On Thu, 2017-09-07 at 14:26 +0200, Dominick Grift wrote:
> I was just reminded of the fact that role and range transitions
> cannot be conditional in kernel policy.
>
> Is this technically impossible? Why can type transitions be
> conditional in kernel policy but not role and range transitions?

It isn't a fundamental restriction, but the conditional policy implementation was done entirely in terms of TE policy due to its original use case and only (conditional) avtab entries can currently be enabled/disabled based on boolean states. So it should be possible to implement conditional policy support for other kinds of transitions, but not trivial.
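As an added illustration, not part of the thread: a constructed refpolicy-style fragment showing the distinction the reply describes. The type transition and its allow rules are avtab entries and can live inside a boolean block; the role and range transitions are separate tables and must be written unconditionally (checkpolicy rejects them inside an `if` block). The names cond_t, cond_exec_t, cond_r and cond_exec_enabled are made up, and user_t/user_r are assumed to come from a base policy.

```selinux
# Constructed example; cond_t, cond_exec_t, cond_r, cond_exec_enabled
# are placeholder names. user_t and user_r are assumed from a base policy.
type cond_t;
type cond_exec_t;
role cond_r;
role cond_r types cond_t;
allow user_r cond_r;

bool cond_exec_enabled false;

# Conditional TE rules: stored as conditional avtab entries, so the kernel
# can enable or disable them when the boolean is toggled.
if (cond_exec_enabled) {
    allow user_t cond_exec_t:file { read open execute };
    allow user_t cond_t:process transition;
    allow cond_t cond_exec_t:file entrypoint;
    type_transition user_t cond_exec_t:process cond_t;
}

# Role and range transitions are not avtab entries, so they cannot be
# placed in the if block above; they always apply, regardless of the boolean.
role_transition user_r cond_exec_t cond_r;
range_transition user_t cond_exec_t:process s0 - s0:c0.c1;
```

Because the role and range transitions stay active even when cond_exec_enabled is false, an exec of cond_exec_t by user_t can still yield a context whose role and range changed but whose type did not, which is worth checking for validity in any policy that relies on the boolean.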