...)
```

**Where:**

constrain

The constrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id | (user_id ...))

(op u2 user_id | (user_id ...))

(op r1 role_id | (role_id ...))

(op r2 role_id | (role_id ...))

(op t1 type_id | (type_id ...))

(op t2 type_id | (type_id ...))

where:

u1, r1, t1 = Source context: user, role or type

u2, r2, t2 = Target context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's; the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Examples:** Two constrain statements are shown with their equivalent kernel policy language statements:

```secil
;; constrain { file } { write }
;;     (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
(constrain (file (write))
    (or (and
            (eq t1 unconfined.process)
            (eq t2 unconfined.object)
        )
        (eq r1 r2)
    )
)

;; constrain { file } { read }
;;     (not( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
(constrain (file (read))
    (not (or (and
                 (eq t1 unconfined.process)
                 (eq t2 unconfined.object)
             )
             (eq r1 r2)
         )
    )
)
```

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

```secil
    (validatetrans class_id expression | expr ...)
```

**Where:**

validatetrans

The validatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(role_op r1 r2)

(op t1 t2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1 = Old context: user, role or type

u2, r2, t2 = New context: user, role or type

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's; the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** A validate transition statement with the equivalent kernel policy language statement:

```secil
; validatetrans { file } ( t1 == unconfined.process );
(validatetrans file (eq t1 unconfined.process))
```

mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

```secil
    (mlsconstrain classpermissionset_id ... expression | expr ...)
```

**Where:**

mlsconstrain

The mlsconstrain keyword.

classpermissionset_id

A single named or anonymous classpermissionset or a single set of classmap/classmapping identifiers.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op r1 role_id)

(op r2 role_id)

(op t1 type_id)

(op t2 type_id)

where:

u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's; the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** An MLS constrain statement with the equivalent kernel policy language statement:

```secil
;; mlsconstrain { file } { open }
;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));
(mlsconstrain (file (open))
    (or (and
            (eq l1 l2)
            (eq u1 u2)
        )
        (neq r1 r2)
    )
)
```

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

```secil
    (mlsvalidatetrans class_id expression | expr ...)
```

**Where:**

mlsvalidatetrans

The mlsvalidatetrans keyword.

class_id

A single previously declared class or classmap identifier.

expression

There must be one constraint expression or one or more expr's. The expression consists of an operator and two operands as follows:

(op u1 u2)

(mls_role_op r1 r2)

(op t1 t2)

(mls_role_op l1 l2)

(mls_role_op l1 h2)

(mls_role_op h1 l2)

(mls_role_op h1 h2)

(mls_role_op l1 h1)

(mls_role_op l2 h2)

(op u1 user_id)

(op u2 user_id)

(op u3 user_id)

(op r1 role_id)

(op r2 role_id)

(op r3 role_id)

(op t1 type_id)

(op t2 type_id)

(op t3 type_id)

where:

u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level

u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level

u3, r3, t3 = Process context: user, role or type

and:

op : eq neq

mls_role_op : eq neq dom domby incomp

user_id : A single user or userattribute identifier.

role_id : A single role or roleattribute identifier.

type_id : A single type, typealias or typeattribute identifier.

expr

Zero or more expr's; the valid operators and syntax are:

(and expression expression)

(or expression expression)

(not expression)

**Example:** An MLS validate transition statement with the equivalent kernel policy language statement:

```secil
;; mlsvalidatetrans { file } ( l1 domby h2 );
(mlsvalidatetrans file (domby l1 h2))
```
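As an added example that is not part of this reference or of the SELinux project's code, the following Python evaluator parses the constraint expressions shown above for `constrain`, `mlsconstrain`, `validatetrans` and `mlsvalidatetrans` and decides them against constructed contexts (source/target, or old/new/process). It assumes its own s-expression parser, a tuple representation of contexts and MLS levels, and that identifiers are plain names (attributes are not expanded and `dom`/`domby`/`incomp` are modelled for MLS levels only).

```python
import re

def parse(text):
    """Parse a CIL s-expression into nested lists of strings (this example's own parser)."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1
    return read(0)[0]

def dominates(a, b):
    """MLS level a = (sensitivity, frozenset of categories) dominates level b."""
    if not isinstance(a, tuple) or not isinstance(b, tuple):
        raise ValueError("dom/domby/incomp are modelled for MLS levels only here")
    return a[0] >= b[0] and a[1] >= b[1]      # higher sensitivity and a category superset

OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "dom": dominates,
    "domby": lambda a, b: dominates(b, a),
    "incomp": lambda a, b: not dominates(a, b) and not dominates(b, a),
}

def evaluate(expr, ctx):
    """Evaluate an expression against ctx, a dict of u1/r1/t1/l1/h1, u2/..., u3/... values."""
    op = expr[0]
    if op == "and":
        return evaluate(expr[1], ctx) and evaluate(expr[2], ctx)
    if op == "or":
        return evaluate(expr[1], ctx) or evaluate(expr[2], ctx)
    if op == "not":
        return not evaluate(expr[1], ctx)
    left, right = ctx[expr[1]], expr[2]
    if isinstance(right, list):               # (op u1 (user_a user_b)): set membership
        return (left in right) == (op == "eq")
    if right in ctx:                          # both operands are context components
        return OPS[op](left, ctx[right])
    return OPS[op](left, right)               # right-hand side is a literal identifier

def bind(*contexts):
    """Number (user, role, type[, low, high]) tuples 1, 2, 3 into the u1/r1/t1/l1/h1 keys."""
    return {f"{k}{i}": v for i, c in enumerate(contexts, 1)
            for k, v in zip("urtlh", c) if v is not None}

def check(statement, *contexts):
    """True when the constraint expression (the statement's last element) is satisfied."""
    return evaluate(parse(statement)[-1], bind(*contexts))
```

For `validatetrans` and `mlsvalidatetrans`, pass the old, new and process contexts in that order so that the `u3`/`r3`/`t3` components bind to the process.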