SELinux by Example: Using Security Enhanced Linux

1. Take the two constraints listed together on page 96 and write them as a single constraint statement.

2. A common neverallow invariant rule is this:

neverallow domain ~domain : process transition ;

Write a constraint that is as close as possible to the equivalent meaning of this invariant.

3. Recall the example validatetrans statement from page 93:

validatetrans {file lnk_file} ( ( t3 == relabel_any) or ( t2 != shadow_t or t1 != user_tmp_t ) );

Let's suppose that you want to add a number of other types to the list of those you do not want to be relabeled from user_tmp_t. How would you change this constraint to achieve this goal?
