| # Use `role_transition` and `allow` statements to affect role. Computation |
| # should be: |
| # (source_u:source_r:source_t:s0:c0-s2:c0.c1, target_u:target_r:target_t:s1:c1) -> |
| # source_u:transition_r:target_t:s0:c0 |
| |
| type source_t; |
| type target_t; |
| |
| role source_r; |
| role source_r types { source_t }; |
| |
| role target_r; |
| role target_r types { target_t }; |
| |
| role transition_r; |
| # Note: `target_t` needed for computed context to be valid. |
| role transition_r types { target_t }; |
| |
| # Note: `transition_r` needed for computed context to be valid. |
| user source_u roles { source_r transition_r } level s0 range s0 - s2:c0.c2; |
| user target_u roles { target_r } level s0 range s0 - s2:c0.c2; |
| |
| # Define role transition: when source role is `source_r`, target (in this |
| # context, the parent directory) type is `target_t`, target class is `file`, new |
| # file role should be `transition_r`. |
| role_transition source_r target_t:file transition_r; |
| # Allow the above-mentioned role transition. |
| allow source_r transition_r; |
