Constraint Statements
=====================

constrain
---------

Enable constraints to be placed on the specified permissions of the object class based on the source and target security context components. Constraints are evaluated in addition to the `allow` rules: a permission is granted only if an `allow` rule permits it and every `constrain` statement covering that class and permission evaluates to true, so a constraint can only withdraw access, never grant it.

**Statement definition:**

```secil
    (constrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id | (user_id ...))</code></p>
<p><code>    (op u2 user_id | (user_id ...))</code></p>
<p><code>    (op r1 role_id | (role_id ...))</code></p>
<p><code>    (op r2 role_id | (role_id ...))</code></p>
<p><code>    (op t1 type_id | (type_id ...))</code></p>
<p><code>    (op t2 type_id | (type_id ...))</code></p>
<p>where:</p>
<p><code>    u1, r1, t1 = Source context: user, role or type</code></p>
<p><code>    u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements. In the kernel policy language `not` binds more tightly than `and` and `or`, so the second statement, which negates the whole `or` expression, needs explicit parentheses around that expression; written as `not ( t1 == ... ) and ...` it would negate only the first comparison.

```secil
    ;; constrain { file } { write }
    ;;     (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;;     not ((( t1 == unconfined.process ) and ( t2 == unconfined.object )) or ( r1 eq r2 ));
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )
```
validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is used for `file` related object classes, where it controls whether an object's security context may be changed, based on the old context, the new context and the security context of the process requesting the change. Like `constrain`, it can only refuse a relabel that the `allow` rules would otherwise permit.

**Statement definition:**

```secil
    (validatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1 = Old context: user, role or type</code></p>
<p><code>    u2, r2, t2 = New context: user, role or type</code></p>
<p><code>    u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement; `t1` is the type of the object's old context, so this statement only permits relabelling objects that currently carry the `unconfined.process` type:

```secil
    ;; validatetrans { file } ( t1 == unconfined.process );

    (validatetrans file (eq t1 unconfined.process))
```
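The evaluation described by the `constrain` and `validatetrans` tables above, as an added example that is not part of the CIL reference or of the SELinux userspace: a small Python evaluator that parses this page's own statements and applies them to constructed security contexts. The `Context` class, the attribute table and the sample contexts are assumptions made for the example. It implements only `eq` and `neq`, including the set and attribute forms of the right-hand operand, and not the role dominance operators (`dom`, `domby`, `incomp`), which the statements on this page do not use.

```python
# Added example: an evaluator for CIL constrain / validatetrans expressions.
# Not part of the CIL reference or of the SELinux userspace; Context, the
# attribute table and the sample contexts below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A user:role:type security context (MLS levels are not modelled here)."""
    user: str
    role: str
    type: str


def parse(src):
    """Parse CIL s-expression text (';' comments allowed) into nested lists of tokens."""
    code = "\n".join(line.split(";", 1)[0] for line in src.splitlines())
    tokens = code.replace("(", " ( ").replace(")", " ) ").split()

    def read(pos):
        tok = tokens[pos]
        if tok == "(":
            items, pos = [], pos + 1
            while tokens[pos] != ")":
                item, pos = read(pos)
                items.append(item)
            return items, pos + 1
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok, pos + 1

    expr, end = read(0)
    if end != len(tokens):
        raise SyntaxError("trailing tokens after the statement")
    return expr


FIELDS = {"u": "user", "r": "role", "t": "type"}


def _is_var(tok):
    """u1, r2, t3 ...: a component of context 1 (source/old), 2 (target/new) or 3 (process)."""
    return isinstance(tok, str) and len(tok) == 2 and tok[0] in FIELDS and tok[1] in "123"


def _value(var, contexts):
    ctx = contexts.get(var[1])
    if ctx is None:
        raise ValueError(f"operand {var} refers to a context this statement type does not have")
    return getattr(ctx, FIELDS[var[0]])


def evaluate(expr, contexts, attributes=None):
    """Evaluate a parsed constraint expression against the numbered contexts.

    `attributes` maps a type/role/user attribute name to the identifiers it
    expands to; any other identifier stands for itself.  Only eq/neq are
    implemented; dom/domby/incomp on roles raise NotImplementedError.
    """
    attributes = attributes or {}
    op = expr[0]
    if op == "and":
        return all(evaluate(e, contexts, attributes) for e in expr[1:])
    if op == "or":
        return any(evaluate(e, contexts, attributes) for e in expr[1:])
    if op == "not":
        return not evaluate(expr[1], contexts, attributes)
    if op not in ("eq", "neq") or not _is_var(expr[1]):
        raise NotImplementedError(f"unsupported comparison {expr!r}")
    left, right = _value(expr[1], contexts), expr[2]
    if _is_var(right):                      # (eq t1 t2): compare two context components
        match = left == _value(right, contexts)
    else:                                   # (eq t1 id) / (eq t1 (id ...)): set membership
        names = right if isinstance(right, list) else [right]
        match = left in set().union(*(attributes.get(n, {n}) for n in names))
    return match if op == "eq" else not match


def constraint_satisfied(statement, source, target, attributes=None):
    """True when a (constrain ...) expression holds for source/target.  The kernel
    grants a permission only if an allow rule permits it AND every constraint
    covering that class/permission evaluates true."""
    stmt = parse(statement)
    if stmt[0] != "constrain":
        raise ValueError("expected a constrain statement")
    return evaluate(stmt[-1], {"1": source, "2": target}, attributes)


def transition_valid(statement, old, new, process, attributes=None):
    """True when a (validatetrans ...) expression allows relabelling an object
    from `old` to `new` by a process running in `process`."""
    stmt = parse(statement)
    if stmt[0] != "validatetrans":
        raise ValueError("expected a validatetrans statement")
    return evaluate(stmt[-1], {"1": old, "2": new, "3": process}, attributes)


# The page's statements, unchanged apart from layout.
WRITE_CONSTRAIN = """
(constrain (file (write))
    (or (and (eq t1 unconfined.process) (eq t2 unconfined.object)) (eq r1 r2)))
"""
READ_CONSTRAIN = """
(constrain (file (read))
    (not (or (and (eq t1 unconfined.process) (eq t2 unconfined.object)) (eq r1 r2))))
"""
FILE_VALIDATETRANS = "(validatetrans file (eq t1 unconfined.process))"

# Constructed sample contexts (not from the page).
UNCONFINED_PROC = Context("unconfined.user", "unconfined.role", "unconfined.process")
UNCONFINED_OBJ = Context("unconfined.user", "unconfined.role", "unconfined.object")
SYSTEM_PROC = Context("system.user", "system.role", "system.process")
SYSTEM_OBJ = Context("system.user", "system.role", "system.object")

if __name__ == "__main__":
    for src, tgt in [(UNCONFINED_PROC, UNCONFINED_OBJ), (SYSTEM_PROC, UNCONFINED_OBJ), (SYSTEM_PROC, SYSTEM_OBJ)]:
        print(src.type, "->", tgt.type,
              "write:", constraint_satisfied(WRITE_CONSTRAIN, src, tgt),
              "read:", constraint_satisfied(READ_CONSTRAIN, src, tgt))
```

Running it shows the point of the second statement: the `read` constraint is exactly the negation of the `write` one, so a source/target pair that satisfies one always fails the other. Passing an `attributes` mapping such as `{"domain": {"unconfined.process", "system.process"}}` lets `(eq t1 domain)` behave as it does with a `typeattribute`.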
mlsconstrain
------------

Enable MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components. In addition to the user, role and type operands of `constrain`, the expression may compare the low (`l1`, `l2`) and high (`h1`, `h2`) levels of the source and target ranges; `dom`, `domby` and `incomp` compare levels by sensitivity and category set. MLS constraints are only evaluated when the policy is built with MLS/MCS support.

**Statement definition:**

```secil
    (mlsconstrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code>    u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    mls_role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement (in the kernel policy language `and` binds more tightly than `or`, so the comment reads as `(A and B) or C`, matching the CIL nesting):

```secil
    ;; mlsconstrain { file } { open }
    ;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )
```
mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is used for `file` related object classes, where it controls whether an object's security context may be changed, based on the old context, the new context and the security context of the process requesting the change. It is the MLS form of `validatetrans`: the old and new contexts additionally expose their low and high levels.

**Statement definition:**

```secil
    (mlsvalidatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code>    (op u1 u2)</code></p>
<p><code>    (mls_role_op r1 r2)</code></p>
<p><code>    (op t1 t2)</code></p>
<p><code>    (mls_role_op l1 l2)</code></p>
<p><code>    (mls_role_op l1 h2)</code></p>
<p><code>    (mls_role_op h1 l2)</code></p>
<p><code>    (mls_role_op h1 h2)</code></p>
<p><code>    (mls_role_op l1 h1)</code></p>
<p><code>    (mls_role_op l2 h2)</code></p>
<p><code>    (op u1 user_id)</code></p>
<p><code>    (op u2 user_id)</code></p>
<p><code>    (op u3 user_id)</code></p>
<p><code>    (op r1 role_id)</code></p>
<p><code>    (op r2 role_id)</code></p>
<p><code>    (op r3 role_id)</code></p>
<p><code>    (op t1 type_id)</code></p>
<p><code>    (op t2 type_id)</code></p>
<p><code>    (op t3 type_id)</code></p>
<p>where:</p>
<p><code>    u1, r1, t1, l1, h1 = Old context: user, role, type, low level or high level</code></p>
<p><code>    u2, r2, t2, l2, h2 = New context: user, role, type, low level or high level</code></p>
<p><code>    u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code>    op : eq neq</code></p>
<p><code>    mls_role_op : eq neq dom domby incomp</code></p>
<p><code>    user_id : A single user or userattribute identifier.</code></p>
<p><code>    role_id : A single role or roleattribute identifier.</code></p>
<p><code>    type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and expression expression)</code></p>
<p><code>    (or expression expression)</code></p>
<p><code>    (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement; it permits the relabel only if the old context's low level is dominated by the new context's high level:

```secil
    ;; mlsvalidatetrans { file } ( l1 domby h2 );

    (mlsvalidatetrans file (domby l1 h2))
```
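The level comparisons used by `mlsconstrain` and `mlsvalidatetrans`, as an added example that is not part of the CIL reference or of the SELinux userspace: a `Level` value holding a sensitivity index and a category set, the `eq`/`neq`/`dom`/`domby`/`incomp` operators over it, and this page's two MLS statements applied to constructed contexts. The `s1:c0.c3` level notation parsed here is the standard SELinux MLS context syntax; the `MlsContext` class, the sample users, roles and types and the contexts built from them are assumptions made for the example.

```python
# Added example: the MLS level lattice behind mlsconstrain / mlsvalidatetrans.
# Not part of the CIL reference; Level, MlsContext and the sample contexts are
# constructed for illustration.
import re
from dataclasses import dataclass

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (its index in sensitivityorder) plus a category set."""
    sensitivity: int
    categories: frozenset


def parse_level(text):
    """Parse 's1:c0.c3,c7' style notation; 'c0.c3' is the inclusive range c0..c3."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad level: {text!r}")
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        if "." in part:
            lo, hi = (int(x[1:]) for x in part.split("."))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return Level(int(m.group(1)), frozenset(cats))


def dominates(a, b):
    """a dom b: a's sensitivity is at least b's and a's categories include all of b's."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


def mls_op(op, a, b):
    """The level operators of the constraint language applied to two Levels."""
    if op == "eq":
        return a == b
    if op == "neq":
        return a != b
    if op == "dom":
        return dominates(a, b)
    if op == "domby":
        return dominates(b, a)
    if op == "incomp":            # neither level dominates the other
        return not dominates(a, b) and not dominates(b, a)
    raise ValueError(f"unknown MLS operator {op!r}")


@dataclass(frozen=True)
class MlsContext:
    """user:role:type:low-high; `low` is l and `high` is h in constraint expressions."""
    user: str
    role: str
    type: str
    low: Level
    high: Level

    @classmethod
    def parse(cls, text):
        user, role, type_, rng = text.split(":", 3)
        lo, _, hi = rng.partition("-")
        low = parse_level(lo)
        high = parse_level(hi) if hi else low      # a single level means low == high
        if not dominates(high, low):
            raise ValueError("high level must dominate low level")
        return cls(user, role, type_, low, high)


def file_open_allowed(src, tgt):
    """The page's mlsconstrain example for (file (open)):
    (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2))."""
    return (mls_op("eq", src.low, tgt.low) and src.user == tgt.user) or src.role != tgt.role


def file_relabel_valid(old, new):
    """The page's mlsvalidatetrans example for file: (domby l1 h2), i.e. the old
    context's low level must be dominated by the new context's high level."""
    return mls_op("domby", old.low, new.high)


# Constructed sample contexts (not from the page).
STAFF_S0 = MlsContext.parse("staff_u:staff_r:staff_t:s0")
STAFF_S1 = MlsContext.parse("staff_u:staff_r:staff_t:s1:c0.c3")
FILE_S0 = MlsContext.parse("staff_u:object_r:user_home_t:s0")
FILE_S1_RANGE = MlsContext.parse("staff_u:object_r:user_home_t:s0-s1:c0.c3")
FILE_S1_C5 = MlsContext.parse("staff_u:object_r:user_home_t:s1:c5")

if __name__ == "__main__":
    print("s1:c0.c3 dom s1:c1,c2:", mls_op("dom", parse_level("s1:c0.c3"), parse_level("s1:c1,c2")))
    print("s1:c0 incomp s1:c1   :", mls_op("incomp", parse_level("s1:c0"), parse_level("s1:c1")))
    print("open  staff s0 -> file s0      :", file_open_allowed(STAFF_S0, FILE_S0))
    print("open  staff s1 -> staff s0     :", file_open_allowed(STAFF_S1, STAFF_S0))
    print("relabel file s0 -> s0-s1:c0.c3 :", file_relabel_valid(FILE_S0, FILE_S1_RANGE))
    print("relabel file s1:c5 -> s0-s1:c0.c3 :", file_relabel_valid(FILE_S1_C5, FILE_S1_RANGE))
```

Two details worth noticing when the block runs: a higher sensitivity alone does not dominate a level that carries categories the higher one lacks (`s1` and `s0:c0` are incomparable), and the page's `open` constraint is satisfied whenever the roles differ, so it only bites when a subject opens a file at a different level within its own role.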