TERulesDifference: add extended permission rules

Related to #73

setools/diff/terules.py

@@ -18,6 +18,7 @@
 #
 from collections import namedtuple
 
+from ..policyrep import ioctlSet
 from ..policyrep.exception import RuleNotConditional, RuleUseError, TERuleNoFilename
 
 from .conditional import ConditionalExprWrapper
@@ -56,6 +57,22 @@ class TERulesDifference(Difference):
     removed_dontaudits = DiffResultDescriptor("diff_dontaudits")
     modified_dontaudits = DiffResultDescriptor("diff_dontaudits")
 
+    added_allowxperms = DiffResultDescriptor("diff_allowxperms")
+    removed_allowxperms = DiffResultDescriptor("diff_allowxperms")
+    modified_allowxperms = DiffResultDescriptor("diff_allowxperms")
+
+    added_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
+    removed_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
+    modified_auditallowxperms = DiffResultDescriptor("diff_auditallowxperms")
+
+    added_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
+    removed_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
+    modified_neverallowxperms = DiffResultDescriptor("diff_neverallowxperms")
+
+    added_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
+    removed_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
+    modified_dontauditxperms = DiffResultDescriptor("diff_dontauditxperms")
+
     added_type_transitions = DiffResultDescriptor("diff_type_transitions")
     removed_type_transitions = DiffResultDescriptor("diff_type_transitions")
     modified_type_transitions = DiffResultDescriptor("diff_type_transitions")
@@ -81,6 +98,18 @@ class TERulesDifference(Difference):
     _left_dontaudits = None
     _right_dontaudits = None
 
+    _left_allowxperms = None
+    _right_allowxperms = None
+
+    _left_auditallowxperms = None
+    _right_auditallowxperms = None
+
+    _left_neverallowxperms = None
+    _right_neverallowxperms = None
+
+    _left_dontauditxperms = None
+    _right_dontauditxperms = None
+
     _left_type_transitions = None
     _right_type_transitions = None
 
@@ -151,6 +180,70 @@ class TERulesDifference(Difference):
                 self._expand_generator(self._left_dontaudits, AVRuleWrapper),
                 self._expand_generator(self._right_dontaudits, AVRuleWrapper))
 
+    def diff_allowxperms(self):
+        """Generate the difference in allowxperm rules between the policies."""
+
+        self.log.info(
+            "Generating allowxperm differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_allowxperms is None or self._right_allowxperms is None:
+            self._create_te_rule_lists()
+
+        self.added_allowxperms, \
+            self.removed_allowxperms, \
+            self.modified_allowxperms = self._diff_avx_rules(
+                self._expand_generator(self._left_allowxperms, AVRuleXpermWrapper),
+                self._expand_generator(self._right_allowxperms, AVRuleXpermWrapper))
+
+    def diff_auditallowxperms(self):
+        """Generate the difference in auditallowxperm rules between the policies."""
+
+        self.log.info(
+            "Generating auditallowxperm differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_auditallowxperms is None or self._right_auditallowxperms is None:
+            self._create_te_rule_lists()
+
+        self.added_auditallowxperms, \
+            self.removed_auditallowxperms, \
+            self.modified_auditallowxperms = self._diff_avx_rules(
+                self._expand_generator(self._left_auditallowxperms, AVRuleXpermWrapper),
+                self._expand_generator(self._right_auditallowxperms, AVRuleXpermWrapper))
+
+    def diff_neverallowxperms(self):
+        """Generate the difference in neverallowxperm rules between the policies."""
+
+        self.log.info(
+            "Generating neverallowxperm differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_neverallowxperms is None or self._right_neverallowxperms is None:
+            self._create_te_rule_lists()
+
+        self.added_neverallowxperms, \
+            self.removed_neverallowxperms, \
+            self.modified_neverallowxperms = self._diff_avx_rules(
+                self._expand_generator(self._left_neverallowxperms, AVRuleXpermWrapper),
+                self._expand_generator(self._right_neverallowxperms, AVRuleXpermWrapper))
+
+    def diff_dontauditxperms(self):
+        """Generate the difference in dontauditxperm rules between the policies."""
+
+        self.log.info(
+            "Generating dontauditxperm differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_dontauditxperms is None or self._right_dontauditxperms is None:
+            self._create_te_rule_lists()
+
+        self.added_dontauditxperms, \
+            self.removed_dontauditxperms, \
+            self.modified_dontauditxperms = self._diff_avx_rules(
+                self._expand_generator(self._left_dontauditxperms, AVRuleXpermWrapper),
+                self._expand_generator(self._right_dontauditxperms, AVRuleXpermWrapper))
+
     def diff_type_transitions(self):
         """Generate the difference in type_transition rules between the policies."""
 
