Allow user and role changes on dynamic transitions with the same constraints as regular transitions.

Changelog

@@ -1,3 +1,5 @@
+- Allow user and role changes on dynamic transitions with the same
+  constraints as regular transitions.
 - New git service features from Dominick Grift.
 - Corenetwork policy size optimization from Dan Walsh.
 - Silence spurious udp_socket listen denials.

policy/constraints

@@ -87,7 +87,7 @@ ifdef(`enable_ubac',`
 	);
 ')
 
-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	u1 == u2
 	or ( t1 == can_change_process_identity and t2 == process_user_target )
@@ -96,7 +96,7 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );
 
-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	r1 == r2 
 	or ( t1 == can_change_process_role and t2 == process_user_target )
@@ -105,11 +105,6 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );
 
-constrain process dyntransition
-(
-	u1 == u2 and r1 == r2
-);
-
 # These permissions do not have ubac constraints:
 # fork
 # setexec