TERulesDifference: Fix bug with unioning permissions.

Unit tests did not correctly test this scenario.

setools/diff/terules.py

@@ -1,4 +1,5 @@
 # Copyright 2015-2016, Tresys Technology, LLC
+# Copyright 2016, Chris PeBenito <pebenito@ieee.org>
 #
 # This file is part of SETools.
 #
@@ -34,6 +35,35 @@ modified_avrule_record = namedtuple("modified_avrule", ["rule",
 modified_terule_record = namedtuple("modified_terule", ["rule", "added_default", "removed_default"])
 
 
+def _avrule_expand_generator(rule_list, Wrapper, perms_container):
+    """
+    Generator that yields wrapped, expanded, av(x) rules with
+    unioned permission sets.
+    """
+    items = dict()
+
+    # create a hash table (dict) with the rule hash
+    # as the keys.  Rules where permission sets should
+    # be unioned together have the same hash.
+    for unexpanded_rule in rule_list:
+        for expanded_rule in unexpanded_rule.expand():
+            rule = Wrapper(expanded_rule)
+
+            try:
+                items[rule].append(rule)
+            except KeyError:
+                items[rule] = [rule]
+
+    # Go over rule lists and union permissions
+    for wrapped_unioned_rule, origins in items.items():
+        perms = perms_container()
+        for r in origins:
+            perms |= r.origin.perms
+
+        wrapped_unioned_rule.origin.perms = perms
+        yield wrapped_unioned_rule
+
+
 def av_diff_template(ruletype):
 
     """
@@ -55,8 +85,8 @@ def av_diff_template(ruletype):
             self._create_te_rule_lists()
 
         added, removed, matched = self._set_diff(
-                self._expand_generator(self._left_te_rules[ruletype], AVRuleWrapper),
+                _avrule_expand_generator(self._left_te_rules[ruletype], AVRuleWrapper, set),
-                self._expand_generator(self._right_te_rules[ruletype], AVRuleWrapper))
+                _avrule_expand_generator(self._right_te_rules[ruletype], AVRuleWrapper, set))
 
         modified = []
         for left_rule, right_rule in matched:
@@ -102,8 +132,10 @@ def avx_diff_template(ruletype):
             self._create_te_rule_lists()
 
         added, removed, matched = self._set_diff(
-                self._expand_generator(self._left_te_rules[ruletype], AVRuleXpermWrapper),
+                _avrule_expand_generator(self._left_te_rules[ruletype],
-                self._expand_generator(self._right_te_rules[ruletype], AVRuleXpermWrapper))
+                                         AVRuleXpermWrapper, IoctlSet),
+                _avrule_expand_generator(self._right_te_rules[ruletype],
+                                         AVRuleXpermWrapper, IoctlSet))
 
         modified = []
         for left_rule, right_rule in matched:

setools/policyrep/terule.py

@@ -50,12 +50,17 @@ def expanded_te_rule_factory(original, source, target):
     target      The target type of the expanded rule.
     """
 
+    # for AV and AVXperm rules, copy the perms into the
+    # expanded rule, so PolicyDifference can build single expanded
+    # rules with unioned permission sets
     if isinstance(original, (ExpandedAVRule, ExpandedAVRuleXperm, ExpandedTERule)):
         return original
     elif isinstance(original, AVRuleXperm):
         rule = ExpandedAVRuleXperm(original.policy, original.qpol_symbol)
+        rule.perms = original.perms
     elif isinstance(original, AVRule):
         rule = ExpandedAVRule(original.policy, original.qpol_symbol)
+        rule.perms = original.perms
     elif isinstance(original, TERule):
         rule = ExpandedTERule(original.policy, original.qpol_symbol)
     else:
@@ -353,14 +358,14 @@ class ExpandedAVRule(AVRule):
 
     """An expanded access vector type enforcement rule."""
 
-    __slots__ = ("source", "target", "origin")
+    __slots__ = ("source", "target", "perms", "origin")
 
 
 class ExpandedAVRuleXperm(AVRuleXperm):
 
     """An expanded extended permission access vector type enforcement rule."""
 