@@ -209,6 +302,10 @@ class TERulesDifference(Difference):
         self._left_auditallows = []
         self._left_neverallows = []
         self._left_dontaudits = []
+        self._left_allowxperms = []
+        self._left_auditallowxperms = []
+        self._left_neverallowxperms = []
+        self._left_dontauditxperms = []
         self._left_type_transitions = []
         self._left_type_changes = []
         self._left_type_members = []
@@ -223,6 +320,14 @@ class TERulesDifference(Difference):
                 self._left_neverallows.append(rule)
             elif rule.ruletype == "dontaudit":
                 self._left_dontaudits.append(rule)
+            elif rule.ruletype == "allowxperm":
+                self._left_allowxperms.append(rule)
+            elif rule.ruletype == "auditallowxperm":
+                self._left_auditallowxperms.append(rule)
+            elif rule.ruletype == "neverallowxperm":
+                self._left_neverallowxperms.append(rule)
+            elif rule.ruletype == "dontauditxperm":
+                self._left_dontauditxperms.append(rule)
             elif rule.ruletype == "type_transition":
                 self._left_type_transitions.append(rule)
             elif rule.ruletype == "type_change":
@@ -237,6 +342,10 @@ class TERulesDifference(Difference):
         self._right_auditallows = []
         self._right_neverallows = []
         self._right_dontaudits = []
+        self._right_allowxperms = []
+        self._right_auditallowxperms = []
+        self._right_neverallowxperms = []
+        self._right_dontauditxperms = []
         self._right_type_transitions = []
         self._right_type_changes = []
         self._right_type_members = []
@@ -251,6 +360,14 @@ class TERulesDifference(Difference):
                 self._right_neverallows.append(rule)
             elif rule.ruletype == "dontaudit":
                 self._right_dontaudits.append(rule)
+            elif rule.ruletype == "allowxperm":
+                self._right_allowxperms.append(rule)
+            elif rule.ruletype == "auditallowxperm":
+                self._right_auditallowxperms.append(rule)
+            elif rule.ruletype == "neverallowxperm":
+                self._right_neverallowxperms.append(rule)
+            elif rule.ruletype == "dontauditxperm":
+                self._right_dontauditxperms.append(rule)
             elif rule.ruletype == "type_transition":
                 self._right_type_transitions.append(rule)
             elif rule.ruletype == "type_change":
@@ -284,6 +401,29 @@ class TERulesDifference(Difference):
 
