CilConstraints - SELinuxProject/cil GitHub Wiki

CIL Constraints

Constrain

The constrain statement enables you to restrict specified permissions for specified object classes by defining constraints based on relationships between the source and target security contexts.

'''Syntax:'''

	(constrain classpermissionset expression)

'''Syntax Explanation:'''

classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.

expression:: A boolean expression of the constraint.

The boolean expression syntax supports the following keywords:

  • t1, r1, u1 - Source type, role, and user, respectively.
  • t2, r2, u2 - Target type, role, and user, respectively.

'''Example:'''

        (class file (read write execute entry_point))
        (classpermissionset file_rw (file (read write)))

        (type bin_t)
        (type exec_t)

        (constrain file_rw (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))

        ; Using an anonymous classpermissionset
        (constrain (file (read write)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
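As an added illustration (not code from the CIL project), the following Python evaluates the example constraint above against a source and target context, showing which context pairs would be refused the file_rw permissions; the parse/evaluate helpers and the context dict layout are assumptions of this example, and only the eq/neq/and/or/not operators and the t1/t2/r1/r2/u1/u2 keywords shown on this page are handled.

```python
import re

# Keyword -> (context side, field), following the page's keyword table.
KEYWORDS = {"u1": (0, "user"), "r1": (0, "role"), "t1": (0, "type"),
            "u2": (1, "user"), "r2": (1, "role"), "t2": (1, "type")}

def parse(text):
    """Parse the s-expression of a constrain statement into nested lists."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced constrain expression")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("unbalanced constrain expression")
    return stack[0][0]

def resolve(operand, src, tgt):
    """A keyword (t1, r2, ...) reads a context field; anything else is a literal."""
    if operand in KEYWORDS:
        side, field = KEYWORDS[operand]
        return (src, tgt)[side][field]
    return operand

def evaluate(expr, src, tgt):
    """True when the expression holds for (src, tgt), i.e. the constraint permits access."""
    op, *args = expr
    if op in ("eq", "neq"):
        left, right = (resolve(a, src, tgt) for a in args)
        return left == right if op == "eq" else left != right
    if op == "not":
        return not evaluate(args[0], src, tgt)
    if op == "and":
        return all(evaluate(a, src, tgt) for a in args)
    if op == "or":
        return any(evaluate(a, src, tgt) for a in args)
    raise ValueError(f"unknown operator {op!r}")

# The expression from the page's (constrain file_rw ...) example.
PAGE_EXPR = "(not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2)))"

def allowed(src, tgt, expr=PAGE_EXPR):
    """Would file read/write be permitted for this source/target pair?"""
    return evaluate(parse(expr), src, tgt)
```

A constrain rule denies the listed permissions whenever its expression evaluates false, so `allowed` returning False for a context pair is the access the page's example is designed to block.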