-    __slots__ = ("source", "target", "origin")
+    __slots__ = ("source", "target", "perms", "origin")
 
 
 class ExpandedTERule(TERule):

tests/diff_left.conf

@@ -259,12 +259,12 @@ type match_rule_by_attr_A_t, match_rule_by_attr;
 type match_rule_by_attr_B_t, match_rule_by_attr;
 allow match_rule_by_attr self:infoflow2 super_w;
 
-attribute unioned_perm_via_attr;
+attribute union_perm_a;
-type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+attribute union_perm_b;
-type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+attribute union_perm_c;
-allow unioned_perm_via_attr self:infoflow2 super_w;
+type union_perm_source, union_perm_a, union_perm_c;
-allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type union_perm_target, union_perm_b;
-allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+allow union_perm_source union_perm_target:infoflow { hi_w med_w low_w };
 
 # Auditallow rule differences
 type aa_matched_source;
@@ -313,12 +313,12 @@ type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
 type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
 auditallow aa_match_rule_by_attr self:infoflow2 super_w;
 
-attribute aa_unioned_perm_via_attr;
+attribute aa_union_perm_a;
-type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_b;
-type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
+type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type aa_union_perm_target, aa_union_perm_b;
-auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+auditallow aa_union_perm_source aa_union_perm_target:infoflow { hi_w med_w low_w };
 
 # Dontaudit rule differences
 type da_matched_source;
@@ -367,12 +367,12 @@ type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
 type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
 dontaudit da_match_rule_by_attr self:infoflow2 super_w;
 
-attribute da_unioned_perm_via_attr;
+attribute da_union_perm_a;
-type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+attribute da_union_perm_b;
-type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+attribute da_union_perm_c;
-dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
+type da_union_perm_source, da_union_perm_a, da_union_perm_c;
-dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type da_union_perm_target, da_union_perm_b;
-dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+dontaudit da_union_perm_source da_union_perm_target:infoflow { hi_w med_w low_w };
 
 # Neverallow rule differences
 type na_matched_source;
@@ -402,12 +402,12 @@ type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
 type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
 neverallow na_match_rule_by_attr self:infoflow2 super_w;
 
-attribute na_unioned_perm_via_attr;
+attribute na_union_perm_a;
-type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+attribute na_union_perm_b;
-type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+attribute na_union_perm_c;
-neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
+type na_union_perm_source, na_union_perm_a, na_union_perm_c;
-neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type na_union_perm_target, na_union_perm_b;
-neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+neverallow na_union_perm_source na_union_perm_target:infoflow { hi_w med_w low_w };
 
 # type_transition rule differences
 type tt_matched_source;
@@ -663,12 +663,12 @@ type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
 type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
 allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute ax_unioned_perm_via_attr;
+attribute ax_union_perm_a;
-type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_b;
-type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type ax_union_perm_target, ax_union_perm_b;
-allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Auditallowxperm rule differences
 type aax_matched_source;
@@ -698,12 +698,12 @@ type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
 type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
 auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute aax_unioned_perm_via_attr;
+attribute aax_union_perm_a;
-type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_b;
-type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type aax_union_perm_target, aax_union_perm_b;
-auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Neverallowxperm rule differences
 type nax_matched_source;
@@ -733,12 +733,12 @@ type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
 type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
 neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute nax_unioned_perm_via_attr;
+attribute nax_union_perm_a;
-type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_b;
-type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type nax_union_perm_target, nax_union_perm_b;
-neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Dontauditxperm rule differences
 type dax_matched_source;
@@ -768,12 +768,12 @@ type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
 type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
 dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute dax_unioned_perm_via_attr;
+attribute dax_union_perm_a;
-type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_b;
-type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type dax_union_perm_target, dax_union_perm_b;
-dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 ################################################################################
 # matching typebounds

tests/diff_left_standard.conf

@@ -194,12 +194,12 @@ type match_rule_by_attr_A_t, match_rule_by_attr;
 type match_rule_by_attr_B_t, match_rule_by_attr;
 allow match_rule_by_attr self:infoflow2 super_w;
 
-attribute unioned_perm_via_attr;
+attribute union_perm_a;
-type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+attribute union_perm_b;
-type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+attribute union_perm_c;
-allow unioned_perm_via_attr self:infoflow2 super_w;
+type union_perm_source, union_perm_a, union_perm_c;
-allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type union_perm_target, union_perm_b;
-allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+allow union_perm_source union_perm_target:infoflow { hi_w med_w low_w };
 