         return added, removed, modified
 
+    def _diff_avx_rules(self, left_list, right_list):
+        """Common method for comparing extended permission access vector rules."""
+        added, removed, matched = self._set_diff(left_list, right_list)
+
+        modified = []
+
+        for left_rule, right_rule in matched:
+            # Criteria for modified rules
+            # 1. change to permissions
+            added_perms, removed_perms, matched_perms = self._set_diff(left_rule.perms,
+                                                                       right_rule.perms)
+
+            # the final set comprehension is to avoid having lists
+            # like [("perm1", "perm1"), ("perm2", "perm2")], as the
+            # matched_perms return from _set_diff is a set of tuples
+            if added_perms or removed_perms:
+                modified.append(modified_avrule_record(left_rule,
+                                                       ioctlSet(added_perms),
+                                                       ioctlSet(removed_perms),
+                                                       ioctlSet(p[0] for p in matched_perms)))
+
+        return added, removed, modified
+
     def _diff_te_rules(self, left_list, right_list):
         """Common method for comparing type_* rules."""
         added, removed, matched = self._set_diff(left_list, right_list)
@@ -315,6 +455,18 @@ class TERulesDifference(Difference):
         self.added_dontaudits = None
         self.removed_dontaudits = None
         self.modified_dontaudits = None
+        self.added_allowxperms = None
+        self.removed_allowxperms = None
+        self.modified_allowxperms = None
+        self.added_auditallowxperms = None
+        self.removed_auditallowxperms = None
+        self.modified_auditallowxperms = None
+        self.added_neverallowxperms = None
+        self.removed_neverallowxperms = None
+        self.modified_neverallowxperms = None
+        self.added_dontauditxperms = None
+        self.removed_dontauditxperms = None
+        self.modified_dontauditxperms = None
         self.added_type_transitions = None
         self.removed_type_transitions = None
         self.modified_type_transitions = None
@@ -334,6 +486,14 @@ class TERulesDifference(Difference):
         self._right_neverallows = None
         self._left_dontaudits = None
         self._right_dontaudits = None
+        self._left_allowxperms = None
+        self._right_allowxperms = None
+        self._left_auditallowxperms = None
+        self._right_auditallowxperms = None
+        self._left_neverallowxperms = None
+        self._right_neverallowxperms = None
+        self._left_dontauditxperms = None
+        self._right_dontauditxperms = None
         self._left_type_transitions = None
         self._right_type_transitions = None
         self._left_type_changes = None
@@ -377,6 +537,34 @@ class AVRuleWrapper(Wrapper):
                self.conditional_block == other.conditional_block
 
 
+class AVRuleXpermWrapper(Wrapper):
+
+    """Wrap extended permission access vector rules to allow set operations."""
+
+    def __init__(self, rule):
+        self.origin = rule
+        self.ruletype = rule.ruletype
+        self.source = SymbolWrapper(rule.source)
+        self.target = SymbolWrapper(rule.target)
+        self.tclass = SymbolWrapper(rule.tclass)
+        self.xperm_type = rule.xperm_type
+        self.key = hash(rule)
+
+    def __hash__(self):
+        return self.key
+
+    def __lt__(self, other):
+        return self.key < other.key
+
+    def __eq__(self, other):
+        # because TERuleDifference groups rules by ruletype,
+        # the ruletype always matches.
+        return self.source == other.source and \
+               self.target == other.target and \
+               self.tclass == other.tclass and \
+               self.xperm_type == other.xperm_type
+
+
 class TERuleWrapper(Wrapper):
 
     """Wrap type_* rules to allow set operations."""

tests/diff.py

@@ -1555,6 +1555,262 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
         self.assertEqual("mod_parent_added", added_bound)
         self.assertEqual("mod_parent_removed", removed_bound)
 
