Constraint Statements
=====================

constrain
---------

Enables constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

```secil
    (constrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>constrain</code></p></td>
<td align="left"><p>The <code>constrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id | (user_id ...))</code></p>
<p><code> (op u2 user_id | (user_id ...))</code></p>
<p><code> (op r1 role_id | (role_id ...))</code></p>
<p><code> (op r2 role_id | (role_id ...))</code></p>
<p><code> (op t1 type_id | (type_id ...))</code></p>
<p><code> (op t2 type_id | (type_id ...))</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Source context: user, role or type</code></p>
<p><code> u2, r2, t2 = Target context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s. The valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

Two constrain statements are shown with their equivalent kernel policy language statements:

```secil
    ;; constrain { file } { write }
    ;;     (( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (write))
        (or
            (and
                (eq t1 unconfined.process)
                (eq t2 unconfined.object)
            )
            (eq r1 r2)
        )
    )

    ;; constrain { file } { read }
    ;;     (not( t1 == unconfined.process ) and ( t2 == unconfined.object ) or ( r1 eq r2 ));
    (constrain (file (read))
        (not
            (or
                (and
                    (eq t1 unconfined.process)
                    (eq t2 unconfined.object)
                )
                (eq r1 r2)
            )
        )
    )
```

validatetrans
-------------

The [`validatetrans`](cil_constraint_statements.md#validatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

```secil
    (validatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>validatetrans</code></p></td>
<td align="left"><p>The <code>validatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1 = Old context: user, role or type</code></p>
<p><code> u2, r2, t2 = New context: user, role or type</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s. The valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

A validate transition statement with the equivalent kernel policy language statement:

```secil
    ; validatetrans { file } ( t1 == unconfined.process );

    (validatetrans file (eq t1 unconfined.process))
```

mlsconstrain
------------

Enables MLS constraints to be placed on the specified permissions of the object class based on the source and target security context components.

**Statement definition:**

```secil
    (mlsconstrain classpermissionset_id ... expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsconstrain</code></p></td>
<td align="left"><p>The <code>mlsconstrain</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>classpermissionset_id</code></p></td>
<td align="left"><p>A single named or anonymous <code>classpermissionset</code> or a single set of <code>classmap</code>/<code>classmapping</code> identifiers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s. The valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS constrain statement with the equivalent kernel policy language statement:

```secil
    ;; mlsconstrain { file } { open }
    ;;     (( l1 eq l2 ) and ( u1 == u2 ) or ( r1 != r2 ));

    (mlsconstrain (file (open))
        (or
            (and
                (eq l1 l2)
                (eq u1 u2)
            )
            (neq r1 r2)
        )
    )
```

mlsvalidatetrans
----------------

The [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans) statement is only used for `file` related object classes, where it controls the ability to change the object's security context based on the old, new and current process security contexts.

**Statement definition:**

```secil
    (mlsvalidatetrans class_id expression | expr ...)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>mlsvalidatetrans</code></p></td>
<td align="left"><p>The <code>mlsvalidatetrans</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expression</code></p></td>
<td align="left"><p>There must be one constraint <code>expression</code> or one or more <code>expr</code>'s. The expression consists of an operator and two operands as follows:</p>
<p><code> (op u1 u2)</code></p>
<p><code> (mls_role_op r1 r2)</code></p>
<p><code> (op t1 t2)</code></p>
<p><code> (mls_role_op l1 l2)</code></p>
<p><code> (mls_role_op l1 h2)</code></p>
<p><code> (mls_role_op h1 l2)</code></p>
<p><code> (mls_role_op h1 h2)</code></p>
<p><code> (mls_role_op l1 h1)</code></p>
<p><code> (mls_role_op l2 h2)</code></p>
<p><code> (op u1 user_id)</code></p>
<p><code> (op u2 user_id)</code></p>
<p><code> (op u3 user_id)</code></p>
<p><code> (op r1 role_id)</code></p>
<p><code> (op r2 role_id)</code></p>
<p><code> (op r3 role_id)</code></p>
<p><code> (op t1 type_id)</code></p>
<p><code> (op t2 type_id)</code></p>
<p><code> (op t3 type_id)</code></p>
<p>where:</p>
<p><code> u1, r1, t1, l1, h1 = Source context: user, role, type, low level or high level</code></p>
<p><code> u2, r2, t2, l2, h2 = Target context: user, role, type, low level or high level</code></p>
<p><code> u3, r3, t3 = Process context: user, role or type</code></p>
<p>and:</p>
<p><code> op : eq neq</code></p>
<p><code> mls_role_op : eq neq dom domby incomp</code></p>
<p><code> user_id : A single user or userattribute identifier.</code></p>
<p><code> role_id : A single role or roleattribute identifier.</code></p>
<p><code> type_id : A single type, typealias or typeattribute identifier.</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s. The valid operators and syntax are:</p>
<p><code> (and expression expression)</code></p>
<p><code> (or expression expression)</code></p>
<p><code> (not expression)</code></p></td>
</tr>
</tbody>
</table>

**Example:**

An MLS validate transition statement with the equivalent kernel policy language statement:

```secil
    ;; mlsvalidatetrans { file } ( l1 domby h2 );

    (mlsvalidatetrans file (domby l1 h2))
```
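
The following Python evaluator is an added example, not part of the original documentation or the CIL compiler: it parses the `constrain` and `mlsvalidatetrans` statements shown above and reports whether their expression holds for a given set of contexts (a constraint whose expression is false denies the permission even when an allow rule exists). The context values, the `(sensitivity, categories)` level model and every function name are assumptions; role `dom`/`domby`/`incomp` and attribute expansion are not modelled.

```python
import re

OPERAND = re.compile(r"[urtlh][123]")  # context components: u1, r2, t3, l1, h2 ...

def parse(text):
    """Parse one CIL statement into nested lists, dropping ';' comments."""
    tokens = re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text))
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1
    return read(0)[0]

def dom(a, b):  # level a dominates b: sensitivity >= and categories are a superset
    return a[0] >= b[0] and a[1] >= b[1]

COMPARE = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "dom": dom,
    "domby": lambda a, b: dom(b, a),
    "incomp": lambda a, b: not dom(a, b) and not dom(b, a),
}

def evaluate(expr, ctx):
    """Evaluate a constraint expression against a dict of context components."""
    op, *args = expr
    if op in ("and", "or"):
        return (all if op == "and" else any)(evaluate(a, ctx) for a in args)
    if op == "not":
        return not evaluate(args[0], ctx)
    left, right = args
    if isinstance(right, str) and OPERAND.fullmatch(right):
        # Two components, e.g. (eq r1 r2) or (domby l1 h2).
        if op not in ("eq", "neq") and left[0] not in "lh":
            raise ValueError("role dom/domby/incomp is not modelled here")
        return COMPARE[op](ctx[left], ctx[right])
    # Component against one identifier or a list; attributes are not expanded.
    if op not in ("eq", "neq"):
        raise ValueError(f"{op} cannot be used with a named identifier")
    names = {right} if isinstance(right, str) else set(right)
    return (ctx[left] in names) == (op == "eq")

def holds(statement, ctx):
    """True when the statement's expression is satisfied for these contexts."""
    return evaluate(parse(statement)[-1], ctx)

# Statements taken from the examples on this page.
CONSTRAIN = ("(constrain (file (write)) (or (and (eq t1 unconfined.process)"
             " (eq t2 unconfined.object)) (eq r1 r2)))")
MLSVALIDATETRANS = "(mlsvalidatetrans file (domby l1 h2))"

# Constructed contexts (assumptions): a level is (sensitivity, category set).
SAMPLE = {"t1": "unconfined.process", "t2": "unconfined.object", "r1": "staff_r",
          "r2": "object_r", "l1": (0, frozenset()), "h2": (1, frozenset({"c0"}))}
```

Calling `holds(CONSTRAIN, SAMPLE)` returns `True` because the type pair matches; changing `t1` to any other type makes the result depend on `(eq r1 r2)` alone.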