The attached patch disallows * and ~ in certain kinds of rules; the list of where they are allowed and where they are not follows. I'm very willing to discuss any ideas or arguments as to why these should or shouldn't be in the list they are in.

* and ~ allowed:
    range_trans (I was hoping TCS had an opinion on this)
    neverallow, dontaudit, auditallow

* and ~ not allowed:
    allow rules
    type_transition, type_member, type_change
    role declarations (to add types to a role)
    role transitions

Joshua Brindle
Tresys Technology