+    #
+    # Allowxperm rules
+    #
+    def test_added_allowxperm_rules(self):
+        """Diff: added allowxperm rules."""
+        rules = sorted(self.diff.added_allowxperms)
+        self.assertEqual(2, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "allowxperm", "added_type", "added_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+        # added rule with existing types
+        self.validate_rule(rules[1], "allowxperm", "ax_added_rule_source", "ax_added_rule_target",
+                           "infoflow", set([0x0002]), xperm="ioctl")
+
+    def test_removed_allowxperm_rules(self):
+        """Diff: removed allowxperm rules."""
+        rules = sorted(self.diff.removed_allowxperms)
+        self.assertEqual(2, len(rules))
+
+        # removed rule with existing types
+        self.validate_rule(rules[0], "allowxperm", "ax_removed_rule_source",
+                           "ax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+        # removed rule with new type
+        self.validate_rule(rules[1], "allowxperm", "removed_type", "removed_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+    def test_modified_allowxperm_rules(self):
+        """Diff: modified allowxperm rules."""
+        l = sorted(self.diff.modified_allowxperms, key=lambda x: x.rule)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("allowxperm", rule.ruletype)
+        self.assertEqual("ax_modified_rule_add_perms", rule.source)
+        self.assertEqual("ax_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set([0x000f]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set([0x0004]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("allowxperm", rule.ruletype)
+        self.assertEqual("ax_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("ax_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set([0x0006]), added_perms)
+        self.assertSetEqual(set([0x0007]), removed_perms)
+        self.assertSetEqual(set([0x0008]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("allowxperm", rule.ruletype)
+        self.assertEqual("ax_modified_rule_remove_perms", rule.source)
+        self.assertEqual("ax_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set([0x0006]), removed_perms)
+        self.assertSetEqual(set([0x0005]), matched_perms)
+
+    #
+    # Auditallowxperm rules
+    #
+    def test_added_auditallowxperm_rules(self):
+        """Diff: added auditallowxperm rules."""
+        rules = sorted(self.diff.added_auditallowxperms)
+        self.assertEqual(2, len(rules))
+
+        # added rule with existing types
+        self.validate_rule(rules[0], "auditallowxperm", "aax_added_rule_source",
+                           "aax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+        # added rule with new type
+        self.validate_rule(rules[1], "auditallowxperm", "added_type", "added_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+    def test_removed_auditallowxperm_rules(self):
+        """Diff: removed auditallowxperm rules."""
+        rules = sorted(self.diff.removed_auditallowxperms)
+        self.assertEqual(2, len(rules))
+
+        # removed rule with existing types
+        self.validate_rule(rules[0], "auditallowxperm", "aax_removed_rule_source",
+                           "aax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+        # removed rule with new type
+        self.validate_rule(rules[1], "auditallowxperm", "removed_type", "removed_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+    def test_modified_auditallowxperm_rules(self):
+        """Diff: modified auditallowxperm rules."""
+        l = sorted(self.diff.modified_auditallowxperms, key=lambda x: x.rule)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("auditallowxperm", rule.ruletype)
+        self.assertEqual("aax_modified_rule_add_perms", rule.source)
+        self.assertEqual("aax_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set([0x000f]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set([0x0004]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("auditallowxperm", rule.ruletype)
+        self.assertEqual("aax_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("aax_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set([0x0006]), added_perms)
+        self.assertSetEqual(set([0x0007]), removed_perms)
+        self.assertSetEqual(set([0x0008]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("auditallowxperm", rule.ruletype)
+        self.assertEqual("aax_modified_rule_remove_perms", rule.source)
+        self.assertEqual("aax_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set([0x0006]), removed_perms)
+        self.assertSetEqual(set([0x0005]), matched_perms)