 # Auditallow rule differences
 type aa_matched_source;
@@ -248,12 +248,12 @@ type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
 type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
 auditallow aa_match_rule_by_attr self:infoflow2 super_w;
 
-attribute aa_unioned_perm_via_attr;
+attribute aa_union_perm_a;
-type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_b;
-type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
+type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type aa_union_perm_target, aa_union_perm_b;
-auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+auditallow aa_union_perm_source aa_union_perm_target:infoflow { hi_w med_w low_w };
 
 # Dontaudit rule differences
 type da_matched_source;
@@ -302,12 +302,12 @@ type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
 type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
 dontaudit da_match_rule_by_attr self:infoflow2 super_w;
 
-attribute da_unioned_perm_via_attr;
+attribute da_union_perm_a;
-type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+attribute da_union_perm_b;
-type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+attribute da_union_perm_c;
-dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
+type da_union_perm_source, da_union_perm_a, da_union_perm_c;
-dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type da_union_perm_target, da_union_perm_b;
-dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+dontaudit da_union_perm_source da_union_perm_target:infoflow { hi_w med_w low_w };
 
 # Neverallow rule differences
 type na_matched_source;
@@ -337,12 +337,12 @@ type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
 type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
 neverallow na_match_rule_by_attr self:infoflow2 super_w;
 
-attribute na_unioned_perm_via_attr;
+attribute na_union_perm_a;
-type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+attribute na_union_perm_b;
-type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+attribute na_union_perm_c;
-neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
+type na_union_perm_source, na_union_perm_a, na_union_perm_c;
-neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+type na_union_perm_target, na_union_perm_b;
-neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+neverallow na_union_perm_source na_union_perm_target:infoflow { hi_w med_w low_w };
 
 # type_transition rule differences
 type tt_matched_source;
@@ -585,12 +585,12 @@ type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
 type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
 allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute ax_unioned_perm_via_attr;
+attribute ax_union_perm_a;
-type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_b;
-type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type ax_union_perm_target, ax_union_perm_b;
-allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Auditallowxperm rule differences
 type aax_matched_source;
@@ -620,12 +620,12 @@ type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
 type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
 auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute aax_unioned_perm_via_attr;
+attribute aax_union_perm_a;
-type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_b;
-type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type aax_union_perm_target, aax_union_perm_b;
-auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Neverallowxperm rule differences
 type nax_matched_source;
@@ -655,12 +655,12 @@ type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
 type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
 neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute nax_unioned_perm_via_attr;
+attribute nax_union_perm_a;
-type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_b;
-type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type nax_union_perm_target, nax_union_perm_b;
-neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 # Dontauditxperm rule differences
 type dax_matched_source;
@@ -690,12 +690,12 @@ type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
 type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
 dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
 
-attribute dax_unioned_perm_via_attr;
+attribute dax_union_perm_a;
-type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_b;
-type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
+type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
+type dax_union_perm_target, dax_union_perm_b;
-dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
+dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl { 0x1-0x3 };
 
 ################################################################################
 # matching typebounds

tests/diff_right.conf

@@ -260,11 +260,14 @@ type match_rule_by_attr_B_t, match_rule_by_attr;
 allow match_rule_by_attr_A_t self:infoflow2 super_w;
 allow match_rule_by_attr_B_t self:infoflow2 super_w;
 
-attribute unioned_perm_via_attr;
+attribute union_perm_a;
-type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+attribute union_perm_b;
-type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+attribute union_perm_c;
-allow unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+type union_perm_source, union_perm_a, union_perm_c;
-allow unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+type union_perm_target, union_perm_b;
+allow union_perm_a union_perm_b:infoflow hi_w;
+allow union_perm_c union_perm_target:infoflow med_w;
+allow union_perm_source union_perm_target:infoflow low_w;
 
 # Auditallow rule differences
 type aa_matched_source;
@@ -314,11 +317,14 @@ type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
 auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
 auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;
 
