I'd like to suggest a new SELinux policy language feature to constrain attribute assignment.
In the reference policy, for example, there are the attributes auth_file_type and non_auth_file_type, which should be contradictory, but can easily be messed up by:
    type example_t;
    files_auth_file(example_t)
    files_config_file(example_t)
While on it, a type may also be constrained to hold one attribute of a set:
    nevertypeattribute auth_file_type non_auth_file_type; # make these attributes contradictory
    nevertypeattribute domain file_type filesystem_type port_type; # make these attributes exclusive
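
An added example, not part of the original post or of any SELinux tool: a small Python lint that applies the proposed nevertypeattribute rule to already-expanded policy statements. It assumes the rule means a type may hold at most one attribute from each listed set, and that the two macros expand to the typeattribute statements in the constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample: the post's example after macro expansion. That the two
# macros end in these typeattribute statements is an assumption of this sketch.
SAMPLE_POLICY = """
type example_t;
typeattribute example_t auth_file_type;  # assumed from files_auth_file(example_t)
typeattribute example_t file_type, non_auth_file_type;  # assumed from files_config_file(example_t)
type shadow_t, file_type, auth_file_type;
nevertypeattribute auth_file_type non_auth_file_type;
nevertypeattribute domain file_type filesystem_type port_type;
"""

def parse(policy):
    """Return ({type: set(attributes)}, [exclusive attribute sets])."""
    attrs, rules = defaultdict(set), []
    text = re.sub(r"#[^\n]*", "", policy)  # strip comments before splitting on ';'
    for stmt in text.split(";"):
        words = stmt.replace(",", " ").split()
        if not words:
            continue
        if words[0] == "nevertypeattribute":  # proposed statement, hypothetical syntax
            rules.append(frozenset(words[1:]))
        elif words[0] in ("type", "typeattribute") and len(words) > 1:
            attrs[words[1]].update(words[2:])  # aliases are not handled here
    return attrs, rules

def violations(policy):
    """List (type, sorted conflicting attributes) for every broken rule."""
    attrs, rules = parse(policy)
    found = []
    for t in sorted(attrs):
        for rule in rules:
            hit = sorted(attrs[t] & rule)
            if len(hit) > 1:  # assumed semantics: at most one attribute per set
                found.append((t, hit))
    return found

if __name__ == "__main__":
    for t, hit in violations(SAMPLE_POLICY):
        print(f"{t}: conflicting attributes {', '.join(hit)}")
```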