+
+    #
+    # Neverallowxperm rules
+    #
+    def test_added_neverallowxperm_rules(self):
+        """Diff: added neverallowxperm rules."""
+        rules = sorted(self.diff.added_neverallowxperms)
+        self.assertEqual(2, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "neverallowxperm", "added_type", "added_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+        # added rule with existing types
+        self.validate_rule(rules[1], "neverallowxperm", "nax_added_rule_source",
+                           "nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+    def test_removed_neverallowxperm_rules(self):
+        """Diff: removed neverallowxperm rules."""
+        rules = sorted(self.diff.removed_neverallowxperms)
+        self.assertEqual(2, len(rules))
+
+        # removed rule with existing types
+        self.validate_rule(rules[0], "neverallowxperm", "nax_removed_rule_source",
+                           "nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+        # removed rule with new type
+        self.validate_rule(rules[1], "neverallowxperm", "removed_type", "removed_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+    def test_modified_neverallowxperm_rules(self):
+        """Diff: modified neverallowxperm rules."""
+        l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("neverallowxperm", rule.ruletype)
+        self.assertEqual("nax_modified_rule_add_perms", rule.source)
+        self.assertEqual("nax_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set([0x000f]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set([0x0004]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("neverallowxperm", rule.ruletype)
+        self.assertEqual("nax_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("nax_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set([0x0006]), added_perms)
+        self.assertSetEqual(set([0x0007]), removed_perms)
+        self.assertSetEqual(set([0x0008]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("neverallowxperm", rule.ruletype)
+        self.assertEqual("nax_modified_rule_remove_perms", rule.source)
+        self.assertEqual("nax_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set([0x0006]), removed_perms)
+        self.assertSetEqual(set([0x0005]), matched_perms)
+
+    #
+    # Dontauditxperm rules
+    #
+    def test_added_dontauditxperm_rules(self):
+        """Diff: added dontauditxperm rules."""
+        rules = sorted(self.diff.added_dontauditxperms)
+        self.assertEqual(2, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "dontauditxperm", "added_type", "added_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+        # added rule with existing types
+        self.validate_rule(rules[1], "dontauditxperm", "dax_added_rule_source",
+                           "dax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+    def test_removed_dontauditxperm_rules(self):
+        """Diff: removed dontauditxperm rules."""
+        rules = sorted(self.diff.removed_dontauditxperms)
+        self.assertEqual(2, len(rules))
+
+        # removed rule with existing types
+        self.validate_rule(rules[0], "dontauditxperm", "dax_removed_rule_source",
+                           "dax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
+
+        # removed rule with new type
+        self.validate_rule(rules[1], "dontauditxperm", "removed_type", "removed_type", "infoflow7",
+                           set([0x0009]), xperm="ioctl")
+
+    def test_modified_dontauditxperm_rules(self):
+        """Diff: modified dontauditxperm rules."""
+        l = sorted(self.diff.modified_dontauditxperms, key=lambda x: x.rule)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("dontauditxperm", rule.ruletype)
+        self.assertEqual("dax_modified_rule_add_perms", rule.source)
+        self.assertEqual("dax_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set([0x000f]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set([0x0004]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("dontauditxperm", rule.ruletype)
+        self.assertEqual("dax_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("dax_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set([0x0006]), added_perms)
+        self.assertSetEqual(set([0x0007]), removed_perms)
+        self.assertSetEqual(set([0x0008]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("dontauditxperm", rule.ruletype)
+        self.assertEqual("dax_modified_rule_remove_perms", rule.source)
+        self.assertEqual("dax_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set([0x0006]), removed_perms)
+        self.assertSetEqual(set([0x0005]), matched_perms)
+
 