-attribute aa_unioned_perm_via_attr;
+attribute aa_union_perm_a;
-type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_b;
-type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+attribute aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
-auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+type aa_union_perm_target, aa_union_perm_b;
+auditallow aa_union_perm_a aa_union_perm_b:infoflow hi_w;
+auditallow aa_union_perm_c aa_union_perm_target:infoflow med_w;
+auditallow aa_union_perm_source aa_union_perm_target:infoflow low_w;
 
 # Dontaudit rule differences
 type da_matched_source;
@@ -368,11 +374,14 @@ type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
 dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
 dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;
 
-attribute da_unioned_perm_via_attr;
+attribute da_union_perm_a;
-type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+attribute da_union_perm_b;
-type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+attribute da_union_perm_c;
-dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+type da_union_perm_source, da_union_perm_a, da_union_perm_c;
-dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+type da_union_perm_target, da_union_perm_b;
+dontaudit da_union_perm_a da_union_perm_b:infoflow hi_w;
+dontaudit da_union_perm_c da_union_perm_target:infoflow med_w;
+dontaudit da_union_perm_source da_union_perm_target:infoflow low_w;
 
 # Neverallow rule differences
 type na_matched_source;
@@ -403,11 +412,14 @@ type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
 neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
 neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;
 
-attribute na_unioned_perm_via_attr;
+attribute na_union_perm_a;
-type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+attribute na_union_perm_b;
-type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+attribute na_union_perm_c;
-neverallow na_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+type na_union_perm_source, na_union_perm_a, na_union_perm_c;
-neverallow na_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+type na_union_perm_target, na_union_perm_b;
+neverallow na_union_perm_a na_union_perm_b:infoflow hi_w;
+neverallow na_union_perm_c na_union_perm_target:infoflow med_w;
+neverallow na_union_perm_source na_union_perm_target:infoflow low_w;
 
 # type_transition rule differences
 type tt_matched_source;
@@ -664,11 +676,14 @@ type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
 allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
 allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
 
-attribute ax_unioned_perm_via_attr;
+attribute ax_union_perm_a;
-type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_b;
-type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
+attribute ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
-allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+type ax_union_perm_target, ax_union_perm_b;
+allowxperm ax_union_perm_a ax_union_perm_b:infoflow ioctl 0x1;
+allowxperm ax_union_perm_c ax_union_perm_target:infoflow ioctl 0x2;
+allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl 0x3;
 
 # Auditallowxperm rule differences
 type aax_matched_source;
@@ -699,11 +714,14 @@ type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
 auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
 auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
 
-attribute aax_unioned_perm_via_attr;
+attribute aax_union_perm_a;
-type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_b;
-type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
+attribute aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
-auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+type aax_union_perm_target, aax_union_perm_b;
+auditallowxperm aax_union_perm_a aax_union_perm_b:infoflow ioctl 0x1;
+auditallowxperm aax_union_perm_c aax_union_perm_target:infoflow ioctl 0x2;
+auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl 0x3;
 
 # Neverallowxperm rule differences
 type nax_matched_source;
@@ -734,11 +752,14 @@ type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
 neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
 neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
 
-attribute nax_unioned_perm_via_attr;
+attribute nax_union_perm_a;
-type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_b;
-type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
+attribute nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
-neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+type nax_union_perm_target, nax_union_perm_b;
+neverallowxperm nax_union_perm_a nax_union_perm_b:infoflow ioctl 0x1;
+neverallowxperm nax_union_perm_c nax_union_perm_target:infoflow ioctl 0x2;
+neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl 0x3;
 
 # Dontauditxperm rule differences
 type dax_matched_source;
@@ -769,11 +790,14 @@ type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
 dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
 dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
 
-attribute dax_unioned_perm_via_attr;
+attribute dax_union_perm_a;
-type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_b;
-type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
+attribute dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl { 0x000b 0x000c };
+type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
-dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl { 0x000b 0x000d };
+type dax_union_perm_target, dax_union_perm_b;
+dontauditxperm dax_union_perm_a dax_union_perm_b:infoflow ioctl 0x1;
+dontauditxperm dax_union_perm_c dax_union_perm_target:infoflow ioctl 0x2;
+dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl 0x3;
 
 ################################################################################
 # matching typebounds