 class PolicyDifferenceTestNoDiff(unittest.TestCase):
 
@@ -1945,6 +2201,54 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
         """NoDiff: no modified typebounds."""
         self.assertFalse(self.diff.modified_typebounds)
 
+    def test_added_allowxperms(self):
+        """NoDiff: no added allowxperm rules."""
+        self.assertFalse(self.diff.added_allowxperms)
+
+    def test_removed_allowxperms(self):
+        """NoDiff: no removed allowxperm rules."""
+        self.assertFalse(self.diff.removed_allowxperms)
+
+    def test_modified_allowxperms(self):
+        """NoDiff: no modified allowxperm rules."""
+        self.assertFalse(self.diff.modified_allowxperms)
+
+    def test_added_auditallowxperms(self):
+        """NoDiff: no added auditallowxperm rules."""
+        self.assertFalse(self.diff.added_auditallowxperms)
+
+    def test_removed_auditallowxperms(self):
+        """NoDiff: no removed auditallowxperm rules."""
+        self.assertFalse(self.diff.removed_auditallowxperms)
+
+    def test_modified_auditallowxperms(self):
+        """NoDiff: no modified auditallowxperm rules."""
+        self.assertFalse(self.diff.modified_auditallowxperms)
+
+    def test_added_neverallowxperms(self):
+        """NoDiff: no added neverallowxperm rules."""
+        self.assertFalse(self.diff.added_neverallowxperms)
+
+    def test_removed_neverallowxperms(self):
+        """NoDiff: no removed neverallowxperm rules."""
+        self.assertFalse(self.diff.removed_neverallowxperms)
+
+    def test_modified_neverallowxperms(self):
+        """NoDiff: no modified neverallowxperm rules."""
+        self.assertFalse(self.diff.modified_neverallowxperms)
+
+    def test_added_dontauditxperms(self):
+        """NoDiff: no added dontauditxperm rules."""
+        self.assertFalse(self.diff.added_dontauditxperms)
+
+    def test_removed_dontauditxperms(self):
+        """NoDiff: no removed dontauditxperm rules."""
+        self.assertFalse(self.diff.removed_dontauditxperms)
+
+    def test_modified_dontauditxperms(self):
+        """NoDiff: no modified dontauditxperm rules."""
+        self.assertFalse(self.diff.modified_dontauditxperms)
+
 
 class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
 
@@ -2352,3 +2656,51 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
     def test_modified_typebounds(self):
         """MLSvsStandardDiff: no modified typebounds."""
         self.assertFalse(self.diff.modified_typebounds)
+
+    def test_added_allowxperms(self):
+        """NoDiff: no added allowxperm rules."""
+        self.assertFalse(self.diff.added_allowxperms)
+
+    def test_removed_allowxperms(self):
+        """NoDiff: no removed allowxperm rules."""
+        self.assertFalse(self.diff.removed_allowxperms)
+
+    def test_modified_allowxperms(self):
+        """NoDiff: no modified allowxperm rules."""
+        self.assertFalse(self.diff.modified_allowxperms)
+
+    def test_added_auditallowxperms(self):
+        """NoDiff: no added auditallowxperm rules."""
+        self.assertFalse(self.diff.added_auditallowxperms)
+
+    def test_removed_auditallowxperms(self):
+        """NoDiff: no removed auditallowxperm rules."""
+        self.assertFalse(self.diff.removed_auditallowxperms)
+
+    def test_modified_auditallowxperms(self):
+        """NoDiff: no modified auditallowxperm rules."""
+        self.assertFalse(self.diff.modified_auditallowxperms)
+
+    def test_added_neverallowxperms(self):
+        """NoDiff: no added neverallowxperm rules."""
+        self.assertFalse(self.diff.added_neverallowxperms)
+
+    def test_removed_neverallowxperms(self):
+        """NoDiff: no removed neverallowxperm rules."""
+        self.assertFalse(self.diff.removed_neverallowxperms)
+
+    def test_modified_neverallowxperms(self):
+        """NoDiff: no modified neverallowxperm rules."""
+        self.assertFalse(self.diff.modified_neverallowxperms)
+
+    def test_added_dontauditxperms(self):
+        """NoDiff: no added dontauditxperm rules."""
+        self.assertFalse(self.diff.added_dontauditxperms)
+
+    def test_removed_dontauditxperms(self):
+        """NoDiff: no removed dontauditxperm rules."""
+        self.assertFalse(self.diff.removed_dontauditxperms)
+
+    def test_modified_dontauditxperms(self):
+        """NoDiff: no modified dontauditxperm rules."""
+        self.assertFalse(self.diff.modified_dontauditxperms)

tests/diff_left.conf

@@ -24,6 +24,7 @@ common infoflow
 	low_r
 	med_r
 	hi_r
+    ioctl
 }
 
 common removed_common
@@ -634,6 +635,146 @@ role role_tr_old_role;
 role role_tr_new_role;
 role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
 
+# Allowxperm rule differences
+type ax_matched_source;
+type ax_matched_target;
+allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
+
+type ax_removed_rule_source;
+type ax_removed_rule_target;
+allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
+
+type ax_added_rule_source;
+type ax_added_rule_target;
+
+type ax_modified_rule_add_perms;
+allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type ax_modified_rule_remove_perms;
+allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type ax_modified_rule_add_remove_perms;
+allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+allowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute ax_match_rule_by_attr;
+type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
+type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
+allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Auditallowxperm rule differences
+type aax_matched_source;
+type aax_matched_target;
+auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
+
+type aax_removed_rule_source;
+type aax_removed_rule_target;
+auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
+
+type aax_added_rule_source;
+type aax_added_rule_target;
+
+type aax_modified_rule_add_perms;
+auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type aax_modified_rule_remove_perms;
+auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type aax_modified_rule_add_remove_perms;
+auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute aax_match_rule_by_attr;
+type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
+type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
+auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Neverallowxperm rule differences
+type nax_matched_source;
+type nax_matched_target;
+neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
+
+type nax_removed_rule_source;
+type nax_removed_rule_target;
+neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
+
+type nax_added_rule_source;
+type nax_added_rule_target;
+
+type nax_modified_rule_add_perms;
+neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type nax_modified_rule_remove_perms;
+neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type nax_modified_rule_add_remove_perms;
+neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute nax_match_rule_by_attr;
+type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
+type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
+neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Dontauditxperm rule differences
+type dax_matched_source;
+type dax_matched_target;
+dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
+
+type dax_removed_rule_source;
+type dax_removed_rule_target;
+dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
+
+type dax_added_rule_source;
+type dax_added_rule_target;
+
+type dax_modified_rule_add_perms;
+dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type dax_modified_rule_remove_perms;
+dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type dax_modified_rule_add_remove_perms;
+dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute dax_match_rule_by_attr;
+type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
+type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
+dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
 ################################################################################
 # matching typebounds
 type match_parent;

tests/diff_left_standard.conf

@@ -24,6 +24,7 @@ common infoflow
 	low_r
 	med_r
 	hi_r
+    ioctl
 }
 
 common removed_common
@@ -556,6 +557,146 @@ role role_tr_old_role;
 role role_tr_new_role;
 role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
 
+# Allowxperm rule differences
+type ax_matched_source;
+type ax_matched_target;
+allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
+
+type ax_removed_rule_source;
+type ax_removed_rule_target;
+allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
+
+type ax_added_rule_source;
+type ax_added_rule_target;
+
+type ax_modified_rule_add_perms;
+allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type ax_modified_rule_remove_perms;
+allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type ax_modified_rule_add_remove_perms;
+allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+allowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute ax_match_rule_by_attr;
+type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
+type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
+allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Auditallowxperm rule differences
+type aax_matched_source;
+type aax_matched_target;
+auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
+
+type aax_removed_rule_source;
+type aax_removed_rule_target;
+auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
+
+type aax_added_rule_source;
+type aax_added_rule_target;
+
+type aax_modified_rule_add_perms;
+auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type aax_modified_rule_remove_perms;
+auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type aax_modified_rule_add_remove_perms;
+auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute aax_match_rule_by_attr;
+type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
+type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
+auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Neverallowxperm rule differences
+type nax_matched_source;
+type nax_matched_target;
+neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
+
+type nax_removed_rule_source;
+type nax_removed_rule_target;
+neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
+
+type nax_added_rule_source;
+type nax_added_rule_target;
+
+type nax_modified_rule_add_perms;
+neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type nax_modified_rule_remove_perms;
+neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type nax_modified_rule_add_remove_perms;
+neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute nax_match_rule_by_attr;
+type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
+type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
+neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
+# Dontauditxperm rule differences
+type dax_matched_source;
+type dax_matched_target;
+dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
+
+type dax_removed_rule_source;
+type dax_removed_rule_target;
+dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
+
+type dax_added_rule_source;
+type dax_added_rule_target;
+
+type dax_modified_rule_add_perms;
+dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
+
+type dax_modified_rule_remove_perms;
+dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
+
+type dax_modified_rule_add_remove_perms;
+dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
+
+dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
+
+attribute dax_match_rule_by_attr;
+type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
+type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
+dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
+
+attribute dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+
 ################################################################################
 # matching typebounds
 type match_parent;

tests/diff_right.conf

@@ -24,6 +24,7 @@ common infoflow
 	low_r
 	med_r
 	hi_r
+    ioctl
 }
 
 common added_common
@@ -634,6 +635,146 @@ role role_tr_old_role;
 role role_tr_new_role;
 role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role;
 
+# Allowxperm rule differences
+type ax_matched_source;
+type ax_matched_target;
+allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
+
+type ax_removed_rule_source;
+type ax_removed_rule_target;
+
+type ax_added_rule_source;
+type ax_added_rule_target;
+allowxperm ax_added_rule_source ax_added_rule_target:infoflow ioctl 0x0002;
+
+type ax_modified_rule_add_perms;
+allowxperm ax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
+
+type ax_modified_rule_remove_perms;
+allowxperm ax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
+
+type ax_modified_rule_add_remove_perms;
+allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
+
+allowxperm added_type self:infoflow7 ioctl 0x0009;
+
+attribute ax_match_rule_by_attr;
+type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
+type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
+allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
+allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
+
+attribute ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+
+# Auditallowxperm rule differences
+type aax_matched_source;
+type aax_matched_target;
+auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
+
+type aax_removed_rule_source;
+type aax_removed_rule_target;
+
+type aax_added_rule_source;
+type aax_added_rule_target;
+auditallowxperm aax_added_rule_source aax_added_rule_target:infoflow ioctl 0x0002;
+
+type aax_modified_rule_add_perms;
+auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
+
+type aax_modified_rule_remove_perms;
+auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
+
+type aax_modified_rule_add_remove_perms;
+auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
+
+auditallowxperm added_type self:infoflow7 ioctl 0x0009;
+
+attribute aax_match_rule_by_attr;
+type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
+type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
+auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
+auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
+
+attribute aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+
+# Neverallowxperm rule differences
+type nax_matched_source;
+type nax_matched_target;
+neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
+
+type nax_removed_rule_source;
+type nax_removed_rule_target;
+
+type nax_added_rule_source;
+type nax_added_rule_target;
+neverallowxperm nax_added_rule_source nax_added_rule_target:infoflow ioctl 0x0002;
+
+type nax_modified_rule_add_perms;
+neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
+
+type nax_modified_rule_remove_perms;
+neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
+
+type nax_modified_rule_add_remove_perms;
+neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
+
+neverallowxperm added_type self:infoflow7 ioctl 0x0009;
+
+attribute nax_match_rule_by_attr;
+type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
+type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
+neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
+neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
+
+attribute nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+
+# Dontauditxperm rule differences
+type dax_matched_source;
+type dax_matched_target;
+dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
+
+type dax_removed_rule_source;
+type dax_removed_rule_target;
+
+type dax_added_rule_source;
+type dax_added_rule_target;
+dontauditxperm dax_added_rule_source dax_added_rule_target:infoflow ioctl 0x0002;
+
+type dax_modified_rule_add_perms;
+dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
+
+type dax_modified_rule_remove_perms;
+dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
+
+type dax_modified_rule_add_remove_perms;
+dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
+
+dontauditxperm added_type self:infoflow7 ioctl 0x0009;
+
+attribute dax_match_rule_by_attr;
+type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
+type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
+dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
+dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
+
+attribute dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+
 ################################################################################
 # matching typebounds
 type match_parent;